CHAPTER TWO
Fundamentals of Information System Security (ISS)
1. Core Principles of Information Security
Confidentiality
Confidentiality ensures that sensitive information is accessed only by authorized
individuals. It protects data from unauthorized disclosure.
Examples:
Encryption: Using encryption algorithms like AES to encrypt sensitive files
so that only authorized users with the decryption key can access the
contents.
Access Controls: Implementing role-based access control (RBAC) to limit
access to financial records to only those in the finance department.
Integrity
Integrity ensures that data remains accurate and unaltered during storage
and transmission. It helps maintain trust in data sources.
Examples
Hashing: Using SHA-256 to compute a fixed-length digest of a file. If the file
is altered, the digest changes, revealing the tampering. A bare hash only
catches accidental change, however: an attacker who can modify the file can
usually recompute the hash as well, so the reference digest must be stored or
delivered over a channel the attacker cannot write to, or replaced by a keyed
digest (HMAC) or a digital signature.
Digital Signatures: Signing emails so that recipients can verify the
sender's identity and confirm that the message has not been altered.
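As an added example (not from the original slides), the following Python shows the hashing check above and why a bare hash is not enough against a deliberate attacker: a keyed digest (HMAC-SHA256) cannot be recomputed without the key. The file contents and the key are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample "file" contents; not from the original slides.
ORIGINAL = b"Invoice #1042: pay 1,000.00 to ACME Ltd\n"
TAMPERED = b"Invoice #1042: pay 9,000.00 to ACME Ltd\n"


def sha256_hex(data: bytes) -> str:
    """Fixed-length SHA-256 digest of the data, as 64 hex characters."""
    return hashlib.sha256(data).hexdigest()


def unkeyed_check(data: bytes, published_digest: str) -> bool:
    """Integrity check with a bare hash: detects any change to the data,
    but only if the digest itself could not be replaced along with it."""
    return hmac.compare_digest(sha256_hex(data), published_digest)


def hmac_tag(key: bytes, data: bytes) -> str:
    """Keyed digest (HMAC-SHA256). Without the key, an attacker who
    modifies the data cannot produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def keyed_check(key: bytes, data: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, avoiding a timing side channel
    return hmac.compare_digest(hmac_tag(key, data), tag)


def demo() -> dict:
    key = b"shared-secret-key-kept-off-the-file-server"  # assumed, constructed key
    digest = sha256_hex(ORIGINAL)
    tag = hmac_tag(key, ORIGINAL)

    # Scenario 1: accidental edit or transmission error -> the hash catches it
    accidental = unkeyed_check(TAMPERED, digest)

    # Scenario 2: attacker edits the file AND recomputes the published hash
    attacker_digest = sha256_hex(TAMPERED)
    bare_hash_fooled = unkeyed_check(TAMPERED, attacker_digest)

    # Scenario 3: the same attacker cannot forge the keyed tag without the key
    forged_tag = hmac_tag(b"guess", TAMPERED)
    hmac_fooled = keyed_check(key, TAMPERED, forged_tag)
    hmac_ok = keyed_check(key, ORIGINAL, tag)

    return {
        "accidental_change_detected": not accidental,
        "bare_hash_fooled_by_attacker": bare_hash_fooled,
        "hmac_fooled_by_attacker": hmac_fooled,
        "hmac_accepts_original": hmac_ok,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same key-separation idea is what a digital signature provides without a shared secret: the signer holds the private key, and anyone with the public key can verify.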
Availability
Availability ensures that information and resources are accessible to
authorized users when needed. It involves maintaining system uptime
and functionality.
Examples
Redundancy: Setting up redundant servers in different geographic
locations to ensure that services remain available even if one server
fails.
Regular Maintenance: Applying routine system updates and keeping
tested backups so that failures can be recovered from without prolonged
downtime or data loss.
2. Risk Management
Risk management involves identifying, assessing, and mitigating risks
to an organization’s information systems. A risk combines the likelihood
that a threat exploits a vulnerability with the impact if it does; managing
risk proactively means reducing one or both before an incident occurs.
Steps:
Risk Assessment: Identifying assets (databases, applications),
vulnerabilities (outdated software), and potential threats
(cyberattacks), then rating each risk by likelihood and impact so that
the most serious ones are treated first.
• Example: Conducting a risk assessment to evaluate the likelihood of a data
breach and the potential impact on the organization.
Risk Mitigation: Implementing controls to reduce risk levels.
• Example: Installing firewalls to block unauthorized network access and
intrusion detection systems to detect attempts that get through (an IDS
detects; it does not by itself prevent).
Continuous Monitoring: Regularly reviewing risk levels and the
effectiveness of controls.
• Example: Using security information and event management (SIEM) tools to
correlate logs and network traffic and alert on suspicious activity.
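The SIEM-style monitoring mentioned above, as an added example rather than code from the slides: a small Python detector that parses authentication log lines, flags a source address that fails to log in five times within one minute, and records whether a successful login follows the burst (the sign that a password guess landed). The log lines, the hypothetical addresses and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format (not real logs).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[412]: Failed password for root from 203.0.113.7 port 51022
2024-03-01T09:00:03 sshd[412]: Failed password for admin from 203.0.113.7 port 51023
2024-03-01T09:00:04 sshd[412]: Failed password for root from 203.0.113.7 port 51024
2024-03-01T09:00:06 sshd[412]: Failed password for oracle from 203.0.113.7 port 51025
2024-03-01T09:00:07 sshd[412]: Failed password for root from 203.0.113.7 port 51026
2024-03-01T09:00:09 sshd[412]: Accepted password for root from 203.0.113.7 port 51027
2024-03-01T09:05:00 sshd[415]: Failed password for alice from 198.51.100.9 port 40001
2024-03-01T09:40:00 sshd[418]: Failed password for alice from 198.51.100.9 port 40002
2024-03-01T09:41:00 sshd[418]: Accepted publickey for alice from 198.51.100.9 port 40003
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+$"
)


def parse(log_text):
    """Yield (timestamp, result, user, ip) for each line that matches; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs with >= threshold failures inside a sliding window,
    and note a success from the same IP that follows the burst."""
    failures = defaultdict(list)   # ip -> failure timestamps still inside the window
    flagged = {}                   # ip -> {"first_seen", "count", "success_after"}
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            window_start = ts - window
            # drop failures older than the window, then append this one
            failures[ip] = [t for t in failures[ip] if t >= window_start] + [ts]
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged[ip] = {"first_seen": failures[ip][0],
                               "count": len(failures[ip]),
                               "success_after": None}
        elif result == "Accepted" and ip in flagged and flagged[ip]["success_after"] is None:
            flagged[ip]["success_after"] = (user, ts)
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The two slow failures from 198.51.100.9 are 35 minutes apart and never trip the rule, which is the point of a windowed threshold: it separates a user mistyping a password from an automated guessing run.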
3. Access Control Mechanisms
Access control mechanisms restrict access to information and
resources based on the identity, attributes, or roles of the requester.
They help prevent unauthorized access, and they should deny any request
that no rule explicitly allows.
Types:
Discretionary Access Control (DAC): the owner of the resource
(such as a file or system) has the authority to determine who can
access it. Permissions can be granted or revoked at the owner's
discretion.
• Example: A project manager can share project files with team members but
restrict access to others.
Mandatory Access Control (MAC):
• MAC enforces access controls based on security labels set by the system:
a classification on each resource and a clearance for each user, governed
by a system-wide policy determined by an administrator.
• Users cannot change access permissions, even on resources they created;
they can only access resources whose classification their clearance covers.
Example: In a military setting, classified documents may have different
security levels (e.g., confidential, secret, top secret), and only users with
the appropriate clearance can access them.
Role-Based Access Control (RBAC): Access is assigned based on roles
within the organization. Permissions are attached to roles rather than to
individual users, so a user gains or loses access by being added to or
removed from a role, which keeps access reviews manageable.
• Example: Employees in the HR department can access employee
records, while others cannot.
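An added example, not from the original slides, that puts the three models side by side in Python on the same file: DAC, where only the owner may edit the access list; MAC, where a fixed clearance-versus-classification comparison decides and nobody can relabel; and RBAC, where permissions belong to roles and users inherit them. All users, roles, labels, file names and permission strings are constructed for the example, and every check denies unless a rule explicitly allows.

```python
from dataclasses import dataclass, field

# Constructed ordering of MAC labels (higher number = more sensitive).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass
class Resource:
    name: str
    owner: str
    classification: str                      # MAC label on the object
    acl: dict = field(default_factory=dict)  # DAC: user -> set of permissions


@dataclass
class User:
    name: str
    clearance: str                           # MAC label on the subject
    roles: set = field(default_factory=set)  # RBAC role names


# RBAC: role -> permissions on resource *types* (constructed example roles)
ROLE_PERMS = {
    "finance": {"read:financial", "write:financial"},
    "hr": {"read:employee"},
    "auditor": {"read:financial", "read:employee"},
}


def dac_allows(user: User, res: Resource, perm: str) -> bool:
    """Owner always has access; others need an explicit ACL entry (deny otherwise)."""
    if user.name == res.owner:
        return True
    return perm in res.acl.get(user.name, set())


def dac_grant(actor: User, res: Resource, grantee: str, perm: str) -> bool:
    """Only the owner may change the ACL; any other actor is refused."""
    if actor.name != res.owner:
        return False
    res.acl.setdefault(grantee, set()).add(perm)
    return True


def mac_allows(user: User, res: Resource, perm: str) -> bool:
    """'No read up': reading requires clearance >= classification.
    Labels are fixed by the system; the user cannot alter them here."""
    if perm == "read":
        return LEVELS[user.clearance] >= LEVELS[res.classification]
    return False  # writes would need their own rule; deny by default


def rbac_allows(user: User, res_type: str, perm: str) -> bool:
    """Permission comes from the union of the user's roles, never from the user."""
    needed = f"{perm}:{res_type}"
    return any(needed in ROLE_PERMS.get(role, set()) for role in user.roles)


def demo() -> dict:
    alice = User("alice", "secret", {"finance"})
    bob = User("bob", "confidential", {"hr"})
    plan = Resource("plan.xlsx", owner="alice", classification="secret")
    out = {}
    out["dac_bob_before_share"] = dac_allows(bob, plan, "read")
    out["dac_bob_tries_self_grant"] = dac_grant(bob, plan, "bob", "read")
    dac_grant(alice, plan, "bob", "read")              # owner shares the file
    out["dac_bob_after_share"] = dac_allows(bob, plan, "read")
    out["mac_bob_reads_secret"] = mac_allows(bob, plan, "read")   # confidential < secret
    out["mac_alice_reads_secret"] = mac_allows(alice, plan, "read")
    out["rbac_alice_reads_financial"] = rbac_allows(alice, "financial", "read")
    out["rbac_bob_reads_financial"] = rbac_allows(bob, "financial", "read")
    out["rbac_unknown_perm"] = rbac_allows(alice, "financial", "delete")
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Note that under DAC the owner's share succeeds, whereas under MAC the same share would be meaningless: bob's clearance is below the file's classification, and no owner decision can override that.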
4. Security Policies and Procedures
A security policy is a set of rules and procedures that outline how an organization
manages and protects its information. It is a high-level document that
includes directives, regulations, practices, and rules.
Security policies and procedures provide guidelines for acceptable
use, data protection, and incident response.
They are essential for ensuring compliance and establishing a security
framework.
The different types of security policy
1. Access Control Policy
Purpose: To define who can access information systems and how.
Key Points:
User access is granted based on the principle of least privilege.
All user accounts must have unique identifiers.
Access reviews should be conducted on a regular basis and whenever a user
changes role or leaves.
2. Data Protection Policy
Purpose: To safeguard sensitive data from unauthorized access and
breaches.
Key Points:
Data encryption must be used for sensitive data in transit and at rest.
Regular backups of critical data should be performed and tested.
Retention schedules for data should be established and enforced.
3. Incident Response Policy
Purpose: To outline the procedures for responding to security incidents.
Key Points:
Establish a response team responsible for managing security
incidents.
Define steps for identifying, containing, eradicating, and recovering
from incidents.
Conduct post-incident reviews to improve future responses.
4. Acceptable Use Policy
Purpose: To provide guidelines for acceptable behavior when using
organizational resources.
Key Points:
Employees must use company resources for legitimate business
purposes only.
Use of unauthorized software and websites is prohibited.
Clear consequences for violations of the policy.
5. Password Policy
Purpose: To ensure the security of user passwords.
Key Points:
Passwords must meet a minimum length requirement; length contributes more
than forced symbol or case mixing, and new passwords should be screened
against lists of known-breached passwords.
Passwords have traditionally been changed every 90 days. Current NIST
guidance (SP 800-63B) instead recommends changing a password when there is
evidence of compromise, because scheduled rotation pushes users toward
predictable variations.
Multi-factor authentication (MFA) should be implemented wherever
possible.
6. Remote Access Policy
Purpose: To secure remote access to the organization’s information
systems.
Key Points:
Only approved devices may connect to the network remotely.
Use of VPNs is mandatory for remote access.
Regular audits of remote access logs should be conducted.
7. Security Awareness Training Policy
Purpose: To educate employees about security risks and best practices.
Key Points:
All employees must complete security awareness training annually.
Training should cover topics such as phishing, social engineering, and
data protection.
Ongoing updates and refreshers should be provided as needed.
8. Change Management Policy
Purpose: To manage changes to information systems in a controlled
manner.
Key Points:
All changes must be documented and approved before
implementation.
Changes should be tested in a controlled environment before
deployment.
A rollback plan must be in place for critical changes.
9. Physical Security Policy
Purpose: To protect physical assets and facilities.
Key Points:
Access to sensitive areas must be restricted to authorized personnel
only.
Surveillance systems should be in place to monitor critical areas.
Procedures for visitor access should be established and enforced.
10. Mobile Device Management Policy
Purpose: To secure mobile devices that access organizational resources.
Key Points:
All mobile devices must be enrolled in a mobile device management
(MDM) system.
Devices must be configured to require PINs or passwords.
Lost or stolen devices must be reported immediately, and appropriate
actions taken.
11. Encryption
Encryption is the process of converting information into a form that is
unreadable without the correct decryption key. It protects data
confidentiality. On its own it does not guarantee integrity, so modern
practice pairs it with authentication (an authenticated mode such as
AES-GCM, or a separate MAC over the ciphertext).
Types:
Symmetric Encryption: The same key is used for encryption and decryption,
so the key must be shared secretly in advance.
Example: AES (Advanced Encryption Standard) is commonly used for
encrypting files and communications.
Asymmetric Encryption: Uses a pair of keys (public and private).
Example: RSA (Rivest-Shamir-Adleman) is used for secure data
transmission: the public key encrypts data and only the matching private key
decrypts it. Because RSA is slow for bulk data, protocols such as TLS use it
(or Diffie-Hellman) to establish a symmetric session key and then encrypt
the traffic with AES.
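An added illustration (not code from the slides) of the public/private key relationship using textbook RSA with tiny primes in Python; it also demonstrates the digital-signature example from the Integrity section, signing with the private key and verifying with the public one. The primes, exponent and message are constructed. Real systems use 2048-bit or larger keys with OAEP/PSS padding from a vetted library; this toy is breakable by hand and must never protect real data.

```python
import hashlib
from math import gcd

# Textbook RSA with tiny primes, for illustration ONLY. Real deployments use
# >= 2048-bit keys, OAEP/PSS padding and a vetted library; n = 3233 below can
# be factored by hand, so this toy offers no security.


def generate_keypair(p: int, q: int, e: int = 17):
    """Return (public_key, private_key) = ((e, n), (d, n)) from two primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)          # modular inverse: e*d == 1 (mod phi); Python 3.8+
    return (e, n), (d, n)


def encrypt(public_key, m: int) -> int:
    """Anyone holding the PUBLIC key can encrypt."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key, c: int) -> int:
    """Only the PRIVATE key holder can decrypt."""
    d, n = private_key
    return pow(c, d, n)


def sign(private_key, message: bytes) -> int:
    """Signature = SHA-256 of the message, reduced mod n, raised to the private
    exponent. (The 'mod n' step is a toy shortcut; real schemes pad the hash.)"""
    d, n = private_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(h, d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone with the PUBLIC key can check that the signer held the private
    key and that the message is unchanged since signing."""
    e, n = public_key
    h = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == h


def demo() -> dict:
    pub, priv = generate_keypair(61, 53)     # n = 3233, phi = 3120, d = 2753
    c = encrypt(pub, 65)                     # constructed numeric message
    msg = b"transfer 100 to account 42"      # constructed message to sign
    sig = sign(priv, msg)
    return {
        "ciphertext": c,
        "roundtrip": decrypt(priv, c),
        "sig_valid": verify(pub, msg, sig),
        "sig_rejects_altered": verify(pub, b"transfer 900 to account 42", sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The asymmetry is the whole point: encrypt and verify need only the public key, which can be published, while decrypt and sign need the private key, which never leaves its owner.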
12. Security Awareness training
This training educates employees about security risks and best
practices to reduce human error, which is often a significant factor in
security breaches.
13. Compliance and Legal Considerations
Organizations must adhere to various laws and regulations that govern
data protection and privacy. Compliance is crucial for avoiding legal
penalties and protecting the organization’s reputation.
Examples:
GDPR (General Data Protection Regulation): Applies to organizations
that process the personal data of individuals in the EU, wherever the
organization itself is located, and requires strict data protection
measures.
HIPAA (Health Insurance Portability and Accountability Act):
Governs the protection of sensitive patient health information in the
U.S.
PCI DSS (Payment Card Industry Data Security Standard): An industry
standard, enforced through card-brand contracts rather than by law, that
sets security requirements for any organization that stores, processes, or
transmits payment card data.
14. Physical Security
Physical security measures protect physical assets and facilities from
unauthorized access and damage, ensuring that information systems are
safe from environmental threats and intrusions.
Components:
Access Controls: Implementing key card systems to restrict entry to
sensitive areas.
Surveillance: Using CCTV cameras to monitor entry points and
sensitive areas.
Environmental Controls: Installing fire suppression systems and
climate control to protect hardware from damage.
Principles of Information Systems Security
The core principles guiding IS Security include:
Least Privilege: Users should have the minimum level of access
necessary to perform their job functions.
Separation of Duties: Dividing responsibilities among different
individuals to reduce the risk of fraud or error.
Fail-Safe Defaults: Systems should be configured to deny access by
default, only allowing access when explicitly granted.
Auditing and Monitoring: Continuous logging and monitoring of
systems to detect and respond to security incidents.
Plan, Design, and Implement IS Security
The process of planning, designing, and implementing IS Security
involves several steps:
Assessment: Conducting a thorough risk assessment to identify
vulnerabilities and threats to information assets.
Strategic Planning: Developing a security strategy that aligns with
organizational goals and risk tolerance.
Designing Security Controls: Selecting appropriate technical and
administrative controls based on the assessed risks.
Implementation: Deploying security measures, training employees,
and establishing security policies.
Monitoring and Review: Continuously monitoring security systems
and policies to ensure effectiveness and making adjustments as
necessary.
END OF CHAPTER TWO