INFORMATION ASSURANCE AND SECURITY.pdf

Full Transcript

INFORMATION ASSURANCE
AND SECURITY 2
KIM JEM S. IBUOS
 OBJECTIVES
1. Understand the core principles as a basis in the
development of an information assurance based on
size, complexity, and organizational environment;
2. Appreciate the need for information assurance to
secure information assets and infrastructure against
all forms of threats; and
3. Understand the fundamentals concepts, principles,
and expectations before and during the
implementation of security protection to the user
environment, independent of the size and nature of
the business;
INTRODUCTION

3
QUESTION :
WHAT DO YOU
THINK ARE THE
BIGGEST
CHALLENGES IN
PROTECTING
PERSONAL DATA
ONLINE, AND WHY
DO YOU BELIEVE
THESE CHALLENGES
EXIST?

4
QUESTION :
WHAT ARE THE KEY
DIFFERENCES
BETWEEN
INFORMATION
SECURITY AND
CYBERSECURITY,
AND WHY ARE THESE
DISTINCTIONS
IMPORTANT IN THE
FIELD OF
INFORMATION
ASSURANCE? 5
QUESTION :
WHY IS
CYBERSECURITY
IMPORTANT IN
OUR
INTERCONNECTED
WORLD TODAY,
AND WHAT ARE
SOME POTENTIAL
CONSEQUENCES
OF NEGLECTING
IT? 6
WHAT ARE THE CHALLENGES THAT
THE PHILIPPINES FACING RIGHT
NOW CONCERNING DATA
BREACHES?

7
According to PhilStar, the Philippines has
recently faced several significant data
breaches. One incident involved the
Philippine National Police (PNP), with
efforts by the Department of Information
and Communications Technology (DICT) to
mitigate the impact of the breach
The Department of Education
(DepEd) also experienced a breach
following a hacking incident, raising
concerns about the protection of
sensitive data within government
bodies.
Additionally, the Philippine Health
Insurance Corporation (PhilHealth)
was targeted in a cyberattack,
potentially exposing the personal
information of millions of Filipinos.
 INFORMATION
ASSURANCE AND
SECURITY

It is the management and
protection of knowledge,
information, and data.
− Information assurance focuses on
ensuring the availability, integrity,
authentication, confidentiality, and
non-repudiation of information and
systems. These measures may
include providing restoration of
information systems by incorporating
protection, detection, and reaction
capabilities.

− Information security centers on
protecting information and
information systems from
unauthorized access, use, disclosure,
disruption, modification, or
destruction to provide confidentiality,
integrity, and availability.
12
At its most fundamental level, IA involves
protecting the rights of people and
organizations. It can provide organizations with
the ability to protect the rights of other parties
that support and interact with them. These
parties include employees, the existing and
potential consumers of their products and
services, suppliers, and other organizations that
are allies as a result of partnerships and joint
ventures
 TEN CORE
PRINCIPLES
Ten Core Principles in Information
Assurance Strategy to fulfil the
Information Assurance Requirements and
Objectives of the enterprise. The size,
complexity, and organizational
environment will drive the relative
importance of each of the principles.

14
 COMPREHENSIVE
The information assurance strategy and policies and
programs that arise should encompass the subjects,
areas, and domains required of modern businesses.
Each policy's theme, domain, and region should be
sufficiently broad and detailed to facilitate strategic,
tactical, and operational execution.

15
 INDEPENDENT
The information assurance strategy of an organization should have distinct
topics and views on the defined mission. Organizations come in a variety
of sizes and rely on suppliers for products and services. An organization's
information assurance strategy should take a neutral stance on
information security to benefit a diverse population. Within organizations,
constituent components should define their assurance requirements and
create tactical and operational controls following the strategic plan.

16
 LEGAL AND REGULATORY
REQUIREMENTS
To be effective, an organization's information assurance
strategy must be compliant with all applicable laws and
regulations, including those governing information assurance in
the context of human resources and healthcare, finance,
disclosure, internal control, and privacy within the company. In
order to guarantee that CEOs understand how to comply with
regulatory responsibilities that are particular to their industry
or environment, information assurance plans should include
current legal frameworks and regulations into their plans.
17
 LIVING DOCUMENT
For an organization's information assurance strategy to be
effective, it must be consistent with existing laws and
regulations, which may include but are not limited to those
governing information assurance, human resources, healthcare,
finance, disclosure, internal control, and privacy in the context
of an organization. Organizations' information assurance plans
should incorporate current legal frameworks and laws to ensure
that executives understand how to comply with regulatory
obligations specific to their sector or environment.
18
 LONG LIFE SPAN
Even though information assurance is a dynamic discipline that
is constantly developing at a quick pace, it requires a solid
strategic basis. A company's information assurance strategy
must be focused on the foundations of information assurance
that stay consistent throughout time to improve the strategy's
value and relevance. Many tactical and operational components
help to make this possible.

