5. Security Architecture OVERVIEW
Sergey Grigorenko CISSP CISA CISM, September 2009
[Diagram: layered security architecture. Inputs: business requirements and regulatory requirements feed ANALYSIS. Layers: POLICIES, STANDARDS, PROCEDURES AND GUIDELINES. Administrative controls: monitor, report and improve (GO-ITS 25.15). Technical controls: firewalls, intrusion detection and prevention, access control, system hardening. Physical controls: guards, CCTV, lockers, alarm systems.]
6. OVERVIEW The cost of data loss for 2008: $50.00 - $200.00 per record; 215 million records lost since January 2008 = $11 to $430 Billion; $6.3 million per company incident. /Gartner/
7. OVERVIEW The objective of the GO-ITS 25.15 Standard is to ensure that the management and use of passwords to access Government of Ontario information and information technology is effective, and assists in the mitigation of unacceptable risks to those resources. “Security Requirements for Password Management and Use”, Standard number 25.15, was created by the Information Technology Standards Council (ITSC) to set out security requirements for password management and use.
9. Threats Against Passwords In order to protect users and the organization from a password attack, we have to understand the various threats and tactics.
14. QUESTIONS? Sergey Grigorenko, INFO@SERGRI.NET, September 2009
References: NIST Special Publication 800-118, Guide to Enterprise Password Management; Government of Ontario IT Standard (GO-ITS) 25.15 (V.1.3)