LEGAL & ETHICAL ASPECTS OF INFORMATION SYSTEM
IMS657
7. Managing Secure Systems
• Information Security Planning
• Information Security Policy, Standards, and Practices
• Security Education, Training, and Awareness
• Continuity Strategies
• Information Security Project Management
• Staffing the Security Function
Policy: the basic principles by which an organization, unit or department is guided; the declared objectives that an organization seeks to achieve and preserve in the interest of the organization.
• The success of any information security program lies in policy development
• Policy is the essential foundation of an effective information security program
• An effective information security training and awareness effort cannot be initiated without written information security policies
• A quality information security program begins and ends with policy
• Although information security policies are the least expensive means of control to execute, they are often the most difficult to implement
• Policy controls cost only the time and effort that the management team spends to create, approve and communicate them, and that employees spend integrating the policies into their daily activities
• Even the cost of hiring a consultant is minimal compared to technical controls
• Policy should never conflict with law
• Policy must be able to stand up in court, if challenged
• Policy must be properly supported and administered
• Example: a policy that accountants shred their working papers
‘…policies are important reference documents for internal audits and for the resolution of legal disputes about management’s due diligence [and] policy documents can act as a clear statement of management’s intent…’
• Policy represents the formal statement of the organization’s managerial policy; in the case of our focus, the organization’s information security philosophy
• Traditionally, communities of interest use policy to express their views, which then become the basis of planning, management and maintenance of the information security profile
• Policies
  • Set of rules that dictate acceptable and unacceptable behavior within an organization
  • Must specify the penalties for unacceptable behavior and define an appeals process
• To execute policy, the organization must implement a set of standards that clarify and define exactly what is inappropriate in the workplace
• Standard
  • A more detailed statement of what must be done to comply with policy
  • Technical controls and their associated procedures might be established
  • E.g., the network blocks access to pornographic websites
• Rules for the protection of the information assets of the organization
• Provide vital support to security professionals
• Reduce the risk from both internal and external threats
‘Information security policies are supposed to be read, understood and followed by all staff in the organization’
• Operational policies, standards, guidelines and metrics intended to establish minimum requirements for the secure delivery of government services
• Secure service delivery requires the assurance of confidentiality, integrity and availability of organizational information assets through:
1. Management and business processes that include and enable security processes;
2. Ongoing personnel awareness of security issues;
3. Physical security requirements for information systems;
4. Governance processes for information technology;
5. Reporting information security events and weaknesses;
6. Creating and maintaining business continuity plans; and
7. Monitoring for compliance.
• Based on NIST Special Publication 800-14, there are three types of information security policies:
  • Enterprise information security program policy
  • Issue-specific security policies
  • System-specific security policies
Enterprise information security program policy
• A general information security document that shapes the philosophy of security in IT
• Executive-level document, usually drafted by or with the CIO of the organization; 2-10 pages
• Typically addresses compliance in two areas:
  • Ensuring that the requirements to establish the program are met, and the responsibilities assigned therein to various organizational components
  • Use of specified penalties and disciplinary action
Issue-specific security policy
• Addresses specific areas of technology
• Requires frequent updates
• Contains a statement on the organization’s position on a specific issue
System-specific security policies (SysSPs)
• Frequently codified as standards and procedures used when configuring or maintaining systems
• Fall into two groups:
  • Access control lists (ACLs)
  • Configuration rules
The ISO/IEC 27000 Series
• Security Management Models
• ISO 27000 Series
• System Models (BLP, Biba, CWI, HRU, BN, etc.)
• NIST Models
• Others (COBIT, COSO, ITIL, Corporate Governance)
• ISO/IEC 27001, part of the ISO/IEC 27000 family of standards, is an Information Security Management System (ISMS) standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
• Its full name is ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements
• ISO/IEC 27001 specifies a management system that is intended to bring information security under explicit management control
ISO/IEC 27001:2005 covers:
1. Risk assessment and treatment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance
• An information security management system (ISMS) is a set of policies concerned with information security management or IT-related risks
• The principle of an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk
• Information technology security administrators should expect to devote approximately one-third of their time to addressing technical aspects
• The remaining two-thirds should be spent developing policies and procedures, performing security reviews and analyzing risk, addressing contingency planning and promoting security awareness
• Security depends on people more than on technology
• Employees are a far greater threat to information security than outsiders
• Security is like a chain: it is as strong as its weakest link
• The degree of security depends on three factors: the risk you are willing to take, the functionality of the system and the costs you are prepared to pay
• Security is not a status or a snapshot, but a running process
An ISMS should:
1. Have continuous support and commitment from the organization’s top management;
2. Be managed centrally, based on a common strategy and policy across the entire organization;
3. Be an integral part of the overall management of the organization, related to the organization’s approach to risk management, the control objectives and controls, and the degree of assurance required;
4. Base security objectives and activities on business objectives and requirements;
5. Undertake only necessary tasks and avoid over-control and waste of valuable resources;
6. Fully comply with the organization’s philosophy and mindset by providing a system that, instead of preventing people from doing what they are employed to do, enables employees to do it in a controlled way and demonstrate that they have fulfilled their accountabilities;
7. Be based on continuous training and awareness of staff, and avoid the use of disciplinary measures and “police” or “military” practices;
8. Be a never-ending process.
Security education
• Everyone in an organization needs to be trained in and aware of information security; not every member needs a formal degree or certificate in information security
• When formal education for individuals in security is needed, an employee can identify curricula available from local institutions of higher learning or continuing education
• A number of universities have formal coursework in information security
Security training
• Involves providing members of the organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely
• Management of information security can develop customized in-house training or outsource the training program
Security awareness
• One of the least frequently implemented but most beneficial programs is the security awareness program
• Designed to keep information security at the forefront of users’ minds
• Need not be complicated or expensive
• If the program is not actively implemented, employees begin to “tune out” and the risk of employee accidents and failures increases
Continuity strategies
• Information systems must be continuously available
• The probability of attack is high
• Managers must be ready to act
• Contingency Plan (CP)
  • Prepared by the organization
  • Anticipate, react to, and recover from attacks
  • Restore the organization to normal operations
Contingency planning comprises three components:
• Incident Response Plans (IRPs): focus on immediate response
• Disaster Recovery Plans (DRPs): focus on restoring systems
• Business Continuity Plans (BCPs): focus on establishing business functions at an alternate site
Business impact analysis (BIA)
• Investigate and assess the impact of various attacks
• First risk assessment, then BIA
• Prioritized list of threats and critical information
• Detailed scenarios of the potential impact of each attack
• Answers the question “if the attack succeeds, what do you do then?”
Incident response planning
• Incident response planning covers identification of, classification of, and response to an incident
• Attacks are classified as incidents if they:
  • Are directed against information assets
  • Have a realistic chance of success
  • Could threaten the confidentiality, integrity, or availability of information resources
• Incident response (IR) is more reactive than proactive, with the exception of the planning that must occur to prepare IR teams to be ready to react to an incident
• IR is the set of activities taken to plan for, detect, and correct the impact of an incident
• Incident planning
  • Requires understanding BIA scenarios
  • Develop a series of predefined responses
  • Enables the organization to react quickly
• Incident detection
  • Mechanisms: intrusion detection systems, virus detection, system administrators, end users
• Possible indicators
  • Presence of unfamiliar files
  • Execution of unknown programs or processes
  • Unusual consumption of computing resources
  • Unusual system crashes
• Probable indicators
  • Activities at unexpected times
  • Presence of new accounts
  • Reported attacks
  • Notification from IDS
• Definite indicators
  • Use of dormant accounts
  • Changes to logs
  • Presence of hacker tools
  • Notification by partner or peer
  • Notification by hackers
• Predefined situations
  • Loss of availability
  • Loss of integrity
  • Loss of confidentiality
  • Violation of policy
  • Violation of law
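The indicator tiers above lend themselves to simple triage logic. What follows is an added example written for this page, not code from the slides or from any product they mention: it classifies a set of constructed host and security events into the possible, probable and definite tiers using the indicators listed above, tests the stronger tiers first so that an event matching several rules reports its strongest one, and reports the highest tier present as the escalation level. The event schema, the business-hours window, the known-program list, the 90-day dormancy threshold and the sample events and login history are all assumptions constructed for the illustration.

```python
"""Triage of constructed events into the incident-indicator tiers on the slides.

Added example for this page. The event format, field names, thresholds and
sample data are assumptions for the illustration, not a real log schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed baseline (assumed, not a real environment's policy)
BUSINESS_HOURS = (8, 18)                 # local hours treated as expected activity
KNOWN_PROGRAMS = {"sshd", "nginx", "python3", "cron"}
DORMANT_AFTER = timedelta(days=90)       # no login for this long => dormant account
CPU_THRESHOLD = 90.0                     # percent; above this is "unusual consumption"

TIER_RANK = {"possible": 1, "probable": 2, "definite": 3}


@dataclass
class Event:
    ts: datetime
    kind: str          # process_start, cpu, crash, login, account_created, ids_alert, log_write, partner_report
    user: str = ""
    detail: str = ""
    value: float = 0.0


@dataclass
class Finding:
    tier: str          # "possible", "probable" or "definite"
    indicator: str
    event: Event


def classify(event: Event, last_login: Dict[str, datetime]) -> Optional[Finding]:
    """Map one event to an indicator tier, or None if it matches no indicator.
    Definite rules are tested first so an event matching several rules reports
    its strongest tier. last_login holds the previous login time per account."""
    # Definite indicators
    if event.kind == "login":
        prev = last_login.get(event.user)
        if prev is not None and event.ts - prev > DORMANT_AFTER:
            return Finding("definite", "use of dormant account", event)
    if event.kind == "log_write":
        return Finding("definite", "changes to logs", event)
    if event.kind == "partner_report":
        return Finding("definite", "notification by partner or peer", event)
    # Probable indicators
    if event.kind == "login" and not (BUSINESS_HOURS[0] <= event.ts.hour < BUSINESS_HOURS[1]):
        return Finding("probable", "activity at unexpected time", event)
    if event.kind == "account_created":
        return Finding("probable", "presence of new account", event)
    if event.kind == "ids_alert":
        return Finding("probable", "notification from IDS", event)
    # Possible indicators
    if event.kind == "process_start" and event.detail not in KNOWN_PROGRAMS:
        return Finding("possible", "execution of unknown program", event)
    if event.kind == "cpu" and event.value > CPU_THRESHOLD:
        return Finding("possible", "unusual consumption of computing resources", event)
    if event.kind == "crash":
        return Finding("possible", "unusual system crash", event)
    return None


def triage(events: List[Event], last_login: Dict[str, datetime]) -> List[Finding]:
    """Classify events in time order and return findings strongest tier first.
    Logins update last_login as they are processed so later dormancy checks see them."""
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        found = classify(ev, last_login)
        if found:
            findings.append(found)
        if ev.kind == "login":
            last_login[ev.user] = ev.ts
    return sorted(findings, key=lambda f: TIER_RANK[f.tier], reverse=True)


def escalation_level(findings: List[Finding]) -> str:
    """Highest tier present; this is what decides whether the IRP is invoked."""
    if not findings:
        return "none"
    return max(findings, key=lambda f: TIER_RANK[f.tier]).tier


def count_by_tier(findings: List[Finding]) -> Dict[str, int]:
    counts = {"possible": 0, "probable": 0, "definite": 0}
    for f in findings:
        counts[f.tier] += 1
    return counts


# Constructed sample events for one morning (not real telemetry)
T = datetime(2024, 3, 4)
SAMPLE_EVENTS = [
    Event(T.replace(hour=2, minute=13), "login", user="bob"),
    Event(T.replace(hour=10, minute=15), "process_start", detail="nginx"),
    Event(T.replace(hour=10, minute=20), "process_start", detail="unknown-bin"),
    Event(T.replace(hour=10, minute=30), "cpu", value=97.5),
    Event(T.replace(hour=11, minute=0), "account_created", user="tmp-admin"),
    Event(T.replace(hour=11, minute=5), "login", user="svc-backup"),
    Event(T.replace(hour=11, minute=10), "log_write", detail="/var/log/auth.log truncated"),
    Event(T.replace(hour=12, minute=0), "ids_alert", detail="signature match on web tier"),
]
# Constructed login history: bob logged in yesterday, svc-backup months ago
SAMPLE_LAST_LOGIN = {
    "bob": datetime(2024, 3, 3, 9, 0),
    "svc-backup": datetime(2023, 10, 1, 9, 0),
}


def run_sample() -> List[Finding]:
    return triage(SAMPLE_EVENTS, dict(SAMPLE_LAST_LOGIN))


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        print(f"{f.tier:<8} {f.indicator:<45} {f.event.ts:%H:%M} {f.event.user or f.event.detail}")
    print("escalation level:", escalation_level(results))
```

Running the file prints the findings strongest tier first and an escalation level of "definite". Two design points matter more than the rules themselves: the dormant service account logging in is reported as definite even though the same login would also match the weaker out-of-hours rule, and two of the slide's indicators (presence of hacker tools, notification by hackers) are deliberately not modelled, because they rest on human judgement and external contact rather than a rule that can be run over telemetry.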
• Actions outlined in the IRP guide the organization to:
  • Stop the incident
  • Mitigate the impact
  • Provide information recovery
  • Notify key personnel
  • Document the incident
• Options for containing an incident include:
  • Sever affected communication circuits
  • Disable accounts
  • Reconfigure the firewall
  • Disable the affected process or service
  • Take down email
  • Stop all computers and network devices
  • Isolate affected channels, processes, services, or computers
• Get everyone moving and focused
• Assess the damage
• Recovery:
  • Identify and resolve vulnerabilities
  • Address safeguards
  • Evaluate monitoring capabilities
  • Restore data from backups
  • Restore processes and services
  • Continuously monitor the system
  • Restore confidence
Disaster recovery planning
• Provide guidance in the event of a disaster
• Clear establishment of priorities
• Clear delegation of roles and responsibilities
• Alert key personnel
• Document the disaster
• Mitigate the impact
• Evacuation of physical assets
• Disaster recovery personnel must know their responses without any supporting documentation
Crisis management
• Actions taken during and after a disaster, focusing on the people involved and addressing the viability of the business
• The crisis management team is responsible for managing the event from an enterprise perspective and covers:
  • Support for personnel and their loved ones
  • Determining the impact on normal operations
  • Keeping the public informed
  • Communicating with major players such as major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties
Business continuity planning
• The BCP outlines the reestablishment of critical business operations during a disaster that impacts operations
• If a disaster has rendered the business unusable for continued operations, there must be a plan to allow the business to continue functioning
• Development of the BCP is somewhat simpler than that of the IRP or DRP; it consists primarily of selecting a continuity strategy and integrating off-site data storage and recovery functions into this strategy
• There are a number of strategies for planning for business continuity
• The determining factor in selecting between options is usually cost
• In general there are three exclusive options: hot sites, warm sites, and cold sites
• Three shared functions: time-shares, service bureaus, and mutual agreements
Hot sites
• Fully configured computer facilities
• All services and communication links
• Physical plant operations
Warm sites
• Do not include actual applications
• Applications may not be installed and configured
• Require hours to days to become operational
Cold sites
• Rudimentary services and facilities
• No hardware or peripherals
• Essentially an empty room
Time-shares
• Hot, warm, or cold site
• Leased with other organizations
Service bureaus
• Provide service for a fee
Mutual agreements
• A contract between two or more organizations that specifies how each will assist the other in the event of a disaster
Off-site data storage
• To get sites up and running quickly, the organization must have the ability to port data into the new site’s systems
• Electronic vaulting
  • Transfer of large batches of data
  • The receiving server archives the data
  • Provided for a fee
• Journaling
  • Transfer of live transactions to an off-site facility
  • Only transactions are transferred
  • Transfer is in real time
• Shadowing
  • Duplicated databases
  • Multiple servers
  • Processes duplicated
  • Three or more copies maintained simultaneously
Information Security Project Management
• Information security is a process, not a project
• However, each element of a security program can be managed as a project (managed processes)
• Project management: the application of knowledge, skills, tools, and techniques to project activities to meet project requirements
• Application to security: use of the PMBoK
• Project Management Institute (PMI) certifications:
  • Project Management Professional (PMP)
  • Certified Associate in Project Management (CAPM)
Project Management Book of Knowledge (PMBoK) (figure; source: Course Technology/Cengage Learning)
• Members of the development team
  • Champion
  • Team leader
  • Security policy developers
  • Risk assessment specialists
  • Security professionals
  • Systems administrators
  • End users
Staffing the security function
• The security function can be placed within:
  • IT function
  • Physical security function
  • Administrative services function
  • Insurance and risk management function
  • Legal department
• Organizations balance the needs of enforcement with the needs for education, training, awareness, and customer service
• Selecting personnel is based on many criteria, including supply and demand
• Many professionals enter the security market by gaining skills, experience, and credentials
• At present, the information security industry is in a period of high demand
• Organizations typically look for technically qualified information security generalists
• Organizations look for information security professionals who understand:
  • How an organization operates at all levels
  • That information security is usually a management problem, not a technical problem
  • Strong communications and writing skills
  • The role of policy in guiding security efforts
  • Most mainstream IT technologies
  • The terminology of IT and information security
  • The threats facing an organization and how they can become attacks
  • How to protect the organization’s assets from information security attacks
  • How business solutions can be applied to solve specific information security problems
• Many information security professionals enter the field through one of two career paths:
  • Law enforcement and military
  • Technical, working on security applications and processes
• Today, students select and tailor degree programs to prepare for work in information security
• Organizations can foster greater professionalism by matching candidates to clearly defined expectations and position descriptions
Chief Information Security Officer (CISO or CSO)
• Top information security position; frequently reports to the Chief Information Officer
• Manages the overall information security program
• Drafts or approves information security policies
• Works with the CIO on strategic plans
• Develops information security budgets
• Sets priorities for information security projects and technology
• Makes recruiting, hiring, and firing decisions or recommendations
• Acts as spokesperson for the information security team
• Typical qualifications: accreditation; graduate degree; experience
Security Manager
• Accountable for the day-to-day operation of the information security program
• Accomplishes objectives as identified by the CISO
• Typical qualifications: not uncommon to have accreditation; ability to draft middle- and lower-level policies, standards and guidelines; budgeting, project management, and hiring and firing; managing technicians
Security Technician
• Technically qualified individuals tasked to configure security hardware and software
• Tend to be specialized
• Typical qualifications:
  • Varied; organizations prefer expert, certified, proficient technicians
  • Some experience with a particular hardware and software package
  • Actual experience in using a technology is usually required
• Many organizations seek recognizable certifications
• Most existing certifications are relatively new and not fully understood by hiring organizations
• Certifications include: CISSP and SSCP; CISA and CISM; GIAC; SCP; TICSA; Security+; Certified Information Forensics Investigator
• The better certifications can be very expensive
• Even experienced professionals find it difficult to take an exam without some preparation
• Many candidates teach themselves through trade press books; others prefer the structure of formal training
• Before attempting a certification exam, do all your homework and review the exam criteria, its purpose, and requirements in order to ensure that the time and energy spent pursuing certification are well spent
• Always remember: business before technology
• Technology provides elegant solutions for some problems, but adds to the difficulties for others
• Never lose sight of the goal: protection
• Be heard and not seen
• Know more than you say; be more skillful than you let on
• Speak to users, not at them
• Your education is never complete

Chapter 7 Managing Secure System.pdf

  • 1.
    LEGAL & ETHICALASPECTS OF INFORMATION SYSTEM IMS657 1
  • 2.
    7. Managing securesystem  Information Security Planning  Information Security Policy, Standards, and Practices  Security Education, Training, and Awareness  Continuity Strategies  Information Security Project Management  Staffing security function 2
  • 3.
    3 The basic principlesby which an organization/unit/department is guided. The declared objectives that a seeks to achieve and preserve in the interest of organization
  • 4.
     The successof any information security program lies in policy development  Policy is the essential foundation of an effective information security program  An effective information security training and awareness effort cannot be initiated without writing information security policies 4
  • 5.
     A qualityinformation security program begins and ends with policy  Although information security policies are the least expensive means of control to execute, they are often the most difficult to implement 5
  • 6.
     Policy controlscost only the time and effort that the management team spends to create, approve and communicate them, and that employees spend integrating the policies into their daily activities  Cost of hiring a consultant is minimal compared to technical controls 6
  • 7.
     Policy shouldnever conflict with law  Policy must be able to stand up in court, if challenged  Policy must be properly supported and administered  Example: Policy of shredding working papers by accountants 7
  • 8.
    8 …policies are importantreference documents for internal audits and for the resolution of legal disputes about management’s due diligence [and] policy documents can act as a clear statement of management’s intent…
  • 9.
    • Policy representsthe formal statement of the organization’s managerial policy, in case of our focus, the organization’s information security philosophy • Tradition communities of interest use policy to express their views which then becomes the basis of planning, management and maintenance of the information security profile 9
  • 10.
    • Policies • Setof rules that dictate acceptable and unacceptable behavior within an organization • Must specify the penalties for unacceptable behavior and define an appeals process • To execute policy, organization must implement a set of standards that clarify and define exactly what is inappropriate in the workplace 10
  • 11.
     Standard  Moredetailed statement of what must be done to comply with policy  Technical controls and their associated procedures might be established  E.g.; Network blocks access to pornographic websites 11
  • 12.
  • 13.
     Rules forthe protection of the information assets of the organization  Providing a vital support to security professionals  Reduce the risk both internal and external threats 13 ‘Information security policies are supposed to be read, understood and followed by all staff in the organization’
  • 14.
    14  Operational policies,standards, guidelines and metrics intended to establish minimum requirements for the secure delivery of government services  Secure service delivery requires the assurance of confidentiality, integrity and availability of organizational information assets through:
  • 15.
    15 1. Management andbusiness processes that include and enable security processes; 2. Ongoing personnel awareness of security issues; 3. Physical security requirements for information systems; 4. Governance processes for information technology; 5. Reporting information security events and weaknesses; 6. Creating and maintaining business continuity plans; and, 7. Monitoring for compliance
  • 16.
     Based onNIST Special Publication 800-14, the three types of information security policies:  Enterprise information security program policy  Issue-specific security policies  System-specific security policies 16
  • 17.
    General Information SecurityDocument Shapes the philosophy of security in IT Executive-level document, usually drafted by or with CIO of the organization, 2-10 pages Typically addresses compliance in two areas • Ensure meeting requirements to establish program • Responsibilities assigned therein to various organizational components • Use of specified penalties and disciplinary action 17
  • 18.
    Addresses specific areasof technology Requires frequent updates Contains a statement on the organization’s position on a specific issue 18
  • 19.
    SysSPs frequently codifiedas standards and procedures used when configuring or maintaining systems Systems-specific policies fall into two groups • Access control lists (ACLs) • Configuration rules 19
  • 20.
  • 21.
     Security ManagementModels  ISO 27000 Series  System Models (BLP, Biba, CWI, HRU, BN, etc).  NIST Models  Others (COBIT, COSO, ITIL, Corporate Governance) 21
  • 22.
     Part ofISO/IEC 27000 family of standards, is an Information Security Management System (ISMS) standard published by International Organizational for Standards (ISO) and the International ElectechnicalCommission (IEC).  Its full name is ISO/IEC 27001:2005  Information technology – Security techniques – Information security management systems – Requirements 22
  • 23.
    ISO/IEC 27001 specifies amanagement system that is intended to bring information security under explicit management control 23
  • 24.
    1. Risk AssessmentandTreatment 2. Security policy 3. Organization of information security 4. Asset management 5. Human resources security 6. Physical and environmental security 7. Communications and operations management 8. Access control 9. Information systems acquisition, development and maintenance 10. Information security incident management 11. Business continuity management 12. Compliance 24
  • 25.
  • 26.
     An informationsecurity management system (ISMS) is a set of policies concerned with information security management or IT related risks. 26 Principle of an ISMS is that an organization should design, implement and maintain a coherent set of policies, processes and systems to manage risks to its information assets, thus ensuring acceptable levels of information security risk.
  • 27.
     Information technologysecurity administrators should expect to devote approximately one-third of their time addressing technical aspects.  The remaining two-thirds should be spent developing policies and procedures, performing security reviews and analyzing risk, addressing contingency planning and promoting security awareness;  Security depends on people more than on technology; 27
  • 28.
     Employees area far greater threat to information security than outsiders;  Security is like a chain. It is as strong as its weakest link;  The degree of security depends on three factors: the risk you are willing to take, the functionality of the system and the costs you are prepared to pay;  Security is not a status or a snapshot, but a running process. 28
  • 29.
  • 30.
    1. Have continuoussupport and commitment from organization’s top management; 2. Be managed centrally, based on a common strategy and policy across the entire organization; 3. Be an integral part of overall management of the organization related to organization’s approach to risk management, the control objectives and controls and degree of assurance required; 4. Security objectives and activities based on business objectives and requirements 30
  • 31.
    5. Undertake onlynecessary tasks and avoiding over-control and waste of valuable resources; 6. Fully comply with the organization philosophy and mindset by providing a system that instead of preventing people from doing what they are employed to do, it will enable employee to do it in control and demonstrate their fulfilled accountabilities; 7. Based on continuous training and awareness of staff and avoid the use of disciplinary measures and “police” or “military” practices; 8. Be a never ending process; 31
  • 32.
    Everyone in anorganization needs to be trained and aware of information security; not every member needs formal degree or certificate in information security When formal education for individuals in security is needed, an employee can identify curriculum available from local institutions of higher learning or continuing education A number of universities have formal coursework in information security 32
  • 33.
    Involves providing membersof organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely Management of information security can develop customized in-house training or outsource the training program 33
  • 34.
    One of leastfrequently implemented but most beneficial programs is the security awareness program Designed to keep information security at the forefront of users’ minds Need not be complicated or expensive If the program is not actively implemented, employees begin to “tune out” and risk of employee accidents and failures increases 34
  • 35.
    Continuous availability ofinfo systems Probability high for attack Managers must be ready to act Contingency Plan (CP) • Prepared by organization • Anticipate, react to, & recover from attacks • Restore organization to normal operations 35
  • 36.
    36 Contingency Planning Incident Response (IRPs) (Focus on immediate response) Disaster Recovery(DRPs) (Focus on restoring system) Business Continuity (BCPs) (Focus establish business functions at alternate site)
  • 37.
    Investigate & assessimpact of various attack First risk assessment – then BIA Prioritized list of threats & critical info Detailed scenarios of potential impact of each attack Answers question “if the attack succeeds, what do you do then?” 37
  • 38.
    Incident response planningcovers identification of, classification of, and response to an incident Attacks classified as incidents if they: • Are directed against information assets • Have a realistic chance of success • Could threaten confidentiality,integrity, or availability of information resources Incident response (IR) is more reactive, than proactive, with the exception of planning that must occur to prepare IR teams to be ready to react to an incident 38
  • 39.
    Set of activitiestaken to plan for, detect, and correct the impact Incident planning • Requires understanding BIA scenarios • Develop series of predefined responses • Enables org to react quickly Incident detection • Mechanisms – intrusion detection systems, virus detection, system administrators, end users 39
  • 40.
     Possible indicators Presence of unfamiliar files  Execution of unknown programs or processes  Unusual consumption of computing resources  Unusual system crashes 40
  • 41.
    • Activities atunexpected times • Presence of new accounts • Reported attacks • Notification form IDS Probable indicators • Use of dormant accounts • Changes to logs • Presence of hacker tools • Notification by partner or peer • Notification by hackers Definite indicators 41
  • 42.
     Predefined Situation Loss of availability  Loss of integrity  Loss of confidentiality  Violation of policy  Violation of law 42
  • 43.
    Actions outlined inthe IRP Guide the organization Stop the incident Mitigate the impact Provide information recovery Notify key personnel Document incident 43
  • 44.
    Sever affected communicationcircuits Disable accounts Reconfigure firewall Disable process or service Take down email Stop all computers and network devices Isolate affected channels, processes, services, or computers 44
  • 45.
    Get everyone movingand focused Assess Damage Recovery • Identify and resolve vulnerabilities • Address safeguards • Evaluate monitoring capabilities • Restore data from backups • Restore process and services • Continuously monitor system • Restore confidence 45
  • 46.
    Provide guidance inthe event of a disaster Clear establishment of priorities Clear delegation of roles & responsibilities Alert key personnel Document disaster Mitigate impact Evacuation of physical assets 46
  • 47.
    Disaster recovery personnelmust know their responses without any supporting documentation Actions taken during and after a disaster focusing on people involved and addressing viability of business Crisis management team responsible for managing event from an enterprise perspective and covers: • Support personnel and loved ones • Determine impact on normal operations • Keep public informed • Communicate with major players such as major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties 47
  • 48.
    Outlines reestablishment ofcritical business operations during a disaster that impacts operations If disaster has rendered the business unusable for continued operations, there must be a plan to allow business to continue functioning Development of BCP somewhat simpler than IRP or DRP; consists primarily of selecting a continuity strategy and integrating off-site data storage and recovery functions into this strategy 48
 There are a number of strategies for planning for business continuity
 Determining factor in selecting between options is usually cost
 In general there are three exclusive options: hot sites; warm sites; and cold sites
 Three shared functions: time-share; service bureaus; and mutual agreements

 Hot sites
• Fully configured computer facilities
• All services and communication links
• Physical plant operations
 Warm sites
• Does not include actual applications
• Applications may not be installed and configured
• Requires hours to days to become operational
 Cold sites
• Rudimentary services and facilities
• No hardware or peripherals
• Empty room

 Time-shares
• Hot, warm, or cold
• Leased with other organizations
 Service bureau
• Provides service for a fee
 Mutual agreements
• A contract between two or more organizations that specifies how each will assist the other in the event of a disaster

 To get sites up and running quickly, the organization must have the ability to port data into the new site's systems
 Electronic vaulting
• Transfer of large batches of data
• Receiving server archives data
• Fee
 Journaling
• Transfer of live transactions to off-site
• Only transactions are transferred
• Transfer is real time

 Shadowing
• Duplicated databases
• Multiple servers
• Processes duplicated
• 3 or more copies simultaneously
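The vaulting and journaling mechanisms above, as an added Python example that is not part of the lecture slides: it models an alternate site restoring the last electronic-vault batch and then replaying a real-time journal, so the recovery-point difference between the two is visible. Function names, account names and transactions are constructed for the example.

```python
# Added illustration, not from the slides: what an alternate site can recover
# from batch electronic vaulting alone versus vaulting plus real-time
# journaling. All names and transactions are constructed for the example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    seq: int        # monotonically increasing transaction number
    account: str
    delta: int

@dataclass
class Vault:
    through_seq: int   # last transaction included in this batch copy
    data: dict

def apply_txn(state, txn):
    """Apply one transaction to a copy of the account table."""
    new = dict(state)
    new[txn.account] = new.get(txn.account, 0) + txn.delta
    return new

def electronic_vault(state, through_seq):
    """Electronic vaulting: a bulk copy of the whole data set, sent in batches."""
    return Vault(through_seq, dict(state))

def recover(vault, journal):
    """Alternate site: restore the latest vault batch, then replay journaled
    transactions newer than that batch in sequence order."""
    state = dict(vault.data)
    for txn in sorted(journal, key=lambda t: t.seq):
        if txn.seq > vault.through_seq:
            state = apply_txn(state, txn)
    return state

def simulate(txns, vault_every, journaling):
    """Run txns at a primary site, vaulting every `vault_every` transactions and
    optionally journaling each one off-site as it commits; then 'lose' the
    primary and return (recovered_state, primary_state_at_loss)."""
    state, journal, vault = {}, [], electronic_vault({}, 0)
    for txn in txns:
        state = apply_txn(state, txn)
        if journaling:
            journal.append(txn)   # shipped in real time, transactions only
        if txn.seq % vault_every == 0:
            vault = electronic_vault(state, txn.seq)
    return recover(vault, journal), state

# Constructed sample: five account updates, vault batch every two transactions.
SAMPLE = [Txn(1, "alice", 100), Txn(2, "bob", 50), Txn(3, "alice", -30),
          Txn(4, "carol", 70), Txn(5, "bob", -10)]
```

With a vault batch every two transactions and no journal, the fifth transaction is missing at the alternate site; with journaling enabled it is replayed and the recovered table matches the primary.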
 Information security is a process, not a project
 However, each element of a security program can be managed as a project (managed processes)

 The application of knowledge, skills, tools, and techniques to project activities to meet project requirements
 Application to security
• Use of PMBoK
 The Project Management Institute (PMI) certifications:
• Project Management Professional (PMP)
• Certified Associate in Project Management (CAPM)

[Figure: Project Management Book of Knowledge (PMBoK). Source: Course Technology/Cengage Learning]

 Members of the development team
• Champion
• Team leader
• Security policy developers
• Risk assessment specialists
• Security professionals
• Systems administrators
• End users
 The security function can be placed within:
• IT function
• Physical security function
• Administrative services function
• Insurance and risk management function
• Legal department
 Organizations balance the needs of enforcement with the needs for education, training, awareness, and customer service

 Selecting personnel is based on many criteria, including supply and demand
 Many professionals enter the security market by gaining skills, experience, and credentials
 At present, the information security industry is in a period of high demand

 Organizations typically look for a technically qualified information security generalist
 Organizations look for information security professionals who understand:
• How an organization operates at all levels
• Information security is usually a management problem, not a technical problem
• Strong communications and writing skills
• The role of policy in guiding security efforts
• Most mainstream IT technologies
• The terminology of IT and information security
• Threats facing an organization and how they can become attacks
• How to protect the organization's assets from information security attacks
• How business solutions can be applied to solve specific information security problems

 Many information security professionals enter the field through one of two career paths:
• Law enforcement and military
• Technical, working on security applications and processes
 Today, students select and tailor degree programs to prepare for work in information security
 Organizations can foster greater professionalism by matching candidates to clearly defined expectations and position descriptions
 Chief Information Security Officer (CISO or CSO)
• Top information security position; frequently reports to the Chief Information Officer
• Manages the overall information security program
• Drafts or approves information security policies
• Works with the CIO on strategic plans
• Develops information security budgets
• Sets priorities for information security projects and technology
• Makes recruiting, hiring, and firing decisions or recommendations
• Acts as spokesperson for the information security team
• Typical qualifications: accreditation; graduate degree; experience

 Security Manager
• Accountable for day-to-day operation of the information security program
• Accomplishes objectives as identified by the CISO
• Typical qualifications: not uncommon to have accreditation; ability to draft middle and lower level policies, standards and guidelines; budgeting, project management, and hiring and firing; manage technicians

 Security Technician
• Technically qualified individuals tasked to configure security hardware and software
• Tend to be specialized
• Typical qualifications:
▪ Varied; organizations prefer expert, certified, proficient technicians
▪ Some experience with a particular hardware and software package
▪ Actual experience in using a technology usually required

 Many organizations seek recognizable certifications
 Most existing certifications are relatively new and not fully understood by hiring organizations
 Certifications include: CISSP and SSCP; CISA and CISM; GIAC; SCP; TICSA; Security+; Certified Information Forensics Investigator
 Better certifications can be very expensive
 Even experienced professionals find it difficult to take an exam without some preparation
 Many candidates teach themselves through trade press books; others prefer the structure of formal training
 Before attempting a certification exam, do all the homework and review the exam criteria, its purpose, and requirements in order to ensure that the time and energy spent pursuing certification are well spent

 Always remember: business before technology
 Technology provides elegant solutions for some problems, but adds to the difficulties of others
 Never lose sight of the goal: protection
 Be heard and not seen
 Know more than you say; be more skillful than you let on
 Speak to users, not at them
 Your education is never complete