
IT Security

3 June 2013

Overview
- Information held in IT systems is increasingly a critical resource in enabling organisations to achieve their goals
- Expectation of privacy and protection from harm
- Expectation that the systems will perform their functions efficiently whilst exercising proper control of the information

Management's Concern about IT Security
- Dependence on IT systems: information systems which can provide accurate services when and where they are required are the key to the survival of most modern businesses
- Exposure of IT systems: IT systems need a stable environment, and organisations rely upon the accuracy of information provided by their systems
- Investment in IT systems: information systems are costly both to develop and maintain, and management should protect their investment like any other valuable asset

Balance of Protecting IT Assets
- Appropriate to an organisation's business needs yet comprehensive in its coverage
- Justified to the extent that it will reduce perceived risks to the level that management are willing to accept
- Effective against actual threats


Objective of IT Security
- Information is accessible only to those authorised to have access (confidentiality)
- Safeguarding the accuracy and completeness of information and processing methods (integrity)
- Ensuring that authorised users have access to information and associated assets when required (availability)

IT Security Standards & Frameworks
- ISO/IEC 17799
- COBIT
- etc.


ISO/IEC 17799
1. Risk assessment and treatment
2. Security policy
3. Organisation of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance


COBIT
Control Objectives for Information and Related Technology
- Newest: COBIT 5
- Widely used: COBIT 4.1
- Framework
- Control Objectives
- Management Guidelines
- Maturity Models

IT Risk Analysis
- Objective: identify the various ways in which data, the information system, and the network which supports it are exposed to risk
- Involves assessing the possibility that each of a wide range of threats
- End result: a security requirement for each type of threat that could affect the system


Risk
- Risk in IT: a combination of threat, vulnerability, and impact
- Threat: an unwanted event that could remove, disable, damage, or destroy an IT asset
- Vulnerability: a weakness that could be exploited by a threat
- Impact: the consequences of a vulnerability in a system being exploited by a threat

Risk Analysis & Risk Management


Risk Analysis Principles
- Business modelling: to determine which information systems support which business functions
- Impact analysis: to determine the sensitivity of key business functions to a breach of confidentiality, integrity or availability
- Dependency analysis: to determine points of access to information systems and assets that must be in place to deliver a service to a business function
- Threat and vulnerability analysis: to determine points of weakness in the system configuration and the likelihood of events

Components of IT Risk


Reviewing IT risks
IT risk analysis involves identifying IT assets that are at risk:
- What type of threats do they face?
- What are their likely causes and their probable impact(s)?
- What is the likelihood of the threat succeeding?
- How would we know if the threat did succeed?
- What can we do to prevent the impact?
- What can we do to recover if the threat does succeed?

Risk Management
- Involves the identification, selection, and implementation of countermeasures that are designed to reduce the identified levels of risk to acceptable levels
- It is impossible to reduce all risks to zero (in terms of cost-effective risk management)


Types of Countermeasures
- Reduce the threat
- Reduce the vulnerability
- Reduce the impact
- Detect an incident
- Recover from the impact


Risk Management Process
- Prioritize actions: based on the risk levels presented in the risk assessment report, the implementation actions are prioritized.
- Evaluate recommended control actions: the technical feasibility and effectiveness of all identified controls should be evaluated so that the most appropriate control is chosen.
- Conduct cost-benefit analysis: to allocate resources and implement cost-effective solutions, organisations should conduct a cost-benefit analysis for each proposed control.
- Select control: on the basis of the results of the cost-benefit analysis, management selects the cost-effective controls for reducing risks.

Risk Management Process
- Assign responsibility: responsibility should be assigned to in-house experts or an outside agency which have the appropriate skill set and expertise to implement the selected control.
- Develop safeguard implementation plan: the safeguard implementation plan prioritizes the implementation actions and projects the start dates and the target completion dates.
- Implement selected controls: the selected controls should be implemented so that the risks are brought down within the acceptable levels.
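As an added example that is not part of the lecture slides, the following Python turns the Risk slide's threat/vulnerability/impact definition and the process steps above (prioritize, evaluate, cost-benefit, select, accept what remains) into a small risk-treatment calculation. The expected-loss formula (likelihood times impact), the residual-risk factors and every figure in the sample register are assumptions made for the example, not values from the slides.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: float  # probability per year that the threat succeeds (assumed)
    impact: float      # loss per successful event, in currency units (assumed)

@dataclass
class Control:
    name: str
    kind: str                       # countermeasure type from the slides
    annual_cost: float
    likelihood_factor: float = 1.0  # residual likelihood = likelihood * factor
    impact_factor: float = 1.0      # residual impact = impact * factor

def annual_loss(risk, control=None):
    """Expected yearly loss (likelihood x impact); with a control, the residual loss."""
    lf, imf = (control.likelihood_factor, control.impact_factor) if control else (1.0, 1.0)
    return risk.likelihood * lf * risk.impact * imf

def net_benefit(risk, control):
    """Cost-benefit step: loss avoided per year minus the control's annual cost."""
    return annual_loss(risk) - annual_loss(risk, control) - control.annual_cost

def select_control(risk, candidates, acceptable_loss):
    """Steps 2-4: evaluate effectiveness, run cost-benefit, then select (or accept)."""
    if annual_loss(risk) <= acceptable_loss:
        return "accept", None  # already within the level management accepts
    effective = [c for c in candidates if annual_loss(risk, c) <= acceptable_loss]
    worthwhile = [c for c in effective if net_benefit(risk, c) > 0]
    if not worthwhile:
        return "escalate", None  # nothing is both effective and cost-effective
    return "mitigate", max(worthwhile, key=lambda c: net_benefit(risk, c))

# Constructed sample register; the figures are illustrative, not from the slides
RISKS = [
    Risk("customer database", "data loss in transmission", 0.2, 50_000),
    Risk("office network hub", "system unavailability", 0.5, 4_000),
]
CONTROLS = {"customer database": [
    Control("encrypted backups + integrity checks", "reduce the impact", 2_000, impact_factor=0.1),
    Control("redundant WAN link", "reduce the threat", 6_000, likelihood_factor=0.5),
]}

def treatment_plan(acceptable_loss=3_000):
    """Step 1 (prioritize by expected loss), then steps 2-4 for each risk in turn."""
    ranked = sorted(RISKS, key=annual_loss, reverse=True)
    return [(r.asset, *select_control(r, CONTROLS.get(r.asset, []), acceptable_loss)) for r in ranked]
```

With the default acceptable loss of 3,000 the database risk is mitigated by the cheaper impact-reducing control (the redundant link leaves too much residual loss), while the hub risk is already within tolerance and is accepted rather than driven to zero.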

Organisation of Information Security
- Information security structure
- Security of third party access
- Outsourcing


1. Information Security Structure
- The objective is to deal with the management of information security within the organisation.
- A management framework should be established to initiate and control the implementation of information security within the organisation.
- Review: see the IS Management course.

2. Security of 3rd Party Access
- The objective is to maintain the security of organisational information processing facilities accessed by third parties.
- Access to the organisation's information processing facilities by third parties should be controlled.


3. Outsourcing
The objective is to maintain security of information when responsibility for processing is outsourced


Types of Information Systems Assets
- Information assets: databases and data files, system documentation, user manuals, training material, operational or support procedures, continuity plans, fallback arrangements, archived information
- Software assets: application software, system software, development tools and utilities
- Physical assets: computer equipment (processors, monitors, laptops, modems), communication equipment (routers, PABX, fax machines), magnetic media (tapes and disks)
- Services: computing and communication services, general utilities, e.g. heating, lighting, power, air conditioning

(Networking & Communication) New Threats and Risks
- Data loss: data may be deleted or lost in transmission
- Data corruption: data errors can occur during transmission
- System unavailability: network links may be easily damaged; a loss of a hub can affect the processing ability of many users; communications lines often extend beyond the boundaries of control of the client, e.g. the client may rely on the local telephone company for ISDN lines

Assignment
- Write a paper on information security audit issues
- Group assignment (use the existing groups)
- Delivery:
  - Presentation on 26 March
  - Report in hard copy, submitted at the midterm exam (UTS)
