Information Security Management Basics

The document outlines the fundamentals of information security, focusing on the protection of information systems from unauthorized access and various types of security attacks. It introduces key concepts such as the CIA triad (Confidentiality, Integrity, Availability) and discusses administrative and technical measures to enhance security. Additionally, it covers the IT Act of 2000 and its 2008 amendment, which modernized India's cyber laws and established legal frameworks for electronic transactions and cybersecurity.


Security Information Management
Chapter 1
Basics of Information Security

Arti Sawant
HCSC701: Security Information Management
4 credits (4 hrs/week); ESE: 60 marks, MT: 20 marks, CA: 20 marks
Course Outcomes
Curriculum
Information Security
 The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to ensure confidentiality, integrity, and availability.
Aspects of Security
 Consider three aspects of information security:
- Security attack
- Security mechanism
- Security service
Security Attack
 Any action that compromises the security of information owned by an organization.
 Information security is about how to prevent attacks, or failing that, to detect attacks on information-based systems.
 The terms threat and attack are often used to mean the same thing.
 There is a wide range of attacks.
 We can focus on generic types of attacks:
- Passive
- Active
Passive Attacks
Active Attacks
Security Service
 Enhances the security of data processing systems and information transfers of an organization.
 Intended to counter security attacks.
 Uses one or more security mechanisms.
 Often replicates functions normally associated with physical documents:
- which, for example, have signatures and dates; need protection from disclosure, tampering, or destruction; may be notarized or witnessed; may be recorded or licensed.
Model for Network Security
Model for Network Access Security
CIA Triad: Confidentiality, Integrity & Availability
 Confidentiality: Only authorized parties can access information.
 Integrity: Ensures data is complete and accurate.
 Availability: Ensures information and systems are accessible to authorized users when needed.
Confidentiality
 Goals:
- Prevent sensitive information from being
seen by unauthorized parties.
- Maintain privacy of data in storage,
transmission, and processing
- Enforce proper data classification (e.g.,
public, internal, confidential, restricted).
Attacks on confidentiality
 Sniffing: Intercepting network traffic (e.g., packet sniffing).
 Shoulder surfing: Observing someone typing a password or PIN.
 Phishing: Tricking a user into submitting passwords or other confidential information.
 Data breach: Unauthorized access to databases or storage (e.g., via stolen credentials or weak access controls).
 Malware/Spyware: Software that captures screen contents, keystrokes, or data from user systems.
 Improper disposal: Recovering sensitive information from discarded devices/media that were not properly sanitized.
Integrity
 Goals:
- Data should remain the same across systems
and over time unless changed deliberately.
- Users must be able to trust that the data hasn't
been tampered with.
- Only authorized personnel/systems can alter
data.
- Any unauthorized or accidental modification
should be detectable.
Attacks on integrity
 Modification attacks: The attacker intercepts or accesses data and changes it for personal gain.
 Masquerading (spoofing): The attacker impersonates a legitimate user or entity to gain unauthorized access.
 Replay attacks: The attacker captures a valid message and re-sends it later to replicate its effect.
 Repudiation: One party denies having sent or received a message, despite having done so.
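As an added illustration (not from the slides), the Python below shows how a receiver detects two of the attacks in the table: an HMAC computed over a nonce and the message body catches modification, and remembering used nonces catches replays. The shared key, message wording and nonce format are constructed for the example; note that a shared-key MAC cannot settle repudiation, since either holder of the key could have produced the tag.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Set, Tuple

# Constructed sample key shared by sender and receiver (illustration only;
# a real deployment generates and distributes the key out of band).
SHARED_KEY = b"demo-shared-key-not-for-production"


def make_message(key: bytes, body: str) -> Dict[str, str]:
    """Attach a fresh random nonce and an HMAC-SHA256 tag over nonce and body."""
    nonce = secrets.token_hex(8)
    tag = hmac.new(key, f"{nonce}|{body}".encode(), hashlib.sha256).hexdigest()
    return {"nonce": nonce, "body": body, "tag": tag}


def verify_message(key: bytes, msg: Dict[str, str], seen: Set[str]) -> Tuple[bool, str]:
    """Return (accepted, reason); rejects modified messages and replays.

    `seen` is the receiver's memory of nonces already accepted."""
    expected = hmac.new(key, f"{msg['nonce']}|{msg['body']}".encode(),
                        hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so the comparison leaks no timing hints
    if not hmac.compare_digest(expected, msg["tag"]):
        return False, "modification detected: tag mismatch"
    if msg["nonce"] in seen:
        return False, "replay detected: nonce already used"
    seen.add(msg["nonce"])
    return True, "accepted"


def demo() -> Dict[str, str]:
    """Run a genuine message, a tampered copy and a replayed copy through the check."""
    seen: Set[str] = set()
    original = make_message(SHARED_KEY, "transfer 100 to account 42")
    results = {"genuine": verify_message(SHARED_KEY, original, seen)[1]}
    # Modification attack: body altered in transit, tag left unchanged
    tampered = dict(original, body="transfer 9000 to account 42")
    results["tampered"] = verify_message(SHARED_KEY, tampered, seen)[1]
    # Replay attack: the exact original message is delivered a second time
    results["replayed"] = verify_message(SHARED_KEY, original, seen)[1]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} -> {outcome}")
```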
Availability
 Goals:
- Ensure information and services are accessible
when needed
- Systems and services should operate
consistently and predictably
- Use of backup systems or components to
maintain service
- Ability to recover quickly from failures (e.g., fire,
flood, cyberattack)
Attacks on availability
 Denial of Service (DoS): Overloads a system with excessive requests, causing it to crash or slow down.
 Distributed DoS (DDoS): Similar to DoS but from multiple sources (botnets) for greater impact.
 Ransomware: Encrypts files/systems, making data unavailable until a ransom is paid.
 Hardware failure attacks: Physically damaging servers, storage, or networking hardware.
Administrative vs Technical Measures
Administrative Measures
- Management-level policies and procedures put in place to define roles, responsibilities, behavior, and guidelines to secure the organization
- Define rules for acceptable use, access, mobile devices, data handling
- Educating employees on phishing, password hygiene, incident response
- Define procedures to handle breaches and incidents
- Determine who gets access, how, and when
- Identify, evaluate, and prioritize security risks
- Ensure adherence to standards (e.g., ISO 27001, GDPR, HIPAA)
Technical Measures
- Hardware- or software-based mechanisms that enforce security policies and protect CIA
- Protect data in transit and at rest
- Using passwords, biometrics, tokens, MFA for authentication
- Role-based access control (RBAC), ACLs
- Control network traffic between zones
- Detect and remove malicious software
- SIEM (Security Information and Event Management): correlates logs to detect threats
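To make the SIEM entry concrete, here is an added example (not part of the slides) of the kind of correlation a SIEM rule performs: it reads constructed login records in a simplified "timestamp ip user result" layout, flags a source that produces five failures within one minute, and flags a later successful login from that same source. The record layout, threshold and window are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

# Constructed sample authentication records (not real SIEM output).
# Addresses are from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOGS = """\
2025-07-22T09:00:01 203.0.113.5 alice FAIL
2025-07-22T09:00:04 203.0.113.5 alice FAIL
2025-07-22T09:00:07 203.0.113.5 bob FAIL
2025-07-22T09:00:09 203.0.113.5 carol FAIL
2025-07-22T09:00:12 203.0.113.5 dave FAIL
2025-07-22T09:00:15 203.0.113.5 alice OK
2025-07-22T09:01:00 198.51.100.7 erin FAIL
2025-07-22T09:20:00 198.51.100.7 erin FAIL
""".splitlines()


def correlate_failed_logins(lines: List[str], threshold: int = 5,
                            window: timedelta = timedelta(seconds=60)) -> List[Dict[str, str]]:
    """Correlate records per source IP over a sliding window.

    Emits 'brute_force_burst' once a source reaches `threshold` failures inside
    `window`, and 'success_after_burst' when that source later logs in successfully."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    bursting: Set[str] = set()
    alerts: List[Dict[str, str]] = []
    for line in lines:
        ts_s, ip, user, result = line.split()
        ts = datetime.fromisoformat(ts_s)
        fails = recent[ip]
        if result == "FAIL":
            fails.append(ts)
            # forget failures that have slid out of the window
            while fails and ts - fails[0] > window:
                fails.popleft()
            if len(fails) >= threshold and ip not in bursting:
                bursting.add(ip)
                alerts.append({"rule": "brute_force_burst", "ip": ip, "at": ts_s})
        elif result == "OK" and ip in bursting:
            alerts.append({"rule": "success_after_burst", "ip": ip, "user": user, "at": ts_s})
    return alerts


if __name__ == "__main__":
    for alert in correlate_failed_logins(SAMPLE_LOGS):
        print(alert)
```

The two isolated failures from 198.51.100.7 are nineteen minutes apart, so they never accumulate inside the window and raise no alert.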
Policies
 An information security policy is a formal, high-level statement that outlines an organization's rules and commitment to protecting its information assets.
 Sets the overall direction and intent.
 Provides management support for security.
 E.g. Acceptable Use Policy, Password Policy, Data Protection Policy, etc.
Procedures
 Procedures are step-by-step instructions that
explain how to implement a policy.
 Translate policies into concrete actions.
 Ensure tasks are performed consistently and
securely.
 Detailed, task-specific, and operational.
 Focused on "how" rather than "why".
 May vary between departments based on
context.
Guidelines
 Guidelines are recommendations or best
practices that help users make informed
decisions, but they are not mandatory.
 Offer flexibility while promoting secure behavior.
 Suggest improvements beyond minimum
compliance.
 Optional but encouraged.
 Can be tailored to specific needs.
 Not enforceable, but highly valuable.
Standards
 Standards are formal rules or criteria that define
uniform specifications, methods, or requirements for
consistent implementation.
 Ensure uniformity and quality across systems and
processes.
 Enforce technical consistency with policies and
procedures.
 Precise and measurable.
 Often based on industry frameworks (e.g., ISO, NIST)
 Mandatory when adopted by the organization.
Information Security: People, Process, and Technology (PPT)
 The People, Process, Technology model
is a widely accepted triad framework used
in cybersecurity and information security to
build a balanced and effective security
strategy.
 It emphasizes that true security is
achieved not just by implementing
technology, but also by aligning it with the
right people and processes.
 "People" refers to employees, users,
administrators, security professionals, and
leadership within an organization who interact
with or manage information systems.
 People are the first line of defense — and often
the weakest link.
 Human errors such as clicking phishing links,
using weak passwords, or mishandling data can
lead to security breaches.
Key Considerations
 Security Awareness Training: Regular education on
cyber threats, phishing, social engineering, etc.
 Roles and Responsibilities: Defining clear accountability
for security.
 Insider Threat Management: Detecting and mitigating
threats from within the organization.
 User Access Management: Assigning only required
privileges based on job roles.
 E.g. A well-trained employee may recognize a phishing
email and report it — preventing a potential data breach.
 Processes refer to the policies, procedures, and
workflows that define how security is managed,
enforced, and monitored across the organization
 Processes ensure that security tasks are
repeatable, consistent, and compliant with
standards.
 They define "how" and "when" security is applied
— reducing the dependency on individual
decision-making.
Key processes
 Incident Response Plan: Steps to detect, respond to,
and recover from security incidents.
 Risk Management: Identifying and mitigating security
risks.
 Change Management: Secure implementation of
changes to systems.
 Compliance Monitoring: Ensuring alignment with laws
like GDPR, HIPAA, ISO 27001.
 E.g. A documented and tested incident response
process allows a company to quickly isolate a malware-
infected system and avoid further damage.
 "Technology" refers to the tools, platforms,
software, and hardware used to protect, monitor,
and respond to security threats.
 Technology automates and enforces security
controls.
 Provides real-time detection and protection from
cyberattacks.
Key technologies
 Firewalls & IDS/IPS: Network protection and monitoring.
 Antivirus/Anti-malware: Endpoint defense.
 Encryption: Protects data at rest and in transit
 Authentication Systems (MFA, biometrics): Controls
access
 Security Information and Event Management (SIEM):
Centralized threat analysis and logging.
 E.g. An organization installs an endpoint detection tool
that automatically quarantines systems infected with
ransomware.
IT Act, 2000
 Enacted by the Indian Parliament in May 2000,
the IT Act provides the legal foundation for
e‑governance and e‑commerce, granting official
recognition to electronic records and digital
signatures
 It amended several laws—including the Indian
Penal Code and the Evidence Act—to
streamline legal recognition of digital documents
and authentication
Features of the Act
 Legal Recognition of Electronic Transactions: Section 4
declares electronic records legally valid and Section 5 validates
digital signatures as legally binding
 Regulatory Framework: Establishes a Controller of Certifying
Authorities (CCA) to oversee digital signature issuance and
compliance
 Cybercrime Offenses & Penalties: Covers hacking, data theft, identity theft, misrepresentation, cyber‑terrorism, publishing obscene content, etc. Penalties range from fines to imprisonment.
 E.g. Civil liability for damage caused by unauthorized access is
covered under Section 43, which allows compensation up to ₹1
crore
 The Act applies to actions involving Indian computer systems,
even if committed abroad
Case study
 Shreya Singhal v. Union of India (2015)
IT Act 2008
 The Information Technology (Amendment) Act,
2008 is a major update to the Information
Technology Act, 2000. It was passed by the Indian
Parliament in December 2008 and came into effect
on 27 October 2009.
 Purpose: to modernize India's cyber laws in response to:
- Rapid advancements in digital technology.
- Emergence of new cybercrimes.
- The need for better data protection and cyber law enforcement.
Amendments in IT Act, 2008
 Several new cybercrimes were formally defined:
- Section 66A, Offensive messages: Sending offensive/false content electronically (struck down in 2015).
- Section 66B, Dishonest receipt of stolen computer resources: Penalty for knowingly receiving stolen digital assets.
- Section 66C, Identity theft: Using someone else's digital signature, password, or other unique ID.
- Section 66D, Cheating by personation: Fraud using computer resources (e.g., phishing).
- Section 66E, Privacy violation: Capturing/publishing private images without consent.
- Section 66F, Cyber terrorism: Acts intended to threaten the sovereignty or integrity of India using computer systems. Punishable with life imprisonment.
Amendments in IT Act, 2008 (continued)
 Data Protection: Section 43A
- Companies that collect, store, or process sensitive personal data must implement "reasonable security practices".
 Privacy Safeguard: Section 72A
- Punishment for disclosure of personal information without consent.
- Penalty: Up to 3 years imprisonment or ₹5 lakh fine, or both.
 Intermediary Liability: Section 79
- Defines the responsibilities of intermediaries (e.g., ISPs, web hosting services, social media platforms).
- Updated in 2021 through the IT Rules to impose stricter content regulation and accountability.
Amendments in IT Act, 2008 (continued)
 Cybersecurity Institutions Established
- Section 70A: Created the National Critical Information Infrastructure Protection Centre (NCIIPC) under NTRO to protect key sectors like energy, finance, and transport.
- Section 70B: Officially designated CERT-In as the national nodal agency for cybersecurity incident response.
 Government Surveillance Powers: Section 69
- Enables government agencies to intercept, monitor, or decrypt information for reasons such as the sovereignty and integrity of India and national security.
 Legal Recognition of Electronic Evidence
- The amendment made electronic records and digital signatures admissible as evidence in court.
- Strengthened provisions of the Indian Evidence Act and Indian Penal Code.
IT Act 2000 vs IT Act 2008
 Scope
- IT Act 2000: E-commerce, legal validity of e-records
- IT Act 2008 (Amended): Cybercrime, data protection, privacy
 New Crimes Defined
- IT Act 2000: Few (e.g., hacking)
- IT Act 2008 (Amended): Identity theft, cyber terrorism, phishing
 Data Privacy
- IT Act 2000: Not addressed
- IT Act 2008 (Amended): Sections 43A and 72A added
 Intermediaries
- IT Act 2000: Not well-defined
- IT Act 2008 (Amended): Defined with legal protection (Sec 79)
 Institutions
- IT Act 2000: Controller of Certifying Authorities
- IT Act 2008 (Amended): Added CERT-In, NCIIPC
 Surveillance
- IT Act 2000: Not addressed
- IT Act 2008 (Amended): Govt powers under Sec 69 introduced
 Class Assignment 1 (Date: 22/7/2025)
 Q1. Analyse the given case study using the following points:
- Case introduction
- Facts
- Issue
- Decision
- Impact
- Sections applicable in the case
 Case study on “Shreya Singhal v. Union of India (2015)”
 Case study on “Avnish Bajaj vs State ([Link])”
 Google India Pvt. Ltd. v. Visaka Industries (2020)
