1 Managing the Security Function Chapter 11. 2 Figure 11-1: Organizational Issues Top Management Support  Top-Management security awareness briefing.

Slides:



Advertisements
Similar presentations
Security and Personnel
Advertisements

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Appendix B: Designing Policies for Managing Networks.
Security Controls – What Works
Information Security Policies and Standards
This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Information Systems Security Officer
Lecture 11 Reliability and Security in IT infrastructure.
Computer Security: Principles and Practice
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Stephen S. Yau CSE , Fall Security Strategies.
Session 3 – Information Security Policies
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
Network security policy: best practices
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
Database Administration Chapter 16. Need for Databases  Data is used by different people, in different departments, for different reasons  Interpretation.
Acquiring Information Systems and Applications
Introduction to Network Defense
IT Assurance and Reliability Why Should You Care? Richard Oppenheim, CPA, CITP President, SysTrust Services Corporation Presented to ISACA Regional Meeting.
Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.
SEC835 Database and Web application security Information Security Architecture.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
1 Deployment of Computer Security in an Organization CE-408 Sir Syed University of Engineering & Technology 99-CE-282, 257 & 260.
Project Risk Management. The Importance of Project Risk Management Project risk management is the art and science of identifying, analyzing, and responding.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
1 Figure 1-17: Security Management Security is a Primarily a Management Issue, not a Technology Issue Top-to-Bottom Commitment  Top-management commitment.
Chapter 13: Developing and Implementing Effective Accounting Information Systems
Asset & Security Management Chapter 9. IT Asset Management (ITAM) Is the process of tracking information about technology assets through the entire asset.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
INFORMATION SECURITY & RISK MANAGEMENT SZABIST – Spring 2012.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Gathering Network Requirements Designing and Supporting Computer Networks – Chapter.
Information Systems Security Operational Control for Information Security.
Auditing Information Systems (AIS)
Information Security Governance and Risk Chapter 2 Part 3 Pages 100 to 141.
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
IT Strategy for Business © Oxford University Press 2008 All rights reserved Chapter 12 IT Security Strategies.
Lecture 4. IS Planning & Acquisition To be covered: To be covered: – IS planning and its importance Cost-benefit analysis Cost-benefit analysis Funding.
SECURITY Professor Mona Mursi. ENVIRONMENT IT infrastructures are made up of many components, abstractly: IT infrastructures are made up of many components,
Chapter 11: Policies and Procedures Security+ Guide to Network Security Fundamentals Second Edition.
Introduction to Information Security
1 Figure 11-3: Risk Analysis Financially Sensible Protections  Risk analysis: Balance risks and countermeasture costs Enumeration of Assets  Assets:
IT Security Policy: Case Study March 2008 Copyright , All Rights Reserved.
Networked Systems Survivability CERT ® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA © 2002 Carnegie.
Security fundamentals Topic 12 Maintaining organisational security.
1 Managing the Security Function Chapter 11 2 Figure 11-1: Organizational Issues Top Management Support  Top-Management security awareness briefing.
Chap 8: Administering Security.  Security is a combination Technical – covered in chap 1 Administrative Physical controls SE571 Security in Computing.
Computer Security By Duncan Hall.
1 Figure 11-7: Mobilizing Users User Training  Security Awareness  Accountability Training  Self-Defense Training Social engineering threats and correct.
INFORMATION SECURITY MANAGEMENT L ECTURE 8: R ISK M ANAGEMENT C ONTROLLING R ISK You got to be careful if you don’t know where you’re going, because you.
Planning and Organizing Chapter 13. The Planning Function Planning for a business should stem from the company’s Business Plan – The business plan sets.
Dr. Mark Gaynor, Dr. Feliciano Yu, Bryan Duepner.
Security Outsourcing Melissa Karolewski. Overview Introduction Definitions Offshoring MSSP Outsourcing Advice Vendors MSSPs Benefits & Risks Security.
Securing a Host Computer BY STEPHEN GOSNER. Definition of a Host  Host  In networking, a host is any device that has an IP address.  Hosts include.
System Development Life Cycle (SDLC). Activities Common to Software Projects Planning : Principles Principle #1. Understand the scope of the project.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
SemiCorp Inc. Presented by Danu Hunskunatai GGU ID #
Lecturer: Eng. Mohamed Adam Isak PH.D Researcher in CS M.Sc. and B.Sc. of Information Technology Engineering, Lecturer in University of Somalia and Mogadishu.
Welcome to the ICT Department Unit 3_5 Security Policies.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.
Dr. Gerry Firmansyah CID Business Continuity and Disaster Recovery Planning for IT (W-XIV)
Risk management.
ISSeG Integrated Site Security for Grids WP2 - Methodology
Security Management Practices
Business System Development
Figure 11-5: Control Principles
Security Threats Severity Analysis
Managing the Security Function
How to Mitigate the Consequences What are the Countermeasures?
Chapter # 3 COMPUTER AND INTERNET CRIME
Presentation transcript:

