
Managing Information System Security: Principles





Presentation Transcript


  1. Managing Information System Security: Principles GP Dhillon Associate Professor Virginia Commonwealth University

  2. Shocking news
  • 25% of the organizations did not have an internal audit
  • 50% of the organizations did not have computer audit skills
  • 60% of the organizations had no security awareness
  • 80% of the organizations did not conduct a risk analysis

  3. General Statistics: CERT/CC incidents reported
  • 1991 – 406
  • 1993 – 1,334
  • 1995 – 2,412
  • 1997 – 2,134
  • 1999 – 9,859
  • 2001 – 52,658
  • 2003 – 137,529

  4. Common Myths
  • “Why should I care, I have nothing to hide.”
  • “Why does anyone care about my computer?”
  • “It’s too difficult to get access to my computer or personal information…”
  • “If someone tries to [insert malicious activity here], I will notice!”
  • “Ignorance is bliss!”

  5. Are you at risk? Using the following puts you at risk:
  • Computers
  • Credit Cards
  • Banks
  • Airlines
  • Automobiles
  • …many more…

  6. CIA – the building blocks

  7. Confidentiality
  • Ensures privacy.
  • Applies to both data on disks and network communication.
  • Accomplished through encryption:
    • https://
    • s/mime
    • pgp
    • ssh and ipsec

  8. Integrity
  • Develops trust of the network and computer systems.
  • Applies to both data on disks and network communication.
  • Integrity is increased by proper data and system management.

  9. Availability
  • Another catalyst for trust.
  • Required for data on disk and network.
  • Prevents Denial of Service attacks, etc.

  10. Defending with technology

  11. Start with the basics
  • Basic computer security through technology is easy; use…
    • A firewall,
    • Anti-Virus Software,
    • Patch your computer quickly, when required,
    • Strong passwords!

  12. Firewalls
  • The most useful tool in your bag of defenses.
  • Prevents intruders from accessing services on your computer.
  • Validates/normalizes network traffic.
  • May provide reports and trend analysis.
  • Available for all major operating systems – usually for free!

  13. Anti-virus software
  • Stops viruses and worms sent by email, attachments, downloads, etc.
  • Detects malicious software through intelligent heuristics.
  • Available for all major desktop and server operating systems.
  • A requirement; not an option.

  14. Patches
  • (Usually) free updates to your computer; can be downloaded from the Internet.
  • Available before most exploits surface.
  • Automated, usually.
  • Critical to overall security.
  • Chant: “We Must Patch, We Must Patch…”

  15. Strong passwords
  • Keep you on target with best practices.
  • Composed of 8 or more characters, including letters, numbers and 2 special characters from !@#$%^&.-+-=|]{}:”.
  • Not based on any dictionary word from any language.
  • Changed regularly; not shared.
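A checker for the password rule on slide 15, written here as an added example (it is not code from the presentation). The special-character set is the slide's own list; the word list and the substitution table used to catch "P@ssw0rd"-style dictionary words are constructed stand-ins for a real wordlist.

```python
import re

# Special characters exactly as listed on the slide: !@#$%^&.-+-=|]{}:"
# (the slide repeats '-', which is harmless in a set).
SPECIALS = set('!@#$%^&.-+=|]{}:"')

# Constructed, tiny stand-in for a dictionary; a real deployment would load a
# system wordlist and a list of commonly breached passwords instead.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "secret"}

# Common character substitutions undone before the dictionary check, so that
# "P@ssw0rd" still counts as "based on a dictionary word" (constructed table).
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                      "$": "s", "5": "s", "!": "i"})


def based_on_dictionary_word(pw: str, words=DICTIONARY) -> bool:
    """True if the password, after undoing substitutions and stripping
    non-letters, is or contains a dictionary word of 4+ letters."""
    normalized = pw.translate(LEET).lower()
    letters_only = re.sub(r"[^a-z]", "", normalized)
    return any(w in normalized or w in letters_only
               for w in words if len(w) >= 4)


def check_password(pw: str) -> list[str]:
    """Return the slide-15 rules the password fails; an empty list passes."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    if not any(c.isalpha() for c in pw):
        failures.append("no letters")
    if not any(c.isdigit() for c in pw):
        failures.append("no digits")
    if sum(c in SPECIALS for c in pw) < 2:
        failures.append("fewer than 2 special characters")
    if based_on_dictionary_word(pw):
        failures.append("based on a dictionary word")
    return failures


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "Tr0ub4dor&3", "x9!k}Qm:2v"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

The "changes regularly; not shared" bullet is an operational rule, not a property of the string, so the checker does not cover it.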

  16. Behavioral changes

  17. What technology doesn’t solve
  • Security technologies adapt as threats appear. They are not able to (easily) combat:
    • Threats,
    • Hoaxes,
    • Scams,
    • The behavior of others.

  18. The clue factor

  19. Education and awareness
  • Education and awareness are key to increasing the security posture of the University, and of the global Internet.
  • Dispels the FUD (fear, uncertainty, doubt).
  • Addresses problems before they exist.
  • Extends the radius of clue.
  • Creates inclusion in the entire infosecurity effort.

  20. Self-education
  • You can increase your own awareness of security related issues.
  • Subscribe to mailing lists for security notifications.
  • Visit security related websites.
  • Voice your concern on security related issues, helping raise awareness in others.

  21. Test your efforts • Remember: security is about sharing knowledge and contacts, not technology.

  22. The ‘RITE’ principles
  • Responsibility (and knowledge of Roles)
  • Integrity (as requirement of Membership)
  • Trust (as distinct from Control)
  • Ethicality (as opposed to Rules)

  23. “Total” security • CIA + RITE

  24. Conceptualizing controls
  • Technical controls
  • Formal controls
  • Pragmatic controls

  25. Principle #1 • Principle 1: Education, training and awareness, although important, are not sufficient conditions for managing information security. A focus on developing a security culture goes a long way in developing and sustaining a secure environment.

  26. Principle #2 • Principle 2: Responsibility, integrity, trust and ethicality are the cornerstones for maintaining a secure environment.

  27. Principle #3 • Principle 3: Establishing a boundary between what can be formalized and what should be norm based is the basis for establishing appropriate control measures.

  28. Principle #4 • Principle 4: Rules for managing information security have little relevance unless they are contextualized.

  29. Principle #5 • Principle 5: In managing the security of technical systems a rationally planned grandiose strategy will fall short of achieving the purpose.

  30. Principle #6 • Principle 6: Formal models for maintaining the confidentiality, integrity and availability (CIA) of information cannot be applied to commercial organizations on a grand scale. Micro-management for achieving CIA is the way forward.
