This document discusses the importance of information security policies and processes. It defines information and explains that information can take many forms and must be appropriately protected. It then discusses the importance of information, what constitutes information security, and why information security is needed to protect organizations. Key risks like data breaches are outlined. The document emphasizes that information security is an organizational issue, not just an IT issue, and stresses the importance of people, processes, and technology in an information security program. It provides an overview of some common information security standards and regulations like ISO 27001 and HIPAA.
2. What is Information?
Data that is
• Accurate and timely
• Specific and organized for a purpose
• Presented within a context that gives it meaning and relevance
• Leads to an increase in understanding and a decrease in uncertainty
3. Information can be
Created, Stored or Destroyed
Processed
Transmitted
Corrupted
Displayed / published on web
Verbal – spoken in conversations
‘…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’ (BS ISO 27002:2005)
4. What is the Importance of Information?
Information is valuable because it can affect
• Behavior
• Decision
• An outcome
5. What Is Information Security?
Information security is exactly what it says, the security of information.
“Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected” (BS ISO 27002:2005)
The process by which digital information assets are protected.
6. Why is information security needed?
Ensure business continuity and reduce business damage
Prevent and minimize the impact of security incidents
7. Data Breach Trends
Worldwide, approximately 1.1 million identities were exposed per breach, mainly owing to the large number of identities breached through hacking attacks.
Apr 18, 2012 - According to CNN, messages on Twitter and Tumblr indicated members of the loosely-structured hacking network were celebrating the shutdown of the CIA's website.
Sep 03, 2012 - Swedish government websites were jammed by hackers for hours Monday, with some supporters of WikiLeaks founder Julian Assange claiming responsibility on Twitter.
Sep 27, 2012 - Police smashed one of Australia's most sophisticated credit card fraud syndicates, seizing more than 15,000 fake cards with a potential value of $37.5 million.
Apr 18, 2012 - Emory Healthcare in Atlanta announced a data breach after the organization misplaced 10 backup disks, which contained information for more than 315,000 patients.
82% of large organizations reported security breaches caused by staff, including 47% who lost or leaked confidential information.
8. Security breaches lead to…
• Reputation loss
• Financial loss
• Intellectual property loss
• Legislative breaches leading to legal actions (Cyber Law)
• Loss of customer confidence
• Business interruption costs
LOSS OF GOODWILL
9. • Information Security is an “Organizational Problem” rather than an “IT Problem”
• More than 70% of threats are internal
• More than 60% of culprits are first-time fraudsters
• Biggest risk: People
• Biggest asset: People
• Social engineering is a major threat
• More than two-thirds express their inability to determine “Whether my systems are currently compromised?”
10. What is Risk?
Risk: The possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.
Threat: Something that can potentially cause damage to the organisation, IT systems or network.
Vulnerability: A weakness in the organization, IT systems, or network that can be exploited by a threat.
11. The challenges before us
Define security policies and standards
Measure actual security against policy
Report violations to policy
Correct violations to conform with policy
Summarize policy compliance for the organization
12. Where do we start?
“The framework within which an organization strives to meet its need for information security is codified as security policy. A security policy is a concise statement, by those responsible for a system (such as senior management), of information values, protection responsibilities and organizational commitment.”
– US General Accounting Office (GAO)
13. What is “Security & Privacy”?
“Information Security” relates to the information “owned” by an organisation. Traditionally it included three component parts:
1. Confidentiality: Controlled access to information. Confidentiality of personally identifiable information is also a privacy concern.
2. Integrity: Ensuring that information can be relied upon to be sufficiently accurate for its purpose.
3. Availability: Assurance that information is accessible when needed.
14. What Else is “Security”?
It has been suggested recently that these should be reviewed completely, or that at least two more components should be added:
4. Accountability: Someone is personally accountable and responsible for the protection of information assets.
5. Auditability: Ability to explain changes to information “state” and ongoing audit tests.
16. People “Who we are”
People who use or interact with the Information include:
Shareholders / Owners
Management
Employees
Business Partners
Service providers
Contractors
Customers / Clients
Regulators etc…
17. Process “what we do”
The processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives. Typical processes in our IT infrastructure could include:
Helpdesk / Service management
Incident Reporting and Management
Change Requests process
Request fulfillment
Access management
Identity management
Service Level / Third-party Services Management
IT procurement process etc...
18. Technology “what we use to improve what we do”
Network Infrastructure:
Cabling, Data/Voice Networks and equipment
Telecommunications services (PABX), including VoIP services, Video Conferencing, ISDN
Server computers and associated storage devices
Operating software for server computers
Communications equipment and related hardware.
Intranet and Internet connections
VPNs and Virtual environments
Remote access services
Wireless connectivity and PDAs
Thin client computing.
Application software:
Finance and assets systems, including Accounting packages, Inventory management, HR systems, Assessment and reporting systems
Software as a service (SaaS) - instead of software as a packaged or custom-made product. Etc..
Physical Security components:
CCTV Cameras
Clock-in systems / Biometrics
Environmental management systems: Humidity Control, Ventilation, Air Conditioning, Fire Control systems
Electricity / Power backup
Access devices:
Desktop computers
Laptops, ultra-mobile laptops
Digital cameras, Printers, Scanners, Photocopier etc.
23. The Purpose
Provide a framework for the management of security across the enterprise
24. Benefits:
• A blueprint for a company’s security program
• The success of any information security program lies in policy
development
• Policy is the essential foundation of an effective information
security program
• An effective information security training and awareness effort
cannot be initiated without writing information security policies
25. What are the Objectives & Goals?
Protect company & its assets against theft, abuse and other forms of harm and loss
Estimate possible damage and potential loss through Risk analysis
Comply with requirements for confidentiality, integrity and availability
Ensure service continuity even if major security incidents occur
Ensure compliance with current laws, regulations and guidelines
Motivate administrators and employees to maintain the responsibility for, ownership of and knowledge about information security, in order to minimize the risk of security incidents
26. Definitions
Policies
High-level statements that provide guidance to workers who must make present and future decisions
Standards
Requirement statements that provide specific
technical specifications
Guidelines
Optional but recommended specifications
27. Security Policy
Access to network resources will be granted through a unique user ID and password
Passwords will be 8 characters long
Passwords should include one non-alpha character and not be found in a dictionary
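The three password statements on slide 27 are concrete enough to be checked mechanically, which is exactly the "measure actual security against policy, report violations, summarize compliance" loop that slide 11 describes. The following is an added example (not part of the original slides) that expresses those rules as code. It assumes the "8 characters long" rule is a minimum, and it uses a small constructed wordlist in place of the organization's real dictionary file; `check_password_policy` and `compliance_report` are names chosen here, not from the deck.

```python
"""Policy-as-code check for the three password rules (added example)."""
from __future__ import annotations

import re

# Constructed stand-in for the organization's dictionary; a real deployment
# would load a full wordlist (assumption: this is illustrative only).
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "summer", "football"}

MIN_LENGTH = 8  # "Passwords will be 8 characters long", read as a minimum


def check_password_policy(password: str, dictionary=DICTIONARY) -> list[str]:
    """Return the list of policy violations for one password.

    An empty list means the password complies with all three rules.
    This is meant to run at password-set time: stored passwords should be
    hashed, so the plaintext is only available at the moment it is chosen.
    """
    violations: list[str] = []

    # Rule 2: minimum length.
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")

    # Rule 3a: at least one non-alphabetic character.
    if not re.search(r"[^A-Za-z]", password):
        violations.append("contains no non-alphabetic character")

    # Rule 3b: not a dictionary word. Compare case-insensitively and also with
    # trailing digits/symbols stripped, so 'Password1' is still caught.
    stripped = re.sub(r"[^A-Za-z]+$", "", password).lower()
    if password.lower() in dictionary or stripped in dictionary:
        violations.append("found in dictionary")

    return violations


def compliance_report(samples: dict[str, str], dictionary=DICTIONARY) -> dict:
    """Summarize policy compliance for the organization.

    `samples` maps user IDs to candidate passwords (constructed input). The
    report lists violations per user and an aggregate non-compliance count,
    which is the 'summarize policy compliance' step of the policy loop.
    """
    per_user = {user: check_password_policy(pw, dictionary) for user, pw in samples.items()}
    non_compliant = sum(1 for v in per_user.values() if v)
    return {
        "total": len(per_user),
        "non_compliant": non_compliant,
        "violations": per_user,
    }


if __name__ == "__main__":
    # Constructed sample submissions, not real credentials.
    report = compliance_report({
        "alice": "Tr0ub4dor&3",   # compliant
        "bob": "summer",          # too short, all letters, dictionary word
        "carol": "Password1",     # dictionary word with a digit appended
    })
    for user, problems in report["violations"].items():
        print(user, "OK" if not problems else "; ".join(problems))
    print(f'{report["non_compliant"]} of {report["total"]} non-compliant')
```

The dictionary comparison strips trailing digits and symbols before the lookup because appending "1" or "!" to a common word is the usual way users satisfy a "one non-alpha" rule without actually leaving the dictionary; a checker that only tests the literal string would report such passwords as compliant.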
28. Basic Rules in Shaping a Policy
• Policy should never conflict with law
• Policy must be able to stand up in court, if
challenged
• Policy must be properly supported and
administered
29. Guidelines for making policy
• All policies must contribute to the success of
the organization
• Management must ensure the adequate
sharing of responsibility for proper use of
information systems
• End users of information systems should be
involved in the steps of policy formulation
30. Policies should……
Clearly identify and define the information security goals and the goals of the organization.
31. Type of InfoSec policies
• Based on NIST Special Publication 800-14, the three types of
information security policies are
– Enterprise information security program policy
– Issue-specific security policies
– System-specific security policies
• The usual procedure
– First – creation of the enterprise information security policy – the highest
level of policy
– Next – general policies are met by developing issue- and system-specific
policies
32. Elements of Policies
Statement of Purpose
Establish roles and responsibility
Define asset classifications
Provide direction for decisions
Establish the scope of authority
Provide a basis for guidelines and procedures
Establish accountability
Describe appropriate use of assets
Establish relationships to legal requirements
33. Bull’s Eye Model
• Proven mechanism for prioritizing complex changes
• Issues are addressed by moving from the general to the specific
• Focus on systemic solutions instead of individual problems
35. Bull’s Eye Model Layers
• Policies – the outer layer in the bull’s eye diagram
• Networks – the place where threats from public networks meet the organization’s networking infrastructure; in the past, most information security efforts have focused on networks, and until recently information security was often thought to be synonymous with network security
• Systems – computers used as servers, desktop computers, and systems used for process control and manufacturing systems
• Applications – all application systems, ranging from packaged applications such as office automation and e-mail programs, to high-end ERP packages and custom application software developed by the organization
37. What Should Management Do?
It is the responsibility of senior management to:
Clarify what data should be protected
Decide how sensitive this information is
Budget for the protection of different types of data
Determine how much risk the organization is willing to accept
Implement business processes to regularly monitor and improve
Assign responsibility for this to appropriate senior staff
38. What Should IT Do?
The IT department can then decide on the best way to provide the necessary security:
Work with management to inventory the corporate information assets & develop security policy
Stay informed of breaking issues
Develop and maintain security management capabilities (in-house or contract resources)
Participate in security audits
It is advisable to concentrate responsibility for the security of information in all forms, printed and electronic, under a single management structure.
39. What Can You Do?
Once an information security system has been established, organizational culture is a critical factor in ensuring that individual employees pay attention to the information security policies and implement the procedures:
Become aware of the information assets that cross your desk
Each time you forward corporate information to someone, ask yourself if there are any security risks
Speak up if you see evidence of security breaches
Provide feedback to IT to assist ongoing management of Information Security
Information Security is everyone’s business!!
42. Minimum HIPAA Requirements
Physical Safeguards
Security Plan (Security Roles and Responsibilities) ( .308(b)(1))
Media Control Policy ( .308(b)(2))
Physical Access Policy ( .308(b)(3))
Workstation Use Policy ( .308(b)(4))
Workstation Safeguard Policy ( .308(b)(5))
Security Awareness & Training Policy ( .308(b)(6))
43. Minimum HIPAA Requirements
Technical Security Services and Mechanisms
Mechanism for controlling system access ( .308(c)(1)(i))
“Need-to-know”
Employ event logging on systems that process or store PHI ( .308(c)(1)(ii))
Mechanism to authorize the privileged use of PHI ( .308(c)(3))
Employ a system or application-based mechanism to authorize activities within system
resources in accordance with the Least Privilege Principle.
Provide corroboration that PHI has not been altered or destroyed in an unauthorized manner ( .308(c)(4))
Checksums, double keying, message authentication codes, and digital signatures.
Users must be authenticated prior to accessing PHI ( .308(c)(5))
Uniquely identify each user and authenticate identity
Implement at least one of the following methods to authenticate a user:
Password;
Biometrics;
Physical token;
Call-back or strong authentication for dial-up remote access users.
Implement automatic log-offs to terminate sessions after set periods of inactivity.
Protection of PHI on networks with connections to external communication systems or public networks ( .308(d))
Intrusion detection
Encryption
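The integrity requirement above lists checksums and message authentication codes side by side, but they answer different questions: a checksum detects accidental corruption, while a keyed MAC also detects deliberate, unauthorized alteration, because whoever changed the record cannot recompute a valid tag without the key. The following is an added example, not code from the slides or from any HIPAA guidance, showing the difference on a constructed PHI-like record with Python's standard `hmac` and `hashlib` modules. The key handling is a stated assumption: the MAC key would live in an application key store, separate from the records it protects.

```python
"""Integrity corroboration for a stored record: unkeyed checksum vs keyed MAC (added example)."""
import hashlib
import hmac
import json
import secrets

# Constructed sample record; no real patient data.
RECORD = {"patient_id": "P-0001", "allergies": ["penicillin"], "dose_mg": 50}

# Assumption: the MAC key is held by the application in a key store and is NOT
# stored beside the record. A fresh random key stands in for it here.
MAC_KEY = secrets.token_bytes(32)


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always gives identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def checksum(record: dict) -> str:
    """Unkeyed SHA-256 checksum: detects accidental corruption only."""
    return hashlib.sha256(canonical(record)).hexdigest()


def mac(record: dict, key: bytes = MAC_KEY) -> str:
    """Keyed HMAC-SHA256 tag: detects unauthorized alteration, since a party
    without the key cannot produce a tag that verifies."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_checksum(record: dict, expected: str) -> bool:
    # compare_digest avoids leaking the comparison result through timing.
    return hmac.compare_digest(checksum(record), expected)


def verify_mac(record: dict, expected: str, key: bytes = MAC_KEY) -> bool:
    return hmac.compare_digest(mac(record, key), expected)


def tamper_scenario() -> dict:
    """Contrast the two mechanisms when a record is altered by someone who can
    also rewrite whatever integrity value is stored next to it."""
    stored_mac = mac(RECORD)
    altered = dict(RECORD, dose_mg=500)

    # An unkeyed checksum can simply be recomputed for the altered record, so
    # verification passes and the change goes unnoticed.
    checksum_detects = not verify_checksum(altered, checksum(altered))

    # A tag computed without the real key does not verify, so the MAC check fails.
    tag_without_key = hmac.new(b"some-other-key", canonical(altered), hashlib.sha256).hexdigest()
    mac_detects = not verify_mac(altered, tag_without_key)

    return {
        "checksum_detects_recomputed_tamper": checksum_detects,   # False
        "mac_detects_tamper": mac_detects,                        # True
        "original_mac_still_valid": verify_mac(RECORD, stored_mac),  # True
        "altered_fails_original_mac": not verify_mac(altered, stored_mac),  # True
    }


if __name__ == "__main__":
    for name, outcome in tamper_scenario().items():
        print(f"{name}: {outcome}")
```

The canonical serialization step matters in practice: if two systems serialize the same record with different key order or whitespace, a correct record will fail verification and the integrity alarm becomes noise. Digital signatures, the fourth mechanism on the slide, add non-repudiation on top of this by using a private key that the verifier does not hold.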
44. Information Security Standards
ISO/IEC 27001 (ISO/IEC 27001:2005 - Information technology -- Security techniques -- Information security management systems -- Requirements), commonly known as "ISO 27001".
Published in 2005
Formally specifies a management system that is intended to bring information security under explicit management control.
Mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant.
Management systematically examines the organization's information security risks, taking account of the threats, vulnerabilities and impacts;
Requires a comprehensive suite of information security controls and/or other forms of risk treatment (e.g. risk avoidance, risk transfer);
Requires a management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.
45. Final Note
Policies are a countermeasure to protect assets from threats
Policies exist to inform employees of acceptable (and unacceptable) behavior
Are meant to improve employee productivity and prevent potentially embarrassing situations
Communicate penalties for noncompliance
46. Human Wall Is Always Better Than A Firewall
. . . LET US BUILD A HUMAN WALL ALONG WITH FIREWALL