06 IT Security
7/28/2019 06 IT Security
1/26
3 June 2013
IT Security
-
Overview
Information held in IT systems is increasingly a critical resource in enabling organisations to achieve their goals
Expectation of privacy and protection from harm
Expectation that the systems will perform their functions efficiently whilst exercising proper control of the information
-
Management's Concern about IT Security
Dependence on IT systems: information systems which can provide accurate services when and where they are required are the key to the survival of most modern businesses
Exposure of IT systems: IT systems need a stable environment; organisations rely upon the accuracy of information provided by their systems
Investment in IT systems: information systems are costly both to develop and maintain, and management should protect their investment like any other valuable asset
-
Balance of Protecting IT Assets
Appropriate to an organisation's business needs yet comprehensive in its coverage
Justified to the extent that it will reduce perceived risks to the level that management are willing to accept
Effective against actual threats
-
Objective of IT Security
Information is accessible only to those authorised to have access (confidentiality)
Safeguarding the accuracy and completeness of information and processing methods (integrity)
Ensuring that authorised users have access to information and associated assets when required (availability)
-
IT Security Standards & Frameworks
ISO/IEC 17799
COBIT
etc
-
ISO/IEC 17799
1. Risk assessment and treatment
2. Security policy
3. Organisation of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance
-
COBIT
Control Objectives for Information and Related Technology
Newest: COBIT 5
Widely used: COBIT 4.1
Framework
Control Objectives
Management Guidelines
Maturity Models
-
IT Risk Analysis
Objective: identify the various ways in which data, the information system, and the network which supports it, are exposed to risk
Involves assessing the possibility that each of a wide range of threats
End result: a security requirement for each type of threat that could affect the system
-
Risk
Risk in IT: a combination of threat, vulnerability, and impact
Threat: an unwanted event that could remove, disable, damage, or destroy an IT asset
Vulnerability: a weakness that could be exploited by a threat
Impact: the consequences of a vulnerability in a system being exploited by a threat
-
Risk Analysis & Risk Management
-
Risk Analysis Principles
Business modelling to determine which information systems support which business functions
Impact analysis to determine the sensitivity of key business functions to a breach of confidentiality, integrity or availability
Dependency analysis to determine points of access to information systems and assets that must be in place to deliver a service to a business function
Threat and vulnerability analysis to determine points of weakness in the system configuration and the likelihood of events
-
Components of IT Risk
-
Reviewing IT risks
IT risk analysis involves identifying IT assets that are at risk:
What type of threats do they face?
What are their likely causes and their probable impact(s)?
What is the likelihood of the threat succeeding?
How would we know if the threat did succeed?
What can we do to prevent the impact?
What can we do to recover if the threat does succeed?
-
Risk Management
Involves the identification, selection, and implementation of countermeasures that are designed to reduce the identified levels of risk to acceptable levels
It is impossible to reduce all risks to zero (in terms of cost-effective risk management)
-
Types of Countermeasures
Reduce the threat
Reduce the vulnerability
Reduce the impact
Detect an incident
Recover from the impact
-
Risk Management Process
Prioritize actions: based on the risk levels presented in the risk assessment report, the implementation actions are prioritized.
Evaluate recommended control actions: the technical feasibility and effectiveness of all identified controls should be evaluated so that the most appropriate control is chosen.
Conduct cost-benefit analysis: to allocate resources and implement cost-effective solutions, organisations should conduct a cost-benefit analysis for each proposed control.
Select control: on the basis of the results of the cost-benefit analysis, management selects the cost-effective controls for reducing risks.
-
Risk Management Process (continued)
Assign responsibility: responsibility should be assigned to in-house experts or an outside agency which have the appropriate skill set and expertise to implement the selected control.
Develop safeguard implementation plan: the safeguard implementation plan prioritizes the implementation actions and projects the start dates and the target completion dates.
Implement selected controls: the selected controls should be implemented so that the risks are brought down within the acceptable levels.
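The first four process steps (prioritize actions, evaluate feasibility, cost-benefit analysis, select control) as an added worked example in Python; it is not part of the slides. The 1-5 scoring scale, the product formula for risk level, the factor model for the "reduce threat / vulnerability / impact" countermeasure types, and every asset, control and figure are constructed assumptions.

```python
from dataclasses import dataclass
# Assumption (constructed for this example): likelihood, vulnerability and impact
# are each scored 1-5 and risk level is their product; the slides call risk a
# "combination" of the three but give no formula.
@dataclass
class Risk:
    asset: str
    likelihood: int
    vulnerability: int
    impact: int
    def level(self) -> int:
        return self.likelihood * self.vulnerability * self.impact

@dataclass
class Control:
    name: str
    cost: float            # same units as loss_per_unit below
    feasible: bool = True  # technical feasibility (step 2)
    # multipliers once in place (reduce threat / vulnerability / impact countermeasures)
    threat_factor: float = 1.0
    vulnerability_factor: float = 1.0
    impact_factor: float = 1.0
    def residual(self, r: Risk) -> float:
        return (r.likelihood * self.threat_factor * r.vulnerability
                * self.vulnerability_factor * r.impact * self.impact_factor)

def select_control(risk, candidates, acceptable, loss_per_unit):
    """Steps 2-4: cost-benefit each feasible control (risk reduction priced at loss_per_unit,
    minus its cost); cheapest one reaching the acceptable level wins, else best net benefit."""
    if risk.level() <= acceptable:
        return None  # already acceptable: accept the risk, no control needed
    scored = [(c, c.residual(risk), (risk.level() - c.residual(risk)) * loss_per_unit - c.cost)
              for c in candidates if c.feasible]
    meets = [s for s in scored if s[1] <= acceptable and s[2] >= 0]
    if meets:
        return min(meets, key=lambda s: s[0].cost)[0]
    paying = [s for s in scored if s[2] > 0]
    return max(paying, key=lambda s: s[2])[0] if paying else None
# Constructed sample risks and candidate controls (hypothetical figures).
RISKS = [Risk("customer database", 3, 4, 5), Risk("office LAN", 2, 3, 3)]
CONTROLS = {"customer database": [
    Control("integrity-checked encrypted transfer", cost=20, vulnerability_factor=0.25),
    Control("daily off-site backup", cost=10, impact_factor=0.5),
    Control("rewrite the application", cost=500, feasible=False, vulnerability_factor=0.1)],
    "office LAN": [Control("spare hub on site", cost=5, impact_factor=0.5)]}
def plan(acceptable=20, loss_per_unit=1.0):
    # Step 1: prioritise by level, then steps 2-4 per risk -> (asset, level, control)
    return [(r.asset, r.level(), c.name if c else None)
            for r in sorted(RISKS, key=lambda r: r.level(), reverse=True)
            for c in [select_control(r, CONTROLS[r.asset], acceptable, loss_per_unit)]]
```

Lowering the acceptable level or the priced loss per unit of risk changes which controls pay for themselves, which is the point of running the cost-benefit step per control rather than choosing the strongest safeguard.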
-
Organisation of Information Security
Information security structure
Security of third party access
Outsourcing
-
1. Information Security Structure
The objective is to deal with management of information security within the organisation.
A management framework should be established to initiate and control the implementation of information security within the organisation
Review: see the IS Management course
-
2. Security of 3rd Party Access
The objective is to maintain security of organisational information processing facilities accessed by third parties.
Access to organisations' information processing facilities by third parties should be controlled
-
3. Outsourcing
The objective is to maintain security of information when responsibility for processing is outsourced
-
Types of Information Systems Assets
Information assets: databases and data files, system documentation, user manuals, training material, operational or support procedures, continuity plans, fallback arrangements, archived information
Software assets: application software, system software, development tools and utilities
Physical assets: computer equipment (processors, monitors, laptops, modems), communication equipment (routers, PABX, fax machines), magnetic media (tapes and disks)
Services: computing and communication services, general utilities, e.g. heating, lighting, power, air-conditioning
-
(Networking & Communication) New Threats and Risks
Data loss: data may be deleted or lost in transmission
Data corruption: data errors can occur during transmission
System unavailability: network links may be easily damaged; a loss of a hub can affect the processing ability of many users; communications lines often extend beyond the boundaries of control of the client, e.g. the client may rely on the local telephone company for ISDN lines
-
Assignment
Write a paper on information security audit issues
Group assignment (use the existing groups)
Delivery:
Presentation on 26 March
Report in hard-copy form, to be submitted at the mid-term exam (UTS)