Legal, Ethical, and Professional Issues in Information Security PDF
Document Details
Uploaded by Deleted User
Tags
Summary
This document is a presentation on legal, ethical, and professional issues in information security. The presentation covers topics such as security governance, policies, and standards. It also includes information on the components of information security governance and related definitions.
Full Transcript
LEGAL, ETHICAL, & PROFESSIONAL ISSUES IN INFORMATION SECURITY GROUP 1 – IQR1 Abonales | Ala-an | Aliñgasa | Antonio | Balladares | Boquilon | Cortes | Desoloc BALLADARES & INFORMATION SECURITY CORTES present PLANNING & GOVERNANCE INFORMATION...
LEGAL, ETHICAL, & PROFESSIONAL ISSUES IN INFORMATION SECURITY GROUP 1 – IQR1 Abonales | Ala-an | Aliñgasa | Antonio | Balladares | Boquilon | Cortes | Desoloc BALLADARES & INFORMATION SECURITY CORTES present PLANNING & GOVERNANCE INFORMATION SECURITY PLANNING & GOVERNANCE UNDERSTANDING SECURITY GOVERNANCE Definition: It refers to how an organization controls its approach to security. Aim: The achievement of one or more predefined security goals. Involves: Procedures Strategies Other necessary programs BALLADARES INFORMATION SECURITY PLANNING & GOVERNANCE UNDERSTANDING INFORMATION SECURITY GOVERNANCE Definition: It refers to how an organization controls its approach to information security. Aim: The protection of information through digital and cybersecurity measures. Involves: Policies Practices Strategies BALLADARES INFORMATION SECURITY PLANNING & GOVERNANCE UNDERSTANDING INFORMATION SECURITY GOVERNANCE Key Aspect: The implementation of security protocols and technologies for communications and storage. Notable Examples: Hypertext Transfer Protocol - Secure (HTTPS) Secure File Transfer Protocol (SFTP) Advanced Encryption Standard (AES) Enterprise File Protection (EFP) Encrypting File System (EFS) BALLADARES INFORMATION SECURITY PLANNING & GOVERNANCE MAIN COMPONENTS of INFORMATION SECURITY GOVERNANCE 1. Security Measures 2. Security Policies 3. Physical and Environmental Protection 4. Monitoring Processes and Systems 5. Asset Management BALLADARES INFORMATION SECURITY PLANNING & GOVERNANCE MAIN COMPONENTS of INFORMATION SECURITY GOVERNANCE 1. Security Measures » Definition: These are protective measures to safeguard organization information and systems from 2. Security Policies unauthorized access, malicious attacks, and 3. Physical and Environmental Protection potential breaches. 4. Monitoring Processes and Systems Types: 5. Asset Management Encryption – process of converting data into an unreadable format Firewall – barrier and filter between external and internal systems Access Controls – encompasses authentication, authorization, and monitoring of users Intrusion Detection Systems (IDS) – network traffic monitoring to find suspicious activity BALLADARES INFORMATION SECURITY PLANNING & GOVERNANCE MAIN COMPONENTS of INFORMATION SECURITY GOVERNANCE 1. Security Measures Definition: These are rules and guidelines for protecting organization information assets. 2. Security Policies » 3. Physical and Environmental Protection Involves: 4. Monitoring Processes and Systems Step-by-step instructions on implementing security measures 5. Asset Management Step-by-step instructions on responding to security threats and incidents Consistent security practices CORTES INFORMATION SECURITY PLANNING & GOVERNANCE MAIN COMPONENTS of INFORMATION SECURITY GOVERNANCE 1. Security Measures Definition: These are measures to secure physical assets such as servers, data centers, and critical 2. Security Policies infrastructure. 3. Physical and Environmental Protection » 4. Monitoring Processes and Systems Aim: To protect against theft, damage, or disruption caused by natural disasters and human error. 