Published by Darcy Gilbert. Modified over 9 years ago.
1
Chap 8: Administering Security
2
Security is a combination of:
- Technical – covered in chap 1
- Administrative
- Physical controls
SE571 Security in Computing Dr. Ogara 2
3
- Security planning
- Risk analysis
- Policy
- Physical control/security
4
Effective security planning is essential for a computer organization.
A security plan is a document that describes how an organization will address its security needs:
- It is an official record of current security practices
- It is a blueprint for review to improve those practices
5
To define and implement a security plan we concentrate on three aspects:
1. Contents of the security plan: what should be there?
2. Who is involved in security planning?
3. How to obtain support for the plan
6
A security plan should address seven issues:
1) Policy – describes the goals and whether the people involved are willing to attain these goals
2) Current state – the status of security at the time of the plan
3) Requirements – recommends ways to meet the security goals
4) Recommended controls – mapping controls to the vulnerabilities identified in the policy and requirements
5) Accountability – who is responsible for each security activity
6) Timetable – when do different security functions take place?
7) Continuing attention – specify a structure to periodically update the security plan
7
The Software Engineering Institute at Carnegie Mellon University has created a framework for building a security plan:
1) Identify enterprise knowledge
2) Identify operational area knowledge
3) Identify staff knowledge
4) Establish security requirements
5) Map high priority information assets to information infrastructure
6) Perform an infrastructure vulnerability evaluation
7) Develop a protection strategy
8
- Explain what should be accomplished
- Are functional or performance demands placed on a system to ensure a desired level of security
- The inputs to a security plan are shown in the diagram
9
The plan should identify who is responsible for implementing security requirements.
Different groups can be responsible for different security roles, for example:
- PC users: security of own machines
- Project leaders: security of data and computations
- Managers: seeing that the people they supervise implement security measures
10
- Database administrators: access to and integrity of data in databases
- Information officers: creation and use of data, retention and proper disposal of data
- Personnel staff members: security involving employees
11
Membership should relate to different aspects of security.
Planning team should respect each of the following groups:
- Computer hardware group
- System administrators
- System programmers
- Application programmers
- Data entry personnel
- Physical security personnel
- Representative users
12
Ensure the security functions will be implemented and security activities carried out.
Three groups of people must contribute to making the plan a success:
- The planning team
- Those affected by the security recommendations
- Management: using and enforcing security
Organizations can use a “business continuity plan” to deal with situations having two characteristics:
- Catastrophic situations: a computing capability is suddenly unavailable through fire or flood
- Long duration
13
Effective security planning includes careful risk planning.
Risks can be distinguished from other events in terms of:
- Risk impact associated with an event
- The probability (P_risk) of an incidence associated with each risk. 0 <= P_risk <= 1; when P_risk = 1 we say that there is a problem
- Risk control – the degree to which an outcome can be changed
14
The effects of a risk can be quantified by multiplying the risk impact by the risk probability, yielding the risk exposure:
Risk exposure = risk impact * P_risk
Example: P_risk = 0.40; risk impact = $10,000 (cost of cleaning the affected files)
Risk exposure = 0.4 * 10,000 = $4,000
So, based on the calculation, we can decide that antivirus software costing $400 is worth the investment.
15
Three strategies for risk reduction:
- Avoiding the risk
  - Change security requirements
- Transferring the risk
  - Allocate the risk to other systems, people, assets
  - Buy insurance to cover any financial loss
- Assuming the risk
  - Accept and control it with available resources
  - Prepare to deal with the loss if it happens
16
In addition to the impact cost, there are also costs associated with reducing the risk.
Risk leverage is the difference in risk exposure divided by the cost of reducing the risk:
Risk leverage = (risk exposure before reduction – risk exposure after reduction) / cost of risk reduction
17
- If the leverage value of a proposed action is not high enough, we need to find a less costly strategy
- The parameters in the risk leverage equation require the risk analysis process to identify and list all exposures in the computing system
- For each exposure we need to identify possible controls and their costs
- Finally we need to carry out a cost–benefit analysis
18
The basic steps of risk analysis are:
1. Identify the assets
2. Determine vulnerabilities
3. Estimate likelihood of exploitation
4. Compute expected annual loss
5. Survey applicable controls and their costs
6. Project annual savings of control
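The risk exposure and risk leverage formulas, applied to steps 4 to 6 of the risk analysis, as an added example that is not part of the original slides. The probability 0.40, the $10,000 impact and the $400 antivirus price come from the slides; the post-control probabilities, the other two controls and the minimum leverage of 1.0 are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    cost: float     # cost of risk reduction
    p_after: float  # ASSUMED probability of the event once the control is in place

def exposure(impact, p_risk):
    """Risk exposure = risk impact * risk probability, probability in [0, 1]."""
    if not 0.0 <= p_risk <= 1.0:
        raise ValueError(f"risk probability must be in [0, 1], got {p_risk}")
    if impact < 0:
        raise ValueError("risk impact must be non-negative")
    return impact * p_risk

def leverage(impact, p_before, control):
    """(exposure before reduction - exposure after reduction) / cost."""
    if control.cost <= 0:
        raise ValueError("cost of risk reduction must be positive")
    before = exposure(impact, p_before)
    after = exposure(impact, control.p_after)
    return (before - after) / control.cost

def rank_controls(impact, p_before, controls, min_leverage=1.0):
    """Return (name, leverage, net saving) for controls that pay off, best first."""
    rows = []
    for c in controls:
        lev = leverage(impact, p_before, c)
        net = lev * c.cost - c.cost  # exposure reduction minus what the control costs
        if lev >= min_leverage:      # below the threshold: look for a cheaper strategy
            rows.append((c.name, round(lev, 2), round(net, 2)))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample: one exposure (infected files) and three candidate controls.
IMPACT, P_BEFORE = 10_000, 0.40
CANDIDATES = [
    Control("antivirus software", 400, 0.10),
    Control("managed endpoint service", 5_000, 0.02),
    Control("awareness poster", 50, 0.39),
]

if __name__ == "__main__":
    for row in rank_controls(IMPACT, P_BEFORE, CANDIDATES):
        print(row)
```

The managed service removes the most exposure but is dropped because its leverage is below 1: it costs more than the loss it prevents.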
19
US Army – OPSEC used during Vietnam War:
1) Identify critical information to be protected
2) Analyze the threats
3) Analyze the vulnerabilities
4) Assess the risks
5) Apply countermeasures
20
US Air Force – Operational Risk Management Procedure (AIROO):
1) Identify hazards
2) Assess hazards
3) Make risk decisions
4) Implement controls
5) Supervise
21
Indicating the goals of a computer security effort and the willingness of the people involved to work to achieve those goals.
22
Document to inform users of the objectives and constraints on using a system.
Purpose of policy document:
- Recognize sensitive information assets
- Clarify security responsibilities
- Promote awareness for existing staff
- Provide guidelines to new employees
23
A security policy must address the following:
- The audience – who can get access?
- Contents – which resources?
- Characteristics of good security policy – how?
24
Three groups of audience:
- Users
- Owners
- Beneficiaries (e.g. customers, clients)
The audience uses the security policy in important but different ways.
For each group, the policy defines the degree of confidentiality, integrity, and continuous availability in the computing resources provided to them.
25
The risk analysis identified the assets that are to be protected.
These assets (computers, networks, data) should be listed in the policy document.
The policy should also indicate:
- Who should have access to protected resources
- How unauthorized people will be denied access
- How that access will be ensured
26
- Coverage – should be comprehensive and general
- Durability – survive system’s growth and expansion; applicable to new situations
- Realism – realistic/feasible to implement
- Usefulness – should be concise, clear and direct
27
Examples:
- Data sensitivity policy
- U.S. Government Agency IT Security Policy
- Internet Security Policy
- The U.S. government Email Policy
28
Describes protection needed outside the computer system.
Physical security can be in one of these forms:
- Natural disasters
- Power loss
- Human vandals
Contingency planning is key to successful recovery:
- Backups, offsite backups, network storage, etc.
29
Describing the status of security at the time of the plan.
Risk analysis – a careful investigation of the system, its environment, and the things that might go wrong
30
Recommending ways to meet the security goals
- Heart of the security plan
- Organizational needs
31
Mapping controls to the vulnerabilities identified in the policy and requirements
32
Describing who is responsible for each security activity:
- Personal computer
- Project leaders
- Managers
- Database administrators
- Information officers
- Personnel staff
34
Identifying when different security functions are to be done.
Show how and when the elements of the plan will be performed.
35
Specifying a structure for periodically updating the security plan