Information Security
DESCRIPTION
IT's most important aspect is covered.
TRANSCRIPT
Information Security
What does it mean?
• Protect information
• Set rules for expected behaviour of users
• Authorise security personnel to monitor, probe and investigate
• Define and authorise consequences of violations
• Help to track compliance with regulation
Audience groups
• Management – all levels
• Technical staff
• End users
• IT engineers
In relation with
• Data management
• Information ownership
• Roles and responsibilities
• Risk management
• Implementation of IT policy
• Security awareness training
Roles & Responsibility
Roles and responsibilities for data classification:
• Information owner
• Information custodian
• Application owner
• User manager
• Security administrator
• End user
Information Security
Information security should be handled through:
• Data management
• Responsibility for and ownership of data
• Unattended computers
• Control over software usage
• Data transfer
• Discipline with Internet usage
Steps towards Information Security
• Identification of current vulnerabilities – data management
• Required attention – ownership, reporting on utilisation
• Priority list – critical information centres (important departments, billing section, service counter desk information)
• Compliance – department manual on data management
• Security awareness training
• Audit verification process
Information Ownership
Observation: Process owners are not aware of their responsibility for the management of their data.
Suggestion: Data management should be implemented through a department data policy. It should be followed as a prime responsibility by everyone, and overall responsibility lies with the process owners. Process owners should train end users to follow data management as per the department data policy.
Expected result: Through ownership, data security will be enhanced at department level.
Risk Management
Risks can be identified and reduced, but never eliminated.
The risk of data transfer is minimised by control over the following:
• USB mass storage – should be prohibited
• Optical drives – should be prohibited
• Data transfer using allowed USB drives – should be recorded
• Internet access – should be controlled
• Server data – should be controlled by an access control policy
Risk Management Continued
CCTV surveillance will be useful for:
• Prevention of and deterrence against theft
• Establishment of an anti-fraud culture
• Event recordings
IT Policy
A proper IT policy will be useful to enforce Information security.
Components of an effective IT policy:
• Purpose
• Authorization
• Scope
• Measurement expectations
• Exception Procedure
• Accountability
• Listing of Risk Management Practices
Training
Security awareness:
• Must be driven from top to bottom
• Must be comprehensive, all the way down to USB pen drives
Training programs:
• Should be part of the induction program
• Part of regular training for employees
• For all levels of management to end users
• Evaluation of audience
Information Security
Thank You