
Fundamentals of Information Security

By: Vikash Chourasia

Umbrella of Information Security

Introduction
Elements of Information Protection
More Than Just Computer Security
Employee Mind Set Toward Controls
Roles and Responsibilities
Knowledge and Skill
Common Threats
Policies and Procedures
Risk Management
Typical Information Protection Program

Elements of Information Protection


Information protection supports the business objectives of the organization.
Information protection is an element of due care.
Information protection must be cost effective.
Responsibility and accountability should be made explicit.
Owners of information have responsibilities outside their own organization.
Information protection requires a comprehensive and integrated approach.
Information protection should be periodically reassessed.
Information protection is constrained by the culture of the organization.
Two legal duties underpin this: the duty of loyalty and the duty of care.

More Than Just Computer Security

Address enterprise-wide information protection, not only the computers. Address every stage of the information asset life cycle.

Employee Mind Set Toward Controls


Walkabout (a walk-through of the workplace), checking each element to be addressed:
Office secured
Desk and cabinets secured
Workstation secured
Information secured
Diskettes (removable media) secured

Roles & Responsibility

Senior Management
Corporate Information Officer: day-to-day management of information assets
ISSO & SA: day-to-day administration of the information protection program
Operational Management
Supportive roles: Physical Security group, Procurement group, Contingency Planning group, service providers, computer system technical security


Academic Purpose - Internal

Technical Management
Human Resources
Review and discuss controls

Organization Chart

Knowledge & Skill


10% Managerial and practice management: willingness to manage, or to personally execute, the necessary tasks; ability to supervise a multidisciplinary team and a small staff.
40% Technical: information processing platforms, operating systems and networking in a global distributed environment; security techniques; technical experience in industrial design, risk analysis, physical and data security, and auditing techniques; a vision that focuses on scalability, cost effectiveness and ease of implementation.
20% Business: information flow in a multinational, multiplatform networked environment; business dynamics and business processes; good planning and goal setting.
30% Interpersonal: consulting skill, communication skill, legal understanding, the ability to work with all management levels and resolve issues, and reconciling business needs with security requirements.

Common Threats

As per the survey of current and future dangers:
80% of threats come from internal employees
65% are due to errors and omissions
13% dishonest employees
10% disgruntled employees
8% physical facilities
The remainder is attributed to hackers and crackers

Policies and Procedures

Documentation on the handling and protection of information. It should be enterprise-wide and part of the organization's asset management. Its form will differ from company to company. It is the beginning of an information security plan.
It deals with the protection of information: confidentiality, integrity and availability (CIA).

Risk Management

Risk is the possibility of an adverse event. The process:
Identify the information assets
Identify the risks to those assets
Assess the probability of occurrence
Assess the impact on the asset
Prioritize the risks
Identify controls and safeguards, taking into account cost factors and legislation
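The steps above (asset, probability, impact, prioritize, safeguard, cost) are easiest to see as a small quantitative risk register. This is an added example written for this page, not material from the slides: the asset values, exposure factors, rates of occurrence and control costs are constructed figures, and the single loss expectancy / annualized loss expectancy arithmetic is the standard quantitative method, not something the slides spell out.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One line of a risk register: a threat against an information asset.

    asset_value     : value of the asset (currency units); constructed figures below
    exposure_factor : fraction of that value lost per occurrence, 0.0 to 1.0
    aro             : annualized rate of occurrence (expected events per year)
    """
    asset: str
    threat: str
    asset_value: float
    exposure_factor: float
    aro: float

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence (the impact step)."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy: impact weighted by probability per year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and its effect on the risk it addresses."""
    name: str
    annual_cost: float
    new_exposure_factor: float  # exposure factor once the control is in place
    new_aro: float              # rate of occurrence once the control is in place


def prioritize(register: list[Risk]) -> list[Risk]:
    """Rank risks by ALE, highest first (the 'prioritize the risks' step)."""
    return sorted(register, key=lambda r: r.ale, reverse=True)


def safeguard_net_value(risk: Risk, control: Safeguard) -> float:
    """Annual value of a control = ALE before - ALE after - annual cost.

    A negative result means the control costs more than the risk it removes;
    the options are then to accept the risk or to look for a cheaper control.
    """
    after = Risk(risk.asset, risk.threat, risk.asset_value,
                 control.new_exposure_factor, control.new_aro)
    return risk.ale - after.ale - control.annual_cost


# Constructed register for illustration; none of these figures come from the slides.
REGISTER = [
    Risk("customer database", "ransomware", 400_000, 0.75, 0.25),
    Risk("file server", "disk failure", 80_000, 0.5, 1.0),
    Risk("public web site", "defacement", 32_000, 0.25, 2.0),
    Risk("sales laptop", "theft", 4_000, 1.0, 0.5),
]

# Constructed controls, keyed by the threat each one addresses.
CONTROLS = {
    "ransomware": Safeguard("tested offline backups", 20_000, 0.25, 0.25),
    "theft": Safeguard("laptop tracking service", 3_000, 1.0, 0.25),
}


def evaluate(register=REGISTER, controls=CONTROLS) -> list[tuple[str, float, str]]:
    """For each risk in priority order: (threat, ALE, recommendation)."""
    rows = []
    for r in prioritize(register):
        control = controls.get(r.threat)
        if control is None:
            rows.append((r.threat, r.ale, "no control proposed"))
            continue
        net = safeguard_net_value(r, control)
        verdict = f"implement {control.name}" if net > 0 else f"reject {control.name}"
        rows.append((r.threat, r.ale, verdict))
    return rows


if __name__ == "__main__":
    for threat, ale, verdict in evaluate():
        print(f"{threat:<14} ALE={ale:>9,.0f}  {verdict}")
```

The point of the last column is the cost factor from the slide: the backup control is worth implementing because it removes more annual loss than it costs, while the laptop tracking service costs more than the risk it reduces and is rejected, which is where risk acceptance (next slide) comes in.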

Risk Acceptance

Reasons a risk is hard to recognise before it is accepted:
The type of risk may differ from previous risks
The risk may be technical and difficult for a layperson to grasp
The current environment may make the risk difficult to identify

Typical Information Protection Program

Initially the program covered only access control and disaster recovery. It has since expanded to include:
Firewall control
Risk analysis
Business impact analysis (BIA)
Virus control and response team (CERT)
Computer crime investigation
Records management
Encryption
E-mail, voice mail, Internet and video mail policy
EIPP
NDA
Legal issues
Internet monitoring
Disaster planning and business continuity planning (BCP)
Digital signatures
Secure single sign-on
Information classification
Local area network security
Modem control
Remote access security
Security awareness program

Conclusion

Roles are changing very fast. Resources are limited: owners and users must accept the controls. Understand the needs of the business or the mission of your organization.

Topics of the Presentation

Aspects of Information Security
Security Policy
Organization Security
Asset Classification
Personnel Security
Physical Security
Communication and Operations Management
Access Control
System Development and Maintenance
Disaster Recovery and Management
Compliance

Common Threats
Errors and Omissions
Fraud and Theft
Malicious Code
Denial of Service
Social Engineering
Common Types of Social Engineering

Security Policy

The security policy drives a continuous cycle: Secure, Monitor, Test, Improve, and back to Secure.

A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide (the definition used in RFC 2196).

Organization Security

Takes the security policy as input and develops the framework for implementing it throughout the organization. It requires senior management support for the ISAP and advises business heads on their role in the overall security process.

Asset Classification

Identify all resources and group them into classification buckets. Once implemented, this makes security administration easier.

Personnel Security

Fun and taxing at the same time. It is a responsibility shared with others, not the sole responsibility of the ISM.

It covers creating job descriptions, performing background checks, helping in the recruitment process and training users.

Physical Security

A component of information security that is often the responsibility of a different person than the other facets of information security. It can encompass everything from closed-circuit television, security lighting and fencing, to badge access and HVAC. One area that is easy to forget is backup power.

Communication and Operations Management

Ensuring that no single person has the ability to cover up a crime (separation of duties). Making sure that systems being disposed of are disposed of securely. This task is easy to overlook, and doing so can create large security holes in an organization.

Access Control

If the information security policy is the central nervous system, access control is the skin. It ensures that only authorized access takes place. Access control can be implemented at many layers:
Routers
Firewalls
Desktop operating system
File server
Application

System Development and Maintenance

Patch management. The system development life cycle.

Disaster Recovery and Management

What would you do if your primary computer died? Do you have a plan for restoring all the critical files? Just having an idea of what you would do is not sufficient.
A formal plan must be written, tested and revised regularly, so that everyone knows what to do.

Compliance

Is compliance someone else's job? Compliance is the immune system of the information security program: reviewing and testing an information system for completeness and adequacy.

Common Threats

Errors and Omissions

They attack the integrity leg of the CIA triad. Countermeasures: least privilege, and adequate and frequent backups.

Fraud and Theft

If your end users are not accidentally destroying information, the alternative is fraud and theft. The best line of defense is a well-defined set of security policies.

Malicious Hackers
Hackers, crackers and phreakers. The methodology of a hacker is:
Reconnaissance
Scanning
Gaining access
Covering tracks

Malicious Code
Virus, worm, Trojan horse, logic bomb.

Denial of Service
SYN flood, FIN flood, Smurf, Fraggle.
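The slide only names the attacks, so here is what they look like in traffic and how a simple detector tells them apart. This is an added example, not code from the presentation: the packet records and the thresholds are constructed, and the two rules (many SYNs from a source that never completes a handshake; echo or echo/chargen traffic addressed to one of our directed-broadcast addresses) are the classic signatures of a SYN flood and of Smurf/Fraggle amplification.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """Minimal packet record, the fields a capture summary would give you."""
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    flags: str = ""       # TCP flags: "S" SYN, "SA" SYN-ACK, "A" ACK, "F" FIN, "R" RST
    dport: int = 0        # transport destination port
    icmp_type: int = -1   # ICMP type; 8 = echo request


def syn_flood_suspects(packets, min_syns=20, ratio=10):
    """Sources that open many connections (SYN) but almost never complete them (ACK).

    A real client follows each SYN with an ACK that completes the handshake, so its
    SYN:ACK ratio stays near 1. A flooder (usually with a spoofed source) sends only
    SYNs and leaves half-open connections behind. Any source with at least
    `min_syns` SYNs and more than `ratio` times as many SYNs as ACKs is reported.
    """
    syns = defaultdict(int)
    acks = defaultdict(int)
    for p in packets:
        if p.proto != "tcp":
            continue
        if p.flags == "S":
            syns[p.src] += 1
        elif "A" in p.flags and "S" not in p.flags:   # plain ACK, not SYN-ACK
            acks[p.src] += 1
    return sorted(src for src, n in syns.items()
                  if n >= min_syns and n > ratio * acks[src])


def amplification_suspects(packets, local_nets):
    """Smurf (ICMP echo) and Fraggle (UDP echo/chargen) traffic aimed at a directed
    broadcast address of one of our networks.

    Every host on the subnet answers such a request, and the answers go to the
    (spoofed) source, which is the real victim. Returns (kind, spoofed_src, dst).
    """
    broadcasts = {ip_network(n).broadcast_address for n in local_nets}
    hits = set()
    for p in packets:
        if ip_address(p.dst) not in broadcasts:
            continue
        if p.proto == "icmp" and p.icmp_type == 8:
            hits.add(("smurf", p.src, p.dst))
        elif p.proto == "udp" and p.dport in (7, 19):   # echo, chargen
            hits.add(("fraggle", p.src, p.dst))
    return sorted(hits)


# Constructed traffic sample (not a real capture).
SAMPLE = []
# A normal client: one SYN, then the handshake ACK and some data ACKs, then FIN.
SAMPLE += [Packet("10.0.0.5", "192.0.2.10", "tcp", "S", 80)]
SAMPLE += [Packet("10.0.0.5", "192.0.2.10", "tcp", "A", 80)] * 6
SAMPLE += [Packet("10.0.0.5", "192.0.2.10", "tcp", "F", 80)]
# A SYN flooder: 50 SYNs from one source and never an ACK.
SAMPLE += [Packet("203.0.113.7", "192.0.2.10", "tcp", "S", 80)] * 50
# A Smurf attempt: echo requests to our broadcast address with the victim as source.
SAMPLE += [Packet("198.51.100.9", "192.0.2.255", "icmp", icmp_type=8)] * 3
# A Fraggle attempt: UDP to the chargen port of the broadcast address.
SAMPLE += [Packet("198.51.100.9", "192.0.2.255", "udp", dport=19)]
# A harmless unicast ping, which must not be flagged.
SAMPLE += [Packet("10.0.0.5", "192.0.2.10", "icmp", icmp_type=8)]

LOCAL_NETS = ["192.0.2.0/24"]

if __name__ == "__main__":
    print("SYN flood suspects:", syn_flood_suspects(SAMPLE))
    print("Amplification suspects:", amplification_suspects(SAMPLE, LOCAL_NETS))
```

The SYN-flood rule keys on the source address even though a flooder normally spoofs it; in practice you would also watch the count of half-open connections on the target. The amplification rule is why routers are configured not to forward directed broadcasts: with that in place the second detector should never fire.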

Social Engineering
It is based on building a trusted relationship. The goal of social engineering is to trick someone into providing valuable information. It exploits:
The desire to be helpful
A tendency to trust people
The fear of getting into trouble
The willingness to cut corners

Information Security Policies

Policy is the cornerstone: it establishes a strong footing. There are two types: internal and external.

Form of policy statement:
General program policy (Tier 1)
Topic-specific policy (Tier 2)
Application-specific policy (Tier 3)

High-level (Tier 1) policies:
Employment practices
Employee standards of conduct
Conflict of interest
Performance management
Employee discipline
Information security
Corporate communication
Procurement and contracts
Records management
Workplace security
Business continuity planning

Asset Classification
Why classify information? Prioritization (pyramid, top to bottom):
10% Critical
80% Internal
10% (bottom tier)

What is information classification?

A decision-making process, with input from the management team, that asks:
What are the mission-critical or sensitive activities or operations?
Where is this information stored?
Where is this information processed?
Who requires access to this information?

Where to begin?
Cultivate contacts. Be aware of what you are uncovering.

Applications
Protection of information from unauthorized disclosure. Protection of intellectual property. Facilitating new information assets. Sharing of information.

Basics of Classification of Information

For corporate and private use (lowest to highest sensitivity):
Unrestricted
Protected
Confidential
Restricted

For government and public use:
Confidential
Secret
Top Secret

Note: in the case of a merger or acquisition, the classification levels should be aligned with those of the parent company.

Implementing Information Security Classification

Labeling information
Storing information
Transmitting information
Disposing of unneeded information
Protecting the integrity of information
Allowing appropriate access and disclosure
Establishing accountability

Information Security Classification Example

Storing Information

Transmitting Information
Access Control and Information Classification
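This slide and the earlier Access Control slide both come down to one decision: may this subject, with this clearance, perform this action on an object with this classification? The following is an added example written for this page, not the presentation's own material. It uses the corporate levels from the slides (Unrestricted, Protected, Confidential, Restricted). The need-to-know compartments, the "no write down" rule, and the audit trail are assumptions of the example, added to show how "allowing appropriate access and disclosure" and "establishing accountability" turn into code.

```python
from dataclasses import dataclass, field

# Corporate scheme from the slides, ordered lowest to highest sensitivity.
CORPORATE = ("Unrestricted", "Protected", "Confidential", "Restricted")


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a level from the scheme plus need-to-know compartments.

    Compartments (for example {"HR"}) are an assumption of this example; the
    slides only define levels.
    """
    level: str
    compartments: frozenset = frozenset()


def dominates(a: Label, b: Label, scheme=CORPORATE) -> bool:
    """True if label a is at least as sensitive as b on every axis."""
    # scheme.index raises ValueError for a level outside the scheme; the caller
    # turns that into a deny, so an unlabeled or mislabeled object fails closed.
    return (scheme.index(a.level) >= scheme.index(b.level)
            and b.compartments <= a.compartments)


@dataclass
class AccessControl:
    """Decides read/write requests and records every decision (accountability)."""
    scheme: tuple = CORPORATE
    audit: list = field(default_factory=list)

    def decide(self, subject: str, clearance: Label,
               obj: str, classification: Label, action: str) -> bool:
        try:
            if action == "read":
                # no read up: the subject's clearance must dominate the object
                ok = dominates(clearance, classification, self.scheme)
            elif action == "write":
                # no write down: the object must dominate the subject, so data
                # cannot be copied into a less sensitive container
                ok = dominates(classification, clearance, self.scheme)
            else:
                ok = False
        except ValueError:
            ok = False  # unknown level in either label: deny by default
        self.audit.append((subject, action, obj, classification.level,
                           "ALLOW" if ok else "DENY"))
        return ok


def demo():
    """Constructed requests from an analyst cleared to Confidential / finance."""
    ac = AccessControl()
    analyst = Label("Confidential", frozenset({"finance"}))
    results = {
        "read protected memo": ac.decide(
            "analyst", analyst, "memo", Label("Protected"), "read"),
        "read restricted plan": ac.decide(
            "analyst", analyst, "plan", Label("Restricted"), "read"),
        "read HR file": ac.decide(
            "analyst", analyst, "hr-file",
            Label("Confidential", frozenset({"HR"})), "read"),
        "write to public wiki": ac.decide(
            "analyst", analyst, "wiki", Label("Unrestricted"), "write"),
        "read mislabeled doc": ac.decide(
            "analyst", analyst, "doc", Label("Secret"), "read"),
    }
    return results, ac.audit


if __name__ == "__main__":
    results, audit = demo()
    for request, allowed in results.items():
        print(f"{request:<22} {'ALLOW' if allowed else 'DENY'}")
    print("audit entries:", len(audit))
```

The last request shows the merger note from the earlier slide in practice: a document still labeled with the government scheme ("Secret") is not in the corporate scheme, so the check cannot compare it and denies rather than guessing. The audit list is the accountability record; in a real system it would be written somewhere the subject cannot alter.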

Sample Method

Process Flow Chart
