SlideShare a Scribd company logo

chapter 1. Introduction to Information Security

Download as PPT, PDF
E
elmuhammadmuhammad

This document provides an introduction to information security, discussing its evolution from computer security in the 1960s to current threats in the information age. It outlines essential concepts, the systems development life cycle for managing information security, and the roles of professionals within organizations. Additionally, it emphasizes the importance of confidentiality, integrity, and availability in securing information, and describes various threats and protective measures.

Technology
1 of 44
Downloaded 85 times
1
2
3
4
5
6
7
8
9
10
11
Most read
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Most read
30
31
32
33
34
35
36
37
38
Most read
39
40
41
42
43
44
SQUARE NORTH TECHNOLOGIES Information Security Training Chapter 1 Introduction to Information Security Muhammad Lawal Chief Executive Officer elmuhammadm@gmail.com 08124350304
Learning Objectives  Understand what information security is and how it came to mean what it does today.  Comprehend the history of computer security and how it evolved into information security.  Understand the key terms and critical concepts of information security as presented in the chapter.  Outline the phases of the security systems development life cycle.  Understand the role professionals involved in information security in an organizational structure.  Understand the business need for information security.  Understand a successful information security program is the responsibility of an organization‘s general management and I T management.  Understand the some threats posed to information security and the more common attacks associated with those threats.
Introduction  Some hundreds of years ago, we would have been making living on agriculture.  Say a hundred years ago you were likely to be making a living working in a factory.  Today, we live in the information age where everyone has a job somehow connected to information stored in digital form on a network.
The History Of Information Security Computer security began immediately after the first mainframes were developed Physical controls were needed to limit access to authorized personnel to sensitive military locations Only rudimentary controls were available to defend against physical theft, espionage, and sabotage
The 1960s • Department of Defense’s Advanced Research Project Agency (ARPA) began examining the feasibility of a redundant networked communi cations
chapter 1. Introduction to Information Security
The 1970s and 80s • ARPANET grew in popularity as did its potential for misuse • Fundamental problems with ARPANET security were identified – No safety procedures for dial-up connections to the ARPANET – User identification and authorization to the system were non-existent • In the late 1970s the microprocessor expanded computing capabilities and security threats
R-609 – The Start of the Study of Computer Security • Information Security began with Rand Report R-609 • The scope of computer security grew from physical security to include: – Safety of the data – Limiting unauthorized access to that data – Involvement of personnel from multiple levels of the organization
The 1990s • Networks of computers became more common, so too did the need to interconnect the networks • Resulted in the Internet, the first manifestation of a global network of networks • In early Internet deployments, security was treated as a low priority
The Present • The Internet has brought millions of computer networks into communication with each other – many of them unsecured • Ability to secure each now influenced by the security on every computer to which it is connected
What is Security?  The quality or state of being secure—to be fre e from danger  A successful organization should have multipl e layers of security in place: • Physical security • Personal security • Operations security • Communications security • Network security • Information security
Critical Characteristics of Information • The value of information comes from the char acteristics it possesses: – Availability – Accuracy – Authenticity – Confidentiality – Integrity – Utility – Possession
Components of an Information System • Information system (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organisation
Bottom Up Approach • Security from a grass-roots effort - systems administrators attempt to improve the security of their systems • Key advantage - technical expertise of the individual administrators • Seldom works, as it lacks a number of critical features: – participant support – organizational staying power
Top-down Approach • Initiated by upper management: – issue policy, procedures, and processes – dictate the goals and expected outcomes of the project – determine who is accountable for each of the required actions • This approach has strong upper management support, a dedicated champion, dedicated funding, clear planning, and the chance to influence organizational culture • May also involve a formal development strategy referred to as a systems development life cycle – Most successful top-down approach
chapter 1. Introduction to Information Security
The Systems Development Life Cycle • Information security must be managed in a manner similar to any other major system implemented in the organization • Using a methodology – ensures a rigorous process – avoids missing steps • The goal is creating a comprehensive security posture/program
The Security Systems Development Life Cycle • The same phases used in traditional SDLC may be adapte d to support specialized implementation of an IS project • Investigation • Analysis • Logical design • Physical design • Implementation • Maintenance & change • Identification of specific threats and creating controls to counter them • SecSDLC is a coherent program rather than a seri es of random, seemingly unconnected actions
chapter 1. Introduction to Information Security
Investigation • Identifies process, outcomes, goals, and const raints of the project • Begins with enterprise information security po licy • Organizational feasibility analysis is performed
Analysis • Documents from investigation phase are studied • Analyzes existing security policies or programs, a long with documented current threats and assoc iated controls • Includes analysis of relevant legal issues that co uld impact design of the security solution • The risk management task begins
