Class notes

Information Security Management - Lectures (Decision and Risk Analysis)

Pages: 37
Uploaded on: 26-11-2015
Written in: 2015/2016

Summary of all lectures of Information Security Management, part of Decision and Risk Analysis. I used the lecture slides and added my notes to clarify these slides and to provide more detail on the various concepts and guidelines mentioned in the slides.


INFORMATION SECURITY MANAGEMENT
Decision and Risk Analysis

Lecture notes and slides


Lecture 1

Introduction

Packet switching
Describe the internet in one word: packet switching.
Packet switching was the basic idea behind ARPANET.
If you ‘send’ something, it is divided into packets and these packets are
sent off.
Nowadays there’s just one kind of packet. There are some more, but they are
not common.

ARPANET
ARPANET was a project financed by the DoD (Department of Defense).
The DoD was the largest investor in defense projects since WW II.

Bell Labs
Bell Labs was the large research lab of one of the big telephone companies
in the United States. Its labs were very good at discovering new things in
communication and computing. Linux comes from them.

PARC
PARC was a research centre owned by Xerox. They invented the mouse
and the graphical interface. At first they didn’t do anything with it.

IPv4 Internet protocol
Example: 137.056.xxx.xxx is TilburgUniversity.edu
Five or six years ago, we didn’t have any addresses left. Thus, almost ten
years ago they came up with IPv6. This means 32 digits instead of 12.
• Zeros are omitted, but they might add them.

Internet of things
A lot of things other than computers are connected to the internet. Almost
everybody has three communication devices, so you already need three
addresses. Everything will be connected to the internet. You might be able
to command and manage these devices from a distance. Companies will do that
with their plants and machinery.

Information security

Cybercrime: when people or groups of people use the internet to get to your
data; thieves.

Why do we need information security?
• national security
• privacy
• all private and company-owned data has to be protected

We need IS to have reliable data in our society.
If data is not reliable, managers will make wrong decisions because of
wrong data.

Difference between information systems and information technology
Information technology is mainly hardware, software, infrastructure, etc.
One element has to be added before we can talk about information systems:
people/organizations. So: hardware, software and people/organization.

Difference between IT security and IS security
People are the weakest part of security. People will not always do exactly
what you tell them to; computers/devices will.

Lecture 2

Information security management

How to create a successful ISM program?
• Have a good understanding of what the business is about. The program
has to fit the company.
• Investment analysis. Develop some kind of business case to justify
the money spent on information security.
• Find out what the specifics of the regulations are for the company.
Identify the regulatory and legal requirements.
• Look for somebody who will agree with the idea. Obtain commitment
from senior management. You need somebody at the top level from
whom you can obtain authority. They have to approve this program.
• Start finding a structure, including reporting mechanisms, and try to
‘roll out’ a program on information security.
• You have to create some structure and define the roles, tasks and
responsibilities throughout the organization, on different levels.

Are there organizations that don’t necessarily have to follow all the steps?
Some organizations have more legal obligation to do something. Also,
some organizations already have some security management in place;
they are aware that they have to be careful with some information. Two
obvious ones are hospitals (privacy-related data; dangerous operations)
and the petrochemical industry (the production process must not explode).

Corporate governance
Corporate governance means ‘goed bestuur’ (in Dutch) / ‘good
management’. All the important aspects of good organizations are in the
definition of corporate governance.

Main problem of corporate governance
The principal-agent problem. The difference between shareholders and
management.
Seller: annemiekvdb (Tilburg University)
Graduated BSc Bedrijfseconomie (Business Administration), MSc Information Management and MSc Data Science at Tilburg University.