Day 1
Agenda
- Need for Information Systems Security Policy
- Elements of Information Security Policy
- Approach for development of Information Security Policy
- Information Security Organization and roles, responsibilities
What is Information?
BS ISO 27002:2005 defines Information as:
'Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.'
What is Information?
Information can be
- Printed or written on paper
- Stored electronically
- Transmitted by post or using electronic means
- Shown on corporate videos
- Displayed / published on the web
- Verbal, spoken in conversations
Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected (BS ISO 27002:2005)
Information in Governments
Governments are moving towards e-Governance to improve convenience, reduce time and improve transparency in delivering services to businesses and citizens. Businesses and citizens expect high standards of service, instant access to information, and efficient transactions and support, whenever and wherever they need it, but in a secure fashion. The two major components of the approach are information delivery and service delivery. In the first component, Governments provide various web-based information services of different granularity. In the second component, the citizen is given access to the Government's business-related IT systems to obtain transaction services (e.g. tax payments, filing of forms, issuing certificates, etc.).
Information in Governments
These two types of components bring the issues of information and systems security, such as architecture, standards and technology, to the forefront. Another fundamental element of the problem is the unprecedented gap between the pace of technological change and the inevitably glacial pace of policy and law making. Any good system of governance should be resilient to attacks by fraud, inadvertent virus infection, a variety of motivated cyber crimes through unauthorised access, and even a nation-sponsored cyber war, as well as to scenarios of disaster and warfare. In a networked society these kinds of threats have the potential to cripple a Government.
Information in Governments
Models of e-Governance
From the developmental perspective, e-Governance can be defined as the application of electronic means (in particular ICT) in: (1) the interaction between Government and citizens and between Government and businesses, as well as in (2) internal Government operations, to simplify and improve the democratic, Government and business aspects of Governance.
Information types
- Business Information, and
- Comparative Data
Based on these classes of information, their sources and frequency of update and exchange, various models of e-Governance projects are evolved.
Architecture layers (diagram labels): Third-Party Application; Internet; Application; Common Framework; Backbone Network.
Network Layer: Information resides at the network level, which encompasses the entire business functions of the Governments. Service delivery platforms hold a huge asset in terms of government data.
Web-site Security
- Anti-virus tools
- Anti-phishing tools
Security myths
Threat: Something that can potentially cause damage to the organization, IT systems or network.
Vulnerability: A weakness in the organization, IT systems or network that can be exploited by a threat.
Threats
- External parties
- Low awareness of security issues
- Employees
- Growth in networking and distributed computing
- Growth in complexity and effectiveness of hacking tools and viruses
- Natural disasters, e.g. fire, flood, earthquake
Threat classification (diagram labels): Deliberate; Accidental; Outside.
Threat Sources
Source           | Motivation
External Hackers | Challenge, Ego, Game playing
Internal Hackers | Deadline, Financial problems
External Agents  | Revenge, Political

Threats: System hacking, Backdoors, Fraud, Poor documentation, System attacks, Letter bombs, Viruses, Denial of service, Corruption of data, Malicious code introduction, System bugs, Unauthorized access
Threat Sources
Categories of Threat                               | Example
Human errors or failures                           | Accidents, employee mistakes
Compromise to intellectual property                | Piracy, copyright infringements
Deliberate acts of espionage or trespass           | Unauthorized access and/or data collection
Deliberate acts of information extortion           | Blackmail of information exposure / disclosure
Deliberate acts of sabotage / vandalism            | Destruction of systems / information
Deliberate acts of theft                           | Illegal confiscation of equipment or information
Deliberate software attacks                        | Viruses, worms, macros, denial of service
Deviations in quality of service from service provider | Power and WAN issues
Forces of nature                                   | Fire, flood, earthquake, lightning
Technical hardware failures or errors              | Equipment failures / errors
Technical software failures or errors              | Bugs, code problems, unknown loopholes
Technological obsolescence                         | Antiquated or outdated technologies
Threat Sources
- Virus attacks
- Lack of documentation
- Lack of security
Relationship between the terms (diagram):
Threat -> exploits -> Vulnerability -> leads to -> Risk -> can damage -> Asset -> and cause an -> Exposure -> can be countered by -> Safeguard
Information Security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. Information security enables an organization to meet its business objectives by implementing business systems with due consideration of information technology (IT)-related risks to the organization, business and trading partners, technology service providers and, most importantly, CITIZENS. The terms information security, computer security and information assurance are frequently, and incorrectly, used interchangeably. These fields are interrelated and share the common goals of protecting the confidentiality, integrity, availability, accountability and assurance of information.
IT Security
IT Security means eliminating the disruption of business operations and reducing the exposure to various attacks. IT Security deals with several different trust aspects of information. Information security involves an architecture in which an integrated combination of appliances, systems and solutions, software, surveillance and vulnerability scans work together. IT Security is not confined to computer systems; it applies to all aspects of protecting information or data, in whatever form (physical, people, etc.). Security is achieved using several strategies simultaneously or in combination with one another.
Security objectives
Organizations meet this goal by striving to accomplish the following objectives:
- Availability: The ongoing availability of systems addresses the processes, policies and controls used to ensure authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information or systems.
- Integrity of Data or Systems: System and data integrity relate to the processes, policies and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that would compromise accuracy, completeness and reliability.
- Confidentiality of Data or Systems: Confidentiality covers the processes, policies and controls employed to protect information of customers and the institution against unauthorized access or use.
People, Process, Technology
Application software
- Finance and assets systems, including accounting packages, inventory management, HR systems, assessment and reporting systems
- Software as a service, instead of software as a packaged or custom-made product
Access devices
- Desktop computers
- Laptops, ultra-mobile laptops and PDAs
- Thin client computing
- Printers, scanners, photocopiers, etc.
Information Security
Security properties: Confidentiality, Integrity, Availability, Authenticity, Assurance
Dimensions: People, Process, Technology
Controls: Security Policy, Regulatory Compliance, User Awareness Program, Access Control, Security Audit, Incident Response, Encryption, PKI, Firewall, IPS/IDS, Antivirus
Diagram labels:
- Security Audit
- Security Testing
- Requirement Validation
- Implementation of controls
- Refinement of controls
- Low Baseline: Selection of a subset of security controls from the master catalog, consisting of basic-level controls
- Medium Baseline: Builds on the Low Baseline with additional controls and control enhancements selected from the master catalog
- High Baseline: Builds on the Medium Baseline with additional controls and control enhancements selected from the master catalog
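The three baselines above are cumulative: each one selects everything the lower one selects plus further controls and control enhancements from the same master catalog. The following is an added example (not code from the deck or from any real control catalog) that builds the Low, Medium and High baselines from a small hypothetical catalog, where every control and enhancement carries the lowest baseline that includes it, and checks two things a practitioner would want verified: that the baselines really nest, and that no enhancement is selected at a level where its parent control is absent. All identifiers and titles below are constructed placeholders.

```python
"""Added example: cumulative Low / Medium / High baselines from a master catalog.

Each control or enhancement records the lowest baseline that selects it; a
baseline is the set of items whose level is at or below its own, so
Low <= Medium <= High by construction. Identifiers are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

LEVELS = ["low", "medium", "high"]          # ordered from least to most demanding
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Control:
    ident: str
    title: str
    min_baseline: str       # lowest baseline that selects this control


@dataclass(frozen=True)
class Enhancement:
    ident: str
    parent: str             # control this enhancement strengthens
    title: str
    min_baseline: str


# Hypothetical master catalog (constructed identifiers, not a real catalog).
CONTROLS: List[Control] = [
    Control("POL-1", "Information security policy", "low"),
    Control("ACC-1", "Account management", "low"),
    Control("ACC-2", "Least privilege", "medium"),
    Control("AUD-1", "Audit logging", "low"),
    Control("AUD-2", "Audit review and analysis", "medium"),
    Control("IR-1", "Incident response plan", "low"),
    Control("IR-2", "Incident response testing", "high"),
    Control("CRY-1", "Encryption of data in transit", "medium"),
    Control("CRY-2", "Hardware-protected key storage", "high"),
]
ENHANCEMENTS: List[Enhancement] = [
    Enhancement("ACC-1.1", "ACC-1", "Automated removal of dormant accounts", "medium"),
    Enhancement("ACC-1.2", "ACC-1", "Periodic privileged-account review", "high"),
    Enhancement("AUD-1.1", "AUD-1", "Centralized log collection", "medium"),
    Enhancement("AUD-2.1", "AUD-2", "Automated alerting on audit events", "high"),
]


def validate_catalog(controls=CONTROLS, enhancements=ENHANCEMENTS) -> None:
    """Reject catalogs where an enhancement would be selected before its parent control."""
    by_id: Dict[str, Control] = {c.ident: c for c in controls}
    for c in controls:
        if c.min_baseline not in RANK:
            raise ValueError(f"{c.ident}: unknown baseline {c.min_baseline!r}")
    for e in enhancements:
        if e.min_baseline not in RANK:
            raise ValueError(f"{e.ident}: unknown baseline {e.min_baseline!r}")
        parent = by_id.get(e.parent)
        if parent is None:
            raise ValueError(f"{e.ident}: parent control {e.parent} not in catalog")
        if RANK[e.min_baseline] < RANK[parent.min_baseline]:
            raise ValueError(f"{e.ident}: selected at {e.min_baseline} "
                             f"but parent {parent.ident} only at {parent.min_baseline}")


def baseline(level: str, controls=CONTROLS,
             enhancements=ENHANCEMENTS) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Control ids and enhancement ids selected for one baseline level."""
    validate_catalog(controls, enhancements)
    limit = RANK[level]
    ctl = frozenset(c.ident for c in controls if RANK[c.min_baseline] <= limit)
    enh = frozenset(e.ident for e in enhancements if RANK[e.min_baseline] <= limit)
    return ctl, enh


def added_at(level: str) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """What a baseline adds on top of the next lower one (Low builds on nothing)."""
    ctl, enh = baseline(level)
    if RANK[level] == 0:
        return ctl, enh
    lower_ctl, lower_enh = baseline(LEVELS[RANK[level] - 1])
    return ctl - lower_ctl, enh - lower_enh


def baselines_are_nested() -> bool:
    """Low <= Medium <= High must hold for both controls and enhancements."""
    sets = [baseline(level) for level in LEVELS]
    return all(lo[0] <= hi[0] and lo[1] <= hi[1] for lo, hi in zip(sets, sets[1:]))


if __name__ == "__main__":
    for level in LEVELS:
        ctl, enh = added_at(level)
        print(f"{level:6s} adds controls {sorted(ctl)} enhancements {sorted(enh)}")
    print("nested:", baselines_are_nested())
```

The parent check matters in practice: an enhancement such as automated account removal is meaningless in a baseline that does not also select the account-management control it enhances, so the catalog is validated every time a baseline is derived rather than trusted.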
Risk Assessment
Identify risks based on:
- Asset value
- Impacts
- Threats
- Vulnerabilities
- Asset loss exposure
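The risk assessment inputs listed above are the same terms that the earlier diagram chains together (a threat exploits a vulnerability, the resulting risk damages an asset and causes an exposure, and a safeguard counters it). The following is an added example, not code from the deck, that turns that chain into a small risk register. It assumes the standard quantitative model, which the slides do not spell out: exposure per incident (single loss expectancy) is asset value times an exposure factor, annual risk (annualized loss expectancy) is that exposure times the expected incidents per year, and a safeguard is justified only when the annual loss it avoids exceeds its own annual cost. Every asset, value, threat and safeguard in the register is constructed for illustration.

```python
"""Added example: a quantitative risk register over the chain
Threat -> Vulnerability -> Risk -> Asset -> Exposure -> Safeguard.

Assumed model (standard, not stated on the slides):
  SLE (exposure)  = asset value * exposure factor
  ALE (annual risk) = SLE * annualized rate of occurrence (ARO)
  residual ALE      = ALE * (1 - safeguard likelihood reduction)
All figures below are constructed, not real data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float           # yearly cost of running the control
    likelihood_reduction: float  # fraction of incidents it prevents (0..1)


@dataclass(frozen=True)
class RiskScenario:
    asset: str
    asset_value: float           # constructed monetary value of the asset
    threat: str
    vulnerability: str           # the weakness the threat exploits
    exposure_factor: float       # fraction of asset value lost per incident (0..1)
    aro: float                   # expected incidents per year
    safeguard: Optional[Safeguard] = None

    def single_loss_expectancy(self) -> float:
        """Exposure from one incident: asset value times exposure factor."""
        return self.asset_value * self.exposure_factor

    def annual_loss_expectancy(self) -> float:
        """Risk per year before any safeguard is applied."""
        return self.single_loss_expectancy() * self.aro

    def residual_ale(self) -> float:
        """Risk per year after the safeguard reduces incident likelihood."""
        if self.safeguard is None:
            return self.annual_loss_expectancy()
        return self.annual_loss_expectancy() * (1.0 - self.safeguard.likelihood_reduction)

    def safeguard_net_benefit(self) -> float:
        """ALE avoided by the safeguard minus what it costs to run."""
        if self.safeguard is None:
            return 0.0
        return (self.annual_loss_expectancy() - self.residual_ale()) - self.safeguard.annual_cost

    def safeguard_is_justified(self) -> bool:
        """A safeguard is worth funding only if it saves more than it costs."""
        return self.safeguard is not None and self.safeguard_net_benefit() > 0


def rank_by_risk(scenarios: List[RiskScenario]) -> List[str]:
    """Asset names ordered from highest to lowest annual loss expectancy."""
    ordered = sorted(scenarios, key=lambda s: s.annual_loss_expectancy(), reverse=True)
    return [s.asset for s in ordered]


# Constructed register for a hypothetical e-Governance service (not real data).
REGISTER = [
    RiskScenario("Citizen tax records database", 1_000_000.0,
                 "External hacker: unauthorized access", "Unpatched web application",
                 exposure_factor=0.3, aro=0.5,
                 safeguard=Safeguard("Patch management programme", 40_000.0, 0.8)),
    RiskScenario("Service delivery portal", 500_000.0,
                 "Denial of service", "No traffic rate limiting",
                 exposure_factor=0.1, aro=4.0,
                 safeguard=Safeguard("DDoS mitigation service", 60_000.0, 0.9)),
    RiskScenario("Data centre", 2_000_000.0,
                 "Fire (force of nature)", "No fire suppression",
                 exposure_factor=0.5, aro=0.05,
                 safeguard=Safeguard("Fire suppression system", 35_000.0, 0.6)),
]


if __name__ == "__main__":
    for name in rank_by_risk(REGISTER):
        s = next(r for r in REGISTER if r.asset == name)
        print(f"{s.asset}: ALE={s.annual_loss_expectancy():,.0f} "
              f"residual={s.residual_ale():,.0f} "
              f"safeguard justified={s.safeguard_is_justified()}")
```

Two points the numbers make that the bullet list alone does not: the highest-value asset (the data centre) is not the highest risk, because its annual rate of occurrence is low, and a safeguard can reduce risk substantially yet still fail the cost test, which is why the register records exposure and safeguard cost side by side rather than treating every reduction as worth funding.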