Logical Design • Creates and develops blueprints for information secu rity • Incident response actions planned: – Continuity planning – Incident response – Disaster recovery • Feasibility analysis to determine whether project sho uld continue or be outsourced
Physical Design • Needed security technology is evaluated, alternatives generated, and final design selected • At end of phase, feasibility study determines readiness of organization for project
Implementation • Security solutions are acquired, tested, implemented, and tested again • Personnel issues evaluated; specific training and education programs conducted • Entire tested package is presented to management for final approval
Maintenance and Change • Perhaps the most important phase, given the ever-changing threat environment • Often, reparation and restoration of information is a constant duel with an unseen adversary • Information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve
Professionals involved in information security within an organization Senior Management  Chief Information Officer (CIO) • Senior technology officer • Primarily responsible for advising senior executives on strategic planning  Chief Information Security Officer (CISO) • Primarily responsible for assessment, management, an d implementation of IS in the organization • Usually reports directly to the CIO
Information Security Project Team  A number of individuals who are experienced in one or more facets of required technical an d nontechnical areas: • Champion • Team leader • Security policy developers • Risk assessment specialists • Security professionals • Systems administrators • End users
Data Ownership • Data owner: responsible for the security and u se of a particular set of information • Data custodian: responsible for storage, maint enance, and protection of information • Data users: end users who work with informat ion to perform their daily jobs supporting the mission of the organization
What is Information Security? • “The concepts, techniques, technical measures, and adminis trative measures used to protect information assets from deli berate or inadvertent unauthorised acquisition, damage, discl osure, manipulation, modification, loss, or use is information security.” or • means protecting information and information systems from unauthorised access, use, disclosure, modification or destructi on. or • Implementing suitable controls - policies, practices, procedur es, organisational structures, software, etc, to secure informa tion for any information user.
• The protection of information and its critical e lements, including systems and hardware that use, store, and transmit that information • Necessary tools: policy, awareness, training, e ducation, technology • C.I.A. triangle was standard based on confiden tiality, integrity, and availability • C.I.A. triangle now expanded into list of critica l characteristics of information
How Can Information Security Be Achieved Access to network resource will be granted through a unique user ID and password Passwords will be 8 characters long Passwords should include one non-alpha and not found in dictionary Information Security is achieved by implementing a suitable set of controls, which could be: These controls need to be established in order to ensure that the specific security objectives of the organization are met.
Information Security Goals  Confidentiality - making sure that those who should not see the information can not see it.  Integrity - making sure the information has not been changed from how it was intended to be.  Availability – making sure the information is available for use when needed.
Confidentiality Integrity Availability Security Goals
Securing Components • Computer can be subject of an attack and/or the obj ect of an attack – When the subject of an attack, computer is used as an active tool to conduct attack – When the object of an attack, computer is the entity b eing attacked
chapter 1. Introduction to Information Security
Balancing Information Security and Access • Impossible to obtain perfect security—it is a p rocess, not an absolute • Security should be considered balance betwee n protection and availability • To achieve balance, level of security must allo w reasonable access, yet protect against threa ts
Balancing security and access
The Need for Information Security Business Needs First Technology Needs Last Information security performs three important functions for an organization: • Protects the organization‘s ability to function – Communities of interest must argue for information security in ter ms of impact and cost • Enables the safe operation of applications implemented on the organization‘s IT systems – Organizations must create integrated, efficient, and capable applic ations – Organization need environments that safeguard applications
• Protects the data the organization collects and uses – One of the most valuable assets is data – Without data, an organization loses its record of trans actions and/or its ability to deliver value to its custom ers – An effective information security program is essential to the protection of the integrity and value of the orga nization‘s data Technology Needs • Safeguards the technological assets in use at the organi zation • Organizations must have secure infrastructure services b ased on the size and scope of the enterprise
Areas of Information System Security  Data security  Computer security  LAN or Network security  Internet security
Major Threats & Issues Basic Threats  Theft of password  E-mail based threats  E-mail based extortion  Launch of malicious codes (trojans)
Corporate threats • Web defacement • Corporate espionage • Website based launch of malicious code cheating and fraud • Exchange of criminal ideas and tools • Cyber harassment • Forge websites Online threats • E-mail spamming • Theft of software and electronic records • Cyber stalking • E-mail bombing • Denial of service attacks
Protecting your computer and network  Physical security  Securing desktop computers  Securing laptops/notebooks/handheld computers  Securing network security  Software security  Protect against internet intruders with firewall s and IDS  Protect against viruses and other malware  Protect against spyware and adware  Protect against unwanted email
General spam protection practices  Do not give out your email address indiscriminately  Leave your email signature line blank if you post to a newsgroup  Do not reply to junk messages  Do not open obvious spam mails  Report to appropriate person – systems administrator