5. Asset Management Involves: Access controls Surveillance systems Environmental controls (temperature, humidity, etc.) CORTES INFORMATION SECURITY PLANNING & GOVERNANCE MAIN COMPONENTS of INFORMATION SECURITY GOVERNANCE 1. Security Measures General Requirements: Access Controls – authentication, authorization, 2. Security Policies and monitoring of users (as previously defined) 3. Physical and Environmental Protection » Resilience – utilization of backup power, fire 4. Monitoring Processes and Systems suppression, and offsite data storage Asset Management – inventory and prioritization 5. Asset Management of assets to allocate protective resources effectively Risk Assessment – vulnerability identification and mitigation CORTES INFORMATION SECURITY PLANNING & GOVERNANCE MAIN COMPONENTS of INFORMATION SECURITY GOVERNANCE 1. Security Measures Definition: These involve monitoring for the purpose of detecting security incidents, unauthorized access 2. Security Policies attempts, and unusual activities. 3. Physical and Environmental Protection 4. Monitoring Processes and Systems » Involves: Intrusion detection systems 5. Asset Management System log analysis Security breach response tools CORTES INFORMATION SECURITY PLANNING & GOVERNANCE MAIN COMPONENTS of INFORMATION SECURITY GOVERNANCE 1. Security Measures Definition: It refers to the identification and management of organizational assets, namely hardware, 2. Security Policies software, data, and intellectual property. 3. Physical and Environmental Protection 4. Monitoring Processes and Systems Involves: Asset inventory maintenance 5. Asset Management » Asset vulnerability assessments Asset risk mitigation CORTES ANTONIO & INFORMATION SECURITY BOQUILON present POLICIES & STANDARDS INFORMATION SECURITY POLICIES & STANDARDS UNDERSTANDING the INFORMATION SECURITY POLICY (ISP) Definition: It is a set of rules, guidelines, and procedures that outline how an organization should manage, protect, and distribute its information assets. Aim: The reduction of risks related to data breaches, unauthorized access, and other security threats. Importance: Facilitates data integrity, availability, and confidentiality; Protects sensitive data; Minimizes the risk of security incidents; Executes security programs throughout the organization; Provides a clear security statement to third parties; and Helps comply with regulatory requirements. ANTONIO INFORMATION SECURITY POLICIES & STANDARDS MAIN ELEMENTS of an INFORMATION SECURITY POLICY (ISP) 1. Purpose 2. Scope 3. Information Security Objectives 4. Authorization and Access Control Policy 5. Classification of Data 6. Data Support and Operations 7. Security Awareness Sessions 8. Responsibilities, Rights, and Duties of Personnel ANTONIO INFORMATION SECURITY POLICIES & STANDARDS MAIN ELEMENTS of an INFORMATION SECURITY POLICY (ISP) 1. Purpose » Purpose: To provide a robust framework for protecting data and systems. 2. Scope 3. Information Security Objectives Aim: 4. Authorization and Access Control Policy Set standards and best practices; Prevent security breaches; 5. Classification of Data Protect the organization’s reputation; and 6. Data Support and Operations Protect user data. 7. Security Awareness Sessions 8. Responsibilities, Rights, and Duties of Personnel ANTONIO INFORMATION SECURITY POLICIES & STANDARDS MAIN ELEMENTS of an INFORMATION SECURITY POLICY (ISP) 1. Purpose Definition: It refers to the audience to which the ISP does/does not apply (may include data, 2. Scope » technologies, users, etc.). 3. Information Security Objectives 4. Authorization and Access Control Policy Note: Third-party vendors/affiliates may also be included. 5. Classification of Data 6. Data Support and Operations 7. Security Awareness Sessions 8. Responsibilities, Rights, and Duties of Personnel ANTONIO INFORMATION SECURITY POLICIES & STANDARDS MAIN ELEMENTS of an INFORMATION SECURITY POLICY (ISP) 1. Purpose Objectives: Confidentiality – only authorized users are 2. Scope allowed to access sensitive information. 3. Information Security Objectives » Integrity – information is protected from 4. Authorization and Access Control Policy unwanted alterations. Availability – authorized users can freely and 5. Classification of Data quickly access information. 