Program Objective
• Security basics
• Framework for managing information security
• The user's role in implementing and maintaining information security
Information Security
Information Security is the method by which an organization ensures that it has control over its systems and data, thereby protecting its investment in information technology, its customers' confidence and its ability to maintain business operations in an effective and efficient manner.
Information Security Is NOT…
It's not just the IS team or the IT team… it's more than that!
Information security is not only about applying technical controls and installing security devices.
Rather…
Information security is achieved by implementing a suitable set of controls, such as:
• policies
• procedures and guidelines
• technical systems
• security awareness workshops
Information Security Objectives
(Figure: the Confidentiality, Integrity and Availability triangle)
Securing an information asset primarily means ensuring its:
• Confidentiality
• Integrity
• Availability
What is Confidentiality?
Protecting sensitive records from unauthorized use and distribution.
Examples include:
• Income information
• Transaction records
• Customer site information, designs and layouts, intellectual-property-related records
What is Integrity?
Maintaining the quality and validity of a record. Non-repudiation is a concept arising out of integrity: it is a process by which the ultimate responsibility for a transaction is pinned on the user/customer.
Examples include:
• Balance and transaction data are not changed in an unauthorized manner.
• Formulations of medicines are not changed.
• Compositions of materials are not altered.
What is Availability?
Ensuring that records are accessible whenever required.
Examples include:
• Information, such as customer information, is available when it is required.
• Customer medical records.
How is everyone involved?
• PEOPLE: an aware workforce is the best defense against information security threats.
• TECHNOLOGY: the right technology needs to be implemented for cost-effective information security.
• PROCESSES: suitable policies and processes need to be implemented for effective information security.
(Figure: People, Processes and Technology together make up Information Security)
We are all responsible for information security.
What is an Asset?
• An asset is anything of value or importance to an organization.
• Assets can be of the following types:
• Data Assets – Records / Data Assets - others;
• Software Assets;
• Physical Assets;
• Services Asset;
• People Asset.
What is a Threat?
• A threat has the potential to cause an unwanted incident which may result in harm to a system, an organization and its assets.
• For example:
• Fire
• Theft
• Viruses and worms
• Malicious software
What are Vulnerabilities?
• Vulnerabilities are weaknesses associated with an asset. Trust is equal to voluntary vulnerability.
• These weaknesses may be exploited by a threat, resulting in loss, damage or harm to assets.
• For example:
• Lack of physical protection
• Wrong selection and use of passwords
• Unprotected storage of documents
• Insufficient security training
What are Security Controls?
• Security controls are practices, procedures or mechanisms which:
• protect against threats
• reduce vulnerabilities
• limit the impact of an incident
• For example:
• Access control
• Access cards
• User ID / password
• Environmental controls
• Fire control system
• Water leakage prevention
Password Security
> Control Implemented
• Password policy for the operating system and applications
> Your Support
• Don't
• Do not write it down or share it with ANYONE
• Never use:
• Your logon ID or its variations
• Words in the dictionary
• Birth dates, name of spouse, company name, etc.
• Do
• Keep long passwords
• Change your password frequently
• Use secure systems
Select Strong Passwords
• 8 characters
• Has numbers (1, 2, ...), capital letters (A, B, ...) and special characters (!, @, ...)
• Make simple words complex: H1m@l@y@
• First letter of each word in a sentence: J&Jwuth
Note: Do not use these examples as your passwords.
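The password rules on the two slides above, turned into a checker, as an added example that is not part of the original deck. The dictionary word list and the user profile (logon ID, spouse name, company, birth date) are constructed stand-ins for the data a real policy check would consult; the 8-character rule is taken as a minimum, and "variations" of the logon ID are approximated by undoing common letter-for-symbol substitutions.

```python
import re
from datetime import date

# Constructed sample data (assumption, not from the slides): a tiny word list
# and one user's profile, standing in for a real dictionary and HR record.
DICTIONARY_WORDS = {"password", "welcome", "summer", "company", "secret"}
USER_PROFILE = {
    "logon_id": "jsmith",
    "spouse_name": "Maria",
    "company": "ExampleCorp",
    "birth_date": date(1985, 7, 14),
}

# Map the usual symbol/digit substitutions back to letters so that
# "P@ssw0rd" is still recognised as the dictionary word "password".
LEET = str.maketrans("0143@$!", "oiaeasi")


def normalize(s: str) -> str:
    """Lowercase and undo letter-for-symbol substitutions."""
    return s.lower().translate(LEET)


def check_password(pw: str, profile: dict = USER_PROFILE) -> list:
    """Return the list of policy rules the password violates (empty == OK)."""
    problems = []
    if len(pw) < 8:                              # slide: 8 characters (read as a minimum)
        problems.append("shorter than 8 characters")
    if not re.search(r"\d", pw):
        problems.append("no digit")
    if not re.search(r"[A-Z]", pw):
        problems.append("no capital letter")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    norm = normalize(pw)
    logon = profile["logon_id"].lower()
    if logon in norm or logon[::-1] in norm:     # logon ID or a simple variation
        problems.append("contains logon id or a variation of it")
    for word in DICTIONARY_WORDS:
        if word in norm:
            problems.append(f"contains dictionary word '{word}'")
    for label in ("spouse_name", "company"):
        if normalize(profile[label]) in norm:
            problems.append(f"contains {label}")
    bd = profile["birth_date"]
    if any(bd.strftime(f) in pw for f in ("%d%m%Y", "%Y%m%d", "%d%m%y", "%m%d%Y")):
        problems.append("contains birth date")
    return problems
```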
Laptop Security
> Your Support
• Always lock your laptop when stepping away from it.
• Lock your laptop to your desk using a laptop lock.
• Do not leave your laptop unattended in public places.
• Use application passwords for all confidential data so that nobody can access it in case the laptop is lost.
• Never install any application on the PC which was not purchased or downloaded from the genuine supplier's site.
E-Mail Security
• Please change your password frequently.
• If you are leaving confidential data in your mail, please ensure that it is encrypted, so that in case your email is compromised nobody can use it.
• Don't open documents that are received from unknown sources.
• Be aware of Trojans and viruses that are sent as attachments.
• Do not share personal information with unknown recipients.
• Do not forward any email with other parties' email IDs.
• Do not respond to spam emails received from unknown sources.
Phishing
It is not a virus, but a way of tricking you into giving up personal or financial information.
• Never use a link in an e-mail to get to any web page.
• Never send personal or financial information to anyone via e-mail.
• Access any financial institution's site through its genuine parent site rather than through emails.
How to safeguard yourself?
Clear Desk & Clear Screen
– Lock all restricted and confidential documents in a lockable container, i.e. under lock and key.
– Do not leave sensitive documents on your desk, printer or fax, or in public places.
– Always shred your unwanted documents properly to avoid dumpster diving.
– Lock your computer whenever you leave your place.
Social Engineering
• Social engineering preys on qualities of human nature:
• the desire to be helpful
• the tendency to trust people
• the fear of getting into trouble
• Some of the ways in which social engineering is carried out are:
• Forged phone calls
• Dumpster diving
• Persuasion
• Phishing
• Do not discuss sensitive information with others in public.
• Do not give out sensitive information over email or telephone.
• Make sure nobody is looking at you when you are typing in your password: "avoid shoulder surfing".
• Always be sure of the other person's identity when you receive a call you are not expecting.
PC best practices
• Buy genuine software
• Install a firewall and antivirus
• Apply the patches issued by the OS and other vendors
• Do not open or download any executable file or email attachment when in doubt
Physical Security
• Data Centre door: keep it closed
• Access control card: use it, do not share it
• Always wear your identification and access badge
• Escort visitors and vendors in the work/server area
• Never leave the entry gate open
• Tail-gating/piggy-backing should be discouraged
• Never use camera phone at work / server area
• Never share your ID card with others