1 Managing the Security Function Chapter 11

2 Figure 11-1: Organizational Issues Top Management Support  Top-Management security awareness briefing (emphasis on brief)  Corporate security policy statement: Vision, not details  Follow-through when security must be upheld in conflicts  Business champions to give support and business advice

3 Figure 11-1: Organizational Issues Should You Place Security Within IT?  Pros Compatible technical skills Making the CIO responsible for security breaches gives accountability  Cons Difficult to blow the whistle on the IT staff Vendor preference differences with networking staff (e.g., Cisco vs Check Point)

4 Figure 11-1: Organizational Issues Should You Place Security Within IT?  Locating security outside IT Can blow the whistle on IT actions If a staff group, can only give advice

5 Figure 11-1: Organizational Issues Security and Auditing  IT Auditing has the skills to determine whether IT rules are enforced, but IT auditing does not set policy  Internal Auditing also can audit IT-related procedures, but it does not make policy

6 Figure 11-1: Organizational Issues Managed Security Service Providers (Figure 11-2)  On-site logging, off-site analysis  Practice-based expertise Get plenty of experience on a daily basis— like fire departments  Separation of responsibilities: Can blow whistle on IT, even the CIO

7 Figure 11-1: Organizational Issues Managed Security Service Providers (Figure 11-2)  What to Outsource? Typically, intrusion detection and vulnerability assessment Rarely policy and other control practices Not commonly antivirus protection and other aspects of security, but MSSPs are expanding

8 Figure 11-1: Organizational Issues Managed Security Service Providers (Figure 11-2)  Evaluating the MSSP Diligence: Is it really reading the logs? (Contracts often are vague) Skills and background of testers

9 Figure 11-1: Organizational Issues Security and Business Staffs  Cannot Just Lob Policies Over the Wall Security and Business Partners  Your Business Partner’s Security Affects You Uniformed Security Personnel  They are often called first by suspicious users  They support investigations

10 Figure 11-1: Organizational Issues Staffing and Training  Hiring staff: Expertise  Training is necessary because few people on the market are security experts  Certifications are good but vary in what they require and do not make up for lack of experience  Background checks should be done on the security staff

11 Figure 11-1: Organizational Issues Staffing and Training  All workers involved in IT should have background checks, including the maintenance staff, consultants, and contractors  Should you hire a hacker? They are likely to have the knowledge you need But would you be afraid to fire or lay off one?

