ISA 562 Internet Security Theory and Practice, Summer 2008
Information Security Management (CISSP Topic 1)
Course Outline
An introductory course at the graduate level. It covers the topics of the CISSP exam at varying depth, but is NOT a CISSP course.
Textbooks:
– Matt Bishop: Computer Security: Art and Science
– Official (ISC)2 Guide to the CISSP CBK
Objectives
– Roles and responsibilities of individuals in a security program
– Security planning in an organization
– Security awareness in the organization
– Differences between policies, standards, guidelines and procedures
– Risk management practices and tools
Syllabus of the Course
– Bishop's book for the first part
– Papers for some classes
– The (ISC)2 book for the second part
– Covers material relevant to the PhD qualifying examination in security
Introduction
Purpose of information security:
– to protect an organization's information resources: data, hardware, and software
– to increase organizational success: information systems are critical assets supporting its mission
Information Security Triad
The overarching goals of information security are addressed through the AIC triad: availability, integrity, and confidentiality.
IT Security Requirements - I
Security should be designed for two requirements:
1. Functional: define the behavior of the control based on risk assessment.
   Property: a control should not depend on another control. Why? So that it fails safe, maintaining security during a system failure.
2. Assurance: provide confidence that security functions perform as expected.
   – Internal/external audit
   – Third-party reviews
   – Compliance with best practices
Examples:
– Functional: a network firewall that permits or denies traffic.
– Assurance: logs are generated, monitored, and reviewed.
Organizational & Business Requirements
Focus on the organizational mission:
– business or goals driven
Depends on the type of organization:
– military, government, or commercial
Must be sensible and cost effective:
– the solution considers the mission and the environment (a trade-off)
IT Security Governance
Integral part of corporate governance:
– fully integrated into the overall risk-based threat analysis
Ensure that the IT infrastructure:
– meets all requirements
– supports the strategies and objectives of the company
– includes service level agreements (if outsourced)
Security Governance: Major Parts
1. Leadership: security leaders must be part of the company leadership, where they can be heard.
2. Structure: occurs at many levels and should use a layered approach.
3. Processes: follow internationally accepted best practices: job rotation, separation of duties, least privilege, mandatory vacations, etc.
Examples of standards: ISO 17799 (later renumbered ISO 27002) & ISO 27001:2005
Security Blueprints
Provide a structure for organizing requirements and solutions:
– ensure that security is considered holistically
– used to identify and design security requirements
Policy Overview
1. The operational environment is a web of laws, regulations, requirements, and agreements or contracts with partners and competitors.
2. These change frequently and interact with each other.
3. Management must develop and publish security statements addressing policies and supporting elements, such as standards, baselines, and guidelines.
Functions of Security Policy
1. Provide management goals and objectives in writing
2. Ensure documented compliance
3. Create a security culture
4. Anticipate and protect others from surprises
5. Establish the security activity/function
6. Hold individuals responsible and accountable
7. Address foreseeable conflicts
8. Make sure employees and contractors are aware of organizational policy and changes to it
9. Require an incident response plan
10. Establish processes for exception handling, rewards, and discipline
Policy Infrastructure
1. High-level policies are interpreted into functional policies.
2. Functional policies are derived from the overarching policy and create the foundation for the procedures, standards, and baselines that accomplish the objectives.
3. Policies gain credibility through top management buy-in.
Examples of Functional Policies
1. Data classification
2. Certification and accreditation
3. Access control
4. Outsourcing
5. Remote access
6. Acceptable mail and Internet usage
7. Privacy
8. Dissemination control
9. Sharing control
Policy Implementation
Standards, procedures, baselines, and guidelines turn management objectives and goals (functional policies) into enforceable actions for employees.
Standards, Procedures and Guidelines
1. Standards (local): adoption of common hardware and software mechanisms and products throughout the enterprise. Examples: desktop, anti-virus, firewall.
2. Procedures: step-by-step actions that must be followed to accomplish a task.
3. Guidelines: recommendations for product implementation, procurement, planning, etc. Examples: ISO 17799, Common Criteria, ITIL.
Security Baselines
Benchmarks that ensure a minimum level of security configuration is provided across implementations and systems:
– establish consistent implementation of security mechanisms
– platform-specific
Examples: VPN setup, IDS configuration, password rules
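Added example, not from the ISA 562 slides, of what a security baseline looks like once it is written down and enforced: a small checker that parses two constructed configuration samples (an sshd_config-style file and a login.defs-style password-aging file) and reports every setting that falls below the baseline floor, treating a missing setting as non-compliant. The baseline values, the sample file contents and the function names are assumptions chosen for illustration, not any organization's real standard.

```python
"""
Added example (not from the ISA 562 slides): a minimal security-baseline
checker. A baseline is expressed as required settings with a comparison
rule; the checker parses two constructed configuration files and reports
every deviation. Baseline values and sample configs are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample of an OpenSSH server config (sshd_config style).
SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
X11Forwarding no
"""

# Constructed sample of a Linux password-aging file (login.defs style).
LOGIN_DEFS = """\
# login.defs (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""


def parse_kv(text: str) -> Dict[str, str]:
    """Parse 'KEY VALUE' lines, ignoring blanks and '#' comments.
    Keys are upper-cased so the baseline can name them case-insensitively."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].upper()] = parts[1].strip()
    return settings


@dataclass(frozen=True)
class Rule:
    source: str                   # which config file the key lives in
    key: str
    check: Callable[[str], bool]  # True when the observed value is compliant
    expected: str                 # human-readable statement of the baseline


def eq(want: str) -> Callable[[str], bool]:
    return lambda v: v.lower() == want.lower()


def at_most(limit: int) -> Callable[[str], bool]:
    return lambda v: v.isdigit() and int(v) <= limit


def at_least(limit: int) -> Callable[[str], bool]:
    return lambda v: v.isdigit() and int(v) >= limit


# The baseline: the minimum configuration every host must meet (assumed values).
BASELINE: List[Rule] = [
    Rule("sshd", "PermitRootLogin", eq("no"), "no"),
    Rule("sshd", "PasswordAuthentication", eq("no"), "no"),
    Rule("sshd", "MaxAuthTries", at_most(4), "<= 4"),
    Rule("sshd", "X11Forwarding", eq("no"), "no"),
    Rule("login", "PASS_MAX_DAYS", at_most(90), "<= 90"),
    Rule("login", "PASS_MIN_LEN", at_least(12), ">= 12"),
    Rule("login", "PASS_WARN_AGE", at_least(7), ">= 7"),
]


def check_baseline(configs: Dict[str, str], baseline: List[Rule]) -> List[str]:
    """Return one finding per deviation. An absent key is reported too:
    a baseline is a floor, so 'not configured' is never compliant."""
    parsed = {name: parse_kv(text) for name, text in configs.items()}
    findings: List[str] = []
    for rule in baseline:
        value = parsed.get(rule.source, {}).get(rule.key.upper())
        if value is None:
            findings.append(f"{rule.source}:{rule.key} missing (expected {rule.expected})")
        elif not rule.check(value):
            findings.append(f"{rule.source}:{rule.key}={value} (expected {rule.expected})")
    return findings


def sample_findings() -> List[str]:
    """Run the assumed baseline against the two constructed samples."""
    return check_baseline({"sshd": SSHD_CONFIG, "login": LOGIN_DEFS}, BASELINE)


if __name__ == "__main__":
    for finding in sample_findings():
        print("NONCOMPLIANT", finding)
```

Against the constructed samples the checker reports five deviations (root login and password authentication enabled, too many authentication attempts, no password expiry, and a five-character minimum length) and passes X11Forwarding and PASS_WARN_AGE. The point of a baseline is that this same rule list runs unchanged on every host of that platform; the platform-specific part is only the parser and the key names.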
Three Levels of Security Planning
1. Strategic (long term): focus on high-level, long-range organizational requirements. Example: the overall security policy.
2. Tactical (medium term): focus on events that affect the whole organization. Example: functional plans.
3. Operational (short term): fighting fires at the keyboard level, directly affecting how the organization accomplishes its objectives.
Organizational Roles and Responsibilities
Everyone has a role:
– with responsibility clearly communicated and understood
– the duties associated with the role must be assigned
Examples:
– securing email
– reviewing violation reports
– attending awareness training
Specific Roles and Responsibilities (Duties)
Executive management:
– publish and endorse the security policy
– establish goals and objectives
– state overall responsibility for asset protection
IS security professionals:
– security design, implementation, and management
– review of organizational security policies
Owner:
– information classification
– set user access conditions
– decide on business continuity priorities
Custodian:
– entrusted with the security of the information
IS auditor:
– audits the assurance guarantees
User:
– compliance with procedures and policies
Personnel Security: Hiring Staff
– Background check / security clearance
– Check references and educational records
– Sign an employment agreement:
  – non-disclosure agreements
  – non-compete agreements
– Lower-level checks
– Consult with the HR department
– Termination/dismissal procedure
Third Party Considerations
Include:
– vendors/suppliers
– contractors
– temporary employees
– customers
Procedures must be established for these groups.