Published by Octavia Spencer, modified over 9 years ago
Slide 1: Security Administration

Slide 2: Links to Text
- Chapter 8
- Parts of Chapter 5
- Parts of Chapter 1

Slide 3: Security Involves
- Technical controls
- Administrative controls
- Physical controls

Slide 4: Major Chapter Topics
- Planning
- Risk analysis
- Policy
- Physical security

Slide 5: Security Plan
- Written document that describes how an organization will address its security needs

Slide 6: What Should a Security Plan Do?
- Identify what (vulnerabilities, threats, and risks)
- Specify how they will be handled (controls)
- Specify who will handle them
- Specify when they will be handled (timetable)

Slide 7: Issues Listed in Text
- Policy
- Current state
- Requirements
- Recommended controls
- Accountability
- Timetable
- Continuing attention (updates)
Slide 8: OCTAVE
- Operationally Critical Threat, Asset, and Vulnerability Evaluation
- Developed at the Carnegie Mellon CERT Coordination Center
- First published in 1999

Slide 9: The OCTAVE Approach
- Self-directed
- Focused on risks to information assets
- Focused on practice-based mitigation
- Best practices from CERT/CC, NIST, laws and regulations (e.g., HIPAA), etc.
- Participation by both business and IT personnel

Slide 10: Different Scales
- OCTAVE: large organizations
- OCTAVE-S: small organizations

Slide 11: OCTAVE Steps
1. Identify enterprise knowledge
2. Identify operational area knowledge
3. Identify staff knowledge
4. Create threat profiles
5. Identify key components
6. Evaluate selected components
7. Conduct a risk analysis
8. Develop a protection strategy

Slide 12: Common Criteria (CC)
- Framework for evaluation of IT systems
- International effort
  - United States
  - United Kingdom
  - France
  - Germany
  - The Netherlands
  - Canada
Slide 13: Business Continuity Plan
- Plan for management of situations which are
  - Catastrophic
  - Long-lasting
- A single such incident can put a company out of business (even if handled well)
- Identify essential assets and functions

Slide 14: Incident Response Plan
- Plan for management of security incidents
  - May not be catastrophic
  - May not be long-lasting
- Many incidents will have minor impact on operations

Slide 15: Risk Analysis
- Risks closely related to threats
- Risk analysis attempts to quantify and measure problems associated with threats
- Many approaches to risk analysis have been developed

Slide 16: Quantifying Risk
- Risk probability: How likely is the risk?
- Risk impact: How much do we lose?
- Risk control: Can the risk be avoided?

Slide 17: Risk Exposure
- Risk Exposure = Probability of Risk x Risk Impact
- Example:
  - Risk Impact: $100,000
  - Risk Probability: 0.5
  - Risk Exposure: $50,000

Slide 18: Risk Leverage
- Risk Leverage = (Exposure Before - Exposure After) / Risk Control Cost
- Example:
  - Original Risk Exposure: $50,000
  - Cost of Control: $100
  - Revised Risk Exposure: $20,000
  - Risk Leverage: 300 (note: dimensionless)

Slide 19: Risk Analysis Steps
1. Identify assets
2. Determine vulnerabilities
3. Estimate likelihood of exploitation
4. Compute expected annual loss
5. Survey applicable controls and their costs
6. Project annual savings of control
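The exposure and leverage arithmetic on the preceding slides, carried through as a small calculator. This is an added example, not code from the presentation or its textbook; it generalizes the single slide figures to a list of risks and candidate controls, computing expected annual loss before and after each control and ranking the controls by leverage. The risk and control names and all dollar figures other than the slide's $100,000 / 0.5 / $100 / $20,000 case are constructed for illustration.

```python
"""Risk exposure and risk leverage calculator (added example, not from the slides).

Exposure  = probability x impact            (expected annual loss)
Leverage  = (exposure before - exposure after) / control cost   (dimensionless)
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # annual likelihood of the threat materializing, 0.0 .. 1.0
    impact: float        # loss in dollars if it does


@dataclass(frozen=True)
class Control:
    name: str
    risk: str            # name of the Risk this control mitigates
    cost: float          # annual cost of the control, dollars
    new_probability: float   # probability once the control is in place
    new_impact: float        # impact once the control is in place


def risk_exposure(probability: float, impact: float) -> float:
    """Slide 17: exposure = probability x impact, with input validation."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    if impact < 0:
        raise ValueError("impact cannot be negative")
    return probability * impact


def risk_leverage(exposure_before: float, exposure_after: float, control_cost: float) -> float:
    """Slide 18: leverage = (before - after) / cost. Below 1 means the control costs more than it saves."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (exposure_before - exposure_after) / control_cost


def rank_controls(risks: List[Risk], controls: List[Control]) -> List[Tuple[str, float, float]]:
    """Slide 19 steps 4-6: expected annual loss, control costs, projected annual savings.

    Returns (control name, leverage, annual savings) sorted by leverage, best first.
    Annual savings = exposure reduction minus control cost; negative means a net loss.
    """
    by_name = {r.name: r for r in risks}
    rows = []
    for c in controls:
        r = by_name[c.risk]
        before = risk_exposure(r.probability, r.impact)
        after = risk_exposure(c.new_probability, c.new_impact)
        leverage = risk_leverage(before, after, c.cost)
        rows.append((c.name, leverage, before - after - c.cost))
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample data. The first risk/control pair reproduces the slide figures
# ($100,000 impact, 0.5 probability, $100 control, $20,000 revised exposure -> leverage 300).
SAMPLE_RISKS = [
    Risk("web server defacement", 0.5, 100_000.0),
    Risk("file server disk failure", 0.1, 40_000.0),
]
SAMPLE_CONTROLS = [
    Control("patch management", "web server defacement", 100.0, 0.2, 100_000.0),
    Control("nightly offsite backup", "file server disk failure", 500.0, 0.1, 2_000.0),
    Control("oversized WAF appliance", "web server defacement", 60_000.0, 0.1, 100_000.0),
]

if __name__ == "__main__":
    for name, leverage, savings in rank_controls(SAMPLE_RISKS, SAMPLE_CONTROLS):
        print(f"{name:26s} leverage={leverage:8.2f} annual savings=${savings:,.0f}")
```

The third control deliberately has a leverage below 1: it reduces exposure by $40,000 but costs $60,000 a year, so the ranking pushes it to the bottom, which is the decision the leverage figure exists to support.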
Slide 20: Difficulties of Risk Analysis
- Probabilities hard to estimate
  - Historical data
  - Experts
  - Delphi approach
- Some costs hard to quantify

Slide 21: Risk Analysis Approaches
- Many risk analysis approaches
- Usual common features:
  - Checklists
  - Organizational matrices
  - Specification of procedures
- No dominant approach

Slide 22: Security Policy
- A written document describing goals for and constraints on a system
- Who can access what resources in what manner?
- High-level management document
- Should not change often

Slide 23: Policy Considerations
- Stakeholders (beneficiaries)
- Users
- Owners
- Resources

Slide 24: Security Procedures/Guidelines
- Describe how security policy will be implemented
- More frequent changes than policy
Slide 25: Physical Security
- Protection that does not involve the system as a system
- Independent of
  - Hardware
  - Software
  - Data

Slide 26: Possible Problems
- Natural disasters
  - Floods
  - Fires
- Power loss
- Human vandals
- Interception of sensitive information

Slide 27: Physical Security Controls
- Backups
- Backups!!!

Slide 28: Natural Disasters
- Careful building design
- System placement
- Fire extinguishers

Slide 29: Power Loss
- Uninterruptible power supply
- Surge suppressor

Slide 30: Human Vandals
- Guards
- Locks
- Authentication
- Reduced portability
- Theft detection

Slide 31: Information Interception
- Shredding
- Overwriting magnetic data
- Degaussing: destroy magnetic fields
- Tempest: prevent or control magnetic emanations

Slide 32: Contingency Plans
- Backup
- Offsite backup
- Networked storage
- Cold site
- Hot site