Security Management Practices Keith A. Watson, CISSP CERIAS.

Slides:



Advertisements
Similar presentations
TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.
Advertisements

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems
Audit Committee in Albania Legal framework Law 9226 /2006 “On banks in Republic of Albania” Law 9901/2008 “On entrepreneurs and commercial companies” Corporate.
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
SOX and IT Audit Programs John R. Robles Thursday, May 31, Tel:
Security Controls – What Works
ISA 562 Summer Information Security Management CISSP Topic 1 ISA 562 Internet Security Theory and Practice.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Information Systems Security Information Security & Risk Management.
Unit # 3: Information Security and Risk Management
Information Systems Security Officer
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
An Overview of Risk Management based on a Disclosure from an Annual Report Jon Wu, November 19, 2014.
NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Policies and Implementation Issues.
Session 3 – Information Security Policies
Risk Analysis COEN 250.
Database Auditing Models Dr. Gabriel. 2 Auditing Overview Audit examines: documentation that reflects (from business or individuals); actions, practices,
Chapter 7 Database Auditing Models
Elements of Internal Controls Preventing Fraud, Waste, and Abuse in Urban and Rural Transit Systems.
INFORMATION SECURITY GOVERNANCE (ISG) Relates to the security of information systems Is an element of corporate governance.
Lecture 30 Information Security (Cont’d). Overview Organizational Structures Roles and Responsibilities Information Classification Risk Management 2.
Chapter 9: Introduction to Internal Control Systems
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Chapter 07 Internal Control McGraw-Hill/IrwinCopyright © 2014 by The McGraw-Hill Companies, Inc. All rights reserved.
COBIT - IT Governance.
1 Chapter Three IT Risks and Controls. 2 The Risk Management Process Identify IT Risks Assess IT Risks Identify IT Controls Document IT Controls Monitor.
Policy Review (Top-Down Methodology) Lesson 7. Policies From the Peltier Text, p. 81 “The cornerstones of effective information security programs are.
INFORMATION SECURITY & RISK MANAGEMENT SZABIST – Spring 2012.
Information Systems Security Operational Control for Information Security.
Risk Management. IT Controls Risk management process Risk management process IT controls IT controls IT Governance Frameworks IT Governance Frameworks.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 7 Database Auditing Models.
Information Security Governance and Risk Chapter 2 Part 3 Pages 100 to 141.
© ITT Educational Services, Inc. All rights reserved.Page 1 IS3230 Access Security © ITT Educational Services, Inc. All rights reserved. IS3230 Access.
IT Controls Global Technology Auditing Guide 1.
Lecture 29 Information Security
ISO/IEC 27001:2013 Annex A.8 Asset management
Module 10: Implementing Administrative Templates and Audit Policy.
Privilege Management Chapter 22.
Information Security Framework Regulatory Compliance and Reporting Auditing and Validation Metrics Definition and Collection Reporting (management, regulatory,
Cyber Risk Management Solutions Fall 2015 Thomas Compliance Associates, Inc
Control and Security Frameworks Chapter Three Prepared by: Raval, Fichadia Raval Fichadia John Wiley & Sons, Inc
Chapter 1: Security Governance Through Principles and Policies
Dr. Bhavani Thuraisingham Information Security and Risk Management June 5, 2015 Lecture #5 Summary of Chapter 3.
Risk Management Issues in Information Security Amanda Kershishnik COSC April 2007.
Information Security Office: Function, Alignment in the Organization, Goals, and Objectives Presentation to Sacramento PMO March 2011 Kevin Dickey.
Access Controls Mandatory Access Control by Sean Dalton December 5 th 2008.
Lecture 5 Control and AIS Copyright © 2012 Pearson Education 7-1.
Business Continuity Planning 101
Computer Science / Risk Management and Risk Assessment Nathan Singleton.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.
EECS David C. Chan1 Computer Security Management Session 1 How IT Affects Risks and Assurance.
SUNY Maritime Internal Control Program. New York State Internal Control Act of 1987 Establish and maintain guidelines for a system of internal controls.
CPA Gilberto Rivera, VP Compliance and Operational Risk
Cyber Security Enterprise Risk Management: Key to an Organization’s Resilience Richard A. Spires CEO, Learning Tree International Former CIO, IRS and.
Errors, Fraud, Risk Management, and Internal Controls
Domain 2 – Asset Security
IS4680 Security Auditing for Compliance
LAND RECORDS INFORMATION SYSTEMS DIVISION
Chapter 9 Control, security and audit
Figure 11-5: Control Principles
IT Development Initiative: Status and Next Steps
IS4680 Security Auditing for Compliance
IS4680 Security Auditing for Compliance
Adding Value Across the Board
IS4680 Security Auditing for Compliance
An overview of Internal Controls Structure & Mechanism
CMGT/431 INFORMATION SYSTEMS SECURITY The Latest Version // uopcourse.com
CMGT 431 CMGT431 cmgt 431 cmgt431 Entire Course // uopstudy.com
Presentation transcript:

