Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.

Slides:



Advertisements
Similar presentations
A Joint Code of Practice Objectives and Summary Presentation
Advertisements

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
Secure Systems Research Group - FAU Process Standards (and Process Improvement)
ISMS standards and control processes ISO27001 & ISO27002
Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
Auditing Corporate Information Security John R. Robles Tuesday, November 1, Tel:
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Lecture 1: Overview modified from slides of Lawrie Brown.
ISO Information Security Management
Security Controls – What Works
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
23 January 2003© All rights Reserved, 2002 Understanding Facilitated Risk Analysis Process (FRAP) and Security Policies for Organizations Infocomm Security.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Computer Security: Principles and Practice
Stephen S. Yau CSE , Fall Security Strategies.
Chapter 3: Information Security Framework
Session 3 – Information Security Policies
Information Systems Controls for System Reliability -Information Security-
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Author: Andy Reedftp://topsurf.co.uk/reed FdSc IT/Computer Networking & IT(e-commerce) Communications Network Management An Introduction to Security.
SEC835 Database and Web application security Information Security Architecture.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Overview of Systems Audit
Information Security Issues at Casinos and eGaming
Evolving IT Framework Standards (Compliance and IT)
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Overview Of Information Security Management By BM RAO Senior Technical Director National Informatics Centre Ministry of Communications and Information.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
Prepared by: Dinesh Bajracharya Nepal Security and Control.
Asset & Security Management Chapter 9. IT Asset Management (ITAM) Is the process of tracking information about technology assets through the entire asset.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Environment for Information Security n Distributed computing n Decentralization of IS function n Outsourcing.
INFORMATION SECURITY & RISK MANAGEMENT SZABIST – Spring 2012.
Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.
ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:
Roadmap to Maturity FISMA and ISO 2700x. Technical Controls Data IntegritySDLC & Change Management Operations Management Authentication, Authorization.
Information Systems Security Operational Control for Information Security.
I MPLEMENTING IT S ECURITY FOR S MALL AND M EDIUM E NTERPRISES Short Presentation by Subhash Uppalapati. - Edgar R. Weippl and Markus Klemen.
Lesson 9-Information Security Best Practices. Overview Understanding administrative security. Security project plans. Understanding technical security.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
IT Strategy for Business © Oxford University Press 2008 All rights reserved Chapter 12 IT Security Strategies.
Appendix C: Designing an Operations Framework to Manage Security.
Engineering Essential Characteristics Security Engineering Process Overview.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Information Security 14 October 2005 IT Security Unit Ministry of IT & Telecommunications.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”. © 2016 Pearson.
IT Risks and Controls Revised on Content Internal Control  What is internal control?  Objectives of internal controls  Types of internal controls.
Introduction to Information Security
Chap1: Is there a Security Problem in Computing?.
ISO/IEC 27001:2013 Annex A.8 Asset management
International Security Management Standards. BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 First edition – ISO/IEC 17799:2000 Second edition ISO/IEC 17799:2005.
Engineering and Management of Secure Computer Networks School of Engineering © Steve Woodhead 2009 Corporate Governance and Information Security (InfoSec)
Erman Taşkın. Information security aspects of business continuity management Objective: To counteract interruptions to business activities and to protect.
Deck 5 Accounting Information Systems Romney and Steinbart Linda Batch February 2012.
1 Information Governance (For Dental Practices) Norman Pottinger Information Governance Manager NHS Suffolk.
Lecturer: Eng. Mohamed Adam Isak PH.D Researcher in CS M.Sc. and B.Sc. of Information Technology Engineering, Lecturer in University of Somalia and Mogadishu.
Welcome to the ICT Department Unit 3_5 Security Policies.
Handling Personal Data & Security of Information Paula Trim, Information Officer, Children’s Strategic Services, Mon – Thurs 9:15-2:15.
Information Security Management Goes Global
Principles Identified - UK DfT -
Risk management.
Design for Security Pepper.
Information Security Awareness
Cybersecurity Policies & Procedures ICA
Introduction to the Federal Defense Acquisition Regulation
INFORMATION SYSTEMS SECURITY and CONTROL
Anatomy of a Common Cyber Attack
Presentation transcript:

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global Ted Humphreys XiSEC Business continuity Corporate governance Compliance with legislation Information assets Policy & procedures Management of risk Incident handling Best practice Protecting on-line business Managing 3 rd party access

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Ensuring business continuity These global objectives of information security management are also stated in ISO/IEC Minimise business damage Maximise return on investments Global Business Objectives

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Achieving the objectives by managing the risk

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Assessing the Risk Risk is the potential that a threat will exploit a vulnerability and cause damage or loss to an asset The assessment includes: –the value of the asset –the level of corresponding vulnerabilities –the likelihood of the relevant threats –existing and planned controls which protect the asset

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Managing the Risks Expenditure on information security needs to be balanced against and appropriate to –The business value of the information and other business assets at risk, and –The business harm/impact likely to result from security failures

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Managing the Risk Risk acceptance Ignoring the risks Risk avoidance Risk transfer Risk reduction

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Managing the Risks with Controls Reduce the vulnerabilities –Reduce/eliminate the weaknesses Reduce the likelihood of occurrence –Reduce/eliminate the cause –Minimise the probability by preventative measures Reduce the consequences of impact –Ensuring effective monitoring –Taking steps to prevent, minimise or contain impact.

