Information Security - I.T Project Management

Welingkar’s Distance Learning Division

I.T. for Management

CHAPTER-18

Information Security

We Learn – A Continuous Learning Forum



IT Security, Control, Audit & governanceInformation is Power is a very old adage in the IT sector. In today’s world information is being increasingly viewed as an Asset which has real value & is to be protected Accumulating information was once done more for Statutory purposes. Today sophisticated data warehouses are hold what may be considered as “gold mine” of knowledge & data mining tools are available to extract the right information at right time




Objectives of IT Security ManagementThe purpose of IT Security Management is to ensure:• Confidentiality: Restricting access to right people for

the right purpose• Integrity: Correctness& validity of information stored

or processed• Availability: Ensuring information is available to

authorized persons




In almost every large enterprise, the physical and IT security departments operate independently of each other. They are generally unaware of the strengths and weaknesses of one another's practices, the liabilities of operating independently, and the benefits of integrated security management.



Information SecurityPhysical Security and IT Security

Physical security focuses on the protection of physical assets, personnel and facility structures. This involves managing the flow of individuals and assets into, out of, and within a facility. IT security focuses on the protection of information resources, primarily computer and telephone systems and their data networks. This involves managing the flow of information into, out of, and within a facility’s IT systems, including human access to information systems and their networks. Clearly these two are separate domains. Why should they be integrated?



Information SecurityPhysical Security and IT Security a Management Issue

The question above accurately reflects the thoughts of most security practitioners as they approach this subject. How is the question misleading? To lean on a common idiom, it focuses on the trees rather than the forest.It is the management of physical and IT security that must be integrated. No one is going to integrate a brick wall and a database. However, the management of who is allowed inside the wall and inside the database must be integrated, or there will be gaps in the organization’s security. Figure 1 below illustrates the concept of integrated security management. Whenever you hear or read the phrase “integration of physical and IT security,” think “integration of physical and IT security management” and you’ll be on the right track.







While it is true that many of the physical and IT security processes and procedures must be integrated at the technology level, it is not the technology that defines the integration. The business processes and procedures define it; the technology implements it. That's why the first step in integrating physical and IT security is an examination of security-related business requirements and the physical and IT security processes that support them. The integration of the business processes will determine where integration of physical security and IT technology is required








Types of control Examples

Physical control

Doors & Lock, Security gates, raised floors, double doors, ups system

IT related Password, Directory services, Firewall, antivirus Application server, Hot standby server, backup of software

Document related

Correct labeling, version control, copies of key documents

Application Specific

Data validation so that correct data only acceptedLength, Range, Code checkedProcess related checksOutput controls


Information Security StandardsBS 7799 Standard

The subject of IT security is therefore not one of merely putting appropriate control measures A process approach whereby the information security has• Defined organizational policy• Backed by management commitment• Necessary resources, Defined procedures• Appropriate control objectives• Suitable control measures• Recording & reviewing incidences• Continuous improvement of security process




The BS7799 is a British standard which addresses precisely this aspect. It provides a comprehensive framework within which an organization can set up an effective Information Security Management System(ISMS)More specifically some of controls objectives which it describes include following• Management of ISMS• Physical security• Information processing• Access to information to IT employees, outsourced vendors• Access from remote location




To implement the BS7799 standard an organization must take following steps.Define Information security policyOrganization & its management must demonstrate its commitment to information There must be formal reviews related with security incidentsRisk assessment. The organization must conduct risk assessment.This will help to identify the more important sources of risk. It would select from the following strategies Risk avoidance, Migration, Insurance or transfer Assumption of risk Cont…..




• Based on the strategy decided for each risk asset combination it will select appropriate control to manage the risk.

• For instance to prevent unauthorized entry it may provide smart card or biometric entry

• The organization would have also identified detailed procedure for implementing and monitoring ,defined roles various controls, Dos & don’t to all employees

• Finally process needs to be sustained & continuously evaluated



Information Security StandardsBusiness Continuity Planning (BCP)

Availability is one of the key elements in the information security. Failure in IT for e.g incidents like power failure, Virus attack can be disastrous

Organizations such as the stock exchange or a bank works on a Central data center. BCP outlines:The Objective of plan in event of disasterThe resourcesPriorities assigned for Business continuityProcedures to follow in the event of disaster Communication to outsider




The BCP ensures that certain critical business functions continue despite a disasterThe BCP also can be viewed from point of 3 stages• Pre-disaster• During the disaster• Post disasterThus each procedure should cover these three stagesDisaster Recovery is a set of plans to enable an organization to come back to normalcy




Disaster RecoveryThe time frame within which the recovery must happen is a matter of practicality & organizations policy. Solutions used for BCP


Hard disk crash RAID Arrays Mirror diskSAN/NAS solution

Complete data center crippled Hot remote site e.g. NSE has a hot site at Pune, which take over if Mumbai center fails

Telecom/ISP crashes Have a leased line from more than one ISP



The choice of solution depends upon the perceived impact of the disaster on business continuityMost of the times the BCP/DR misses out on Mock DrillsThis can be best done thru simulation by generating a disaster conditions thereby enabling & training people to understand individual role at the time of disaster & specific actions to be taken




End of Chapter 18


Information Security - I.T Project Management

Business

security processes

security gates

examination of security

security practitioners

security departments

organizations security

right information

information systems