SlideShare ist ein Scribd-Unternehmen logo

Intro.ppt

Als PPT, PDF herunterladen
R
RamaNingaiah

introduction to information security sysytem

Technologie
1 von 51
CS 620 Introduction to Information Security Dr. Karen Forcht Department of Computer Science James Madison University
Part I (Overview, Access, Control, Cryptography, Risk Analysis) Part II (Business Continuity Planning, Data Classification, Security Awareness, Computer and System Security)
Part III (Telecommunications Security, Organization Architecture, Legal Regulatory Investigation) Part IV (Investigation, Application program Security, Physical Security, Operations Security)
Part V (Information Ethics, Policy Development)
Computer Security Act of 1987 Requires: • Sensitive systems and data must be identified • Plans for ensuring security and control of such systems must be created • Personnel training programs must be developed and in place
Development of Security Program • Objectives • Policies • Connectivity, Corporate Structure, and Security • Plans • Responsibilities
Security Policy Goals • Avoidance • Deterrence • Detection • Correction
Risk Analysis • Identify sensitivity of data • Determine value of systems and information • Assess threats and vulnerabilities (sabotage, environment, errors)
Purposes of Risk Analysis • No significant intentional or accidental threat is overlooked • Assure that cost-benefit analysis is reasonable
Contingency Plan • Purpose: Protect, detect, recover • Criticality: Formulated, communicated to ALL employees, tested regularly
Legal Issues • Licenses • Fraud/Misuse • Privacy • Copyright • Trade Secrets • Employee Agreements
Access Control Collection of mechanisms to restrain or prohibit use of information and systems Includes: Functions, implementation, good practices, environmental constraints
Considerations • Ownership of Data • Custodian of Data • Accountability • Reconciliation • Rule of Least Privilege
User Authentication and Password Management • Access Control • Knowledge-Based Authentication • Token-Based Authentication • Characteristic-Based Authentication • Password Management
Access Control • Policies • Procedures • Standards • Control
Cryptography Definition: Use of secret codes to provide integrity/confidentiality of information during transfer and storage Considerations: -Complexity -Secrecy - Characteristics of key
Definition: Encryption: plaintext to ciphertext Decryption: From ciphertext to plaintext
Key Management • Public vs. Private • Selecting Key • Management of the Keys • Protection of Keys • Testing of Keys • Updating Keys • Error Detection
Risk Management Includes ideas, models, methods, techniques to control risk Includes: -Assessment -Reduction -Protective measures -Risk Acceptance -Insurance
Considerations of Risk Assessment • Annual Loss Expectancy(ALE) • Asset Valuation/Inventory • Types of Attacks/Threats • Availability of Resources/Denial of Service • Detection • Exposure • Passive Threats • Perils • Prevention • Analysis/Assessment/Management of Risk • Data Valuation
Classification of People/Assets Should Include: -People -Procedures -Data/Information -Software -Hardware
Threat and Exposure Assessment • Density/Volume of Information • Accessibility of Systems • Complexity • Electronic Vulnerability • Media Vulnerability • Human Factors
Safeguards and Counter Measures • Prevent Exposures • Detect Attempted Threats • Correct the Causes of Threats
Business Continuity Planning (1) • Planning and Analysis Methods • Rates of Occurrence of Disabling Events • Availability and Use of Planning Tools/Aids • Identification of Business Success factors(BSF) and Critical capabilities(Critical or Key Success Factors (CSF/KSF)
Business Continuity Planning (2) • Alternative Sources of Supply • Legal and Regulatory Requirements
Backups and Procedures • Importance for Recovery • Data Value • Manuals and Documentation • Back Up Frequency • On-Line Systems • Equipment
The Three C’s -Catastrophe -Contingency -Continuation BE PREPARED!!!
Off-site Backups and Storage Two Control Points: 1. When backup material is being transferred to/from the site 2. When backup material is stored at the site (also consider in-house storage)
Data Classification • Elements and Objectives of a Classification Scheme • Criteria used to Classify Data • Procedures to be Used • Differences Between Government and Commercial Programs • Limitations • Program Implementation
