Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright 2000, Marchany Forging Partnerships Between Auditors and Security Managers: Breakthrough Methods That Work Randy Marchany VA Tech Computing Center.

Published byJunior Gilbert Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright 2000, Marchany Forging Partnerships Between Auditors and Security Managers: Breakthrough Methods That Work Randy Marchany VA Tech Computing Center."— Presentation transcript:

1 Copyright 2000, Marchany Forging Partnerships Between Auditors and Security Managers: Breakthrough Methods That Work Randy Marchany VA Tech Computing Center Blacksburg, VA 24060 Randy.Marchany@vt.edu 540-231-9523 JCSC 2000

2 Copyright 2000, Marchany

3

4

5

6

7

8 The Auditor’s Goals u Ensure Assets are protected according to company, local,state and federal regulatory policies. u Determine what needs to be done to ensure the protection of the above assets. u Make life miserable for sysadmins…:-) – Not really. They can save a sysadmin if a problem occurs.

9 Copyright 2000, Marchany The Sysadmin’s Goals u Keep the systems up. u Keep users happy and out of our hair. u Keep auditors at arms’ length. u Get more resources to do the job properly. u Wear jeans or shorts to work when everyone else has to wear suits…….

10 Copyright 2000, Marchany The Sysadmin’s Audit Strategy u Turn a perceived weakness (the audit) into a strength (security checklists). u Develop a set of reporting matrices that can be used as audit reports or justification for security expenditures. u The above info can be used to help develop your incident response plan.

11 Copyright 2000, Marchany The Committee u Management and Technical Personnel from the major areas of IS – University Libraries – Educational Technologies – University Network Management Group – University Computing Center – Administrative Information Systems

12 Copyright 2000, Marchany The Committee’s Scope u Information Systems Division only u Identified and prioritized Assets – RISKS associated with those ASSETS – CONTROLS that may applied to the ASSETS to mitigate the RISKS u Did NOT specifically consider assets outside IS control. However, those assets are included as clients when considering access to assets we wish to protect

13 Copyright 2000, Marchany The Committee’s Charge u From our VP for Information Systems u “Establish whether IS units are taking all reasonable precautions to protect info resources and to assure the accurate & reliable delivery of service” u “Investigate and advise the VPIS as to the security of systems throughout the university….Provide documentation of the security measures in place.”

14 Copyright 2000, Marchany Identifying the Assets u Compiled a list of IS assets (+100 systems) u Categorize them as critical, essential, normal – Critical - VT can’t operate w/o this asset for even a short period of time. – Essential - VT could work around the loss of the asset for up to a week. The asset needs to be returned to service asap – Normal - VT could operate w/o this asset for a finite period but entities may need to identify alternatives.

15 Copyright 2000, Marchany Prioritizing the Assets u The network(router, bridges, cabling, etc.) was treated as a single entity and deemed critical. u X assets were classified as critical and then rank ordered using a matrix prioritization technique. Each asset was compared to the other and members voted on their relative importance. Members could split their vote.

16 Copyright 2000, Marchany Identifying the Risks u A RISK was selected if it caused an incident that would: – Be extremely expensive to fix – Result in the loss of a critical service – Result in heavy, negative publicity especially outside the university – Have a high probability of occurring. u Risks were prioritized using matrix prioritization technique.

17 Copyright 2000, Marchany Mapping Risks and Assets u We built a matrix that maps the ordered list of critical assets against the ordered list of risks regardless of whether or not – A particular risk actually applied to the asset – Controls exist and/or already in place. u The matrix provides general guidance about the order each asset/risk is examined. All assets/risks need to be examined eventually.

18 Copyright 2000, Marchany Identifying Controls u Specific controls identified by the committee were put in a matrix u The controls were then mapped against a list of risks and in those cells are the control ids that can mitigate a particular risk for a particular asset.

19 Copyright 2000, Marchany Recommendations u The process recommends a general order which IS should apply scarce resources to perform a cost benefit analysis for the various assets & risks. u For each asset, as directed by mgt, appropriate staff should: – Review the risks & controls – Add any further risks/controls not identified – Assess the potential cost of an incident – Assess the cost of control purchases and deployment – Analyze cost vs. benefit for each asset – Submit results to mgt which retains the responsibility to weigh investments and make implementation decisions

20 Copyright 2000, Marchany References u http://security.vt.edu u www.sans.org www.sans.org u www.nipc.gov www.nipc.gov u www.jmu.edu/info-security www.jmu.edu/info-security u www.cornell.edu/CPL www.cornell.edu/CPL u www.securityfocus.com www.securityfocus.com u www.insecure.org

21 Copyright 2000, Marchany APPENDIX 1 u The following matrices are examples of your matrix reports – Exhibit A (ASSET Matrix) – Exhibit B (ASSET WEIGHT Matrix) – Exhibit C (RISKS Matrix) – Exhibit D (RISK WEIGHT Matrix) – Exhibit E (ASSET-RISK Matrix) – Exhibit F (CONTROLS Matrix)

22 Copyright 2000, Marchany APPENDIX 2 The following spreadsheets are the compliance reports. Overall Compliance Report that lists the general vulnerabilities a system has. This is a quick 1 page report for mgt. or the auditors. Asset/Risk Matrix list whether a system is affected by a risk. The risks are more specific. Controls Matrix lists what controls are in place for a given system. Individual Action Matrix lists the details of an audit for each node. Did the system comply?

