Session 9 : Information Security and Risk


INFORMATION STRATEGY
Session 9: Information Security and Risk
Tharaka Tennekoon, B.Sc (Hons) Computing, MBA (PIM - USJ)
POST GRADUATE DIPLOMA IN BUSINESS AND FINANCE 2014

Information Management Framework (diagram slide)

Information Security 3Ps (diagram slide): People, Process, Technology/Products, surrounding the security properties Confidentiality, Integrity, Availability, Privacy, Identification, Authentication, Authorization, Accountability.

Information Security Process

Policies: Policies are statements of management intentions and goals. Senior Management support and approval is vital to success. General, high-level objectives. Examples: acceptable use, internet access, logging, information security, etc.

Procedures: Procedures are detailed steps to perform a specific task. Usually required by policy. Examples: decommissioning resources, adding user accounts, deleting user accounts, change management, etc.

Standards: Standards specify the use of specific technologies in a uniform manner. Requires uniformity throughout the organization. Examples: operating systems, applications, server tools, router configurations, etc.

Guidelines: Guidelines are recommended methods for performing a task. Recommended, but not required. Examples: malware cleanup, spyware removal, data conversion, sanitization, etc.

Information Security 3Ps: Example (diagram slide: Confidentiality, Integrity, Availability)

Information Security CIA

Confidentiality of information ensures that only those with sufficient privileges may access certain information. To protect confidentiality of information, a number of measures may be used, including: information classification; secure document storage; application of general security policies; education of information custodians and end users.

Integrity is the quality or state of being whole, complete and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being compiled, stored, or transmitted.

Availability is making information accessible to user access without interference or obstruction in the required format. A user in this definition may be either a person or another computer system. Availability means availability to authorized users.

Information Security CIA +

Privacy - Information is to be used only for purposes known to the data owner. This does not focus on freedom from observation, but rather that information will be used only in ways known to the owner.

Identification - Information systems possess the characteristic of identification when they are able to recognize individual users. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted.

Information Security CIA +

Authentication - Authentication occurs when a control provides proof that a user possesses the identity that he or she claims.

Authorization - After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset.

Accountability - The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process.

Information Security 6Ps

Planning - Included in the planning model are activities necessary to support the design, creation, and implementation of information security strategies as they exist within the IT planning environment: incident response, business continuity, disaster recovery, policy, personnel, technology rollout, risk management, and the security program (education, training, and awareness).

Policy

Programs - Specific entities managed in the information security domain. Examples: security education, training and awareness program; physical security program (fire, physical access, gates, guards, etc.).

Protection - Risk management activities, including risk assessment and control, as well as protection mechanisms, technologies, and tools. Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan.

People - People are the most critical link in the information security program.

Project Management - Project management should be present throughout all elements of the information security program: identifying and controlling the resources applied to the project; measuring progress and adjusting the process as progress is made toward the goal.

Information Systems Risk: Threats x Vulnerabilities

A threat is an agent that may want to or definitely can result in harm to the target organization. Threats include organized crime, spyware, malware, adware companies, and disgruntled internal employees who start attacking their employer. Worms and viruses also characterize a threat, as they could possibly cause harm in your organization even without a human directing them to do so, by infecting machines and causing damage automatically. Threats are usually referred to as attackers or bad guys. Examples: hackers, spammers, viruses, social engineers, worms, DDoS (botnet, zombie army).

A vulnerability is some flaw in our environment that a malicious attacker could use to cause damage in your organization. Vulnerabilities could exist in numerous areas in our environments, including our system design, business operations, installed software, and network configurations. Examples: zero-day flaws, IIS, autoplay, Java applets, SQL injection.

Risk is where threat and vulnerability overlap. That is, we get a risk when our systems have a vulnerability that a given threat can attack.

Information Systems Threats (diagram slide)

Information Systems Vulnerabilities (diagram slide)

Information Systems Risk

Risk = (Likelihood x Value) - Current Controls + Uncertainty
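The formula above, worked through on a small risk register built from the threat and vulnerability examples of the preceding slide (SQL injection, disgruntled employee, DDoS botnet, worm via autoplay). This is an added illustration, not part of the lecture slides. The slide gives no scales, so the following are assumptions: Likelihood is 0.0-1.0, Value is a relative asset score, and Current Controls and Uncertainty are expressed as percentages of the base (Likelihood x Value), the reading used in the Whitman and Mattord risk-rating method; the register rows and their numbers are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class RiskEntry:
    """One row of a risk register: a threat paired with the vulnerability it can exploit.

    Scales are assumptions for this illustration (not stated on the slide):
    value is a relative asset score (0-100), likelihood is 0.0-1.0, and
    controls_pct / uncertainty_pct are percentages of the base (likelihood x value).
    """
    asset: str
    threat: str             # the agent that can cause harm
    vulnerability: str      # the flaw that agent could use
    value: float
    likelihood: float
    controls_pct: float     # share of base risk already mitigated by current controls
    uncertainty_pct: float  # how unsure we are about our likelihood/vulnerability data


def rate(entry: RiskEntry) -> float:
    """Risk = (Likelihood x Value) - Current Controls + Uncertainty, rounded to 2 dp."""
    if not 0.0 <= entry.likelihood <= 1.0:
        raise ValueError(f"likelihood out of range for {entry.asset}: {entry.likelihood}")
    for name, pct in (("controls_pct", entry.controls_pct),
                      ("uncertainty_pct", entry.uncertainty_pct)):
        if not 0.0 <= pct <= 100.0:
            raise ValueError(f"{name} out of range for {entry.asset}: {pct}")
    base = entry.likelihood * entry.value          # exposure before any mitigation
    mitigated = base * entry.controls_pct / 100.0  # what current controls take away
    fudge = base * entry.uncertainty_pct / 100.0   # added back because our data may be wrong
    return round(base - mitigated + fudge, 2)


def rank(register: List[RiskEntry]) -> List[Tuple[float, RiskEntry]]:
    """Highest-rated entries first: the order in which new controls should be considered."""
    return sorted(((rate(e), e) for e in register), key=lambda pair: pair[0], reverse=True)


def control_benefit(entry: RiskEntry, proposed_controls_pct: float) -> float:
    """Rating reduction if current controls were raised to proposed_controls_pct."""
    improved = RiskEntry(entry.asset, entry.threat, entry.vulnerability, entry.value,
                         entry.likelihood, proposed_controls_pct, entry.uncertainty_pct)
    return round(rate(entry) - rate(improved), 2)


# Constructed register; the threat/vulnerability pairs echo the slide's examples.
REGISTER = [
    RiskEntry("Customer database", "External attacker", "SQL injection in web form",
              value=80, likelihood=0.5, controls_pct=0, uncertainty_pct=20),
    RiskEntry("Customer database", "Disgruntled employee", "Excess database privileges",
              value=80, likelihood=0.2, controls_pct=50, uncertainty_pct=10),
    RiskEntry("Public web server", "DDoS botnet", "No rate limiting at the edge",
              value=30, likelihood=0.8, controls_pct=25, uncertainty_pct=10),
    RiskEntry("Office workstations", "Worm", "Autoplay enabled on removable media",
              value=20, likelihood=0.6, controls_pct=75, uncertainty_pct=0),
]

if __name__ == "__main__":
    for score, e in rank(REGISTER):
        print(f"{score:6.1f}  {e.asset:<20} {e.threat:<22} via {e.vulnerability}")
    print("Raising controls against SQL injection to 50% cuts its rating by",
          control_benefit(REGISTER[0], 50))
```

Two things the numbers show that the formula alone does not: the uncertainty term pushes a poorly understood risk up the list even when its likelihood is modest, so better data is itself a way to lower a rating; and the same asset appears twice with very different ratings because risk is rated per threat-vulnerability pair, not per asset, which is the "overlap" point of the previous slide.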

Risk: Financial Loss (chart slide)

Risk by Industry (chart slide)

Tharaka Tennekoon, B.Sc (Hons), MBA (PIM - USJ)