3 June 2013
Overview
Information held in IT systems is increasingly a critical resource in enabling organisations to achieve their goals
Expectation of privacy and protection from harm
Expectation that the systems will perform their functions efficiently whilst exercising proper control of the information
[...] needs yet comprehensive in its coverage
Justified to the extent that it will reduce perceived risks to the level that management are willing to accept
Effective against actual threats
Objective of IT Security
Confidentiality: information is accessible only to those authorised to have access
Integrity: safeguarding the accuracy and completeness of information and processing methods
Availability: ensuring that authorised users have access to information and associated assets when required
COBIT, etc.
ISO/IEC 17799
1. Risk assessment and treatment
2. Security policy
3. Organisation of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance
COBIT
Control Objectives for Information and Related Technology
Newest: COBIT 5
Widely used: COBIT 4.1
Main components: Framework, Control Objectives, Management Guidelines, Maturity Models
IT Risk Analysis
Objective: identify the various ways in which data, the information system, and the network which supports it, are exposed to risk
Involves assessing the possibility that each of a wide range of threats
End result: a security requirement for each type of threat that could affect the system
Risk
Risk in IT: the combination of threat, vulnerability and impact
Threat: something that could disable, damage, or destroy an IT asset
Vulnerability: a weakness that could be exploited by a threat
Impact: the consequences of a vulnerability in a system being exploited by a threat
[...] systems support which business functions
Impact analysis: to determine the sensitivity of key business functions to a breach of confidentiality, integrity or availability
Dependency analysis: to determine the points of access to information systems and assets that must be in place to deliver a service to a business function
Threat and vulnerability analysis: to determine the points of weakness in the system configuration and the likelihood of events
Components of IT Risk
Reviewing IT risks
IT risk analysis involves identifying IT assets that are at risk:
What type of threats do they face?
What are their likely causes and their probable impact(s)?
What is the likelihood of the threat succeeding?
How would we know if the threat did succeed?
What can we do to prevent the impact?
What can we do to recover if the threat does succeed?
Risk Management
Involves the identification, selection, and implementation of countermeasures that are designed to reduce the identified levels of risk to acceptable levels
It is impossible to reduce all risks to zero (in terms of cost-effective risk management, some residual risk is always accepted)
Types of Countermeasures
Reduce the threat
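The risk components (threat, vulnerability, impact), the review questions on likelihood and impact, the risk management rule that countermeasures must be cost-effective, and the countermeasure types above can be tied together in a small quantitative risk register. The following is an added example, not code from the lecture slides: it uses the standard Annualised Loss Expectancy model (ALE = SLE x ARO), which the slides do not name themselves, and every asset name, figure, countermeasure effect and the risk appetite value are constructed sample data rather than real measurements.

```python
"""Quantitative IT risk register: threat, vulnerability, impact -> treatment.

Added example, not from the lecture slides. Uses the standard Annualised
Loss Expectancy model, ALE = SLE x ARO, where SLE is the impact of one
incident in currency units and ARO the expected number of incidents per
year. All assets, figures and countermeasure effects are constructed
sample data, not real measurements.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    vulnerability: str
    sle: float  # single loss expectancy: impact per incident
    aro: float  # annual rate of occurrence: likelihood per year

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    aro_factor: float = 1.0  # < 1.0: reduces the threat/vulnerability (fewer incidents)
    sle_factor: float = 1.0  # < 1.0: reduces the impact of each incident

    def apply(self, risk: Risk) -> Risk:
        """Residual risk once this countermeasure is in place."""
        return Risk(risk.asset, risk.threat, risk.vulnerability,
                    risk.sle * self.sle_factor, risk.aro * self.aro_factor)


def net_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Annual ALE reduction minus the countermeasure's annual cost.

    Negative means the control costs more than the risk it removes: it is
    not cost-effective and the risk is better accepted as it stands.
    """
    return risk.ale - cm.apply(risk).ale - cm.annual_cost


def treat(risks, options, appetite):
    """For each risk choose the cost-effective countermeasure with the highest
    net benefit, then report the residual ALE and whether it still exceeds the
    appetite (the level of risk management is willing to accept)."""
    plan = []
    for r in risks:
        candidates = [(net_benefit(r, cm), cm) for cm in options.get(r.threat, [])]
        candidates = [c for c in candidates if c[0] > 0]
        if candidates:
            _, best = max(candidates, key=lambda c: c[0])
            residual, chosen = best.apply(r), best.name
        else:
            residual, chosen = r, None  # nothing cost-effective: accept the risk
        plan.append({
            "asset": r.asset,
            "threat": r.threat,
            "inherent_ale": r.ale,
            "countermeasure": chosen,
            "residual_ale": residual.ale,
            "above_appetite": residual.ale > appetite,
        })
    return plan


# Constructed sample register (hypothetical assets and figures).
SAMPLE_RISKS = [
    Risk("customer database", "SQL injection via web app", "unvalidated input", 200_000, 0.5),
    Risk("file server", "ransomware", "unpatched SMB service", 50_000, 0.2),
    Risk("office printer", "theft", "unlocked room", 2_000, 0.1),
]
SAMPLE_OPTIONS = {
    "SQL injection via web app": [
        Countermeasure("parameterised queries + code review", 20_000, aro_factor=0.1),
        Countermeasure("WAF only", 15_000, aro_factor=0.5),
    ],
    "ransomware": [
        Countermeasure("patching + offline backups", 4_000, aro_factor=0.5, sle_factor=0.2),
        Countermeasure("EDR suite", 12_000, aro_factor=0.25),
    ],
    "theft": [
        Countermeasure("door lock", 500, aro_factor=0.2),
    ],
}
RISK_APPETITE = 5_000  # hypothetical: max residual ALE management accepts


if __name__ == "__main__":
    for row in treat(SAMPLE_RISKS, SAMPLE_OPTIONS, RISK_APPETITE):
        flag = "ABOVE APPETITE" if row["above_appetite"] else "accepted"
        print(f"{row['asset']:18} {row['threat']:28} ALE {row['inherent_ale']:>9,.0f}"
              f" -> {row['countermeasure'] or 'accept as is':36}"
              f" residual {row['residual_ale']:>8,.0f}  {flag}")
```

The customer database still ends up above appetite even after the best cost-effective control, which is the case the risk management slide describes: residual risk that management must either formally accept or fund further controls for. The printer shows the other side of the cost-effectiveness rule: the door lock costs more than the risk it removes, so the risk is accepted as it stands.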
1. The objective is to manage information security within the organisation. A management framework should be established to initiate and control the implementation of information security within the organisation.
(Reviewed in the IS Management course)
2. The objective is to maintain the security of organisational information processing facilities accessed by third parties. Access to the organisation's information processing facilities by third parties should be controlled.
3. Outsourcing
The objective is to maintain security of information when responsibility for processing is outsourced
Information assets: [...] system documentation, user manuals, training material, operational or support procedures, continuity plans, fallback arrangements, archived information
Software assets: application software, system software, development tools and utilities
Physical assets: computer equipment (processors, monitors, laptops, modems), communication equipment (routers, PABX, fax machines), magnetic media (tapes and disks)
Services: computing and communication services, general utilities, e.g. heating, lighting, power, air-conditioning
Assignment
Write a paper on information security audit issues
Group assignment (use the existing groups)
Delivery:
Presentation on 26 March
Report handed in as hard copy at the mid-term exam (UTS)