information security background

Information Systems 365/765 Information Systems Security and Strategy Lecture 2 Introduction to Information Security

Upload: nicholas-davis

Post on 16-Jan-2015


TRANSCRIPT

Page 1

Information Systems 365/765: Information Systems Security and Strategy

Lecture 2: Introduction to Information Security

Page 2

Information Security Defined

Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.

Page 3

Why Study Information Security in the School of Business?

• Businesses collect massive amounts of data about their customers, employees, and competitors

• Most of this data is stored on computers and transmitted across networks

• If this information should fall into the hands of a competitor, the result could be loss of business, lawsuits and bankruptcy

• Protecting corporate data is no longer an option; it is a requirement

Page 4

What Types of Jobs Do Information Security Professionals Hold?

• Information Systems Auditor

• Business Continuity and Disaster Recovery Planning and Implementation

• Digital Forensics

• Infrastructure Design

• Business Integration

Page 5

History of Information Security

• Throughout history, confidentiality of information has always played a key role in military conflict

• Confidentiality

• Tampering

• Authenticity

• Physical protection

• Background checks

• Encryption

Page 6

Key Concept of Information Security. The single most important slide in this course!

Confidentiality, Integrity, Availability (CIA Triad)

Page 7

Confidentiality

Confidentiality is the process of preventing disclosure of information to unauthorized individuals or systems.

Examples: credit card data, shoulder surfing, laptop theft

Confidentiality is necessary, but not sufficient, to maintain privacy.

Page 8

Integrity

Integrity means that data cannot be modified without authorization.

Examples: manual deletion or alteration of important data files, virus infection, an employee altering their own salary, website vandalism, polling fraud

In information security, the term "data integrity" should not be confused with database referential integrity.

Page 9

Availability

For any information system to serve its purpose, the information must be available when it is needed. This means that the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.

Examples: power outages, hardware failures, system upgrades, and preventing denial-of-service attacks

Page 10

Authenticity

In computing, e-business and information security it is necessary to ensure that the data, transactions, communications or documents (electronic or physical) are genuine, i.e. they have not been forged or fabricated.

Examples: passports, credit card accounts, academic transcripts

Page 11

Non-Repudiation

Non-repudiation is a complex term used to describe the lack of deniability of ownership of a message, piece of data, or transaction.

Examples: proof of an ATM transaction, a stock trade, or an email

Page 12

Strong Information Security = Solid Risk Management

Proper risk management involves understanding and controlling risks, vulnerabilities and threats.

Risk is the likelihood that something bad will happen that causes harm or loss of an informational asset.

Vulnerability is a weakness that could be used to endanger or cause harm to an informational asset.

Threat is anything, deliberate or random and unanticipated, that has the potential to cause harm.

Page 13

Risk Management

The likelihood that a threat will use a vulnerability to cause harm creates a risk.

When a threat does use a vulnerability to inflict harm, it has an impact.

In the context of information security, the impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income, loss of life, loss of real property).

It should be pointed out that it is not possible to identify all risks, nor is it possible to eliminate all risk. The remaining risk is called residual risk.

Page 14

Risk Assessment

A risk assessment is a formal project carried out by a team of people who have knowledge of specific areas of the business. Membership of the team may vary over time as different parts of the business are assessed.

The assessment may use a subjective qualitative analysis based on informed opinion, or, where reliable dollar figures and historical information are available, the analysis may use quantitative analysis as well.

Page 15

Components of a Risk Assessment

• Security policy

• Organization of information security

• Asset management

• Human resources security

• Physical and environmental security

• Communications and operations management

• Access control, logical and physical

• Information systems acquisition and lifecycle management, development and maintenance

• Information security incident management

• Business continuity management

• Regulatory compliance

Page 16

Risk Management Process

Identification of assets and estimating their value. Include: people, buildings, hardware, software, data (electronic, print, other), supplies.

Conduct a threat assessment. Include: acts of nature, acts of war, accidents, malicious acts originating from inside or outside the organization.

Conduct a vulnerability assessment, and for each vulnerability, calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, quality control and technical security.

Page 17

Risk Management Process

Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis.

Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and the value of the asset.

Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost-effective protection without discernible loss of productivity.

Page 18

Risk Remedies

For any given risk, you may choose to:

Accept the risk based upon the relatively low value of the asset, the relatively low frequency of occurrence, and the relatively low impact on the business.

Mitigate the risk by selecting and implementing appropriate control measures to reduce the risk.

Transfer the risk to another business by buying insurance or outsourcing to another business.

Deny the risk, which is obviously dangerous.
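As an added example (not from the lecture), the following Python sketch scores each risk from the three quantities the process slides name (asset value, probability that the vulnerability is exploited, impact) and compares the accept, mitigate and transfer remedies by expected annual cost. The expected-loss model, the assumption that insurance covers the loss in full, and every dollar figure are constructed for illustration.

```python
"""Quantitative risk register for the process on the preceding slides.
The expected-loss model and every dollar figure are assumptions
constructed for illustration, not values from the lecture."""
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    asset_value: float          # estimated value of the asset (dollars)
    threat: str
    exploit_probability: float  # chance per year the vulnerability is exploited
    impact_fraction: float      # share of the asset value lost per occurrence

    def expected_annual_loss(self) -> float:
        """Assumed model: value x share lost x yearly probability."""
        return self.asset_value * self.impact_fraction * self.exploit_probability

def choose_remedy(risk, control_cost, residual_probability, premium):
    """Compare the slide's remedies by expected annual cost.

    control_cost          yearly cost of the mitigating control
    residual_probability  exploit probability left once the control is in place
    premium               yearly cost of transferring the risk (insurance assumed to cover the loss in full)
    'Deny' is deliberately absent: it has no cost model, only unbudgeted loss.
    """
    residual = Risk(risk.asset, risk.asset_value, risk.threat,
                    residual_probability, risk.impact_fraction)
    costs = {
        "accept": risk.expected_annual_loss(),
        "mitigate": control_cost + residual.expected_annual_loss(),
        "transfer": premium,
    }
    return min(costs, key=costs.get), costs

# Constructed sample risks: a valuable database and a low-value kiosk PC.
DB_RISK = Risk("customer database", 500_000, "insider data theft", 0.2, 0.5)
KIOSK_RISK = Risk("lobby kiosk PC", 2_000, "vandalism", 0.1, 1.0)

if __name__ == "__main__":
    for risk, args in ((DB_RISK, (10_000, 0.02, 20_000)),
                       (KIOSK_RISK, (1_000, 0.01, 500))):
        best, costs = choose_remedy(risk, *args)
        print(f"{risk.asset}: {best} {costs}")
```

The low-value kiosk comes out as "accept", matching the slide's reasoning, while the database justifies a control whose yearly cost is well below the loss it prevents.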

Page 19

Information Security Controls

When management chooses to mitigate a risk, they will do so by implementing one or more of three different types of controls:

• Administrative Controls

• Logical/Technical Controls

• Physical Controls

Page 20

Administrative Controls

Consist of approved written policies, procedures, standards and guidelines.

Administrative controls form the framework for running the business and managing people.

They inform people on how the business is to be run and how day-to-day operations are to be conducted.

Laws and regulations created by government bodies are also a type of administrative control, such as PCI, HIPAA, FERPA and SOX.

Other examples of administrative controls include the corporate security policy, password policy, hiring policies, and disciplinary policies.

Page 21

Separation of Duties is the most important and often overlooked physical control

Separation of duties ensures that an individual cannot complete a critical task by themselves.

For example: an employee who submits a request for reimbursement should not also be able to authorize payment or print the check.

An applications programmer should not also be the server administrator or the database administrator.

These roles and responsibilities must be separated from one another.

Page 22

Logical Controls

Logical controls (also called technical controls) consist of software and data to monitor and control access to information and computing systems.

For example: passwords, network- and host-based firewalls, network intrusion detection systems, access control lists, and data encryption are logical controls.

Page 23

The Principle of Least Privilege is the most important and often overlooked logical control in IS

The principle of least privilege requires that an individual, program or system process is not granted any more access privileges than are necessary to perform the task.

A blatant example of failing to adhere to the principle of least privilege is logging into Windows as the Administrator user to read email and surf the Web.

Violations of this principle can also occur when an individual collects additional access privileges over time: job duties change (promotion, new position, etc.), they are promoted to a new position, or they transfer to another department.

Examine and adjust access rights for ALL employees on a regular basis.
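A periodic access review of the kind this slide calls for, as an added example that is not part of the lecture: it checks each user's current privileges against the minimum their role needs (least privilege) and against incompatible-duty pairs taken from the separation-of-duties examples on page 21, so that privilege collected through a promotion or transfer shows up as a finding. The role table, the conflict pairs and the three sample users are constructed for illustration.

```python
"""Periodic access review: flags privilege creep (rights beyond the role's
needs) and separation-of-duties conflicts. All data here is constructed."""

# Assumed least-privilege baseline: the minimum each role needs.
ROLE_PRIVILEGES = {
    "clerk": {"submit_claim"},
    "approver": {"approve_pay"},
    "programmer": {"deploy_app"},
    "server_admin": {"server_root"},
    "dba": {"db_admin"},
}

# Privilege pairs one person must never hold together (the SoD slide's examples).
SOD_CONFLICTS = [
    ("submit_claim", "approve_pay"),
    ("deploy_app", "server_root"),
    ("deploy_app", "db_admin"),
]

def review_access(users):
    """Return (user, finding_type, detail) for every violation found."""
    findings = []
    for user in users:
        held = set(user["privileges"])
        needed = ROLE_PRIVILEGES.get(user["role"], set())
        # Least privilege: anything beyond the role baseline is excess.
        for priv in sorted(held - needed):
            findings.append((user["name"], "excess_privilege", priv))
        # Separation of duties: both halves of a conflicting pair held at once.
        for a, b in SOD_CONFLICTS:
            if a in held and b in held:
                findings.append((user["name"], "sod_conflict", f"{a}+{b}"))
    return findings

def privileges_to_revoke(users):
    """Map each user to the excess privileges the reviewer should remove."""
    revoke = {}
    for name, kind, detail in review_access(users):
        if kind == "excess_privilege":
            revoke.setdefault(name, set()).add(detail)
    return revoke

# Constructed sample: bob was promoted and carol transferred; both kept old rights.
SAMPLE_USERS = [
    {"name": "alice", "role": "clerk", "privileges": {"submit_claim"}},
    {"name": "bob", "role": "approver", "privileges": {"submit_claim", "approve_pay"}},
    {"name": "carol", "role": "programmer", "privileges": {"deploy_app", "server_root"}},
]
```

Revoking the excess rights also clears both conflicts, which is the usual outcome: privilege creep is what turns a clean role design into a separation-of-duties violation.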

Page 24

Physical Controls

Physical controls monitor and control the environment of the workplace and computing facilities. They also monitor and control access to and from such facilities.

For example: doors, locks, heating and air conditioning, smoke and fire alarms, fire suppression systems, cameras, barricades, fencing, security guards, cable locks, etc.

Separating the network and workplace into functional areas is also a physical control.

Page 25

Security Classification of Information

An important aspect of information security and risk management is recognizing the value of information and defining appropriate procedures and protection requirements for the information. Not all information is equal and so not all information requires the same degree of protection. This requires information to be assigned a security classification.

Page 26

Security Classification of Information

1. Identify a member of senior management as the owner of the particular information to be classified.

2. Develop a classification policy. The policy should describe the different classification labels, define the criteria for information to be assigned a particular label, and list the required security controls for each classification.

Page 27

Security Classification of Information

Some factors that influence which classification information should be assigned include:

1. How much value that information has to the organization.

2. How old the information is and whether or not the information has become obsolete.

3. Laws and other regulatory requirements are also important considerations when classifying information.

Page 28

Information Security Classification Labels

Common information security classification labels used by the business sector are:

• Public

• Sensitive

• Private

• Confidential

Page 29

Information Security Classification Labels

All employees in the organization, as well as business partners, must be trained on the classification schema and understand the required security controls and handling procedures for each classification.

The classification a particular information asset has been assigned should be reviewed periodically to ensure the classification is still appropriate for the information and to ensure the security controls required by the classification are in place.