More Related Content

What's hot (20)

PPTX
Network security
quest university nawabshah
 
PPT
Security Attacks.ppt
Zaheer720515
 
PDF
Network security - OSI Security Architecture
BharathiKrishna6
 
PPTX
02 Legal, Ethical, and Professional Issues in Information Security
sappingtonkr
 
PPT
Network security
Gichelle Amon
 
PPTX
Network security (vulnerabilities, threats, and attacks)
Fabiha Shahzad
 
PPSX
Security policies
Nishant Pahad
 
PPTX
Network security model.pptx
ssuserd24233
 
PDF
Network Security Fundamentals
Rahmat Suhatman
 
PPT
Intrusion Detection Systems and Intrusion Prevention Systems
Cleverence Kombe
 
PPTX
Information Security Risk Management
Nikhil Soni
 
PPTX
Information security
avinashbalakrishnan2
 
PPTX
Cia security model
Imran Ahmed
 
PPTX
Types of attacks
Vivek Gandhi
 
PPTX
System security
sommerville-videos
 
PPTX
The CIA triad.pptx
GulnurAzat
 
PPT
Chapter 3: Information Security Framework
Nada G.Youssef
 
PDF
Authentication techniques
IGZ Software house
 
PPTX
Security vulnerability
A. Shamel
 
PDF
Cyber security
Shivam Yadav
 
Network security
quest university nawabshah
 
Security Attacks.ppt
Zaheer720515
 
Network security - OSI Security Architecture
BharathiKrishna6
 
02 Legal, Ethical, and Professional Issues in Information Security
sappingtonkr
 
Network security
Gichelle Amon
 
Network security (vulnerabilities, threats, and attacks)
Fabiha Shahzad
 
Security policies
Nishant Pahad
 
Network security model.pptx
ssuserd24233
 
Network Security Fundamentals
Rahmat Suhatman
 
Intrusion Detection Systems and Intrusion Prevention Systems
Cleverence Kombe
 
Information Security Risk Management
Nikhil Soni
 
Information security
avinashbalakrishnan2
 
Cia security model
Imran Ahmed
 
Types of attacks
Vivek Gandhi
 
System security
sommerville-videos
 
The CIA triad.pptx
GulnurAzat
 
Chapter 3: Information Security Framework
Nada G.Youssef
 
Authentication techniques
IGZ Software house
 
Security vulnerability
A. Shamel
 
Cyber security
Shivam Yadav
 

Similar to chapter 1. Introduction to Information Security (20)