12 Figure 11-2: Managed Security Service Provider (MSSP) Firm MSSP MSSP Logging Server Log File Security Manager 2. Encrypted & Compressed Log Data 3. Analysis 5. Vulnerability Test 4. Small Number of Alerts

13 Figure 11-3: Risk Analysis Financially Sensible Protections  Risk analysis: Balance risks and countermeasture costs Enumeration of Assets  Assets: Things to be protected (hosts, data, etc.)  Up-to-date asset lists must be created first (can be very difficult)  Asset responsibilities: Each asset should have someone accountable for it

14 Figure 11-3: Risk Analysis Asset Classification  Business continuity asset classifications Scope and degree of disruption: How many things, how bad the damage Financial impacts of a slowdown or shutdown  Cost of repairs asset classification

15 Figure 11-3: Risk Analysis Threat Assessment  Threat likelihood  Difficulty of estimation Responding to Risk  Risk reduction: Implement countermeasures  Risk acceptance: Do nothing; suitable for low- threat risks and expensive countermeasures  Risk transference: Get insurance. Good for low- probability risks

16 Figure 11-3: Risk Analysis Risk Analysis Calculations  Threat severity analysis (expected loss) Cost of attack if it succeeds times the probability that the attack will succeed Expressed in terms of some timer period, such as a year  Value of Protection Reduction in threat severity (benefit) minus the cost of the countermeasure Invest in a countermeasure only if the value of protection is positive

17 Figure 11-3: Risk Analysis Risk Analysis Calculations  Priority Invest in countermeasures with the greatest value of protection first  Return on investment (ROI) analysis For a single-year countermeasure, value of protection divided by the cost of the countermeasure

18 Figure 11-3: Risk Analysis Risk Analysis Calculations  Return on investment (ROI) analysis For multiple-year investments, discounted cash flow analysis of multi-year values of protection and countermeasure investments  ROI allows investments of difference sizes to be compared directly  There usually is a hurdle rate of 15% to 25%, and investments that fall below the hurdle rate will not be accepted

19 Figure 11-3: Risk Analysis Qualitative Risk Analysis  Danger of business termination: Can’t be put entirely into dollar terms  Loss of reputation: Difficult to quantify but very important

20 Figure 11-4: Corporate Security Architecture Security Architectures  Technical security architecture: Countermeasures and their organization into a system  Architectural decisions: Plan broadly before installing specific systems  Start in the design phase if possible: The earlier the better  Deal with legacy security technologies

21 Figure 11-4: Corporate Security Architecture Five Principles  Defense in depth Attacker must break through several defenses to succeed Safe even if a vulnerability is discovered in one line of defense. Can fix the vulnerability without break-ins

22 Figure 11-4: Corporate Security Architecture Five Principles  Single points of vulnerability The dangers of single points of vulnerability The need for central security management consoles may require accepting a single point of vulnerability (taking over the management system)

23 Figure 11-4: Corporate Security Architecture Five Principles  Diversity of Vendors Security effectiveness: Each product will miss some things; jointly will miss less Product vulnerabilities: Each will have some; jointly will have fewer Vendor Survival: If one vendor fails, others will continue

24 Figure 11-4: Corporate Security Architecture Five Principles  Minimizing security burdens on functional departments  Implementing planning, protecting, and responding phases well

25 Figure 11-4: Corporate Security Architecture Elements of a Security Architecture  Border management: Border firewalls, etc.  Internal site management: To protect against internal threats  Management of remote connections: Remote users and outsiders are difficult  Interorganizational systems: Linking the computer systems of two organizations  Centralized management: Control from a single place where information is gathered

26 Figure 11-5: Control Principles Policies  Brief visions statements  Cannot give details because the environment and technology keep changing Standards  Mandatory actions that MUST be followed Baselines  The application of standards to specific products  For example, steps to harden a LINUX server

27 Figure 11-5: Control Principles Guidelines  Voluntary recommended action  Although voluntary, must consider in making decisions  Good when the situation is too complex or uncertain for standards  Unfortunately, sometimes should be standards but lack of political power prevents this

28 Figure 11-5: Control Principles Procedures  Sets of action taken by people  Steps to do background checks on employees  Steps to add user on a server

29 Figure 11-5: Control Principles Employee Behavior Policies  For general corporate employees  Theft, sexual harassment, racial harassment, pornography, personal use of office equipment, revealing of trade secrets, etc.

