Security Management Practices

Risk Management
  Identifying, assessing, and reducing risk to an acceptable level
  Implementing mechanisms to maintain that risk level
Security Policies
Security Education
Security Administration

A person or group must be responsible, with a clear reporting structure to senior management
Information owners (executives with management responsibilities) dictate who can access their data
Security administrators ensure that is what actually happens
Security Controls

Administrative controls: policies and standards
Technical controls: password and resource management, security devices
Physical controls: locks, fences, walls
Failure: Management's Fault?

Must have buy-in from senior management
Security should not be viewed as expensive and unnecessary
A lack of security controls is much more expensive
Foster a healthy relationship between security and senior management
CIA Triad

Confidentiality: only those who should see the data can see it
Integrity: assurance that data is accurate and reliable
Availability: reliable and timely access to data
Definitions & the Security Circle of Life

Threat agents: hacker, disgruntled employee, enemy government, random actor, environment, virus
  They create...
Threats: denial of service, loss of data, changes to data, tornado, equipment failure
  ...which exploit...
Vulnerabilities: open firewall port, bug in software, lack of proper controls, lack of redundancy
  ...which lead to...
Risk: low, medium, high
  ...which can damage an...
Asset: file server, marketing plan, research facility
  ...and causes an...
Exposure: wasted man-hours to reproduce data, lost sales, lawsuits
  ...which can be countered by...
Safeguards: firewall, hot backup site, fire suppression
  ...which directly affect the threat agents, and then it starts all over again
Top Down Security Planning, Step 1

Assess business objectives; senior management must participate
  Operational goals: daily
  Tactical goals: near future
  Strategic goals: long term
Budgets
Benefits in other areas?
Top Down Security Planning, Step 2

Vulnerability assessment: a report of where vulnerabilities exist
  Catalog each asset and system
  Research known vulnerabilities
  Accuracy is key
Penetration testing: an active, systematic attack on assets you own (get the authorization in writing before starting)
  Outsource or in-house
Top Down Security Planning, Step 3

Risk analysis: assign a value to each asset, considering
  Cost to acquire or develop the asset
  Cost to maintain the asset
  Value to owners or users
  Value to adversaries: the price others are willing to pay
  Cost to replace the asset if lost
  Loss of productivity if the asset is unavailable
  Liability issues if the asset is compromised
Perform threat analysis

Estimate the loss per risk
  Single Loss Expectancy (SLE) = asset value (AV) x exposure factor (EF)
  EF is the estimated fraction of the asset's value lost per occurrence, covering
    Cost of recovery
    Cost of lost productivity
Gather information about the likelihood of each risk happening
  Past occurrences
  Industry occurrences
Estimate the Annualized Rate of Occurrence (ARO) = expected number of occurrences in a given year
  0.0 = never, 0.5 = every other year, 1.0 = once a year
  ARO is a rate, not a probability: values above 1.0 mean several times a year (12.0 = monthly)
Derive overall loss potential per risk

Annualized Loss Expectancy (ALE) = SLE x ARO
Select countermeasures for each risk
  Quantify the Total Cost of Ownership (TCO) for each countermeasure: acquisition cost + yearly support costs
Reduce, assign, or accept each risk
  Reduction (need not be 100%): install security controls, improve procedures
  Assignment: buy insurance
  Acceptance: live with the risk
Is the countermeasure's annual TCO more expensive than the ALE it removes? If so, the control is not cost-justified
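The SLE/ARO/ALE arithmetic and the reduce/assign/accept decision above, carried through in Python as an added worked example (not code from the slides). Every asset value, exposure factor, rate and cost below is a constructed sample figure; the Risk and Countermeasure classes, the amortized-TCO calculation and the decision rule in decide() are this example's own modelling choices, and the net-benefit formula (ALE before, minus ALE after, minus annual TCO) is the standard refinement of the slide's TCO-versus-ALE question.

```python
"""Quantitative risk analysis for Top Down Security Planning steps 2-3.

SLE = asset value x exposure factor (EF)
ALE = SLE x annualized rate of occurrence (ARO)
A countermeasure is cost-justified when the ALE it removes exceeds its
annual TCO (acquisition cost spread over its useful life + yearly support).

Added example; all figures are constructed sample data, not from the slides.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV: acquire/replace cost, lost productivity, liability
    exposure_factor: float  # EF: fraction of AV lost per occurrence, 0.0 .. 1.0
    aro: float              # ARO: occurrences per year; 0.5 = every other year,
                            # 1.0 = yearly, 12.0 = monthly (a rate, not a probability)

    def __post_init__(self) -> None:
        # Reject inputs the formulas cannot make sense of.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be in [0, 1]")
        if self.aro < 0.0:
            raise ValueError(f"{self.name}: ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    acquisition_cost: float
    yearly_support_cost: float
    useful_life_years: int
    residual_ef: float   # EF once the control is in place
    residual_aro: float  # ARO once the control is in place

    def annual_tco(self) -> float:
        """TCO per year: acquisition amortized over its life + yearly support."""
        return self.acquisition_cost / self.useful_life_years + self.yearly_support_cost


def residual_ale(risk: Risk, cm: Countermeasure) -> float:
    """ALE that remains after the control (reduction need not be 100%)."""
    return Risk(risk.name, risk.asset_value, cm.residual_ef, cm.residual_aro).ale()


def net_annual_benefit(risk: Risk, cm: Countermeasure) -> float:
    """(ALE before) - (ALE after) - (annual TCO); positive means it pays for itself."""
    return risk.ale() - residual_ale(risk, cm) - cm.annual_tco()


def decide(risk: Risk, options: List[Countermeasure],
           insurance_premium: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Reduce, assign, or accept (decision rule is this example's own reading of the slide).

    Reduce with the control that yields the largest positive net benefit;
    otherwise assign (insure) if a premium below the ALE is on offer; otherwise accept.
    """
    best = max(options, key=lambda cm: net_annual_benefit(risk, cm), default=None)
    if best is not None and net_annual_benefit(risk, best) > 0:
        return "reduce", best.name
    if insurance_premium is not None and insurance_premium < risk.ale():
        return "assign", "insurance"
    return "accept", None


# --- constructed sample input (hypothetical figures) --------------------------
FILE_SERVER_FIRE = Risk("file server destroyed by fire", 200_000, 0.8, 0.05)
MARKETING_PLAN_LEAK = Risk("marketing plan leaked", 50_000, 0.5, 1.0)
PHISHING = Risk("phishing-driven credential theft", 20_000, 0.1, 12.0)  # ARO > 1

FIRE_SUPPRESSION = Countermeasure("fire suppression", 60_000, 3_000, 10, 0.2, 0.05)
HOT_SITE = Countermeasure("hot backup site", 150_000, 40_000, 5, 0.1, 0.05)
AWARENESS = Countermeasure("awareness training", 5_000, 5_000, 1, 0.1, 3.0)


if __name__ == "__main__":
    for risk, options, premium in [
        (FILE_SERVER_FIRE, [FIRE_SUPPRESSION, HOT_SITE], 5_000),
        (PHISHING, [AWARENESS], None),
        (MARKETING_PLAN_LEAK, [], None),
    ]:
        print(f"{risk.name}: SLE={risk.sle():,.0f} ALE={risk.ale():,.0f}")
        for cm in options:
            print(f"  {cm.name}: TCO/yr={cm.annual_tco():,.0f} "
                  f"residual ALE={residual_ale(risk, cm):,.0f} "
                  f"net={net_annual_benefit(risk, cm):,.0f}")
        print("  ->", decide(risk, options, premium))
```

Note how the fire-suppression control looks attractive next to a 160,000 SLE but fails the test once the 0.05 ARO is applied: its 9,000 annual TCO exceeds the 6,000 of ALE it removes, so the example assigns the risk to insurance instead. The phishing row shows why ARO must be allowed above 1.0: at twelve incidents a year a cheap training programme clears the bar comfortably.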
Things to Consider When Selecting a Countermeasure

Modularity
Provides uniform protection
Allows the administrator to override
Independence from the asset and from other safeguards
Flexibility and functionality
Clear distinctions between user classes
Minimal human intervention needed
Easily upgradeable
Auditing functionality
Able to be reset without affecting the protection level
Testable
Does not introduce other compromises
Acceptable negative effects on the performance of users and systems
Proper and flexible alerting facilities
Top Down Security Planning, Step 4

Define protection requirements: how aggressive will you be?
Classify data
  Define data classes
  Assign data and assets to classes
  Identify the data custodian
Document, document, document
Evaluate the functionality of the chosen countermeasures
Top Down Security Planning, Step 5

Evaluate legal liabilities: who can sue you?
Perform security awareness training
  Customize content for different audiences: management, staff, technical
  Must be repeated continually
Evaluate the reliability of the countermeasures
Top Down Security Planning, Step 5, cont'd

Publish policies and procedures
  Policies: management statements
    Organizational
    Issue-specific
    System-specific
  Standards: compulsory rules that must be followed
  Guidelines: recommended actions
  Procedures: detailed step-by-step actions to complete a specific task
Top Down Security Planning, Step 5, cont'd

Areas covered by policies and procedures
  Accountability controls
  Physical and environmental controls
  Administration controls
  Access controls
  Use and required types of cryptography
  Business continuity planning (BCP) controls
  Computer operations
  Incident handling
Top Down Security Planning, Step 6

Roll out the selected countermeasures
  Be sure the roll-out plan does not adversely affect users and customers
Monitor the countermeasures
Top Down Security Planning, Step 7

Reevaluate and repeat regularly!
Layers of Security Responsibility

Senior manager: the person ultimately responsible for the security of the organization
Security professional: functionally responsible for security
Data owner: determines the data classification of information
Data custodian: maintains the data according to the classification guidelines
User: uses data for daily tasks
Auditor: regularly examines the security practices and mechanisms
More Terminology

Due care: the organization has taken the steps necessary to protect its assets from possible risks
Due diligence: accomplished by activities that ensure countermeasures are continually maintained and operational
Nondisclosure agreements (NDA): contractual commitments not to disclose confidential information
Job rotation: moving staff between roles so that no one person holds a duty unchecked for long
Homework Assignment

Read Chapter 4
Paper: choose and document 5 common vulnerabilities
  List (and justify if not obvious) the threat agent, threat, risk, possibly affected asset, exposure, and safeguard
  Stick to common vulnerabilities, but try to choose from the entire realm of security issues