INFORMATION SECURITY

What is Information?
What is Information Security?
What is RISK?
An Introduction to ISO for information
technology
User Responsibilities

2
Information can be

 Created
 Stored
 Destroyed

 Processed

 Transmitted

 Used – (For proper & improper purposes)

 Corrupted
 Lost
 Stolen

3
  Printed or written on paper

 Stored electronically

 Transmitted by post or using electronics means

 Shown on corporate videos

 Displayed / published on web

 Verbal – spoken in conversations

‘…Whatever form the information takes, or

means by which it is shared or stored, it
should always be appropriately protected’
(BS ISO 27002:2005)

4
 What Is Information Security

 The quality or state of being secure to be free from danger

 Security is achieved using several strategies

 Security is achieved using several strategies simultaneously or

used in combination with one another

 Security is recognized as essential to protect vital processes

and the systems that provide those processes

 Security is not something you buy, it is something you do

5
 What Is Information Security

 The architecture where an integrated combination

of appliances, systems and solutions, software,
alarms, and vulnerability scans working together

 Monitored 24x7

 Having People, Processes, Technology, policies,

procedures,

 Security is for PPT and not only for appliances or

devices

6/16/201
1
Mohan Kamat 7
 INFORMATION
SECURITY

1. Protects information from a range of threats

2. Ensures business continuity
3. Minimizes financial loss
4. Optimizes return on investments
5. Increases business opportunities

Business survival depends on information

security.

6/16/201 Mohan
7
1 Kamat
ISO 27002:2005 defines Information Security as the
preservation of:

Ensuring that information is

– Confidentiality accessible only to those
authorized to have access

Safeguarding the accuracy and

completeness of information
– Integrity and processing methods

Ensuring that authorized

users have access to
– Availability information and associated
assets when required

8
 What is Risk?

Risk: A possibility that a threat exploits a

vulnerability in an asset and causes damage or
loss to the asset.

Threat: Something that can potentially cause damage

to the organisation, IT Systems or network.

Vulnerability: A weakness in the organization, IT

Systems, or network that can be exploited
by a threat.

9
 Threat Identification

Elements of threats
Agent : The catalyst that performs the
threat.
Human
Machine
Nature

10
6/16/201 Mohan
1 Kamat
 Threat Identification

Elements of threats
Motive : Something that causes the agent
to act.
Accidental
Intentional
Only motivating factor that can be both
accidental and intentional is human
 Threat Identification

Elements of threats
Results : The outcome of the applied
threat. The results normally lead to the
loss of CIA
Confidentiality
Integrity
Availability

12
6/16/201 Mohan
1 Kamat
Threats
• Employees
• External Parties
• Low awareness of security issues
• Growth in networking and distributed computing
• Growth in complexity and effectiveness of hacking tools
and viruses
• Natural Disasters eg. fire, flood, earthquake

13
6/16/201 Mohan
1 Kamat
 No Categories of Threat Example
1 Human Errors or failures Accidents, Employee mistakes
2 Compromise to Intellectual Property Piracy, Copyright infringements
3 Deliberate Acts or espionage or Unauthorized Access and/or data collection
trespass

4 Deliberate Acts of Information Blackmail of information exposure /

extortion disclosure

5 Deliberate Acts of sabotage / Destruction of systems / information

vandalism

6 Deliberate Acts of theft Illegal confiscation of equipment or

information

7 Deliberate software attacks Viruses, worms, macros Denial of service

8 Deviations in quality of service from Power and WAN issues
service provider

9 Forces of nature Fire, flood, earthquake, lightening

10 Technical hardware failures or errors Equipment failures / errors
11 Technical software failures or errors Bugs, code problems, unknown loopholes
12 Technological Obsolesce Antiquated or outdated technologies

6/16/2011 Mohan Kamat 24

SO HOW DO WE
OVERCOME THESE
PROBLEMS?

15
• Information Security Policy - To provide
management direction and support for Information
security.
• Organisation Of Information Security
-
Management framework for implementation
• Asset Management - To ensure the security
of valuable organisational IT and its related
assets
• of
Human
humanResources
error, theft,Security
fraud or -misuse
To reduce the risks
of facilities.
• Physical & Environmental Security -To prevent
unauthorised access, theft, compromise , damage,
information and information processing facilities.
• Communications & Operations Management - To
ensure the correct and secure operation of information
processing facilities.
• Access Control - To control access to information
and information processing facilities on „need to know‟
and „need to do‟ basis.
• Information Systems Acquisition, Development
& Maintenance - To ensure security built into
information systems
• Information Security Incident Management - To
ensure information security events and weaknesses
associated with information systems are
communicated.

17
•Business Continuity Management - To reduce
disruption caused by disasters and security failures to an
acceptable level.
•Compliance - To avoid breaches of any criminal and
civil law, statutory, regulatory or contractual obligations
and of any security requirements.

18
 Access Control - Physical
• Follow Security Procedures
• Wear Identity Cards and Badges
• Ask unauthorized visitor his credentials
• Attend visitors in Reception and Conference Room only

• Bring visitors in operations area without

prior permission
• Bring hazardous and combustible material in
secure
area
• Practice ―Piggybacking‖
• Bring and use pen drives, zip drives, ipods, other storage
devices unless and otherwise authorized to do so

19
6/16/201 Mohan
1 Kamat
 Password Guidelines

 Always use at least 8 character password with

combination of alphabets, numbers and special characters (*, %, @,
#, $, ^)
 Use passwords that can be easily remembered by you
 Change password regularly as per policy
 Use password that is significantly different from earlier passwords

 Use passwords which reveals your personal

information or words found in dictionary
 Write down or Store passwords
 Share passwords over phone or Email
 Use passwords which do not match above complexity
criteria

20
6/16/201 Mohan
1 Kamat
 Internet Usage
 Use internet services for business purposes only

 Do not access internet through dial-up connectivity

 Do not use internet for viewing, storing or
transmitting obscene or pornographic material
 Do not use internet for accessing auction sites
 Do not use internet for hacking other computer systems
 Do not use internet to download / upload
commercial software / copyrighted material

Technology Department is continuously monitoring Internet

Usage. Any illegal use of internet and other assets shall call
for Disciplinary Action.

21
6/16/201 Mohan
1 Kamat
 E-mail Usage
 Use official mail for business purposes only
 Follow the mail storage guidelines to avoid blocking of E-mails
 If you come across any junk / spam mail, do the following
a) Remove the mail.
b) Inform the security help desk
c) Inform the same to server administrator
d) Inform the sender that such mails are undesired

 Do not use official ID for any personal subscription purpose

 Do not send unsolicited mails of any type like chain letters or
E-mail Hoax
 Do not send mails to client unless you are authorized to do so
 Do not post non-business related information to large
number of users
 Do not open the mail or attachment which is suspected to be
virus or received from an unidentified sender

22
6/16/201 Mohan
1 Kamat