30 Figure 11-5: Control Principles Best Practices and Recommended Practices  Best practices are descriptive of what the best firms do  Recommended practices are prescriptions for what the firm should do  Both allow a firm to know, at a broad level, if it is doing what it should be doing

31 Figure 11-6: Operations Security Operations  The day-to-day work of the IT department and other departments  Systems administration (server administration) especially  Entering data, upgrading programs, adding users, assigning access permissions, etc.

32 Figure 11-6: Operations Security Principles  Clear roles Who should do what in each step Assign tasks to roles, then assign individuals to roles as needed

33 Figure 11-6: Operations Security Principles  Separation of duties and mandatory vacations to prevent people from maintaining deceptions  Prospects for collusion: Reduce them Check family and personal relationships assigning people to duties

34 Figure 11-6: Operations Security Accountability  Accountability and roles Owner: Responsible for the asset Custodian: Delegated responsibility  Auditable protections and controls for specific assets If not auditable, can you tell if they work?  Exception handling with documentation and audit of who took what actions

35 Figure 11-6: Operations Security Managing Development and Change for Production Servers  Tiers of Servers Development Server: Server on which software is developed and changed  Developers need extensive permissions Staging (Testing) Server: Server on which changes are tested and vetted for security  Testers should have access permissions; developers should not

36 Figure 11-6: Operations Security Managing Development and Change for Production Servers  Tiers of Servers Production Servers: Servers that run high- volume production operations  Neither developers nor testers should have access permissions

37 Figure 11-6: Operations Security Managing Development and Change for Production Servers  Change Management Control Limit who can request changes Implement procedures for controlling changes Have security examine all candidate changes for potential problems (bad encryption, lack of authentication, etc.)

38 Figure 11-6: Operations Security Managing Development and Change for Production Servers  Auditing Development for individual programs Do detailed line-by-line code inspection for security issues

39 Figure 11-7: Mobilizing Users User Training  Security Awareness  Accountability Training  Self-Defense Training Social engineering threats and correct responses Make users early warning scouts who know whom to inform if breach suspected In general, mobilize as partners

40 Figure 11-7: Mobilizing Users Authentication  Nontechnical Problems in Providing Access Permissions Who may submit people for usernames and passwords? Limit it Human resources know when people are hired and fired

41 Figure 11-7: Mobilizing Users Authentication  Nontechnical Problems in Providing Access Permissions But on specific servers, many people might submit needs to sys admin  Project managers for projects on the server  For many people: Individual employees, contractors, consultants, temp hires

42 Figure 11-7: Mobilizing Users Authentication  Terminating Authentication Credentials People often do not have their permissions terminated when they no longer need them Person who requests their permissions should have to periodically review them for continuation

43 Figure 11-8: Vulnerability Testing Vulnerability Testing Technology  Using Attacker Technology Designed to do damage  Using Commercial Vulnerability Testing Tools Not as up-to-date as attacker tools Less likely to do damage as side effect Focus on reporting

44 Figure 11-8: Vulnerability Testing Vulnerability Testing Technology  Reporting and Follow-Up Tools Reports should clearly list vulnerabilities and suggested fixes Follow-up report should document which vulnerabilities fixed, not fixed

45 Figure 11-8: Vulnerability Testing Vulnerability Testing Contracts  Need a contract before the testing begins to cover everyone involved  What Will Be Tested: Specifics  How It Will Be Tested: Specifics  Hold Blameless for Side Effects

46 Figure 11-8: Vulnerability Testing Reducing False Positives with Tuning  Avoid meaningless tests, for instance, Apache threat on Microsoft Windows Server

47 Figure 11-8: Vulnerability Testing Who Should Do Vulnerability Testing?  Outside Firms Expertise Use of reformed hackers?  The IT or Security Department Has good knowledge of internal systems If IT staff is the attacker, can hide wrongdoing

48 Figure 11-8: Vulnerability Testing Who Should Do Vulnerability Testing?  IT Auditing Departments Trained to audit whether standards and procedures are being followed Have to upgrade their specific vulnerability testing skills

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.