http://www.csun.edu/~dn58412/IS531/IS531_SP15.html

IS 531 : Lecture 12
Information Security and Confidentiality (Chapter 12)

Learning Objectives

1. Privacy, confidentiality, information privacy, and information security, and the relationships among them.
2. How information system security affects privacy, confidentiality, and security.
3. The significance of security for information integrity.
4. Potential threats to system security and information.
5. Security measures to protect information.

Security Concern

• Information security and confidentiality of personal information represent major concerns in today’s society amidst growing reports of stolen and compromised information.
• Globalization and increased use of the Internet
• Evolving technology and intrusion techniques
• Information must be protected through a combination of electronic and manual methods

Information Security

• The protection of information against threats to its confidentiality (inadvertent disclosure), integrity, and availability; the strength of that protection determines the survivability of a system

Privacy

• Freedom from intrusion, or control over the exposure of self or of personal information
• The right to determine what information is collected and how it is used, and the ability to review collected information for accuracy and security

Confidentiality

• The protection of healthcare information is mandated by the Health Insurance Portability and Accountability Act (HIPAA) and by Joint Commission requirements.
• Must not disclose patient-related information without consent
• Share information only with the parties requiring it for client treatment
• Breaches are most often due to careless communication in a public area or with an inappropriate person

Information/Data Privacy

• The storage and disclosure/dissemination of personally identifiable information
• The right to choose the conditions and extent to which information and beliefs are shared
• The right to ensure accuracy of information collected

Consent

• The process by which an individual authorizes healthcare personnel to process his or her information, based on an informed understanding of how this information will be used
• Entails making the individual aware of risks to privacy and of the measures taken to protect it

Information System Security

• Ongoing protection of both the information stored in the system and the system itself from threats or disruption
• Primary goals (the confidentiality, integrity, availability triad):
– Protection of client confidentiality
– Protection of information integrity
– Timely availability of information when needed

Security Planning

• Safeguard against:
– Downtime
– Breaches of confidentiality
– Loss of consumer confidence
– Cybercrime
– Liability
– Lost productivity
• Ensure compliance with HIPAA

Steps to Security

• Assessment of risks and assets
• An organizational plan
• A “culture” of security
• The establishment and enforcement of policies

Threats to System Security and Information

• Human threats
– Thieves
– Hackers and crackers
– Denial of service attacks
– Terrorists
– Viruses, worms
– Revenge attacks
– Pirated Web sites

Threats to System Security and Information …

• On-site threats
– Poor password management
– Compromised device
– Human error
– Unauthorized insider access
– Flooding
– Power fluctuations
• Fires and natural disasters

Security Measures

• Firewalls: a barrier created from software and hardware
• Antivirus and spyware detection
• User sign-on and passwords, or other means of identity management
• Access on a need-to-know basis
• Automatic sign-off
• Physical restrictions to system access

Authentication

• Process of determining whether someone is who he or she claims to be
• Methods:
– access codes
– logon passwords
– digital certificates
– public/private key pairs (the same kind of keys used for encryption)
– biometric measures

Password

• String of alphanumeric characters typed in for system access
• Inexpensive, but not the most effective means of authentication
• Do:
– Choose passwords of 8-12 characters or longer (current NIST SP 800-63B guidance requires at least 8, allows at least 64, and favours length and a blocklist of known-compromised passwords over composition rules)
– Avoid obvious passwords
– Use the first characters of your favourite verses or sayings
– Include special characters, lower and upper case letters, and numbers

Password …

• Don’t:
– Post or write down passwords.
– Leave computers or applications running when not in use.
– Re-use the same password for different systems.
– Use the browser “save password” feature.
• Never share passwords.
• Change passwords frequently (NIST SP 800-63B now recommends changing a password when compromise is suspected rather than on a fixed schedule).
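As an added example (not part of the lecture), the following Python puts the slide’s “Do” rules beside a length-first check of the kind NIST SP 800-63B describes, so the difference can be seen on concrete inputs. The blocklist, the sample passwords, and the leet-substitution table are constructed stand-ins; a real deployment would load a breached-password list with millions of entries.

```python
import string

# Constructed blocklist stand-in (not from the lecture).
COMMON_PASSWORDS = {
    "password", "password1", "p@ssw0rd", "p@ssw0rd1", "123456", "qwerty",
    "letmein", "welcome1", "iloveyou", "abc123",
}

# A few leet substitutions (assumed for this example) so "P@55w0rd" is
# recognised as "password" before the blocklist lookup.
LEET = str.maketrans("@$!0135", "assoies")


def slide_policy(pw):
    """The lecture's 'Do' list: 8-12 characters, all four classes, nothing obvious.

    Returns a list of findings; an empty list means the password passes.
    """
    findings = []
    if not 8 <= len(pw) <= 12:
        findings.append("length not in 8-12")
    has = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    if not all(has):
        findings.append("missing lower/upper/digit/special")
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("obvious password")
    return findings


def length_first_policy(pw, min_len=12, max_len=64):
    """NIST SP 800-63B style: a length floor, a generous ceiling, and a blocklist.

    No composition rules: a long passphrase of plain words is accepted, while a
    short, 'complex' but well-known password is rejected.
    """
    findings = []
    if len(pw) < min_len:
        findings.append(f"shorter than {min_len}")
    if len(pw) > max_len:
        findings.append(f"longer than {max_len}")
    normalized = pw.lower().replace(" ", "").translate(LEET)
    if pw.lower() in COMMON_PASSWORDS or normalized in COMMON_PASSWORDS:
        findings.append("on blocklist")
    return findings


def passphrase_from_saying(saying, suffix=""):
    """The slide's trick: first character of each word of a saying you remember."""
    return "".join(word[0] for word in saying.split()) + suffix


if __name__ == "__main__":
    for candidate in ("P@55w0rd", "ruby kettle orbit sandwich marble",
                      passphrase_from_saying("To be or not to be that is the question", "!9")):
        print(repr(candidate), slide_policy(candidate), length_first_policy(candidate))
```

“P@55w0rd” satisfies every composition rule on the slide yet is a leet spelling of the most common password; the 33-character passphrase fails the slide’s 12-character cap and its class rules but is the stronger secret.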

Biometrics

• Identification based on a unique biological trait
– fingerprint
– voice
– iris pattern / retinal scan
– hand geometry / palmprint
– face recognition
– etc.

Antivirus Software

• Computer programs that can locate and eradicate viruses and other malicious programs from memory sticks, storage devices, individual computers, and networks
• Detect and eliminate malware and spyware that installs itself without the user’s permission to collect passwords, PINs, and account numbers and then send them to another party

Antivirus Software

(product comparison chart) Source: http://anti-virus-software-review.toptenreviews.com/

Proper Handling and Disposal

• Acceptable uses
• Audit trails to monitor access
• Encourage review for accuracy
• Establish controls for information use after-hours and off-site
• Shred or use locked receptacles for the disposal of items containing personal health information
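The audit-trail and after-hours controls above are only useful if someone actually reviews the trail. As an added example (not from the lecture), the Python below reads a constructed chart-access log and flags two things a privacy officer would want to see: accesses by staff who are not on the patient’s care team (the need-to-know rule from the Security Measures slide) and accesses outside working hours. The log lines, care-team roster and 07:00-19:00 working hours are all constructed assumptions of the example.

```python
import csv
from datetime import datetime, time
from io import StringIO

# Constructed audit-trail sample (not from the lecture): one row per chart access.
AUDIT_LOG = """timestamp,user,role,patient_id,action
2015-03-02T08:15:00,nurse_kim,RN,P1001,view
2015-03-02T09:40:00,dr_lee,MD,P1001,update
2015-03-02T12:05:00,clerk_ray,CLERK,P2002,view
2015-03-02T23:30:00,nurse_kim,RN,P2002,view
2015-03-03T02:10:00,dr_lee,MD,P3003,view
2015-03-03T10:00:00,clerk_ray,CLERK,P3003,print
"""

# Constructed care-team roster: the users who need to know about each patient.
CARE_TEAM = {
    "P1001": {"nurse_kim", "dr_lee"},
    "P2002": {"clerk_ray", "dr_lee"},
    "P3003": {"dr_lee"},
}

# Assumed on-site working hours; access outside them needs a documented reason.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def review_audit_log(log_text=AUDIT_LOG, care_team=CARE_TEAM, hours=BUSINESS_HOURS):
    """Return one finding per access that breaks need-to-know or happens after hours.

    Each finding is (timestamp, user, patient_id, action, [reasons]). An access
    can trip both rules, so the reasons list may hold two entries.
    """
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        user, patient = row["user"], row["patient_id"]
        reasons = []
        # Need-to-know: unknown patients have an empty team, so every access is flagged.
        if user not in care_team.get(patient, set()):
            reasons.append("not on care team")
        if not (hours[0] <= ts.time() < hours[1]):
            reasons.append("after hours")
        if reasons:
            findings.append((row["timestamp"], user, patient, row["action"], reasons))
    return findings


def users_to_follow_up(findings):
    """Distinct users with at least one finding, for the privacy officer's review."""
    return sorted({finding[1] for finding in findings})


if __name__ == "__main__":
    results = review_audit_log()
    for finding in results:
        print(*finding)
    print("follow up with:", users_to_follow_up(results))
```

Two of the six accesses are legitimate but after hours or off-team; in a real review those would be matched against shift rosters and break-the-glass records before anyone is contacted.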

Implications for Mobile Computing

• Shared responsibility for information and information system security
• Devices are easily stolen.
• Devices should require authentication and encryption to safeguard information security.
• Devices should never be left where information may be seen by unauthorized viewers.
• Verify wireless networks before use.

Firewall

(diagram)

Physical vs. Logical Access / Controls

(diagram)

Encryption

(diagram) The plaintext “IS531” as ASCII bytes, followed by the two further bit patterns the slide shows as the scrambled ciphertext:

I S 5 3 1 → 01001001 01010011 00110101 00110011 00110001
10010101 00110011 01010011 00110011 00010100
01101010 11001100 10101100 11001100 11101011

Binary codes: ASCII (American Standard Code for Information Interchange) is a 7-bit code, normally stored one character per 8-bit byte; EBCDIC (Extended Binary-Coded Decimal Interchange Code) is an 8-bit code; Unicode assigns code points up to 21 bits wide and stores them in UTF-8 (1 to 4 bytes per character), UTF-16 (2 or 4 bytes), or UTF-32 (4 bytes).

Encoding

Normal sequence :  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Encoded sequence : F G H I J K L M N O P Q R S T U V W X Y Z A B C D E

Message :         DROPBOX TONIGHT
Encoded message : IWTUGTC YTSNLMY

(each letter is shifted five places along the alphabet, a Caesar cipher)
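As an added example (not from the lecture), the Python below reproduces both of the preceding slides: it prints the ASCII bit pattern of “IS531” from the Encryption slide, applies the five-place shift from the Encoding slide to “DROPBOX TONIGHT”, and then tries all 26 possible shifts to show why such an encoding hides nothing. For contrast it XORs the same bytes with a random key of equal length (a one-time pad), where every key is equally likely and brute force tells the attacker nothing. The `otp_xor` helper and its key handling are this example’s own, not anything shown on the slides.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase


def shift_encode(message, shift):
    """Shift each letter `shift` places along the alphabet (Z wraps round to A);
    anything that is not a letter, such as the space, passes through unchanged."""
    out = []
    for ch in message.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decode(ciphertext, shift):
    return shift_encode(ciphertext, -shift)


def brute_force(ciphertext):
    """Every candidate plaintext. With only 26 keys there is nothing to guess,
    which is why a fixed substitution is encoding (obscurity), not encryption."""
    return {k: shift_decode(ciphertext, k) for k in range(26)}


def ascii_bits(text):
    """The bit pattern the Encryption slide shows: one 8-bit byte per character."""
    return " ".join(format(b, "08b") for b in text.encode("ascii"))


def otp_xor(data, key=None):
    """XOR with a random key as long as the message (a one-time pad).

    Returns (key, result). Applying it again with the same key restores the data.
    The key must never be reused; that reuse is the classic failure of this scheme.
    """
    if key is None:
        key = secrets.token_bytes(len(data))
    if len(key) != len(data):
        raise ValueError("one-time pad key must match the data length")
    return key, bytes(a ^ b for a, b in zip(data, key))


if __name__ == "__main__":
    ct = shift_encode("DROPBOX TONIGHT", 5)
    print(ct, "->", shift_decode(ct, 5))
    for k, candidate in brute_force(ct).items():
        print(f"shift {k:2d}: {candidate}")
    print(ascii_bits("IS531"))
    key, c = otp_xor(b"IS531")
    print(" ".join(format(b, "08b") for b in c), "(XOR with a fresh random key)")
```

Running it lists all 26 decodings of “IWTUGTC YTSNLMY”; the readable one at shift 5 is found in a fraction of a second, whereas the XOR output is a different random-looking byte string on every run.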

Public Keys

(diagram)
