Information Security

Information Security prepared by Mark Chen November 2008

Transcript of Information Security

Page 1: Information Security


Page 2: Information Security

definition

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

Page 3: Information Security

Page 4: Information Security

CIA

Confidentiality, Integrity, Availability

Page 5: Information Security

Confidentiality

Confidentiality is the property of preventing disclosure of information to unauthorized individuals or systems.

a credit card transaction on the Internet

someone looking over your shoulder at your computer screen

a laptop computer containing sensitive information is stolen or sold

The card number in the transaction example is kept confidential by encrypting the card number during transmission, by limiting the places where it might appear, and by restricting access to the places where it is stored.

Page 6: Information Security

Integrity

Integrity means that data cannot be modified without authorization.

an employee (accidentally or with malicious intent) deletes important data files

a computer virus infects a computer

Page 7: Information Security

Availability

For any information system to serve its purpose, the information must be available when it is needed.

computing systems, security controls and the communication channels must be functioning correctly

High availability systems aim to remain available at all times

Page 8: Information Security

Risk Management

Vulnerability

A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset.

Threat

A threat is anything (man made or act of nature) that has the potential to cause harm.

Page 9: Information Security

Risk Management process (steps 1 to 3)

(1) Identification of assets and estimating their value. Include: people, buildings, hardware, software, data (electronic, print, other), supplies.

(2) Conduct a threat assessment. Include: Acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization.

(3) Conduct a vulnerability assessment, and for each vulnerability, calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, quality control, technical security.

Page 10: Information Security

Risk Management process (steps 4 to 6)

(4) Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis.

(5) Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset.

(6) Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost effective protection without discernible loss of productivity.
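As an added example that is not part of the original slides, the following Python sketch walks the six steps above over a constructed two-asset risk register: it estimates an annual expected loss per threat (a standard quantitative-analysis formula, assumed here as asset value x impact x probability), ranks the risks, and applies a proportional-response rule that mitigates only when a control costs less than the loss it removes. All asset values, probabilities and control costs are constructed sample figures.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str            # step 1: the asset being protected
    asset_value: float    # step 1: estimated value (constructed figure)
    threat: str           # step 2: the threat being assessed
    probability: float    # step 3: chance per year the vulnerability is exploited (0..1)
    impact: float         # step 4: fraction of asset value lost per occurrence (0..1)

    def expected_loss(self) -> float:
        """Quantitative analysis (assumed formula): annual expected loss."""
        return self.asset_value * self.impact * self.probability


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_probability: float  # probability remaining once the control is in place


def rank_risks(risks: list[Risk]) -> list[Risk]:
    """Step 4: order risks by the loss each threat would cause, largest first."""
    return sorted(risks, key=Risk.expected_loss, reverse=True)


def decide(risk: Risk, control: Control) -> str:
    """Step 5: proportional response. Mitigate only if the control costs less
    than the loss it removes; otherwise accept the risk (page 11)."""
    residual = replace(risk, probability=control.residual_probability)
    saved = risk.expected_loss() - residual.expected_loss()
    return "mitigate" if saved > control.annual_cost else "accept"


def control_effectiveness(risk: Risk, control: Control) -> float:
    """Step 6: fraction of the original expected loss that the control removes."""
    residual = replace(risk, probability=control.residual_probability)
    return 1 - residual.expected_loss() / risk.expected_loss()


# Constructed sample register: two assets, one candidate control each.
CARD_DB = Risk("card database", 500_000, "disclosure of stored card numbers", 0.10, 0.8)
CARD_CTRL = Control("encrypt card numbers at rest", 5_000, 0.01)
KIOSK = Risk("lobby kiosk", 2_000, "vandalism", 0.20, 0.5)
KIOSK_CTRL = Control("install camera", 1_500, 0.05)

if __name__ == "__main__":
    for r in rank_risks([KIOSK, CARD_DB]):
        print(f"{r.asset}: expected annual loss {r.expected_loss():,.0f}")
    print(decide(CARD_DB, CARD_CTRL), decide(KIOSK, KIOSK_CTRL))
```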

Page 11: Information Security

Executive Management

For any given risk, executive management can choose:

to accept the risk, given the relatively low value of the asset, low frequency of occurrence, or low impact on the business

to mitigate the risk, by implementing controls

to deny the risk (this is itself a potential risk)

Page 12: Information Security

Controls

Administrative controls (also called procedural controls) consist of approved written policies, procedures, standards and guidelines

Logical and physical controls are the other two categories.

Page 13: Information Security

Logical controls

Logical controls (also called technical controls) use software and data to monitor and control access to information and computing systems. For example:

passwords, firewalls, data encryption,…

principle of least privilege

Page 14: Information Security

Physical controls

Physical controls monitor and control the environment of the work place and computing facilities, including access to and from such facilities.

doors, locks, cameras,…

Separating the network and work place into functional areas; separation of duties

Page 15: Information Security

Security Classification

Security classification recognizes the value of information in order to define appropriate procedures and protection requirements for that information.

Page 16: Information Security

Security Classification Labels

Common information security classification labels used by the business sector are: Public, Sensitive, Private, Confidential.

Common information security classification labels used by government are: Unclassified, Sensitive But Unclassified, Restricted, Confidential, Secret, Top Secret and their non-English equivalents.

Page 17: Information Security

Change Management

Change management is a formal process for directing and controlling alterations to the information processing environment, including alterations to desktop computers, the network, servers and software.

Page 18: Information Security

Change Management Process

(1) Requested (2) Approved (3) Planned (4) Tested (5) Scheduled (6) Communicated (7) Implemented (8) Documented (9) Post change review

Page 19: Information Security

Security Governance

(1) An Enterprise-wide Issue. (2) Leaders are Accountable. (3) Viewed as a Business Requirement. (4) Risk-based. (5) Roles, Responsibilities, and Segregation of Duties Defined. (6) Addressed and Enforced in Policy.

Page 20: Information Security

Security Governance (continued)

(7) Adequate Resources Committed. (8) Staff Aware and Trained. (9) A Development Life Cycle Requirement. (10) Planned, Managed, Measurable, and Measured. (11) Reviewed and Audited.

Page 21: Information Security

Incident Response Plans

(1) Selecting team members (2) Define roles, responsibilities and lines of authority (3) Define a security incident (4) Define a reportable incident (5) Training (6) Detection (7) Classification (8) Escalation (9) Containment (10) Eradication (11) Documentation

Page 22: Information Security

Laws and regulations

Sarbanes-Oxley Act of 2002 (SOX). Section 404 of the act requires publicly traded companies to assess the effectiveness of their internal controls for financial reporting in annual reports they submit at the end of each fiscal year. Chief information officers are responsible for the security, accuracy and the reliability of the systems that manage and report the financial data. The act also requires publicly traded companies to engage independent auditors who must attest to, and report on, the validity of their assessments.

Page 23: Information Security

Conclusion

Information security is the ongoing process of exercising due care and due diligence to protect information, and information systems, from unauthorized access, use, disclosure, destruction, modification, or disruption or distribution.

The never ending process of information security involves ongoing training, assessment, protection, monitoring & detection, incident response & repair, documentation, and review.