john-macasio
Information Security Essentials
Confidentiality, Integrity and Availability of Information in the Networked Workplace
www.facebook.com/groups/[email protected]
AGENDA
• Networked Workplace
• Information Security Essential Questions
• Information Security Basic Methods and Tools
Networked Workplace
A network is a decentralized matrix of “nodes” through which communication can occur with multidirectional freedom to flow text, documents, images, sound and video, information that is neither time-bound nor spatially restricted and is open to change.
Knowledge Relationship Participation Development
Networked Workplace
The networked workplace is a context of performance whose functional structure is made of networks of people and connected information, enabled by information and communication technology infrastructure and services.
Networked Workplace
In the networked workplace, information is a critical asset that is created, utilized, stored and shared. The availability, immediacy and quality of information dictate the condition of what is created, what is consumed, what is believed, what is recorded, what is known, what is decided, what is acted upon, and what is reused.
Document
Contacts
Conversation Records
Identity
Networked Workplace
Being connected to the networked workplace means enabling the condition of safety and security in information creation, storage, use and sharing.
Safety
Security
Networked Workplace
The information managers and workers in the networked workplace are obligated to make safe and secure the person (organization), process, data, application and infrastructure of information.
Person, Process, Data, Application, Infrastructure
Networked Workplace
Online organization, is your information secured?
Data Privacy Cybercrime Access Availability System Integrity
https://www.youtube.com/watch?v=sdpxddDzXfE
Networked Society
Online organization, is your information secured?
Access Reliability System Integrity
Secure Partially Secure
I do not Know
Data Privacy
Access Availability
User Control
System Integrity
Cybercrime
Networked Workplace
Online organization, is your information secured?
Access Reliability System Integrity
Fully Known
Partially Known
I do not Know
1. Standards & Policies
2. Physical Facility
3. Access & Identification
4. Data Processing
5. Records Handling
6. Computer Network
Cyber Security Risk Landscape
https://www.youtube.com/watch?v=fyh05k83js8
Information Security Questions…
1. Who leads, directs and controls information security?
2. What competencies in information security management are available, and what is their status?
3. What are the information assets?
– What are their rated confidential value, integrity metrics and availability parameters?
– What are their security risks, vulnerabilities and threats (People, Process, Data, Application, Infrastructure)?
4. What is information security policy making guidelines for the process, standards, content, format, participation, communication, implementation, monitoring and control of the covered domains of information security?
5. What is the information security plan, the agreed and subscribed methodology, standards, technology and toolkit for both proactive and reactive response to safety and security risks of information?
Information Security Question…
6. What particular procedure must everybody know in order to identify the security risk of information being produced, kept, shared and re-used?
7. What particular policy must everybody know in order to speak of the principles and guidance for assuring confidentiality, availability and integrity in the creation, safekeeping and release of information?
8. Who is responsible for auditing the compliance of in-house and outsourced information systems with the defined information security requirements?
9. How is the integrity of information system validated and verified?
10. How is the confidential value of information defined and assured?
11. Who investigates when information is compromised?
12. What process ensures the detection of a breach in the confidentiality of information?
13. When do you consider information to be misrepresented?
Enterprise Architecture Information Security
Questions
Information Security Principles
Information Security Risks
Information Security Methodology
BUSINESS FUNCTION PROCESS
BUSINESS DATA & APPLICATION
BUSINESS TECHNOLOGY INFRASTRUCTURE
ENTERPRISE INFORMATION SECURITY
Information Security Governance
NETWORKED INFORMATION SUPPLIER & CUSTOMER
Information Security Means…
Information Security
Confidentiality: Secrecy, Privacy and Authority
Integrity: Accurate, Complete and Compliant
Availability: Accessible, Immediate and Uptime
BUSINESS CONTEXT OF INFORMATION SECURITY
MEMBERSHIP MANAGEMENT
COLLECTION MANAGEMENT
BENEFITS MANAGEMENT
ACCREDITATION MANAGEMENT
payment
identification, claims
certification
BUSINESS CONTEXT OF INFORMATION SECURITY
FINANCIAL MANAGEMENT
PERSONNEL MANAGEMENT
ASSET MANAGEMENT
LEGAL MANAGEMENT
BUSINESS CONTEXT OF INFORMATION SECURITY
AUDIT MANAGEMENT
STRATEGY MANAGEMENT
RISK MANAGEMENT
PROJECT MANAGEMENT
BUSINESS CONTEXT OF INFORMATION SECURITY
INFRASTRUCTURE MANAGEMENT
NETWORK MANAGEMENT
APPLICATION MANAGEMENT
DATA MANAGEMENT
Information Insecurity Means…
Information is not secure when something is:
Stolen
Misrepresented
Breached
Misused
Incomplete
Unauthorized
Compromised
Denied
Information Security Risk Landscape…
Hacking & Cybercrime
Human Error
Data Sharing & Reuse
Insider & Third Party Threat
People Awareness & Capability
Infrastructure & System Standards Compliance
User Access Management
Governance & Control Management
Usable, Applicable Policies
Funds Acquisition & Support
Is government at risk?
https://www.youtube.com/watch?v=yDSni9AjX8Q
Information Security Risk Assessment
Example of Information Security Risk Assessment Template
Information Security Compliance Checklist
https://www.youtube.com/watch?v=AxUzDfekIOE
Information Security Compliance Checklist
Example of Agency Information Security Compliance Checklist
BASIC METHODS & TOOLS OF INFORMATION SECURITY
What it means to secure information…
1. Establish a governance and management organization for information security that complies with best-practice standards.
What it means to secure information…
2. Identify the information assets, and perform the assessment of vulnerabilities and threats that surround the creation, storage, use and sharing of information.
What it means to secure information…
3. Develop, document and implement policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability in the person, process, data, application and infrastructure of information.
What it means to secure information…
4. Evaluate, acquire and use security management tools to classify data and risk, to audit information systems, to assess and analyze risks in solution development and infrastructure, to monitor and control areas of vulnerability, and to implement security controls and appropriate reactive responses to threats.
Layered Approach to Security
Policies
Physical Security
Access Control
Anti Virus and Malware
Segmentation
Device Hardening
Intrusion Defense
Awareness and Training
Mitigating Information Security Risk
Information Security
Risk Mitigation
Assessment
Policy Governance
Technology
Why Who
What How
Security Policy Requirement
Governance
•Functional Organization
•Roles and Responsibilities
Competencies
•Knowledge, Skills and Attitudes Requirements
•Training Program and Certification
Process
•Business Workflow, Procedures and Rules
•Risk Audit and Control Procedures
Data
Infrastructure
•Acceptable Use
•Data Management
•Risk Audit and Control Procedures
•Infrastructure Management
•Sourcing & Procurement
•Risk Audit and Control
Governance Guidance and Implementation
Competency Reference and Assessment
Functions, Process Models and Control Guidance
Data and Application Security Models and Acceptable Use
Physical Configuration, Network Models, Service Sourcing, Trusted Technology, Acceptable Use
No Need to Reinvent the Wheel
1. Recognize security needs & questions
2. Find the fitted practitioner standards
3. Apply standards to real life conditions
4. Assess and improve the practice
Governance
Competency
Process
Data
Infrastructure
Information Security Risk Assessment
Information Asset Inventory (Information Systems)
Vulnerability Identification
Threat Source
Impact Rating of Vulnerability
Risk Mitigation, Treatment, Prevention
Assessment areas:
1. Organization
2. Process
3. Data
4. Application
5. Infrastructure
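The slide lists the risk assessment steps (asset inventory, vulnerability identification, threat source, impact rating, treatment) across the five assessment areas but does not show how a register built on them is scored and ordered. The following is an added illustration, not the author's template or any project's code: a small risk register where the 1-to-5 likelihood and impact scales, the likelihood x impact formula, the rating thresholds, the treatment rules and the sample entries are all constructed assumptions.

```python
# Added illustration (not the author's template): a minimal risk register that
# walks the slide's steps in code. The scoring scale, thresholds, treatment rules
# and sample entries are constructed assumptions.
from dataclasses import dataclass

# The five assessment areas named on the slide.
DOMAINS = ("Organization", "Process", "Data", "Application", "Infrastructure")


@dataclass
class Risk:
    """One row of the register: an inventoried asset, the vulnerability found,
    who or what could exploit it, and a likelihood/impact rating."""
    asset: str            # information asset from the inventory
    domain: str           # one of DOMAINS
    vulnerability: str    # weakness identified during assessment
    threat_source: str    # e.g. human error, insider, hacking & cybercrime
    likelihood: int       # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int           # 1 (negligible) .. 5 (severe); assumed scale
    control: str = ""     # planned prevention or mitigation

    def __post_init__(self):
        if self.domain not in DOMAINS:
            raise ValueError(f"unknown domain: {self.domain}")
        for name in ("likelihood", "impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be 1..5")

    @property
    def score(self) -> int:
        # Impact rating of the vulnerability: likelihood x impact (assumed formula).
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Map a score (1..25) to a rating band; thresholds are assumptions."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def treatment(risk: Risk) -> str:
    """Assumed treatment rule: high risks are mitigated before the system is
    used, medium risks get a scheduled control, low risks are accepted and
    reviewed at the next assessment."""
    band = rating(risk.score)
    if band == "High":
        return f"Mitigate now: {risk.control or 'define a control'}"
    if band == "Medium":
        return f"Mitigate on schedule: {risk.control or 'define a control'}"
    return "Accept and monitor; review at next assessment"


def prioritized(risks):
    """Register ordered for treatment: highest score first, then asset name."""
    return sorted(risks, key=lambda r: (-r.score, r.asset))


def worst_rating_by_domain(risks):
    """Highest rating band found in each of the five assessment areas."""
    order = {"Low": 0, "Medium": 1, "High": 2}
    worst = {}
    for r in risks:
        band = rating(r.score)
        if r.domain not in worst or order[band] > order[worst[r.domain]]:
            worst[r.domain] = band
    return worst


def register_rows(risks):
    """Flat rows (asset, domain, score, rating, treatment) ready for a table."""
    return [(r.asset, r.domain, r.score, rating(r.score), treatment(r))
            for r in prioritized(risks)]


# Constructed sample register entries, one per assessment area.
SAMPLE = [
    Risk("Member database", "Data",
         "Nightly backups stored unencrypted on a shared drive",
         "Insider & third party", likelihood=3, impact=5,
         control="Encrypt backups; restrict the share to backup operators"),
    Risk("Claims web application", "Application",
         "Login form has no lockout or rate limit",
         "Hacking & cybercrime", likelihood=4, impact=4,
         control="Account lockout and MFA for staff accounts"),
    Risk("Records handling procedure", "Process",
         "No checklist before release of records to third parties",
         "Human error", likelihood=4, impact=2,
         control="Release checklist with supervisor sign-off"),
    Risk("Office file server", "Infrastructure",
         "Operating system no longer receives security updates",
         "Hacking & cybercrime", likelihood=2, impact=4,
         control="Upgrade to a supported release"),
    Risk("Security roles", "Organization",
         "No named lead for information security",
         "Governance gap", likelihood=2, impact=3,
         control="Designate an information security officer"),
]

if __name__ == "__main__":
    for row in register_rows(SAMPLE):
        print(" | ".join(str(c) for c in row))
```

The register validates each row against the five assessment areas and the rating scale, so a malformed entry fails at intake rather than silently skewing the ordering; `worst_rating_by_domain` gives the one-line-per-area summary a compliance checklist would carry forward.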
Information Security Plan
Basic Security Steps
Authorized Access
Device Integrity
Data Exchange Protocol
Monitoring & Audit
Network Hardening
Service Agreements
Information Systems Security Standards
Risk Assessment & Policies
Security Services
User Training
Basic Security Steps
Password, Anti-Malware, File Cleaners, Encryption, Firewall, Backup, Network Scan
https://www.youtube.com/watch?v=eUxUUarTRW4
Thank You!
JOHN J. [email protected]
0917-329-7993
www.facebook.com/groups/manageictservices