Information Security Essentials: Confidentiality, Integrity and Availability of Information in the Networked Workplace
www.facebook.com/groups/manageictservices [email protected]

Information Security at the Workplace


Page 1: Information Security at the Workplace

Information Security Essentials: Confidentiality, Integrity and Availability of Information in the Networked Workplace

Page 2: Information Security at the Workplace

AGENDA

• Networked Workplace

• Information Security Essential Questions

• Information Security Basic Methods and Tools


Page 3: Information Security at the Workplace

Networked Workplace

A network is a decentralized matrix of “nodes” through which communication can flow in any direction, carrying text, documents, images, sound and video, neither time-bound nor spatially restricted.

Knowledge Relationship Participation Development

Page 4: Information Security at the Workplace

Networked Workplace

The networked workplace is a context of performance whose functional structure is made of networks of people and connected information, enabled by information and communication technology (ICT) infrastructure and services.


Page 5: Information Security at the Workplace

Networked Workplace

In the networked workplace, information is a critical asset that is created, utilized, stored and shared. The availability, immediacy and quality of information dictate what is created, what is consumed, what is believed, what is recorded, what is known, what is decided, what is acted upon, and what is reused.

Document

Contacts

Conversation Records

Identity


Page 6: Information Security at the Workplace

Networked Workplace

Being connected to the networked workplace means ensuring the safety and security of information at every stage of its lifecycle: Creation, Storage, Use and Sharing.


Page 7: Information Security at the Workplace

Networked Workplace

Information managers and workers in the networked workplace are obligated to keep safe and secure all five layers of information: the person (organization), process, data, application and infrastructure.

Person · Process · Data · Application · Infrastructure


Page 8: Information Security at the Workplace

Networked Workplace

Online organization, is your information secured?

Data Privacy Cybercrime Access Availability System Integrity

https://www.youtube.com/watch?v=sdpxddDzXfE

Page 9: Information Security at the Workplace

Networked Society

Online organization, is your information secured?

Survey chart (image not reproduced): how respondents rate their organization (Secure / Partially Secure / I do not know) on Access Reliability, System Integrity, Data Privacy, Access Availability, User Control and Cybercrime.

Page 10: Information Security at the Workplace

Networked Workplace

Online organization, is your information secured?

Survey chart (image not reproduced): how well the organization knows its own security posture (Fully Known / Partially Known / I do not know) on Access Reliability and System Integrity, across six domains:

1. Standards & Policies
2. Physical Facility
3. Access & Identification
4. Data Processing
5. Records Handling
6. Computer Network

Page 11: Information Security at the Workplace

INFORMATION SECURITY ESSENTIAL QUESTIONS


Page 12: Information Security at the Workplace

Cyber Security Risk Landscape

https://www.youtube.com/watch?v=fyh05k83js8

Page 13: Information Security at the Workplace

Information Security Questions…

1. Who leads, directs and controls information security?

2. What competencies in information security management are available, and what is their status?

3. What are the information assets?

– What are their rated confidentiality value, integrity metrics and availability parameters?

– What are their security risks, vulnerabilities and threats (people, process, data, application, infrastructure)?

4. What are the information security policy-making guidelines for the process, standards, content, format, participation, communication, implementation, monitoring and control of the covered domains of information security?

5. What is the information security plan: the agreed and subscribed methodology, standards, technology and toolkit for both proactive and reactive response to safety and security risks to information?

Page 14: Information Security at the Workplace

Information Security Questions…

6. What particular procedure must everybody know in order to identify the security risk of information being produced, kept, shared and re-used?

7. What particular policy must everybody know that states the principles and guidance for assuring confidentiality, availability and integrity in the creation, safekeeping and release of information?

8. Who is responsible for auditing the compliance of in-house and outsourced information systems with the defined information security requirements?

9. How is the integrity of an information system validated and verified?

10. How is the confidential value of information defined and assured?

11. Who investigates when information is compromised?

12. What process ensures the detection of a breach of confidentiality of information?

13. When do you consider information to be misrepresented?

Page 15: Information Security at the Workplace

Enterprise Architecture view of Information Security (diagram, not reproduced): Information Security Questions lead to Information Security Principles, Information Security Risks and an Information Security Methodology. Enterprise Information Security and Information Security Governance span the layers of Business Function and Process, Business Data and Application, and Business Technology Infrastructure, with Networked Information Suppliers and Customers at the boundary.


Page 16: Information Security at the Workplace

Information Security Means…

Information Security is:

• Confidentiality: Secrecy, Privacy and Authority

• Integrity: Accurate, Complete and Compliant

• Availability: Accessible, Immediate and Uptime


Page 17: Information Security at the Workplace

BUSINESS CONTEXT OF INFORMATION SECURITY

MEMBERSHIP MANAGEMENT · COLLECTION MANAGEMENT · BENEFITS MANAGEMENT · ACCREDITATION MANAGEMENT

Information exchanged between them: payment, identification, claims, certification

Page 18: Information Security at the Workplace

BUSINESS CONTEXT OF INFORMATION SECURITY

FINANCIAL MANAGEMENT · PERSONNEL MANAGEMENT · ASSET MANAGEMENT · LEGAL MANAGEMENT


Page 19: Information Security at the Workplace

BUSINESS CONTEXT OF INFORMATION SECURITY

AUDIT MANAGEMENT · STRATEGY MANAGEMENT · RISK MANAGEMENT · PROJECT MANAGEMENT


Page 20: Information Security at the Workplace

BUSINESS CONTEXT OF INFORMATION SECURITY

INFRASTRUCTURE MANAGEMENT · NETWORK MANAGEMENT · APPLICATION MANAGEMENT · DATA MANAGEMENT


Page 21: Information Security at the Workplace


Information Insecurity Means…

Information is not secure when something is:

Stolen · Misrepresented · Breached · Misused · Incomplete · Unauthorized · Compromised · Denied
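The integrity half of the triad on the "Information Security Means…" slide, and the "misrepresented" and "incomplete" failures on this slide, can be made concrete in code. The following is an added example, not material from the original deck: each record is sealed with an HMAC-SHA256 over a canonical serialisation, and a batch carries a sealed manifest with its record count, so an altered field (misrepresentation) and a missing record (incompleteness) are both detected on verification. The key, the claims records and the field names are constructed for the example; a real deployment would take the key from a secret store.

```python
"""Added example (not from the original deck): a tamper-evident record batch.

Each record is sealed with HMAC-SHA256 over its canonical JSON form; the batch
manifest (record count plus the per-record MACs) is sealed the same way, so a
changed field, a dropped record or a swapped record is caught at verification.
"""
import copy
import hashlib
import hmac
import json

# Constructed for the example only; never hard-code a real integrity key.
SEAL_KEY = b"example-only-integrity-key-do-not-reuse"


def canonical(obj) -> bytes:
    # Stable serialisation so semantically equal records always seal identically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record: dict, key: bytes = SEAL_KEY) -> dict:
    """Return a copy of `record` carrying a MAC over every field except 'mac'."""
    body = {k: v for k, v in record.items() if k != "mac"}
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


def verify_record(record: dict, key: bytes = SEAL_KEY) -> bool:
    """True only if the stored MAC matches the record's current contents."""
    body = {k: v for k, v in record.items() if k != "mac"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("mac", ""))


def seal_batch(records: list, key: bytes = SEAL_KEY) -> dict:
    """Seal every record, then seal a manifest of the count and the MAC list."""
    sealed = [seal_record(r, key) for r in records]
    manifest = {"count": len(sealed), "macs": [r["mac"] for r in sealed]}
    return {"records": sealed, "manifest": seal_record(manifest, key)}


def verify_batch(batch: dict, key: bytes = SEAL_KEY) -> list:
    """Return a list of findings; an empty list means the batch is intact."""
    findings = []
    manifest = batch["manifest"]
    if not verify_record(manifest, key):
        return ["manifest: tampered"]
    records = batch["records"]
    if len(records) != manifest["count"]:
        findings.append(f"batch: incomplete ({len(records)} of {manifest['count']} records)")
    for i, rec in enumerate(records):
        if not verify_record(rec, key):
            findings.append(f"record {i}: misrepresented (contents changed)")
        elif i < len(manifest["macs"]) and rec["mac"] != manifest["macs"][i]:
            findings.append(f"record {i}: substituted (valid MAC, wrong record)")
    return findings


# Constructed sample data, modelled on the deck's membership/claims context.
SAMPLE_CLAIMS = [
    {"claim_id": 1001, "member": "M-0001", "amount": 1500.00, "status": "approved"},
    {"claim_id": 1002, "member": "M-0002", "amount": 320.50, "status": "pending"},
    {"claim_id": 1003, "member": "M-0003", "amount": 9800.00, "status": "approved"},
]


def demo() -> dict:
    """Seal the sample batch, tamper with two copies, and report what is caught."""
    batch = seal_batch(SAMPLE_CLAIMS)
    altered = copy.deepcopy(batch)
    altered["records"][0]["amount"] = 15000.00   # misrepresentation: amount inflated
    truncated = copy.deepcopy(batch)
    truncated["records"].pop()                   # incompleteness: last claim dropped
    return {
        "intact": verify_batch(batch),
        "altered": verify_batch(altered),
        "truncated": verify_batch(truncated),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["OK"])
```

Note that an HMAC proves integrity and origin to anyone holding the key, not to a third party; where records must be provable to an outside auditor, a digital signature over the same canonical form replaces the HMAC and the verification logic stays the same.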


Page 22: Information Security at the Workplace

Information Security Risk Landscape…

• Hacking & Cybercrime

• Human Error

• Data Sharing & Reuse

• Insider & Third Party Threat

• People Awareness & Capability

• Infrastructure & System Standards Compliance

• User Access Management

• Governance & Control Management

• Usable, Applicable Policies

• Funds, Acquisition & Support


Page 23: Information Security at the Workplace

Is government at risk?

https://www.youtube.com/watch?v=yDSni9AjX8Q

Page 24: Information Security at the Workplace

Information Security Risk Assessment

Example of an Information Security Risk Assessment Template (image not reproduced)


Page 25: Information Security at the Workplace

Information Security Compliance Checklist


https://www.youtube.com/watch?v=AxUzDfekIOE

Page 26: Information Security at the Workplace

Information Security Compliance Checklist

Example of an Agency Information Security Compliance Checklist (image not reproduced)


Page 27: Information Security at the Workplace

BASIC METHODS & TOOLS OF INFORMATION SECURITY


Page 28: Information Security at the Workplace

What it means to secure information…

1. Establish a governance and management organization for information security that complies with best-practice standards.


Page 29: Information Security at the Workplace

What it means to secure information…

2. Identify the information assets and assess the vulnerabilities and threats that surround the creation, storage, use and sharing of information.


Page 30: Information Security at the Workplace

What it means to secure information…

3. Develop, document and implement policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability in the person, process, data, application and infrastructure of information.


Page 31: Information Security at the Workplace

What it means to secure information…

4. Evaluate, acquire and use security management tools to classify data and risk, to audit information systems, to assess and analyze risks in solution development and infrastructure, to monitor and control areas of vulnerability, and to implement security controls and appropriate reactive responses to threats.


Page 32: Information Security at the Workplace

Layered Approach to Security

Policies

Physical Security

Access Control

Anti Virus and Malware

Segmentation

Device Hardening

Intrusion Defense

Awareness and Training


Page 33: Information Security at the Workplace

Mitigating Information Security Risk

Information Security Risk Mitigation rests on four pillars: Assessment, Policy, Governance and Technology (the Why, Who, What and How of mitigation).


Page 34: Information Security at the Workplace

Security Policy Requirement

Governance

• Functional Organization

• Roles and Responsibilities

→ Output: Governance Guidance and Implementation

Competencies

• Knowledge, Skills and Attitudes Requirements

• Training Program and Certification

→ Output: Competency Reference and Assessment

Process

• Business Workflow, Procedures and Rules

• Risk Audit and Control Procedures

→ Output: Functions, Process Models and Control Guidance

Data

• Acceptable Use

• Data Management

• Risk Audit and Control Procedures

→ Output: Data and Application Security Models and Acceptable Use

Infrastructure

• Infrastructure Management

• Sourcing & Procurement

• Risk Audit and Control

→ Output: Physical Configuration, Network Models, Service Sourcing, Trusted Technology, Acceptable Use

No Need to Reinvent the Wheel

1. Recognize security needs & questions
2. Find the fitted practitioner standards
3. Apply the standards to real-life conditions
4. Assess and improve the practice

(applied across Governance, Competency, Process, Data and Infrastructure)

Page 35: Information Security at the Workplace

Information Security Risk Assessment

The assessment cycle (diagram not reproduced):

1. Information Asset Inventory (Information Systems)
2. Vulnerability Identification
3. Threat Source
4. Impact Rating of Vulnerability
5. Risk Mitigation: Treatment and Prevention

Each step is applied at every layer: 1. Organization, 2. Process, 3. Data, 4. Application, 5. Infrastructure.
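The cycle on this slide can be run as a small risk register. What follows is an added example, not the deck's own template: it inventories assets with rated C/I/A values (the "rated confidential value, integrity metrics and availability parameters" from the essential questions), attaches vulnerabilities with a threat source and a likelihood, derives an impact rating from the CIA values the vulnerability can hurt, scores impact × likelihood, and maps the score to a treatment. The 1..5 scales, the treatment thresholds and all sample assets and vulnerabilities are constructed assumptions; an organization would take them from its own risk policy.

```python
"""Added example (not from the original deck): a minimal risk register that
walks the assessment cycle on the slide: asset inventory -> vulnerability
identification -> threat source -> impact rating -> treatment decision.
All scales, thresholds and sample data are assumptions made for illustration.
"""
from dataclasses import dataclass

# The five layers from the slide; every asset must belong to exactly one.
LAYERS = ("Organization", "Process", "Data", "Application", "Infrastructure")


@dataclass
class Asset:
    name: str
    layer: str
    confidentiality: int   # rated value, 1 (low) .. 5 (critical), assumed scale
    integrity: int
    availability: int

    def __post_init__(self):
        if self.layer not in LAYERS:
            raise ValueError(f"unknown layer {self.layer!r}; expected one of {LAYERS}")
        for v in (self.confidentiality, self.integrity, self.availability):
            if not 1 <= v <= 5:
                raise ValueError("CIA ratings must be in 1..5")


@dataclass
class Vulnerability:
    asset: str
    description: str
    threat_source: str     # e.g. "insider", "cybercrime", "human error"
    likelihood: int        # 1 (rare) .. 5 (almost certain), assumed scale
    affects: tuple         # subset of ("C", "I", "A") that exploitation would hurt


@dataclass
class RiskEntry:
    asset: str
    layer: str
    description: str
    threat_source: str
    impact: int
    likelihood: int
    score: int
    treatment: str


def impact_rating(asset: Asset, vuln: Vulnerability) -> int:
    """Impact is the highest rated CIA value the vulnerability can damage."""
    ratings = {"C": asset.confidentiality, "I": asset.integrity, "A": asset.availability}
    return max(ratings[p] for p in vuln.affects)


def treatment_for(score: int) -> str:
    """Map a score (impact x likelihood, 1..25) to a treatment; thresholds are assumed."""
    if score >= 15:
        return "mitigate now"
    if score >= 8:
        return "mitigate (planned)"
    if score >= 4:
        return "monitor"
    return "accept"


def build_register(assets: list, vulns: list) -> list:
    """Score every vulnerability against its asset and return entries, highest risk first."""
    by_name = {a.name: a for a in assets}
    register = []
    for v in vulns:
        a = by_name[v.asset]            # KeyError here means an asset missing from inventory
        impact = impact_rating(a, v)
        score = impact * v.likelihood
        register.append(RiskEntry(a.name, a.layer, v.description, v.threat_source,
                                  impact, v.likelihood, score, treatment_for(score)))
    register.sort(key=lambda r: r.score, reverse=True)   # stable: ties keep input order
    return register


# Constructed sample inventory and findings (illustrative only).
SAMPLE_ASSETS = [
    Asset("Member database", "Data", 5, 5, 4),
    Asset("Claims web portal", "Application", 4, 4, 5),
    Asset("Branch file server", "Infrastructure", 3, 3, 3),
    Asset("Claims approval workflow", "Process", 3, 5, 3),
]
SAMPLE_VULNS = [
    Vulnerability("Member database", "Shared admin password written on a whiteboard", "insider", 4, ("C", "I")),
    Vulnerability("Claims web portal", "No rate limiting on the login form", "cybercrime", 3, ("C", "A")),
    Vulnerability("Claims approval workflow", "Approver can also submit claims (no segregation of duties)", "insider", 3, ("I",)),
    Vulnerability("Branch file server", "Backups are never test-restored", "human error", 2, ("A",)),
    Vulnerability("Branch file server", "Guest Wi-Fi on the same VLAN as the file server", "cybercrime", 2, ("C",)),
]


def treatment_summary(register: list) -> dict:
    """Count register entries per treatment, for the plan's executive summary."""
    counts = {}
    for r in register:
        counts[r.treatment] = counts.get(r.treatment, 0) + 1
    return counts


if __name__ == "__main__":
    for r in build_register(SAMPLE_ASSETS, SAMPLE_VULNS):
        print(f"{r.score:>2}  {r.treatment:<18} {r.asset} [{r.layer}]: {r.description} ({r.threat_source})")
```

Taking impact as the maximum of the affected CIA ratings is a deliberate choice: it keeps a high-integrity process (the approval workflow) from being under-scored just because its confidentiality rating is modest.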


Page 36: Information Security at the Workplace

Information Security Plan


Page 37: Information Security at the Workplace

Basic Security Steps

Information Systems Security (diagram not reproduced) is built from:

• Authorized Access

• Device Integrity

• Data Exchange Protocol

• Monitoring & Audit

• Network Hardening

• Service Agreements

• Standards

• Risk Assessment & Policies

• Security Services

• User Training
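Two of the steps above, Authorized Access and Monitoring & Audit, work together: every access decision is written to an audit trail, and the trail is then monitored for patterns such as a user repeatedly hitting permissions they do not hold. The block below is an added example and not part of the original deck. The roles, permissions, users, timestamps and the repeated-denial threshold are constructed assumptions for illustration.

```python
"""Added example (not from the original deck): deny-by-default role-based
authorization that records every decision to an audit log, plus a monitoring
check that flags users with repeated denials in a short window.
Roles, users, events and thresholds are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Role -> permitted (resource, action) pairs.  Least privilege: a clerk can
# submit a claim but only an approver can approve one; nobody holds a wildcard.
ROLE_PERMISSIONS = {
    "clerk":    {("claims", "read"), ("claims", "submit")},
    "approver": {("claims", "read"), ("claims", "approve")},
    "auditor":  {("claims", "read"), ("audit_log", "read")},
}

# Constructed user directory: user -> single role.
USERS = {"alice": "clerk", "bob": "approver", "carol": "auditor"}


class AuditLog:
    """Append-only list of access decisions; nothing is ever removed or edited."""

    def __init__(self):
        self.events = []

    def record(self, ts: datetime, user: str, resource: str, action: str, allowed: bool):
        self.events.append({"ts": ts, "user": user, "resource": resource,
                            "action": action, "allowed": allowed})


def authorize(log: AuditLog, ts: datetime, user: str, resource: str, action: str) -> bool:
    """Deny by default; unknown users and unknown roles get no permissions at all."""
    role = USERS.get(user)
    allowed = role is not None and (resource, action) in ROLE_PERMISSIONS.get(role, set())
    log.record(ts, user, resource, action, allowed)   # log both outcomes, not just failures
    return allowed


def find_repeated_denials(log: AuditLog, threshold: int = 3,
                          window: timedelta = timedelta(minutes=5)) -> dict:
    """Monitoring step: users with >= threshold denials inside any sliding window.

    Returns {user: denials_in_window} for the first window that crosses the threshold.
    """
    denied = defaultdict(list)
    for e in log.events:
        if not e["allowed"]:
            denied[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in denied.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged


def run_demo():
    """Replay a constructed sequence of requests and return (decisions, flagged users)."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    requests = [
        (t0,                          "alice",   "claims",    "submit"),   # clerk's job: allowed
        (t0 + timedelta(minutes=1),   "alice",   "claims",    "approve"),  # clerk tries to approve: denied
        (t0 + timedelta(minutes=2),   "alice",   "claims",    "approve"),  # denied again
        (t0 + timedelta(minutes=3),   "alice",   "audit_log", "read"),     # denied: third in 2 minutes
        (t0 + timedelta(minutes=4),   "bob",     "claims",    "approve"),  # approver: allowed
        (t0 + timedelta(minutes=5),   "carol",   "audit_log", "read"),     # auditor: allowed
        (t0 + timedelta(minutes=6),   "mallory", "claims",    "read"),     # unknown user: denied
    ]
    log = AuditLog()
    decisions = [authorize(log, ts, user, res, act) for ts, user, res, act in requests]
    return decisions, find_repeated_denials(log)


if __name__ == "__main__":
    decisions, flagged = run_demo()
    print("decisions:", decisions)
    print("flagged for repeated denials:", flagged)
```

Logging the allowed decisions as well as the denied ones is what makes the trail useful to the "Who investigates when information is compromised?" question: after an incident the auditor needs to see what a legitimate role did, not only what was blocked.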


Page 38: Information Security at the Workplace

Basic Security Steps

Password · Anti-Malware · File Cleaners · Encryption · Firewall · Backup · Network Scan

https://www.youtube.com/watch?v=eUxUUarTRW4

Page 39: Information Security at the Workplace

Thank You!

JOHN J. [email protected]

0917-329-7993

www.facebook.com/groups/manageictservices