INFORMATION SECURITY
• Information security is a prime concern for every organization that uses computer-based information systems, because the potential for security breaches is much higher in these systems than in manual ones.
• It concerns the protection of information assets against loss, damage, or unauthorized disclosure.
• The basic objective of information security is to protect the interests of those who rely on information from the harm that results from a failure of availability, confidentiality or integrity.
• The information security objective is met when:
– Information systems are available and usable whenever required (availability objective)
– Information is disclosed only to those who have the right to know it (confidentiality objective)
– Information is protected against unauthorized modification (integrity objective)
PRINCIPLES OF IS
1. Accountability principle
2. Awareness principle
3. Multidisciplinary principle
4. Integration principle
5. Timeliness principle
6. Reassessment principle
7. Cost-effective principle
8. Societal principle
1. Accountability principle: the following issues should be considered:
• Specification of ownership of data and information
• Unique identification of every user who accesses the system, so that each action can be attributed to one person
• Assignment of responsibility for maintenance of data and information
• Institution of investigative and other remedial procedures when a breach or an attempted breach of information security occurs
2. Awareness principle: the following issues should be considered:
• The level of detail disclosed should be consistent with information security requirements
• Appropriate knowledge should be available to all parties concerned
• Information security is not a one-shot action but an on-going process, so that it becomes part of the organizational culture
• Security awareness, being an on-going process, applies to all employees, whether long-serving staff or new recruits
3. Multidisciplinary principle: the issues to be tackled in this context are:
• The business value of the information being protected
• The technology available to meet the information security requirements
• The impact of organizational and technological changes
• The requirements of legal and industry norms
• The requirements of managing advanced technology for information security
4. Integration principle: the issues that should be addressed are:
• Information security policy and administration should be an integral part of the overall management of the organization
• Information systems development and information security should be consistent with each other
5. Timeliness principle: the issues that should be taken care of are:
• The instantaneous and irrevocable nature of business transactions
• The volume of information generated by increasingly interconnected and complex information systems
• Automated tools to support real-time monitoring
• Prompt reporting of security breaches to the appropriate decision-making level
6. Reassessment principle: the issues that should be taken care of are:
• Increasingly frequent upgrades of information systems according to business needs
• Changes in information systems and their infrastructure
• New threats that emerge over time and require additional safeguards
• New information security technology that has emerged or is emerging
7. Cost-effective principle: the issues that should be taken care of are:
• The value to, and dependence of, the organization on a particular information asset
• The amount of security and confidentiality required
• The nature of the threats that exist
• The costs and benefits of security
• The optimum level beyond which the cost of further security measures becomes prohibitive
8. Societal principle: the issues that should be taken care of are:
• Fair presentation of data and information to legitimate users
• Ethical use and disclosure of information obtained from others
APPROACHES
• Preventive information protection approach
• Restorative information protection approach
• Holistic information protection approach
IMPLEMENTATION OF IS
1. DEVELOPMENT OF SECURITY POLICIES
2. PRESCRIBING ROLES AND RESPONSIBILITIES
3. DESIGNING SECURITY MEASURES
4. EDUCATING EMPLOYEES
5. IMPLEMENTATION
6. MONITORING
1. DEVELOPMENT OF SECURITY POLICIES
• A policy is a statement or general understanding that provides guidelines to members of an organization for decision making in respect of any course of action
• While designing such policies the core principles of information security should be kept in mind so that sound policies are developed
• The policy should cover the following aspects:
– The importance of and need for information security in the organization
– A statement by the chief executive of the organization in support of the objectives of effective information security
– Data security
– Communication security / personnel security
– Description of responsibility and accountability for information security
– Physical, logical and environmental security
– Security awareness, education and training
– Security breaches: detection and reporting requirements
2. PRESCRIBING ROLES AND RESPONSIBILITIES
• Chief information executive: has overall responsibility for developing and operating information systems, including their security
• Information security administrator: has overall responsibility for information security
• Other professionals: responsible for security measures in their respective areas
• Data owners: responsible for ensuring that appropriate security, consistent with organizational policies, is embedded in the information systems
• Technology providers: responsible for assisting in the implementation of information security
• Users: responsible for adhering to the procedures prescribed for information security
3. DESIGNING SECURITY MEASURES
• This includes prescribing standards, procedures, methods and practices in respect of information security.
• While designing security measures, the security requirements of each individual information system should be taken into account, as different information systems have different security requirements.
4. EDUCATING EMPLOYEES
• Technical training
• Behavioral training
5. IMPLEMENTATION
• Managerial controls
• Identification and authentication controls
• Logical access controls
• Accountability controls
• Cryptographic controls
• Computer operations controls
• Physical and environmental controls
6. MONITORING
Issues that need to be addressed in achieving effective monitoring include:
• Appointment of an appropriate person, possibly the information security administrator, with adequate authority, tools and resources to exercise control
• Establishment of clear investigating procedures
• Information system audit by external auditors
• Establishment of audit trail information from the large number of systems that may need to be examined
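The last monitoring point, audit trails drawn from many systems, is where the accountability principle is tested in practice: each system logs in its own format, and an attack that stays below the alert threshold on every single system is visible only when the records are pooled by user. The example below is added here to show that pooling; it is not part of the original slides. The three log formats, the host names and user names are constructed sample data, and the thresholds are assumptions chosen for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit records from three hypothetical systems, each in
# its own format, as is normal when audit trails from many systems are pooled.
SYSLOG_LINES = [
    "2024-03-01T09:00:01Z hr-db sshd: Failed password for alice from 10.0.0.5",
    "2024-03-01T09:00:04Z hr-db sshd: Failed password for alice from 10.0.0.5",
    "2024-03-01T09:00:09Z hr-db sshd: Accepted password for alice from 10.0.0.5",
    "2024-03-01T11:15:00Z hr-db sshd: Accepted password for root from 10.0.0.9",
]
WEB_LINES = [
    '10.0.0.5 - alice [01/Mar/2024:09:00:02 +0000] "POST /login HTTP/1.1" 401',
    '10.0.0.5 - alice [01/Mar/2024:09:00:06 +0000] "POST /login HTTP/1.1" 401',
    '10.0.0.7 - bob [01/Mar/2024:10:30:00 +0000] "POST /login HTTP/1.1" 200',
]
APP_LINES = [
    '{"ts": "2024-03-01T09:00:07Z", "user": "alice", "event": "login", "ok": false}',
    '{"ts": "2024-03-01T12:00:00Z", "user": "admin", "event": "login", "ok": true}',
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)
WEB_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)


def _iso(ts):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used by the syslog and app samples."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_events(syslog_lines, web_lines, app_lines):
    """Map all three formats onto one record shape:
    {"ts": aware datetime, "system": str, "user": str, "ok": bool}, sorted by time."""
    events = []
    for line in syslog_lines:
        m = SYSLOG_RE.match(line)
        if m:
            events.append({"ts": _iso(m.group("ts")), "system": m.group("host"),
                           "user": m.group("user"), "ok": m.group("result") == "Accepted"})
    for line in web_lines:
        m = WEB_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
                           "system": "web", "user": m.group("user"),
                           "ok": m.group("status") == "200"})
    for line in app_lines:
        rec = json.loads(line)
        events.append({"ts": _iso(rec["ts"]), "system": "app",
                       "user": rec["user"], "ok": bool(rec["ok"])})
    return sorted(events, key=lambda e: e["ts"])


def burst_failures(events, threshold=4, window_seconds=60):
    """Return {user: (failure_count, [systems])} for users whose failed logins,
    pooled across all systems, reach `threshold` inside `window_seconds`.
    No single system in the sample data sees four failures; only the pooled trail does."""
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["user"]].append(e)
    alerts = {}
    window = timedelta(seconds=window_seconds)
    for user, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1]["ts"] - fails[i]["ts"] <= window:
                in_window = [f for f in fails[i:] if f["ts"] - fails[i]["ts"] <= window]
                alerts[user] = (len(in_window), sorted({f["system"] for f in in_window}))
                break
    return alerts


def shared_account_logins(events, shared_accounts=("root", "admin")):
    """Successful logins under generic accounts. These break the accountability
    principle: the action cannot be attributed to one identified person."""
    return [(e["system"], e["user"], e["ts"].isoformat())
            for e in events if e["ok"] and e["user"] in shared_accounts]


if __name__ == "__main__":
    evs = normalize_events(SYSLOG_LINES, WEB_LINES, APP_LINES)
    print("burst failures:", burst_failures(evs))
    print("shared-account logins:", shared_account_logins(evs))
```

The two checks correspond to two of the slide's points: `burst_failures` is the cross-system correlation that a single system's log cannot provide, and `shared_account_logins` flags the records that the accountability principle says should not exist, because a login as `root` or `admin` cannot be traced to one user.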
SOURCES OF THREATS TO IS
• INTERNAL SOURCES
• EXTERNAL SOURCES
INTERNET FRAUDS
Hacking
Protection against hacking:
• Checking system security
• Use of firewalls
• Data encryption
Viruses
Protection against viruses:
• Use of antivirus software
• Procurement of software from reliable sources
• Testing new applications on stand-alone systems
Measures against computer frauds
• Detection of frauds
• Disk imaging and analysis technique:
– Imaging the hard disk
– Recovering deleted files
– Analysis of the processed image
• Actions after detection of frauds
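The disk imaging and analysis steps above are shown below in working form, as an example added to these notes rather than code from the original. The "device" is a constructed byte string of 512-byte sectors holding a valid PNG, a minimal JPEG-like blob and a PNG whose tail sectors were overwritten; the file layout, sector size and the choice of SHA-256 are assumptions for the illustration. Imaging copies every sector and records a hash so the copy can be verified before analysis; recovery of deleted files uses signature carving, which ignores filesystem metadata and therefore still works after a file has been deleted.

```python
import hashlib
import struct
import zlib

SECTOR = 512
PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"


def make_png(width=1, height=1):
    """Build a minimal valid PNG so the constructed device contains a real, checkable file."""
    def chunk(ctype, data):
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def build_device():
    """Constructed 'hard disk': 16 sectors, no filesystem metadata at all (as if the
    directory entries were deleted), with file content still present in the sectors."""
    png = make_png()
    jpeg = JPEG_SOI + b"\xe0" + b"\x00\x10JFIF\x00" + b"\x11" * 40 + JPEG_EOI
    truncated = make_png()[:-6]          # tail overwritten: IEND chunk is incomplete
    dev = bytearray(SECTOR * 16)
    dev[SECTOR * 3:SECTOR * 3 + len(png)] = png
    dev[SECTOR * 7:SECTOR * 7 + len(jpeg)] = jpeg
    dev[SECTOR * 11:SECTOR * 11 + len(truncated)] = truncated
    return bytes(dev)


def acquire_image(device):
    """Step 1, imaging: copy the device sector by sector and hash it as it is read.
    The digest travels with the image so later analysis can prove nothing changed."""
    out, h = bytearray(), hashlib.sha256()
    for off in range(0, len(device), SECTOR):
        block = device[off:off + SECTOR]
        out += block
        h.update(block)
    return bytes(out), h.hexdigest()


def verify_image(image, expected_digest):
    """Check the working copy against the digest recorded at acquisition time."""
    return hashlib.sha256(image).hexdigest() == expected_digest


def carve_png(image, start):
    """Walk PNG chunks from `start`; return the whole file only if every chunk CRC
    validates up to IEND. A partially overwritten file fails here instead of being
    reported as intact."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(image):
        length = struct.unpack(">I", image[pos:pos + 4])[0]
        ctype = image[pos + 4:pos + 8]
        data = image[pos + 8:pos + 8 + length]
        crc = image[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            return None
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            return None
        pos += 12 + length
        if ctype == b"IEND":
            return image[start:pos]
    return None


def carve_jpeg(image, start):
    """JPEG has no length field: take everything from SOI to the next EOI marker."""
    end = image.find(JPEG_EOI, start + len(JPEG_SOI))
    return None if end < 0 else image[start:end + 2]


def carve(image):
    """Step 2, recovering deleted files by signature; returns [(offset, kind, bytes)]."""
    found = []
    for sig, kind, fn in ((PNG_SIG, "png", carve_png), (JPEG_SOI, "jpeg", carve_jpeg)):
        pos = image.find(sig)
        while pos >= 0:
            data = fn(image, pos)
            if data:
                found.append((pos, kind, data))
                pos = image.find(sig, pos + len(data))
            else:
                pos = image.find(sig, pos + 1)
    return sorted(found)


if __name__ == "__main__":
    image, digest = acquire_image(build_device())
    print("image verified:", verify_image(image, digest))
    for off, kind, data in carve(image):      # step 3, analysis of the image
        print(f"sector {off // SECTOR}: {kind}, {len(data)} bytes, sha256 {hashlib.sha256(data).hexdigest()[:16]}")
```

Two points a practitioner would check: analysis is run on the verified copy, never on the original device, and every recovered file is itself hashed so that what is reported after detection can be tied back to the image. The truncated PNG at sector 11 is deliberately not returned; its CRC check fails, which is the difference between "a file was here" and "this is the file".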
Prevention of computer frauds
• Making fraud difficult to commit:
– Applying strong controls
– Rotating jobs
– Controlling sensitive data
– Controlling laptop computers
– Applying strict punishment measures
• Improving fraud detection methods:
– Use of fraud detection software
– Appointment of a computer security officer
– Monitoring system activities
– Conducting system audits