Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
The elements are
Integrity – maintaining accuracy
Availability – available when needed
Authenticity – ensure genuine data
Non-repudiation – two way transactions
The fundamental principles of any business operation are “people,” “processes,” and “technology.” Attention to all three are required to have significant and lasting change on how the organization operates.
Strong processes can often help to overcome potential vulnerabilities in a security product, while poor implementation can render good technologies ineffective.
Antivirus software is a good example of how people-process-technology all have roles in its effectiveness.
Conclusion:
Information security is the ongoing process of exercising due care and due diligence to protect information, and information systems, from unauthorized access, use, disclosure, destruction, modification, or disruption or distribution.
Circling back to the beginning of presentation – a focus on only technical security controls may leave you with a system that is not maintained (e.g., insufficient man-power, and/or training for people) and it is not very effective (e.g., poor processes and policies).
2. Introduction
• Information security is the practice of
defending information from unauthorized access,
use, disclosure, disruption, modification, perusal,
inspection, recording or destruction.
• The elements are
Integrity – maintaining accuracy
Availability – available when needed
Authenticity – ensure genuine data
Non-repudiation – two way transactions
3. People-Process-Technology
• The fundamental principles of any business
operation are “people,” “processes,” and
“technology.” Attention to all three are required to
have significant and lasting change on how the
organization operates.
• Strong processes can often help to overcome
potential vulnerabilities in a security product,
while poor implementation can render good
technologies ineffective.
• Antivirus software is a good example of how
people-process-technology all have roles in its
effectiveness.
6. Adopting International standards for IT security
• ISO27001 : Protect , preserve information
under confidentiality, integrity, availability.
• ISO22301 : Focuses both on the recovery
from disasters, but also on maintaining
access to and security of information.
Process in IT Security
8. Technology in IT Security
1. To improve productivity, efficiency, and process consistency.
2. Develop technical requirements for the submission of change
requests, evaluation, approval, and evidence retention.
3. Migrate proven change control procedures and forms into the
technology platform. Verify consistency with paper-based methods.
4. Implement technology to identify and track configuration of all
hardware's and software’s.
9. Cloud Access Security Brokers.
Adaptive Access Control.
Pervasive Sandboxing (Content Detonation) and IOC Confirmation.
Endpoint Detection and Response Solutions.
Big Data Security Analytics at the Heart of Next-generation Security
Platforms.
Machine-readable Threat Intelligence, Including Reputation Services.
Containment and Isolation as a Foundational Security Strategy.
Software-defined Security.
Interactive Application Security Testing.
Security Gateways, Brokers and Firewalls to Deal with the Internet of
Things.
10. “Information as Asset”
• Like any other corporate asset, an organization's information assets have
financial value. The value of asset increases in direct relationship to the
number of people who are able to make use of the information
• An information asset can be classified according to any criteria, not only by
its relative importance or frequency of use. For example, data can be
broken down according to topic, when it was created, where it was created
or which personnel or departments use it the most. A data
classification system can be implemented to make the organization's
information assets easy to find, share and maintain
• The major steps required for asset classification and controls are:
– A. Identification of the assets
– B. Accountability of assets
– C. Preparing a schema for information classification
– D. Implementing the classification schema
11. A. Identification of assets
• Information assets
• Software assets
• Physical assets
• Services
B. Accountability of assets
• Identifying owners
12. C. Preparing a schema for
classification
• Confidentiality – Confidential, Company Only, Shared,
Unclassified
• Value
• Time
• Access rights
• Destruction
D. Implementation of the
classification schema
• Uniform way of identifying the information
• Right amount of protection
13. Conclusion
• Information security is the ongoing process of
exercising due care and due diligence to protect
information, and information systems, from
unauthorized access, use, disclosure,
destruction, modification, or disruption or
distribution.
• Circling back to the beginning of presentation –
a focus on only technical security controls
may leave you with a system that is not
maintained (e.g., insufficient man-power,
and/or training for people) and it is not very
effective (e.g., poor processes and policies).