Security and EA
A Thread Relevant to all Levels of the EA Cube
Copyright © 2013 Curt Hill

Introduction
- EA Security has a broader perspective than IT security
- EA Security includes IT security
- It needs to be considered at every level
- IT security typically lives in the Applications and Systems as well as the Network and Infrastructure levels
- You should have previously seen something on IT security

Types of Threats
- Physical threats
  - Fire, flood, earthquake, etc.
- Personal threats
  - Unhappy employees, hackers, terrorists
- Accidents
  - Programming errors, unintentional mistakes

Dangers
- The insider attack is particularly deadly, for the insider knows the defense
- It is impossible to completely secure the enterprise from all threats
  - Typically too expensive
- Instead we must always balance probability and cost of a risk with the expense to defend against the risk

Where to start?
- Historically, security is an afterthought
  - After we get burned, we make sure we do not get burned again
- Enterprises now live in a world of forest fires
  - It is not a question of if a problem will occur, but when
- Therefore security should be considered in every project
  - From the very beginning
- Demand security content in every project

IT Security Program
- Every enterprise that can afford an Enterprise Architecture program needs an IT Security Program
- This includes one or more IT professionals with IT security training and experience
- They are involved in every IT project in at least a consulting role
- They also advise the EA team on security considerations

Security Program
- For each project (proposed or existing) they
  - Describe the threats and their sources
  - Possible countermeasures
- They also produce Standard Operating Procedures
  - To certify IT projects
  - Run existing installations
  - Respond to incidents

IT Security Plan
- A guide discussing the security for the enterprise
- Produced by the Security Program
- Has a number of sections that address various groups within the enterprise
  - Executives
  - Operations
- It contains:
  - How to report incidents
  - Standard Operating Procedures
  - Threats

Areas of Interest
- The Security Program needs to deal specifically with the following areas of interest
  - Information security
  - Personnel security
  - Operational security
  - Physical security
- These are now considered in more detail

Information security
- Design
  - Projects must be required to have a reasonable security element
- Assurance
  - The quality of data must be protected from unauthorized or accidental change
- Authentication
  - Data changes must be verified to prevent incorrect access
- Access
  - Ability to control who views and uses

Personnel security
- Authentication – users and administrators must be verified
  - What form must this take
- Security Training – Users must be informed about security issues
- Procedures – What is the proper way to use and access the system
  - How to recognize, avoid and report breaches

Operational security
- Risk assessment
  - From highest to lowest levels of the cube
- Component evaluation
  - Component testing for vulnerabilities
- Remediation
  - Patching vulnerabilities found by evaluation
- Certification
  - A process to verify that components have fixed all known vulnerabilities

Operational security
- Standard Operating Procedures
  - Those involved in operations must be familiar with SOP
- Recovery
  - Assessing and recovering from events that disrupt operations
- Operational continuity
  - After serious damage has occurred, how operations would be restored

Physical security
- Building security
  - Any room where the access is better than from the internet
- Server rooms and network closets
  - Protecting areas of particular sensitivity
  - A network closet is particularly vulnerable and seldom visited
- Cabling
  - Like a network closet, they are easy to tap and seldom observed

Your Turn
- What sort of attacks would be easiest at VCSU?
- What is the likelihood of such attacks?
- What would an attacker gain?

Conclusions
- The reason we have an IT security problem is that we have underestimated the danger
- Prudent management requires consideration of security at all levels
- The identification and mitigation of threats is the task of those properly trained