Security Management Practices Keith A. Watson, CISSP CERIAS

2 Overview  The CIA  Security Governance Policies, Procedures, etc. Organizational Structures Roles and Responsibilities  Information Classification  Risk Management

3 The CIA: Information Security Principles  Confidentiality Allowing only authorized subjects access to information  Integrity Allowing only authorized subjects to modify information  Availability Ensuring that information and resources are accessible when needed

4 Reverse CIA  Confidentiality Preventing unauthorized subjects from accessing information  Integrity Preventing unauthorized subjects from modifying information  Availability Preventing information and resources from being inaccessible when needed

5 Using the CIA  Think in terms of the core information security principles  How does this threat impact the CIA?  What controls can be used to reduce the risk to CIA?  If we increase confidentiality, will we decrease availability?

6 Security Governance  Security Governance is the organizational processes and relationships for managing risk Policies, Procedures, Standards, Guidelines, Baselines Organizational Structures Roles and Responsibilities

7 Policy Mapping Functional Policies ProceduresStandardsGuidelinesBaselines Laws, Regulations, Requirements, Organizational Goals, Objectives General Organizational Policies

8 Policies  Policies are statements of management intentions and goals  Senior Management support and approval is vital to success  General, high-level objectives  Acceptable use, internet access, logging, information security, etc

9 Procedures  Procedures are detailed steps to perform a specific task  Usually required by policy  Decommissioning resources, adding user accounts, deleting user accounts, change management, etc

10 Standards  Standards specify the use of specific technologies in a uniform manner  Requires uniformity throughout the organization  Operating systems, applications, server tools, router configurations, etc

11 Guidelines  Guidelines are recommended methods for performing a task  Recommended, but not required  Malware cleanup, spyware removal, data conversion, sanitization, etc

12 Baselines  Baselines are similar to standards but account for differences in technologies and versions from different vendors  Operating system security baselines FreeBSD 6.2, Mac OS X Panther, Solaris 10, Red Hat Enterprise Linux 5, Windows 2000, Windows XP, Windows Vista, etc

13 Organizational Structure  Organization of and official responsibilities for security vary BoD, CEO, BoD Committee CFO, CIO, CSO, CISO Director, Manager  IT/IS Security  Audit

14 Typical Org Chart Board of Directors/TrusteesPresident CIO Security Director Project Security Architect Enterprise Security Architect Security AnalystSystem Auditor

15 Security-Oriented Org Chart Board of Directors/TrusteesPresident CIO Security Director Project Security Architect Enterprise Security Architect Security Analyst System Auditor IT Audit Manager

16 Further Separation Audit Committee Board of Directors/TrusteesPresident CIO Security Director Project Security Architect Enterprise Security Architect Security Analyst System Auditor IT Audit Manager Internal Audit

17 Organizational Structure  Audit should be separate from implementation and operations Independence is not compromised  Responsibilities for security should be defined in job descriptions  Senior management has ultimate responsibility for security  Security officers/managers have functional responsibility

18 Roles and Responsibilities  Best Practices: Least Privilege Mandatory Vacations Job Rotation Separation of Duties

19 Roles and Responsibilities  Owners Determine security requirements  Custodians Manage security based on requirements  Users Access as allowed by security requirements

20 Information Classification  Not all information has the same value  Need to evaluate value based on CIA  Value determines protection level  Protection levels determine procedures  Labeling informs users on handling

21 Information Classification  Government classifications: Top Secret Secret Confidential Sensitive but Unclassified Unclassified

22 Information Classification  Private Sector classifications: Confidential Private Sensitive Public

23 Information Classification  Criteria: Value Age Useful Life Personal Association

24 Risk Management  Risk Management is identifying, evaluating, and mitigating risk to an organization It’s a cyclical, continuous process Need to know what you have Need to know what threats are likely Need to know how and how well it is protected Need to know where the gaps are

25 Identification  Assets  Threats Threat-sources: man-made, natural  Vulnerabilities Weakness  Controls Safeguard

26 Analysis/Evaluation  Quantitative Objective numeric values Cost-Benefit analysis Guesswork low  Qualitative Subjective intangible values Time involved low Guesswork high

27 Remedy/Mitigation  Reduce Use controls to limit or reduce threat  Remove Stop using it  Transfer Get insurance or outsource it  Accept Hope for the best

28 Summary  Security Management practices involve balancing security processes and proper management and oversight  Risk Management is a big part of managing holistic security of an organization

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.