Information Security IBK3IBV01 College 2 Paul J. Cornelisse.


1 Information Security IBK3IBV01 College 2 Paul J. Cornelisse

2 Basis ▸ Information systems and the information processed on them are often considered critical assets that support the mission of an organization.

3 Cost ▸ The costs and benefits of information security should be carefully examined in both monetary and non-monetary terms, to ensure that the cost of controls does not exceed the expected benefits.

4 Controls ▸ Information security controls should be appropriate and proportionate.

5 R & A ▸ The responsibilities and accountabilities of the information owners, providers and users of computer services, and of other parties concerned with the protection of information and computer assets, should be explicit.

6 External users ▸ If a system has external users, its owners have a responsibility to share appropriate knowledge about the existence and general extent of control measures, so that other users can be confident that the system is adequately secure.

7 External users ▸ As we expand the user base to include suppliers, vendors, clients, customers, shareholders, and the like, it is incumbent upon the enterprise to have clear and identifiable controls.

8 First sign ▸ For many organizations, the initial sign-on screen is the first indication that there are controls in place.

9 Basic elements of logon screen ▸ It should contain three basic elements:
1. The system is for authorized users only.
2. Activities are monitored.
3. By completing the sign-on process, the user agrees to the monitoring.

10 More than Just Computer Security ▸ An information security program is more than establishing controls for computer-held data.

11 More than Just Computer Security ▸ The “paperless office” ▸ To be an effective program, information security must move beyond the narrow scope of IT and address information security issues wherever information is handled, not only on computers.

12 More than Just Computer Security ▸ Employee mindset toward controls:
1. Offices secured
2. Desks and cabinets secured
3. Workstations secured
4. Information secured
5. Electronic media secured

13 More than Just Computer Security ▸ The typical office environment will have a 90% to 95% noncompliance rate with at least one of these basic control mechanisms. ▸ When conducting a review, employee privacy issues must be remembered.

14 Developing Policies Policy Is the Cornerstone The cornerstone of an effective information security architecture is a well-written policy statement. This is the source from which all other directives, standards, procedures, guidelines, and other supporting documents will spring.

15 Developing Policies The internal portion tells employees what is expected of them and how their actions will be judged. The external portion tells the world how the enterprise sees its responsibilities.

16 Developing Policies Definitions

17 Developing Policies Policy A policy is a high-level statement of enterprise beliefs, goals and objectives, and the general means for their attainment, for a specified subject area.

18 Developing Policies Standards Standards are mandatory requirements that support individual policies. Standards can range from what software or hardware may be used, to which remote access protocol is to be implemented, to who is responsible for approving what.

19 Developing Policies Procedures Procedures are mandatory, step-by-step, detailed actions required to successfully complete a task.

20 Developing Policies Guidelines Guidelines are documented suggestions for the regular and consistent implementation of accepted practices.

21 Policy Key Elements To meet the needs of an organization, a good policy should:
▸ Be easy to understand
▸ Be applicable
▸ Be doable
▸ Be enforceable
▸ Be phased in
▸ Be proactive
▸ Avoid absolutes
▸ Meet business objectives

22 Developing Policies Policy Format The format depends on the look and feel of policies in your own organization. Content: Topic, Scope, Responsibilities, Compliance or Consequences.

23 Developing Policies The three types of policies are:
1. Global (tier 1)
2. Topic-specific (tier 2)
3. Application-specific (tier 3)

24 Developing Policies Global (tier 1) Used to create the organization’s overall vision and direction.

25 Developing Policies Topic-specific (tier 2) Addresses particular subjects of concern.

26 Developing Policies Application-specific (tier 3) Policies that focus on decisions taken by management to control particular applications (financial reporting, payroll, etc.) or systems (budgeting system).

27 Developing Policies More on tier 3: Who has the authority to read or modify data? Under what circumstances can data be read or modified? How is remote access to be controlled?

28 Resume Reason: To provide direction regarding the protection of .... information resources from unauthorized access, modification, duplication, destruction or disclosure.

29 Resume The policy applies to all .... personnel, including employees, interns, vendors, contractors, and volunteers. The policy pertains to all information resources used to conduct .... business or used to transmit or store .... Restricted or Confidential information.

30 Developing Policies Terms defined by the policy:
▸ Information Resource
▸ Information Owner
▸ Business Owner
▸ Information Classification Categories: Restricted, Confidential, Public
▸ Reclassification
▸ Custodian
▸ Users

31 Developing Policies Information includes, but is not limited to:
a. Personally identifiable information (PII)
b. Reports, files, folders, memoranda
c. Statements, examinations, transcripts
d. Images, and
e. Communications

32 Developing Policies Information Owner The Director of a Division where the information resource is created, or who is the primary user of the information resource.

33 Developing Policies Business Owner Where there are multiple information owners for the same information resource, the information owners must designate a Business Owner who will have authority to make decisions on behalf of all the owners of the information resource.

34 Developing Policies Information Classification Categories All information shall be classified by the information owner into one of three classification categories: Restricted, Confidential, Public.

35 Developing Policies Reclassification The information owner is to establish a review cycle for all information classified as Restricted or Confidential, and reclassify it when it no longer meets the criteria established for such information. This cycle should be commensurate with the value of the information but should not exceed 1 year.

36 Developing Policies Custodian The individual or entity designated by the information owner that is responsible for maintaining the safeguards established by the information owner.

37 Developing Policies Users Authorized personnel responsible for using and safeguarding the information resources under their control according to the directions of the information owner.

38 Developing Policies The information owner has the responsibility to:
a. Identify the classification level of all information resources within their division
b. Define and verify implementation of appropriate safeguards to ensure the confidentiality, integrity, and availability of the information resource
c. Monitor the safeguards to ensure their compliance and report instances of noncompliance
d. Authorize access to those who have a demonstrated business need for the information resource, and
e. Remove access from those who no longer have a business need for the information resource

39 Developing Policies The Custodian has the responsibility to:
a. Implement integrity controls and access control requirements specified by the information owner
b. Advise the information owner of any major deficiency or vulnerability encountered that results in a failure to meet requirements
c. Comply with all specific guidelines and procedures to implement, support, and maintain information security

40 Developing Policies The Users have the responsibility to:
a. Access only the information for which they have been authorized
b. Use the information only for the purpose intended
c. Ensure that authenticating information (e.g., passwords) is in compliance with existing security standards
d. Maintain the integrity, confidentiality and availability of information accessed, consistent with the information owner’s expectations, while it is under their control
e. Comply with all specific guidelines and procedures to implement, support, and maintain Information Security policies and standards
f. Report violations or suspected violations of policies and standards to the appropriate management or the Information Security Project Manager
