Session 9 : Information Security and Risk

Transcription

1 INFORMATION STRATEGY Sessin 9 : Infrmatin Security and Risk Tharaka Tennekn B.Sc (Hns) Cmputing, MBA (PIM - USJ) POST GRADUATE DIPLOMA IN BUSINESS AND FINANCE 2014

2 Infrmatin Management Framewrk 2

3 Infrmatin Security 3Ps Peple Cnfidentiality Integrity Availability Privacy Identificatin Authenticatin Authrizatin Accuntability Prcess Technlgy /Prducts

4 Infrmatin Security Prcess Plicies Plicies are statements f management intentins and gals Senir Management supprt and apprval is vital t success General, high-level bjectives Acceptable use, internet access, lgging, infrmatin security, etc. Prcedures Standards Prcedures are detailed steps t perfrm a specific task Usually required by plicy Decmmissining resurces, adding user accunts, deleting user accunts, change management, etc. Cnfidentiality Integrity Availability Standards specify the use f specific technlgies in a unifrm manner Requires unifrmity thrughut the rganizatin Operating systems, applicatins, server tls, ruter cnfiguratins, etc. Guidelines Guidelines are recmmended methds fr perfrming a task Recmmended, but nt required Malware cleanup, spyware remval, data cnversin, sanitizatin, etc.

5 Infrmatin Security 3Ps : Example Cnfidentiality Integrity Availability

6 Infrmatin Security CIA Cnfidentiality f infrmatin ensures that nly thse with sufficient privileges may access certain infrmatin. T prtect cnfidentiality f infrmatin, a number f measures may be used, including: Infrmatin classificatin Secure dcument strage Applicatin f general security plicies Educatin f infrmatin custdians and end users Integrity is the quality r state f being whle, cmplete and uncrrupted. The integrity f infrmatin is threatened when it is expsed t crruptin, damage, destructin, r ther disruptin f its authentic state. Crruptin can ccur while infrmatin is being cmpiled, stred, r transmitted. Cnfidentiality Integrity Availability Availability is making infrmatin accessible t user access withut interference r bstructin in the required frmat. A user in this definitin may be either a persn r anther cmputer system. Availability means availability t authrized users.

7 Infrmatin Security CIA + Privacy - Infrmatin is t be used nly fr purpses knwn t the data wner. This des nt fcus n freedm frm bservatin, but rather that infrmatin will be used nly in ways knwn t the wner. Identificatin - Cnfidentiality Infrmatin systems pssess the characteristic f identificatin Integrity when they are able t recgnize individual Availability users. Identificatin and authenticatin are essential t establishing the level f access r authrizatin that an individual is granted.

8 Infrmatin Security CIA + Authenticatin ccurs when a cntrl prvides prf that a user pssesses the identity that he r she claims. Authrizatin - after the identity f a user is authenticated, a prcess called authrizatin prvides assurance that the user (whether a persn r a cmputer) has been specifically & explicitly authrized Cnfidentiality by the prper authrity t access, update, r delete Integrity the cntents f an infrmatin asset. Availability Accuntability - The characteristic f accuntability exists when a cntrl prvides assurance that every activity undertaken can be attributed t a named persn r autmated prcess.

9 Infrmatin Security 6Ps Planning - Included in the planning mdel are activities necessary t supprt the design, creatin, and implementatin f infrmatin security strategies as they exist within the IT planning envirnment. Incident respnse Business cntinuity Disaster recvery Plicy Persnnel Technlgy rllut Risk management Security prgram - educatin, training, & awareness Plicy Prgrams specific entities managed in the infrmatin security dmain. Example: security educatin training & awareness prgram, Physical security prgram, - fire, physical access, gates, guards etc. Prtectin - Risk management activities, including risk assessment and cntrl, as well as prtectin mechanisms, technlgies, & tls. Each f these mechanisms represents sme aspect f the management f specific cntrls in the verall infrmatin security plan. Peple - are the mst critical link in the infrmatin security prgram. Prject Management shuld be present thrughut all elements f the infrmatin security prgram. Identifying and cntrlling the resurces applied t the prject Measuring prgress & adjusting the prcess as prgress is made tward the gal

10 Infrmatin Systems Risk, Threats x Vulnerabilities A threat is an agent that may want t r definitely can result in harm t the target rganizatin. Threats include rganized crime, spyware, malware, adware cmpanies, and disgruntled internal emplyees wh start attacking their emplyer. Wrms and viruses als characterize a threat as they culd pssibly cause harm in yur rganizatin even withut a human directing them t d s by infecting machines and causing damage autmatically. Threats are usually referred t as attackers r bad guys. Example : hackers, spammers, viruses, scial engineers, wrms, DDOS (btnet, zmbie army) Vulnerability is sme flaw in ur envirnment that a malicius attacker culd use t cause damage in yur rganizatin. Vulnerabilities culd exist in numerus areas in ur envirnments, including ur system design, business peratins, installed sftware, and netwrk cnfiguratins. Zer devise, IIS, aut play, java applet, SQL injectin Risk is where threat and vulnerability verlap. That is, we get a risk when ur systems have a vulnerability that a given threat can attack. 10

11 Infrmatin Systems Threats 11

12 Infrmatin Systems Vulnerabilities 12

13 Infrmatin Systems Risk Risk = (Likelihd x Value) Current Cntrls + Uncertainty 13

14 Risk Financial Lss 14

15 Risk by Industry 15

16 Tharaka Tennekn, B.Sc (Hns), MBA (PIM - USJ) inf@tpmstline.cm