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Preserving the Confidentiality, Integrity/ authenticity & Availability of information Targets Access control, user identification & authentication, encryption, digital signatures,message authentication, backups, capacity planning, regular maintenance, virus protection software, information handing procedures, physical security etc Means of achieving targets

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys What is ISO/IEC 17799? Its a standard on best practice for information security management A risk based approach for defining policy & procedures & selection of appropriate controls to manage risk NOT IT Security Its about Information Security

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Who looks after ISO/IEC 17799? is managed and maintain by ISO/IEC JTC 1/ SC 27 WG1 WG1 Convenor Ted Humphreys Editors Angelika Plate and Oliver Weissmann

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Some ISO/IEC History BS 7799 Part 1: 1999 BS 7799 Part 1: 1995 ISO/IEC 17799: 2000 WG1 managing 1st revision due 200x

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Whats in ISO/IEC 17799? Security policy Security organisation Asset classification & control Business continuity Personnel security Physical & environmental security Access control Compliance Communications & operations management Systems development & maintenance The Chapters Security policy Security organisation Asset classification & control Business continuity Personnel security Physical & environmental security Access control Compliance Communications & operations management Systems development & maintenance

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys ISO/IEC Chapter Structure Control Objective Control Implementation Guidance Other Information Control satisfies the requirements of the objective Advice and help on implementation of the control Other supporting help and information

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Control Example External facilities management Control Implementation Guidance Other Information The risks of using external facilities management services should be identified in advance, and appropriate controls agreed with the contractor, and incorporated into the contract. Particular issues that should be addressed include: a) I dentifying sensitive or critical applications better retained in-house, b) O btaining the approval of business application owners, c) I mplications for business continuity plans, d) S ecurity standards to be specified, and the process for measuring compliance, e) A llocation of specific responsibilities and procedures to effectively monitor all relevant security activities,responsibilities and procedures for reporting and handling security incidents The use of an external contractor to manage information processing facilities may introduce potential security exposures, such as the possibility of compromise, damage, or loss of data at the contractors site. See also and 4.3 for guidance on third party contracts involving access to organizational facilities and outsourcing contracts

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information security policy Access control Use of , Internet services & network connections Use of mobile computing ISO/IEC Policies & Procedures

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys ISO/IEC Policies & Procedures Security incident handling Business continuity Operational procedures Change control Housekeeping Information handling System acceptance

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys ISO/IEC Organisational Security To manage information security within the organisation –Security Forum –Allocation of roles and responsibilities –Co-ordination –Security of 3 rd party access Outsourcing, managed services etc Security conditions in contracts

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys ISO/IEC Asset Control Accountability of assets –To maintain an asset inventory –Information classification –Information handling procedures –Maintain appropriate protection of assets –Asset ownership and security responsibilities Delegation & accountability Outsourcing, managed services etc

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys ISO/IEC Operations Management Procedures to ensure correct and secure operation –Minimise the risk of system failures –Safeguard the integrity of company information and software –Maintain the integrity and availability of company services

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Ensure the protection of supporting system and networking infrastructures Prevent damage to computer media Incident management procedures System and capacity planning and acceptance Malicious software Backups ISO/IEC Operations Management

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys ISO/IEC – Security Incidents Responding to incidents –To minimise the damage from security incidents, system malfunctions, software weaknesses, virus attacks, denial of service attacks, breaches of law, data theft etc –Monitoring, detecting, reporting, responding to and learning from security incidents

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys ISO/IEC Controlling Access To control access to the companys information based on agreed access control policy and procedures –User access management –User registration –User responsibilities, rights and privileges, review

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Access policy, procedures and technical controls –Network services (internal and external), Web sites etc –Computer systems –Applications –On-site and off-site (remote) access –Monitoring system access and use ISO/IEC Controlling Access

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys ISO/IEC Systems Dev/Maintenance Building security into the companys systems and processes –Application systems Input/output data validation Internal processing validation Cryptographic mechanisms Non-cryptographic mechanisms

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Building security into the companys systems and processes –System files Control of software and protection of test data –Development and support environments Change control procedures Review of operating system changes Restrictions on software changes ISO/IEC Systems Dev/Maintenance

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys ISO/IEC Business Continuity To protect critical company processes and assets and to counteract interruptions to business activities from the effects of system failures, serious breaches of security, disasters etc

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys A managed planning process should be in place –Procedures (for handling customers/suppliers, relocation, emergency control, fallback, resumption and recovery etc) should be developed and regularly tested –Plans and procedures should be regularly reviewed and updated as necessary ISO/IEC Business Continuity

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys ISO/IEC Compliance Compliance with legislation and contractual requirements –To avoid breaches of any statutory, criminal or civil obligations and related security requirements

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys In Summary - Why use ISO/IEC 17799? Ensure business continuity Minimise business damage & protect business assets Maximise return on investments & business opportunities Good corporate governance –fit to manage risk

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Q&A La sécurité informatique Riktlinjer för ledning av informationssäkerhet Leitfaden zum Management von Informationssicherheit Managementsystem voor informatiebeveiliging Gestão da Segurança da Informação