Lesson 8-Information Security Process

Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing security. Conducting awareness training. Conducting audits.

Introduction to Information Security Process The process of information security

Conducting an Assessment An assessment determines: The total value of the organization’s information assets. The size of the threats with respect to confidentiality, integrity, availability, and accountability. The vulnerabilities of the information assets and the organization. The organization’s overall risk and recommended changes to current information security policy.

Conducting an Assessment While conducting an assessment of an organization, examine: Network. Physical security measures. Existing policies and procedures. Precautions. Awareness.

Conducting an Assessment While conducting an assessment of an organization, examine (continued): Staff. Workload and employee attitude. Adherence. Business.

Network The organization's network is the easiest access point to information and systems. A network diagram helps examine each point of connectivity. Ask the network administrators which network management system is in use. Perform a vulnerability scan of all systems.

Network The protection mechanisms within a network should include: Router access control lists and firewall rules on all Internet access points. Authentication mechanisms used for remote access. Protection mechanisms on access points to other organizations. Encryption mechanisms used to protect portable computers and to transmit and store information.

Network The protection mechanisms within a network should include (continued): Anti-virus systems in place on servers, desktops, and e-mail systems. Server security configurations.

Physical Security Measures Important physical security information includes identifying: The protection mechanisms for the site, buildings, office space, paper records, and data center. The personnel responsible for physical security. The critical and sensitive areas. The location of the communication lines within the building. The types of UPS in place and how long the current UPS can sustain the load.

Physical Security Measures Important physical security information requires knowing: How power is supplied to the site and data center. The systems connected to the UPS. The environmental controls attached to the UPS in the data center. The type of suppression system in the data center. The personnel who need to be notified in case of power or environmental control failure.

Policies and Procedures Policies and procedures must be examined for relevance, appropriateness, and completeness. Procedures must define the way tasks are currently performed. Map requirements to stated goals. Update policies and procedures on a regular basis. Assess the organization's security awareness program. Examine recent incident and audit reports.

Precautions Precautions are used to restore operations when something goes wrong. Backup systems and disaster recovery plans are two components of precautions. Understand which backup system is used and how often it is used. Examine the disaster recovery plan for relevance and completeness.

Awareness Determine the staff’s level of awareness of security issues and policies. Create awareness of security threats, vulnerabilities, and signs indicating that a system is compromised. Ensure that the staff knows how to implement a disaster recovery plan.

People Examine whether the staff members have the necessary skills to implement a security program. They must understand policy work and the latest security products. Administrators must be able to administer the organization's systems and networks.

Workload and Employee Attitude Overworked employees do not contribute much to the security environment. Determine whether the workload is a temporary problem. Assess management's attitude with regard to security issues. Identify the personnel responsible for security within the organization. Employees must be aware of management's commitment to security.

Adherence Compare the intended security environment with the actual one. The intended security environment is defined by policy, attitudes, and existing mechanisms. Determine where adherence to the policy requirements is lacking.

Business Identify the cost if confidentiality, integrity, availability, or accountability of information is compromised. Measure vulnerabilities in monetary terms, downtime, lost reputation, or lost business. Identify the flow of information across the organization.

Business Identify organizational interdependencies. Identify which systems and networks are important to the primary function of the organization. Identify the back-end systems.

Assessment Results Analyze the information. Assess all security vulnerabilities. Compile a complete set of risks, ordered from high to low. Include a list of recommendations to manage each risk.

Assessment Results Present potential cost in terms of money, time, resources, reputation, and lost business. Develop a security plan. Allocate and schedule resources to handle security.
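The two "Assessment Results" slides describe a risk register: every risk scored and ordered from high to low, a recommendation attached to each, and the potential cost totalled for management. The following is an added example of such a register, not code from the lesson; the assets, threats, figures, the 1..5 likelihood and impact scales and the high/medium/low score bands are all constructed assumptions for illustration.

```python
"""Risk register for assessment results: rank risks high to low, attach a
recommendation to each, and total the potential cost.

Added example for this lesson, not part of the original slides; every asset,
threat, figure and recommendation below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    impact: int            # 1 (negligible) .. 5 (severe) loss of C/I/A/accountability
    cost_money: float      # estimated loss per incident, currency units (constructed)
    downtime_hours: float  # estimated outage per incident (constructed)
    recommendation: str    # control proposed to manage the risk


def score(risk: Risk) -> int:
    """Likelihood x impact on a 1..25 scale; rejects values off the scale."""
    for name in ("likelihood", "impact"):
        value = getattr(risk, name)
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be between 1 and 5, got {value}")
    return risk.likelihood * risk.impact


def level(score_value: int) -> str:
    """Bucket a score into the high/medium/low bands used in the report."""
    if score_value >= 15:
        return "high"
    if score_value >= 8:
        return "medium"
    return "low"


def rank(risks):
    """Order risks from high to low; ties are broken by monetary cost."""
    return sorted(risks, key=lambda r: (score(r), r.cost_money), reverse=True)


def potential_cost(risks):
    """Aggregate figures management asks for: money and downtime."""
    return {
        "cost_money": sum(r.cost_money for r in risks),
        "downtime_hours": sum(r.downtime_hours for r in risks),
    }


def report(risks):
    """One line per risk, highest first, with its recommendation."""
    lines = []
    for r in rank(risks):
        s = score(r)
        lines.append(f"[{level(s).upper():<6}] {s:2d}  {r.asset}: {r.threat} "
                     f"-> {r.recommendation}")
    return lines


# Constructed assessment results for a small organisation.
SAMPLE_RISKS = [
    Risk("customer database", "SQL injection through the web portal", 4, 5,
         250_000, 24, "parameterised queries; web application firewall"),
    Risk("payroll file share", "staff access without share permissions", 3, 4,
         40_000, 4, "restrict share ACLs; enable access auditing"),
    Risk("office wireless", "unmanaged device joins the LAN", 2, 3,
         5_000, 2, "802.1X authentication; separate guest network"),
    Risk("data centre", "power failure longer than UPS runtime", 1, 5,
         120_000, 48, "generator contract; quarterly failover test"),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RISKS)))
    print(potential_cost(SAMPLE_RISKS))
```

Ranking on a likelihood-times-impact score keeps the order defensible when management asks why one item sits above another, and the cost totals give the money and downtime figures the slide says the presentation should carry.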

Developing a Policy Policies and procedures define the expected state of an organization's security. They define the tasks to be performed during implementation. Create policies for communication, security, system usage, backup, account management, incident handling, and disaster recovery.

Developing a Policy The order in which policies are developed depends on: The criticality of the risks. The time each will take to complete. Ideally, the information policy should be completed early in the process.

Developing a Policy Existing documents require frequent updating. Use these documents and identify their deficiencies. Involve the people who developed the policies.

Implementing Security Implementation of organizational policies includes: Identification and implementation of technical tools and physical controls. Hiring of security staff. Examination of each implementation and its interactions with other controls.

Implementing Security The components to implement are: Security reporting systems. Authentication systems. Internet security. Intrusion detection systems. Encryption. Physical security. Staff.

Security Reporting Systems A security reporting system is a mechanism to track adherence to policies and procedures. It tracks the overall state of vulnerabilities within the organization. It can use manual or automated systems.

Security Reporting Systems Enforce computer use policies such as: Tracking Internet use. Restricting access and recording login attempts. Removing unwanted applications from the desktop installations.

Security Reporting Systems System vulnerability scans include: Tracking the number of systems on the network. Tracking the number of vulnerabilities on these systems. Providing vulnerability reports to system administrators for correction or explanation.

Security Reporting Systems Policy adherence is a time-consuming security task. It can be automated or manual. Automated checks require more time to set up and configure, but then provide complete results in a timely manner. In a manual system, security personnel examine and monitor all facets of the security policy.
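The "System vulnerability scans" slide lists three things a reporting system must track: how many systems are on the network, how many vulnerabilities they carry, and which reports go to which administrator for correction or explanation. The following is an added example of that bookkeeping, not code from the lesson; the host names, owners, the two scan rounds and the VULN-nnnn finding identifiers are constructed placeholders rather than real scanner output.

```python
"""Vulnerability scan tracking for a security reporting system: count systems
and findings, compare two scan rounds, and produce per-administrator reports.

Added example for this lesson, not part of the original slides. Hosts, owners
and finding identifiers (VULN-nnnn) are constructed placeholders, not real
scanner output.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str  # scanner-assigned identifier (constructed here)
    severity: str    # critical / high / medium / low


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Asset inventory: host -> responsible administrator (constructed).
INVENTORY = {"web01": "alice", "web02": "alice", "db01": "bob", "mail01": "carol"}

# Two scan rounds, a month apart (constructed).
SCAN_PREVIOUS = [
    Finding("web01", "VULN-0101", "high"),
    Finding("web01", "VULN-0102", "medium"),
    Finding("db01", "VULN-0201", "critical"),
    Finding("mail01", "VULN-0301", "low"),
]
SCAN_CURRENT = [
    Finding("web01", "VULN-0102", "medium"),    # VULN-0101 fixed on web01
    Finding("web02", "VULN-0101", "high"),      # same issue appeared on web02
    Finding("db01", "VULN-0201", "critical"),   # still open
    Finding("mail01", "VULN-0301", "low"),
    Finding("dev99", "VULN-0401", "high"),      # host missing from inventory
]


def systems_on_network(findings, inventory):
    """Every host we know of: inventoried or seen by the scanner."""
    return sorted(set(inventory) | {f.host for f in findings})


def unknown_hosts(findings, inventory):
    """Scanned hosts nobody owns: the inventory is out of date."""
    return sorted({f.host for f in findings} - set(inventory))


def counts_by_host(findings):
    """host -> {severity: count}."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in findings:
        counts[f.host][f.severity] += 1
    return {host: dict(sev) for host, sev in counts.items()}


def diff_scans(previous, current):
    """Findings new since the previous round, and findings since fixed."""
    prev, cur = set(previous), set(current)
    order = lambda f: (f.host, f.finding_id)
    return sorted(cur - prev, key=order), sorted(prev - cur, key=order)


def reports_by_admin(findings, inventory):
    """Per-administrator report lines, most severe first; orphaned hosts go
    to an UNASSIGNED bucket so someone must claim or decommission them."""
    grouped = defaultdict(list)
    for f in sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.host)):
        owner = inventory.get(f.host, "UNASSIGNED")
        grouped[owner].append(f"{f.severity:<8} {f.host:<8} {f.finding_id}")
    return dict(grouped)


if __name__ == "__main__":
    new, fixed = diff_scans(SCAN_PREVIOUS, SCAN_CURRENT)
    print(f"systems: {len(systems_on_network(SCAN_CURRENT, INVENTORY))}, "
          f"open: {len(SCAN_CURRENT)}, new: {len(new)}, fixed: {len(fixed)}")
    for admin, lines in reports_by_admin(SCAN_CURRENT, INVENTORY).items():
        print(admin)
        for line in lines:
            print("  " + line)
```

Comparing two rounds is what turns raw scanner output into a report: the administrator sees what is new, what was corrected, and, through the UNASSIGNED bucket, which systems the inventory does not yet account for.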

Authentication Systems Authentication systems are used to prove the identity of users accessing a network. These systems identify authorized users and grant them physical access to a facility. They should be implemented with proper planning. Password restrictions, smart cards, and biometrics are a few examples of authentication systems.

Internet Security The implementation of Internet security includes: Placing an access control device such as a firewall. Setting up virtual private networks (VPN). Changing network architecture.

Intrusion Detection Systems (IDS) An IDS is designed to detect any unwarranted entry into a protected area. The choice of IDS depends on the overall organizational risks and the available resources. Anti-virus software, manual and automated log examination, and host-based and network-based intrusion detection software are a few examples of IDS.

Encryption Encryption can be used to protect information in transit or while residing in storage. Choose a well-known and well-reviewed algorithm. Private key encryption is faster than public key encryption. Include an effective key management technique such as link encryptors. A system must change keys periodically.
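The slide's last two points, key management and periodic key changes, have a consequence that is easy to miss: after a rotation, data encrypted under the old key still needs that key until it has been re-encrypted, so the old version must be retired rather than destroyed. The following is an added example of that bookkeeping, not code from the lesson; the 90-day maximum key age, the key versions and the records are constructed assumptions, and the cipher call itself is out of scope and not shown.

```python
"""Key lifecycle bookkeeping for the "change keys periodically" requirement:
decide when the active key is due for rotation, rotate it, and keep retired
versions until every record encrypted under them has been re-encrypted.

Added example for this lesson, not from the original slides. The 90-day
maximum age and all record/key data are constructed assumptions; the actual
cipher is out of scope and is not shown.
"""
from __future__ import annotations
from dataclasses import dataclass, replace
from datetime import date, timedelta

MAX_KEY_AGE = timedelta(days=90)  # assumed policy value


@dataclass(frozen=True)
class KeyVersion:
    version: int
    created: date
    retired: date | None = None  # set when a newer version takes over


@dataclass(frozen=True)
class Record:
    record_id: str
    key_version: int  # version the ciphertext was produced under


def active_key(keyring):
    """The single non-retired version; a keyring must always have exactly one."""
    live = [k for k in keyring if k.retired is None]
    if len(live) != 1:
        raise ValueError(f"expected exactly one active key, found {len(live)}")
    return live[0]


def rotation_due(keyring, today):
    """True once the active key has reached the policy's maximum age."""
    return today - active_key(keyring).created >= MAX_KEY_AGE


def rotate(keyring, today):
    """Retire the active version and append a fresh one; returns a new list."""
    current = active_key(keyring)
    rotated = [replace(k, retired=today) if k is current else k for k in keyring]
    rotated.append(KeyVersion(current.version + 1, today))
    return rotated


def records_to_reencrypt(records, keyring):
    """Records still protected by a retired key."""
    active = active_key(keyring).version
    return [r for r in records if r.key_version != active]


def keys_safe_to_destroy(keyring, records):
    """Retired versions that no stored record references any more."""
    in_use = {r.key_version for r in records}
    return [k.version for k in keyring
            if k.retired is not None and k.version not in in_use]


def reencrypt(record, keyring):
    """Re-tag a record with the active version (cipher call omitted)."""
    return replace(record, key_version=active_key(keyring).version)


# Constructed sample state: one key created on 1 Jan, checked on two later dates.
SAMPLE_RING = [KeyVersion(1, date(2024, 1, 1))]
EARLY_CHECK = date(2024, 3, 1)    # 60 days old: not yet due
LATE_CHECK = date(2024, 4, 15)    # 105 days old: rotation due
SAMPLE_RECORDS = [Record("r1", 1), Record("r2", 1)]

if __name__ == "__main__":
    ring = SAMPLE_RING
    if rotation_due(ring, LATE_CHECK):
        ring = rotate(ring, LATE_CHECK)
    print("pending:", [r.record_id for r in records_to_reencrypt(SAMPLE_RECORDS, ring)])
    data = [reencrypt(r, ring) for r in SAMPLE_RECORDS]
    print("destroy:", keys_safe_to_destroy(ring, data))
```

Versioning the key and tagging each record with the version it was written under is what makes the rotation safe: `keys_safe_to_destroy` stays empty until the last old record has been re-encrypted.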

Physical Security Ensure that a proper procedure for authenticating users is in place. Restrict access to the data center. Protect the data center from fire, high temperature, and power failure. Remodel the data center to implement fire suppression and temperature control. Plan for disruptions due to the implementation of a UPS.

Staff Hire skilled staff: Who can handle the security implementation. Who can conduct awareness training programs. Who will be responsible for the security of the organization.

Conducting Awareness Training Conduct awareness training to provide necessary information to: Employees. Administrators. Developers. Executives. Security staff.

Employees Employees should know the importance of security. They must be trained to identify and protect sensitive information. Ensure that the employees are aware of the organization policy, password selection, and prevention of attacks.

Administrators System administrators must be kept up to date on the latest hacker techniques, security threats, and security patches. Include updates in regular administration staff meetings. Send updates to administrators as soon as they are prepared.

Developers Developers should know proper programming techniques to reduce security vulnerabilities. They should have a proper understanding of the security department’s role during the development process. Security issues must be addressed in the design phase.

Executives Management must be informed of the state of security and the progress of the program. Periodic presentations must include the results of recent assessments and the status of the various security projects. Metrics that indicate the risks to the organization must be a part of such reports.

Security Staff Security staff must be kept up-to-date to help them provide appropriate services to the organization. Conduct both internal and external training programs. Include security-related topics in the training sessions.

Conducting Audits An audit is the final step in the information security process. It ensures that controls are configured correctly and map to the policy.

Types/Components of Audits Policy adherence audits. Periodic and new project assessments. Penetration tests.

Policy Adherence Audits A policy adherence audit determines whether or not the system configurations adhere to the policy. This is the traditional audit function. Any variations are recorded as violations. Conduct periodic audits of the implementation of the information policy and the storage of sensitive documents.
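This slide, like the earlier "Security Reporting Systems" slide on automated adherence checks, comes down to the same operation: compare each system's configuration with what the written policy requires and record every variation as a violation. The following is an added example serving both passages, not code from the lesson; the policy settings, the check kinds and the three host configuration snapshots are constructed, and a real audit would collect them from the hosts or a configuration database.

```python
"""Policy adherence audit: compare each system's recorded configuration with
the written policy and record every variation as a violation.

Added example for this lesson, not from the original slides. The policy
values and host configurations are constructed; a real audit would read them
from the configuration management database or the hosts themselves.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Violation:
    host: str
    control: str
    expected: str
    actual: str


# Policy as control -> (check kind, requirement). Constructed values.
POLICY = {
    "password_min_length": ("min", 12),
    "password_max_age_days": ("max", 90),
    "remote_root_login": ("equals", False),
    "services": ("forbidden", {"telnet", "ftp"}),
}

# Configuration snapshots as collected from each system (constructed).
HOSTS = {
    "web01": {"password_min_length": 14, "password_max_age_days": 60,
              "remote_root_login": False, "services": {"ssh", "https"}},
    "db01": {"password_min_length": 8, "password_max_age_days": 60,
             "remote_root_login": True, "services": {"ssh", "postgres"}},
    # Partial snapshot: settings that were not collected cannot be assumed compliant.
    "legacy01": {"password_min_length": 12, "services": {"telnet", "ssh"}},
}


def check(control, rule, actual):
    """Return None when compliant, otherwise (expected, actual) as strings."""
    kind, requirement = rule
    if kind == "min":
        return None if actual >= requirement else (f">= {requirement}", str(actual))
    if kind == "max":
        return None if actual <= requirement else (f"<= {requirement}", str(actual))
    if kind == "equals":
        return None if actual == requirement else (str(requirement), str(actual))
    if kind == "forbidden":
        present = sorted(set(actual) & requirement)
        if not present:
            return None
        return (f"none of {sorted(requirement)}", ", ".join(present))
    raise ValueError(f"unknown check kind {kind!r} for control {control}")


def audit(policy, hosts):
    """Every variation from policy, including settings the snapshot lacks."""
    violations = []
    for host, config in sorted(hosts.items()):
        for control, rule in policy.items():
            if control not in config:
                violations.append(Violation(host, control, "recorded value", "not collected"))
                continue
            result = check(control, rule, config[control])
            if result is not None:
                violations.append(Violation(host, control, *result))
    return violations


def summary(violations, hosts):
    """host -> number of violations, with zero for fully compliant hosts."""
    counts = {host: 0 for host in hosts}
    for v in violations:
        counts[v.host] += 1
    return counts


if __name__ == "__main__":
    found = audit(POLICY, HOSTS)
    for v in found:
        print(f"{v.host:<9} {v.control:<24} expected {v.expected}, actual {v.actual}")
    print(summary(found, HOSTS))
```

Treating a missing setting as a violation rather than a pass is deliberate: an incomplete snapshot is exactly the kind of variation the audit exists to surface, and the host's owner can then explain or correct it.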

Periodic and New Project Assessments Changes in computer and network environments result in changes in risks, and therefore in assessments. A full assessment of the organization should be performed periodically. Major audits and assessments must be done by an external firm.

Penetration Tests A penetration test attempts to exploit an identified vulnerability to gain access to systems and information. Test the effectiveness of controls using penetration tests. Physical penetration tests involve individuals who attempt to gain unauthorized access to a facility. Social engineering tests check whether employees can be induced to divulge classified information.

Summary Conducting an information security assessment involves determining the value of an organization’s information assets. Policies and procedures define the work to be performed during implementation. The implementation of policy involves identification and implementation of tools and controls.

Summary Awareness training provides necessary security information to employees. Audits ensure that policies are being implemented and followed.