Information Security Awareness

Transcription

1 Information Security Awareness

2 Agenda Ø What is Information and 14 more questions!

3 What is Information?

4 Information Anything which has a business value!

5 Information Where is it? Services Paper Software Information Personnel Service Provider Physical (Hardware) Literally.. everywhere

6 What is Security? What are the key terms?

7 What is CIA? ConFidentiality? Ensuring that information is accessible only to those authorised to have access. Integrity? Safeguarding the accuracy and completeness of information and processing methods. Availability? Ensuring that authorised users have access to information and associated assets when required. E x a m p l e?

8 Why do we need to protect information?

9 Why is Information Security needed? To prevent unauthorised disclosure (ConFidentiality) To prevent unauthorized modi>ication/alteration (Integrity) Business Requirements To protect against Loss/Destruction natural/man- made (Availability) Legislative Requirements

10 Bene>its of Information Security 1. Protects your job 2. Protects business enables Continuity 3. Partner Trust 4. Security in everything we do 5. Reduce response time in case of incident *Not exhaustive

11 Who is interested in your information?

12 What is ISO 27001?

13 ISO Domain & Controls Domains Control Objectives Controls A.5 Security policy 1 2 A.6 Organization of information security 2 7 A.7 Human resource security 3 6 A.8 Asset management 3 10 A.9 Access control 4 14 A.10 Cryptography 1 2 A.11 Physical and environmental security 2 15 A.12 Operations Security 7 14 A.13 Communications security 2 7 A.14 System acquisition, development and maintenance 3 13 A.15 Supplier relationships 2 5 A. 16 Information security incident management 1 7 A. 17 Information security aspects of business continuity management 2 4 A. 18 Compliance 2 8 Total

14 Physical security controls covers all aspects of physical security such as doors, access control systems, entry and exit areas, and associated processes (such as Fire evacuation, visitor management to name a few..) Technical controls can cover user ID and password, Antivirus, encryption, Firewall and associated processes (such as change management, access management) Personnel controls such as background screening, induction training, revocation of access upon employee departure (not exhaustive) Administrative controls such as asset identification, document classification, risk assessment, documentation to name a few.. Anything else?

15 What is a vulnerability?

16 Vulnerability Types Process Vulnerability Insecure Practices/Usage No formal change management process No screen saver in the machines No induction process of information security Irregular backups Implementation Flaw Door s lock is not working No responsibility for Firewall configuration Unnecessary services running on the server Insecure Product/Protocol telnet instead of ssh http instead of https Plain text instead of encrypted data store Wrong allocation of password rights Tail gating Irregular patch management Insecure Development Process Absence of security in development LC No check in application for invalid characters 16

17 What is the difference between incident and weakness?

18 When do YOU become a security incident?

19 How to report a security incident/weakness?

20 By Phone! By ! By Direct Reporting!

21 Which policy document you must read to know about your security Dos and Donts?

22 Acceptable Usage Policy

23 Acceptable Usage Policy (AUP) Table of Contents 1.! Purpose... 2.! ISO reference... 3.! Definition.of.Information.Assets... 4.! Responsibility... 5.! General.Security.Practices... 6.! Userid.&.Password.Protection... 7.! Usage.of.Electronic.Mail.( )... 8.! Prohibited.Actions.Using ! Usage.of.Office.Network.&.Communication.Infrastructure ! Usage.of.Desktop.Computer ! Usage.of.Notebook/Laptop.Computer ! Connecting.to.Internet.from.Public.places ! Secure.usage.of.mobile.devices ! Secure.usage.of.physical.access.cards ! Secure.usage.of.cryptographic.keys ! Internet.usage.policy ! Clear.Desk.and.Clear.Screen.Policy ! Teleworking.Policy ! Social.Media/Social.networking.Policy ! Weakness.&.Incident.Reporting ! Consequence.Management/Disciplinary.action.Procedure.(DAP) ! Intellectual.Property/ownership ! Right.to.audit ! Question/clarifications/improvements... Reading and accepting terms of AUP is mandatory!

24 Common End User Security Expectations You are eyes and ears for securing information/organisation Clear desk and clear screen policy Learn [Windows] + L! Do not exploit a weakness report it! Use complex passwords Protect your smartphone by adding password Know your security manager Read Policy - Acceptable Usage

25 & Q A

26 ! Thank You