Information Security: Model, Process and Outputs Presentation to PRIA WG November 10, 2006.


1 Information Security: Model, Process and Outputs Presentation to PRIA WG November 10, 2006

2 Agenda
• Information Security Method
• Example

3 Information Security Method
• The problem…simply stated?
• The solution:
  – Model
  – Process
  – Outputs

4 Problem: Managing Information Risk
[Figure: 3x3 risk matrix. Axes: Severity of Consequence* (increasing) and Likelihood of Occurrence (increasing). Each cell pairs a severity (Low, Moderate, High) with a likelihood (Low, Moderate, High), from Severity: Low / Likelihood: Low to Severity: High / Likelihood: High.]
* In some cases, consequence severity may not change. The goal then is to drive “likelihood of occurrence” to zero.

5 Security Solution: Model / Process / Outputs
• Five component security model
• Step-by-step security solution development process
• Ten “must have” outputs for understanding, managing and monitoring your security solution

6 Information Security Model
1. Business & Risk Description (Foundation)
2. Policy and Architecture (Framework)
3. Solution Specification (People, Processes & Technology)
4. Support (Testing, Maintenance & Sustainability)
5. Education (Initial and Continual)

7 Information Security Model (cont.)
• Business & Risk Description
  – Overall description of business scenario(s)
  – Understanding of information assets, users, and operational environment
  – Identification and summarization of business risks associated with information assets
• Framework
  – Definition of an information security policy
    • Major statements (requirements) regarding information security
    • Can be considered the “what is allowed / not allowed” document
  – Definition of an information security architecture
    • The “big picture” that ties together information resources and how they should be protected
    • Identifies the major information systems and the interconnectivity between those systems

8 Information Security Model (cont.)
• Solution
  – Detailed specifications
    • Technology
    • Procedures
    • Personnel
  – Implementation planning
  – Implementation and test
  – Certification & accreditation
• Support Program
  – Follow-on Testing, Re-certification & Reporting
  – Maintenance & Monitoring
  – Insurance & Contingency Planning
• Awareness Program
  – General security literature
  – Specific “How to…” guides
  – Periodic “refresher” courses

9 Information Security Process
• Expands on the Model
• A step-by-step, manageable approach to defining, deploying, operating and maintaining an information security solution
• Generates the ten “must have” outputs
[Diagram labels: Information Security Model, Security Solution]

10 Information Security Process (cont.)
[Process diagram]
• Business & Risk Description
  – 1A Define Business Functions
  – 1B Define Assets
  – 1C Define Operational Environ.
  – 1D Summarize Risks
• Framework
  – 2A Develop Policy
  – 2B Develop Solution Arch.
• Solution
  – 3A Specify Solution
  – 3B Implement Solution
• Support Program
  – 4A Maintain Solution
  – 4B Monitor Solution
  – 4C Develop Contingency Plans
• Awareness Program
  – 5 Educate Personnel
• Assess and Re-assess Risk Throughout Process
• Major Executive Review

11 The Results
• A security solution:
  – Derived from business requirements
  – Derived from defined business risks
  – Results in appropriate protection of business assets
• Risk management capability
  – Each step after the risk summarization step forces a risk mitigation review for each identified risk
  – What one step cannot address, another step will address
  – The monitoring step ensures that risk management and monitoring always exist

12 The Results (cont.)
• Documented solution to support:
  – Change control
  – Awareness training
  – Audits and accreditation
• A review process:
  – Two major reviews
    • Risk Summary Review
    • Solution Specification Review
  – Major reviews intended for trade-off analyses
  – Risk mitigation reviews after each step following Risk Summarization Step
  – Other reviews can be performed as needed and in line with already established corporate review procedures

13 The Results: Ten “Must Have” Outputs
• Business Description (Use Cases)
• Risk Summary
• Security Policy
• Security Architecture
• Security Solution Spec

14 The Results: Ten “Must Have” Outputs
• Solution Implement. Plan
• Solution Maint. Plan
• Solution Monit. Plan
• Contingency Plans
• Education Program Plan

15 Ongoing Process…
• There is no “one-time” solution to managing information security risks
• Conditions change → Risks change
• Each output is a living document that needs to be reviewed for accuracy and relevancy
  – Periodically (i.e., time-driven events)
  – Ad hoc (i.e., event-driven events)
• Reapply process (or portions of process) as needed based on changing risks

16 Example: eRecording (Business Analysis)
[Diagram labels: Settlement Agent, eRec Docs, County Recorder (eRecording System)]
• Assets: eRecording Documents
• Participants: Settlement Agent and County Recorder
• Workflow: Electronic Recording of a Closed eMortgage
• Communications: Internet based
• Applications: Web Browser / eRecording System

17 Example: eRecording (Risk Analysis)
• Potential vulnerabilities:
  – Unprotected eRecording documents
  – Unprotected communications
  – Insecure eRecording System
• Potential threats:
  – Untrustworthy settlement agent
  – Man-in-the-Middle (phishing, pharming, etc.)
  – Internet based attacks (worms, viruses, etc.)
• Potential risks (i.e., threats exploiting vulnerabilities)
  – Corrupted eRecording documents
  – Exposure of settlement agent’s eRecording account information
  – eRecording System is down and unavailable
• All potential risks can be bubbled up to be financial, reputation or safety risks.

18 Example: eRecording (Policy & Architecture)
• Secure the eRecording documents (integrity, authentication)
• Secure the communications (authentication, confidentiality)
• Secure the eRecording System (integrity, authentication, availability)
[Diagram labels: Settlement Agent, eMtg, County Recorder (eRecording System)]

19 Example: eRecording (Technology & Procedures)
• Secure the eRecording Documents:
  – Technology: XML Digital Signature
  – Procedure: Trusted Personnel Program for Settlement Agents
• Secure the Communications:
  – Technology: SSL/VPN
  – Procedure: Trusted Procedure for Issuing and Managing Accounts at the eRecording System
• Secure the eRecording System:
  – Technology: Crypto, Redundancy
  – Procedure: Secure Configuration, Ensure Security Patches are Installed and Up to Date, Trusted Personnel Program for eRecording Operators

20 Example: eRecording (Maintenance)
• Maintenance:
  – eRecording System maintenance
    • Performance testing
    • Security patches
  – eRecording Documents maintenance
    • Standards updates
    • Updates to data in eRecording documents (e.g., privacy issues?)

21 Example: eRecording (Monitoring)
• Monitoring
  – Identify security incidents of concern:
    • Multiple failed attempts to authenticate to eRecording System
    • eRecording System downtime
    • Integrity check failures within eRecording System
    • Integrity check failures within eRecording Documents
  – Determine reporting procedures for security incidents
    • Audit and review lower level security incidents
    • Alerts and notifications for higher level security incidents
      – Internal notifications
      – External notifications
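
Added example (not part of the original presentation): one way to implement the two-tier reporting from the Monitoring slide in Python, keeping isolated events for audit and review while raising alerts for repeated authentication failures, integrity check failures and downtime. The log format, event names, threshold and time window are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from any real eRecording system).
# Assumed format: ISO timestamp, event type, subject (account, document or system).
SAMPLE_LOG = """\
2006-11-10T09:00:01 AUTH_FAIL agent-17
2006-11-10T09:00:20 AUTH_FAIL agent-17
2006-11-10T09:00:41 AUTH_FAIL agent-17
2006-11-10T09:05:00 AUTH_FAIL agent-42
2006-11-10T09:06:10 DOC_INTEGRITY_FAIL doc-0001
2006-11-10T09:30:00 AUTH_FAIL agent-42
2006-11-10T10:15:00 SYSTEM_DOWN erecording
"""

# Assumed policy values: the slide names the incident types but sets no thresholds.
FAIL_THRESHOLD = 3                     # "multiple" failed attempts
FAIL_WINDOW = timedelta(minutes=5)     # counted per account within this window
ALWAYS_ALERT = {"DOC_INTEGRITY_FAIL", "SYS_INTEGRITY_FAIL", "SYSTEM_DOWN"}

def triage(log_text):
    """Split events into (audit, alerts): lower level for review, higher level for notification."""
    audit, alerts = [], []
    recent = defaultdict(deque)        # account -> timestamps of recent failures
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                   # skip blank or malformed lines
        ts_raw, kind, subject = parts
        try:
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            continue                   # skip lines with an unparseable timestamp
        if kind in ALWAYS_ALERT:
            alerts.append((ts_raw, kind, subject))
        elif kind == "AUTH_FAIL":
            window = recent[subject]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:
                window.popleft()       # drop failures older than the window
            if len(window) >= FAIL_THRESHOLD:
                alerts.append((ts_raw, "REPEATED_AUTH_FAIL", subject))
                window.clear()         # one alert per burst
            else:
                audit.append((ts_raw, kind, subject))
        else:
            audit.append((ts_raw, kind, subject))  # unknown types go to review
    return audit, alerts
```
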

22 Example: eRecording (Business Continuity)
• Disaster recovery procedures for eRecording System
  – Temporary operations
  – Fully restored operations
• Failover operations for non-disaster events at eRecording System
  – Smooth switch over to temporary operations
  – Process for converting back to original operations

23 Example: eRecording (Education)
• Educate settlement agents:
  – Importance of secured eRecording Documents
  – Importance of acting as a trustworthy settlement agent
  – Accessing and using the eRecording System
  – Identifying and reporting security incidents
• Educate eRecording System operators:
  – Importance of a secured and available eRecording System
  – Operating, maintaining and monitoring the eRecording System
  – Security incident response procedures
  – Business continuity and disaster recovery procedures

24 Thank you! Questions? Yuriy Dzambasow A&N Associates, Inc. 410-859-5449 x107 yuriy@anassoc.com www.anassoc.com