6. Data Support and Operations 7. Security Awareness Sessions 8. Responsibilities, Rights, and Duties of Personnel ANTONIO INFORMATION SECURITY POLICIES & STANDARDS MAIN ELEMENTS of an INFORMATION SECURITY POLICY (ISP) 1. Purpose Definition: This is an outline for information access based on authority and hierarchy. 2. Scope 3. Information Security Objectives 4. Authorization and Access Control Policy » 5. Classification of Data 6. Data Support and Operations 7. Security Awareness Sessions 8. Responsibilities, Rights, and Duties of Personnel ANTONIO INFORMATION SECURITY POLICIES & STANDARDS MAIN ELEMENTS of an INFORMATION SECURITY POLICY (ISP) 1. Purpose Classifications: High Risk – financial data, payroll data, personnel 2. Scope data, and data protected by various laws 3. Information Security Objectives Confidential – sensitive/private data 4. Authorization and Access Control Policy Public – open data 5. Classification of Data » 6. Data Support and Operations 7. Security Awareness Sessions 8. Responsibilities, Rights, and Duties of Personnel BOQUILON INFORMATION SECURITY POLICIES & STANDARDS MAIN ELEMENTS of an INFORMATION SECURITY POLICY (ISP) 1. Purpose Definition: These are outlines for operational practices responsible for data protection. 2. Scope 3. Information Security Objectives Operations: 4. Authorization and Access Control Policy Implementing data protection regulations; Backing up data; and 5. Classification of Data Moving/communicating/transferring data. 6. Data Support and Operations » 7. Security Awareness Sessions 8. Responsibilities, Rights, and Duties of Personnel BOQUILON INFORMATION SECURITY POLICIES & STANDARDS MAIN ELEMENTS of an INFORMATION SECURITY POLICY (ISP) 1. Purpose Definition: These are sessions meant to train organization staff. 2. Scope 3. Information Security Objectives Aim: To inform staff and make them aware of procedures 4. Authorization and Access Control Policy and mechanisms under the ISP to protect data. 5. Classification of Data 6. Data Support and Operations 7. Security Awareness Sessions » 8. Responsibilities, Rights, and Duties of Personnel BOQUILON INFORMATION SECURITY POLICIES & STANDARDS MAIN ELEMENTS of an INFORMATION SECURITY POLICY (ISP) 1. Purpose Definition: These are outlines for the conduct and duties of personnel under the organization’s ISP. 2. Scope 3. Information Security Objectives 4. Authorization and Access Control Policy 5. Classification of Data 6. Data Support and Operations 7. Security Awareness Sessions 8. Responsibilities, Rights, and Duties of Personnel » BOQUILON INFORMATION SECURITY POLICIES & STANDARDS UNDERSTANDING POLICIES Definition: They are “Living documents” that change according to evolving threat landscapes, regulatory compliances, and stakeholder involvement. Specifics: Responsible Individual – there is typically a policy administrator to oversee and modify a policy. Schedule of Reviews – regular meetings must be held to ensure policy relevance and effectiveness. Review Procedures and Practices – individuals may have the ability to give policy feedback. Issuances and Revisions – there must be dates for policy issuances and revisions. Automation – there may be capabilities to automate the policy modification process. BOQUILON INFORMATION SECURITY POLICIES & STANDARDS UNDERSTANDING INFORMATION SECURITY STANDARDS Definition: These are sets of documented processes/guidelines for implementing, managing, and monitoring security measures. Aim: To mitigate risks, reduce vulnerabilities, and meet regulatory requirements. Notable Examples: ISO 27000 Series NIST SP 800-53 NIST CSF BOQUILON DESOLOC presents THE INFORMATION SECURITY BLUEPRINT THE INFORMATION SECURITY BLUEPRINT UNDERSTANDING the INFORMATION SECURITY BLUEPRINT Definition: It is a system/framework for the design, selection, and implementation of security attributes such as policy management plans, risk mitigation, security protocols, and