Information System Security Plan Steps. STEP ONE – Understand the A sset Philosophically, we believe that “security should follow data” But we know that.

Slides:



Advertisements
Similar presentations
Driving Factors Security Risk Mgt Controls Compliance.
Advertisements

Department of Information Systems Brigham and Womens Hospital Laptop Encryption Catherine McGoldrick Schroeder Corp. Mgr, BWH IS Management & Planning.
Innovation or Necessity? ISM 158 By: Sepehr Saeb.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
© Peter Readings Data Leakage Pete Readings CISSP.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
PII Breach Management and Risk Assessment
Chapter 5: Asset Classification
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Risk Management a Case Study DATALAWS Information Technology Law Consultants Presented by F. F Akinsuyi (MSc, LLM)MBCS.
Security Controls – What Works
Course ILT Security overview Unit objectives Discuss network security Discuss security threat trends and their ramifications Determine the factors involved.
Security+ Guide to Network Security Fundamentals
Secure Data Transmission James Matheke Information Security Architect Ohio Department of Job and Family Services.
This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Risk Assessment Frameworks
Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.
Planning for Information Security and HIPAA Compliance “Security should follow data” Leo Howell, CISSP John Baines, CISSP IAS-Information Assurance & Security.
Information Security Technological Security Implementation and Privacy Protection.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Overview Of Information Security Management By BM RAO Senior Technical Director National Informatics Centre Ministry of Communications and Information.
Security Risk Assessment Applied Risk Management July 2002.
Applied Technology Services, Inc. Your Partner in Technology Applied Technology Services, Inc. Your Partner in Technology.
Risk Analysis vs Security Controls. Security Controls Risk assessment is a flawed safeguard selection method. There is a tendency to confuse security.
CAIRA is a quantitative vulnerability assessment tool for examining the physical security of energy systems (electrical, natural gas, steam and water)
ENCRYPTION Team 2.0 Pamela Dornan, Thomas Malone, David Kotar, Nayan Thakker, and Eddie Gallon.
U of Maryland, Baltimore County Risk Analysis of Critical Process –Financial Aid Adapted STAR model –Focus on process and information flow –Reduced analysis.
Securing Critical Chemical Assets: The Responsible Care ® Security Code Protection of Hazardous Installations from Intentional Adversary Acts European.
© 2001 by Carnegie Mellon University SS5 -1 OCTAVE SM Process 5 Background on Vulnerability Evaluations Software Engineering Institute Carnegie Mellon.
Security Standards and Threat Evaluation. Main Topic of Discussion  Methodologies  Standards  Frameworks  Measuring threats –Threat evaluation –Certification.
Privacy and Security Risks to Rural Hospitals John Hoyt, Partner December 6, 2013.
OCTAVE-S on TradeSolution Inc.. Introduction Phase 1: Critical Assets and threats Phase 2: Critical IT Components Phase 3: Changes Required in current.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
Database Security and Data Protection Suseel Pachalla, CISSP.
Everyone’s Been Hacked Now What?. OakRidge What happened?
Internet Security Breach & Its Impact on Business Operations Kim Nguyen Manish Shirke Wa Mo Saravanan Velrajan.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Prepared by Dept. of Information Technology & Telecommunications, November 19, 2015 Application Security Business Risk and Data Protection Gregory Neuhaus.
Risk Assessment Richard Newman. Six Phases of Security Process 1. Identify assets 2. Analyze risk of attack 3. Establish security policy 4. Implement.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”. © 2016 Pearson.
Chapter 1 COMPUTER AND NETWORK SECURITY PRINCIPLES.
Converting Policy to Reality Designing an IT Security Program for Your Campus 2 nd Annual Conference on Technology and Standards May 3, 2005 Jacqueline.
Last Minute Security Compliance - Tips for Those Just Starting 10 th National HIPAA Summit April 7, 2005 Chris Apgar, CISSP – President Apgar &
Presentation to the CIO PREPARED BY: JOSHUA SMITH, GARY FAULKNER, BRANDON VAN GUILDER, AND ERIC RUSCH.
Chap1: Is there a Security Problem in Computing?.
Information Security Measures Confidentiality IntegrityAccessibility Information cannot be available or disclosed to unauthorized persons, entities or.
CYBERSECURITY: RISK AND LIABILITY March 2, 2016 Joshua A. Mooney Co-chair-Cyber Law and Data Protection White and Williams LLP (215)
Your Cyber Security: The scope of your risk is broad and growing To understand the nature of the risk landscape look at the presentations here today-begin.
ASHRAY PATEL Securing Public Web Servers. Roadmap Web server security problems Steps to secure public web servers Securing web servers and contents Implementing.
By: Mark Reed.  Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Computer Science / Risk Management and Risk Assessment Nathan Singleton.
Jeff Warnock COSC 352 Indiana University of Pennsylvania Spring 2010.
UNIT 7 SEMINAR Unit 7 Chapter 9, plus Lab 13 Course Name – IT482 Network Design Instructor – David Roberts – Office Hours: Tuesday.
Dr. Gerry Firmansyah CID Business Continuity and Disaster Recovery Planning for IT (W-XIV)
The Business of Information Security Introducing the RSA Security Practice of EMC Consulting Dennis Pinkerton March 17, 2010 Happy St. Patrick’s Day.
Blackboard Security System
Chapter 7. Identifying Assets and Activities to Be Protected
Physical Security Governance Model
VIRTUALIZATION & CLOUD COMPUTING
Information Security Awareness
Leverage What’s Out There
Cyber Protections: First Step, Risk Assessment
Information Security based on International Standard ISO 27001
Risk Assessment Richard Newman
Security measures Introducing Risk Assessment in GDPR
Securing Critical Chemical Assets: The Responsible Care® Security Code
RISK RATING GUIDE APPENDIX C LIKELIHOOD RATING Rating Description
Security Policies and Implementation Issues
Presentation transcript:

Information System Security Plan Steps

STEP ONE – Understand the A sset Philosophically, we believe that “security should follow data” But we know that not all data were created equal Effective security begins with a solid understanding of the protected asset and its value DATA is identified as our primary asset

STEP TWO – Identify and prioritize T hreats Governance: policy breach rebellion Physical: data theft equipment theft/damage Endpoint: theft social engineering Infrastructure & Application: theft disclosure DoS unauthorized access Data: unauthorized access corruption/destruction

STEP THREE – Identify and rank V ulnerabilities Governance: policy loopholes Physical: weak perimeter open access Endpoint: ignorance Infrastructure & Application: “open” network unpatched systems/OS misconfiguration Data: unencrypted storage insecure transmission

STEP FOUR – Quantify Relative Risk, R R = µVAT The greater the number of vulnerabilities the bigger the risk The greater the value of the asset the bigger the risk The greater the threat the bigger the risk V = vulnerability A = asset T = threat µ = likelihood of T

Higher Classification implies Increased Security STEP FIVE – Develop a strategy Types of data stored, accessed, processed or transmitted dictates OPZ High - Significantly business impact - financial loss - regulatory compliance Moderate - adversely affects business and reputation Normal - minimal adverse effect on business - authorization required to modify or copy 3 virtual operational protection zones, OPZ based on Data Classification Server with Moderate data Laptop with High data

STEP SIX – Establish target standards Amount and stringency of security controls at each level varies with data classification Seven layers of protection per zones based on COBIT, ISO 27002, FIPS 200 and NIST Management & Governance 2. Access control 3. Physical security 4. Endpoint security 5. Infrastructure security 6. Application security 7. Data security

Snippet from Data Security Standard Security ControlRed ZoneYellow ZoneGreen Zone Encrypt stored data MandatoryRecommendedOptional Limit data stored to external media MandatoryRecommendedOptional Encrypt transmitted data Mandatory Recommended

STEP SEVEN – Document the plan Identify realistic solutions for applying the appropriate security controls at each level. Create a list of action items for the next 3 to 5 years Prioritize the list based on risk and reality Forecast investment Beg, kick and scream to get funding Implement the plan over time

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.