Security Management Practices


Security Management Practices
- Risk Management
  - Identifying, assessing, and reducing risk to an acceptable level
  - Implementing mechanisms to maintain that acceptable level of risk
- Security Policies
- Security Education

Security Administration
- A named person or group must be responsible for security
- Clear reporting structure up to senior management
- Information owners (executives with management responsibilities) dictate who can access their data
- Security administrators ensure that this is what actually happens

Security Controls
- Administrative controls: policies and standards
- Technical controls: password and resource management, security devices
- Physical controls: locks, fences, walls

Failure – Management's fault?
- Must have buy-in from senior management
- Security should not be viewed as expensive and unnecessary
- A lack of security controls is much more expensive than the controls themselves
- Foster a healthy relationship between security staff and senior management

CIA Triad
- Confidentiality: only those who should see the data can see it
- Integrity: assurance that data is accurate and reliable, and has not been altered without authorization
- Availability: reliable and timely access to data and to the systems that hold it

Definitions & the Security Circle of Life

- Threat agents (a hacker, a disgruntled employee, an enemy government, a random actor, the environment, a virus) create...
- Threats (denial of service, loss of data, changes to data, a tornado, equipment failure), which exploit...
- Vulnerabilities (an open firewall port, a bug in software, lack of proper controls, lack of redundancy), which lead to...
- Risk (rated low, medium, or high), which can damage...
- Assets (a file server, the marketing plan, a research facility), and causes an...
- Exposure (wasted man-hours to reproduce data, lost sales, lawsuits), which can be countermeasured by...
- Safeguards (a firewall, a hot backup site, fire suppression), which directly affect the threat agents...
- And then it starts all over again.

Top Down Security Planning, Step 1: Assess Business Objectives
- Senior management must participate
- Operational goals: daily
- Tactical goals: near future
- Strategic goals: long term
- Budgets
- Benefits in other areas?

Top Down Security Planning, Step 2: Vulnerability Assessment
- Produce a report of where vulnerabilities exist
- Catalog each asset and system
- Research known vulnerabilities affecting them
- Accuracy is key
- Penetration testing: an active, systematic attack on assets you own, either outsourced or in-house

Top Down Security Planning, Step 3: Risk Analysis
- Assign a value to each asset, considering:
  - Cost to acquire or develop the asset
  - Cost to maintain the asset
  - Value to owners or users
  - Value to adversaries (the price others are willing to pay for it)
  - Cost to replace the asset if lost
  - Loss of productivity if the asset is unavailable
  - Liability if the asset is compromised

Perform threat analysis
- Estimate the loss per occurrence of each risk:
  - Single Loss Expectancy (SLE) = asset value x Exposure Factor (EF)
  - EF is the fraction (percentage) of the asset's value lost in a single occurrence; it covers the cost of recovery and the cost of lost productivity
- Gather information about the likelihood of each risk happening:
  - Past occurrences in your own organization
  - Occurrences across the industry
- Estimate the Annualized Rate of Occurrence (ARO): the expected number of times the event occurs in a given year
  - 0.0 = never, 0.5 = every other year, 1.0 = once a year; an ARO above 1.0 means the event is expected several times a year

Derive the overall loss potential per risk
- Annualized Loss Expectancy (ALE) = SLE x ARO
- Select countermeasures for each risk
- Quantify the Total Cost of Ownership (TCO) of each countermeasure: acquisition cost plus yearly support costs
- Reduce, assign, or accept each risk:
  - Reduction (need not be 100%): install security controls, improve procedures
  - Assignment: buy insurance
  - Acceptance: live with the risk
- Decision test: is the countermeasure's annual TCO more expensive than the ALE it removes? A safeguard is only worth deploying when (ALE before) - (ALE after) - (annual cost of the safeguard) is positive; otherwise assign or accept the risk.
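As an added example (not part of the original slides), the SLE/ARO/ALE arithmetic of Step 3 and the reduce/assign/accept decision can be carried through in Python. The asset, the two countermeasures and every figure below are constructed for illustration; the `recommend` rule (reduce if the safeguard has positive net annual value, else assign when an insurance premium below the ALE is on offer, else accept) is an assumption spelled out in its docstring, not a rule taken from the slides.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and countermeasure cost/benefit.

Added example. All asset and countermeasure figures are constructed.
"""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Risk:
    """One threat-to-asset pairing from the risk analysis."""
    name: str
    asset_value: float      # AV: what the asset is worth to the organization
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0.0 - 1.0)
    aro: float              # ARO: expected occurrences per year (0.5 = every other year)

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0.0 and 1.0")
        if self.aro < 0 or self.asset_value < 0:
            raise ValueError("ARO and asset value cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    """A safeguard and the residual EF/ARO it leaves behind."""
    name: str
    acquisition_cost: float
    yearly_support_cost: float
    lifetime_years: int               # years over which the purchase is amortized
    residual_exposure_factor: float   # EF once the control is in place
    residual_aro: float               # ARO once the control is in place

    def annual_tco(self) -> float:
        """Acquisition cost spread over its lifetime, plus yearly support."""
        return self.acquisition_cost / self.lifetime_years + self.yearly_support_cost


def residual_ale(risk: Risk, cm: Countermeasure) -> float:
    """ALE that remains after the countermeasure is deployed."""
    reduced = replace(risk, exposure_factor=cm.residual_exposure_factor,
                      aro=cm.residual_aro)
    return reduced.ale()


def net_annual_value(risk: Risk, cm: Countermeasure) -> float:
    """(ALE before) - (ALE after) - (annual TCO). Positive means it pays for itself."""
    return risk.ale() - residual_ale(risk, cm) - cm.annual_tco()


def recommend(risk: Risk, cm: Countermeasure,
              insurance_premium: Optional[float] = None) -> str:
    """Assumed decision rule: reduce if the control has positive net annual value;
    otherwise assign the risk if an insurer quotes a premium below the ALE;
    otherwise accept it."""
    if net_annual_value(risk, cm) > 0:
        return "reduce"
    if insurance_premium is not None and insurance_premium < risk.ale():
        return "assign"
    return "accept"


# Constructed sample: a file server holding the marketing plan, threatened by fire.
FILE_SERVER_FIRE = Risk("file server destroyed by fire",
                        asset_value=100_000, exposure_factor=0.8, aro=0.1)

# Constructed safeguards: a sensibly priced one and an over-engineered one.
FIRE_SUPPRESSION = Countermeasure("fire suppression + hot backup site",
                                  acquisition_cost=15_000, yearly_support_cost=1_000,
                                  lifetime_years=5,
                                  residual_exposure_factor=0.2, residual_aro=0.1)
OVERPRICED_DR = Countermeasure("fully mirrored second data centre",
                               acquisition_cost=200_000, yearly_support_cost=20_000,
                               lifetime_years=5,
                               residual_exposure_factor=0.05, residual_aro=0.1)

if __name__ == "__main__":
    r = FILE_SERVER_FIRE
    print(f"{r.name}: SLE={r.sle():,.0f} ALE={r.ale():,.0f}")
    for cm in (FIRE_SUPPRESSION, OVERPRICED_DR):
        print(f"  {cm.name}: TCO/yr={cm.annual_tco():,.0f} "
              f"residual ALE={residual_ale(r, cm):,.0f} "
              f"net={net_annual_value(r, cm):,.0f} -> {recommend(r, cm, 5_000)}")
```

The net-value test is the same comparison the slide phrases as "is the countermeasure TCO more expensive than the ALE?", but it credits the safeguard only with the ALE it actually removes, so a control that leaves most of the loss in place is not mistaken for a bargain.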

Things to Consider When Selecting a Countermeasure
- Modularity
- Provides uniform protection
- Allows the administrator to override it
- Independence from the asset and from other safeguards
- Flexibility and functionality
- Clear distinctions between user classes
- Minimal human intervention needed
- Easily upgradeable
- Auditing functionality
- Able to be reset without lowering the protection level
- Testable
- Does not introduce other compromises
- Acceptable negative effects on the performance of users and systems
- Proper and flexible alerting facilities

Top Down Security Planning, Step 4: Define Protection Requirements
- How aggressive will you be?
- Classify data: define the data classes, assign data and assets to classes, identify the data custodian
- Document, document, document
- Evaluate the functionality of the chosen countermeasures

Top Down Security Planning, Step 5
- Evaluate legal liabilities: who can sue you?
- Perform security awareness training
  - Customize the content for different audiences: management, staff, technical
  - Must be repeated continually
- Evaluate the reliability of the countermeasures as deployed

Top Down Security Planning, Step 5, con't: Publish Policies and Procedures
- Policies: management statements
  - Organizational
  - Issue-specific
  - System-specific
- Standards: compulsory rules that must be followed
- Guidelines: recommended, non-mandatory actions
- Procedures: detailed step-by-step actions to complete a specific task

Top Down Security Planning, Step 5, con't: Areas Covered by Policies and Procedures
- Accountability controls
- Physical and environmental controls
- Administration controls
- Access controls
- Use of cryptography, and which types are required
- Business continuity planning (BCP) controls
- Computer operations
- Incident handling

Top Down Security Planning, Step 6: Roll Out Selected Countermeasures
- Be sure the roll-out plan does not adversely affect users and customers
- Monitor the countermeasures once they are deployed

Top Down Security Planning, Step 7: Reevaluate and Repeat Regularly!

Layers of Security Responsibility
- Senior manager: ultimately responsible for the security of the organization
- Security professional: functionally responsible for security
- Data owner: determines the data classification of information
- Data custodian: maintains the data according to the classification guidelines
- User: uses the data for daily tasks
- Auditor: regularly examines the security practices and mechanisms

More Terminology
- Due care: the organization has taken the steps necessary to protect its assets from possible risks
- Due diligence: the ongoing activities that ensure countermeasures are continually maintained and operational
- Nondisclosure agreements (NDA)
- Job rotation

Homework Assignment
- Read Chapter 4
- Paper: choose and document 5 common vulnerabilities
  - For each, list (and justify if not obvious) the threat agent, threat, risk, possible affected asset, exposure, and safeguard
  - Stick to common vulnerabilities, but try to choose from the entire realm of security issues