Security Beyond the Firewall Protecting Information in the Enterprise.


2 Security Beyond the Firewall Most organizations have the following: firewall, antivirus software, intrusion detection, intrusion prevention, and authentication technologies.

3 Security Beyond the Firewall However, the monitoring and assessment responsibilities are either overlooked, underfunded, not done properly, or not done at all!

4 Security Beyond the Firewall An Information Security Policy is a set of documents that states in writing how a company plans to protect the company's physical and information technology assets. It is considered to be a living document, meaning that the document is continuously updated as technology and employee requirements change.

5 Security Beyond the Firewall Most policies will include an Acceptable Use Policy, which is a description of how the company plans to educate its employees about protecting the company's assets, an explanation of how security measures will be carried out and enforced, and a procedure for evaluating the effectiveness of the security policy to ensure the necessary corrections will be made. Source: searchSecurity.com

6 Security Beyond the Firewall What steps are required in writing an Information Security Policy? 1. Commitment 2. Risk Assessment 3. Risk Mitigation 4. The Policy Document

7 Security Beyond the Firewall COMMITMENT You need commitment from upper management. They must be made aware of the magnitude of losses in case of a security breach of the company network. You must understand the corporate vision and business objectives and how IT fits in with corporate plans. Analyze the following: What are the information assets of the company in terms of hardware and software, including the network, as well as the future investment plan in IT/IS? What is the company's dependence on IT in real, measurable terms such as financial benefits, better service to clients, improved image and market share? How much will the company suffer due to any loss, leakage or distortion of information?

8 Security Beyond the Firewall RISK ASSESSMENT Document every risk: risks the company may have encountered in the past; risks faced by companies in a similar business; risks faced by companies in the same geographical area; risks faced by companies using the same technology; and any other risk that may impact the company's business.

9 Security Beyond the Firewall RISK MITIGATION Security can never be achieved through a single tier of defense. We need to have multiple layers to protect our assets. For each security risk that we have tabulated, we should identify the preventive measures that could be used to reduce the risk. The measures for risk mitigation could be: administrative measures, physical measures, and technical measures.

10 Security Beyond the Firewall Administrative measures consist of policies, procedures, standards and guidelines; personnel screening; and security awareness training. Physical measures could be perimeter control measures, physical access control, intruder detection, fire protection, and environmental monitoring. Technical measures will include logical access control, network access controls, identification and authentication devices, and data encryption.

11 Security Beyond the Firewall Designing, documenting, implementing and monitoring security policies is a lot of administrative work. In fact, security is 75 percent administrative grind and only 25 percent technical efforts. Not a very glamorous affair, but essential. Policies are the preventive controls. Source: The importance of having an Information Security policy is now being acknowledged even by top management. But how do you go about writing an Information Security policy? by Avinash Kadam

12 Security Beyond the Firewall Natural and Environmental Threats: Disaster recovery (*Business Continuity Planning); Backup and recovery; WAN recovery. Human Threats: Password Security & Controls; Internet access and security.

13 Security Beyond the Firewall security: Technical controls; Logical Access Controls; Program Change Controls; Version Controls; Application Software Security. Database Security: Network & Telecommunication Security Administration; Data Access Roles.

14 Security Beyond the Firewall Operating Systems Security: Firewall Security; Data Classification; Web Server Security; Intranet Security; Virus Protection; E-commerce Security; Data Encryption.

15 Security Beyond the Firewall Administrative Controls: Physical Security; Incident Response Management; Punitive Actions.

16 Security Beyond the Firewall THE POLICY DOCUMENT The Information Security Policy has to be understood and followed by all employees. It should be brief but cover all aspects.

17 Security Beyond the Firewall Policy Statement: Outline the objective of the policy. Emphasize the actual risks that will be addressed by this policy. Make it as close to the company's business as possible so that the reader is convinced of the necessity of the policy. Policy Scope: Specify the areas of concern which the policy will address. This will list the organizational units, individuals and technical systems covered by the policy. Validity: Define the life-span of the policy and when it will be reviewed next. The review must be done at least once a year to keep the policy current.

18 Security Beyond the Firewall Owner: The author of the policy should be a respected IS professional. This will ensure responsibility and accountability. This is even more important when drafting policies of a technical nature. Review details: Record of previous reviews and the changes made in each.

19 Security Beyond the Firewall Compliance requirements: Punitive actions that should be taken if the policy is not adhered to. This of course needs clearance from HR, but its absence will make the policies 'best ignored practices' instead of 'best practices'. Names of the appointed persons who will enforce these policies. Policy details: After the above preamble, here is the real policy.

20 Security Beyond the Firewall Specific issues that the policy is addressing: Give the background, describe the risks that have been identified, and state the security expectations that the policy will fulfill. Best practices: Give a detailed list of recommended best practices. Mandatory practices: This is the minimum standard which has to be implemented.

21 Security Beyond the Firewall Procedure for implementation: A step-by-step procedure which will be followed for implementation of the policy. There will be references to forms, templates, standards, guidelines etc., which could be given as an annex. Monitoring and reporting mechanism to ensure proper implementation: How compliance will be monitored. How non-compliance will be reported and what actions would be taken.

22 Security Beyond the Firewall Essential Policies: List the essential policies under various and applicable controls. Source: The importance of having an Information Security policy is now being acknowledged even by top management. But how do you go about writing an Information Security policy? by Avinash Kadam

23 Security Beyond the Firewall Example of an Information Security Policy concentrating on e-mail. The Policy Details section should cover the following: Confidentiality of information: e-mail should not be used for confidential information exchange. The sender will be totally responsible for the content of the information. No sensitive information like passwords, PINs or credit card details should ever be sent by e-mail.

24 Security Beyond the Firewall Appropriate Use: Use of e-mail will be restricted to business use only. No obscene or profane message should be sent. E-mail should not be used for sending spam mail. E-mail should not be used to transmit chain mails, greetings, graphics etc. E-mails should not be automatically forwarded to addresses outside the company. The size of an e-mail should be restricted to within approved limits.

25 Security Beyond the Firewall Management Authority: Management could use its right to monitor e-mails. Management could store e-mails for retrieval at a later date for any legal purpose. Any encryption done to attachments should be with the company's approval, and the encryption key should be stored for retrieval when necessary.

26 Security Beyond the Firewall Disclaimer Notice: Since e-mail is not a secure medium and it is very easy to read, copy or alter an e-mail, put a disclaimer similar to the one given below. The company can at least protect itself from any misuse.

27 Security Beyond the Firewall "The information in this mail is confidential and is intended solely for the addressee. Access to this mail by anyone else is unauthorized. Any copying or further distribution beyond the original recipient is not intended and may be unlawful. The opinion expressed in this mail is that of the sender and does not necessarily reflect that of the XXX company."
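As an added example that is not part of the presentation, the e-mail policy rules from slides 23 to 26 (no credentials or card numbers in mail, no automatic forwarding outside the company, an approved size limit, and the disclaimer notice) are written as a compliance check that a mail gateway could run over outbound messages. The company domain, the size limit, and the assumption that a forwarding gateway marks auto-forwarded mail with an Auto-Submitted header are constructed for the example.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Policy parameters: constructed for this example, not taken from the presentation.
COMPANY_DOMAIN = "example.com"            # hypothetical company domain
MAX_SIZE_BYTES = 5 * 1024 * 1024          # hypothetical "approved limit" for message size
DISCLAIMER = "The information in this mail is confidential"  # opening of the slide's notice

CRED_RE = re.compile(r"\b(?:password|passwd|pin)\s*(?:is|[:=])\s*\S+", re.I)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # candidate card numbers, spaces/dashes allowed

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that random 13-16 digit order numbers are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def check_message(msg: EmailMessage) -> list[str]:
    """Return the policy rules an outbound message violates (empty list means compliant)."""
    findings = []
    text = msg.get_content() if not msg.is_multipart() else ""
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    external = [a for _, a in recipients if a.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN]
    # Assumption: the forwarding gateway sets Auto-Submitted (RFC 3834) on auto-forwarded mail.
    if external and msg.get("Auto-Submitted", "no").lower() != "no":
        findings.append("auto-forward-external")
    if len(msg.as_bytes()) > MAX_SIZE_BYTES:
        findings.append("oversized")
    if CRED_RE.search(text):
        findings.append("credential-in-body")
    cards = (re.sub(r"\D", "", m.group()) for m in CARD_RE.finditer(text))
    if any(13 <= len(d) <= 16 and luhn_ok(d) for d in cards):
        findings.append("card-number-in-body")
    if DISCLAIMER not in text:
        findings.append("missing-disclaimer")
    return findings

def build(to: str, body: str, auto: str = "") -> EmailMessage:
    """Build a constructed sample message (hypothetical sender and recipients)."""
    msg = EmailMessage()
    msg["From"] = "alice@" + COMPANY_DOMAIN
    msg["To"] = to
    if auto:
        msg["Auto-Submitted"] = auto
    msg.set_content(body)
    return msg

# Constructed samples: one compliant message and one breaking several rules at once.
GOOD = build("bob@example.com", "Q3 report attached.\n\n" + DISCLAIMER + " and is intended solely for the addressee.")
BAD = build("someone@external.invalid", "The PIN is 4321, card 4111 1111 1111 1111.", auto="auto-forwarded")
```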

28 Security Beyond the Firewall U.S. Federal Security Legislation and Regulations: The U.S. National Strategy to Secure Cyberspace; SANS Internet Storm Center; InfraGard.

29 Security Beyond the Firewall Eric D. Jordan Ernesto T. Negron