INTRODUCTION TO INFORMATION SECURITY
APC 2 – Information Security and Management

SECURITY MEASURES
- Includes protective measures such as firewalls, antivirus software, encryption, and access controls to safeguard information and systems from unauthorized access and malicious attacks.

SECURITY POLICIES AND PROCEDURES
- Outlines rules and guidelines for protecting information assets and provides step-by-step instructions on implementing security measures and responding to security incidents.

PHYSICAL AND ENVIRONMENTAL PROTECTION
- Protects physical assets and the environment from threats that could compromise information security.

MONITORING PROCESSES AND SYSTEMS
- Involves continuous monitoring of systems and processes to detect and respond to security incidents promptly.

ASSET MANAGEMENT
- Involves identifying, classifying, and protecting organizational assets, such as physical and digital resources, to ensure their security and integrity.

IMPORTANCE OF INFORMATION SECURITY
1. Protects Sensitive Information
2. Prevents Financial Loss
3. Safeguards Reputation
4. Compliance with Regulations
5. Protects National Security
6. Supports Business Continuity
7. Protects Intellectual Property

CIA TRIAD
- A key/fundamental concept in information security that consists of three interconnected components.
1. Confidentiality
2. Integrity
3. Availability

CONFIDENTIALITY
- Ensures that sensitive information is only accessible to authorized individuals or systems.

INTEGRITY
- Ensures that data is accurate, complete, and not modified without authorization.

AVAILABILITY
- Ensures that data and systems are accessible and usable when needed.

THREATS IN INFORMATION SECURITY
- Any potential occurrence that could compromise the confidentiality, integrity, or availability of an organization's information assets.

TYPES OF THREATS
- Internal Threats
- External Threats
- Physical Threats
- Environmental Threats
- Social Engineering Threats

INTERNAL THREATS
1. INSIDER THREATS
- Authorized individuals intentionally or unintentionally compromising security.
2. EMPLOYEE NEGLIGENCE
- Accidental data breaches or security incidents caused by employee mistakes.
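The "continuous monitoring of systems and processes to detect and respond to security incidents" point above is easiest to see in code. The following is an added example written for these notes, not code from the original handout: a small monitor that reads authentication log lines, counts failed logins per source address inside a time window, and raises an alert when a threshold is crossed. A successful login that follows such a burst is flagged separately, because that is the event an analyst wants to see first. The log lines, hostnames, addresses, threshold and window are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a syslog-like layout (not real log data).
# One line from a different daemon is included to show that unrecognised
# lines are skipped rather than crashing the monitor.
SAMPLE_LOG = """\
2024-03-01T10:00:01 host1 sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:03 host1 sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:04 host1 sshd: Failed password for root from 203.0.113.5
2024-03-01T10:00:05 host1 cron: session opened for user backup
2024-03-01T10:00:06 host1 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:07 host1 sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:09 host1 sshd: Accepted password for alice from 203.0.113.5
2024-03-01T10:05:00 host1 sshd: Failed password for bob from 198.51.100.7
2024-03-01T10:30:00 host1 sshd: Accepted password for bob from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return a list of (alert_type, source, detail) tuples.

    'bruteforce'          : at least `threshold` failures from one source
                            within `window`
    'success_after_burst' : a successful login from a source that tripped
                            the bruteforce alert inside the same window
    """
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    alerted = {}                  # source -> time its last bruteforce alert fired
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue              # not an auth line: ignore it
        src, ts = rec["src"], rec["ts"]
        q = recent[src]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if rec["result"] == "Failed":
            q.append(ts)
            last = alerted.get(src)
            if len(q) >= threshold and (last is None or ts - last > window):
                alerted[src] = ts
                alerts.append(("bruteforce", src,
                               f"{len(q)} failures within {window}"))
        elif src in alerted and ts - alerted[src] <= window:
            alerts.append(("success_after_burst", src, f"user={rec['user']}"))
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {kind}: source={src} {detail}")
```

Run against the sample, the monitor raises two alerts for 203.0.113.5 (five failures inside a minute, then a success two seconds later) and nothing for 198.51.100.7, whose single failure is well outside the window when the later success arrives. The window and threshold are the knobs a security analyst tunes to trade false positives against missed attempts.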
3. DATA THEFT
- Employees stealing sensitive information for personal gain.

EXTERNAL THREATS
1. HACKER
- Unauthorized individuals attempting to access or disrupt systems.
2. MALWARE
- Software designed to harm or exploit systems, such as viruses, Trojan horses, and ransomware.
3. PHISHING
- Social engineering attacks to trick users into revealing sensitive information.
4. DENIAL OF SERVICE (DoS)
- Overwhelming systems with traffic to make them unavailable.
5. MAN-IN-THE-MIDDLE (MitM)
- Intercepting communication between two parties to steal sensitive information.

PHYSICAL THREATS
1. THEFT
- Physical theft of devices, equipment, or media containing sensitive information.
2. VANDALISM
- Intentional damage to equipment or facilities.
3. NATURAL DISASTER
- Floods, fires, earthquakes, or other natural disasters that can damage equipment or facilities.

ENVIRONMENTAL THREATS
1. POWER FAILURES
- Loss of power that can disrupt system and data availability.
2. WATER DAMAGE
- Flooding or water leaks that can damage equipment or facilities.
3. EXTREME TEMPERATURES
- High or low temperatures that can damage equipment or facilities.

SOCIAL ENGINEERING THREATS
1. PRETEXTING
- Creating a false scenario to trick users into revealing sensitive information.
2. BAITING
- Leaving malware-infected devices or storage media in public areas to trick users into installing the malware.
3. QUID PRO QUO
- Offering a service or benefit in exchange for sensitive information.

HOW TO MITIGATE THESE THREATS
RISK ASSESSMENT
- Identifying and assessing potential threats and vulnerabilities.
SECURITY POLICIES
- Establishing clear security policies and procedures.
EMPLOYEE TRAINING
- Educating employees on security best practices and procedures.
ACCESS CONTROLS
- Implementing access controls, such as authentication and authorization.
ENCRYPTION
- Encrypting sensitive data to protect it from unauthorized access.
INTRUSION DETECTION AND PREVENTION
- Implementing intrusion detection and prevention systems to detect and prevent attacks.
INCIDENT RESPONSE
- Establishing an incident response plan to respond to security incidents.
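The ACCESS CONTROLS item names two separate mechanisms, authentication (who is this?) and authorization (what may they do?), and it is worth seeing why they are kept apart. The block below is an added example written for these notes, not code from the original handout. It verifies a password against a salted PBKDF2 digest in constant time, then checks the requested action against a role-based permission table, and requires a second factor for the most sensitive actions (the multi-factor and role-based controls these notes list later under security policies). The users, passwords, roles, permission table and the `mfa_verified` flag are constructed for the example; a real deployment would verify the second factor itself rather than take a flag.

```python
import hashlib
import hmac
import os

# Constructed policy: role -> set of actions that role may perform.
ROLE_PERMISSIONS = {
    "viewer":  {"read"},
    "analyst": {"read", "export"},
    "admin":   {"read", "export", "delete", "manage_users"},
}
# Constructed policy: actions that additionally require a second factor.
MFA_REQUIRED = {"delete", "manage_users"}

PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt, iterations=PBKDF2_ITERATIONS):
    """Salted, slow hash so stored digests are not trivially reversible."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_store():
    """Constructed user store: only salt + digest + role are kept, never the password."""
    store = {}
    for name, password, role in [("alice", "correct-horse-battery", "analyst"),
                                 ("bob",   "bob-passphrase-2024",   "admin")]:
        salt = os.urandom(16)
        store[name] = {"salt": salt, "digest": hash_password(password, salt), "role": role}
    return store


def authenticate(store, username, password):
    """Step 1, identity: return the user's role on success, None otherwise."""
    user = store.get(username)
    if user is None:
        # Do the same amount of work for unknown users so response time does
        # not reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return None
    candidate = hash_password(password, user["salt"])
    if hmac.compare_digest(candidate, user["digest"]):   # constant-time compare
        return user["role"]
    return None


def authorize(role, action, mfa_verified=False):
    """Step 2, permission: deny by default, allow only what the role grants."""
    allowed_actions = ROLE_PERMISSIONS.get(role, set())   # unknown role -> nothing
    if action not in allowed_actions:
        return False, "denied: role lacks permission"
    if action in MFA_REQUIRED and not mfa_verified:
        return False, "denied: second factor required"
    return True, "allowed"


def request(store, username, password, action, mfa_verified=False):
    """Full gate: authenticate first, then authorize the action."""
    role = authenticate(store, username, password)
    if role is None:
        return False, "denied: authentication failed"
    return authorize(role, action, mfa_verified)


if __name__ == "__main__":
    store = make_user_store()
    for args in [("alice", "correct-horse-battery", "read"),
                 ("alice", "correct-horse-battery", "delete"),
                 ("bob", "bob-passphrase-2024", "delete"),
                 ("bob", "bob-passphrase-2024", "delete", True),
                 ("bob", "wrong-password", "read")]:
        print(args[0], args[2], "->", request(store, *args))
```

Note that a wrong password and an unknown username produce the same answer, and that an admin with the right password is still refused a destructive action until the second factor is present; the permission check never runs for an unauthenticated caller.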
VULNERABILITIES IN INFORMATION SECURITY
- Refers to weaknesses or flaws in a system, network, or application that can be exploited by attackers to compromise security.

TYPES OF VULNERABILITIES
- Human-centric Vulnerabilities
- Network and System Vulnerabilities
- Physical Vulnerabilities
- Process and Policy Vulnerabilities

HUMAN-CENTRIC VULNERABILITIES
1. PHISHING
- Tricking users into revealing sensitive information, such as passwords or credit card numbers.
2. SOCIAL ENGINEERING
- Manipulating users into performing certain actions or revealing sensitive information.
3. INSIDER THREATS
- Authorized individuals intentionally or unintentionally compromising security.
4. PASSWORD WEAKNESS
- Using weak or easily guessable passwords.

NETWORK AND SYSTEM VULNERABILITIES
1. UNPATCHED SOFTWARE
- Failing to apply security patches to software, leaving vulnerabilities open to exploitation.
2. MISCONFIGURED NETWORKS
- Incorrectly configured network devices or settings, allowing unauthorized access.
3. WEAK ENCRYPTION
- Using weak or outdated encryption algorithms, making it easier for attackers to intercept and read sensitive data.
4. LACK OF SEGMENTATION
- Failing to segment networks, making it easier for attackers to move laterally.

PHYSICAL VULNERABILITIES
1. PHYSICAL ACCESS
- Unauthorized physical access to devices, networks, or facilities.
2. DEVICE THEFT
- Theft of devices containing sensitive information.
3. ENVIRONMENTAL FACTORS
- Exposure to environmental factors, such as extreme temperatures or humidity.

PROCESS AND POLICY VULNERABILITIES
1. INADEQUATE POLICIES
- Lack of or inadequate security policies, leading to confusion and inconsistent security practices.
2. INADEQUATE TRAINING
- Insufficient training for employees on security policies and procedures.
3. LACK OF INCIDENT RESPONSE
- Failing to have an incident response plan in place, leading to delayed or ineffective response to security incidents.

RISK MANAGEMENT AND SECURITY POLICIES
- Risk management and security policies are critical components of an organization's approach to protecting its assets, data, and operations.

RISK ASSESSMENT TECHNIQUES
- Risk assessment techniques in the context of risk management and security policies are methods used to identify, evaluate, and prioritize risks that could affect an organization's ability to meet its objectives, both from an operational and a security perspective.

KEY RISK ASSESSMENT TECHNIQUES COMMONLY USED TO EVALUATE AND SHAPE RISK MANAGEMENT AND SECURITY POLICIES:

1. QUALITATIVE RISK ASSESSMENT TECHNIQUES
- These techniques are based on subjective judgement, often used when limited data is available or the situation is complex and difficult to quantify.
RISK MATRIX
- A risk matrix is a visual tool used to assess risks based on their likelihood (probability) and impact (severity).
SWOT ANALYSIS (STRENGTHS, WEAKNESSES, OPPORTUNITIES, AND THREATS)
- SWOT analysis helps identify internal strengths and weaknesses and external opportunities and threats. It is a strategic tool used to understand the context of risks.
APPLICATION IN RISK MANAGEMENT & SECURITY
RISK MANAGEMENT
- Helps evaluate internal and external factors that could expose the organization to various types of risks.
SECURITY POLICIES
- Helps in identifying weaknesses in security infrastructure and external threats such as emerging cybersecurity threats or vulnerabilities.

2. QUANTITATIVE RISK ASSESSMENT TECHNIQUES
- Quantitative techniques use numerical data, statistical models, and simulations to evaluate risks. They are objective and often provide precise measurements that can support data-driven decision-making.

3. SCENARIO ANALYSIS AND SIMULATION
- Scenario analysis involves considering possible future events (both normal and extreme) and analyzing their potential impacts. Simulation techniques allow for testing these scenarios in a controlled environment.

4. SPECIALIZED RISK ASSESSMENT TECHNIQUES FOR SECURITY
- Security-specific techniques are designed to evaluate risks unique to cybersecurity, physical security, and data protection.
PENETRATION TESTING
- Simulating a cyberattack to identify vulnerabilities in IT systems, networks, or applications. Penetration testing often includes both manual and automated testing to identify exploitable weaknesses.

5. HYBRID RISK ASSESSMENT TECHNIQUES
- Combining various techniques to form a comprehensive risk assessment process.
- A hybrid of fault tree analysis (FTA) and event tree analysis (ETA), bowtie analysis visually represents the relationship between the causes of a risk and its consequences.

6. RISK REGISTER
- A risk register is a central repository that tracks all identified risks, their likelihood, impact, mitigation actions, and ownership.

SECURITY POLICIES
- Security policies govern the protection of the organization's digital and physical resources. They provide guidelines for safeguarding data, networks, and systems from unauthorized access, use, disclosure, destruction, or alteration.
1. ACCESS CONTROL
- Defining user access rights and authentication mechanisms (e.g., multi-factor authentication, role-based access control).
2. DATA PROTECTION AND PRIVACY
- Establishing rules to safeguard sensitive data (e.g., encryption, secure storage, and disposal of data).
3. INCIDENT RESPONSE
- Developing procedures for identifying, responding to, and recovering from security incidents (e.g., breaches, malware attacks).
4. NETWORK SECURITY
- Defining the use of firewalls, intrusion detection/prevention systems, and secure protocols (e.g., VPNs, SSL).
5. EMPLOYEE SECURITY AWARENESS
- Educating employees on security risks such as phishing, social engineering, and safe handling of sensitive information.
6. DISASTER RECOVERY AND BUSINESS CONTINUITY
- Developing strategies to restore operations after disruptions (e.g., data backups, recovery sites, continuity planning).
7. THIRD-PARTY SECURITY
- Ensuring that third-party vendors and partners meet the same security standards (e.g., through audits, contracts, and access controls).

ORGANIZATIONAL ROLES
- Refers to the responsibilities, functions, and positions within an organization that are dedicated to identifying, assessing, mitigating, and managing risks.
1. RISK MANAGEMENT ROLES
- These roles focus on identifying, assessing, and managing risks to the organization's operations, assets, and objectives.
CHIEF RISK OFFICER (CRO)
- Responsibilities: The CRO is responsible for overseeing the entire risk management process within an organization.
RISK MANAGER
- Responsibilities: Risk managers support the CRO by coordinating the implementation of risk management strategies and procedures within the organization.
RISK ANALYST
- Risk analysts are responsible for analyzing and quantifying risks.
They use various risk assessment tools to evaluate the likelihood and impact of risks and contribute to creating strategies for managing them.

2. SECURITY ROLES
- These roles are more focused on protecting an organization's assets, information, and infrastructure from threats like cyber-attacks, data breaches, or physical security breaches.
CHIEF INFORMATION SECURITY OFFICER (CISO)
- The CISO is responsible for the overall security posture of the organization, particularly in relation to its IT infrastructure and data.
SECURITY MANAGER
- Security managers oversee day-to-day security operations. They ensure the implementation of security policies and procedures, manage security personnel, and act as a liaison between security teams and other departments.
SECURITY ANALYST
- Security analysts are responsible for monitoring systems for security threats and responding to incidents.
SECURITY ENGINEER
- IT security engineers are responsible for designing, implementing, and maintaining an organization's IT security infrastructure, including firewalls, intrusion detection systems, and encryption protocols.

3. COMPLIANCE AND AUDIT ROLES
- These roles ensure that the organization adheres to relevant laws, regulations, and industry standards related to risk and security.
COMPLIANCE OFFICER
- Compliance officers ensure that the organization adheres to relevant laws, regulations, and standards regarding risk management and security.
INTERNAL AUDITOR
- Internal auditors assess the effectiveness of risk management and internal controls within an organization.

4. OPERATIONAL ROLES
- These roles focus on the implementation of risk management and security strategies within specific business units or operational functions.
BUSINESS CONTINUITY MANAGER
- A Business Continuity Manager ensures that the organization can continue its critical operations during and after a disruption, such as a cyberattack or natural disaster.
HUMAN RESOURCES (HR)
- HR plays a role in risk management and security by managing the human element of risk. They are involved in creating a security-conscious culture and ensuring that employees understand their roles in risk prevention.

5. SENIOR LEADERSHIP ROLES
- Senior leadership, such as the CEO and Board of Directors, plays a crucial role in setting the tone for risk management and security within the organization.
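The risk matrix, the quantitative techniques and the risk register described in these notes fit together naturally, and the work a risk analyst does with them is concrete enough to show in code. The following is an added example written for these notes, not code from the original handout. Each register entry carries a 1-5 likelihood and a 1-5 impact (the qualitative matrix) plus a single loss expectancy and an annual rate of occurrence (the quantitative side). The matrix bands, the register entries, the amounts and the control costs are all constructed; the annualized loss expectancy formula ALE = SLE x ARO and the control cost-benefit calculation are standard quantitative tools that the notes themselves do not spell out and are assumed here.

```python
from dataclasses import dataclass

# Constructed matrix bands: (label, lowest likelihood x impact score in the band).
RATING_BANDS = (("critical", 15), ("high", 8), ("medium", 4), ("low", 1))


def rate(likelihood, impact):
    """Qualitative rating: map a cell of the 5x5 risk matrix to a band label."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers in 1..5")
    score = likelihood * impact
    for label, floor in RATING_BANDS:
        if score >= floor:
            return label
    return "low"


def ale(sle, aro):
    """Quantitative rating: annualized loss expectancy = SLE x ARO (assumed standard formula)."""
    return sle * aro


def control_value(sle, aro_before, aro_after, annual_control_cost):
    """Net annual benefit of a mitigation: ALE reduction minus what the control costs."""
    return ale(sle, aro_before) - ale(sle, aro_after) - annual_control_cost


@dataclass
class RiskEntry:
    """One row of the risk register: identification, ownership, both scorings, mitigation."""
    risk_id: str
    description: str
    owner: str
    likelihood: int   # 1..5
    impact: int       # 1..5
    sle: float        # constructed loss per single occurrence
    aro: float        # constructed expected occurrences per year
    mitigation: str

    @property
    def rating(self):
        return rate(self.likelihood, self.impact)

    @property
    def ale(self):
        return ale(self.sle, self.aro)


# Constructed register; every value here is illustrative, not measured.
REGISTER = [
    RiskEntry("R1", "Phishing leads to credential theft", "CISO", 5, 4, 20_000, 2.0,
              "awareness training, multi-factor authentication"),
    RiskEntry("R2", "Unpatched internet-facing server", "Security Engineer", 4, 5, 150_000, 0.5,
              "patch SLA, vulnerability scanning"),
    RiskEntry("R3", "Water leak in server room", "Facilities", 2, 4, 80_000, 0.1,
              "leak sensors, raised flooring"),
    RiskEntry("R4", "Laptop theft", "IT Manager", 3, 2, 3_000, 1.0,
              "full-disk encryption"),
]


def prioritize(register):
    """Order the register by qualitative band first, then by ALE within a band (both descending)."""
    order = {label: i for i, (label, _) in enumerate(RATING_BANDS)}
    return sorted(register, key=lambda r: (order[r.rating], -r.ale))


if __name__ == "__main__":
    print(f"{'id':<4}{'rating':<10}{'ALE':>10}  owner / description")
    for r in prioritize(REGISTER):
        print(f"{r.risk_id:<4}{r.rating:<10}{r.ale:>10,.0f}  {r.owner} / {r.description}")
    # Is a 20,000-per-year patching programme worth it for R2 if it cuts ARO 0.5 -> 0.1?
    print("net value of patching control for R2:",
          control_value(150_000, 0.5, 0.1, 20_000))
```

Two things the table makes visible that the prose does not: R1 and R2 land in the same qualitative band, and only the quantitative figure separates them (R2's ALE is higher although it happens less often), and a control is justified on numbers when its ALE reduction exceeds its annual cost, which for the constructed R2 figures it does by 40,000.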