LO3 Review mechanisms to control organisational IT security

Slides:

Advertisements

Similar presentations

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

Advertisements

2 Issues of the information age Computer _______ and mistakes –Preventing computer related waste & mistakes Computer crime –Computer as tool to commit.

Information System protection and Security. Need for Information System Security §With the invent of computers and telecommunication systems, organizations.

E-Commerce Security Issues. General E-Business Security Issues Any E-Business needs to be concerned about network security. The Internet is a “ public.

Security Controls – What Works

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.

Computer Security: Principles and Practice

Factors to be taken into account when designing ICT Security Policies

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Session 3 – Information Security Policies

Network security policy: best practices

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Air Force Association (AFA) 1. 1.Access Control 2.Four Steps to Access 3.How Does it Work? 4.User and Guest Accounts 5.Administrator Accounts 6.Threat.

Information Security Technological Security Implementation and Privacy Protection.

General Awareness Training

Security of Data. Key Ideas from syllabus Security of data Understand the importance of and the mechanisms for maintaining data security Understand the.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

BUSINESS B1 Information Security.

DEVELOPING A RISK ANALYSIS. What is a risk analysis? A Risk analysis is concerned with identifying the risks that an organisation is exposed to, identifying.

Security Awareness: Applying Practical Security in Your World Chapter 1: Introduction to Security.

Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #6 Forensics Services September 10, 2007.

Asset & Security Management Chapter 9. IT Asset Management (ITAM) Is the process of tracking information about technology assets through the entire asset.

How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.

Environment for Information Security n Distributed computing n Decentralization of IS function n Outsourcing.

Information Systems Security Operational Control for Information Security.

Unit 6b System Security Procedures and Standards Component 8 Installation and Maintenance of Health IT Systems This material was developed by Duke University,

G061 - Network Security. Learning Objective: explain methods for combating ICT crime and protecting ICT systems.

Working with HIT Systems

SECURITY OF DATA By: ADRIAN PERHAM. Issues of privacy; Threats to IT systems; Data integrity; Standard clerical procedures; Security measures taken to.

McGraw-Hill/Irwin ©2008 The McGraw-Hill Companies, All Rights Reserved INFORMATION SECURITY SECTION 4.2.

Introduction to Information Security

Security Policies. Threats to security and integrity  Threats to information systems include  Human error –keying errors, program errors, operator errors,

Introduction and Overview of Information Security and Policy By: Hashem Alaidaros 4/10/2015 Lecture 1 IS 332.

Computer Security By Duncan Hall.

Organizing a Privacy Program: Administrative Infrastructure and Reporting Relationships Presented by: Samuel P. Jenkins, Director Defense Privacy Office.

A2 LEVEL ICT 13.6 LEGAL ASPECTS DISASTER RECOVERY.

Operational Issues. Operational Changes It is important to organisations to ensure that they abide by the Law when caring for the safety of their employees,

By: Mark Reed.  Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

Welcome to the ICT Department Unit 3_5 Security Policies.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.

Information Security and Privacy in HRIS

Technical Implementation: Security Risks

Information Systems Security

Add video notes to lecture

CompTIA Security+ Study Guide (SY0-401)

Issues and Protections

Unit 13 IT Systems Troubleshooting and Repair Anne Sewell

Ethical, Social, and Political Issues in E-commerce

Lecture 14: Business Information Systems - ICT Security

A Thread Relevant to all Levels of the EA Cube

INFORMATION SECURITY The protection of information from accidental or intentional misuse of a persons inside or outside an organization Comp 212 – Computer.

Business Risks of Insecure Networks

Answer the questions to reveal the blocks and guess the picture.

Year 10 ICT ECDL/ICDL IT Security.

Securing Information Systems

Security in Networking

Done BY: Zainab Sulaiman AL-Mandhari Under Supervisor: Dr.Tarek

Unit 7 – Organisational Systems Security

LO2: Understand Computer Software

Reporting personal data breaches to the ICO

CompTIA Security+ Study Guide (SY0-501)

County HIPAA Review All Rights Reserved 2002.

INFORMATION SYSTEMS SECURITY and CONTROL

Backup and restoration of data, redundancy

LO2 - Be Able to Design IT Systems to Meet Business Needs

Cyber security Policy development and implementation

Security of Data

Unit 5: Security LO1: P1, P2 + M1.

G061 - Network Security.

European Computer Driving Licence Syllabus version 5.0

Presentation transcript:

LO3 Review mechanisms to control organisational IT security Unit 5: Security LO3 Review mechanisms to control organisational IT security

Learning Outcomes and Assessment Criteria Pass Merit Distinction LO3 Review mechanisms to control organisational IT security D2 Consider how IT security can be aligned with organisational policy, detailing the security impact of any misalignment. P5 Discuss risk assessment procedures. P6 Explain data protection processes and regulations as applicable to an organisation. M3 Summarise the ISO 31000 risk management methodology and its application in IT security. M4 Discuss possible impacts to organisational security resulting from an IT security audit.

LO3 Review mechanisms to control organisational IT security Risk assessment and integrated enterprise risk management: Network change management, audit control, business continuance/disaster recovery plans, potential loss of data/business, intellectual property, hardware and software; probability of occurrence e.g. disaster, theft; staff responsibilities; Data Protection Act; Computer Misuse Act; ISO 31000 standards. Company regulations: Site or system access criteria for personnel; physical security types e.g. biometrics, swipe cards, theft prevention.

