
Information Security Management

Week #1

Lecturer

Name : Yahya Peranginangin
Email : yahya_pp@yahoo.fr
Phone : 081320111556 (sms only)
Twitter : @jaqpopo

Class Rules

Maximum of 3 absences (for ANY reason)

Lecture time : 13:00

Learning Objectives
Threats
Risks
Policies & procedures
Physical & logical controls
Asset classification

Why does it matter?

Information Security Management

How to prevent?

How to do it right?

How to recover?

Syllabus

Meeting : Topic
1 : Information Security Overview
2 : Threats to Information Security and Logical Access
3 : The Structure of Information Security
4 : Information Security Policies and Procedures
5 : Information Security Policies and Procedures (Cont.)
6 : Asset Classifications
7 : Asset Classifications (Cont.)
8 : UTS (midterm exam)

Syllabus

Meeting : Topic
9 : Access Control
10 : Physical Security
11 : Risk Analysis and Risk Management
12 : Business Continuity and Disaster Recovery
13 : Business Continuity and Disaster Recovery (Cont.)
14 : Information Security Standard
15 : Network Infrastructure Security
16 : UAS (final exam)

References
Books
Peltier, Thomas R., Justin Peltier, and John Blackley. 2005. Information Security Fundamentals. Auerbach Publications. Publisher: CRC Press LLC.
Calder, Alan, and Steve Watkins. 2008. IT Governance: A Manager's Guide to Data Security and ISO 27001/ISO 27002.
Krause, Micki, and Harold F. Tipton. 2009. Handbook of Information Security Management. Auerbach Publications. Publisher: CRC Press LLC.
CISA Review Manual 2009. ISACA. USA.
ISO 27000.

Articles/Journals
Cases and selected readings to be determined later.

Grading System
UTS (midterm exam) : 30%
UAS (final exam) : 30%
Assignments : 40% (quizzes, individual assignments, group assignments)

INFORMATION SECURITY OVERVIEW

Agenda
Why is Information Security Necessary?
Elements of Information Protection
Roles and Responsibilities
Common Threats
Risk Management
Information Protection Program

Why is Information Security Necessary?
Information is CRITICAL

Benefit for competitors
Maintaining customer confidence

In 2004, 87% of businesses were highly dependent on electronic information and the systems that process it (compared to 76% in 2002).
(DTI Survey in UK)

Why is Information Security Necessary?

Confidentiality

Organizations Information

Integrity

Availability

Why is Information Security Necessary?

Threats to computer-based information security are increasing:
A strong trend towards mobile computing
A growth in the use of the internet for business communication
Computer literacy is becoming more widespread
Better hacker tools
It's not just for fun; there's a lot of money to be made
Wireless technology makes information and the internet available cheaply and easily
The falling price of computers

Why is Information Security Necessary?
Risks for the organization:

Business will be disrupted
Privacy will be violated
The organization will suffer direct financial loss
Regulation and compliance requirements will increase
Reputations will be damaged

Foxconn Case

Hacker : Swagger (Swag Securities)
Target : Foxconn (BeiJing) Trading Co., Ltd.
Customer private data revealed

Elements of Information Protection


Information protection should support the business objectives or mission of the enterprise

Elements of Information Protection


Information protection is an integral element of due care: a duty of loyalty & a duty of care

Elements of Information Protection


Information protection must be cost effective

Elements of Information Protection


Information protection responsibilities and accountabilities should be made explicit

Elements of Information Protection


System owners have information protection responsibilities outside their own organization

Elements of Information Protection


Information protection requires a comprehensive and integrated approach

Elements of Information Protection


Information protection should be periodically reassessed

Elements of Information Protection


Information protection is constrained by the culture of the organization

Elements of Information Protection

Security

Flexibility

Roles and Responsibilities

CIO : Directs the organization's management of information assets

ISSO and/or Security Administrator : Responsible for the day-to-day administration of the information protection program

System Operation : Implementing technical security on the computer systems

Physical Security Staff : Establishing and implementing controls, in application development and day-to-day operation

Other Groups : Quality Assurance, Procurement group, Education and Training, Human Resources

Common Threats
Employees
Errors and omissions: users, data entry personnel, system operators, programmers
Sabotage: destroying hardware, planting malicious code, entering data incorrectly, deleting or altering data

The loss of the physical facility or the supporting infrastructure
Power failures, fire, flood, etc.

External hackers or crackers

Risk Management
Risk Analysis Process
1. Determine the asset to be reviewed
2. Identify the risks, issues, threats, or vulnerabilities
3. Assess the probability of the risk occurring and the impact on the asset
4. Identify controls that would bring the impact to an acceptable level
Total Security = Zero Productivity
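The four steps above, carried through on a small constructed risk register. This is an added illustration, not material from the lecture or from Peltier's book: the 1-to-5 ordinal scales, the acceptable-risk threshold of 6, the asset, the threats, the controls and their costs are all made-up sample values. The point it shows is step 4 and the "Total Security = Zero Productivity" remark together: controls are added only until residual risk reaches the acceptable level, then the process stops rather than spending on every available control.

```python
from dataclasses import dataclass

# Constructed 1..5 ordinal scales; a real programme uses the organisation's own matrix.
ACCEPTABLE_RISK = 6  # constructed threshold: probability x impact at or below this is accepted


@dataclass(frozen=True)
class Threat:
    name: str
    probability: int  # 1 = rare .. 5 = almost certain
    impact: int       # 1 = negligible .. 5 = severe


@dataclass(frozen=True)
class Control:
    name: str
    mitigates: str              # name of the threat this control addresses
    probability_reduction: int  # points removed from probability when applied
    impact_reduction: int       # points removed from impact when applied
    annual_cost: int            # constructed cost figure, arbitrary units


def risk_score(probability: int, impact: int) -> int:
    """Step 3: inherent risk as probability x impact on the ordinal scales."""
    return probability * impact


def assess(threats):
    """Steps 2-3: inherent risk score for each identified threat to the asset."""
    return {t.name: risk_score(t.probability, t.impact) for t in threats}


def select_controls(threats, controls, acceptable=ACCEPTABLE_RISK):
    """Step 4: for each threat above the acceptable level, apply matching controls
    (cheapest first) until the residual score is acceptable, then stop.
    Returns (list of chosen control names, residual score per threat)."""
    chosen, residual = [], {}
    for t in threats:
        prob, impact = t.probability, t.impact
        candidates = sorted((c for c in controls if c.mitigates == t.name),
                            key=lambda c: c.annual_cost)
        for c in candidates:
            if risk_score(prob, impact) <= acceptable:
                break  # already acceptable: no further spend on this threat
            prob = max(1, prob - c.probability_reduction)
            impact = max(1, impact - c.impact_reduction)
            chosen.append(c.name)
        residual[t.name] = risk_score(prob, impact)
    return chosen, residual


def total_cost(chosen, controls):
    """Annual cost of the selected controls."""
    by_name = {c.name: c for c in controls}
    return sum(by_name[n].annual_cost for n in chosen)


# Constructed sample register for one asset (step 1: the asset under review).
ASSET = "customer database"
DISCLOSURE = "unauthorised disclosure by external attacker"
ENTRY_ERROR = "data entry error by staff"
POWER = "power failure at the data centre"
THREATS = [
    Threat(DISCLOSURE, probability=4, impact=5),
    Threat(ENTRY_ERROR, probability=5, impact=2),
    Threat(POWER, probability=2, impact=3),
]
CONTROLS = [
    Control("security awareness training", DISCLOSURE, 1, 0, 2000),
    Control("encryption of stored records", DISCLOSURE, 0, 2, 5000),
    Control("firewall and access control review", DISCLOSURE, 2, 0, 8000),
    Control("input validation and double-entry checks", ENTRY_ERROR, 2, 0, 3000),
]

if __name__ == "__main__":
    print("Asset:", ASSET)
    for name, score in assess(THREATS).items():
        print(f"  inherent risk {score:2d}  {name}")
    selected, remaining = select_controls(THREATS, CONTROLS)
    print("Controls selected:", selected)
    print("Residual risk:", remaining)
    print("Annual cost of selected controls:", total_cost(selected, CONTROLS))
```

Running it shows the power-failure threat already at the acceptable level, so it receives no control, while the disclosure threat needs all three of its controls before its residual score falls to 3. Cheapest-first is a deliberate simplification; a fuller analysis would rank controls by risk reduction per unit cost, but the stopping rule is the same.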

Information Protection Program

The beginning of an IPP is the implementation of a policy
Creates the organization's attitude toward information
Announces internally and externally that information is an asset and the property of the organization, and is to be protected from unauthorized access, modification, disclosure, and destruction

Information Protection Program

Typical IPP:
Firewall control
Virus control and virus response team
Encryption
Internet monitoring
Disaster planning
Secure single sign-on
Contract personnel nondisclosure agreements
Security awareness programs
etc.

Group Assignment
Each group consists of 4-5 people. Find an example of an Information Security case:
What happened?
Why did it happen?
Who committed the fraud?
When did it happen?
Where did it happen?
How did it happen?
How was it recovered from?

Each group must choose a different case.

The assignment is submitted at meeting 3 as a print-out: minimum 3 A4 pages, Arial 11, 1.5 line spacing.
Each group will present its assignment at the start of the lecture (15 minutes), starting from meeting 3. Two groups per meeting.
