information security nafis

Upload: nafis20

Post on 01-Jun-2018


  • 8/9/2019 Information Security Nafis

    1/10


unauthorized use.

4. Ensure the confidentiality of the customer's and your processed data, and prevent unauthorized disclosure or use.

5. Ensure the integrity of the customer's and your processed data, and prevent the unauthorized

3. What is a security policy and why do we need one?

A security policy is the essential basis on which an effective and comprehensive security program can be developed. This critical component of the overall security architecture, however, is often overlooked. A security policy is the primary way in which management's expectations for security are translated into specific, measurable, and testable goals and objectives. It is crucial to take a top-down approach based on a well-stated policy in order to develop an effective security architecture. Conversely, if there isn't a security policy defining and communicating these decisions, then they will be made by the individuals building, installing, and maintaining computer systems, and this will result in a disparate and less than optimal security architecture being implemented.

The characteristics of good security policies are:

1. They must be implementable through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods.

2. They must be enforceable with security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible.

3. They must clearly define the areas of responsibility for the users, administrators, and management.

4. They must be documented, distributed, and communicated.

4. What is the difference between logical and physical security? Can you give an example of both?

4. What are the most common types of attack that threaten enterprise data security?

1. Spoofing.

2. Sniffing.

3. Mapping.

4. Hijacking.


    5. Trojans.

    6. DoS and DDoS.

    7. Social engineering.

5. What is the difference between a threat and a vulnerability?

6. What is a security control?

7. What are the different types of security control?

8. What is incident management?

Incident management is a defined process for logging, recording and resolving incidents. The aim of incident management is to restore the service to the customer as quickly as possible, often through a workaround or temporary fixes, rather than through trying to find a permanent solution.

What are the differences between incident management and problem management?

Problem management differs from incident management in that its main goal is the detection of the underlying causes of an incident and the best resolution and prevention. In many situations, the goals of problem management can be in direct conflict with the goals of incident management.

Deciding which approach to take requires careful consideration. A sensible approach would be to restore the service as quickly as possible (incident management), but ensuring that all details are recorded. This will enable problem management to continue once a workaround has been implemented.

Discipline is required, as the idea that the incident is fixed is likely to prevail. However, the incident may well appear again if the resolution to the problem is not found.

Incident versus problem

An incident is where an error occurs: something doesn't work the way it is expected. This is often described as:

a fault

an error

it doesn't work!

a problem

but the ITIL term used is an incident.


A problem (is different) and can be:

the occurrence of the same incident many times

an incident that affects many users

the result of network diagnostics revealing that some systems are not operating in the expected way

A problem can exist without having immediate impact on the users, whereas incidents are usually more visible and the impact on the user is more immediate.
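As an added illustration (not part of the original document), the following Python sketch models the two situations just described: an incident is logged and restored with a workaround, and a problem record is raised only when the same incident recurs or one incident affects many users. The thresholds, field names and the (service, symptom) signature are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Thresholds are constructed assumptions for the two conditions the text gives.
REPEAT_THRESHOLD = 3        # same incident logged this many times -> problem
MANY_USERS_THRESHOLD = 10   # one incident hitting this many users -> problem

@dataclass
class Incident:
    ident: str
    service: str
    symptom: str            # e.g. "service not available"
    users_affected: int
    workaround: str = ""    # kept on record so problem management can continue

@dataclass
class ProblemRecord:
    signature: tuple        # (service, symptom) shared by the linked incidents
    reason: str
    incident_ids: list = field(default_factory=list)

class IncidentLog:
    def __init__(self):
        self.incidents = []
        self.problems = {}                  # signature -> ProblemRecord
        self._by_signature = defaultdict(list)

    def log(self, inc: Incident) -> Optional[ProblemRecord]:
        """Record the incident; return the problem record it belongs to, if any."""
        sig = (inc.service, inc.symptom)
        self.incidents.append(inc)
        self._by_signature[sig].append(inc)
        if sig in self.problems:            # already a known problem: link it
            self.problems[sig].incident_ids.append(inc.ident)
            return self.problems[sig]
        if inc.users_affected >= MANY_USERS_THRESHOLD:
            reason = "incident affects many users"
        elif len(self._by_signature[sig]) >= REPEAT_THRESHOLD:
            reason = "same incident occurred many times"
        else:
            return None                     # plain incident: restore service, move on
        rec = ProblemRecord(sig, reason, [i.ident for i in self._by_signature[sig]])
        self.problems[sig] = rec
        return rec

    def resolve(self, ident: str, workaround: str) -> None:
        """Restore service with a workaround but keep the incident details on record."""
        for inc in self.incidents:
            if inc.ident == ident:
                inc.workaround = workaround
```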

    ' = 2

Examples of incidents

User experienced incidents

Application: service not available (this could be due to either the network or the application, but at first the user will not be able to determine which); error message when trying to access the application; application bug or query preventing the user from working; disk space full (technical incident).

Hardware: system down; printer not printing; new hardware, such as scanner, printer or digital camera, not working (technical incident).

Technical incidents

Technical incidents can occur without the user being aware of them. There may be a slower response on the network or on individual workstations but, if this is a gradual decline, the user may not notice.

Technicians using diagnostics or proactive monitoring usually spot technical incidents. If a technical incident is not resolved, the impact can affect many users for a long time.

In time, experienced users and the service desk will spot these incidents before the impact affects most users.

Examples of technical incidents:

Disk space nearly full (this will affect users only when it is completely full)

Network card intermittent fault: sometimes it appears that the user cannot connect to the network, but on a second attempt the connection works. Replacing the card before it stops working completely provides more benefit to the users

Monitor flickering: it is more troublesome in some applications than others. Although the flicker may be easy to live with or ignore, the monitor will not usually last more than a few weeks in this state

Why use incident management?

There are major benefits to be gained by implementing an incident management process:

improved information to customers/users on aspects of service quality

improved information on the reliability of equipment

better staff confidence that a process exists to keep services working

certainty that incidents logged will be addressed and not forgotten

reduction of the impact of incidents on the business/organisation

resolving the incident first rather than the problem, which will help in keeping the service available (but beware of too many quick fixes that problem management does not ultimately resolve)

working with knowledge about the configuration and any changes made, which will enable you to identify the cause of incidents quickly

improved monitoring and ability to interpret the reports, which will help to identify incidents before they have an impact

9. What is business continuity management? How does it relate to security?

10. What is a security audit?

11. What is the difference between authentication and authorization?

12. What is a firewall?

13. What are the layers of the OSI model?

14. What information security challenges are faced in a cloud computing environment?

15. What are the typical responsibilities of a Chief Security Officer (CSO)?

The CSO is the individual primarily responsible for the assessment, management, and implementation of securing the information in the organization. The CSO may also be referred to as the Manager for Security, the Security Administrator, or a similar title.

16. In your opinion, what are the top five information security threats facing an organization such as ours?


17. What is Sensitive Data?

Sensitive data encompasses a wide range of information and can include: your ethnic or racial origin, political opinion, religious or other similar beliefs, memberships, physical or mental health details, personal life, or criminal or civil offences. These examples of information are protected by your civil rights. Sensitive data can also include information that relates to you as a consumer, client, employee, patient or student, and it can be identifying information as well as your contact information, identification cards and numbers, birth date, and parents' names. All of this data belongs to you. You have full rights to access and use this information and you also have rights to know how others are doing the same. You should be protective of this information, just like you would be of your other belongings.

Sensitive Data

Sensitive Data is information covering:

The racial or ethnic origin of the Data Subject

Political opinions

Religious or other beliefs of a similar nature

Membership of trade unions

Physical or mental health or condition

Sexual Life

The commission of any offence or criminal records

Sensitive data must be collected using an opt-in and should be carefully handled. Other classes of data which might be regarded as sensitive are data relating to children and financial information.

18. Why Does Data Need Protecting?

Ans: With the advent of the Internet and new technologies that allow easier, quicker, as well as anonymous access to more information than ever before, people have now become more aware of identity theft and make conscious decisions about how to protect themselves. If the information is sensitive, it's likely to be protected by laws, regulations, or policies. However, you can take an active approach to making sure your information has not fallen into the hands of those who would misuse it for financial gain or other reasons. Identity theft and online crime have now surpassed any other form of crime in profits earned, including drug-related crimes, so it is important to be wary of how exposed your information really is.

Protecting Financial Information

Below are some tips to minimize exposure of your personal financial information.

• The Internet: Know with whom you're doing business, especially when you provide financial or identity information. Only deal with web sites that provide secure web pages, i.e. those addresses that start with "https" rather than "http", for your transactions. Legitimate sites will provide contact information and signed certificates for your verification. When logging in to financial accounts, use a strong password that you change on a regular basis.

• Credit cards online: Consider designating only one of your credit cards for online purchases. If a problem occurs with that card, you can cancel it and still have other cards. You can also request that your credit card limit be set to a level consistent with your credit card activities (rather than the high line of credit the company assigns). But don't set it so low that you'll have to use a second credit card.

• Credit card receipts: Always check your credit card receipts and other financial paperwork. They should not have the complete credit card number listed, only the last four digits. If the full number is listed, ask that it be truncated in the future.

• Your credit report: You should get a report at least once a year. Federal law entitles citizens to a free credit report per year from each of the three national credit bureaus. If you think you are in a high-risk category for identity theft, be sure to get a copy of your credit report once every three months.
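The receipt rule above (only the last four digits of a card number should appear) can be checked mechanically. The following Python example is added here and is not from the original document: it scans receipt text for full card numbers, uses the Luhn checksum to avoid flagging order or phone numbers of similar length, and truncates any match to its last four digits. The sample receipt is constructed and uses a well-known test card number.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_full_pans(text: str) -> list:
    """Return every Luhn-valid 13-19 digit number found in the text (separators removed)."""
    found = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found

def truncate_pans(text: str) -> str:
    """Replace each full card number with a masked form keeping only the last four digits."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)   # not a card number: leave order/phone numbers alone
        return "*" * (len(digits) - 4) + digits[-4:]
    return _CANDIDATE.sub(mask, text)

# Constructed sample receipt; 4111 1111 1111 1111 is a standard test card number.
SAMPLE_RECEIPT = """ACME STORE   Order 20180601123456
Card: 4111 1111 1111 1111  Auth 123456
Total: 42.00"""
```

Running `find_full_pans(SAMPLE_RECEIPT)` flags the card line while leaving the 14-digit order number untouched, because the order number fails the Luhn check.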

19. How Is Data Exposed?

Ans: Here are three ways your data can be exposed:

• Intrusion: Intruders can gain access to your data through a weakness in your computer system. To protect against this, keep your operating system updated, and use virus protection and strong passwords.

• Phishing: This is a clever method of extracting information from unsuspecting individuals. An e-mail, designed to look like it originated from a reputable company, usually a bank or online store, will tell you that there is a problem with your account. If links appear in this kind of e-mail message, never click on them regardless of how "believable" they seem or who the source is. If you have an account with the organization, it's better to call your service representative and verify the authenticity of the e-mail. If it is legitimate, ask to complete the process by phone. This eliminates the need to send your sensitive data over an unprotected network connection.

• Social engineering: Sometimes swindlers attempt to gather sensitive information, such as birthplace or mother's maiden name, by posing as a representative of a legitimate organization. You should always be wary of unsolicited requests from your bank or financial institution in which you are asked for information that could potentially be used for fraudulent purposes. SK never asks you to provide your username and password in e-mail or over the phone. For links and further information, see the rear panel of this pamphlet.

20. Define security policy and write the goals of a security policy.

21. What are the characteristics of good security policies?

22. Write the structure of a Security Policy.

23. How can we protect a computer from virus infection?

24. Explain Security Policy for Access Control.

25. What are the different methods for Computer Virus Detection and Removal?

26. Write the Security Policy for a Database.

27. Write a note on Information Systems Audit Policy.

28. What are the sources of threats to information systems?

Ans)

The sources of threats to any organization can be both internal and external. The main threats to your information assets can be categorized as follows:

Internal and Unintentional

Uninformed workers - mistakes can be made, information can be destroyed, confidential data exposed

Uninformed contract workers - not fully briefed, hence security can be compromised.

Internal and Intentional

Disgruntled employees - leaving bugs behind in your system

Contract workers trying to increase their employment value

Contract workers requiring access to get the job done despite opening your company to security risk

External and Technical

Political activists ("activists")

Hackers looking to steal credit card numbers

Information "brokers"

29. Why have cyber attacks been on the rise?

30. What is Packet Sniffing?

31. What is information security management? What are the benefits of ISMS?

What is ISMS?

An Information Security Management System (ISMS) is a systematic and structured approach to managing information so that it remains secure. ISMS implementation includes policies, processes, procedures, organizational structures and software and hardware functions. The ISMS implementation should be directly influenced by the organization's objectives, security requirements, processes employed, size and structure.

Why do we need ISMS?

Organizations and their information systems and networks are exposed to security THREATS such as fraud, espionage, fire, flood and sabotage from a wide range of sources. The increasing number of security breaches has led to increasing information security concerns among organizations worldwide.

1. Provides the means for information security corporate governance

2. Improves the effectiveness of the information security environment

3. Allows for market differentiation due to a positive influence on company prestige and image, as well as a possible effect on the asset or share value of the company

4. Provides satisfaction and confidence that customers' information security requirements are being met

5. Allows for focused staff responsibilities

6. Ensures compliance with mandates and laws

7. Reduces liability and risk due to implemented or enforced policies and procedures, which demonstrate due diligence

8. Potentially lowers rates on insurance

9. Facilitates better awareness of security throughout the organization

10. Provides competitive advantages and reduction in costs connected with the improvement of process efficiency and the management of security costs

Explain the Security Systems Development Life Cycle.

37. What are Common Network Security Problems?
