
Information Security Management


Presentation Transcript


  1. Information Security Management 2017-Shariaty University

  2. Information Security Management Final Exam : 13 point Exercises/class activity : 2 point Quiz : 1 point Presentation: 4 point (time(20’), file, lecture) Extra point: 2 point (Paper) Semester Definition

  3. INFOSEC Section 1 Information Security Management

  4. ‘Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected’ (BS ISO 27002:2005)

  5. Information can be
     • Displayed
     • Transmitted by post or using electronic means
     • Shown on corporate videos
     • Displayed / published on the web
     • Stolen
     • Printed or written on paper
     • Stored electronically
     • Created
     • Stored
     • Destroyed
     • Processed
     • Transmitted
     • Used (for proper or improper purposes)
     • Corrupted
     • Lost
     ‘…Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected’ (BS ISO 27002:2005)

  6. What is Security? “The quality or state of being secure: to be free from danger”

  7. What Is Security? • A successful organization should have multiple layers of security in place: • Physical security • Personal security • Operations security • Communications security • Network security • Information security

  8. What Is Information Security? • Deals with several different "trust" aspects of information and its protection • The U.S. Government’s National Information Assurance Glossary defines INFOSEC as: “Protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.”

  9. What Is Information Security? • Three widely accepted elements or areas of focus (referred to as the “CIA Triad”): • Confidentiality • Integrity • Availability (Recoverability)

  10. What Is Information Security? • The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information • Necessary tools: policy, awareness, training, education, technology • C.I.A. triangle was standard based on confidentiality, integrity, and availability • C.I.A. triangle now expanded into list of critical characteristics of information

  11. What Is Information Security?

  12. What Is Information Security? [Figure: the C.I.A. triangle, with Confidentiality, Integrity and Availability at the corners and “Secure” in the centre] Over time the list of characteristics has expanded, but these three remain central

  13. Confidentiality • Confidentiality of information ensures that only those with sufficient privileges may access certain information • To protect confidentiality of information, a number of measures may be used including: • Information classification • Secure document storage • Application of general security policies • Education of information custodians and end users

  14. Integrity • Integrity is the quality or state of being whole, complete, and uncorrupted • The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state • Corruption can occur while information is being compiled, stored, or transmitted

  15. Availability • Availability is the characteristic of information that enables users to access it without interference or obstruction, and in the required format • A user in this definition may be either a person or another computer system • Availability means availability to authorized users

  16. Key Concepts of Information Security • Authentication • Authentication occurs when a control provides proof that a user possesses the identity that he or she claims

  17. Authentication • Authentication deals with verifying the identity of a subject, while access control deals with the ability of a subject (an individual, or a process running on a computer system) to interact with an object (a file or a hardware device) • Three types of authentication • Something you know (password) • Something you have (token or card) • Something you are (biometric)

  18. Key Concepts of Information Security • Authorization • After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset

  19. Access Control vs. Authentication • Authentication – This proves that you (subject) are who you say you are. • Access control – This deals with the ability of a subject to interact with an object. • Once an individual has been authenticated, access controls then regulate what the individual can actually do on the system.

  20. Key Concepts of Information Security • Accountability: • generates the requirement for the actions of an entity to be traced uniquely to that entity, to support nonrepudiation, deterrence, fault isolation, etc.
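The concepts from slides 16 to 20 (authentication, authorization/access control, accountability) fit together as a reference monitor. The following Python is an added illustration, not from the slides: the subject first proves its identity with something it knows, access control then decides whether that subject may perform an action on an object, and every decision is written to an audit log so it can be traced back to the subject. The users, passwords, object name and ACL are constructed for the demo.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

# Constructed user store for the demo: username -> (salt, PBKDF2 hash of the
# password). The password is the "something you know" factor.
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _register(password: str):
    salt = os.urandom(16)
    return salt, _hash_pw(password, salt)

USERS = {"alice": _register("correct horse"), "bob": _register("hunter2")}

# Constructed access control list: object -> subject -> permitted actions.
ACL = {"payroll.xlsx": {"alice": {"read", "update"}, "bob": {"read"}}}

# Accountability: every decision is recorded against the subject that made it.
AUDIT_LOG = []

def authenticate(user: str, password: str) -> bool:
    """Proof that the subject possesses the identity it claims."""
    salt, stored = USERS.get(user, (b"\0" * 16, b"\0" * 32))
    # Hash even for unknown users so timing does not reveal valid usernames.
    matches = hmac.compare_digest(stored, _hash_pw(password, salt))
    return user in USERS and matches

def authorize(subject: str, obj: str, action: str) -> bool:
    """Access control: may this authenticated subject do this to this object?"""
    return action in ACL.get(obj, {}).get(subject, set())

def access(user: str, password: str, obj: str, action: str) -> bool:
    """Reference monitor: authenticate, then authorize, then record the outcome."""
    if not authenticate(user, password):
        outcome = "DENY: authentication failed"
    elif not authorize(user, obj, action):
        outcome = "DENY: not authorized for %s on %s" % (action, obj)
    else:
        outcome = "ALLOW"
    AUDIT_LOG.append({"time": datetime.now(timezone.utc).isoformat(),
                      "subject": user, "object": obj, "action": action,
                      "outcome": outcome})
    return outcome == "ALLOW"

if __name__ == "__main__":
    access("alice", "correct horse", "payroll.xlsx", "update")  # allowed
    access("bob", "hunter2", "payroll.xlsx", "update")          # not authorized
    access("bob", "wrong", "payroll.xlsx", "read")              # not authenticated
    for entry in AUDIT_LOG:
        print(entry)
```

Note that the audit record is written whether the request is allowed or denied; a log of denials is what makes deterrence and fault isolation possible.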

  21. The Operational Method of Computer Security • Previous model: Protection = Prevention • Operational model: Protection = Prevention + (Detection + Response), which includes the operational aspects

  22. Sample Technologies in the Operational Model of Computer Security

  23. Components of an Information System • To fully understand the importance of information security, you need to know the elements of an information system • An Information System (IS) is much more than computer hardware; it is the entire set of software, hardware, data, people, and procedures necessary to use information as a resource in the organization

  24. Securing the Components • The computer can be the subject of an attack, the object of an attack, or both • When a computer is the subject of an attack, it is used as an active tool to conduct the attack; when it is the object of an attack, it is the entity being attacked

  25. Securing the Components

  26. Balancing Security and Access • Security should be considered a balance between protection and availability • To achieve balance, the level of security must allow reasonable access, yet protect against threats

  27. Balancing Security and Access

  28. It is impossible to obtain perfect security: security is not an absolute, it is a process
