
A business guide to information security, Alan Calder

Threats

This book's purpose is to arm non-technical business executives and computer users everywhere with the basic information they need if they are to ensure that they and their business stay safe online. To be safe in the online environment, users must adopt a combination of behaviours and tools that are appropriate and proportionate to the cyber threats they face. Our starting point should be an understanding of threats and risks. A threat is a potential cause of an unwanted incident that may harm a system of an organization, while a risk is the combination of the probability of an event and its consequences. A threat and a risk are not, in other words, the same thing. There are many threats that pose no risk to individual organizations (for instance, the hacker threat poses no risk to someone who doesn't use a computer, and the grave cyber-terrorism threat poses a limited risk to a small organization whose only use of the internet is for e-mail). We will deal here with threats and in the next chapter with risks and risk assessment. Threats in the digital world, as in the analogue one, originate with people. These people fall into five groups:

- Criminals (thieves, fraudsters, organized crime)
- Malefactors (hackers, vandals, terrorists, cyber-warriors, some ex-employees and other disgruntled or vengeful individuals)
- Spies
- Undesirables
- The incompetent or the simply unaware

p. 11: So, what is information security?

Information security is, according to the internationally recognized code of information security best practice, ISO 17799:2005, the preservation of the confidentiality, integrity and availability of information; in addition, other properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved. Information is the life blood of the modern business. All organizations possess critical or sensitive information. According to a 2000 UK Department of Trade and Industry survey, 49% of organizations believe that information is critical or sensitive because it would be of benefit to competitors, while 49% believe that it is critical to maintaining customer confidence.

The 2004 survey identified the fact that, while 58% of all businesses had highly confidential information stored on their computer systems, 77% of large businesses were in this category. Roughly nine-tenths of UK businesses now send e-mail across the internet, browse the web and have a website; and 87% of them now identify themselves as highly dependent on electronic information and the systems that process it, compared with 76 per cent in 2002. Information and information systems are, in other words, at the heart of any organization trying to operate in the high-speed wired world of the 21st century.

The proliferation of increasingly complex, sophisticated and global threats to this information and its systems, in combination with the compliance requirements of a flood of computer- and privacy-related regulation around the world, is forcing organizations to take a more joined-up view of information security. Hardware, software and vendor-driven solutions to individual information security challenges no longer cut the mustard. Headlines about hackers, viruses and online fraud are just the public tip of the data insecurity iceberg. Business losses through computer failure or major interruption to their data and operating systems, or the theft or loss of intellectual property or key business data, are more significant and more expensive.

Information security, Timothy P. Layton, p. 7

Terminology

It is easy to get bogged down in all these terms and technical jargon. I felt it was important to set a baseline of understanding by providing high-level definitions of the most relevant information security risk assessment and management terms before we move into the actual model. There are varying definitions for many of the concepts and phrases that I present in this chapter. To establish a baseline of understanding, I have included definitions for several of the information security risk assessment terms. The majority of these terms and phrases are understood to be industry standard, and their meaning and intent should basically be the same here or anywhere else they are used within the context of information security risk assessment.

- Information security risk assessment: the business process of identifying potential threats, vulnerabilities, impact, and risks to the organization and the likelihood of their occurrence. Results can be expressed in qualitative or quantitative terms or a combination of both. Information security risk assessment is one component of risk management.
- Risk: the likelihood, impact, and consequence of negative events the organization must consider as part of its operations.
- Risk management: a comprehensive business process an organization utilizes to identify, evaluate, and select controls and safeguards for the purpose of reducing, mitigating, or transferring known risks at a reasonable cost to the organization. The cost of a control or controls should not outweigh the value of the asset.
- Risk mitigation: the prioritization and implementation of the identified controls to lower the risks identified via the risk assessment process.
- Vulnerability: a flaw or weakness in an information system, associated procedure, or existing control that has the potential to be exercised (accidentally triggered or intentionally exploited) and result in a breach or violation of the information security policy. Vulnerabilities have no impact if a relevant threat is not present.
- Threat: the potential for a threat to be exercised, either accidentally or intentionally, for the purpose of exploiting a specific vulnerability.
- Impact: the extent to which an exercised vulnerability affects the organization.
- Likelihood: the probability that an event will occur.
- Control: a management, technical, or operational mechanism addressing a specific threat and vulnerability pair.
- Asset: anything, tangible or intangible, that has value to the organization.
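The definitions above map directly onto a small quantitative model: risk as likelihood times impact per threat/vulnerability pair, zero risk where no relevant threat exists, and controls rejected when their cost outweighs the asset's value. The following is an added example, not code from Layton's or Calder's book; the asset figures, pairs and control costs are constructed, and the selection rule (lowest residual risk plus control cost) is an assumption.

```python
# Added example (not from either book): a small quantitative risk register that
# applies the definitions above; names, figures and the cost rule are assumptions.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Control:
    name: str
    cost: float
    residual_likelihood: float  # likelihood that remains once the control is in place

@dataclass
class Pair:
    """One threat/vulnerability pair recorded during the risk assessment."""
    asset_value: float      # what the asset is worth to the organization
    vulnerability: str
    threat: Optional[str]   # None: no relevant threat exists for this flaw
    likelihood: float       # 0..1 probability the threat exercises the vulnerability
    impact: float           # 0..1 fraction of the asset's value lost when exercised
    controls: list[Control] = field(default_factory=list)

def risk(p: Pair) -> float:
    """Risk = likelihood x impact in asset-value units; no relevant threat, no risk."""
    if p.threat is None:
        return 0.0
    return p.likelihood * p.impact * p.asset_value

def prioritize(pairs: list[Pair]) -> list[Pair]:
    """Risk mitigation begins by ranking only the pairs that actually carry risk."""
    return sorted((p for p in pairs if risk(p) > 0), key=risk, reverse=True)

def select_control(p: Pair) -> Optional[Control]:
    """Risk management: pick the control with the lowest residual risk plus cost,
    rejecting any control whose cost outweighs the value of the asset."""
    affordable = [c for c in p.controls if c.cost <= p.asset_value]
    if not affordable:
        return None
    return min(affordable, key=lambda c: c.residual_likelihood * p.impact * p.asset_value + c.cost)

# Constructed sample register for one asset worth 100,000; figures are illustrative.
REGISTER = [
    Pair(100_000, "unpatched web server", "criminals (fraudsters)", 0.3, 0.5,
         [Control("patch management", 2_000, 0.05), Control("replace platform", 150_000, 0.01)]),
    Pair(100_000, "no off-site backup", "the simply unaware", 0.1, 1.0,
         [Control("nightly off-site backup", 3_000, 0.01)]),
    Pair(100_000, "legacy dial-in modem", None, 0.9, 0.8),  # flaw with no threat behind it
]
```

Running `prioritize(REGISTER)` ranks the web server pair first and drops the modem pair entirely, and `select_control` rejects the 150,000 platform replacement because it costs more than the asset it protects.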
