
Unit 3 Notes Mobile

This document discusses information security governance and describes its key areas including security strategy, policies and procedures, risk management, compliance and auditing, and incident response management. It also covers risk management processes, security architecture elements, intrusion detection systems, hardware security issues, and practices for securing data storage and downloadable devices.

UNIT – 3

Information Security Governance –

This governance describes the way a company manages its information security needs.
Ideally, it protects the integrity, confidentiality, and availability of information. IT managers
begin by identifying all possible risks. They then design proactive policies and frameworks to
tackle these issues at the source.

Building a governance system requires an in-depth analysis of an organization's information,
storage needs, and security status. These are the five main areas managers need to cover
when evaluating their organizations' information security governance needs.

1. Information Security Strategy

Managers must create a well-defined plan that aligns well with organizational goals. This
strategy should outline the overall approach for managing and protecting information assets.

2. Policies and Procedures

Employees need comprehensive and up-to-date policies to help organizations safeguard data.
For example, the effectiveness of multi-factor authentication has dropped from 99% to as
little as 30%. Companies must update policies to match these and other changes.

3. Risk Management

You can’t manage risk without first identifying the threats present. IT managers should
follow a basic process to address this:

• Identify the potential risks.
• Assess the organization's exposure to these risks.
• Implement solutions that mitigate these risks.
• Monitor and review how well these solutions protect the organization.

4. Compliance and Audit

Effective managers conduct regular audits and assessments to ensure compliance.

5. Incident Response and Management

Organizations should have a well-defined incident response plan to detect and address
threats. Start by establishing a dedicated, multi-disciplinary incident response team. It should
include lawyers, communication specialists, and compliance officers. This team should
develop a response strategy to deploy instantly when needed.

Risk Management Process


The Risk Management Process is a clearly defined method of understanding what risks and
opportunities are present, how they could affect a project or organization, and how to respond
to them.

The process of risk management involves several stages, as follows:

1. Risk Identification: In this stage, the possible project, product and business risks are
identified.
2. Risk Analysis: In this stage, the likelihood and consequences of these risks are
assessed.
3. Risk Planning: In this stage, plans are made either to avoid each risk or to mitigate
its effects on the project.
4. Risk Monitoring: In this stage, risk assessment is carried out continuously and the risk
reduction plan is revised as more information about the risks becomes available.

Security Architecture and Design

Security architecture is a strategy for designing and building a company's security
infrastructure. It troubleshoots data protection issues by analyzing processes, controls and
systems. This multifaceted strategy has many elements, such as security policy, risk
management, and the determination of controls and procedures. It can also be applied to
specific domains such as network security, application security or business information security.

Elements of Security Architecture

Security architecture comprises many products and activities designed to provide
effective security in the organization. These elements work together to protect data assets and
reduce risk. The following are the main components of security architecture:

1. Security Framework:

Policies and procedures that establish security standards, procedures, and policies in an
organization.

Responsibilities: Building a security system, communicating expectations, and providing a
framework for compliance is part of the job.

2. Security Management:

Security measures taken to detect, prevent or reduce the impact of security threats and
vulnerabilities.

Responsibilities: Prevent unauthorized access, data deletion, and other security issues by
using security policies.

3. Risk Management:

The process of identifying, analyzing and monitoring risks to the institution’s information
assets.
Responsibilities: Participate in decision making, resource allocation and implementation of
controls to reduce or control identified risks.

4. IAM (Identity and Access Management):

Management of user identities and their access to systems, applications and information.

Responsibilities: Ensuring that only authorized personnel can access sensitive information,
preventing unauthorized access or information leakage.

5. Encryption:

The process of encoding data so that it cannot be understood without the decryption key.

Responsibilities: Protect sensitive data from unauthorized access while maintaining
confidentiality, especially during data transfer and storage.

6. Responses to Issues:

A structured approach to handling a security incident and containing its impact.

Responsibilities: Minimize downtime, recover quickly, and analyze and learn from security
incidents.

7. Security Architecture Framework:

A model or framework that provides best practices and guidelines for designing and
implementing security solutions.

Responsibilities: Serves as a blueprint for creating an integrated and effective security system
that suits business needs.

8. Security Education and Training:

Programs and events designed to educate employees and users about security risks, policies,
and best practices.

Responsibilities: To strengthen the human element of security by promoting knowledge, sound
behavior, and compliance with security laws.

Intrusion Detection Systems

Intrusion Detection Systems, also known as Intrusion Detection and Prevention Systems, are
appliances that monitor a network for malicious activity, log information about such
activity, take steps to stop it, and finally report it. An intrusion detection system can raise
an alarm on malicious activity in the network, drop the offending packets, and reset the
connection to keep the IP address from being blocked. Intrusion detection systems can also
perform the following actions:

• Correct Cyclic Redundancy Check (CRC) errors
• Prevent TCP sequencing issues
• Clean up unwanted transport and network layer options
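
The monitor, log, stop and report cycle described above, as an added example that is not part of the original notes; the log format, the port-scan threshold, the time window and the addresses are constructed assumptions:

```python
"""Intrusion detection logic over constructed connection records, following the
monitor -> log -> stop -> report cycle described in the notes.
Added example, not part of the original notes; the log format, thresholds and
addresses are constructed assumptions."""
from collections import defaultdict

# Constructed connection log: "<timestamp> <src_ip> <dst_ip> <dst_port> <tcp_flags>"
SAMPLE_LOG = """\
100 10.0.0.5 192.168.1.10 22 S
101 10.0.0.5 192.168.1.10 23 S
101 10.0.0.5 192.168.1.10 25 S
102 10.0.0.5 192.168.1.10 80 S
102 10.0.0.5 192.168.1.10 443 S
103 10.0.0.5 192.168.1.10 8080 S
105 10.0.0.9 192.168.1.10 443 S
106 10.0.0.9 192.168.1.10 443 A
""".splitlines()

SCAN_PORT_THRESHOLD = 5   # distinct destination ports from one source ...
WINDOW_SECONDS = 10       # ... within this many seconds looks like a port scan

def parse(line):
    ts, src, dst, port, flags = line.split()
    return int(ts), src, dst, int(port), flags

def run_ids(lines):
    """Monitor each record, alert on port-scan behaviour, drop traffic from the
    offending source (simulated prevention) and return a report."""
    recent_ports = defaultdict(list)   # src -> [(ts, dst_port)]
    blocked, alerts = set(), []
    passed = dropped = 0
    for line in lines:
        ts, src, dst, port, flags = parse(line)
        if src in blocked:             # prevention: drop packets from a blocked source
            dropped += 1
            continue
        recent_ports[src].append((ts, port))
        window = {p for t, p in recent_ports[src] if ts - t <= WINDOW_SECONDS}
        if len(window) >= SCAN_PORT_THRESHOLD:
            # detection: log the event, reset the connection, block further traffic
            alerts.append({"ts": ts, "src": src, "dst": dst,
                           "ports": sorted(window), "action": "drop+reset"})
            blocked.add(src)
            dropped += 1
            continue
        passed += 1
    return {"alerts": alerts, "blocked_sources": sorted(blocked),
            "dropped": dropped, "passed": passed}

if __name__ == "__main__":
    report = run_ids(SAMPLE_LOG)
    for alert in report["alerts"]:
        print(f"ALERT ts={alert['ts']} src={alert['src']} ports={alert['ports']} action={alert['action']}")
    print(f"blocked={report['blocked_sources']} dropped={report['dropped']} passed={report['passed']}")
```

The threshold and window are tuning knobs: too low and ordinary clients that open several services are flagged, too high and a slow scan spread over a longer window is missed.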

Security Issues in Hardware –

Hardware security is a critical aspect of cybersecurity, as vulnerabilities at the hardware level
can have significant implications for overall system security. Here are some common security
issues in hardware:

1. Hardware Trojans: These are malicious modifications inserted into a hardware component
during the manufacturing process or at some point in the supply chain. They can be used to
facilitate unauthorized access, leak sensitive information, or disrupt the functioning of the
system.
2. Backdoors: Hardware backdoors are intentional or unintentional vulnerabilities inserted into
a device's design, allowing unauthorized access or control over the system. These can be
exploited by attackers to compromise the security of the device.
3. Firmware Attacks: Firmware, which resides on hardware components such as BIOS, UEFI,
or microcontrollers, can be targeted by attackers to implant malicious code or modify the
firmware to gain unauthorized access or control over the device.
4. Side-Channel Attacks: Side-channel attacks exploit information leaked through the physical
implementation of a cryptographic algorithm, such as power consumption, electromagnetic
emissions, or timing variations, to extract sensitive information from a device.
5. Hardware Vulnerabilities: Weaknesses in the design or implementation of hardware
components can lead to vulnerabilities that attackers can exploit to compromise the security
of a system. Examples include buffer overflow vulnerabilities, race conditions, or inadequate
input validation.
6. Supply Chain Attacks: Hardware components can be tampered with or compromised during
the manufacturing or distribution process, posing significant security risks to the devices in
which they are installed. Attackers may exploit weaknesses in the supply chain to inject
malicious hardware or modify legitimate components.
7. Physical Attacks: Physical attacks involve tampering with hardware components directly,
either through physical access to the device or by intercepting it during transit. Techniques
such as tampering with hardware components, probing, or reverse engineering can be used to
extract sensitive information or compromise the security of the device.

Data Storage & Downloadable Devices

1. Encryption: Utilize strong encryption algorithms to protect data both at rest and in transit.
This ensures that even if unauthorized access occurs, the data remains unreadable.
2. Access Controls: Implement robust access controls to restrict access to sensitive data only to
authorized users. This includes authentication mechanisms like passwords, biometrics, and
multi-factor authentication.
3. Secure Protocols: Ensure that data transfer protocols, such as HTTPS for web downloads and
secure file transfer protocols (SFTP, SCP) for file transfers, are used to prevent interception
and tampering.
4. Secure Coding Practices: Employ secure coding practices when developing downloadable
software to mitigate vulnerabilities such as buffer overflows, SQL injection, and cross-site
scripting (XSS) attacks.
5. Regular Updates and Patch Management: Keep all software, firmware, and operating systems
up to date with the latest security patches to address known vulnerabilities and reduce the risk
of exploitation.
6. Data Backups: Regularly back up data and ensure that backup copies are stored securely. This
helps mitigate the impact of data loss or corruption resulting from cyber attacks.
7. Data Loss Prevention (DLP): Implement DLP solutions to monitor and prevent unauthorized
data transfers or leaks. This includes monitoring for unusual file access patterns and
enforcing policies to prevent sensitive data from leaving the organization.
8. Network Segmentation: Segment networks to limit the scope of potential attacks and
minimize the impact of a breach. This can be achieved through the use of firewalls, VLANs,
and access control lists (ACLs).
9. Intrusion Detection and Prevention Systems (IDPS): Deploy IDPS solutions to monitor
network traffic for signs of suspicious activity and automatically block or alert on potential
threats.
10. Employee Training and Awareness: Educate employees about cybersecurity best practices,
such as avoiding phishing scams, using strong passwords, and being cautious when
downloading files from the internet.

Physical Security Of IT Assets

Physical security aims to protect people, property, and physical assets from any action or
event that could lead to loss or damage. Physical security is crucial, and security teams must
work together to ensure the security of digital assets.

Physical security keeps your employees, facilities, and assets safe from real-world threats.
These threats can come from internal or external intruders and put data security at risk.

Physical attacks can result in a secure area being broken into or a restricted area being invaded.
An attacker can easily damage or steal critical IT assets, install malware on systems, or leave
a remote access point on the network.

It is important to have strict physical security to protect against external threats, as well as
equally effective measures to address the risks posed by any internal intruder.

Key components of physical security include:

• Access control and monitoring of physical access should cover the entire area, using
sophisticated physical security tools such as biometric and ID card restrictions. However, it is
important to understand the pros and cons of each measure and how these access controls can
be forged.

• Surveillance, including burglar alarms, guards, and CCTV that keeps a complete record of
all movement. High-risk areas may have sophisticated detectors to ensure a more
holistic view.

The general principles of physical security measures should address:
• Physical Security Perimeter
• Physical Input Controls
• Security of Offices, Rooms, and Facilities
• Protection against External and Environmental Threats
• Working in Safe Areas
• Public Access, Loading and Unloading Areas
• Protection and Disposal of Equipment

Access Control

Access control is a data security process that enables organizations to manage who is
authorized to access corporate data and resources. Secure access control uses policies that
verify users are who they claim to be and ensures appropriate control access levels are
granted to users.

Implementing access control is a crucial component of web application security, ensuring
only the right users have the right level of access to the right resources. The process is critical
to helping organizations avoid data breaches and fight attack vectors, such as a buffer
overflow attack, KRACK attack, on-path attack, or phishing attack.

Access control is managed through several components:

1. Authentication

Authentication is the initial process of establishing the identity of a user. For example, when
a user signs in to their email service or online banking account with a username and password
combination, their identity has been authenticated. However, authentication alone is not
sufficient to protect organizations’ data.

2. Authorization

Authorization adds an extra layer of security to the authentication process. It specifies access
rights and privileges to resources to determine whether the user should be granted access to
data or make a specific transaction.

For example, an email service or online bank account can require users to provide two-factor
authentication (2FA), which is typically a combination of something they know (such as a
password), something they possess (such as a token), or something they are (like a biometric
verification). This information can also be verified through a 2FA mobile app or a thumbprint
scan on a smartphone.

3. Access

Once a user has completed the authentication and authorization steps, their identity will be
verified. This grants them access to the resource they are attempting to log in to.

4. Manage

Organizations can manage their access control system by adding and removing the
authentication and authorization of their users and systems. Managing these systems can
become complex in modern IT environments that comprise cloud services and on-premises
systems.

5. Audit

Organizations can enforce the principle of least privilege through the access control audit
process. This enables them to gather data around user activity and analyze that information to
discover potential access violations.
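
The five components above (authentication, authorization, access, manage, audit) as one small access control pipeline. This is an added example, not code from the original notes; the users, roles, permission strings and passwords are constructed sample data, and the audit step implements the least-privilege review the notes describe by reporting denied attempts and permissions a user holds but never exercises:

```python
"""Access control walk-through following the five components above:
authenticate -> authorize -> access -> manage -> audit.
Added example, not from the original notes; users, roles, permissions and
passwords are constructed sample data."""
import hashlib
import hmac
import os

# Manage: role -> set of "action:resource" permissions (constructed).
ROLES = {
    "analyst": {"read:reports"},
    "admin": {"read:reports", "write:reports", "read:payroll"},
}

def hash_password(password, salt=None):
    """Salted PBKDF2 so stored credentials are not reversible if leaked."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class AccessControl:
    def __init__(self):
        self.users = {}       # name -> (salt, digest, role)
        self.audit_log = []   # (step, user, permission, allowed)

    # Manage: add and remove users and the role that drives their authorization.
    def add_user(self, name, password, role):
        salt, digest = hash_password(password)
        self.users[name] = (salt, digest, role)

    def remove_user(self, name):
        self.users.pop(name, None)

    # Authentication: establish identity with a constant-time digest comparison.
    def authenticate(self, name, password):
        record = self.users.get(name)
        ok = record is not None and hmac.compare_digest(
            hash_password(password, record[0])[1], record[1])
        self.audit_log.append(("authn", name, None, ok))
        return ok

    # Authorization: does the authenticated identity hold this permission?
    def authorize(self, name, action, resource):
        permission = f"{action}:{resource}"
        ok = permission in ROLES.get(self.users[name][2], set())
        self.audit_log.append(("authz", name, permission, ok))
        return ok

    # Access: granted only after both checks pass, in that order.
    def access(self, name, password, action, resource):
        if not self.authenticate(name, password):
            return "denied: authentication failed"
        if not self.authorize(name, action, resource):
            return "denied: not authorized"
        return f"granted: {name} may {action} {resource}"

    # Audit: denied authorization attempts are potential access violations.
    def violations(self):
        return [e for e in self.audit_log if e[0] == "authz" and not e[3]]

    # Audit for least privilege: permissions a user's role holds but never exercised.
    def unused_permissions(self, name):
        held = ROLES.get(self.users[name][2], set())
        used = {e[2] for e in self.audit_log if e[0] == "authz" and e[1] == name and e[3]}
        return sorted(held - used)
```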

CCTV (closed-circuit television)

CCTV (closed-circuit television) is a TV system in which signals are not publicly distributed
but are monitored, primarily for surveillance and security purposes.

How does CCTV work?

CCTV relies on strategic placement of cameras, and observation of the camera's input on
monitors somewhere. Because the cameras communicate with monitors and/or video
recorders across private coaxial cable runs or wireless communication links, they gain the
designation "closed-circuit" to indicate that access to their content is limited by design only to
those able to see it.

CCTV use cases

Older CCTV systems used small, low-resolution black and white monitors with no interactive
capabilities. Modern CCTV displays can be color, high-resolution displays and can include
the ability to zoom in on an image or track something (or someone) among their features.
Talk CCTV allows an overseer to speak to people within range of the camera's associated
speakers.

CCTV is commonly used for a variety of purposes, including:

• Maintaining perimeter security in medium- to high-security areas and installations.

• Observing the behavior of incarcerated inmates and potentially dangerous patients in medical
facilities.

• Traffic monitoring.

• Overseeing locations that would be hazardous to a human, for example, highly radioactive
or toxic industrial environments.

• Building and grounds security.

Backup Security Measures

Backup and recovery policies are essential for most operating systems. Many system
managers use a layered backup schedule. Written procedures and rules are required
elements of system management. Backing up files is an important system administrator
task. The backup files are used for restoring the system to a previous state whenever the system fails.
Backup encryption is one of many activities that contribute to a comprehensive security
strategy.
Types of Backup :
1. Full Backup –
A full backup is a backup where every single file (including system and user files) is
written to backup media. A full backup does not check whether a file has changed since the last
backup; it simply writes everything to the backup media.
2. Incremental Backup –
It checks the file modification time. If the modification time is more recent than the last backup
time, the file is backed up; otherwise it is not. An incremental backup is used together with a full
backup. It is faster than a full backup. A major disadvantage of incremental backup is that it
takes a longer time for restoration, since the full backup and every later incremental must be
applied in order. Incremental backups also pose a risk of operator error.

3. Differential Backup –
It contains all files modified since the last full backup, making it possible to perform a
complete restoration with only the last full backup and the last differential backup.
4. Network Backup –
It backs up a file system from one machine onto a backup device connected to another
machine. It is referred to as a remote or network backup.
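
The full, incremental and differential strategies above, selected by modification time, together with the restore chain each one needs. This is an added example, not code from the original notes; the edit history, file paths and day numbers are constructed, and timestamps are whole days to keep the comparison readable:

```python
"""Full, incremental and differential backups selected by file modification time,
plus the restore chain each strategy requires. Added example, not from the
original notes; the edit history, paths and day numbers are constructed."""

# Constructed edit history: day -> files modified on that day.
EDITS = {
    1: {"/etc/passwd", "/home/a/notes.txt"},
    2: {"/home/a/notes.txt"},
    3: {"/home/a/report.doc"},
    4: {"/var/log/app.log"},
}

def mtimes_at(day):
    """File -> most recent modification day, as the file system looks on 'day'."""
    mtimes = {}
    for d in range(1, day + 1):
        for path in EDITS.get(d, ()):
            mtimes[path] = d
    return mtimes

def plan_backups(strategy, full_day, later_days):
    """Return {day: files written}. Day 'full_day' is a full backup (every file,
    no modification-time check); each later day is incremental or differential."""
    backups = {full_day: set(mtimes_at(full_day))}
    last_backup_day = full_day
    for day in later_days:
        # incremental: changed since the LAST backup of any kind
        # differential: changed since the last FULL backup (so each set grows)
        reference = full_day if strategy == "differential" else last_backup_day
        backups[day] = {p for p, m in mtimes_at(day).items() if m > reference}
        last_backup_day = day
    return backups

def restore_chain(strategy, backups, full_day, target_day):
    """Backup sets that must be read, in order, to rebuild the state of target_day."""
    if strategy == "differential":
        return [full_day] if target_day == full_day else [full_day, target_day]
    # incremental: the full backup plus every incremental up to the target
    return [d for d in sorted(backups) if full_day <= d <= target_day]

def restore(strategy, backups, full_day, target_day):
    """Replay the chain; returns (number of sets read, restored file set)."""
    chain = restore_chain(strategy, backups, full_day, target_day)
    restored = set()
    for day in chain:
        restored |= backups[day]
    return len(chain), restored

if __name__ == "__main__":
    for strategy in ("incremental", "differential"):
        backups = plan_backups(strategy, 1, [2, 3, 4])
        n, files = restore(strategy, backups, 1, 4)
        print(strategy, {d: sorted(s) for d, s in backups.items()})
        print(f"  restore to day 4 reads {n} set(s); complete={files == set(mtimes_at(4))}")
```

The incremental restore reads four sets and fails if any one is missing or applied out of order, which is the operator-error risk the notes mention; the differential restore reads two.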
Data is the lifeblood of a business and must be guarded against malicious intent, whether in an
active state on production servers or in a preserved state on tape.
Backup security measures are as follows:
• Assign accountability, responsibility, and authority –
The storage security function should be included in the company's security policy. Some
companies create a storage team for taking backups. Even after creating a separate team, the
company must still integrate any storage and backup security measures with those that
secure the rest of the infrastructure; this provides defense-in-depth protection. If data is highly
sensitive, then duties are divided among a number of team members.
• Assess storage risk as it pertains to information security –
Risk assessment is a structured and systematic procedure, which depends upon the
correct identification of hazards. Managers must examine each step of their backup
methodology, looking for security vulnerabilities. It is necessary to perform a risk analysis of the
entire backup process. Data is often duplicated throughout the environment, so it is important to have
policies and procedures that provide a good understanding of where data lives at any
point in time.
• Develop an information protection program –
A multilayer data protection system is used to secure the storage network.
Authentication, authorization, encryption, and auditing are examples of a multilayer
protection system. Encrypt data as it is stored to disk, preventing even other people
with access to that system from reading those files.
• Communicate processes around information protection and security –
Define processes to ensure that sensitive data is properly protected and handled.
It is important to ensure that the people responsible for carrying out security tasks are
informed and trained. Security policies are the most important aspect of assigning
accountability, responsibility, and authority.
