Transcript INFORMATION SECURITY

Overview
Of
Information Security Management
By
BM RAO
Senior Technical Director
National Informatics Centre
Ministry of Communications and Information Technology
Government of India
Email : [email protected]
Phone No : 040 23494406
INFORMATION SECURITY
Generating information for the
organization involves various components,
processes and persons .
INFORMATION SECURITY
• Prime things for the organization information processes are
People
Data center
 Servers
 Storage devices
Software
 OS
 Application software
Network
INFORMATION SECURITY
• Information that can exist in many forms






Data stored on computers
Tr a n s m i t t e d A c r o s s N e t w o r k s
Print Outs
Wr i t t e n o n a P a p e r
Sent by Fax
Stored on Disks
INFORMATION SECURITY
• Information security is the protection against the
loss/damage of information and preservation
with
Confidentiality
Integrity
Availability
Information asset
• An information asset is a body of information,
defined and managed as a single unit so it can be
understood, shared, protected and exploited
effectively.
• Information assets have certain value.
Value of asset
• Each organization has its own asset valuation scale (e.g. ‘high’,
‘medium’, ‘low’ etc.)
• The value expresses the potential impact and damage to the business
from a loss of
- Confidentiality
- Integrity
- Availability
• Values associated with breach of legislation
Value of asset
• Dependent on loss/damage
- Financial loss
- Loss of sales/market share
- Service availability & disruption to operations
- Processing capability & productivity
- Damage to image and reputation
Vulnerabilities
Vulnerabilities are weaknesses associated organization’s
assets.
Vulnerabilities may be identified in following areas
 Processes and procedures
 Personnel
 Physical environment
 Information system configuration
 Hardware, software or communications equipment
 Dependence on external parties
Threats
• Threats are anything that could cause
damage/harm/loss to assets
• Threats can be accidental or deliberate
• Assets are subject to many kinds of threats
which exploit vulnerabilities associated with
them
Security Risk
• A security risk is the potential that a given threat
will exploit vulnerabilities to cause loos/damage
to asset.
• It is a function of the impact of the undesirable
event and the probability the event occurred.
INFORMATION SECURITY
Security
Vulnerabilities
Security
Confidentiality
Integrity
Threats
Availability
Security
Security
Safeguarding the
accuracy and
completeness of
information and
processing methods
Information
assets
Ensuring that
information is
accessible only to
those authorized to
have access
Security Risks
Ensuring that
authorized users have
access to information
and associated assets
when required
Threats & Vulnerabilities : Human Resources Security
Vulnerabilities
Threats
Unsupervised work
Theft
Insufficient security training
Operational support staff error
Poorly documented software
Operational support staff error
Lack of monitoring mechanism
Use of facilities in unauthorised way
Lack of policies for correct use of internet/ Use of facilities in unauthorised way
e-mail
Threats & Vulnerabilities : Physical Security
Vulnerabilities
Threats
Unprotected storage
Theft
Unstable power grid
Power fluctuation
Lack of physical protection of building
Theft
Susceptibility to voltage
Power fluctuation
Susceptibility to temperature variation
Temperature extremes
Location in flood susceptible area
Flooding
Risk Assessment
• Assessment of threats to, impacts on and
vulnerabilities of assets and the likelihood of their
occurrence
• It produces an estimate of the risk to an asset at a
given point in time.
Risk Assessment
Risk is function of asset value, Threat value and Vulnerability value
R=f(A,T,V)
R = Risk Value
T = Threat Value
A = Asset Value V = Vulnerability Value
Organization is free to chose the function ‘f’ as long as the out put
of Risk Assessment is relevant.
Sometimes threats and vulnerabilities are commonly called as Security
concern and assessed as single entry S(Sc/SI/SA)
Security control
• Measures to Prevent, Detect or Reduce the Risk
• Effective security generally requires combinations of
the following :
detection
Correction
deterrence
recovery
Prevention
monitoring
Limitation
awareness
Information Security Management
• Information security that can be achieved through
technical means is limited
• Security also depends on people, policies, processes
and procedures
• Resources are not unlimited
• It is not a once off exercise but an ongoing activity
Steps involved in establishing security management
system for the organization
• Listing of information assets and categorization
• Identifying vulnerabilities
• Identifying threats
• Valuate threats
• Valuate vulnerabilities
• Valuate production policies
• Determine threat loss
• Arrival risk factors
• Select controls
Security frame work
Security Policy
Organization of Information Security
Asset Management
Human
Resource
Security
Physical &
environmental
security
Communications
& operations
management
Access control
Info. Systems
Acquisition
development &
maintenance
Information Security Incident Management
Business Continuity Management
Compliance
How to Select Controls
• Baseline controls
⁻ Gap analysis
o Controls not or partially in place, but needed
⁻ Legal and business requirements
• Risk assessment controls
₋ Selected to reduce specific risks
₋ Aiming at identified security problems
o Threats, vulnerabilities, assets protection, insurance etc.
Selection of Control Objectives and Controls
• Review the risk and identify control options
• The selection of controls should be made to bring down the risk to
acceptable level
• The selection of controls should be cost effective
Implementing the controls
• A plan of implantation should be developed containing
‒ Priorities (input from risk assessment)
‒ Implementing schedule
‒ The budget needed
‒ Responsibilities
‒ Necessary training activities
Setting of objectives and controls Example
Physical and environmental security
Secure areas
Objective: To prevent unauthorized physical access, damage and interference to the organization’s premises
and information.
Physical security perimeter
Control
Security perimeters (barriers such as walls, card controlled entry gates or
manned reception desks) shall be used to protect areas that contain information
and information processing facilities.
Physical entry controls
Control
Secure areas shall be protected by appropriate entry controls to ensure that
only authorized personnel are allowed access.
Securing offices, room and
facilities
Control
Physical security for offices, room and facilities shall be designed and applied.
Setting of objectives and controls Example
Protecting against external
and environmental threats
Controls
Physical protection against damage from fire, flood, earthquake, explosion, civil
unrest and other forms of natural or natural or man-made disaster shall be
designed and applied.
Working in secure areas
Controls
Physical protection and guidelines for working in secure areas shall be designed
and applied.
Public access, delivery and
loading areas
Controls
Access points such as delivery and loading areas and other points where
unauthorized persons may enter the premises shall be controlled and , if
possible, isolated from information processing facilities to avoid unauthorized
access.
ISMS is
• That part of overall management system based
on a
business risk approach to
- Establish
- Implement
- Operate
- Monitor
- Review
- Maintain & Improve
ISMS Standards
- ISO/IEC 27001 : 2005
- A Specification ( Specifies requirements for implementing,
operating, monitoring, reviewing, maintaining & improving,
a documented ISMS)
- Specifies the requirements of implementing of Security
control, customised to the needs of individual organisation
of part thereof.
- Used as a basis for certification
- ISO/IEC 27002 : 2005 ( Originally ISO/IEC 17799 : 2005)
- A code of practice for Information Security management
- Provides best practice guidance
Security Control Clauses of ISO 27001
A.5 Security Policy
A.6 Organization of Information Security
A.7 Asset Management
A.8 Human
Resource
Security
A.9 Physical &
environmental
security
A.10
Communications &
operations
management
A.12 Info. Systems
Acquisition
development &
maintenance
A.11 Access control
A.13 Information Security Incident Management
A.14 Business Continuity Management
A.15 Compliance
Effective Implementation of ISMS
• Management Commitment
• Organisation
• Resources
• Focus on Prevention
• Training
• Communication
• Participation
• System Review
THANK YOU