so on. Aim: To provide top-grade security for the organization and its clients/customers. Requirements for the Blueprint: Scales according to organizational growth; Is optimizable; Satisfies organizational needs and standards; and Is future-proof. DESOLOC THE INFORMATION SECURITY BLUEPRINT MAIN CONCEPTS of an EFFECTIVE BLUEPRINT In-depth Defense Unified Security Solution Mature AI and ML Algorithms Technological Integration DESOLOC THE INFORMATION SECURITY BLUEPRINT MAIN CONCEPTS of an EFFECTIVE BLUEPRINT In-depth Defense » The defensive structure outlined by the Blueprint should be layered and should contain the following components: Unified Security Solution Mature AI and ML Algorithms Risk analytics Technological Integration Dampening and hardening of attack surfaces Threat detection and response Preventative technologies Novel software to defend against spyware, ransomware, and malware DESOLOC THE INFORMATION SECURITY BLUEPRINT MAIN CONCEPTS of an EFFECTIVE BLUEPRINT In-depth Defense The Blueprint should outline a unified security solution because of the following benefits: Unified Security Solution » Mature AI and ML Algorithms Scalability of the defense layers is enabled due to Technological Integration the unification of several components. Security providers can cater to clients/customers through one point of management. DESOLOC THE INFORMATION SECURITY BLUEPRINT MAIN CONCEPTS of an EFFECTIVE BLUEPRINT In-depth Defense With the advent of Artificial Intelligence (AI) and Machine Learning (ML), novel security solutions can be built, and Unified Security Solution they should be utilized for newer Blueprints. Mature AI and ML Algorithms » Technological Integration DESOLOC THE INFORMATION SECURITY BLUEPRINT MAIN CONCEPTS of an EFFECTIVE BLUEPRINT In-depth Defense Security solutions and defenses should integrate and work with each other to close off attack vectors and Unified Security Solution possible vulnerabilities. Mature AI and ML Algorithms Technological Integration » DESOLOC ALA-AN & SECURITY EDUCATION, ABONALES present TRAINING, & AWARENESS SECURITY EDUCATION, TRAINING, & AWARENESS UNDERSTANDING SECURITY EDUCATION, TRAINING, & AWARENESS PROGRAMS (SETAs) Purpose: Improve awareness amongst employees of the need to protect system resources; Develop employee skills and knowledge to boost computer user performance and security; and Build in-depth knowledge of employees concerning design, implementation, and operation of security programs for the organization. ALA-AN SECURITY EDUCATION, TRAINING, & AWARENESS UNDERSTANDING SECURITY EDUCATION, TRAINING, & AWARENESS PROGRAMS (SETAs) Elements: Education – “insight stage” – help employees develop a true understanding of organization operations regarding cybersecurity and other processes. Training – “knowledge stage” – prepare employees to ensure they perform duties sincerely and effectively. Awareness – “information stage” – raise awareness of digital security amongst employees to reduce the risk of negligence. ALA-AN SECURITY EDUCATION, TRAINING, & AWARENESS UNDERSTANDING SECURITY EDUCATION, TRAINING, & AWARENESS PROGRAMS (SETAs) Importance: Improved response to digital security and cybersecurity incidents Reduced rates/chances of breaches Improved effectiveness of currently deployed security tools Improved employee expertise Increased awareness and understanding of emerging cyber threats Nurturing of the next generation of cyber defenders Raised social and personal responsibilities Better compliance with standards and regulations ABONALES SECURITY EDUCATION, TRAINING, & AWARENESS SAMPLE PROGRAM FRAMEWORK EDUCATION TRAINING AWARENESS ATTRIBUTE Why How What LEVEL Insight Knowledge Information OBJECTIVE Understanding Skill Exposure TEACHING Theoretical Instructions Practical Instruction Media Discussion Seminar, Lecture, Case study METHOD Background Reading, Videos, Newsletters workshop, Posters Hands-on Practice True or False, Multiple TEST MEASURE Essay Problem-solving Choice IMPACT FRAME Long-term Intermediate Short-term ABONALES ALIÑGASA presents CONTINUITY STRATEGIES CONTINUITY STRATEGIES UNDERSTANDING BUSINESS CONTINUITY STRATEGIES Definition: These are planned series of actions that is enacted to maintain critical organization functions during an incident/disruption. Incident/Disruption Life Cycle: 1. Prevention – take proactive measures to prevent or minimize the impact of potential disruptions. 