Lesson 8 - Information Security Process

Overview
Introducing the information security process.
Conducting an assessment.
Developing a policy.
Implementing security.
Conducting awareness training.
Conducting audits.

Introduction to Information Security Process
[Figure: The process of information security]

Conducting an Assessment
An assessment determines:
  The total value of the organization’s information assets.
  The size of the threats with respect to confidentiality, integrity, availability, and accountability.
  The vulnerabilities of the information assets and the organization.
  The organization’s overall risk and recommended changes to the current information security policy.

Conducting an Assessment
While conducting an assessment of an organization, examine:
  Network.
  Physical security measures.
  Existing policies and procedures.
  Precautions.
  Awareness.
  Staff.
  Workload and employee attitude.
  Adherence.
  Business.

Network (1/3)
The organization’s network is the easiest access point to information and systems.
A network diagram helps examine each point of connectivity.
Query network administrators to learn the type of network management system in use.
Perform a vulnerability scan of all systems.

Network (2/3)
The protection mechanisms within a network should include:
  Router access control lists and firewall rules on all Internet access points.
  Authentication mechanisms used for remote access.
  Protection mechanisms on access points to other organizations.
  Encryption mechanisms used to protect portable computers and to transmit and store information.

Network (3/3)
The protection mechanisms within a network should include (continued):
  Anti-virus systems in place on servers, desktops, and e-mail systems.
  Server security configurations.

Physical Security Measures (1/2)
Important physical security information includes identifying:
  The protection mechanisms for the site, buildings, office space, paper records, and data center.
  The personnel responsible for physical security.
  The critical and sensitive areas.
  The location of the communication lines within the building.
  The types of UPS in place and how long the current UPS will sustain operations.

Physical Security Measures (2/2)
Important physical security information requires knowing:
  How power is supplied to the site and data center.
  The systems connected to the UPS.
  The environment controls attached to the UPS in the data center.
  The type of fire suppression system in the data center.
  The personnel who need to be notified in case of power or environment control failure.

Policies and Procedures
Policies and procedures must be examined for relevance, appropriateness, and completeness.
Procedures must define the way tasks are currently performed.
Map requirements to stated goals.
Update policies and procedures on a regular basis.
Assess the organization’s security awareness program.
Examine recent incident and audit reports.

Precautions
Precautions are used to restore operations when something goes wrong.
Backup systems and disaster recovery plans are two components of precautions.
Understand which backup system is used and how often it is used.
Examine the disaster recovery plan for relevance and completeness.

Awareness
Determine the staff’s level of awareness of security issues and policies.
Create awareness of security threats, vulnerabilities, and signs indicating that a system is compromised.
Ensure that the staff knows how to implement the disaster recovery plan.

People
Examine whether the staff members have the necessary skills to implement a security program.
They must understand policy work and the latest security products.
Administrators must be able to administer the organization’s systems and networks.

Workload and Employee Attitude
Overworked employees do not contribute much to the security environment.
Determine whether the workload is a temporary problem.
Assess management attitude with regard to security issues.
Identify the personnel responsible for security within the organization.
Employees must be aware of management’s commitment to security.

Adherence
While determining the intended security environment, identify the actual security environment.
The intended security environment is defined by policy, attitudes, and existing mechanisms.
Determine whether adherence to the policy requirements is lacking.

Business (1/2)
Identify the cost if the confidentiality, integrity, availability, or accountability of information is compromised.
Measure vulnerabilities in monetary terms, downtime, lost reputation, or lost business.
Identify the flow of information across the organization.

Business (2/2)
Identify organizational interdependencies.
Identify which systems and networks are important to the primary function of the organization.
Identify the back-end systems.

Assessment Results
Analyze the information.
Assess all security vulnerabilities.
Compile a complete set of risks in order from high to low.
Include a list of recommendations to manage each risk.
Present potential cost in terms of money, time, resources, reputation, and lost business.
Develop a security plan.
Allocate and schedule resources to handle security.

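A worked version of this step, added here as an example and not part of the lecture: a small risk register scores each finding against the asset it affects (value, and lost business per hour of downtime), orders the complete set from high to low by expected annual loss, attaches the recommendation for each risk, and reports the cost in both money and time. The assets, threats, likelihoods, loss figures and rating thresholds are constructed sample data.

```python
"""Rank assessment findings from high to low and express each as a cost.

Added example, not part of the lecture slides.  The assets, threats,
likelihoods and loss figures below are constructed sample data; the
rating thresholds in rate() are assumptions chosen for illustration.
"""
from dataclasses import dataclass

PROPERTIES = ("confidentiality", "integrity", "availability", "accountability")


@dataclass(frozen=True)
class Asset:
    name: str
    value: float                 # business value of the information asset
    hourly_downtime_cost: float  # lost business per hour of unavailability


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    affects: tuple                 # which of PROPERTIES the threat compromises
    occurrences_per_year: float    # how often the threat is expected to materialise
    fraction_of_value_lost: float  # share of asset value lost per occurrence (0..1)
    downtime_hours: float          # outage per occurrence (0 if availability is unaffected)
    recommendation: str

    def __post_init__(self):
        unknown = set(self.affects) - set(PROPERTIES)
        if unknown:
            raise ValueError(f"unknown security property: {unknown}")

    def single_loss(self) -> float:
        """Cost of one occurrence: value lost or exposed plus lost business during the outage."""
        return (self.asset.value * self.fraction_of_value_lost
                + self.downtime_hours * self.asset.hourly_downtime_cost)

    def annual_loss(self) -> float:
        """Expected yearly cost in money: single loss times expected frequency."""
        return self.single_loss() * self.occurrences_per_year

    def annual_downtime(self) -> float:
        """Expected yearly cost in time: hours of outage per year."""
        return self.downtime_hours * self.occurrences_per_year


def rate(annual_loss: float) -> str:
    """Qualitative rating for the report (thresholds are assumed, not from the lecture)."""
    if annual_loss >= 50_000:
        return "HIGH"
    if annual_loss >= 20_000:
        return "MEDIUM"
    return "LOW"


def rank_risks(risks):
    """Order the complete set of risks from highest to lowest expected annual loss."""
    return sorted(risks, key=lambda r: r.annual_loss(), reverse=True)


def report(risks):
    """One line per risk, highest first: rating, asset, threat, properties hit, cost, recommendation."""
    lines = []
    for r in rank_risks(risks):
        lines.append(
            f"{rate(r.annual_loss()):6} {r.asset.name}: {r.threat} "
            f"[{', '.join(p[0].upper() for p in r.affects)}] "
            f"expected loss {r.annual_loss():,.0f}/yr, downtime {r.annual_downtime():.1f} h/yr "
            f"-> {r.recommendation}"
        )
    return lines


# Constructed sample data for a small organisation.
CUSTOMER_DB = Asset("customer database", value=500_000, hourly_downtime_cost=2_000)
WEB_SERVER = Asset("public web server", value=50_000, hourly_downtime_cost=1_500)
PAYROLL_SHARE = Asset("payroll file share", value=120_000, hourly_downtime_cost=300)

FINDINGS = [
    Risk(CUSTOMER_DB, "unpatched database service reachable from the office LAN",
         ("confidentiality", "integrity"), occurrences_per_year=0.5,
         fraction_of_value_lost=0.4, downtime_hours=8,
         recommendation="patch and segment the database network"),
    Risk(WEB_SERVER, "single UPS with 20 minutes of runtime, no generator",
         ("availability",), occurrences_per_year=2.0,
         fraction_of_value_lost=0.0, downtime_hours=6,
         recommendation="add generator cover and test the failover"),
    Risk(PAYROLL_SHARE, "backups have never been restore-tested",
         ("integrity", "availability"), occurrences_per_year=0.25,
         fraction_of_value_lost=1.0, downtime_hours=48,
         recommendation="schedule quarterly restore tests"),
    Risk(WEB_SERVER, "vendor default password on the management interface",
         ("confidentiality", "integrity", "accountability"), occurrences_per_year=1.0,
         fraction_of_value_lost=0.3, downtime_hours=4,
         recommendation="set unique credentials and restrict management access"),
]

if __name__ == "__main__":
    print("\n".join(report(FINDINGS)))
```

Ranked by money the power risk comes last, while ranked by hours of downtime it ties for first, which is why the slide asks for cost in several terms rather than one figure.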
Developing a Policy (1/2)
Policies and procedures define the expected state of an organization’s security.
They define the tasks to be performed during implementation.
Create policies for communication, security, system usage, backup, account management, incident handling, and the disaster recovery plan.
The order in which policies are developed depends on:
  The criticality of the risks.
  The time each will take to complete. Ideally, the information policy should be completed early in the process.

Developing a Policy (2/2)
Existing documents require frequent updating.
Use these documents and identify deficiencies.
Involve the people who developed the policies.

Implementing Security (1/2)
Implementation of organizational policies includes:
  Identification and implementation of technical tools and physical controls.
  Hiring of security staff.
  Examination of each implementation and its interactions with other controls.

Implementing Security (2/2)
Security reporting systems.
Authentication systems.
Internet security.
Intrusion detection systems.
Encryption.
Physical security.
Staff.

Security Reporting Systems (1/3)
A security reporting system is a mechanism to track adherence to policies and procedures.
It tracks the overall state of vulnerabilities within the organization.
It can use manual or automated systems.
Enforce computer use policies such as:
  Tracking Internet use.
  Restricting access while keeping a record of login attempts.
  Removing unwanted applications from desktop installations.

Security Reporting Systems (2/3)
System vulnerability scans include:
  Tracking the number of systems on the network.
  Tracking the number of vulnerabilities on these systems.
  Providing vulnerability reports to system administrators for correction or explanation.

Security Reporting Systems (3/3)
Policy adherence checking is a time-consuming security task.
It can be automated or manual.
Automated checks require more time to set up and configure, but they provide complete results in a timely manner.
In a manual system, security personnel examine and monitor all facets of the security policy.

Authentication Systems
Authentication systems are used to prove the identity of users accessing a network.
These systems identify authorized users and grant them physical access to a facility.
They should be implemented with proper planning.
Password restrictions, smart cards, and biometrics are a few examples of authentication systems.

Internet Security
The implementation of Internet security includes:
  Placing an access control device such as a firewall.
  Setting up virtual private networks (VPNs).
  Changing the network architecture.

Intrusion Detection Systems (IDS)
IDS are designed to detect any unwarranted entry into a protected area.
The choice of IDS depends on overall organizational risks and available resources.
Anti-virus software, manual and automated log examination, and host-based and network-based intrusion detection software are a few examples of IDS.

Encryption
Encryption can be used to protect information in transit or while residing in storage.
Choose a well-known and well-reviewed algorithm. Private key encryption is faster than public key encryption.
Include an effective key management technique, such as link encryptors. A system must change keys periodically.

Physical Security
Ensure that a proper procedure for authenticating users is in place.
Restrict access to the data center.
Protect the data center from fire, high temperature, and power failure.
Remodel the data center to implement fire suppression and temperature control.
Plan for disruptions due to the implementation of a UPS.

Staff
Hire skilled staff:
  Who can handle the security implementation.
  To conduct awareness training programs.
  Who will be responsible for the security of the organization.

Conducting Awareness Training
Conduct awareness training to provide the necessary information to:
  Employees.
  Administrators.
  Developers.
  Executives.
  Security staff.

Employees
Employees should know the importance of security.
They must be trained to identify and protect sensitive information.
Ensure that employees are aware of the organization’s policy, password selection, and prevention of attacks.

Administrators
System administrators must be kept up to date on the latest hacker techniques, security threats, and security patches.
Include updates in regular administration staff meetings.
Send updates to administrators as and when they are prepared.

Developers
Developers should know proper programming techniques to reduce security vulnerabilities.
They should have a proper understanding of the security department’s role during the development process.
Security issues must be addressed in the design phase.

Executives
Management must be informed of the state of security and the progress of the program.
Periodic presentations must include the results of recent assessments and the status of various security projects.
Metrics that indicate the risks to the organization must be a part of such reports.

Security Staff
Security staff must be kept up to date to help them provide appropriate services to the organization.
Conduct both internal and external training programs.
Include security-related topics in the training sessions.

Conducting Audits
The audit is the final step in the information security process.
It ensures that controls are configured correctly and map to the policy.

Types/Components of Audits
Policy adherence audits.
Periodic and new project assessments.
Penetration tests.

Policy Adherence Audits
This audit determines whether or not system configurations adhere to the policy.
It is the traditional audit function.
Any variations are recorded as violations.
Conduct periodic audits of the implementation of the information policy and the storage of sensitive documents.

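An added example, not from the lecture, of the automated approach described under Security Reporting Systems applied as a policy adherence audit: each system's configuration is compared with the policy, every variation is recorded as a violation, variations an administrator has already explained stay on record but are not counted as open, and the results are reported per administrator together with the number of systems checked. The policy values, the control names, the inventory fields and the exception are constructed sample data.

```python
"""Automated policy adherence check with per-administrator reporting.

Added example, not part of the lecture slides.  The policy thresholds,
the system inventory and the accepted exception are constructed sample
data; the control names and inventory fields are assumptions.
"""
from collections import defaultdict

# The intended state, as the policy defines it.
POLICY = {
    "min_password_length": 12,
    "lockout_threshold": 5,          # lock the account after this many failed logins
    "antivirus_required_roles": {"server", "desktop"},
    "disk_encryption_required_roles": {"laptop"},
    "max_key_age_days": 365,         # keys must be changed periodically
}

# The actual state, as a scanner or configuration export would report it (constructed).
INVENTORY = [
    {"hostname": "srv-db-01", "role": "server", "admin": "alice", "min_password_length": 14,
     "lockout_threshold": 5, "antivirus": True, "disk_encrypted": True, "key_age_days": 400},
    {"hostname": "srv-web-02", "role": "server", "admin": "alice", "min_password_length": 12,
     "lockout_threshold": 3, "antivirus": True, "disk_encrypted": True, "key_age_days": 90},
    {"hostname": "ws-fin-07", "role": "desktop", "admin": "bob", "min_password_length": 8,
     "lockout_threshold": 0, "antivirus": False, "disk_encrypted": False, "key_age_days": 30},
    {"hostname": "lt-sales-12", "role": "laptop", "admin": "bob", "min_password_length": 12,
     "lockout_threshold": 5, "antivirus": True, "disk_encrypted": False, "key_age_days": 30},
]

# Variances an administrator has explained and the security team accepted (constructed).
# They stay on the record but are not counted as open violations.
EXCEPTIONS = {
    ("ws-fin-07", "antivirus"): "isolated lab machine, no network connectivity",
}


def check_system(system, policy):
    """Compare one system's configuration with the policy; return (control, detail) variances."""
    variances = []
    if system["min_password_length"] < policy["min_password_length"]:
        variances.append(("password_length",
                          f"{system['min_password_length']} < {policy['min_password_length']}"))
    lockout = system["lockout_threshold"]
    if lockout == 0:                       # 0 means account lockout is disabled
        variances.append(("lockout", "disabled"))
    elif lockout > policy["lockout_threshold"]:
        variances.append(("lockout", f"{lockout} > {policy['lockout_threshold']}"))
    if system["role"] in policy["antivirus_required_roles"] and not system["antivirus"]:
        variances.append(("antivirus", "not installed"))
    if system["role"] in policy["disk_encryption_required_roles"] and not system["disk_encrypted"]:
        variances.append(("disk_encryption", "not enabled"))
    if system["key_age_days"] > policy["max_key_age_days"]:
        variances.append(("key_rotation",
                          f"{system['key_age_days']} days > {policy['max_key_age_days']}"))
    return variances


def audit(inventory, policy, exceptions):
    """Group results per administrator: systems checked, open violations, explained variances."""
    report = defaultdict(lambda: {"systems": 0, "open": [], "explained": []})
    for system in inventory:
        entry = report[system["admin"]]
        entry["systems"] += 1
        for control, detail in check_system(system, policy):
            key = (system["hostname"], control)
            if key in exceptions:
                entry["explained"].append((system["hostname"], control, exceptions[key]))
            else:
                entry["open"].append((system["hostname"], control, detail))
    return dict(report)


def summary(report):
    """Organisation-wide counts: systems on the network, open violations, explained variances."""
    return {"systems": sum(e["systems"] for e in report.values()),
            "open": sum(len(e["open"]) for e in report.values()),
            "explained": sum(len(e["explained"]) for e in report.values())}


def format_report(report):
    """Plain-text report, one section per administrator, for correction or explanation."""
    lines = []
    for admin in sorted(report):
        entry = report[admin]
        lines.append(f"{admin}: {entry['systems']} systems, {len(entry['open'])} open violations")
        for host, control, detail in entry["open"]:
            lines.append(f"  VIOLATION {host} {control}: {detail}")
        for host, control, reason in entry["explained"]:
            lines.append(f"  EXPLAINED {host} {control}: {reason}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(audit(INVENTORY, POLICY, EXCEPTIONS))))
```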
Periodic and New Project Assessments
Changes in computer and network environments result in changes in risks and assessments.
A full assessment of the organization should be performed periodically.
Major audits and assessments must be done by an external firm.

Penetration Tests
A penetration test attempts to exploit an identified vulnerability to gain access to systems and information.
Test the effectiveness of controls using penetration tests.
Physical penetration tests include individuals who attempt to gain unauthorized access to a facility.
Social engineering tests check whether employees can be induced to divulge classified information.
Products:
  http://www.coresecurity.com/products/coreimpact/index.php
  http://www.immunitysec.com/products-canvas.shtml

Summary
Conducting an information security assessment involves determining the value of an organization’s information assets.
Policies and procedures define the work to be performed during implementation.
The implementation of policy involves the identification and implementation of tools and controls.

Summary
Awareness training provides the necessary security information to employees.
Audits ensure that policies are being implemented and followed.

Lecture 1 - Getting to know XML
 
Lecture 4 - Adding XTHML for the Web
Lecture  4 - Adding XTHML for the WebLecture  4 - Adding XTHML for the Web
Lecture 4 - Adding XTHML for the Web
 

Último

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 

Último (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Ch08 8 Information Security Process it-slideshares.blogspot.com

  • 2. Overview Introducing the information security process. Conducting an assessment. Developing a policy. Implementing security. Conducting awareness training. Conducting audits.
  • 3. Introduction to Information Security Process The process of information security
  • 4. Conducting an Assessment An assessment determines: The total value of the organization’s information assets. The size of the threats with respect to confidentiality, integrity, availability, and accountability. The vulnerabilities of the information assets and the organization. The organization’s overall risk and recommended changes to the current information security policy.
  • 5. Conducting an Assessment While conducting an assessment of an organization, examine: Network. Physical security measures. Existing policies and procedures. Precautions. Awareness. Staff. Workload and employee attitude. Adherence. Business.
  • 6. Network (1/3) The organization’s network is the easiest access point to information and systems. A network diagram helps examine each point of connectivity. Ask network administrators which network management system is in use. Perform a vulnerability scan of all systems.
  • 7. Network (2/3) The protection mechanisms within a network should include: Router access control lists and firewall rules on all Internet access points. Authentication mechanisms used for remote access. Protection mechanisms on access points to other organizations. Encryption mechanisms used to protect portable computers and to transmit and store information.
  • 8. Network (3/3) The protection mechanisms within a network should include (continued): Anti-virus systems in place on servers, desktops, and e-mail systems. Server security configurations.
  • 9. Physical Security Measures (1/2) Important physical security information includes identifying: The protection mechanisms for the site, buildings, office space, paper records, and data center. The personnel responsible for physical security. The critical and sensitive areas. The location of the communication lines within the building. The types of UPS in place and how long the current UPS will sustain operations.
  • 10. Physical Security Measures (2/2) Important physical security information requires knowing: How power is supplied to the site and data center. The systems connected to the UPS. The environmental controls attached to the UPS in the data center. The type of fire suppression system in the data center. The personnel who need to be notified in case of power or environmental control failure.
  • 11. Policies and Procedures Policies and procedures must be examined for relevance, appropriateness, and completeness. Procedures must define the way tasks are currently performed. Map requirements to stated goals. Update policies and procedures on a regular basis. Assess the organization’s security awareness program. Examine recent incident and audit reports.
  • 12. Precautions Precautions are used to restore operations when something goes wrong. Backup systems and disaster recovery plans are two components of precautions. Understand which backup system is used and how often it is used. Examine the disaster recovery plan for relevance and completeness.
  • 13. Awareness Determine the staff’s level of awareness of security issues and policies. Create awareness of security threats, vulnerabilities, and signs indicating that a system is compromised. Ensure that the staff knows how to implement a disaster recovery plan.
  • 14. People Examine whether the staff members have the necessary skills to implement a security program. They must understand policy work and the latest security products. Administrators must be able to administer the organization’s systems and networks.
  • 15. Workload and Employee Attitude Overworked employees do not contribute much to the security environment. Determine whether the workload is a temporary problem. Assess management attitude with regard to security issues. Identify the personnel responsible for security within the organization. Employees must be aware of the management’s commitment to security.
  • 16. Adherence While determining the intended security environment, also identify the actual security environment. The intended security environment is defined by policy, attitudes, and existing mechanisms. Determine where adherence to policy requirements is lacking.
  • 17. Business (1/2) Identify the cost if confidentiality, integrity, availability, or accountability of information is compromised. Measure vulnerabilities in monetary terms, downtime, lost reputation, or lost business. Identify the flow of information across the organization.
  • 18. Business (2/2) Identify organizational interdependencies. Identify which systems and networks are important to the primary function of the organization. Identify the back-end systems.
  • 19. Assessment Results Analyze the information. Assess all security vulnerabilities. Compile a complete set of risks ordered from high to low. Include a list of recommendations to manage each risk. Present potential cost in terms of money, time, resources, reputation, and lost business. Develop a security plan. Allocate and schedule resources to handle security.
  • 20. Developing a Policy (1/2) Policies and procedures define the expected state of an organization’s security. They define the tasks to be performed during implementation. Create policies for communication, security, system usage, backup, account management, incident handling, and disaster recovery. The order in which policies are developed depends on: The criticality of the risks. The time each will take to complete. Ideally, the information policy should be completed early in the process.
  • 21. Developing a Policy (2/2) Existing documents require frequent updating. Use these documents and identify deficiencies. Involve the people who developed the policies.
  • 22. Implementing Security (1/2) Implementation of organizational policies includes: Identification and implementation of technical tools and physical controls. Hiring of security staff. Examination of each implementation and its interactions with other controls.
  • 23. Implementing Security (2/2) Implementation covers: Security reporting systems. Authentication systems. Internet security. Intrusion detection systems. Encryption. Physical security. Staff.
  • 24. Security Reporting Systems (1/3) A security reporting system is a mechanism to track adherence to policies and procedures. It tracks the overall state of vulnerabilities within the organization. It can use manual or automated systems. Enforce computer use policies such as: Tracking Internet use. Restricting access while recording login attempts. Removing unwanted applications from desktop installations.
  • 25. Security Reporting Systems (2/3) System vulnerability scans include: Tracking the number of systems on the network. Tracking the number of vulnerabilities on these systems. Providing vulnerability reports to system administrators for correction or explanation.
  • 26. Security Reporting Systems (3/3) Checking policy adherence is a time-consuming security task. It can be automated or manual. Automated checks require more time to set up and configure, but they provide complete results in a timely manner. In a manual system, security personnel examine and monitor all facets of the security policy.
  • 27. Authentication Systems Authentication systems are used to prove the identity of users accessing a network. These systems identify authorized users and grant them physical access to a facility. They should be implemented with proper planning. Password restrictions, smart cards, and biometrics are a few examples of authentication systems.
  • 28. Internet Security The implementation of Internet security includes: Placing an access control device such as a firewall. Setting up virtual private networks (VPNs). Changing the network architecture.
  • 29. Intrusion Detection Systems (IDS) An IDS is designed to detect any unwarranted entry into a protected area. The choice of IDS depends on overall organizational risks and available resources. Anti-virus software, manual and automated log examination, and host-based and network-based intrusion detection software are a few examples of IDS.
  • 30. Encryption Encryption can be used to protect information in transit or while residing in storage. Choose a well-known and well-reviewed algorithm. Private key encryption is faster than public key encryption. Include an effective key management technique such as link encryptors. A system must change keys periodically.
  • 31. Physical Security Ensure that a proper procedure for authenticating users is in place. Restrict access to the data center. Protect the data center from fire, high temperature, and power failure. Remodel the data center to implement fire suppression and temperature control. Plan for disruptions due to the implementation of a UPS.
  • 32. Staff Hire skilled staff: Who can handle the security implementation. Who can conduct awareness training programs. Who will be responsible for the security of the organization.
  • 33. Conducting Awareness Training Conduct awareness training to provide necessary information to: Employees. Administrators. Developers. Executives. Security staff.
  • 34. Employees Employees should know the importance of security. They must be trained to identify and protect sensitive information. Ensure that the employees are aware of the organization’s policy, password selection, and prevention of attacks.
  • 35. Administrators System administrators must be updated on the latest hacker techniques, security threats, and security patches. Include updates in regular administration staff meetings. Send updates to administrators as and when they are prepared.
  • 36. Developers Developers should know proper programming techniques to reduce security vulnerabilities. They should have a proper understanding of the security department’s role during the development process. Security issues must be addressed in the design phase.
  • 37. Executives Management must be informed of the state of security and the progress of the program. Periodic presentations must include the results of recent assessments and the status of various security projects. Metrics that indicate the risks to the organization must be a part of such reports.
  • 38. Security Staff Security staff must be kept up to date to help them provide appropriate services to the organization. Conduct both internal and external training programs. Include security-related topics in the training sessions.
  • 39. Conducting Audits An audit is the final step in the information security process. It ensures that controls are configured correctly and map to the policy.
  • 40. Types/Components of Audits Policy adherence audits. Periodic and new project assessments. Penetration tests.
  • 41. Policy Adherence Audits Policy adherence audits determine whether or not system configurations adhere to the policy. They are the traditional audit function. Any variations are recorded as violations. Conduct periodic audits of the implementation of the information policy and the storage of sensitive documents.
  • 42. Periodic and New Project Assessments Changes in computer and network environments result in changes to risks and assessments. A full assessment of the organization should be performed periodically. Major audits and assessments must be done by an external firm.
  • 43. Penetration Tests A penetration test attempts to exploit an identified vulnerability to gain access to systems and information. Test the effectiveness of controls using penetration tests. Physical penetration tests involve individuals who attempt to gain unauthorized access to a facility. Social engineering tests assess whether employees can be induced to divulge classified information. Products: http://www.coresecurity.com/products/coreimpact/index.php http://www.immunitysec.com/products-canvas.shtml
  • 44. Summary Conducting an information security assessment involves determining the value of an organization’s information assets. Policies and procedures define the work to be performed during implementation. The implementation of policy involves identification and implementation of tools and controls.
  • 45. Summary Awareness training provides necessary security information to employees. Audits ensure that policies are being implemented and followed.
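The automated policy adherence check described on slides 26 and 41 (compare system configurations to policy, record every variation as a violation), as an added example that is not part of the original deck: a small Python audit that checks each host's reported configuration against a policy baseline, treats an unreported setting as a violation, and orders the findings from high to low severity as slide 19 asks for risks to be presented. The policy rules (including a key age limit in the spirit of slide 30), host names and configuration values are all constructed for illustration.

```python
"""Added example, not the slide deck's own code: a policy adherence audit.

Each POLICY rule names a setting, a comparison and the required value.
Comparisons: "eq" (must equal), "min" (must be at least), "max" (at most).
Rule names, severities and host data below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Any, Dict, List

POLICY: List[Dict[str, Any]] = [
    {"setting": "password_min_length", "op": "min", "value": 12, "severity": "high"},
    {"setting": "max_failed_logins", "op": "max", "value": 5, "severity": "medium"},
    {"setting": "antivirus_installed", "op": "eq", "value": True, "severity": "high"},
    {"setting": "ssh_root_login", "op": "eq", "value": False, "severity": "high"},
    {"setting": "encryption_key_age_days", "op": "max", "value": 90, "severity": "medium"},
    {"setting": "login_attempts_logged", "op": "eq", "value": True, "severity": "low"},
]

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Violation:
    """One recorded variation between a host's configuration and the policy."""
    host: str
    setting: str
    expected: str
    actual: Any
    severity: str


def _complies(op: str, required: Any, actual: Any) -> bool:
    if op == "eq":
        return actual == required
    if op == "min":
        return actual >= required
    if op == "max":
        return actual <= required
    raise ValueError(f"unknown comparison {op!r}")


def audit_host(host: str, config: Dict[str, Any]) -> List[Violation]:
    """Compare one host's configuration to POLICY. A setting the host does not
    report is a violation too: the auditor cannot prove adherence for it."""
    violations: List[Violation] = []
    for rule in POLICY:
        setting, expected = rule["setting"], f'{rule["op"]} {rule["value"]}'
        if setting not in config:
            violations.append(Violation(host, setting, expected, "<not reported>", rule["severity"]))
        elif not _complies(rule["op"], rule["value"], config[setting]):
            violations.append(Violation(host, setting, expected, config[setting], rule["severity"]))
    return violations


def audit(inventory: Dict[str, Dict[str, Any]]) -> List[Violation]:
    """Audit every host; return violations ordered high to low, then by host and setting."""
    found: List[Violation] = []
    for host, config in inventory.items():
        found.extend(audit_host(host, config))
    found.sort(key=lambda v: (SEVERITY_RANK[v.severity], v.host, v.setting))
    return found


def summarize(violations: List[Violation]) -> Dict[str, int]:
    """Violations per host: the per-system count a security reporting system tracks."""
    counts: Dict[str, int] = {}
    for v in violations:
        counts[v.host] = counts.get(v.host, 0) + 1
    return counts


# Constructed inventory (sample data, not real hosts).
INVENTORY = {
    "web-01": {"password_min_length": 14, "max_failed_logins": 5, "antivirus_installed": True,
               "ssh_root_login": False, "encryption_key_age_days": 30, "login_attempts_logged": True},
    "db-01": {"password_min_length": 8, "max_failed_logins": 10, "antivirus_installed": True,
              "ssh_root_login": True, "encryption_key_age_days": 400, "login_attempts_logged": True},
    "lab-07": {"password_min_length": 12, "antivirus_installed": False},  # most settings unreported
}

if __name__ == "__main__":
    for v in audit(INVENTORY):
        print(f"[{v.severity:6}] {v.host:7} {v.setting}: expected {v.expected}, found {v.actual}")
    print("violations per host:", summarize(audit(INVENTORY)))
```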