BAA AIS Information Security
Uploaded by chitekweregibson
Information Security
BAA-Audit & Information Systems
By Winston Phethi
Information Security
 What is Information Security?
 Balancing Information Security and Access
 Key Information Security concepts
 Why do we need Information Security?
 How did Information Security start?
 Objectives of Information Security
 Principles, tools, frameworks and standards for Information Security
 Threats in Information Security
 Roles and Responsibility in Information Security
 Approaches to Information Security Implementation
What is Information Security?
 Information is “processed raw facts or data” while
Security is “the quality or state of being secure—to be
free from danger”.
 Information Security “is the protection of
information and its critical elements, including
systems that use, store, and transmit that
information.”
 A successful organization should have multiple layers
of security in place:
◦ Physical security
◦ Personal security
◦ Operations security
◦ Communications security
◦ Network security
◦ Information security
What is Information Security?...Cont.
 Information security is a combination of
preventive, detective, and recovery measures.
 Information Security also includes education,
awareness, and training measures that inform
computer users of the “acceptable use”
principles and practices that support the
protection of information assets.
 Information security is achieved by the
combined efforts of information owners, users,
custodians, and information security personnel.
Balancing Information Security and Access
 Impossible to obtain perfect security—it is a
process, not an absolute
 Security should be considered a balance between
protection and availability
 To achieve balance, the level of security must allow
reasonable access, yet protect against threats
Key Information Security Concepts
 Access: A subject or object’s ability to use,
manipulate, modify, or affect another subject
or object.
 Asset: The organizational resource that is
being protected.
 Attack: An intentional or unintentional act
that can cause damage to or otherwise
compromise information and/or the systems
that support it. Attacks can be active or
passive, intentional or unintentional, and
direct or indirect.
Key Information Security Concepts…Cont.
 Control, safeguard, or countermeasure:
Security mechanisms, policies, or procedures
that can successfully counter attacks, reduce
risk, resolve vulnerabilities, and otherwise
improve the security within an organization.
 Exploit: A technique used to compromise a
system.
 Exposure: A condition or state of being
exposed. In information security, exposure
exists when a vulnerability known to an
attacker is present.
Key Information Security Concepts…Cont.
 Loss: A single instance of an information
asset suffering damage or unintended or
unauthorized modification or disclosure.
 Threat: A category of objects, persons, or
other entities that presents a danger to an
asset.
 Threat agent: The specific instance or a
component of a threat.
 Vulnerability: A weakness or fault in a
system or protection mechanism that opens
it to attack or damage.
Why do we need Information Security?
Information security performs four important
functions for an organization:
1. Protecting the organization’s ability to
function
2. Enabling the safe operation of applications
running on the organization’s IT systems
3. Protecting the data the organization
collects and uses
4. Safeguarding the organization’s
technology assets
How did Information Security start?
 Information security began with Rand
Report R-609 (the paper that started the study
of computer security)
 Scope of computer security grew from
physical security to include:
◦ Safety of data
◦ Limiting unauthorized access to data
◦ Involvement of personnel from multiple levels
of an organization
How did Information Security start?...Cont.
In the 1990s
 Networks of computers became more common; so too did
the need to interconnect networks
 The Internet became the first manifestation of a global network of
networks
 In early Internet deployments, security was treated as a
low priority

Present
 The Internet brings millions of computer networks into
communication with each other—many of them unsecured
 The ability to secure a computer’s data is influenced by the
security of every computer to which it is connected
Objectives of Information Security
Three objectives include:
 Confidentiality: Preserving authorized
restrictions on information access and
disclosure, including means for protecting
personal privacy and proprietary
information.
 Integrity: Guarding against improper
information modification or destruction,
including ensuring information non-
repudiation and authenticity.
 Availability: Ensuring timely and reliable
access to and use of information.
Objectives of Information Security….Cont.
 Authenticity: Being genuine, verified and
trusted.
◦ Confidence in the validity of a transmission, a
message and a message originator
◦ Verifying that users are who they say they are and
that each message came from a trusted source.
 Accountability: Actions of an entity can be
traced uniquely to that entity. Supports: non-
repudiation, deterrence, fault isolation, intrusion
detection and prevention, recovery and legal
action.
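The objectives above are stated abstractly. The following is an added example, not code from these slides or from the works they cite, showing how integrity, authenticity and accountability are enforced on a small audit log: each entry is chained to the digest of the previous one and tagged with a key belonging to the acting entity, so altered, reordered, deleted or reattributed entries are detected and every accepted action traces to exactly one entity. Entity names, keys and actions are constructed values. HMAC tags are used deliberately so the caveat is visible: the verifier holds the same keys as the authors, so the tags give integrity and authenticity to the verifier but not non-repudiation toward a third party, which would need per-entity asymmetric signatures.

```python
import copy
import hashlib
import hmac
import json

# Constructed per-entity MAC keys (illustrative values, not real secrets).
# One key per entity is what lets a valid tag be traced to exactly one
# entity, which is the accountability objective from the slides.
ENTITY_KEYS = {
    "alice": b"constructed-key-for-alice",
    "bob": b"constructed-key-for-bob",
}
GENESIS = "0" * 64  # previous-digest value used for the first entry


def make_entry(entity, action, prev_digest):
    """Create one audit-log entry.

    The body binds the entity and its action to the digest of the previous
    entry (a hash chain, for integrity of the sequence) and carries an HMAC
    tag computed with that entity's own key (authenticity of the author).
    The digest over body+tag is what the next entry chains to.
    """
    body = {"entity": entity, "action": action, "prev": prev_digest}
    payload = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(ENTITY_KEYS[entity], payload, hashlib.sha256).hexdigest()
    digest = hashlib.sha256(payload + tag.encode()).hexdigest()
    return {"body": body, "tag": tag, "digest": digest}


def build_log(actions):
    """Turn a list of (entity, action) pairs into a chained, tagged log."""
    entries, prev = [], GENESIS
    for entity, action in actions:
        entry = make_entry(entity, action, prev)
        entries.append(entry)
        prev = entry["digest"]
    return entries


def verify_log(entries):
    """Return (True, -1) if every entry checks out, otherwise (False, index)
    for the first failing entry. The comments name the failure detected."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = entry["body"]
        if body["prev"] != prev:
            return False, i  # entry removed, inserted, or reordered
        key = ENTITY_KEYS.get(body["entity"])
        if key is None:
            return False, i  # claimed entity has no key: cannot be traced
        payload = json.dumps(body, sort_keys=True).encode()
        expected_tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, entry["tag"]):
            return False, i  # content altered or action attributed to the wrong entity
        digest = hashlib.sha256(payload + entry["tag"].encode()).hexdigest()
        if not hmac.compare_digest(digest, entry["digest"]):
            return False, i  # stored digest does not match the entry
        prev = digest
    return True, -1


def tamper(entries, index, field, value):
    """Return a copy of the log in which one body field has been silently
    changed, modelling write access to the log store without any entity key.
    Used below to show what the verifier detects."""
    altered = copy.deepcopy(entries)
    altered[index]["body"][field] = value
    return altered


if __name__ == "__main__":
    # Constructed sample actions.
    log = build_log([
        ("alice", "approve_payment:1001"),
        ("bob", "export_report:q3"),
        ("alice", "disable_account:42"),
    ])
    print("intact log:", verify_log(log))  # (True, -1)
    print("altered action:", verify_log(tamper(log, 1, "action", "export_report:all")))  # (False, 1)
    print("reattributed to alice:", verify_log(tamper(log, 1, "entity", "alice")))  # (False, 1)
    print("entry deleted:", verify_log(log[:1] + log[2:]))  # (False, 1)
```

Each detected case maps back to the slide's terms: the chain check covers integrity of the record as a whole, the per-entity tag covers authenticity and accountability (an action re-attributed to another entity fails because the wrong key verifies it), and the fact that verification needs the same keys the authors used is exactly why this construction stops short of non-repudiation.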
Principles, tools, frameworks and standards for Information Security
STANDARDS include:
1. ISO 17799/BS 7799
◦ Purpose – “give recommendations for information
security management for use by those who are
responsible for initiating, implementing, or
maintaining security in their organization.”
◦ One of the most widely referenced and often
discussed security models.
◦ Framework for information security that states an
organizational security policy is needed to provide
management direction and support.
Principles, tools, frameworks and standards for Information Security…Cont.
2. NIST Security Models
Special Publication 800-14:
 Security supports the mission of the organization
 Security is an integral element of sound management
 Security should be cost-effective
 Systems owners have security responsibilities outside their own
organizations
 Security responsibilities and accountability should be made explicit
 Security requires a comprehensive and integrated approach
 Security should be periodically reassessed
 Security is constrained by societal factors
Principles, tools, frameworks and standards for Information Security…Cont.
TOOLS include:
Policy, Awareness, Training, Education and
Technology
 A policy is a plan or course of action that conveys
instructions from an organization’s senior
management to those who make decisions, take
actions, and perform other duties.
Security Education
 Everyone in an organization needs to be trained
and made aware of information security, but not
every member of the organization needs a formal
degree or certificate in information security.
Principles, tools, frameworks and standards for Information Security…Cont.
TOOLS include:
Security Training
 Security training provides detailed
information and hands-on instruction to
employees to prepare them to perform
their duties securely.
Security Awareness
 A security awareness program is designed
to keep information security at the
forefront of users’ minds.
Principles, tools, frameworks and standards for Information Security
PRINCIPLES:
 Generally Accepted Information Security Principles (GAISP) these I
Principles, tools, frameworks and standards for Information Security…Cont.
Principles - these include:
1. Accountability Principle
 The responsibilities and accountability of owners, providers and
users of information systems and other parties concerned with the
security of information systems should be explicit.
2. Awareness Principle
 In order to foster confidence in information systems, owners,
providers and users of information systems and other parties should
readily be able, consistent with maintaining security, to gain
appropriate knowledge of and be informed about the existence and
general extent of measures, practices and procedures for the
security of information systems.
3. Ethics Principle
 Information systems and the security of information systems should
be provided and used in such a manner that the rights and
legitimate interests of others are respected.
Principles, tools, frameworks and standards for Information Security…Cont.
4. Multidisciplinary Principle
 Measures, practices and procedures for the security of information
systems should take account of and address all relevant
considerations and viewpoints, including technical, administrative,
organizational, operational, commercial, educational and legal.
5. Proportionality Principle
 Security levels, costs, measures, practices and procedures should
be appropriate and proportionate to the value of and degree of
reliance on the information systems and to the severity, probability
and extent of potential harm, as the requirements for security vary
depending upon the particular information systems.
6. Integration Principle
 Measures, practices and procedures for the security of information
systems should be coordinated and integrated with each other and
with other measures, practices and procedures of the organization
so as to create a coherent system of security.
Principles, tools, frameworks and standards for Information Security…Cont.
7. Timeliness Principle
 Public and private parties, at both national and
international levels, should act in a timely coordinated
manner to prevent and to respond to breaches of
security of information systems.
8. Reassessment Principle
 The security of information systems should be
reassessed periodically, as information systems and
the requirements for their security vary over time.
9. Equity Principle
 The security of information systems should be
compatible with the legitimate use and flow of data
and information.
Threats to Information Security
Roles and Responsibility in Information Security
 Senior management is the key component
and the vital force for a successful
implementation of an information security
program.
 Administrative support is also essential to
developing and executing specific security
policies and procedures, and technical
expertise.
Roles and Responsibility in Information Security…Cont.
 Senior management – senior technology officer:
 The Chief Information Officer (CIO) is primarily
responsible for advising the chief executive
officer.
 Translates the strategic plans of the organization
as a whole into strategic information plans for the
information systems or data processing division
of the organization.
 Works with subordinate managers to develop
tactical and operational plans for the division and
to enable planning and management of the
systems that support the organization.
Roles and Responsibility in Information Security…Cont.
 Chief Information Security Officer (CISO):
has primary responsibility for the assessment,
management, and implementation of
information security in the organization.
 May also be referred to as the manager for IT
security, the security administrator, or a
similar title.
 Usually reports directly to the CIO, although in
larger organizations it is not uncommon for
one or more layers of management to exist
between the two.
Roles and Responsibility in Information Security…Cont.
 Information Security Project Team –
should consist of a number of individuals
who are experienced in one or multiple
facets of the required technical and
nontechnical areas. These include:
 Champion: A senior executive who
promotes the project and ensures its
support, both financially and
administratively, at the highest levels of the
organization.
Roles and Responsibility in Information Security…Cont.
 Team leader: A project manager, who may be a
departmental line manager or staff unit manager,
who understands project management, personnel
management, and information security technical
requirements.
 Security policy developers: People who
understand the organizational culture, existing
policies, and requirements for developing and
implementing successful policies.
 Risk assessment specialists: People who
understand financial risk assessment techniques, the
value of organizational assets, and the security
methods to be used.
Roles and Responsibility in Information Security…Cont.
 Security professionals: Dedicated,
trained, and well-educated specialists in all
aspects of information security from both a
technical and nontechnical standpoint.
 Systems administrators: People with the
primary responsibility for administering the
systems that house the information used by
the organization.
 End users: Those whom the new system
will most directly affect.
Approaches to Information Security Implementation
The implementation of information security in an
organization must begin somewhere, and cannot
happen overnight.
 The top-down approach—in which the project is
initiated by upper-level managers who issue policy,
procedures and processes, dictate the goals and
expected outcomes, and determine accountability for
each required action—has a higher probability of
success.
 This approach has strong upper-management support,
a dedicated champion, usually dedicated funding, a
clear planning and implementation process, and the
means of influencing organizational culture.
Approaches to Information Security Implementation…Cont.
 The bottom-up approach—information security
can begin as a grassroots effort in which systems
administrators attempt to improve the security of
their systems.
 The key advantage of the bottom-up approach is the
technical expertise of the individual administrators.
 Working with information systems on a day-to-day
basis, these administrators possess in-depth
knowledge that can greatly enhance the
development of an information security system.
 They know and understand the threats to their
systems and the mechanisms needed to protect
them successfully.
References
 Whitman, Michael E., and Herbert J. Mattord. Principles of Information Security, Fourth Edition. Kennesaw State University.
 Organization for Economic Cooperation and Development (OECD). Guidelines for the Security of Information Systems, 1992.