To Be Included: • Distinguish Between Classification and Sensitivity • Classified vs. Sensitive • Data Elements • Handling of Data • Identify Criteria • Classification Schemes • Rule of Users Managers • Effect of Data Aggregation on Classification • Techniques for Avoiding Disclosure
Security Awareness Include: • Corporate Policies, Procedures, Intentions • Areas Where Remedial Actions are Needed • Assessment of Threats and Vulnerabilities • Technology Trends • Behaviors to be Encouraged • User Motives • Applicable Laws and Regulation • Available/Applicable Communication Channels/Media
Administrative/Organizational Controls • Policies • Awareness • Employee Non-Disclosure Considerations • Employee Training • Telecommuting Considerations • Effects of Technological Changes/Updates
Personnel Considerations • Human Motives for Criminal Action • Employee Selection • Professional Certificates • Working Environment • Technological Updates (Effect on Users) • Employee Separation
Computer and System Security Professionals Should Understand: • Computer Organizations, Architectures, Designs • Source and Origin of Security Requirements • Advantages/Disadvantages of Various Architectures • Security Features/Functions of Various Components • Choices to be Considered When Selecting Components
Common Flaws and Penetration Methods • Operating Systems Flaws • Penetration Techniques(Trojan Horses, Virus, Salami Attack, Deception)
Viruses • Design • Protection • Recovery • Prevention • Counter Measures
Telecommunications Security • Objectives • hazards and Exposures • Effects of Topology, Media, Protocols, Switching • Hazards and Classes of Attack • Defenses and Protective Measures
Methods • Aborted Connection • Active Wiretapping • Between - The - Lines Entry • Call Back • Emanations • Covert Channel • Cross-Talk • Eavesdropping • Electronic Funds Transfer(EFT) • Handshaking
Considerations • Transmission Technologies • Bandwidth • Connectivity Potential • Geographical Scope • Noise Immunity • Security • Applications • Relative Cost
System Security Officer • Organizational Knowledge (Structural and Behavioral) • Technical Knowledge • Accounting/Audit Concepts • Personnel Administration Matters • Laws/Legislation • Strategic/Tactical Planning • Labor/Negotiation/Strategies/Tactics
Computer Security Incidence Response • Goals • Constituency • Structure • Management Support/Funding • Charter • Handbook of Operations • Staffing
Legal/Regulatory • Federal Laws/Regulations • State Laws/Regulations • International Issues • Organizational/Agency Considerations • Personal Behavior • Remedies to Constituents • Civil vs. Criminal Law • Pending Legislation
Computer Crime • Fraud • Embezzlement • Unauthorized Access • “White Collar” Crime • Theft of Hardware/Copying Software • Physical Abuse • Misuse of Information • Privacy/Confidentiality Violations • Intellectual Property • Negligence • License Agreements
Investigation • Legal Requirements for Maintaining a Trail of Evidence • Interrogation Techniques • Legal Limits on Interrogation Methods Permitted
Application Program Security • Distribution of Controls Between Application and System • Controls Specific to Key, Common, or Industry Applications • Criteria for Selection and Application • Tests for Adequacy • Standards for Good Practice
Software Controls • Development • Maintenance • Assurance • Specification and Verification • Database Security Controls • Accounting/Auditing
Physical Security • Site/Building Location • External characteristics/Appearance • Location of Computer Centers • Construction Standards • Electrical Power(UPS) • Water/Fire Considerations • Traffic/Access Control • Air Conditioning/Exhaust • Entrances/Exits • Furnishings • Storage of Media/Supplies
Operations Security • Resources to be Protected • Privileges to be Restricted • Available Control Mechanisms • Potential for Abuse of Access • Appropriateness of Controls • Acceptable Norms of Good Practice
Information Ethics Doing the Right Thing!! • Privacy/Confidentiality • Common Good • Professional Societies • Professional Certifications
Policy Development Considerations: • Have Longevity • Be Jargon Free • Be Independent of Jobs, Titles, or Positions • Set Objectives • Fix Responsibility • Provide Resources • Allocate Staff • Be Implemented Using Standards and Guidelines
That’s All Folks (and not a minute too soon!!) I’m Looking Forward to working With You!!!!

