Sourav Singh
Contents:
- What is Information
- What is Information Security
- Information Security Vulnerability and Computer Crimes
- Protecting Information Systems
- Disaster Recovery Planning
- Auditing
Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.
The three elements of information security:
- PEOPLE
- PROCESSES
- TECHNOLOGY

People include: shareholders / owners, management, employees, business partners, service providers, contractors, customers / clients, regulators, etc.
Processes refer to "work practices" or workflow. Processes are the repeatable steps taken to accomplish business objectives. Typical processes in an IT infrastructure include:
- Helpdesk / service management
- Incident reporting and management
- Change request process
- Request fulfillment
- Access management
- Identity management
- Service level / third-party services management
- IT procurement process, etc.
Technology covers the following.

Network infrastructure:
- Cabling, data/voice networks and equipment
- Telecommunications services (PABX), including VoIP services, ISDN, video conferencing
- Server computers and associated storage devices
- Operating software for server computers
- Communications equipment and related hardware
- Intranet and Internet connections
- VPNs and virtual environments
- Remote access services
- Wireless connectivity

Application software:
- Finance and asset systems, including accounting packages, inventory management, HR systems, assessment and reporting systems
- Software as a Service (SaaS), instead of software as a packaged or custom-made product, etc.

Access devices:
- CCTV cameras
- Clock-in systems / biometrics
- Environmental management systems: humidity control, ventilation, air conditioning, fire control systems
- Electricity / power backup
- Desktop computers
- Laptops, ultra-mobile laptops and PDAs
- Thin client computing
- Digital cameras, printers, scanners, photocopiers, etc.
The three security goals:
- Confidentiality
- Integrity
- Availability

Why information security matters:
- Protects information from a range of threats
- Ensures business continuity
- Minimizes financial loss
- Optimizes return on investments
- Increases business opportunities
Risk: The possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.

Threat: Something that can potentially cause damage to the organization, its IT systems or its network.

Vulnerability: A weakness in the organization, its IT systems, or its network that can be exploited by a threat.
Computer crime, or cybercrime, refers to any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. Netcrime refers to criminal exploitation of the Internet.
Results: The outcome of the applied threat. The results normally lead to a loss of confidentiality, integrity or availability (CIA).

Threat sources: external hackers, internal hackers, terrorists.

Motivations: challenge, ego, game playing, deadlines, financial problems, disenchantment, revenge, political.

Threats: system hacking, social engineering, dumpster diving, backdoors, fraud, poor documentation, system attacks, letter bombs, viruses, denial of service, corruption of data, malicious code introduction, system bugs, unauthorized access.
Risk analysis leads to a risk treatment decision:
- Risk acceptance
- Risk limitation
- Risk transference

Controls are then put in place to implement the chosen treatment.
Disaster recovery is the chain of events linking planning to protection and to recovery. The purpose of a recovery plan is to keep the business running after a disaster occurs, a process called business continuity.

Disaster recovery planning is also oriented towards prevention. The idea is to minimize the chances of avoidable disasters such as arson or other human threats. For example, many companies use a device called an Uninterruptible Power Supply (UPS), which provides backup power in case of a power outage.
Information systems auditing is primarily an examination of the system controls within an IT architecture. It is the process of evaluating the suitability and validity of an organization's IT configurations, practices and operations. Information systems auditing has been developed to allow an enterprise to achieve its goals effectively and efficiently by assessing whether computer systems safeguard assets and maintain data integrity.

Internal auditor: Information systems auditing is usually a part of accounting internal auditing, and it is frequently performed by corporate internal auditors.

External auditor: An external auditor reviews the findings of the internal auditor as well as the inputs, processing, and outputs of information systems. It is part of the overall external audit performed by a Certified Public Accounting (CPA) firm.