Preface
Information: most valuable asset of company. Distinguishes one
business from another.
Information security: process of protecting intellectual
property.
- materials
- methods
- products
- plans
- customers, suppliers, partners info.
5 "phases"
- Inspection current status & right level of security
- Protection proactively create secure environment. 10
building blocks
- Detection reactively detect bad activities and alert
responsible people
- Reaction responding to incident to minimize impact
- Reflection feedback to improve security.
Prologue
Changing business environment, relationships, information, IT means
greater threat and thus more security needed.
- disgruntled employees (greatest threat)
- economic espionage (corporate & governmental)
- national laws, attitudes about info
- bleeding edge tech for competitive advantage but:
critical business processes on unproven, insecure, buggy IT. Employee
training/awareness, improper/inadequate administration (part of most
security incidents)
- more outsourcing, temps, consultants, partnerships, short-lived &
changing, complicate security
- core business transactions with employees, customers, suppliers on Internet
- E-commerce: online sales to customers. Public discomfort still?
- E-business: online interaction within and between businesses.
Corporate intranet for automation of internal processes. Internet for
b2b: automate supply chain purchasing
Near-future: ubiquitous information: all info appliances
integrated, sharing data
IT: globally distributed infrastructure, interconnected networks,
portable devices/ mobile employees/ virtual offices
Migrate from centralized to distributed computing.
Migrate from corporate network to Internet (not private, impersonal,
not accountable but cheap and ubiquitous)
Introduction
Info is a business asset. Security is a business process. Info
security is a business requirement.
Info security evaluated like any other business process to determine
how much security is needed to protect the info asset.
3 attributes/goals
- Confidentiality: info accessible on need-to-know basis. Not made
available or disclosed to unauthorized entities.
- Accuracy: 1. start with good (reliable, verifiable) info
2. Integrity: stays good. Not corrupted, degraded, lost, modified
unauthorizedly or accidentally.
- Availability: usable presence. Usable and accessible upon
demand by authorized entities.
security as a weak-link problem: total security no better than the
weakest point.
security as trade-offs: more security needed -- more admin & controls --
-- less ease of use
"Aspects"
- Access method of getting to the data
- Identification uniquely distinguish an entity
- Authentication prove that the entity is what it claims to
be. Basis of trust.
- Authorization what data an entity can utilize.
- Accountability associate activities with who performed
them.
- non-repudiation: can not claim did not do it.
- auditability: evaluate activites after the fact
- Awareness of security processes by users
- Administration managing security
Security plan: reasonable & prudent
- business impact analysis: info of greatest impact
- risk analysis: probabilty of harm & extent of damage
- disaster planning: method to minimize harm
- business continuity plan: how to continue to conduct business
5 phases again
- Inspection evaluates security needs & current level of preparation
- Protection what needs protection, how much protection is
needed, how to implement this level
- Detection of misuses: attacker, methods of attack,
technologies to detect
- Reaction emergency/incident response plan: how to respond
- Reflection identify improvements