-People, Process and Technology

-Information as Asset

KowshikMadhuMayur

ShariqueVidyashankar

Introduction• Information security is the practice of

defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

• The elements are Integrity – maintaining accuracyAvailability – available when neededAuthenticity – ensure genuine dataNon-repudiation – two way transactions

People-Process-Technology• The fundamental principles of any business

operation are “people,” “processes,” and “technology.” Attention to all three are required to have significant and lasting change on how the organization operates.

• Strong processes can often help to overcome potential vulnerabilities in a security product, while poor implementation can render good technologies ineffective.

• Antivirus software is a good example of how people-process-technology all have roles in its effectiveness.

People In IT Security

Process in IT Security

Adopting International standards for IT security

• ISO27001 : Protect , preserve information under confidentiality, integrity, availability.

• ISO22301 : Focuses both on the recovery from disasters, but also on maintaining access to and security of information.

Process in IT Security

Process in IT Security

Technology in IT Security

1. To improve productivity, efficiency, and process consistency.

2. Develop technical requirements for the submission of change

requests, evaluation, approval, and evidence retention.

3. Migrate proven change control procedures and forms into the

technology platform. Verify consistency with paper-based methods.

4. Implement technology to identify and track configuration of all

hardware's and software’s.

TOP 10 TECHNOLOGIES FOR INFORMATION SECURITY Cloud Access Security Brokers.

Adaptive Access Control.

Pervasive Sandboxing (Content Detonation) and IOC Confirmation.

Endpoint Detection and Response Solutions.

Big Data Security Analytics at the Heart of Next-generation Security

Platforms.

Machine-readable Threat Intelligence, Including Reputation Services.

Containment and Isolation as a Foundational Security Strategy.

Software-defined Security.

Interactive Application Security Testing.

Security Gateways, Brokers and Firewalls to Deal with the Internet of

Things.

“Information as Asset”• Like any other corporate asset, an organization's information assets have

financial value. The value of asset increases in direct relationship to the number of people who are able to make use of the information

• An information asset can be classified according to any criteria, not only by its relative importance or frequency of use. For example, data can be broken down according to topic, when it was created, where it was created or which personnel or departments use it the most. A data classification system can be implemented to make the organization's information assets easy to find, share and maintain

• The major steps required for asset classification and controls are:– A. Identification of the assets– B. Accountability of assets– C. Preparing a schema for information classification– D. Implementing the classification schema

A. Identification of assets• Information assets• Software assets• Physical assets• Services

B. Accountability of assets• Identifying owners

C. Preparing a schema for classification• Confidentiality – Confidential, Company Only, Shared, Unclassified• Value• Time• Access rights• Destruction

D. Implementation of the classification schema• Uniform way of identifying the information• Right amount of protection

Conclusion• Information security is the ongoing process of

exercising due care and due diligence to protect information, and information systems, from unauthorized access, use, disclosure, destruction, modification, or disruption or distribution.

• Circling back to the beginning of presentation – a focus on only technical security controls may leave you with a system that is not maintained (e.g., insufficient man-power, and/or training for people) and it is not very effective (e.g., poor processes and policies).