Information Security
Importance of having defined Policy & Process
What is Information?

Data that is
• Accurate and timely
• Specific and organized for a purpose
• Presented within a context that gives it meaning and relevance
• Leads to an increase in understanding and a decrease in uncertainty
Information can be
• Created, Stored or Destroyed
• Processed
• Transmitted
• Corrupted
• Displayed / published on the web
• Verbal – spoken in conversations

‘…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’ (BS ISO 27002:2005)
What is the Importance of Information?

Information is valuable because it can affect

 • Behavior
 • Decision
 • An outcome
What Is Information Security?

Information security is exactly what it says, the security of information.

“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected” (BS ISO 27002:2005)

Process by which digital information assets are protected
Why is information security needed?

• Ensure business continuity and reduce business damage
• Prevent and minimize the impact of security incidents
Data Breach Trends

Worldwide, approximately 1.1 million identities were exposed per breach, mainly owing to the large number of identities breached through hacking attacks.

Apr18’2012 - According to CNN, messages on Twitter and Tumblr indicated members of the loosely-structured hacking network were celebrating the shutdown of the CIA's website.

Sep03’2012 - Swedish government websites were jammed by hackers for hours Monday, with some supporters of WikiLeaks founder Julian Assange claiming responsibility on Twitter.

Sep27'2012 - Police smashed one of Australia's most sophisticated credit card fraud syndicates, seizing more than 15,000 fake cards with a potential value of $37.5 million.

Apr18’2012 - Emory Healthcare in Atlanta announced a data breach after the organization misplaced 10 backup disks, which contained information for more than 315,000 patients.

82% of large organizations reported security breaches caused by staff, including 47% who lost or leaked confidential information.
Security breaches lead to…
• Reputation loss
• Financial loss
• Intellectual property loss
• Legislative breaches leading to legal actions (Cyber Law)
• Loss of customer confidence
• Business interruption costs

LOSS OF GOODWILL
• Information Security is an “Organizational Problem” rather than an “IT Problem”
• More than 70% of threats are internal
• More than 60% of culprits are first-time fraudsters
• Biggest Risk: People
• Biggest Asset: People
• Social Engineering is a major threat
• More than 2/3rd express their inability to determine “Whether my systems are currently compromised?”
What is Risk?

Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.

Threat: Something that can potentially cause damage to the organisation, IT systems or network.

Vulnerability: A weakness in the organization, IT systems, or network that can be exploited by a threat.
The challenges before us

• Define security policies and standards
• Measure actual security against policy
• Report violations to policy
• Correct violations to conform with policy
• Summarize policy compliance for the organization
Where do we start?

“The framework within which an organization strives to meet its need for information security is codified as security policy. A security policy is a concise statement, by those responsible for a system (such as senior management), of information values, protection responsibilities and organizational commitment.”
– US General Accounting Office (GAO)
What is “Security & Privacy”?

“Information Security” relates to the information “owned” by an organisation. Traditionally it has included three component parts:

1. Confidentiality: Controlled access to information. Confidentiality of personally identifiable information is also a privacy concern.
2. Integrity: Ensuring that information can be relied upon to be sufficiently accurate for its purpose.
3. Availability: Assurance that information is accessible when needed.

What Else is “Security”?

It has been suggested recently that these should be reviewed completely or that at least two more components should be added:

4. Accountability: Someone is personally accountable and responsible for the protection of information assets.
5. Audit-ability: Ability to explain changes to information “state” and ongoing audit tests.
Pillars of Information Security

• PEOPLE
• PROCESSES
• TECHNOLOGY
People “Who we are”

People who use or interact with the Information include:
• Share Holders / Owners
• Management
• Employees
• Business Partners
• Service providers
• Contractors
• Customers / Clients
• Regulators etc…
Process “what we do”

The processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives. Typical processes in our IT infrastructure could include:

• Helpdesk / Service management
• Incident Reporting and Management
• Change Requests process
• Request fulfillment
• Access management
• Identity management
• Service Level / Third-party Services Management
• IT procurement process etc...
Technology “what we use to improve what we do”

Network Infrastructure:
• Cabling, Data/Voice Networks and equipment
• Telecommunications services (PABX), including VoIP services, ISDN, Video Conferencing software
• Server computers and associated storage devices
• Operating software for server computers
• Communications equipment and related hardware
• Intranet and Internet connections
• VPNs and Virtual environments
• Remote access services

Application software:
• Finance and assets systems, including Accounting packages, Inventory management, HR systems, Assessment and reporting systems
• Software as a service (SaaS) - instead of as a packaged or custom-made product. Etc..

Physical Security components:
• CCTV Cameras
• Clock in systems / Biometrics
• Environmental management Systems: Humidity Control, Ventilation, Air Conditioning, Fire Control systems
• Electricity / Power backup

Access devices:
• Desktop computers
• Wireless connectivity and PDAs
• Laptops, ultra-mobile laptops
• Thin client computing
• Digital cameras, Printers, Scanners, Photocopier etc.
The Foundation of Information Security
The Information Security Functions
Managing Information Security
Policies

The Purpose

Provide a framework for the management of security across the enterprise
Benefits:
• A blueprint for a company’s security program
• The success of any information security program lies in policy development
• Policy is the essential foundation of an effective information security program
• An effective information security training and awareness effort cannot be initiated without writing information security policies
What are the Objectives & Goals?

• Protect the company & its assets against theft, abuse and other forms of harm and loss
• Estimate possible damage and potential loss through risk analysis
• Comply with requirements for confidentiality, integrity and availability
• Ensure service continuity even if major security incidents occur
• Ensure compliance with current laws, regulations and guidelines
• Motivate administrators and employees to maintain the responsibility for, ownership of and knowledge about information security, in order to minimize the risk of security incidents
Definitions

• Policies: High level statements that provide guidance to workers who must make present and future decisions
• Standards: Requirement statements that provide specific technical specifications
• Guidelines: Optional but recommended specifications
Security Policy

• Access to network resources will be granted through a unique user ID and password
• Passwords will be 8 characters long
• Passwords should include one non-alpha character and not be found in a dictionary
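As an added example (not code from the deck), the password and unique-user-ID statements above written as a policy-as-code check and measured over a constructed set of accounts, following the define / measure / report / summarize steps from "The challenges before us". The word list, account names and candidate passwords are constructed; the dictionary rule goes slightly beyond the slide by also rejecting a dictionary word padded with digits or symbols.

```python
"""Policy-as-code check for the password and unique-user-ID statements on the
slide, measured over a constructed set of accounts. Added example; not the
deck's code."""
import re
from dataclasses import dataclass

# The policy statements, expressed as checkable parameters.
MIN_PASSWORD_LENGTH = 8
# Constructed stand-in for the "dictionary" the policy refers to; a real
# deployment would load a full word list.
DICTIONARY_WORDS = {"password", "welcome", "summer", "letmein", "qwerty"}


@dataclass
class Account:
    user_id: str
    shared: bool               # True when one user ID is used by several people
    candidate_password: str    # only available at the moment the password is set


def password_violations(password: str) -> list[str]:
    """Rules a candidate password breaks; an empty list means compliant."""
    violations = []
    if len(password) < MIN_PASSWORD_LENGTH:
        violations.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not re.search(r"[^A-Za-z]", password):
        violations.append("no non-alphabetic character")
    # "not found in dictionary": compare case-insensitively, and also treat a
    # dictionary word padded with digits or symbols (summer2012) as found.
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if password.lower() in DICTIONARY_WORDS or letters_only in DICTIONARY_WORDS:
        violations.append("found in dictionary")
    return violations


def account_violations(acct: Account) -> list[str]:
    """Measure one account: access must be through a unique user ID and a
    compliant password."""
    found = []
    if acct.shared:
        found.append("shared user ID; access must be via a unique user ID")
    found.extend(password_violations(acct.candidate_password))
    return found


def compliance_report(accounts: list[Account]) -> dict:
    """Report violations per account and summarise compliance for the
    organization (the measure / report / summarize steps)."""
    per_account = {a.user_id: account_violations(a) for a in accounts}
    compliant = sum(1 for v in per_account.values() if not v)
    return {
        "violations": {u: v for u, v in per_account.items() if v},
        "compliant_accounts": compliant,
        "total_accounts": len(accounts),
        "compliance_pct": round(100.0 * compliant / len(accounts), 1) if accounts else 100.0,
    }


# Constructed sample accounts and candidate passwords (not real users).
SAMPLE_ACCOUNTS = [
    Account("alice", False, "Tr0ub4dor&3"),
    Account("bob", False, "summer2012"),
    Account("helpdesk", True, "Welcome!"),
    Account("carol", False, "Abcdefg1"),
]


if __name__ == "__main__":
    report = compliance_report(SAMPLE_ACCOUNTS)
    for user, rules in report["violations"].items():
        print(f"{user}: {'; '.join(rules)}")
    print(f"{report['compliant_accounts']}/{report['total_accounts']} compliant "
          f"({report['compliance_pct']}%)")
```

A check like this runs at the point where a new password is chosen, before it is hashed; stored password hashes cannot be measured against the policy afterwards.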
Basic Rules in Shaping a Policy

•   Policy should never conflict with law

•   Policy must be able to stand up in court, if
    challenged

•   Policy must be properly supported and
    administered
Guidelines for making policy

•   All policies must contribute to the success of
    the organization

•   Management must ensure the adequate
    sharing of responsibility for proper use of
    information systems

•   End users of information systems should be
    involved in the steps of policy formulation
Policies should……

Clearly identify and define the information security goals and the goals of the organization.
Type of InfoSec policies

•   Based on NIST Special Publication 800-14, the three types of
    information security policies are
     –   Enterprise information security program policy
     –   Issue-specific security policies
     –   System-specific security policies


•   The usual procedure
     –   First – creation of the enterprise information security policy – the highest
         level of policy
     –   Next – general policies are met by developing issue- and system-specific
         policies
Elements of Policies
• Statement of Purpose
• Establish roles and responsibility
• Define asset classifications
• Provide direction for decisions
• Establish the scope of authority
• Provide a basis for guidelines and procedures
• Establish accountability
• Describe appropriate use of assets
• Establish relationships to legal requirements
Bull’s Eye Model

• Proven mechanism for prioritizing complex changes
• Issues are addressed by moving from general to specifics
• Focus on systemic solutions instead of individual problems
Bull’s Eye Model (Contd.)
Bull’s Eye Model Layers
• Policies – the outer layer in the bull’s eye diagram
• Networks – the place where threats from public networks meet the organization’s networking infrastructure; in the past, most information security efforts have focused on networks, and until recently information security was often thought to be synonymous with network security
• Systems – computers used as servers, desktop computers, and systems used for process control and manufacturing systems
• Application – all application systems, ranging from packaged applications such as office automation and e-mail programs, to high-end ERP packages and custom application software developed by the organization
The Ten-Step Approach
What Should Management Do?

It is the responsibility of senior management to:
• Clarify what data should be protected
• Decide how sensitive this information is
• Budget for the protection of different types of data
• Determine how much risk the organization is willing to accept
• Implement business processes to regularly monitor and improve
• Assign responsibility for this to appropriate senior staff
What Should IT Do?

The IT department can then decide on the best way to provide the necessary security:
• Work with management to inventory the corporate information assets & develop security policy
• Stay informed of breaking issues
• Develop and maintain security management capabilities (in-house or contract resources)
• Participate in security audits

It is advisable to concentrate responsibility for the security of information in all forms, printed and electronic, under a single management structure.
What Can You Do?

Once an information security system has been established, organizational culture is a critical factor in ensuring that individual employees pay attention to the information security policies and implement the procedures:
• Become aware of the information assets that cross your desk
• Each time you forward corporate information to someone, ask yourself if there are any security risks
• Speak up if you see evidence of security breaches
• Provide feedback to IT to assist ongoing management of Information Security

Information Security is everyone’s business!!
HIPAA Security Guidelines

• Security Administration
• Physical Safeguards
• Technical Security Services and Mechanisms
Minimum HIPAA Requirements

Security Administration
• Certification Policy ( .308(a)(1))
• Chain of Trust Policy ( .308(a)(2))
• Contingency Planning Policy ( .308(a)(3))
• Data Classification Policy ( .308(a)(4))
• Access Control Policy ( .308(a)(5))
• Audit Trail Policy ( .308(a)(6))
• Configuration Management Policy ( .308(a)(8))
• Incident Reporting Policy ( .308(a)(9))
• Security Governance Policy ( .308(a)(10))
• Access Termination Policy ( .308(a)(11))
• Security Awareness & Training Policy ( .308(a)(12))
Minimum HIPAA Requirements

Physical Safeguards
• Security Plan (Security Roles and Responsibilities) ( .308(b)(1))
• Media Control Policy ( .308(b)(2))
• Physical Access Policy ( .308(b)(3))
• Workstation Use Policy ( .308(b)(4))
• Workstation Safeguard Policy ( .308(b)(5))
• Security Awareness & Training Policy ( .308(b)(6))
Minimum HIPAA Requirements

Technical Security Services and Mechanisms
• Mechanism for controlling system access ( .308(c)(1)(i))
  – “Need-to-know”
• Employ event logging on systems that process or store PHI ( .308(c)(1)(ii))
• Mechanism to authorize the privileged use of PHI ( .308(c)(3))
  – Employ a system or application-based mechanism to authorize activities within system resources in accordance with the Least Privilege Principle.
• Provide corroboration that PHI has not been altered or destroyed in an unauthorized manner ( .308(c)(4))
  – Checksums, double keying, message authentication codes, and digital signatures.
• Users must be authenticated prior to accessing PHI ( .308(c)(5))
  – Uniquely identify each user and authenticate identity
  – Implement at least one of the following methods to authenticate a user: Password; Biometrics; Physical token; Call-back or strong authentication for dial-up remote access users.
  – Implement automatic log-offs to terminate sessions after set periods of inactivity.
• Protection of PHI on networks with connections to external communication systems or public networks ( .308(d))
  – Intrusion detection
  – Encryption
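For the integrity corroboration item ( .308(c)(4)), an added example (not from the deck and not HIPAA's own text) in Python comparing an unkeyed checksum with a keyed message authentication code over a constructed PHI record: a process with write access can refresh a checksum after changing the record, but cannot produce a valid HMAC without the verifier's key. DEMO_KEY and the patient record are constructed; digital signatures, which additionally give non-repudiation, are not shown.

```python
"""Integrity corroboration for a PHI record: unkeyed checksum versus keyed MAC.
Added example with a constructed (fictional) record; not the deck's code."""
import hashlib
import hmac
import json

# Constructed demo key. In production the verifier's key lives in a KMS/HSM
# and is never stored beside the records it protects, nor in source code.
DEMO_KEY = b"constructed-demo-key-do-not-use"


def canonical(record: dict) -> bytes:
    """Serialise deterministically so equal records give equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> str:
    """Unkeyed SHA-256: detects accidental corruption only, since anyone who
    can write the record can also recompute this value."""
    return hashlib.sha256(canonical(record)).hexdigest()


def mac_tag(record: dict, key: bytes) -> str:
    """HMAC-SHA256: a valid tag requires the key, so a change made by a party
    without the key is detected at verification time."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def checksum_ok(record: dict, stored_checksum: str) -> bool:
    return hmac.compare_digest(checksum(record), stored_checksum)


def mac_ok(record: dict, stored_tag: str, key: bytes) -> bool:
    # compare_digest: constant-time comparison, no early exit on first mismatch.
    return hmac.compare_digest(mac_tag(record, key), stored_tag)


def tamper_demo(key: bytes) -> dict:
    """Store a record with both a checksum and a MAC, then change the record
    the way a process with write access (or a bug) could, refreshing the
    checksum. Returns which verifications still pass afterwards."""
    original = {"patient_id": "P-0001", "allergy": "penicillin", "dose_mg": 250}
    stored_checksum = checksum(original)
    stored_tag = mac_tag(original, key)

    altered = dict(original, dose_mg=2500)   # unauthorized change to the record
    refreshed_checksum = checksum(altered)    # trivially recomputed without a key
    # The tag cannot be refreshed without `key`, so the old tag stays in place.

    return {
        "checksum_still_passes": checksum_ok(altered, refreshed_checksum),
        "mac_still_passes": mac_ok(altered, stored_tag, key),
        "mac_passes_on_original": mac_ok(original, stored_tag, key),
    }


if __name__ == "__main__":
    for check, passed in tamper_demo(DEMO_KEY).items():
        print(f"{check}: {passed}")
```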
Information Security Standards

ISO/IEC 27001 (ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems – Requirements), commonly known as "ISO 27001".
• Published in 2005
• Formally specifies a management system that is intended to bring information security under explicit management control.
• Mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant.
• Management systematically examines the organization's information security risks, taking account of the threats, vulnerabilities and impacts.
• Requires a comprehensive suite of information security controls and/or other forms of risk treatment (e.g. risk avoidance, risk transfer).
• Requires a management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.
Final Note

• Policies are a countermeasure to protect assets from threats
  – Policies exist to inform employees of acceptable (unacceptable) behavior
  – Are meant to improve employee productivity and prevent potentially embarrassing situations
  – Communicate penalties for noncompliance
Human Wall Is Always Better Than A Firewall

. . . LET US BUILD A HUMAN WALL ALONG WITH FIREWALL
Power of logs: practices for network securityPower of logs: practices for network security
Power of logs: practices for network security
 
Cyber law in nepal and implementation
Cyber law in nepal and implementationCyber law in nepal and implementation
Cyber law in nepal and implementation
 
Role of youth in cyber law
Role of youth in cyber lawRole of youth in cyber law
Role of youth in cyber law
 

Recently uploaded

Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 

Recently uploaded (20)

Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 

Information security: importance of having defined policy & process

  • 1. Information Security: Importance of having defined Policy & Process
  • 2. What is Information? Data that is:
    - Accurate and timely
    - Specific and organized for a purpose
    - Presented within a context that gives it meaning and relevance
    - Leads to an increase in understanding and a decrease in uncertainty
  • 3. Information can be: created, stored or destroyed; processed; transmitted; corrupted; displayed or published on the web; verbal (spoken in conversations). "Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected" (BS ISO/IEC 27002:2005).
  • 4. What is the Importance of Information? Information is valuable because it can affect behavior, a decision, or an outcome.
  • 5. What Is Information Security? Information security is exactly what it says: the security of information. "Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected" (BS ISO/IEC 27002:2005). It is the process by which digital information assets are protected.
  • 6. Why is information security needed? To ensure business continuity and reduce business damage, and to prevent and minimize the impact of security incidents.
  • 7. Data Breach Trends
    - Worldwide, approximately 1.1 million identities were exposed per breach, mainly owing to the large number of identities breached through hacking attacks.
    - Apr 18, 2012: According to CNN, messages on Twitter and Tumblr indicated that members of the loosely structured hacking network were celebrating the shutdown of the CIA's website.
    - Sep 3, 2012: Swedish government websites were jammed by hackers for hours on Monday, with some supporters of WikiLeaks founder Julian Assange claiming responsibility on Twitter.
    - Sep 27, 2012: Police smashed one of Australia's most sophisticated credit card fraud syndicates, seizing more than 15,000 fake cards with a potential value of $37.5 million.
    - Apr 18, 2012: Emory Healthcare in Atlanta announced a data breach after the organization misplaced 10 backup disks containing information on more than 315,000 patients.
    - 82% of large organizations reported security breaches caused by staff, including 47% who lost or leaked confidential information.
  • 8. Security breaches lead to: reputation loss; financial loss; intellectual property loss; legislative breaches leading to legal action (cyber law); loss of customer confidence; business interruption costs. In a word: LOSS OF GOODWILL.
  • 9. Information Security is an "Organizational Problem" rather than an "IT Problem" (the figures below are quoted on the slide without a source)
    - More than 70% of threats are internal
    - More than 60% of culprits are first-time fraudsters
    - Biggest risk: people. Biggest asset: people.
    - Social engineering is a major threat
    - More than two-thirds express their inability to determine "whether my systems are currently compromised"
  • 10. What is Risk? Risk: the possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset. Threat: something that can potentially cause damage to the organisation, IT systems or network. Vulnerability: a weakness in the organization, IT systems or network that can be exploited by a threat.
  • 11. The challenges before us: define security policies and standards; measure actual security against policy; report violations of policy; correct violations to conform with policy; summarize policy compliance for the organization.
  • 12. Where do we start? "The framework within which an organization strives to meet its need for information security is codified as security policy. A security policy is a concise statement, by those responsible for a system (such as senior management), of information values, protection responsibilities and organizational commitment." (US General Accounting Office, GAO)
  • 13. What is "Security & Privacy"? "Information Security" relates to the information "owned" by an organisation. Traditionally it has three component parts:
    1. Confidentiality: controlled access to information. Confidentiality of personally identifiable information is also a privacy concern.
    2. Integrity: ensuring that information can be relied upon to be sufficiently accurate for its purpose.
    3. Availability: assurance that information is accessible when needed.
  • 14. What Else is "Security"? It has been suggested recently that these should be reviewed completely, or that at least two more components should be added:
    4. Accountability: someone is personally accountable and responsible for the protection of information assets.
    5. Auditability: the ability to explain changes to information "state" and to run ongoing audit tests.
  • 15. Pillars of Information Security: PEOPLE, PROCESSES, TECHNOLOGY
  • 16. People ("who we are"): people who use or interact with the information include shareholders / owners, management, employees, business partners, service providers, contractors, customers / clients, regulators, etc.
  • 17. Process ("what we do"): processes refer to "work practices" or workflow; they are the repeatable steps taken to accomplish business objectives. Typical processes in our IT infrastructure could include: helpdesk / service management; incident reporting and management; change request process; request fulfilment; access management; identity management; service level / third-party services management; IT procurement process; etc.
  • 18. Technology ("what we use to improve what we do")
    - Network infrastructure: cabling, data/voice networks and equipment; telecommunications services (PABX), including VoIP services, ISDN and video conferencing; server computers and associated storage devices; operating software for server computers; communications equipment and related hardware; intranet and internet connections; VPNs and virtual environments; remote access services; wireless connectivity.
    - Application software: finance and assets systems, including accounting packages, inventory management, HR systems, assessment and reporting systems; software as a service (SaaS) instead of software as a packaged or custom-made product; etc.
    - Physical security components: CCTV cameras; clock-in systems / biometrics.
    - Environmental management systems: humidity control, ventilation, air conditioning, fire control systems; electricity / power backup.
    - Access devices: desktop computers; laptops, ultra-mobile laptops and PDAs; thin client computing; digital cameras, printers, scanners, photocopiers, etc.
  • 19. The Foundation of Information Security (slides 20 to 22 carry no transcript)
  • 23. The Purpose: provide a framework for the management of security across the enterprise.
  • 24. Benefits:
    - A blueprint for a company's security program
    - The success of any information security program lies in policy development
    - Policy is the essential foundation of an effective information security program
    - An effective information security training and awareness effort cannot be initiated without writing information security policies
  • 25. What are the Objectives & Goals?
    - Protect the company and its assets against theft, abuse and other forms of harm and loss
    - Estimate possible damage and potential loss through risk analysis
    - Comply with requirements for confidentiality, integrity and availability
    - Ensure service continuity even if major security incidents occur
    - Ensure compliance with current laws, regulations and guidelines
    - Motivate administrators and employees to maintain responsibility for, ownership of and knowledge about information security, in order to minimize the risk of security incidents
  • 26. Definitions
    - Policies: high-level statements that provide guidance to workers who must make present and future decisions
    - Standards: requirement statements that provide specific technical specifications
    - Guidelines: optional but recommended specifications
  • 27. Security Policy: three statements at decreasing levels of generality
    - Access to network resources will be granted through a unique user ID and password
    - Passwords will be 8 characters long
    - Passwords should include one non-alpha character and not be found in a dictionary
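The slide-11 cycle (define, measure, report, correct, summarize) applied to the slide-27 password statements, as an added example that is not part of the original deck. It encodes the statements as rules over pam_pwquality settings (`minlen`, `dictcheck`, `minclass`); that mapping is an assumption about how the policy is implemented on Linux hosts, and the host names and configuration file contents are constructed for the example. A standard is treated as mandatory and a guideline as advisory, following the slide-26 definitions.

```python
"""Policy-as-code for the slide-27 password statements, run through the slide-11 cycle.

Added example (not from the deck). The mapping of each statement to a
pam_pwquality setting is an assumption for this example, as are the hosts.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    level: str        # "standard" (mandatory) or "guideline" (recommended), per slide 26
    setting: str      # key in /etc/security/pwquality.conf
    default: int      # pam_pwquality's built-in default when the key is absent
    required: int     # minimum acceptable value
    remediation: str  # line to set to conform with policy


# 1. Define: slide 27 statements as machine-checkable rules.
RULES = (
    Rule("min-length", "standard", "minlen", 8, 8, "minlen = 8"),
    Rule("dictionary-check", "guideline", "dictcheck", 1, 1, "dictcheck = 1"),
    # "at least one non-alpha character" approximated as "at least two character classes"
    Rule("non-alpha", "guideline", "minclass", 0, 2, "minclass = 2"),
)


@dataclass(frozen=True)
class Violation:
    host: str
    rule: Rule
    actual: int


def parse_pwquality(text: str) -> dict[str, int]:
    """Parse `key = value` lines of pwquality.conf; comments, blanks and non-integer values are skipped."""
    settings: dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value.lstrip("-").isdigit():
            settings[key] = int(value)
    return settings


# 2. Measure: compare one host's effective settings with every rule.
def measure(host: str, config_text: str) -> list[Violation]:
    settings = parse_pwquality(config_text)
    violations = []
    for rule in RULES:
        actual = settings.get(rule.setting, rule.default)  # absent key -> pwquality default
        if actual < rule.required:
            violations.append(Violation(host, rule, actual))
    return violations


def is_compliant(violations: list[Violation]) -> bool:
    """A host conforms when no *standard* is violated; guideline gaps are advisory only."""
    return not any(v.rule.level == "standard" for v in violations)


# 3. Report and 4. Correct: one line per violation, with the change that would fix it.
def report(violations: list[Violation]) -> list[str]:
    return [
        f"{v.host}: {v.rule.name} [{v.rule.level}] {v.rule.setting}={v.actual}, "
        f"required >= {v.rule.required}; set '{v.rule.remediation}'"
        for v in violations
    ]


# 5. Summarize: policy compliance for the organization.
def summarise(fleet: dict[str, str]) -> dict:
    per_host = {host: measure(host, cfg) for host, cfg in fleet.items()}
    compliant = [host for host, v in per_host.items() if is_compliant(v)]
    all_violations = [v for vs in per_host.values() for v in vs]
    return {
        "hosts": len(fleet),
        "compliant": len(compliant),
        "compliance_pct": round(100 * len(compliant) / len(fleet)) if fleet else 0,
        "violations_by_rule": {
            rule.name: sum(1 for v in all_violations if v.rule.name == rule.name) for rule in RULES
        },
        "findings": report(all_violations),
    }


# Constructed sample: contents of /etc/security/pwquality.conf collected from three hosts.
FLEET = {
    "web-01": "# hardened build\nminlen = 12\nminclass = 3\ndictcheck = 1\n",
    "db-01": "minlen = 6\ndictcheck = 0\n",
    "jump-01": "# package default: every key left commented out\n# minlen = 8\n",
}

if __name__ == "__main__":
    summary = summarise(FLEET)
    for line in summary["findings"]:
        print(line)
    print(f'{summary["compliant"]}/{summary["hosts"]} hosts compliant ({summary["compliance_pct"]}%)')
```

Note that `jump-01` passes the standard without any explicit setting because pam_pwquality's compiled-in defaults already give `minlen = 8` and `dictcheck = 1`; a checker that only greps for the key would wrongly flag it, which is why the rule carries the default. The `db-01` finding is the one that matters for the compliance figure: a guideline gap is reported and a fix is suggested, but only the violated standard makes the host non-compliant.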
  • 28. Basic Rules in Shaping a Policy
    - Policy should never conflict with law
    - Policy must be able to stand up in court, if challenged
    - Policy must be properly supported and administered
  • 29. Guidelines for making policy
    - All policies must contribute to the success of the organization
    - Management must ensure the adequate sharing of responsibility for proper use of information systems
    - End users of information systems should be involved in the steps of policy formulation
  • 30. Policies should clearly identify and define the information security goals and the goals of the organization.
  • 31. Types of InfoSec policies. Based on NIST Special Publication 800-14, the three types of information security policies are: enterprise information security program policy; issue-specific security policies; system-specific security policies. The usual procedure: first, creation of the enterprise information security policy, the highest level of policy; next, the general policies are met by developing issue- and system-specific policies.
  • 32. Elements of Policies: statement of purpose; establish roles and responsibilities; define asset classifications; provide direction for decisions; establish the scope of authority; provide a basis for guidelines and procedures; establish accountability; describe appropriate use of assets; establish relationships to legal requirements.
  • 33. Bull's Eye Model: a proven mechanism for prioritizing complex changes; issues are addressed by moving from the general to the specific; the focus is on systemic solutions instead of individual problems.
  • 34. Bull's Eye Model (contd.) (no transcript)
  • 35. Bull's Eye Model Layers
    - Policies: the outer layer in the bull's eye diagram
    - Networks: the place where threats from public networks meet the organization's networking infrastructure; in the past, most information security efforts focused on networks, and until recently information security was often thought to be synonymous with network security
    - Systems: computers used as servers, desktop computers, and systems used for process control and manufacturing
    - Applications: all application systems, ranging from packaged applications such as office automation and e-mail programs to high-end ERP packages and custom application software developed by the organization
    (slide 36 carries no transcript)
  • 37. What Should Management Do? It is the responsibility of senior management to:
    - Clarify what data should be protected
    - Decide how sensitive this information is
    - Budget for the protection of different types of data
    - Determine how much risk the organization is willing to accept
    - Implement business processes to regularly monitor and improve
    - Assign responsibility for this to appropriate senior staff
  • 38. What Should IT Do? The IT department can then decide on the best way to provide the necessary security:
    - Work with management to inventory the corporate information assets and develop security policy
    - Stay informed of breaking issues
    - Develop and maintain security management capabilities (in-house or contract resources)
    - Participate in security audits
    It is advisable to concentrate responsibility for the security of information in all forms, printed and electronic, under a single management structure.
  • 39. What Can You Do? Once an information security system has been established, organizational culture is a critical factor in ensuring that individual employees pay attention to the information security policies and implement the procedures:
    - Become aware of the information assets that cross your desk
    - Each time you forward corporate information to someone, ask yourself whether there are any security risks
    - Speak up if you see evidence of security breaches
    - Provide feedback to IT to assist ongoing management of information security
    Information Security is everyone's business!
  • 40. HIPAA Security Guidelines: security administration; physical safeguards; technical security services and mechanisms. (The section numbers cited on the next three slides follow the 1998 proposed HIPAA Security Rule; the final Security Rule of 2003 organizes the same safeguards as administrative (45 CFR 164.308), physical (164.310) and technical (164.312).)
  • 41. Minimum HIPAA Requirements: Security Administration
    - Certification Policy (.308(a)(1))
    - Chain of Trust Policy (.308(a)(2))
    - Contingency Planning Policy (.308(a)(3))
    - Data Classification Policy (.308(a)(4))
    - Access Control Policy (.308(a)(5))
    - Audit Trail Policy (.308(a)(6))
    - Configuration Management Policy (.308(a)(8))
    - Incident Reporting Policy (.308(a)(9))
    - Security Governance Policy (.308(a)(10))
    - Access Termination Policy (.308(a)(11))
    - Security Awareness & Training Policy (.308(a)(12))
  • 42. Minimum HIPAA Requirements: Physical Safeguards
    - Security Plan (security roles and responsibilities) (.308(b)(1))
    - Media Control Policy (.308(b)(2))
    - Physical Access Policy (.308(b)(3))
    - Workstation Use Policy (.308(b)(4))
    - Workstation Safeguard Policy (.308(b)(5))
    - Security Awareness & Training Policy (.308(b)(6))
  • 43. Minimum HIPAA Requirements: Technical Security Services and Mechanisms
    - Mechanism for controlling system access (.308(c)(1)(i)): "need-to-know"
    - Employ event logging on systems that process or store PHI (.308(c)(1)(ii))
    - Mechanism to authorize the privileged use of PHI (.308(c)(3)): employ a system- or application-based mechanism to authorize activities within system resources in accordance with the least privilege principle
    - Provide corroboration that PHI has not been altered or destroyed in an unauthorized manner (.308(c)(4)): checksums, double keying, message authentication codes and digital signatures
    - Users must be authenticated prior to accessing PHI (.308(c)(5)): uniquely identify each user and authenticate identity; implement at least one of password, biometrics, physical token, or call-back / strong authentication for dial-up remote access users; implement automatic log-off to terminate sessions after set periods of inactivity
    - Protection of PHI on networks with connections to external communication systems or public networks (.308(d)): intrusion detection; encryption
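The integrity corroboration item on slide 43 lists checksums alongside message authentication codes and digital signatures; the following added example (not from the deck) shows why the distinction matters. It protects a constructed PHI record with a bare SHA-256 checksum and with an HMAC, then plays the attacker who can write both the record and its stored tag: the checksum is simply recomputed, while the MAC fails without the key. The record, the key and the tampered value are all constructed for the example.

```python
"""Integrity corroboration for a PHI record: bare checksum versus keyed MAC (slide 43).

Added example, not from the deck; record, key and tampering are constructed.
"""
import hashlib
import hmac
import json

# Constructed sample record and key. A real deployment keeps the key out of the
# application's reach (KMS/HSM) so that someone who can edit the database
# cannot also read it.
RECORD = {"patient_id": "P-0001", "allergy": "penicillin", "dose_mg": 250}
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"


def canonical(record: dict) -> bytes:
    """Deterministic bytes for a record so equal content always hashes equally."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> str:
    """Unkeyed integrity value: detects accidental corruption only."""
    return hashlib.sha256(canonical(record)).hexdigest()


def mac(record: dict, key: bytes) -> str:
    """Keyed integrity value: detects deliberate alteration by anyone without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_checksum(record: dict, stored: str) -> bool:
    return hmac.compare_digest(checksum(record), stored)


def verify_mac(record: dict, stored: str, key: bytes) -> bool:
    # compare_digest avoids leaking the position of the first differing byte via timing
    return hmac.compare_digest(mac(record, key), stored)


def attacker_edits_checksummed(record: dict) -> tuple:
    """Attacker with write access to both columns: alter the dose and recompute the checksum."""
    altered = dict(record, dose_mg=2500)
    return altered, checksum(altered)


def attacker_edits_macd(record: dict, stored_mac: str) -> tuple:
    """Same attacker against the MAC: without the key the best option is to keep the old tag."""
    altered = dict(record, dose_mg=2500)
    return altered, stored_mac


if __name__ == "__main__":
    rec, tag = attacker_edits_checksummed(RECORD)
    print("checksum still verifies after tampering:", verify_checksum(rec, tag))       # True
    rec, tag = attacker_edits_macd(RECORD, mac(RECORD, INTEGRITY_KEY))
    print("MAC still verifies after tampering:", verify_mac(rec, tag, INTEGRITY_KEY))  # False
```

A MAC proves integrity only to parties holding the same key, which is enough for a system checking its own records; where a third party must be able to verify the record without being able to forge tags, the digital signatures the slide also lists are the right tool. Canonical serialisation matters as well: if the tag were computed over whatever byte order the database happened to return, a benign reordering of fields would look like tampering.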
  • 44. Information Security Standards: ISO/IEC 27001 (ISO/IEC 27001:2005, Information technology -- Security techniques -- Information security management systems -- Requirements), commonly known as "ISO 27001".
    - Published in 2005 (this edition has since been superseded, first by ISO/IEC 27001:2013 and then by ISO/IEC 27001:2022; the essentials listed below still apply)
    - Formally specifies a management system intended to bring information security under explicit management control
    - Mandates specific requirements; organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant
    - Management systematically examines the organization's information security risks, taking account of the threats, vulnerabilities and impacts
    - Requires a comprehensive suite of information security controls and/or other forms of risk treatment (e.g. risk avoidance, risk transfer)
    - Requires a management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis
  • 45. Final Note
    - Policies are a countermeasure to protect assets from threats
    - Policies exist to inform employees of acceptable (and unacceptable) behavior
    - They are meant to improve employee productivity and prevent potentially embarrassing situations
    - They communicate penalties for noncompliance
  • 46. A Human Wall Is Always Better Than A Firewall . . . LET US BUILD A HUMAN WALL ALONG WITH THE FIREWALL