PPT
Introduction to information security
Kumawat Dharmpal
 
PPT
01Introduction to Information Security.ppt
it160320737038
 
PDF
Introduction to Cybersecurity.pdf
ssuserf98dd4
 
PPTX
Information security Chap 1 whitman.pptx
sania82678
 
PPTX
Introduction to information security
KATHEESKUMAR S
 
PPTX
Introduction-to-Information-Security.pptx
SittieAmaniAlonto
 
PPT
is_1_Introduction to Information Security
SARJERAO Sarju
 
PPTX
IS Chap 1 by whitman chapter 1 pptx.pptx
sania82678
 
PPTX
Week 1 - Introduction to CyberSecurity.pptx
juancx3
 
PPTX
Human Factors_MODULE_2.pptx
Shreeveni
 
PDF
Chapter 1 introduction(web security)
Kirti Ahirrao
 
PPTX
SECURITY AND CONTROL
shinydey
 
PPT
IT8073 INFORMATION SECURITY FOR FINAL YEAR COMPUTER SCIENCE ENGINEERING
ThumilvannanSambanda
 
PPTX
ICS_Unit-I_Foundations of Information Security
KartikMaski
 
PDF
Unit 1&2.pdf
Ndheh
 
PPT
Information security
Praveen Minz
 
PDF
Introduction to informationsecurity lecture1.pdf
OmerMohamed64
 
PPT
information security management
Gurpreetkaur838
 
PPT
Information security
razendar79
 
PPTX
Chapter 1 Introduction about information assurance.pptx
mc0225225
 
Introduction to information security
Kumawat Dharmpal
 
01Introduction to Information Security.ppt
it160320737038
 
Introduction to Cybersecurity.pdf
ssuserf98dd4
 
Information security Chap 1 whitman.pptx
sania82678
 
Introduction to information security
KATHEESKUMAR S
 
Introduction-to-Information-Security.pptx
SittieAmaniAlonto
 
is_1_Introduction to Information Security
SARJERAO Sarju
 
IS Chap 1 by whitman chapter 1 pptx.pptx
sania82678
 
Week 1 - Introduction to CyberSecurity.pptx
juancx3
 
Human Factors_MODULE_2.pptx
Shreeveni
 
Chapter 1 introduction(web security)
Kirti Ahirrao
 
SECURITY AND CONTROL
shinydey
 
IT8073 INFORMATION SECURITY FOR FINAL YEAR COMPUTER SCIENCE ENGINEERING
ThumilvannanSambanda
 
ICS_Unit-I_Foundations of Information Security
KartikMaski
 
Unit 1&2.pdf
Ndheh
 
Information security
Praveen Minz
 
Introduction to informationsecurity lecture1.pdf
OmerMohamed64
 
information security management
Gurpreetkaur838
 
Information security
razendar79
 
Chapter 1 Introduction about information assurance.pptx
mc0225225
 
Ad

Recently uploaded (20)

PPTX
WooCommerce Workshop: Bring Your Laptop
Laura Hartwig
 
PDF
Building Real-Time Digital Twins with IBM Maximo & ArcGIS Indoors
Safe Software
 
PDF
CIFDAQ Token Spotlight for 9th July 2025
CIFDAQ
 
PDF
July Patch Tuesday
Ivanti
 
PDF
Exolore The Essential AI Tools in 2025.pdf
Srinivasan M
 
PDF
How Startups Are Growing Faster with App Developers in Australia.pdf
India App Developer
 
PDF
DevBcn - Building 10x Organizations Using Modern Productivity Metrics
Justin Reock
 
PDF
Bitcoin for Millennials podcast with Bram, Power Laws of Bitcoin
Stephen Perrenod
 
PDF
Using FME to Develop Self-Service CAD Applications for a Major UK Police Force
Safe Software
 
PDF
Agentic AI lifecycle for Enterprise Hyper-Automation
Debmalya Biswas
 
PDF
Complete JavaScript Notes: From Basics to Advanced Concepts.pdf
haydendavispro
 
