Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One

Similar documents
Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two Information Security in Universities

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session Two

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One Information Security and Challenges

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

CYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility

<Insert Picture Here> How to protect sensitive data, challenges & risks

Aberdeen City Council IT Security (Network and perimeter)

Business Case. for an. Information Security Awareness Program

Best Practices For Department Server and Enterprise System Checklist

Cyber Security and Information Assurance Controls Prevention and Reaction NOVEMBER 2013

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

2012 Endpoint Security Best Practices Survey

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things.

Data Security and Healthcare

Defending Against Data Beaches: Internal Controls for Cybersecurity

How users bypass your security!

Client Security Risk Assessment Questionnaire

Automation Suite for. 201 CMR Compliance

Goals. Understanding security testing

Ellucian Cloud Services. Joe Street Cloud Services, Sr. Solution Consultant

FINAL May Guideline on Security Systems for Safeguarding Customer Information

Smarter Security for Smarter Local Government. Craig Sargent, Solutions Specialist

Security Threat Risk Assessment: the final key piece of the PIA puzzle

Security Controls What Works. Southside Virginia Community College: Security Awareness

Universities and Schools Under Cyber-Attack: How to Protect Your Institution of Excellence

10 Smart Ideas for. Keeping Data Safe. From Hackers

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training - Session One

Security aspects of e-tailing. Chapter 7

CloudCheck Compliance Certification Program

Common Cyber Threats. Common cyber threats include:

External Supplier Control Requirements

THE IMPORTANCE OF CODE SIGNING TECHNICAL NOTE 02/2005

3rd Party Assurance & Information Governance outlook IIA Ireland Annual Conference Straightforward Security and Compliance

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

Why The Security You Bought Yesterday, Won t Save You Today

Information Security

A Database Security Management White Paper: Securing the Information Business Relies On. November 2004

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

IT Security. Securing Your Business Investments

STRONGER ONLINE SECURITY

Network Assessment. Prepared For: Prospect Or Customer Prepared By: Your Company Name

Central Agency for Information Technology

Network and Security Controls

White Paper. Information Security -- Network Assessment

ABB s approach concerning IS Security for Automation Systems

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

PII Compliance Guidelines

SRA International Managed Information Systems Internal Audit Report

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India

Symantec Protection Suite Enterprise Edition for Servers Complete and high performance protection where you need it

Top tips for improved network security

8 Steps for Network Security Protection

PCI Compliance for Healthcare

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

What you can do prevent virus infections on your computer

8 Steps For Network Security Protection

The Importance of Vulnerability Assessment For Your Organisation

Information security controls. Briefing for clients on Experian information security controls

Auburn Montgomery. Registration and Security Policy for AUM Servers

Data Leakage: What You Need to Know

Fundamentals of Information Systems Security Unit 1 Information Systems Security Fundamentals

Internet Security Protecting Your Business. Hayden Johnston & Rik Perry WYSCOM

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Business ebanking Fraud Prevention Best Practices

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

MAXIMUM DATA SECURITY with ideals TM Virtual Data Room

A practical guide to IT security

Information Security Breaches Survey 2013

CONTENTS. Security Policy

A Rackspace White Paper Spring 2010

INSTANT MESSAGING SECURITY

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER

REQUEST FOR BOARD ACTION

Electronic Fraud Awareness Advisory

Data Management Policies. Sage ERP Online

Online Banking Fraud Prevention Recommendations and Best Practices

Belmont Savings Bank. Are there Hackers at the gate? 2013 Wolf & Company, P.C.

ALERT LOGIC FOR HIPAA COMPLIANCE

Securing the Service Desk in the Cloud

The President s Critical Infrastructure Protection Board. Office of Energy Assurance U.S. Department of Energy 202/

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

Security Policy for External Customers

Evaluation Report. Office of Inspector General

PCI DSS 3.0 : THE CHANGES AND HOW THEY WILL EFFECT YOUR BUSINESS

Global Partner Management Notice

Top 10 Tips to Keep Your Small Business Safe

PCI Requirements Coverage Summary Table

Standard: Web Application Development

Bring Your Own Device (BYOD) & Customer Data Protection Are You Ready?

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

PCI-DSS Compliance. Ron Dinwiddie Chief Technology Officer J. Spargo & Associates

INFORMATION SECURITY California Maritime Academy

Server Protection Policy 1 1. Rationale 1.1. Compliance with this policy will help protect the privacy and integrity of data created by and relating

Protecting Your Organisation from Targeted Cyber Intrusion

Transcription:

Joint Universities Computer Centre Limited ( JUCC ) Information Security Awareness Training- Session One Data Handling in University Human Factor in Information Security

Agenda The Information Security Concept The CIA Triad Managing Information Security Information Security Controls Human Factors in Information Security Information Security Roles and Responsibilities Improving Information Security Human Factors 1

