2 pages apa style answer the question

profileJamVic
Chapter.pptx

Security Program and Policies Principles and Practices

by Sari Stern Greene

Chapter 3: Information Security Framework

1

Copyright 2014 Pearson Education, Inc.

2

Objectives

Recognize the importance of the CIA security model and describe the security objectives of confidentiality, integrity, and availability

Discuss why organizations choose to adopt a security framework

Recognize the values of NIST resources

Understand the intent of ISO/IEC 27000-series of information security standards

Outline the domains of an information security program

2

Copyright 2014 Pearson Education, Inc.

3

CIA

The CIA Triad or CIA security model

Stands for Confidentiality, Integrity, and Availability

An attack against either or several of the elements of the CIA triad is an attack against the Information Security of the organization

Protecting the CIA triad means protecting the assets of the company

3

Copyright 2014 Pearson Education, Inc.

4

What Is Confidentiality?

Not all data owned by the company should be made available to the public

Failing to protect data confidentiality can be disastrous for an organization:

Dissemination of Protected Health Information (PHI) between doctor and patient

Dissemination of Protected Financial Information (PFI) between bank and customer

Dissemination of business-critical information to rival company

4

Copyright 2014 Pearson Education, Inc.

5

What Is Confidentiality? Cont.

Only authorized users should gain access to information

Information must be protected when it is used, shared, transmitted, and stored

Information must be protected from unauthorized users both internally and externally

Information must be protected whether it is in digital or paper format

5

Copyright 2014 Pearson Education, Inc.

6

What Is Confidentiality? Cont.

The threats to confidentiality must be identified. They include:

Hackers and hacktivists

Shoulder surfing

Lack of shredding of paper documents

Malicious Code (Virus, worms, Trojans)

Unauthorized employee activity

Improper access control

6

Copyright 2014 Pearson Education, Inc.

7

What Is Integrity? Cont.

Protecting data, processes, or systems from intentional or accidental unauthorized modification

Data integrity

System integrity

A business that cannot trust the integrity of its data is a business that cannot operate

An attack against data integrity can mean the end of an organization’s capability to conduct business

7

Copyright 2014 Pearson Education, Inc.

8

What Is Integrity? Cont.

Threats to data integrity include:

Human error

Hackers

Unauthorized user activity

Improper access control

Malicious code

Interception and alteration of data during transmission

8

Copyright 2014 Pearson Education, Inc.

9

What Is Integrity? Cont.

Controls that can be deployed to protect data integrity include:

Access controls:

Encryption

Digital signatures

Process controls

Code testing

Monitoring controls

File integrity monitoring

Log analysis

Behavioral controls:

Separation of duties

Rotation of duties

End user security training

9

Copyright 2014 Pearson Education, Inc.

10

What Is Availability?

Availability: The assurance that the data and systems are accessible when needed by authorized users

What is the cost of the loss of data availability to the organization?

A risk assessment should be conducted to more efficiently protect data availability

10

Copyright 2014 Pearson Education, Inc.

11

What Is Availability? Cont.

Threats to data availability include:

Natural disaster

Hardware failures

Programming errors

Human errors

Distributed Denial of Service attacks

Loss of power

Malicious code

Temporary or permanent loss of key personnel

11

Copyright 2014 Pearson Education, Inc.

12

The Five A’s of Information Security

Accountability

Assurance

Authentication

Authorization

Accounting

12

Copyright 2014 Pearson Education, Inc.

13

TheFive A’s of Information Security Cont.

Accountability

All actions should be traceable to the person who committed them

Logs should be kept, archived, and secured

Intrusion detection systems should be deployed

Computer forensic techniques can be used retroactively

Accountability should be focused on both internal and external actions

13

Copyright 2014 Pearson Education, Inc.

14

The Five A’s of Information Security Cont.

Assurance

Security measures need to be designed and tested to ascertain that they are efficient and appropriate

The knowledge that these measures are indeed efficient is known as assurance

The activities related to assurance include:

Auditing and monitoring

Testing

Reporting

14

Copyright 2014 Pearson Education, Inc.

15

The Five A’s of Information Security Cont.

Authentication

Authentication is the cornerstone of most network security models

It is the positive identification of the person or system seeking access to secured information and/or system

Examples of authentication models:

User ID and password combination

Tokens

Biometric devices

15

Copyright 2014 Pearson Education, Inc.

16

The Five A’s of Information Security Cont.

Authorization

Act of granting users or systems actual access to information resources

Note that the level of access may change based on the user’s defined access level

Examples of access level include the following:

Read only

Read and write

Full

16

Copyright 2014 Pearson Education, Inc.

17

The Five A’s of Information Security Cont.

Accounting

Defined as the logging of access and usage of resources

Keeps track of who accesses what resource, when, and for how long

An example of use:

Internet café, where users are charged by the minute of use of the service

17

Who Is Responsible for CIA?

Information owner

An official with statutory or operational authority for specified information

Has the responsibility for ensuring information is protected from creation through destruction

Information custodian

Maintain the systems that store, process, and transmit the information

Copyright 2014 Pearson Education, Inc.

18

Information Security Framework

Two of the most widely used frameworks are:

Information Technology and Security Framework by NIST

Information Security Management System by ISO

Copyright 2014 Pearson Education, Inc.

19

NIST Functions

Founded in 1901

Nonregulatory federal agency

Its mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve quality of life

Published more than 300 information security-related documents including

Federal Information Processing Standards

Special Publication 800 series

ITL bulletins

Copyright 2014 Pearson Education, Inc.

20

ISO Functions

A network of national standards institutes of 146 countries

Nongovernmental organization that has developed more than 13,000 international standards

The ISO/IEC 27000 series represents information security standards published by ISO and Electro-techinical Commission (IEC)

Copyright 2014 Pearson Education, Inc.

21

ISO 27002:2013 Code of Practice

Comprehensive set of information security recommendations on best practices in information security

ISO 27002:2013 is organized in the following domains:

Information security policies (Section 5)

Organization of information security (Section 6)

Human Resources security (Section 7)

Asset management (Section 8)

Access control (Section 9)

Cryptography (Section 10)

Physical and environmental security (Section 11)

Copyright 2014 Pearson Education, Inc.

22

ISO 27002:2013 Code of Practice cont.

Operations security (Section 12)

Communications security (Section 13)

Information systems acquisition, development, and maintenance (Section 14)

Supplier relationships (Section 15)

Information security incident management (Section 16)

Business continuity (Section 17)

Compliance management (Section 18)

Copyright 2014 Pearson Education, Inc.

23

Copyright 2014 Pearson Education, Inc.

24

Summary

The CIA triad is the blueprint of what assets needs to be protected to protect the organization.

Protecting the organization’s information security can seem vague and too conceptual. Protecting the confidentiality, integrit, and availability of the data is a concrete way of saying the same thing.

Standards such as the ISO 27002 exist to help organizations better define appropriate ways to protect their information assets.

24