PPTX
From Sci-Fi to Reality: Exploring AI Evolution
Svetlana Meissner
 
PDF
Jak MŚP w Europie Środkowo-Wschodniej odnajdują się w świecie AI
dominikamizerska1
 
PDF
Achieving Consistent and Reliable AI Code Generation - Medusa AI
medusaaico
 
PDF
"AI Transformation: Directions and Challenges", Pavlo Shaternik
Fwdays
 
PDF
From Code to Challenge: Crafting Skill-Based Games That Engage and Reward
aiyshauae
 
PDF
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 
PPTX
AI Penetration Testing Essentials: A Cybersecurity Guide for 2025
defencerabbit Team
 
PPTX
COMPARISON OF RASTER ANALYSIS TOOLS OF QGIS AND ARCGIS
Sharanya Sarkar
 
PPTX
Q2 FY26 Tableau User Group Leader Quarterly Call
lward7
 
WooCommerce Workshop: Bring Your Laptop
Laura Hartwig
 
Building Real-Time Digital Twins with IBM Maximo & ArcGIS Indoors
Safe Software
 
CIFDAQ Token Spotlight for 9th July 2025
CIFDAQ
 
July Patch Tuesday
Ivanti
 
Exolore The Essential AI Tools in 2025.pdf
Srinivasan M
 
How Startups Are Growing Faster with App Developers in Australia.pdf
India App Developer
 
DevBcn - Building 10x Organizations Using Modern Productivity Metrics
Justin Reock
 
Bitcoin for Millennials podcast with Bram, Power Laws of Bitcoin
Stephen Perrenod
 
Using FME to Develop Self-Service CAD Applications for a Major UK Police Force
Safe Software
 
Agentic AI lifecycle for Enterprise Hyper-Automation
Debmalya Biswas
 
Complete JavaScript Notes: From Basics to Advanced Concepts.pdf
haydendavispro
 
From Sci-Fi to Reality: Exploring AI Evolution
Svetlana Meissner
 
Jak MŚP w Europie Środkowo-Wschodniej odnajdują się w świecie AI
dominikamizerska1
 
Achieving Consistent and Reliable AI Code Generation - Medusa AI
medusaaico
 
"AI Transformation: Directions and Challenges", Pavlo Shaternik
Fwdays
 
From Code to Challenge: Crafting Skill-Based Games That Engage and Reward
aiyshauae
 
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 
AI Penetration Testing Essentials: A Cybersecurity Guide for 2025
defencerabbit Team
 
