Sample Security Model

Security Model

Secure:
- Identity management & Authentication
- Filtering and Stateful Inspection
- Encryption and VPNs

Monitor:
- Intrusion Detection and Response
- Content-Based Detection and Response
- Employee monitoring

Audit:
- Security Posture Assessment
- Vulnerability Scanning
- Patch verification / Application audit

Manage:
- Secure Device Management
- Event / Data Analysis and Reporting
- Network Security Intelligence

(Diagram: POLICY at the centre, surrounded by the four functions Secure, Monitor, Audit and Manage.)

Information Warfare Definition

"Actions taken to achieve information superiority by affecting adversary information, information-based processes, information system, and computer-based networks while defending one's own information, information-based systems, information systems and computer-based systems."

Information Warfare Definition(s)

Information warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy an adversary's information, information-based processes, information systems, and computer-based networks while protecting one's own. Such actions are designed to achieve advantages over military or business adversaries. (Dr Ivan Goldman)

Skill vs Technology (chart)
- Decreasing: skill, knowledge and resources
- Increasing: tools, power and sophistication

Outbound Open Source (process diagram)
- Implementation: Code cleanup, License selection, Development environment & portal, Training
- Business Case: Objective, Metrics, Architecture, Cost / Benefit Analysis, Community Relevance, Risk Mitigation
- Launch Planning: Community Awareness, Competitive Participation, Marketing
- Measuring: Ongoing Marketing, Strategic Direction, Maintenance

Levels of Concern (Low, Moderate, High)
- Level of concern for confidentiality: based on the tolerance for unauthorized disclosure or compromise of information on the system
- Level of concern for integrity: based on the tolerance for unauthorized modification or destruction of information on the system
- Level of concern for availability: based on the tolerance for delay in the processing, transmission, or storage of information on the system, or the tolerance for the disruption or denial of a service provided by the system

Levels of Concern (Low, Moderate, High)
- Level of concern for external exposure: based on the definitions in SP (user access methods, backend connections, number of users)
- Level of concern for internal exposure: based on the definitions in SP (security background assurances/clearances, access approvals, need-to-know)
- Level of concern for total system exposure: based on the values assigned to both external and internal exposure factors as defined in SP

System Characterization

Levels of concern for confidentiality, integrity, availability and system exposure determine:
- Security controls for the IT system
- Security certification level

Classes of Security Controls
- Management Controls: controls that address the security management aspects of the IT system and the management of risk for the system
- Operational Controls: controls that address the security mechanisms primarily implemented and executed by people (as opposed to systems)
- Technical Controls: controls that address security mechanisms contained in and executed by the computer system

A Comprehensive Approach: Linking Critical Assessment Activities

INFORMATION ASSURANCE (IA)

Objectives of the IA Program
- Employ efficient and cost-effective security features to protect information system resources
- Adopt a risk-based life cycle management approach
- Conduct an assessment of threats, identify and apply appropriate safeguards

Security Risks = (Threats x Vulnerabilities) - Countermeasures
(Diagram label: Exposure)

Objectives of the IA Program (Continued)

Protect the information with regard to:
- Confidentiality
- Integrity
- Availability
- Authentication
- Non-repudiation

What is the threat?
- Internal
  – Intentional (Disgruntled Employee)
  – Unintentional (Employee Error)
- External
  – Intentional (Terrorists, Hackers)
  – Unintentional (Natural Disaster)

IA Program Personnel
- Designated Approving Authority (DAA)
- Information Systems Security Manager (ISSM)
- Network Security Officer (NSO)
- Information Systems Coordinator (ISC)
- Information Systems Security Coordinator (ISSC)
- YOU

YOUR Responsibilities
- Computer & Network Security
- Information Security
- Software Security
- Physical Security
- Communications & Emanations Security
- Personnel / Administration Security

YOUR Responsibilities: Computer & Network Security
- Log-On Information
- Warning Banner
- Use of Corporate Systems

YOUR Responsibilities: Computer & Network Security
- PASSWORD
- LOG OFF
(Shown on the slide as a crossword-style graphic with the two words crossing.)

YOUR Responsibilities: Computer & Network Security
- System Configuration Information
- Virus Detection
- Firewalls

YOUR Responsibilities: Information Security
- Classification level of information
- Back-ups
- Off-Site Storage
- Media Protection

YOUR Responsibilities: Software Security
- DO NOT install unapproved software
- Software Accountability / Inventory
- Software Copyright

YOUR Responsibilities: Physical Security
- DRMO/Destruction
- Housekeeping
- Media Protection
- Ensure adequate physical controls

YOUR Responsibilities: Communications & Emanations Security
- Sending sensitive data over the Internet
- Encryption
- TEMPEST

YOUR Responsibilities: Personnel & Administration Security
- Operating Procedures
- Training
- System Accreditation
- Incident Reporting
- Need-to-know
- Audit Trails
- Contingency Planning
- Adequate Environmental Controls

SUMMARY
- We must incorporate a security mindset in our day-to-day operations
- You are the most important asset in the fight to provide adequate security of our Information Systems