INTRODUCTION TO INFORMATION SECURITY MANAGEMENT
Information Security Management (INFS 5055) & Information Security Management (INFS 3070)
Study Period 2, 2010
Today’s Reference: Whitman & Mattord, 2008, Management of Information Security, 2nd edition, Chapter 1 (alternatively, 3rd edition is fine)
What is Security?
• “a well-informed sense of assurance that the information risks and controls are in balance.” —Jim Anderson, Inovant (2002)
• “The quality or state of being secure—to be free from danger”
• A successful organization should have multiple layers of security in place:
– Physical security
– Personal security
– Operations security
– Communications security
– Network security
– Information security
• The extended characteristics of information security are known as the six Ps:
– Planning
– Policy
– Programs
– Protection
– People
– Project Management
Planning
• Several types of InfoSec plans exist:
– Incident response
– Business continuity
– Disaster recovery
– Policy
– Personnel
– Technology rollout
– Risk management
– Security program, including education, training, and awareness
Policy
• The set of organizational guidelines that dictates certain behavior within the organization is called policy
• In InfoSec, there are three general categories of policy:
– General program policy (Enterprise Information Security Policy, EISP)
– Issue-specific security policy (ISSP)
– System-specific security policies (SysSPs)
Programs
• Specific entities managed in the information security domain
• A security education, training, and awareness (SETA) program is one such entity
• Other programs that may emerge include a physical security program, complete with fire, physical access, gates, guards, and so on
Protection
• Risk management activities, including risk assessment and control, as well as protection mechanisms, technologies, and tools
• Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan
People
• People are the most critical link in the information security program
• It is imperative that managers continuously recognize the crucial role that people play
• This includes both information security personnel and the security of personnel
Project Management
• Project management discipline should be present throughout all elements of the information security program
• This effort involves identifying and controlling the resources applied to the project, as well as measuring progress and adjusting the process as progress is made toward the goal
The Sequence
THREATS threaten ASSETS, which create RISKS, which require CONTROLS.
Vulnerability? Risk exposure? Countermeasures?
“Health & Safety” of a person
• Threats
– Heart attack, stroke, car accident
– Work accident, sporting injury,
• Programming standards
– range checks
– check digits
– modular programs
• Change control procedures
• Authorisation controls
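The programming-standard controls listed above (range checks, check digits, modular programs) in working code. This is an added example, not from the slides or the textbook: the Luhn algorithm (ISO/IEC 7812) is used as the check digit scheme, the order record is constructed test data, and the field names and bounds are assumptions for illustration.

```python
# Added example: programming-standard controls as small, testable modules.
# A range check rejects out-of-bounds values; a check digit (Luhn) catches
# single-digit typos and most adjacent transpositions in an identifier before
# the application accepts it.

def luhn_check_digit(payload: str) -> str:
    """Compute the Luhn check digit for a string of decimal digits."""
    if not payload.isdigit():
        raise ValueError("payload must be decimal digits")
    total = 0
    # Walk from the right; the digit nearest the check-digit position is doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of d
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True if the last digit of `number` is the correct Luhn check digit."""
    number = number.replace(" ", "")
    if len(number) < 2 or not number.isdigit():
        return False
    return luhn_check_digit(number[:-1]) == number[-1]


def in_range(value: int, lo: int, hi: int) -> bool:
    """Inclusive range check."""
    return lo <= value <= hi


# Assumed field names and bounds for a hypothetical order record.
QUANTITY_MIN, QUANTITY_MAX = 1, 1000


def validate_order(order: dict) -> list:
    """Return a list of validation failures (empty list means the record passes).

    Each check is independent, so a failure in one field does not hide a
    failure in another; the caller gets the full picture at once.
    """
    errors = []
    qty = order.get("quantity")
    if type(qty) is not int or not in_range(qty, QUANTITY_MIN, QUANTITY_MAX):
        errors.append(f"quantity must be an integer in {QUANTITY_MIN}-{QUANTITY_MAX}")
    account = order.get("account", "")
    if not luhn_valid(str(account)):
        errors.append("account number fails check digit")
    return errors


if __name__ == "__main__":
    # Constructed sample records; 79927398713 is the standard Luhn test value.
    print(validate_order({"quantity": 5, "account": "79927398713"}))   # []
    print(validate_order({"quantity": 0, "account": "79927398714"}))   # two failures
```

The check digit is a control against accidental error, not against a deliberate attacker (anyone can compute a valid Luhn digit); that is why it sits alongside authorisation controls rather than replacing them.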
Authentication Controls
• passwords
• PINs
• smart cards
• biometric devices
• something user knows
• something user has
• something user is
• something user can do
• someplace user is
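Two of the factors listed above combined in one check: something the user knows (a password) and something the user has (a hardware or software token producing one-time codes). This is an added example, not the slides' or the textbook's code. It assumes PBKDF2-SHA256 for password storage and the HOTP/TOTP algorithms of RFC 4226/6238 for the token; the user record, password and token secret are constructed test data (the secret is the RFC 4226 test key).

```python
import hashlib
import hmac
import os
import struct
import time

# Added example: two-factor verification (knows + has).
PBKDF2_ROUNDS = 200_000   # assumed work factor
TOTP_STEP = 30            # seconds per RFC 6238 time step


def make_password_record(password: str, salt: bytes = None) -> dict:
    """Store a password as salt + PBKDF2-SHA256 digest (never the plaintext)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def verify_password(record: dict, password: str) -> bool:
    """Factor 1, something the user KNOWS."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])   # constant-time compare


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Factor 2, something the user HAS. Accepts +/-`window` steps of clock drift."""
    ok = False
    for drift in range(-window, window + 1):
        candidate = totp(secret, at_time + drift * TOTP_STEP)
        # no early return: every candidate is compared, keeping timing uniform
        if hmac.compare_digest(candidate, code):
            ok = True
    return ok


def authenticate(user: dict, password: str, code: str, at_time: int = None) -> bool:
    """Both factors must pass. Both are always evaluated so the response time
    does not reveal which factor was wrong."""
    at_time = int(time.time()) if at_time is None else at_time
    knows = verify_password(user["pw"], password)
    has = verify_totp(user["totp_secret"], code, at_time)
    return knows and has


# Constructed user record (fixed salt so the example is reproducible).
USER = {
    "pw": make_password_record("correct horse battery staple", salt=b"\x00" * 16),
    "totp_secret": b"12345678901234567890",   # RFC 4226 test key
}

if __name__ == "__main__":
    # At t=59 the RFC 6238 SHA-1 test vector gives 94287082; 6-digit form is 287082.
    print(authenticate(USER, "correct horse battery staple", "287082", at_time=59))  # True
    print(authenticate(USER, "wrong password", "287082", at_time=59))                # False
    print(authenticate(USER, "correct horse battery staple", "000000", at_time=59))  # False
```

A PIN or smart card slots into the same structure as another "knows" or "has" factor; biometrics ("is") need a matching threshold rather than an exact comparison, which is why they are usually paired with one of the factors above rather than used alone.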
1. IS security policy document
2. Allocation of security responsibilities
3. IS security education & training
4. Reporting of security incidents
5. Virus control
6. Business continuity planning
7. Control of proprietary copying
8. Safeguarding of company records
9. Compliance with data protection