
By: Vivek Gujral, Shruti Goyal, Shalu Welling, Tripti Pandey, Sahil Gupta, Radhika Sharma, Rohan Mehta, Sourav Singh

Contents:
- What is Information?
- What is Information Security?
- Information Security Vulnerability and Computer Crimes
- Protecting Information Systems
- Disaster Recovery Planning
- Auditing

Information is an asset which, like other important business assets, has value to an organization and consequently needs to be suitably protected.

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. Information security is concerned with the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms.

Information security has three components:
- PEOPLE
- PROCESSES
- TECHNOLOGY

People who use or interact with the information include:
- Shareholders / Owners
- Management
- Employees
- Business Partners
- Service Providers
- Contractors
- Customers / Clients
- Regulators, etc.

The processes refer to "work practices" or workflow. Processes are the repeatable steps taken to accomplish business objectives. Typical processes in our IT infrastructure could include:
- Helpdesk / Service management
- Incident reporting and management
- Change request process
- Request fulfillment
- Access management
- Identity management
- Service level / Third-party services management
- IT procurement process, etc.

Network Infrastructure:
- Cabling, data/voice networks and equipment
- Telecommunications services (PABX), including VoIP services, ISDN, video conferencing
- Server computers and associated storage devices
- Operating software for server computers
- Communications equipment and related hardware
- Intranet and Internet connections
- VPNs and virtual environments
- Remote access services
- Wireless connectivity

Application software:
- Finance and assets systems, including accounting packages, inventory management, HR systems, assessment and reporting systems
- Software as a Service (SaaS), instead of software as a packaged or custom-made product, etc.

Physical Security components:
- CCTV cameras
- Clock-in systems / Biometrics
- Environmental management systems: humidity control, ventilation, air conditioning, fire control systems
- Electricity / Power backup

Access devices:
- Desktop computers
- Laptops, ultra-mobile laptops and PDAs
- Thin client computing
- Digital cameras, printers, scanners, photocopiers, etc.

Confidentiality: Ensuring that information is accessible only to those authorized to have access.

Integrity: Safeguarding the accuracy and completeness of information and processing methods.

Availability: Ensuring that authorized users have access to information and associated assets when required.

Information security:
- Protects information from a range of threats
- Ensures business continuity
- Minimizes financial loss
- Optimizes return on investments
- Increases business opportunities

Risk: The possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.

Threat: Something that can potentially cause damage to the organization, IT systems or network.

Vulnerability: A weakness in the organization, IT systems, or network that can be exploited by a threat.

Computer crime, or cybercrime, refers to any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. Netcrime refers to criminal exploitation of the Internet.

A threat has three components:

Agent: The catalyst that performs the threat.
- Human
- Machine
- Nature

Motive: Something that causes the agent to act.
- Accidental
- Intentional
- The only agent whose motive can be both accidental and intentional is the human.

Results: The outcome of the applied threat. The results normally lead to the loss of CIA:
- Confidentiality
- Integrity
- Availability

Sources of threats, their motivation and the threats they pose:

Source: External hackers
  Motivation: Challenge, Ego, Game playing
  Threat: System hacking, Social engineering, Dumpster diving

Source: Internal hackers
  Motivation: Deadline, Financial problems, Disenchantment
  Threat: Backdoors, Fraud, Poor documentation

Source: Terrorists
  Motivation: Revenge, Political
  Threat: System attacks, Social engineering, Letter bombs, Viruses, Denial of service

Source: Poorly trained employees
  Motivation: Unintentional errors, Programming errors, Data entry errors
  Threat: Corruption of data, Malicious code introduction, System bugs, Unauthorized access

Risk Analysis:
- Risk acceptance
- Risk limitation
- Risk transference

Controls:

General controls:
- Physical control
- Access control
- Data security control
- Administrative control
- Firewalls
- Virus controls

Application controls:
- Input controls
- Processing controls
- Output controls

Disaster recovery is the chain of events linking planning to protection and to recovery. The purpose of a recovery plan is to keep the business running after a disaster occurs, a process called business continuity.

It is oriented towards prevention. The idea is to minimize the chances of avoidable disasters such as arson or other human threats. For example, many companies use a device called an Uninterruptible Power Supply (UPS), which provides backup power in case of a power outage.

Information System Auditing is primarily an examination of the system controls within an IT architecture. It is the process of evaluating the suitability and validity of an organization's IT configurations, practices and operations. Information System Auditing has been developed to allow an enterprise to achieve its goals effectively and efficiently by assessing whether computer systems safeguard assets and maintain data integrity.

Internal Auditor: Information Systems auditing is usually a part of accounting internal auditing, and it is frequently performed by corporate internal auditors.

External Auditor: An external auditor reviews the findings of the internal auditor as well as the inputs, processing, and outputs of information systems. It is part of the overall external audit performed by a Certified Public Accounting (CPA) firm.
