After studying this chapter you will be able to understand: the CIA triad; security governance; policies, procedures, etc.; organizational structures; roles and responsibilities; information classification; risk management.

Professional Practices in Information Technology HandBook
COMSATS Institute of Information Technology (Virtual Campus)
Islamabad, Pakistan

Lecture 29: Information Security Overview

Outline
– The CIA
– Security Governance: policies, procedures, etc.; organizational structures; roles and responsibilities
– Information Classification
– Risk Management

The CIA: Information Security Principles
– Confidentiality: allowing only authorized subjects access to information
– Integrity: allowing only authorized subjects to modify information
– Availability: ensuring that information and resources are accessible when needed

Reverse CIA
– Confidentiality: preventing unauthorized subjects from accessing information
– Integrity: preventing unauthorized subjects from modifying information
– Availability: preventing information and resources from being inaccessible when needed

Using the CIA
– Think in terms of the core information security principles
– How does this threat impact the CIA?
– What controls can be used to reduce the risk to CIA?
– If we increase confidentiality, will we decrease availability?

Security Governance
Security governance is the organizational processes and relationships for managing risk:
– Policies, procedures, standards, guidelines, baselines
– Organizational structures
– Roles and responsibilities

Policy Mapping
[Figure: Policy Mapping]

Policies
– Policies are statements of management intentions and goals
– Senior management support and approval is vital to success
– General, high-level objectives
– Acceptable use, internet access, logging, information security, etc.

Procedures
– Procedures are detailed steps to perform a specific task
– Usually required by policy
– Decommissioning resources, adding user accounts, deleting user accounts, change management, etc.

Standards
– Standards specify the use of specific technologies in a uniform manner
– Require uniformity throughout the organization
– Operating systems, applications, server tools, router configurations, etc.

Guidelines
– Guidelines are recommended methods for performing a task
– Recommended, but not required
– Malware cleanup, spyware removal, data conversion, sanitization, etc.

Baselines
– Baselines are similar to standards but account for differences in technologies and versions from different vendors
– Operating system security baselines
– FreeBSD, Mac OS X Panther, Solaris 10, Red Hat Enterprise Linux 5, Windows 2000, Windows XP, Windows Vista, etc.

Professional Practices in Information Technology CSC 110
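The difference between a standard ("root login over SSH is disabled everywhere") and a baseline (the concrete setting for each platform and version) is easiest to see in a compliance check. The following is an added example, not code from the COMSATS handbook: a small Python checker that selects the baseline matching a host's OS and version, reports every setting that deviates or is missing, and flags hosts for which no baseline exists instead of silently treating them as compliant. The baseline contents, setting names and host inventory are constructed for illustration and are not any vendor's published baseline values.

```python
# Added example (not from the COMSATS handbook): checking a host inventory
# against per-platform security baselines. Baseline contents, setting names
# and hosts below are constructed for illustration only.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# A standard states the requirement uniformly; a baseline states the concrete
# setting per platform/version, because the knob differs between vendors and
# releases. Keys are (os, version). All values are constructed placeholders.
BASELINES: Dict[Tuple[str, str], Dict[str, str]] = {
    ("freebsd", "6"):  {"sshd.PermitRootLogin": "no", "rc.sendmail_enable": "NO"},
    ("rhel", "5"):     {"sshd.PermitRootLogin": "no", "selinux.mode": "enforcing",
                        "telnet.enabled": "no"},
    ("windows", "xp"): {"firewall.enabled": "yes", "guest.account": "disabled",
                        "autorun": "off"},
}


@dataclass
class Finding:
    host: str
    setting: str
    expected: str
    observed: Optional[str]  # None means the host did not report the setting at all


def select_baseline(os_name: str, version: str, baselines=BASELINES) -> Dict[str, str]:
    """Pick the baseline for this exact platform; refuse rather than guess."""
    key = (os_name.lower(), version.lower())
    if key not in baselines:
        raise LookupError(f"no baseline defined for {os_name} {version}")
    return baselines[key]


def check_host(host: dict, baselines=BASELINES) -> List[Finding]:
    """Return one Finding per baseline setting the host fails to meet.
    A missing setting counts as a deviation, since 'not reported' is not 'compliant'."""
    baseline = select_baseline(host["os"], host["version"], baselines)
    findings: List[Finding] = []
    for setting, expected in baseline.items():
        observed = host["settings"].get(setting)
        if observed is None or observed.lower() != expected.lower():
            findings.append(Finding(host["name"], setting, expected, observed))
    return findings


def check_inventory(hosts, baselines=BASELINES) -> dict:
    """Check every host. Hosts with no matching baseline are listed separately
    so they show up as a gap in governance rather than as a clean result."""
    report = {"findings": [], "no_baseline": []}
    for host in hosts:
        try:
            report["findings"].extend(check_host(host, baselines))
        except LookupError:
            report["no_baseline"].append(host["name"])
    return report


# Constructed sample inventory (hypothetical names and values).
HOSTS = [
    {"name": "web01", "os": "rhel", "version": "5",
     "settings": {"sshd.PermitRootLogin": "no", "selinux.mode": "enforcing",
                  "telnet.enabled": "no"}},                     # fully compliant
    {"name": "db02", "os": "rhel", "version": "5",
     "settings": {"sshd.PermitRootLogin": "yes", "selinux.mode": "permissive"}},  # drifted; telnet unreported
    {"name": "ws17", "os": "windows", "version": "xp",
     "settings": {"firewall.enabled": "yes", "guest.account": "disabled",
                  "autorun": "off"}},                            # compliant
    {"name": "lab03", "os": "solaris", "version": "10", "settings": {}},  # no baseline defined here
]

if __name__ == "__main__":
    report = check_inventory(HOSTS)
    for f in report["findings"]:
        print(f"{f.host}: {f.setting} expected {f.expected!r}, observed {f.observed!r}")
    print("hosts without a baseline:", report["no_baseline"])
```

Running the script reports the three deviations on db02 (root login enabled, SELinux permissive, telnet setting not reported) and lists lab03 under hosts without a baseline; that second list is the governance signal that a baseline still needs to be written for that platform before the standard can be enforced on it.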