Introduction To Information Security


Anywhere, Anytime Computing!

Resources of an Organisation

Man
Material
Money
Information

Alvin Toffler: rate of change affecting humanity
Three waves: agricultural wave, industrial wave, information wave
Four powerful worldwide changes that have altered the business environment:
Globalization - international integration
Rise of the information economy - knowledge as a source of value
Transformation of the business enterprise
Emergence of the digital firm

Contribution of Information Systems & the Internet to Business
Improved services
Dissemination of information & exchange of views at a global level - better understanding among people

Chapter: Introduction to Information Security

What is Information?

Information is an asset which, like other important business assets, has value to an organisation and consequently needs to be suitably protected.
(BS 7799-1:2000)

Types of Information

Printed or written on paper
Stored electronically
Transmitted by post or using electronic means
Shown on corporate videos
Verbal - spoken in conversations
...Whatever form the information takes, or means by which it is shared or stored, it should always be appropriately protected.
(ISO/IEC 17799:2000)

Information Lifecycle
Information can be:

Created

Processed

Stored

Destroyed ?

Transmitted

Used (for proper and improper purposes)


Lost !

Corrupted !

Importance of Information Systems to Organizations

They help organizations have easier work in things like monitoring employees, sending information or coordinating activities in the workplace.
They are also important because they create a value chain between dealers, manufacturers, marketers and suppliers.

Information System
Definition: a combination of hardware, software, infrastructure and trained personnel organized to facilitate planning, control, coordination, and decision making in an organization.

Components of Information System

Data
Hardware
Software
Procedures
People (weakest link for security)


Widening scope of IS
1950s: technical changes
1960s-1970s: managerial control
1980s-1990s: institutional core activities
Today (2000-2005): digital information webs extending beyond the enterprise to vendors and customers

Figure: widening scope of IS over time (technical changes; managerial control; institutional core activities; vendors and customers beyond the enterprise)

What is Security?
The quality or state of being secure - to be free from danger
To be protected from adversaries

What Is Information Security?
"Information security in today's enterprise is a well-informed sense of assurance (surety) that the information risks and controls are in balance." Jim Anderson, Inovant (2002)

The History of Information Security
Computer security began immediately after the first mainframes were developed
Physical controls were needed to limit access to sensitive military locations to authorized personnel
Only rudimentary controls were available to defend against physical theft, espionage (spying), and sabotage (damage)

Figure 1-1 The Enigma


The 1960s
The Department of Defense's Advanced Research Projects Agency (ARPA) began examining the feasibility of redundant networked communications to support the military's need to exchange information
Larry Roberts developed the project from its inception

The 1970s and 80s
ARPANET grew in popularity, as did its potential for misuse
Fundamental problems with ARPANET security were identified:
Individual remote users' sites did not have sufficient controls and safeguards to protect data against unauthorized remote users.
There were no safety procedures for dial-up connections to the ARPANET.
User identification and authorization to the system were non-existent.
Phone numbers were widely distributed and openly publicized on the walls of rest rooms and phone booths, giving hackers easy access to ARPANET.

R-609: The Start of the Study of Computer Security
Information security began with Rand Report R-609 (the paper that started the study of computer security)
The scope of computer security grew from physical security to include:
Safety of the data
Limiting unauthorized access to that data
Involvement of personnel from multiple levels of the organization

The 1990s
Networks of computers became more common, and so too did the need to interconnect the networks
This resulted in the Internet, the first manifestation of a global network of networks
In early Internet deployments, security was treated as a low priority

The Present
The Internet has brought millions of computer networks into communication with each other, many of them unsecured
The ability to secure each one is now influenced by the security on every computer to which it is connected

Security facts
All complex software programs have flaws/bugs
It is extraordinarily difficult to build hardware/software not vulnerable to attack

Security for a Successful Organization: PPOC NI
A successful organization should have multiple layers of security in place:
Physical security: to protect the physical items, objects, or areas of an organization from unauthorized access and misuse
Personal security: to protect the individual or group of individuals who are authorized to access the organization and its operations
Operations security: to protect the details of a particular operation or series of activities
Communications security: to protect an organization's communications media, technology, and content
Network security: to protect networking components, connections, and contents
Information security (InfoSec)

What is Information Security?
The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information
Tools necessary to ensure security: policy, awareness, education, training, and technology

Security: Important Terms
Vulnerability: a weakness which allows an attacker to reduce a system's information assurance (degree of exposure to a threat)
Threat: a possible danger that might exploit a vulnerability to breach security and thus cause possible harm
Countermeasures: the set of actions implemented to prevent threats

Three Pillars of Information Security: the Big Three
Confidentiality: ensuring that information is accessible only to those authorized to have access
Integrity: safeguarding the accuracy & completeness of information and processing methods
Availability: ensuring that authorized users have access to information and associated assets when required

Self reading: Security challenges posed by Mobile Devices, page 32 onwards from the book ISS - Nina Godbole

CIA
Confidentiality
Confidentiality refers to limiting information access and disclosure to authorized users -- "the right people" -- and preventing access by or disclosure to unauthorized ones -- "the wrong people."
Authentication methods like user IDs and passwords, that uniquely identify data systems' users and control access to data systems' resources, strengthen the goal of confidentiality.

Integrity
Integrity refers to the trustworthiness of information resources.
It includes the concept of "data integrity" - namely, that data have not been changed inappropriately, whether by accident or deliberate activity.
It also includes "origin" or "source integrity" - that is, that the data actually came from the person or entity you think it did, rather than an imposter.

Integrity can even include the notion that the person or entity in question entered the right information - that is, that the information reflected the actual circumstances (in statistics, this is the concept of "validity") and that under the same circumstances would generate identical data (what statisticians call "reliability").
On a more restrictive view, however, integrity of an information system includes only preservation without corruption of whatever was transmitted or entered into the system, right or wrong.

Availability
Availability refers to the availability of information resources.
An information system that is not available when you need it is almost as bad as none at all.
Availability, like other aspects of security, may be affected by purely technical issues (e.g., a malfunctioning part of a computer or communications device), natural phenomena (e.g., wind or water), or human causes (accidental or deliberate).
E.g. DoS, DDoS.

Example
Confidentiality: only the sender and intended receiver should understand message contents; the sender encrypts, the receiver decrypts
Message integrity: the sender and receiver want to know that the message was not altered (in transit or afterwards)
Access & availability: services must be accessible and available to authorized users
Authentication: the sender and receiver want to confirm each other's identity
Accountability (non-repudiation): assurance that any transaction that takes place can subsequently be proved to have taken place; both the sender & the receiver agree that the exchange took place
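The message integrity and authentication objectives above, and the "data integrity" and "source integrity" notions from the Integrity slides, can be made concrete with a keyed message authentication code. The following is an added example, not code from the slides or from any book they cite: a sender and receiver share a secret key (assumed to be exchanged out of band), the sender attaches an HMAC-SHA256 tag to each message, and the receiver recomputes the tag and rejects anything that does not verify. The message, the keys and the scenario are constructed for illustration. HMAC gives neither confidentiality (the message travels in the clear) nor non-repudiation (both sides hold the same key), so those two objectives are outside this example.

```python
"""Added example: message integrity and sender authentication with HMAC-SHA256.

Constructed scenario (not from the slides): a shared secret key protects
messages between a sender and a receiver. An altered message or a tag made
with a different key fails verification.
"""
import hashlib
import hmac
import secrets


def make_tag(key: bytes, message: bytes) -> bytes:
    """Compute HMAC-SHA256 over the message using the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def send(key: bytes, message: bytes) -> tuple[bytes, bytes]:
    """Sender side: return the message together with its tag."""
    return message, make_tag(key, message)


def receive(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: accept only if the tag verifies.

    hmac.compare_digest compares in constant time, so the comparison does
    not leak how many leading tag bytes were correct.
    """
    expected = make_tag(key, message)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    """Run the three cases: intact message, altered message, wrong key."""
    key = secrets.token_bytes(32)        # shared secret (constructed)
    other_key = secrets.token_bytes(32)  # a party that does not hold the key

    msg, tag = send(key, b"transfer 100 to account 42")  # constructed message

    return {
        # Intact message with a genuine tag: accepted.
        "intact": receive(key, msg, tag),
        # Data integrity: one changed field invalidates the existing tag.
        "altered": receive(key, b"transfer 900 to account 42", tag),
        # Origin integrity: a tag computed with another key is rejected.
        "forged": receive(key, msg, make_tag(other_key, msg)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Running the script prints the intact case as accepted and the altered and forged cases as rejected. The key length (32 bytes) matches the SHA-256 output size; the tag should always be checked with `hmac.compare_digest` rather than `==`.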

Additional Objective
Accountability: the actions of an entity can be traced uniquely to that entity; it supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention.
Non-repudiation implies one's intention to fulfill their obligations to a contract. It also implies that one party of a transaction cannot deny having received a transaction, nor can the other party deny having sent a transaction.

Network layer attacks
Network eavesdropping
Network sniffing

NSTISSC Security Model
NSTISSC: The National Security Telecommunications and Information Systems Security Committee (the Committee on National Security Systems)
X-axis: information states
Y-axis: key objectives
Z-axis: primary means of implementation

The three objectives and the threat each one counters:
Confidentiality (threat: disclosure): ensuring that information is accessible only to those authorized to have access
Integrity (threat: alteration): safeguarding the accuracy & completeness of information and processing methods
Availability (threat: destruction): ensuring that authorized users have access to information and associated assets when required

FIGURE 1-1
Components of Information Security


Computer: Subject & Object of Attack
The computer can be either or both the subject of an attack and/or the object of an attack
When a computer is the subject of an attack, it is used as an active tool to conduct the attack
When a computer is the object of an attack, it is the entity being attacked

Figure 1-5 Subject and Object of Attack


Balancing Security and Access
Security should be considered a balance between protection and availability
To achieve balance, the level of security must allow reasonable access, yet protect against threats
It is impossible to obtain perfect security - it is not an absolute; it is a process

Figure 1-6 Balancing Security and Access
This graphic intends to show the tradeoffs between security and access.

Bottom Up Approach
Security from a grass-roots effort when systems administrators attempt to improve the security of their systems
Key advantage: the technical expertise of the individual administrators
Seldom works, as it lacks a number of critical features:
participant support
organizational staying power

Top Down Approach
The top-down approach utilizes a level of planning and strategy which is not seen in the bottom-up approach.
With the project initiated by upper management, there is a clear implementation process as well as the element of organization from the start.
This means that the initiation, support, and direction come from top management, work their way through middle management, and then reach staff members.
A top-down approach makes sure the people actually responsible for protecting the company's assets, i.e. senior management, are driving the program. Thus the rate of success is far superior to the bottom-up approach.

Figure 1-7 Approaches to Security Implementation

Control in the IT environment
Controlling function: determining when the actual activities of the information system function deviate from the planned activities
How much should the organization be spending on the information system functions? Look for industry averages - benchmarking
Is the organization getting value for money from its information systems function?

Information-level (based) threats vs network-level threats

Information-level (based) threats: threats that involve the (purposeful) dissemination of information in such a way that organisations, their operations and their reputations may be affected. They may also make heavy use of the network, but at the primary level it is the content of the message that matters and not the form.
Examples: setting up revenge websites and disseminating false or biased information.

Network-level threats: hacking of computer systems, spreading malicious code, launching a DoS attack.
Other security issues involved when data are transmitted over networks are confidentiality, authentication, integrity and non-repudiation.
Examples: sending fake inquiries to the service account to eat up resources, flooding the mail server.

Information Security Management System
Objective
To provide a systematic approach to manage sensitive information of an organisation in order to protect it.
To implement the appropriate measurements to eliminate or minimize the impact that various security related threats and vulnerabilities might have on an

Information security is achieved by applying a suitable set of controls (policies, processes, procedures, organizational structures, and software and hardware functions).
An Information Security Management System (ISMS) is a way to protect and manage information based on a systematic business risk approach, to establish, implement, operate, monitor, review, maintain, and improve information security.
It is an organizational approach to information security.

What is an ISMS?
The ISO/IEC 27000 standard defines it as: "A model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information assets to achieve business objectives based upon a risk assessment and the organization's risk acceptance levels designed to effectively treat and manage risks".
BSI (the British Standards Institution) defines it as: "A systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems".
Wikipedia defines it as: "A set of policies concerned with information security management or IT related risks".

"A risk based organizational approach to information security."
Risk - because an ISMS follows a risk based approach.
Organizational - because IT affects the whole organization, and because it is the organization of processes involving establishing, implementing, operating, reviewing, maintaining and improving.
Information - because we are dealing with data.
Security - to encompass the protection of the data.
Whether the system is paper based or electronic, it comprises people, policies/processes and IT systems.

Features of ISMS
Stress on continual process improvement
Scope covers information security, not only IT security
Focused on people, process and technology
Combination of management, operational & technical controls
Adopts the PDCA model

Benefits of ISMS
Signal of reliability for your stakeholders, as it demonstrates that the security of their information is taken seriously
Helps provide a competitive edge to the company
Improves risk management and reduces risks
Improves efficiency of operations
Tool to ensure your business's continuity

ISMS - Framework
1. Definition of Security Policy
2. Definition of ISMS Scope
3. Risk Assessment (as part of Risk Management) - heart of the ISMS
4. Risk Management - heart of the ISMS
5. Selection of Appropriate Controls
6. Statement of Applicability
Operative actions required for the technical implementation, maintenance and control of security measurements.

STEPS FOR DEVELOPING ISMS
The following are the main steps used to develop the ISMS:
Project Plan
Risk Assessment
ISMS Management Structure based upon risk assessment
Security policy, plans and procedure development based upon risk assessment

Step 1: Project plan
A project plan for development of an ISMS for the Association should be prepared before the project initiates.
This process shall involve identification of the stakeholders, approval from the sponsors and support from the management.

The project plan should consist of, at least, the following details:
Create the WBS
Identify stakeholders or the resources required to conduct the work identified in the WBS
Identify the proposed timeline (start & end date) for each item identified in the WBS
Approval from the ISMS association

Step 2: Risk assessment and management
The risk assessment is a process to identify the risks and assess the damage they could cause.
The end result of a risk assessment is justification of any control or safeguards that need to be implemented to mitigate the risk to an acceptable level.
The process of selecting controls or countermeasures will complete the risk management process.

Establish context (Identify assets)
Establishing the context of the risk assessment includes determining the relationship and setting assessment criteria.
This section provides the background information required to conduct the assessment.
Assets are integral to the risk assessment process.
Security risk assessments are based on protecting an asset or a multitude of assets.

When determining the assets, the organization must detail the criticality or value of each asset.
For a physical asset (e.g. a server) the value of the asset could be determined as the replacement cost, but there are a variety of other factors that need to be considered, including the cost of unavailability of the service provided and loss of reputation or goodwill, etc.
It is important that all costs / values are considered. A risk level of Low is considered acceptable to the organisation, and any risk level of Medium or higher will require treatment to mitigate it to an acceptable level.

Risk Identification
Risk identification is the determination of
threats and vulnerabilities that could lead to an
adverse event.
The focus is on the nature and source of the
risk such as:
What could happen or go wrong?
How could it happen?
Why can it happen?
Who or what can be harmed?

Risk Analysis
Once the risk against any asset is identified, the risk is analyzed based upon two factors: the likelihood of the risk materializing and the consequence of risk materialization to the organisation.

Criteria used during this assessment.

Risk Evaluation and Treatment
The results from the risk analysis will be a list of security risks.
The risks will range from Nil to Extreme.
This should be compared against the acceptable risk determined by the organisation in the establish-context and scoping phase of the assessment.
Only the risks that are identified as unacceptable should be assessed in the next phase.

The priority of the risks that need to be treated is calculated based on the formula:
Risk Level Rating - Acceptable Risk Level Rating = Priority rating
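The Risk Analysis, Risk Evaluation and Treatment steps above can be carried through end to end in a small risk register. The following is an added example, not code from the slides: each identified risk is scored from its likelihood and consequence, the score is mapped to a rating band (Nil to Extreme, as in the text), the rating is compared with the organisation's acceptable level (Low, as the slides state), and the treatment priority is computed with the page's own formula, Priority rating = Risk Level Rating - Acceptable Risk Level Rating. The 5x5 ordinal scales, the band thresholds and the sample risks are constructed assumptions for illustration; an organisation substitutes the criteria it set in its establish-context phase.

```python
"""Added example: risk analysis, evaluation and priority for treatment.

Everything below the docstring is constructed for illustration; the
scales and thresholds are assumptions, not the slides' criteria.
"""
from dataclasses import dataclass

# Assumed ordinal scales: 1 = lowest, 5 = highest.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3,
              "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3,
               "major": 4, "catastrophic": 5}

# Rating bands from Nil to Extreme; the list index is the Risk Level Rating.
BANDS = ["Nil", "Low", "Medium", "High", "Extreme"]

# Per the text, a risk level of Low is acceptable; Medium or higher is treated.
ACCEPTABLE_RATING = BANDS.index("Low")


def risk_level_rating(score: int) -> int:
    """Map a likelihood*consequence score (1..25) to a band index (assumed cut-offs)."""
    if score <= 2:
        return 0   # Nil
    if score <= 5:
        return 1   # Low
    if score <= 10:
        return 2   # Medium
    if score <= 16:
        return 3   # High
    return 4       # Extreme


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    consequence: str

    @property
    def score(self) -> int:
        """Risk analysis: combine the two factors from the text."""
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    @property
    def rating(self) -> int:
        return risk_level_rating(self.score)

    @property
    def band(self) -> str:
        return BANDS[self.rating]


def priority(risk: Risk, acceptable: int = ACCEPTABLE_RATING) -> int:
    """The page's formula: Risk Level Rating - Acceptable Risk Level Rating."""
    return risk.rating - acceptable


def treatment_plan(risks: list, acceptable: int = ACCEPTABLE_RATING) -> list:
    """Risk evaluation: keep only unacceptable risks (priority > 0),
    ordered highest priority first, then by raw score as a tie-break."""
    unacceptable = [r for r in risks if priority(r, acceptable) > 0]
    unacceptable.sort(key=lambda r: (-priority(r, acceptable), -r.score))
    return [(r.asset, r.threat, r.band, priority(r, acceptable)) for r in unacceptable]


# Constructed sample register.
SAMPLE_RISKS = [
    Risk("mail server", "flooding / DoS", "likely", "major"),                 # 16 -> High
    Risk("file server", "unauthorised disclosure", "possible", "catastrophic"),  # 15 -> High
    Risk("office printer", "hardware failure", "possible", "insignificant"),  # 3 -> Low
    Risk("customer database", "data corruption", "unlikely", "moderate"),     # 6 -> Medium
    Risk("backup tapes", "theft", "rare", "minor"),                           # 2 -> Nil
]

if __name__ == "__main__":
    for asset, threat, band, prio in treatment_plan(SAMPLE_RISKS):
        print(f"priority {prio}: {asset} - {threat} ({band})")
```

With the sample register, the mail server and file server risks (both High, priority 2) are listed ahead of the customer database (Medium, priority 1), while the printer (Low) and the backup tapes (Nil) fall at or below the acceptable level and are not carried into the treatment phase.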

Step 3: Management structure development and approvals
For development of an ISMS for the organisation, a management structure is required which demonstrates upper management's commitment to security in general.

ISMS Management Structure
The following organizational structure represents the ISMS management.
The Chief Executive Officer (CEO) of the Association is ultimately responsible for secure operation. Therefore, it is most appropriate for the CEO to head the ISMS Management Committee, to demonstrate senior management's commitment to the security of the system.

The IT Manager: responsible for secure operation.
All of the operational staff, for example System Administrators, report directly to the IT Manager.
The IT Security Manager: responsible for enforcing security policy, compliance, auditing and incident response activities.
This structure ensures that operational staff will not easily be able to avoid security for convenience in operations or additional functionality against the security policy.

Step 4: Security Policy, Standards and procedures development
Again, the risk assessment should drive the security policy development.
The security policy should address the following areas:
Gateway access policy
Physical security policy
Personnel security policy
System access policy
Configuration control policy
Change management policy
Incident detection and response policy
Contingency policy
Acceptable use policy

The Statement Of Applicability (SOA)
Is a document which identifies the controls chosen for your environment, and explains how and why they are appropriate.
The SOA is derived from the output of the risk assessment / risk treatment plan.
The SOA should make reference to the policies, procedures or other documentation or systems through which the selected control will actually manifest.
It is also good practice to document the justification of why those controls not selected were excluded.
Once the Statement of Applicability is complete, the next step is the implementation programme.

Documentation levels in ISMS
Level 1: policy, scope, risk assessment, statement of applicability
Level 2: describes processes - who, what, when, where
Level 3: describes how tasks and specific activities are done
Level 4: provides objective evidence of compliance with ISMS requirements

Plan-Do-Check-Act Cycle of ISMS
