Published by Isabel Hodges (SlidePlayer upload), modified over 9 years ago
Slide 1
Systems and Software Consortium | 2214 Rock Hill Road, Herndon, VA 20170-4227
Phone: (703)742-8877 | FAX: (703)742-7200 | www.systemsandsoftware.org
Best Practices for Information Security Management
Bob Small, CISSP, CEH, small@software.org
March 2006
Slide 2: Take-away Messages
- Defense in depth solutions
- Effective security requires a rigorous risk management process
- Must be effective and cost effective
- Think about it from the adversary's perspective
Slide 3: Key Elements of Security
- Integrity, Availability, Confidentiality
- People, Process, Technology
Slide 4: Defense In Depth
Speed bumps are a better metaphor for information security than bank vaults.
Slide 5: Risk Management Process (elements of the flowchart)
Inputs: Degree of Assurance Required; Business Risks
Risk Assessment:
- Asset Identification and Valuation
- Identification of Vulnerabilities
- Identification of Threats
- Evaluation of Impacts
- Likelihood of Occurrence
- Ranking of Risks
- Review of existing security controls
- Gap analysis
Risk Mitigation:
- Identification of new security controls
- Policy and Procedures
- Implement Controls to Reduce Risk
- Risk Acceptance (Residual Risk)
Slide 6: International Standards for ISMS
Information Security Management System (diagram): Confidentiality, Integrity, Availability; People, process, tools; Plan | Do | Check | Act; Tangible assets; Intangible assets
- ISO 17799, Code of Practice for Information Security Management
- ISO 27001, Information Security Management Systems – Requirements
These standards are accepted as industry best practices.
Slide 7: Control Areas in ISO 17799
133 controls in 11 areas:
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resource Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance
Slide 8: Security Policy
Objective: Provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
- It must be written
- It must be reviewed periodically
Slide 9: Security Must Be Managed In All Relationships
Diagram: ISMS Scope at the center, linked to Internal Support Functions, External Support Functions (Facilities, HR, F&A, Legal, Marketing, IT Support, Audit, Data Archiving, Consultants) and Customers.
Each arrow represents a contract, MOA, SLA, etc.
Slide 10: Information Assets Must Be Managed
- Inventory of Assets (Tangible, Intangible)
- Ownership
- Acceptable Use
- Classification Guidelines
- Information Labeling and Handling
Slide 11: Human Resources Security
- Prior to Employment
- During Employment
- Termination or Change of Employment
Slide 12: Think Creatively About Information Security
- Catch Me If You Can
- The Shawshank Redemption
- The Italian Job
Slide 13: ISMS Resources
- ISO 17799, Code of Practice for Information Security Management
- ISO 27001, Information Security Management Systems – Requirements
  http://www.iso.org
- National Institute for Standards & Technology, http://csrc.nist.gov
  - SP 800-70, The NIST Security Configuration Checklists Program
  - SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
  - SP 800-30, Risk Management Guide for Information Technology Systems
- INCITS CS1 (Cybersecurity), http://www.incits.org
Slide 14: Thank You
Questions?