
INFORMATION SECURITY
INFOSEC Lecture Course (short version) – Polytechnic of Rijeka
What Is Information Security?
• Deals with several different "trust" aspects of information and its protection

• The U.S. Government’s National Information Assurance Glossary defines INFOSEC as:
“Protection of information systems against unauthorized access to or modification of
information, whether in storage, processing or transit, and against the denial of service
to authorized users or the provision of service to unauthorized users, including those
measures necessary to detect, document, and counter such threats.”
Cyber vs Information Security
• Cyber Security is the use of various technologies and processes to
protect networks, computers, programs and data from attack,
damage or unauthorized access.

• Information Security is protecting information from unauthorized
access, use, disruption, modification or destruction regardless of how
the information is stored – electronic or physical
What Is Information Security?
• Three widely accepted elements or areas of focus (referred to as the
“CIA Triad”):
• Confidentiality
• Integrity
• Availability (Recoverability)
CIA Triad
• Confidentiality – Information should only be seen by those persons
authorized to see it. Information could be confidential because it is
proprietary information that is created and owned by the
organization or it may be customers’ personal information that must
be kept confidential due to legal responsibilities.
• Integrity – Information must not be corrupted, degraded, or
modified. Measures must be taken to insulate information from
accidental and deliberate change.
• Availability – Information must be kept available to authorized
persons when they need it.
Information security protects these attributes by:

- Protecting confidentiality
- Ensuring integrity
- Maintaining availability

• An organization succeeds in protecting these attributes by proper
planning.
• Proper planning before an incident will greatly reduce the risks of an
attack
Security in organizations
• The responsibility for information security should also be placed at
the manager level that is responsible for the business process.
• The responsibility for information security should not be placed at the
ICT department as they typically do not know all characteristics of the
business processes!!
• The “security officer” (CISO) is not responsible for information
security but for making sure that others take their responsibility.
Good Security Standards follow the “90 / 10” Rule:
• 10% of security safeguards are technical
• 90% of security safeguards rely on the
computer user (people) to adhere to good
computing practices
• Effective and robust information security
requires an information security
management system (ISMS) built on three
pillars: people, processes and technology.
Security is a process (NIST Framework - National
Institute of Standards and Technology)
• Identify – Develop the institutional understanding of
which organizational systems, assets, data, and
capabilities need to be protected, determine priority in
light of organizational mission and establish processes to
achieve risk management goals.
• Protect – Develop and implement the appropriate
safeguards, prioritized through the organization’s risk
management process to ensure delivery of critical
infrastructure services.
• Detect – Develop and implement the appropriate
activities to identify the occurrence of a cybersecurity
event.
• Respond – Develop and implement the appropriate
activities, prioritized through the organization’s risk
management process (including effective planning) to
take action regarding a detected cybersecurity event.
• Recover - Develop and implement the appropriate
activities, prioritized through the organization’s risk
management process to restore the appropriate
capabilities that were impaired through a cybersecurity
event.
Prevention
• It is always better to prevent than to pursue and
prosecute. Preventing an incident requires careful analysis
and planning.
• Information is an asset that requires protection
commensurate with its value. Security measures must be
taken to protect information from unauthorized
modification, destruction, or disclosure whether accidental
or intentional. During the prevention phase, security
policies, controls and processes should be designed and
implemented.
• Security policies, security awareness programs and
access control procedures, are all interrelated and should
be developed early on. The information security policy is the
cornerstone from which all else is built.
Security Policy
• The first objective in developing a prevention strategy is to
determine “what” must be protected and document these
“whats” in a formal policy.
• The policy must define the responsibilities of the
organization, the employees and management. It should
also fix responsibility for implementation, enforcement, audit
and review. Additionally, the policy must be clear, concise,
coherent and consistent in order to be understood. Without
clear understanding, the policy will be poorly implemented
and subsequent enforcement, audit and review will be
ineffective. Once management endorses a completed policy,
the organization needs to be made aware of its
requirements.
Security awareness
• is a process that educates employees on the
importance of security, the use of security measures,
reporting procedures for security violations, and their
responsibilities as outlined in the information security
policy.
• Security awareness programs should be utilized for this
purpose. The program should be a continuous process
that maintains an awareness level for all employees.
The program should be designed to address
organization wide issues as well as more focused
specialized training needs. The program should stress
teamwork and the importance of active participation.
Access Controls
• Access is the manner by which the user utilizes the
information systems to get information. Naturally all
users should not have the ability to access all systems
and its information. Access should be restricted and
granted on a need to know basis. To manage this
access we establish user accounts by issuing
identifiers, authentication methods to verify these
identifiers and authorization rules that limit access to
resources.
• Identification – Identification is a unique identifier.
• It is what a user – (person, client, software application, hardware, or
network) uses to differentiate itself from other objects.
• A user presents identification to show who he/she is. Identifiers that
are created for users should not be shared with any other users or
groups. Once a user has an identifier the next step taken to access a
resource is authentication.
• Authentication – Authentication is the process of validating the
identity of a user. When a user presents its identifier, prior to gaining
access, the identifier (identification) must be authenticated.
• Authentication verifies identities thereby providing a level of trust.
There are three basic factors used to authenticate an identity. They
are:
1. Something you know – The password is the most common form used.
However, secret phrases and PIN numbers are also utilized. This is known as
one-factor or single authentication. This form is weakened due to poor
password selection and storage.
2. Something you have – This authentication factor is something you have,
such as an identification card, smartcard or token, each requiring the user to
possess “something” for authentication. A more reliable authentication
process would require two factors such as something you know with
something you have. This form is known as the two-factor or multilevel
authentication.
3. Something you are – The strongest authentication factor is something you
are. This is a unique physical characteristic such as a fingerprint, retina
pattern or DNA. The measuring of these factors is called biometrics.
• Authorization – Authorization is the process of allowing users who
have been identified and authenticated to use certain resources.
• Limiting access to resources by establishing permission rules provides
better control over users’ actions. Authorization should be granted
on the principle of least privilege. Least privilege is granting no more
privilege than is required to perform a task/job, and the privilege
should not extend beyond the minimum time required to complete
the task. This restrictive process limits access, creates a separation of
duties and increases accountability.
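As an added example (not from the lecture), the following Python model walks through the three steps just described: a unique identifier per user, authentication assumed to have already succeeded, and authorization expressed as grants that are scoped to one resource and one action and that expire on their own, so privilege is limited in both scope and time. A separation-of-duties rule refuses to give one identity both sides of a sensitive workflow, and every decision is written to an audit log for accountability. All identifiers, resource names, actions and timestamps are constructed for the illustration.

```python
# Added example: identification -> authorization under least privilege.
# Identities are unique, unshared strings; authentication is assumed done;
# authorization is a set of grants scoped to resource, action and expiry.
# Names, resources, actions and the conflict policy below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Pairs of actions that must never be held by the same identity on the
# same resource (hypothetical separation-of-duties policy).
CONFLICTING_ACTIONS = {frozenset({"submit", "approve"})}


@dataclass(frozen=True)
class Grant:
    resource: str         # e.g. "payroll-db" (constructed name)
    action: str           # e.g. "read", "write", "submit", "approve"
    expires_at: datetime  # the grant lapses on its own; no clean-up needed


class AuthorizationStore:
    def __init__(self) -> None:
        self.grants: Dict[str, Set[Grant]] = {}  # identifier -> grants
        self.audit_log: List[str] = []           # every decision is recorded

    def grant(self, user_id: str, resource: str, action: str,
              ttl: timedelta, now: datetime) -> Grant:
        """Give user_id permission for `action` on `resource` for `ttl`."""
        held = {g.action for g in self.grants.get(user_id, set())
                if g.resource == resource and now < g.expires_at}
        for other in held:
            if frozenset({other, action}) in CONFLICTING_ACTIONS:
                self.audit_log.append(
                    f"REFUSE {user_id} {action} {resource}: conflicts with {other}")
                raise ValueError(f"separation of duties: {action} conflicts with {other}")
        g = Grant(resource, action, now + ttl)
        self.grants.setdefault(user_id, set()).add(g)
        self.audit_log.append(
            f"GRANT {user_id} {action} {resource} until {g.expires_at.isoformat()}")
        return g

    def is_authorized(self, user_id: str, resource: str, action: str,
                      now: datetime) -> bool:
        """Default deny: unknown identity, unmatched or expired grant -> False."""
        for g in self.grants.get(user_id, set()):
            if g.resource == resource and g.action == action and now < g.expires_at:
                self.audit_log.append(f"ALLOW {user_id} {action} {resource}")
                return True
        self.audit_log.append(f"DENY {user_id} {action} {resource}")
        return False


def demo() -> Dict[str, bool]:
    """Run a constructed scenario; results are keyed by a short description."""
    store = AuthorizationStore()
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    store.grant("alice", "payroll-db", "read", timedelta(hours=1), t0)
    results = {
        "alice read within ttl": store.is_authorized(
            "alice", "payroll-db", "read", t0 + timedelta(minutes=30)),
        "alice read after ttl": store.is_authorized(
            "alice", "payroll-db", "read", t0 + timedelta(hours=2)),
        "alice write (never granted)": store.is_authorized(
            "alice", "payroll-db", "write", t0),
        "bob (unknown identity)": store.is_authorized(
            "bob", "payroll-db", "read", t0),
    }
    store.grant("carol", "expense-claims", "submit", timedelta(days=1), t0)
    try:
        store.grant("carol", "expense-claims", "approve", timedelta(days=1), t0)
        results["carol both submit and approve"] = True
    except ValueError:
        results["carol both submit and approve"] = False
    return results


if __name__ == "__main__":
    for description, allowed in demo().items():
        print(f"{description}: {'allowed' if allowed else 'denied'}")
```

The store defaults to deny: an unknown identifier, an action that was never granted, or a grant whose time has run out all produce the same refusal, and the audit log shows why, which is what gives the separation of duties and accountability the text refers to.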
Standards and Frameworks
• ISO – International Organization for Standardization 27000 Series –
ISO27K
• NIST – National Institute of Standards and Technology Special
Publication 800 Series and Cybersecurity Framework
• CoBIT – Control Objectives for Information and Related Technology
• ITIL – Information Technology Infrastructure Library
ISO/IEC 27002:2013 Information technology —
Security techniques — Code of practice for
information security controls
Source: (read more) http://www.iso27001security.com/html/27002.html
Introduction
ISO/IEC 27002 is a popular, internationally-recognized standard of good practice for
information security. ISO/IEC 27002’s lineage stretches back more than 30 years to the
precursors of BS 7799.
Scope
Like governance and risk management, information security management is a broad
topic with ramifications throughout all organizations. Information security, and hence
ISO/IEC 27002, is relevant to all types of organization including commercial enterprises
of all sizes (from one-man-bands up to multinational giants), not-for-profits, charities,
government departments and quasi-autonomous bodies - in fact any organization that
handles and depends on information. The specific information risk and control
requirements may differ in detail but there is a lot of common ground, for instance most
organizations need to address the information risks relating to their employees plus
contractors, consultants and the external suppliers of information services.

The standard is explicitly concerned with information security, meaning the security of all
forms of information (e.g. computer data, documentation, knowledge and intellectual
property) and not just IT/systems security or “cybersecurity” as is the fashion of the day.
Structure and format of ISO/IEC 27002:2013
ISO/IEC 27002 is a code of practice - a generic, advisory document, not a formal
specification such as ISO/IEC 27001. It recommends information security controls
addressing information security control objectives arising from risks to the
confidentiality, integrity and availability of information. Organizations that adopt ISO/IEC
27002 must assess their own information risks, clarify their control objectives and apply
suitable controls (or indeed other forms of risk treatment) using the standard for
guidance.

The standard is structured logically around groups of related security controls. Many
controls could have been put in several sections but, to avoid duplication and conflict,
they were arbitrarily assigned to one and, in some cases, cross-referenced from
elsewhere. For example, a card-access-control system for, say, a computer room or
archive/vault is both an access control and a physical control that involves technology
plus the associated management/administration and usage procedures and policies. This
has resulted in a few oddities (such as section 6.2 on mobile devices and teleworking
being part of section 6 on the organization of information security) but it is at least a
reasonably comprehensive structure. It may not be perfect but it is good enough on the
whole.
Contents of ISO/IEC 27002:2013 - the
standard’s 19 (+2) sections
Structure
Security control clauses
Of the 21 sections or chapters of the standard, 14 specify control objectives and controls. These 14 are
the ‘security control clauses’.
There is a standard structure within each control clause: one or more first-level subsections, each one
stating a control objective, and each control objective being supported in turn by one or more stated
controls, each control followed by the associated implementation guidance and, in some cases, additional
explanatory notes. The amount of detail is responsible for the standard being nearly 90 A4 pages in
length.
35 control objectives
ISO/IEC 27002 specifies some 35 control objectives (one per ’security control category’) concerning
the need to protect the confidentiality, integrity and availability of information.
The control objectives are at a fairly high level and, in effect, comprise a generic functional requirements
specification for an organization’s information security management architecture.
Few professionals would seriously dispute the validity of the control objectives, or, to put that another
way, it would be difficult to argue that an organization need not satisfy the stated control objectives in
general. However, some control objectives are not applicable in every case and their generic wording is
unlikely to reflect the precise requirements of every organization, especially given the very wide range of
organizations and industries to which the standard applies.
Structure
114+++ controls
Each of the control objectives is supported by at least one control, giving a total of 114.
However, the headline figure is somewhat misleading since the implementation guidance
recommends numerous actual controls in the details.
The control objective relating to the relatively simple sub-subsection 9.4.2 “Secure log-
on procedures”, for instance, is supported by choosing, implementing and using suitable
authentication techniques, not disclosing sensitive information at log-on time, data entry
validation, protection against brute-force attacks, logging, not transmitting passwords in
clear over the network, session inactivity timeouts, and access time restrictions. Whether
you consider that to be one or several controls is up to you. It could be argued that
ISO/IEC 27002 recommends literally hundreds of distinct information security controls,
although some support multiple control objectives, in other words some controls have
several purposes.
Furthermore, the wording throughout the standard clearly states or implies that this is
not a totally comprehensive set. An organization may have slightly different or
completely novel information security control objectives, requiring other controls
(sometimes known as ‘extended control sets’) in place of or in addition to those stated in
the standard.
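As an added example (not from the standard or the lecture), the Python log-on service below applies the 9.4.2 guidance listed above in code: passwords are stored only as salted PBKDF2 hashes rather than in clear, every failure returns one generic message whether or not the identifier exists (so log-on time discloses nothing sensitive), repeated failures lock the account for a while (brute-force protection), every decision is logged, sessions expire after inactivity, and log-on is only accepted inside a time window. The users, thresholds, time window and timestamps are hypothetical values constructed for the illustration.

```python
# Added example: a toy log-on service applying the 9.4.2 controls.
# Thresholds, the time window and all users are constructed values.
import hashlib
import hmac
import os
from datetime import datetime, time, timedelta, timezone
from typing import Dict, List, Optional, Tuple

FAILED_LIMIT = 5                              # failures before lockout
LOCKOUT = timedelta(minutes=15)               # brute-force protection
IDLE_TIMEOUT = timedelta(minutes=10)          # session inactivity timeout
ALLOWED_WINDOW = (time(7, 0), time(19, 0))    # access time restriction (UTC)
GENERIC_FAILURE = "Log-on failed"             # never says what was wrong
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only this digest is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


# Dummy credential used for unknown identifiers, so the hash is still
# computed and response time does not reveal which identifiers exist.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)


class LogonService:
    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}                 # id -> (salt, hash)
        self.failures: Dict[str, Tuple[int, Optional[datetime]]] = {}  # id -> (count, last)
        self.sessions: Dict[str, Tuple[str, datetime]] = {}             # session -> (id, last activity)
        self.log: List[str] = []

    def register(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user_id] = (salt, hash_password(password, salt))

    def logon(self, user_id: str, password: str, now: datetime) -> Tuple[bool, str]:
        """Return (True, session_id) on success, (False, GENERIC_FAILURE) otherwise."""
        if not (ALLOWED_WINDOW[0] <= now.time() < ALLOWED_WINDOW[1]):
            self.log.append(f"{now.isoformat()} DENY {user_id}: outside access window")
            return False, GENERIC_FAILURE
        count, last = self.failures.get(user_id, (0, None))
        if count >= FAILED_LIMIT and last is not None and now - last < LOCKOUT:
            self.log.append(f"{now.isoformat()} DENY {user_id}: locked out")
            return False, GENERIC_FAILURE
        salt, stored = self.users.get(user_id, (_DUMMY_SALT, _DUMMY_HASH))
        candidate = hash_password(password, salt)
        # constant-time comparison; unknown identifiers always fail the same way
        if user_id not in self.users or not hmac.compare_digest(candidate, stored):
            self.failures[user_id] = (count + 1, now)
            self.log.append(f"{now.isoformat()} FAIL {user_id}: attempt {count + 1}")
            return False, GENERIC_FAILURE
        self.failures.pop(user_id, None)
        session_id = os.urandom(16).hex()
        self.sessions[session_id] = (user_id, now)
        self.log.append(f"{now.isoformat()} OK {user_id}: session opened")
        return True, session_id

    def touch(self, session_id: str, now: datetime) -> Optional[str]:
        """Validate a session on each request; returns the user id or None."""
        entry = self.sessions.get(session_id)
        if entry is None:
            return None
        user_id, last_activity = entry
        if now - last_activity > IDLE_TIMEOUT:
            del self.sessions[session_id]
            self.log.append(f"{now.isoformat()} EXPIRE {user_id}: idle session closed")
            return None
        self.sessions[session_id] = (user_id, now)
        return user_id


if __name__ == "__main__":
    svc = LogonService()
    svc.register("alice", "correct horse battery staple")   # constructed credential
    t = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    print(svc.logon("alice", "wrong", t))                   # (False, 'Log-on failed')
    print(svc.logon("alice", "correct horse battery staple", t)[0])  # True
    for line in svc.log:
        print(line)
```

Whether you count this as one control or seven is, as the text says, a matter of taste; what the code makes visible is that each of the listed items is a separate decision point in the log-on path, and that the audit log is what lets the other controls be verified afterwards.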
PDCA cycle
PDCA cycle is basically a concept developed about 60 years ago by a famous
consultant and quality management guru called William Edwards Deming.
Essentially, it says the following:
• Before you start implementing anything, you should know exactly what you
really need, and exactly what it is you want to achieve (objectives) – this is
the Plan phase.
• Once you know what you want to achieve, you can start implementing your
information security, business continuity, quality procedures, or whatever the
ISO standard is focused on – this is the Do phase.
• However, the whole effort does not stop here – you want to make sure you
have achieved what you have planned for, so you need to monitor your system
and measure if you achieved your objectives – this is the Check phase.
• Finally, if and when you realize that what you achieved is not what you have
planned for, you have to fill the gap – this is called the Act phase.
Or, using an example – when I purchase a car I have an idea on how much it
should cost, what color it should be, maximum fuel consumption, etc. (Plan
phase); then I start driving it (Do phase), and realize that the fuel
consumption is much higher than expected (Check phase) – then, basically, I
have 2 options: to drive more easily in order to consume less fuel, or change
the targeted consumption (Act phase).
Attention
- Management shall provide evidence of its commitment
- The organization shall determine and provide the resources needed.
- Management shall review the organization’s ISMS at planned intervals (at least once a
year)
- The organization shall continually improve the effectiveness of the ISMS
- ISO 27001 requires the formulation of a Statement of Applicability (SoA) that includes:
• the control objectives and controls selected as part of the risk assessment and the reasons
for their selection;
• the control objectives and controls currently implemented and
• the exclusion of any control objectives and controls in ISO 27002 and the justification for
their exclusion.
ISO 27001