© ITT Educational Services, Inc. All rights reserved.
IS3350 Security Issues in Legal Context
Unit 1
Information Systems Security Overview

Learning Objective
Recognize the legal aspects of the information security triad: Availability, Integrity, Confidentiality

Key Concepts
• Availability, Integrity, and Confidentiality (AIC Triad)
• Basic information system security concepts
• Risk analysis and mitigation
• Mechanisms for organizational information security
• Data classifications requiring specialized legal consideration

EXPLORE: CONCEPTS

Information Security: CIA Triad
[Diagram of the CIA Triad: Confidentiality, Integrity, Availability]

Information Security Common Concerns
• Shoulder Surfing
• Social Engineering
• Spear Phishing
• Malware
• Spyware
• Logic Bomb
• Back Door
• Denial of Service

Data Classification

General Military Classification    General Corporate Classification
Top Secret                         Corporate Confidential
Secret                             Client Confidential
Confidential                       Proprietary
Restricted                         Public
Unclassified

Legal Mechanisms to Ensure Information Security
• Laws: Gramm-Leach-Bliley Act, HIPAA, Sarbanes-Oxley (SOX), and others
• Information Regulations: Financial, credit card, health, etc.
• Agencies: FTC, Banks, DHHS, SEC, DOE, etc.

Risk Management Concepts
• Vulnerability ~ asset weaknesses
• Mitigation ~ safeguard assets
• Threat Agent ~ hacker or malware
• Exploits ~ threats carried out
• Risks ~ minimized by asset owner

EXPLORE: PROCESS

Risk Management Process
[Diagram relating the elements of the process: Owner, Safeguard, Vulnerability, Risk, Asset, Threat Agent, Threat]

EXPLORE: ROLES

Roles in Risk Management
• Senior Management
• Information Technology Department
• Legal Department
• Chief Information Security Officer

EXPLORE: CONTEXT

Information Security in Different Contexts

Government Organizations            Corporations
High Interest in Confidentiality    High Interest in Availability
Mandatory Access                    Discretionary Access
Lattice-Based Models                Role-Based Models

Access Control Models
• Discretionary Access Control (DAC): discretion of the owner
• Mandatory Access Control (MAC): security labels & classifications
• Role-Based Access Control (RBAC): job function or role
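Worked example, added to these notes and not part of the original slides: a small Python program that puts the three models side by side so the difference in who sets policy is visible. The label ordering comes from the military column of the Data Classification slide; everything else is an assumption of the example, namely the owner/ACL rules for DAC, the Bell-LaPadula read/write rules (no read up, no write down) used as the lattice model for MAC, the role table for RBAC, and the user and resource names.

```python
"""DAC, MAC and RBAC side by side.

Added illustration for the Access Control Models slide. The subjects,
resources, roles and rules below are constructed for the example.
"""
from dataclasses import dataclass, field

# Lattice of security labels, ordered low to high, taken from the
# military column of the Data Classification slide.
LEVELS = ["Unclassified", "Restricted", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(higher: str, lower: str) -> bool:
    """True when label `higher` is at or above label `lower` in the lattice."""
    return RANK[higher] >= RANK[lower]


# --- Discretionary Access Control: the owner decides -----------------------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions


def dac_check(obj: DacObject, user: str, perm: str) -> bool:
    """The owner holds every right; anyone else needs an ACL entry."""
    if user == obj.owner:
        return True
    return perm in obj.acl.get(user, set())


def dac_grant(obj: DacObject, grantor: str, grantee: str, perm: str) -> bool:
    """Only the owner may extend the ACL. Returns True if the grant took effect."""
    if grantor != obj.owner:
        return False
    obj.acl.setdefault(grantee, set()).add(perm)
    return True


# --- Mandatory Access Control: labels fixed by policy, not by the owner ----
def mac_check(clearance: str, label: str, perm: str) -> bool:
    """Bell-LaPadula rules (assumed lattice model): no read up, no write down."""
    if perm == "read":
        return dominates(clearance, label)      # subject must dominate object
    if perm == "write":
        return dominates(label, clearance)      # object must dominate subject
    return False


# --- Role-Based Access Control: permissions attach to job functions --------
ROLE_PERMS = {  # constructed role table
    "clerk": {("ledger", "read")},
    "accountant": {("ledger", "read"), ("ledger", "write")},
    "auditor": {("ledger", "read"), ("audit_log", "read")},
}
USER_ROLES = {"alice": {"accountant"}, "bob": {"clerk"}, "carol": {"auditor"}}


def rbac_check(user: str, resource: str, perm: str) -> bool:
    """Allowed if any role assigned to the user carries the permission."""
    return any((resource, perm) in ROLE_PERMS[r] for r in USER_ROLES.get(user, set()))


def demo() -> dict:
    """Run one scenario per model and return the decisions by name."""
    results = {}
    report = DacObject(owner="alice")
    results["dac_owner_read"] = dac_check(report, "alice", "read")
    results["dac_bob_before"] = dac_check(report, "bob", "read")
    dac_grant(report, "alice", "bob", "read")           # owner extends access
    results["dac_bob_after"] = dac_check(report, "bob", "read")
    results["dac_bob_cannot_grant"] = dac_grant(report, "bob", "carol", "read")
    results["mac_read_down"] = mac_check("Secret", "Confidential", "read")
    results["mac_read_up"] = mac_check("Confidential", "Secret", "read")
    results["mac_write_down"] = mac_check("Secret", "Confidential", "write")
    results["rbac_clerk_write"] = rbac_check("bob", "ledger", "write")
    results["rbac_accountant_write"] = rbac_check("alice", "ledger", "write")
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:26s} {'ALLOW' if allowed else 'DENY'}")
```

Run it directly to print one ALLOW/DENY line per check. The contrast to notice is where the policy lives: in DAC the owner can widen access on their own, in MAC neither subject nor owner can override the labels, and in RBAC rights follow the role rather than the person, which is what keeps joiner/mover/leaver changes reviewable in a regulated environment.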

EXPLORE: RATIONALE

Law and Information Security
• Cyberspace theft
• Internet extortion
• Online pedophilia
• Jurisdiction issues
• Electronic signature issues

Summary
• Availability, Integrity, and Confidentiality (AIC Triad)
• Basic information system security concepts
• Risk analysis and mitigation
• Mechanisms for organizational information security
• Data classifications requiring specialized legal consideration