Empfohlen

ISAA PPt
ISAA PPtISAA PPt
ISAA PPt
RishabhAgrawal695188
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart Way
Security Innovation
 
What are the important objectives of Cybersecurity.pdf
What are the important objectives of Cybersecurity.pdfWhat are the important objectives of Cybersecurity.pdf
What are the important objectives of Cybersecurity.pdf
Bytecode Security
 
Unit 1&2.pdf
Unit 1&2.pdfUnit 1&2.pdf
Unit 1&2.pdf
Ndheh
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Knoldus Inc.
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security Management
Jonathan Coleman
 
Security Architecture
Security ArchitectureSecurity Architecture
Security Architecture
Priyank Hada
 

Empfohlen

ISAA PPt
ISAA PPtISAA PPt
ISAA PPt
RishabhAgrawal695188
 
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and PoliciesCISSP Prep: Ch 1: Security Governance Through Principles and Policies
CISSP Prep: Ch 1: Security Governance Through Principles and Policies
Sam Bowne
 
Assessing System Risk the Smart Way
Assessing System Risk the Smart WayAssessing System Risk the Smart Way
Assessing System Risk the Smart Way
Security Innovation
 
What are the important objectives of Cybersecurity.pdf
What are the important objectives of Cybersecurity.pdfWhat are the important objectives of Cybersecurity.pdf
What are the important objectives of Cybersecurity.pdf
Bytecode Security
 
Unit 1&2.pdf
Unit 1&2.pdfUnit 1&2.pdf
Unit 1&2.pdf
Ndheh
 
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Definitive Security Testing Checklist Shielding Your Applications against Cyb...
Knoldus Inc.
 
MIS: Information Security Management
MIS: Information Security ManagementMIS: Information Security Management
MIS: Information Security Management
Jonathan Coleman
 
Security Architecture
Security ArchitectureSecurity Architecture
Security Architecture
Priyank Hada
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
Sam Bowne
 
CNIT 125: Ch 2. Security and Risk Management (Part 1)
CNIT 125: Ch 2. Security and Risk Management (Part 1)CNIT 125: Ch 2. Security and Risk Management (Part 1)
CNIT 125: Ch 2. Security and Risk Management (Part 1)
Sam Bowne
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect Match
McKonly & Asbury, LLP
 
Managing IT Risk and Assessing Vulnerability
Managing IT Risk and Assessing VulnerabilityManaging IT Risk and Assessing Vulnerability
Managing IT Risk and Assessing Vulnerability
AIS Network
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
Sam Bowne
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmt
madunix
 
Mergers and Acquisition Security - Areas of Interest
Mergers and Acquisition Security - Areas of InterestMergers and Acquisition Security - Areas of Interest
Mergers and Acquisition Security - Areas of Interest
Matthew Rosenquist
 
FRSecure Sales Deck
FRSecure Sales DeckFRSecure Sales Deck
FRSecure Sales Deck
Evan Francen
 
CNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy DevelopmentCNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy Development
Sam Bowne
 
Introduction to Cybersecurity.pdf
Introduction to Cybersecurity.pdfIntroduction to Cybersecurity.pdf
Introduction to Cybersecurity.pdf
ssuserf98dd4
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
Kumawat Dharmpal
 
01Introduction to Information Security.ppt
01Introduction to Information Security.ppt01Introduction to Information Security.ppt
01Introduction to Information Security.ppt
it160320737038
 
RISK IDENTIFICATION 18 Aug.pptx
RISK IDENTIFICATION 18 Aug.pptxRISK IDENTIFICATION 18 Aug.pptx
RISK IDENTIFICATION 18 Aug.pptx
Sameera Amjad
 
crisc_wk_5.pptx
crisc_wk_5.pptxcrisc_wk_5.pptx
crisc_wk_5.pptx
dotco
 
bh-win-04-conacher.ppt
bh-win-04-conacher.pptbh-win-04-conacher.ppt
bh-win-04-conacher.ppt
Rakesh Kumar
 
