
Presentation on theme: "Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion."— Presentation transcript:

1 Sample Security Model

2 Security Model
- Secure: Identity management & Authentication; Filtering and Stateful Inspection; Encryption and VPNs
- Monitor: Intrusion Detection and Response; Content-Based Detection and Response; Employee monitoring
- Audit: Security Posture Assessment; Vulnerability Scanning; Patch verification/Application audit
- Manage: Secure Device Management; Event / Data Analysis and Reporting; Network Security Intelligence
[Diagram labels: POLICY, Manage, Monitor, Audit, Secure]

3 Information Warfare Definition "Actions taken to achieve information superiority by affecting adversary information, information-based processes, information system, and computer-based networks while defending one's own information, information-based systems, information systems and computer-based systems."

4 Information Warfare Definition(s)
Information warfare is the offensive and defensive use of information and information systems to deny, exploit, corrupt, or destroy, an adversary's information, information-based processes, information systems, and computer-based networks while protecting one's own. Such actions are designed to achieve advantages over military or business adversaries. (Dr Ivan Goldman)

5 Skill vs Technology
[Chart, 1940 to 2004: Decreasing Skill and Knowledge and resources; Increasing Tools, Power and Sophistication]

6 Code cleanup License selection Development environment & portal Training Implementation Objective Metrics Architecture Cost / Benefit Analysis Community Relevance Risk Mitigation Business Case Launch Planning Community Awareness Competitive Participation Marketing Measuring Ongoing Marketing Strategic Direction Maintenance Outbound Open Source

7 Levels of Concern (Low, Moderate, High)
- Level of concern for confidentiality
  - Based on the tolerance for unauthorized disclosure or compromise of information on the system
- Level of concern for integrity
  - Based on the tolerance for unauthorized modification or destruction of information on the system
- Level of concern for availability
  - Based on the tolerance for delay in the processing, transmission, or storage of information on the system or the tolerance for the disruption or denial of a service provided by the system

8 Levels of Concern (Low, Moderate, High)
- Level of concern for external exposure
  - Based on the definitions in SP 800-37 (user access methods, backend connections, number of users)
- Level of concern for internal exposure
  - Based on the definitions in SP 800-37 (security background assurances/clearances, access approvals, need-to-know)
- Level of concern for total system exposure
  - Based on the values assigned to both external and internal exposure factors as defined in SP 800-37

9 System Characterization
Levels of concern for confidentiality, integrity, availability and system exposure determine:
- Security controls for the IT system
- Security certification level

10 Classes of Security Controls
- Management Controls
  - Controls that address the security management aspects of the IT system and the management of risk for the system
- Operational Controls
  - Controls that address the security mechanisms primarily implemented and executed by people (as opposed to systems)
- Technical Controls
  - Controls that address security mechanisms contained in and executed by the computer system

11 A Comprehensive Approach Linking Critical Assessment Activities

12 INFORMATION ASSURANCE (IA)
Objectives of the IA Program
- Employ efficient and cost-effective security features to protect information system resources
- Adopt a risk-based life cycle management approach
- Conduct an assessment of threats, identify and apply appropriate safeguards
Security Risks = (Threats x Vulnerabilities) - Countermeasures Exposure

13 Objectives of the IA Program (Continued)
Protect the information with regard to:
- Confidentiality
- Integrity
- Availability
- Authentication
- Non-repudiation

14 What is the threat?
- Internal
  - Intentional (Disgruntled Employee)
  - Unintentional (Employee Error)
- External
  - Intentional (Terrorists, Hackers)
  - Unintentional (Natural Disaster)

15 IA Program Personnel
- Designated Approving Authority (DAA)
- Information Systems Security Manager (ISSM)
- Network Security Officer (NSO)
- Information Systems Coordinator (ISC)
- Information Systems Security Coordinator (ISSC)
- YOU

16

17 YOUR Responsibilities
- Computer & Network Security
- Information Security
- Software Security
- Physical Security
- Communications & Emanations Security
- Personnel / Administration Security

18 YOUR Responsibilities Computer & Network Security Log-On Information Warning Banner Use of Corporate Systems

19 YOUR Responsibilities: Computer & Network Security
[Graphic: the words PASSWORD and LOGOFF crossing at the letter O]

20 YOUR Responsibilities Computer & Network Security System Configuration Information Virus Detection Firewalls

21 YOUR Responsibilities: Information Security
- Classification level of information
- Back-ups
- Off-Site Storage
- Media Protection

22 YOUR Responsibilities: Software Security
- DO NOT install unapproved software
- Software Accountability / Inventory
- Software Copyright

23 YOUR Responsibilities: Physical Security
- DRMO/Destruction
- Housekeeping
- Media Protection
- Ensure adequate physical controls

24 YOUR Responsibilities: Communications & Emanations Security
- Sending Sensitive data over the Internet
- Encryption
- TEMPEST

25 YOUR Responsibilities: Personnel & Administration Security
- Operating Procedures
- Training
- System Accreditation
- Incident Reporting
- Need-to-know
- Audit Trails
- Contingency Planning
- Adequate Environmental Controls

26 SUMMARY
- We must incorporate a security mindset in our day-to-day operations.
- You are the most important asset in the fight to provide adequate security of our Information Systems.