2. Preparedness – prepare the organization as a whole for impending disruptions. 3. Response – take the necessary, planned actions when a disruption occurs. 4. Recovery – once the disruption has passed, bring the organization back to a normal or new stable state. 5. Mitigation – (overlaps with recovery) reduce the impact and risk of similar, future disruptions. ALIÑGASA CONTINUITY STRATEGIES DEVELOPING an EFFECTIVE BUSINESS CONTINUITY STRATEGY 1. Risk and impact assessment 2. Comprehensive strategy development 3. Stakeholder involvement 4. Employee training 5. Regular strategy testing 6. Regular strategy updating 7. Strategy communication 8. System backups 9. Partner collaboration 10. Strategy review and improvement ALIÑGASA CONTINUITY STRATEGIES DEVELOPING an EFFECTIVE BUSINESS CONTINUITY STRATEGY 1. Risk and impact assessment » A. Identify the possible risks that could disrupt organization operations. 2. Comprehensive strategy development B. Identify the impacts of those disruptions. 3. Stakeholder involvement C. Create detailed analyses of the risks and their 4. Employee training impacts. 5. Regular strategy testing 6. Regular strategy updating 7. Strategy communication 8. System backups 9. Partner collaboration 10. Strategy review and improvement ALIÑGASA CONTINUITY STRATEGIES DEVELOPING an EFFECTIVE BUSINESS CONTINUITY STRATEGY 1. Risk and impact assessment A. Identify critical organization functions. B. Assess the impact of the aforementioned risks on 2. Comprehensive strategy development » these functions. 3. Stakeholder involvement C. Figure out methods/plans to protect critical 4. Employee training functions during disruptions. 5. Regular strategy testing 6. Regular strategy updating 7. Strategy communication 8. System backups 9. Partner collaboration 10. Strategy review and improvement ALIÑGASA CONTINUITY STRATEGIES DEVELOPING an EFFECTIVE BUSINESS CONTINUITY STRATEGY 1. Risk and impact assessment A. Gather risk information from stakeholders (employees, clients, suppliers, etc.) 2. Comprehensive strategy development B. Update the strategy to include this information. 3. Stakeholder involvement » 4. Employee training 5. Regular strategy testing 6. Regular strategy updating 7. Strategy communication 8. System backups 9. Partner collaboration 10. Strategy review and improvement ALIÑGASA CONTINUITY STRATEGIES DEVELOPING an EFFECTIVE BUSINESS CONTINUITY STRATEGY 1. Risk and impact assessment A. Train employees to understand potential risks. B. Train employees to understand their 2. Comprehensive strategy development responsibilities. 3. Stakeholder involvement C. Train employees on emergency procedures. 4. Employee training » 5. Regular strategy testing 6. Regular strategy updating 7. Strategy communication 8. System backups 9. Partner collaboration 10. Strategy review and improvement ALIÑGASA CONTINUITY STRATEGIES DEVELOPING an EFFECTIVE BUSINESS CONTINUITY STRATEGY 1. Risk and impact assessment A. Regularly run drills to push the strategy to its limits and build familiarity for the employees. 2. Comprehensive strategy development B. Identify vulnerabilities and areas of improvements 3. Stakeholder involvement in the strategy. 4. Employee training C. Adjust the strategy accordingly. 5. Regular strategy testing » 6. Regular strategy updating 7. Strategy communication 8. System backups 9. Partner collaboration 10. Strategy review and improvement ALIÑGASA CONTINUITY STRATEGIES DEVELOPING an EFFECTIVE BUSINESS CONTINUITY STRATEGY 1. Risk and impact assessment A. Update the strategy to adjust for evolving technologies. 