COMPARISON OF RASTER ANALYSIS TOOLS OF QGIS AND ARCGIS
Sharanya Sarkar
 
Q2 FY26 Tableau User Group Leader Quarterly Call
lward7
 
Ad

chapter 1. Introduction to Information Security

  • 1. SQUARE NORTH TECHNOLOGIES Information Security Training Chapter 1 Introduction to Information Security Muhammad Lawal Chief Executive Officer [email protected] 08124350304
  • 2. Learning Objectives  Understand what information security is and how it came to mean what it does today.  Comprehend the history of computer security and how it evolved into information security.  Understand the key terms and critical concepts of information security as presented in the chapter.  Outline the phases of the security systems development life cycle.  Understand the role professionals involved in information security in an organizational structure.  Understand the business need for information security.  Understand a successful information security program is the responsibility of an organization‘s general management and I T management.  Understand the some threats posed to information security and the more common attacks associated with those threats.
  • 3. Introduction  Some hundreds of years ago, we would have been making living on agriculture.  Say a hundred years ago you were likely to be making a living working in a factory.  Today, we live in the information age where everyone has a job somehow connected to information stored in digital form on a network.
  • 4. The History Of Information Security Computer security began immediately after the first mainframes were developed Physical controls were needed to limit access to authorized personnel to sensitive military locations Only rudimentary controls were available to defend against physical theft, espionage, and sabotage
  • 5. The 1960s • Department of Defense’s Advanced Research Project Agency (ARPA) began examining the feasibility of a redundant networked communi cations
  • 7. The 1970s and 80s • ARPANET grew in popularity as did its potential for misuse • Fundamental problems with ARPANET security were identified – No safety procedures for dial-up connections to the ARPANET – User identification and authorization to the system were non-existent • In the late 1970s the microprocessor expanded computing capabilities and security threats
  • 8. R-609 – The Start of the Study of Computer Security • Information Security began with Rand Report R-609 • The scope of computer security grew from physical security to include: – Safety of the data – Limiting unauthorized access to that data – Involvement of personnel from multiple levels of the organization
  • 9. The 1990s • Networks of computers became more common, so too did the need to interconnect the networks • Resulted in the Internet, the first manifestation of a global network of networks • In early Internet deployments, security was treated as a low priority
  • 10. The Present • The Internet has brought millions of computer networks into communication with each other – many of them unsecured • Ability to secure each now influenced by the security on every computer to which it is connected
  • 11. What is Security?  The quality or state of being secure—to be fre e from danger  A successful organization should have multipl e layers of security in place: • Physical security • Personal security • Operations security • Communications security • Network security • Information security
  • 12. Critical Characteristics of Information • The value of information comes from the char acteristics it possesses: – Availability – Accuracy – Authenticity – Confidentiality – Integrity – Utility – Possession
  • 13. Components of an Information System • Information system (IS) is the entire set of software, hardware, data, people, procedures, and networks necessary to use information as a resource in the organisation
  • 14. Bottom Up Approach • Security from a grass-roots effort - systems administrators attempt to improve the security of their systems • Key advantage - technical expertise of the individual administrators • Seldom works, as it lacks a number of critical features: – participant support – organizational staying power
  • 15. Top-down Approach • Initiated by upper management: – issue policy, procedures, and processes – dictate the goals and expected outcomes of the project – determine who is accountable for each of the required actions • This approach has strong upper management support, a dedicated champion, dedicated funding, clear planning, and the chance to influence organizational culture • May also involve a formal development strategy referred to as a systems development life cycle – Most successful top-down approach
  • 17. The Systems Development Life Cycle • Information security must be managed in a manner similar to any other major system implemented in the organization • Using a methodology – ensures a rigorous process – avoids missing steps • The goal is creating a comprehensive security posture/program
  • 18. The Security Systems Development Life Cycle • The same phases used in traditional SDLC may be adapte d to support specialized implementation of an IS project • Investigation • Analysis • Logical design • Physical design • Implementation • Maintenance & change • Identification of specific threats and creating controls to counter them • SecSDLC is a coherent program rather than a seri es of random, seemingly unconnected actions
  • 20. Investigation • Identifies process, outcomes, goals, and const raints of the project • Begins with enterprise information security po licy • Organizational feasibility analysis is performed
  • 21. Analysis • Documents from investigation phase are studied • Analyzes existing security policies or programs, a long with documented current threats and assoc iated controls • Includes analysis of relevant legal issues that co uld impact design of the security solution • The risk management task begins
  • 22. Logical Design • Creates and develops blueprints for information secu rity • Incident response actions planned: – Continuity planning – Incident response – Disaster recovery • Feasibility analysis to determine whether project sho uld continue or be outsourced
  • 23. Physical Design • Needed security technology is evaluated, alternatives generated, and final design selected • At end of phase, feasibility study determines readiness of organization for project
