Introduction to information security, Lecture #1: Security in Organizations - PowerPoint PPT Presentation



  1. Introduction to information security, Lecture #1: Security in Organizations, 2011, Eric Verheul

  2. Outline
     • The lectures I will give
     • Information Security events in the media
     • What is Information Security?
     • Recap
     • Study for next week

  3. The lectures I will give: things I will teach
     • Information security in organizations in practice, based on the ISO 27001 / ISO 27002 standards
     • Conducting IS risk assessments in organizations
     • Introduction to EDP audits and auditors
     • Writing an information security policy

  4. The lectures I will give: Information Security (IS)
     • Preservation of confidentiality, integrity and availability of information (ISO).
     • The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability (NIST).
     • The condition in which confidentiality, integrity and availability of information and information technology are protected by appropriate safeguards (BSI).

  5. The lectures I will give: Literature
     Main literature for my lectures (apart from the slides):
     1. ISO 27001, ISO 27002, ISO 27005
     2. How to Achieve 27001 Certification, Sigurjon Thor Arnason, Keith D. Willett, Auerbach Publications, 2008. Accessible through the SIO webpage.
     3. Management Issues, Chapter 22 of Security Engineering: A Guide to Building Dependable Distributed Systems, R. Anderson
     4. What Is Security Engineering? Chapter 23 of Security Engineering: A Guide to Building Dependable Distributed Systems, R. Anderson

  6. Outline
     • The lectures I will give
     • Information Security events in the media
     • What is Information Security?
     • Recap
     • Study for next week

  7. [Overview slide: a collage of news clippings, each tagged with the ISO 27002 chapter it relates to (C5, C7, C8, C11, C12, C13, C14); among them the headline "Citibank admits: we've lost the backup tape" (C7).]

  8. Information Security events in the media: Management commitment (C5). ISO 27002 Chapter 5: Security Policy

  9. Information Security events in the media: Organization of information security (C6). ISO 27002 Chapter 6: Organization of Information Security

  10. Information Security events in the media: Organization of information security (C6). ISO 27002 Chapter 6: Organization of Information Security

  11. Information Security events in the media: Lost USB sticks (C7). ISO 27002 Chapter 7: Asset Management

  12. Information Security events in the media: Lost backup tapes (C7). Headline: "Citibank admits: we've lost the backup tape" (source: http://www.theregister.co.uk). ISO 27002 Chapter 7: Asset Management

  13. Information Security events in the media: Lost tax declarations (C7). ISO 27002 Chapter 7: Asset Management

  14. Information Security events in the media: User awareness (C8). ISO 27002 Chapter 8: Human Resources Security

  15. Information Security events in the media: User awareness (C8); source: http://www.rtl.nl. ISO 27002 Chapter 8: Human Resources Security

  16. Information Security events in the media: Screening (C8). ISO 27002 Chapter 8: Human Resources Security

  17. Information Security events in the media: Physical security (C9). ISO 27002 Chapter 9: Physical and Environmental Security

  18. Information Security events in the media: Physical security (C9). ISO 27002 Chapter 9: Physical and Environmental Security

  19. Information Security events in the media: Fire (C9). ISO 27002 Chapter 9: Physical and Environmental Security

  20. Information Security events in the media: Power failure (C9); source: http://www.webwereld.nl. ISO 27002 Chapter 9: Physical and Environmental Security

  21. Information Security events in the media: Power failure (C9); source: http://www.nos.nl, August 10 2009. ISO 27002 Chapter 9: Physical and Environmental Security

  22. Information Security events in the media: Malicious code protection (C10). ISO 27002 Chapter 10: Communications and Operations Management

  23. Information Security events in the media: Malicious code protection (C10). ISO 27002 Chapter 10: Communications and Operations Management

  24. Information Security events in the media: Patching (C10). ISO 27002 Chapter 10: Communications and Operations Management

  25. Information Security events in the media: Password management (C11); source: http://www.infosectoday.com. ISO 27002 Chapter 11: Access Control

  26. Information Security events in the media: Security in the software lifecycle (C12); source: http://news.zdnet.co.uk. ISO 27002 Chapter 12: Information Systems Acquisition, Development and Maintenance

  27. Information Security events in the media: Security incident handling (C13). ISO 27002 Chapter 13: Information Security Incident Management

  28. Information Security events in the media: Massive loss of information and employees (C14), September 9, 2001. ISO 27002 Chapter 14: Business Continuity Management

  29. Information Security events in the media: Non-compliance with privacy regulations (C15). ISO 27002 Chapter 15: Compliance

  30. Information Security events in the media: Non-compliance with privacy regulations (C15). ISO 27002 Chapter 15: Compliance

  31. Information Security controls (ISO 27002)

     Ch. | ISO 27002 (English)                                          | NEN vertaling (Dutch translation)
     ----|--------------------------------------------------------------|---------------------------------------------------
      5  | Security Policy                                              | Beveiligingsbeleid
      6  | Organization of Information Security                         | Beveiligingsorganisatie
      7  | Asset Management                                             | Classificatie en beheer van bedrijfsmiddelen
      8  | Human Resources Security                                     | Beveiligingseisen ten aanzien van personeel
      9  | Physical and Environmental Security                          | Fysieke beveiliging en beveiliging van de omgeving
     10  | Communications and Operations Management                     | Beheer van communicatie- en bedieningsprocessen
     11  | Access Control                                               | Toegangsbeveiliging
     12  | Information Systems Acquisition, Development and Maintenance | Ontwikkeling en onderhoud van systemen
     13  | Information Security Incident Management                     | Incidentmanagement
     14  | Business Continuity Management                               | Continuïteitsmanagement
     15  | Compliance                                                   | Naleving

  32. Outline
     • The lectures I will give
     • Information Security events in the media
     • What is Information Security?
     • Recap
     • Study for next week

  33. What is Information Security? Information Security (IS)
     Do you think the incidents we have seen would not have occurred if the organizations had implemented the 133 controls from ISO 27002?

  34. What is Information Security? Information Security (IS)
     Strangely enough, the notion of 'risk' does not appear in these definitions.

  35. What is Information Security? Alternative definition of IS
     • Adequately protecting information against possible threat manifestations.

  36. What is Information Security? Alternative definition of IS
     • Adequately protecting the confidentiality, integrity and availability of information against possible threat manifestations.

  37. What is Information Security? Alternative definition of IS
     • Adequately protecting the confidentiality, integrity and availability of information against possible threat manifestations.
     • Threat manifestation (or potential incident): the successful combination of a threat and a vulnerability:
       • A threat is a) something 'negative' that can accidentally happen, or b) something that some party intentionally wants to achieve.
       • A vulnerability is a weakness that can be accidentally triggered or intentionally exploited.
       • Threats can be Natural/Environmental or Human.

  38. What is Information Security? Alternative definition of IS
     • Adequately protecting the confidentiality, integrity and availability of information against possible threat manifestations.
     • Protection (controls) can be either:
       • Preventive
       • Detective
       • Repressive (e.g. fire extinguishers or punishment), or
       • Corrective (repairing the damage)

  39. What is Information Security? Alternative definition of IS
     • Adequately protecting the confidentiality, integrity and availability of information against possible threat manifestations.
     [Diagram: Threat #1 ... Threat #n paired with Vulnerability #1 ... Vulnerability #n yield the potential incidents, which are the input to risk treatment.]

  40. What is Information Security? Alternative definition of IS
     • Adequately protecting the confidentiality, integrity and availability of information against possible threat manifestations.
     • Adequate: as supported by a risk assessment and treatment analysis whereby all possible manifestations of threats and their impacts ('risks') are considered and somehow all 'relevant' ones are sufficiently reduced with controls.
     • Risks are typically reduced, but can also be accepted, avoided or transferred.
     • Who decides, who provides priority/budget?

  41. What is Information Security? Alternative definition of IS
     • Adequately protecting the confidentiality, integrity and availability of information against possible threat manifestations.
     [Diagram: Risk treatment. Risks can be reduced/removed (with preventive, detective, repressive or corrective controls), accepted, avoided, or transferred.]
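A worked model of the alternative definition on slides 37 to 41, added here as an example and not taken from the lecture: threats paired with the vulnerabilities they can exploit give the potential incidents, the four control kinds lower either likelihood (preventive) or impact (detective, repressive, corrective), and each risk is then accepted, reduced, or escalated for avoidance or transfer. The 1..5 scales, the threshold ACCEPT_BELOW and the sample threats, vulnerabilities and controls are all constructed assumptions, not figures from the slides.

```python
from dataclasses import dataclass, replace
ACCEPT_BELOW = 6  # assumed policy: residual level (likelihood 1..5 * impact 1..5) tolerated as is

@dataclass(frozen=True)
class Risk:  # a potential incident: a threat meeting a vulnerability it can exploit
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    def level(self) -> int:
        return self.likelihood * self.impact

# Constructed inputs inspired by the media slides (lost tape, fire, power failure, physical access).
THREATS = {"tape lost in transit": 3, "fire": 2, "power failure": 4, "unescorted visitor": 2}
VULNS = {  # name -> (impact, threats that can accidentally trigger or intentionally exploit it)
    "backup tape readable by finder": (5, {"tape lost in transit"}),
    "no fire suppression in server room": (5, {"fire"}),
    "single power feed": (3, {"power failure"}),
    "visitor badges not checked": (2, {"unescorted visitor"}),
}
CONTROLS = [  # (name, kind, vulnerability it protects, points reduced)
    ("encrypt backup media", "preventive", "backup tape readable by finder", 2),
    ("smoke detectors", "detective", "no fire suppression in server room", 1),
    ("fire extinguishers", "repressive", "no fire suppression in server room", 2),
]
def potential_incidents(threats=THREATS, vulns=VULNS):
    """Threat manifestations: every threat paired with each vulnerability it can exploit."""
    return [Risk(t, v, lik, imp) for t, lik in threats.items()
            for v, (imp, exposed) in vulns.items() if t in exposed]

def residual(risk, controls=CONTROLS):
    """Preventive controls cut likelihood; the other kinds cut impact (neither drops below 1)."""
    lik, imp = risk.likelihood, risk.impact
    for _, kind, protects, cut in controls:
        if protects == risk.vulnerability and kind == "preventive":
            lik = max(1, lik - cut)
        elif protects == risk.vulnerability:
            imp = max(1, imp - cut)
    return replace(risk, likelihood=lik, impact=imp)

def treatment(risk, controls=CONTROLS):
    """The slide's options: accept, reduce (with controls), otherwise avoid or transfer."""
    if risk.level() < ACCEPT_BELOW:
        return "accept"
    if residual(risk, controls).level() < ACCEPT_BELOW:
        return "reduce"
    return "avoid or transfer"  # left to management: who decides, who provides priority/budget?

def risk_register(threats=THREATS, vulns=VULNS, controls=CONTROLS):
    """Per potential incident: (inherent level, residual level, chosen treatment)."""
    return {(r.threat, r.vulnerability): (r.level(), residual(r, controls).level(),
            treatment(r, controls)) for r in potential_incidents(threats, vulns)}
```

The fire entry shows why the slide lists several control kinds: the repressive control alone leaves the residual level at the threshold, and only together with the detective control does the risk drop into the accepted range.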

  42. Outline
     • The lectures I will give
     • Information Security events in the media
     • What is Information Security?
     • Recap
     • Study for next week
