Systems and Software Consortium | 2214 Rock Hill Road, Herndon, VA 20170-4227 Phone: (703)742-8877 | FAX: (703)742-7200 www.systemsandsoftware.org Best.

Presentation transcript:

Best Practices for Information Security Management
Bob Small, CISSP, CEH, March 2006

Take-away Messages
- Defense in depth solutions
- Effective security requires a rigorous risk management process
- Must be effective and cost effective
- Think about it from the adversary's perspective

Key Elements of Security
- Confidentiality, Integrity, Availability
- People, Process, Technology

Defense In Depth
- Speed bumps are a better metaphor for information security than bank vaults

Risk Management Process
- Degree of assurance required
- Asset identification and valuation
- Identification of vulnerabilities
- Identification of threats
- Evaluation of impacts (business risks)
- Risk assessment: likelihood of occurrence, ranking of risks
- Review of existing security controls
- Risk mitigation: identification of new security controls, policy and procedures
- Implement controls to reduce risk
- Risk acceptance (residual risk)
- Gap analysis
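The process on this slide as an added worked example (not code from the presentation): a small constructed risk register is carried through assessment, ranking, cost-effective control selection and residual-risk gap analysis. The Risk and Control classes, the cost-effectiveness rule and every value are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:                     # one row of the risk register
    asset: str
    threat: str
    vulnerability: str
    likelihood: float           # annual probability of occurrence, 0..1
    impact: float               # loss if it occurs (value of the asset at stake)
    def exposure(self) -> float:
        """Risk assessment: expected annual loss = likelihood x impact."""
        return self.likelihood * self.impact

@dataclass
class Control:
    name: str
    annual_cost: float
    likelihood_factor: float    # fraction of the likelihood that remains once applied

def rank_risks(risks):
    """Ranking of risks: highest expected loss first."""
    return sorted(risks, key=lambda r: r.exposure(), reverse=True)

def select_controls(risk, candidates):
    """Risk mitigation: accept a control only if it is cost effective, i.e. its
    annual cost is below the expected loss it removes (cheapest considered first).
    Returns the chosen control names and the residual expected loss."""
    chosen, likelihood = [], risk.likelihood
    for c in sorted(candidates, key=lambda c: c.annual_cost):
        saved = likelihood * (1 - c.likelihood_factor) * risk.impact
        if c.annual_cost < saved:
            chosen.append(c.name)
            likelihood *= c.likelihood_factor
    return chosen, likelihood * risk.impact

def gap_analysis(risks, candidates, acceptable_loss):
    """Risk acceptance: residual risks still above the degree of assurance
    required; these are either formally accepted or need further controls."""
    gaps = {}
    for r in rank_risks(risks):
        _, residual = select_controls(r, candidates.get(r.asset, []))
        if residual > acceptable_loss:
            gaps[r.asset] = round(residual, 2)
    return gaps

# Constructed sample register (illustrative values, not figures from the slides).
RISKS = [Risk("customer-db", "external attacker", "unpatched web app", 0.30, 200_000),
         Risk("hr-laptop", "theft", "no disk encryption", 0.10, 50_000)]
CANDIDATES = {"customer-db": [Control("patch management", 8_000, 0.25),
                              Control("web application firewall", 50_000, 0.50)],
              "hr-laptop": [Control("full disk encryption", 500, 0.05)]}
```

Calling gap_analysis(RISKS, CANDIDATES, 10_000) shows the firewall rejected as not cost effective and the customer database left above the acceptable loss, which is the residual risk management must explicitly accept or treat further.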

International Standards for ISMS
- Information Security Management System: confidentiality, integrity, availability; people, process, tools; Plan | Do | Check | Act; tangible and intangible assets
- ISO 17799, Code of Practice for Information Security Management
- ISO 27001, Information Security Management Systems – Requirements
- These standards are accepted as industry best practices

Control Areas in ISO: controls in 11 areas
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resource Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance

Security Policy
- Objective: provide management direction and support for information security in accordance with business requirements and relevant laws and regulations
- It must be written
- It must be reviewed periodically

Security Must Be Managed In All Relationships
- ISMS scope
- Internal and external support functions: Facilities, HR, F&A, Legal, Marketing, IT Support, Audit, Data Archiving, Consultants
- Customers
- Each arrow in the diagram represents a contract, MOA, SLA, etc.

Information Assets Must Be Managed
- Inventory of assets: tangible and intangible
- Ownership
- Acceptable use
- Classification guidelines
- Information labeling and handling

Human Resources Security
- Prior to employment
- During employment
- Termination or change of employment

Think Creatively About Information Security
- Catch Me If You Can
- The Shawshank Redemption
- The Italian Job

ISMS Resources
- ISO 17799, Code of Practice for Information Security Management
- ISO 27001, Information Security Management Systems – Requirements
- National Institute for Standards & Technology (NIST):
  - SP, The NIST Security Configuration Checklists Program
  - SP, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
  - SP, Risk Management Guide for Information Technology Systems
- INCITS CS1 (Cybersecurity)

Thank You. Questions?