Presentation is loading. Please wait.

Presentation is loading. Please wait.

TOPIC 1 INTRODUCTION TO INFORMATION SECURITY

PublishHope Watts Modified over 6 years ago

Similar presentations

Presentation on theme: "TOPIC 1 INTRODUCTION TO INFORMATION SECURITY"— Presentation transcript:

1 TOPIC 1 INTRODUCTION TO INFORMATION SECURITY
Reference Principles of Information Security

2 HISTORY OF INFORMATION SECURITY
Computer security has been around since the days of the mainframe Need to secure the physical location of hardware from outside threats With World War II, security actually began Access to classified information was limited to those authorized by badges, keys, background checks, and face recognition.

3 HISTORY OF INFORMATION SECURITY
Operating systems provided no security during these times Information security was mainly composed of simple document classification schemes The primary security concern was equipment theft, espionage (間諜活動) against products of the systems and sabotage (破壞活動)

4 HISTORY OF INFORMATION SECURITY
1970s and 1980s – ARPANET grew into use and so did its misuse. Potential security problems: Sites did not have protection from others accessing remotely Vulnerability of passwords No safety procedures for dial-up connections to ARPANET User identification to access the system did not exist

5 HISTORY OF INFORMATION SECURITY
The Rand Report R-609, which was sponsored by the DoD Identify the role of management and policy issues in computer security Expand the scope of computer security to not only include physical security but also: Safety of the data Limiting access to data Involvement of all personnel from all levels of the organization.

6 HISTORY OF INFORMATION SECURITY
1990s – As networks became more common, connecting was a must, and connecting to the Internet was high in demand The Internet brought connectivity to all computers that could connect to a phone line or LAN The first connections to the Internet were based on de facto standards that did not consider the security issues involved Security used to be a low priority

7 HISTORY OF INFORMATION SECURITY
Today, the Internet has brought millions of unsecured networks into communication with each other The ability for an individual to secure information on a computer relies on how good the overall network security is that the computer is connected to If an outsider has access to the inside network, it would not take long to access an individual node on that network Computer security has evolved into a component of a complex, multifaceted environment now defined as Information Security

8 WHAT IS SECURITY? A successful organization should have multiple layers of security in place: Physical security Personal security Operations security Communications security Network security Information security

9 WHAT IS INFORMATION SECURITY?
The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information Necessary tools: policy, awareness, training, education, technology C.I.A. triangle was standard based on confidentiality, integrity, and availability C.I.A. triangle now expanded into list of critical characteristics of information

10 WHAT IS INFORMATION SECURITY?

11 CRITICAL CHARACTERISTICS OF INFORMATION
Availability – Authorized only users have access to information when and where needed as well as the data needs to in the correct format Accuracy – Accurate, valid. Wrong data is worse than no data Authenticity – State of being original or genuine rather than a copy or fabrication Confidentiality (privacy) - Only those with the rights or privileges access it

12 CRITICAL CHARACTERISTICS OF INFORMATION
Integrity – Quality, completeness, or state of the data (uncorrupted) Utility - Purpose or usability of the data or information Possession - Having ownership or control of information A breach of confidentiality always results in a breach of possession But a breach of possession does not always result in a breach of confidentiality. Example - Someone steals a tape backup containing encrypted data. The theft is a breach of possession, but since the data is encrypted, the data will remain confidential (until the code is broken).

13 COMPONENTS OF AN INFORMATION SYSTEM
Software – System software and application software. Hardest to secure Hardware – Physical components (assets) of the information system Data – The main object of intentional attempted attacks People – Security is a people problem. People are the weakest link when it comes to security. More inside theft/security breaches occur than outside. It takes policy, education, training, technology, and awareness to strengthen the weakest link.

14 COMPONENTS OF AN INFORMATION SYSTEM
Procedures – Written instructions used to accomplish a task. If an unauthorized person acquires procedures, that can be a security breach. Procedures should be distributed on a need-to-know basis. Networks – Most networks are connected to the Internet. Steps to make networks secure is very demanding and definitely essential.

15 Direct Attack/Indirect Attack
Computer can be subject of an attack and/or the object of an attack. When the subject of an attack, computer is used as an active tool to conduct attack. When the object of an attack, computer is the entity being attacked.

16 Security Versus Access
Impossible to obtain perfect security. it is a process, not an absolute. Security should be considered balance between protection and availability. To achieve balance, level of security must allow reasonable access, yet protect against threats.

