ISYS 0575-01 Information Security Management
Introduction to Information Security Management
ISYS 0575
Agenda ● Introductions ● Syllabus review ● Class format ● Intro to Information Security
Scott Eigenhuis ● Will respond to
○ Mr. Eigenhuis ○ Professor Eigenhuis ○ Professor Scott
● [email protected] ● Office
○ BUS 309 ○ Monday 5:30 to 6:30
Career Path
Liberty University - BS in Journalism, minor in Linguistics
University of San Francisco - Masters in Information Systems
E du
ca tio
n W
or k
...
Class Format ● Lecture / Discussion / Demonstrations
○ Credit for participation
● Quiz at end of class ○ Requires computer ○ Graded ○ Includes reading and lecture
● Two in class essays (TBD) ● One group project (TBD)
What I do Information Security Officer
Manage the Information Security and Privacy team and programs for my company
Work with auditors, engineers, privacy, and legal to evaluate and manage security and privacy risk. Implement, operate and monitor security controls. Detect and respond to security incidents.
Remaining a viable business requires that we protect our intellectual property, customer and employee data.
What? How? Why?
The Security Triad
Confidentiality Integrity
Availability
Different Aspects of Security Information Security deals with information, regardless of its format—it encompasses paper documents, digital and intellectual property in people’s minds, and verbal or visual communications.
Cybersecurity is concerned with protecting digital assets—everything from networks to hardware and information that is processed, stored or transported by internetworked information systems.
Privacy is additionally concerned with the data subject's right to control information. Notice, choice and consent, data subject access. The Creepiness Factor. Often has legal focus.
Security Compliance evaluates a company's stance against requirements.
Relationship of Security Domains
Information Security
Application Security
Critical Infrastructure Protection
Network Security
Internet Security
Cybersecurity
Cybercrime Cybersafety
Source: ISO/IEC 27032:2012
Security Jobs
CISO Compliance Analyst Application Security
Engineer
Information Security Architect
Network Security Engineer
Incident Responder
Security Analyst Penetration Tester Auditor
Privacy Officer / Analyst
Forensics Specialist Cryptographer /
Cryptanalyst
CSO Sales Engineer Security Researcher
Skills Gap in Information Security
Source: ISACA 2018 State of Cybersecurity Study
Situational Awareness
stakeholders
controls
vulnerabilities
assetsthreats
threat agents risk
value wish to minimize
impose
to reduce
that may be reduced by
that may possess
leading to
that increase to
wish to abuse and/or may damage
may be aware of
give rise to
that exploit
Source: ISO/IEC 27032:2012
Information Security Governance ● Governance is the responsibility of board and senior management
○ Strategic Direction ○ Ensure objectives are achieved ○ Risk management ○ Use of resources
● Risk management is conducted throughout the organization through assessment and implementation of controls
● Compliance is demonstration of the adherence to mandated laws and regulations
Protecting the Digital Assets Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. Protect – Develop and implement appropriate safeguards to ensure delivery of critical services. Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.
Source: NIST Cybersecurity Framework 1.1
Information Security Objectives Confidentiality the protection of information from unauthorized disclosure.
Integrity the protection of information from unauthorized modification.
Availability the timely and reliable access to and use of information and systems.
Nonrepudiation ensures that a message or information is genuine.
CIA model and related impacts Requirement Impact and Consequence Methods of Controls
Confidentiality ● Disclosure of information protected by law
● Loss of public confidence ● Loss of competitive
advantage
● Access controls ● File permissions ● Encryption
Integrity ● Inaccuracy ● Erroneous decisions ● Fraud ● Loss of compliance
● Access controls ● Logging ● Hashes ● Backups
Availability ● Loss of productive time ● Loss of compliance ● Fines from regulators
● Highly available systems ● Business continuity and
disaster recovery
Information Security Roles
Board of Directors
Executive Management
Senior Information Security Management
Information Security Practitioners