Chapter 3: Information Security Framework
Objectives
- Plan the protection of the confidentiality, integrity and availability of corporate data—the CIA Triad
- Classify data and information
- Identify information ownership roles
- Apply the ISO 17799/BS 7799 Code of Practice for Information Security Management
- Understand the intent of the 10 security domains of the ISO 17799:2000 Code of Practice
Introduction
The CIA Triad
- The Triad stands for Confidentiality, Integrity and Availability
- An attack against one or several of the elements of the CIA triad is an attack against the information security of the organization
- Protecting the CIA triad means protecting the assets of the company
C is for Confidentiality
- Not all data owned by the company should be made available to the public
- Failing to protect data confidentiality can be disastrous for an organization:
  - Dissemination of Protected Health Information (PHI) between doctors and patients
  - Dissemination of Protected Financial Information (PFI) between banks and customers
  - Dissemination of business-critical information to rival companies
C is for Confidentiality Cont.
- Only authorized users should gain access to information
- Information must be protected when it is used, shared, transmitted and stored
- Information must be protected from unauthorized users both internally and externally
- Information must be protected whether it is in digital or paper format
C is for Confidentiality Cont.
- The threats to confidentiality must be identified. They include:
  - Hackers
  - Shoulder surfing
  - Lack of shredding of paper documents
  - Malicious code (viruses, worms, Trojans)
  - Unauthorized employee activity
  - Improper access control
C is for Confidentiality Cont.
- Identifying threats is important, but so is understanding why the company is vulnerable to those threats
- A risk assessment should be conducted prior to the creation of the policy
- The risk assessment will identify what threats exist, why the organization is vulnerable to them, and what the risk is of a threat becoming an actual attack
I is for Integrity
- Protecting data integrity means protecting data from being tampered with by an unauthorized source
- A business that cannot trust the integrity of its data is a business that cannot operate
- An attack against data integrity can mean the end of an organization’s ability to conduct business
I is for Integrity Cont.
- Threats to data integrity include:
  - Hackers
  - Unauthorized user activity
  - Improper access control
  - Malicious code
  - Interception and alteration of data during transmission
I is for Integrity Cont.
- Controls that can be deployed to protect data integrity include:
  - Technical controls:
    - Digital signatures for email use
    - File Integrity Verifier utilities for operating systems
  - Behavioral controls:
    - Separation of duties
    - Rotation of duties
    - End user security training
A is for Availability
- Availability: the assurance that the data is accessible when it is needed by authorized users
- What is the cost of the loss of data availability to the organization?
- A risk assessment should be conducted to more efficiently protect data availability
A is for Availability Cont.
- Threats to data availability include:
  - Loss of processing abilities due to natural disaster
  - Loss of processing abilities due to hardware failure
  - Loss of processing abilities due to human error
  - Loss of processing abilities due to malicious acts
  - Loss of power
  - Malicious code
  - Temporary or permanent loss of key personnel
Planning the Goals of an Information Security Program
- Which is more important to protect: Confidentiality, Integrity or Availability?
- No fixed answer: it depends on the information / process at hand
- The organization needs to define and rate all the business processes on which it relies in order to assign the right order of importance to each one
- Resources should be allocated in accordance with the ratings obtained
Planning the Goals of an Information Security Program Cont.
- Impact of an attack on one aspect on the others:
  - The risk assessment should outline, for example, how an attack on availability impacts the protection of data confidentiality and integrity
The 5 A’s of Information Security
- Accountability
- Assurance
- Authentication
- Authorization
- Accounting
The 5 A’s of Information Security Cont.
Accountability
- All actions should be traceable to the person who committed them
- Logs should be kept, archived and secured
- Intrusion Detection Systems should be deployed
- Computer forensic techniques can be used retroactively
- Accountability should be focused on both internal and external actions
The 5 A’s of Information Security Cont.
Assurance
- Security measures need to be designed and tested to ascertain that they are effective and appropriate
- The knowledge that these measures are indeed effective is known as Assurance
- The activities related to assurance include:
  - Auditing and monitoring
  - Testing
  - Reporting
The 5 A’s of Information Security Cont.
Authentication
- Authentication is the cornerstone of most network security models
- It is the positive identification of the person or system seeking access to secured information and/or systems
- Examples of authentication models:
  - User ID and password combination
  - Tokens
  - Biometric devices
The 5 A’s of Information Security Cont.
Authorization
- The act of granting users or systems actual access to information resources
- Note that the level of access may change based on the user’s defined access level
- Examples of access levels include the following:
  - Read only
  - Read and write
  - Full
The 5 A’s of Information Security Cont.
Accounting
- Defined as the logging of access and usage of resources
- Keeps track of who accesses what resource, when, and for how long
- Example of use: an Internet café, where users are charged by the minute of use of the service
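An accounting record only answers "who, what, when and for how long" if LOGIN and LOGOUT events can be paired reliably. The example below is added to illustrate that; it is not from the slides. It parses a constructed session log in a made-up `timestamp EVENT user=... terminal=...` format, pairs events per user and terminal into sessions with a duration in minutes, totals usage per user (the Internet café billing case), and also reports gaps in the record, such as a LOGOUT with no preceding LOGIN, which from an accountability point of view matter as much as the totals.

```python
import re
from datetime import datetime

# Constructed sample log; the format and the entries are invented for this example.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 LOGIN user=alice terminal=pc-03",
    "2024-03-01T09:05:00 LOGIN user=bob terminal=pc-07",
    "2024-03-01T09:47:30 LOGOUT user=alice terminal=pc-03",
    "2024-03-01T10:20:00 LOGOUT user=bob terminal=pc-07",
    "2024-03-01T10:25:00 LOGIN user=alice terminal=pc-01",
    "2024-03-01T10:30:00 LOGOUT user=carol terminal=pc-02",  # no matching LOGIN: a gap in the record
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN|LOGOUT) user=(?P<user>\S+) terminal=(?P<terminal>\S+)$"
)


def parse_line(line: str) -> dict:
    """Turn one accounting record into a dict; refuse lines that do not fit the format."""
    match = LINE_RE.match(line.strip())
    if match is None:
        raise ValueError(f"unparseable accounting record: {line!r}")
    rec = match.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def build_sessions(lines):
    """Pair LOGIN/LOGOUT records per (user, terminal) into sessions.

    Returns (closed_sessions, still_open, anomalies). Anomalies are records that
    cannot be paired and therefore leave usage unaccounted for.
    """
    open_sessions = {}          # (user, terminal) -> login time
    closed, anomalies = [], []
    for line in lines:
        rec = parse_line(line)
        key = (rec["user"], rec["terminal"])
        if rec["event"] == "LOGIN":
            if key in open_sessions:
                anomalies.append(f"second LOGIN without LOGOUT for {key} at {rec['ts'].isoformat()}")
            open_sessions[key] = rec["ts"]
            continue
        start = open_sessions.pop(key, None)
        if start is None:
            anomalies.append(f"LOGOUT without LOGIN for {key} at {rec['ts'].isoformat()}")
            continue
        closed.append({
            "user": rec["user"], "terminal": rec["terminal"],
            "start": start, "end": rec["ts"],
            "minutes": (rec["ts"] - start).total_seconds() / 60,
        })
    still_open = [{"user": u, "terminal": t, "start": s} for (u, t), s in open_sessions.items()]
    return closed, still_open, anomalies


def minutes_by_user(closed) -> dict:
    """Total minutes of completed sessions per user."""
    totals = {}
    for session in closed:
        totals[session["user"]] = totals.get(session["user"], 0.0) + session["minutes"]
    return totals


def bill(closed, rate_per_minute: float) -> dict:
    """Per-minute charging, as in the Internet café example."""
    return {user: round(minutes * rate_per_minute, 2)
            for user, minutes in minutes_by_user(closed).items()}


if __name__ == "__main__":
    closed, still_open, anomalies = build_sessions(SAMPLE_LOG)
    print("minutes:", minutes_by_user(closed))
    print("bill at 0.10/min:", bill(closed, 0.10))
    print("still open:", still_open)
    print("anomalies:", anomalies)
```

The same pairing logic applies to file access, VPN sessions or database connections: the resource and the start/stop events change, the need to detect unpaired events does not.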
Classifying Data and Information
Data Classification
- Data classification is required when creating a risk assessment
- Not all information has the same security requirements
- The level of classification of data has a direct impact on the security of the server on which it is located
Classifying Data and Information Cont.
- Each company can customize its own data classification model to better serve its security needs
- The most common classification system includes three levels:
  - Confidential
  - Sensitive
  - Public
Classifying Data and Information Cont.
Confidential Data:
- Not to be shared with the public
- Not to be shared with all employees
- Should only be made available to a small subset of authorized employees
- Unauthorized disclosure of this data would bring harm to the organization
- Examples: financial information, R&D discoveries, proprietary information
Classifying Data and Information Cont.
Sensitive Data:
- Not to be shared with the public
- Available on a “need-to-know” basis
- Usually available to more employees than confidential information
- Unauthorized disclosure would harm the company, especially in terms of reputation, privacy, credibility and regulatory compliance
Classifying Data and Information Cont.
Public Data:
- Can be shared with the public
- Disclosure of this data would not bring harm to the organization
- Examples: official price list, published list of service phone numbers
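The three classification levels above and the access levels from the Authorization slide (read only, read and write, full) only become enforceable when they are combined in an access decision. The example below is added to show one such decision function; it is not code from the slides and the policy it encodes is an assumption: public data is readable by anyone, sensitive data is readable by employees whose group has need-to-know, confidential data is available only through an explicit grant recorded by the information owner, and any level above read-only always requires such a grant. The assets, groups and principals are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Classification(IntEnum):
    PUBLIC = 0
    SENSITIVE = 1
    CONFIDENTIAL = 2


class AccessLevel(IntEnum):
    NONE = 0
    READ_ONLY = 1
    READ_WRITE = 2
    FULL = 3


@dataclass
class Asset:
    name: str
    classification: Classification
    owner: str                                  # the information owner, who decides grants
    need_to_know: frozenset = frozenset()       # groups with need-to-know (used for SENSITIVE data)
    grants: dict = field(default_factory=dict)  # principal name -> AccessLevel, set by the owner


@dataclass(frozen=True)
class Principal:
    name: str
    employee: bool
    groups: frozenset = frozenset()


def effective_level(p: Principal, a: Asset) -> AccessLevel:
    """Highest access level the policy gives principal p on asset a."""
    explicit = a.grants.get(p.name, AccessLevel.NONE)
    if a.classification == Classification.PUBLIC:
        return max(explicit, AccessLevel.READ_ONLY)      # anyone may read public data
    if not p.employee:
        return AccessLevel.NONE                          # non-employees get nothing above PUBLIC
    if a.classification == Classification.SENSITIVE:
        if p.groups & a.need_to_know:
            return max(explicit, AccessLevel.READ_ONLY)  # need-to-know implies read access
        return explicit                                  # otherwise only what the owner granted
    return explicit                                      # CONFIDENTIAL: explicit grant only


def decide(p: Principal, a: Asset, requested: AccessLevel) -> tuple:
    """Return (allowed, explanation) for a request; the explanation feeds the audit log."""
    eff = effective_level(p, a)
    allowed = requested != AccessLevel.NONE and requested <= eff
    why = (f"{p.name} requested {requested.name} on {a.name} "
           f"({a.classification.name}); effective level {eff.name}")
    return allowed, why


# Constructed sample inventory and principals (not from the slides)
ASSETS = {
    "price-list": Asset("price-list", Classification.PUBLIC, owner="marketing"),
    "customer-records": Asset("customer-records", Classification.SENSITIVE, owner="support-lead",
                              need_to_know=frozenset({"support", "billing"})),
    "rd-roadmap": Asset("rd-roadmap", Classification.CONFIDENTIAL, owner="cto",
                        grants={"alice": AccessLevel.READ_WRITE}),
}
PRINCIPALS = {
    "guest": Principal("guest", employee=False),
    "bob": Principal("bob", employee=True, groups=frozenset({"support"})),
    "carol": Principal("carol", employee=True, groups=frozenset({"sales"})),
    "alice": Principal("alice", employee=True, groups=frozenset({"engineering"})),
}


def check(principal: str, asset: str, requested: AccessLevel) -> bool:
    """Convenience wrapper over the sample data; returns only the decision."""
    return decide(PRINCIPALS[principal], ASSETS[asset], requested)[0]


if __name__ == "__main__":
    for who, what, level in [("guest", "price-list", AccessLevel.READ_ONLY),
                             ("bob", "customer-records", AccessLevel.READ_WRITE),
                             ("alice", "rd-roadmap", AccessLevel.READ_WRITE)]:
        print(decide(PRINCIPALS[who], ASSETS[what], level))
```

Note that the owner, not IT, appears in the `Asset` record as the party who sets `grants`; that mirrors the custodian-versus-owner distinction made later in the chapter, and the explanation string returned by `decide` is what the Accounting and Accountability slides would have written to the log.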
Identifying Information Ownership Roles
Information Ownership
- Many are confused as to who the owner of information is, which can endanger the confidentiality of this information
- It is important for the organization to clearly define who the information owners are
- Information owners are those originally responsible for the policies and practices governing the information
- IT usually plays the role of data custodian, not data owner
The ISO 17799/BS 7799 Code of Practice for Information Security Management
- A framework of information security recommendations applicable to public and private organizations of all sizes
- Official definition: “the ISO […] standard gives recommendations for information security management for use by those who are responsible for initiating, implementing or maintaining security in their organization” (from the ISO web site)
The ISO 17799/BS 7799 Code of Practice for Information Security Management Cont.
Quick facts about the ISO 17799/BS 7799
- Started as a British document in 1989
- Was proposed as an international standard after two revisions in 1997 and 1999
- Adopted by the ISO in August 2000
- There is currently no certification process for the ISO 17799
- Adopted internationally
Using the Ten Security Domains of the ISO 17799:2000
The Security Policy domain:
- Focuses on providing direction and support for the information security program
- Emphasizes the importance of visible leadership and involvement of senior management
- This involvement should impact the following processes:
  - Establishing policy
  - Setting the direction of the information security program
  - A commitment to protecting physical & logical resources
Using the Ten Security Domains of the ISO 17799:2000 Cont.
The Organizational Security domain:
- Focuses on establishing & supporting a management framework to implement and manage information security within, across and outside the organization
- Inward-facing controls: concentrate on employees’ and stakeholders’ relationships to information systems
- Outward-facing controls: concentrate on third-party access to information systems
Using the Ten Security Domains of the ISO 17799:2000 Cont.
The Asset Classification & Control domain:
- An accurate inventory of all information security assets should be maintained
- Information assets should be classified to receive the appropriate level of protection
- Information assets include:
  - Intellectual property
  - Raw data
  - Mined information
  - Software
Using the Ten Security Domains of the ISO 17799:2000 Cont.
The Personnel Security domain:
- Organizations need controls for security in the hiring, employment and termination of staff
- Such controls include:
  - Personnel screening
  - Acceptable use & confidentiality agreements
  - Terms and conditions of employment
- Employees should be trained to be:
  - Security conscious
  - Ready to handle incident response situations
Using the Ten Security Domains of the ISO 17799:2000 Cont.
The Physical & Environmental Security domain:
- Focuses on designing & maintaining a secure physical environment to protect the company from unauthorized access, damage & interference to business premises
- Achieved by:
  - Control of the physical security perimeter & entry
  - Creating secure offices and rooms
  - Deploying physical access controls
- Must involve several company departments
Using the Ten Security Domains of the ISO 17799:2000 Cont.
The Communications & Operations Management domain:
- Focuses on the secure operation of information processing facilities
- Includes detailed operating instructions & incident response procedures
- Technical controls include IDS, antivirus, backup, auditing, logging and system monitoring, and encryption for transmitted information
Using the Ten Security Domains of the ISO 17799:2000 Cont.
The Access Control domain:
- Goal: to prevent unauthorized access to information systems
- Defines access control policy, user authentication and access management, network access controls, operating system access controls, monitoring and logging
- Also applies to mobile computing
Using the Ten Security Domains of the ISO 17799:2000 Cont.
The System Development & Maintenance domain:
- Security should be defined at the genesis of the product development cycle
- New products may require encryption
- Change control policies should be implemented to ensure the integrity of system and information files
Using the Ten Security Domains of the ISO 17799:2000 Cont.
The Business Continuity domain:
- Business-critical processes must be protected from the effects of disasters
- Focuses on data and system availability
- Identifies the impact of events that cause interruption of business processes
- Designs response, recovery & continuity plans
- Plans should be regularly tested and reassessed
Using the Ten Security Domains of the ISO 17799:2000 Cont.
The Compliance domain:
- All organizations must comply with regulations at different levels, which include:
  - Local, national and international laws
  - Criminal and civil laws
  - Regulatory and/or contractual obligations
  - Intellectual property rights
  - Copyrights
- The organization’s legal advisor should be involved in this domain
Using the Ten Security Domains of the ISO 17799:2000 Cont.
Quick facts:
- Based on the size of the company, not all policies related to the ISO 17799 need to be implemented
- Too many policies, especially when not all are needed, can become confusing and result in the rejection of the whole policy
- The organization should identify which of the policies are appropriate and should be implemented
Summary
- The CIA triad is the blueprint of what assets need to be protected in order to protect the organization.
- Protecting the organization’s information security can seem vague and too conceptual. Protecting the confidentiality, integrity and availability of the data is a more concrete way of saying the same thing.
- Standards such as the ISO 17799 exist to help organizations better define appropriate ways to protect their information assets.