Semey State Medical University. Topic: Security risks of information. Industry of Cybersafety. Cybersafety and control of the Internet. Prepared by:

Transcript:

Semey State Medical University. Topic: Security risks of information. Industry of Cybersafety. Cybersafety and control of the Internet. Prepared by: 1st-year student, faculty: ОМФ, Иброхимов Ш.И. Checked by: Абдуакитова А.Е. Semey, 2016

What is Information?
What is Information Security?
What is RISK?
An Introduction to ISO for information technology
User Responsibilities

What Is Information Security
- The architecture where an integrated combination of appliances, systems and solutions, software, alarms, and vulnerability scans work together
- Monitored 24x7
- Having People, Processes, Technology, policies, procedures
- Security is for PPT (People, Processes, Technology) and not only for appliances or devices
5/13/ Mohan Kamat

PEOPLE: Organization Staff
PROCESSES: Business Processes
TECHNOLOGY: Technology used by Organisation

Technology: what we use to improve what we do
Application software:
- Finance and assets systems, including accounting packages, inventory management, HR systems, assessment and reporting systems
- Software as a service (SaaS) - instead of software as a packaged or custom-made product, etc.
Physical Security components:
- CCTV cameras
- Clock-in systems / Biometrics
- Environmental management systems: humidity control, ventilation, air conditioning, fire control systems
- Electricity / Power backup
Access devices:
- Desktop computers
- Laptops, ultra-mobile laptops and PDAs
- Thin client computing
- Digital cameras, printers, scanners, photocopiers, etc.

What is Risk?
- Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.
- Threat: Something that can potentially cause damage to the organisation, IT systems or network.
- Vulnerability: A weakness in the organisation, IT systems, or network that can be exploited by a threat.

Relationship between Risk, Threats, and Vulnerabilities
[Diagram. Nodes: Threats, Vulnerabilities, Controls*, Risk, Information assets, Asset values, Protection Requirements. Arrow labels: exploit, expose, protect against, reduce, have, increase, indicate, met by.]
* Controls: A practice, procedure or mechanism that reduces risk.

Threat Identification
Elements of threats:
- Agent: The catalyst that performs the threat (Human, Machine, Nature).

| No | Categories of Threat | Example |
|----|----------------------|---------|
| 1 | Human errors or failures | Accidents, employee mistakes |
| 2 | Compromise to intellectual property | Piracy, copyright infringements |
| 3 | Deliberate acts of espionage or trespass | Unauthorized access and/or data collection |
| 4 | Deliberate acts of information extortion | Blackmail of information exposure / disclosure |
| 5 | Deliberate acts of sabotage / vandalism | Destruction of systems / information |
| 6 | Deliberate acts of theft | Illegal confiscation of equipment or information |
| 7 | Deliberate software attacks | Viruses, worms, macros, denial of service |
| 8 | Deviations in quality of service from service provider | Power and WAN issues |
| 9 | Forces of nature | Fire, flood, earthquake, lightning |
| 10 | Technical hardware failures or errors | Equipment failures / errors |
| 11 | Technical software failures or errors | Bugs, code problems, unknown loopholes |
| 12 | Technological obsolescence | Antiquated or outdated technologies |

- High User Knowledge of IT Systems
- Theft, Sabotage, Misuse
- Virus Attacks
- Systems & Network Failure
- Lack of Documentation
- Lapse in Physical Security
- Natural Calamities & Fire

SO HOW DO WE OVERCOME THESE PROBLEMS?

ISMS PROCESS (PDCA Process)
[Diagram. Input: Interested Parties, Information Security Requirements & Expectations. Cycle: PLAN (Establish ISMS), DO (Implement & Operate the ISMS), CHECK (Monitor & Review ISMS), ACT (Maintain & Improve). Output: Interested Parties, Managed Information Security. Label: Management Responsibility.]

- Information Security Policy
- Organisation of Information Security
- Asset Management
- Human Resource Security
- Physical Security
- Communication & Operations Management
- Access Control
- System Development & Maintenance
- Incident Management
- Business Continuity Planning
- Compliance
Confidentiality, Integrity, Availability

- Information Security Policy - To provide management direction and support for information security.
- Organisation of Information Security - Management framework for implementation.
- Asset Management - To ensure the security of valuable organisational IT and its related assets.
- Human Resources Security - To reduce the risks of human error, theft, fraud or misuse of facilities.
- Physical & Environmental Security - To prevent unauthorised access, theft, compromise, or damage to information and information processing facilities.

- Communications & Operations Management - To ensure the correct and secure operation of information processing facilities.
- Access Control - To control access to information and information processing facilities on a need-to-know and need-to-do basis.
- Information Systems Acquisition, Development & Maintenance - To ensure security is built into information systems.
- Information Security Incident Management - To ensure information security events and weaknesses associated with information systems are communicated.

- Business Continuity Management - To reduce disruption caused by disasters and security failures to an acceptable level.
- Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.

[Diagram. PDCA cycle: PLAN (Establish ISMS), DO (Implement & Operate the ISMS), CHECK (Monitor & Review ISMS), ACT (Maintain & Improve). Activities shown: IS Policy; Security Organisation; Asset Identification & Classification; Control Selection & Implementation; Operationalize the Processes; Check Processes; Management Review; Corrective & Preventive Actions.]

Non-information Assets [Physical]
Information is processed with the help of technology. Non-information assets are the assets that help in creating, processing, generating output from and storing information. Such assets need to be identified and valued according to their criticality in the business process. Asset valuation of non-information / physical assets such as software, hardware and services is carried out based on different criteria applicable to the specific group of physical assets involved in the organization's business processes.
