Information Security Management

Upload: george-shields

Post on 11-Jan-2016

TRANSCRIPT

Page 1: Information Security Management. Workshop Agenda. Understanding your Information Security Environment

Information Security Management

Page 2

Workshop Agenda

• Understanding your Information Security Environment
• Service Management & Risk Identification
• Understanding your Risk Environment
• Managing the Risk – Compliance Management
• Information Security Plans

Page 3

Workshop Theme

• Management
• Staff and
• Customers

“Need to Know”?

Page 4

“The Need to Know”?

Understanding Your Information Environment

Page 5

Enterprise Level Information Environment

• If you can’t map your system you can’t secure your data
• Your system is bounded by your data model
• What do you protect?
  – The data in the system
• The system is more than the static ICT elements:
  – Paper
  – Media – removable
  – Knowledge – people
  – Communications – internet, phone, mobile, fax etc.

Page 6

“The Need to Know”?

Understanding Your Information Security Environment

Page 7

What is Information Security?

• Organisations which collect and store data about:
  – Customers, Staff, Key business processes (IP)
• Must be able to demonstrate effective security measures
• Ensure that personal information is accurate and up to date
• Security – the key to retaining the confidence of key stakeholders

“If you can’t secure data, you can’t measure quality and you can’t improve integrity”

Page 8

What is Information Security?

“Information Security” is a combination of:

• Communications security (Comsec)
• Computer security (Compusec)

Ref: Australian National Computer Security and Information Security Authority, the Defence Signals Directorate

Page 9

What is Information Security?

• “Confidentiality” – ensuring that information is available only to those people properly authorized to receive it
• “Integrity” – ensuring that information has not been changed or tampered with
• “Availability” – ensuring that communications and computing systems are not disrupted in their normal operations

Page 10

What is Information Security?

• Authentication – ensures that a person accessing or providing information is actually who they claim to be
• Non-repudiation – ensures that a person is not able to deny the receipt of information if they have received it
• These factors are rapidly growing in importance – our day-to-day business is increasingly conducted by electronic means

Page 11

QUESTIONS?

Page 12

“The Need to Know”?

Service Management & Risk Identification

Page 13

Service Delivery Management System

• Strategies – Policy implementation (business drivers), e.g. Resolution Management at the system level
• Plans – Example: what resolution management is, how it will be implemented, who is responsible, e.g. helpdesk manager (reviewed annually)
• Processes – Process flows of the Resolution Process (flowcharts)
• Procedures – Detailed process charts
• Handbooks – Functional Client/Practitioner perspective, e.g. help desk scripts

Page 14

Service management processes (diagram; the process groupings are the recoverable content)

Service Delivery Processes:
• Capacity Management
• Service Level Management
• Service Reporting
• Information Security Management
• Service Continuity and Availability Management
• Budgeting and Accounting for IT services

Control Processes:
• Configuration Management
• Change Management

Release Process:
• Release Management

Relationship Processes:
• Business Relationship Management
• Supplier Management

Resolution Processes:
• Incident Management
• Problem Management

Page 15

Service Management – Risk Identification

• ICT Service Management includes
  – Security Management
• Effective Security Management requires a holistic approach
• IT&C Security Management Framework
  – ensure effective management of all security functions
  – security risk management
  – security related management reporting
  – requirements of PSM and Australian Standards

Page 16

Service Management – Risk Identification

• An effective Information Security Management System is characterised by the Plan, Do, Check, Act (PDCA) process model
• Alignment of Service and Security management functions will ensure
  – a seamless transition of service incidents through the resolution process
  – timely response, and
  – detection of risks, which will ensure improved protection of the Agency and networks

Page 17

Service Management – Risk Identification

The Plan-Do-Check-Act (PDCA) methodology:

• Plan: establish the objectives and processes used to deliver results that meet customer requirements and the organization’s policies
• Do: implement the processes
• Check: monitor and measure processes and services against policies, objectives and requirements, and report the results
• Act: take actions to continually improve process performance

Page 18

Service Management – Risk Identification

• Service Management resolution processes:
  – Include Incident and Problem Management
• The relationship between Service incidents and Security incidents is fundamental to the
  – Detection
  – Recording
  – Investigation
  – Resolution of security incidents
• Service and Security incidents may impact on the efficiency of networks – may represent a risk

Page 19

Service Management – Risk Identification

Service and Security incident / Risk detection

• Timely detection of Service and Security incidents
  – essential to avert damage or
  – disruption to services
• Resolution of Service delivery issues starts in the Helpdesk first-line response to incidents
• Challenge – Capture of issues or possible risks at the Helpdesk

Page 20

Service Management – Risk Identification

Risk identification

• Resolution is achieved by the Helpdesk
  – incident is closed
  – Resolution Process is deemed complete
• Detection of risks to the network or system may also be initiated at the incident recording stage by the Helpdesk
• Development of a comprehensive assessment method to detect the characteristics of incidents
• Avert realisation of risks to the network or organization
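The assessment method that pages 18 to 20 call for, as an added example that is not part of the workshop material: service incidents are screened for security characteristics at the recording stage, routed into the security incident process when they match, and linked into a problem record when the same characteristic recurs. The characteristic-to-threat mapping, the recurrence threshold and the sample tickets are constructed assumptions.

```python
"""Added example, not from the workshop slides: a first-line helpdesk
assessment that screens service incidents for security characteristics at
recording time and links repeated incidents into a problem record, so a risk
is detected before tickets are simply closed. The characteristic-to-threat
mapping, threshold and sample tickets are constructed assumptions."""
from collections import Counter
from dataclasses import dataclass

# Observable ticket characteristics mapped to the deliberate threats the
# workshop lists (constructed mapping; an assumption, not the deck's method).
SECURITY_CHARACTERISTICS = {
    "unexpected account lockouts": "Unauthorised access to data",
    "login from unknown location": "Unauthorised access to data",
    "files changed without a change record": "Malicious destruction of data",
    "antivirus alert": "Malicious code - virus",
    "service unreachable under abnormal load": "Denial of Service",
}
PROBLEM_THRESHOLD = 3  # repeated incidents that trigger Problem Management (assumed)

@dataclass
class Ticket:
    ticket_id: str
    summary: str
    characteristics: tuple

def assess_ticket(ticket):
    """Return (is_security_incident, sorted suspected threats)."""
    threats = sorted({SECURITY_CHARACTERISTICS[c] for c in ticket.characteristics
                      if c in SECURITY_CHARACTERISTICS})
    return bool(threats), threats

def triage(tickets):
    """Route each ticket: security incidents enter the security incident
    process (detection, recording, investigation, resolution); the rest stay
    in ordinary service resolution."""
    routed = {"security": [], "service": []}
    for t in tickets:
        is_sec, threats = assess_ticket(t)
        routed["security" if is_sec else "service"].append((t.ticket_id, threats))
    return routed

def detect_problems(tickets):
    """Incident Management feeds Problem Management: a characteristic that
    recurs across PROBLEM_THRESHOLD or more tickets is raised as a risk,
    even when each ticket alone looks like a routine service incident."""
    counts = Counter(c for t in tickets for c in set(t.characteristics))
    return {c: n for c, n in counts.items() if n >= PROBLEM_THRESHOLD}

# Constructed sample tickets, as a helpdesk might record them.
SAMPLE_TICKETS = [
    Ticket("INC-001", "Printer offline", ("printer offline",)),
    Ticket("INC-002", "User cannot log in",
           ("unexpected account lockouts", "login from unknown location")),
    Ticket("INC-003", "Reports edited overnight", ("files changed without a change record",)),
    Ticket("INC-004", "Another user locked out", ("unexpected account lockouts",)),
    Ticket("INC-005", "Third lockout this morning", ("unexpected account lockouts",)),
]

if __name__ == "__main__":
    print(triage(SAMPLE_TICKETS))
    print(detect_problems(SAMPLE_TICKETS))
```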

Page 21

QUESTIONS?

Page 22

“The Need to Know”?

Understanding your Risk Environment

Page 23

Risk Management Environment

Discover environmental data:

• What data do you hold?
• Where is the information?
• Where does the data reside?
• Interfaces?
• Who has access to your information?
• What are the boundaries of your system?

Is information security about Computers or Information?

Page 24

Risk Management System

• Determining the level of risk – achieved by comparing the relationship between
  – the threats to information and assets
  – the known security weaknesses or vulnerabilities of information technology systems
• The level of acceptable risk – a managerial decision based on the information and recommendations provided in the risk assessment

Page 25

Dynamic Risk Management Systems

Establish the Context
• Define relationship with other systems
• Identify assets
• Establish risk criteria

Risk Identification
• Identify the risks to be managed
• Determine what to protect against (Threats)
• Determine who to protect against

Page 26

Dynamic Risk Management Systems

Risk Analysis
• Analyse risks to be managed
• Estimate likelihood and consequence
• Determine context against management/control measures
• Assess existing/proposed security measures
• Determine vulnerability and acceptable risk

Page 27

Dynamic Risk Management Systems

• Risk Evaluation and Treatment
  – Compare assessed risks against risk criteria
  – Consider treatment options
• Recommendations
  – Identify the steps to be taken to manage the accepted or residual risks

Page 28

Risk Assessment

• Do you understand your information system?
• Risk Assessment will reveal a detailed view of your information environment
  – Establish the boundaries of your system
  – Identify your information inventory
  – Identify and value your critical data sets
  – Establish the risks to your information system

Page 29

Risk Assessment

• The risk assessment process – converting subjective risks into objective harms
• Harms to your information system can be assessed, analysed and measured
• Risk is assessed against the likelihood and consequence of compromising:
  – Confidentiality
  – Integrity
  – Availability of your information

Page 30

Threats to Information Assets

Threats that can impact on the Confidentiality, Integrity and Availability of an Information System include the following generic threats:

• Accidental Threats
  – Fire
  – Programming error
  – Technical (hardware) failure
  – Data entry error
  – Environmental
  – Failure of power

Page 31

Threats to Information Assets

• Deliberate Threats, including:
  – Denial of Service
  – Eavesdropping
  – Malicious code – virus
  – Malicious code – logic
  – Malicious destruction of data
  – Malicious destruction of facilities
  – Unauthorised access to data
  – Unauthorised release of data
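A risk register that carries the steps of pages 24 to 29 through in code, using threats from the lists on pages 30 and 31: likelihood and consequence are estimated per Confidentiality, Integrity and Availability, the worst score is compared with the acceptable-risk criterion, and a treatment yields the residual risk management must then accept or treat further. This is an added example, not the workshop's own method; the five-point scales, the acceptable-risk threshold, the asset and the ratings are constructed assumptions.

```python
"""Added example, not from the workshop slides: a minimal risk register that
scores likelihood x consequence for each of C, I and A, compares the worst
score with the risk criteria, and reports residual risk after a treatment.
Scales, criteria, asset and ratings are constructed assumptions."""
from dataclasses import dataclass, field

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
ACCEPTABLE_RISK = 10  # managerial decision (assumed): scores above this must be treated

@dataclass
class Risk:
    asset: str
    threat: str                 # taken from the accidental / deliberate threat lists
    likelihood: str
    consequence: dict           # impact rating for each of "C", "I", "A"
    treatments: list = field(default_factory=list)

    def score(self):
        """Likelihood x consequence for each property of the information."""
        l = LIKELIHOOD[self.likelihood]
        return {p: l * CONSEQUENCE[c] for p, c in self.consequence.items()}

    def rating(self):
        """The risk rating is driven by the worst-affected property."""
        return max(self.score().values())

def evaluate(register):
    """Risk Evaluation: compare each assessed risk with the risk criteria."""
    return {(r.asset, r.threat): ("treat" if r.rating() > ACCEPTABLE_RISK else "accept")
            for r in register}

def treat(risk, reduced_likelihood, control):
    """Risk Treatment: a control lowers the likelihood; what remains is the
    residual risk that management must explicitly accept or treat further."""
    return Risk(risk.asset, risk.threat, reduced_likelihood,
                dict(risk.consequence), risk.treatments + [control])

# Constructed register for one critical data set (an assumption).
REGISTER = [
    Risk("customer records", "Unauthorised release of data", "possible",
         {"C": "major", "I": "minor", "A": "insignificant"}),
    Risk("customer records", "Failure of power", "likely",
         {"C": "insignificant", "I": "minor", "A": "moderate"}),
    Risk("customer records", "Data entry error", "almost certain",
         {"C": "insignificant", "I": "minor", "A": "insignificant"}),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(r.threat, r.score(), r.rating())
    print(evaluate(REGISTER))
    residual = treat(REGISTER[0], "unlikely", "access control and encryption at rest")
    print(residual.rating(), evaluate([residual]))
```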

Page 32

QUESTIONS?

Page 33

“The Need to Know”?

Managing the Risk – Compliance Management

Page 34

Compliance Obligations

• Handle all information with care – all information that an employee or contractor accesses must be handled according to policy – official information, personal information (Privacy Act)
• Information must only be used for the purpose stated by the agency or organization – any other use is misuse
• Information must be secured appropriately – sound security risk management
  – Procedures to identify vital information and information resources
• Risks must be reduced to an acceptable level

Page 35

Compliance Obligations

• The integrity and reliability of information systems which process, store or transmit information require some level of protection
• Some Government information (official information) is given a security classification where its compromise could cause harm to the nation, the public interest, the Government or other entities or individuals
• Specific security measures must be followed

Page 36

QUESTIONS?

Page 37

Information Security Plans

• If you can’t map your system you can’t secure your data
• Your system is bounded by your data model
• What do you protect?
  – The data in the system
• The system is more than the static ICT elements:
  – Paper
  – Media – removable
  – Knowledge – people
  – Communications – internet, phone, mobile, fax etc.

Page 38

Information Security Plans

Aim: Provide an effective, integral and available information system and resource by:

• Incorporating security into every facet of the architecture, design and operation of the System environment
• Establishing a Security Management Strategy
• Developing Security Standards

Page 39

Information Security Plans

Development of Information Security Plans requires a good understanding of your data

• Step 1 – Understand your information (Data)
• Step 2 – Understand your Information System
• Step 3 – Map your system boundaries – SAPP (Security Architecture and Policy Plan)

Page 40

Information Security Plans

• Step 4 – Develop an Information Security (IS) Policy
• Step 5 – Develop an Information Security (IS) Plan
• Step 6 – Develop / implement Risk Management System
• Step 7 – Establish an IS Education Program

Page 41

Information Security Plans

• Implement Security System
• Implement Compliance Management System
• Implement Security Education and Awareness Program

Outcome: Protecting information against unauthorized disclosure, fraud, loss, damage or theft

Page 42

QUESTIONS?