Slide 1: Information security planning
By: Ungana-Afrika
Copyright: Creative Commons Attribution-NonCommercial-ShareAlike
ItrainOnline MMTK
Sunday, 14 April 2019 ItrainOnline MMTK
Slide 2: Session overview
ItrainOnline MMTK www.itrainonline.org
- Provide a basic understanding of the process for information security planning
- Furnish the participants with enough knowledge to be able to facilitate the planning process for an organisation
Slide 3: Contents
- Group Exercise
- Overview
- Process
  - Preparation Phase
  - Introduction Phase
  - Assessment Phase
- Break
- Process (cont.)
  - Planning Phase
  - Evaluation Phase
  - Update Phase
- Group Exercise
- Closing
Slide 4: Setting the scene
Group Exercise 1
Slide 5: Information security planning
- Process, not a product
- End products
  - Information security plan
  - Policy documents
- Most organisations can combine information security planning into strategic technology planning
Slide 6: Inputs for technology planning
Slide 7: Inputs for information security planning
Slide 8: Process
- Core phases
  - Introduction
  - Assessment
  - Planning
- The high-level process is the same for both technology and information security planning
Slide 9: Preparation phase
- Basic requirements before starting the process
  - Knowledge of ICT security, the NGO sector, etc.
  - Understanding of the process, basic tools and templates
- Exercise
Slide 10: Introduction phase
- Buy-in from the organisation
- Agenda for a visit
  - Introduction of information security and planning
  - Objectives of the process
  - Roles and requirements during the process
  - Planned timeline
  - Composition of an information security team
Slide 11: Introduction phase (2)
- Information security team
  - Team with broad knowledge of the organisation's programs and security processes
  - Committed to implementation
- Collect valuable information
  - Strategic and operational plans, policies, ICT infrastructure description, etc.
- Exercise
Slide 12: Assessment phase
- Before planning you should know the direction as well as the current position
  - Information security needs
  - Current state of information security, from an objective perspective
Slide 13: Assessment phase
Slide 14: Identify and assess assets
- Assets are anything of value to your organisation: computer hardware and software, information…
- Once assets have been identified, rank their importance as low, medium or high
Slide 15: Identify threats
- A threat is “anyone or anything that can exploit a vulnerability to obtain, alter, or deny access to an asset” (Vishal Visintine, 2003)
- Threats can be natural or human, intentional or unintentional: floods, user error, cracking…
- Rate the seriousness of threats as low, medium or high
Slide 16: Identify vulnerabilities
- A vulnerability is “anything that could be exploited to gain or deny access to an asset or otherwise compromise an asset” (Vishal Visintine, 2003)
- E.g. not running anti-virus software and lack of staff awareness are vulnerabilities
- Network vulnerability scanning tools
- Survey staff skills to see where lack of knowledge creates vulnerabilities
- Rank vulnerabilities as low, medium or high
Slide 17: Identify safeguards/barriers
- Identify what is currently being done to protect your assets – for example physical barriers to computer theft, policies, firewalls, etc.
- Exercise
Slide 18: Assessment - conclusion
- After the assessment process the information security team should have an understanding of where the organisation stands now (what works, what doesn't work, etc.)
Slide 19: Break
Training will continue after <x> minutes
Slide 20: Risk assessment
- Risk is “a combination of the asset value, the vulnerabilities with respect to the asset, and the threats that can exploit the vulnerabilities. If all are high, then the risk is high” (Vishal Visintine, 2003).
- Relative Risk = Asset Value x Vulnerability x Threat
- Focus on the most critical assets and the most likely threats.
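Worked example of the ranking method on this slide and the three assessment slides before it (assets, threats, vulnerabilities). This is an added example, not material from the Ungana-Afrika deck: it maps the deck's low/medium/high ratings onto 1/2/3 (an assumption; any monotonic scale works), computes Relative Risk = Asset Value x Vulnerability x Threat for each row of a constructed sample assessment, and orders the rows so the team can focus on the most critical assets and most likely threats. The scenario data, the numeric scale and the low/medium/high thresholds for the resulting score are all constructed for the example.

```python
"""Relative-risk ranking for an information security assessment.

Added worked example; not part of the original slides. It turns the
low/medium/high ratings assigned during the assessment phase into a
numeric relative risk and ranks the scenarios for the planning phase.
"""
from dataclasses import dataclass

# Numeric scale for the low/medium/high ratings used throughout the deck.
# The 1/2/3 mapping is an assumption for this example.
RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class RiskScenario:
    """One row of the assessment: an asset, a threat to it, and the
    vulnerability that threat would exploit, each rated low/medium/high."""
    asset: str
    asset_value: str
    threat: str
    threat_rating: str
    vulnerability: str
    vulnerability_rating: str
    safeguards: tuple = ()  # what is already done to protect the asset


def relative_risk(asset_value, vulnerability, threat):
    """Relative Risk = Asset Value x Vulnerability x Threat (1..27 on this scale)."""
    for label, rating in (("asset value", asset_value),
                          ("vulnerability", vulnerability),
                          ("threat", threat)):
        if rating not in RATING:
            raise ValueError(f"{label} must be low/medium/high, got {rating!r}")
    return RATING[asset_value] * RATING[vulnerability] * RATING[threat]


def risk_level(score):
    """Bucket a score back into low/medium/high for the plan. Thresholds are an
    assumption: 18+ means at least two of the three ratings were 'high'."""
    if score >= 18:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def rank_scenarios(scenarios):
    """Order scenarios from highest to lowest relative risk (ties broken by
    asset name), so the most critical assets and likeliest threats come first."""
    return sorted(
        scenarios,
        key=lambda s: (
            -relative_risk(s.asset_value, s.vulnerability_rating, s.threat_rating),
            s.asset,
        ),
    )


# Constructed sample assessment for a small NGO; not data from the deck.
SCENARIOS = (
    RiskScenario("Donor database", "high", "laptop theft", "high",
                 "disk not encrypted", "high", ("office door lock",)),
    RiskScenario("Donor database", "high", "accidental deletion by staff", "medium",
                 "no tested backups", "high"),
    RiskScenario("Staff email", "high", "phishing", "high",
                 "lack of staff awareness", "medium", ("spam filter",)),
    RiskScenario("Public website", "medium", "defacement", "medium",
                 "unpatched web software", "medium"),
    RiskScenario("Office printers", "low", "flooding", "low",
                 "ground-floor location", "medium"),
)


def assessment_table(scenarios=SCENARIOS):
    """Ranked rows of (asset, threat, vulnerability, score, level)."""
    rows = []
    for s in rank_scenarios(scenarios):
        score = relative_risk(s.asset_value, s.vulnerability_rating, s.threat_rating)
        rows.append((s.asset, s.threat, s.vulnerability, score, risk_level(score)))
    return rows


if __name__ == "__main__":
    for asset, threat, vuln, score, level in assessment_table():
        print(f"{score:>2} {level:<6} {asset:<16} {threat:<30} {vuln}")
```

The ranked table is the input to the planning phase: the two top rows both concern the donor database, which is where safeguards (encryption, tested backups) would be considered first, while the printer row can reasonably wait. Cost is deliberately not part of the score, matching the deck's sequence of prioritising first and weighing costs in the final plan.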
Slide 21: Planning phase
Slide 22: Determine safeguards and barriers required
- After prioritising risks, decide what steps are needed to reduce them, e.g. software, hardware, physical measures, policies, training…
Slide 23: Costs, timelines and responsibilities
- Estimate how long each step will take and what it will cost
- Decide who will be responsible for meeting each objective
- Think about:
  - Hardware
  - Software
  - Setup charges (wiring, furniture, facility modifications)
  - Ongoing service fees
  - Service contracts and maintenance
  - Insurance
  - Operating expenses
  - Personnel costs (in-house support staff, consultants)
  - Staff development and training
Slide 24: Final implementation plan
- Cost was not taken into account when prioritising threats and risks
- Now weigh up costs – for each objective, decide whether it’s worth the time, money and effort
- Document the plan
Slide 25: Evaluation phase
- Ongoing evaluation is important
- The implementation team should meet regularly to assess progress and effectiveness
Slide 26: Update phase
- Risks change over time
- Regular assessment of the existing security barriers, policies and skills is needed
- Especially important for high-risk organisations
- Possible triggers
  - New program areas
  - New technologies
Slide 27: Information security planning: ongoing process
Group Exercise 2
Slide 28: Closing
Final comments, questions and thoughts