Introduction
Elements of Information Protection
More than Just Computer Security
Employee Mind Set toward Control
Roles and Responsibilities
Knowledge and Skill
Common Threat
Policies and Procedure
Risk Management
Typical Information Protection Program
Senior Management
Operational Management
Technical Management
Organization Chart
40% Technical: information processing platform, OS, networking in a global distributed environment, security techniques, technical experience in industrial design, risk analysis, physical and data security, auditing techniques. Excellent visionary skill that focuses on scalability, cost effectiveness and ease of implementation.
20% Business: information flow in a multinational, multiplatform networked environment; business dynamics, business processes, good planning and goal setting.
30% Interpersonal: consulting skill, communication skill, legal understanding, ability to work with all management levels and resolve issues, balancing business need with security requirement.
Common Threat
Documentation on the handling and protection of information. It should be enterprise-wide and part of the organization's asset management. The look will differ from company to company. It is the beginning of an information security plan.
Deals with the protection of information: Confidentiality, Integrity, Availability (CIA).
Risk Management
Risk is the possibility of an adverse happening. Identify those risks: identify the information asset, assess the probability of its occurrence and the impact to the asset, prioritize the risks, and identify controls and safeguards. Take cost factors and legislation into account.
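The risk management steps above, as an added worked example that is not from the slides: a small risk register in Python where each entry carries an asset, a threat, a probability, an impact and an optional safeguard with its cost; the register, its figures and the probability-times-impact scoring are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed risk register; assets, probabilities and money figures are
# illustrative assumptions, not data from the presentation.

@dataclass
class Risk:
    asset: str
    threat: str
    probability: float                      # annual likelihood, 0.0 to 1.0
    impact: float                           # loss per occurrence, currency units
    safeguard: str = ""
    safeguard_cost: float = 0.0             # annual cost of the control
    residual_probability: Optional[float] = None  # likelihood once controlled

    def expected_loss(self) -> float:
        # Probability x impact: expected annual loss, used to prioritize
        return self.probability * self.impact

    def safeguard_benefit(self) -> float:
        # Loss avoided per year minus what the control costs; negative means
        # the control costs more than the risk it removes (the cost factor)
        if self.residual_probability is None:
            return 0.0
        avoided = (self.probability - self.residual_probability) * self.impact
        return avoided - self.safeguard_cost


def prioritize(risks):
    """Order risks by expected annual loss, highest first."""
    return sorted(risks, key=lambda r: r.expected_loss(), reverse=True)


def recommended_controls(risks):
    """Safeguards whose avoided loss outweighs their annual cost."""
    return [r.safeguard for r in risks if r.safeguard and r.safeguard_benefit() > 0]


REGISTER = [
    Risk("Customer database", "Unauthorized disclosure", 0.10, 500_000,
         "Encryption at rest", 20_000, 0.02),
    Risk("File server", "Malicious code", 0.40, 50_000,
         "Anti-virus and patching", 8_000, 0.10),
    Risk("Remote access", "Social engineering of credentials", 0.30, 80_000,
         "Security awareness program", 30_000, 0.25),
    Risk("Badge system", "Hardware failure", 0.05, 10_000),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.asset:18} {r.threat:36} expected loss {r.expected_loss():>9,.0f}")
    print("Cost-justified controls:", recommended_controls(REGISTER))
```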
Risk Acceptance
The type of risk may differ from previous risks. The risk may be technical and difficult for a lay person to grasp. The current environment may make it difficult to identify the risk.
Initially the program covered access control and disaster recovery, but it has now expanded to include:
Firewall Control
Risk Analysis
BIA
Virus Control & Response Team
CERT
Computer Crime Investigation
Record Management
Encryption
E-mail, voice mail, Internet and video-mail policy
EIPP
NDA
Legal Issues
Internet Monitoring
Disaster Planning
BCP
Digital Signature
Secure Single Sign-On
Information Classification
Local Area Network
Modem Control
Remote Access
Security Awareness Program
Conclusion
Roles are changing very fast. Resources are limited: owners and users must accept the controls. Understand the needs of the business or the mission of your organization.
Common Threat
Error & Omission
Fraud & Theft
Malicious Code
Denial of Service
Social Engineering
Common Types of Social Engineering
Security Policy
A formal statement of the rules by which people who are given access to an organization's technology and information assets must abide.
The policy sits at the centre of a continuous cycle: Secure, Monitor, Test, Improve.
Organization Security
Takes the input from the security policy and develops the framework for implementing it throughout the organization. Senior management support for the ISAP. Advising business heads of their role in the overall security process.
Asset Classification
Identify all resources and group them into buckets. This process can make security administration easier after it has been implemented.
Personnel Security
Fun and taxing at the same time. It is the responsibility of others as well, not the sole responsibility of the ISM.
Creating job descriptions, performing background checks, helping in the recruitment process and user training.
Physical Security
Is a component of information security that is often the responsibility of a person separate from the other facets of information security. It can encompass everything from closed-circuit television to security lighting and fencing, badge access and HVAC. Backup power is one such area.
Communication and Operation Management
Ensuring that no one person has the ability to cover up a crime. Making sure that systems being disposed of are disposed of in a secure manner. It is easy to overlook this task, but doing so can create large security holes in an organization.
Access Control
If the information security policy is the central nervous system, then access control is the skin. It ensures only authorized access. Access control can be implemented in many ways:
Routers
Firewalls
Desktop operating system
File server
Application
Compliance
Is compliance someone else's job? Compliance is the immune system of the information security program: reviewing and testing an information system for completeness and adequacy.
Common Threat
Malicious Hacker
Hacker, Cracker, Phreaker. The methodology for a hacker is:
Reconnaissance
Scanning
Gaining access
Covering tracks
Malicious Code
Virus, Worm, Trojan Horse, Logic Bomb.
Denial of Service
SYN Flood, FIN Flood, Smurf, Fraggle.
Social Engineering
It is based upon building a trusted relationship. The goal of social engineering is to trick someone into providing valuable information. It plays on:
The desire to be helpful
A tendency to trust people
The fear of getting into trouble
The willingness to cut corners
Continued
Record Management
Workplace Security
Business Continuity Planning
Asset Classification
Why Classify Information?
Prioritization
10% Critical
80% Internal
10%
Where to Begin?
Cultivate contacts. Beware of what you are uncovering.
Applications
Protection of information from unauthorized disclosure. Protection of intellectual property. Facilitation of new information assets. Sharing of information.
Continued
For government and public usage:
Confidential, Secret, Top Secret
Note: In case of a merger or acquisition, the classification level should match that of the parent company.
Storing Information
Transmitting information
Sample Method