
1 Security Standards and Threat Evaluation

2 Main Topic of Discussion
- Methodologies
- Standards
- Frameworks
- Measuring threats
  - Threat evaluation
  - Certification and accreditation

3 IT Governance
A structure of relationships and processes to direct and control the enterprise in order to achieve the enterprise's goals by adding value while balancing risk versus return over IT and its processes.

4 C & A
The certification and accreditation (C&A) process focuses on federal IT systems that process, store and transmit sensitive information. Its tasks and subtasks, security controls, and verification techniques and procedures have been broadly defined so as to be universally applicable to all types of IT systems, including national security or intelligence systems, if so directed by the appropriate authorities.

5 Standards in Assessing Risk
- Need a way to measure risk consistently
- Need to cover multiple geographies
- Need to scale
- Newly forming
- Teaching

6 Methodologies
- A body of practices, procedures and rules used by those who engage in an inquiry
- Can include multiple frameworks
- The overall approach used to measure something
- Repeatable
- Utilizes standards

7 Standards
- Something that is widely recognized or employed, especially because of its excellence
- An acknowledged measure of comparison for qualitative or quantitative value
- Many different types of standards exist, even for the same elements needing to be measured

8 Framework
- A set of assumptions, concepts, values and practices that constitutes a way of viewing reality
- Building block for crafting an approach
- Encapsulates the elements for performing a task
- Acts as a guide; details can be plugged in for specific tasks

9 Standards
- COBIT
- ISO 17799
- Common Criteria
- NIST

10 COBIT
- www.isaca.org
- Control Objectives for Information and related Technology
- Framework, standard or good practice?
- Includes:
  - Maturity models
  - Critical success factors
  - Key goal indicators
  - Key performance indicators

11 COBIT
COBIT is structured around four main management domains, comprising 34 IT management processes:
1. Planning and Organization
2. Acquisition and Implementation
3. Delivery and Support
4. Monitoring

12 ISO 17799
- "A detailed security standard"
- Ten major sections:
  - Business Continuity Planning
  - System Access Control
  - System Development and Maintenance
  - Physical and Environmental Security
  - Compliance
  - Personnel Security
  - Security Organization
  - Computer and Network Management
  - Asset Classification
  - Security Policy

13 ISO 17799
- Most widely recognized security standard
- Based on BS 7799, last published in May 1999
- Comprehensive security control objectives
- UK-based standard

14 SSE-CMM CIA Triad
- Defines the "triad" as the following items:
  - Confidentiality
  - Integrity
  - Availability
  - Accountability
  - Privacy
  - Assurance

15 Common Criteria
- Developed from the TCSEC standard of the 1980s (the Orange Book)
- International standard
- ISO took ITSEC (UK), TCSEC and CTCPEC (Canada) and combined them into the CC (1996)
- NIAP
  - National Information Assurance Partnership
  - http://niap.nist.gov/

16 Common Criteria
- 11 functionality classes:
  - Audit
  - Cryptographic Support
  - Communications
  - User Data Protection
  - Identification and Authentication
  - Security Management
  - Privacy
  - TOE Security Functions
  - Resource Utilization
  - TOE Access
  - Trusted Paths

18 Threat Approach

19 Threat Evaluation
- Evaluation of the level of threat to an asset
- Based on:
  - Visibility, inherent weakness, location, personal/business values
- Method:
  - Determine threats to assets (and their importance)
  - Determine the cost of countermeasures
  - Implement countermeasures to reduce the threat

20 Threats
- An activity that represents possible danger
- Can come in different forms
- Can come from different places
- Can't protect against all threats
- Protect against the most likely or most worrisome, such as threats to:
  - Business mission
  - Data (integrity, confidentiality, availability)

21 Vulnerability Assessment
- Evaluation of weakness in an asset
- Based on:
  - Known published weaknesses
  - Perceived / studied weaknesses
  - Assessed threats
- Method:
  - Determine threats relevant to the asset
  - Determine vulnerability to those threats
  - Determine vulnerability to theoretical threats
  - Fortify / accept vulnerabilities
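The threat-evaluation and vulnerability-assessment method of slides 19 to 21, carried through as an added worked example (this code is not part of the presentation): the four factors the slides list are averaged into an exposure level, each threat's expected annual loss is priced, and each countermeasure is marked "fortify" or "accept" by comparing its cost with the loss it avoids. The 1..5 scales, the weighting, the currency scaling and all asset, threat and countermeasure values are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    visibility: int         # 1 (internal only) .. 5 (internet-facing, well known)
    inherent_weakness: int  # 1 .. 5
    location: int           # 1 (hardened data centre) .. 5 (unattended site)
    business_value: int     # 1 .. 5

@dataclass
class Threat:
    name: str
    likelihood: float       # 0..1, analyst estimate of occurrence per year
    impact: int             # 1..5, loss if the threat is realised

@dataclass
class Countermeasure:
    name: str
    threat: str             # name of the Threat it addresses
    cost: float             # annual cost, constructed currency units
    reduction: float        # fraction of the threat's likelihood it removes

def threat_level(asset: Asset) -> float:
    """Slide 19 factors averaged onto a 0..1 scale (constructed weighting)."""
    factors = (asset.visibility, asset.inherent_weakness,
               asset.location, asset.business_value)
    return sum(factors) / (5 * len(factors))

def annual_loss(asset: Asset, threat: Threat) -> float:
    """Expected yearly loss: exposure * likelihood * impact, scaled to currency."""
    return threat_level(asset) * threat.likelihood * threat.impact * 1000

def decide(asset: Asset, threats: list, countermeasures: list) -> dict:
    """Slide 21: fortify when the loss a countermeasure avoids exceeds its cost,
    otherwise accept the vulnerability. Returns {countermeasure name: decision}."""
    by_name = {t.name: t for t in threats}
    decisions = {}
    for cm in countermeasures:
        avoided = annual_loss(asset, by_name[cm.threat]) * cm.reduction
        decisions[cm.name] = "fortify" if avoided > cm.cost else "accept"
    return decisions

def example_decisions() -> dict:
    """Constructed sample data: an internet-facing portal with two threats."""
    portal = Asset("customer portal", 5, 3, 2, 5)            # exposure 0.75
    threats = [Threat("phishing", 0.6, 4), Threat("theft", 0.05, 3)]
    measures = [Countermeasure("mfa", "phishing", 800, 0.7),   # avoids ~1260
                Countermeasure("cage", "theft", 500, 0.9)]     # avoids ~101
    return decide(portal, threats, measures)
```

Running `example_decisions()` yields `{"mfa": "fortify", "cage": "accept"}`: the phishing control pays for itself, while the physical control costs more than the loss it would prevent and the residual risk is accepted.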

