INFORMATION SECURITY AND CONTROL

SECURITY:
• Deter
• Detect
• Minimize
• Investigate
• Recover

Security Risks
• Internal
• External

Threats
• Disaster and breakdowns
• Access and disclosure
• Alteration or destruction
• Improper use

RISK ASSESSMENT
• P1 Probability of attack
• P2 Probability of success
• L Cost of Loss
Expected Loss = P1 * P2 * L
Minimize Threat Categories

Administrative Controls
Standards, rules, procedures and discipline to assure that personnel abide by established policies. Includes segregation of functions.

Security Policy
Security is always a cost to efficiency. It must be promoted to be effective.
• From the top
• Before installing hardware
• Politically charged

Writing a Security Policy
• Assess the types of risks
• Identify vulnerabilities
• Analyze user needs
• Write the policy
• Develop change procedures
• Plan implementation
• Implement

Vulnerabilities
• Servers: operating systems and applications
• Networks: snooping, attacks, spoofing
• Clients and modems: PCAnywhere etc.
• Viruses

Operating Systems
• UNIX
• Novell Netware
• Windows and Windows NT

Administrative Controls
• Security organization
• Audits
• Risk assessment
• Administrative standards and procedures

Disaster Management
• Redundancy and fault tolerant systems
• Backups and off site storage
• Hot and cold sites
• Planning and procedures

Architectural Controls
• Software controls: prevent unauthorized changes
• Hardware controls: control access and use

Tools
• Firewalls
• Network partitioning and routers
• Encryption
• Testing tools
• Consultants

Encryption
• Keys and key length
• Public key/private key
• Processing problems
• Location
• Application
• Network
• Firewall
• Link

Authentication
• Passwords
• Biometrics
• Isolation
• Remote location verification

SECURITY:
• Deter
• Detect
• Minimize
• Investigate
• Recover