Chapter 6 of the Executive Guide manual Technology.

Presentation transcript:

Chapter 6 of the Executive Guide manual Technology

Intro & Overview
– It is more important to deploy a few products successfully than to implement every security product with minimal success.
– It is also important to have processes and procedures that ensure the ongoing effectiveness of the security products implemented.
– You must evaluate the current environment in order to plan for the desired future environment.
– Assess technology strategy, components and administration to determine the effectiveness of the security program.

Technology Strategy
– Constant change in the business requires IT to regularly update its IT security strategy as well.
– The IT architecture should address best practice and growth opportunities through a zone and layering security schema.
– Zoning and layering restrict access and protect critical systems at the gateway, server and client levels.

Technology Components
– The complexity of the deployed technology depends on the business and the maturity of the security program.
– Basic technology starts with Authentication, Authorization and Accounting (AAA), then anti-virus and firewalls.
– Anti-virus can protect the gateway, server and client.
– Firewalls filter traffic so that only authorized traffic passes.

Technology Components Cont.
– Vulnerability management and intrusion detection/prevention (IDS/IPS) tools work to monitor and protect systems against viruses and intrusions.
– A small company may not have the resources or tools necessary to secure its information assets.
– Outsourcing is an option, but make sure to do due diligence on the vendor to ensure they meet your requirements.

Technology Administration
– Independent evaluation of your security program is important and can include:
– Penetration tests
– Risk assessment
– Audits
– Metrics reporting is critical to give Executive Management and the Board the basis for their support and funding.
– Change management is important to stay current with changing threats and requirements.

Design Future State of Technology Strategy
– Separate your infrastructure into digital zones and layers.
– Digital zoning divides the environment into zones with defined security levels and priority.
– Mission-critical zone: requires the highest level of security standards to be applied.
– Critical zone: requires medium-level security application.
– See Figure 6-1 for the graphic layout.

Extranet
– Allows customers and business partners to access limited resources to conduct business.
– The extranet connects to the Internet, so it is best practice to deploy a few tools, including:
– Network-based intrusion detection
– Network vulnerability management
– Host-based intrusion detection
– Network intrusion prevention

Intranet
– This is where most normal front-end business activities are processed by employees, contractors, consultants, business partners and others.
– Deployed security should include:
– Role-based user administration (access based on job responsibilities and the least-privilege concept)
– Access control with user ID and password at minimum
– Required periodic password changes
– Deactivation of accounts after 60 days of inactivity
– Connection scan
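As an added illustration of the intranet account controls above (example code, not from the guide): a small Python audit of constructed user records that flags accounts inactive for more than 60 days for deactivation, checks password age against an assumed 90-day maximum, and reports permissions that exceed an assumed role-to-permission table (least privilege). The user records, the 90-day figure and the role table are assumptions made for this example.

```python
from datetime import date

# 60 days comes from the slide; the 90-day password age and the
# role-to-permission table below are assumptions for this example.
INACTIVITY_LIMIT_DAYS = 60
PASSWORD_MAX_AGE_DAYS = 90
ROLE_PERMISSIONS = {
    "clerk": {"orders.read", "orders.create"},
    "manager": {"orders.read", "orders.create", "orders.approve"},
}

# Constructed sample of intranet user records (not real data).
USERS = [
    {"id": "alice", "role": "clerk", "last_login": date(2024, 1, 2),
     "password_set": date(2024, 1, 2), "granted": {"orders.read", "orders.create"}},
    {"id": "bob", "role": "clerk", "last_login": date(2023, 10, 1),
     "password_set": date(2023, 12, 1), "granted": {"orders.read"}},
    {"id": "carol", "role": "clerk", "last_login": date(2024, 2, 20),
     "password_set": date(2023, 9, 1), "granted": {"orders.read", "orders.approve"}},
]

# Fixed "today" so the audit is reproducible; replace with date.today() in use.
REFERENCE_DATE = date(2024, 3, 1)


def audit_user(user, today):
    """Return the policy findings for one user record, in check order."""
    findings = []
    # Inactivity: more than 60 days since last login -> deactivate.
    if (today - user["last_login"]).days > INACTIVITY_LIMIT_DAYS:
        findings.append("deactivate: inactive > %d days" % INACTIVITY_LIMIT_DAYS)
    # Periodic password change: password older than the assumed maximum.
    if (today - user["password_set"]).days > PASSWORD_MAX_AGE_DAYS:
        findings.append("password change required")
    # Least privilege: anything granted beyond what the role defines.
    excess = user["granted"] - ROLE_PERMISSIONS.get(user["role"], set())
    if excess:
        findings.append("least privilege: remove %s" % ", ".join(sorted(excess)))
    return findings


def audit_all(users=USERS, today=REFERENCE_DATE):
    """Map each user id to its list of findings (empty list = compliant)."""
    return {u["id"]: audit_user(u, today) for u in users}


if __name__ == "__main__":
    for uid, findings in audit_all().items():
        print(uid, findings or ["ok"])
```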

Mission-Critical Zone
– This zone contains the critical applications, databases and systems that are vital to the continued operation of your business.
– Security controls should include:
– Full suite of intrusion detection/prevention and vulnerability management tools
– Updated anti-virus tools
– Restricted access to, and periodic monitoring of, privileged accounts
– System performance monitoring
– Daily/weekly backup

Defense-in-Depth: Gateway, Server & Client Levels
– Gateway: the connection between sections of systems.
– Security controls should include:
– Firewalls
– Anti-virus
– DMZ area
– Honeypot
– Monitoring

Server
– A shared computer that performs functions for multiple end users (printers, ERP applications, databases, etc.).
– Security controls should include:
– Anti-virus
– Intrusion detection/prevention
– Vulnerability management tools
– Backup and recovery
– Capacity monitoring
– Access controls

Client
– Individual laptops, desktops, PDAs.
– Security controls should or can include:
– Anti-virus
– Encryption
– Access controls
– Image scan
– Restriction of external storage connections
– Time-out screen lock
– Monitoring

Mixed Solutions
– Select the tools that can integrate with and support your organization's model.
– Implement a few good tools well.
– Monitor and fine-tune the tools for effective security controls.
– The end goal is to be open yet secure.

Practical Deployment of Technology
– Authentication/Authorization/Accounting
– Firewalls
– Anti-virus
– Vulnerability management
– IDS/IPS

Technology Administration
– Regular scanning and remediation program
– Periodic penetration tests
– Audit of the information security program
– Regular updates of anti-virus
– Change management
– Metrics and reporting to Executive Management and the Board

Technology Summary
– Technology is an essential component of an information security program.
– The program must support current and future business models.
– Basic security includes AAA, firewalls, anti-virus, vulnerability management, IDS/IPS, encryption and monitoring.
– Regular risk assessments, vulnerability scans and penetration tests are important to ensure the security program remains effective.
– Metrics and reports to executives secure support and resources for the program.