Introduction to information security Lecture #1 Security in - - PowerPoint PPT Presentation



Slide 1

Introduction to information security

Lecture #1

Security in Organizations 2011, Eric Verheul

Slide 2

Outline

  • The lectures I will give
  • Information Security events in the media
  • What is Information Security?
  • Recap
  • Study for next week

Slide 3

Things I will teach

The lectures I will give

  • Information security in organizations in practice, based on the ISO 27001 / ISO 27002 standards
  • Conducting IS risk assessments in organizations
  • Introduction to EDP audits and auditors
  • Writing an information security policy

Slide 4

Information Security (IS)

  • Information Security:
    • Preservation of confidentiality, integrity and availability of information (ISO).
    • The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability (NIST).
    • The condition in which confidentiality, integrity and availability of information and information technology are protected by appropriate safeguards (BSI).

Slide 5

Literature

Main literature for my lectures (apart from the slides):

1. ISO 27001, ISO 27002, ISO 27005
2. How to Achieve 27001 Certification, Sigurjon Thor Arnason, Keith D. Willett, Auerbach Publications, 2008. Accessible through the SIO webpage.
3. Management Issues, Chapter 22 of Security Engineering: A Guide to Building Dependable Distributed Systems, R. Anderson
4. What Is Security Engineering? Chapter 23 of Security Engineering: A Guide to Building Dependable Distributed Systems, R. Anderson

Slide 6

Outline

  • The lectures I will give
  • Information Security events in the media
  • What is Information Security?
  • Recap
  • Study for next week

Slide 7

[Slide image: a collage of news headlines, each tagged with the ISO 27002 chapter it relates to (C5, C7, C8, C11, C12, C13, C14); the one legible headline reads "Citibank admits: we've lost the backup tape".]

Slide 8

Management commitment

ISO 27002 Chapter 5: SECURITY POLICY

Information Security events in the media

Slide 9

Organization of information security

ISO 27002 Chapter 6: Organization of Information Security

Slide 10

Organization of information security

ISO 27002 Chapter 6: Organization of Information Security

Slide 11

Lost USB sticks

ISO 27002 Chapter 7: ASSET MANAGEMENT

Slide 12

Lost backup tapes

ISO 27002 Chapter 7: ASSET MANAGEMENT

Headline: "Citibank admits: we've lost the backup tape"

Source http://www.theregister.co.uk

Slide 13

Lost tax declarations

ISO 27002 Chapter 7: ASSET MANAGEMENT

Slide 14

User awareness

ISO 27002 Chapter 8: HUMAN RESOURCES SECURITY

Slide 15

User awareness

ISO 27002 Chapter 8: HUMAN RESOURCES SECURITY

Source http://www.rtl.nl

Slide 16

Screening

ISO 27002 Chapter 8: HUMAN RESOURCES SECURITY

Slide 17

Physical security

ISO 27002 Chapter 9: PHYSICAL AND ENVIRONMENTAL SECURITY

Slide 18

Physical security

ISO 27002 Chapter 9: PHYSICAL AND ENVIRONMENTAL SECURITY

Slide 19

Fire

ISO 27002 Chapter 9: PHYSICAL AND ENVIRONMENTAL SECURITY

Slide 20

Power failure

ISO 27002 Chapter 9: PHYSICAL AND ENVIRONMENTAL SECURITY

Source http://www.webwereld.nl

Slide 21

Power failure

ISO 27002 Chapter 9: PHYSICAL AND ENVIRONMENTAL SECURITY

Source http://www.nos.nl, August 10 2009

Slide 22

Malicious code protection

ISO 27002 Chapter 10: COMMUNICATIONS AND OPERATIONS MANAGEMENT

Slide 23

Malicious code protection

ISO 27002 Chapter 10: COMMUNICATIONS AND OPERATIONS MANAGEMENT

Slide 24

Patching

ISO 27002 Chapter 10: COMMUNICATIONS AND OPERATIONS MANAGEMENT

Slide 25

Password management

ISO 27002 Chapter 11: ACCESS CONTROL

Source http://www.infosectoday.com

Slide 26

Security in software lifecycle

ISO 27002 Chapter 12: INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE

Source http://news.zdnet.co.uk

Slide 27

Security incident handling

ISO 27002 Chapter 13: INFORMATION SECURITY INCIDENT MANAGEMENT

Slide 28

Massive loss of information and employees

ISO 27002 Chapter 14: BUSINESS CONTINUITY MANAGEMENT

September 9, 2001

Slide 29

Non-compliance with privacy regulations

ISO 27002 Chapter 15: COMPLIANCE

Slide 30

Non-compliance with privacy regulations

ISO 27002 Chapter 15: COMPLIANCE

Slide 31

ISO 27002

Ch.  ISO 27002 (English)                                           NEN translation (Dutch)
5    Security Policy                                               Beveiligingsbeleid
6    Organization of Information Security                          Beveiligingsorganisatie
7    Asset Management                                              Classificatie en beheer van bedrijfsmiddelen
8    Human Resources Security                                      Beveiligingseisen ten aanzien van personeel
9    Physical and Environmental Security                           Fysieke beveiliging en beveiliging van de omgeving
10   Communications and Operations Management                      Beheer van communicatie- en bedieningsprocessen
11   Access Control                                                Toegangsbeveiliging
12   Information Systems Acquisition, Development and Maintenance  Ontwikkeling en onderhoud van systemen
13   Information Security Incident Management                      Incidentmanagement
14   Business Continuity Management                                Continuïteitsmanagement
15   Compliance                                                    Naleving

Information Security controls (ISO 27002)

Slide 32

Outline

  • The lectures I will give
  • Information Security events in the media
  • What is Information Security?
  • Recap
  • Study for next week

Slide 33

Information Security (IS)

What is Information Security?

Do you think that the incidents we have seen would not have occurred if the organizations had implemented the 133 controls from ISO 27002?

Slide 34

Information Security (IS)

Strangely enough, the notion of 'risk' is not involved in these definitions.

Slide 35

Alternative definition of IS

  • Adequately protecting information against possible threat manifestations.

Slide 36

Alternative definition of IS

  • Adequately protecting the confidentiality, integrity and availability of information against possible threat manifestations.

Slide 37

Alternative definition of IS

  • Threat manifestation (or potential incident): the successful combination of a threat and a vulnerability:
    • A threat is a) something 'negative' that can accidentally happen or b) that some party intentionally wants to achieve.
    • A vulnerability is a weakness that can be accidentally triggered or intentionally exploited.
    • Threats can be Natural/Environmental or Human.
  • Adequately protecting the confidentiality, integrity and availability of information against possible threat manifestations.

Slide 38

Alternative definition of IS

  • Protection (controls) can be either:
    • Preventive
    • Detective
    • Repressive (e.g. fire extinguishers or punishment), or
    • Corrective (repairing the damage)
  • Adequately protecting the confidentiality, integrity and availability of information against possible threat manifestations.

Slide 39

Alternative definition of IS

  • Adequately protecting the confidentiality, integrity and availability of information against possible threat manifestations.

[Figure: Threat #1 ... Threat #n combined with Vulnerability #1 ... Vulnerability #n give the potential incidents, which are the input to risk treatment.]

Slide 40

Alternative definition of IS

  • Adequate: as supported by a risk assessment and treatment analysis whereby all possible manifestations of threats and their impacts ('risks') are considered and somehow all 'relevant' ones are sufficiently reduced with controls.
  • Risks are typically reduced but can also be accepted, avoided or transferred.
  • Who decides, who provides priority/budget?
  • Adequately protecting the confidentiality, integrity and availability of information against possible threat manifestations.

Slide 41

Alternative definition of IS

  • Adequately protecting the confidentiality, integrity and availability of information against possible threat manifestations.

Risk Treatment

Risks can be:

  • Reduced/removed
  • Accepted
  • Avoided
  • Transferred

Controls can be:

  • Preventive controls
  • Detective controls
  • Repressive controls
  • Corrective controls
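The model of slides 37 to 41 (a potential incident is a threat meeting a vulnerability; each resulting risk is reduced, accepted, avoided or transferred; controls are preventive, detective, repressive or corrective) can be made concrete as a small risk register. The Python below is an added example, not part of the slides or of any ISO document: the threats, vulnerabilities, the 1-to-5 likelihood and impact scales, the risk appetite of 4, the control effects and the risk owner's "avoid" decision are all constructed for illustration.

```python
"""Toy risk register after the lecture's definitions: threat x vulnerability =
potential incident; treat by reduce/accept/avoid/transfer. All data constructed."""
from dataclasses import dataclass
from itertools import product

C, I, A = "confidentiality", "integrity", "availability"

@dataclass(frozen=True)
class Threat:
    name: str
    kind: str            # "natural", "environmental" or "human"
    targets: frozenset   # assets the threat can act on
    affects: frozenset   # which of C, I, A it endangers
    likelihood: int      # 1 (rare) .. 5 (frequent), constructed scale

@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str
    weakens: frozenset   # which of C, I, A the weakness exposes
    impact: int          # 1 (negligible) .. 5 (severe), constructed scale

@dataclass(frozen=True)
class Control:
    name: str
    kind: str            # preventive | detective | repressive | corrective
    less_likelihood: int = 0
    less_impact: int = 0

def potential_incidents(threats, vulnerabilities):
    """Threat manifestation: a threat meets a vulnerability on an asset it can
    reach that exposes an attribute the threat endangers."""
    return [(t, v) for t, v in product(threats, vulnerabilities)
            if v.asset in t.targets and t.affects & v.weakens]

def risk_level(threat, vuln, controls=()):
    """Likelihood x impact, after subtracting what the controls take away."""
    lik = threat.likelihood - sum(c.less_likelihood for c in controls)
    imp = vuln.impact - sum(c.less_impact for c in controls)
    return max(1, lik) * max(1, imp)

def treat(threat, vuln, controls, appetite, decisions):
    """'appetite' is the highest level accepted without action; 'decisions' holds
    the risk owner's explicit avoid/transfer choices (priority and budget)."""
    if risk_level(threat, vuln) <= appetite:
        return "accept"
    explicit = decisions.get((threat.name, vuln.name))
    if explicit in ("avoid", "transfer"):
        return explicit
    return "reduce" if risk_level(threat, vuln, controls) <= appetite else "escalate"

def build_register(threats, vulnerabilities, controls, appetite, decisions):
    """One row per potential incident with inherent and residual level."""
    rows = []
    for t, v in potential_incidents(threats, vulnerabilities):
        chosen = tuple(controls.get(v.name, ()))
        rows.append({"threat": t.name, "vulnerability": v.name,
                     "inherent": risk_level(t, v),
                     "residual": risk_level(t, v, chosen),
                     "treatment": treat(t, v, chosen, appetite, decisions),
                     "controls": tuple((c.name, c.kind) for c in chosen)})
    return rows

def controls_by_kind(register):
    """Count distinct controls in use per control type."""
    counts = {}
    for _, kind in {ctrl for row in register for ctrl in row["controls"]}:
        counts[kind] = counts.get(kind, 0) + 1
    return counts

# Constructed sample data (not from the slides).
THREATS = [
    Threat("fire", "environmental", frozenset({"server room"}), frozenset({A}), 1),
    Threat("laptop theft", "human", frozenset({"laptop"}), frozenset({C, A}), 3),
    Threat("malware infection", "human", frozenset({"workstation"}), frozenset({C, I, A}), 4),
    Threat("backup tape lost in transit", "human", frozenset({"backup tape"}), frozenset({C, A}), 2),
    Threat("power failure", "environmental", frozenset({"power supply"}), frozenset({A}), 2)]
VULNERABILITIES = [
    Vulnerability("laptop disk not encrypted", "laptop", frozenset({C}), 4),
    Vulnerability("security patches not applied", "workstation", frozenset({C, I, A}), 3),
    Vulnerability("no fire suppression", "server room", frozenset({A}), 5),
    Vulnerability("backup tape not encrypted", "backup tape", frozenset({C}), 5),
    Vulnerability("no UPS", "power supply", frozenset({A}), 2)]
CONTROLS = {  # vulnerability name -> controls selected to reduce its risks
    "laptop disk not encrypted": [Control("full-disk encryption", "preventive", less_impact=3)],
    "security patches not applied": [Control("monthly patch cycle", "preventive", less_likelihood=2),
                                     Control("anti-malware alerting", "detective", less_impact=1)],
    "no fire suppression": [Control("fire extinguishers", "repressive", less_impact=2),
                            Control("restore from off-site backup", "corrective", less_impact=1)]}
APPETITE = 4  # highest risk level accepted without action
DECISIONS = {("backup tape lost in transit", "backup tape not encrypted"): "avoid"}

def assess():
    return build_register(THREATS, VULNERABILITIES, CONTROLS, APPETITE, DECISIONS)

if __name__ == "__main__":
    for row in assess():
        print(f'{row["threat"]:28} x {row["vulnerability"]:30} {row["inherent"]:>2} -> '
              f'{row["residual"]:>2}  {row["treatment"]}')
    print(controls_by_kind(assess()))
```

Run as a script, the register shows each of the five potential incidents with its inherent and residual level: the power failure stays within appetite and is accepted, the unencrypted backup tape is avoided by the risk owner's decision rather than by a control, and the other three are reduced by the selected controls. The "escalate" outcome is what remains when controls do not bring a risk within appetite and nobody has decided to avoid or transfer it, which is the "who decides, who provides priority/budget?" question of slide 40.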

Slide 42

Outline

  • The lectures I will give
  • Information Security events in the media
  • What is Information Security?
  • Recap
  • Study for next week

Slide 43

Recap

Recap on information security

  • Complicating factors in implementing Information Security (IS) are its multidisciplinary nature and constraints on budget, effort and getting management attention
  • ISO 27002 is a (long) list of 133 IS controls divided over 11 chapters, originally dating from the nineties
  • Practice shows that 'just' implementing ISO 27002 is not the way to secure organizations, because not all controls are equally relevant for all organizations and circumstances
  • To address this, ISO 27002 was supplemented with ISO 27001, which describes 'security management'; we will discuss it next week.

Slide 44

Outline

  • The lectures I will give
  • Information Security events in the media
  • What is Information Security?
  • Recap
  • Study for next week

Slide 45

Study for next week

  • Study for next week:
    • The ISO 27001 and 27002 standards
    • First four chapters of "How to Achieve 27001 Certification", Sigurjon Thor Arnason, Keith D. Willett, Auerbach Publications, 2008. Accessible through the SIO webpage
    • http://www.iso27001security.com
    • Look at the information security policy assignment