Module 2: Security Management
1. Security Assurance
2. Security Laws
3. IPR
4. International Standards
5. Security Audit
6. SSE-CMM / COBIT etc.
Security Principles
Identification: to have proper identification of a user.
Authentication: to authenticate the identity of the user.
Authorization: to authorize the authenticated user.
Privacy: the user will use the data for the authorized purpose.
Non-Repudiation: the user cannot deny having done a particular thing.
Information Security
Network Security
Computer and Data Security
Security Management
Planning
Policy
Programs
Protection
People
Project Management
Need of ISMS
Benefits of ISMS
Applications of ISMS
Banks
Insurance companies
Manufacturing companies
Hospitals
BPOs
Software development
Information Classification
Organizations like to classify their information for suitable treatment. All organizations (government, public, private, defense) need to classify their information.
Reason for classification: not all data/information has the same level of importance or the same level of relevance/criticality to an organization.
E.g.: loss of trade secrets, formulae or new product information can create significant loss to the organization.
Benefits of Information Classification
Information classification demonstrates an organization's commitment to security protections.
It helps identify which information is most sensitive or vital to an organization.
It supports the tenets of CIA as they pertain to data.
It helps identify which protections apply to which information.
It fulfils statutory requirements towards regulatory, compliance or legal mandates.
Information Classification
Unclassified
Sensitive but unclassified (SBU)
Confidential
Secret
Top Secret
Unclassified: information is neither sensitive nor classified. The public release of this information does not violate confidentiality.
Sensitive but unclassified (SBU): information designated as minor secret, but which may not create serious damage if disclosed. E.g.: health care, answers to tests.
Confidential: information is designated to be of a confidential nature. The unauthorised disclosure of this information could cause some damage to security. E.g.: teacher feedback.
Secret:
Public: information similar to unclassified information. All of an organization's information that doesn't fit into any of the other categories is considered to be public. This information probably should not be discussed, but even if it is disclosed it is not expected to seriously or adversely impact the organization.
Sensitive: information that requires a higher level of classification than normal data. This information is protected from a loss of confidentiality as well as a loss of integrity owing to unauthorized alteration.
Private:
Procedural steps
Identify the owner/administrator/custodian for data/information which is considered to be important.
Specify criteria for information to be classified and labeled.
Classify data by owner.
Specify and document any exceptions to the classification policy.
Data Obfuscation
Non-critical: functions may be interrupted for an extended period of time, at little or no cost to the company.
E.g.
Event Classification
Security Policy
Regulatory Policy
Informative policy
Internal audits
Resolving legal disputes about the management practices and responsibilities of other users.
ISP
Statement of purpose
Elements
Need for information security
Roles and responsibilities
Reference to other standards and guidelines
What is Policy?
Policies
Password policy
The policy on passwords can define multiple attributes, such as:
1. Whether the user ID and password can match
2. Maximum occurrences of consecutive characters
3. Maximum lifetime of the password
4. Minimum length of the password
5. Whether the user's previous password can be reused
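The five password-policy attributes listed above, turned into a checker that reports every rule a candidate password breaks rather than stopping at the first one. This is an added example, not part of the original module; the policy values, the constructed user "alice" and the 90-day lifetime are assumptions, and a real system would compare against stored password hashes rather than the plaintext history used here for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class PasswordPolicy:
    """The five attributes from the module, with assumed example values."""
    allow_match_user_id: bool = False   # 1. may user ID and password match?
    max_consecutive: int = 2            # 2. longest run of one repeated character
    max_lifetime_days: int = 90         # 3. maximum lifetime of the password
    min_length: int = 12                # 4. minimum length
    history_size: int = 5               # 5. how many previous passwords may not be reused


def longest_run(s: str) -> int:
    """Length of the longest run of consecutive identical characters."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def check_password(user_id: str, password: str, previous: list[str],
                   policy: PasswordPolicy) -> list[str]:
    """Return every policy violation for a candidate password (empty list = OK)."""
    violations = []
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    if not policy.allow_match_user_id and password.casefold() == user_id.casefold():
        violations.append("matches the user ID")
    if longest_run(password) > policy.max_consecutive:
        violations.append(f"more than {policy.max_consecutive} consecutive identical characters")
    # Guard against history_size == 0: previous[-0:] would return the whole list.
    recent = previous[-policy.history_size:] if policy.history_size else []
    if password in recent:
        violations.append("reuses a previous password")
    return violations


def password_expired(last_changed: date, today: date, policy: PasswordPolicy) -> bool:
    """True once the password is older than the policy's maximum lifetime."""
    return today - last_changed > timedelta(days=policy.max_lifetime_days)


if __name__ == "__main__":
    p = PasswordPolicy()
    print(check_password("alice", "alice", ["Old-Password-2023"], p))
    print(password_expired(date(2024, 1, 1), date(2024, 4, 15), p))
```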
Policy Mapping
Policies include procedures, standards, guidelines and baselines.
Laws, regulations, requirements, organizational goals and objectives
Functional policies
Procedures
Standards
Guidelines
Baselines
Procedures are the detailed steps required to perform a specific task.
Standards describe the uniform use of specific technologies throughout the organization.
Design blueprint for security
Design planning for continuity
Implement
Maintain
Design Phase
It contains the initial design framework; after refinement it turns into the blueprint.
Users or organization members acknowledge what they have received by signing and dating a form.
Policy
The Web
Government sites such as NIST
Professional literature
Peer networks
Professional consultants
Maintenance Phase
Components of ISSP
Policy Statement
This outlines the scope and applicability, i.e. what the purpose is and who is responsible for implementation. It also defines the technologies used.
Prohibited usage of Equipment
Systems Management
Policy violations
Also mentions procedures for reporting policy violations.
Limitations of Liability
Configuration includes:
Intrusion
Access
Policy Infrastructure
Foundations
Information protection
Control the access to information
Administer (monitor) the users
Manage Security
Information Security Policies and Standards
IS Goal
Policy
Standards
Procedures
Awareness
Action
Guidelines
Design Processes
Policy
Standard
Guidelines
Upcoming technology
New threats
New goals or modified existing goals
Changes in the standard
Changes in law
Failure of the existing policy
Sample Policy