This presentation describes Information Security and the various aspects of information security in IT environment.

1. INTRODUCTION TO
INFORMATION SECURITY
By Avinash Balakrishnan
ENBLISS IT SERVICES PVT LTD

2. OBJECTIVES
 Define Basic security concepts
 Begin to Assess Security Risks
 Outline a security policy
 Locate Information Security Resources

3. BASIC SECURITY CONCEPTS
 Information Security – Perception
 Information Security – Reality
 CIA (Confidentiality, Data Integrity and Availability)
 PPP (Physical Security, Privacy and Marketplace Security)

4.  What is Information?
 What is Information Security?
 What is Risk?
 An Introduction to ISO for information Technology.

5. Information is an asset, which, like other important business assets, has
the value to an organization and consequently needs to be suitably
protected.
BS ISO 27002:2005

6. INFORMATION CAN BE:
 Created
 Stored
 Destroyed
 Processed
 Transmitted
 Used – ( for proper and improper processes)
 Corrupted
 Lost
 Stolen
 Printed or Written on paper
 Stored electronically
 Transmitted by post or using electronic means
 Shown on completed videos
 Displayed / Published on web
 Verbal – spoken in conversations
‘ … Whatever form information takes, or means by which it is shared, or stored, it should always be appropriately
protected’ (BS ISO 27002:2005)

7. WHAT IS INFORMATION
SECURITY
 The quality or state of being secure to be free from danger
 Security is achieved using several strategies
 Security is achieved using several strategies simultaneously or used in
combination with one another
 Security is recognized as essential to protect viral processes and
systems that provide those processes
 Security is not something you buy, it is something you do

8. WHAT IS INFORMATION
SECURITY
 The architecture where an integrated combination of appliances,
systems and solutions, software, alarms and vulnerability scans working
together.
 Monitored 24*7
 Having People, Process, Technology, Policies and procedures
 Security is for PPT and not for appliances or devices

9. PEOPLE, PROCESS AND TECHNOLOGY:

10. PEOPLE “ WHO WE ARE”
 People who use or interact with the Information include:
• Shareholders/owners
• Management
• Employees
• Business Partners
• Service providers
• Contractors
• Customers / Clients
• Regulators etc…

11. PROCESS : “WHAT WE DO”
 The processes or “work practices” or workflow. Processes are the
repeatable steps to accomplish business objectives. Typical process in
our IT Infrastructure could include:
• Helpdesk / Service Management
• Incident Reporting and Management
• Change Requests Process
• Request fulfillment
• Access Management
• Identity Management
• Service Level / Third party Services Management
• IT Procurement process etc..

12. TECHNOLOGY: “ WHAT WE USE TO
IMPROVE WHAT WE DO”
 Network Infrastructure:
• Cabling, Data/ Voice Networks and equipment
• Telecommunication Services (PABX), including VOIP Services, ISDN, Video
Conferencing
• Server computers and associated storage devices
• Operating software for server computers
• Communications equipment and related hardware
• Intranet and Internet connections
• VPNS and virtual environments
• Remote access services
• Wireless Connectivity

13. TECHNOLOGY: “ WHAT WE USE TO
IMPROVE WHAT WE DO”
 Application Software:
• Finance and assets systems, including accounting packages, Inventory
management, HR systems, Assessments, and reporting systems
• Software as a service (SaaS) – Instead of software as a packaged or custom-
made-product. Etc.
 Physical Security components:
• CCTV cameras
• Clock in systems/ Biometrics
• Environmental management systems: Humidity control, ventilation, Air
conditioning, Firecontrol Systems
• Electricity / Power backup
 Access Devices:
• Desktop computers
• Laptops, Ultra-mobile laptops and PDAs.
• Thin client computing.
• Digital cameras, Printers, Scanners, and photocopier etc.

