Information Security Essentials: Confidentiality, Integrity and Availability of Information in the Networked Workplace
www.facebook.com/groups/manageictservices
johnmacasio@gmail.com
AGENDA
• Networked Workplace
• Information Security Essential Questions
• Information Security Basic Methods and Tools
Networked Workplace
A network is a decentralized matrix of “nodes” through which communication can occur, with multidirectional freedom for text, documents, images, sound and video to flow, neither time-bound nor spatially restricted.
Knowledge, Relationship, Participation, Development
Networked Workplace
The networked workplace is a context of performance whose functional structure is made of networks of people and connected information, enabled by information and communication technology infrastructure and services.
Networked Workplace
In the networked workplace, information is a critical asset that is created, utilized, stored and shared. The availability, immediacy and quality of information dictate what is created, what is consumed, what is believed, what is recorded, what is known, what is decided, what is acted upon and what is reused.
Document, Contacts, Conversation Records, Identity
Networked Workplace
Being connected to the networked workplace means enabling the condition of safety and security in information creation, storage, use and sharing.
Networked Workplace
The information managers and workers in the networked workplace are obligated to make safe and secure the person (organization), process, data, application and infrastructure of information.
Person, Process, Data, Application, Infrastructure
Networked Workplace
On-line organization, is your information secured?
Data Privacy, Cybercrime, Access Availability, System Integrity
https://www.youtube.com/watch?v=sdpxddDzXfE
Networked Society
On-line organization, is your information secured?
Access Reliability, System Integrity
Secure / Partially Secure / I do not know
Data Privacy, Access Availability, User Control, System Integrity, Cybercrime
Networked Workplace
On-line organization, is your information secured?
Access Reliability, System Integrity
Fully Known / Partially Known / I do not know
1. Standards & Policies
2. Physical Facility
3. Access & Identification
4. Data Processing
5. Records Handling
6. Computer Network
Information Security: Essential Questions
Cyber Security Risk Landscape
https://www.youtube.com/watch?v=fyh05k83js8
Information Security Questions…
1. Who leads, directs and controls information security?
2. What competencies in information security management are available, and what is their status?
3. What are the information assets?
– What are their rated confidentiality value, integrity metrics and availability parameters?
– What are their security risks, vulnerabilities and threats (People, Process, Data, Application, Infrastructure)?
4. What are the information security policy-making guidelines for the process, standards, content, format, participation, communication, implementation, monitoring and control of the covered domains of information security?
5. What is the information security plan: the agreed and subscribed methodology, standards, technology and toolkit for both proactive and reactive response to safety and security risks of information?
Information Security Questions…
6. What particular procedure must everybody know in order to identify the security risk of information being produced, kept, shared and re-used?
7. What particular policy must everybody know in order to speak of the principles and guidance for assuring confidentiality, availability and integrity in the creation, safekeeping and release of information?
8. Who is responsible for auditing the compliance of in-house and outsourced information systems with the defined information security requirements?
9. How is the integrity of the information system validated and verified?
10. How is the confidential value of information defined and assured?
11. Who investigates when information is compromised?
12. What process ensures the detection of a breach in the confidentiality of information?
13. When do you consider information to be misrepresented?
Enterprise Architecture Information Security Questions
Information Security Principles, Information Security Risks, Information Security Methodology
Business Function Process; Business Data & Application; Business Technology Infrastructure; Enterprise Information Security; Information Security Governance
Networked Information Supplier & Customer
Information Security Means…
Confidentiality: Secrecy, Privacy and Authority
Integrity: Accurate, Complete and Compliant
Availability: Accessible, Immediate and Uptime
BUSINESS CONTEXT OF INFORMATION SECURITY
• Membership Management, Collection Management, Benefits Management, Accreditation Management (payment, identification, claims, certification)
• Financial Management, Personnel Management, Asset Management, Legal Management
• Audit Management, Strategy Management, Risk Management, Project Management
• Infrastructure Management, Network Management, Application Management, Data Management
Information Insecurity Means…
Information is not secure when something is:
Stolen, Misrepresented, Breached, Misused, Incomplete, Unauthorized, Compromised, Denied
Information Security Risk Landscape…
• Hacking & Cybercrime
• Human Error
• Data Sharing & Reuse
• Insider & Third Party Threat
• People Awareness & Capability
• Infrastructure & System Standards Compliance
• User Access Management
• Governance & Control Management
• Usable, Applicable Policies
• Funds Acquisition & Support
Is government at risk?
https://www.youtube.com/watch?v=yDSni9AjX8Q
Information Security Risk Assessment
Example of Information Security Risk Assessment Template
Information Security Compliance Checklist
https://www.youtube.com/watch?v=AxUzDfekIOE
Information Security Compliance Checklist
Example of Agency Information Security Compliance Checklist
BASIC METHODS & TOOLS OF INFORMATION SECURITY
What it means to secure information…
1. Establish the governance and management organization of information security that complies with best-practice standards.
2. Identify the information assets, and assess the vulnerabilities and threats that surround the creation, storage, use and sharing of information.
3. Develop, document and implement policies, standards, procedures and guidelines that ensure confidentiality, integrity and availability in the person, process, data, application and infrastructure of information.
4. Evaluate, acquire and use security management tools to classify data and risk, to audit information systems, to assess and analyze risks in solution development and infrastructure, to monitor and control areas of vulnerability, and to implement security controls and appropriate reactive responses to threats.
Layered Approach to Security
Policies
Physical Security
Access Control
Anti Virus and Malware
Segmentation
Device Hardening
Intrusion Defense
Awareness and Training
Mitigating Information Security Risk
Information Security Risk Mitigation: Assessment, Policy, Governance, Technology (Why, Who, What, How)
Security Policy Requirement
Governance
• Functional Organization
• Roles and Responsibilities
Competencies
• Knowledge, Skills and Attitudes Requirements
• Training Program and Certification
Process
• Business Workflow, Procedures and Rules
• Risk Audit and Control Procedures
Data
• Acceptable Use
• Data Management
• Risk Audit and Control Procedures
Infrastructure
• Infrastructure Management
• Sourcing & Procurement
• Risk Audit and Control
Governance Guidance and Implementation; Competency Reference and Assessment; Functions, Process Models and Control Guidance; Data and Application Security Models and Acceptable Use; Physical Configuration, Network Models, Service Sourcing, Trusted Technology and Acceptable Use
No Need to Reinvent the Wheel
1. Recognize security needs & questions
2. Find the fitted practitioner standards
3. Apply the standards to real-life conditions
4. Assess and improve the practice
Governance, Competency, Process, Data, Infrastructure
Information Security Risk Assessment
Information Asset Inventory (Information Systems)
Vulnerability Identification
Threat Source
Impact Rating of Vulnerability
Risk Mitigation: Treatment, Prevention
1. Organization 2. Process 3. Data 4. Application 5. Infrastructure
Information Security Plan
Basic Security Steps
• Authorized Access
• Device Integrity
• Data Exchange Protocol
• Monitoring & Audit
• Network Hardening
• Service Agreements
• Information Systems Security Standards
• Risk Assessment & Policies
• Security Services
• User Training
Basic Security Steps
Password, Anti-Malware, File Cleaners, Encryption, Firewall, Backup, Network Scan
https://www.youtube.com/watch?v=eUxUUarTRW4
Thank You!
JOHN J. MACASIO
john.macasio@redfoxtechnologies.com
johnmacasio@gmail.com
0917-329-7993
www.facebook.com/groups/manageictservices