If you don’t want to help yourself,
no one can
Security and Internet security
Jasmina [email protected]
ELSA Conference, Strumica, 27.11.2008
Topics covered
• What is Security and Information Security?
• Culture of Security
• Global Information Security Trends
• Security and Internet security
• Best practices for senior managers
What is Security and Information Security?
What is Security?
• “The quality or state of being secure—to be free from danger”
• A successful organization should have multiple layers of security in place:
– Physical security
– Personal security
– Operations security
– Communications security
– Network security
– Information security
What is Information Security?
• The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information
• Necessary tools: policy, awareness, training, education, technology
• The C.I.A. triangle was the original standard, based on confidentiality, integrity, and availability
• The C.I.A. triangle has since been expanded into a longer list of critical characteristics of information
Critical Characteristics of Information
The value of information comes from the characteristics it possesses:
– Availability
– Accuracy
– Authenticity
– Confidentiality
– Integrity
– Utility
– Possession
Figure 1-4 – NSTISSC Security Model
Culture of security
History
OECD Guidelines for the Security
of Information Systems and Networks:
Towards a Culture of Security
ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT
• Adopted as a Recommendation of the OECD Council at its 1037th Session on 25 July 2002.
Principles part 1
Awareness
• Participants should be aware of the need for security of information systems and networks and what they can do to enhance security.
Responsibility
• All participants are responsible for the security of information systems and networks.
Response
• Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents.
Principles part 2
Ethics
• Participants should respect the legitimate interests of others.
Democracy
• The security of information systems and networks should be compatible with essential values of a democratic society.
Risk assessment
• Participants should conduct risk assessments.
Principles part 3
Security design and implementation
• Participants should incorporate security as an essential element of information systems and networks.
Security management
• Participants should adopt a comprehensive approach to security management.
Reassessment
• Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures.
Global Information Security Trends
Global information security survey 2008 – Ernst & Young 1/2
• Meeting business objectives is a growing focus of information security.
• Information security is now more integrated into overall risk management.
• Information security remains isolated from executive management and the strategic decision making process.
• Improving IT and operational efficiency are emerging as important objectives.
• Compliance continues to be the primary driver of information security improvements.
Global information security survey 2008 – Ernst & Young 2/2
• Privacy and data protection have become increasingly important drivers of information security.
• Organisations rely on audits and self-assessments to evaluate the effectiveness of their information security programs.
• Organisations are demanding more from vendors and business partners in managing third-party relationships.
• The greatest challenge to delivering information security projects continues to be the availability of experienced IT and information security resources.
Internet security
What is internet security?
Internet security involves the protection of a computer's internet account and files from intrusion by an outside user.
Why is it important?
Our life on the internet
• electronic mail (e-mail)
• Instant messaging: Skype, Gtalk, MSN messenger, Yahoo! messenger
• Web 2.0 applications: Facebook, Hi5, Myspace
• e-commerce, e-banking, stock exchanges
• Collaborative workspaces
• Educational portals and Student Information Systems
• Official websites of corporations and governments
Aspects that need security on the internet
• Identity – who we are
– Internet personality
– Profiles, user names, accounts
• Possessions – what we own
– Information on resources: money, grades, property
• Information flow – what we “say”
– Money transfers, sent e-mails, instant messages, submitted documents
• IT assets – what we utilize for our life on the net
– PCs, notebooks, flash drives, mobile phones,…
Attack sophistication vs. intruders' knowledge
Best practices for information security for senior managers
Best practices – part 1
• General management: Managers throughout the organization consider information security a normal part of their responsibility and the responsibility of every employee.
• Policy: Develop, deploy, review, and enforce security policies that satisfy business objectives.
One of the tests of leadership is the ability to recognize a problem before it becomes an emergency.
Arnold Glasgow (1908-1970)
Best practices – part 2
• Risk Management: Periodically conduct an information security risk evaluation that identifies critical information assets, threats to critical assets, asset vulnerabilities, and risks.
In cases of defense ‘tis best to weigh the enemy more mighty than he seems.
William Shakespeare (1564-1616)
Best practices – part 3
• Security Architecture & Design: Generate, implement, and maintain an enterprise- (or site-) wide security architecture, based on satisfying business objectives and protecting the most critical information assets.
• User Issues - Accountability and Training, and Adequate Expertise: Establish accountability for user actions, train for accountability and enforce it, as reflected in organizational policies and procedures. Ensure that there is adequate in-house expertise or explicitly outsourced expertise for all supported technologies, including the secure operation of those technologies.
There is one safeguard known generally to the wise, which is an advantage and security to all...What is it? Distrust.
Demosthenes (c. 384-322 B.C.)