14. INFORMATION SECURITY
 Protects information from a range of threats
 Ensures business continuity
 Minimizes financial loss
 Optimizes return on investments
 Increases business opportunities
Business Survival depends on Information Security

15. ISO 27002:2005 DEFINES INFORMATION
SECURITY AS THE PRESERVATION OF:
- Confidentiality
- Integrity
- Availability
Ensuring that information is
accessible to only those authorized
to have access
Safeguarding the accuracy and
completeness of information and
processing methods
Ensuring that authorized users have
access to information and
associated assets when required

16. WHAT IS RISK?
 Risk : A Possiblity that a threat exploits a vulnerability in an asset and
causes damage or loss to asset
 Threat: Something that can potentially cause damage to the
organization, IT systems or network
 Vulnerability: A weakness in the organization, IT systems, or network
that can be exploited by a threat.

17. ISO 27001 SECURITY

18. THREAT IDENTIFICATION
Elements of Threats
Agent: The catalyst that performs the threat.
Human
Machine
Nature
Motive: Something that causes the agent to act.
Accidental
Intentional
Only motivating factor that can be both accidental and intentional is human
Results: The outcome of applied threat. The results normally lead to the loss of
CIA
Confidentiality
Integrity
Availability

19. THREATS
• Employees
• External parties
• Low Awareness of security issues
• Growth in networking and distributed computing
• Growith in complexity and effectiveness hacking tools and viruses
• Natural disasters e.g., fire, flood, earthquake

20. ISO27001 SECURITY

21. ISO27001 SECURITY

22. CYBER THREAT HISTORY
 Early 1990
• DTI(UK) established a working group
• Information Security Management code of practice produced as BSI- DISC publication
 1995
• BS7799 published as UK Standard
 1999
• BS 7799-1:1999 second revision published
 2000
• BS 7799-1 accepted by ISO as ISO-17799 published
• BS 7799-2:2002 published

23. HISTORY
 ISO 27001:2005
Information Technology – Security Techniques – Information Security
management systems - Requirements
 ISO 27002:2005
Information technology – Security techniques – code of practice for
information security management

24. ISO 27001
ISO 27001: This International standard covers all types of organizations
(e.g., commercial enterprises, government agencies, non-profit
organizations). This
International standard specifies the requirements for establishing,
implementing, operating, monitoring, reviewing, maintaining and
improving documented ISMS within the context of the organization’s
overall business risks. It specifies requirements for the implementation of
the security controls customized to the needs of the individual
organizations or parts thereof.
The ISMS is designated to ensure the selection of adequate and
proportionate security controls that protect Information assests and give
confidence to interested parties.

25. FEATURES
Features of ISO 27001
• Plan, Do, Check, Act (PCDA) process model
• Process based approach
• Stress on continual process improvements
• Scope covers information security not only IT security
• Covers people, process and technology.
• 5600 plus organizations worldwide have been certified
• 11 Domains, 39 control objectives, 133 controls

26. PDCA

27. CONTROL CLAUSES

28. CONTROL CLAUSES
• Information Security policy- To provide management direction and
support for information security.
• Organization of information security – management framework for
implementation
• Assest management – To ensure security of valuable organizational IT
and its related assets
• Human Resources security – To reduce risks of human error, theft,
fraud or misuse of facilities.
• Physical & Enivironmental Security – To prevent unauthorized access,
theft, compromise, damage, information and information processing
facilities.

29.  Communications & Operations management – To ensure the correct
and secure operation of information processing facilities.
 Access Control – To control access to information and information
processing facilities on ‘ need to know’ and ‘need to do’ basis
 Information systems acquisition, Development & Maintenance – To
ensure security built into information systems
 Information security incident management – To ensure information
security events and weaknesses associated with information systems
are communicated.

30. CONTROL CLAUSES
 Business continuity management – To reduce disruptions caused by
disasters and security failures to an acceptable level.
 Compliance – To avoid breaches of any criminal and civil law, statutory,
regulatory or contractual obligations and of any security requirements.