L1_Introduction.pptx
L1_Introduction.pptxL1_Introduction.pptx
L1_Introduction.pptx
StevenTharp2
 
Introduction to information security - by Ivan Nganda
Introduction to information security - by Ivan NgandaIntroduction to information security - by Ivan Nganda
Introduction to information security - by Ivan Nganda
See You Rise Holdings
 
CISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsCISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security Concepts
Karthikeyan Dhayalan
 
Information Security
Information SecurityInformation Security
Information Security
Dhilsath Fathima
 
Internal Controls Over Information Systems
Internal Controls Over Information Systems Internal Controls Over Information Systems
Internal Controls Over Information Systems
Jeffrey Paulette
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
MIND CTI
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Weitere ähnliche Inhalte

Ähnlich wie Intro.ppt

1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmt
madunix
 
Mergers and Acquisition Security - Areas of Interest
Mergers and Acquisition Security - Areas of InterestMergers and Acquisition Security - Areas of Interest
Mergers and Acquisition Security - Areas of Interest
Matthew Rosenquist
 

Ähnlich wie Intro.ppt (20)

1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
CNIT 125: Ch 2. Security and Risk Management (Part 1)
CNIT 125: Ch 2. Security and Risk Management (Part 1)CNIT 125: Ch 2. Security and Risk Management (Part 1)
CNIT 125: Ch 2. Security and Risk Management (Part 1)
 
Cybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect MatchCybersecurity Frameworks and You: The Perfect Match
Cybersecurity Frameworks and You: The Perfect Match
 
Managing IT Risk and Assessing Vulnerability
Managing IT Risk and Assessing VulnerabilityManaging IT Risk and Assessing Vulnerability
Managing IT Risk and Assessing Vulnerability
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmt
 
Mergers and Acquisition Security - Areas of Interest
Mergers and Acquisition Security - Areas of InterestMergers and Acquisition Security - Areas of Interest
Mergers and Acquisition Security - Areas of Interest
 
FRSecure Sales Deck
FRSecure Sales DeckFRSecure Sales Deck
FRSecure Sales Deck
 
CNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy DevelopmentCNIT 160: Ch 2b: Security Strategy Development
CNIT 160: Ch 2b: Security Strategy Development
 
Introduction to Cybersecurity.pdf
Introduction to Cybersecurity.pdfIntroduction to Cybersecurity.pdf
Introduction to Cybersecurity.pdf
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
01Introduction to Information Security.ppt
01Introduction to Information Security.ppt01Introduction to Information Security.ppt
01Introduction to Information Security.ppt
 
RISK IDENTIFICATION 18 Aug.pptx
RISK IDENTIFICATION 18 Aug.pptxRISK IDENTIFICATION 18 Aug.pptx
RISK IDENTIFICATION 18 Aug.pptx
 
crisc_wk_5.pptx
crisc_wk_5.pptxcrisc_wk_5.pptx
crisc_wk_5.pptx
 
bh-win-04-conacher.ppt
bh-win-04-conacher.pptbh-win-04-conacher.ppt
bh-win-04-conacher.ppt
 
L1_Introduction.pptx
L1_Introduction.pptxL1_Introduction.pptx
L1_Introduction.pptx
 
Introduction to information security - by Ivan Nganda
Introduction to information security - by Ivan NgandaIntroduction to information security - by Ivan Nganda
Introduction to information security - by Ivan Nganda
 
CISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security ConceptsCISSP - Chapter 1 - Security Concepts
CISSP - Chapter 1 - Security Concepts
 
Information Security
Information SecurityInformation Security
Information Security
 
Internal Controls Over Information Systems
Internal Controls Over Information Systems Internal Controls Over Information Systems
Internal Controls Over Information Systems
 

Kürzlich hochgeladen

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
Overkill Security
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Kürzlich hochgeladen (20)

MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 

Intro.ppt

  • 1. CS 620 Introduction to Information Security Dr. Karen Forcht Department of Computer Science James Madison University
  • 2. Part I (Overview, Access, Control, Cryptography, Risk Analysis) Part II (Business Continuity Planning, Data Classification, Security Awareness, Computer and System Security)
  • 3. Part III (Telecommunications Security, Organization Architecture, Legal Regulatory Investigation) Part IV (Investigation, Application program Security, Physical Security, Operations Security)
  • 4. Part V (Information Ethics, Policy Development)
  • 5. Computer Security Act of 1987 Requires: • Sensitive systems and data must be identified • Plans for ensuring security and control of such systems must be created • Personnel training programs must be developed and in place
  • 6. Development of Security Program • Objectives • Policies • Connectivity, Corporate Structure, and Security • Plans • Responsibilities
  • 7. Security Policy Goals • Avoidance • Deterrence • Detection • Correction
  • 8. Risk Analysis • Identify sensitivity of data • Determine value of systems and information • Assess threats and vulnerabilities (sabotage, environment, errors)
  • 9. Purposes of Risk Analysis • No significant intentional or accidental threat is overlooked • Assure that cost-benefit analysis is reasonable
  • 10. Contingency Plan • Purpose: Protect, detect, recover • Criticality: Formulated, communicated to ALL employees, tested regularly
  • 11. Legal Issues • Licenses • Fraud/Misuse • Privacy • Copyright • Trade Secrets • Employee Agreements
  • 12. Access Control Collection of mechanisms to restrain or prohibit use of information and systems Includes: Functions, implementation, good practices, environmental constraints
  • 13. Considerations • Ownership of Data • Custodian of Data • Accountability • Reconciliation • Rule of Least Privilege
  • 14. User Authentication and Password Management • Access Control • Knowledge-Based Authentication • Token-Based Authentication • Characteristic-Based Authentication • Password Management
  • 15. Access Control • Policies • Procedures • Standards • Control
  • 16. Cryptography Definition: Use of secret codes to provide integrity/confidentiality of information during transfer and storage Considerations: -Complexity -Secrecy - Characteristics of key
  • 18. Key Management • Public vs. Private • Selecting Key • Management of the Keys • Protection of Keys • Testing of Keys • Updating Keys • Error Detection
  • 19. Risk Management Includes ideas, models, methods, techniques to control risk Includes: -Assessment -Reduction -Protective measures -Risk Acceptance -Insurance
  • 20. Considerations of Risk Assessment • Annual Loss Expectancy(ALE) • Asset Valuation/Inventory • Types of Attacks/Threats • Availability of Resources/Denial of Service • Detection • Exposure • Passive Threats • Perils • Prevention • Analysis/Assessment/Management of Risk • Data Valuation
  • 21. Classification of People/Assets Should Include: -People -Procedures -Data/Information -Software -Hardware
  • 22. Threat and Exposure Assessment • Density/Volume of Information • Accessibility of Systems • Complexity • Electronic Vulnerability • Media Vulnerability • Human Factors
  • 23. Safeguards and Counter Measures • Prevent Exposures • Detect Attempted Threats • Correct the Causes of Threats
  • 24. Business Continuity Planning (1) • Planning and Analysis Methods • Rates of Occurrence of Disabling Events • Availability and Use of Planning Tools/Aids • Identification of Business Success factors(BSF) and Critical capabilities(Critical or Key Success Factors (CSF/KSF)
  • 25. Business Continuity Planning (2) • Alternative Sources of Supply • Legal and Regulatory Requirements
  • 26. Backups and Procedures • Importance for Recovery • Data Value • Manuals and Documentation • Back Up Frequency • On-Line Systems • Equipment
  • 28. Off-site Backups and Storage Two Control Points: 1. When backup material is being transferred to/from the site 2. When backup material is stored at the site (also consider in-house storage)
  • 29. Data Classification • Elements and Objectives of a Classification Scheme • Criteria used to Classify Data • Procedures to be Used • Differences Between Government and Commercial Programs • Limitations • Program Implementation
