Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Security Management. Workshop Agenda Understanding your Information Security EnvironmentUnderstanding your Information Security Environment.

Published byGeorge Shields Modified over 9 years ago

Similar presentations

Presentation on theme: "Information Security Management. Workshop Agenda Understanding your Information Security EnvironmentUnderstanding your Information Security Environment."— Presentation transcript:

1 Information Security Management

2 Workshop Agenda Understanding your Information Security EnvironmentUnderstanding your Information Security Environment Service Management & Risk IdentificationService Management & Risk Identification Understanding your Risk EnvironmentUnderstanding your Risk Environment Managing the Risk – Compliance ManagementManaging the Risk – Compliance Management Information Security PlansInformation Security Plans

3 Workshop Theme Management Staff and Customers “Need to Know” ?

4 “The Need to Know” ? Understanding Your Information Environment Information Environment

5 Enterprise Level Information Environment If you can’t map your system you can’t secure your data Your system is bounded by your data model What do you protect ? –The data in the system The system is more that the static ICT elements: –Paper –Media – removable –Knowledge – people –Communications – internet, phone, mobile fax etc

6 “The Need to Know” ? Understanding Your Information Security Environment Information Security Environment

7 What is Information Security ? Organisations which collect and store data about: – Customers, Staff, Key business processes (IP) Must be able to demonstrate effective security measures Ensure that personal information is accurate and up to date Security - the key to retain the confidence of key stakeholders “ If you can’t secure data” “ you can’t measure quality and you can’t improve integrity”

8 What is Information Security ? “Information Security” combination of: Communications securityCommunications security (Comsec) Computer securityComputer security (Compusec) Ref: Australian National Computer Security and Information Security Authority The Defence Signals Directorate

9 What is Information Security ? “Confidentiality““Confidentiality“ –ensuring that information is available only to those people properly authorized to receive it “ Integrity”“ Integrity” –ensuring that information has not been changed or tampered with “Availability”“Availability” –ensures that communications and computing systems are not disrupted in their normal operations

10 What is Information Security ? AuthenticationAuthentication –ensures that a person accessing or providing information is actually who they claim to be Non-repudiationNon-repudiation –ensures that a person is not able to deny the receipt of information if they have received it These factors are rapidly growing in importance –our day-to-day business is increasingly conducted by electronic means

11 QUESTIONS?

12 “The Need to Know” ? Service Management Service Management& Risk Identification Risk Identification

13 Service Delivery Management System StrategiesStrategies - Policy implementation (business drivers) e.g. Resolution Management at the system level PlansPlans - Example - What is resolution management, How it will be implemented, Who is responsible e.g. helpdesk manager (reviewed annually) ProcessesProcesses - Process flows of the Resolution Process (Flowcharts) ProceduresProcedures - Detailed process charts HandbooksHandbooks - Functional Client/Practitioner Perspective e.g. Help desk scripts

14

15 Service Management - Risk Identification ICT Service Management includes –Security Management Effective Security Management requires a holistic approach IT&C Security Management Framework –ensure effective management of all security functions –security risk management –security related management reporting –requirements of PSM and Australian Standards

16 Service Management - Risk Identification Effective Information Security Management System is characterised by the Plan, Do, Check, Act (PDCA) process model Alignment of Service and Security management functions will ensure –a seamless transition of service incidents through the resolution process –to achieve timely response and –detection of risks which will ensure improved protection of the Agency and networks

17 Service Management - Risk Identification Plan-Do-Check-Act (PDCA) The Plan-Do-Check-Act (PDCA) methodology: PlanPlan: establish the objectives/processes used to deliver results to meet customer requirements and the organizations policies DoDo: implement the processes CheckCheck: monitor and measure processes/services against policies, objectives and requirements and report the results ActAct: take actions to continually improve process performance

18 Service Management - Risk Identification Service Management resolution processes: –Include Incident and Problem Management The relationship between Service incidents and Security incidents is fundamental to the –Detection –Recording –Investigation –Resolution of security incidents Service and Security incidents may impact on the efficiency of networks - may represent a risk

19 Service Management - Risk Identification Service and Security incident / Risk detection Timely detection of Service and Security incidents –essential to avert damage or –disruption to services Resolution of Service delivery issues starts in the Helpdesk First Line response to incidents Challenge - Capture of Issues or Possible Risks at the Helpdesk

20 Service Management - Risk Identification Risk identification Resolution is achieved by the Helpdesk –incident is closed –Resolution Process is deemed complete Detection of risks to the network or system may also be initiated at the incident recording stage by the Helpdesk Development of a comprehensive assessment method to detect the characteristics of incidents Avert realisation of risks to the network or organization

21 QUESTIONS?

22 “The Need to Know” ? Understanding your Risk Environment Risk Environment

23 Risk Management Environment Discover environmental data: What data do you hold? Where is the information? Where does the data reside ? Interfaces ? Who has access to your information? What are the boundaries of your system? Is information security about Computers or Information ? Computers or Information ?

