INFORMATION SECURITY AND AUDIT
SOLVED PRACTICE QUESTIONS

SECURITY POLICIES AND OBJECTIVES

Security Policies

Security policies are formalized rules and procedures designed to protect information systems from threats and ensure compliance with laws and regulations.

Security Objectives

Security objectives are specific goals that an organization aims to achieve to maintain a secure information system environment. Key security objectives include:

  1. Confidentiality:
    • Ensures that sensitive information is accessible only to authorized individuals.
    • Implements encryption, access controls, and data masking techniques to protect data.
  2. Integrity:
    • Maintains the accuracy and completeness of information and systems.
    • Uses checksums, hashes, and data validation methods to detect and prevent unauthorized modifications.
  3. Availability:
    • Ensures that information systems and data are available when needed.
    • Implements redundancy, disaster recovery planning, and regular backups to maintain system availability.
  4. Authentication:
    • Verifies the identity of users, devices, and systems before granting access.
    • Utilizes multi-factor authentication, biometric verification, and secure tokens.
  5. Authorization:
    • Defines and enforces what authenticated users are allowed to do within the system.
    • Implements role-based access control (RBAC) and attribute-based access control (ABAC).
  6. Non-repudiation:
    • Ensures that actions and transactions can be traced to their origin.
    • Uses digital signatures and audit logs to prevent denial of actions or transactions.

Network Security Policy

Network security policies outline strict guidelines on how an organization uses, manages, and protects its network-based assets.

Information Security Policy

An information security policy is a set of rules and guidelines on how to use, manage, and protect sensitive data.

Need for an Information Security Policy

  • Establish a general approach to information security
  • Document security measures and user access control policies
  • Detect and minimize the impact of compromised information assets, such as misuse of data, networks, mobile devices, computers and applications
  • Protect the reputation of the organization
  • Comply with legal and regulatory requirements and frameworks such as NIST, GDPR and HIPAA
  • Protect customers' data, such as credit card numbers
  • Provide effective mechanisms for responding to complaints and queries about real or perceived cyber security risks such as phishing, malware and ransomware

Example of Security Policy

Let X be a set of entities and let I be some information.

Then I has the property of confidentiality with respect to X if no member of X can obtain information about I.

I has the property of integrity with respect to X if all members of X trust I.

I has the property of availability with respect to X if all members of X can access I.

A security mechanism is an entity or procedure that enforces some part of the security policy.

Key Elements of Security Policy

  • Information security objectives
  • Purpose
  • Data classification
  • Security awareness training
  • Audience
  • Authority and access control policy
  • Data support and operations
  • Responsibilities and duties of employees