Security in Practice Enterprise Security

Business Continuity
Ability of an organization to maintain its operations and services in the face of a disruptive event
  – Computer attack
  – Natural disaster
Many organizations are either unprepared or have not tested their plans
Common elements
  – Redundancy planning
  – Disaster recovery procedures
  – Incident response procedures

Redundancy Planning
Building excess capacity in order to protect against failures
Servers
  – Protect against single point of failure
  – Redundant servers or parts
    – May take too long to get back online
  – Server cluster
    – Design the network infrastructure so that multiple servers are incorporated into the network
    – Types: asymmetric and symmetric

Redundancy Planning (cont’d.)
[Figure: Server cluster]

Redundancy Planning (cont’d.)
Storage
  – Hard disk drives often are the first component of a system to fail
  – Implement RAID (Redundant Array of Independent Drives) technology
    – Uses multiple hard disk drives for increased reliability and performance
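The slide says RAID uses several drives for reliability but not how a failed drive can be reconstructed. The following is an added example, not code from the slides: it models the XOR parity scheme used by RAID 5 with in-memory byte strings standing in for drives (the 4-byte chunk size, the 4-drive array and the payload are all constructed), writes data in stripes with rotating parity, "kills" one drive and rebuilds it from the survivors.

```python
"""Demonstration of how a RAID array survives a single drive failure.

Added example (not from the slides): the XOR parity scheme used by RAID 5
is modelled with in-memory byte strings standing in for physical drives.
"""
from __future__ import annotations

CHUNK = 4  # bytes per stripe unit; tiny so the example stays readable (constructed value)


def xor_bytes(*blocks: bytes) -> bytes:
    """XOR an arbitrary number of equal-length byte blocks together."""
    result = bytearray(len(blocks[0]))
    for block in blocks:
        assert len(block) == len(result), "stripe units must be the same size"
        for i, b in enumerate(block):
            result[i] ^= b
    return bytes(result)


def write_stripes(data: bytes, n_drives: int) -> list[list[bytes]]:
    """Split *data* into stripes across n_drives drives, with rotating parity.

    Returns drives[d] = list of chunks held by drive d. Each stripe has
    n_drives - 1 data chunks and one parity chunk; the parity position rotates
    per stripe so no single drive becomes a write hotspot (as in RAID 5).
    """
    data_per_stripe = CHUNK * (n_drives - 1)
    pad = (-len(data)) % data_per_stripe          # zero-pad so the last stripe is full
    data = data + b"\0" * pad
    drives: list[list[bytes]] = [[] for _ in range(n_drives)]
    for s in range(len(data) // data_per_stripe):
        segment = data[s * data_per_stripe:(s + 1) * data_per_stripe]
        chunks = [segment[i:i + CHUNK] for i in range(0, data_per_stripe, CHUNK)]
        parity = xor_bytes(*chunks)
        parity_drive = s % n_drives
        it = iter(chunks)
        for d in range(n_drives):
            drives[d].append(parity if d == parity_drive else next(it))
    return drives


def rebuild_drive(drives: list[list[bytes | None]], failed: int) -> list[bytes]:
    """Reconstruct the failed drive's chunks from the surviving drives.

    Because parity = XOR of the data chunks, any single missing chunk equals the
    XOR of all the others in its stripe, whether it held data or parity.
    """
    rebuilt = []
    for s in range(len(drives[0])):
        survivors = [drives[d][s] for d in range(len(drives)) if d != failed]
        rebuilt.append(xor_bytes(*survivors))
    return rebuilt


def read_data(drives: list[list[bytes]], length: int) -> bytes:
    """Reassemble the original data from the array, skipping parity chunks."""
    n_drives = len(drives)
    out = bytearray()
    for s in range(len(drives[0])):
        parity_drive = s % n_drives
        for d in range(n_drives):
            if d != parity_drive:
                out += drives[d][s]
    return bytes(out[:length])


def demo() -> bool:
    """Write a payload, lose one drive, rebuild it, and confirm nothing was lost."""
    payload = b"business continuity depends on redundancy"   # constructed sample data
    drives = write_stripes(payload, n_drives=4)
    original = [list(d) for d in drives]
    failed = 2
    drives[failed] = [None] * len(drives[failed])            # simulate a dead drive
    drives[failed] = rebuild_drive(drives, failed)
    return drives[failed] == original[failed] and read_data(drives, len(payload)) == payload


if __name__ == "__main__":
    print("rebuild succeeded:", demo())
```

The point worth noticing is in `rebuild_drive`: it does not care whether the missing chunk was data or parity, which is exactly why a single failure is recoverable and a second failure before the rebuild finishes is not; the rebuild window is the residual risk the page's "redundant servers or parts may take too long to get back online" bullet is pointing at.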

Redundancy Planning (cont’d.)
Networks
  – Redundant network ensures that network services are always accessible
  – Virtually all network components can also be duplicated

Redundancy Planning (cont’d.)
Power
  – Uninterruptible power supply (UPS)
    – Device that maintains power to equipment in the event of an interruption in the primary electrical power source
    – On-line
    – Off-line
  – Backup generator

Redundancy Planning (cont’d.)
Sites
  – Hot site
    – Run by a commercial disaster recovery service
    – Allows a business to continue computer and network operations to maintain business continuity
  – Cold site
    – Provides office space
    – Customer must provide and install all the equipment needed to continue operations

Redundancy Planning (cont’d.)
  – Warm site
    – All of the equipment installed
    – Does not have active Internet or telecommunications facilities
    – Does not have current backups of data

Disaster Recovery Procedures
Procedures and processes for restoring an organization’s operations following a disaster
Focuses on restoring computing and technology resources to their former state
Planning
  – Disaster recovery plan (DRP)
    – Written document
    – Details the process for restoring computer and technology resources

Disaster Recovery Procedures (cont’d.)
Common features of DRP
  – Purpose and scope
  – Recovery team
  – Preparing for a disaster
  – Emergency procedures
  – Restoration procedures

Disaster Recovery Procedures (cont’d.)
[Figure: Sample from a DRP]

Disaster Recovery Procedures (cont’d.)
Disaster exercises
  – Test the effectiveness of the DRP
  – Objectives
    – Test the efficiency of interdepartmental planning and coordination in managing a disaster
    – Test current procedures of the DRP
    – Determine the strengths and weaknesses in disaster responses

Disaster Recovery Procedures (cont’d.)
Enterprise data backups
  – Significantly different from those for a home user
  – Disk to disk (D2D)
  – Continuous data protection (CDP)

Incident Response Procedures
What is forensics?
  – Forensics
    – Application of science to questions that are of interest to the legal profession
  – Computer forensics
    – Attempt to retrieve information that can be used in the pursuit of the attacker or criminal
Importance of computer forensics is due in part to
  – High amount of digital evidence
  – Increased scrutiny by the legal profession
  – Higher level of computer skill by criminals

Incident Response Procedures (cont’d.)
Responding to a computer forensics incident
  – Secure the crime scene
    – Response team must be contacted immediately
    – Document physical surroundings
    – Take custody of computer
    – Interview users and document information
  – Preserve the evidence
    – First capture any volatile data
      – Random access memory (RAM)
    – Mirror image backup or bit-stream backup

Incident Response Procedures (cont’d.)
  – Establish the chain of custody
    – Documents that the evidence was under strict control at all times
    – No unauthorized person was given the opportunity to corrupt the evidence
  – Examine the evidence
    – Mirror image is examined to reveal evidence
    – Mine and expose hidden clues
      – Windows page file
      – Slack
      – Metadata
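The two preceding slides ask for a bit-stream backup and then a chain of custody showing the evidence was never altered. The script below is an added example, not material from the slides or the textbook: it makes a byte-for-byte copy of a (constructed) source file, hashes both sides to confirm the acquisition, records every hand-off in a JSON-lines custody log together with the image's SHA-256 at that moment, and re-verifies the image against every logged hash. The file names, handler names and the one-byte tampering in `demo()` are all constructed.

```python
"""Evidence integrity and chain-of-custody log for a bit-stream image.

Added example (not from the slides). A forensic copy is only useful if the
examiner can show it has not changed since acquisition; the conventional way
is a cryptographic hash recorded at acquisition time and re-checked at every
hand-off. The image and log here are constructed in a temporary directory.
"""
from __future__ import annotations

import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path: str, algorithm: str = "sha256") -> str:
    """Hash a file in 1 MiB blocks so large disk images need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source_path: str, image_path: str) -> str:
    """Make a byte-for-byte copy (the 'bit-stream backup') and return its hash.

    Source and copy are hashed independently, so a copy error during
    acquisition is caught before anyone relies on the image.
    """
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(1 << 20), b""):
            dst.write(block)
    source_hash, image_hash = hash_file(source_path), hash_file(image_path)
    if source_hash != image_hash:
        raise RuntimeError("image does not match source; acquisition failed")
    return image_hash


def log_custody(log_path: str, image_path: str, handler: str, action: str) -> dict:
    """Append a custody entry: who did what to the image, when, and its hash then."""
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": action,
        "image": os.path.basename(image_path),
        "sha256": hash_file(image_path),
    }
    with open(log_path, "a") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_custody(log_path: str, image_path: str) -> bool:
    """True only if the image still matches the hash recorded at every hand-off."""
    current = hash_file(image_path)
    with open(log_path) as log:
        entries = [json.loads(line) for line in log if line.strip()]
    return bool(entries) and all(e["sha256"] == current for e in entries)


def demo() -> tuple[bool, bool]:
    """Run an acquisition and two hand-offs, then alter one byte of the image.

    Returns (verified before tampering, verified after tampering).
    """
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "suspect_disk.bin")   # constructed stand-in for a drive
        image = os.path.join(tmp, "evidence_001.img")    # constructed image name
        log = os.path.join(tmp, "custody.jsonl")
        with open(source, "wb") as f:
            f.write(b"constructed disk contents " * 1000)
        acquire_image(source, image)
        log_custody(log, image, "first responder", "acquired image")
        log_custody(log, image, "examiner", "received image for analysis")
        ok_before = verify_custody(log, image)
        with open(image, "r+b") as f:       # a single changed byte breaks the chain
            f.seek(10)
            f.write(b"X")
        ok_after = verify_custody(log, image)
    return ok_before, ok_after


if __name__ == "__main__":
    print("verified before / after tampering:", demo())
```

In practice the custody log is kept apart from the image (and often signed), because a log stored next to the evidence can be rewritten by whoever alters the evidence; the hash-at-every-hand-off pattern is what lets the examiner state that the examined mirror image is the one acquired at the scene.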

[Figure: Slack]
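Slack is listed above as a place to "mine and expose hidden clues" but the slides do not show why data survives there. The following added example (not from the slides) simulates a filesystem that allocates fixed-size clusters without wiping the unused tail of the last one: a longer file is written, a shorter file is then stored in the same starting cluster, and the bytes between the new file's logical end and the cluster boundary are carved out. The 512-byte cluster size, the in-memory "disk" and both file contents are constructed for illustration.

```python
"""File slack: why old content survives inside a cluster after a rewrite.

Added example (not from the slides). A filesystem allocates storage in fixed
size clusters; a file that does not fill its last cluster leaves the remainder
(the 'slack') holding whatever was written there before. The 'disk' here is a
constructed bytearray with a 512-byte cluster size.
"""
from __future__ import annotations

CLUSTER = 512  # constructed cluster size; real filesystems typically use 4 KiB and up


def allocate(disk: bytearray, start_cluster: int, content: bytes) -> int:
    """Write *content* at a cluster boundary without zeroing the unused tail,
    as many filesystems do, and return the number of clusters the file occupies."""
    n_clusters = -(-len(content) // CLUSTER)          # ceiling division
    offset = start_cluster * CLUSTER
    disk[offset:offset + len(content)] = content
    return n_clusters


def file_slack(disk: bytearray, start_cluster: int, logical_size: int) -> bytes:
    """Return the bytes between a file's logical end and the end of its last cluster.

    A file that exactly fills its clusters has no slack, so an empty result is
    the normal case for such files, not an error.
    """
    n_clusters = -(-logical_size // CLUSTER)
    start = start_cluster * CLUSTER + logical_size
    end = (start_cluster + n_clusters) * CLUSTER
    return bytes(disk[start:end])


def demo() -> tuple[int, bytes]:
    """Overwrite a long file with a short one and carve the slack of the new file.

    Returns (slack length, bytes of the old file recovered from the slack).
    """
    disk = bytearray(4 * CLUSTER)
    old = b"Q3 payroll export: " + b"0123456789" * 60    # 619 bytes -> 2 clusters (constructed)
    allocate(disk, 0, old)
    new = b"meeting notes"                                # 13 bytes, reuses cluster 0 (constructed)
    allocate(disk, 0, new)
    slack = file_slack(disk, 0, len(new))
    return len(slack), slack


if __name__ == "__main__":
    length, recovered = demo()
    print(f"{length} bytes of slack, starting with {recovered[:20]!r}")
```

Note that only the tail of cluster 0 counts as slack here; the rest of the old file still sits in cluster 1, which is now unallocated space, and an examiner would carve that separately. The same reasoning is why a disposal policy (covered later in the deck) has to specify wiping, not just deletion.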

Security Policies
Plans and policies must be established by the organization
  – To ensure that people correctly use the hardware and software defenses
Organizational security policy

What Is a Security Policy?
Document that outlines the protections that should be enacted
Functions
  – Communicate the organization’s information security culture and acceptable information security behavior
  – Detail specific risks and how to address them
  – Help to create a security-aware organizational culture
  – Ensure that employee behavior is directed and monitored to ensure compliance with security requirements

Balancing Trust and Control
Approaches to trust
  – Trust everyone all of the time
  – Trust no one at any time
  – Trust some people some of the time
Deciding on the level of control for a specific policy is not always clear
Not all users have positive attitudes toward security policies

Balancing Trust and Control (cont’d.)
[Table: Possible negative attitudes toward security]

Designing a Security Policy
Definition of a policy
  – Characteristics
    – Communicate a consensus of judgment
    – Define appropriate behavior for users
    – Identify what tools and procedures are needed
    – Provide directives for Human Resource action in response to inappropriate behavior
    – May be helpful in the event that it is necessary to prosecute violators

Designing a Security Policy (cont’d.)
Due care
  – Obligations imposed on owners and operators of assets
  – Exercise reasonable care of the assets and take necessary precautions to protect them
  – Care that a reasonable person would exercise under the circumstances
  – Examples

Designing a Security Policy (cont’d.)
The security policy cycle
  – Three-phase cycle
    – Performing a risk management study
      – Asset identification
      – Threat identification
      – Vulnerability appraisal
      – Risk assessment
      – Risk mitigation
    – Creating a security policy based on the information from the risk management study
    – Reviewing the policy for compliance

Designing a Security Policy (cont’d.)
[Figure: Security policy cycle]
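The risk management study on the preceding slide lists five steps but gives no sense of what its output looks like. Below is an added example, not from the slides, that models those steps as a small risk register: each entry pairs an asset, a threat and a vulnerability (steps 1 to 3), scores it on constructed 1 to 5 likelihood and impact scales (step 4), and a threshold splits the ranked register into risks to treat and risks to accept (step 5). The register entries, the scales and the threshold of 10 are all constructed; a real study would use the organization's own scales and data.

```python
"""Risk management study: score and rank asset/threat/vulnerability combinations.

Added example (not from the slides). The five steps on the slide (asset
identification, threat identification, vulnerability appraisal, risk
assessment, risk mitigation) are modelled as a small risk register. The 1-5
scales, the register entries and the mitigation threshold are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str          # asset identification
    threat: str         # threat identification
    vulnerability: str  # vulnerability appraisal
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        """Risk assessment: a simple likelihood x impact rating (constructed scale)."""
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1-5 scale")
        return self.likelihood * self.impact


def rank_risks(register: list[Risk]) -> list[Risk]:
    """Order the register highest score first; ties broken by impact, then asset name."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.asset))


def mitigation_plan(register: list[Risk], threshold: int) -> dict[str, list[Risk]]:
    """Risk mitigation: decide which risks are treated now and which are accepted.

    Anything scoring at or above *threshold* is queued for treatment; the rest
    are accepted and re-examined when the policy cycle repeats.
    """
    ranked = rank_risks(register)
    return {
        "treat": [r for r in ranked if r.score >= threshold],
        "accept": [r for r in ranked if r.score < threshold],
    }


# Constructed register for a small organization; values are illustrative only.
REGISTER = [
    Risk("customer database", "ransomware", "unpatched file server", 4, 5),
    Risk("customer database", "flood", "server room in basement", 2, 5),
    Risk("public web site", "defacement", "outdated CMS plugin", 3, 2),
    Risk("office laptops", "theft", "no full-disk encryption", 3, 4),
    Risk("printers", "misuse", "default admin password", 2, 1),
]

if __name__ == "__main__":
    plan = mitigation_plan(REGISTER, threshold=10)
    for bucket, risks in plan.items():
        print(bucket.upper())
        for r in risks:
            print(f"  {r.score:2d}  {r.asset}: {r.threat} via {r.vulnerability}")
```

The ranked output is what the second phase of the cycle (writing the policy) consumes: the treated risks become the controls the policy mandates, and the accepted ones are the residual risk that management signs off on, which is what makes the "reviewing the policy for compliance" phase a re-run of the same study rather than a separate activity.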

Types of Security Policies
Acceptable use policy (AUP)
  – Defines the actions users may perform while accessing systems and networking equipment
  – Unacceptable use may also be outlined by the AUP
Security-related human resource policy
  – Includes statements regarding how an employee’s information technology resources will be addressed
  – Presented at an orientation session when the employee is hired
  – May contain a due process statement

[Table: Types of security policies]

Types of Security Policies (cont’d.)
Personally identifiable information (PII) policy
  – Outlines how the organization uses personal information it collects
Disposal and destruction policy
  – Addresses the disposal of resources that are considered confidential

Types of Security Policies (cont’d.)
[Figure: Sample PII (privacy) policy]

Types of Security Policies (cont’d.)
Ethics policy
  – Refocus attention on ethics in the enterprise
  – Written code of conduct
  – Central guide and reference for employees in support of day-to-day decision making

Summary
Redundancy planning
  – Building excess capacity in order to protect against failures
Disaster recovery
  – Procedures and processes for restoring an organization’s operations following a disaster
Forensic science
  – Application of science to questions that are of interest to the legal profession

Summary (cont’d.)
Security policy
  – Written document that states how an organization plans to protect the company’s information technology assets