ISYS 0575-01 Information Security Management

profileEva Chan
IntroductiontoInformationSecurity.pdf

Introduction to Information Security Management

ISYS 0575

Agenda ● Introductions ● Syllabus review ● Class format ● Intro to Information Security

Scott Eigenhuis ● Will respond to

○ Mr. Eigenhuis ○ Professor Eigenhuis ○ Professor Scott

[email protected] ● Office

○ BUS 309 ○ Monday 5:30 to 6:30

Career Path

Liberty University - BS in Journalism, minor in Linguistics

University of San Francisco - Masters in Information Systems

E du

ca tio

n W

or k

...

Class Format ● Lecture / Discussion / Demonstrations

○ Credit for participation

● Quiz at end of class ○ Requires computer ○ Graded ○ Includes reading and lecture

● Two in class essays (TBD) ● One group project (TBD)

What I do Information Security Officer

Manage the Information Security and Privacy team and programs for my company

Work with auditors, engineers, privacy, and legal to evaluate and manage security and privacy risk. Implement, operate and monitor security controls. Detect and respond to security incidents.

Remaining a viable business requires that we protect our intellectual property, customer and employee data.

What? How? Why?

The Security Triad

Confidentiality Integrity

Availability

Different Aspects of Security Information Security deals with information, regardless of its format—it encompasses paper documents, digital and intellectual property in people’s minds, and verbal or visual communications.

Cybersecurity is concerned with protecting digital assets—everything from networks to hardware and information that is processed, stored or transported by internetworked information systems.

Privacy is additionally concerned with the data subject's right to control information. Notice, choice and consent, data subject access. The Creepiness Factor. Often has legal focus.

Security Compliance evaluates a company's stance against requirements.

Relationship of Security Domains

Information Security

Application Security

Critical Infrastructure Protection

Network Security

Internet Security

Cybersecurity

Cybercrime Cybersafety

Source: ISO/IEC 27032:2012

Security Jobs

CISO Compliance Analyst Application Security

Engineer

Information Security Architect

Network Security Engineer

Incident Responder

Security Analyst Penetration Tester Auditor

Privacy Officer / Analyst

Forensics Specialist Cryptographer /

Cryptanalyst

CSO Sales Engineer Security Researcher

Skills Gap in Information Security

Source: ISACA 2018 State of Cybersecurity Study

Situational Awareness

stakeholders

controls

vulnerabilities

assetsthreats

threat agents risk

value wish to minimize

impose

to reduce

that may be reduced by

that may possess

leading to

that increase to

wish to abuse and/or may damage

may be aware of

give rise to

that exploit

Source: ISO/IEC 27032:2012

Information Security Governance ● Governance is the responsibility of board and senior management

○ Strategic Direction ○ Ensure objectives are achieved ○ Risk management ○ Use of resources

● Risk management is conducted throughout the organization through assessment and implementation of controls

● Compliance is demonstration of the adherence to mandated laws and regulations

Protecting the Digital Assets Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. Protect – Develop and implement appropriate safeguards to ensure delivery of critical services. Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event. Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident. Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

Source: NIST Cybersecurity Framework 1.1

Information Security Objectives Confidentiality the protection of information from unauthorized disclosure.

Integrity the protection of information from unauthorized modification.

Availability the timely and reliable access to and use of information and systems.

Nonrepudiation ensures that a message or information is genuine.

CIA model and related impacts Requirement Impact and Consequence Methods of Controls

Confidentiality ● Disclosure of information protected by law

● Loss of public confidence ● Loss of competitive

advantage

● Access controls ● File permissions ● Encryption

Integrity ● Inaccuracy ● Erroneous decisions ● Fraud ● Loss of compliance

● Access controls ● Logging ● Hashes ● Backups

Availability ● Loss of productive time ● Loss of compliance ● Fines from regulators

● Highly available systems ● Business continuity and

disaster recovery

Information Security Roles

Board of Directors

Executive Management

Senior Information Security Management

Information Security Practitioners