Ch5 NIS


Network and Information Security(NIS)

Unit 5: Network Security, Cyber Laws and Compliance Standards.
C22620.e: Maintain secured networks and describe Information Security Compliance standards.

DEPARTMENT OF COMPUTER ENGINEERING


Kerberos:
Kerberos is a network protocol that uses secret-key cryptography to
authenticate client-server applications. A client obtains an encrypted ticket
from an authentication server and presents that ticket to use a service.
The protocol gets its name from the three-headed dog (Kerberos, or Cerberus)
that guarded the gates of Hades in Greek mythology.

• AS = Authentication Server
• TGS = Ticket Granting Server
• SS or Server = Service Server (the server whose service the user is
requesting, such as a print server, a file server, etc.)
• TGT = Ticket Granting Ticket (Kerberos ticket for the TGS. Prepared by the
AS, then used to talk to the TGS).

Steps taken to authenticate in a Kerberized environment:
1. The client requests an authentication ticket (TGT) from the Key Distribution
Center (KDC).
2. The KDC verifies the credentials and sends back an encrypted TGT and a session
key.
3. The TGT is encrypted using the Ticket Granting Service (TGS) secret key.
4. The client stores the TGT; when it expires, the local session manager
requests another TGT (this process is transparent to the user).
If the client is requesting access to a service or other resource on the network,
this is the process:
5. The client sends the current TGT to the TGS with the Service Principal Name
(SPN) of the resource the client wants to access.
6. The KDC verifies the TGT of the user and that the user has access to the service.
7. The TGS sends a valid session key for the service to the client.
8. The client forwards the session key to the service to prove the user has access,
and the service grants access.
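The eight steps above, played out in code. This is an added illustration, not code from the slides or from any Kerberos implementation: seal()/unseal() (SHAKE256 keystream plus HMAC-SHA256) and string_to_key() (PBKDF2) are simplified stand-ins for the real Kerberos encryption types, and the realm (the user alice, the krbtgt principal, the service cifs/fileserver and their keys) is constructed for the example. It shows what the page's prose cannot: the TGT is opaque to the client (it is sealed under the TGS key), the service only ever needs its own key, and an authenticator that is replayed or a ticket that has expired is rejected.

```python
"""Toy Kerberos exchange: AS request -> TGT, TGS request -> service ticket,
AP request -> access.  Added illustration; ciphers, key derivation and the
realm (principals, keys, service name) are simplified and constructed."""
import hashlib, hmac, json, os, time

SKEW = 300   # seconds of clock skew tolerated when checking an authenticator

def seal(key, obj):
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || HMAC-SHA256 tag.
    Keystream = SHAKE256(key || nonce): a toy stand-in for a real cipher."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal(); raises if the key is wrong or the blob was modified."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

def string_to_key(password, principal):
    """Long-term key derived from a password (simplified; salt = principal name)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def check_authenticator(ticket, authenticator, seen):
    """Shared TGS/service check: the authenticator must decrypt under the ticket's
    session key, name the same client, be fresh and not a replay; the ticket must
    not have expired.  `seen` is the verifier's replay cache."""
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)
    now = time.time()
    if auth["cname"] != ticket["cname"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - auth["ts"]) > SKEW:
        raise ValueError("authenticator outside allowed clock skew")
    if now > ticket["exp"]:
        raise ValueError("ticket expired")
    if (auth["cname"], auth["ts"]) in seen:
        raise ValueError("replayed authenticator")
    seen.add((auth["cname"], auth["ts"]))
    return auth

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one object."""
    def __init__(self, principals, ticket_life=3600):
        self.keys, self.ticket_life, self.seen = dict(principals), ticket_life, set()

    def as_exchange(self, cname, nonce):
        """Steps 1-3: client part sealed under the client's key, TGT sealed under the TGS key."""
        sk, exp = os.urandom(32).hex(), time.time() + self.ticket_life
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "key": sk, "exp": exp})
        return seal(self.keys[cname], {"key": sk, "nonce": nonce, "exp": exp}), tgt

    def tgs_exchange(self, tgt, authenticator, spn):
        """Steps 5-7: verify TGT and authenticator, then issue a service ticket for spn."""
        t = unseal(self.keys["krbtgt"], tgt)
        check_authenticator(t, authenticator, self.seen)
        svc_key, exp = os.urandom(32).hex(), time.time() + self.ticket_life
        ticket = seal(self.keys[spn], {"cname": t["cname"], "key": svc_key, "exp": exp})
        return seal(bytes.fromhex(t["key"]), {"key": svc_key, "spn": spn, "exp": exp}), ticket

class Service:
    """The Service Server: it knows only its own long-term key, never the user's."""
    def __init__(self, spn, key):
        self.spn, self.key, self.seen = spn, key, set()

    def ap_exchange(self, ticket, authenticator):
        """Step 8: decrypt the service ticket, check the authenticator, grant access."""
        auth = check_authenticator(unseal(self.key, ticket), authenticator, self.seen)
        return f"access granted to {auth['cname']} on {self.spn}"

def client_session(kdc, service, cname, password):
    """Client side of the whole flow.  Also returns the service ticket and the
    authenticator so that demo() can show a replay being refused."""
    ckey, nonce = string_to_key(password, cname), os.urandom(8).hex()
    as_rep, tgt = kdc.as_exchange(cname, nonce)
    part = unseal(ckey, as_rep)                      # a wrong password fails here
    if part["nonce"] != nonce:
        raise ValueError("AS-REP nonce mismatch")
    tgs_key = bytes.fromhex(part["key"])
    tgs_rep, st = kdc.tgs_exchange(tgt, seal(tgs_key, {"cname": cname, "ts": time.time()}), service.spn)
    svc_key = bytes.fromhex(unseal(tgs_key, tgs_rep)["key"])
    ap_auth = seal(svc_key, {"cname": cname, "ts": time.time()})
    return service.ap_exchange(st, ap_auth), st, ap_auth

def demo():
    """Constructed realm: user alice, the krbtgt principal and one file service."""
    keys = {"alice": string_to_key("correct horse battery", "alice"),
            "krbtgt": os.urandom(32), "cifs/fileserver": os.urandom(32)}
    kdc, fs = KDC(keys), Service("cifs/fileserver", keys["cifs/fileserver"])
    login, st, ap_auth = client_session(kdc, fs, "alice", "correct horse battery")
    results = {"login": login}
    for label, action in (("replay", lambda: fs.ap_exchange(st, ap_auth)),
                          ("bad_password", lambda: client_session(kdc, fs, "alice", "wrong"))):
        try:
            action()
            results[label] = "accepted"
        except ValueError as e:
            results[label] = str(e)
    return results
```

demo() returns the service's answer for a correct login, the reason the second presentation of the same authenticator is refused, and the reason a wrong password fails (the client cannot open the AS-REP, because it is sealed under the key derived from the real password).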



Email Security
Email security refers to the collective measures used to
secure the access and content of an email account or
service.
An email service provider implements email
security to secure subscriber email accounts and data
from hackers - at rest and in transit.



1) SMTP
• SMTP stands for Simple Mail Transfer Protocol.
• SMTP is the set of communication guidelines that allows software to
transmit electronic mail over the internet.
• It is a program used for sending messages to other computer users
based on e-mail addresses.
• It provides mail exchange between users on the same or different
computers, and it also supports the following:
1. It can send a single message to one or more recipients.
2. The message sent can include text, voice, video or graphics.
3. It can also send messages on networks outside the internet.
• The main purpose of SMTP is to set up communication rules
between servers.



1) User agent (UA)
2) Mail transfer agent (MTA)

Working of SMTP
1) Composition of Mail: A user sends an e-mail by composing an electronic mail
message using a Mail User Agent (MUA). Mail User Agent is a program which is
used to send and receive mail. The message contains two parts: body and header.
2) Submission of Mail: After composing an email, the mail client then submits the
completed e-mail to the SMTP server by using SMTP on TCP port 25.
3) Delivery of Mail: E-mail addresses contain two parts: username of the recipient
and domain name. For example, vivek@gmail.com, where "vivek" is the username of
the recipient and "gmail.com" is the domain name.
4) Receipt and Processing of Mail: Once the incoming message is received, the
exchange server delivers it to the incoming server (Mail Delivery Agent) which stores
the e-mail where it waits for the user to retrieve it.
5) Access and Retrieval of Mail: The stored email in MDA can be retrieved by using
MUA (Mail User Agent). MUA can be accessed by using login and password.
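The submission and delivery steps above as a server-side SMTP dialogue. This is an added example, not code from the slides: a minimal state machine for one connection on TCP port 25 that answers a scripted client, enforces the HELO / MAIL / RCPT / DATA order, splits each address into username and domain as in the delivery step, and refuses to accept mail for domains it does not host (an open relay is the classic misconfiguration of this step). The host name mx.example.org, the domain list and the client script are constructed for the example.

```python
"""Server side of an SMTP dialogue (TCP/25) as a state machine.  Added
illustration; hostnames, domains and the client script are constructed."""
import re

ADDR = re.compile(r"^<?([^@<>\s]+)@([^@<>\s]+)>?$")

def split_address(addr):
    """Delivery step: 'vivek@gmail.com' -> ('vivek', 'gmail.com')."""
    m = ADDR.match(addr.strip())
    if not m:
        raise ValueError(f"malformed address: {addr!r}")
    return m.group(1), m.group(2).lower()

class SmtpSession:
    """One SMTP connection.  States: connect -> ready -> mail -> rcpt -> data."""
    def __init__(self, hostname, local_domains):
        self.hostname, self.local_domains = hostname, {d.lower() for d in local_domains}
        self.state, self.messages = "connect", []      # accepted messages (the MDA's queue)
        self._reset()

    def _reset(self):
        self.envelope = {"from": None, "to": [], "data": []}

    def greeting(self):
        return f"220 {self.hostname} ESMTP"

    def handle(self, line):
        """Process one client line; returns the reply, or None while reading DATA."""
        if self.state == "data":
            if line == ".":                              # end of the message body
                self.messages.append(self.envelope)
                self._reset()
                self.state = "ready"
                return "250 OK: queued"
            self.envelope["data"].append(line[1:] if line.startswith(".") else line)  # dot-unstuffing
            return None
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self._reset()
            self.state = "ready"
            return f"250 {self.hostname}"
        if verb == "QUIT":
            return "221 Bye"
        try:
            if verb == "MAIL" and self.state == "ready":
                user, dom = split_address(arg.split(":", 1)[1])
                self.envelope["from"], self.state = f"{user}@{dom}", "mail"
                return "250 OK"
            if verb == "RCPT" and self.state in ("mail", "rcpt"):
                user, dom = split_address(arg.split(":", 1)[1])
                if dom not in self.local_domains:        # not an open relay
                    return "550 relaying denied"
                self.envelope["to"].append(f"{user}@{dom}")
                self.state = "rcpt"
                return "250 OK"
        except (ValueError, IndexError) as e:
            return f"501 syntax error: {e}"
        if verb == "DATA" and self.state == "rcpt":
            self.state = "data"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb in ("MAIL", "RCPT", "DATA"):
            return "503 Bad sequence of commands"
        return "500 Unrecognised command"

def run_session(server, client_lines):
    """Feed a constructed client script through the server; returns its replies."""
    replies = [server.greeting()]
    for line in client_lines:
        reply = server.handle(line)
        if reply is not None:
            replies.append(reply)
    return replies
```

Note that nothing in this dialogue authenticates the sender: the MAIL FROM address is whatever the client claims, which is why submission in practice is moved to an authenticated port and why the relay check on RCPT TO matters.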
2) Privacy Enhanced Mail (PEM)
• Privacy Enhanced Mail (PEM) is an email security standard adopted by
the Internet Architecture Board (IAB) to provide secure electronic mail
communication over the internet.
• PEM is described in four specification documents, RFC 1421 to RFC 1424.
• PEM supports the three main cryptographic functions of encryption,
non-repudiation and message integrity.

Cryptographic functions of PEM

Working of PEM

PEM allows for three security options when sending an e-mail message. These
options are:
• Signature only (steps 1 and 2)
• Signature and Base-64 encoding (steps 1, 2 and 4)
• Signature, Encryption and Base-64 encoding (steps 1 to 4)

Step 1 Canonical Conversion: PEM transforms each e-mail message into an
abstract, canonical representation. This means that, regardless of the
architecture and operating system of the sending and receiving computers,
the e-mail message always travels in a uniform, machine-independent format.
Step 2 Digital Signature: This is the standard digital-signature process
studied earlier as a cryptographic technique. It starts by creating a message
digest of the e-mail message using an algorithm such as MD2 or MD5, as shown
in the image below.
The message digest thus created is then encrypted with the sender's private key
to form the sender's digital signature. The process is shown below:

Step 3 Encryption: In this step the original e-mail and the digital signature
are encrypted together with a symmetric key. For this, the DES or DES-3
algorithms in CBC (Cipher Block Chaining) mode are used. This is shown in the
image below:

Step 4 Base-64 Encoding: This is the last step in PEM. The base-64 encoding (also called
Radix-64 encoding or ASCII armour) process transforms arbitrary binary input into printable
character output.

Base 64 encoding table

3) PGP(Pretty Good Privacy)
• PGP was designed to provide all four aspects of security, i.e., privacy,
integrity, authentication, and non-repudiation in the sending of email.
• PGP uses a digital signature (a combination of hashing and public key
encryption) to provide integrity, authentication, and non-repudiation.
PGP uses a combination of secret key encryption and public key
encryption to provide privacy. Therefore, we can say that the digital
signature uses one hash function, one secret key, and two private-
public key pairs.
• PGP is an open source and freely available software package for email
security.
• PGP provides authentication through the use of Digital Signature.
• It provides confidentiality through the use of symmetric block
encryption.
• It provides compression by using the ZIP algorithm, and EMAIL
compatibility using the radix-64 encoding scheme.

Following are the steps taken by PGP to create secure e-mail at the sender site:
• The e-mail message is hashed by using a hashing function to create a digest.
• The digest is then encrypted to form a signed digest by using the sender's private key, and
then signed digest is added to the original email message.
• The original message and signed digest are encrypted by using a one-time secret key
created by the sender.
• The secret key is encrypted by using a receiver's public key.
• Both the encrypted secret key and the encrypted combination of message and digest are
sent together.
PGP at the Sender site (A)



Following are the steps taken to show how PGP uses hashing and a
combination of three keys to recover the original message:
• The receiver receives the combination of the encrypted secret key and
the encrypted message and digest.
• The encrypted secret key is decrypted by using the receiver's private key
to get the one-time secret key.
• The secret key is then used to decrypt the combination of message and
digest.
• The digest is decrypted by using the sender's public key, and the original
message is hashed by using a hash function to create a digest.
• Both digests are compared; if they are equal, all the aspects of security
are preserved.
PGP at the Receiver site (B)
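The PEM steps (canonical conversion, digest, signature, encryption, radix-64) and the PGP sender/receiver steps above describe the same hybrid scheme, so one added example serves both. It is not code from the slides or from PGP/PEM: textbook RSA with no padding stands in for the public-key algorithm, a SHAKE256 keystream stands in for DES/CBC or the PGP block cipher, SHA-256 stands in for MD5, zlib for PGP's ZIP compression, and all keys and the message are constructed. It runs the whole path at site A and site B and shows that a message signed by someone other than the claimed sender fails the digest comparison.

```python
"""PGP/PEM-style secure e-mail end to end.  Added illustration: textbook RSA
(no padding), a SHAKE256 stream cipher and SHA-256 stand in for the real
algorithms; keys and the message are constructed for the example."""
import base64, hashlib, json, os, random, zlib

def _probable_prime(n, rounds=16):
    """Miller-Rabin test, adequate for a toy key generator."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if _probable_prime(cand):
            return cand

def rsa_keypair(bits=512):
    """Textbook RSA: returns (public=(n, e), private=(n, d)).  512 bits keeps
    the example fast; it is far too small for real use."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % 65537:               # e = 65537 must be invertible mod phi
            return (n, 65537), (n, pow(65537, -1, phi))

def canonicalise(text):
    """PEM step 1: a uniform, platform-independent representation (CRLF, UTF-8)."""
    return text.replace("\r\n", "\n").replace("\n", "\r\n").encode("utf-8")

def _stream(key, nonce, data):
    """Toy symmetric cipher for the one-time key: XOR with SHAKE256(key || nonce)."""
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))

def pgp_send(message, sender_priv, receiver_pub):
    """Sender site (A): digest -> sign with sender's private key -> attach ->
    compress -> encrypt with a one-time key -> wrap the key with the receiver's
    public key -> radix-64 armour."""
    body = canonicalise(message)
    n_s, d_s = sender_priv
    signed_digest = pow(int.from_bytes(hashlib.sha256(body).digest(), "big"), d_s, n_s)
    packet = zlib.compress(json.dumps({"body": body.hex(), "sig": signed_digest}).encode())
    session_key, nonce = os.urandom(32), os.urandom(16)       # one-time secret key
    n_r, e_r = receiver_pub
    wrapped = pow(int.from_bytes(session_key, "big"), e_r, n_r)
    blob = {"key": wrapped, "nonce": nonce.hex(), "ct": _stream(session_key, nonce, packet).hex()}
    return base64.b64encode(json.dumps(blob).encode()).decode()

def pgp_receive(armoured, receiver_priv, sender_pub):
    """Receiver site (B): un-armour -> unwrap the one-time key with the receiver's
    private key -> decrypt -> decompress -> compare the two digests.
    Returns (text, verified)."""
    blob = json.loads(base64.b64decode(armoured))
    n_r, d_r = receiver_priv
    session_key = pow(blob["key"], d_r, n_r).to_bytes(32, "big")
    packet = json.loads(zlib.decompress(
        _stream(session_key, bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"]))))
    body = bytes.fromhex(packet["body"])
    n_s, e_s = sender_pub
    recovered = pow(packet["sig"], e_s, n_s)                        # digest from the signature
    fresh = int.from_bytes(hashlib.sha256(body).digest(), "big")    # digest of the received text
    return body.decode("utf-8"), recovered == fresh

def demo():
    """Constructed keys and message; a forger signing with another key is rejected."""
    sender_pub, sender_priv = rsa_keypair()
    receiver_pub, receiver_priv = rsa_keypair()
    forger_pub, forger_priv = rsa_keypair()
    message = "Transfer approved.\nRef 4711"
    text, ok = pgp_receive(pgp_send(message, sender_priv, receiver_pub), receiver_priv, sender_pub)
    _, forged_ok = pgp_receive(pgp_send(message, forger_priv, receiver_pub), receiver_priv, sender_pub)
    return {"text": text, "verified": ok, "forged_verified": forged_ok}
```

The three keys the slides count are visible here: the sender's private key (signing), the receiver's public key (wrapping the one-time key) and the one-time secret key itself (encrypting message plus signed digest); the receiver unwraps with its own private key and verifies with the sender's public key.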

Public Key Infrastructure
At its heart, an X.509 PKI is a security architecture that uses well-
established cryptographic mechanisms to support use-cases like email
protection and web server authentication.
1. A requestor generates a CSR and submits it to the CA.
2. The CA issues a certificate based on the CSR and returns it to the
requestor.
3. Should the certificate at some point be revoked, the CA adds it to
its CRL.

Components
Public Key Infrastructure (PKI)
Security architecture where trust is conveyed through the
signature of a trusted CA.
Certificate Authority (CA)
Entity issuing certificates and CRLs.
Registration Authority (RA)
Entity handling PKI enrollment. May be identical with the CA.
Certificate
Public key and ID bound by a CA signature.
Certificate Signing Request (CSR)
Request for certification. Contains public key and ID to be
certified.
Certificate Revocation List (CRL)
List of revoked certificates. Issued by a CA at regular intervals.
Certification Practice Statement (CPS)
Document describing structure and processes of a CA.
CA Types
CA Certificate
Certificate of a CA. Used to sign certificates and CRLs.
Root Certificate
Self-signed CA certificate at the root of a PKI hierarchy.
Serves as the PKI’s trust anchor.
Cross Certificate
CA certificate issued by a CA external to the primary
PKI hierarchy. Used to connect two PKIs and thus usually
comes in pairs.
User Certificate
End-user certificate issued for one or more purposes:
email-protection, server-auth, client-auth, code-signing, etc.
A user certificate cannot sign other certificates.
X.509 Certificate
These certificates are used for identity validation and for transmission
of encrypted data that only the owner (person, organization or
software) of a specific certificate is able to decrypt and read.
X.509 certificates include:
1. Owner’s information or subject distinguished name (DN)
2. Public key associated with the subject
3. Version information
4. Serial number of the certificate
5. Another distinguished name identifying the issuer of the
certificate (CA)
6. Digital signature of the CA
7. Information on the algorithm used to create the digital certificate

Standard format of X.509 Certificate

IP security (IPSec)
IP security (IPSec) is an Internet Engineering Task Force (IETF) standard
suite of protocols, operating between two communication points across an IP
network, that provides data authentication, integrity and confidentiality. It
also defines how packets are encrypted, decrypted and authenticated.
IPsec can be used to do the following things:
• To encrypt application layer data.
• To provide security for routers sending routing data across the public
internet.
• To provide authentication without encryption, for example to authenticate
that the data originates from a known sender.
• To protect network data by setting up circuits using IPsec tunneling, in
which all data sent between the two endpoints is encrypted, as with a
Virtual Private Network (VPN) connection.
Components of IP Security –
• Encapsulating Security Payload (ESP) –
It provides data integrity, encryption, authentication and anti-replay
protection. It also provides authentication for the payload.
• Authentication Header (AH) –
It also provides data integrity, authentication and anti-replay protection,
but it does not provide encryption. The anti-replay protection protects
against unauthorized retransmission (replay) of packets. AH does not protect
the data's confidentiality.
• Internet Key Exchange (IKE) –
Internet Key Exchange (IKE) sets up the protection of message content and
provides an open framework for implementing standard algorithms such as
SHA and MD5. The algorithm IPsec uses produces a unique identifier (an
integrity check value) for each packet. This identifier allows a device to
determine whether a packet is correct or not. Packets which are not
authorized are discarded and not given to the receiver.
IPSEC MODES
1. TUNNEL MODE
2. TRANSPORT MODE
IPSEC TUNNEL MODE
IPSec tunnel mode is the default mode. With tunnel
mode, the entire original IP packet is protected by IPSec.
This means IPSec wraps the original packet, encrypts it, adds
a new IP header and sends it to the other side of the VPN
tunnel (IPSec peer).
Tunnel mode is most commonly used between
gateways (Cisco routers or ASA firewalls), or at an end-
station to a gateway, the gateway acting as a proxy for the
hosts behind it.
Tunnel mode is used to encrypt traffic between secure IPSec gateways, for
example two Cisco routers connected over the Internet via an IPSec VPN.

IPSec Tunnel mode with ESP header:

IPSec Tunnel mode with AH header:

IPSEC TRANSPORT MODE
IPSec Transport mode is used for end-to-
end communications, for example, for
communication between a client and a server or
between a workstation and a gateway (if the
gateway is being treated as a host).
A good example would be an encrypted
Telnet or Remote Desktop session from a
workstation to a server.

IPSec Transport mode with ESP header:

IPSec Transport mode with AH header:
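The four header layouts in the figures above (AH and ESP, transport and tunnel) built as bytes, plus the anti-replay check that both AH and ESP provide. This is an added example, not code from the slides or from any IPsec stack: packets are constructed IPv4 headers with the checksum left at zero, HMAC-SHA-256-96 is used as the integrity algorithm and a SHAKE256 keystream stands in for the ESP cipher; the addresses 10.0.0.x and 198.51.100.x are constructed. It demonstrates what the figures only hint at: AH's integrity value covers the IP addresses (so a TTL decrement survives but an address rewrite does not), transport-mode ESP leaves the original header in the clear, tunnel-mode ESP hides the whole inner packet behind a new gateway-to-gateway header, and a sliding window rejects duplicated or very old sequence numbers.

```python
"""IPsec on the wire: AH and ESP in transport mode, ESP in tunnel mode, and an
anti-replay window.  Added illustration with constructed packets; HMAC-SHA-256-96
is the integrity algorithm and SHAKE256 stands in for the ESP cipher."""
import hashlib, hmac, os, struct

AH, ESP, IPIP = 51, 50, 4      # IP protocol numbers: AH, ESP, IP-in-IP (tunnel mode)
TTL, CSUM = 8, 10              # offsets of the mutable IPv4 fields AH zeroes before hashing

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Constructed 20-byte IPv4 header (header checksum left as 0 for the example)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))

def _set_proto_len(ip_hdr, proto, payload_len):
    h = bytearray(ip_hdr)
    h[9], h[2:4] = proto, struct.pack("!H", 20 + payload_len)
    return bytes(h)

def icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:12]     # HMAC-SHA-256-96

def _ah_input(ip_hdr, ah_wo_icv, payload):
    h = bytearray(ip_hdr)
    h[TTL], h[CSUM:CSUM + 2] = 0, b"\0\0"    # mutable fields zeroed; addresses stay covered
    return bytes(h) + ah_wo_icv + bytes(12) + payload

def ah_transport(ip_hdr, next_proto, payload, key, spi, seq):
    """AH transport mode: IP | AH | payload.  Authenticated (header included), not encrypted."""
    ah_wo_icv = struct.pack("!BBHII", next_proto, 4, 0, spi, seq)   # length field: 24/4 - 2
    hdr = _set_proto_len(ip_hdr, AH, 24 + len(payload))
    return hdr + ah_wo_icv + icv(key, _ah_input(hdr, ah_wo_icv, payload)) + payload

def ah_verify(packet, key):
    hdr, ah_wo_icv, tag, payload = packet[:20], packet[20:32], packet[32:44], packet[44:]
    return hmac.compare_digest(tag, icv(key, _ah_input(hdr, ah_wo_icv, payload)))

def esp_encapsulate(next_proto, plaintext, key, spi, seq):
    """ESP: SPI | seq | nonce | encrypt(plaintext | pad | pad_len | next_hdr) | ICV.
    The ICV covers the ESP header and ciphertext only, never the outer IP header."""
    pad_len = (-(len(plaintext) + 2)) % 4
    inner = plaintext + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_proto])
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(inner, hashlib.shake_256(key + nonce).digest(len(inner))))
    head = struct.pack("!II", spi, seq) + nonce
    return head + ct + icv(key, head + ct)

def esp_decapsulate(esp, key):
    """Returns (spi, seq, next_proto, plaintext); raises on a bad ICV."""
    head, ct, tag = esp[:16], esp[16:-12], esp[-12:]
    if not hmac.compare_digest(tag, icv(key, head + ct)):
        raise ValueError("ESP integrity check failed")
    inner = bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + head[8:]).digest(len(ct))))
    pad_len, next_proto = inner[-2], inner[-1]
    spi, seq = struct.unpack("!II", head[:8])
    return spi, seq, next_proto, inner[:len(inner) - 2 - pad_len]

def esp_transport(ip_hdr, next_proto, payload, key, spi, seq):
    """Transport mode: the original IP header travels in the clear; only the payload is protected."""
    esp = esp_encapsulate(next_proto, payload, key, spi, seq)
    return _set_proto_len(ip_hdr, ESP, len(esp)) + esp

def esp_tunnel(gw_src, gw_dst, inner_packet, key, spi, seq):
    """Tunnel mode: the whole inner packet (its header included) is encrypted and
    a new outer IP header between the two gateways is prepended."""
    esp = esp_encapsulate(IPIP, inner_packet, key, spi, seq)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp

class ReplayWindow:
    """Sliding anti-replay window over sequence numbers (RFC 4303 style)."""
    def __init__(self, size=64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq):
        if seq == 0:
            return False
        if seq > self.top:                          # new highest sequence: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1) if shift < self.size else 1
            self.top = seq
            return True
        if seq <= self.top - self.size:             # fell off the left edge: too old
            return False
        bit = 1 << (self.top - seq)
        if self.bitmap & bit:                       # already received: replay
            return False
        self.bitmap |= bit
        return True
```

The AH behaviour is the reason AH and NAT do not mix: ah_verify() still passes after a router decrements the TTL, but fails as soon as a NAT device rewrites the source address, because the addresses are part of the authenticated input.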

Cyber Crime
• Cyber crime or computer-oriented crime is a crime that involves a
computer and a network.
• Cyber crime is the use of a computer as a weapon for committing
crimes such as fraud, identity theft or breaching privacy.
• Cyber crime may endanger a person's or a nation's security and
financial health.
Categories:
1. Crimes that target computer networks or devices.
These types of crimes involve different threats (like viruses,
bugs etc.) and denial-of-service (DoS) attacks.
2. Crimes that use computer networks to commit other criminal
activities.
These types of crimes include cyber stalking, financial fraud or
identity theft.
Prevention of Cyber Crime:
1. Use strong passwords.
2. Use a trusted antivirus on devices.
3. Keep social media private.
4. Keep your device software updated.
TYPES OF CYBER CRIME
1) Hacking
Hacking is identifying weaknesses in computer systems or networks and
exploiting those weaknesses to gain access.
Eg: Using a password cracking algorithm to gain access to a system.
What is Ethical Hacking?
Ethical Hacking is identifying weaknesses in computer systems and/or
computer networks and coming up with countermeasures that protect against
those weaknesses.
Ethical hackers must abide by the following rules:
Get written permission from the owner of the computer system and/or
computer network before hacking.
Protect the privacy of the organization being hacked.
Transparently report all the identified weaknesses in the computer system
to the organization.
Inform hardware and software vendors of the identified weaknesses.
Why Ethical Hacking?
Information is one of the most valuable assets of an organization.
Keeping information secure can protect an organization’s image and save
an organization a lot of money.
Hacking can lead to loss of business for organizations that deal in
finance such as PayPal.
Ethical hacking puts them a step ahead of the cyber criminals
who would otherwise lead to loss of business.

Who is a Hacker?
A Hacker is a person who finds and exploits the weakness in
computer systems and/or networks to gain access.
Hackers are usually skilled computer programmers with
knowledge of computer security.
Hackers are classified according to the intent of their actions

Types of Hackers
Ethical Hacker (White hat): A hacker who gains access to systems with
a view to fixing the identified weaknesses. They may also perform
penetration testing and vulnerability assessments.
Cracker (Black hat): A hacker who gains unauthorized access to
computer systems for personal gain. The intent is usually to steal corporate
data, violate privacy rights, transfer funds from bank accounts, etc.
Grey hat: A hacker who is in between ethical and black hat hackers.
He/she breaks into computer systems without authority with a view to
identifying weaknesses and revealing them to the system owner.
Script kiddies: A non-skilled person who gains access to computer
systems using ready-made tools.
Hacktivist: A hacker who uses hacking to send social, religious, political,
etc. messages. This is usually done by hijacking websites and leaving the
message on the hijacked website.
Phreaker: A hacker who identifies and exploits weaknesses in telephones
instead of computers.

2) Digital forgery
Digital forgery is falsely altering digital contents such as
pictures, images, documents, and music perhaps for economic gain.

3)Cyber-stalking
If someone keeps contacting you on Facebook or any kind of online site and
it's making you scared and upset, it sounds like you're being stalked.
Stalking is illegal.
The person could get dangerous. Stalking includes following someone around
or leaving messages on their phone or online, and deliberately trying to make them
feel scared.
A good way to document incidents of stalking would be to keep a
stalking incident log.
This could include the following information:
STALKING INCIDENT LOG
Victim Information:
Your name:
Gender:
Date of Birth:
Address:
Telephone numbers including home, work and mobile:
Email address:
Aboriginality or Ethnicity:
Language spoken:
Occupation:
Do you have a current Apprehended Domestic Violence Order?: Yes or No
4)Cyber-harassment
Cyber-harassment, or cyber-bullying, can include things like:
Checking your email without permission
Impersonating you or hacking into your online accounts
Spreading rumours about you, or
Sharing photos or videos of you without your consent.
Cyber-harassment is not just about being teased – it’s repeated
behaviour that is designed to humiliate, control or scare the person
being targeted.
It’s not legal, and it’s not OK.

5) Cyberpornography
Cyberpornography is the act of using cyberspace to create,
display, distribute, import, or publish pornography or obscene materials,
especially materials depicting children engaged in sexual acts with
adults. Cyberpornography is a criminal offense, classified as causing
harm to persons.
6) Cyberterrorism
According to the U.S. Federal Bureau of Investigation,
cyberterrorism is any "premeditated, politically motivated attack against
information, computer systems, computer programs, and data which
results in violence against non-combatant targets by sub-national groups
or clandestine agents."
7) CYBER DEFAMATION
The term defamation is used to define the injury that is caused to
the reputation of a person in the eyes of a third person. The injury can
be done by words, oral or written, or by signs or by visible
representations. The intention of the person making the defamatory
statement must be to lower the reputation of the person against whom
the statement has been made in the eyes of the general public.
Cyber Laws
1) IT Act 2000:
Under Indian cyber law, the Information Technology Act is the principal
law; it was passed by the Indian Parliament in the year 2000. This act is
intended to encourage business by use of the internet. Due to misuse of the
internet and the increase in cybercrime, the Govt. of India made an act for
safeguarding internet users. The main objectives of this act are as follows:
1. To provide legal recognition to transactions that are done electronically
or by using the internet.
2. To provide legal recognition to digital signatures used in transactions.
3. To provide facilities such as filing of documents online relating to
admission or registration.
4. To provide a facility for any company to store its data in electronic
storage.
5. To provide legal recognition for bankers and other companies to keep accounts in
electronic form.
2) IT Act 2008:
• It is the Information Technology Amendment Act, 2008. The act was
developed for IT industries, to control e-commerce, to provide e-governance
facilities and to stop cybercrime attacks. Following are the
characteristics of the IT Act 2008:
• a) This act provides legal recognition for transactions such as Electronic
Data Interchange (EDI) and other electronic communications.
• b) This act also provides facilities for electronic filing of information
with Government agencies.
• c) It is considered necessary to give effect to the said resolution and
to promote efficient delivery of Government services by means of
reliable electronic records.
What is IT compliance?
IT compliance refers to businesses meeting all legal
requirements, standards and regulations for the software
their company uses.
Achieving these standards means following all
industry regulations, government policies, security
frameworks and customer terms of agreement to ensure the
security and appropriate usage of software in business.
In addition to protecting the security of businesses
and customers, compliance standards promote the
availability and reliability of services, and it ensures
businesses use the software as intended.

Why is IT compliance important?
IT compliance is important not only for
protecting the privacy and security of your
customers, clients, employees and your business
itself but also for improving your customer's trust in
your business.
When businesses meet a high standard of
compliance with digital security and privacy
standards, it can improve their reputation and help
customers feel more secure using their services.

6 common IT compliance standards to consider
1. GDPR
The European Union (EU) enforces a set of IT regulations called the General Data
Protection Regulation (GDPR).
2. PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) regulates the security of
financial card information, such as customer debit and credit cards.
3. SOX
Another financial compliance standard is the Sarbanes-Oxley Act (SOX). This standard
requires transparency and complete disclosure of a business's financial information.
4. HIPAA
In health care, the Health Insurance Portability and Accountability Act (HIPAA) maintains
the security of patient health records.
5. GLBA
The Gramm-Leach-Bliley Act (GLBA) applies to financial institutions that provide
services such as client loans, insurance and financial or investment advice.
6. FISMA
FISMA is the Federal Information Security Management Act. It applies to federal
agencies and requires them to implement information security plans to protect sensitive
information.

What is an Information Security Management System?
ISO/IEC 27000 defines an Information Security Management
System (ISMS) as a framework of policies, procedures, guidelines and
associated resources and activities jointly managed by an organisation
to protect its information assets.

Step 1. Secure executive support and set the objectives
Making a decision to implement an ISMS compliant with ISO/IEC 27001 should
always start with getting the involvement and confirmation of the
organisation's top management.
Step 2. Define the scope of the system
Contrary to the public opinion, which dates back to
experiences with the ISO 9001 standards, ISO/IEC 27001 is
well-grounded in the reality and technical requirements of
information security.

Step 3. Evaluate assets and analyse the risk
Some of asset categories include:
• Hardware – computers, phones, physical data storage
media,
• Servers – both physical and virtual servers comprising
the company's ICT infrastructure,
• Network infrastructure – elements of the company’s
network infrastructure,
• (Cloud) services – e.g. 365, Amazon Web Services,
JIRA, Confluence, Dropbox, banking services, etc.,
• Customer information – information provided by
customers; usually involves the greatest business risk,
• Other – this category includes paper data media.
Step 4. Define the Information Security Management System
• Usually this is an iterative process where the following ISMS
components are defined:
• Policies
• Processes
• Procedures
• Instructions
• Inputs/Outputs
• Training
• Guides
• Sources of knowledge
• Roles
• Normative sources

Step 5. Train and build competencies for the Roles
At this stage, the organisation should specify the
competencies and skills of the persons/roles involved in the
Information Security Management System.
Some of the information security roles that can be found in
most implementations include:
• Employee – role representing any person employed at the
organisation,
• Internal auditor – role responsible for conducting
management system audits,
• IT administrator – role representing people responsible for
managing the IT infrastructure of the organisation,
• Top management – role representing the group responsible
for setting directions and controlling the organisation at the
top level,
Step 6. System maintenance and monitoring
Before commencing the certification of the
information security management system it
should already work in the organisation. Ideally, a
fully defined system will have been implemented
and maintained in the organisation for at least a
month or two prior to the start of the
certification audit, providing the time for
conducting the necessary training, carrying out a
management system review, implementing the
required security measures, and adjusting the
risk analysis and risk management plan.
Step 7. Certification audit
The implementation of an information security management system in a
company is confirmed by a certificate of compliance with the ISO/IEC 27001
standard. Certification requires completing a certification audit conducted
by a management-system certification body.

ISO/IEC 27001 is widely known, providing requirements
for an information security management system (ISMS),
though there are more than a dozen
standards in the ISO/IEC 27000 family. Using them
enables organizations of any kind to manage the security
of assets such as financial information, intellectual
property, employee details or information entrusted by
third parties.
ISO 20000 is the international standard that
describes best practice for IT service management
(ITSM). It helps organisations evaluate how effectively
they deliver managed services, measure service levels and
assess their performance. It is strongly linked to ITIL ®, the
most common approach for IT service management.
Just like ISO 27001, ISO 9001, ISO 14001 and other
standards that define management systems, BS 25999-2 also
defines a business continuity management system which
contains the same four management phases: planning,
implementing, reviewing and monitoring, and finally,
improving. The point of these four phases is that the system is
continually updated and improved in order to be usable when
a disaster occurs. The following are some of the key
procedures and documents required by BS 25999-2:
PCI DSS 12 requirements are a set of security controls that
businesses are required to implement to protect credit
card data and comply with the Payment Card Industry
Data Security Standard (PCI DSS)

The 12 requirements of PCI DSS are:
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other
security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

ITIL framework
ITIL stands for Information Technology
Infrastructure Library.
The Framework of Information Security Management in
ITIL
There are five key elements that are addressed in an
Information Security Management system framework.

• Control
A management framework should be established to manage
information security, to prepare and implement a policy, to
allocate responsibilities, and to establish and control the documentation.
• Plan
This phase of the framework involves the collection of
information and understanding the security requirements of the
organization. Afterward, the appropriate solutions should be
recommended keeping in mind the budget and corporate culture.
• Implement
In the implementation phase, the plan will be put into action.
While doing so, it is important to ensure that adequate safeguards
are in place to enact and enforce the information security policy.

• Evaluate
After the security policies and plans have been
implemented, it is necessary to monitor them and make sure
that the systems are completely secure and operating in
accordance with the policies, security requirements, and
service level agreements of the organization.
• Maintain
For an information management system to be
effective, it needs to be improved on a continuous basis.
This involves revising the service level agreements, security
policies, and the techniques used to monitor and control.

Process Activities of Information Security Management in
ITIL
• Create, review and revise the information security
policy as per the requirements.
• Communicate, implement and enforce the security
policies adequately.
• Analyze and classify all the information and
documentation in possession.
• Implement a set of security controls and risk responses
and improve them.
• Constantly monitor and manage all breaches of security
and any major security incidents.
• Analyze, report on, and take the necessary actions in
order to decrease the volume and effect of security
incidents.
• Schedule and perform security reviews, audits, and
penetration tests.

COBIT framework
COBIT is the acronym for Control Objectives for Information and
Related Technologies.
The COBIT framework was created by ISACA to bridge the crucial gap
between technical issues, business risks and control requirements.
COBIT is used by both government and private sector
organizations because it helps in increasing the sensibility of IT processes.

COBIT 5 principles
Principle 1: Meeting stakeholder needs.
Principle 2: Covering the enterprise end to end.
Principle 3: Applying a single integrated framework.
Principle 4: Enabling a holistic approach.
Principle 5: Separating governance from management.

Case Study

https://www.isaca.org/resources/news-and-trends/industry-news/2014/information-security-management-at-hdfc-bank