  • 24. Implementation • Security solutions are acquired, tested, implemented, and tested again • Personnel issues evaluated; specific training and education programs conducted • Entire tested package is presented to management for final approval
  • 25. Maintenance and Change • Perhaps the most important phase, given the ever-changing threat environment • Often, reparation and restoration of information is a constant duel with an unseen adversary • Information security profile of an organization requires constant adaptation as new threats emerge and old threats evolve
  • 26. Professionals involved in information security within an organization Senior Management  Chief Information Officer (CIO) • Senior technology officer • Primarily responsible for advising senior executives on strategic planning  Chief Information Security Officer (CISO) • Primarily responsible for assessment, management, an d implementation of IS in the organization • Usually reports directly to the CIO
  • 27. Information Security Project Team  A number of individuals who are experienced in one or more facets of required technical an d nontechnical areas: • Champion • Team leader • Security policy developers • Risk assessment specialists • Security professionals • Systems administrators • End users
  • 28. Data Ownership • Data owner: responsible for the security and u se of a particular set of information • Data custodian: responsible for storage, maint enance, and protection of information • Data users: end users who work with informat ion to perform their daily jobs supporting the mission of the organization
  • 29. What is Information Security? • “The concepts, techniques, technical measures, and adminis trative measures used to protect information assets from deli berate or inadvertent unauthorised acquisition, damage, discl osure, manipulation, modification, loss, or use is information security.” or • means protecting information and information systems from unauthorised access, use, disclosure, modification or destructi on. or • Implementing suitable controls - policies, practices, procedur es, organisational structures, software, etc, to secure informa tion for any information user.
  • 30. • The protection of information and its critical e lements, including systems and hardware that use, store, and transmit that information • Necessary tools: policy, awareness, training, e ducation, technology • C.I.A. triangle was standard based on confiden tiality, integrity, and availability • C.I.A. triangle now expanded into list of critica l characteristics of information
  • 31. How Can Information Security Be Achieved Access to network resource will be granted through a unique user ID and password Passwords will be 8 characters long Passwords should include one non-alpha and not found in dictionary Information Security is achieved by implementing a suitable set of controls, which could be: These controls need to be established in order to ensure that the specific security objectives of the organization are met.
  • 32. Information Security Goals  Confidentiality - making sure that those who should not see the information can not see it.  Integrity - making sure the information has not been changed from how it was intended to be.  Availability – making sure the information is available for use when needed.
  • 34. Securing Components • Computer can be subject of an attack and/or the obj ect of an attack – When the subject of an attack, computer is used as an active tool to conduct attack – When the object of an attack, computer is the entity b eing attacked
  • 36. Balancing Information Security and Access • Impossible to obtain perfect security—it is a p rocess, not an absolute • Security should be considered balance betwee n protection and availability • To achieve balance, level of security must allo w reasonable access, yet protect against threa ts
  • 38. The Need for Information Security Business Needs First Technology Needs Last Information security performs three important functions for an organization: • Protects the organization‘s ability to function – Communities of interest must argue for information security in ter ms of impact and cost • Enables the safe operation of applications implemented on the organization‘s IT systems – Organizations must create integrated, efficient, and capable applic ations – Organization need environments that safeguard applications
  • 39. • Protects the data the organization collects and uses – One of the most valuable assets is data – Without data, an organization loses its record of trans actions and/or its ability to deliver value to its custom ers – An effective information security program is essential to the protection of the integrity and value of the orga nization‘s data Technology Needs • Safeguards the technological assets in use at the organi zation • Organizations must have secure infrastructure services b ased on the size and scope of the enterprise
  • 40. Areas of Information System Security  Data security  Computer security  LAN or Network security  Internet security
  • 41. Major Threats & Issues Basic Threats  Theft of password  E-mail based threats  E-mail based extortion  Launch of malicious codes (trojans)
  • 42. Corporate threats • Web defacement • Corporate espionage • Website based launch of malicious code cheating and fraud • Exchange of criminal ideas and tools • Cyber harassment • Forge websites Online threats • E-mail spamming • Theft of software and electronic records • Cyber stalking • E-mail bombing • Denial of service attacks
  • 43. Protecting your computer and network  Physical security  Securing desktop computers  Securing laptops/notebooks/handheld computers  Securing network security  Software security  Protect against internet intruders with firewall s and IDS  Protect against viruses and other malware  Protect against spyware and adware  Protect against unwanted email
  • 44. General spam protection practices  Do not give out your email address indiscriminately  Leave your email signature line blank if you post to a newsgroup  Do not reply to junk messages  Do not open obvious spam mails  Report to appropriate person – systems administrator

Editor's Notes