information security system
TRANSCRIPT
WELCOME
Information System Security
WHAT IS INFORMATION SECURITY?
The protection of information and its
elements including systems, hardware that
use, store and transmit the
information
SECURITY TYPES• Physical Security : To protect Physical items, objects or areas
• Personal Security : To protect the individual or group of individuals who are
authorized
• Operations Security : To protect the details of a particular operation or activities
• Communications Security : To protect communication media, technology and
content
• Network Security : To protect networking components, connections and
contents
• Information Security : To protect information assets
THREATS TO INFORMATION SYSTEM
There are many information security threats that we need to be constantly aware of and protect against in order to ensure our sensitive information remains secure. Some of the threats are as follows:
UNAUTHORIZED ACCESS –
• The attempted or successful access of information or systems,
without permission or rights to do so.
Ensure you have a properly configured firewall, up to date
malware prevention software and all software has the latest
security updates.
Protect all sensitive information, utilizing encryption where
appropriate, and use strong passwords that are changed
regularly.
CYBER ESPIONAGE
• The act of spying through the use of computers, involving the
covert access or ‘hacking’ of company or
government networks to obtain sensitive information.
Be alert for social engineering attempts and
verify all requests for sensitive information.
Ensure software has the latest security updates, your network
is secure and monitor for unusual network behavior.
MALWARE
• A collective term for malicious software, such as viruses, worms
and trojans; designed to infiltrate systems and information for
criminal, commercial or destructive purposes.
Ensure you have a properly configured firewall, up to date
malware prevention and all software has the latest security
updates.
Do not click links or open attachments in emails from unknown
senders, visit un-trusted websites or install dubious software.
DATA LEAKAGE • The intentional or accidental loss, theft or exposure of
sensitive company or personal information
Ensure all sensitive information stored on removable
storage media, mobile devices or laptops is encrypted
Be mindful of what you post online, check email recipients
before pressing send, and never email sensitive company
information to personal email accounts
MOBILE DEVICE ATTACK
• The malicious attack on, or unauthorized access of mobile
devices and the information stored or processed by them;
performed wirelessly or through physical possession.
Keep devices with you at all times, encrypt all sensitive data
and removable storage media, and use strong passwords.
Avoid connecting to insecure, un-trusted public wireless
networks and ensure Bluetooth is in ‘undiscoverable’ mode.
SOCIAL ENGINEERING
• Tricking and manipulating others by phone, email, online or in-
person, into divulging sensitive information, in order to access
company information or systems.
Verify all requests for sensitive information, no matter how
legitimate they may seem, and never share your passwords with
anyone – not even the helpdesk.
Never part with sensitive information if in doubt, and report
suspected social engineering attempts immediately.
INSIDERS • An employee or worker with malicious intent to steal
sensitive company information, commit fraud or cause
damage to company systems or information
Ensure access to sensitive information is restricted to only
those that need it and revoke access when no longer
required
Report all suspicious activity or workers immediately
PHISHING • A form of social engineering, involving the sending of legitimate looking
emails aimed at fraudulently extracting sensitive information from recipients,
usually to gain access to systems or for identity theft.
• Look out for emails containing unexpected or unsolicited requests for
sensitive information, or contextually relevant emails from unknown senders.
• Never click on suspicious looking links within emails, and report all
suspected phishing attempts immediately.
SPAM
• Unsolicited email sent in bulk to many individuals, usually
for commercial gain, but increasingly for spreading
malware.
Only give your email to those you trust and never post your
address online for others to view.
Use a spam filter and never reply to spam emails or click
links within them.
IDENTITY THEFT • The theft of an unknowing individual’s personal information, in order
to fraudulently assume that individual’s identity to commit a crime,
usually for financial gain.
• Never provide personal information to un-trusted individuals or
websites.
• Ensure personal information is protected when stored and securely
disposed of when no longer needed.
PROTECTING INFORMATION SYSTEM
1. Data security is fundamental
Data security is crucial to all academic, medical and
business operations.
All existing and new business and data processes should
include a data security review to be sure data is safe from
loss and secured against unauthorized access.
2. Plan ahead
Create a plan to review your data security status and
policies and create routine processes to access, handle and
store the data safely as well as archive unneeded data.
Make sure you and your colleagues know how to respond if
you have a data loss or data breach incident.
3. Know what data you have
The first step to secure computing is knowing what data you
have and what levels of protection are required to keep the
data both confidential and safe from loss.
4. Scale down the data
Keep only the data you need for routine current business,
safely archive or destroy older data, and remove it from all
computers and other devices (smart phones, laptops, flash
drives, external hard disks).
5. Lock up!
Physical security is the key to safe and confidential computing.
All the passwords in the world won't get your laptop back if the
computer itself is stolen.
Back up the data to a safe place in the event of loss.
INFORMATION SECURITY CONTROLS
Security is generally defined as the freedom from danger or
as the condition of safety.
Computer security, specifically, is the protection of data in
a system against unauthorized disclosure, modification, or
destruction and protection of the computer system itself
against unauthorized use, modification, or denial of service.
PHYSICAL CONTROLS
It is the use of locks, security guards, badges, alarms, and similar
measures to control access to computers, related equipment
(including utilities), and the processing facility itself.
In addition, measures are required for protecting computers,
related equipment, and their contents from espionage, theft, and
destruction or damage by accident, fire, or natural disaster (e.g.,
floods and earthquakes).
TECHNICAL CONTROLS
Involves the use of safeguards incorporated in computer
hardware, operations or applications software,
communications hardware and software, and related devices.
Technical controls are sometimes referred to as logical
controls.
TECHNICAL CONTROLSPreventive technical controls are used to prevent
unauthorized personnel or programs from gaining remote access to computing resources. Examples of these controls include:
o Access control softwareo Antivirus softwareo Library control systemso Passwordso Smart cardso EncryptionoDial-up access control and callback systems
ADMINISTRATIVE CONTROLS
Consists of management constraints, operational
procedures, accountability procedures, and supplemental
administrative controls established to provide an acceptable
level of protection for computing resources.
In addition, administrative controls include procedures
established to ensure that all personnel who have access to
computing resources have the required authorizations and
appropriate security clearances.
ADMINISTRATIVE CONTROLSPreventive administrative controls are personnel-oriented techniques
for controlling people’s behavior to ensure the confidentiality, integrity, and availability of computing data and programs. Examples of preventive administrative controls include:o Security awareness and technical trainingo Separation of dutieso Procedures for recruiting and terminating employeeso Security policies and procedureso Supervision.o Disaster recovery, contingency, and emergency planso User registration for computer access
THANK YOU