Information security focuses on protecting the information a business depends on to carry out its strategy. Confidentiality, integrity and availability are the three basic objectives of information security.
For more such innovative content on management studies, join WeSchool PGDM-DLP Program: http://bit.ly/ZEcPAc
2. Information Security
IT Security, Control, Audit & Governance
"Information is power" is an old adage in the IT sector.
In today's world information is increasingly viewed as
an asset that has real value and must be protected.
Accumulating information was once done mainly for
statutory purposes. Today sophisticated data
warehouses hold what may be considered a
"gold mine" of knowledge, and data mining tools are
available to extract the right information at the
right time.
3. Information Security
Objectives of IT Security Management
The purpose of IT Security Management is to
ensure:
•Confidentiality: restricting access to the right
people for the right purpose
•Integrity: correctness and validity of information
stored or processed, i.e. protection against
unauthorized or accidental modification
•Availability: ensuring information is available to
authorized persons when they need it
4. Information Security
In almost every large enterprise, the
physical and IT security departments
operate independently of each other.
They are generally unaware of the
strengths and weaknesses of one
another's practices, the liabilities of
operating independently, and the benefits
of integrated security management.
5. Information Security
Physical Security and IT Security
Physical security focuses on the protection of physical
assets, personnel and facility structures. This involves
managing the flow of individuals and assets into, out
of, and within a facility. IT security focuses on the
protection of information resources, primarily
computer and telephone systems and their data
networks. This involves managing the flow of
information into, out of, and within a facility's IT
systems, including human access to information
systems and their networks. Clearly these two are
separate domains. Why should they be integrated?
6. Information Security
Physical Security and IT Security: a Management Issue
The question above accurately reflects the thoughts of most
security practitioners as they approach this subject. How is the
question misleading? To lean on a common idiom, it focuses
on the trees rather than the forest.
It is the management of physical and IT security that must
be integrated. No one is going to integrate a brick wall and a
database. However, the management of who is allowed inside
the wall and inside the database must be integrated, or there
will be gaps in the organization's security. Figure 1 below
illustrates the concept of integrated security management.
Whenever you hear or read the phrase “integration of physical
and IT security,” think “integration of physical and IT security
management” and you'll be on the right track.
8. Information Security
While it is true that many of the physical and IT
security processes and procedures must be integrated
at the technology level, it is not the technology that
defines the integration. The business processes and
procedures define it; the technology implements it.
That's why the first step in integrating physical and
IT security is an examination of security-related
business requirements and the physical and IT
security processes that support them. The integration
of the business processes then determines where
integration of physical and IT security technology is
required.
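As an added example of what integrated management of physical and IT access makes possible (this is not code from the original slides), the script below cross-checks a day of badge-reader events against database login records. All of the data is constructed for illustration, and the record layout, the "office"/"vpn" network tags and the two rules are assumptions. A login from the office network by someone who never badged in, or a VPN login by someone the badge system says is inside, is exactly the kind of gap that opens up when the two systems are managed separately.

```python
"""Cross-check badge-reader events against database logins.

Added example, not from the original slides. The slides argue that who is
allowed inside the wall and who is allowed inside the database must be
managed together; one practical consequence is that the two access records
can be checked against each other. All data below is constructed, and the
record layout (timestamp, user, IN/OUT or network tag) is an assumption.
"""
from datetime import datetime

# Constructed badge events: who entered (IN) or left (OUT) the facility and when.
BADGE_EVENTS = """\
2024-03-04T08:02:10 alice IN
2024-03-04T08:15:44 bob IN
2024-03-04T12:30:05 alice OUT
2024-03-04T17:45:00 bob OUT
"""

# Constructed database logins, tagged with the network the session came from:
# "office" = a workstation on the facility LAN, "vpn" = remote access.
DB_LOGINS = """\
2024-03-04T08:10:00 alice office
2024-03-04T09:20:33 carol office
2024-03-04T13:05:12 alice office
2024-03-04T16:00:00 bob vpn
"""


def parse_badge_intervals(text: str) -> dict[str, list[list]]:
    """Turn IN/OUT events into per-user presence intervals [start, end].

    end is None while the person is still inside. Events are sorted by time
    first so that out-of-order log lines still pair up correctly."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, direction = line.split()
            events.append((datetime.fromisoformat(ts), user, direction))
    events.sort()
    intervals: dict[str, list[list]] = {}
    for t, user, direction in events:
        user_intervals = intervals.setdefault(user, [])
        if direction == "IN":
            user_intervals.append([t, None])
        elif direction == "OUT" and user_intervals and user_intervals[-1][1] is None:
            user_intervals[-1][1] = t
        # an OUT without a matching IN is ignored here; in practice it is itself a finding
    return intervals


def badged_in(intervals: dict[str, list[list]], user: str, t: datetime) -> bool:
    """True if the badge system shows `user` inside the facility at time t."""
    for start, end in intervals.get(user, []):
        if start <= t and (end is None or t <= end):
            return True
    return False


def find_gaps(badge_text: str, login_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, user, reason) for every login that contradicts the badge data."""
    intervals = parse_badge_intervals(badge_text)
    findings = []
    for line in login_text.splitlines():
        if not line.strip():
            continue
        ts, user, network = line.split()
        inside = badged_in(intervals, user, datetime.fromisoformat(ts))
        if network == "office" and not inside:
            # someone is using a LAN workstation but never badged in: tailgating,
            # a borrowed badge, or a shared database credential
            findings.append((ts, user, "office-network login with no matching badge-in"))
        elif network == "vpn" and inside:
            # remote session from someone the badge system says is in the building
            findings.append((ts, user, "VPN login while badged inside the facility"))
    return findings


if __name__ == "__main__":
    for ts, user, reason in find_gaps(BADGE_EVENTS, DB_LOGINS):
        print(f"{ts} {user}: {reason}")
```

On the constructed data this reports carol (no badge record at all), alice's afternoon login (she badged out at 12:30) and bob's VPN session while he is inside the building. The rules only work because the two logs share a user identifier and a synchronized clock, which is itself a management decision that neither department can take alone.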
10. Information Security
Type of control        Examples
Physical               Doors and locks, security gates, raised floors, double doors, UPS systems
IT related             Passwords, directory services, firewalls, antivirus, application servers, hot standby servers, backup of software
Document related       Correct labeling, version control, copies of key documents
Application specific   Data validation so that only correct data is accepted: length, range and code checks; process-related checks; output controls
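The application-specific row above lists the controls by name only. The script below, an added example and not code from the original slides, shows each of them on a constructed payment record: length and range checks on fields, a code check against an allowed list and a mod-10 check digit, a process-related batch control total, and an output control that masks account numbers on reports. The record layout, the field limits and the batch header format are assumptions made for the example.

```python
"""Application-specific controls on a payment record batch.

Added example, not from the original slides. The record layout (account,
amount, currency, description), the field limits, the use of a mod-10
(Luhn) check digit on account numbers and the batch header are assumptions
chosen to illustrate the control types named in the slide.
"""
import re

ALLOWED_CURRENCIES = {"INR", "USD", "EUR"}   # assumed code list
MAX_AMOUNT = 100_000.00                       # assumed range limit
MAX_DESCRIPTION = 40                          # assumed length limit

# Constructed batch: header states what the sender thinks it sent.
SAMPLE_HEADER = {"count": 3, "total": 1750.50}
SAMPLE_RECORDS = [
    {"account": "1234567897", "amount": 1500.00, "currency": "INR", "description": "Vendor payment"},
    {"account": "1234567890", "amount": 250.50, "currency": "INR", "description": "Refund"},
    {"account": "12345", "amount": -40.0, "currency": "XYZ", "description": "x" * 60},
]


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check digit test, used here as the code check on account numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_record(rec: dict) -> list[str]:
    """Return the list of control failures; an empty list means the record is accepted."""
    errors = []
    account = str(rec.get("account", ""))
    if not re.fullmatch(r"\d{10}", account):            # length check: exactly 10 digits
        errors.append("account: must be exactly 10 digits")
    elif not luhn_ok(account):                           # code check: check digit
        errors.append("account: check digit failed")
    amount = rec.get("amount")
    if not isinstance(amount, (int, float)) or not (0 < amount <= MAX_AMOUNT):   # range check
        errors.append(f"amount: must be > 0 and <= {MAX_AMOUNT}")
    if rec.get("currency") not in ALLOWED_CURRENCIES:    # code check: allowed list
        errors.append("currency: not an accepted code")
    desc = rec.get("description", "")
    if not isinstance(desc, str) or len(desc) > MAX_DESCRIPTION:                 # length check
        errors.append(f"description: longer than {MAX_DESCRIPTION} characters")
    return errors


def validate_batch(header: dict, records: list[dict]) -> list[str]:
    """Process-related check: header record count and control total must match
    what was actually received, so dropped or injected records are caught."""
    errors = []
    if header.get("count") != len(records):
        errors.append(f"batch: header count {header.get('count')} != {len(records)} records")
    total = round(sum(r["amount"] for r in records
                      if isinstance(r.get("amount"), (int, float))), 2)
    if round(header.get("total", 0), 2) != total:
        errors.append(f"batch: header total {header.get('total')} != computed {total}")
    return errors


def mask_account(account: str) -> str:
    """Output control: reports never show more than the last four digits."""
    return "*" * (len(account) - 4) + account[-4:]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(mask_account(rec["account"]), validate_record(rec) or "accepted")
    print(validate_batch(SAMPLE_HEADER, SAMPLE_RECORDS) or "batch accepted")
```

The first record passes every check, the second is a ten-digit number whose check digit does not verify (a typical keying error), and the third fails all four field checks at once. The batch total does not match the header, so even if every record were individually valid the batch would still be held, which is the point of a process-related control.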
11. Information Security Standards
BS 7799 Standard
IT security is therefore not merely a matter of
putting appropriate control measures in place.
It requires a process approach in which information
security has:
•A defined organizational policy
•Backed by management commitment
•Necessary resources and defined procedures
•Appropriate control objectives
•Suitable control measures
•Recording and review of incidents
•Continuous improvement of the security process
12. Information Security Standards
BS 7799 Standard
BS 7799 is a British standard which addresses
precisely this aspect (it has since been superseded by
the ISO/IEC 27000 series; its Part 2 became ISO/IEC 27001).
It provides a comprehensive framework within
which an organization can set up an effective
Information Security Management System (ISMS).
More specifically, some of the control objectives it
describes include the following:
•Management of the ISMS
•Physical security
•Information processing
•Access to information by IT employees and outsourced vendors
•Access from remote locations
13. Information Security Standards
BS 7799 Standard
To implement the BS 7799 standard an organization
must take the following steps.
•Define an information security policy
•The organization and its management must demonstrate
their commitment to information security. There must be
formal reviews of security incidents
•Risk assessment. The organization must conduct a risk
assessment. This will help to identify the more
important sources of risk. For each it would select from
the following strategies:
risk avoidance, mitigation, insurance or transfer,
assumption of risk
14. Information Security Standards
BS 7799 Standard
•Based on the strategy decided for each risk and asset
combination, it will select appropriate controls to
manage the risk.
•For instance, to prevent unauthorized entry it may
provide smart card or biometric entry
•The organization will also have identified detailed
procedures for implementing and monitoring the various
controls, defined roles, and dos and don'ts for all
employees
•Finally, the process needs to be sustained and
continuously evaluated
15. Information Security Standards
Business Continuity Planning (BCP)
Availability is one of the key elements of
information security. Failures in IT, for example
incidents like a power failure or a virus attack, can be
disastrous.
Organizations such as a stock exchange
or a bank work from a central data center. The BCP
outlines:
The objective of the plan in the event of a disaster
The resources
Priorities assigned for business continuity
Procedures to follow in the event of a disaster
Communication to outsiders
16. Information Security Standards
Business Continuity Planning (BCP)
The BCP ensures that certain critical business
functions continue despite a disaster.
The BCP can also be viewed in terms of three stages:
•Pre-disaster
•During the disaster
•Post-disaster
Thus each procedure should cover these three
stages.
Disaster Recovery is the set of plans that enable an
organization to return to normal operation.
17. Information Security Standards
Business Continuity Planning (BCP)
Disaster Recovery
The time frame within which the recovery must
happen is a matter of practicality and organizational
policy. Solutions used for BCP:
Failure                        Solution
Hard disk crash                RAID arrays, mirrored disks, SAN/NAS solutions
Complete data center crippled  Hot remote site, e.g. NSE has a hot site at Pune which takes over if the Mumbai center fails
Telecom/ISP crash              Leased lines from more than one ISP
18. Information Security Standards
Business Continuity Planning (BCP)
The choice of solution depends upon the
perceived impact of the disaster on business
continuity.
Most of the time, what BCP/DR misses out on is
mock drills.
These are best done through simulation, generating
disaster conditions so that people are trained to
understand their individual roles at the time of a
disaster and the specific actions to be taken.