Need of Enterprise-Wide Information Assurance Planning. COEN 250, Fall 2007, T. Schwarz, S.J.


1 Need of Enterprise-Wide Information Assurance Planning. COEN 250, Fall 2007, T. Schwarz, S.J.

2 First Perspective: Reactive / Intruder Based
Long-term attack trends:
- The amount of time for new attacks to emerge is declining
  - Melissa (1999) took days to spread
  - Love Letter (2000), Code Red (2001), Nimda (2001): hours
  - Slammer (2003), Blaster (2003): minutes

3 First Perspective: Reactive / Intruder Based
(Chart: CERT cataloged vulnerabilities)

4 First Perspective: Reactive / Intruder Based

5 Long-term attack trends:
- Increase in the number of detected vulnerabilities
- Increased sophistication of attackers

6 First Perspective: Reactive / Intruder Based
Reactive Security
- Patch systems after a vulnerability arises
- Only feasible if
  - attacks are rare
  - ample warning is given
  - patches can be simply installed

7 Second Perspective: Holistic Security
Security is hard to measure
- Absence of incidents can be the result of good security, or of the inability to see incidents
- No accepted metrics for characterizing security

8 Second Perspective: Holistic Security
Security is expensive
- Added costs
- Diminished performance
- Inconvenience
Benefits of security are cost avoidance
Question: Was Y2K just hype, or did the effort pay off?

9 Second Perspective: Holistic Security
Security incidents are not the main cause of system unavailability
- "Who Needs Hackers?", NY Times, 9/12/07
- Complex systems break, causing spectacular failures
  - Customs computer failure, LAX, August 2007
  - Skype restart login deluge on MS patch day, August 16, 2007
- IDC 2001 Downtime Analysis
  - Malicious events: 3%
  - Environmental issues: 19%
  - Operator and application errors: 78%

10 Second Perspective: Holistic Security
Organizations need
- a framework, model, yardstick, roadmap ... to
  - place and measure themselves (current state)
  - compare with others (future state)
  - decide their desired security state or condition
- improvement approaches and a path to reach their desired state
- a coherent, organized community of practitioners and artifacts to help guide their work

11 Second Perspective: Holistic Security
Current / pending legislation affecting organizational infrastructure management and protection of information
- Family Educational Rights Privacy Amendment
- Federal Information Security Management Act
- Health Insurance Portability and Accountability Act
- Gramm-Leach-Bliley Act (financial institutions)
- Sarbanes-Oxley (publicly traded institutions)
- Child Online Privacy Protection Act
- Basel II Capital Accord (financial institutions)
- California's Database Security Breach Notification Act

12 Second Perspective: Holistic Security
Vulnerability Management
- Reactive
- Tool driven
- Focused on technology
- Localized decision making, unconnected to business drivers
- Vulnerabilities change daily
Risk Management
- A link to business drivers
- Focus on critical assets and threats to assets
- Risk identification and prioritization based on threats to assets, vulnerabilities, and impacts
Enterprise Security Management
- Select, execute, and improve activities to reliably achieve and sustain a desired security state
- Focused on root causes rather than symptoms
- Encompasses all organizational practices relevant to security
(Diagram: vulnerability management, risk management and ESM plotted against time / complexity, approaching the desired security state)

13 Second Perspective: Holistic Security
www.cert.org/octave
- Operationally Critical Threat, Asset, and Vulnerability Evaluation
- Focuses on organizational risks and strategy

Federal Agencies

14 Information Security Governance
Federal information security practices are governed by laws, regulations, and directives from
- U.S. Congress
- Office of Management and Budget (OMB)
Standards and implementation guidelines through
- National Institute of Standards and Technology (NIST)
- Government Accountability Office (GAO)

15 Information Security Governance
Federal Agency Governance Requirements
- Government Performance and Results Act (GPRA), 1993
- Paperwork Reduction Act (PRA) of 1995
- Federal Financial Management Improvement Act (FFMIA) of 1996
- Federal Managers Financial Integrity Act (FMFIA) of 1982
- Clinger-Cohen Act of 1996
  - Disciplined capital planning and investment control to acquire, use, maintain, and dispose of IT resources
  - Establishes the role of the Chief Information Officer (CIO)
- E-Government Act of 2002
  - Federal Information Security Management Act (FISMA)
- OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources
- Homeland Security Presidential Directive 12 (HSPD-12)

16 Information Security Governance
(Chart: Key Legislative, Regulatory, and Oversight Roles)

17 Information Security Governance Components
Agencies need to integrate INFOSEC with the overall agency structure and activities:
- Strategic planning
- Organization design and development
- Establishment of roles and responsibilities
- Integration with enterprise architecture
- Documentation of security objectives in policies and guidance

18 Information Security Governance Components
(Chart)

19 INFOSEC Strategic Planning
GPRA (Government Performance and Results Act) requires federal agencies to
- prepare a strategic plan for program activities
- prepare an annual performance plan covering each program activity set forth in the budget of the agency
The INFOSEC strategy should be integrated and provide
- A clear and comprehensive mission, vision, goals, and objectives, and how they relate to the agency mission;
- A high-level plan for achieving information security goals and objectives, with short- and mid-term objectives and performance targets specific to each goal and objective, used throughout the life of the plan to manage progress toward fulfilling the identified objectives; and
- Performance measures to continuously monitor accomplishment of the identified goals and objectives and their progress toward stated targets.

20 Information Security Governance Structures
- Centralized
- Decentralized

21 Security Activities within the Systems Design Life Cycle
Initiation Phase
- Needs determination
- Security categorization (NIST SP 800-60, FIPS 199)
- Initial description of the basic security needs of the system
- Threat environment determination
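The security categorization step above points at FIPS 199 and NIST SP 800-60 without showing how a system's category is derived. As an added example (not from the slides), the following applies the FIPS 199 high-water-mark rule: each objective takes the highest impact level of any information type the system processes, NA is valid only for an individual type's confidentiality, and the overall level is the highest of the three. The InfoType record and the sample system are constructed for this illustration.

```python
# Added example, not from the slides: FIPS 199 security categorization of an
# information system from the information types it processes, using the
# "high water mark" rule applied with NIST SP 800-60.
from dataclasses import dataclass

LEVELS = {"NA": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type with its provisional impact level per objective."""
    name: str
    confidentiality: str  # LOW / MODERATE / HIGH, or NA for public information
    integrity: str        # LOW / MODERATE / HIGH
    availability: str     # LOW / MODERATE / HIGH


def categorize_system(info_types):
    """Return ({objective: level}, overall_level) for the whole system.

    Per objective, the system level is the highest level of any information
    type it handles (high water mark). NA is allowed only for the
    confidentiality of one information type; a system objective is never NA,
    so the floor is LOW. The overall level is the highest of the three.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    category = {}
    for objective in OBJECTIVES:
        mark = LEVELS["LOW"]  # floor: a system objective is never NA
        for it in info_types:
            level = getattr(it, objective).upper()
            if level not in LEVELS:
                raise ValueError(f"{it.name}: bad {objective} level {level!r}")
            if level == "NA" and objective != "confidentiality":
                raise ValueError(f"{it.name}: NA is only valid for confidentiality")
            mark = max(mark, LEVELS[level])
        category[objective] = NAMES[mark]
    overall = NAMES[max(LEVELS[v] for v in category.values())]
    return category, overall


def fips199_notation(category):
    """Render in FIPS 199 notation: SC = {(confidentiality, X), ...}."""
    return "SC = {" + ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES) + "}"


# Constructed sample (not from the slides): a public site that also takes filings.
SAMPLE_SYSTEM = [
    InfoType("public web content", "NA", "MODERATE", "LOW"),
    InfoType("citizen filings", "MODERATE", "MODERATE", "HIGH"),
]
```

For the sample system the public content's NA confidentiality does not lower the category; the filings drive it to SC = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, HIGH)}, overall HIGH.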

22 Security Activities within the Systems Design Life Cycle
Development / Acquisition Phase
- In-depth study of need
- Develop / incorporate security requirements into specifications
- Analyze functional requirements, including security functional requirements
- Conduct a formal risk assessment

23 Security Activities within the Systems Design Life Cycle
Development / Acquisition Phase
- Determine costs of information security over the life cycle of the system
- Security planning
  - Document agreed-upon security controls
  - Develop the system security plan
  - Develop necessary documentation
  - Develop awareness and training requirements
- Security control development
- Security tests and evaluation

24 Security Activities within the Systems Design Life Cycle
Implementation Phase
- Security test and evaluation
  - Develop test data
  - Test unit, subsystem, and entire system
  - Ensure the system undergoes technical evaluation
- Inspection and acceptance
- System integration / installation
- Security certification

25 Security Activities within the Systems Design Life Cycle
System Implementation
- Security accreditation
  - Authorization granted by a senior organization official
  - Based on the verified effectiveness of security controls

26 Security Activities within the Systems Design Life Cycle
Operations / Maintenance Phase
- Configuration management and control
  - Adequate consideration of potential security impacts due to changes to the system or environment
- Develop a configuration management plan
  - Establish baselines
  - Identify configuration
  - Describe the configuration control process
  - Identify a schedule for configuration audits

27 Security Activities within the Systems Design Life Cycle
Continuous Monitoring
- Monitor security controls
- Perform security audits or other assessments
  - automated tools
  - internal control audits
  - security checklists
  - penetration testing
- Monitor system and/or users
  - review system logs
  - review change management
  - monitor external sources
  - perform periodic reaccreditation

28 Security Activities within the Systems Design Life Cycle
Disposal Phase
- Information preservation
  - Determine whether to archive, discard, or destroy information
  - Based on legal requirements / federal records requirements
  - Beware of obsolete technology
  - Ensure long-term storage of cryptographic keys for encrypted data
- Media sanitization
- Hardware and software disposal
