INFORMATION ASSURANCE AND SECURITY.pdf
INFORMATION ASSURANCE AND SECURITY 2
KIM JEM S. IBUOS

OBJECTIVES
1. Understand the core principles as a basis for developing an information assurance strategy appropriate to the size, complexity, and organizational environment;
2. Appreciate the need for information assurance to secure information assets and infrastructure against all forms of threats; and
3. Understand the fundamental concepts, principles, and expectations before and during the implementation of security protection for the user environment, independent of the size and nature of the business.

INTRODUCTION

QUESTION: What do you think are the biggest challenges in protecting personal data online, and why do you believe these challenges exist?

QUESTION: What are the key differences between information security and cybersecurity, and why are these distinctions important in the field of information assurance?

QUESTION: Why is cybersecurity important in our interconnected world today, and what are some potential consequences of neglecting it?

QUESTION: What challenges is the Philippines facing right now concerning data breaches?

According to PhilStar, the Philippines has recently faced several significant data breaches. One incident involved the Philippine National Police (PNP), with the Department of Information and Communications Technology (DICT) working to mitigate the impact of the breach. The Department of Education (DepEd) also experienced a breach following a hacking incident, raising concerns about the protection of sensitive data within government bodies. Additionally, the Philippine Health Insurance Corporation (PhilHealth) was targeted in a cyberattack, potentially exposing the personal information of millions of Filipinos.

INFORMATION ASSURANCE AND SECURITY
Information assurance and security is the management and protection of knowledge, information, and data.
− Information assurance focuses on ensuring the availability, integrity, authentication, confidentiality, and non-repudiation of information and systems.
These measures may include providing for the restoration of information systems by incorporating protection, detection, and reaction capabilities.
− Information security centers on protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
The two disciplines overlap: the five pillars of information assurance extend the confidentiality, integrity, and availability triad of information security with authentication and non-repudiation.

At its most fundamental level, IA involves protecting the rights of people and organizations. It gives an organization the ability to protect the rights of the other parties that support and interact with it: employees, existing and potential consumers of its products and services, suppliers, and other organizations allied with it through partnerships and joint ventures.

TEN CORE PRINCIPLES
Ten core principles guide an information assurance strategy in fulfilling the information assurance requirements and objectives of the enterprise. The size, complexity, and organizational environment will drive the relative importance of each principle.

1. COMPREHENSIVE
The information assurance strategy, and the policies and programs that arise from it, should encompass the subjects, areas, and domains required of modern businesses. Each policy's theme, domain, and region should be sufficiently broad and detailed to facilitate strategic, tactical, and operational execution.

2. INDEPENDENT
An organization's information assurance strategy should have distinct topics and views on the defined mission. Organizations come in a variety of sizes and rely on suppliers for products and services, so the strategy should take a neutral, vendor-independent stance on information security in order to benefit a diverse population. Within the organization, constituent components should define their own assurance requirements and create tactical and operational controls that follow the strategic plan.
3. LEGAL AND REGULATORY REQUIREMENTS
To be effective, an organization's information assurance strategy must comply with all applicable laws and regulations, including those governing information assurance in the context of human resources, healthcare, finance, disclosure, internal control, and privacy. Information assurance plans should incorporate current legal frameworks and regulations so that executives understand how to comply with the regulatory responsibilities particular to their industry or environment.

4. LIVING DOCUMENT
The strategy is not written once and left fixed. As the laws and regulations described under the previous principle change, and as threats, technology, and the organization itself change, the strategy and the policies that flow from it must be reviewed and revised so that they remain consistent with the current environment.

5. LONG LIFE SPAN
Even though information assurance is a dynamic discipline that develops at a rapid pace, it requires a solid strategic basis. A company's information assurance strategy must be built on the fundamentals of information assurance that stay consistent over time, which improves the strategy's value and relevance. The faster-changing detail lives in the tactical and operational components, which is what makes a long-lived strategy possible.

6. CUSTOMIZABLE AND PRAGMATIC
Organizations should develop flexible information assurance strategies. A strategy should be appropriate for a wide range of company operations, regardless of size or complexity, and should reflect differing objectives and a range of infrastructure needs.
Organizations should adopt and adjust their tactical and operational strategies to reflect their recognized information assurance requirements and risk profiles. While controls are offered throughout this work, they should be taken as recommendations rather than prescriptions.

7. RISK-BASED APPROACH
A risk-based strategy identifies and prioritizes risk for each company. Organizations have differing risk profiles, which call for controls that match each organization's risk tolerance. In addition to informing sub-components that have their own risk profiles, an organization's information assurance strategy must be comprehensive enough to provide clear guidance for the entire enterprise. In effect, this is similar to a risk portfolio in finance, which reflects the combined risk of each investment within the portfolio.

8. ORGANIZATIONALLY SIGNIFICANT
Organizations should regard information assurance as vital to both strategy and current operations. Information assurance is a substantial investment and an area of concern for every business. Like fundamental accounting, it is an essential element of every company: a business that chooses to disregard accounting faces penalties, shareholder difficulties, fraud, and internal-control failures, and a business that disregards information assurance faces the same kinds of exposure. Organizations that have information assurance procedures in place for their critical assets gain insight into operational and strategic risk.

9. STRATEGIC, TACTICAL, AND OPERATIONAL
An organization's information assurance strategy supports the strategic (long-term) planning and decisions of top managers and executives. It provides information for the tactical (mid-term) planning and decisions of managers, helping them achieve their strategic goals. It also provides employees and line managers with relevant information for short-term operational planning and decisions.
10. CONCISE, WELL-STRUCTURED, AND EXTENSIBLE
An information assurance strategy should cover the various information assurance subjects, each presented methodically to maximize its benefit. The strategy document should make it easy for users to find and use its content. The structure and contents of the strategy should show high cohesion and low coupling: each topic should be discussed to the appropriate level entirely on its own (high cohesion), and its contents should not depend heavily on other topics (low coupling). This makes the policy extensible, because new topics can be added without rewriting existing ones, and gives the user a modular approach to information assurance.

In 2011, Sony Corporation reported a data breach that resulted in the loss of the personal details of 77 million customers.

A month before the 2016 national elections, the Commission on Elections (COMELEC) suffered a large-scale attack that many consider the most significant government-related data breach. Hackers accessed and compromised data on roughly 70 million people, more than half of the country's population, including:
- fingerprint data
- passport information
- email addresses
- postal addresses
- birthplace
- height and weight
- gender
- marital status
- parents' names

INFORMATION SECURITY
Information:
a. Knowledge acquired through experience or study.
b. In computing, the meaning given to data by how it is interpreted; also another word for data.
Security:
a. The state of being secure.
b. Precautions taken to guard against theft, espionage, etc.

Information Security is a discipline whose main aim is to keep knowledge, data, and its meaning free from undesirable events such as theft, espionage, damage, threats, and other dangers.
Information Security includes all actions taken in advance to prevent undesirable events from happening to the knowledge, data, and its meaning, so that the knowledge, data, and its meaning can be relied on.