2. Comprehensive strategy development B. Update the strategy to adjust for evolving threat 3. Stakeholder involvement landscapes. 4. Employee training C. Update the strategy to adjust for regulatory changes. 5. Regular strategy testing 6. Regular strategy updating » 7. Strategy communication 8. System backups 9. Partner collaboration 10. Strategy review and improvement ALIÑGASA CONTINUITY STRATEGIES DEVELOPING an EFFECTIVE BUSINESS CONTINUITY STRATEGY 1. Risk and impact assessment A. Communicate the strategy with all relevant stakeholders. 2. Comprehensive strategy development B. Establish protocols for communication of the 3. Stakeholder involvement strategy with external stakeholders. 4. Employee training 5. Regular strategy testing 6. Regular strategy updating 7. Strategy communication » 8. System backups 9. Partner collaboration 10. Strategy review and improvement ALIÑGASA CONTINUITY STRATEGIES DEVELOPING an EFFECTIVE BUSINESS CONTINUITY STRATEGY 1. Risk and impact assessment A. Establish system backups for critical systems. B. Establish data recovery processes for 2. Comprehensive strategy development post-disruption scenarios. 3. Stakeholder involvement C. Establish regular backup schedules within the 4. Employee training strategy. 5. Regular strategy testing 6. Regular strategy updating 7. Strategy communication 8. System backups » 9. Partner collaboration 10. Strategy review and improvement ALIÑGASA CONTINUITY STRATEGIES DEVELOPING an EFFECTIVE BUSINESS CONTINUITY STRATEGY 1. Risk and impact assessment A. Collaborate with partners (suppliers, distributors, service providers, etc.) who can potentially 2. Comprehensive strategy development provide support during disruptions. 3. Stakeholder involvement B. Ensure all involved partners are prepared for all 4. Employee training possible disruptions. 5. Regular strategy testing 6. Regular strategy updating 7. Strategy communication 8. System backups 9. Partner collaboration » 10. Strategy review and improvement ALIÑGASA CONTINUITY STRATEGIES DEVELOPING an EFFECTIVE BUSINESS CONTINUITY STRATEGY 1. Risk and impact assessment A. Study the impacts of a disruption once it has passed. 2. Comprehensive strategy development B. Identify the strengths and weaknesses of the 3. Stakeholder involvement strategy. 4. Employee training C. Involve all relevant stakeholders. D. Update the strategy as needed and future-proof it. 5. Regular strategy testing 6. Regular strategy updating 7. Strategy communication 8. System backups 9. Partner collaboration 10. Strategy review and improvement » ALIÑGASA QUESTIONS? REFERENCES REFERENCES INFORMATION SECURITY PLANNING and GOVERNANCE https://www.mossadams.com/articles/2021/ https://www.kiteworks.com/secure-file-transfer/security-governance https://www.kiteworks.com/cybersecurity-risk-management https://www.6clicks.com/resources https://www.isms.online/glossary/governance-of-information-security BALLADARES | CORTES REFERENCES INFORMATION SECURITY POLICIES and STANDARDS https://www.hackerone.com/knowledge-center/information-security-policy https://www.exabeam.com/explainers/information-security/the-12-elements-of-an-information-security-policy/ https://www.infosecinstitute.com/resources/management-compliance-auditing/key-elements-information-security-policy/ ANTONIO | BOQUILON REFERENCES THE INFORMATION SECURITY BLUEPRINT https://www.channelfutures.com/security/what-s-included-in-a-security-blueprint https://www.scribd.com/document/542857659/The-Information-Security-Blueprint ALIÑGASA | DESOLOC REFERENCES SECURITY EDUCATION, TRAINING, and AWARENESS https://www.cyberranges.com/security-education-training-awareness/ https://www.scribd.com/document/542857745/Security-Education-Training-and-Awareness-Program https://study.com/academy/lesson/implementing-security-education-training-awareness-programs.html#quiz-course-links ABONALES | ALA-AN REFERENCES CONTINUITY STRATEGIES https://continuity2.com/blog/10-best-practices-for-effective-business-continuity-strategy ALIÑGASA