INFORMATION SECURITY IN ORGANIZATIONS

Ana Helena da Silva, MCI12017
Cristiana Coelho, MCI12013

SUMMARY

1. Introduction
2. The Importance of IT in Organizations
3. Principles of Security
4. Information Security in Organizations
5. Models and Security Policies in Organizations
6. Importance of Implementing a Security Policy in Organizations
7. Identification and Authentication / Access Control
8. Software and Security
9. Case Study
10. Conclusions
11. References

1. INTRODUCTION

• This study was prepared for the Information Security course.
• In recent years there have been many problems related to information security. One of the main causes is the growth and spread of the Internet.
• Connected systems are exposed to infection by malicious software, intrusions, internal and external fraud and theft of proprietary information, among other threats.

2. THE IMPORTANCE OF IT IN ORGANIZATIONS

• Information Technology (IT) plays an increasingly important role in organizations.
• With the exponential growth of information, its storage, processing and transmission have become increasingly important processes within an organization.

Source: Instituto de Informática (2008).

3. PRINCIPLES OF SECURITY

• Computer systems are used to process and store information in digital format, so the security of computer systems is concerned with protecting data and information.
• Data are physical representations that stand for aspects of the real or conceptual world. They are used to store, disseminate and distinguish information by handling it according to defined formal rules.
• Types of security measure: prevention, detection and reaction.
• Security properties: confidentiality, integrity, availability, registration and reliability.

Source: Mamede (2006), p. 4-10.

4. INFORMATION SECURITY IN ORGANIZATIONS

• Currently, it cannot be said that every organization has sufficient security measures in place to be considered safe.
• Attacks that exploit vulnerabilities in application or operating-system software are increasingly common.

Source: Mamede (2006), p. 377-383.

5. MODELS AND SECURITY POLICIES IN ORGANIZATIONS

• The security policy of an organization determines the security of its systems.
• A security policy must be adapted as new situations arise in the organization.
• Implementing the policy follows several steps, the first of which is assessing and understanding the organization's security needs.
• A very important procedure that can prevent disasters is keeping backup copies of documents.
• Employees should receive training and practice in information security.
• Systems must be protected against all types of malware.

Source: Mamede (2006), p. 38-66.

6. IMPORTANCE OF IMPLEMENTING A SECURITY POLICY IN ORGANIZATIONS

• Information is an essential resource of an organization.
• Loss of confidentiality, integrity or availability can cause a loss of confidence in the services the organization provides.
• Some measures should therefore be taken within the organization.
Source: Instituto de Informática (2008).

7. IDENTIFICATION AND AUTHENTICATION / ACCESS CONTROL

• It is important to establish access control, i.e. to limit access to the resources of a system.
• Controls may be preventive (blocking an unauthorized action before it takes place) or reactive (detecting and responding to it after the fact).
• Organizations should have a security policy to protect their information. Such a policy can be enforced under two paradigms: the access control paradigm (which subjects may perform which operations on which resources) and the data-flow control paradigm (which information may flow to which destinations).

Source: Mamede (2006), p. 69-80.

8. SOFTWARE AND SECURITY

• Malware is one of the main problems related to information security.
• Types of malware: computer viruses, worms, Trojans, spyware, logic bombs and hoaxes.

Source: Mamede (2006), p. 129-135.

9. CASE STUDY

• PwC uses ISO 27001 to manage the security of its information.
• Reported benefits: lower costs and fewer incidents; elimination of information loss; guaranteed confidentiality of business, employee and customer information.

Source: Amador (n.d.).
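Section 7 names two paradigms for enforcing a security policy, access control and data-flow control, and distinguishes preventive from reactive controls. The following Python block is an added example, not code from the slides or from Mamede (2006); it shows how the two paradigms can give different answers for the same request, and how a log of denials supports a reactive check. All subjects, roles, resources, confidentiality labels and policy entries are constructed for illustration.

```python
"""Access control under the two paradigms named in section 7.

Added example, not code from the slides or from Mamede (2006). Every
subject, role, resource, label and policy entry below is constructed
for illustration.

  * Access-control paradigm: a role -> resource -> actions table,
    evaluated default-deny (a preventive control).
  * Data-flow control paradigm: subjects and objects carry a
    confidentiality level; a read is allowed only if the subject's level
    is at least the object's, a write only if the object's level is at
    least the subject's ("no read up / no write down"), so information
    cannot flow from a higher level to a lower one even when the access
    table would permit the operation.

Every decision is written to an audit log, and repeated_denials() reports
subjects that keep being refused (a reactive control).
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed confidentiality lattice: higher number = more sensitive.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

# Constructed role-based access table: role -> resource -> permitted actions.
POLICY = {
    "analyst": {"reports": {"read"}, "tickets": {"read", "write"}},
    "admin": {
        "reports": {"read", "write"},
        "tickets": {"read", "write"},
        "hr_records": {"read", "write"},
    },
}

ROLES = {"alice": "analyst", "bob": "admin"}  # constructed subject -> role
SUBJECT_LEVEL = {"alice": "internal", "bob": "confidential"}
OBJECT_LEVEL = {"reports": "internal", "tickets": "public", "hr_records": "confidential"}


@dataclass
class AccessController:
    # Each entry: (subject, action, resource, decision, reason)
    audit_log: list = field(default_factory=list)

    def _decide(self, subject, action, resource, allowed, reason=""):
        self.audit_log.append(
            (subject, action, resource, "ALLOW" if allowed else "DENY", reason)
        )
        return allowed

    def authorize(self, subject: str, action: str, resource: str) -> bool:
        """Return True only if both paradigms permit the operation."""
        # 1. Access-control paradigm, default deny: an unknown subject, role,
        #    resource or action falls through to an empty permission set.
        permitted = POLICY.get(ROLES.get(subject), {}).get(resource, set())
        if action not in permitted:
            return self._decide(subject, action, resource, False, "not in policy")

        # 2. Data-flow control paradigm: compare confidentiality levels.
        s_level = LEVELS[SUBJECT_LEVEL[subject]]
        o_level = LEVELS[OBJECT_LEVEL[resource]]
        if action == "read" and s_level < o_level:
            return self._decide(subject, action, resource, False, "read up")
        if action == "write" and o_level < s_level:
            return self._decide(subject, action, resource, False, "write down")

        return self._decide(subject, action, resource, True)

    def repeated_denials(self, threshold: int = 3) -> dict:
        """Reactive control: subjects with at least `threshold` denied requests."""
        counts = Counter(e[0] for e in self.audit_log if e[3] == "DENY")
        return {subj: n for subj, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    ac = AccessController()
    for req in [("alice", "read", "reports"), ("alice", "read", "hr_records"),
                ("bob", "write", "tickets"), ("mallory", "read", "tickets")]:
        print(req, "->", "allow" if ac.authorize(*req) else "deny")
    print("repeated denials:", ac.repeated_denials(threshold=1))
```

Note that bob, an admin, is refused a write to the public tickets resource even though the access table permits it: the flow rule blocks a write from a confidential subject to a public object. Whether that is the behaviour an organization wants is a policy decision; the point is that the two paradigms are evaluated independently and both must agree, and that the denial log gives the reactive side something to act on.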
10. CONCLUSIONS

• Information security is an increasingly important priority for organizations and is seen as an essential requirement for sustaining long-term competitive advantage.
• Security must be managed in both an organizational and an operational context.
• The implementation of a security policy that protects systems against malware is therefore important.

Do all organizations have an information security system?

11. REFERENCES

• AMADOR, Cristina Pacheco – Testemunho: A importância de um sistema de gestão de segurança da informação. [Online]. [S.l.: s.n.]. [Accessed 21 November 2012]. Available at: <URL: http://www.apcer.pt/index.php?option=com_content&view=article&id=326%3Atestemunho-a-importancia-de-um-sistema-de-gestao-de-seguranca-da-informacao&Itemid=491&lang=pt>
• Instituto de Informática – Carta de princípios de Segurança Informática e privacidade. [Online]. Lisboa: Ministério das Finanças, 2008. [Accessed 15 November 2012]. Available at: <URL: http://www.inst-informatica.pt/o-instituto/instrumentos-gestao/seguranca-informatica-e-privacidade>
• MAMEDE, Henrique São – Segurança informática nas organizações. Lisboa: FCA - Editora de Informática, 2006. ISBN 978-972-722-441-8.
• SELLA, Danilo (Org.) – Segurança da informação: um diferencial determinante na competitividade das corporações. São Paulo: Promon, 2005. [Accessed 19 October 2012]. Available at: <URL: http://www.promon.com.br/portugues/noticias/download/Seguranca_4Web.pdf>
• VALDEZ, Fernando – Falar de tecnologia. [Online]. [S.l.: s.n.]. [Accessed 19 October 2012]. Available at: <URL: http://falardetecnologia.com/?p=1>