19
 CUSTOMIZABLE AND
PRAGMATIC
Organizations should develop flexible information assurance
strategies. It should be appropriate for a wide range of company
operations, regardless of their size or complexity, and should
reflect various objectives and a range of infrastructural
necessities. Organizations should adopt and adjust their tactical
and operational strategies to reflect recognized organizational
information assurance requirements and risk profiles. While
controls have been offered throughout this work, they should
act as recommendations.
20
 RISK-BASED APPROACH
A risk-based strategy identifies and prioritizes risk for each
company. Organizations have varying risk profiles, which
necessitates controls that match the organization's risk
tolerance. In addition to informing sub-components with varied
risk profiles, an organization's information assurance strategy
must be comprehensive enough to provide clear advice for the
entire enterprise. In effect, this is similar to a risk portfolio in
finance that reflects the combined risk of each investment
within a portfolio.
21
 ORGANIZATIONALLY
SIGNIFICANT
In terms of strategy and current operations, organizations should
see information assurance as vital. Information assurance is a
substantial investment and an area of concern for every business.
Just like fundamental accounting, information assurance is an
essential element of every company. More specifically, businesses
will face potential penalties and shareholder difficulties because
of their choice to disregard accounting, but they will also face
fraud and internal controls. Organizations have information
assurance procedures in place concerning critical assets, providing
insight into operational and strategic risk.
22
 STRATEGIC, TACTICAL, AND
OPERATIONAL
This organization's information assurance strategy
supports the strategic (long-term) planning and choices
of top managers and executives. Providing information
to help in tactical (midterm) planning and choices for
managers allow managers to achieve their strategic
goals better. Also, the organization's information
assurance strategy provides employees and line
managers with relevant information for short-term
operational planning and choices. 23
 CONCISE, WELL-STRUCTURED,
AND EXTENSIBLE

Information assurance strategies should cover various information
assurance subjects, each presented methodically to maximize advantages.
A strategy document should make it easy for users to get and use the
content. The structure and contents of the organization's information
assurance strategy should demonstrate high cohesion and low coupling.
Each topic should be discussed to the appropriate level entirely on its own
(high cohesion), and its contents should not be highly dependent (low
coupling) on other topics. This approach makes the policy extensible by
enabling new information (topics) and providing a modular approach to
information assurance for the user.
24
ACCORDING TO THE
STATISTICS OF SONY
CORPORATION IN
2011, SONY
REPORTED A DATA
BREACH THAT HAD
RESULTED IN THE
LOSS OF PERSONAL
DETAILS OF 77
MILLION CUSTOMERS.

25
A MONTH BEFORE THE 2016
NATIONAL ELECTIONS, THE
COMMISSION ON ELECTIONS
(COMELEC) SUFFERED A LARGE-
SCALE ATTACK MANY CONSIDER
THE MOST SIGNIFICANT
GOVERNMENT-RELATED DATA
BREACH. IT INVOLVED HACKERS
ACCESSING AND COMPROMISING
DATA FROM ROUGHLY 70
MILLION PEOPLE—MORE THAN
HALF OF THE COUNTRY'S
POPULATION—INCLUDING:

-FINGERPRINT DATA
-PASSPORT INFORMATION
-EMAIL ADDRESSES
-POSTAL ADDRESSES
-BIRTHPLACE
-HEIGHT AND WEIGHT
-GENDER
-MARITAL STATUS
-PARENTS' NAMES 26
INFORMATION SECURITY

Information Security

Knowledge acquired through The state of being secure;
experience or study;
Precautions are taken to ensure
against theft, espionage, etc.
Computing
a. the meaning given to data by how
it is interpreted.
b. another word for data.
27
 INFORMATION SECURITY
Information Security is a discipline, the main aim of which is
to keep knowledge, data and its meaning free from
undesirable events, such as theft, espionage, damage,
threats and other dangers. Information Security includes all
actions, taken in advance, to prevent undesirable events
from happening to the knowledge, data and its meaning so
that the knowledge, data and its meaning can be relied on.

28
29