Information Security Discussion for GM667, Saint Mary's University of MN
Information security basics (slide transcript)
1
Fundamental Principles of Security
Three Control Objectives
• Confidentiality
• Integrity
• Availability
These three fundamental control objectives provide the means to identify all business exposures, assess risks and select controls.
2
Three Control Objectives
Confidentiality principle
Protection of sensitive information from unauthorized disclosure; prevention of inappropriate reading or copying
• Examples of confidential information
  – Medical records
  – Payroll lists
  – Client lists
  – Trade secrets
3
Three Control Objectives
Integrity principle
Detection or prevention of inappropriate and unauthorized data transformations
• Threats to integrity may be classified as either accidental or intentional:
  – Errors
  – Omissions
  – Modification
  – Deletion
  – Replay and Insertion
• Accidental integrity violations are actually data reliability problems
4
Three Control Objectives
Availability principle
Ensuring system resources are available to sustain critical business activities
• Preparation for an unforeseen event
• It has many names: Contingency Planning; Disaster Recovery Planning; Business Continuance Planning
• Two Primary Objectives
  – Disaster Avoidance or Mitigation Strategies
  – Disaster Recovery Procedures
5
Three Control Objectives
Three Control Objectives (“CIA”)
• Confidentiality
• Integrity
• Availability
These three fundamental control objectives provide the means to identify all business exposures, assess risks and select controls.
Which one is the most important to your organization?
6
Information Security Definition
The protection of information assets from unauthorized disclosure, modification, or destruction; or the inability to process that information.
Embedded within the basic definition of information security are the three fundamental principles of information security:
• Confidentiality principle
• Integrity principle
• Availability principle
7
Risk Management
The following terms are routinely used during information security projects; they are often used interchangeably and incorrectly.
• Threat
• Vulnerability
• Threat Agent
• Exposure
• Control
• Risk
8
Risk Management Terminology
Threat
An Event or Action that can have a Negative Impact upon an Organization
or
A Potential Danger to an Information System
9
Examples of Threats
• Unauthorized access
  – Hackers
  – Mishandled password
• Misuse of authorized access
• Interception of information
  – Wiretap
  – Document left at a copier
• Introduction of malicious software
  – Virus
  – Worms
  – Trojan Horses
• Denial of Service Attacks
• Accidental alteration or deletion of data
• Social Engineering
• Undetected software errors
• Natural disasters
• A bomb
• A fire
• Disgruntled employee
10
Risk Management Terminology
Vulnerability
A Condition Which Allows a Threat to Occur
or
A Software, Hardware or Procedural Weakness
• Threats considered alone do not provide very meaningful information
• Threats and vulnerabilities are best considered in pairs
• Threats describe the environment; external considerations
  – Your organization may have little control or influence over these
• Vulnerabilities describe the internal environment
  – Vulnerabilities are your responsibility; you can take action to correct these
11
Examples of Threat/Vulnerability Pairing
Threats (we have little or no control over these)  |  Vulnerabilities (things you can change)
Bomb                                                |  An operations center with signage
Water                                               |  A data center below ground level
Disgruntled employee                                |  No exit or termination procedures
Severed network cables                              |  Unlocked telecom cable closets
12
Risk Management Terminology
Threat Agent
The Entity that Takes Advantage of a Vulnerability
Examples:
• Intruder
• Employee
• Software
13
Risk Management Terminology
Exposure
The Negative Effect or Loss that Results after a Threat Occurs
• Monetary Loss
  – Direct: Destruction or Theft of Assets
  – Indirect: Replacement Costs, Customer Bad Will
• Loss of Business
• Loss of Public Trust or Confidence
• Negative Publicity
• Loss of New Business Opportunities
14
Risk Management Terminology
Risk
The Likelihood of a Threat Agent Taking Advantage of a Vulnerability
Two approaches are used to measure risk:
• Quantitative Methods
• Qualitative Methods
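The slides name quantitative and qualitative risk measurement but do not show either. The block below is an added example, not part of the GM667 deck: it scores the deck's own threat/vulnerability pairs both ways. The quantitative formulas (SLE = asset value × exposure factor, ALE = SLE × ARO) are the standard method from the CISSP body of knowledge the deck cites; the qualitative method is a likelihood × impact matrix on a three-level scale. Every dollar value, exposure factor, occurrence rate and rating is constructed for illustration, and the control cost/benefit check at the end assumes a hypothetical flood-protection control.

```python
"""Added example (not part of the GM667 slides): scoring the deck's
threat/vulnerability pairs quantitatively and qualitatively.

Quantitative formulas (standard CISSP method, not spelled out on the slide):
    SLE (single loss expectancy)     = asset value x exposure factor
    ALE (annualized loss expectancy) = SLE x ARO (annualized rate of occurrence)
All dollar values, exposure factors, frequencies and ratings below are
constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    threat: str             # external: little control over it
    vulnerability: str      # internal: the thing you can fix
    asset_value: float      # replacement value of the asset at risk, in dollars
    exposure_factor: float  # fraction of the asset lost per occurrence (0.0 - 1.0)
    aro: float              # expected occurrences per year
    likelihood: str         # qualitative rating: low / medium / high
    impact: str             # qualitative rating: low / medium / high


LEVELS = {"low": 1, "medium": 2, "high": 3}


def single_loss_expectancy(s: RiskScenario) -> float:
    """Dollar loss expected from one occurrence of the threat."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError(f"exposure factor out of range: {s.exposure_factor}")
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: RiskScenario) -> float:
    """Expected dollar loss per year: the quantitative risk figure."""
    return single_loss_expectancy(s) * s.aro


def qualitative_score(s: RiskScenario) -> int:
    """Likelihood x impact on a 1-3 ordinal scale, giving 1..9."""
    return LEVELS[s.likelihood] * LEVELS[s.impact]


def qualitative_rating(s: RiskScenario) -> str:
    """Bucket the ordinal score into the rating a risk matrix would show."""
    score = qualitative_score(s)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def control_net_benefit(s: RiskScenario, aro_after: float,
                        annual_control_cost: float) -> float:
    """Value of a control: ALE before it, minus ALE after it, minus its yearly
    cost. A negative result means the control costs more than the risk it removes."""
    ale_after = single_loss_expectancy(s) * aro_after
    return annualized_loss_expectancy(s) - ale_after - annual_control_cost


def rank_by_ale(scenarios):
    """Highest expected annual loss first: where the control budget should go."""
    return sorted(scenarios, key=annualized_loss_expectancy, reverse=True)


# Constructed scenarios built on the slide's threat/vulnerability pairs.
SCENARIOS = [
    RiskScenario("Water", "A data center below ground level",
                 2_000_000, 0.5, 0.1, "low", "high"),
    RiskScenario("Disgruntled employee", "No exit or termination procedures",
                 500_000, 0.2, 2.0, "high", "medium"),
    RiskScenario("Severed network cables", "Unlocked telecom cable closets",
                 300_000, 0.1, 1.0, "medium", "low"),
    RiskScenario("Bomb", "An operations center with signage",
                 2_000_000, 1.0, 0.01, "low", "high"),
]

if __name__ == "__main__":
    for s in rank_by_ale(SCENARIOS):
        print(f"{s.threat:24} {s.vulnerability:36} "
              f"SLE=${single_loss_expectancy(s):>12,.0f} "
              f"ALE=${annualized_loss_expectancy(s):>10,.0f} "
              f"qualitative={qualitative_rating(s)}")
    # Hypothetical control: flood sensors and pumps at $15,000/yr that cut
    # the water ARO from 0.1 to 0.02. A positive number says it pays for itself.
    print(control_net_benefit(SCENARIOS[0], 0.02, 15_000))
```

Note how the two methods disagree: the bomb scenario is rated "medium" qualitatively because its impact is high, yet its ALE is the lowest of the four because the occurrence rate is so small. That disagreement is the reason the slide lists both approaches; the quantitative figure is what you use to justify a control's cost, the qualitative one is what you use when the inputs cannot be estimated in dollars.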
15
Risk Management Terminology
Control
Mechanisms or Procedures Used to Prevent, Detect or Limit Exposures
or
A Countermeasure or Safeguard that Mitigates Risk
There Are Three Basic Types of Controls:
• Administrative
• Physical
• Technical
16
Risk Management Terminology
Figure: Controls Cube, with control types (Administrative, Physical, Technical) on one axis and control functions (Prevent, Detect, Limit) on the other.
This simple graphic shows the types of controls available.
All types must be used to form a complete and effective system of controls.
17
Risk Management Terminology
Figure: the Controls Cube again, with its axes abbreviated P/D/L (Prevent, Detect, Limit) and A/P/T (Administrative, Physical, Technical).
Examples of Controls
Administrative/Prevention Controls:
• Segregation of duties
• Security checks on new personnel
• Authorization process for changes
Physical/Detection Controls:
• Cameras
• Door intrusion alarms
Technical/Limiting Controls:
• Transaction limits on ATM cards
• Access privileges on user accounts
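The slide's point is that a complete system of controls fills every cell of the cube, yet its examples only populate three of the nine. The block below is an added example, not from the GM667 deck: it takes a control inventory tagged with type and function, maps it onto the cube, and reports the empty cells. It assumes the cube's two axes are exactly the three types and three functions named on the slides; the inventory is the slide's own examples, so the six gaps it reports are the ones the slide leaves.

```python
"""Added example (not part of the GM667 slides): auditing a control
inventory against the controls cube.

The two axes come from the slides: control type (Administrative, Physical,
Technical) and control function (Prevent, Detect, Limit). uncovered_cells()
reports which of the nine cells have no control, which is the slide's
claim that all types must be used made checkable."""

TYPES = ("Administrative", "Physical", "Technical")
FUNCTIONS = ("Prevent", "Detect", "Limit")

# (control name, type, function): the slide's own examples, as an inventory.
SLIDE_CONTROLS = [
    ("Segregation of duties", "Administrative", "Prevent"),
    ("Security checks on new personnel", "Administrative", "Prevent"),
    ("Authorization process for changes", "Administrative", "Prevent"),
    ("Cameras", "Physical", "Detect"),
    ("Door intrusion alarms", "Physical", "Detect"),
    ("Transaction limits on ATM cards", "Technical", "Limit"),
    ("Access privileges on user accounts", "Technical", "Limit"),
]


def coverage_matrix(controls):
    """Map every (type, function) cell of the cube to the controls filling it.
    A control whose type or function is not an axis value is rejected, so a
    typo in the inventory cannot silently 'cover' a cell."""
    matrix = {(t, f): [] for t in TYPES for f in FUNCTIONS}
    for name, ctype, func in controls:
        if (ctype, func) not in matrix:
            raise ValueError(f"{name!r}: unknown type/function {ctype}/{func}")
        matrix[(ctype, func)].append(name)
    return matrix


def uncovered_cells(controls):
    """Cells of the cube with no control at all, in axis order."""
    matrix = coverage_matrix(controls)
    return [cell for cell in matrix if not matrix[cell]]


def coverage_ratio(controls):
    """Fraction of the nine cells that have at least one control."""
    return 1 - len(uncovered_cells(controls)) / (len(TYPES) * len(FUNCTIONS))


def render(controls):
    """Plain-text cube: rows are control types, columns are functions,
    each cell the number of controls in it."""
    matrix = coverage_matrix(controls)
    lines = ["{:15}".format("") + "".join(f"{f:>9}" for f in FUNCTIONS)]
    for t in TYPES:
        lines.append(f"{t:15}" + "".join(
            f"{len(matrix[(t, f)]):>9}" for f in FUNCTIONS))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SLIDE_CONTROLS))
    for cell in uncovered_cells(SLIDE_CONTROLS):
        print("no control for", *cell)
```

Run as-is it prints the 3×3 count table and then the six empty cells (for example no Technical/Detect control). Add an entry such as ("Log review", "Technical", "Detect") and the gap count drops to five; the ratio is the single number a manager can track as the control program matures.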
18
Controls - Another Perspective
Figure: Information Assets shown together with the controls that protect them: Network Controls, Computer Controls, Audit Programs, Physical Controls, other controls...
19
Risk Management Terminology Summary
Threat: An event or action that can have a negative impact upon an organization
Vulnerability: A condition that allows a threat to occur
Threat Agent: The entity that takes advantage of a vulnerability
Exposure: The negative effect or loss that results after a threat occurs
Control: Mechanisms or procedures used to prevent, detect or limit exposures
20
Risk Management Terminology
From: CISSP Exam Guide, Shon Harris, McGraw Hill
Figure: relationships among the risk terms. A Threat Agent gives rise to a Threat, which exploits a Vulnerability and creates Risk; the risk can damage an Asset and cause an Exposure, which may be countered with a Control.
21
Information Security Definition
The protection of information assets from unauthorized disclosure, modification, or destruction; or the inability to process that information.
Remember, our basic definition of security is to protect information.
This information may be moving (through a network), at rest (in storage), or being manipulated (processed by a computer or human).
Keep your eye on the information, no matter where it is.