Presentation is loading. Please wait.

Presentation is loading. Please wait.

ISA 562 Summer 2008 1 Information Security Management CISSP Topic 1 ISA 562 Internet Security Theory and Practice.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "ISA 562 Summer 2008 1 Information Security Management CISSP Topic 1 ISA 562 Internet Security Theory and Practice."— Presentation transcript:

1 ISA 562 Summer 2008 1 Information Security Management CISSP Topic 1 ISA 562 Internet Security Theory and Practice

2 ISA 562Summer 2008 2 Course Outline An introductory course at the graduate level It covers the topics of The CISSP exam at varying depth But is NOT a CISSP courseTextbooks: Matt Bishop: Computer Security Art and Science Official ISC 2 Guide to the CISSP CBK

3 ISA 562Summer 2008 3 Objectives Roles and responsibilities of individuals in a security program Security planning in an organization Security awareness in the organization Differences between policies, standards, guidelines and procedures Risk Management practices and tools

4 ISA 562 Summer 2008 Syllabus of the Course Bishop’s book for the first part Papers for some classes IC 2 book for the second part Cover material relevant to the PhD qualifying examination in security

5 ISA 562 Summer 2008 Introduction Purpose of information security: –to protect an organization's information resources  data, hardware, and software. To increase organizational success: IS are critical assets supporting its mission

6 ISA 562 Summer 2008 Information Security TRIAD The Overhanging goals of information security are addressed through the AIC TRIAD.

7 ISA 562 Summer 2008 IT Security Requirements - I Security should be designed for two requirements: 1.Functional: Define behavior of the control means  based on risk assessment Properties: should not depend on another control: Why? fail safe by maintaining security during a system failure 2.Assurance: Provide confidence that security functions perform as expected. Internal/External Audit. Third Party reviews Compliance to best practices Examples –Functional: a network Firewall to permit or deny traffic. –Assurance: logs are generated, monitored, and reviewed

8 ISA 562 Summer 2008 Organizational & Business Requirements Focus on organizational mission: –Business or goals driven Depends on type of organization: –Military, Government, or Commercial. Must be sensible and cost effective –Solution considers the mission and environment  Trade-off

9 ISA 562 Summer 2008 IT Security Governance Integral part of corporate governance: –Fully integrated into overall risk-based threat analysis Ensure that IT infrastructure: –Meets all requirements. –Supports the strategies and objectives of the company. –Includes service level agreements [if outsourced].

10 ISA 562 Summer 2008 Security Governance: Major parts 1.Leadership: Security leaders must be part of the company leadership -- where they can be heard. 2.Structure: occurs at many levels and should use a layered approach. 3.Processes: follow internationally accepted “ best practices ” : Job rotation, Separation of duties, least privilege, mandatory vacations, … etc. Examples of standards : ISO 17799 & ISO 27001:2005

11 ISA 562 Summer 2008 Security Blueprints Provide a structure for organizing requirements and solutions. –Ensure that security is considered holistically. To identify and design security requirements

12 ISA 562 Summer 2008 Policy Overview 1.Operational environment is a web of laws, regulations, requirements, and agreements or contracts with partners and competitors 2.Change frequently and interact with each other 3.Management must develop and publish security statements addressing policies and supporting elements, such as standards, baselines, and guidelines.

13 ISA 562 Summer 2008 Policy overview

14 ISA 562 Summer 2008 Functions of Security policy 1.Provide Management Goals and Objectives in writing 2.Ensure Document compliance 3.Create a security culture 4.Anticipate and protect others from surprises 5.Establish the security activity/function 6.Hold individuals responsible and accountable 7.Address foreseeable conflicts 8.Make sure employees and contractors aware of organizational policy and changes to it 9.Require incident response plan 10.Establish process for exception handling, rewards, and discipline

15 ISA 562 Summer 2008 Policy Infrastructure 1.High level policies interpreted into functional policies. 2.Functional polices derived from overarching policy and create the foundation for procedures, standards, and baselines to accomplish the objectives 3.Polices gain credibility by top management buy-in.

16 ISA 562 Summer 2008 Examples of Functional Policies 1.Data classification 2.Certification and accreditation 3.Access control 4.Outsourcing 5.Remote access 6.Acceptable mail and Internet usage 7.Privacy 8.Dissemination control 9.Sharing control

17 ISA 562 Summer 2008 Policy Implementation Standards, procedures, baselines, and guidelines turn management objectives and goals [functional policies] into enforceable actions for employees.

18 ISA 562 Summer 2008 Standards and procedure 1.Standards (local): Adoption of common hardware and software mechanism and products throughout the enterprise. Examples: Desktop, Anti-Virus, Firewall 2.Procedures: step by step actions that must be followed to accomplish a task. 3.Guidelines: recommendations for product implementations, procurement and planning, etc. Examples: ISO17799, Common Criteria, ITIL

19 ISA 562 Summer 2008 Security Baselines Benchmarks: to ensure that a minimum level of security configuration is provided across implementations and systems. –establish consistent implementation of security mechanisms. –Platform unique Examples: VPN Setup, IDS Configuration, Password rules

20 ISA 562 Summer 2008 Three Levels of security planning 1.Strategic: long term Focus on high-level, long-range organizational requirements –Example: overall security policy 2.Tactical: medium-term Focus on events that affect all the organization –Example: functional plans 3.Operational: short-term Fight fires at the keyboard level, directly affecting how the organization accomplishes its objectives.

21 ISA 562 Summer 2008 21 Organizational roles and responsibilities Everyone has a role: –with responsibility clearly communicated and understood Duties associated with the role must be assigned Examples: –Securing email –Reviewing violation reports –Attending awareness training

22 ISA 562 Summer 2008 Specific Roles and Responsibilities (duties) Executive Management: –Publish and endorse security policy –Establish goals and objectives –State overall responsibility for asset protection. IS security professionals: –Security design, implementation, management, –Review of organization security policies. Owner: –Information classification –Set user access conditions –Decide on business continuity priorities Custodian: –Entrusted with the Security of the information IS Auditor: – Audit assurance guarantees. User: –Compliance with procedures and policies

23 ISA 562 Summer 2008 23 Personnel Security: Hiring staff Background check/Security clearance Check references/Educational records Sign Employment agreement –Non-disclosure agreements –Non-compete agreements Low level Checks Consult with HR Department Termination/dismissal procedure

24 ISA 562 Summer 2008 Third party considerations Include: –Vendors/Suppliers –Contractors –Temporary Employees –Customers Must established procedures for these groups.

Download ppt "ISA 562 Summer 2008 1 Information Security Management CISSP Topic 1 ISA 562 Internet Security Theory and Practice."

Similar presentations

Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.

TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.
SIEP HSE Management System

SIEP HSE Management System
Security and Personnel

Security and Personnel
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Security Management Practices Keith A. Watson, CISSP CERIAS.

Security Management Practices Keith A. Watson, CISSP CERIAS.
Information Systems Security Officer

Information Systems Security Officer
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Stephen S. Yau 1CSE465-591 Fall 2006 IA Policies.

Stephen S. Yau 1CSE Fall 2006 IA Policies.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Achieving our mission Presented to Line Staff. INTERNAL CONTROLS What are they?

Achieving our mission Presented to Line Staff. INTERNAL CONTROLS What are they?
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.

Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.

Similar presentations

Ads by Google