Risk assessment and integrated enterprise risk management: Network change management Audit control Business continuance/disaster recovery plans, Potential loss of data/business, Intellectual property, Hardware and software Probability of occurrence e.g. disaster, theft; staff responsibilities; Data Protection Act; Computer Misuse Act; ISO 31000 standards.

(NCCM) Network configuration and change management With this system/discipline in place organising and maintaining information about all of the components in a computer network becomes significantly easier. Network device configuration information will be stored in a centrally located server, where device configurations can be easily downloaded. The network administrator refers to the network configuration management database to determine the best course of action when repairs, modifications or upgrades are needed. https://blog.netwrix.com/2018/01/16/how-to-perform-it-risk-assessment/

(NCCM) Network configuration and change management Uses include: Daily checking of device configuration data to spot any changes in configuration files, which could reveal cyber threats and potential failures. Creating bulk changes such as implementing mass changes to passwords on devices throughout the network Auditing and reporting allowing for easy track information about network components. https://blog.netwrix.com/2018/01/16/how-to-perform-it-risk-assessment/

This image is taken from: Also see more info here: https://searchnetworking.techtarget.com/definition/network-configuration-management This image is taken from: https://www.manageengine.com/network-configuration-manager/network- configuration-and-change-management.html This is a good resource to see a practical software application of NCCM.

Audit control Audits could include: Review and management eg access to systems. Establishment and review of personal, corporate and technical trust. Vetting of staff. Forensic analysis of systems Use of custom forensics or existing sysadmin tools. Audit control An organisation that is unaware of how and where security breaches might occur could soon be faced with a situation that will be costly, and could be very embarrassing. Instead, a security audit should be conducted to check what might go wrong, and to plan improvements before a hacker – or some other individual – takes advantage of the situation.

Training should be given so that employees know what to do, for example, if they suspect a virus attack: Who should they contact first? Should they turn their ICT system off? Employees also need to know what to do if they think their login ID is being used by someone else: Who should they inform of their fear? What methods might be used to trap the culprit? What procedures should be followed to prevent similar lapses in security in future. Business continuance While a security audit will identify weaknesses that ought to be addressed, and an organisation should make every effort to remedy any shortfall, there will always be a risk of a security breach. For this reason, an analysis of risks should be carried out and a contingency plan drawn up. This contingency plan should cover backup, offsite storage, data recovery procedures, access to immediate hardware replacement, plus insurance that covers replacement, loss of business and all the recovery work. Ability of an organization to maintain essential functions during, as well as after, a disaster has occurred.

Backup/restoration of data Employees who are responsible for data recovery should also know the procedures to follow. The aim should be to plan ahead so that the whole system can be up and running again within a specified time- scale, e.g. 24 hours. Then, if the worst case scenario happens, disaster recovery should be as smooth as possible. The contingency plan has to be developed from a full risk analysis, so that every eventuality is taken into consideration.

Potential loss of data/business Costs If data is lost, costs are incurred in recovering the data. If software is corrupted, a copy should be available, but the replacement will take time and incur staff costs. Depending on how serious a breach was experienced, there may be a need to consult specialists, and this too will incur extra costs Loss of business A security breach can result in the collapse of an ICT system. The time during which normal service is not available is called downtime. Organisations that rely on an ICT system to take orders will suffer a loss of business during the downtime. Some customers will come back later, but some will not; they will already have taken their business elsewhere. If a security breach causes data loss, and it proves difficult to recover that data, then the result can be disastrous for an organisation.

Intellectual property Intellectual property protection helps you to stop people stealing or copying: the names of your products or brands your inventions the design or look of your products things you write, make or produce Copyright, patents, designs and trade marks are all types of intellectual property protection. You get some types of protection automatically, others you have to apply for. Consider that you must have mechanisms in place to protect a company's IP

Hardware and software Risk assessment of this take place through ISO 27001 Risk Assessment and Treatment Process.

Probability of occurrence Consider the following when outlining likelihood of security risks: Disaster Theft How can a company meet the following: Data Protection Act (2018 Computer Misuse Act (1990) ISO 31000 standards. What are staff responsibility's in this process? Explaining why data is collected, how it is stored, management of data, following security guidelines etc.

Data Protection Act 2018 Implementation of General Data Protection Regulation(GDPR) Outlines strict rules called ‘data protection principles” There is stronger legal protection for more sensitive information, such as: Race, ethnic background, political opinions, religious beliefs, trade union membership, genetics biometrics (where used for identification), health, sex life or orientation Outlines rights to find out what information the government and other organisations store about you.

Computer Misuse Act (1990) Protect computer users against attacks and theft of information. Offences under the act include: hacking, unauthorized access to computer systems purposefully spreading malicious and damaging software (malware), such as viruses.

ISO 31000 standards Provides guidelines for dealing with today’s threats Not requirements, and is therefore not intended for certification purposes. Risk management guidelines include: Planning Implementing Measure Learn.

Company regulations: Site or system access criteria for personnel; It should not be easy to walk into a facility without a key or badge, or without being required to show identity or authorization. Controlling physical access is your first line of defense, by protecting your data (and your staff) against the simplest of inadvertent or malicious intrusions and interferences. Physical security types could include e.g. biometrics, swipe cards, theft prevention(Cameras etc.).