Legal, Ethical, and Professional Issues in Information Security PDF
Summary
This document is a presentation on legal, ethical, and professional issues in information security. The presentation covers topics such as security governance, policies, and standards. It also includes information on the components of information security governance and related definitions.
Full Transcript
LEGAL, ETHICAL, & PROFESSIONAL ISSUES IN INFORMATION SECURITY
GROUP 1 – IQR1: Abonales | Ala-an | Aliñgasa | Antonio | Balladares | Boquilon | Cortes | Desoloc

BALLADARES & CORTES present: INFORMATION SECURITY PLANNING & GOVERNANCE

UNDERSTANDING SECURITY GOVERNANCE
Definition: It refers to how an organization controls its approach to security.
Aim: The achievement of one or more predefined security goals.
Involves: procedures, strategies, and other necessary programs.

UNDERSTANDING INFORMATION SECURITY GOVERNANCE
Definition: It refers to how an organization controls its approach to information security.
Aim: The protection of information through digital and cybersecurity measures.
Involves: policies, practices, and strategies.
Key Aspect: The implementation of security protocols and technologies for communications and storage.
Notable Examples:
- Hypertext Transfer Protocol Secure (HTTPS)
- Secure File Transfer Protocol (SFTP)
- Advanced Encryption Standard (AES)
- Enterprise File Protection (EFP)
- Encrypting File System (EFS)

MAIN COMPONENTS of INFORMATION SECURITY GOVERNANCE
1. Security Measures
2. Security Policies
3. Physical and Environmental Protection
4. Monitoring Processes and Systems
5. Asset Management

1. Security Measures
Definition: These are protective measures to safeguard organization information and systems from unauthorized access, malicious attacks, and potential breaches.
Types:
- Encryption – the process of converting data into an unreadable format
- Firewall – a barrier and filter between external and internal systems
- Access Controls – encompass authentication, authorization, and monitoring of users
- Intrusion Detection Systems (IDS) – network traffic monitoring to find suspicious activity

2. Security Policies
Definition: These are rules and guidelines for protecting organization information assets.
Involves:
- Step-by-step instructions on implementing security measures
- Step-by-step instructions on responding to security threats and incidents
- Consistent security practices

3. Physical and Environmental Protection
Definition: These are measures to secure physical assets such as servers, data centers, and critical infrastructure.
Aim: To protect against theft, damage, or disruption caused by natural disasters and human error.
Involves:
- Access controls
- Surveillance systems
- Environmental controls (temperature, humidity, etc.)
General Requirements:
- Access Controls – authentication, authorization, and monitoring of users (as previously defined)
- Resilience – utilization of backup power, fire suppression, and offsite data storage
- Asset Management – inventory and prioritization of assets to allocate protective resources effectively
- Risk Assessment – vulnerability identification and mitigation

4. Monitoring Processes and Systems
Definition: These involve monitoring for the purpose of detecting security incidents, unauthorized access attempts, and unusual activities.
Involves:
- Intrusion detection systems
- System log analysis
- Security breach response tools

5. Asset Management
Definition: It refers to the identification and management of organizational assets, namely hardware, software, data, and intellectual property.
Involves:
- Asset inventory maintenance
- Asset vulnerability assessments
- Asset risk mitigation

ANTONIO & BOQUILON present: INFORMATION SECURITY POLICIES & STANDARDS

UNDERSTANDING the INFORMATION SECURITY POLICY (ISP)
Definition: It is a set of rules, guidelines, and procedures that outline how an organization should manage, protect, and distribute its information assets.
Aim: The reduction of risks related to data breaches, unauthorized access, and other security threats.
Importance:
- Facilitates data integrity, availability, and confidentiality;
- Protects sensitive data;
- Minimizes the risk of security incidents;
- Executes security programs throughout the organization;
- Provides a clear security statement to third parties; and
- Helps comply with regulatory requirements.

MAIN ELEMENTS of an INFORMATION SECURITY POLICY (ISP)
1. Purpose
2. Scope
3. Information Security Objectives
4. Authorization and Access Control Policy
5. Classification of Data
6. Data Support and Operations
7. Security Awareness Sessions
8. Responsibilities, Rights, and Duties of Personnel

1. Purpose
Purpose: To provide a robust framework for protecting data and systems.
Aim:
- Set standards and best practices;
- Prevent security breaches;
- Protect the organization’s reputation; and
- Protect user data.

2. Scope
Definition: It refers to the audience to which the ISP does/does not apply (may include data, technologies, users, etc.).
Note: Third-party vendors/affiliates may also be included.

3. Information Security Objectives
Objectives:
- Confidentiality – only authorized users are allowed to access sensitive information.
- Integrity – information is protected from unwanted alterations.
- Availability – authorized users can freely and quickly access information.

4. Authorization and Access Control Policy
Definition: This is an outline for information access based on authority and hierarchy.

5. Classification of Data
Classifications:
- High Risk – financial data, payroll data, personnel data, and data protected by various laws
- Confidential – sensitive/private data
- Public – open data

6. Data Support and Operations
Definition: These are outlines for operational practices responsible for data protection.
Operations:
- Implementing data protection regulations;
- Backing up data; and
- Moving/communicating/transferring data.

7. Security Awareness Sessions
Definition: These are sessions meant to train organization staff.
Aim: To inform staff and make them aware of procedures and mechanisms under the ISP to protect data.

8. Responsibilities, Rights, and Duties of Personnel
Definition: These are outlines for the conduct and duties of personnel under the organization’s ISP.

UNDERSTANDING POLICIES
Definition: They are “living documents” that change according to evolving threat landscapes, regulatory compliance requirements, and stakeholder involvement.
Specifics:
- Responsible Individual – there is typically a policy administrator to oversee and modify a policy.
- Schedule of Reviews – regular meetings must be held to ensure policy relevance and effectiveness.
- Review Procedures and Practices – individuals may have the ability to give policy feedback.
- Issuances and Revisions – there must be dates for policy issuances and revisions.
- Automation – there may be capabilities to automate the policy modification process.

UNDERSTANDING INFORMATION SECURITY STANDARDS
Definition: These are sets of documented processes/guidelines for implementing, managing, and monitoring security measures.
Aim: To mitigate risks, reduce vulnerabilities, and meet regulatory requirements.
Notable Examples:
- ISO 27000 Series
- NIST SP 800-53
- NIST CSF

DESOLOC presents: THE INFORMATION SECURITY BLUEPRINT

UNDERSTANDING the INFORMATION SECURITY BLUEPRINT
Definition: It is a system/framework for the design, selection, and implementation of security attributes such as policy management plans, risk mitigation, security protocols, and so on.
Aim: To provide top-grade security for the organization and its clients/customers.
Requirements for the Blueprint:
- Scales according to organizational growth;
- Is optimizable;
- Satisfies organizational needs and standards; and
- Is future-proof.

MAIN CONCEPTS of an EFFECTIVE BLUEPRINT
- In-depth Defense
- Unified Security Solution
- Mature AI and ML Algorithms
- Technological Integration

In-depth Defense
The defensive structure outlined by the Blueprint should be layered and should contain the following components:
- Risk analytics
- Dampening and hardening of attack surfaces
- Threat detection and response
- Preventative technologies
- Novel software to defend against spyware, ransomware, and malware

Unified Security Solution
The Blueprint should outline a unified security solution because of the following benefits:
- Scalability of the defense layers is enabled by the unification of several components.
- Security providers can cater to clients/customers through one point of management.

Mature AI and ML Algorithms
With the advent of Artificial Intelligence (AI) and Machine Learning (ML), novel security solutions can be built, and they should be utilized for newer Blueprints.

Technological Integration
Security solutions and defenses should integrate and work with each other to close off attack vectors and possible vulnerabilities.
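The governance and policy slides define access control, data classification (High Risk / Confidential / Public) and monitoring (log analysis, detection of unauthorized access attempts) as separate components, and the Blueprint asks for them to be layered and to work with each other. The Python script below is an added example, not part of the presentation or of its sources, showing the three pieces combined in one small policy enforcement point: a default-deny authorization check that compares a role's clearance against an asset's classification, an audit log of every decision, and a monitor that flags a user whose denials reach a threshold as suspicious activity for follow-up. The role hierarchy, asset inventory, threshold and sample requests are all constructed for illustration.

```python
"""Added example (not from the presentation): a minimal policy enforcement
point combining access control, data classification and monitoring.
Roles, clearances, assets and requests below are constructed."""
from collections import Counter
from dataclasses import dataclass, field

# Classification levels from the ISP slide, ranked by sensitivity.
CLASSIFICATION_RANK = {"Public": 0, "Confidential": 1, "High Risk": 2}

# Assumed role hierarchy: the most sensitive classification a role may read.
ROLE_CLEARANCE = {"guest": "Public", "staff": "Confidential", "finance": "High Risk"}

# Assumed asset inventory (the asset management component): name -> classification.
ASSET_INVENTORY = {
    "press-release.txt": "Public",
    "customer-list.csv": "Confidential",
    "payroll-2024.xlsx": "High Risk",
}


@dataclass
class Monitor:
    """Monitoring component: keeps an audit trail and counts denials per user."""
    threshold: int = 3                                   # denials before a user is flagged
    audit_log: list = field(default_factory=list)
    denials: Counter = field(default_factory=Counter)

    def record(self, user: str, asset: str, allowed: bool, reason: str) -> None:
        self.audit_log.append({"user": user, "asset": asset, "allowed": allowed, "reason": reason})
        if not allowed:
            self.denials[user] += 1

    def suspicious_users(self) -> list:
        """Users whose denial count reached the threshold (candidates for review)."""
        return sorted(u for u, n in self.denials.items() if n >= self.threshold)


def authorize(role: str, asset: str) -> tuple:
    """Default-deny decision as (allowed, reason): unknown roles and unlisted assets are refused."""
    if role not in ROLE_CLEARANCE:
        return False, "unknown role"
    if asset not in ASSET_INVENTORY:
        return False, "asset not in inventory"
    needed = CLASSIFICATION_RANK[ASSET_INVENTORY[asset]]
    held = CLASSIFICATION_RANK[ROLE_CLEARANCE[role]]
    if held < needed:
        return False, f"clearance {ROLE_CLEARANCE[role]} below {ASSET_INVENTORY[asset]}"
    return True, "clearance sufficient"


def process_requests(requests, monitor: Monitor) -> list:
    """Run each (user, role, asset) request through authorize() and log the outcome."""
    outcomes = []
    for user, role, asset in requests:
        allowed, reason = authorize(role, asset)
        monitor.record(user, asset, allowed, reason)
        outcomes.append(allowed)
    return outcomes


# Constructed sample traffic: one account keeps probing data above its clearance.
SAMPLE_REQUESTS = [
    ("alice", "finance", "payroll-2024.xlsx"),   # allowed
    ("bob", "staff", "payroll-2024.xlsx"),       # denied: Confidential < High Risk
    ("bob", "staff", "customer-list.csv"),       # allowed
    ("mallory", "guest", "customer-list.csv"),   # denied
    ("mallory", "guest", "payroll-2024.xlsx"),   # denied
    ("mallory", "guest", "secret-plan.docx"),    # denied: not in inventory
    ("eve", "intern", "press-release.txt"),      # denied: unknown role
]


def demo() -> Monitor:
    """Process the sample traffic and return the populated monitor."""
    monitor = Monitor()
    process_requests(SAMPLE_REQUESTS, monitor)
    return monitor


if __name__ == "__main__":
    m = demo()
    for entry in m.audit_log:
        print(entry)
    print("flagged for review:", m.suspicious_users())
```

Two design points carry over to real systems: the decision defaults to deny whenever the policy has no answer (a role or asset missing from the inventory), and denials are recorded rather than silently dropped, because the pattern of refusals is what the monitoring component needs in order to spot an unauthorized access attempt.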
ALA-AN & ABONALES present: SECURITY EDUCATION, TRAINING, & AWARENESS

UNDERSTANDING SECURITY EDUCATION, TRAINING, & AWARENESS PROGRAMS (SETAs)
Purpose:
- Improve awareness amongst employees of the need to protect system resources;
- Develop employee skills and knowledge to boost computer user performance and security; and
- Build in-depth knowledge of employees concerning the design, implementation, and operation of security programs for the organization.
Elements:
- Education – “insight stage” – help employees develop a true understanding of organization operations regarding cybersecurity and other processes.
- Training – “knowledge stage” – prepare employees to ensure they perform duties sincerely and effectively.
- Awareness – “information stage” – raise awareness of digital security amongst employees to reduce the risk of negligence.
Importance:
- Improved response to digital security and cybersecurity incidents
- Reduced rates/chances of breaches
- Improved effectiveness of currently deployed security tools
- Improved employee expertise
- Increased awareness and understanding of emerging cyber threats
- Nurturing of the next generation of cyber defenders
- Raised social and personal responsibilities
- Better compliance with standards and regulations

SAMPLE PROGRAM FRAMEWORK
                  EDUCATION                      TRAINING                            AWARENESS
ATTRIBUTE         Why                            How                                 What
LEVEL             Insight                        Knowledge                           Information
OBJECTIVE         Understanding                  Skill                               Exposure
TEACHING METHOD   Theoretical instruction:       Practical instruction:              Media:
                  discussion, seminar,           lecture, case-study workshop,       videos, newsletters,
                  background reading             hands-on practice                   posters
TEST MEASURE      Essay                          Problem-solving                     True or False, Multiple Choice
IMPACT FRAME      Long-term                      Intermediate                        Short-term

ALIÑGASA presents: CONTINUITY STRATEGIES

UNDERSTANDING BUSINESS CONTINUITY STRATEGIES
Definition: These are planned series of actions that are enacted to maintain critical organization functions during an incident/disruption.
Incident/Disruption Life Cycle:
1. Prevention – take proactive measures to prevent or minimize the impact of potential disruptions.
2. Preparedness – prepare the organization as a whole for impending disruptions.
3. Response – take the necessary, planned actions when a disruption occurs.
4. Recovery – once the disruption has passed, bring the organization back to a normal or new stable state.
5. Mitigation – (overlaps with recovery) reduce the impact and risk of similar, future disruptions.

DEVELOPING an EFFECTIVE BUSINESS CONTINUITY STRATEGY
1. Risk and impact assessment
2. Comprehensive strategy development
3. Stakeholder involvement
4. Employee training
5. Regular strategy testing
6. Regular strategy updating
7. Strategy communication
8. System backups
9. Partner collaboration
10. Strategy review and improvement

1. Risk and impact assessment
A. Identify the possible risks that could disrupt organization operations.
B. Identify the impacts of those disruptions.
C. Create detailed analyses of the risks and their impacts.

2. Comprehensive strategy development
A. Identify critical organization functions.
B. Assess the impact of the aforementioned risks on these functions.
C. Figure out methods/plans to protect critical functions during disruptions.

3. Stakeholder involvement
A. Gather risk information from stakeholders (employees, clients, suppliers, etc.).
B. Update the strategy to include this information.

4. Employee training
A. Train employees to understand potential risks.
B. Train employees to understand their responsibilities.
C. Train employees on emergency procedures.

5. Regular strategy testing
A. Regularly run drills to push the strategy to its limits and build familiarity for the employees.
B. Identify vulnerabilities and areas of improvement in the strategy.
C. Adjust the strategy accordingly.

6. Regular strategy updating
A. Update the strategy to adjust for evolving technologies.
B. Update the strategy to adjust for evolving threat landscapes.
C. Update the strategy to adjust for regulatory changes.

7. Strategy communication
A. Communicate the strategy with all relevant stakeholders.
B. Establish protocols for communication of the strategy with external stakeholders.

8. System backups
A. Establish system backups for critical systems.
B. Establish data recovery processes for post-disruption scenarios.
C. Establish regular backup schedules within the strategy.

9. Partner collaboration
A. Collaborate with partners (suppliers, distributors, service providers, etc.) who can potentially provide support during disruptions.
B. Ensure all involved partners are prepared for all possible disruptions.

10. Strategy review and improvement
A. Study the impacts of a disruption once it has passed.
B. Identify the strengths and weaknesses of the strategy.
C. Involve all relevant stakeholders.
D. Update the strategy as needed and future-proof it.

QUESTIONS?
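Of the ten steps, regular strategy testing (step 5) and system backups with recovery processes and a backup schedule (step 8) are the ones that can be exercised directly in code. The Python script below is an added example and is not part of the presentation or its sources: it records a SHA-256 manifest of a constructed source tree, copies it to a backup location, restores it, and verifies the restore file by file (missing, corrupted and unexpected files are all reported), then checks the backup's age against an assumed 24-hour schedule. The directory layout, file contents, timestamps and schedule are all assumptions made for the drill.

```python
"""Added example (not from the presentation): a backup-and-recovery drill
covering strategy steps 5 (regular testing) and 8 (system backups).
Paths, file contents, timestamps and the schedule are constructed."""
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Digest a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> list:
    """Return a list of problems; an empty list means the restore matches the manifest."""
    problems = []
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(target) != digest:
            problems.append(f"corrupted: {rel}")
    extra = set(build_manifest(restored)) - set(manifest)
    problems.extend(f"unexpected: {rel}" for rel in sorted(extra))
    return problems


def backup_is_current(taken_at: datetime, now: datetime, max_age: timedelta) -> bool:
    """Schedule check: a backup older than max_age violates the agreed backup interval."""
    return now - taken_at <= max_age


def run_drill() -> dict:
    """Build a constructed source tree, back it up, restore it twice (one clean, one damaged)
    and report what the verification and schedule checks find."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src, backup, restore, damaged = base / "src", base / "backup", base / "restore", base / "restore2"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'widget');\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")

        manifest = build_manifest(src)          # recorded at backup time
        shutil.copytree(src, backup)            # the backup itself

        shutil.copytree(backup, restore)        # clean restore: should verify
        clean = verify_restore(manifest, restore)

        shutil.copytree(backup, damaged)        # simulate bit rot and data loss in a second restore
        (damaged / "config.ini").write_text("[app]\nmode=dev\n")
        (damaged / "db" / "orders.sql").unlink()
        broken = verify_restore(manifest, damaged)

        taken = datetime(2024, 1, 1, 2, 0)      # assumed time of the last backup
        daily = timedelta(days=1)               # assumed schedule
        return {
            "files": len(manifest),
            "clean_problems": clean,
            "broken_problems": broken,
            "current_after_20h": backup_is_current(taken, taken + timedelta(hours=20), daily),
            "current_after_7d": backup_is_current(taken, taken + timedelta(days=7), daily),
        }


if __name__ == "__main__":
    for key, value in run_drill().items():
        print(f"{key}: {value}")
```

The manifest is the piece most often skipped in practice: without a digest taken at backup time, a restore drill can only show that files exist, not that they are the files that were backed up, and the stale-backup check is what turns "we have backups" into evidence that the schedule in step 8 is actually being met.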
REFERENCES

INFORMATION SECURITY PLANNING and GOVERNANCE (BALLADARES | CORTES)
- https://www.mossadams.com/articles/2021/
- https://www.kiteworks.com/secure-file-transfer/security-governance
- https://www.kiteworks.com/cybersecurity-risk-management
- https://www.6clicks.com/resources
- https://www.isms.online/glossary/governance-of-information-security

INFORMATION SECURITY POLICIES and STANDARDS (ANTONIO | BOQUILON)
- https://www.hackerone.com/knowledge-center/information-security-policy
- https://www.exabeam.com/explainers/information-security/the-12-elements-of-an-information-security-policy/
- https://www.infosecinstitute.com/resources/management-compliance-auditing/key-elements-information-security-policy/

THE INFORMATION SECURITY BLUEPRINT (ALIÑGASA | DESOLOC)
- https://www.channelfutures.com/security/what-s-included-in-a-security-blueprint
- https://www.scribd.com/document/542857659/The-Information-Security-Blueprint

SECURITY EDUCATION, TRAINING, and AWARENESS (ABONALES | ALA-AN)
- https://www.cyberranges.com/security-education-training-awareness/
- https://www.scribd.com/document/542857745/Security-Education-Training-and-Awareness-Program
- https://study.com/academy/lesson/implementing-security-education-training-awareness-programs.html#quiz-course-links

CONTINUITY STRATEGIES (ALIÑGASA)
- https://continuity2.com/blog/10-best-practices-for-effective-business-continuity-strategy