Information Security_Ch01

Uploaded by Dung Vu
Lecturer: Pham Thi Thanh Thuy

Email: [email protected]
Mobile Phone: 0915651748
Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as
permitted in a license distributed with a certain product or service or otherwise on a password-protected
website for classroom use.
Principles of Information Security
Sixth Edition

Chapter1 Introduction to
Information Security
Chapter2 The Need for Security
Chapter3 Legal, Ethical, and
Professional Issues in
Information Security
Chapter4 Planning for Security
Chapter5 Risk Management

Chapter6 Security Technology:


Access Controls, Firewalls, and
VPNs
Chapter7 Security Technology:
Intrusion Detection and
Prevention Systems, and Other
Security Tools

Chapter8 Cryptography

Chapter9 Physical Security


Chapter10 Implementing
Information Security
Chapter11 Security and
Personnel
Chapter12 Information Security
Maintenance

Lab Exercises

Chapter1
Introduction to
Information
Security

Learning Objectives
• Upon completion of this material, you
should be able to:
– Define information security
– Recount the history of computer security and
explain how it evolved into information security
– Define key terms and critical concepts of
information security
– Explain the role of security in the
systems development life cycle
– Describe the information security
roles of professionals within an
organization
Contents

• Introduction
• The History of Information Security
• What Is Security
• CNSS Security Model
• Components of an Information System
• Balancing Information Security and Access
• Approaches to Information Security Implementation
• Security in the Systems Development Life Cycle
• Security Professionals and the Organization
• Communities of Interest
• Information Security: Is It an Art or a Science?
Introduction
• “Enterprise information security is a critical business capability that needs to be aligned with corporate expectations and culture that provides the leadership and insight to identify risks and implement effective controls.”—Martin Fisher, IT Security Manager, Northside Hospital, Atlanta, Georgia
– Many information security practitioners
recognize that aligning information security
needs with business objectives must be the top
priority.
The history of information security

1. What is the beginning concept of information security?
Computer security

2. Why did computer security arise during World War II?
Because the first mainframe computers were developed, and the enemy used them to break messages encrypted by cryptographic devices like the Enigma.

Figure 1-1 The Enigma (1 of 2)

• Where was the Enigma manufactured?
• Who broke the Enigma, and when was it broken?

Source. Bletchley Park Trust. Used with permission.


The history of information security

3. What was information security in its early stage?
Physical security and simple document classification schemes

4. What were the primary threats to security in the early stage?
• Physical theft of equipment
• Espionage against products of the systems
• Sabotage

The history of information security

• 1960s
• Advanced Research Projects Agency (ARPA)
began to examine the feasibility of redundant
networked communications.
• Larry Roberts developed the ARPANET from its
inception.
The history of information security

• 1970s and 80s
- ARPANET grew in popularity, as did its potential for misuse.
- What fundamental problems with ARPANET security were identified?
▪ Vulnerability of password structure and formats
▪ No safety procedures for dial-up connections to ARPANET
▪ Nonexistent user identification and authorization to the system
▪ Phone numbers were widely distributed and openly publicized on the walls of phone booths
The history of information security

• 1970s and 80s
- What made security go beyond protecting the physical location of computing devices?
A single paper published by the RAND Corporation in February 1970 for the Department of Defense.
- What did RAND Report R-609 define?
The multiple controls and mechanisms necessary for the protection of a computerized data processing system
The history of information security

• 1970s and 80s
- What were the scopes of computer security beyond the safety of physical locations and hardware?
▪ Securing the data
▪ Limiting random and unauthorized access to data
▪ Involving personnel from multiple levels of the organization in information security
Table 1-1 Key Dates in Information Security (1 of 2)

Date  Document
1968  Maurice Wilkes discusses password security in Time-Sharing Computer Systems.
1970  Willis H. Ware authors the report Security Controls for Computer Systems: Report of Defense Science Board Task Force on Computer Security—RAND R-609, which was not declassified until 1979. It became known as the seminal work identifying the need for computer security.
1973  Schell, Downey, and Popek examine the need for additional security in military systems in Preliminary Notes on the Design of Secure Military Computer Systems.
1975  The Federal Information Processing Standards (FIPS) examines DES (Digital Encryption Standard) in the Federal Register.
1978  Bisbey and Hollingsworth publish their study “Protection Analysis: Final Report,” which discussed the Protection Analysis project created by ARPA to better understand the vulnerabilities of operating system security and examine the possibility of automated vulnerability detection techniques in existing system software.

Table 1-1 Key Dates in Information Security (2 of 2)

Date  Document
1979  Dennis Ritchie publishes “On the Security of UNIX” and “Protection of Data File Contents,” which discussed secure user IDs, secure group IDs, and the problems inherent in the systems.
1982  The U.S. Department of Defense Computer Security Evaluation Center publishes the first version of the Trusted Computer Security (TCSEC) documents, which came to be known as the Rainbow Series.
1982  Grampp and Morris write “The UNIX System: UNIX Operating System Security.” In this report the authors examined four “important handles to computer security”: physical control of premises and computer facilities, management commitment to security objectives, education of employees, and administrative procedures aimed at increased security.
1984  Reeds and Weinberger publish “File Security and the UNIX System Crypt Command.” Their premise was: “No technique can be secure against wiretapping or its equivalent on the computer. Therefore no technique can be secure against the system administrator or other privileged users... the naive user has no chance.”
1992  Researchers for the Internet Engineering Task Force, working at the Naval Research Laboratory, develop the Simple Internet Protocol Plus (SIPP) Security protocols, creating what is now known as IPSEC security.

Figure 1-4 Illustration of computer network
vulnerabilities from RAND Report R-609

Source. RAND Report R-609-1. Used with permission.


The history of information security

• MULTICS
• Early focus of computer security research centered on a system called Multiplexed Information and Computing Service (MULTICS).
• The first operating system to integrate security into its core functions.
• It was a mainframe, time-sharing operating system developed in the mid-1960s by General Electric (GE), Bell Labs, and Massachusetts Institute of Technology (MIT).
• Several MULTICS key players created UNIX.
▪ The primary purpose of UNIX was text processing.
The history of information security

• Late 1970s: What created a new age of computing in the late 1970s?
▪ The microprocessor
What became the workhorse of modern computing?
▪ The PC became the workhorse of modern computing, moving it out of the data center. This decentralization of data processing systems in the 1980s gave rise to networking—which enabled the entire computing community to make all its resources work together.
The history of information security

• In the early 1980s: What network-related events happened in the early 1980s?
▪ TCP and IP were developed and became the primary protocols for networking.
▪ DNS was developed.
▪ The first dial-up ISP came online, allowing home users to access the Internet.
The history of information security

• In the mid-1980s: What were the key pieces of legislation about computer security passed by the U.S. government in the mid-1980s?
The U.S. Government passed several key pieces of legislation that formalized the recognition of computer security as a critical issue for federal information systems.
The Computer Fraud and Abuse Act of 1986 and the Computer Security Act of 1987 defined computer security and specified responsibilities and associated penalties.
The history of information security

• In 1988
- The Defense Advanced Research Projects
Agency (DARPA) within the Department of
Defense created the Computer Emergency
Response Team (CERT) to address network
security.
The history of information security

• 1990s?
▪ Networks of computers became more common, as did the need to connect them to each other.
▪ The Internet became the first global network of networks.
▪ Initially, network connections were based on de facto standards.
▪ In early Internet deployments, security was treated as a low priority.
▪ In 1993, the DEFCON conference was established for those interested in information security.
The history of information security

• 2000 to Present?
▪ The Internet brings millions of unsecured computer networks into continuous communication with each other.
▪ The ability to secure a computer’s data was influenced by the security of every computer to which it is connected.
▪ Growing threat of cyber attacks has increased the awareness of the need for improved security.
▪ Nation-states engaging in information warfare
What Is Security? (1 of 2)
• “A state of being secure and free from danger
or harm; the actions taken to make someone or
something secure.”
• A successful organization should have
multiple layers of security in place to protect:
– Operations
– Physical infrastructure
– People
– Functions
– Communications
– Information

What Is Security? (2 of 2)
• The protection of information and its critical elements, including systems and hardware that use, store, and transmit that information (Committee on National Security Systems (CNSS))
• Includes information security management, data security, and network security
Factors of information security systems

How many factors can be contained in an information security system?
C.I.A.N: standard based on confidentiality, integrity, authentication, and non-repudiation
Factors of information security systems

• C.I.A.N
– Confidentiality
▪ Confidentiality measures protect information from unauthorized access and misuse.
▪ Most information systems house information that has some degree of sensitivity. It might be proprietary business information that competitors could use to their advantage, or personal information regarding an organization’s employees, customers or clients.
Factors of information security systems

• C.I.A.N
– Integrity
▪ Measures protect information from unauthorized alteration.
▪ These measures provide assurance in the accuracy and completeness of data.
▪ The need to protect information includes both data that is stored on systems and data that is transmitted between systems such as email.
Factors of information security systems

• C.I.A.N
– Authentication
▪ Refers to the process of verifying the identity of a user or entity.
▪ It is crucial for ensuring that only authorized individuals or systems gain access to resources, data, or services.
Factors of information security systems

• C.I.A.N
– Non-repudiation
▪ Prevents individuals or entities from denying their involvement or actions in a transaction or communication.
▪ It provides evidence that can be used to prove the authenticity and integrity of a message or transaction and protects against disputes or fraudulent claims.
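The four C.I.A.N properties above are easy to conflate, so the following Python script, added here and not part of the lecture, uses only the standard library on a constructed sample message to show which property a plain hash, and then a keyed HMAC, actually provides, and why a symmetric key shared by sender and receiver cannot give non-repudiation. Confidentiality is left out because it needs encryption beyond the standard library; the message, party names and keys are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample message (not from the lecture): an order passed between two systems.
MESSAGE = b"transfer 100 units to account 42"


def integrity_tag(message: bytes) -> str:
    """Plain hash: detects accidental corruption (integrity only).

    Anyone can recompute it, so it says nothing about who wrote the message."""
    return hashlib.sha256(message).hexdigest()


def integrity_ok(message: bytes, tag: str) -> bool:
    return hmac.compare_digest(integrity_tag(message), tag)


def auth_tag(key: bytes, message: bytes) -> str:
    """HMAC over a shared secret: integrity plus authentication of the sender.

    Only holders of `key` can produce a valid tag, so a verifier learns that the
    message came from a key holder and was not altered in transit."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def auth_ok(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(auth_tag(key, message), tag)


def possible_authors(keys: dict, message: bytes, tag: str) -> set:
    """Names of every party whose key verifies the tag.

    Non-repudiation needs exactly one possible author; a symmetric key shared by
    sender and receiver can never give that."""
    return {name for name, key in keys.items() if auth_ok(key, message, tag)}


def demo() -> dict:
    """Runs the scenarios and reports which C.I.A.N property held in each."""
    shared = secrets.token_bytes(32)  # constructed key known to sender AND receiver
    keys = {"sender": shared, "receiver": shared, "attacker": secrets.token_bytes(32)}
    tampered = MESSAGE.replace(b"100", b"900")
    results = {}

    # Integrity: a plain hash catches accidental corruption ...
    results["hash_detects_corruption"] = not integrity_ok(tampered, integrity_tag(MESSAGE))
    # ... but a deliberate modifier simply recomputes it, so the check still passes.
    results["hash_fooled_by_modifier"] = integrity_ok(tampered, integrity_tag(tampered))

    # Authentication: an HMAC tag made without the shared key is rejected,
    # while the genuine tag is accepted.
    forged = auth_tag(keys["attacker"], tampered)
    results["hmac_rejects_forgery"] = not auth_ok(shared, tampered, forged)
    results["hmac_accepts_genuine"] = auth_ok(shared, MESSAGE, auth_tag(shared, MESSAGE))

    # Non-repudiation: the receiver holds the same key, so it could have produced
    # the tag itself and the sender can deny sending. Two possible authors = no proof.
    authors = possible_authors(keys, MESSAGE, auth_tag(shared, MESSAGE))
    results["possible_authors"] = sorted(authors)
    results["hmac_gives_non_repudiation"] = len(authors) == 1
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Non-repudiation in practice needs an asymmetric signature, where only the signer holds the private key, so the set of possible authors shrinks to one.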
Key Information Security Concepts

• How many key information security concepts are there? And what are they?
Key Information Security Concepts

• Access
• Asset
• Attack
• Control, safeguard, or countermeasure
• Exploit
• Exposure
• Loss
• Protection profile or security posture
• Risk
• Subjects and objects of attack
• Threat
• Threat agent
• Threat event
• Threat source
• Vulnerability

Key Information Security Concepts

1. It is a mistake that gives an attacker indirect access to an information system.
2. A tool, software code, or method that takes advantage of security flaws in software or hardware to cause unintended behavior.
3. A weakness in an IT system that can be exploited by an attacker to deliver a successful attack.
Key Information Security Concepts

4. Any person or thing that conducts or has the intent to conduct detrimental activities.
5. Any data, information, knowledge, software, hardware, IT service, data storage, or IT equipment that has value to the organization.
6. The privilege or assigned permission to use computer data or resources in some manner.
Key Information Security Concepts

7. A subject is compromised by an attack, or a subject attacks others.
8. An event or situation that has the potential for causing undesirable consequences or impact.
9. An event or occurrence that would impact the information systems in a negative way.
Key Information Security Concepts

10. An information asset suffering damage or destruction, unintended modification, or denial of use.
11. A measure of the extent to which an entity is threatened by a potential circumstance or event.
12. A set of techniques and strategies designed to prevent, detect and respond to threats to information systems.
Key Information Security Concepts

13. Any circumstance, event, or method used by cybercriminals to compromise organizational operations by exploiting any vulnerabilities.
14. Policy, education, training and awareness, and technology that the organization implements to protect the asset.
15. Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources.
Key Information Security Concepts

• Access
- A subject or object’s ability to use, manipulate, modify, or affect another subject or object.
- Authorized users have legal access to a system, whereas hackers must gain illegal access to a system. Access controls regulate this ability.
Key Information Security Concepts

• Asset
- The organizational resource that is being protected.
- Logical asset
• Web site
• Software
• Data
- Physical asset
• A person
• Computer system
• Hardware
Key Information Security Concepts

• Attack
- The act that can damage or otherwise
compromise information and the information
systems.
- Attacks can be
• Active or passive
• Intentional or unintentional
• Direct or indirect
Key Information Security Concepts

• Attack
- Attacks can be
• Active or passive
▪ Active: DoS, cryptojacking
▪ Passive: release of message contents; traffic analysis
• Intentional or unintentional
▪ Intentional: APT (Advanced Persistent Threat) attack
▪ Unintentional: human error, environmental hazards, computer failures
• Direct or indirect
▪ Direct
▪ Indirect: botnet in a DDoS attack
Key Information Security Concepts

• Attack
• A computer can be the subject of an attack and/or the object of an attack.
– When it is the subject of an attack, the computer is used as an active tool to conduct the attack.
– When it is the object of an attack, the computer is the entity being attacked.
Key Information Security Concepts

• Control, safeguard, or countermeasure
- Security mechanisms, policies, or procedures for improving security within an organization
• Mechanism: firewall, VPN, cryptography
• Policy
▪ Computer security account policies
▪ Password length, password complexity
▪ Disable unused accounts
• Procedure
▪ Security policies, standards, guidelines
Key Information Security Concepts

• Exploit
- A technique used to compromise a system.
- Verb
• Attackers may attempt to exploit a system or other information asset by using it illegally for their personal gain.
- Noun
• A documented process to take advantage of a vulnerability, usually in software. Exploits make use of existing software tools or custom-made software components.
Key Information Security Concepts

• Exposure
- A condition or state of being exposed
- In information security, exposure exists when a
vulnerability is known to an attacker.
Key Information Security Concepts

• Loss
- A single instance of an information asset
suffering damage or destruction, unintended or
unauthorized modification or disclosure, or
denial of use.
- When an organization’s information is stolen, it
has suffered a loss.
Key Information Security Concepts

• Protection profile or security posture
- The entire set of controls and safeguards, including policy, education, training and awareness, and technology, that the organization implements to protect the asset.
Key Information Security Concepts

• Risk
- The probability of an unwanted occurrence,
such as an adverse event or loss.
- Organizations must minimize risk to match
their risk appetite—the quantity and nature of
risk they are willing to accept.
Key Information Security Concepts

• Subjects and objects of attack
- The subject of an attack
• An agent entity used to conduct the attack
- The object of an attack
• The target entity
- A computer can also be both the subject and object of an attack. For example, it can be compromised by an attack (object) and then used to attack other systems (subject).
Key Information Security Concepts

• Threat
- Any event or circumstance that has the
potential to adversely affect operations and
assets.
• Threat agent
- The specific instance or a component of a
threat.
Key Information Security Concepts

• Threat event
- An occurrence of an event caused by a threat
agent.
• An example of a threat event might be damage
caused by a storm.
- This term is commonly used interchangeably
with the term attack.
Key Information Security Concepts

• Threat source
- A category of objects, people, or other entities
that represents the origin of danger to an asset
• Vulnerability
- A potential weakness in an asset or its
defensive control system(s).
• Flaw in a software package
Key Information Security Concepts

• Example
- You received an email with an attached file from a stranger.

Threat?

Vulnerability?

Risk?
Critical Characteristics of Information
• The value of information comes from the characteristics it possesses:
– Accuracy
– Authenticity
– Availability
– Confidentiality
– Integrity
– Personally identifiable information (PII)
– Possession
– Utility

Critical Characteristics of Information

• Accuracy
- How data is free of errors and has the value
that the user expects.
Critical Characteristics of Information

• Authenticity
- How data is genuine or original rather than
reproduced or fabricated.
Critical Characteristics of Information

• Availability
- How data is accessible and correctly formatted
for use without interference or obstruction.
Critical Characteristics of Information

• Confidentiality
- How data is protected from disclosure or
exposure to unauthorized individuals or
systems.
Critical Characteristics of Information

• Integrity
- How data is whole, complete, and uncorrupted.
Critical Characteristics of Information

• Personally identifiable information (PII)
- A set of information that could uniquely identify an individual.
Critical Characteristics of Information

• Possession
- How the data’s ownership or control is
legitimate or authorized.
Critical Characteristics of Information

• Utility
- How data has value or usefulness for an end
purpose.
CNSS Security Model

• The McCumber Cube
- Created by John McCumber in 1991
- Provides a graphical representation of the architectural approach widely used in computer and information security
- It is now known as the McCumber Cube
Components of an Information System
• An information system (IS) is the entire set of people, procedures, and technology that enable a business to use information.
– Software
– Hardware
– Data
– People
– Procedures
– Networks

Components of an Information System

• Software
- Software includes system software and
application software.
- Software is perhaps the most difficult IS
component to secure.
- The exploitation of errors in software
programming accounts for a substantial portion
of the attacks on information
Components of an Information System

• Hardware
- The physical technology that houses and
executes the software, stores and transports
the data, and provides interfaces for the entry
and removal of information from the system.
• Data
- Data and information
• People
- IT officers and normal users
Components of an Information System

– Procedures
– Written instructions for accomplishing a specific task.
– Most organizations distribute procedures to employees
▪ Password Policy, Email Usage Policy
Components of an Information System

– Networks
– Created much of the need for increased
computer and information security
– Security solutions for network
– Installing and configuring firewalls
– Implementing intrusion detection systems
Balancing Information Security and
Access
• Impossible to obtain perfect information
security—it is a process, not a goal.
• Security should be considered a balance
between protection and availability.
• To achieve balance, the level of security
must allow reasonable access, yet protect
against threats.

Approaches to Information Security
Implementation
• Bottom-up approach
- A method of establishing security policies
and/or practices that begins as a grassroots
effort in which systems administrators attempt
to improve the security of their systems.
• Top-down approach
- A methodology of establishing security policies
and/or practices that is initiated by upper
management.
- Systems development life cycle - SDLC
Figure 1-12 Approaches to information
security implementation

Security in the Systems Development Life
Cycle
• Systems development life cycle (SDLC)
• A methodology for the design and
implementation of an information system
• Methodology
▪ A formal approach to solving a problem based on a structured sequence of procedures
• Using a methodology:
▪ Ensures a rigorous process with a clearly defined goal
▪ Increases probability of success
Figure 1-13 SDLC waterfall methodology

A type of SDLC in which each phase of the process “flows from” the information gained in the previous phase, with multiple opportunities to return to previous phases and make adjustments.
Security in the Systems Development Life
Cycle
• Investigation
• What problem is the system being developed
to solve?
• Objectives, constraints, and scope of project
are specified.
• Preliminary cost-benefit is analyzed.
• At the end of this phase and at every phase
afterward, a process is undertaken to assess
economic, technical, and behavioral
feasibilities and ensure implementation is
worth the time and effort.
Security in the Systems Development Life
Cycle
• Analysis
• Consists of assessments of:
– The organization
– Current systems
– Capability to support proposed systems
• Analysts determine what the new system is
expected to do and how it will interact with
existing systems.
• Analysis ends with documentation of findings
and an update of feasibility.
Security in the Systems Development Life
Cycle
• Logical Design
• The first and driving factor is the business
need.
- Applications are selected to provide needed
services.
• Data support and structures capable of
providing the needed inputs are identified.
Security in the Systems Development Life
Cycle
• Logical Design
• Specific technologies are delineated to
implement the physical solution.
• Analysts generate estimates of costs and
benefits to allow comparison of available
options.
• Feasibility analysis is performed at the end.
Security in the Systems Development Life
Cycle
• Physical Design
• Specific technologies are selected to support
the alternatives identified and evaluated in the
logical design.
• Selected components are evaluated on a
make-or-buy decision.
• Feasibility analysis is performed.
• Entire solution is presented to organization’s
management for approval.
Security in the Systems Development Life
Cycle
• Implementation
• Needed software is created.
• Components are ordered, received, and
tested.
• Users are trained and supporting
documentation created.
• Feasibility analysis is prepared.
- Sponsors are presented with the system
for a performance review and
acceptance test.
Security in the Systems Development Life
Cycle
• Maintenance and Change
• Longest and most expensive phase
• Consists of the tasks necessary to support and
modify the system for the remainder of its useful
life
• Life cycle continues until the team determines
the process should begin again from the
investigation phase
• When current system can no longer support
the organization’s mission, a new project is
implemented
Security in the Systems Development Life
Cycle
• Software Assurance
• A methodological approach to the development of
software that seeks to build security into the
development life cycle rather than address it at
later stages.
• SA attempts to intentionally create software free
of vulnerabilities and provide effective, efficient
software that users can deploy with confidence.
Security in the Systems Development Life
Cycle
• Software Assurance
• U.S. Department of Defense and Department
of Homeland Security supported the Software
Assurance Initiative, which resulted in the
publication of Secure Software Assurance
(SwA) Common Body of Knowledge (CBK).
• SwA CBK serves as a strongly recommended
guide for developing more secure applications.
Security in the Systems Development Life
Cycle
• Software Assurance
• SwA CBK, which is a work in progress,
contains the following sections:
• Nature of Dangers
• Fundamental Concepts and Principles
• Ethics, Law, and Governance
• Secure Software Requirements
• Secure Software Design
• Secure Software Construction
Security in the Systems Development Life
Cycle
• Software Assurance
• SwA CBK, which is a work in progress,
contains the following sections:
• Secure Software Verification, Validation, and
Evaluation
• Secure Software Tools and Methods
• Secure Software Processes
• Secure Software Project Management
• Acquisition of Secure Software
• Secure Software Sustainment
Security in the Systems Development Life
Cycle
• Software Design Principles
- Good software development results in secure
products that meet all design specifications.
- Some commonplace security principles (the classic Saltzer and Schroeder
design principles)
• Keep the design simple and small (economy of mechanism)
• Base access decisions on permission, not exclusion (fail-safe defaults)
• Check every access to every object for authority (complete mediation)
• Do not depend on secrecy of the design; security rests on possession of
keys/passwords, not on attackers being ignorant of the mechanism (open design)
Security in the Systems Development Life
Cycle
• Software Design Principles
- Good software development results in secure
products that meet all design specifications.
- Some commonplace security principles (continued)
• Protection mechanisms require two keys to unlock (separation of privilege)
• Programs/users operate with only the privileges they need (least privilege)
• Minimize mechanisms shared by multiple users (least common mechanism)
• Human interface must be easy to use so that users routinely and
automatically apply the protection mechanisms (psychological acceptability)
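The permission-versus-exclusion, complete-mediation and least-privilege principles above, as a small added example written for this page (not code from the textbook). The policy table, the principals and the object classes are constructed; GuardedObject is a toy reference monitor for illustration, not a real library API:

```python
"""Fail-safe defaults, complete mediation and least privilege in a toy reference monitor."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


# Constructed policy: the only (role, action, object class) triples that are permitted.
POLICY = frozenset({
    ("admin", "read", "payroll"),
    ("admin", "write", "payroll"),
    ("hr", "read", "payroll"),
    ("staff", "read", "directory"),
})

# Constructed deny list for the contrasting, exclusion-based design.
DENY_LIST = frozenset({
    ("staff", "read", "payroll"),
    ("staff", "write", "payroll"),
})


def allowed_by_exclusion(principal, action, obj_class):
    """Access decision by exclusion: anything not explicitly denied is allowed.
    An action nobody thought to list (e.g. 'delete') slips through."""
    return not any((role, action, obj_class) in DENY_LIST for role in principal.roles)


def allowed_by_permission(principal, action, obj_class):
    """Fail-safe default: anything not explicitly permitted is denied."""
    return any((role, action, obj_class) in POLICY for role in principal.roles)


class GuardedObject:
    """Every operation passes through the check (complete mediation). Nothing is
    decided once at open time and cached, so a revoked role stops working at once."""

    def __init__(self, obj_class, data, decide=allowed_by_permission):
        self.obj_class = obj_class
        self._data = data
        self._decide = decide
        self.audit = []  # (verdict, principal, action), kept for later review

    def _mediate(self, principal, action):
        verdict = "allow" if self._decide(principal, action, self.obj_class) else "deny"
        self.audit.append((verdict, principal.name, action))
        if verdict == "deny":
            raise PermissionError(f"{principal.name} may not {action} {self.obj_class}")

    def read(self, principal):
        self._mediate(principal, "read")
        return self._data

    def write(self, principal, new_data):
        self._mediate(principal, "write")
        self._data = new_data


def _attempt(fn, *args):
    """Run one mediated operation and report the verdict instead of raising."""
    try:
        fn(*args)
        return "allow"
    except PermissionError:
        return "deny"


def demo():
    """Runs three scenarios against the constructed policy and returns what was observed."""
    staff = Principal("alice", frozenset({"staff"}))
    hr = Principal("bob", frozenset({"hr"}))
    payroll = GuardedObject("payroll", {"alice": 5000})

    # 1. An unlisted action: the exclusion design allows it, the permission design denies it.
    exclusion_verdict = allowed_by_exclusion(staff, "delete", "payroll")
    permission_verdict = allowed_by_permission(staff, "delete", "payroll")

    # 2. Least privilege: hr may read payroll but not write it.
    hr_read = payroll.read(hr)
    hr_write = _attempt(payroll.write, hr, {})

    # 3. Complete mediation: the same person with the role revoked is refused on the next access.
    bob_revoked = Principal("bob", frozenset())
    after_revoke = _attempt(payroll.read, bob_revoked)

    return {
        "exclusion_allows_delete": exclusion_verdict,
        "permission_allows_delete": permission_verdict,
        "hr_read": hr_read,
        "hr_write": hr_write,
        "after_revoke": after_revoke,
        "audit": payroll.audit,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit list is part of the point: a monitor that mediates every access can also record every decision, which is what makes the denied "write" and the post-revocation "read" visible to whoever reviews the system later.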
The NIST Approach for Securing the SDLC

Waterfall SDLC phases       NIST SDLC phases
Investigation               Initiation
Analysis                    Development/Acquisition
Logical Design              Development/Acquisition
Physical Design             Development/Acquisition
Implementation              Implementation/Assessment
Maintenance and Change      Operation/Maintenance
                            Disposal
The NIST Approach for Securing the SDLC
• Initiation
- Security at this point is looked at in terms of
business risks, with information security office
providing input.
The NIST Approach for Securing the SDLC
• Initiation
• Key security activities include:
– Delineation of business requirements in terms
of confidentiality, integrity, and availability
– Determination of information categorization and
identification of known special handling
requirements to transmit, store, or create
information
– Determination of any privacy requirements
Figure 1-14 Relating security considerations in the Initiation phase.
Source: NIST SP 800-64 Rev. 2: Security Considerations in the System Development Life Cycle.
The NIST Approach for Securing the SDLC
• Development/Acquisition
• Key security activities
– Conducting risk assessment and using results to
supplement baseline security controls
– Analyzing security requirements
– Performing functional and security testing
– Preparing initial documents for system certification
and accreditation
– Designing security architecture
Figure 1-15 Relating security considerations in the Development/Acquisition phase.
Source: NIST SP 800-64 Rev. 2: Security Considerations in the System Development Life Cycle.
The NIST Approach for Securing the SDLC
• Implementation/Assessment
- System is installed and evaluated in
operational environment.
- Key security activities
– Integrating information system into its environment
– Planning and conducting system certification
activities in synchronization with testing of security
controls
– Completing system accreditation activities
Figure 1-16 Relating security considerations in the Implementation/Assessment phase.
Source: NIST SP 800-64 Rev. 2: Security Considerations in the System Development Life Cycle.
The NIST Approach for Securing the SDLC
• Maintenance
• Systems are in place and operating.
• Enhancements and/or modifications to the
system are developed and tested
• Hardware and/or software are added or
replaced.
The NIST Approach for Securing the SDLC
• Maintenance
• Key security activities include:
• Conducting operational readiness review
• Managing configuration of system
• Instituting process and procedure for assured
operations and continuous monitoring of
information system’s security controls
• Performing reauthorization as required
Figure 1-17 Relating security considerations in the Operation/Maintenance phase.
Source: NIST SP 800-64 Rev. 2: Security Considerations in the System Development Life Cycle.
The NIST Approach for Securing the SDLC
• Disposal
• Provides for disposal of system and closeout
of any contracts in place
• Key security activities include
– Building and executing disposal/transition plan
– Archival of critical information
– Sanitization of media
– Disposal of hardware and software
Figure 1-18 Relating security considerations in the Disposal phase.
Source: NIST SP 800-64 Rev. 2: Security Considerations in the System Development Life Cycle.
Microsoft’s SDLC

• “Prevention is better than cure”: organizations are moving
towards more security-focused development approaches,
looking to improve not only the functionality of existing
systems but also consumer trust in their products.
Microsoft’s SDLC

• Microsoft has developed its own Security Development
Lifecycle (SDL), which uses a seven-phase, 16-step
methodology that culminates in an executed incident
response plan.
Microsoft’s SDLC

• Seven-phase, 16-step methodology of the Microsoft SDL:
Microsoft’s SDLC
• Training
– Core security training
• Requirements
– Establish security requirements
– Create quality gates/bug bars
– Perform security and privacy risk assessments
Microsoft’s SDLC
• Design
– Establish design requirements
– Perform attack surface analysis/reduction
– Use threat modeling
• Implementation
– Use approved tools
– Deprecate unsafe functions
– Perform static analysis
Microsoft’s SDLC
• Verification
– Perform dynamic analysis
– Perform fuzz testing
– Conduct attack surface review
Microsoft’s SDLC
• Release
– Create an incident response plan
– Conduct final security review
– Certify release and archive
• Response
– Execute incident response plan
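The Implementation-phase steps above ("deprecate unsafe functions", "perform static analysis") and the Requirements-phase "quality gates/bug bars" meet in a build-time check that fails the build when retired C APIs are still called. The following is an added example written for this page, not Microsoft's tooling or code from the textbook: the banned-function table and replacement suggestions are this example's assumptions, the C source it scans is constructed, and the comment handling is a line-level heuristic rather than a C parser.

```python
"""A minimal 'banned API' gate: flag calls to retired C functions and fail the build."""
import re

# Assumed banned-to-replacement table; a real project maintains its own list.
BANNED = {
    "strcpy": "strlcpy/strcpy_s",
    "strcat": "strlcat/strcat_s",
    "sprintf": "snprintf",
    "gets": "fgets",
}

# A call is the banned name on a word boundary followed by '(', so 'strcpy_s(' and
# 'fgets(' are not matched.
_CALL = re.compile(r"\b(" + "|".join(map(re.escape, BANNED)) + r")\s*\(")


def scan_source(text, path="<memory>"):
    """Return (path, line_no, function, suggested_replacement) for each banned call.

    Comments are stripped line by line (block and '//' styles). This is a heuristic,
    not a parser: good enough for a CI gate, where a false positive is cheap and a
    missed strcpy is not."""
    findings = []
    in_block = False
    for line_no, line in enumerate(text.splitlines(), start=1):
        code = line
        if in_block:
            if "*/" not in code:
                continue
            code = code.split("*/", 1)[1]
            in_block = False
        if "/*" in code:
            before, _, after = code.partition("/*")
            in_block = "*/" not in after
            code = before + ("" if in_block else after.split("*/", 1)[1])
        code = code.split("//", 1)[0]
        for match in _CALL.finditer(code):
            name = match.group(1)
            findings.append((path, line_no, name, BANNED[name]))
    return findings


def quality_gate(findings, bug_bar=0):
    """The bug bar agreed in Requirements: more findings than this fails the build."""
    return len(findings) <= bug_bar


# Constructed C source: two legacy calls, one retired call in a comment, one fixed function.
SAMPLE_C = """\
#include <stdio.h>
#include <string.h>

/* legacy helper: copies a caller-supplied name into a fixed buffer */
int greet(const char *name) {
    char buf[32];
    strcpy(buf, name);              /* unbounded copy */
    sprintf(buf, "Hello %s", buf);  // still unbounded
    // strcat(buf, "!");  retired, must not be reported
    return printf("%s\\n", buf);
}

int safe_greet(const char *name) {
    char buf[32];
    snprintf(buf, sizeof buf, "Hello %s", name);  /* bounded replacement */
    return printf("%s\\n", buf);
}
"""


def run_gate(source=SAMPLE_C, path="greet.c"):
    """Scan one file and return (findings, gate_passed)."""
    findings = scan_source(source, path)
    return findings, quality_gate(findings)


if __name__ == "__main__":
    found, passed = run_gate()
    for path, line_no, name, fix in found:
        print(f"{path}:{line_no}: banned call {name}(), use {fix}")
    print("gate passed" if passed else "gate FAILED")
```

Run as a pre-merge step, this is the cheapest form of static analysis the SDL asks for; the dynamic analysis and fuzzing in the Verification phase then target what a text scan cannot see, such as how `safe_greet` behaves on names longer than the buffer.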
Security Professionals and the
Organization
• A wide range of professionals is required to
support a diverse information security
program.
• Senior management is the key component.
• Additional administrative support and
technical expertise are required to
implement details of the IS program.
Security Professionals and the
Organization
• Senior Management
- Chief information officer (CIO)
• Senior technology officer
• Primarily responsible for advising the senior
executives on strategic planning
- Chief information security officer (CISO)
• Has primary responsibility for assessment,
management, and implementation of IS in the
organization
• Usually reports directly to the CIO
Security Professionals and the
Organization
• Information Security Project Team
- A small functional team of people who are
experienced in one or multiple facets of
required technical and nontechnical areas
• Champion
• Team leader
• Security policy developers
• Risk assessment specialists
• Security professionals
• Systems administrators
• End users
Security Professionals and the
Organization
• Data Responsibilities
- Data owners: senior management responsible
for the security and use of a particular set of
information
- Data custodians: responsible for the
information and systems that process,
transmit, and store it
- Data users: the people who work with the
information to do their jobs, and who therefore
also have an information security role
Communities of Interest
• Communities of Interest
- Group of individuals united by similar
interests/values within an organization
• Information security management and
professionals
• Information technology management and
professionals
• Organizational management and professionals
Information Security: Is It an Art or
a Science?
• Implementation of information security
is often described as a combination of
art and science.
• “Security artisan” idea: based on the way
individuals perceive system technologists
and their abilities.
Information Security: Is It an Art or
a Science?
• Security as Art
- No hard and fast rules nor many universally
accepted complete solutions
- No manual for implementing security through
entire system
Information Security: Is It an Art or
a Science?
• Security as Science
- Dealing with technology designed for rigorous
performance levels.
- Specific conditions cause virtually all actions in
computer systems.
- Almost every fault, security hole, and systems
malfunction is a result of interaction of specific
hardware and software.
- If developers had sufficient time, they could
resolve and eliminate faults.
Information Security: Is It an Art or
a Science?
• Security as a Social Science
- Social science examines the behavior of
individuals interacting with systems.
- Security begins and ends with the people that
interact with the system, intentionally or
otherwise.
- Security administrators can greatly reduce the
levels of risk caused by end users and create
more acceptable and supportable security
profiles.
Summary (1 of 2)
• Computer security began immediately after
the first mainframes were developed.
• Successful organizations have multiple
layers of security in place: physical,
personal, operations, communications,
network, and information.
• Security should be considered a balance
between protection and availability.
Summary (2 of 2)
• Information security must be managed
similar to any major system implemented in
an organization using a methodology like
the SDLC.
• Implementation of information security is
often described as a combination of art
and science.
Questions

1. What is security?
2. What are the critical elements that need to be
protected in an organization?
3. What factors need to be ensured in an
information security system?