Driving Factors Security Risk Mgt Controls Compliance.


Risks, Threats, Vulnerabilities
Risk – a generalized impact statement
– Ex: disclosure of ratepayer data would be bad
Threat – a generic method by which the risk could be realized
– Ex: interception of data in flight or at rest
Vulnerability – a specific, actual, existing technical issue that a threat could leverage
– Ex: an unencrypted customer information file on a server

Risk Profile: Confidential Data
Generalized Risks:
– Disclosure, unauthorized modification
Threats:
– Interception of data in flight, at rest, after transformation, after export, before destruction
Vulnerabilities:
– Unencrypted data transport
– Unencrypted storage in flat files or in the DB
– Unencrypted storage after export to external components
– Unencrypted data prior to disposal or destruction

Reliability Engineering
Any individual security control fails unpredictably, but across a large set of controls or a long enough period the failure rate is consistent: some controls will fail. Layered security controls limit the scope and impact of any single control's failure.
Existing control set for this service:
– Firewalls, IDS, server hardening, patching, access request controls, authentication/authorization, filesystem access controls, virus scanning, enterprise hardening baseline analysis, OS software, service software, application software, maintenance scripts

Mapping Vulnerabilities to Controls
Vulnerability: Unencrypted data transport
– Control: use NAESB, SFTP, or encrypted CD
Vulnerability: Unencrypted data storage
– Control:
Vulnerability: Unencrypted data after transformation
– Control:
Vulnerability: Unencrypted data prior to disposal
– Control:

Data Transport Mechanisms
NAESB (North American Energy Standards Board)
+ Current market standard
+ Existing management and maintenance infrastructure
+ Existing application infrastructure
+ Strong authentication/encryption
SFTP
+ Strong transport encryption
o Partially existing server infrastructure
o Partially existing management infrastructure for static passwords
- No existing management infrastructure for ssh keys
- Static-password authentication creates the possibility of password recovery by brute force, or of disclosure at the endpoints
- Reduced visibility from the network security monitoring platform (the encrypted session cannot be inspected)
- Additional implementation risk
- Additional management/maintenance risk
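The weakest point of the SFTP option above is static-password authentication. As an added example (not part of the original presentation), the Python below audits an sshd_config for that weakness and for the related settings an SFTP transfer endpoint should carry: password and keyboard-interactive authentication off, public-key authentication on, no root login, and an SFTP-only chroot via a Match block. The directive names are real OpenSSH keywords; the two sample configurations are constructed for this example and are not from the presenter's environment.

```python
import re

# Constructed sample: a near-default sshd_config that still accepts static passwords.
WEAK_CONFIG = """
Port 22
Subsystem sftp /usr/lib/openssh/sftp-server
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
"""

# Constructed sample: key-only authentication and an SFTP-only chroot for partner accounts.
HARDENED_CONFIG = """
Port 22
Subsystem sftp internal-sftp
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
Match Group sftp-partners
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
"""

# ChallengeResponseAuthentication is the older alias of KbdInteractiveAuthentication.
_ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Split sshd_config text into global directives and Match blocks.

    Returns (global_directives, match_blocks): global_directives maps a
    lower-cased keyword to its value; match_blocks is a list of
    (match_criteria, directives) in file order. sshd uses the first value it
    sees for a keyword, so later duplicates are ignored here as well.
    """
    global_directives = {}
    match_blocks = []
    current = global_directives
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        key = _ALIASES.get(key, key)
        if key == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        current.setdefault(key, value)
    return global_directives, match_blocks


def audit_sshd_config(text):
    """Return a list of findings for an SFTP endpoint; an empty list is clean."""
    g, matches = parse_sshd_config(text)
    findings = []

    def enabled(key, default):
        # OpenSSH's default applies when the keyword is absent from the file.
        return g.get(key, default).lower() == "yes"

    if enabled("passwordauthentication", "yes"):
        findings.append("PasswordAuthentication is on: static passwords can be "
                        "brute-forced or disclosed at the endpoints")
    if enabled("kbdinteractiveauthentication", "yes"):
        findings.append("KbdInteractiveAuthentication is on: keyboard-interactive "
                        "(PAM) can still prompt for a password")
    if g.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is off: ssh keys cannot replace passwords")
    if g.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: root is reachable with a password")
    sftp_only = any(m.get("forcecommand", "").lower() == "internal-sftp"
                    for _, m in matches)
    if not sftp_only:
        findings.append("no Match block with ForceCommand internal-sftp: transfer "
                        "accounts get a full shell rather than an SFTP-only chroot")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_sshd_config(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Where possible, feed the audit the output of `sshd -T` rather than the raw file, since that prints the effective configuration after includes and defaults. Note that the hardened configuration removes the static-password weakness but does nothing about the slide's other objection: someone still has to provision, rotate and revoke the ssh keys for each partner account.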

Data Transport Mechanisms
CD-R / DVD-R
+ Easy
- Transportation via licensed/bonded couriers?
- Still need to address encryption of data in transit
- Physical media destruction becomes an issue
- Need to develop operational procedures
- Need to develop physical infrastructure for accepting, handling, storing, and destroying media