Week 3

Recap of Information Security

  • Last week focused on the objectives of information security.

  • Emphasis on the lack of a canonical definition of information security.

  • Key takeaway: Protecting data and ensuring only desired actions occur with that data.

Information Security Standards and Frameworks

  • Many standards exist, defined by various international bodies (e.g., NIST, ISO).

  • Standards serve to bundle collective knowledge about potential security problems and solutions.

  • Frameworks aim to cover similar content but differ in structure and approach.

Categories of Information Security Standards

Technical Security Controls

  1. Asset Management

    • Management of devices holding sensitive data.

    • Key issues:

      • Loss of devices without tracking (e.g., laptops, USB keys).

      • Unauthorized devices connecting to the network.

      • Secure disposal of devices.

    • Solutions include:

      • Asset tracking systems, lifecycle management, and inventory controls.

  2. Physical and Environmental Security

    • Protecting physical assets from unauthorized access and environmental risks (e.g., fire, flooding).

    • Controls include:

      • Badge systems, guards at access points, fire detection, and fire suppression systems.

  3. Logical Access Control

    • Defining who has access to what data.

    • Components:

      • Authentication: verifying user identity.

      • Authorization: managing what authenticated users can do.

    • Key transitions include managing access for joiners, movers, and leavers.

  4. Communication Security

    • Monitoring and controlling network traffic.

    • Use of firewalls, VPNs, and secure traffic protocols.

  5. Cryptography

    • Securing communications through encryption and proper key management.

    • Importance of maintaining valid certificates and avoiding man-in-the-middle attacks.
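For item 3 (Logical Access Control) above, the following is an added illustration, not material from the lecture: a minimal model in which authentication (is the account live?) is checked before authorization (what do its roles allow?), with joiner, mover and leaver transitions and an audit that spots accounts left active after someone has gone. Role and permission names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed role -> permission mapping; names are assumptions for illustration.
ROLE_PERMISSIONS = {
    "finance": {"ledger:read", "ledger:write"},
    "support": {"tickets:read", "tickets:write"},
}


@dataclass
class Account:
    roles: set = field(default_factory=set)
    active: bool = True


class AccessControl:
    """Authentication (is the account live?) precedes authorization (role check)."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def joiner(self, user: str, role: str) -> None:
        # New starter: create the account with exactly the role the job needs.
        self.accounts[user] = Account(roles={role})

    def mover(self, user: str, new_role: str) -> None:
        # Internal move: replace roles rather than add, so old rights do not accumulate.
        self.accounts[user].roles = {new_role}

    def leaver(self, user: str) -> None:
        # Departure: disable the account and strip all roles in one step.
        acct = self.accounts[user]
        acct.active = False
        acct.roles.clear()

    def authenticate(self, user: str) -> bool:
        acct = self.accounts.get(user)
        return acct is not None and acct.active

    def authorize(self, user: str, permission: str) -> bool:
        if not self.authenticate(user):
            return False  # disabled or unknown accounts get nothing, whatever their roles
        granted = set().union(*(ROLE_PERMISSIONS[r] for r in self.accounts[user].roles))
        return permission in granted

    def audit(self, current_staff: set) -> list:
        # Detect leavers whose accounts were never disabled (orphaned access).
        return sorted(u for u, a in self.accounts.items()
                      if a.active and u not in current_staff)
```

Running the audit against an HR roster is the check that catches a leaver process that was skipped.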

Incident and Vulnerability Management

  1. Incident Management

    • Responding to security breaches: detection, containment, mitigation, and post-incident review.

  2. Vulnerability Management

    • Regularly updating software to fix vulnerabilities and address malware threats.

    • Includes patch management and keeping anti-malware protection up to date.

Software Development Security

  • Implementing secure coding practices and performing security tests (static and dynamic analysis).

  • Importance of incorporating security practices early in the software development lifecycle.

  • Peer reviews to identify vulnerabilities before deployment.

Human Resources Security

  • Ensuring individuals in sensitive roles are vetted and trained.

  • Addressing insider threats through employee monitoring and background checks.

Systems Acquisition and Business Continuity

  • Evaluating the security of third-party services and systems.

  • Ensuring business operations can continue during disruptions (e.g., natural disasters).

Information Security Management and Compliance

  • Assigning roles and responsibilities for security management.

  • Establishing policies that reflect desired security practices and measuring against those standards.

  • Compliance with legal and regulatory responsibilities regarding data protection.

Unique Areas within Information Security

  • Embedded Systems Security: Managing security for devices that are integral and not easily accessible post-deployment.

  • Cash and ATM Security: Addressing specific concerns related to physical cash transactions and device tampering.

  • Cloud Security: Maintaining data security as assets move to cloud environments, establishing access protocols.

  • Regulatory Frameworks: Distinguishing between prescriptive and principles-based regulations affecting security practices.

Conclusion

  • Overview of the various aspects of information security highlights the necessity of a structured approach.

  • Encouragement to relate specific security frameworks and principles to practical applications in diverse environments.
