Information Security at the Workplace


Information Security Essentials

Confidentiality, Integrity and Availability of Information in the Networked Workplace

www.facebook.com/groups/manageictservices | johnmacasio@gmail.com

AGENDA

• Networked Workplace

• Information Security Essential Questions

• Information Security Basic Methods and Tools


Networked Workplace

A network is a decentralized matrix of "nodes" through which communication can flow in many directions: text, documents, images, sound and video, none of it time-bound or spatially restricted.

Knowledge, Relationship, Participation, Development

Networked Workplace

A networked workplace is a context of performance whose functional structure is made of networks of people and connected information, enabled by information and communication technology infrastructure and services.


Networked Workplace

In the networked workplace, information is a critical asset that is created, utilized, stored and shared. The availability, immediacy and quality of information dictate what is created, what is consumed, what is believed, what is recorded, what is known, what is decided, what is acted on, and what is reused.

• Document

• Contacts

• Conversation Records

• Identity


Networked Workplace

Being connected to the networked workplace means enabling the conditions of safety and security in the creation, storage, use and sharing of information.

Creation, Storage, Use, Sharing

Safety, Security


Networked Workplace

The information managers and workers in the networked workplace are obligated to make safe and secure the person (organization), process, data, application and infrastructure of information.

Person, Process, Data, Application, Infrastructure


Networked Workplace

On-line organization, is your information secured?

Data Privacy, Cybercrime, Access Availability, System Integrity

https://www.youtube.com/watch?v=sdpxddDzXfE

Networked Society

On-line organization, is your information secured?

Access, Reliability, System Integrity

Secure / Partially Secure / I do not Know

• Data Privacy

• Access Availability

• User Control

• System Integrity

• Cybercrime

Networked Workplace

On-line organization, is your information secured?

Access, Reliability, System Integrity

Fully Known / Partially Known / I do not Know

1. Standards & Policies

2. Physical Facility

3. Access & Identification

4. Data Processing

5. Records Handling

6. Computer Network

6. Computer Network

INFORMATION SECURITY ESSENTIAL QUESTIONS


Cyber Security Risk Landscape

https://www.youtube.com/watch?v=fyh05k83js8

Information Security Questions…

1. Who leads, directs and controls information security?

2. What competencies in information security management are available, and what is their status?

3. What are the information assets?

– What are their rated confidential value, integrity metrics and availability parameters?

– What are their security risks, vulnerabilities and threats (People, Process, Data, Application, Infrastructure)?

4. What are the information security policy-making guidelines for the process, standards, content, format, participation, communication, implementation, monitoring and control of the covered domains of information security?

5. What is the information security plan, the agreed and subscribed methodology, standards, technology and toolkit for both proactive and reactive response to safety and security risks of information?

Information Security Questions…

6. What particular procedure must everybody know in order to identify the security risk of information being produced, kept, shared and re-used?

7. What particular policy must everybody know in order to speak of the principles and guidance for assuring confidentiality, availability and integrity in the creation, safekeeping and release of information?

8. Who is responsible for auditing the compliance of in-house and outsourced information systems with the defined information security requirements?

9. How is the integrity of information system validated and verified?

10. How is the confidential value of information defined and assured?

11. Who investigates when information is compromised?

12. What process ensures the detection of a breach of confidentiality of information?

13. When do you consider information to be misrepresented?

Enterprise Architecture Information Security

Questions, Information Security Principles, Information Security Risks, Information Security Methodology

BUSINESS FUNCTION PROCESS

BUSINESS DATA & APPLICATION

BUSINESS TECHNOLOGY INFRASTRUCTURE

ENTERPRISE INFORMATION SECURITY

Information Security Governance

NETWORKED INFORMATION SUPPLIER & CUSTOMER


Information Security Means…

Information Security

• Confidentiality: Secrecy, Privacy and Authority

• Integrity: Accurate, Complete and Compliant

• Availability: Accessible, Immediate and Uptime


BUSINESS CONTEXT OF INFORMATION SECURITY

• MEMBERSHIP MANAGEMENT

• COLLECTION MANAGEMENT

• BENEFITS MANAGEMENT

• ACCREDITATION MANAGEMENT

Flows between them: payment, identification claims, certification

• FINANCIAL MANAGEMENT

• PERSONNEL MANAGEMENT

• ASSET MANAGEMENT

• LEGAL MANAGEMENT

• AUDIT MANAGEMENT

• STRATEGY MANAGEMENT

• RISK MANAGEMENT

• PROJECT MANAGEMENT

• INFRASTRUCTURE MANAGEMENT

• NETWORK MANAGEMENT

• APPLICATION MANAGEMENT

• DATA MANAGEMENT

Information Insecurity Means…

Information is not secure when something is:

• Stolen

• Misrepresented

• Breached

• Misused

• Incomplete

• Unauthorized

• Compromised

• Denied


Information Security Risk Landscape…

• Hacking & Cybercrime

• Human Error

• Data Sharing & Reuse

• Insider & Third Party Threat

• People Awareness & Capability

• Infrastructure & System Standards Compliance

• User Access Management

• Governance & Control Management

• Usable, Applicable Policies

• Funds Acquisition & Support


Is government at risk?

https://www.youtube.com/watch?v=yDSni9AjX8Q

Information Security Risk Assessment

Example of Information Security Risk Assessment Template


Information Security Compliance Checklist


https://www.youtube.com/watch?v=AxUzDfekIOE

Information Security Compliance Checklist

Example of Agency Information Security Compliance Checklist


BASIC METHODS & TOOLS OF INFORMATION SECURITY


What it means to secure information…

1. Establish a governance and management organization for information security that complies with best-practice standards.

2. Identify the information assets, and assess the vulnerabilities and threats that surround the creation, storage, use and sharing of information.

3. Develop, document and implement policies, standards, procedures and guidelines that ensure confidentiality, integrity and availability across the person, process, data, application and infrastructure of information.

4. Evaluate, acquire and use security management tools to classify data and risk, to audit information systems, to assess and analyze risks in solution development and infrastructure, to monitor and control areas of vulnerability, and to implement security controls and appropriate reactive responses to threats.

Layered Approach to Security

Policies

Physical Security

Access Control

Anti Virus and Malware

Segmentation

Device Hardening

Intrusion Defense

Awareness and Training


Mitigating Information Security Risk

Information Security Risk Mitigation

Assessment, Policy Governance, Technology

Why, Who, What, How


Security Policy Requirement

Governance

•Functional Organization

•Roles and Responsibilities

Competencies

•Knowledge, Skills and Attitudes Requirements

•Training Program and Certification

Process

•Business Workflow, Procedures and Rules

•Risk Audit and Control Procedures

Data

•Acceptable Use

•Data Management

•Risk Audit and Control Procedures

Infrastructure

•Infrastructure Management

•Sourcing & Procurement

•Risk Audit and Control

Governance Guidance and Implementation

Competency Reference and Assessment

Functions, Process Models and Control Guidance

Data and Application Security Models and Acceptable Use

Physical Configuration, Network Models, Service Sourcing, Trusted Technology, Acceptable Use

No Need to Reinvent the Wheel

1. Recognize security needs & questions

2. Find the fitted practitioner standards

3. Apply the standards to real-life conditions

4. Assess and improve the practice

Governance

Competency

Process

Data

Infrastructure

Information Security Risk Assessment

Information Asset Inventory (Information Systems)

Vulnerability Identification

Threat Source

Impact Rating of Vulnerability

Risk Mitigation: Treatment, Prevention

1. Organization

2. Process

3. Data

4. Application

5. Infrastructure
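The risk assessment flow on this slide (inventory the asset, identify the vulnerability and its threat source, rate the impact, decide on treatment) can be worked through as a small risk register. The following is an added example written for this page; it is not part of the original deck or its template. The 1-to-3 rating scales, the score formula (likelihood x impact x asset value), the treatment thresholds and the sample assets and findings are all constructed assumptions for illustration.

```python
"""Worked information security risk register (added example, not from the deck).

Flow: asset inventory -> vulnerability identification -> threat source
      -> impact rating -> risk mitigation decision (treatment / prevention).
Scales, formula and thresholds below are assumptions, not the deck's.
"""
from dataclasses import dataclass

# The five domains the slide lists for vulnerability identification.
DOMAINS = ("Organization", "Process", "Data", "Application", "Infrastructure")

# Assumed ordinal scale 1 (low) .. 3 (high) used for every rating.
SCALE = range(1, 4)


@dataclass(frozen=True)
class Asset:
    """One row of the information asset inventory with its CIA ratings."""
    name: str
    domain: str
    confidentiality: int  # rated confidential value
    integrity: int        # integrity metric
    availability: int     # availability parameter

    def __post_init__(self):
        if self.domain not in DOMAINS:
            raise ValueError(f"unknown domain: {self.domain}")
        for r in (self.confidentiality, self.integrity, self.availability):
            if r not in SCALE:
                raise ValueError(f"rating out of range 1..3: {r}")

    def value(self) -> int:
        # An asset is as valuable as its most demanding CIA requirement.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Finding:
    """A vulnerability found on an asset, with threat source and ratings."""
    asset: Asset
    vulnerability: str
    threat_source: str
    likelihood: int  # how likely the threat source exploits the weakness
    impact: int      # impact rating of the vulnerability if exploited

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be 1..3")

    def score(self) -> int:
        # Assumed formula: likelihood x impact x asset value, range 1..27.
        return self.likelihood * self.impact * self.asset.value()


def treatment(score: int) -> str:
    """Map a risk score to a mitigation decision (thresholds are assumed)."""
    if score >= 18:
        return "mitigate now"
    if score >= 8:
        return "treatment plan"
    return "accept and monitor"


def assess(findings):
    """Build the risk register, highest score first."""
    rows = [
        {
            "asset": f.asset.name,
            "domain": f.asset.domain,
            "vulnerability": f.vulnerability,
            "threat_source": f.threat_source,
            "score": f.score(),
            "treatment": treatment(f.score()),
        }
        for f in findings
    ]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def domain_summary(findings):
    """Highest score per domain; 0 where no finding was recorded."""
    summary = {d: 0 for d in DOMAINS}
    for f in findings:
        summary[f.asset.domain] = max(summary[f.asset.domain], f.score())
    return summary


# Constructed sample inventory and findings (not real systems).
_MEMBERS_DB = Asset("Member records database", "Data", 3, 3, 2)
_WEBSITE = Asset("Public information website", "Application", 1, 2, 2)
_IR_PROC = Asset("Incident response procedure", "Process", 1, 2, 2)
_PRINTER = Asset("Shared office printer", "Infrastructure", 1, 1, 1)

SAMPLE_FINDINGS = [
    Finding(_PRINTER, "default management password left in place", "insider / third party", 1, 1),
    Finding(_WEBSITE, "web server missing vendor security updates", "hacking & cybercrime", 3, 2),
    Finding(_MEMBERS_DB, "administrator password shared by several staff", "insider", 2, 3),
    Finding(_IR_PROC, "no named owner; procedure never reviewed", "human error", 2, 2),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_FINDINGS):
        print(f"{row['score']:>2}  {row['treatment']:<18} {row['domain']:<15} {row['asset']}")
    print(domain_summary(SAMPLE_FINDINGS))
```

Running the module prints the register sorted by score, so the shared administrator password on the member database (score 18) comes first and the printer default (score 1) last; the per-domain summary shows at a glance which of the five domains carries the highest unresolved risk and which have no findings yet.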


Information Security Plan


Basic Security Steps

Authorized Access

Device Integrity

Data Exchange Protocol

Monitoring & Audit

Network Hardening

Service Agreements

Information Systems Security Standards

Risk Assessment & Policies

Security Services

User Training


Basic Security Steps

Password, Anti-Malware, File Cleaners, Encryption, Firewall, Backup, Network Scan

https://www.youtube.com/watch?v=eUxUUarTRW4

Thank You!

JOHN J. MACASIO

john.macasio@redfoxtechnologies.com

johnmacasio@gmail.com

0917-329-7993

www.facebook.com/groups/manageictservices
