Published by Gwenda Fletcher. Modified over 9 years ago.
Agenda
Introduce key concepts in information security from the practitioner's viewpoint.
Discuss identifying and prioritising information assets through the practical application of risk assessment methods.
Discuss the application of information security best-practice models in high security environments.
Provide practical examples of identifying threats to information assets.
Discuss compliance obligations for Government and non-government organisations.
"The Need to Know"
Understanding your information system.
Understanding the relationship between information security, data quality and governance.
What is Information Security?
Organisations which collect and store data about customers, staff and key business processes (intellectual property) must be able to demonstrate effective security measures that ensure personal information is accurate and up to date, and that vital IP about the core business is secure, in order to retain the confidence of key stakeholders.
"If you can't secure data you can't measure its quality and you can't improve integrity."
What is Information Security?
"Information Security" is the combination of communications security (Comsec) and computer security (Compusec).
Ref: the Defence Signals Directorate (the Australian national computer security and information security authority).
What is Information Security?
"Confidentiality" ensures that information is available only to those people properly authorised to receive it.
"Integrity" ensures that information has not been changed or tampered with.
"Availability" ensures that communications and computing systems are not disrupted in their normal operations.
What is Information Security?
"Authentication" ensures that a person accessing or providing information is actually who they claim to be.
"Non-repudiation" ensures that a person is not able to deny having sent or received information if they have, in fact, done so.
These factors are rapidly growing in importance as day-to-day business is increasingly conducted by electronic means.
Risk Assessment
Do you understand your information system? A risk assessment will reveal a detailed view of your information environment:
Establish the boundaries of your system.
Identify your information inventory.
Identify and value your critical data sets.
Establish the risks to your information system.
Risk Assessment
The risk assessment process converts subjective risks into objective harms: harms to your information system can be assessed, analysed and measured. Risk is assessed against the likelihood and consequence of compromising the confidentiality, integrity or availability of your information.
Risk Assessment
The level of risk is determined by relating the threats to information and assets to the known security weaknesses (vulnerabilities) of the information technology systems that hold them. The level of acceptable risk is a managerial decision, based on the information and recommendations provided in the risk assessment.
Risk Assessment
Discover environmental data:
What data do you hold?
Where is the information, and where does the data reside?
What are the interfaces?
Who has access to your information?
What are the boundaries of your system?
Is information systems security about computers, or about information?
Risk Assessment
Establish the context:
Define the relationship with other systems.
Identify assets.
Establish risk criteria.
Risk identification:
Identify the risks to be managed.
Determine what to protect against (threats).
Determine who to protect against.
Risk Assessment
Risk analysis:
Analyse the risks to be managed.
Estimate likelihood and consequence.
Determine the context against management/control measures.
Assess existing/proposed security measures.
Determine vulnerability and acceptable risk.
Risk Assessment
Risk evaluation and treatment:
Compare assessed risks against the risk criteria.
Consider treatment options.
Recommendations:
Identify the steps to be taken to manage the accepted or residual risks.
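The analysis, evaluation and treatment steps above, carried through as a worked example. This is an added illustration, not material from the presentation: the 5-point likelihood and consequence scales, the rating bands, the "acceptable" threshold, the asset, threats and controls (a customer database, three of the generic threats from the threat slides, three controls) are all assumptions chosen for the example, and the likelihood is reduced per control only to keep the arithmetic visible.

```python
"""Qualitative risk register: likelihood x consequence per CIA property, with
existing controls lowering likelihood and results compared to risk criteria.
Added example; scales, bands, thresholds and the inventory are assumed."""
from dataclasses import dataclass

# Assumed 5-point qualitative scales (substitute your organisation's criteria).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
# The level of acceptable risk is a management decision; assumed here.
ACCEPTABLE_RATINGS = {"low", "medium"}


def rating(score: int) -> str:
    """Map a likelihood x consequence product (1..25) onto an assumed rating band."""
    if score >= 15:
        return "extreme"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Asset:
    name: str
    consequence: dict   # consequence of compromising "C", "I" and "A" for this asset


@dataclass(frozen=True)
class Threat:
    name: str
    compromises: str    # which property the threat harms: "C", "I" or "A"
    likelihood: str     # inherent likelihood, before any controls


@dataclass(frozen=True)
class Control:
    name: str
    counters: str              # name of the threat it mitigates
    likelihood_reduction: int  # steps down the likelihood scale it buys


def assess(asset: Asset, threats: list, controls: list) -> list:
    """Risk analysis and evaluation: one register row per threat to the asset."""
    register = []
    for threat in threats:
        inherent_l = LIKELIHOOD[threat.likelihood]
        reduction = sum(c.likelihood_reduction for c in controls if c.counters == threat.name)
        residual_l = max(1, inherent_l - reduction)   # controls never take likelihood below "rare"
        cons = CONSEQUENCE[asset.consequence[threat.compromises]]
        residual_score = residual_l * cons
        register.append({
            "asset": asset.name,
            "threat": threat.name,
            "property": threat.compromises,
            "inherent": rating(inherent_l * cons),
            "residual": rating(residual_score),
            "residual_score": residual_score,
            "acceptable": rating(residual_score) in ACCEPTABLE_RATINGS,
        })
    # Highest residual risk first, so treatment recommendations come out prioritised.
    return sorted(register, key=lambda row: row["residual_score"], reverse=True)


def needs_treatment(register: list) -> list:
    """Threats whose residual risk exceeds the criteria: treat them, or have management accept them."""
    return [row["threat"] for row in register if not row["acceptable"]]


# Constructed inventory for the example (not real data).
CUSTOMER_DB = Asset("customer database", {"C": "severe", "I": "major", "A": "moderate"})
THREATS = [
    Threat("unauthorised release of data", "C", "possible"),
    Threat("data entry error", "I", "likely"),
    Threat("failure of power", "A", "possible"),
]
CONTROLS = [
    Control("role-based access control", "unauthorised release of data", 1),
    Control("input validation", "data entry error", 1),
    Control("UPS and standby generator", "failure of power", 2),
]

if __name__ == "__main__":
    register = assess(CUSTOMER_DB, THREATS, CONTROLS)
    for row in register:
        print(f"{row['threat']:<32} {row['property']}  inherent={row['inherent']:<8} "
              f"residual={row['residual']:<8} acceptable={row['acceptable']}")
    print("treatment needed:", needs_treatment(register))
```

With these assumed scales the power failure drops from medium to low once the UPS is credited and can be accepted, while the two "extreme" inherent risks only fall to "high" and so still need treatment options or an explicit acceptance by management; the point of the exercise is that the register, not the assessor's intuition, is what that decision is made against.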
High Security Environments Security in Depth
High Security Environments
Characterised by robust security plans, in which information security principles are the key. The "Need to Know" principle: the availability of information is limited to those who need to use or access the information to do their work.
High Security Environments
Awareness: expectations about the use and care of information. Protective security procedures and measures must be understood by those who will implement and practise them. This leads to the concept of "Security in Depth".
Security in Depth
The concept of Security in Depth is a key element in securing information in high security environments. Several protective security barriers must be penetrated before an external intruder, or an unauthorised staff member with no "Need to Know", can reach the information.
Security in Depth
The barriers consist of interlocking measures designed to combine so that any unauthorised penetration attempt is defeated. Protective security procedures and measures must be understood by those who will implement and practise them.
Security in Depth
Protective security procedures and measures:
Staff background checks
Security instructions
Security education programs
Security guards
Access control and surveillance systems
Keys
Safes
Passwords
Threats to Information Assets
Threats that can impact the confidentiality, integrity and availability of an information system include the following generic threats.
Accidental threats:
Fire
Programming error
Technical (hardware) failure
Data entry error
Environmental: failure of power
Threats to Information Assets
Deliberate threats, including:
Denial of service
Eavesdropping
Malicious code: virus
Malicious code: logic bomb
Malicious destruction of data
Malicious destruction of facilities
Unauthorised access to data
Unauthorised release of data
Compliance Obligations
Handle all information with care: all information that an employee or contractor accesses must be handled according to policy, whether official information or personal information (Privacy Act).
Information must only be used for the purpose stated by the agency or organisation; any other use is misuse.
Information must be secured appropriately, through sound security risk management and procedures to identify vital information and information resources. Risks must be reduced to an acceptable level.
Compliance Obligations
The integrity and reliability of information systems which process, store or transmit information require some level of protection. Some Government information (official information) is given a security classification where its compromise could cause harm to the nation, the public interest, the Government, or other entities or individuals. Specific security measures must be followed for classified information.
Information Security Plans
If you can't map your system you can't secure your data. Your system is bounded by your data model. What do you protect? The data in the system. The system is more than the static ICT elements; it also includes:
Paper
Removable media
Knowledge held by people
Communications: internet, phone, mobile, fax etc.
Information Security Plans
Aim: provide an effective information system and resource whose integrity and availability are assured, by:
Incorporating security into every facet of the architecture, design and operation of the system environment.
Establishing a security management strategy.
Developing security standards.
Information Security Plans
Development of information security plans requires a good understanding of your data.
Step 1: Understand your information (data).
Step 2: Understand your information system.
Step 3: Map your system boundaries in a SAPP (Security Architecture and Policy Plan).
Information Security Plans
Step 4: Develop an Information Security (IS) Policy.
Step 5: Develop an Information Security (IS) Plan.
Step 6: Develop and implement a risk management system.
Step 7: Establish an IS education program.
Information Security Plans
Implement the security system.
Implement a compliance management system.
Implement the security education and awareness program.
Outcome: protecting information against unauthorised disclosure, fraud, loss, damage or theft.
Security Education and Awareness Program
Who is responsible?
Restricting Overview Access
All authorised users must take every possible precaution to ensure that information, regardless of its security classification and of the security clearance of those in the vicinity, cannot be viewed by anyone without a "Need-to-Know". Information accessed on the System may only be divulged to another person on a strictly need-to-know basis.
Restricting Overview Access
Any person accessing the System may only view information which they have a need-to-know to do their normal work. A user with privileged access must only access System information on a strictly need-to-know basis, and only when it involves system maintenance. Read and sign the Information Security Procedures at regular intervals.
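The two rules on these slides (clearance is necessary but never sufficient; need-to-know is what grants access, and a privileged user's need-to-know for System information exists only during maintenance) as an access decision in code. This is an added example, not code from the presentation or from any real system: the classification ladder, the compartment names, the users and records, and the `purpose` string used to signal a maintenance task are all assumptions for the illustration.

```python
"""Need-to-know access decision: clearance must dominate the classification,
the record's need-to-know groups must all be held by the user, and privileged
users reach System information only for maintenance. Added example; the level
ordering, compartments, users and records are assumed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Assumed classification ladder, lowest to highest.
LEVELS = ["UNCLASSIFIED", "PROTECTED", "CONFIDENTIAL", "SECRET"]


@dataclass(frozen=True)
class Record:
    name: str
    level: str
    compartments: FrozenSet[str] = frozenset()  # need-to-know groups, e.g. project codes
    system_info: bool = False                   # logs, configs, DB internals: maintenance territory


@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    compartments: FrozenSet[str] = frozenset()  # need-to-know groups granted for normal work
    privileged: bool = False                    # system administrator


def may_view(user: User, record: Record, purpose: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Every denial names the rule that fired."""
    if LEVELS.index(user.clearance) < LEVELS.index(record.level):
        return False, "insufficient clearance"
    if record.system_info:
        # Privilege is not a need-to-know: admins see System information only while maintaining it.
        if not user.privileged:
            return False, "system information requires privileged access"
        if purpose != "maintenance":
            return False, "privileged access to system information is limited to maintenance"
        return True, "privileged maintenance access"
    # Clearance alone is never enough; every need-to-know group on the record must be held.
    missing = record.compartments - user.compartments
    if missing:
        return False, "no need-to-know for " + ", ".join(sorted(missing))
    return True, "clearance and need-to-know satisfied"


def audited_view(user: User, record: Record, purpose: str, log: List[str]) -> bool:
    """Apply the decision and append an audit line so every access, allowed or not, is reviewable."""
    allowed, reason = may_view(user, record, purpose)
    log.append(f"{'ALLOW' if allowed else 'DENY '} user={user.name} record={record.name!r} "
               f"purpose={purpose} reason={reason}")
    return allowed


# Constructed users and records for the example (not real data).
ALICE = User("alice", "SECRET", frozenset({"PROJ-A"}))                # analyst on project A
BOB = User("bob", "SECRET", frozenset(), privileged=True)             # system administrator
CAROL = User("carol", "PROTECTED", frozenset({"PROJ-A", "PROJ-B"}))   # clerk with a lower clearance

PROJECT_A_PLAN = Record("Project A plan", "SECRET", frozenset({"PROJ-A"}))
PROJECT_B_PLAN = Record("Project B plan", "PROTECTED", frozenset({"PROJ-B"}))
SERVER_LOG = Record("server audit log", "PROTECTED", system_info=True)

if __name__ == "__main__":
    audit: List[str] = []
    audited_view(ALICE, PROJECT_A_PLAN, "normal work", audit)
    audited_view(ALICE, PROJECT_B_PLAN, "normal work", audit)   # cleared high enough, but no need-to-know
    audited_view(BOB, SERVER_LOG, "maintenance", audit)
    audited_view(BOB, SERVER_LOG, "curiosity", audit)           # privilege without a maintenance task
    audited_view(BOB, PROJECT_A_PLAN, "normal work", audit)     # an admin has no business need-to-know
    audited_view(CAROL, PROJECT_A_PLAN, "normal work", audit)   # has the need-to-know, but is under-cleared
    print("\n".join(audit))
```

The ordering of the checks is deliberate: clearance first, because a user who cannot hold the information at all should not learn which compartments it belongs to from the denial reason; then the privileged-maintenance rule, so that an administrator's role never silently widens into a need-to-know for business records.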
User Personal Responsibility
Maintain NEED to KNOW.
Report ALL security incidents to the Information Security Officer.
Adhere to the password policy.
Regularly access security information.
Outcome: protecting information against unauthorised disclosure, fraud, loss, damage or theft.
Password Security - The Basics
Passwords must never be written down.
Never share passwords under any circumstances.
Password length must be at least the minimum length defined in the Information Security Procedures.
Never include the user ID in the password.
Password Security - The Basics
Passwords should not be based on any common abbreviation or acronym.
Passwords should not be based on any information about yourself, including family, friends, pets, birthdays etc.
Publish the password rules in the Information Security Procedures.
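The checkable rules from the two password slides (minimum length, no user ID, not a common abbreviation or acronym, not based on personal information) implemented as a checker that a registration form or help desk could run over a candidate password. This is an added example, not code from the presentation: the minimum length of 12, the short abbreviation list, the leet-speak substitution map, the birthday formats and the constructed user profile are assumptions; the real minimum length and word lists belong in the Information Security Procedures.

```python
"""Password-rule checker for the basics above: minimum length, no user ID,
not a common abbreviation/acronym, not based on personal information. Added
example; the minimum length, abbreviation list, leet-speak map and the user
profile are assumed."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# "P@ssw0rd" is still "password": fold common substitutions before matching (assumed map).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})


@dataclass
class Policy:
    min_length: int = 12   # assumed; take the real value from the Information Security Procedures
    common_abbreviations: tuple = (
        "asap", "fyi", "admin", "password", "passwd", "pwd", "qwerty", "letmein", "welcome",
    )


@dataclass
class Profile:
    user_id: str
    names: List[str] = field(default_factory=list)   # own, family and friends' names
    pets: List[str] = field(default_factory=list)
    birthday: Optional[date] = None


def _forms(password: str) -> Set[str]:
    """Lower-cased password plus its leet-decoded twin; a token hitting either counts."""
    low = password.lower()
    return {low, low.translate(LEET)}


def _personal_tokens(profile: Profile) -> Set[str]:
    """Substrings that make a password 'based on' the person: names, pets, birthday digits."""
    tokens: Set[str] = set()
    for word in profile.names + profile.pets:
        w = word.lower()
        if len(w) >= 3:              # very short names would match almost anything
            tokens.add(w)
            tokens.add(w[::-1])      # reversed spelling is a common dodge
    if profile.birthday:
        d = profile.birthday
        tokens.update({
            f"{d.year}",
            f"{d.day:02d}{d.month:02d}", f"{d.month:02d}{d.day:02d}",
            f"{d.day:02d}{d.month:02d}{d.year}", f"{d.day:02d}{d.month:02d}{d.year % 100:02d}",
        })
    return tokens


def check_password(password: str, profile: Profile, policy: Policy = Policy()) -> List[str]:
    """Return the list of rule violations; an empty list means the password passes."""
    violations = []
    forms = _forms(password)
    if len(password) < policy.min_length:
        violations.append(f"shorter than the minimum length of {policy.min_length}")
    uid = profile.user_id.lower()
    if any(uid in f or uid[::-1] in f for f in forms):
        violations.append("contains the user ID")
    hits = sorted(a for a in policy.common_abbreviations if any(a in f for f in forms))
    if hits:
        violations.append("based on a common abbreviation or acronym: " + ", ".join(hits))
    hits = sorted(t for t in _personal_tokens(profile) if any(t in f for f in forms))
    if hits:
        violations.append("based on personal information: " + ", ".join(hits))
    return violations


# Constructed user profile for the example (not a real person).
JSMITH = Profile("jsmith", names=["John", "Smith", "Mary"], pets=["Fluffy"],
                 birthday=date(1984, 3, 15))

if __name__ == "__main__":
    for candidate in ["JSmith2024!!", "Fluffy-Rocks-99", "ASAP-1503-xyz",
                      "P@ssw0rd12345", "correct horse battery staple"]:
        result = check_password(candidate, JSMITH)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Two design points worth noting: the birthday and user-ID checks run against the raw lower-cased form (digits intact) while the word checks also run against the leet-decoded form, so "P@ssw0rd12345" is caught as "password" without the digit folding hiding "1503"; and the checker returns every violation rather than stopping at the first, so the user sees all the reasons at once instead of discovering them one re-submission at a time.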
Information Security Audit
Conducting regular information security audits will improve governance and management of your system:
Provide a better understanding of the information and of the system where the information resides.
Improve governance over all system data.
The key word is UNDERSTANDING. "Managing the unknown will lead to less than optimal data quality."
Review
Key concepts in information security from the practitioner's viewpoint.
Identifying and prioritising information assets through the practical application of risk assessment methods.
The application of information security best-practice models in high security environments.
Review
Practical examples of identifying threats to information assets.
Compliance obligations for Government and non-government organisations.
Development of information security plans.
Advantages of conducting information security audits to check the health of your information security system.
QUESTIONS?