INFORMATION SECURITY AND PRIVACY
Presented By: Jason Rottler, Mengmeng Zhao, Vijak Pongtippun, Weiwei Huang, Ju Yang
Agenda
Introduction
IT Security Spending
IT Security Threats
Chief Information Security Officer (CISO)
Case Studies
Best Practices
What is IT Security
Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.
http://en.wikipedia.org/wiki/It_security
“In the case of information security, the goals of confidentiality, integrity, and availability (CIA) must be balanced against organizational priorities and the negative consequences of security breaches.”
http://proquest.umi.com/pqdweb?index=2&did=901411&SrchMode=1&sid=1&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257803955&clientId=45249
What is IT Security
NSTISSC Security Model (McCumber Cube)
Three dimensions:
1. Security goals: confidentiality, integrity, and availability (the CIA triangle)
2. Countermeasures: policy, education, and technology
3. Information states: storage, processing, and transmission
[Figure: the McCumber cube, a 3x3x3 grid whose axes are Policy / Education / Technology, Storage / Processing / Transmission, and Confidentiality / Integrity / Availability]
http://proquest.umi.com/pqdweb?index=0&did=1374511721&SrchMode=1&sid=1&Fmt=6&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257259579&clientId=45249
http://en.wikipedia.org/wiki/McCumber_cube
Why is IT Security important
“Security is, I would say, our top priority because for all the exciting things you will be able to do with computers - organizing your lives, staying in touch with people, being creative - if we don't solve these security problems, then people will hold back.” ---- Bill Gates
http://www.billgatesmicrosoft.com/
http://chinadigitaltimes.net/china/bill-gates/
Security Breach Example
Wireless Security and the TJX Data Breach
Why is IT Security important
IT security breaches happen every day
http://www.privacyrights.org/ar/ChronDataBreaches.htm#2009
Date (2009)   Name                        Number of records
19-Jan-09     Forcht Bank                 8,500
3-Feb-09      SRA International           Unknown
12-Mar-09     US Army                     1,600
16-Apr-09     Myspace                     Unknown
4-May-09      Virginia Health Data        Potentially 530,000
7-Jun-09      T-Mobile USA                Unknown
8-Jul-09      AT&T                        2,100
14-Aug-09     American Express            Unknown
2-Sep-09      Naval Hospital Pensacola    38,000
2-Oct-09      U.S. Military Veterans      76 Million
Why is IT Security important
IT security breaches may come from outsiders or from insiders. “As the network expands, including online, it will become harder to know whether market-moving information originated improperly through an insider’s breach or properly through gathering of information in other ways”
The Times, October 6, 2009: http://business.timesonline.co.uk/tol/business/industry_sectors/technology/article6861965.ece
http://proquest.umi.com/pqdweb?index=0&did=1886259131&SrchMode=1&sid=5&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257262182&clientId=45249
Why is IT Security important
Consequences of poor security in an organization:
Unreliable systems
Unauthorized access by employees
Reduced employee productivity
Financial embezzlement and lost revenue
Theft of customer records
http://www.alliedacademies.org/Public/Proceedings/Proceedings21/AIMS%20Proceedings.pdf
Reno, NV, “Academy of Information and Management Sciences” Vol. 11 No. 2 (October 2007) p. 51-53
Why is IT Security important
Losses from IT Security Breaches
In 2008, losses resulting from IT security breaches averaged $289,000 per responding organization.
2008 CSI Computer Crime & Security Survey, Robert Richardson, GoCSI.com
IT Security Spending
31% of companies spent more than 5% of their overall IT budget on information security in 2008.
2008 CSI Computer Crime & Security Survey, Robert Richardson, GoCSI.com
IT Security Spending
IT Budget vs. Information Security Budget
The projected percentage cut in overall IT spending for 2009 is greater than the projected percentage cut in security spending.
http://metrosite.files.wordpress.com/2008/06/information_security_spending_survey_2009.pdf
IT Security Spending
IT Security Spend in the U.S. 2006
[Chart: security spend by sector. Sectors shown: Business services, Financial services, Government sectors, Education, Health Care, Primary Industries. Values shown: 10.8B, 10.4B, 9.9B, 3.6B, 3.2B, 2.5B]
IT departments in U.S. enterprises spent US$61 billion on security in 2006, representing 7.3% of total IT spending in the U.S.
http://proquest.umi.com/pqdweb?index=4&did=1162465461&SrchMode=1&sid=4&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257727916&clientId=45249#indexing
IT Security Spending
"IT security has become a higher priority over the last few years, with a greater proportion of the overall IT budget being spent on security equipment and services."
------ Ed Daugavietis
http://proquest.umi.com/pqdweb?index=4&did=1162465461&SrchMode=1&sid=4&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257727916&clientId=45249#indexing
Top 9 Network Security Threats
1. Malicious Insiders – Rising Threat
2. Malware – Steady Threat
3. Exploited Vulnerabilities – Weakening Threat
4. Social Engineering – Rising Threat
5. Careless Employees – Rising Threat
6. Reduced Budgets – Rising Threat
7. Remote Workers – Steady Threat
8. Unstable Third Party Providers – Strong Rising Threat
9. Downloaded Software, Including Open Source & P2P Files – Steady Threat
CSOonline.com is a website that provides news, analysis and research on a broad range of security and risk management topics. Areas of focus include information security, physical security, business continuity, identity and access management, loss prevention and more.
http://www.csoonline.com/article/print/472866
Top 9 Network Security Threats (grouped by trend)
Strong Rising Threat: Unstable Providers
Rising Threat: Malicious Insiders; Social Engineering; Careless Employees; Reduced Budgets
Steady Threat: Malware; Remote Workers; Downloaded Software
Weakening Threat: Exploited Vulnerabilities
Type of IT Security Threats
Malware
Malware (malicious software) is a generic term for programs that try to secretly install themselves on your computer.
Top 10 malware-hosting countries in 2008:
US 37.0%; China (inc. HK) 27.7%; Russia 9.1%; Germany 2.3%; South Korea 2.1%; Ukraine 1.8%; UK 1.7%; Turkey 1.5%; Czech Republic 1.3%; Thailand 1.2%; Other 14.3%
http://www.msun.edu/its/security/threats.htm
http://www.sophos.com/sophos/.../sophos-security-threat-report-jan-2009-na.pdf
Type of IT Security Threats
Types of Malware: viruses, worms, Trojan horses, spyware, adware
Damage
Some viruses delete files or reformat the hard disk. Worms consume bandwidth and can cause degraded network performance. Spyware can collect various types of personal information, such as credit card numbers or usernames and passwords.
http://www.symantec-norton.com/11-most-common-computer-security-threats_k13.aspx
http://proquest.umi.com/pqdweb?index=0&did=1783184381&SrchMode=1&sid=5&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257726601&clientId=45249
Type of IT Security Threats
Social Engineering
Social engineering is the art of persuading people to divulge information such as usernames and passwords.
Identity theft: stealing and selling identity information.
Phishing: luring the victim to a fake web page that captures their details.
Damage
Criminals can use a person’s details to make transactions or create fake accounts in the victim’s name.
http://www.symantec-norton.com/11-most-common-computer-security-threats_k13.aspx
Type of IT Security Threats
SPAM
Spam is electronic junk e-mail. E-mail addresses are harvested from chat rooms, websites and newsgroups.
Damage
Spam can clog a personal mailbox, overload mail servers and degrade network performance.
http://www.symantec-norton.com/11-most-common-computer-security-threats_k13.aspx
Type of IT Security Threats
Denial of Service Attack (DoS Attack)
A DoS attack is an attempt to make a computer resource, such as a website or web service, unavailable to its users.
Damage
DoS attacks typically target large businesses or government institutions. They can make a website or web service unavailable for minutes, hours or days, with ramifications for sales and customer service.
Criminals frequently use botnets (networks of compromised machines) to launch DoS attacks.
http://www.symantec-norton.com/11-most-common-computer-security-threats_k13.aspx
Prevention of IT Threats
Malware: use antivirus and anti-spyware software; keep current with the latest security updates and patches; be wary of opening unexpected e-mails.
Social Engineering: never disclose personal information to an unverified requester; use strong passwords; never e-mail personal or financial information; check your statements often.
http://www.symantec-norton.com/11-most-common-computer-security-threats_k13.aspx
Prevention of IT Threats
SPAM: use spam filters; use a form of e-mail authentication; follow reasonable mailing practices and send only relevant e-mail; make sure your e-mails render correctly in multiple e-mail clients (so that legitimate mail is not flagged as spam).
DoS Attack: plan ahead; use firewalls to allow or deny protocols, ports or IP addresses; use routers and switches to filter traffic.
http://www.symantec-norton.com/11-most-common-computer-security-threats_k13.aspx
http://proquest.umi.com/pqdweb?index=0&did=1876359931&SrchMode=1&sid=13&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257728149&clientId=45249&cfc=1
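"Use a form of e-mail authentication" is the one item on the spam slide that is a mechanism rather than advice, so here is a worked example of it. It is an added illustration, not material from the slides or from the cited Symantec article: a minimal SPF (Sender Policy Framework) evaluator that checks whether the IP address delivering a message is authorized by the sender domain's published policy. The DNS records are constructed for made-up domains and embedded inline so the example runs offline; a real mail server would resolve the TXT records from DNS. Only the ip4, ip6, include and all mechanisms are implemented, which is enough to show how a receiving server reaches an accept/reject decision; the a, mx, ptr and exists mechanisms and modifiers such as redirect= are reported as a permanent error rather than handled.

```python
import ipaddress

# Constructed TXT records for made-up domains (not real DNS data), keyed by domain.
FAKE_DNS_TXT = {
    "example.com": [
        "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    ],
    "mail.example.net": ["v=spf1 ip4:198.51.100.10 ~all"],
    "nospf.example": ["some unrelated txt record"],
}

# SPF qualifier prefix -> result when the mechanism it qualifies matches.
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's single SPF record, or None if it has none (or several)."""
    records = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the SPF record of `domain` against the connecting `sender_ip`.

    Handles the ip4, ip6, include and all mechanisms with all four qualifiers.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > 10:                      # RFC 7208 caps recursive lookups; stop include loops
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"                   # the domain publishes no policy
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism in ("ip4", "ip6"):
            try:
                # An IPv4 sender is never inside an IPv6 network and vice versa.
                matched = ip in ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"      # malformed address or prefix in the record
        elif mechanism == "include":
            matched = check_spf(sender_ip, argument, dns, depth + 1) == "pass"
        elif mechanism == "all":
            matched = True
        else:
            return "permerror"          # a, mx, ptr, exists and modifiers: not handled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"                    # nothing matched and the record has no "all" term


def receive_decision(sender_ip, mail_from_domain):
    """Map an SPF result to a mail-server action (policy choice, not part of the RFC)."""
    result = check_spf(sender_ip, mail_from_domain)
    if result == "fail":
        return ("reject", result)       # the domain says this host may not send for it
    if result in ("softfail", "permerror"):
        return ("quarantine", result)   # suspicious or unevaluable: hold for review
    return ("accept", result)           # pass, neutral and none are delivered


if __name__ == "__main__":
    for ip, dom in [("192.0.2.7", "example.com"), ("203.0.113.5", "example.com")]:
        print(ip, dom, receive_decision(ip, dom))
```

The example shows the limit of SPF as well as its use: a domain with no record yields "none" and the mail is delivered anyway, and a "~all" softfail only earns quarantine, so a spam filter still has to sit behind the authentication check.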
Chief Security Officer (CSO)
The executive responsible for the organization's entire security posture, both physical and digital.
The title Chief Security Officer (CSO) was first used principally inside the information technology function to designate the person responsible for IT security.
http://www.csoonline.com/article/221739/What_is_a_Chief_Security_Officer_?page=1, viewed October 10, 2009
Chief Information Security Officer (CISO)
A more accurate description of a job that focuses on information security within an organization; today the CISO title is becoming more prevalent for leaders with an exclusive information security focus.
http://www.csoonline.com/article/221739/What_is_a_Chief_Security_Officer_?page=1, viewed October 10, 2009
Roles & Responsibilities of a CISO
Communications and Relationships
Risk and Control Assessment
Threat and Vulnerability Management
Identity and Access Management
http://en.wikipedia.org/wiki/Chief_information_security_officer, viewed October 10, 2009
CISO: Skills Required for Success
Literature Review
1. CISOs should think of themselves first as business professionals and second as security specialists.
2. Partake in continuing security education
3. Soft skills
4. Management
5. Problem solving
6. Understanding of security threats and risks
Dwayne Whitten (2008), “The Chief Information Security Officer: An analysis of the skills required for success”, Journal of Computer Information Systems, pp. 15-18
CISO: Skills Required for Success
Interviews with Eight Executives
1. The executives were basically in agreement that the skills which emerged from the analysis were important.
2. They suggested the addition of two items: disaster recovery planning; security breach investigation.
The interviews were conducted over a two-month period between December 2005 and January 2006.
Dwayne Whitten (2008), “The Chief Information Security Officer: An analysis of the skills required for success”, Journal of Computer Information Systems, pp. 15-18
CISO: Skills Required for Success
Frequency of Duties on Job Listings
Duty                              % of listings that include it
Oversee IT security policy        70%
Management                        58%
IT security education             42%
Maintain currency                 39%
Vendor relations                  36%
Disaster recovery planning        27%
Security breach investigations    27%
A review of 33 recent CISO job listings posted at Chief Security Officer magazine (http://www.CSOonline.com)
Dwayne Whitten (2008), “The Chief Information Security Officer: An analysis of the skills required for success”, Journal of Computer Information Systems, pp. 15-18
CISO: Skills Required for Success
Frequency of Background Experience on Job Listings
Background experience             % of listings that include it
IT security skills                76%
Communication skills              61%
System experience                 61%
Leadership skills                 39%
Investigative experience          27%
A review of 33 recent CISO job listings posted at Chief Security Officer magazine (http://www.CSOonline.com)
Dwayne Whitten (2008), “The Chief Information Security Officer: An analysis of the skills required for success”, Journal of Computer Information Systems, pp. 15-18
CISO: Skills Required for Success
Matching the literature review and CISO interviews against the job listings ((D) = duty, (B/E) = background/experience)
Literature review / interviews      Job listing match
Management skills                   Management (D); Leadership skills (B/E); Maintain currency (D)
IT security education               IT security education (D); Maintain currency (D)
Soft skills                         Communication skills (B/E)
IT security                         Oversee IT security policy (D); IT security skills (B/E)
Problem solving                     No match
Business strategy                   No match
Disaster recovery planning          Disaster recovery planning (D)
Security breach investigations      Security breach investigations (D); Investigation experience (B/E)
Job listing items with no match in the literature or interviews: System experience (B/E); Vendor relations (D)
CISO: Skills Required for Success
Conclusion
Business strategy was given a high level of importance by the literature and by the executives, but it did not appear in the job listing survey.
Many of the organizations searching for new CISOs during the research period did not fully understand the importance of including the CISO in business strategy formulation.
Organizations currently employing a CISO should consider the duties and responsibilities included in these results as perfunctory in their position requirements.
Dwayne Whitten (2008), “The Chief Information Security Officer: An analysis of the skills required for success”, Journal of Computer Information Systems, pp. 15-18
Case Studies
IT & Security Compliance Manager of: a Mining Company (St. Louis)
Chief Information Security Officer (CISO) of: Compal Communication, Inc. (CCI)
Part 1: Overview (Mining Company in St. Louis; Compal Communication, Inc. (CCI))
Mining Company
• Size: 4,600 employees
• Revenues: $2.9 billion; $350 million in profits
• Background: 2nd largest in their industry; ships product to 35 states and 20+ countries worldwide
IT Security and Compliance Manager of a Mining Company in St Louis, interviewed in person by Jason Rottler, Oct 14, 2009
Compal Communication, Inc. (CCI)
• Background: manufactures and trades wireless handsets and other telecommunication equipment
• Size: 4,000 employees
• Revenues: $3.25 billion; $380 million in profit
http://www.compalcomm.com/
Mr. Qin, CISO of Compal Communication, Inc., interviewed by phone by Mengmeng Zhao, Oct 29, 2009
Part 2: Reporting Structures (Mining Company in St. Louis; Compal Communication, Inc. (CCI))
Mining Company (reporting structure)
Sr. VP Strategic Development
VP & CIO
Mgr. IT Security & Compliance (reports to the VP & CIO)
IS Support Administrator
IT Security and Compliance Manager of a Mining Company in St Louis, interviewed in person by Jason Rottler, Oct 14, 2009
Compal Communication, Inc. (CCI) (reporting structure)
CEO
CIO
CISO (reports to the CIO)
Mr. Qin, CISO of Compal Communication, Inc., interviewed by phone by Mengmeng Zhao, Oct 29, 2009
Part 3: The Role of the CISO (Mining Company in St. Louis; Compal Communication, Inc. (CCI))
Manager, IT Security and Compliance
• In current position for 4 years; in charge of security for the past 2
• Responsibilities: overseeing the IS departments of Security, Change Management, Business Continuity, and Compliance
IT Security and Compliance Manager of a Mining Company in St Louis, interviewed in person by Jason Rottler, Oct 14, 2009
Chief Information Security Officer
• In current position for 2 years; in charge of security for the past 4
• Responsibilities: develop and structure information security policies; change management; help with integrating security skills
Mr. Qin, CISO of Compal Communication, Inc., interviewed by phone by Mengmeng Zhao, Oct 29, 2009
Part 4: Threats & Risks (Mining Company in St. Louis; Compal Communication, Inc. (CCI))
Threat Examples and Mitigation
Risk: Mitigation practice
Improper access to data: Automated access form routed to the requestor’s supervisor for approval; quarterly review of user access by the administrator.
Un-patched software: Weekly vulnerability scans of IS assets, with results reported to the administrators.
Improper physical access: Data center access limited to those who need it; entry points and data centers have surveillance.
Use of social engineering to gain access: End-user security training.
IT Security and Compliance Manager of a Mining Company in St Louis, interviewed in person by Jason Rottler, Oct 14, 2009
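The quarterly user-access review that the mining company pairs with its supervisor-approved access form is a reconciliation job: compare what each account actually holds against what its role entitles it to, and hand the administrator a revocation list. The following is an added example of that reconciliation, not code from the interviewed company. The role model and directory export are constructed for a made-up company; in practice the export would come from the directory service and the role-to-group mapping from the organization's own entitlement catalog. It also flags the two cases such reviews exist to catch besides privilege creep: accounts of leavers that still carry access, and accounts nobody has used in a quarter.

```python
from datetime import date, timedelta

# Constructed role model for a made-up company: role -> groups the role may hold.
ROLE_ENTITLEMENTS = {
    "engineer": {"vpn-users", "git-dev", "jira-users"},
    "finance":  {"vpn-users", "erp-ap", "erp-reports"},
    "dba":      {"vpn-users", "db-admin", "git-dev"},
}

# Constructed directory export (no real accounts). "active" is the HR status.
DIRECTORY_EXPORT = [
    {"user": "alice", "role": "engineer", "active": True,
     "groups": {"vpn-users", "git-dev", "jira-users"}, "last_login": date(2009, 10, 1)},
    {"user": "bob", "role": "finance", "active": True,
     "groups": {"vpn-users", "erp-ap", "erp-reports", "db-admin"}, "last_login": date(2009, 9, 28)},
    {"user": "carol", "role": "dba", "active": True,
     "groups": {"vpn-users", "db-admin"}, "last_login": date(2009, 5, 2)},
    {"user": "dave", "role": "engineer", "active": False,
     "groups": {"vpn-users", "git-dev"}, "last_login": date(2009, 8, 1)},
]


def review_access(directory, entitlements, as_of, dormant_days=90):
    """Compare each account's real group membership with its role entitlement.

    Returns sorted (user, finding, details) tuples:
      excess_privilege        groups held beyond the role model (least-privilege violation)
      terminated_with_access  HR says the person left but the account still holds groups
      dormant_account         no login for more than `dormant_days` before `as_of`
    """
    findings = []
    for acct in directory:
        held = acct["groups"]
        if not acct["active"]:
            if held:                      # leaver still holding access: revoke everything
                findings.append((acct["user"], "terminated_with_access", sorted(held)))
            continue
        excess = held - entitlements.get(acct["role"], set())   # unknown role entitles nothing
        if excess:
            findings.append((acct["user"], "excess_privilege", sorted(excess)))
        if (as_of - acct["last_login"]).days > dormant_days:
            findings.append((acct["user"], "dormant_account", [acct["last_login"].isoformat()]))
    return sorted(findings)


def revocation_plan(findings):
    """Turn findings into the concrete group removals to hand to the administrator."""
    plan = {}
    for user, finding, details in findings:
        if finding in ("excess_privilege", "terminated_with_access"):
            plan.setdefault(user, set()).update(details)
    return {user: sorted(groups) for user, groups in plan.items()}


def quarterly_review(as_of_iso="2009-10-14", dormant_days=90):
    """Run the review over the constructed export as of the given ISO date."""
    return review_access(DIRECTORY_EXPORT, ROLE_ENTITLEMENTS,
                         date.fromisoformat(as_of_iso), dormant_days)


if __name__ == "__main__":
    findings = quarterly_review()
    for user, finding, details in findings:
        print(f"{user:8} {finding:24} {', '.join(details)}")
    print("revoke:", revocation_plan(findings))
```

Dormant accounts are reported but not put on the revocation list: whether to disable them or first confirm with the owner is a decision the review procedure should state, which is the kind of documented standard the same company lists under its future plans.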
Security Issues and Threats
Issues and/or threats:
System reliability
SQL injection
Unauthorized access by employees
Mr. Qin, CISO of Compal Communication, Inc., interviewed by phone by Mengmeng Zhao, Oct 29, 2009
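SQL injection is the one item on this list that is a specific software defect rather than an organizational risk, so it is worth seeing the defect next to its fix. The example below is added here and is not code from CCI or from the interview. It uses an in-memory SQLite table constructed for the example (the password_hash column holds placeholder strings, not real hashes) and shows the same login lookup written twice: once by pasting user input into the SQL text, which lets an attacker who knows a username comment out the password check, and once with a parameterised query, where the driver passes the values separately and the same input is just a username that does not exist.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table; hash values are placeholders, not real hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-alice", "admin"),
        ("bob", "hash-bob", "engineer"),
    ])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the statement with string formatting: attacker input becomes SQL syntax."""
    query = ("SELECT username, role FROM users "
             "WHERE username = '%s' AND password_hash = '%s'" % (username, password_hash))
    return conn.execute(query).fetchone()


def login_safe(conn, username, password_hash):
    """Parameterised statement: values travel separately from the SQL text,
    so quote characters in the input never change the query's structure."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password_hash = ?",
        (username, password_hash),
    ).fetchone()


def demo():
    """Run one legitimate login and two classic injection payloads through both versions."""
    conn = make_db()
    # Closing quote plus "--" turns the rest of the statement into a comment, so the
    # vulnerable query becomes: ... WHERE username = 'alice' --' AND password_hash = '...'
    comment_out = "alice' --"
    # Tautology: ... WHERE username = '' OR '1'='1' AND password_hash = '' OR '1'='1'
    # is always true and returns the first row, whatever it is.
    tautology = "' OR '1'='1"
    return {
        "legit": login_safe(conn, "alice", "hash-alice"),
        "vulnerable_comment": login_vulnerable(conn, comment_out, "not-a-real-hash"),
        "safe_comment": login_safe(conn, comment_out, "not-a-real-hash"),
        "vulnerable_tautology": login_vulnerable(conn, tautology, tautology),
        "safe_tautology": login_safe(conn, tautology, tautology),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:22} -> {row}")
```

The attacker never needed a password in the vulnerable path; the result row carries the "admin" role, which is how a SQL injection against a login form turns into the "unauthorized access" item on the same slide.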
Part 5: IT Security Policies (Mining Company in St. Louis; Compal Communication, Inc. (CCI))
IT Security Policies
• Samples of policies in place: Information Security Policy; Risk Assessment; ID and Password Access Account; Third Party Access; Information Security Incident Management; Data Access; Data Sharing; Mobile Device; Encryption
IT Security and Compliance Manager of a Mining Company in St Louis, interviewed in person by Jason Rottler, Oct 14, 2009
IT Security Policies
• Samples of policies in place: no visitors allowed in the Information Security Department; flash drives are readable only, not writable; emergency services; access control system; monitoring from the Security Operations Center
Mr. Qin, CISO of Compal Communication, Inc., interviewed by phone by Mengmeng Zhao, Oct 29, 2009
Part 6: Lessons Learned (Mining Company in St. Louis; Compal Communication, Inc. (CCI))
Lessons Learned
• “No silver bullets to security nirvana”
• Security evolves as risk evolves
• Use a layered approach
IT Security and Compliance Manager of a Mining Company in St Louis, interviewed in person by Jason Rottler, Oct 14, 2009
Lessons Learned
• Importance of security education for EACH user
• Employees must understand risks
• Provide company-wide security training: 50+ slides going through the 3 tenets of security (the CIA model)
IT Security and Compliance Manager of a Mining Company in St Louis, interviewed in person by Jason Rottler, Oct 14, 2009
Lessons Learned
• Keep in line with international information security practice (ISO 27001 certificate, 2008)
• Integrate security needs with business objectives
• Make appropriate adjustments according to business strategy changes
Mr. Qin, CISO of Compal Communication, Inc., interviewed by phone by Mengmeng Zhao, Oct 29, 2009
Part 7: Plans for the Future (Mining Company in St. Louis; Compal Communication, Inc. (CCI))
Plans for the Future
• Integrate different “specialties” into an overall Governance, Risk, and Compliance (GRC) model
IT Security and Compliance Manager of a Mining Company in St Louis, interviewed in person by Jason Rottler, Oct 14, 2009
Plans for the Future
• Review security at each location for operational equipment
• Document standards and procedures related to IT policies (example: what to do if you need a user ID)
IT Security and Compliance Manager of a Mining Company in St Louis, interviewed in person by Jason Rottler, Oct 14, 2009
Plans for the Future
• Information security program for business processes that is “tailor-made” for the company
• Employee internet management
Mr. Qin, CISO of Compal Communication, Inc., interviewed by phone by Mengmeng Zhao, Oct 29, 2009
Part 8: Summary Comparison (Mining Company in St. Louis; Compal Communication, Inc. (CCI))
Summary Comparison
Item | Mining Company | CCI
Revenues | $2.9 billion | $3.25 billion
Security manager reports to | VP/CIO | CIO
Interviewee in charge of security for | 2 years | 3 years
Policy examples | IS Incident Mgmt, ID & Password, Risk Assessment, Data Access, etc. | Data Access, Monitoring, Emergency Services, etc.
Top threats | Improper access to data | Unauthorized access to data
Lessons learned | Layered approach | IS in line with business strategy
Future plans | GRC model | Info security program for business processes
Best Practices from Case Studies
• Access: allow on a “least privilege” basis; review security as systems are installed; follow CIA
• Depth of security: layered approach
• Integrate security needs with business objectives; adjust according to business strategy
IT Security and Compliance Manager of a Mining Company in St Louis, interviewed in person by Jason Rottler, Oct 14, 2009
Mr. Qin, CISO of Compal Communication, Inc., interviewed by phone by Mengmeng Zhao, Oct 29, 2009
• Align process with policy
• Achieve “essential” then worry about “excellent”
• Create a data retention plan
• Control data with transaction zones
• Monitor event logs
• Incident response plan
• Increase awareness and testing
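“Monitor event logs” is only a best practice if something reads the logs and raises an alarm, and the case studies' top threat (unauthorized access to data, including by employees) is exactly what authentication logs reveal. The following is an added example of that monitoring, not code from either interviewed company: a sliding-window detector over OpenSSH-style syslog lines that flags a burst of failed logins for one account from one address, and separately flags the case an incident response plan most needs to hear about, a successful login from the same source right after the burst. The log lines are constructed for the example and embedded inline; the year is assumed (syslog timestamps omit it) and the parser ignores lines that are not sshd authentication events.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed OpenSSH-style syslog lines (not from a real host): five failures
# for one account from one address inside a minute, then a success from it.
SAMPLE_LOG = """\
Oct 14 09:00:01 fileserver sshd[2201]: Failed password for jsmith from 10.1.5.23 port 50112 ssh2
Oct 14 09:00:03 fileserver sshd[2202]: Failed password for jsmith from 10.1.5.23 port 50113 ssh2
Oct 14 09:00:04 fileserver sshd[2203]: Failed password for jsmith from 10.1.5.23 port 50114 ssh2
Oct 14 09:00:06 fileserver sshd[2204]: Failed password for jsmith from 10.1.5.23 port 50115 ssh2
Oct 14 09:00:08 fileserver sshd[2205]: Failed password for jsmith from 10.1.5.23 port 50116 ssh2
Oct 14 09:00:11 fileserver sshd[2206]: Accepted password for jsmith from 10.1.5.23 port 50117 ssh2
Oct 14 09:30:00 fileserver sshd[2300]: Accepted publickey for admin from 10.1.9.4 port 41000 ssh2
Oct 14 10:15:00 fileserver sshd[2350]: Failed password for invalid user root from 203.0.113.9 port 33001 ssh2
Oct 14 10:15:02 fileserver cron[2351]: (root) CMD (run-parts /etc/cron.hourly)
"""

# syslog timestamp, host, sshd[pid], then "Failed|Accepted <method> for [invalid user] <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_line(line, year=2009):
    """Return (timestamp, result, user, ip) for an sshd auth line, else None.

    `year` is assumed because syslog timestamps do not carry one.
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_auth_abuse(log_text, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window failed-login detector.

    Emits ("bruteforce", ip, user, ts) when `threshold` failures for the same
    (ip, user) pair fall inside `window`, and ("success_after_bruteforce", ...)
    when that pair then authenticates successfully, the sign the guessing worked.
    """
    alerts = []
    recent_failures = defaultdict(list)   # (ip, user) -> failure timestamps inside window
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue                        # not an sshd authentication event
        ts, result, user, ip = event
        key = (ip, user)
        if result == "Failed":
            # Drop failures older than the window, then count this one.
            recent_failures[key] = [t for t in recent_failures[key] if ts - t <= window]
            recent_failures[key].append(ts)
            if len(recent_failures[key]) == threshold:   # fire once per burst
                alerts.append(("bruteforce", ip, user, ts))
        elif len(recent_failures[key]) >= threshold:
            alerts.append(("success_after_bruteforce", ip, user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_abuse(SAMPLE_LOG):
        print(alert)
```

The single failed attempt for "root" from the outside address produces nothing on its own; thresholds keep the alert volume proportional to what the incident response plan can actually act on, and the second alert type is the one that should page someone rather than wait for the next review.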
The Verizon Business Risk Team: Proper Security Measures
A study of over 500 breaches from 2004 to 2007 found that 87% could have been prevented.
Swartz, N. (2008). Study: Most Data Breaches Preventable. Information Management Journal, 42(5), pg 7.
THANK YOU
Jason Rottler, Mengmeng Zhao, Vijak Pongtippun, Weiwei Huang, Ju Yang
References
1. http://en.wikipedia.org/wiki/It_security
2. Michael E. Whitman, Herbert J. Mattord, Principles of Information Security. http://books.google.com/books?id=gPonBssSm0kC&pg=PA13&lpg=PA13&dq=nstissc+security+model&source=bl&ots=cZ8bUHvAnV&sig=mLSw8gGbD6wrhoP2u9R4t2dLcmg&hl=en&ei=6jnrSu3SCJW6Noj8rYQM&sa=X&oi=book_result&ct=result&resnum=6&ved=0CBcQ6AEwBQ#v=onepage&q=nstissc%20security%20model&f=false
*3. Murray E. Jennex & Suzanne Zyngier, “Security as a contributor to knowledge management success”, published online 9 October 2007, Springer Science + Business Media, LLC 2007. http://proquest.umi.com/pqdweb?index=0&did=1374511721&SrchMode=1&sid=1&Fmt=6&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257259579&clientId=45249
4. http://www.billgatesmicrosoft.com/
5. http://chinadigitaltimes.net/china/bill-gates/
6. http://www.youtube.com/watch?v=6tnnuGRT088&feature=PlayList&p=3D4EE8E264394E75&playnext=1&playnext_from=PL&index=21
*7. L. Gordon Crovitz, “Information Age: 'Outsider Trading' and Too Much Information”, Wall Street Journal (Eastern edition), New York, N.Y., Oct 26, 2009, pg. A.17. http://proquest.umi.com/pqdweb?index=0&did=1886259131&SrchMode=1&sid=5&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257262182&clientId=45249
8. http://www.privacyrights.org/ar/ChronDataBreaches.htm#2009
*9. Dwayne Whitten, “The Chief Information Security Officer: An Analysis of the Skills Required for Success”, The Journal of Computer Information Systems, Stillwater, Spring 2008, Vol. 48, Iss. 3, pg. 15, 5 pgs. http://proquest.umi.com/pqdweb?index=0&did=1481115001&SrchMode=1&sid=2&Fmt=4&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257639426&clientId=45249
10. Robert Richardson, 2008 CSI Computer Crime & Security Survey, GoCSI.com. http://i.cmpnet.com/v2.gocsi.com/pdf/CSIsurvey2008.pdf
11. Dov Yoran, Partner, Metrosite Group, Information security spending survey 2009 results. http://metrosite.files.wordpress.com/2008/06/information_security_spending_survey_2009.pdf
*12. “IT Security Spending by U.S. Companies Will Hit US$61 Billion for 2006, Says Info-Tech Research Group”, PR Newswire, New York, Nov 15, 2006. http://proquest.umi.com/pqdweb?index=4&did=1162465461&SrchMode=1&sid=4&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257727916&clientId=45249#indexing
13. http://www.baselinemag.com/c/a/Security/Top-IT-Security-Spending-Priorities-for-2009/
14. Information Technology Services: Types of Net Threats. http://www.msun.edu/its/security/threats.htm
15. Sophos security threat report 2009. http://www.sophos.com/sophos/docs/eng/marketing_material/sophos-security-threat-report-jan-2009-na.pdf
16. The 11 most common computer security threats… and what you can do to protect yourself from them. http://www.symantec-norton.com/11-most-common-computer-security-threats_k13.aspx
*17. Kevin Prince, “Top 9 Network Security Threats in 2009”. http://www.csoonline.com/article/print/472866
*18. “Academy of Information and Management Sciences”, Reno, NV, Vol. 11 No. 2 (October 2007), p. 51-53. http://www.alliedacademies.org/Public/Proceedings/Proceedings21/AIMS%20Proceedings.pdf
19. McAfee logo, from http://strategyhealth.com/computer_help/mcafee_logo_1.jpg
20. Symantec logo, from http://www.cstoncall.com/images/upload/symantec-logo-300dpi.jpg
21. Ad-aware logo, from http://www.weatherbug.com/aws/imagesHmPg0604/img_logo_adaware.gif
22. http://www.csoonline.com/article/221739/What_is_a_Chief_Security_Officer_?page=1, viewed October 10, 2009
23. http://en.wikipedia.org/wiki/Chief_information_security_officer, viewed October 10, 2009
24. Interview with IT Manager at Mining Company.
http://www.corporatecomplianceinsights.com/2009/grc-management-best-practices-framework-for-more-effective-governance-risk-and-compliance-management
*25. Michael Lipinski, “Group Test: Anti-malware”, SC Magazine, New York, Jan 2009, Vol. 20, Iss. 1, pg. 42, 2 pgs. http://proquest.umi.com/pqdweb?index=0&did=1783184381&SrchMode=1&sid=5&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257726601&clientId=45249
*26. Phil Fernandez, “Five ways to make sure your e-mail isn't flagged as spam”, B to B, Chicago, Sep 28, 2009, Vol. 94, Iss. 12, pg. 18, 1 pg. http://proquest.umi.com/pqdweb?index=0&did=1876359931&SrchMode=1&sid=13&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257728149&clientId=45249&cfc=1
*27. Yves Le Roux, “Information security - The CIA model”, Director, London, Aug 1993, pg. 53, 4 pgs. http://proquest.umi.com/pqdweb?index=2&did=901411&SrchMode=1&sid=1&Fmt=3&VInst=PROD&VType=PQD&RQT=309&VName=PQD&TS=1257803955&clientId=45249
28. http://www.cert.org/cert/
29. http://www.compalcomm.com/
30. http://en.wikipedia.org/wiki/McCumber_cube
*31. Swartz, N. (2008). Study: Most Data Breaches Preventable. Information Management Journal, 42(5), pg 7.
32. CISO pictures, from “INFORMATION SECURITY - TOPIC AND SPEAKERS”. http://images.google.com/imgres?imgurl=http://www.isacasv.org/speaker_images/kenbaylo.jpg&imgrefurl=http://www.isacasv.org/SpringConferenceSecTopic2007.html&usg=__8NPq9rC9j7B_wFC9Pl36YIQMww=&h=385&w=350&sz=27&hl=zhCN&start=92&tbnid=6LVk3Bf6CFqSyM:&tbnh=123&tbnw=112&prev=/images%3Fq%3DCISO%26gbv%3D2%26ndsp%3D20%26hl%3Dzh-CN%26sa%3DN%26start%3D80
* Represents documents from refereed journals