Information security planning


Information security planning
By: Ungana-Afrika
Copyright: Creative Commons Attribution-NonCommercial-ShareAlike
ItrainOnline MMTK www.itrainonline.org
Sunday, 14 April 2019

Session overview
- Provide a basic understanding of the process for information security planning
- Furnish the participants with enough knowledge to be able to facilitate the planning process for an organisation

Contents
- Group Exercise 1
- Overview
- Process: Preparation phase, Introduction phase, Assessment phase
- Break
- Process (cont.): Planning phase, Evaluation phase, Update phase
- Group Exercise 2
- Closing

Setting the scene
Group Exercise 1

Information security planning
- A process, not a product
- End products: an information security plan and policy documents
- Most organisations can combine information security planning with strategic technology planning

Inputs for technology planning

Inputs for information security planning

Process
- Core phases: Introduction, Assessment, Planning
- The high-level process is the same for both technology planning and information security planning

Preparation phase
- Basic requirements before starting the process
- Knowledge of ICT security, the NGO sector, etc.
- Understanding of the process, basic tools and templates
- Exercise

Introduction phase
- Buy-in from the organisation
- Agenda for a visit: introduction of information security and planning; objectives of the process; roles and requirements during the process; planned timeline; composition of an information security team

Introduction phase (2)
- Information security team: a team with broad knowledge of the organisation's programmes and security processes, and committed to implementing the outcome
- Collect valuable information: strategic and operational plans, policies, a description of the ICT infrastructure, etc.
- Exercise

Assessment phase
- Before planning you should know the direction as well as the current position
- Information security needs
- Current state of information security, from an objective perspective

Assessment phase

Identify and assess assets
- Assets are anything of value to your organisation: computer hardware and software, information...
- Once assets have been identified, rank their importance as low, medium or high

Identify threats
- A threat is "anyone or anything that can exploit a vulnerability to obtain, alter, or deny access to an asset" (Vishal Visintine, 2003)
- Threats can be natural or human, intentional or unintentional: floods, user error, cracking...
- Rate the seriousness of threats as low, medium or high

Identify vulnerabilities
- A vulnerability is "anything that could be exploited to gain or deny access to an asset or otherwise compromise an asset" (Vishal Visintine, 2003)
- E.g. not running anti-virus software and lack of staff awareness are vulnerabilities
- Use network vulnerability scanning tools
- Survey staff skills to see where lack of knowledge creates vulnerabilities
- Rank vulnerabilities as low, medium or high

Identify safeguards/barriers
- Identify what is currently being done to protect your assets, for example physical barriers to computer theft, policies, firewalls, etc.
- Exercise

Assessment: conclusion
- After the assessment process the information security team should have an understanding of where the organisation stands now (what works, what doesn't work, etc.)

Break
Training will continue after <x> minutes

Risk assessment
- Risk is "a combination of the asset value, the vulnerabilities with respect to the asset, and the threats that can exploit the vulnerabilities. If all are high, then the risk is high" (Vishal Visintine, 2003).
- Relative Risk = Asset Value x Vulnerability x Threat
- The product of low/medium/high ratings is an ordinal score: use it to rank risks against each other, not as an absolute measure of loss.
- Focus on the most critical assets and the most likely threats.

Planning phase

Determine safeguards and barriers required
- After prioritising risks, decide what steps are needed to reduce them, e.g. software, hardware, physical measures, policies, training...

Costs, timelines and responsibilities
- Estimate how long each step will take and what it will cost
- Decide who will be responsible for meeting each objective
- Think about: hardware; software; setup charges (wiring, furniture, facility modifications); ongoing service fees; service contracts and maintenance; insurance; operating expenses; personnel costs (in-house support staff, consultants); staff development and training

Final implementation plan
- Cost was not taken into account when prioritising threats and risks
- Now weigh up costs: for each objective, decide whether it is worth the time, money and effort
- Document the plan
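The risk-assessment slide's formula (Relative Risk = Asset Value x Vulnerability x Threat) and the cost weighing asked for on this slide can be worked through together. The script below is an added example, not part of the ItrainOnline/Ungana-Afrika material: it scores a small set of asset/threat/vulnerability triples with the slides' low/medium/high ratings, ranks them, then ranks candidate safeguards by how much relative risk each removes per unit of cost and picks those that fit a budget. The numeric mapping low=1, medium=2, high=3, the sample NGO assets, threats, safeguards and costs, and the greedy budget rule are all assumptions made for the illustration; the slides only give the words and the formula.

```python
"""Relative-risk ranking and cost-weighted safeguard selection.

Added example, not from the ItrainOnline/Ungana-Afrika slides. Implements
the slide formula Relative Risk = Asset Value x Vulnerability x Threat using
low/medium/high ratings, then weighs candidate safeguards by risk reduction
per unit cost, as the planning phase requires. The RATING mapping and all
data below it are constructed assumptions, not real assessment output.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed mapping of the slides' low / medium / high ratings to numbers.
RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Scenario:
    """One asset / threat / vulnerability triple from the assessment phase."""
    id: str
    asset: str
    asset_value: str      # low / medium / high (importance of the asset)
    threat: str
    threat_level: str     # seriousness / likelihood of the threat
    vulnerability: str
    vuln_level: str       # how exposed the asset is through this weakness


@dataclass(frozen=True)
class Safeguard:
    """A candidate control, the scenario it addresses, and the vulnerability
    rating that remains once the control is in place."""
    name: str
    cost: float           # one-off plus first-year running cost (any currency)
    scenario_id: str
    residual_vuln: str


# Constructed assessment output for a small NGO (sample data, not real).
SCENARIOS = [
    Scenario("S1", "donor database", "high", "laptop theft", "high",
             "laptop disk not encrypted", "high"),
    Scenario("S2", "donor database", "high", "malware infection", "high",
             "no anti-virus software", "high"),
    Scenario("S3", "staff email", "medium", "phishing", "high",
             "lack of staff awareness", "high"),
    Scenario("S4", "office file server", "medium", "flood", "low",
             "no off-site backup", "medium"),
    Scenario("S5", "public website", "low", "defacement", "medium",
             "outdated CMS", "medium"),
]

# Constructed candidate safeguards with assumed costs.
SAFEGUARDS = [
    Safeguard("full-disk encryption on laptops", 300, "S1", "low"),
    Safeguard("anti-virus on all computers", 600, "S2", "low"),
    Safeguard("staff security awareness training", 150, "S3", "medium"),
    Safeguard("off-site backup service", 1200, "S4", "low"),
    Safeguard("patch the CMS", 100, "S5", "low"),
]


def relative_risk(s: Scenario, vuln_level: Optional[str] = None) -> int:
    """Slide formula: Relative Risk = Asset Value x Vulnerability x Threat.
    Pass vuln_level to compute the residual risk after a safeguard."""
    vuln = vuln_level if vuln_level is not None else s.vuln_level
    return RATING[s.asset_value] * RATING[vuln] * RATING[s.threat_level]


def rank_risks(scenarios):
    """Assessment phase: scenarios from highest to lowest relative risk
    (ties keep their original order)."""
    return sorted(scenarios, key=relative_risk, reverse=True)


def risk_reduction(sg: Safeguard, scenarios) -> int:
    """Relative risk removed from the safeguard's scenario."""
    s = next(x for x in scenarios if x.id == sg.scenario_id)
    return relative_risk(s) - relative_risk(s, sg.residual_vuln)


def plan(safeguards, scenarios, budget: float):
    """Planning phase: take safeguards in order of risk reduction per unit
    cost, skipping any that no longer fit the budget (assumed greedy rule).
    Returns (chosen safeguards, total spend)."""
    by_value = sorted(safeguards,
                      key=lambda sg: risk_reduction(sg, scenarios) / sg.cost,
                      reverse=True)
    chosen, spent = [], 0.0
    for sg in by_value:
        if spent + sg.cost <= budget:
            chosen.append(sg)
            spent += sg.cost
    return chosen, spent


if __name__ == "__main__":
    print("Risk ranking (assessment phase):")
    for s in rank_risks(SCENARIOS):
        print(f"  {s.id} {relative_risk(s):2d}  {s.asset} / {s.threat} / {s.vulnerability}")
    print("\nSafeguards by risk reduction per cost unit:")
    for sg in SAFEGUARDS:
        red = risk_reduction(sg, SCENARIOS)
        print(f"  {red:2d} / {sg.cost:6.0f} = {red / sg.cost:.4f}  {sg.name}")
    chosen, spent = plan(SAFEGUARDS, SCENARIOS, budget=1000)
    print(f"\nPlan within budget 1000 (spend {spent:.0f}):")
    for sg in chosen:
        print(f"  - {sg.name}")
```

Two things to keep in mind when using this. The scores are products of ordinal ratings, so a 27 is not "three times worse" than a 9; the numbers only order the scenarios, which is all the slides ask of them. And the budget rule is a simple greedy pass: with the sample data it selects disk encryption, awareness training and the CMS patch for 550 of a 1000 budget and skips anti-virus because it no longer fits, which is exactly the kind of trade-off the implementation team should review by hand rather than accept blindly.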

Evaluation phase
- Ongoing evaluation is important
- The implementation team should meet regularly to assess progress and effectiveness

Update phase
- Risks change over time
- Regularly reassess the existing security barriers, policies and the skills needed
- Especially important for high-risk organisations
- Possible triggers: new programme areas; new technologies

Information security planning: an ongoing process
Group Exercise 2

Closing
Final comments, questions and thoughts