23 Copyright 2000, Marchany APPENDIX 3 u The following checklist gives the detailed commands to be performed in the “audit”. u The categories are based on the Risk Matrices in Appendix 1. u The results of the checklist commands are inserted in the Compliance matrices of Appendix 2. u This checklist and the matrices form the overall audit/security checklist package.

24 Copyright 2000, Marchany APPENDIX 4 u Your company’s response policy will dictate the degree of audit record keeping you’ll have to maintain. u There are 2 strategies: – Protect and Proceed – Pursue and Prosecute

25 Copyright 2000, Marchany Incident Handling: Protect and Proceed? - Which strategy should your organization follow to handle an incident? This dictates the level of record keeping needed to fulfill the strategy. (RFC2196) - the protection and preservation of site facilities - return to normal operations as soon as possible - actively interfere with intruder attempts - begin immediate damage assessment and recovery Use if: - assets are not well protected - continued penetration could result in financial risk - possibility or willingness to prosecute is not present - user community is unknown - unsophisticated users and their work is vulnerable - the site is vulnerable to lawsuits from users if their resources are undermined

26 Copyright 2000, Marchany Incident Handling: Pursue and Prosecute? - allow intruders to continue their activity until the site can identify them. This is recommended by law enforcement agencies - Use if: - system assets are well protected - good backups are available - Asset risks are outweighed by risk of future penetrations - it's a concentrated and frequent attack - the site has a natural attraction to intruders, e.g. university, bank - the site is willing to spend the money and risk to catch the guy - intruder access can be controlled - well-developed monitoring tools are available - you have a technically competent support staff - management is willing to prosecute - system administrators know in general what evidence will aid in prosecution - there is established contact with law enforcement agencies - the site has involved their legal staff

Download ppt "Copyright 2000, Marchany Forging Partnerships Between Auditors and Security Managers: Breakthrough Methods That Work Randy Marchany VA Tech Computing Center."

Similar presentations

Bodnar/Hopwood AIS 7th Ed1 Chapter 5 u TRANSACTION PROCESSING AND INTERNAL CONTROL PROCESS.

Bodnar/Hopwood AIS 7th Ed1 Chapter 5 u TRANSACTION PROCESSING AND INTERNAL CONTROL PROCESS.
Software Quality Assurance Plan

Software Quality Assurance Plan
Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.

Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.

1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
The Islamic University of Gaza

The Islamic University of Gaza
CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,

CERT ® System and Network Security Practices Presented by Julia H. Allen at the NCISSE 2001: 5th National Colloquium for Information Systems Security Education,
Information Security Policies Larry Conrad September 29, 2009.

Information Security Policies Larry Conrad September 29, 2009.
Educause MARC 2003Copyright 2002, Marchany1 Risk Analysis Know what to protect before protecting it…. Unit 2 – Security, Targetting & Analysis of Risk.

Educause MARC 2003Copyright 2002, Marchany1 Risk Analysis Know what to protect before protecting it…. Unit 2 – Security, Targetting & Analysis of Risk.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Randy Marchany VA Tech Computing Center

Randy Marchany VA Tech Computing Center
The Information Systems Audit Process

The Information Systems Audit Process
Network security policy: best practices

Network security policy: best practices
1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.

1 BUSINESS CONTINUITY AND DISASTER RECOVERY PLANNING Reducing your Risk Profile MIDWEST DATA RECOVERY INC.
Internal Auditing and Outsourcing

Internal Auditing and Outsourcing
A SOUND INVESTMENT IN SUCCESSFUL VR OUTCOMES FINANCIAL MANAGEMENT FINANCIAL MANAGEMENT.

A SOUND INVESTMENT IN SUCCESSFUL VR OUTCOMES FINANCIAL MANAGEMENT FINANCIAL MANAGEMENT.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
INFORMATION SECURITY REGULATION COMPLIANCE By Insert name dd/mm/yyyy senior leadership training on the primary regulatory requirements,

INFORMATION SECURITY REGULATION COMPLIANCE By Insert name dd/mm/yyyy senior leadership training on the primary regulatory requirements,
General Awareness Training

General Awareness Training

Similar presentations

Ads by Google