CH1 Information Systems Security

The document provides an overview of information security, emphasizing the protection of information systems from unauthorized access and data breaches. It outlines key concepts such as the tenets of information security (confidentiality, integrity, availability), threats, vulnerabilities, and the importance of an IT security policy framework. Additionally, it discusses the seven domains of IT infrastructure and the significance of data classification standards in maintaining security.

Uploaded by onlydodie

WHAT IS INFORMATION SECURITY

26/05/2024
Chapter 1 Topics

This chapter covers the following topics and concepts:

▪ What unauthorized access and data breaches are
▪ What information systems security is
▪ What the tenets of information systems security are
▪ What the seven domains of an IT infrastructure are
▪ What the weakest link in an IT infrastructure is
▪ How an IT security policy framework can reduce risk
▪ How a data classification standard affects an IT infrastructure’s security needs
Information Systems Security

▪ Information security is defined as "protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction," according to US federal law (the FISMA definition in Title 44 of the U.S. Code).
▪ Security means protecting our assets from attackers invading our networks, viruses and worms, natural disasters, adverse environmental conditions, power failures, theft, or other undesirable states.
▪ With the Internet of Things (IoT) now connecting personal devices, home devices, and vehicles to the Internet, there is even more data to steal. All users must defend their information from attackers.
What are we securing?
Insecure state

We can quickly list a number of items that would put us in an insecure state:
▪ Not patching our systems, or not patching quickly enough. A patch is a set of changes to a computer program or its supporting data designed to update, fix, or improve it.
▪ Using weak passwords such as "password" or "12345678".
▪ Downloading infected programs from the Internet.
▪ Opening dangerous e-mail attachments from unknown senders.
▪ Using wireless networks without encryption, whose traffic can be monitored by anyone in range.
Threats, vulnerabilities, and risk

▪ Threats: have the potential to cause harm to our assets. Threats tend to be
specific to certain environments, particularly in the world of information
security. For example, although a virus might pose a threat to a Windows
operating system, the same virus will be unlikely to have any effect on a
Linux operating system.
▪ Vulnerabilities are weaknesses that can be used to harm our assets. A vulnerability might be a flaw in a specific operating system or application that we are running, a physical location where we have chosen to place our office building, a data center that is populated beyond the capacity of its air-conditioning system, a lack of backup generators, or other factors.
Threats, vulnerabilities, and risk

▪ Risk: the likelihood that something bad will happen to an asset, weighed against the impact if it does. Risk arises when a threat can act on a vulnerability; it is the level of exposure to some event that has an effect on an asset. In the context of IT security, an asset can be a computer, a database, or a piece of information. Examples of risk include the following:
▪ Losing data
▪ Losing business because a disaster has destroyed your building
▪ Failing to comply with laws and regulations
Tenets of Information Systems Security

Three of the primary concepts in information security are confidentiality, integrity, and availability, commonly known as the CIA triad:

▪ Confidentiality: Only authorized users can view information.
▪ Integrity: Only authorized users can change information.
▪ Availability: Information is accessible by authorized users whenever they request the information.
Confidentiality

Confidentiality means guarding information from everyone except those with rights to it. Confidential information includes the following:
▪ Private data of individuals
▪ Intellectual property of businesses
▪ National security information of countries and governments
Confidentiality

Protecting private data is the process of ensuring data confidentiality. Organizations must use proper security controls specific to this concern. Some examples include the following:
▪ Adopting a data classification standard that defines how to treat data throughout your IT infrastructure.
▪ Limiting access to systems and applications that house confidential data to only those authorized to use that data.
▪ Encrypting data in transit as they cross the public Internet.
▪ Encrypting data at rest within databases and storage devices.

Integrity

Integrity of information refers to protecting information from being modified by unauthorized parties, as illustrated by the figure below. Integrity controls both restrict who may change data (access control) and make unauthorized or accidental changes detectable (checksums, message authentication codes, digital signatures).

Corruption of data integrity is a serious threat to an organization, especially if the data are critical to business operations.
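A worked example of making unauthorized modification detectable, added here and not part of the original slides: an HMAC-SHA256 tag is computed over each record with a key that database writers do not hold, so any change to the stored data (or to the tag) fails verification. The payroll record, the key generation and the helper names are constructed for the example; only Python's standard library is used.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared key; in practice it lives in a key store, not in source code,
# and is not available to the people or processes that can write to the database.
INTEGRITY_KEY = secrets.token_bytes(32)


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so identical content always yields the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(record: dict, key: bytes = INTEGRITY_KEY) -> dict:
    """Return an envelope holding the record and an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"data": record, "tag": tag}


def verify(envelope: dict, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag and compare in constant time; any modification flips the result."""
    expected = hmac.new(key, canonical(envelope["data"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def tamper_demo() -> tuple:
    """Constructed payroll record: the untouched envelope verifies; a modified record
    and a record with a recomputed (unkeyed) hash in place of the tag both fail."""
    stored = protect({"employee": "E1001", "salary": 52000, "currency": "USD"})
    ok_untouched = verify(stored)

    # An attacker with write access to the database, but not to the key, raises the salary.
    modified = {"data": dict(stored["data"], salary=520000), "tag": stored["tag"]}
    ok_modified = verify(modified)

    # With a plain hash (no key) the attacker could simply recompute a matching value;
    # because the tag is keyed, the forged tag still fails verification.
    forged_tag = hashlib.sha256(canonical(modified["data"])).hexdigest()
    ok_forged = verify({"data": modified["data"], "tag": forged_tag})
    return ok_untouched, ok_modified, ok_forged
```

The point of the keyed tag is the separation of privilege: whoever can write the data must not be able to produce a valid tag. A digital signature gives the same property with a public verification key when the verifier should not hold a secret at all.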
Availability

Availability is a common term in everyday life. For example, you probably pay attention to the availability of
▪ your Internet service,
▪ TV service, and
▪ cell phone service.
In the context of information security, availability is generally expressed as the amount of time users can use a system, application, and data, usually as a percentage of uptime over a period (for example, 99.9% per month) against which actual downtime is measured.
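An added example, not from the original slides, of turning an incident log into the availability figure described above: outages are clipped to the reporting period and merged where they overlap (two tickets for one failure must not be counted twice), then compared with the downtime a target such as 99.9% still permits. The incident records and period are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed incident log for a 30-day period (UTC). Overlaps and an outage that
# straddles the period boundary are deliberate edge cases.
PERIOD_START = datetime(2024, 5, 1)
PERIOD_END = datetime(2024, 5, 31)
INCIDENTS = [
    (datetime(2024, 5, 3, 2, 0), datetime(2024, 5, 3, 2, 45)),       # 45 min, storage failover
    (datetime(2024, 5, 3, 2, 30), datetime(2024, 5, 3, 3, 0)),       # 30 min, overlaps previous
    (datetime(2024, 5, 17, 14, 0), datetime(2024, 5, 17, 14, 15)),   # 15 min, expired TLS cert
    (datetime(2024, 4, 30, 23, 0), datetime(2024, 5, 1, 0, 30)),     # straddles period start
]


def merged_downtime(incidents, start, end) -> timedelta:
    """Sum outage time inside [start, end), merging overlapping or abutting outages first."""
    clipped = sorted((max(s, start), min(e, end)) for s, e in incidents if e > start and s < end)
    total = timedelta()
    cur_s = cur_e = None
    for s, e in clipped:
        if cur_e is None or s > cur_e:        # disjoint: close the previous merged window
            if cur_e is not None:
                total += cur_e - cur_s
            cur_s, cur_e = s, e
        else:                                 # overlapping: extend the current window
            cur_e = max(cur_e, e)
    if cur_e is not None:
        total += cur_e - cur_s
    return total


def availability(incidents, start, end) -> float:
    """Availability as a fraction: time the service was usable over the whole period."""
    return 1 - merged_downtime(incidents, start, end) / (end - start)


def downtime_budget(target: float, start, end) -> timedelta:
    """Downtime an availability target such as 0.999 still permits in this period."""
    return (end - start) * (1 - target)


def report(target: float = 0.999) -> dict:
    """Summarise the constructed period against the target, in minutes and as a fraction."""
    down = merged_downtime(INCIDENTS, PERIOD_START, PERIOD_END)
    budget = downtime_budget(target, PERIOD_START, PERIOD_END)
    return {
        "downtime_min": down.total_seconds() / 60,
        "availability": availability(INCIDENTS, PERIOD_START, PERIOD_END),
        "budget_min": budget.total_seconds() / 60,
        "budget_left_min": (budget - down).total_seconds() / 60,
    }
```

For the constructed log the merged downtime is 105 minutes out of 43,200 in the period, so availability is about 99.76%; a 99.9% target allows only 43.2 minutes, and the budget is already overspent.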
The Seven Domains of a Typical IT Infrastructure

What role do the three tenets of systems security play in a typical IT infrastructure? First, let's review what a typical IT infrastructure looks like.
User Domain

▪ The User Domain defines the people who access an organization’s information
system.
▪ The User Domain is where you will find an acceptable use policy (AUP). An
AUP defines what users are allowed and not allowed to do with organization-
owned IT assets. It’s like a rule book that employees must follow. Violation of
these rules can be grounds for dismissal. This is where the first layer of defense
starts for a layered security strategy.
User Domain

Risks, threats, or vulnerabilities and their mitigations:
▪ Lack of user awareness. Mitigation: conduct security awareness training, display security awareness posters, and send email reminders to employees.
▪ User insertion of CDs and USB drives with personal photos, music, and videos. Mitigation: disable internal CD drives and USB ports; enable automatic antivirus scans for inserted media drives.
▪ Security policy violations. Mitigation: place the employee on probation, review the AUP and employee manual, and discuss during performance reviews.
Workstation Domain
A workstation can be a desktop computer, a laptop computer, a special-purpose
terminal, or any other device that connects to your network. Workstation
computers are generally thin clients or thick clients.
▪ A thin client is software or an actual computer with no hard drive that runs
on a network and relies on a server to provide applications, data, and all
processing.
▪ A thick client is more fully featured hardware that contains a hard drive and
applications and processes data locally, going to the server mainly for file
storage. An ordinary PC is an example of a thick client.
Other devices that can be considered workstations are personal digital assistants
(PDAs), smartphones, and tablet PCs.
Workstation Domain

Risks, threats, or vulnerabilities and their mitigations:
▪ Unauthorized access to a workstation. Mitigation: enable password protection on workstations for access; enable automatic screen lockout after a period of inactivity; do not give users system administrator rights.
▪ Unauthorized access to systems, applications, and data. Mitigation: define strict access control policies, standards, procedures, and guidelines; implement a second level or layer of authentication for applications that contain sensitive data (e.g., two-step authentication).
▪ User insertion of CDs, digital video discs (DVDs), or universal serial bus (USB) thumb drives into the organization's computers. Mitigation: deactivate all CD, DVD, and USB ports; enable automatic antivirus scans for inserted CDs, DVDs, and USB thumb drives that contain files.
LAN Domain
A local area network (LAN) is a collection of computers connected to one
another or to a common connection medium. The physical part of the LAN
Domain consists of the following:
▪ Network interface card (NIC).
▪ Cabling.
▪ LAN switch.
▪ Wireless access points (WAPs).
▪ File server and print server.
LAN Domain

LAN system administration includes maintaining the master lists of user accounts and access rights. In the LAN Domain, two-step authentication might be required. Two-step authentication is like a gate whereby the user must confirm his or her identity a second time, with something other than the password (for example, a one-time code from an enrolled device). This mitigates the risk of unauthorized access by someone who has stolen or guessed a password.

Risks, threats, or vulnerabilities and their mitigations:
▪ Unauthorized access to the LAN. Mitigation: make sure wiring closets, data centers, and computer rooms are secure; do not allow anyone access without proper ID.
▪ Unauthorized access to systems, applications, and data. Mitigation: define strict access control policies, standards, procedures, and guidelines; implement a second-level identity check to gain access to sensitive systems, applications, and data; restrict users' access to LAN folders and their read/write/delete privileges on specific documents as needed.
Weakest Link in the Security of an IT Infrastructure

The user is the weakest link in security. Human error is a major risk and threat to
any organization. No group can completely control any person’s behavior. For
these reasons, every organization must be prepared for malicious users, untrained
users, and careless users. The following strategies can help reduce risk:
▪ Check the background of each job candidate carefully.
▪ Give each staff member a regular evaluation.
▪ Rotate access to sensitive systems, applications, and data among different staff
positions.
▪ Apply sound application and software testing and review for quality.
▪ Regularly review security plans throughout the seven domains of a typical IT
system.
▪ Perform annual security control audits.
IT Security Policy Framework

Cyberspace cannot continue to flourish without some assurances of user security. Several laws now require organizations to keep personal data private. Businesses cannot operate effectively on an Internet where anyone can steal their data. IT security is crucial to any organization's ability to survive. This section introduces you to an IT security policy framework.
The framework consists of policies, standards, procedures, and guidelines that reduce risks and threats.
Definitions

An IT security policy framework contains four main components:

▪ Policy: a policy is a short written statement that the people in charge of an organization have set as a course of action or direction. A policy comes from upper management and applies to the entire organization.
▪ Standard: a standard is a detailed written definition for hardware and software and how they are to be used. Standards ensure that consistent security controls are used throughout the IT system.
▪ Procedures: these are written instructions for how to carry out policies and standards. They may include a plan of action, installation, testing, and auditing of security controls.
▪ Guidelines: a guideline is a suggested course of action for using the policy, standards, or procedures. Guidelines can be specific or flexible regarding use.
Definitions

Policies apply to an entire organization. Standards are specific to a given policy. Procedures and guidelines help define use. Within each policy and standard, identify the impact for the seven domains of a typical IT infrastructure. This will help define the roles, responsibilities, and accountability throughout.
Foundational IT Security Policies

▪ Acceptable use policy (AUP): The AUP defines the actions that are and are not
allowed with respect to the use of organization-owned IT assets. This policy is
specific to the User Domain and mitigates risk between an organization and its
employees.
▪ Security awareness policy: This policy defines how to ensure that all personnel
are aware of the importance of security and behavioral expectations under the
organization’s security policy. This policy is specific to the User Domain.
Data Classification Standards

The goal and objective of a data classification standard is to provide a consistent definition for how an organization should handle and secure different types of data. For businesses and organizations under recent compliance laws, data classification standards typically include the following major categories:

▪ Private data: data about people that must be kept private. Organizations must use proper security controls to be in compliance.
▪ Confidential: information or data owned by the organization. Intellectual property, customer lists, pricing information, and patents are examples of confidential data.
Data Classification Standards

▪ Internal use only: information or data shared internally by an organization. Although confidential information or data may not be included, such communications are not intended to leave the organization.
▪ Public domain data: information or data shared with the public, such as website content.
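An added example (not from the original slides) tying the data classification standard to the confidentiality controls listed earlier (adopt a classification, limit access, encrypt): a document is classified by the highest category its content triggers, never below the level its author declared, and a proposed transfer is checked against a handling matrix. The content-detection patterns, the handling matrix and the function names are constructed for this example; an organization's real standard defines both the categories and the handling rules.

```python
import re
from enum import IntEnum


class Level(IntEnum):
    """The four categories from the standard, ordered by sensitivity."""
    PUBLIC = 0
    INTERNAL_USE_ONLY = 1
    CONFIDENTIAL = 2
    PRIVATE = 3


# Constructed detection rules. Real DLP tooling uses validated matchers (Luhn checks for
# card numbers, document fingerprints, labels) and organization-specific markers.
RULES = [
    (Level.PRIVATE, re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),                 # US SSN-shaped number
    (Level.PRIVATE, re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")),           # e-mail address
    (Level.CONFIDENTIAL, re.compile(r"\b(?:CONFIDENTIAL|price list|customer list)\b", re.I)),
    (Level.INTERNAL_USE_ONLY, re.compile(r"\bINTERNAL USE ONLY\b", re.I)),
]

# Constructed handling matrix following the slide text: internal-use data stays inside the
# organization; confidential and private data must be encrypted in transit and at rest.
HANDLING = {
    Level.PUBLIC: {"stay_internal": False, "must_encrypt": False},
    Level.INTERNAL_USE_ONLY: {"stay_internal": True, "must_encrypt": False},
    Level.CONFIDENTIAL: {"stay_internal": False, "must_encrypt": True},
    Level.PRIVATE: {"stay_internal": False, "must_encrypt": True},
}


def classify(text: str, declared: Level = Level.PUBLIC) -> Level:
    """Highest level triggered by the content, never lower than what the author declared."""
    level = declared
    for rule_level, pattern in RULES:
        if pattern.search(text):
            level = max(level, rule_level)
    return level


def check_transfer(text: str, destination_external: bool, encrypted: bool,
                   declared: Level = Level.PUBLIC) -> tuple:
    """Decide whether sending `text` is permitted. Returns (allowed, level, reasons)."""
    level = classify(text, declared)
    rules = HANDLING[level]
    reasons = []
    if destination_external and rules["stay_internal"]:
        reasons.append(f"{level.name} data may not leave the organization")
    if rules["must_encrypt"] and not encrypted:
        reasons.append(f"{level.name} data must be encrypted in transit and at rest")
    return (not reasons, level, reasons)
```

Taking the maximum of the declared and detected levels is the safe direction: a label can understate sensitivity (a "public" newsletter that contains a customer's e-mail address), but content detection should never be allowed to downgrade a label the owner set.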
THANK YOU
