Cryptography and Network Security (Unit-1 Introduction), Study notes of Cryptography and System Security

Topics to be covered: Information Security Laws and Standards; Payment Card Industry Data Security Standard (PCI DSS); Health Insurance Portability and Accountability Act (HIPAA); Information Security Policy (ISP); Cyber Law in Different Countries; contingency plan; business continuity vs. business contingency plans; benefits of contingency plans.

Typology: Study notes

2022/2023

Available from 09/07/2023

anshika-jaiswal-1
UNIT-I Part-I
Information Security
Information security is “the state of the well-being of information and infrastructure in which the
possibility of theft, tampering, or disruption of information and services is kept low or tolerable.”
It relies on five major elements: confidentiality, integrity, availability, authenticity, and non-
repudiation.
Confidentiality: Confidentiality is the assurance that the information is accessible only to authorized users. Confidentiality breaches may occur due to improper data handling or a hacking attempt. Confidentiality controls include data classification, data encryption, and proper disposal of equipment (such as DVDs, USB drives, and Blu-ray discs).

Integrity: Integrity is the trustworthiness of data or resources in the prevention of improper and unauthorized changes—the assurance that information is sufficiently accurate for its purpose. Measures to maintain data integrity may include a checksum (a number produced by a mathematical function to verify that a given block of data is not changed) and access control (which ensures that only authorized people can update, add, or delete data).

Availability: Availability is the assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users. Measures to maintain data availability can include disk arrays for redundant systems and clustered machines, antivirus software to combat malware, and distributed denial-of-service (DDoS) prevention systems.

Authenticity: Authenticity refers to the characteristic of communication, documents, or any data that ensures the quality of being genuine or uncorrupted. The major role of authentication is to confirm that a user is genuine. Controls such as biometrics, smart cards, and digital certificates ensure the authenticity of data, transactions, communications, and documents.

Non-Repudiation: Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message. Individuals and organizations use digital signatures to ensure non-repudiation.
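As an added example (not part of these notes), the Python code below shows the checksum mentioned under Integrity in practice, and goes one step further than the notes: an unkeyed checksum detects accidental change, but anyone who can modify a data block can also recompute the checksum, so a keyed message authentication code (HMAC) is what ties the integrity check to a secret. The record, the key and the "tampered" copy are all constructed for this example.

```python
"""Integrity checks for a block of data (added example, constructed inputs).

An unkeyed checksum (here SHA-256) lets a receiver detect that a block of data
has changed. A keyed tag (HMAC-SHA256) additionally requires the secret key to
produce a valid tag, so a change made by someone without the key is detected.
"""
import hashlib
import hmac

# Constructed sample record and secret key, not taken from any real system.
RECORD = b"account=1234;balance=100.00"
KEY = b"example-shared-secret-key"


def checksum(data: bytes) -> str:
    """Unkeyed integrity checksum: SHA-256 hex digest of the data block."""
    return hashlib.sha256(data).hexdigest()


def verify_checksum(data: bytes, expected: str) -> bool:
    """True if the data block still matches the stored checksum."""
    return hmac.compare_digest(checksum(data), expected)


def mac(data: bytes, key: bytes) -> str:
    """Keyed integrity tag: HMAC-SHA256 over the data block."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(data: bytes, key: bytes, expected: str) -> bool:
    """True only if the data is unchanged and the tag was made with this key."""
    return hmac.compare_digest(mac(data, key), expected)


def demo() -> dict:
    """Runs both checks against an untouched and a modified copy of RECORD."""
    stored_sum = checksum(RECORD)
    stored_tag = mac(RECORD, KEY)
    tampered = RECORD.replace(b"100.00", b"900.00")  # constructed modification

    return {
        # The stored checksum still matches the untouched record.
        "checksum_ok_unchanged": verify_checksum(RECORD, stored_sum),
        # Any change to the block changes the checksum, so corruption is caught.
        "checksum_detects_change": not verify_checksum(tampered, stored_sum),
        # Whoever can edit the block can also recompute an unkeyed checksum,
        # so a plain checksum cannot distinguish deliberate edits from originals.
        "checksum_fooled_by_recompute": verify_checksum(tampered, checksum(tampered)),
        # The keyed tag behaves like the checksum for the untouched record...
        "mac_ok_unchanged": verify_mac(RECORD, KEY, stored_tag),
        # ...and for an accidental change...
        "mac_detects_change": not verify_mac(tampered, KEY, stored_tag),
        # ...but a tag recomputed without the real key is rejected.
        "mac_rejects_wrong_key": not verify_mac(tampered, KEY, mac(tampered, b"wrong-key")),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Every entry returned by demo() is True: the checksum alone is an integrity control against accidental change, while the HMAC also covers change by a party who does not hold the key. A digital signature, as named under Non-Repudiation, goes a step beyond HMAC by letting a verifier check the tag without holding the signer's secret.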
Information Security Laws and Standards
Laws are a system of rules and guidelines that are enforced by a particular country or community to
govern behaviour. A Standard is a “document established by consensus and approved by a
recognized body that provides, for common and repeated use, rules, guidelines, or characteristics
for activities or their results, aimed at the achievement of the optimum degree of order in a given
context.” This section deals with the various laws and standards dealing with information security in different countries.

Payment Card Industry Data Security Standard (PCI DSS)

Source: https://www.pcisecuritystandards.org

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. This standard offers robust and comprehensive standards and supporting materials to enhance payment card data security. These materials include a framework of specifications, tools, measurements, and support resources to help organizations ensure the safe handling of cardholder information. PCI DSS applies to all entities involved in payment card processing, including merchants, processors, acquirers, issuers, and service providers, as well as all other entities that store, process or transmit cardholder data. PCI DSS comprises a minimum set of requirements for protecting cardholder data. The Payment Card Industry (PCI) Security Standards Council has developed and maintains a high-level overview of PCI DSS requirements.

[Table: PCI Data Security Standard—High-Level Overview (table contents not included in this preview)]

Failure to meet PCI DSS requirements may result in fines or the termination of payment-card processing privileges.

ISO/IEC 27001:2013 Source:

Health Insurance Portability and Accountability Act (HIPAA)

- Privacy Rule: The HIPAA Privacy Rule establishes national standards to protect people’s medical records and other personal health information and applies to health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically. The rule requires appropriate safeguards to protect the privacy of personal health information. It sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections.
- Security Rule: The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronically protected health information.
- Employer Identifier Standard: HIPAA requires that each employer has a standard national number that identifies them on standard transactions.
- National Provider Identifier Standard (NPI): The National Provider Identifier (NPI) is a HIPAA Administrative Simplification Standard. The NPI is a unique identification number assigned to covered health care providers. Covered health care providers and all health plans and health care clearinghouses must use the NPIs in the administrative and financial transactions adopted under HIPAA. The NPI is a 10-position, intelligence-free numeric identifier (10-digit number). This means that the numbers do not carry other information about healthcare providers, such as the state in which they live or their medical specialty.
- Enforcement Rule: The HIPAA Enforcement Rule contains provisions relating to compliance and investigation, as well as the imposition of civil monetary penalties for violations of the HIPAA Administrative Simplification Rules and procedures for hearings.

Information Security Policy (ISP)

An information security policy (ISP) is a set of rules, policies and procedures designed to ensure all end users and networks within an organization meet minimum IT security and data protection security requirements. ISPs should address all data, programs, systems, facilities, infrastructure, authorized users, third parties and fourth parties of an organization.

What is the Purpose of an Information Security Policy?

An information security policy aims to enact protections and limit the distribution of data to only those with authorized access. Organizations create ISPs to:

- Establish a general approach to information security
- Document security measures and user access control policies
- Detect and minimize the impact of compromised information assets such as misuse of data, networks, mobile devices, computers and applications
- Protect the reputation of the organization
- Comply with legal and regulatory requirements like NIST, GDPR, HIPAA and FERPA
- Protect their customers' data, such as credit card numbers
- Provide effective mechanisms to respond to complaints and queries related to real or perceived cyber security risks such as phishing, malware and ransomware
- Limit access to key information technology assets to those who have an acceptable use

Why is an Information Security Policy Important?

Creating an effective information security policy that meets all compliance requirements is a critical step in preventing security incidents like data leaks and data breaches. ISPs are important for new and established organizations. Increasing digitalization means every employee is generating data, and a portion of that data must be protected from unauthorized access. Depending on your industry, it may even be protected by laws and regulations. Sensitive data, personally identifiable information (PII), and intellectual property must be protected to a higher standard than other data. Whether you like it or not, information security (InfoSec) is important at every level of your organization, and outside of your organization. Increased outsourcing means third-party vendors have access to data too. This is why third-party risk management and vendor risk management are part of any good information security policy. Third-party risk, fourth-party risk and vendor risk are no joke.

What are the Key Elements of an Information Security Policy?

An information security policy can be as broad as you want it to be. It can cover IT security and/or physical security, as well as social media usage, lifecycle management and security training. In general, an information security policy will have these nine key elements:

  1. Purpose

Outline the purpose of your information security policy which should:

- Preserve your organization's information security.
- Detect and preempt information security breaches caused by third-party vendors, misuse of networks, data, applications, computer systems and mobile devices.
- Protect the organization's reputation.
- Uphold ethical, legal and regulatory requirements.
- Protect customer data and respond to inquiries and complaints about non-compliance of security requirements and data protection.

  1. Audience

Define who the information security policy applies to and who it does not apply to. You may be tempted to say that third-party vendors are not included as part of your information security policy.

  1. Level 4: Information has a high risk of causing serious harm to individuals or your organization if disclosed
  2. Level 5: Information will cause severe harm to individuals or your organization if disclosed

In this classification, levels 2-5 would be classified as confidential information and would need some form of protection.


  1. Data Support and Operations

Once data has been classified, you need to outline how data at each level will be handled. There are generally three components to this part of your information security policy:

  1. Data protection regulations: Organizations that store personally identifiable information (PII) or sensitive data must be protected according to organizational standards, best practices, industry compliance standards and regulation
  2. Data backup requirements: Outlines how data is backed up, what level of encryption is used and what third-party service providers are used
  3. Movement of data: Outlines how data is communicated. Data that is deemed classified in the above data classification should be securely communicated with encryption and not transmitted across public networks to avoid man-in-the-middle attacks

  1. Security Awareness Training

A perfect information security policy that no one follows is no better than having no policy at all. You need your staff to understand what is required of them. Training should be conducted to inform employees of security requirements, including data protection, data classification, access control and general security threats.

Security training should include:

- Social engineering: Teach your employees about phishing, spearphishing and other common social engineering cyber attacks.
- Clean desk policy: Laptops should be taken home and documents shouldn't be left on desks at the end of the work day.
- Acceptable usage: What can employees use their work devices and Internet for, and what is restricted?

  1. Responsibilities and Duties of Employees

This is where you operationalize your information security policy. This part of your information security policy needs to outline the owners of:

- Security programs
- Acceptable use policies
- Network security
- Physical security
- Business continuity
- Access management
- Security awareness
- Risk assessments
- Incident response
- Data security
- Disaster recovery
- Incident management

  1. Other Items an ISP May Include

Virus protection procedure, malware protection procedure, network intrusion detection procedure, remote work procedure, technical guidelines, consequences for non-compliance, physical security requirements, references to supporting documents, etc.

What are the Best Practices for Information Security Management?

A mature information security policy will outline or refer to the following policies:

  1. Acceptable use policy (AUP): Outlines the constraints an employee must agree to in order to use a corporate computer and/or network
  2. Access control policy (ACP): Outlines access controls to an organization's data and information systems
  3. Change management policy: Refers to the formal process for making changes to IT, software development and security
  4. Information security policy: High-level policy that covers a large number of security controls
  5. Incident response (IR) policy: An organized approach to how the organization will manage and remediate an incident
  6. Remote access policy: Outlines acceptable methods of remotely connecting to internal networks
  7. Email/communication policy: Outlines how employees can use the business's chosen electronic communication channels such as email, Slack or social media
  8. Disaster recovery policy: Outlines the cybersecurity and IT teams' input into the organization's overall business continuity plan
  9. Business continuity plan (BCP): Coordinates efforts across the organization and is used in the event of a disaster to restore the business to a working order
  10. Data classification policy: Outlines how your organization classifies its data
  11. IT operations and administration policy: Outlines how all departments and IT work together to meet compliance and security requirements.
  12. SaaS and cloud policy: Provides the organization with clear cloud and SaaS adoption guidelines; this helps mitigate third-party and fourth-party risk
  13. Identity and access management (IAM) policy: Outlines how IT administrators authorize systems and applications to the right employees and how employees create passwords to comply with security standards
  14. Data security policy: Outlines the technical requirements and acceptable minimum standards for data security to comply with relevant laws and regulations
  15. Privacy regulations: Outlines how the organization complies with government-enforced regulations such as GDPR that are designed to protect customer privacy
  16. Personal and mobile devices policy: Outlines if employees are allowed to use personal devices to access company infrastructure and how to reduce the risk of exposure from employee-owned assets

Contingency plan

A contingency plan is a course of action designed to help an organization respond effectively to a significant future incident, event or situation that may or may not happen. A contingency plan is sometimes referred to as "Plan B" or a backup plan because it can also be used as an alternative action if expected results fail to materialize. Contingency planning is a component of business continuity (BC), disaster recovery (DR) and risk management. Contingency planning and technology DR plan development are closely related concepts. The National Institute of Standards and Technology (NIST) standard for IT disaster recovery planning includes contingency in its title.

Over the years, the contingency planning process has been connected to other types of business-readiness plans based on standards developed around the world. These standards address issues related to BC, incident response (IR), cybersecurity, continuity of operations, critical infrastructure, crisis communications, emergency response, natural disaster response and organizational resilience. Organizational resilience has evolved over the past couple of decades, and some experts view it as an umbrella term for contingency plans and the other plan types discussed here.

Example of a contingency plan

A contingency plan can focus on one specific part of an organization's operations. For example, it can be the measures taken to back up all critical data. Another example would be work-from-home provisions put in place in case a facility is out of commission. The COVID-19 pandemic demonstrated to many organizations the importance of having comprehensive contingency plans in place across an organization prior to an unplanned event. Companies with adequate plans were able to react faster when the pandemic started to escalate.

7 steps of a contingency plan

Contingency planning standards include a framework and structure for plan design and development. The plan structure is a repeatable format that simplifies the development of contingency and other plans. A popular IT contingency plan model is defined in NIST SP 800-34 Rev. 1 (2010), "Contingency Planning Guide for Federal Information Systems." It includes the following seven steps:

  1. Contingency planning policy statement. This policy provides the outline and authorization to develop a contingency plan.
  2. Business impact analysis. BIA identifies and prioritizes the systems that are important to an organization's business functions.
  3. Preventive controls. Proactive measures that prevent system outages and disruptions can ensure system availability and reduce costs related to contingency measures and lifecycle.
  4. Contingency strategies. Thorough recovery strategies ensure that a system may be recovered fast and completely after a disruption.

Business continuity

If contingency planning activities are insufficient to restore business operations, it may be necessary to declare a disaster and launch a longer-term business continuity plan as well as a technology disaster recovery plan. BC plans are designed to facilitate the recovery and resumption of business activities to as close to normal operations as possible.

Benefits of contingency plans

When a disruptive or negative event occurs, contingency plans provide a structure for assessment and actions to recover from such unexpected events. The faster the recovery, the less potential there is for damage to occur to the organization and its employees. Speed in recovery also helps maintain a company's financial status, competitive position and reputation.