24 Risk Management System Determining the level of risk -achieved by –comparing the relationship between the threats to information and assets –the known security weaknesses or vulnerability of information technology systems The level of acceptable risk –a managerial decision based on the information and recommendations provided in the risk assessment

25 Dynamic Risk Management Systems Establish the Context Define relationship with other systems Identify assets Establish risk criteria Risk Identification Identify the risks to be managed Determine what to protect against (Threats) Determine who to protect against

26 Dynamic Risk Management Systems Risk Analysis Analyze risks to be managed Estimate likelihood and consequence Determine context against management/control measures Assess existing/proposed security measures Determine vulnerability and acceptable risk

27 Dynamic Risk Management Systems Risk Evaluation and Treatment –Compare assessed risks against risk criteria –Consider treatment options Recommendations –Identify the steps to be taken to manage the accepted or residual risks

28 Risk Assessment Do you understand your information system ? Risk Assessment will reveal a detailed view of your information environment –Establish the boundaries of your system –Identify your information inventory –Identify and value your critical data sets –Establish the risks to your information system

29 Risk Assessment The risk assessment process - converting subjective risks into objective harms Harms to your information system can be assessed, analysed and measured. Risk is assessed against the likelihood and consequence of compromising: –Confidentiality –Integrity –Availability of your information

30 Threats to Information Assets Threats that can impact on the Confidentiality, Integrity and Availability of an Information System include the following generic threats: Accidental Threats –Fire –Programming error –Technical (hardware) failure –Data entry error –Environmental –Failure of power

31 Threats to Information Assets Deliberate Threats including: –Denial of Service –Eavesdropping –Malicious code - virus –Malicious code - logic –Malicious destruction of data –Malicious destruction of facilities –Unauthorised access to data –Unauthorised release of data

32 QUESTIONS?

33 “The Need to Know” ? Managing the Risk Compliance Management Compliance Management

34 Compliance Obligations Handle all information with care – all information that an employee or contractor accesses must be handled according to policy – official information, personal information (Privacy Act) Information must only be used for the purpose stated by the agency or organization- any other use is misuse Information must be secured appropriately- sound security risk management – Procedures to identify Vital information and information resources Risks must be reduced to an acceptable level

35 Compliance Obligations The Integrity and reliability of information systems which process, store or transmit information - require some level of protection Some Government information (official information) is given a security classification where its compromise could cause harm to the nation, the public interest, the Government or other entities or individuals Specific security measures must be followed

36 QUESTIONS?

37 Information Security Plans If you can’t map your system you can’t secure your data Your system is bounded by your data model What do you protect ? –The data in the system The system is more that the static ICT elements: –Paper –Media – removable –Knowledge – people –Communications – internet, phone, mobile fax etc

38 Information Security Plans Aim: Provide an effective, integral and available information system and resource by: Incorporating security into every facet of the architecture, design and operation of the System environment Establishing a Security Management Strategy Developing Security Standards

39 Information Security Plans Development of Information Security Plans requires a good understanding of your data Step 1 Understand your information (Data) Step 2 Understand your Information System Step 3 Map your system boundaries - SAPP (Security Architecture and Policy Plan)

40 Information Security Plans Step 4 - Develop an Information Security (IS) Policy Step 5 - Develop an Information Security (IS) Plan Step 6 - Develop / implement Risk Management System Step 7 - Establish an IS Education Program

41 Information Security Plans Implement Security System Implement Compliance Management System Implement Security Education and Awareness Program Outcome Protecting information against unauthorized disclosure, fraud, loss, damage or theft

42 QUESTIONS?

Download ppt "Information Security Management. Workshop Agenda Understanding your Information Security EnvironmentUnderstanding your Information Security Environment."

Similar presentations

Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
Risk Management Policy & Procedures An Overview for Staff Prepared by MSM Compliance Services Pty Ltd.

Risk Management Policy & Procedures An Overview for Staff Prepared by MSM Compliance Services Pty Ltd.
Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
Software Quality Assurance Plan

Software Quality Assurance Plan
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Control and Accounting Information Systems

Control and Accounting Information Systems
Control and Accounting Information Systems

Control and Accounting Information Systems
ITIL: Service Transition

ITIL: Service Transition
Auditing Computer Systems

Auditing Computer Systems
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
The Islamic University of Gaza

The Islamic University of Gaza
AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.

AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.
Security Controls – What Works

Security Controls – What Works
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Information Systems Security Officer

Information Systems Security Officer
Stephen S. Yau CSE465 & CSE591, Fall 2006 1 Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,

Stephen S. Yau CSE465 & CSE591, Fall Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,

Similar presentations

Ads by Google