17 Security Versus Access

18 Approaches to Information Security Implementation
Bottom-Up Approach Grassroots effort: systems administrators attempt to improve security of their systems Key advantage: technical expertise of individual administrators Seldom works, as it lacks a number of critical features: Participant support Organizational staying power

19 Approaches to Information Security Implementation
Top-Down Approach Initiated by upper management Issue policy, procedures and processes Dictate goals and expected outcomes of project Determine accountability for each required action The most successful also involve formal development strategy referred to as systems development life cycle

20 SYSTEMS DEVELOPMENT LIFE CYCLE
Systems development life cycle (SDLC) is methodology and design for implementation of information security within an organization Methodology is formal approach to problem-solving based on structured sequence of procedures Using a methodology ensures a rigorous process avoids missing steps Goal is creating a comprehensive security posture/program

21 SYSTEMS DEVELOPMENT LIFE CYCLE

22 INVESTIGATION What problem is the system being developed to solve?
Objectives, constraints and scope of project are specified Preliminary cost-benefit analysis is developed At the end, feasibility analysis is performed to assesses economic, technical, and behavioral feasibilities of the process

23 ANALYSIS Consists of assessments of the organization, status of current systems, and capability to support proposed systems Analysts determine what new system is expected to do and how it will interact with existing systems Ends with documentation of findings and update of feasibility analysis

24 LOGICAL DESIGN Main factor is business need; applications capable of providing needed services are selected Data support and structures capable of providing the needed inputs are identified Technologies to implement physical solution are determined Feasibility analysis performed at the end

25 PHYSICAL DESIGN Technologies to support the alternatives identified and evaluated in the logical design are selected Components evaluated on make-or-buy decision Feasibility analysis performed; entire solution presented to end-user representatives for approval

26 IMPLEMENTATION Needed software created; components ordered, received, assembled, and tested Users trained and documentation created Feasibility analysis prepared; users presented with system for performance review and acceptance test

27 MAINTENANCE AND CHANGE
Consists of tasks necessary to support and modify system for remainder of its useful life Life cycle continues until the process begins again from the investigation phase When current system can no longer support the organization’s mission, a new project is implemented

28 Security SDLC The same phases used in traditional SDLC may be adapted to support specialized implementation of an IS project Identification of specific threats and creating controls to counter them

29 Security SDLC Phase 1: Investigation Phase 2: Analysis
Management defines project processes and goals and documents these in the program security policy Phase 2: Analysis Analyze existing security policies and programs Analyze current threats and controls Examine legal issues Perform risk analysis

30 Security SDLC Phase 3: Logical Design Phase 4: Physical Design
Develop security blueprint Plan incident response actions Plan business response to disaster Determine feasibility of continuing and/or outsourcing the project Phase 4: Physical Design Select technologies needed to support security blueprint Develop definition of successful solution Design physical security measures to support technological solutions Review the approval project

31 Security SDLC Phase 5: Implementation Phase 6: Maintenance
Buy or develop security solutions At end of phase, present tested package to management for approval Phase 6: Maintenance Constantly monitor, test, modify, update, and repair to meet changing threats

32 INFORMATION SECURITY IS IT AN ART OR A SCIENCE?
Implementation of information security often described as combination of art and science Security as Art No hard and fast rules nor many universally accepted complete solutions No manual for implementing security through entire system

33 INFORMATION SECURITY IS IT AN ART OR A SCIENCE?
Security as Science Dealing with technology designed to perform at high levels of performance Specific conditions cause virtually all actions that occur in computer systems Nearly every fault, security hole, and systems malfunction a result of interaction of specific hardware and software If developers had sufficient time, they could resolve and eliminate faults

34 Information Security terms and concepts
Asset – Organization resource being protected Exploit – A technique used to compromise a system Exposure – A condition or state of being exposed. When a vulnerability known to an attacker is present. Risk – The probability that something unwanted will happen Threat – A category of objects, persons or other entities that presents a danger to asset Threat agent – The specific instance or component of a threat

35 SUMMARY Security should be considered a balance between protection and availability Information security must be managed similar to any major system implemented in an organization using a methodology like Security SDLC Implementation of information security often described as a combination of art and science

36 Readings The CIA Triad Building Security Into The Software Life Cycle
Building Security Into The Software Life Cycle Rethinking Information Security to Improve Business Agility

Download ppt "TOPIC 1 INTRODUCTION TO INFORMATION SECURITY"

Similar presentations

Software Quality Assurance Plan

Software Quality Assurance Plan
Principles of Information Security, Fourth Edition

Principles of Information Security, Fourth Edition
Acquiring Information Systems and Applications

Acquiring Information Systems and Applications
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Security Controls – What Works

Security Controls – What Works
Learning Objectives Upon completion of this material, you should be able to:

Learning Objectives Upon completion of this material, you should be able to:
Introduction to Information Security Chapter 1

Introduction to Information Security Chapter 1
Introduction to Information Security

Introduction to Information Security
Fundamentals of Information Systems, Second Edition

Fundamentals of Information Systems, Second Edition
©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 18-1 Accounting Information Systems 9 th Edition Marshall.

©2003 Prentice Hall Business Publishing, Accounting Information Systems, 9/e, Romney/Steinbart 18-1 Accounting Information Systems 9 th Edition Marshall.
7.2 System Development Life Cycle (SDLC)

7.2 System Development Life Cycle (SDLC)
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Introduction to Systems Analysis and Design

Introduction to Systems Analysis and Design
Acquiring Information Systems and Applications

Acquiring Information Systems and Applications
Acquiring Information Systems and Applications

Acquiring Information Systems and Applications
Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.
Introduction to Computer Technology

Introduction to Computer Technology
Introduction to Network Defense

Introduction to Network Defense
Learning Objectives Upon completion of this material, you should be able to:

Learning Objectives Upon completion of this material, you should be able to:

Similar presentations

Ads by Google