IT-Security Cookbook

What is IT-Security?
Protection of information, systems and services
against disasters, mistakes and manipulation,
so that the likelihood and the impact of security incidents are minimised.

IT-Security consists of
- Confidentiality: sensitive business objects are disclosed ONLY to authorised persons
- Integrity: control modification of objects; ensure that objects are accurate and complete
- Availability: ensure reliability of services
- Legal compliance: legislation of the relevant countries

IT-Security - Exercise
Confidentiality, Integrity, Availability, Legal compliance:
in pairs, discuss and present examples of each of the security concepts listed above.

The Network is the Computer
Common causes of damage:
  Human error          52%
  Fire                 15%
  Water                10%
  Dishonest people     10%
  Technical sabotage   10%
  Terrorism             3%

The Network is the Computer
Who causes damage?
  Current employees    81%
  Outsiders            13%
  Former employees      6%

The Network is the Computer
Types of computer crime:
  Money theft            44%
  Damage to software     16%
  Theft of information   16%
  Alteration of data     12%
  Theft of services      10%
  Trespass                2%

How to improve security
- Know what needs to be protected
- Recognise the threats
- Judge the possible impacts
- Calculate the risks
- Choose counter measures
- Develop a strategy to reduce the risks

Important to observe
When improving security remember:
- Keep it simple
- Keep it coherent (logical links)
- Keep to standards
Your improvements should be able to function in a crisis situation, where people have no time to think deeply!

Bottom-Up approach
If you already know WHAT to protect, from WHOM and to WHAT DEGREE:
- Create an attack situation (i.e. act as if you were the attacker)
- Summarise the weaknesses found
- Judge the impacts
- Create counter measures

Top-Down approach
Start by analysing and creating an overview:
- Define security objectives and analyse threats
- Make an impact analysis
- Calculate risk
- Analyse constraints (from the environment)
- Decide on a counter strategy
- Implement

Calculations!
Calculate the risk:
  Risk = impact * likelihood
This product is the form used for the "total priority" column in the risk-planning table on the next slide (impact 4 * likelihood 3 = 12). A purely additive score (Risk = impact + likelihood + threats) only yields an ordinal ranking and cannot distinguish a rare, severe event from a common, minor one (5 + 1 = 3 + 3), so prefer the product when prioritising.

Risk planning
Total priority = costs/impacts * possibility

Description of the risk | Costs/impacts 1 (low) - 5 (high) | Possibility 1 (low) - 5 (high) | Impacts | Indicators | Mitigation strategy | Contingency plan | Total priority
Virus and worms | 4 | 3 | System stop; slow systems; malfunctions | System log entries; slow systems | Virus protection programmes; firewall; safe backup | Re-installation plan | 12
Minor natural disasters | 5 | 1 | Damage to HW and SW | Rain; storm | Remote backup | Re-installation plan | 5
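The scoring rule from the "Calculations!" slide applied to the planning table above, as an added example (not part of the original slides). The two table rows are taken from the slide; the third entry (a lost laptop) is constructed to show why the multiplicative score ranks better than an additive one.

```python
"""Risk register scoring: 'Risk = impact * likelihood' from the slides,
applied to the planning table plus one constructed entry.

Added example; not part of the original slides."""
from dataclasses import dataclass


@dataclass
class Risk:
    description: str
    impact: int          # costs/impacts, 1 (low) .. 5 (high)
    likelihood: int      # possibility, 1 (low) .. 5 (high)
    indicators: tuple = ()
    mitigation: tuple = ()
    contingency: str = ""

    def __post_init__(self):
        # Reject scores outside the slide's 1..5 scale so a typo cannot
        # silently produce a priority of 0 or 30.
        for name, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be in 1..5, got {value}")


def priority(risk: Risk) -> int:
    """Multiplicative score: the 'total priority' column of the table."""
    return risk.impact * risk.likelihood


def additive_score(risk: Risk) -> int:
    """The slide's alternative additive score, kept only for comparison."""
    return risk.impact + risk.likelihood


def rank(risks, score=priority):
    """Highest priority first; ties broken by impact, because the
    high-impact event is the one the contingency plan must survive."""
    return sorted(risks, key=lambda r: (score(r), r.impact), reverse=True)


# The two rows of the planning table, plus one constructed entry
# (the laptop row is made up for the example, it is not on the slides).
REGISTER = [
    Risk("Virus and worms", impact=4, likelihood=3,
         indicators=("System log entries", "Slow systems"),
         mitigation=("Virus protection programmes", "Firewall", "Safe backup"),
         contingency="Re-installation plan"),
    Risk("Minor natural disasters", impact=5, likelihood=1,
         indicators=("Rain", "Storm"),
         mitigation=("Remote backup",),
         contingency="Re-installation plan"),
    Risk("Lost laptop holding internal data", impact=3, likelihood=3,
         indicators=("Asset report", "Helpdesk ticket"),
         mitigation=("Full-disk encryption", "Remote wipe"),
         contingency="Revoke credentials, notify data owner"),
]


def register_report(risks=REGISTER):
    """Return (description, priority, additive score) rows, highest priority first."""
    return [(r.description, priority(r), additive_score(r)) for r in rank(risks)]


if __name__ == "__main__":
    for desc, mult, add in register_report():
        print(f"{mult:>3} (additive {add})  {desc}")
```

With the product, the laptop (3 * 3 = 9) ranks above the natural disaster (5 * 1 = 5); the additive score gives both 6 and hides the difference, which is the practical reason to keep the multiplicative rule from the slides.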

Security Issues - Exercise
Give some examples of security issues based on your project organisation. Use the scheme from the previous slide.

Security Organization
Roles and responsibilities:
- Executives: security strategy
- IT-Security Manager: guidelines, risk analysis
- Line managers: awareness of policies
- Users: responsible for their actions
- Auditor: independent person

Security Processes
- Security hotline
- Change management
- System monitoring
- Intruder detection ("uninvited" guests)
- Data backup and recovery
- Systems audits

Crisis Management
"Firecall": who is on "firecall"?
If "firecall" can't solve it: who is "emergency standby"?
Crisis management: who will be in charge of crisis management on the spot? (Decide on a chain of command beforehand.)
Keep a list of crisis staff off-line!

Information Classification
Availability classification - classify as to:
- Maximum allowed server downtime per event
- Expected availability percentage
Sensitivity classification:
- Decide on a concept
- Decide on who is to declare sensitivity
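The two availability criteria above are checkable numbers. The following added example (not from the slides) converts an expected availability percentage into a yearly downtime budget and tests a constructed outage log against both that budget and the maximum downtime per event; the 99.9 % target and the 4-hour per-event limit are assumed values for the illustration.

```python
"""Availability classification check: turn an availability target into a
downtime budget and test an outage log against the budget and against the
maximum allowed downtime per event.

Added example, not from the slides; the outage log is constructed."""
from datetime import datetime

HOURS_PER_YEAR = 365 * 24


def allowed_downtime_hours(availability_pct: float, period_hours: float = HOURS_PER_YEAR) -> float:
    """Downtime budget implied by a percentage, e.g. 99.9 % per year = 8.76 h."""
    if not 0 < availability_pct <= 100:
        raise ValueError("availability must be a percentage in (0, 100]")
    return period_hours * (1 - availability_pct / 100)


def hours(start: datetime, end: datetime) -> float:
    """Duration of one outage in hours; a negative interval is a logging error."""
    if end < start:
        raise ValueError("outage ends before it starts")
    return (end - start).total_seconds() / 3600


# Constructed outage log for one server over a year: (start, end)
OUTAGES = [
    (datetime(2024, 1, 10, 2, 0),  datetime(2024, 1, 10, 2, 45)),   # 45 min patch reboot
    (datetime(2024, 3, 4, 9, 0),   datetime(2024, 3, 4, 14, 30)),   # 5.5 h storage failure
    (datetime(2024, 7, 22, 23, 0), datetime(2024, 7, 23, 0, 20)),   # 80 min network outage
]


def check_availability(outages, target_pct: float, max_event_hours: float,
                       period_hours: float = HOURS_PER_YEAR) -> dict:
    """Evaluate both halves of the availability classification:
    the percentage over the period and the per-event maximum."""
    total = sum(hours(s, e) for s, e in outages)
    achieved = 100 * (1 - total / period_hours)
    over_limit = [(s, e) for s, e in outages if hours(s, e) > max_event_hours]
    return {
        "downtime_hours": round(total, 3),
        "budget_hours": round(allowed_downtime_hours(target_pct, period_hours), 3),
        "achieved_pct": round(achieved, 3),
        "meets_target": achieved >= target_pct,
        "events_over_limit": over_limit,
    }


if __name__ == "__main__":
    # Assumed classification: 99.9 % expected availability, at most 4 h per event
    print(check_availability(OUTAGES, target_pct=99.9, max_event_hours=4))
```

The log meets the 99.9 % yearly target (about 7.6 h of downtime against an 8.76 h budget) yet still fails the classification, because the 5.5 h storage failure exceeds the per-event limit; this is why the slide lists both criteria rather than a percentage alone.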

Sensitivity Classification Concept
Concept:
- All data has an owner
- The owner must classify the information
- The owner is responsible for the information
- All documents should be classified
Classification:
- Public / non-classified information
- Internal information
- Confidential information
- Secret information

Requirements on systems
System model in layers:
- Physical: buildings, hardware
- Users and organisation
- Application
- Network and communication
- Database or transaction monitor
- Operating system

Requirements for each class
Public / non-classified data:
- Virus scanner, screen locking, access only for authorised persons
Internal data:
- Security design philosophy
- Systems architecture
Confidential data:
- Trusted facility manual
- Secure data transmission
Secret data:
- Process isolation, security testing
- Mandatory access control
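The sensitivity concept (owner classifies and stays responsible; four levels) and the "mandatory access control" requirement for secret data from the two slides above, put into code as an added example that is not part of the original slides. The four levels are modelled as an ordered lattice with the classic no-read-up and no-write-down rules; the assumption that each level also inherits the controls required of the lower levels, and the names alice, bob and carol, are the example's own.

```python
"""Sensitivity classification enforced in code: every document has an owner
who sets its level, only the owner may change it, and the 'secret' tier's
mandatory access control is modelled as a no-read-up / no-write-down lattice.

Added example, not the slides' own material. The cumulative control list per
level is an assumption (each tier inherits the lower tiers' requirements)."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


# Controls named on the 'Requirements for each class' slide.
REQUIRED_CONTROLS = {
    Level.PUBLIC: ("virus scanner", "screen locking", "access only for authorised persons"),
    Level.INTERNAL: ("security design philosophy", "systems architecture"),
    Level.CONFIDENTIAL: ("trusted facility manual", "secure data transmission"),
    Level.SECRET: ("process isolation", "security testing", "mandatory access control"),
}


def controls_for(level: Level) -> tuple:
    """Assumption: a document at a given level needs the controls of all lower levels too."""
    return tuple(c for lv in Level if lv <= level for c in REQUIRED_CONTROLS[lv])


@dataclass(frozen=True)
class Document:
    name: str
    owner: str
    level: Level


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level


def classify(name: str, owner: str, level: Level) -> Document:
    """An owner is mandatory: unowned data has nobody to classify it."""
    if not owner:
        raise ValueError(f"document {name!r} has no owner to classify it")
    return Document(name, owner, Level(level))


def can_reclassify(doc: Document, actor: str) -> bool:
    """Only the owner declares (and re-declares) sensitivity."""
    return actor == doc.owner


def reclassify(doc: Document, actor: str, new_level: Level) -> Document:
    if not can_reclassify(doc, actor):
        raise PermissionError(f"{actor} is not the owner of {doc.name}")
    return Document(doc.name, doc.owner, Level(new_level))


def may_read(subject: Subject, doc: Document) -> bool:
    """Mandatory rule, no read up: clearance must dominate the document level."""
    return subject.clearance >= doc.level


def may_write(subject: Subject, doc: Document) -> bool:
    """Mandatory rule, no write down: a subject cleared for SECRET must not
    copy what it has seen into an INTERNAL document."""
    return doc.level >= subject.clearance


if __name__ == "__main__":
    forecast = classify("q3-forecast", owner="bob", level=Level.SECRET)
    alice = Subject("alice", Level.CONFIDENTIAL)
    print("alice may read forecast:", may_read(alice, forecast))         # False
    print("alice may write into forecast:", may_write(alice, forecast))  # True
    print("controls for SECRET:", controls_for(Level.SECRET))
```

The point of the two mandatory rules is that they hold regardless of what the owner grants: the owner decides the level, but once a document is SECRET no discretionary permission lets a CONFIDENTIAL-cleared user read it, and a SECRET-cleared user cannot leak it downwards by writing into a lower-level document.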