ISA 562 Summer 2008. Information Security Management (CISSP Topic 1). ISA 562 Internet Security Theory and Practice.


Course Outline
An introductory course at the graduate level. It covers the topics of the CISSP exam at varying depth, but is NOT a CISSP course.
Textbooks:
–Matt Bishop: Computer Security: Art and Science
–Official (ISC)² Guide to the CISSP CBK

Objectives
–Roles and responsibilities of individuals in a security program
–Security planning in an organization
–Security awareness in the organization
–Differences between policies, standards, guidelines and procedures
–Risk management practices and tools

Syllabus of the Course
–Bishop's book for the first part
–Papers for some classes
–The (ISC)² book for the second part
–Covers material relevant to the PhD qualifying examination in security

Introduction
Purpose of information security:
–To protect an organization's information resources: data, hardware, and software.
–To increase organizational success: information systems are critical assets supporting its mission.

Information Security TRIAD
The overarching goals of information security are addressed through the AIC triad (Availability, Integrity, Confidentiality).

IT Security Requirements - I
Security should be designed for two requirements:
1.Functional: define the behavior of the control means, based on risk assessment.
Properties:
–should not depend on another control. Why?
–fail safe, by maintaining security during a system failure
2.Assurance: provide confidence that security functions perform as expected.
–Internal/external audit
–Third-party reviews
–Compliance with best practices
Examples:
–Functional: a network firewall that permits or denies traffic.
–Assurance: logs are generated, monitored, and reviewed.
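Added example (not from the lecture slides) of the firewall illustration above: the functional control fails safe to "deny" on unmatched or malformed input, and a separate assurance check reviews the log the control generates. The rule set and addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List

@dataclass
class Rule:
    action: str           # "permit" or "deny"
    network: IPv4Network  # source network the rule covers
    port: int             # destination port; 0 matches any port

@dataclass
class Firewall:
    rules: List[Rule]
    log: List[dict] = field(default_factory=list)  # every decision is recorded here

    def decide(self, src: str, port: int) -> str:
        """Functional control: first matching rule wins. Unmatched traffic and
        malformed input both fail safe to "deny", so a fault never opens the network."""
        action = "deny"
        try:
            addr = ip_address(src)
            for rule in self.rules:
                if addr in rule.network and rule.port in (0, port):
                    action = rule.action
                    break
        except ValueError:
            pass  # unparsable source address: keep the fail-safe "deny"
        self.log.append({"src": src, "port": port, "action": action})
        return action

def review_log(fw: Firewall, expected_decisions: int) -> List[str]:
    """Assurance check, run by a reviewer independently of the control: the log
    must be complete, and every permit must be explained by a permit rule."""
    findings = []
    if len(fw.log) != expected_decisions:
        findings.append(f"log has {len(fw.log)} entries, expected {expected_decisions}")
    for entry in fw.log:
        if entry["action"] != "permit":
            continue
        explained = any(r.action == "permit" and ip_address(entry["src"]) in r.network
                        and r.port in (0, entry["port"]) for r in fw.rules)
        if not explained:
            findings.append(f"permit not explained by any rule: {entry}")
    return findings

# Constructed sample rule set with hypothetical addresses: HTTPS from 10/8 only,
# anything from the 192.168.1.0/24 management network, nothing else.
SAMPLE_RULES = [Rule("permit", ip_network("10.0.0.0/8"), 443),
                Rule("deny", ip_network("10.0.0.0/8"), 0),
                Rule("permit", ip_network("192.168.1.0/24"), 0)]
```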

Organizational & Business Requirements
Focus on the organizational mission:
–Business or goals driven
Depends on the type of organization:
–Military, government, or commercial.
Must be sensible and cost effective:
–The solution considers the mission and environment: a trade-off.

IT Security Governance
Integral part of corporate governance:
–Fully integrated into overall risk-based threat analysis
Ensure that the IT infrastructure:
–Meets all requirements.
–Supports the strategies and objectives of the company.
–Includes service level agreements [if outsourced].

Security Governance: Major parts
1.Leadership: security leaders must be part of the company leadership, where they can be heard.
2.Structure: occurs at many levels and should use a layered approach.
3.Processes: follow internationally accepted "best practices": job rotation, separation of duties, least privilege, mandatory vacations, etc.
Examples of standards: ISO and ISO 27001:2005

Security Blueprints
Provide a structure for organizing requirements and solutions:
–Ensure that security is considered holistically.
–Identify and design security requirements.

Policy Overview
1.The operational environment is a web of laws, regulations, requirements, and agreements or contracts with partners and competitors.
2.These change frequently and interact with each other.
3.Management must develop and publish security statements addressing policies and supporting elements, such as standards, baselines, and guidelines.

Policy overview (figure)

Functions of Security Policy
1.Provide management goals and objectives in writing
2.Ensure documented compliance
3.Create a security culture
4.Anticipate and protect others from surprises
5.Establish the security activity/function
6.Hold individuals responsible and accountable
7.Address foreseeable conflicts
8.Make sure employees and contractors are aware of organizational policy and changes to it
9.Require an incident response plan
10.Establish a process for exception handling, rewards, and discipline

Policy Infrastructure
1.High-level policies are interpreted into functional policies.
2.Functional policies are derived from the overarching policy and create the foundation for procedures, standards, and baselines to accomplish the objectives.
3.Policies gain credibility through top-management buy-in.

Examples of Functional Policies
1.Data classification
2.Certification and accreditation
3.Access control
4.Outsourcing
5.Remote access
6.Acceptable mail and Internet usage
7.Privacy
8.Dissemination control
9.Sharing control

Policy Implementation
Standards, procedures, baselines, and guidelines turn management objectives and goals [functional policies] into enforceable actions for employees.

Standards and Procedures
1.Standards (local): adoption of common hardware and software mechanisms and products throughout the enterprise. Examples: desktop, anti-virus, firewall.
2.Procedures: step-by-step actions that must be followed to accomplish a task.
3.Guidelines: recommendations for product implementations, procurement and planning, etc. Examples: ISO 17799, Common Criteria, ITIL.

Security Baselines
Benchmarks that ensure a minimum level of security configuration is provided across implementations and systems:
–Establish consistent implementation of security mechanisms.
–Platform specific.
Examples: VPN setup, IDS configuration, password rules.

Three Levels of Security Planning
1.Strategic (long term): focus on high-level, long-range organizational requirements.
–Example: overall security policy
2.Tactical (medium term): focus on events that affect the whole organization.
–Example: functional plans
3.Operational (short term): fight fires at the keyboard level, directly affecting how the organization accomplishes its objectives.

Organizational Roles and Responsibilities
Everyone has a role:
–with responsibility clearly communicated and understood.
Duties associated with the role must be assigned. Examples:
–Securing
–Reviewing violation reports
–Attending awareness training

Specific Roles and Responsibilities (duties)
Executive management:
–Publish and endorse the security policy
–Establish goals and objectives
–State overall responsibility for asset protection
IS security professionals:
–Security design, implementation, management
–Review of organization security policies
Owner:
–Information classification
–Set user access conditions
–Decide on business continuity priorities
Custodian:
–Entrusted with the security of the information
IS auditor:
–Audit of assurance guarantees
User:
–Compliance with procedures and policies

Personnel Security: Hiring Staff
–Background check/security clearance
–Check references/educational records
–Sign employment agreement: non-disclosure agreements, non-compete agreements
–Low-level checks
–Consult with the HR department
–Termination/dismissal procedure

Third-Party Considerations
Include:
–Vendors/suppliers
–Contractors
–Temporary employees
–Customers
Procedures must be established for these groups.