Systems and Software Consortium | 2214 Rock Hill Road, Herndon, VA | Phone: (703) | FAX: (703)
Best Practices for Information Security Management
Bob Small, CISSP, CEH
March 2006
Take-away Messages
- Defense in depth solutions
- Effective security requires a rigorous risk management process
- Must be effective and cost effective
- Think about it from the adversary's perspective
Key Elements of Security
- Confidentiality, Integrity, Availability
- People, Process, Technology
Defense In Depth
Speed bumps are a better metaphor for information security than bank vaults: no single control is expected to stop an attacker outright, but each layer slows the attack down and gives the defender another chance to detect and respond to it.
Risk Management Process
Input: Degree of assurance required
Risk Assessment
- Asset identification and valuation
- Identification of threats
- Identification of vulnerabilities
- Review of existing security controls
- Evaluation of impacts (business risks)
- Likelihood of occurrence
- Ranking of risks
Risk Mitigation
- Gap analysis
- Identification of new security controls
- Policy and procedures
- Implement controls to reduce risk
- Risk acceptance (residual risk)
International Standards for ISMS
An Information Security Management System (ISMS) addresses confidentiality, integrity and availability; people, process and tools; tangible and intangible assets; and operates on a Plan | Do | Check | Act cycle.
- ISO 17799, Code of Practice for Information Security Management
- ISO 27001, Information Security Management Systems – Requirements
These standards are accepted as industry best practices.
Control Areas in ISO 17799
The controls are grouped in 11 areas:
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance
Security Policy
Objective: provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
- It must be written
- It must be reviewed periodically
Security Must Be Managed In All Relationships
[Diagram: the ISMS scope surrounded by its internal and external support functions (Facilities, HR, F&A, Legal, Marketing, IT Support, Audit, Data Archiving, Consultants) and its Customers. Each arrow represents a contract, MOA, SLA, etc.]
Information Assets Must Be Managed
- Inventory of assets (tangible and intangible)
- Ownership
- Acceptable use
- Classification guidelines
- Information labeling and handling
Human Resources Security
- Prior to employment
- During employment
- Termination or change of employment
Think Creatively About Information Security
- Catch Me If You Can
- The Shawshank Redemption
- The Italian Job
ISMS Resources
- ISO 17799, Code of Practice for Information Security Management
- ISO 27001, Information Security Management Systems – Requirements
- National Institute of Standards and Technology (NIST):
  - SP, The NIST Security Configuration Checklists Program
  - SP, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
  - SP, Risk Management Guide for Information Technology Systems
- INCITS CS1 (Cybersecurity)
Thank You
Questions?