Security Standard PPT - 1&2

The document outlines the various layers and principles of security necessary for protecting an organization, including physical, personal, operations, communications, network, and information security. It discusses the critical characteristics of information such as availability, accuracy, authenticity, confidentiality, integrity, utility, and possession, and emphasizes the importance of the CIA triad (Confidentiality, Integrity, Availability) in information security. Additionally, it addresses vulnerabilities, threats, and the need for a balanced approach to security and access in a globally connected digital environment.

Uploaded by Ahana Shah

Security Standards

Symbiosis International (Deemed University)


Security
• In general, security is “the quality or state of being secure--to be free from danger.” It means to be protected from adversaries--from those who would do harm, intentionally or otherwise.
What Is Security?
A successful organization should have the following multiple layers of security in place for the protection of its operations:
• Physical security - to protect the physical items, objects, or areas of an organization from unauthorized access and misuse.
• Personal security – to protect the individual or group of individuals who are authorized to access the organization and its operations.
• Operations security – to protect the details of a particular operation or series of activities.
• Communications security – to protect an organization’s communications media, technology, and content.
• Network security – to protect networking components, connections, and contents.
• Information Security – to protect information assets
History of Information Security
• 1960s: Organizations start to protect their computers
• 1970s: The first hacker attacks begin
• 1980s: Governments become proactive in the fight against cybercrime
• 1990s: Organized crime gets involved in hacking
• 2000s: Cybercrime comes to be treated as a crime
• 2010s: Information security becomes serious
Critical Characteristics of Information

• The value of information comes from the characteristics it possesses:
• Availability
• Accuracy
• Authenticity
• Confidentiality
• Integrity
• Utility
• Possession
Critical Characteristics of Information
The value of information comes from the characteristics it possesses.

Availability - enables users who need to access information to do so without interference or obstruction and in the required format. The information is said to be available to an authorized user when and where needed and in the correct format.

Accuracy - free from mistake or error and having the value that the end-user expects. If information contains a value different from the user’s expectations due to the intentional or unintentional modification of its content, it is no longer accurate.

Authenticity - the quality or state of being genuine or original, rather than a reproduction or fabrication. Information is authentic when it is the information that was originally created, placed, stored, or transferred.

Confidentiality - the quality or state of preventing disclosure or exposure to unauthorized individuals or systems.

Integrity - the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when the information is exposed to corruption, damage, destruction, or other disruption of its authentic state.

Utility - the quality or state of having value for some purpose or end. Information has value when it serves a particular purpose. This means that if information is available, but not in a format meaningful to the end-user, it is not useful.

Possession - the quality or state of having ownership or control of some object or item. Information is said to be in possession if one obtains it, independent of format or other characteristic. While a breach of confidentiality always results in a breach of possession, a breach of possession does not always result in a breach of confidentiality.
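Added example, not from the slides: a small Python model of the integrity and possession points above. An HMAC-SHA256 tag detects unauthorized modification, and a stored copy being taken is a loss of possession that becomes a loss of confidentiality only when the thief also holds the key. The SHA-256 counter keystream stands in for a real cipher and, like the asset and theft scenarios, is constructed for illustration only.

```python
import hashlib
import hmac
import os

# Constructed layout of a protected object: nonce || ciphertext || HMAC tag.
NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256; illustration only, not a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def protect(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt for confidentiality and tag for integrity."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_protected(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag no longer matches (integrity lost)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def tamper(blob: bytes) -> bytes:
    """Constructed unauthorized modification: flip one bit of the ciphertext."""
    i = NONCE_LEN
    return blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]


def assess_theft(key: bytes, blob: bytes, attacker_has_key: bool) -> dict:
    """Which characteristics does copying `blob` actually breach?"""
    # Any copy taken is a loss of possession (exclusive control of the object).
    possession_lost = True
    # Confidentiality is lost only if the copy can be read, which needs the key.
    confidentiality_lost = attacker_has_key and open_protected(key, blob) is not None
    return {"possession": possession_lost, "confidentiality": confidentiality_lost}
```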
Information Security

[Figure: information risk (threat, opportunity) versus information security]
What is Information Security?
• The protection of information and its critical elements, including
systems and hardware that use, store, and transmit that information
• Necessary tools: policy, awareness, training, education, technology
• The C.I.A. triangle was the standard, based on confidentiality, integrity, and availability
• The C.I.A. triangle has now been expanded into a list of critical characteristics of information
Fundamental principles of Information Security
CIA Triad:

1. Confidentiality - ensures information is inaccessible to unauthorized people
2. Integrity - ensures the data is accurate and trustworthy by preventing unauthorized modification
3. Availability - ensures authorized people can access the information when needed

[Figure: the C-I-A triangle]
What is Information Security?
• When Information Security experts are developing policies and procedures for an effective information security program, they use the CIA triad as a guide. The components of the CIA triad are:
• Confidentiality: ensures information is inaccessible to unauthorized people—most commonly enforced through encryption—which is available in many forms
• Integrity: protects information and systems from being modified by unauthorized people; ensures the data is accurate and trustworthy
• Availability: ensures authorized people can access the information when needed and that all hardware and software are maintained properly and updated when necessary

The CIA triad has become the de facto standard model for keeping your organization secure. The three fundamental principles help build a vigorous set of security controls to preserve and protect your data.
What is an Information System?
A set of interrelated elements or components that collect (input), manipulate and store (process), disseminate (output) data and information, and provide a feedback mechanism to meet an objective.

• Hardware
• Software
• Network
• People
• Information
Components of IS (Information Security)
Policies, Standards, and Practices
Key Information Security Concepts
• Access - a subject or object’s ability to use, manipulate, modify, or affect another subject or object.
• Asset - the organizational resource that is being protected.
• Attack - an act that is an intentional or unintentional attempt to cause damage or compromise to the information and/or the systems that support it.
• Control, Safeguard, or Countermeasure - security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.
• Exploit - to take advantage of weaknesses or vulnerability in a system.
• Exposure - a single instance of being open to damage.
• Hack - Good: to use computers or systems for enjoyment; Bad: to illegally gain access to a computer or system.
• Object - a passive entity in the information system that receives or contains information.
Key Information Security Concepts
• Risk - the probability that something can happen.
• Security Blueprint - the plan for the implementation of new security measures in the organization.
• Security Model - a collection of specific security rules that represents the implementation of a security policy.
• Security Posture or Security Profile - a general label for the combination of all policies, procedures, technologies, and programs that make up the total security effort currently in place.
• Subject - an active entity that interacts with an information system and causes information to move through the system for a specific end purpose.
• Threats - a category of objects, persons, or other entities that represents a potential danger to an asset.
• Threat Agent - a specific instance or component of a more general threat.
• Vulnerability - weaknesses or faults in a system or protection mechanism that expose information to attack or damage.
Balancing Information Security and Access

• Impossible to obtain perfect security—it is a process, not an absolute
• Security should be considered a balance between protection and availability
• To achieve balance, the level of security must allow reasonable access, yet protect against threats
Figure 1-6 – Balancing Security and Access
Importance of being Informed, Globally Connected
1. Knowing About Cyber Threats
2. Money and Keeping Safe Online
3. Understanding Different Ways to Stay Safe
4. Politics and How it Affects Cybersecurity
5. New Technology and Online Risks
7. Checking the Health of the Online World
8. Being a Good Internet User
9. Learning More About Cybersecurity
10. Getting Involved in Online Safety
In a world where digital connections and global links play a crucial role, not staying informed and globally aware can have significant consequences, impacting both individuals and societies in several ways.
• Limited Awareness of Emerging Threats
• Economic Disadvantages
• Cultural Insensitivity
• Political Unawareness
• Technological Stagnation
• Environmental Neglect
• Health and Safety Risks
• Digital Vulnerability
• Missed Educational Opportunities
• Reduced Civic Engagement

In essence, being uninformed and disconnected from global realities can result in missed opportunities, increased
vulnerabilities, and a limited ability to navigate the challenges of our interconnected world. To thrive in this
globalized era, it is essential for you to embrace information and foster connections that transcend geographical
boundaries.
What is Risk?
• An uncertain future event or condition which, if it happens, affects the mission objective.
• Positive and negative risks.
• Positive risks are called opportunities
• Negative risks are threats
• If there is a risk, we need to put a control in place

“A ship is safe in harbour, but that’s not what ships are for…”

[Figure: risk versus cost/price]
CLASSIFICATION OF SECURITY VULNERABILITIES
The main vulnerabilities are caused by the following factors:
• Shortcomings of software or hardware
• Different characteristics of the structure of automated systems in the information flow
• Some operational processes of the system are inadequate
• Inaccuracy of information exchange protocols and interface
• Difficult operating conditions and conditions in which the information is located.
Most often the sources of threats are triggered in order to obtain illegal benefits after damaging information. However, accidental effect of threats due to insufficient protection and mass attack of a threatening factor is also possible.
If you eliminate or at least mitigate the impact from vulnerabilities, you can avoid a significant threat meant to damage the storage system.

[Figure: Types of vulnerabilities - objective, subjective, random]
Random vulnerabilities

These factors vary depending on unforeseen circumstances and features of the information environment. They are almost impossible to predict in the information space, but you must be prepared to rapidly eliminate them.

Engineering and technical investigation or a response attack will help to mitigate the following problems:

1. System failures:
• Caused by malfunctions of technical means at different levels of processing and storage of information (including those responsible for system performance and access to it).
• Malfunctions and obsolete elements (demagnetization of data carriers, such as diskettes, cables, connection lines and microchips).
• Malfunctions of different software that supports all links in the chain of information storage and processing (antiviruses, application and service programs).
• Malfunctions of auxiliary equipment of information systems (power transmission failures).

2. Factors weakening information security:
• Damage to communications such as water supply, electricity, ventilation and sewerage.
• Malfunctions of enclosing devices (fences, walls in buildings, housing of the equipment where information is stored).
Objective vulnerabilities
They depend on the technical design of the equipment which is installed on the object requiring protection, as well as its characteristics. It is impossible to escape all these factors, but their partial elimination can be achieved through engineering techniques in the following cases:

1. Related to emission technical means:
• Electromagnetic techniques (side emission and signals from cable lines, elements of technical means).
• Sound versions (acoustic or with vibration signals).
• Electrical (slip of signals into the circuits of electrical network, through the induction into the lines and conductors, because of uneven current distribution).

2. Activated:
• Malware, illegal programs, technological exits from programs which are together called ‘implant tools’.
• Hardware implants: introduced directly into telephone lines, electrical networks or premises.

3. Due to the characteristics of a protected object:
• Object location (visibility and absence of a controlled zone around the information object, presence of vibration or sound reflecting elements around the object, presence of remote elements of the object).
• Arrangement of information exchange channels (use of radio channels, lease of frequencies or use of shared networks).

4. Those that depend on the characteristics of carriers:
• Parts with electro-acoustic modifications (transformers, telephone devices, microphones and loudspeakers, inductors).
• Elements under the influence of electromagnetic field (carriers, microcircuits and other elements).
Subjective vulnerabilities
In most cases, the vulnerabilities of this subtype result from inadequate employee actions at the level of storage and protection system development. Eliminating such factors is possible using hardware and software:

1. Inaccuracies and gross errors that violate information security:
• At the stage of loading the ready software or preliminary algorithm development, as well as during its use (possibly, during daily use or during data entry).
• When managing programs and information systems (difficulties in the training to work with the system, individual set up of services, manipulation of information flows).
• During the use of technical equipment (during switch-on or switch-off, the use of devices for transmitting or receiving information).

2. System malfunctions in the information environment:
• The mode of protection of personal data (the problem may be caused by laid-off employees or current employees during off-hours when they get unauthorized access to the system).
• Safety and security mode (when accessing facilities or technical devices).
• While working with devices (inefficient energy use or improper equipment maintenance).
• While working with data (change of information, its saving, search and destruction of data, elimination of defects and inaccuracies).
Threats to information security
Thank You