
INFORMATION STRATEGY

POST GRADUATE DIPLOMA IN BUSINESS AND FINANCE 2014

Session 9 : Information Security and Risk

Tharaka Tennekoon B.Sc (Hons) Computing, MBA (PIM - USJ)

Information Management Framework


Information Security – 3Ps

• People
• Process
• Technology/Products

[Figure: CIA triad – Confidentiality, Integrity, Availability – surrounded by Privacy, Identification, Authentication, Authorization, Accountability]

Information Security – Process


Policies
 o Policies are statements of management intentions and goals
 o Senior management support and approval is vital to success
 o General, high-level objectives
 o Acceptable use, internet access, logging, information security, etc.

Procedures
 o Procedures are detailed steps to perform a specific task
 o Usually required by policy
 o Decommissioning resources, adding user accounts, deleting user accounts, change management, etc.

Standards
 o Standards specify the use of specific technologies in a uniform manner
 o Require uniformity throughout the organization
 o Operating systems, applications, server tools, router configurations, etc.

Guidelines
 o Guidelines are recommended methods for performing a task
 o Recommended, but not required
 o Malware cleanup, spyware removal, data conversion, sanitization, etc.

Information Security – 3Ps : Example


Information Security – CIA


Confidentiality of information ensures that only those with sufficient privileges may access certain information.

• To protect the confidentiality of information, a number of measures may be used, including:
 o Information classification
 o Secure document storage
 o Application of general security policies
 o Education of information custodians and end users

Integrity is the quality or state of being whole, complete and uncorrupted.
• The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state.
• Corruption can occur while information is being compiled, stored, or transmitted.

Availability means that information is accessible to users, without interference or obstruction, in the required format.
• A user in this definition may be either a person or another computer system.
• Availability means availability to authorized users.

Information Security – CIA +


Privacy - Information is to be used only for purposes known to the data owner. This does not focus on freedom from observation, but rather that information will be used only in ways known to the owner.

Identification - Information systems possess the characteristic of identification when they are able to recognize individual users. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted.

Information Security – CIA +


Authentication occurs when a control provides proof that a user possesses the identity that he or she claims.

Authorization - after the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically & explicitly authorized by the proper authority to access, update, or delete the contents of an information asset.

Accountability - The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process.

Information Security – 6Ps

Planning - Included in the planning model are the activities necessary to support the design, creation, and implementation of information security strategies as they exist within the IT planning environment.
 o Incident response
 o Business continuity
 o Disaster recovery
 o Policy
 o Personnel
 o Technology rollout
 o Risk management
 o Security program - education, training, & awareness

Policy

Programs - specific entities managed in the information security domain.
 o Example: security education, training & awareness program
 o Physical security program - fire, physical access, gates, guards, etc.

Protection - Risk management activities, including risk assessment and control, as well as protection mechanisms, technologies, & tools. Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan.

People - are the most critical link in the information security program.

Project Management - should be present throughout all elements of the information security program.
 o Identifying and controlling the resources applied to the project
 o Measuring progress & adjusting the process as progress is made toward the goal

Information Systems – Risk, Threats x Vulnerabilities

A threat is an agent that may want to, or definitely can, cause harm to the target organization. Threats include organized crime, spyware, malware, adware companies, and disgruntled internal employees who start attacking their employer. Worms and viruses also constitute a threat, as they can cause harm in your organization even without a human directing them, by infecting machines and causing damage automatically. Threats are usually referred to as "attackers" or "bad guys".
 o Example: hackers, spammers, viruses, social engineers, worms, DDOS (botnet, zombie army)

A vulnerability is some flaw in our environment that a malicious attacker could use to cause damage in your organization. Vulnerabilities could exist in numerous areas of our environments, including our system design, business operations, installed software, and network configurations.
 o Example: Zero devise, IIS, AutoPlay, Java applet, SQL injection

Risk is where threat and vulnerability overlap. That is, we have a risk when our systems have a vulnerability that a given threat can attack.

Information Systems – Threats

Information Systems – Vulnerabilities

Information Systems – Risk

Risk = (Likelihood x Value) – Current Controls + Uncertainty
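A worked illustration of the slide's risk formula and of the "threat overlaps vulnerability" definition above, added here and not part of the original slides. It builds a small constructed risk register where each entry is one threat/vulnerability pair on one asset and ranks the entries by residual risk; the reading of "Current Controls" as the fraction of raw risk the existing controls remove, and of "Uncertainty" as a fraction added for incomplete knowledge, is an assumption.

```python
"""Risk register example applying
    Risk = (Likelihood x Value) - Current Controls + Uncertainty
to constructed entries (added illustration; values are made up)."""
from dataclasses import dataclass


@dataclass
class RiskEntry:
    asset: str
    threat: str                # the agent that can cause harm
    vulnerability: str         # the flaw that threat can attack
    likelihood: float          # 0.0-1.0: chance the threat exploits the flaw
    value: int                 # relative asset value, e.g. 1-100
    controls_mitigated: float  # assumption: fraction of raw risk removed by current controls
    uncertainty: float         # assumption: fraction of raw risk added for knowledge gaps

    def raw_risk(self) -> float:
        """Likelihood x Value: risk before any controls are considered."""
        return self.likelihood * self.value

    def residual_risk(self) -> float:
        """(Likelihood x Value) - Current Controls + Uncertainty."""
        raw = self.raw_risk()
        return raw - raw * self.controls_mitigated + raw * self.uncertainty


def rank(register: list[RiskEntry]) -> list[RiskEntry]:
    """Order the register from highest to lowest residual risk."""
    return sorted(register, key=lambda e: e.residual_risk(), reverse=True)


# Constructed register: one row per threat/vulnerability overlap (illustrative only).
REGISTER = [
    RiskEntry("web server", "SQL injection attacker", "unvalidated input", 0.5, 90, 0.5, 0.2),
    RiskEntry("file server", "worm", "unpatched OS", 0.3, 60, 0.8, 0.1),
    RiskEntry("staff laptops", "malware via AutoPlay", "AutoPlay enabled", 0.6, 40, 0.0, 0.1),
]

if __name__ == "__main__":
    for e in rank(REGISTER):
        print(f"{e.asset:14} {e.threat:24} raw={e.raw_risk():5.1f} "
              f"residual={e.residual_risk():5.1f}")
```

Note that the well-controlled file server drops to the bottom even though its raw risk is similar to the laptops', which is the point of including existing controls in the rating.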

Risk – Financial Loss

Risk – by Industry

Tharaka Tennekoon, B.Sc (Hons), MBA (PIM - USJ)

+94 773403609
