Information Security


Page 1

Information Security

Page 2

Agenda

Introduce key concepts in information security from the practitioner’s viewpoint.

Discuss identifying and prioritizing information assets through the practical application of risk assessment methods.

Discuss the application of information security best practice models in high security environments.

Page 3

Agenda

Provide practical examples of identifying threats to information assets.

Discuss compliance obligations for Government and non-government organizations.

Page 4

“The Need to Know”

Understanding your Information System

Understanding the relationship between Information Security, Data Quality and Governance

Page 5

What is Information Security?

Organisations which collect and store data about:

• Customers
• Staff, and
• Key business processes (IP)

must be able to demonstrate effective security measures that ensure personal information is accurate and up to date, and that vital IP about the core business is secure, in order to retain the confidence of key stakeholders.

“If you can’t secure data you can’t measure its quality and you can’t improve integrity”

Page 6

What is Information Security?

“Information Security” is a combination of:

Communications security (Comsec)

Computer security (Compusec)

Ref: Australian National Computer Security and Information Security Authority

The Defence Signals Directorate

Page 7

What is Information Security?

“Confidentiality” ensures that information is available only to those people properly authorized to receive it.

“Integrity” ensures that information has not been changed or tampered with.

“Availability” ensures that communications and computing systems are not disrupted in their normal operations.

Page 8

What is Information Security?

“Authentication” ensures that a person accessing or providing information is actually who they claim to be.

“Non-repudiation” ensures that a person is not able to deny the receipt of information if they have, in fact, received it.

These factors are rapidly growing in importance as our day-to-day business is increasingly conducted by electronic means.

Page 9

Risk Assessment

Do you understand your information system?

Risk Assessment will reveal a detailed view of your information environment:

• Establish the boundaries of your system.
• Identify your information inventory.
• Identify and value your critical data sets.
• Establish the risks to your information system.

Page 10

Risk Assessment

The risk assessment process - converting subjective risks into objective harms.

Harms to your information system can be assessed, analysed and measured.

Risk is assessed against the likelihood and consequence of compromising the Confidentiality, Integrity and Availability of your information.

Page 11

Risk Assessment

The level of risk is determined by comparing the threats to information and assets against the known security weaknesses or vulnerabilities of the information technology systems.

The level of acceptable risk is a managerial decision based on the information and recommendations provided in the risk assessment.

Page 12

Risk Assessment

Discover environmental data:

• What data do you hold?
• Where is the information? Where does the data reside?
• Interfaces?
• Who has access to your information?
• What are the boundaries of your system?

Is information systems security about computers or Information?

Page 13

Risk Assessment

Establish the Context

• Define relationship with other systems.
• Identify assets.
• Establish risk criteria.

Risk Identification

• Identify the risks to be managed.
• Determine what to protect against (Threats).
• Determine who to protect against.

Page 14

Risk Assessment

Risk Analysis

• Analyze risks to be managed.
• Estimate likelihood and consequence.
• Determine context against management/control measures.
• Assess existing/proposed security measures.
• Determine vulnerability and acceptable risk.

Page 15

Risk Assessment

Risk Evaluation and Treatment

• Compare assessed risks against risk criteria.
• Consider treatment options.

Recommendations

• Identify the steps to be taken to manage the accepted or residual risks.
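The risk assessment steps on the preceding slides (establish the context, identify risks, analyse likelihood and consequence, evaluate against the risk criteria, recommend treatment) carried through on a small constructed risk register, as an added example that is not part of the original slides. The five-point likelihood and consequence scales, the score bands used as risk criteria, and the sample assets, threats and controls are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Five-point scales and score bands are assumptions for this example;
# the deck leaves the scales to the organisation's own risk criteria.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LEVELS = ["low", "medium", "high"]  # ordered from least to most serious


@dataclass
class Risk:
    asset: str            # asset identified in the "establish the context" step
    threat: str           # what to protect against (accidental or deliberate)
    affects: str          # property compromised: "C", "I" or "A"
    likelihood: str
    consequence: str
    controls: list = field(default_factory=list)  # existing/proposed measures

def score(risk: Risk) -> int:
    """Risk analysis: likelihood x consequence on the 5x5 scales (1..25)."""
    if risk.affects not in ("C", "I", "A"):
        raise ValueError("affects must be C, I or A")
    return LIKELIHOOD[risk.likelihood] * CONSEQUENCE[risk.consequence]

def level(points: int) -> str:
    """Risk criteria: map a score to a level (the bands are assumed values)."""
    if points >= 15:
        return "high"
    if points >= 8:
        return "medium"
    return "low"

def evaluate(risks, acceptable="low"):
    """Risk evaluation: the acceptable level is a management decision; every
    risk above it needs treatment. Returns (asset, threat, property, level)
    tuples, most serious first, so the recommendations can be prioritised."""
    limit = LEVELS.index(acceptable)
    to_treat = [(r.asset, r.threat, r.affects, level(score(r)))
                for r in risks if LEVELS.index(level(score(r))) > limit]
    return sorted(to_treat, key=lambda t: -LEVELS.index(t[3]))

# Constructed register; the threat names come from the deck's generic threat lists.
REGISTER = [
    Risk("customer database", "unauthorised access to data", "C", "possible", "major",
         ["passwords", "access control"]),
    Risk("customer database", "fire", "A", "rare", "severe", ["off-site backup"]),
    Risk("order processing", "data entry error", "I", "likely", "minor"),
    Risk("public web server", "denial of service", "A", "almost certain", "moderate"),
]

if __name__ == "__main__":
    for item in evaluate(REGISTER, acceptable="low"):
        print(item)
```

Raising the acceptable level to "medium" leaves only the denial-of-service risk on the treatment list; the choice of that level, not the arithmetic, is the managerial decision the deck refers to.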

Page 16

High Security Environments

Security in Depth

Page 17

High Security Environments

Characterized by robust security plans.

Information Security principles are the key.

“The Need to Know” Principle.

“The availability of information limited to those who need to use or access the information to do their work”.

Page 18

High Security Environments

Awareness - expectations about use and care of information.

Protective security procedures and measures must be understood by those who will implement and practice them.

Concept of “Security in Depth”

Page 19

Security in Depth

Concept of Security in Depth is a key element in securing information in high security environments.

Several Protective Security barriers to access information must be penetrated by an external intruder or unauthorized staff member with no “Need to Know”.

Page 20

Security in Depth

The barriers consist of interlocking measures designed to combine to exclude any unauthorized penetration attempt.

Protective Security procedures and measures must be understood by those who will implement and practice them.

Page 21

Security in Depth

Protective Security procedures / measures:

• Staff background checks
• Security instructions
• Security education programs
• Security guards
• Access control and surveillance systems
• Keys
• Safes
• Passwords

Page 22

Threats to Information Assets

Page 23

Threats to Information Assets

Threats that can impact on the Confidentiality, Integrity and Availability of an Information System include the following generic threats:

Accidental Threats

• Fire
• Programming error
• Technical (hardware) failure
• Data entry error
• Environmental
• Failure of power

Page 24

Threats to Information Assets

Deliberate Threats, including:

• Denial of Service
• Eavesdropping
• Malicious code – virus
• Malicious code – logic
• Malicious destruction of data
• Malicious destruction of Facilities
• Unauthorised access to data
• Unauthorised release of data

Page 25

Compliance Obligations

Handle all information with care – all information that an employee or contractor accesses must be handled according to policy – official information, personal information (Privacy Act).

Information must only be used for the purpose stated by the agency or organization – any other use is misuse.

Information must be secured appropriately – sound security risk management – procedures to identify Vital information and information resources.

Risks must be reduced to an acceptable level.

Page 26

Compliance Obligations

The integrity and reliability of information systems which process, store or transmit information require some level of protection.

Some Government information (official information) is given a security classification where its compromise could cause harm to the nation, the public interest, the Government or other entities or individuals.

Specific security measures must be followed.

Page 27

Information Security Plans

If you can’t map your system you can’t secure your data.

Your system is bounded by your data model. What do you protect? The data in the system.

The system is more than the static ICT elements:

• Paper
• Media – removable
• Knowledge – people
• Communications – internet, phone, mobile, fax etc.

Page 28

Information Security Plans

Aim: Provide an effective, integral and available information system and resource by:

• Incorporating security into every facet of the architecture, design and operation of the System environment.

• Establishing a Security Management Strategy.

• Developing Security Standards.

Page 29

Information Security Plans

Development of Information Security Plans requires a good understanding of your data.

Step 1 Understand your information (Data)

Step 2 Understand your Information System.

Step 3 Map your system boundaries - SAPP (Security Architecture and Policy Plan)

Page 30

Information Security Plans

Step 4 Develop an Information Security (IS) Policy.

Step 5 Develop an Information Security (IS) Plan.

Step 6 Develop and implement Risk Management System.

Step 7 Establish an IS Education Program.

Page 31

Information Security Plans

• Implement Security System.

• Implement compliance management system.

• Implement Security Education and Awareness Program.

Outcome

Protecting information against unauthorized disclosure, fraud, loss, damage or theft.

Page 32

Security Education and Awareness Program

Who is Responsible?

Page 33

Restricting Overview Access

All authorised users must take every possible precaution to ensure that information, regardless of its security classification and the security clearance of those in the vicinity, cannot be viewed by those without a “Need-to-Know”.

Information accessed on the System may only be divulged to another person on a strictly need-to-know basis.

Page 34

Restricting Overview Access

Any person accessing the System may only view information which relates to that which they have a need-to-know to do their normal work.

Users with Privileged Access must only access System Information on a strictly need-to-know basis, and only when it involves system maintenance.

Read and sign the Information Security Procedures at regular intervals.

Page 35

User Personal Responsibility

• Maintain NEED to KNOW
• Report ALL Security Incidents to the Information Security Officer
• Adhere to the Password policy
• Regularly access Security information

Outcome

Protecting information against unauthorized disclosure, fraud, loss, damage or theft.

Page 36

Password Security - The Basics

• Passwords must never be written down.

• Never share Passwords under any circumstances.

• Password length should be the minimum length defined in the Information Security Procedures.

• Never contain the User ID in the Password.

Page 37

Password Security - The Basics

• Passwords should not be based on any common abbreviation or acronym.

• Passwords should not be based on any information about yourself, including family, friends, pets, birthdays etc.

• Publish password rules in the Information Security Procedures.
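The password rules from the two slides above (minimum length, no User ID in the password, no common abbreviation or acronym, no personal information) expressed as a check that an enrolment or password-change process could run, as an added example that is not part of the original slides. The minimum length, the abbreviation list and the sample users are assumptions; the deck says the real values are published in the Information Security Procedures.

```python
import re

# Assumed values: the deck says the minimum length and the rules themselves
# are published in the organisation's Information Security Procedures.
MIN_LENGTH = 12
COMMON_ABBREVIATIONS = ("password", "pass", "qwerty", "admin", "login", "asap", "fyi")


def normalise(text: str) -> str:
    """Lower-case and drop punctuation so 'J.Smith-1980' and 'jsmith1980' compare equal."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(password: str, user_id: str, personal_info=()) -> list:
    """Return the deck's rules that the password breaks (an empty list means accepted).
    personal_info holds family, friend and pet names, birthdays etc. known for the user."""
    problems = []
    pw = normalise(password)
    uid = normalise(user_id)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than the minimum length of {MIN_LENGTH}")
    if uid and uid in pw:
        problems.append("contains the User ID")
    for abbr in COMMON_ABBREVIATIONS:
        if abbr in pw:
            problems.append(f"based on common abbreviation or acronym '{abbr}'")
    for item in personal_info:
        token = normalise(item)
        # A date such as 12/04/1980 normalises to 8 digits; the year alone is
        # also a giveaway, so both ends of the digit string are checked too.
        variants = {token}
        if token.isdigit() and len(token) == 8:
            variants.update({token[:4], token[-4:]})
        if any(len(v) >= 3 and v in pw for v in variants):
            problems.append(f"based on personal information '{item}'")
    return problems


# Constructed sample: a user whose surname, pet and birthday are on record.
SAMPLE_USER = ("jsmith", ["Smith", "Rex", "12/04/1980"])

if __name__ == "__main__":
    for candidate in ("JSmith1980!", "Tr0ub4dor&3.Horse!Stapler"):
        print(candidate, "->", check_password(candidate, *SAMPLE_USER) or "accepted")
```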

Page 38

Information Security Audit

Conducting regular Information Security Audits will improve Governance and management of your system.

Provide better understanding of information and the system where the information resides.

Improve Governance over all system data.

The key word is UNDERSTANDING.

“Managing the unknown will lead to less than optimal data quality.”

Page 39

Review

Key concepts in information security from the practitioner’s viewpoint.

Identifying and prioritizing information assets through the practical application of risk assessment methods.

The application of information security best practice models in high security environments.

Page 40

Review

Practical examples of identifying threats to information assets.

Compliance obligations for Government and non-government organizations.

Development of information security plans.

Advantages of conducting Information Security Audits to check the health of your information security system.

Page 41

QUESTIONS?