31. IMPLEMETATION PROCESS CYCLE –
ISO 27001

32. BENEFITS
 At the organization level – commitment
 At the legal level – compliance
 At the operational level – Risk management
 At the commercial level – credibility and confidence
 At the financial level – Reduced costs
 At the human level – Improved employee awareness

33. USER RESPONSIBILITIES

34. USER RESPONSIBILITIES

35. USER RESPONSIBILITIES

36. USER RESPONSIBILITIES ISO:27001
Security Incidents
 Report security incidents ( IT and NON – IT) to Helpdesk through
• E-mail to info.sec@organization.com
• Telephone: xxxx-xxxx-xxxx
• Anonymous reporting through Drop boxes
e.g.:
IT Incidents: Mail spamming, Virus attack, Hacking etc.,
Non-IT incidents: Unsupervised visitor movement, Information leakage,
Bringing unauthorized media.
Do not discuss security incidents with any one outside organization
Do not attempt to interfere with, obstruct or prevent anyone from reporting
incidents.

37. USER RESPONSIBILITIES
 Ensure your desktops are having latest antivirus updates
 Ensure your system is locked when you are away
 Always store laptops / media in a lockable place
 Be alert while working on laptops during travel
 Ensure sensitive business information is under lock and key when
unattended
 Ensure backup of sensitive and critical information assets
 Understand compliance issues such as
• Cyber Law
• IPR, Copyrights, NDA
• Contractual obligations with customer
 Verify credentials, if the message is received from unknown sender
 Always keep switch off your computer before leaving for the day
 Keep yourself updated on information security aspects

38. BASIC SECURITY CONCEPTS
CIA
TRIADE
PPP
TRIADE
Integrity Availability
Confidentiality
Privacy
Physical
Security
Market
Place
• Confidentiality – Only individuals
can access data
• Integrity – data changes are
tracked and properly controlled
• Availability – Systems are
accessible for business needs

39. ASSESSING RISKS
ASSESSMENT CAN BE PERFORMED USING A
5-STEP PROCESS
 Check existing security policies and processes
 Analyze, prioritize and categorize resources
 Consider business concerns
 Evaluate existing security Controls
 Leverage existing management and control architecture.

40. ASSESSING RISKS
 Check existing security policies and processes
 Analyze, prioritize, and categorize resources by determining:
 Total cost of ownership, internal value, and external value.
- TCO refers to the total monetary and labor costs calculated over a specific
time period
- Internal value refers to the monetary assessment of the importance of a
particular asset to the internal working of a company
- External value refers to the money or another commodity that the asset
brings to the company from external sources.

41. ASSESSING RISK
 Consider the business concerns through the annualized loss
expectancy( ALE = SLE *ARO)
- Single loss expectancy (SLE) is equal to the asset’s value times the
exposure factor(EF)
• Asset value = TCO + internal value + external value
• EF is the percentage of asset loss that Is expected from a particular threat
- Annualized Rate of Occurance (ARO) is the estimated frequency with
which a particular threat may occur each year.

42.  Evaluate existing security controls to determine what controls are
deployed and effective
 Leverage existing management and control architecture to build a
persuasive business case for, against, implementing new security
controls.
ASSESSING RISK

43. SECURITY POLICY
 At a minimum, an organization’s security policy should cover the
following:
• Physical security
• Access Control
• Network Security
• System security
• Authorized security Tools
• Auditing procedures

44. BENEFITS OF A SECURITY POLICY
 A Security Policy has the following three important benefits:
 Communicates a common vision for security throughout a company
 Represents a single easy-to-use source of security requirements
 Exists as a flexible document that should be updated at less annually to
address new security threats

45. INPUTS FOR SECURITY POLICY
 Local Laws, regulations and business contracts
 Internal business goals, principles and guidelines
 Security measures deemed essential through risk assessment.

