Module 1 IAS - IntroductionToInformationAssuranceAndSecurity (20240814113543).pdf
Uploaded by Deleted User (Pamantasan ng Cabuyao)
PAMANTASAN NG CABUYAO | INFORMATION ASSURANCE AND SECURITY
Course Material No. 1
INFORMATION ASSURANCE AND SECURITY
MS. KIER PANOLLERA, Course Instructor

MODULE 1: THE NEED FOR ASSURANCE AND SECURITY

LEARNING OUTCOMES
At the end of this course material, the students should be able to:
- Demonstrate that information assurance and security is a business necessity for organizations
- Recognize risks and threats to IAS
- Identify the challenges faced by software developers and admins in handling IAS activities

RESOURCES NEEDED
For this lesson, you would need the following resources:
- Information Assurance and Security Overview PowerPoint Presentation
- Links to videos: https://www.youtube.com/watch?v=KFsR8pCsoTo&list=PLDqK1viQBjWO7wYk6HvW_M8O5ESqDOcWp&index=2 (Introduction to Information Security)
- Links to websites:
- Reference materials, tools, and equipment

MODULE CONTENTS
Kick-off
Pretest
Pre-Activity
Posttest
Key Terms
References

PRETEST
Before you start, try answering the following questions.
1. What is information assurance and security?
___________________________________
2. What are the differences between information assurance and information security?
___________________________________
3. How can admins strike a balance between information availability versus information access control?
___________________________________

KICK-OFF: ANSWER THE RIDDLE
I'm a shield for data, both day and night,
From threats and breaches, I ensure it's alright.
I go beyond just locks and keys,
Managing risks, ensuring trust with ease.
I safeguard not just from hacks and prying eyes,
But also from errors and deceitful lies.
Compliance and accuracy are my game,
In the world of data, I earn my name.
What am I? ________________________________________

I'm bits and bytes, a digital dance,
In computers and servers, I enhance.
I hold your secrets, both big and small,
Numbers, words, I collect them all.
I travel through cables, invisible yet strong,
In databases, I belong.
Analyzing me, insights are found,
In the vast digital playground.
What am I? _______________________________

INTRODUCTION
It is impossible to overestimate the significance of information assurance and security in the connected and data-driven world of today. Sensitive information must be safeguarded against unauthorized access, manipulation, and theft as technology develops and businesses, governments, and individuals depend more and more on digital platforms.

Information assurance and security (IAS) refers to a broad range of procedures, tools, and guidelines for guaranteeing the privacy, accuracy, and accessibility of digital data. This industry is essential to ensuring privacy, trust, and the efficient operation of many industries, including finance, healthcare, communication, and national security. The study and application of efficient information assurance and security procedures have become crucial for enterprises and individuals alike to confidently navigate the digital landscape as cyber dangers continue to emerge.

Margin definitions:
- Information assurance and security (IAS). A broad range of procedures, tools, and guidelines for guaranteeing the privacy, accuracy, and accessibility of digital data.
- Information assurance. The systematic and comprehensive approach to safeguarding sensitive and critical information from unauthorized access, alteration, disruption, or destruction.
- Information security. Commonly defined as the process of preventing unauthorized individuals from accessing, using, disclosing, disrupting, altering, or destroying digital information and data.
- Confidentiality. The principle of keeping information secret from unauthorized individuals or entities.

INFORMATION ASSURANCE
Information assurance (IA) refers to the systematic and comprehensive approach to safeguarding sensitive and critical information from unauthorized access, alteration, disruption, or destruction. It encompasses a range of strategies, practices, policies, and technologies designed to ensure the confidentiality, integrity, availability, and authenticity of data.

Put in another perspective, IA may also be defined as the practice of protecting information and systems from unauthorized access, use, disclosure, disruption, modification, or destruction. It is a broad field that encompasses a wide range of security controls, including physical, technical, and administrative measures.

IA goes beyond traditional cybersecurity measures, incorporating aspects of risk management, compliance, and continuity planning to establish a robust framework for protecting digital assets against a variety of threats, including cyberattacks, insider threats, data breaches, and natural disasters. The goal of IA is to establish a secure and resilient environment that enables organizations and individuals to operate and communicate confidently in today's interconnected digital world.
The major principles of information assurance:

1. Confidentiality
The information must be kept secret from unauthorized individuals or entities. The data most commonly subject to confidentiality are health records, bank records, personal identification (and authentication credentials such as usernames, passwords, PINs, etc.), data on personal assets, customer data, and individual grades and academic evaluations.

The Philippines has a number of laws that protect confidentiality, including:
- Data Privacy Act of 2012 (DPA). This law regulates the processing of personal data by private and public entities. It requires organizations to obtain consent from individuals before collecting, using, or disclosing their personal data. It also imposes security measures to protect personal data from unauthorized access, use, or disclosure.
- Bank Secrecy Act of 1975. This law prohibits banks and other financial institutions from disclosing information about their customers' accounts, except in certain circumstances, such as when required by law or when there is a legitimate business reason to do so.
- Electronic Commerce Act of 2000. This law regulates electronic transactions, including the use of electronic signatures and the storage of electronic data. It requires organizations to take reasonable security measures to protect electronic data from unauthorized access, use, or disclosure.
- Cybercrime Prevention Act of 2012. This law prohibits a number of cybercrimes, including unauthorized access to a computer system, data theft, and cyberstalking. It also imposes penalties for the breach of confidentiality of personal data.
- Civil Code of the Philippines. This law provides for the protection of privacy and confidentiality. It states that "every person shall respect the dignity, personality, privacy and peace of mind of his neighbors and other persons." It also prohibits the disclosure of confidential information obtained by a person in the course of his or her employment or profession.

These are just some of the Philippine laws that protect confidentiality. By understanding these laws, organizations and individuals can help to protect their confidential information.

In addition to these laws, there are also a number of professional codes of ethics that impose obligations on individuals to protect confidentiality. For example, the Code of Ethics of the Philippine Medical Association states that "physicians shall respect the confidentiality of all information obtained in the course of their professional practice." By following the laws and ethical codes on confidentiality, organizations and individuals can help to protect their confidential information and prevent its unauthorized disclosure.

2. Integrity
Integrity means being whole, with no incomplete parts. The information must be accurate and complete. In other words, data integrity is the assurance that data is correct, complete, and consistent. It is important to maintain data integrity because it ensures that the data is reliable and can be used for decision-making.

Similarly, data and information integrity refer to the accuracy, reliability, and consistency of data over its entire lifecycle. It ensures that data remains unaltered, complete, and trustworthy from the point of creation or capture to the point of consumption or analysis. Maintaining information integrity is essential to ensure that data is not subject to unauthorized or accidental modifications, thereby preserving its value and credibility.

Some common threats to data integrity include:
- Human errors. Data entry errors are a common cause of data integrity problems.
- Software bugs/errors. Software bugs can cause data to be corrupted or lost.
- Hardware failures. Hardware failures, such as disk crashes, can also cause data loss.
- Natural disasters. Natural disasters, such as floods and fires, can also damage data.
- Cyberattacks. Cyberattacks can be used to steal or destroy data.

3. Availability
The information must be accessible to authorized individuals or entities when needed. Conversely, data must not be available when it is not needed or when users attempt to access it in unauthorized ways. Data availability is a critical aspect of information management, particularly in today's data-driven world, where timely access to accurate information is essential for decision-making, operations, and innovation.

Data availability is crucial in various sectors, including finance, e-commerce, healthcare, and public services, where delays or disruptions in accessing data can have serious consequences. Organizations invest in robust IT infrastructure, backup solutions, and disaster recovery plans to ensure that data remains available and usable, even in challenging circumstances.

4. Authenticity
The trait of being sincere, reliable, and trustworthy is referred to as authenticity. Authenticity in the context of data and information assures that the data accurately represents its source and origin and has not been tampered with or altered. Maintaining trust, making educated judgments, and avoiding fraud or false information all depend on the authenticity of the data. It is essential that the data be accurate and unaltered.

Ensuring authenticity is particularly important in fields like finance, healthcare, legal proceedings, and scientific research, where accurate and unaltered information is critical. Organizations implement various technical and procedural measures to maintain data authenticity and protect against unauthorized alterations or fraudulent activities.

Some ways to determine authenticity:
- Verification of source. Authentic data can be traced back to a reliable and credible source. Verifying the source helps establish the accuracy and legitimacy of the data.
- Requiring digital signatures. Digital signatures use cryptographic techniques to authenticate the sender of a message and ensure that the content has not been altered during transmission.
- Timestamps. Timestamping data records helps establish when the data was created, modified, or accessed, enhancing its credibility and authenticity.
- Utilizing authentication protocols. Implementing authentication protocols, such as multi-factor authentication, ensures that users are who they claim to be, preventing unauthorized access.
- Public Key Infrastructure (PKI). PKI involves the use of public and private keys to encrypt and sign data, ensuring its authenticity and confidentiality.
- Watermarking and seals. Watermarks, digital signatures, or seals can be added to documents or media to indicate their authenticity and origin.
- Declaration of chain of custody. In legal and forensic contexts, maintaining a clear chain of custody ensures the authenticity and admissibility of evidence.
- Having secure data transmission. Using encrypted channels for data transmission helps prevent data tampering during communication.
- Provision of audit trails. Keeping detailed records of data access, modifications, and interactions helps maintain the authenticity of data and allows for accountability.

5. Non-repudiation
The originator or sender of the information cannot deny having sent it. Systems must have built-in mechanisms to ensure that data interchanges and their corresponding metadata are recorded and are readily accessible to both sender and receiver. This is critical to business processes such as payment systems, where undeniable proof is required in the form of an invoice or receipt.

6. Dynamism
IA activities should not be static. The threats and vulnerabilities that information faces are constantly changing.
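The integrity, digital-signature, timestamp and audit-trail mechanisms listed under principles 2, 4 and 5 can be made concrete in a few lines of code. The following is an added example written for this page, not code from the course material; it uses only the Python standard library, and the account record, shared key, timestamps and log entries in it are constructed sample values. It shows three things: a plain SHA-256 checksum catches accidental corruption but not a deliberate change by someone who can simply recompute the hash; an HMAC computed with a secret key catches changes made by anyone who does not hold that key; and a timestamped audit trail in which every entry commits to the hash of the previous entry reports the first entry that was altered after the fact.

```python
"""Integrity and authenticity checks: checksum, HMAC, and a hash-chained audit trail.

Added example (not from the course material). Standard library only.
RECORD, SHARED_KEY, the timestamps and the log entries are constructed sample data.
"""
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed sample record, in the spirit of the ATM example under Dynamism.
RECORD = b'{"account": "0001", "balance": 2500.00}'
# Constructed secret; in practice it is known only to the parties that verify tags.
SHARED_KEY = b"example-shared-key-do-not-reuse"
GENESIS = "0" * 64   # previous-hash value for the first audit entry


def checksum(data: bytes) -> str:
    """SHA-256 digest of the data: detects accidental corruption."""
    return hashlib.sha256(data).hexdigest()


def checksum_ok(data: bytes, expected: str) -> bool:
    return hmac.compare_digest(checksum(data), expected)


def tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 over the data: detects modification by anyone who lacks the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def tag_ok(data: bytes, key: bytes, expected: str) -> bool:
    return hmac.compare_digest(tag(data, key), expected)


def demo_checksum_vs_hmac() -> dict:
    """Show what each mechanism catches and what it does not."""
    stored_sum = checksum(RECORD)
    stored_tag = tag(RECORD, SHARED_KEY)
    corrupted = RECORD.replace(b"2500", b"2590")            # one digit flipped in storage
    forged = b'{"account": "0001", "balance": 9999.00}'
    forged_sum = checksum(forged)                           # whoever edits can re-hash freely
    return {
        "checksum_catches_corruption": not checksum_ok(corrupted, stored_sum),   # True
        "checksum_catches_rehash": not checksum_ok(forged, forged_sum),          # False
        "hmac_catches_tamper": not tag_ok(forged, SHARED_KEY, stored_tag),       # True
    }


def append_entry(log: List[dict], actor: str, action: str, when: str) -> dict:
    """Append a timestamped entry that commits to the previous entry's hash."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    body = {"timestamp": when, "actor": actor, "action": action, "prev_hash": prev}
    payload = json.dumps(body, sort_keys=True).encode()
    body["entry_hash"] = tag(payload, SHARED_KEY)   # keyed: cannot be re-chained without the key
    log.append(body)
    return body


def verify_log(log: List[dict]) -> Optional[int]:
    """Return the index of the first broken entry, or None if the whole chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["prev_hash"] != prev:
            return i
        payload = json.dumps(body, sort_keys=True).encode()
        if not tag_ok(payload, SHARED_KEY, entry["entry_hash"]):
            return i
        prev = entry["entry_hash"]
    return None


def demo_audit_trail() -> tuple:
    """Build a three-entry trail, verify it, alter entry 1 after the fact, verify again."""
    log: List[dict] = []
    append_entry(log, "teller01", "withdraw 500", "2024-08-14T11:35:43+00:00")
    append_entry(log, "teller01", "deposit 200", "2024-08-14T11:36:10+00:00")
    append_entry(log, "auditor", "read balance", "2024-08-14T11:40:00+00:00")
    before = verify_log(log)                 # None: chain intact
    log[1]["action"] = "deposit 2000"        # after-the-fact alteration of entry 1
    return before, verify_log(log)           # (None, 1)


if __name__ == "__main__":
    print(demo_checksum_vs_hmac())
    print(demo_audit_trail())
```

Because the HMAC key is shared between the party that writes a record and the party that verifies it, either side could have produced the tag; an HMAC therefore gives integrity and origin authentication but not the non-repudiation of principle 5. Non-repudiation needs an asymmetric digital signature (a PKI private key that only the originator holds), which the standard library does not provide and which is not shown here.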
As a result, the IA controls that are implemented must also be constantly updated. Some systems process data in real time, which makes the most up-to-date version of the data available. For instance, ATMs need to reflect the most updated version of a client's bank account data to ensure that clients have the best options for ATM transactions.

7. Complexity and feasibility
IA approaches are not always easy to achieve. There is always a trade-off between security and usability. For example, making information more secure may make it more difficult to access. The converse also holds: easier access means greater security risk.

8. Mutual inclusivity
IA principles are not always mutually exclusive. For example, it is possible to have both confidentiality and availability of information, and information systems are usually required to be available in a highly secured manner. These principles are interrelated and must be balanced to achieve an appropriate level of IA. For example, increasing confidentiality may reduce availability, and vice versa.

IA is an ongoing process that requires constant monitoring and evaluation. As threats and vulnerabilities change, IA controls must be updated accordingly to ensure that they remain effective.

INFORMATION SECURITY
Information security is commonly defined as the process of preventing unauthorized individuals from accessing, using, disclosing, disrupting, altering, or destroying digital information and data. It includes a wide range of strategies, procedures, and tools aimed at protecting sensitive data and preserving its confidentiality, accuracy, and accessibility.

Some key aspects of information security include:

1. Confidentiality
Ensuring that data and/or information is only accessible to authorized, verified, identified, or properly certified individuals or entities. This involves measures such as access controls, encryption, and data classification.

2. Integrity
Integrity of data refers to the wholeness of the data as it was when generated: preventing unauthorized modifications or alterations of data. Data integrity measures include checksums, digital signatures, and version control.

3. Availability
Ensuring that data and systems are accessible and usable when needed; conversely, the same data set must be kept inaccessible when not needed. This involves practices like redundancy checks, disaster recovery planning, and network resilience.

4. Authentication
Verifying the identity of users, devices, or systems to prevent unauthorized access. Authentication mechanisms include passwords, usernames, CAPTCHA, certificates, badges, biometrics, and multi-factor authentication.

5. Authorization
Granting appropriate permissions and privileges to authorized users, limiting their access to only the data and resources they need. Authorization may come in several forms, such as permissions, privileges, roles, responsibilities, access control/revocation, audit, and accountability.

6. Data Protection
Implementing security measures to protect data at rest, in transit, and during processing. This includes encryption, data masking, and secure data disposal. Data protection may come in several forms, such as encryption, masking, back-ups, anonymization, secure data transmission, data loss prevention, data classification, data retention policies, and data regulations.

7. Network Security
Protecting networks from unauthorized access, cyberattacks, and malicious activities using firewalls, intrusion detection systems, and intrusion prevention systems. Network security may also come in other forms, such as network segmentation, VPNs, network access controls, network monitoring and logging, network hardening, network patch management, etc.

8. Endpoint Security
Securing individual devices like computers, smartphones, and IoT devices to prevent malware infections, data breaches, and unauthorized access. Endpoint security also involves other measures such as blacklisting/whitelisting, security updates, device controls, etc.

9. Security Awareness Training
Educating employees and users about security best practices, phishing awareness, and the importance of data protection.

10. Incident Response
When something untoward happens in the information systems, admins should already have in place ways to respond to or deal with it. Since information systems are subject to attacks, it should no longer be a surprise to admins when such incidents occur. This means developing plans and procedures to effectively respond to and mitigate security incidents, such as data breaches or cyberattacks.

11. Vulnerability Management
Identifying and patching vulnerabilities in software and systems to prevent exploitation by malicious actors. Penetration testing (pen test) is the most common means of identifying and dealing with vulnerabilities.

12. Security Policies and Compliance
Establishing security policies, standards, and guidelines to ensure that security measures align with industry regulations and best practices. Procedures are put in place to guide admins, staff, technicians, and users in the proper utilization of the systems.

13. Threat Detection and Prevention
Using tools like intrusion detection systems, antivirus software, and behavior analytics to identify and prevent security threats.

14. Security Audits and Assessments
Conducting regular audits and assessments to evaluate the effectiveness of security measures and identify areas for improvement.
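Items 5 (Authorization) and 6 (Data Protection) above describe least-privilege permissions and data masking, and item 14 describes periodic access reviews. The following added example, written for this page rather than taken from the course material, puts those three together in Python: a deny-by-default role-to-permission table, a check that consults it before any record is read, masking of sensitive fields for roles that do not need the full value, and a helper that lists a user's effective permissions for an audit. The roles, permission names and customer record are constructed for illustration.

```python
"""Least-privilege authorization: deny-by-default RBAC plus field masking.

Added example (not from the course material). ROLE_PERMISSIONS, the
sensitive-field list and CUSTOMER are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

Permission = Tuple[str, str]   # (resource, action)

# Each role gets only what its job needs (least privilege); anything absent is denied.
ROLE_PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "teller":  frozenset({("account", "read"), ("account", "deposit")}),
    "auditor": frozenset({("account", "read"), ("audit_log", "read")}),
    "admin":   frozenset({("account", "read"), ("account", "deposit"),
                          ("account", "withdraw"), ("audit_log", "read"),
                          ("user", "manage")}),
}

# Fields an ordinary role never needs in full; they are returned masked instead.
SENSITIVE_FIELDS = {"account_number", "national_id"}
ROLES_SEEING_FULL_VALUES = {"admin"}

# Constructed sample record.
CUSTOMER = {"name": "J. Dela Cruz", "account_number": "1234567890",
            "national_id": "PH-99887766", "balance": "2500.00"}


@dataclass
class User:
    name: str
    roles: List[str] = field(default_factory=list)


def is_authorized(user: User, resource: str, action: str) -> bool:
    """Deny by default: allowed only if one of the user's roles grants (resource, action)."""
    needed: Permission = (resource, action)
    return any(needed in ROLE_PERMISSIONS.get(role, frozenset()) for role in user.roles)


def mask(value: str, keep_last: int = 4) -> str:
    """Hide all but the last few characters: '1234567890' -> '******7890'."""
    if len(value) <= keep_last:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def read_record(user: User, record: dict) -> dict:
    """Return a copy of the record, masking sensitive fields unless the role needs them."""
    if not is_authorized(user, "account", "read"):
        raise PermissionError(f"{user.name} may not read account records")
    show_full = any(r in ROLES_SEEING_FULL_VALUES for r in user.roles)
    return {k: (v if show_full or k not in SENSITIVE_FIELDS else mask(v))
            for k, v in record.items()}


def effective_permissions(user: User) -> FrozenSet[Permission]:
    """Everything a user can actually do; the input to a periodic access review."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def _denied(user: User) -> bool:
    try:
        read_record(user, CUSTOMER)
    except PermissionError:
        return True
    return False


def demo() -> dict:
    teller = User("teller01", ["teller"])
    auditor = User("audit02", ["auditor"])
    intern = User("intern03", [])        # no role assigned: no access at all
    return {
        "teller_can_withdraw": is_authorized(teller, "account", "withdraw"),   # False
        "auditor_sees_log": is_authorized(auditor, "audit_log", "read"),      # True
        "teller_view": read_record(teller, CUSTOMER)["account_number"],        # '******7890'
        "intern_denied": _denied(intern),                                      # True
        "teller_perm_count": len(effective_permissions(teller)),               # 2
    }


if __name__ == "__main__":
    print(demo())
```

The permission check lives in one function that every read passes through, so a new role cannot accidentally see more than the table grants, and effective_permissions gives the audit in item 14 something concrete to review: a user whose listed permissions exceed the needs of their job is the finding.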
INFORMATION ASSURANCE VS. INFORMATION SECURITY
Although they have some similarities, information assurance and information security have certain differences, especially in terms of scope, purpose, approaches, goals, and objectives when it comes to safeguarding digital data. The following are some differences between the two:

1. Scope and Purpose
Information security primarily focuses on protecting the confidentiality, integrity, and availability of information from unauthorized access, breaches, and attacks, while information assurance encompasses a broader perspective that not only includes security but also emphasizes managing risks, ensuring compliance, maintaining data accuracy, and promoting overall trust in the information.

2. Approaches
Information security focuses on implementing technical measures such as firewalls, encryption, intrusion detection systems, and access controls to prevent unauthorized access and protect against cyber threats. Information assurance takes a holistic approach that combines technical, managerial, and operational measures to not only secure information but also ensure its accuracy, reliability, and proper utilization.

3. Goals
Information security is primarily concerned with preventing unauthorized access, mitigating vulnerabilities, and responding to security incidents. Information assurance aims to ensure the reliability, trustworthiness, and proper use of information through measures that go beyond security, including risk assessment, compliance with regulations, and disaster recovery.

4. Risk Management
Information security emphasizes mitigating risks related to security breaches and cyberattacks, while information assurance extends risk management to cover broader aspects, including data accuracy, regulatory compliance, operational continuity, and strategic planning.

5. Compliance and Governance
Information security involves adhering to security standards and best practices to safeguard data from breaches and unauthorized access. Information assurance incorporates regulatory compliance, legal requirements, and adherence to industry standards as part of a comprehensive strategy to ensure the proper use and handling of information.

6. Business Objectives Integration
Information security is often viewed as a technical function aimed at protecting information from threats. Information assurance aligns with business goals by ensuring that information supports decision-making, is accurate, and contributes to the organization's overall success.

In summary, while both information security and information assurance are concerned with protecting digital assets, information assurance takes a broader view that encompasses security as well as aspects like data accuracy, compliance, and risk management to foster a comprehensive and trustworthy information environment.

SUMMARY
Information assurance and security encompass the strategies, practices, and technologies designed to protect sensitive information from unauthorized access, disclosure, alteration, or destruction. These disciplines ensure the confidentiality, integrity, and availability of data, guarding against cyber threats, data breaches, and malicious activities. Information assurance involves managing risks, implementing controls, and adhering to compliance frameworks to safeguard digital assets. Security measures span various aspects, including network security, endpoint security, data protection, and user authentication. By maintaining information assurance and security, organizations ensure trust, mitigate risks, and foster a secure digital environment in an increasingly interconnected world.

Information assurance (IA) and information security (IS) are complementary disciplines that work together to protect information and information systems. IA focuses on ensuring the confidentiality, integrity, and availability of information, while IS focuses on preventing unauthorized access, use, disclosure, disruption, modification, or destruction of information. IA and IS are essential for organizations of all sizes, in all industries. In today's digital world, information is a valuable asset that can be used for competitive advantage. By protecting their information, organizations can reduce the risk of financial loss, reputational damage, and other negative consequences.

KEY TERMS
- information security
- information assurance
- information system
- network security
- authentication
- information assurance and security

POSTTEST
Directions: Encircle the letter corresponding to your answer.

1. What does information assurance primarily focus on?
a) Protecting hardware devices
b) Ensuring data availability
c) Preventing physical security breaches
d) Enhancing user experience

2. Which term refers to the accuracy and consistency of data over its lifecycle?
a) Data integrity
b) Data availability
c) Data confidentiality
d) Data authenticity

3. Which principle dictates that users should be granted the minimum level of access necessary to perform their tasks?
a) Access control
b) Least privilege
c) Data masking
d) Authentication

4. Encryption is used primarily for:
a) Preventing physical theft
b) Protecting data during transmission and storage
c) Enhancing user experience
d) Managing network traffic

5. What does a firewall primarily do?
a) Encrypt data at rest
b) Manage access controls for devices
c) Block unauthorized network traffic based on rules
d) Monitor employee activities

6. What does a VPN provide?
a) Physical security for devices
b) Secure remote access to a network
c) Protection against phishing attacks
d) Intrusion detection capabilities

7. What is the main purpose of an Intrusion Detection System (IDS)?
a) Encrypt data transmission
b) Prevent unauthorized access to devices
c) Block malware from entering the network
d) Detect and alert about potential security breaches

8. Which term refers to the practice of securing individual devices connected to a network?
a) Network security
b) Data protection
c) Endpoint security
d) Access control

9. What is the primary goal of data loss prevention (DLP) solutions?
a) Preventing unauthorized access to networks
b) Blocking malicious emails
c) Monitoring and controlling data transfers to prevent leakage
d) Encrypting data at rest

10. What principle involves incorporating privacy and security considerations into the design of systems and applications?
a) Principle of least privilege
b) Privacy by design
c) Role-based access control
d) Intrusion detection

REFERENCES
Andrews, J., Shelton, J., & West, J. (2019). CompTIA A+ Guide to IT Technical Support. Cengage Learning.
Ciampa, M. (2021). CompTIA Security+ Guide to Network Security Fundamentals. Cengage Learning.
West, J. (2021). CompTIA Network+ Guide to Networks. Cengage Learning.
Whitman, M. E., & Mattord, H. J. (2020). Management of Information Security. Cengage Learning.
Whitman, M. E., & Mattord, H. J. (2021). Principles of Information Security. Cengage Learning.
a) Physical security for devices b) Secure remote access to a network c) Protection against phishing attacks d) Intrusion detection capabilities 7. What is the main purpose of an Intrusion Detection System (IDS)? a) Encrypt data transmission b) Prevent unauthorized access to devices c) Block malware from entering the network d) Detect and alert about potential security breaches 8. Which term refers to the practice of securing individual devices connected to a network? a) Network security b) Data protection c) Endpoint security d) Access control 9. What is the primary goal of data loss prevention (DLP) solutions? a) Preventing unauthorized access to networks b) Blocking malicious emails c) Monitoring and controlling data transfers to prevent leakage d) Encrypting data at rest 10. What principle involves incorporating privacy and security considerations into the design of systems and applications? a) Principle of least privilege b) Privacy by design c) Role-based access control d) Intrusion detection PAMANTASAN NG CABUYAO |INFORMATION ASSURANCE AND SECURITY 17 REFERENCES Andrews, J., Shelton, J., & West, J. (2019). CompTIA A+ Guide to IT Technical Support. Cengage Learning. Ciampa, M. (2021). CompTIA security+ guide to network security fundamentals. Cengage Learning. West, J. (2021). CompTIA Network+ guide to networks. Cengage Learning. Whitman, M. E., & Mattord, H. J. (2020). Management of information security. Cengage Learning. Whitman, M. E., & Mattord, H. J. (2021). Principles of information security. Cengage learning.