Information security background

Posted on 16-Jan-2015


Information Systems 365/765: Information Systems Security and Strategy

Lecture 2: Introduction to Information Security

Information Security Defined

Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.

Why Study Information Security in the School of Business?

• Businesses collect mass amounts of data about their customers, employees, and competitors

• Most of this data is stored on computers and transmitted across networks

• If this information should fall into the hands of a competitor, the result could be loss of business, lawsuits and bankruptcy

• Protecting corporate data is no longer an option, it is a requirement

What Types of Jobs Do Information Security Professionals Hold?

• Information Systems Auditor

• Business Continuity and Disaster Recovery Planning and Implementation

• Digital Forensics

• Infrastructure Design

• Business Integration

History of Information Security

• Throughout history, confidentiality of information has always played a key role in military conflict

• Confidentiality

• Tampering

• Authenticity

• Physical protection

• Background checks

• Encryption

Key Concept of Information Security: the single most important slide in this course!

Confidentiality, Integrity, Availability (CIA Triad)

Confidentiality

Confidentiality is the process of preventing disclosure of information to unauthorized individuals or systems.

Examples: Credit card, Shoulder Surfing, Laptop theft

Confidentiality is necessary, but not sufficient to maintain privacy

Integrity

Integrity means that data cannot be modified without authorization

Examples: Manual deletion or alteration of important data files, Virus infection, Employee altering their own salary, website vandalism, polling fraud

In Information Security, the term “data integrity” should not be confused with database referential integrity

Availability

For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.

Examples: Power outages, Hardware failures, System upgrades and Preventing denial-of-service attacks

Authenticity

In computing, e-Business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine (i.e. they have not been forged or fabricated).

Examples: Passport, Credit card accounts, academic transcripts

Non-Repudiation

Non-Repudiation is a complex term used to describe the lack of deniability of ownership of a message, piece of data, or transaction

Examples: Proof of an ATM transaction, a stock trade, or an email

Strong Information Security = Solid Risk Management

Proper Risk Management involves understanding and controlling risks, vulnerabilities and threats

Risk is the likelihood that something bad will happen that causes harm or loss of an informational asset

Vulnerability is a weakness that could be used to endanger or cause harm to an informational asset

Threat is anything deliberate or random and unanticipated that has the potential to cause harm

Risk Management

The likelihood that a threat will use a vulnerability to cause harm creates a risk.

When a threat does use a vulnerability to inflict harm, it has an impact.

In the context of information security, the impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income, loss of life, loss of real property)

It should be pointed out that it is not possible to identify all risks, nor is it possible to eliminate all risk. The remaining risk is called residual risk.

Risk Assessment

A risk assessment is a formal project carried out by a team of people who have knowledge of specific areas of the business. Membership of the team may vary over time as different parts of the business are assessed.

The assessment may use a subjective qualitative analysis based on informed opinion, or, where reliable dollar figures and historical information are available, the analysis may use quantitative analysis as well

Components of a Risk Assessment

• Security Policy

• Organization of information security

• Asset management

• Human resources security

• Physical and environmental security

• Communications and operations management

• Access control, logical and physical

• Information systems acquisition and lifecycle management

• Development and maintenance

• Information security incident management

• Business continuity management

• Regulatory compliance

Risk Management Process

Identification of assets and estimating their value. Include: people, buildings, hardware, software, data (electronic, print, other), supplies.

Conduct a threat assessment. Include: Acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization.

Conduct a vulnerability assessment, and for each vulnerability, calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, quality control and technical security.

Risk Management Process

Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis.

Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset.

Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost effective protection without discernible loss of productivity.
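The six steps above, carried through quantitatively for a small constructed risk register (an added example, not from the lecture). It assumes the standard annualized loss expectancy formulas, SLE = asset value × exposure factor and ALE = SLE × annual rate of occurrence, to express "impact" and "probability", and it ends with the accept / mitigate / transfer choice from the Risk Remedies slide; every dollar figure is made up.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Risk:
    """One row of a risk register: a threat using a vulnerability against an asset."""
    asset: str
    value: float            # step 1: estimated asset value (constructed dollar figure)
    threat: str             # step 2: threat assessment
    vulnerability: str      # step 3: vulnerability assessment
    exposure_factor: float  # fraction of the asset value lost in one incident (0..1)
    aro: float              # annual rate of occurrence: probability of exploitation per year

    def sle(self) -> float:
        """Single loss expectancy: the impact of one incident (step 4)."""
        return self.value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: impact weighted by likelihood, i.e. the risk."""
        return self.sle() * self.aro

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_after: float  # likelihood that remains once the control is in place

def residual_risk(risk: Risk, control: Control) -> Risk:
    """The risk that remains after mitigation (step 5); it is never zero."""
    return replace(risk, aro=control.aro_after)

def net_benefit(risk: Risk, control: Control) -> float:
    """Step 6: yearly risk reduction minus the control's cost; positive means cost effective."""
    return (risk.ale() - residual_risk(risk, control).ale()) - control.annual_cost

def remedy(risk: Risk, control: Control, accept_below: float) -> str:
    """Choose a risk remedy: accept, mitigate, or transfer (insure). 'Deny' is not an option."""
    if risk.ale() <= accept_below:
        return "accept"
    if net_benefit(risk, control) > 0:
        return "mitigate"
    return "transfer"

# Constructed sample register: figures are illustrative only.
CUSTOMER_DB = Risk("customer database", 500_000, "data theft", "unencrypted backups", 0.4, 0.10)
ENCRYPT_BACKUPS = Control("encrypt backups", 5_000, 0.02)
OFFICE_PRINTER = Risk("office printer", 2_000, "hardware failure", "no spare unit", 1.0, 0.50)
SPARE_PRINTER = Control("keep a spare printer", 800, 0.10)
DATA_CENTER = Risk("data center", 1_000_000, "flood", "ground-floor server room", 0.8, 0.05)
RELOCATE = Control("relocate server room", 50_000, 0.04)

if __name__ == "__main__":
    for r, c in ((CUSTOMER_DB, ENCRYPT_BACKUPS), (OFFICE_PRINTER, SPARE_PRINTER), (DATA_CENTER, RELOCATE)):
        print(f"{r.asset:18} ALE=${r.ale():>9,.0f} residual=${residual_risk(r, c).ale():>9,.0f} -> {remedy(r, c, 2_000)}")
```

Running it shows the three outcomes side by side: the encryption control pays for itself, the printer risk is cheap enough to accept, and relocating the server room costs more than the risk it removes, so insurance is the proportional response.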

Risk Remedies

For any given risk, you may choose to:

Accept the risk based upon the relatively low value of the asset, the relatively low frequency of occurrence, and the relatively low impact on the business.

Mitigate the risk by selecting and implementing appropriate control measures to reduce the risk.

Transfer the risk to another business by buying insurance or outsourcing to another business.

Deny the risk, which is obviously dangerous

Information Security Controls

When Management chooses to mitigate a risk, they will do so by implementing one or more of three different types of controls

• Administrative Controls

• Logical/Technical Controls

• Physical Controls

Administrative Controls

Consist of approved written policies, procedures, standards and guidelines.

Administrative controls form the framework for running the business and managing people.

They inform people on how the business is to be run and how day to day operations are to be conducted.

Laws and regulations created by government bodies are also a type of administrative control, such as PCI, HIPAA, FERPA and SOX

Other examples of administrative controls include the corporate security policy, password policy, hiring policies, and disciplinary policies.

Separation of Duties is the most important and often overlooked physical control

Separation of duties ensures that an individual cannot complete a critical task by themselves.

For example: an employee who submits a request for reimbursement should not also be able to authorize payment or print the check.

An applications programmer should not also be the server administrator or the database administrator

These roles and responsibilities must be separated from one another

Logical Controls

Logical controls (also called technical controls) consist of software and data to monitor and control access to information and computing systems.

For example: passwords, network and host based firewalls, network intrusion detection systems, access control lists, and data encryption are logical controls.

The Principle of Least Privilege is the most important and often overlooked logical control in IS

The principle of least privilege requires that an individual, program or system process is not granted any more access privileges than are necessary to perform the task.

A blatant example of the failure to adhere to the principle of least privilege is logging into Windows as user Administrator to read Email and surf the Web.

Violations of this principle can also occur when an individual:

• Collects additional access privileges over time (job duties change, promotion, new position, etc.)

• Is promoted to a new position, or transfers to another department.

Examine and adjust access rights for ALL employees on a regular basis
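An added example, not from the lecture, that puts the two controls from the Separation of Duties and Least Privilege slides into code: the reimbursement workflow refuses to let the submitter approve or print their own check, and a periodic access review flags grants an employee kept after changing roles. The role names, privilege strings, users and grants are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set

# Least-privilege baseline: the minimum each role needs to do its job (constructed).
ROLE_PRIVILEGES: Dict[str, Set[str]] = {
    "employee": {"expense:submit"},
    "manager": {"expense:submit", "expense:approve"},
    "accounts_payable": {"expense:print_check"},
    "app_programmer": {"code:deploy"},
    "dba": {"db:admin"},
}
# Combinations that would let one person complete a critical task alone.
CONFLICTING: Set[FrozenSet[str]] = {
    frozenset({"expense:approve", "expense:print_check"}),
    frozenset({"code:deploy", "db:admin"}),
}

@dataclass
class Claim:
    submitted_by: str
    approved_by: Optional[str] = None
    printed_by: Optional[str] = None

def approve(claim: Claim, user: str, grants: Dict[str, Set[str]]) -> None:
    """Authorize payment: needs the privilege AND a different person than the submitter."""
    if "expense:approve" not in grants.get(user, set()):
        raise PermissionError(f"{user} lacks expense:approve")
    if user == claim.submitted_by:
        raise PermissionError("separation of duties: submitter cannot approve own claim")
    claim.approved_by = user

def print_check(claim: Claim, user: str, grants: Dict[str, Set[str]]) -> None:
    """Print the check: needs an approved claim and a third person."""
    if "expense:print_check" not in grants.get(user, set()):
        raise PermissionError(f"{user} lacks expense:print_check")
    if claim.approved_by is None or user in (claim.submitted_by, claim.approved_by):
        raise PermissionError("separation of duties: submitter, approver and printer must differ")
    claim.printed_by = user

def access_review(grants: Dict[str, Set[str]], roles: Dict[str, str]) -> Dict[str, dict]:
    """Periodic review: flag privileges beyond the user's current role (accumulated
    over time) and conflicting combinations that defeat separation of duties."""
    findings = {}
    for user, held in grants.items():
        excess = held - ROLE_PRIVILEGES[roles[user]]
        conflicts = {pair for pair in CONFLICTING if pair <= held}
        if excess or conflicts:
            findings[user] = {"excess": excess, "conflicts": conflicts}
    return findings

# Constructed sample: bob transferred from programmer to DBA but kept his old deploy grant.
GRANTS = {"alice": {"expense:submit"}, "maria": {"expense:submit", "expense:approve"},
          "pat": {"expense:print_check"}, "bob": {"code:deploy", "db:admin"}}
ROLES = {"alice": "employee", "maria": "manager", "pat": "accounts_payable", "bob": "dba"}
```

Running `access_review(GRANTS, ROLES)` reports only bob, with `code:deploy` as the excess grant and the programmer/DBA pairing as the conflict, which is exactly the transfer case the slide warns about.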

Physical Controls

Physical controls monitor and control the environment of the work place and computing facilities. They also monitor and control access to and from such facilities.

For example: doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades, fencing, security guards, cable locks, etc.

Separating the network and work place into functional areas is also a physical control.

Security Classification of Information

An important aspect of information security and risk management is recognizing the value of information and defining appropriate procedures and protection requirements for the information. Not all information is equal and so not all information requires the same degree of protection. This requires information to be assigned a security classification

Security Classification of Information

1. Identify a member of senior management as the owner of the particular information to be classified

2. Develop a classification policy. The policy should describe the different classification labels, define the criteria for information to be assigned a particular label, and list the required security controls for each classification

Security Classification of Information

Some factors that influence which classification information should be assigned include:

1. How much value that information has to the organization

2. How old the information is and whether or not the information has become obsolete

3. Laws and other regulatory requirements are also important considerations when classifying information

Information Security Classification Labels

Common information security classification labels used by the business sector are: Public, Sensitive, Private, Confidential

Information Security Classification Labels

All employees in the organization, as well as business partners, must be trained on the classification schema and understand the required security controls and handling procedures for each classification.

The classification a particular information asset has been assigned should be reviewed periodically to ensure the classification is still appropriate for the information and to ensure the security controls required by the classification are in place.