Fundamental of Information CHAPTER TWO.pptx

jamsibro140 9 views 28 slides Mar 02, 2025

About This Presentation

Here is chapter 2 material, use it.


Slide Content

CHAPTER TWO: Fundamentals of Information System Security (ISS)

1. Core Principles of Information Security

Confidentiality
Confidentiality ensures that sensitive information is accessed only by authorized individuals. It protects data from unauthorized disclosure.
Examples:
- Encryption: Using encryption algorithms like AES to encrypt sensitive files so that only authorized users with the decryption key can access the contents.
- Access Controls: Implementing role-based access control (RBAC) to limit access to financial records to only those in the finance department.

Integrity
Integrity ensures that data remains accurate and unaltered during storage and transmission. It helps maintain trust in data sources.
Examples:
- Hashing: Using SHA-256 to create a unique hash for a file. If the file is altered, the hash will change, indicating tampering.
- Digital Signatures: Utilizing digital signatures in emails to verify the sender's identity and confirm that the message has not been altered.
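An added example, not from the slides, of the hashing check described above: a baseline of SHA-256 digests is recorded for a set of files and later compared against the current contents. The two "files" and their contents are constructed inline to stand in for files on disk.

```python
import hashlib
import hmac

# Constructed sample "files" (name -> contents) standing in for real files on disk.
FILES = {
    "payroll.csv": b"employee,salary\nalice,5000\nbob,4800\n",
    "config.ini": b"[db]\nhost=db.internal\nport=5432\n",
}

def sha256_hex(data: bytes) -> str:
    """Return the SHA-256 digest of data as lowercase hex."""
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> dict:
    """Record a known-good hash for every file: the integrity baseline."""
    return {name: sha256_hex(data) for name, data in files.items()}

def verify(files: dict, manifest: dict) -> dict:
    """Compare current contents against the baseline.
    Returns one status per file: 'ok', 'modified', 'missing' or 'unexpected'."""
    report = {}
    for name, expected in manifest.items():
        if name not in files:
            report[name] = "missing"
            continue
        actual = sha256_hex(files[name])
        # compare_digest is constant-time, so the comparison itself leaks nothing
        report[name] = "ok" if hmac.compare_digest(actual, expected) else "modified"
    for name in files:
        if name not in manifest:
            report[name] = "unexpected"   # a file that was never baselined
    return report

def tamper(data: bytes, index: int) -> bytes:
    """Flip a single bit at the given offset; used only to show detection."""
    b = bytearray(data)
    b[index] ^= 0x01
    return bytes(b)

if __name__ == "__main__":
    manifest = build_manifest(FILES)
    print(verify(FILES, manifest))                 # every file 'ok'
    current = dict(FILES)
    current["payroll.csv"] = tamper(current["payroll.csv"], 30)
    print(verify(current, manifest))               # payroll.csv 'modified'
```

The baseline itself must be kept where whoever can alter the files cannot also rewrite it (or be signed), which is the role the digital signatures above play.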

Availability
Availability ensures that information and resources are accessible to authorized users when needed. It involves maintaining system uptime and functionality.
Examples:
- Redundancy: Setting up redundant servers in different geographic locations to ensure that services remain available even if one server fails.
- Regular Maintenance: Conducting routine system updates and backups to prevent downtime and data loss.

2. Risk Management

Risk management involves identifying, assessing, and mitigating risks to an organization's information systems. It is a proactive approach to minimizing vulnerabilities and threats.
Steps:
- Risk Assessment: Identifying assets (databases, applications), vulnerabilities (outdated software), and potential threats (cyberattacks).
  Example: Conducting a risk assessment to evaluate the likelihood of a data breach and the potential impact on the organization. Using security information and event management (SIEM) tools to monitor network traffic for suspicious activity.

- Risk Mitigation: Implementing controls to reduce risk levels.
  Example: Installing firewalls and intrusion detection systems to prevent unauthorized access.
- Continuous Monitoring: Regularly reviewing risk levels and the effectiveness of controls.

3. Access Control Mechanisms

Access control mechanisms restrict access to information and resources based on user identity and roles. They help prevent unauthorized access.
Types:
- Discretionary Access Control (DAC): The owner of the resource (such as a file or system) has the authority to determine who can access it. Permissions can be granted or revoked at the owner's discretion.
  Example: A project manager can share project files with team members but restrict access to others.

- Mandatory Access Control (MAC): MAC enforces access controls based on a system-wide policy determined by an administrator. Users cannot change access permissions; they can only access resources based on their assigned security levels.
  Example: In a military setting, classified documents may have different security levels (e.g., confidential, secret, top secret), and only users with the appropriate clearance can access them.

- Role-Based Access Control (RBAC): Access is assigned based on roles within the organization.
  Example: Employees in the HR department can access employee records, while others cannot.
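An added example, not from the slides, that models the three access control types above as small decision functions: an owner-managed ACL for DAC, clearance levels for MAC, and role-to-permission mappings for RBAC, with any request not explicitly allowed being denied. The users, resources, security levels and role permissions are constructed for the example.

```python
from dataclasses import dataclass, field

# MAC security levels, lowest to highest (constructed after the slides' military example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass
class Resource:
    name: str
    owner: str
    classification: str = "unclassified"
    acl: set = field(default_factory=set)   # DAC: users the owner has granted read access

@dataclass
class User:
    name: str
    clearance: str = "unclassified"
    roles: set = field(default_factory=set)

# RBAC: which roles may read which categories of resource (constructed).
ROLE_PERMISSIONS = {"hr": {"employee_records"}, "finance": {"financial_records"}}
RESOURCE_CATEGORY = {"salaries.xlsx": "employee_records", "ledger.csv": "financial_records"}

def dac_allows(user: User, resource: Resource) -> bool:
    """DAC: the owner always reads; others only if the owner put them on the ACL."""
    return user.name == resource.owner or user.name in resource.acl

def mac_allows(user: User, resource: Resource) -> bool:
    """MAC: read permitted only if clearance is at or above the classification (no read-up)."""
    return LEVELS[user.clearance] >= LEVELS[resource.classification]

def rbac_allows(user: User, resource: Resource) -> bool:
    """RBAC: one of the user's roles must carry permission for the resource's category."""
    category = RESOURCE_CATEGORY.get(resource.name)
    return any(category in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)

def grant(actor: User, resource: Resource, grantee: User) -> bool:
    """DAC: only the owner may extend access; returns True if the grant took effect."""
    if actor.name != resource.owner:
        return False
    resource.acl.add(grantee.name)
    return True

def can_read(user: User, resource: Resource, model: str) -> bool:
    """Deny unless the selected model explicitly allows (an unknown model also denies)."""
    checks = {"dac": dac_allows, "mac": mac_allows, "rbac": rbac_allows}
    check = checks.get(model)
    return bool(check and check(user, resource))
```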

4. Security Policies and Procedures

A security policy is a set of rules and procedures that outline how an organization manages and protects its information. It is a high-level policy that includes directives, regulations, practices, and rules. Security policies and procedures provide guidelines for acceptable use, data protection, and incident response. They are essential for ensuring compliance and establishing a security framework.

The different types of security policy:

1. Access Control Policy
Purpose: To define who can access information systems and how.
Key Points:
- User access is granted based on the principle of least privilege.
- All user accounts must have unique identifiers.
- Access reviews should be conducted on a timely basis.

2. Data Protection Policy
Purpose: To safeguard sensitive data from unauthorized access and breaches.
Key Points:
- Data encryption must be used for sensitive data in transit and at rest.
- Regular backups of critical data should be performed and tested.
- Retention schedules for data should be established and enforced.

3. Incident Response Policy
Purpose: To outline the procedures for responding to security incidents.
Key Points:
- Establish a response team responsible for managing security incidents.
- Define steps for identifying, containing, eradicating, and recovering from incidents.
- Conduct post-incident reviews to improve future responses.

4. Acceptable Use Policy
Purpose: To provide guidelines for acceptable behavior when using organizational resources.
Key Points:
- Employees must use company resources for legitimate business purposes only.
- Prohibitions on the use of unauthorized software and websites.
- Clear consequences for violations of the policy.

5. Password Policy
Purpose: To ensure the security of user passwords.
Key Points:
- Passwords must meet complexity requirements (length, symbols, etc.).
- Passwords should be changed every 90 days.
- Multi-factor authentication (MFA) should be implemented wherever possible.

6. Remote Access Policy
Purpose: To secure remote access to the organization's information systems.
Key Points:
- Only approved devices may connect to the network remotely.
- Use of VPNs is mandatory for remote access.
- Regular audits of remote access logs should be conducted.

7. Security Awareness Training Policy
Purpose: To educate employees about security risks and best practices.
Key Points:
- All employees must complete security awareness training annually.
- Training should cover topics such as phishing, social engineering, and data protection.
- Ongoing updates and refreshers should be provided as needed.

8. Change Management Policy
Purpose: To manage changes to information systems in a controlled manner.
Key Points:
- All changes must be documented and approved before implementation.
- Changes should be tested in a controlled environment before deployment.
- A rollback plan must be in place for critical changes.

9. Physical Security Policy
Purpose: To protect physical assets and facilities.
Key Points:
- Access to sensitive areas must be restricted to authorized personnel only.
- Surveillance systems should be in place to monitor critical areas.
- Procedures for visitor access should be established and enforced.

10. Mobile Device Management Policy
Purpose: To secure mobile devices that access organizational resources.
Key Points:
- All mobile devices must be enrolled in a mobile device management (MDM) system.
- Devices must be configured to require PINs or passwords.
- Lost or stolen devices must be reported immediately, and appropriate actions taken.

11. Encryption

Encryption is the process of converting information into a secure format that is unreadable without the correct decryption key. It protects data confidentiality.
Types:
- Symmetric Encryption: The same key is used for encryption and decryption.
  Example: AES (Advanced Encryption Standard) is commonly used for encrypting files and communications.

- Asymmetric Encryption: Uses a pair of keys (public and private).
  Example: RSA (Rivest-Shamir-Adleman) is used for secure data transmission, where the public key encrypts data and the private key decrypts it.

12. Security Awareness Training

This training educates employees about security risks and best practices to reduce human error, which is often a significant factor in security breaches.

13. Compliance and Legal Considerations

Organizations must adhere to various laws and regulations that govern data protection and privacy. Compliance is crucial for avoiding legal penalties and protecting the organization's reputation.
Examples:
- GDPR (General Data Protection Regulation): Affects organizations that handle the personal data of EU citizens, requiring strict data protection measures.
- HIPAA (Health Insurance Portability and Accountability Act): Governs the protection of sensitive patient health information in the U.S.
- PCI DSS (Payment Card Industry Data Security Standard): Regulates the security of credit card transactions.

14. Physical Security

Physical security measures protect physical assets and facilities from unauthorized access and damage, ensuring that information systems are safe from environmental threats and intrusions.
Components:
- Access Controls: Implementing key card systems to restrict entry to sensitive areas.
- Surveillance: Using CCTV cameras to monitor entry points and sensitive areas.
- Environmental Controls: Installing fire suppression systems and climate control to protect hardware from damage.

Principles of Information Systems Security

The core principles guiding IS Security include:
- Least Privilege: Users should have the minimum level of access necessary to perform their job functions.
- Separation of Duties: Dividing responsibilities among different individuals to reduce the risk of fraud or error.
- Fail-Safe Defaults: Systems should be configured to deny access by default, only allowing access when explicitly granted.
- Auditing and Monitoring: Continuous logging and monitoring of systems to detect and respond to security incidents.

Plan, Design, and Implement IS Security

The process of planning, designing, and implementing IS Security involves several steps:
- Assessment: Conducting a thorough risk assessment to identify vulnerabilities and threats to information assets.
- Strategic Planning: Developing a security strategy that aligns with organizational goals and risk tolerance.

- Designing Security Controls: Selecting appropriate technical and administrative controls based on the assessed risks.
- Implementation: Deploying security measures, training employees, and establishing security policies.
- Monitoring and Review: Continuously monitoring security systems and policies to ensure effectiveness and making adjustments as necessary.

END OF CHAPTER TWO