Lecture 29: Information Security
Overview
• The CIA
• Security Governance
  – Policies, Procedures, etc.
  – Organizational Structures
  – Roles and Responsibilities
• Information Classification
• Risk Management
The CIA: Information Security Principles
• Confidentiality
  – Allowing only authorized subjects access to information
• Integrity
  – Allowing only authorized subjects to modify information
• Availability
  – Ensuring that information and resources are accessible when needed
Reverse CIA
• Confidentiality
  – Preventing unauthorized subjects from accessing information
• Integrity
  – Preventing unauthorized subjects from modifying information
• Availability
  – Preventing information and resources from being inaccessible when needed
Using the CIA
• Think in terms of the core information security principles
• How does this threat impact the CIA?
• What controls can be used to reduce the risk to CIA?
• If we increase confidentiality, will we decrease availability?
Security Governance
• Security Governance is the organizational processes and relationships for managing risk
  – Policies, Procedures, Standards, Guidelines, Baselines
  – Organizational Structures
  – Roles and Responsibilities
Policy Mapping
[Diagram: layered policy hierarchy]
• Laws, Regulations, Requirements, Organizational Goals, Objectives
  – General Organizational Policies
    – Functional Policies
      – Procedures, Standards, Guidelines, Baselines
Policies
• Policies are statements of management intentions and goals
• Senior Management support and approval is vital to success
• General, high-level objectives
• Acceptable use, internet access, logging, information security, etc.
Procedures
• Procedures are detailed steps to perform a specific task
• Usually required by policy
• Decommissioning resources, adding user accounts, deleting user accounts, change management, etc.
Standards
• Standards specify the use of specific technologies in a uniform manner
• Require uniformity throughout the organization
• Operating systems, applications, server tools, router configurations, etc.
Guidelines
• Guidelines are recommended methods for performing a task
• Recommended, but not required
• Malware cleanup, spyware removal, data conversion, sanitization, etc.
Baselines
• Baselines are similar to standards but account for differences in technologies and versions from different vendors
• Operating system security baselines
  – FreeBSD 6.2, Mac OS X Panther, Solaris 10, Red Hat Enterprise Linux 5, Windows 2000, Windows XP, Windows Vista, etc.