Published by George Shields. Modified over 9 years ago.
1
Information Security Management
2
Workshop Agenda
Understanding your Information Security Environment
Service Management & Risk Identification
Understanding your Risk Environment
Managing the Risk – Compliance Management
Information Security Plans
3
Workshop Theme
Management, Staff and Customers: “Need to Know”?
4
“The Need to Know”?
Understanding Your Information Environment
5
Enterprise Level Information Environment
If you can’t map your system you can’t secure your data
Your system is bounded by your data model
What do you protect?
– The data in the system
The system is more than the static ICT elements:
– Paper
– Media – removable
– Knowledge – people
– Communications – internet, phone, mobile, fax etc
6
“The Need to Know”?
Understanding Your Information Security Environment
7
What is Information Security?
Organisations which collect and store data about:
– Customers, Staff, Key business processes (IP)
Must be able to demonstrate effective security measures
Ensure that personal information is accurate and up to date
Security – the key to retaining the confidence of key stakeholders
“If you can’t secure data, you can’t measure quality and you can’t improve integrity”
8
What is Information Security?
“Information Security” is a combination of:
Communications security (Comsec)
Computer security (Compusec)
Ref: Australian National Computer Security and Information Security Authority, The Defence Signals Directorate
9
What is Information Security?
“Confidentiality”
– ensuring that information is available only to those people properly authorized to receive it
“Integrity”
– ensuring that information has not been changed or tampered with
“Availability”
– ensuring that communications and computing systems are not disrupted in their normal operations
10
What is Information Security?
Authentication
– ensures that a person accessing or providing information is actually who they claim to be
Non-repudiation
– ensures that a person is not able to deny the receipt of information if they have received it
These factors are rapidly growing in importance
– our day-to-day business is increasingly conducted by electronic means
11
QUESTIONS?
12
“The Need to Know”?
Service Management & Risk Identification
13
Service Delivery Management System
Strategies – Policy implementation (business drivers), e.g. Resolution Management at the system level
Plans – Example: what resolution management is, how it will be implemented, who is responsible, e.g. helpdesk manager (reviewed annually)
Processes – Process flows of the Resolution Process (flowcharts)
Procedures – Detailed process charts
Handbooks – Functional Client/Practitioner perspective, e.g. help desk scripts
15
Service Management - Risk Identification
ICT Service Management includes
– Security Management
Effective Security Management requires a holistic approach
IT&C Security Management Framework
– ensure effective management of all security functions
– security risk management
– security related management reporting
– requirements of PSM and Australian Standards
16
Service Management - Risk Identification
An effective Information Security Management System is characterised by the Plan, Do, Check, Act (PDCA) process model
Alignment of Service and Security management functions will ensure
– a seamless transition of service incidents through the resolution process
– timely response and
– detection of risks, which will ensure improved protection of the Agency and networks
17
Service Management - Risk Identification
Plan-Do-Check-Act (PDCA)
The Plan-Do-Check-Act (PDCA) methodology:
Plan: establish the objectives/processes used to deliver results to meet customer requirements and the organization’s policies
Do: implement the processes
Check: monitor and measure processes/services against policies, objectives and requirements and report the results
Act: take actions to continually improve process performance
18
Service Management - Risk Identification
Service Management resolution processes:
– Include Incident and Problem Management
The relationship between Service incidents and Security incidents is fundamental to the
– Detection
– Recording
– Investigation
– Resolution
of security incidents
Service and Security incidents may impact on the efficiency of networks – may represent a risk
19
Service Management - Risk Identification
Service and Security incident / Risk detection
Timely detection of Service and Security incidents
– essential to avert damage or
– disruption to services
Resolution of Service delivery issues starts in the Helpdesk
First Line response to incidents
Challenge – Capture of Issues or Possible Risks at the Helpdesk
20
Service Management - Risk Identification
Risk identification
Resolution is achieved by the Helpdesk
– incident is closed
– Resolution Process is deemed complete
Detection of risks to the network or system may also be initiated at the incident recording stage by the Helpdesk
Development of a comprehensive assessment method to detect the characteristics of incidents
Avert realisation of risks to the network or organization
21
QUESTIONS?
22
“The Need to Know”?
Understanding your Risk Environment
23
Risk Management Environment
Discover environmental data:
What data do you hold?
Where is the information? Where does the data reside? Interfaces?
Who has access to your information?
What are the boundaries of your system?
Is information security about Computers or Information?
24
Risk Management System
Determining the level of risk is achieved by comparing the relationship between
– the threats to information and assets
– the known security weaknesses or vulnerabilities of information technology systems
The level of acceptable risk
– a managerial decision based on the information and recommendations provided in the risk assessment
25
Dynamic Risk Management Systems
Establish the Context
– Define relationship with other systems
– Identify assets
– Establish risk criteria
Risk Identification
– Identify the risks to be managed
– Determine what to protect against (Threats)
– Determine who to protect against
26
Dynamic Risk Management Systems
Risk Analysis
– Analyze risks to be managed
– Estimate likelihood and consequence
– Determine context against management/control measures
– Assess existing/proposed security measures
– Determine vulnerability and acceptable risk
27
Dynamic Risk Management Systems
Risk Evaluation and Treatment
– Compare assessed risks against risk criteria
– Consider treatment options
Recommendations
– Identify the steps to be taken to manage the accepted or residual risks
28
Risk Assessment
Do you understand your information system?
Risk Assessment will reveal a detailed view of your information environment
– Establish the boundaries of your system
– Identify your information inventory
– Identify and value your critical data sets
– Establish the risks to your information system
29
Risk Assessment
The risk assessment process – converting subjective risks into objective harms
Harms to your information system can be assessed, analysed and measured.
Risk is assessed against the likelihood and consequence of compromising:
– Confidentiality
– Integrity
– Availability
of your information
30
Threats to Information Assets
Threats that can impact on the Confidentiality, Integrity and Availability of an Information System include the following generic threats:
Accidental Threats
– Fire
– Programming error
– Technical (hardware) failure
– Data entry error
– Environmental
– Failure of power
31
Threats to Information Assets
Deliberate Threats, including:
– Denial of Service
– Eavesdropping
– Malicious code – virus
– Malicious code – logic
– Malicious destruction of data
– Malicious destruction of facilities
– Unauthorised access to data
– Unauthorised release of data
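To make the Risk Analysis, Evaluation and Treatment steps above concrete, here is an added worked example that is not part of the workshop slides: a small risk register scored on constructed 1..5 likelihood and consequence scales, rated against constructed risk-criteria bands, compared with an assumed acceptable-risk threshold (the managerial decision), and re-scored after a treatment to give the residual risk. The scales, bands, threshold and register entries are assumptions; only the threat names and the CIA attributes come from the slides.

```python
from dataclasses import dataclass, replace

# Constructed scales and criteria (assumptions, not from the slides): the deck only
# says risk = likelihood and consequence, evaluated against risk criteria.
RATING_BANDS = [(5, "Low"), (10, "Medium"), (16, "High"), (25, "Extreme")]
ACCEPTABLE_SCORE = 6  # managerial decision: a score at or below this is accepted


@dataclass(frozen=True)
class Risk:
    asset: str        # what is protected: the data in the system
    threat: str       # taken from the accidental / deliberate threat lists
    impacts: str      # which of Confidentiality / Integrity / Availability is compromised
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    consequence: int  # 1 (insignificant) .. 5 (severe)


def risk_score(likelihood: int, consequence: int) -> int:
    """Risk Analysis: combine likelihood and consequence into a single score (1..25)."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be on the 1..5 scale")
    return likelihood * consequence


def risk_rating(score: int) -> str:
    """Risk Evaluation: map a score onto the risk-criteria bands."""
    for upper, label in RATING_BANDS:
        if score <= upper:
            return label
    raise ValueError(f"score {score} is outside the 1..25 range")


def treat(risk: Risk, likelihood_delta: int = 0, consequence_delta: int = 0) -> Risk:
    """Risk Treatment: a control lowers likelihood and/or consequence; returns the residual risk."""
    return replace(risk,
                   likelihood=max(1, risk.likelihood - likelihood_delta),
                   consequence=max(1, risk.consequence - consequence_delta))


def evaluate(register, acceptable: int = ACCEPTABLE_SCORE):
    """Return (risk, score, rating, needs_treatment) per entry, highest score first."""
    rows = []
    for r in register:
        s = risk_score(r.likelihood, r.consequence)
        rows.append((r, s, risk_rating(s), s > acceptable))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register; threat names are the slides' generic threats.
REGISTER = [
    Risk("customer records", "Unauthorised release of data", "Confidentiality", 3, 5),
    Risk("helpdesk system", "Denial of Service", "Availability", 2, 3),
    Risk("payroll database", "Data entry error", "Integrity", 4, 2),
    Risk("server room", "Failure of power", "Availability", 2, 2),
]
```

Running `evaluate(REGISTER)` ranks the register and flags the entries above the acceptable score for treatment; `treat(REGISTER[0], likelihood_delta=2)` then models a control that makes the top risk less likely, and re-scoring the result gives the residual risk to record in the recommendations.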
32
QUESTIONS?
33
“The Need to Know”?
Managing the Risk – Compliance Management
34
Compliance Obligations
Handle all information with care – all information that an employee or contractor accesses must be handled according to policy – official information, personal information (Privacy Act)
Information must only be used for the purpose stated by the agency or organization – any other use is misuse
Information must be secured appropriately – sound security risk management
– Procedures to identify Vital information and information resources
Risks must be reduced to an acceptable level
35
Compliance Obligations
The integrity and reliability of information systems which process, store or transmit information require some level of protection
Some Government information (official information) is given a security classification where its compromise could cause harm to the nation, the public interest, the Government or other entities or individuals
Specific security measures must be followed
36
QUESTIONS?
37
Information Security Plans
If you can’t map your system you can’t secure your data
Your system is bounded by your data model
What do you protect?
– The data in the system
The system is more than the static ICT elements:
– Paper
– Media – removable
– Knowledge – people
– Communications – internet, phone, mobile, fax etc
38
Information Security Plans
Aim: Provide an effective, integral and available information system and resource by:
– Incorporating security into every facet of the architecture, design and operation of the System environment
– Establishing a Security Management Strategy
– Developing Security Standards
39
Information Security Plans
Development of Information Security Plans requires a good understanding of your data
Step 1 – Understand your information (Data)
Step 2 – Understand your Information System
Step 3 – Map your system boundaries – SAPP (Security Architecture and Policy Plan)
40
Information Security Plans
Step 4 – Develop an Information Security (IS) Policy
Step 5 – Develop an Information Security (IS) Plan
Step 6 – Develop / implement a Risk Management System
Step 7 – Establish an IS Education Program
41
Information Security Plans
Implement Security System
Implement Compliance Management System
Implement Security Education and Awareness Program
Outcome
Protecting information against unauthorized disclosure, fraud, loss, damage or theft
42
QUESTIONS?
© 2025 SlidePlayer.com Inc. All rights reserved.