Information Systems Security IS 460 Notes by Thomas Hilton

Overview What is an Information System Personnel Security Procedural Security Facilities Security Technical Security Security Implementation

Security Perspective: What is an Information System The General Systems View… Intended Output Unintended Output Main Input Spurious Input Transformation Processes Output Interface Input Interface Control Processes

Security Perspective: What is an Information System Intended Output: High Quality Information Unintended Output: Mis-, Dis-, Untimely, Irrelevant, Unknown Origin Main Input: High Quality Data Spurious Input: Mis-, Dis-, Untimely, Irrelevant, Unknown Origin Transformation Processes: Hardware, Software, Procedures, People Output Interface: Video/Print/Audio/Tactile-Kinesthetic/Olfactory, /IM/Website/Telnet/Disks/Cable/Wireless, Conversations/Phone/Notes/Memos/Terminations/Departures Input Interface: Tactile-Kinesthetic/Audio/Video/Print/Olfactory, /IM/Web/Telnet/Disks/Cable/Wireless, Conversations/Phone/Notes/Memos/Hires/Arrivals Control Processes: …?

Scope of Security Subsystem a lá U.S. Department of Defense… Personnel Procedural Facilities Technical

Personnel Security Security Organization Steering Committee CSO Other security personnel Security responsibilities of all personnel Human Resources Hiring and Remuneration Vacation Termination

Procedural Security Risk Assessment Security Audit Security Policy Business Continuity Plan Training Plan

Facilities Security Proximity(Each other, Users, Threats) Perimeters(Boundaries, Access) Power(Electricity Availability, Quality) Etc. (Cooling, Hardening, …)

Technical Security Information C.I.A. Confidentiality Integrity Availability Event Management Deter Detect Mitigate Recover Debrief

Security Implementation IndividualWorkstation WorkgroupLAN EnterpriseWAN / Intranet E-CommerceInternet

Security Implementation Individual / Workstation Operating Systems and Applications User Account Management Data File Management Anti-Virus Software Personal Firewall Other Utilities

Security Implementation Workgroup / LAN All of the above Server security Eaves-dropping Topologies

Security Implementation Enterprise / WAN All of the above DMZs (multiple firewalls) Routers Cold/Hot Site synchronization VPNs

Security Implementation E-Commerce / Internet All of the above Internet visible systems HTML FTP SMTP Etc.