46. BUILDING A SECURITY POLICY
 An organization’s security policy should cover the following:
 Foreword: Purpose, Scope, Responsibilities, and Penalties for non-
compliance
 Physical Security: Controls to protect the people, equipment, facilites
and computer assets
 USER ID and rights management: Only authorized individuals have
access to the necessary systems and network devices

47. BUILDING A SECURITY POLICY
An organization’s security policy should cover the following:
• Network Security: Protect the network devices and data in transit
• System security: Necessary defenses to protect computer systems from
compromise
• Testing: Authorized security tools and testing
• Auditing: Procedures to periodically check security compliance

48. BUILDING A SECURITY POLICY
FOREWORD
• Purpose: Why is the policy being established?
• Scope: What people, systems, software, information and facilities are
covered?
• Responsibilties: Who is responsible for the various computing roles in a
company?
• Compliance: What are the penalties for noncompliance? Which
organization is responsible for auditing compliance?

49. BUILDING A SECURITY POLICY
PHYSICAL SECURITY
• Human threats: theft, vandalism, sabotage, and terrorism
• Building damage: fire, water damage, and toxic leaks
• Natural disasters: floods, hurricanes, and tornadoes
• Infrastructure disruption: loss of power, loss of HVAC, and downed
communication lines
• Equipment failure: computer system damage and network device failure

50. BUILDING A SECURITY POLICY
USER ID AND RIGHTS
Authentication:
• Authentication model
• Implementing technologies
• Implementation mechanism
Access controls – determine who gets what access to what
• Access control model
• Implementing mechanism

51. BUILDING A SECURITY POLICY
NETWORK SECURITY
• Specific timeframes for changing passwords on network devices
• Use of network protocols
• Firewalls of specific chokepoints in a network architecture
• Use of authentication servers to access network devices

52. BUILDING A SECURITY POLICY
SYSTEM SECURITY
• The systems section is used to outline the specific settings required to
secure a particular operating system or application
- For Example, for Windows NT 4.0, it may be a requirement that
every logical drive be installed with NTFS.
- For a particular UNIX flavor, shadow passwords may be required
to hide user IDS and passwords from general users.

53. BUILDING A SECURITY POLICY
TESTING AND AUDITING
• Specific requirements for vulnerability scanners, compliance checking
tools, and other security tools run within the environment
• Require auditing logs on specific devices, periodic self-audits
performed by the system administrators, and the use of security
compliance checking tools
• Specify corporate auditing requirements, frequencies and
organizations.

54. SECURITY RESOURCES AND
CERTIFICATIONS
• CISSP - Certified Information
Systems Security Professional.
• SSCP - Systems Security Certified Practitioner
• GIAC - Global Information Assurance Certification
• CISA - Certified Information Systems Auditor
• CIW - Certified Internet Web Professional

56. SUMMARY
• The CIA TRIAD categorizes aspect of information that must be protected
from attacks: confidentiality, integrity, and availability.
• The PPP TRIAD depicts security, privacy and market place perception as
three additional abstract concepts that should drive security efforts.

57. SUMMARY
• The first step in creating an effective security policy is to perform a risk assessment
within the environment. A risk assessment consists of five steps:
- Check for existing security policies and processes
- Analyze, prioritize and categorize resources
- Consider business concerns
- Evaluate existing security controls
- Leverage existing management and control architecture
• To estimate potential financial loss from security threats, the following formula
works well by accounting for the most important cost factors associated with
security: ALE = SLE * ARO
• A Security policy has three major benefits. IT:
- Communicates a common vision for security throughout a company
` - Represents a single easy-to-use source of security requirements
- Exists as a flexible document that should be updated at least annually to address
new security threats

58. SUMMARY
• An effective security policy includes security requirements in the following
areas:
- Physical security
- USERID rights and rights management
- Systems
- Network
- Security Tools
- Auditing
• There are a number of security related certifications to help security
professionals quantify their knowledge on a resume.
• Every security professional must stay current about the latest threats
through web resources, mailing lists, and printed materials.

59. THE END