Background and concept of the Human Factor in Information Security Human (procedural) versus Technical (automated) IS controls: Information security is both a human and a technological problem. (Gary Hinson, IsecT Ltd) Examples: With an organisation-wide IS policy and standard in place, do users understand the need to choose strong passwords, keep them secret, and change them often? Does a system administrator check that users follow the guidance? Are the new releases of software programs checked before implementation to the production network? Does the programmer knows whether or not a new release is suitable? 2

The core principles of information security: Confidentiality Confidentiality is keeping sensitive information protected Integrity is keeping information intact and valid The CIA Triad Availability is keeping information available and accessible Integrity Availability 3

Managing Information Security Information security is not only related to computer systems. People are always the weakest link. People A complete framework is required to manage information security. JUCC is committed to improve the security environment of the universities in all 3 perspectives Process Technology 4

Managing Information Security Process Regular monitoring Security hardening Effective incident management Patching management User awareness program Information classification IT risk assessment Internal audit Penetration testing Change management Security news update Process People Technology People Management commitment Technical capability Security awareness Corporate culture Communication Technology Antivirus Firewall Intrusion Detection System Security patches Security logging 5

Information Security Controls Types of Information Security Controls Know when it occurs Administrative Logical Physical Detective Corrective Preventive Rectify when it occurs Limitations No 100% assurance Breakdown e.g. misunderstand/ mistake Involve human judgement Management override Collusion Avoid its occurrence 6

COST Information Security Controls Control Implementation- Cost vs Loss Optimised Level of Control Total Cost Cost of Loss Cost of Control Cost of Security Control Potential Loss CONTROL 7

Information Security Controls The Cost-Effectiveness of Information Security Controls shows that An ounce of prevention is worth a pound of cure (Benjamin Franklin) as preventive controls reduce or eliminate the impact costs. However, no control is 100% effective, corrective and detective control can always be implemented together with the preventive control. Effectiveness Cost Preventive Detective Corrective 8

Human Factors in Information Security People Why it is not just about Technology? Technology is fallible Organisation may not be able to adequately address all technical security concerns Technology is expensive People implement and operate technologies Process Technology PEOPLE- always the weakest link 9

Human Factors in Information Security Human Factor- the Risk Management Perspective Threats- human causing threats. E.g. deliberate circumvention of security controls by malicious staff or outsider Vulnerabilities- human creating the vulnerability in campus. E.g. staff giving out sensitive information (social engineering) Impacts- breaches creating human impacts. E.g. decreased trust towards system integrity 10

Human Factors in Information Security Mistake Negligence Fraud Curiosity Inputting the wrong value Forgetting to log off Deliberate spreading of virus Clicking links in email from unknown sender Creating erroneous routine in application Sharing of password Creation of hidden backdoor in application Installing software from unknown publisher 11

Human Factors in Information Security Application Developed by Tested by Used by Security Policy Written by Reviewed by Observed by Monitoring Process Conducted by Operated by Firewall/ IPS Built by Configured by Operated by mistake negligence fraud curiosity 12

Human Factors in Information Security Examples Application Authentication Password policy defined with requirements over password length, complexity and expiry Password policy implemented into the application used by general departmental users Validation and expiration reminders implemented to help users in observing the password policy requirements Due to the frequent password change, user wrote the password on a memo and stuck on the screen Will you hang your key next to your door? 13

Human Factors in Information Security Examples System Patch Vendor identified system vulnerabilities System patch and proof-of-concept were announced Patch was not installed by the administrator due to the large amount of security updates available Virus was developed utilising the identified vulnerability Virus outbreak in campus network 14

Human Factors in Information Security Examples Malicious Email Security awareness training was conducted to spread that message that email attachment from suspicious senders should not be opened Virus writers managed to find ways to leverage on general users curiosity by coming up with interesting subject line, body text and file name. To unsubscribe, click here You won a prize! Your favourite service is coming to end-of-life Reset your password Click to support A funny photo attached Love Letter.doc Like 15

Information Security Roles and Responsibilities Management Understand the importance of information security Understand the influence to users for management support towards information security Establish general direction and allocate sufficient budget for information security management (including technical and awareness training) Follow up on security breaches Involve the information security team in management meetings 16

Information Security Roles and Responsibilities Information Security Team Obtain up-to-date information regarding security trends and latest threats and vulnerabilities Conduct adequate security awareness training to users Review and update the security policies and communicate changes to users Duly report security incidents to management Review the technical competence of operation team Understand the security trends in campus and identify potential loopholes 17

Information Security Roles and Responsibilities Operation Team Obtain up-to-date information regarding security trends and latest threats and vulnerabilities Acquire up-to-date technical information and system related security updates Timely implement security updates to systems and report to the security management team Users Understand their roles in information security Attend security awareness training Be skeptical when dealing with suspicious emails and Internet contents Use a strong password and keep them secret 18

Improving Information Security- Human Factors Management Support Enforcement of Policy and Procedures Awareness Training Mistake REVIEW PROCESS Negligence/ Curiosity AWARENESS. Fraud SUPERVISION 19

Q&A? 20

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information