  • 30. To Be Included: • Distinguish Between Classification and Sensitivity • Classified vs. Sensitive • Data Elements • Handling of Data • Identify Criteria • Classification Schemes • Rule of Users Managers • Effect of Data Aggregation on Classification • Techniques for Avoiding Disclosure
  • 31. Security Awareness Include: • Corporate Policies, Procedures, Intentions • Areas Where Remedial Actions are Needed • Assessment of Threats and Vulnerabilities • Technology Trends • Behaviors to be Encouraged • User Motives • Applicable Laws and Regulation • Available/Applicable Communication Channels/Media
  • 32. Administrative/Organizational Controls • Policies • Awareness • Employee Non-Disclosure Considerations • Employee Training • Telecommuting Considerations • Effects of Technological Changes/Updates
  • 33. Personnel Considerations • Human Motives for Criminal Action • Employee Selection • Professional Certificates • Working Environment • Technological Updates (Effect on Users) • Employee Separation
  • 34. Computer and System Security Professionals Should Understand: • Computer Organizations, Architectures, Designs • Source and Origin of Security Requirements • Advantages/Disadvantages of Various Architectures • Security Features/Functions of Various Components • Choices to be Considered When Selecting Components
  • 35. Common Flaws and Penetration Methods • Operating Systems Flaws • Penetration Techniques(Trojan Horses, Virus, Salami Attack, Deception)
  • 36. Viruses • Design • Protection • Recovery • Prevention • Counter Measures
  • 37. Telecommunications Security • Objectives • hazards and Exposures • Effects of Topology, Media, Protocols, Switching • Hazards and Classes of Attack • Defenses and Protective Measures
  • 38. Methods • Aborted Connection • Active Wiretapping • Between - The - Lines Entry • Call Back • Emanations • Covert Channel • Cross-Talk • Eavesdropping • Electronic Funds Transfer(EFT) • Handshaking
  • 39. Considerations • Transmission Technologies • Bandwidth • Connectivity Potential • Geographical Scope • Noise Immunity • Security • Applications • Relative Cost
  • 40. System Security Officer • Organizational Knowledge (Structural and Behavioral) • Technical Knowledge • Accounting/Audit Concepts • Personnel Administration Matters • Laws/Legislation • Strategic/Tactical Planning • Labor/Negotiation/Strategies/Tactics
  • 41. Computer Security Incidence Response • Goals • Constituency • Structure • Management Support/Funding • Charter • Handbook of Operations • Staffing
  • 42. Legal/Regulatory • Federal Laws/Regulations • State Laws/Regulations • International Issues • Organizational/Agency Considerations • Personal Behavior • Remedies to Constituents • Civil vs. Criminal Law • Pending Legislation
  • 43. Computer Crime • Fraud • Embezzlement • Unauthorized Access • “White Collar” Crime • Theft of Hardware/Copying Software • Physical Abuse • Misuse of Information • Privacy/Confidentiality Violations • Intellectual Property • Negligence • License Agreements
  • 44. Investigation • Legal Requirements for Maintaining a Trail of Evidence • Interrogation Techniques • Legal Limits on Interrogation Methods Permitted
  • 45. Application Program Security • Distribution of Controls Between Application and System • Controls Specific to Key, Common, or Industry Applications • Criteria for Selection and Application • Tests for Adequacy • Standards for Good Practice
  • 46. Software Controls • Development • Maintenance • Assurance • Specification and Verification • Database Security Controls • Accounting/Auditing
  • 47. Physical Security • Site/Building Location • External characteristics/Appearance • Location of Computer Centers • Construction Standards • Electrical Power(UPS) • Water/Fire Considerations • Traffic/Access Control • Air Conditioning/Exhaust • Entrances/Exits • Furnishings • Storage of Media/Supplies
  • 48. Operations Security • Resources to be Protected • Privileges to be Restricted • Available Control Mechanisms • Potential for Abuse of Access • Appropriateness of Controls • Acceptable Norms of Good Practice
  • 49. Information Ethics Doing the Right Thing!! • Privacy/Confidentiality • Common Good • Professional Societies • Professional Certifications
  • 50. Policy Development Considerations: • Have Longevity • Be Jargon Free • Be Independent of Jobs, Titles, or Positions • Set Objectives • Fix Responsibility • Provide Resources • Allocate Staff • Be Implemented Using Standards and Guidelines
  • 51. That’s All Folks (and not a minute too soon!!) I’m Looking Forward to working With You!!!!