Security Management Practices
Security Management Practices

  • Information Security Management
  • The Big Three - CIA
  • The Information Classification process
  • Security Policy implementation
  • The roles and responsibilities of Security Administration
  • Risk Management Assessment tools
  • Security Awareness training
Information Security Management
  • To protect an organization’s valuable resources, such as information, hardware, and software
  • Identification of an organization’s information assets
  • The development, documentation, and implementation of policies, standards, procedures, and guidelines
  • Ensure Availability, Integrity and Confidentiality
Information Security Management Cont…

  • Through the selection and application of appropriate safeguards, Information Security helps the organization’s mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets
  • Information systems are often critical assets that support the mission of an organization
  • However, including Information Security considerations in the management of information systems does not completely eliminate the possibility that these assets will be harmed.
Availability, Integrity and Confidentiality
Availability
  • Availability is the assurance that a computer system is accessible by authorized users whenever needed.

The Threat
  • Denial of Service & Distributed Denial of Service
  • Natural disasters (e.g., fires, floods, storms, or earthquakes)
  • Human actions (e.g., bombs or strikes)
Availability Cont…
The Action
  • Contingency planning — which may involve business resumption planning, alternative-site processing, or simply disaster recovery planning — provides an alternative means of processing, thereby ensuring availability.
  • Physical, Technical, and Administrative controls are important aspects of security initiatives

The Physical controls
  • Restrict unauthorized persons from coming into contact with computing resources and facilities
Availability Cont…

The Technical controls
  • Fault-tolerance mechanisms (e.g., hardware redundancy, disk mirroring, and application checkpoint restart)
  • Electronic vaulting (i.e., automatic backup to a secure, off-site location)
  • Access control software to prevent unauthorized users

The Administrative controls
  • Access control policies, operating procedures, contingency planning, and user training
Integrity
Integrity
  • Protection of Information Systems or Processes from intentional or accidental unauthorized changes
  • Protect the process or program used to manipulate the data from unauthorized modification.

The Threat
  • Hackers, Masqueraders, Unauthorized user activity
  • Unprotected downloaded files, networks, and unauthorized programs (e.g., Trojan horses and viruses)
  • Authorized users can corrupt data and programs accidentally or intentionally
Integrity Cont…
The Action
  • Granting access on a need-to-know (least privilege) basis
  • Separation of duties
  • Rotation of duties

Need-to-Know Access (Least Privilege)
  • Grant users access only to those files and programs that they absolutely need to perform their assigned job functions
  • Restrict through use of well-formed transactions (recording of data/program modifications in a log)
Integrity Cont…

Separation of Duties
  • No single employee has control of a transaction from beginning to end

Rotation of Duties
  • Change job assignments periodically
  • Works well when used in conjunction with separation of duties
  • Helps the organization when it loses a key employee

“The security program must employ a careful balance between ideal security and practical productivity”
Confidentiality
Confidentiality
  • Protection of information within systems so that unauthorized people, resources, and processes cannot access that information

The Threat
  • Hackers, Masqueraders, Unauthorized user activity
  • Unprotected downloaded files, networks, and unauthorized programs (e.g., Trojan horses and viruses)
  • Social Engineering

The Action
  • Granting access on a need-to-know (least privilege) basis
  • Well-Formed Transaction
  • Awareness
Risk Analysis and Assessment
Risk Management

  • The processes of identifying, analyzing and assessing, mitigating, or transferring risk are generally characterized as Risk Management

Risk Management Process
  • What could happen (threat event)?
  • If it happened, how bad could it be (threat impact)?
  • How often could it happen (threat frequency, annualized)?
  • How certain are the answers to the first three questions (recognition of uncertainty)?
  • What can be done (risk mitigation)?
  • How much will it cost (annualized)?
  • Is it cost-effective (cost/benefit analysis)?
Risk Analysis and Assessment Cont…
Risk Analysis

  • This term represents the process of analyzing a target environment and the relationships of its risk-related attributes

Qualitative / Quantitative
  • Quantitative risk analysis attempts to assign independently objective numeric values (i.e., monetary values) to all elements of the risk analysis
  • Qualitative risk analysis, on the other hand, does not attempt to assign numeric values at all, but rather is scenario oriented
Risk Analysis and Assessment Cont…
Risk Assessment

  • This term represents the assignment of value to assets, threat frequency (annualized), consequence (i.e., exposure factors), and other elements of chance

Information Asset
  • Information is regarded as an intangible asset separate from the media on which it resides
  • Simple cost of replacing the information
  • The cost of replacing supporting software
  • Costs associated with loss of the information’s confidentiality, availability, and integrity
  • Supporting hardware and network
Risk Analysis and Assessment Cont…
Exposure Factor (EF)
  • A measure of the magnitude of loss or impact on the value of an asset
  • A percent, ranging from 0 to 100%, of asset value loss arising from a threat event

Single Loss Expectancy (SLE)
  Single Loss Expectancy = Asset Value × Exposure Factor

Annualized Rate of Occurrence (ARO)
  • The frequency with which a threat is expected to occur
  • For example, a threat occurring once in ten years has an ARO of 1/10 or 0.1
Risk Analysis and Assessment Cont…
Annualized Loss Expectancy (ALE)

  Annualized Loss Expectancy = Single Loss Expectancy × Annualized Rate of Occurrence

Probability
  • The chance or likelihood that an event will occur
  • For example, the probability of getting a 6 on a single roll of a die is 1/6, or 0.16667
  • Probability ranges from 0 to 1

Safeguard
  • A risk-reducing measure that acts to detect, prevent, or minimize loss associated with the occurrence of a specified threat or category of threats
Risk Analysis and Assessment Cont…
Safeguard Effectiveness
  • The degree, expressed as a percent from 0 to 100%, to which a safeguard can be characterized as effectively mitigating a vulnerability and reducing associated loss risks

Uncertainty
  • The degree, expressed as a percent from 0.0% to 100%, to which there is less than complete confidence in the value of any element of the risk assessment
Tasks of Information Risk Management
Establish Information Risk Management Policy
  • IRM policy should begin with a high-level policy statement and supporting objectives, scope, constraints, responsibilities, and approach
  • Communicate and enforce

Establish an IRM Team
  • A top-down approach works well

Establish IRM Methodology and Tools
  • Determine the current status of Information Security
  • Plan the strategic risk assessment

Identify and Measure Risk
  • Perform a Risk Assessment based on the IRM policy and IRM methodology & tools
Information Protection Environment
  • Threat Analysis
  • Asset Identification and Valuation
  • Vulnerability Analysis
  • Risk Evaluation
  • Interim Reports and Recommendations
  • Establish Risk Acceptance Criteria
      Example: do not accept more than a 1 in 100 chance of losing $1,000,000
  • Mitigate Risk
  • Safeguard Selection and Risk Mitigation Analysis
  • Cost/Benefit Analysis
  • Final Report
  • Monitor Information Risk Management Performance
Security Technology and Tools
Qualitative versus Quantitative Approach

  • The Qualitative Approach is a much more subjective approach to the valuation of information assets and the scaling of risk
  • In general the risks are described as “low,” “medium,” or “high”

  • The Quantitative Approach works with real numbers
  • Uses algorithms
  • ALE = ARO × SLE, where SLE = Asset Value × Exposure Factor

  • Assume the asset value is $1M, the exposure factor is 50%, and the annualized rate of occurrence is 1/10 (once in ten years)
  • ($1M × 50% = $500K) × 1/10 = $50K
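The quantitative calculation above carried through in code, as an added example that is not part of the original deck: it reproduces the deck's $1M / 50% / 1-in-10 figures, then adds the safeguard cost/benefit comparison and the deck's "1 in 100 chance of losing $1,000,000" acceptance criterion. The safeguard figures and the second threat are constructed for the example.

```python
# Quantitative risk analysis worked through in code.  Added illustration, not
# from the original slide deck; the asset/threat figures for DECK_THREAT are the
# deck's own ($1M asset, 50% exposure factor, ARO 1/10).  The safeguard and the
# second threat are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat event against one asset, in the deck's terms."""
    name: str
    asset_value: float      # value of the information asset, in dollars
    exposure_factor: float  # EF: fraction of asset value lost per event, 0.0 .. 1.0
    aro: float              # Annualized Rate of Occurrence: expected events per year

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 100%")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value x Exposure Factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A risk-reducing measure with an annual cost and a percent effectiveness."""
    name: str
    annual_cost: float
    effectiveness: float  # share of the loss risk it removes, 0.0 .. 1.0

    def __post_init__(self):
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError("safeguard effectiveness must be between 0 and 100%")


def residual_ale(threat: Threat, safeguard: Safeguard) -> float:
    """ALE left over once the safeguard removes its share of the loss risk."""
    return threat.ale() * (1.0 - safeguard.effectiveness)


def annual_net_benefit(threat: Threat, safeguard: Safeguard) -> float:
    """Cost/benefit analysis: (ALE before - ALE after) - annual safeguard cost.
    A positive result means the safeguard saves more per year than it costs."""
    return threat.ale() - residual_ale(threat, safeguard) - safeguard.annual_cost


def within_acceptance(threat: Threat, max_probability: float, loss_threshold: float) -> bool:
    """Risk acceptance criterion in the deck's form: 'do not accept more than a
    1 in 100 chance of losing $1,000,000'.  A threat is acceptable when a single
    event costs less than the threshold, or when events that large are expected
    no more often than the permitted annual probability."""
    return threat.sle() < loss_threshold or threat.aro <= max_probability


def rank_by_ale(threats):
    """Order threats by ALE, highest first: the quantitative answer to
    'which areas of risk are significant'."""
    return sorted(threats, key=lambda t: t.ale(), reverse=True)


# The deck's own example figures ...
DECK_THREAT = Threat("deck example", asset_value=1_000_000, exposure_factor=0.50, aro=0.10)
# ... plus a constructed second threat: total loss of the same asset, once in 50 years.
FIRE = Threat("data centre fire (constructed)", asset_value=1_000_000, exposure_factor=1.0, aro=0.02)
# Constructed safeguard: $20,000 per year, rated 80% effective against DECK_THREAT.
BACKUP = Safeguard("off-site electronic vaulting (constructed)", annual_cost=20_000, effectiveness=0.80)

if __name__ == "__main__":
    for t in rank_by_ale([DECK_THREAT, FIRE]):
        print(f"{t.name}: SLE ${t.sle():,.0f}  ALE ${t.ale():,.0f}  "
              f"acceptable={within_acceptance(t, 1 / 100, 1_000_000)}")
    print(f"{BACKUP.name}: net annual benefit ${annual_net_benefit(DECK_THREAT, BACKUP):,.0f}")
```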
Pros and Cons of Qualitative Approach
Pros
  • Calculations, if any, are simple
  • Usually not necessary to determine the monetary value of information (CIA)
  • Not necessary to determine quantitative threat frequency and impact data
  • Not necessary to estimate the cost of recommended risk mitigation measures and calculate cost/benefit because the process is not quantitative
  • A general indication of significant areas of risk

Cons
  • The risk assessment and results are essentially subjective in both process and metrics
  • The perception of value may not realistically reflect actual value at risk
  • Only a subjective indication of a problem
  • It is not possible to track risk management performance objectively when all measures are subjective
Pros and Cons of Quantitative Approach
Pros
  • Meaningful statistical analysis is supported
  • The value of information (CIA), as expressed in monetary terms with supporting rationale, is better understood. Thus, the basis for expected loss is better understood
  • Information security budget decision making is supported
  • Risk management performance can be tracked and evaluated
  • Risk assessment results are derived and expressed in management’s language: monetary value, percentages, and probability annualized. Thus, risk is better understood

Cons
  • Calculations are complex
  • Not practical to execute a quantitative risk assessment without using a recognized automated tool and associated knowledge bases
  • A substantial amount of information gathering is required
  • A standard, independent threat population and threat frequency knowledge base has not yet been developed and maintained, so the analysis is vendor dependent
Information Classification
Information Protection Requirements

  • Data confidentiality, integrity, and availability are improved because appropriate controls are used for all data across the enterprise
  • The organization gets the most for its information protection dollar because protection mechanisms are designed and implemented where they are needed most, and less costly controls can be put in place for non-critical information
  • The quality of decisions is improved because the data upon which the decisions are made can be trusted
  • The company is provided with a process to review all business functions and informational requirements on a periodic basis to determine appropriate data classifications
Data Classification
  • Classification is part of a mandatory access control model to ensure that sensitive data is properly controlled and secured
  • DoD multi-level security policy has 4 classifications:
      • Top Secret
      • Secret
      • Confidential
      • Unclassified
  • Other levels in use are:
      • Eyes only
      • Officers only
      • Company confidential
      • Public
Data Classification Cont…
  • Top Secret - applies to the most sensitive business information which is intended strictly for use within the organization. Unauthorized disclosure could seriously and adversely impact the company, stockholders, business partners, and/or its customers
  • Secret - applies to less sensitive business information which is intended for use within a company. Unauthorized disclosure could adversely impact the company, its stockholders, its business partners, and/or its customers
  • Confidential - applies to personal information which is intended for use within the company. Unauthorized disclosure could adversely impact the company and/or its employees
  • Unclassified - applies to all other information which does not clearly fit into any of the above three classifications. Unauthorized disclosure isn’t expected to seriously or adversely impact the company
Information Classification Cont…

Information Protection Environment
  Getting started: questions to ask
    • Is there an executive sponsor for this project?
    • What are you trying to protect, and from what?
    • Are there any regulatory requirements to consider?
    • Has the business accepted ownership responsibilities for the data?

  Policy
    • An essential tool in establishing a data classification scheme
    • Define information as an asset of the business unit
    • Declare local business managers as the owners of information
    • Establish IT as the custodians of corporate information
    • Clearly define roles and responsibilities of those involved in the ownership and classification of information
    • Define the classifications and criteria that must be met for each
    • Determine the minimum range of controls to be established for each classification
Information Classification Cont…
  Risk Analysis
    • Identify major functional areas of information
    • Analyze the classification requirements
    • Determine the risk associated
    • Determine the effect of loss
    • Build a table
  Establishing classifications
    • Public: information that, if disclosed outside the company, would not harm the organization, its employees, customers, or business partners.
    • Internal Use Only: information that is not sensitive to disclosure within the organization, but could harm the company if disclosed externally.
    • Company Confidential: sensitive information that requires “need-to-know” before access is given
Information Classification Cont…
  Defining roles and responsibilities
    • Information owner - A business executive or business manager who is responsible for a company business information asset
    • Information custodian - The information custodian, usually an information technology or operations person, is the system administrator or operator for the Information Owner, with primary responsibilities dealing with running the program for the owner and backup and recovery of the business information
    • Application owner - Manager of the business unit who is fully accountable for the performance of the business function served by the application
    • User manager - The immediate manager or supervisor of an employee
Information Classification Cont…
  Defining roles and responsibilities
    • Security administrator - Any company employee who owns an “administrative” user ID that has been assigned attributes or privileges that are associated with any type of access control system
    • Security analyst - Person responsible for determining the data security directions (strategies, procedures, guidelines) to ensure information is controlled and secured based on its value, risk of loss or compromise, and ease of recoverability
    • Change control analyst - Person responsible for analyzing requested changes to the Information Technology infrastructure and determining the impact on applications
    • Data analyst - This person analyzes the business requirements to design the data structures and recommends data definition standards and physical platforms
Information Classification Cont…
  Defining roles and responsibilities
    • Solution provider - Person who participates in the solution (application) development and delivery processes in deploying business solutions
    • End user - Any employee, contractor, or vendor of the company who uses information systems resources as part of their job
    • Process owner - This person is responsible for the management, implementation, and continuous improvement of a process that has been defined to meet a business need
    • Product line manager - Person responsible for understanding business requirements and translating them into product requirements, working with the vendor/user area
Information Classification Cont…
  Identifying owners
    • The proper owner must be from the business
    • Senior management support is a key success factor
    • Information owners must be given the necessary authority

  Classifying information and applications
    • Collect the metadata about their business functions
    • Review the definitions for the information classifications

  Ongoing monitoring
    • Ensure compliance with policy and established procedures
    • Periodically review the data to ensure they are still appropriately classified
Policies, Procedures, Standards, Baselines
  • Policy - An information security policy contains senior management’s directives to create an information security program, establish its goals, measures, and targets, and assign responsibilities
  • Standards - Standards are mandatory activities, actions, rules, or regulations designed to provide policies with the support structure and specific direction they require to be meaningful and effective
  • Procedures - Procedures spell out the step-by-step specifics of how the policy and the supporting standards and guidelines will actually be implemented in an operating environment
  • Guidelines - Guidelines are more general statements designed to achieve the policy’s objectives by providing a framework within which to implement controls not covered by procedures
The Policy Chart
Awareness Program
  • Security policies, standards, procedures, baselines, and guidelines
  • Threats to physical assets and stored information
  • Threats to open network environments
  • Laws and regulations they are required to follow
  • Specific organization or department policies they are required to follow
  • How to identify and protect sensitive (or classified) information
  • How to store, label, and transport information
  • Who they should report security incidents to, regardless of whether it is just a suspected or an actual incident
  • Email/Internet policies and procedures
  • Social engineering
Implementation (Delivery) Options
  • Posters
  • Posting motivational and catchy slogans
  • Videotapes
  • Classroom instruction
  • Computer-based delivery, such as CD-ROM, DVD, intranet access, Web-based access, etc.
  • Brochures/flyers
  • Pens/pencils/keychains (any type of trinket) with motivational slogans
  • Post-it notes with a message on protecting the Information Technology system
  • Stickers for doors and bulletin boards
Implementation (Delivery) Options Cont…
  • Cartoons/articles published monthly or quarterly in an in-house newsletter or specific department notices
  • Special topical bulletins (security alerts in this instance)
  • Monthly email notices related to security issues or email broadcasts of security advisories
  • Security banners or pre-logon messages that appear on the computer monitor
  • Distribution of items as an incentive
 
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptxREPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptxJakeariesMacarayo
 
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptxIAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptxJakeariesMacarayo
 
Cybersecurity risk management 101
Cybersecurity risk management 101Cybersecurity risk management 101
Cybersecurity risk management 101Srinivasan Vanamali
 
Ch07 Managing Risk
Ch07 Managing RiskCh07 Managing Risk
Ch07 Managing Riskphanleson
 
Physical Security Assessment
Physical Security AssessmentPhysical Security Assessment
Physical Security AssessmentGary Bahadur
 
Ch09 Performing Vulnerability Assessments
Ch09 Performing Vulnerability AssessmentsCh09 Performing Vulnerability Assessments
Ch09 Performing Vulnerability AssessmentsInformation Technology
 

Similar a 1. security management practices (20)

Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30Risk Assessment Process NIST 800-30
Risk Assessment Process NIST 800-30
 
Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30Defense In Depth Using NIST 800-30
Defense In Depth Using NIST 800-30
 
Dj24712716
Dj24712716Dj24712716
Dj24712716
 
Information Security Background
Information Security BackgroundInformation Security Background
Information Security Background
 
Information security background
Information security backgroundInformation security background
Information security background
 
Physical Security Assessment
Physical Security AssessmentPhysical Security Assessment
Physical Security Assessment
 
Chapter 1 overview
Chapter 1 overviewChapter 1 overview
Chapter 1 overview
 
Chapter 1Managing RiskTHE FOLLOWING COMPTIA SECURITY+ EXAM OBJ.docx
Chapter 1Managing RiskTHE FOLLOWING COMPTIA SECURITY+ EXAM OBJ.docxChapter 1Managing RiskTHE FOLLOWING COMPTIA SECURITY+ EXAM OBJ.docx
Chapter 1Managing RiskTHE FOLLOWING COMPTIA SECURITY+ EXAM OBJ.docx
 
Challenges in implementating cyber security
Challenges in implementating cyber securityChallenges in implementating cyber security
Challenges in implementating cyber security
 
Cissp combined notes
Cissp combined notesCissp combined notes
Cissp combined notes
 
Convergence innovative integration of security
Convergence   innovative integration of securityConvergence   innovative integration of security
Convergence innovative integration of security
 
Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016Security assessment isaca sv presentation jan 2016
Security assessment isaca sv presentation jan 2016
 
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
4Brian DennisonJohn DensonIT454 -1504B-01Mon, 121415.docx
 
Threat Modelling and managed risks for medical devices
Threat Modelling and managed risks for medical devicesThreat Modelling and managed risks for medical devices
Threat Modelling and managed risks for medical devices
 
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptxREPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
REPORTING IAS101djfjfjffjfjfjjfjfjjf.pptx
 
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptxIAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
IAS101REPORTINGINFORMATIONRISKBSIT3B.pptx
 
Cybersecurity risk management 101
Cybersecurity risk management 101Cybersecurity risk management 101
Cybersecurity risk management 101
 
Ch07 Managing Risk
Ch07 Managing RiskCh07 Managing Risk
Ch07 Managing Risk
 
Physical Security Assessment
Physical Security AssessmentPhysical Security Assessment
Physical Security Assessment
 
Ch09 Performing Vulnerability Assessments
Ch09 Performing Vulnerability AssessmentsCh09 Performing Vulnerability Assessments
Ch09 Performing Vulnerability Assessments
 

Más de 7wounders

10. law invest & ethics
10. law invest & ethics10. law invest & ethics
10. law invest & ethics7wounders
 
8. operations security
8. operations security8. operations security
8. operations security7wounders
 
7. physical sec
7. physical sec7. physical sec
7. physical sec7wounders
 
6. cryptography
6. cryptography6. cryptography
6. cryptography7wounders
 
5. telecomm & network security
5. telecomm & network security5. telecomm & network security
5. telecomm & network security7wounders
 
3. security architecture and models
3. security architecture and models3. security architecture and models
3. security architecture and models7wounders
 
2. access control
2. access control2. access control
2. access control7wounders
 

Más de 7wounders (8)

Cissp why
Cissp whyCissp why
Cissp why
 
10. law invest & ethics
10. law invest & ethics10. law invest & ethics
10. law invest & ethics
 
8. operations security
8. operations security8. operations security
8. operations security
 
7. physical sec
7. physical sec7. physical sec
7. physical sec
 
6. cryptography
6. cryptography6. cryptography
6. cryptography
 
5. telecomm & network security
5. telecomm & network security5. telecomm & network security
5. telecomm & network security
 
3. security architecture and models
3. security architecture and models3. security architecture and models
3. security architecture and models
 
2. access control
2. access control2. access control
2. access control
 

Último

The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxShobhayan Kirtania
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 

Último (20)

The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptx
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and Mode
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 

1. Security Management Practices

2. Security Management Practices
 Information Security Management
 The Big Three - CIA
 The Information Classification process
 Security Policy implementation
 The roles and responsibilities of Security Administration
 Risk Management Assessment tools
 Security Awareness training

3. Information Security Management
 To protect an organization’s valuable resources, such as information, hardware, and software
 Identification of an organization’s information assets
 The development, documentation, and implementation of policies, standards, procedures, and guidelines
 Ensure Availability, Integrity and Confidentiality

4. Information Security Management Cont…
 Through the selection and application of appropriate safeguards, Information Security helps the organization’s mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets
 Information systems are often critical assets that support the mission of an organization
 However, including Information Security considerations in the management of information systems does not completely eliminate the possibility that these assets will be harmed.

5. Availability, Integrity and Confidentiality
Availability
 Availability is the assurance that a computer system is accessible by authorized users whenever needed.
The Threat
 Denial of Service & Distributed Denial of Service
 Natural disasters (e.g., fires, floods, storms, or earthquakes)
 Human actions (e.g., bombs or strikes)

6. Availability Cont…
The Action
 Contingency planning — which may involve business resumption planning, alternative-site processing, or simply disaster recovery planning — provides an alternative means of processing, thereby ensuring availability.
 Physical, Technical, and Administrative controls are important aspects of security initiatives
The Physical controls
 Restrict unauthorized persons from coming into contact with computing resources and facilities

7. Availability Cont…
The Technical controls
 Fault-tolerance mechanisms (e.g., hardware redundancy, disk mirroring, and application checkpoint restart)
 Electronic vaulting (i.e., automatic backup to a secure, off-site location)
 Access control software to prevent unauthorized users
The Administrative controls
 Access control policies, operating procedures, contingency planning, and user training

8. Integrity
Integrity
 Protection of Information Systems or Processes from intentional or accidental unauthorized changes
 Protect the process or program used to manipulate the data from unauthorized modification.
The Threat
 Hackers, Masqueraders, Unauthorized user activity
 Unprotected downloaded files, networks, and unauthorized programs (e.g., Trojan horses and viruses)
 Authorized users can corrupt data and programs accidentally or intentionally

9. Integrity Cont…
The Action
 Granting access on a need-to-know (least privilege) basis
 Separation of duties
 Rotation of duties
Need-to-Know Access (Least Privilege)
 Grant access only to those files and programs that users absolutely need to perform their assigned job functions
 Restrict through use of well-formed transactions (recording of data/program modifications in a log)

10. Integrity Cont…
Separation of Duties
 No single employee has control of a transaction from beginning to end
Rotation of Duties
 Change job assignments periodically
 Works well when used in conjunction with a separation of duties
 Helps the organization when losing a key employee
“The security program must employ a careful balance between ideal security and practical productivity”

11. Confidentiality
Confidentiality
 Protection of information within systems so that unauthorized people, resources, and processes cannot access that information
The Threat
 Hackers, Masqueraders, Unauthorized user activity
 Unprotected downloaded files, networks, and unauthorized programs (e.g., Trojan horses and viruses)
 Social Engineering
The Action
 Granting access on a need-to-know (least privilege) basis
 Well-Formed Transaction
 Awareness

12. Risk Analysis and Assessment
Risk Management
 The processes of identifying, analyzing and assessing, mitigating, or transferring risk are generally characterized as Risk Management
Risk Management Process
 What could happen (threat event)?
 If it happened, how bad could it be (threat impact)?
 How often could it happen (threat frequency, annualized)?
 How certain are the answers to the first three questions (recognition of uncertainty)?
 What can be done (risk mitigation)?
 How much will it cost (annualized)?
 Is it cost-effective (cost/benefit analysis)?

13. Risk Analysis and Assessment Cont…
Risk Analysis
 This term represents the process of analyzing a target environment and the relationships of its risk-related attributes
Qualitative / Quantitative
 Quantitative risk analysis attempts to assign independently objective numeric values (i.e., monetary values) to all elements of the risk analysis
 Qualitative risk analysis, on the other hand, does not attempt to assign numeric values at all, but rather is scenario oriented

14. Risk Analysis and Assessment Cont…
Risk Assessment
 This term represents the assignment of value to assets, threat frequency (annualized), consequence (i.e., exposure factors), and other elements of chance
Information Asset
 Information is regarded as an intangible asset separate from the media on which it resides
 Simple cost of replacing the information
 The cost of replacing supporting software
 Costs associated with loss of the information’s confidentiality, availability, and integrity
 Supporting hardware and network

15. Risk Analysis and Assessment Cont…
Exposure Factor (EF)
 A measure of the magnitude of loss or impact on the value of an asset
 A percent, ranging from 0 to 100%, of asset value loss arising from a threat event
Single Loss Expectancy (SLE)
 Single Loss Expectancy = Asset Value X Exposure Factor
Annualized Rate of Occurrence (ARO)
 The frequency with which a threat is expected to occur
 For example, a threat occurring once in ten years has an ARO of 1/10 or 0.1

16. Risk Analysis and Assessment Cont…
Annualized Loss Expectancy (ALE)
 Annualized Loss Expectancy = Single Loss Expectancy X Annualized Rate of Occurrence
Probability
 The chance or likelihood that an event will occur
 For example, the probability of getting a 6 on a single roll of a die is 1/6, or 0.16667
 The probability can range between 0 and 1
Safeguard
 … occurrence of a specified threat or category of threats

17. Risk Analysis and Assessment Cont…
Safeguard Effectiveness
 The degree, expressed as a percent, from 0 to 100%, to which a safeguard can be characterized as effectively mitigating a vulnerability and reducing associated loss risks
Uncertainty
 The degree, expressed as a percent, from 0.0% to 100%, to which there is less than complete confidence in the value of any element of the risk assessment

18. Tasks of Information Risk Management
Establish Information Risk Management Policy
 IRM policy should begin with a high-level policy statement and supporting objectives, scope, constraints, responsibilities, and approach
 Communicate and Enforce
Establish an IRM Team
 Top Down Approach will work well
Establish IRM Methodology and Tools
 Determine current status of Information Security
 Plan Strategic risk assessment
Identify and Measure Risk
 Perform Risk Assessment based on the IRM policy and IRM methodology & tools

19. Information Protection Environment
 Threat Analysis
 Asset Identification and Valuation
 Vulnerability Analysis
 Risk Evaluation
 Interim Reports and Recommendations
 Establish Risk Acceptance Criteria
 Example: do not accept more than a 1 in 100 chance of losing $1,000,000
 Mitigate Risk
 Safeguard Selection and Risk Mitigation Analysis
 Cost/Benefit Analysis
 Final Report
 Monitor Information Risk Management Performance

20. Security Technology and Tools
Qualitative versus Quantitative Approach
 The Qualitative Approach is a much more subjective approach to the valuation of information assets and the scaling of risk
 In general the risks are described as “low,” “medium,” or “high”
 The Quantitative Approach works with real numbers
 Uses algorithms
 ALE = ARO X (Asset Value X Exposure Factor = SLE)
 Assume the asset value is $1M, the exposure factor is 50%, and the annualized rate of occurrence is 1/10 (once in ten years)
 ($1M X 50% = $500K) X 1/10 = $50K

21. Pros and Cons of Qualitative Approach
Pros
 Calculations, if any, are simple
 Usually not necessary to determine the monetary value of Information (CIA)
 Not necessary to determine quantitative threat frequency and impact data
 Not necessary to estimate the cost of recommended risk mitigation measures and calculate cost/benefit because the process is not quantitative.
 A general indication of significant areas of risk
Cons
 The risk assessment and results are essentially subjective in both process and metrics
 The perception of value may not realistically reflect actual value at risk
 Only subjective indication of a problem
 It is not possible to track risk management performance objectively when all measures are subjective

22. Pros and Cons of Quantitative Approach
Pros
 Meaningful statistical analysis is supported
 The value of information (CIA), as expressed in monetary terms with supporting rationale, is better understood. Thus, the basis for expected loss is better understood
 Information security budget decision making is supported
 Risk management performance can be tracked and evaluated.
 Risk assessment results are derived and expressed in management’s language: monetary value, percentages, and probability annualized. Thus, risk is better understood.
Cons
 Calculations are complex.
 Not practical to execute a quantitative risk assessment without using a recognized automated tool and associated knowledge bases
 A substantial amount of information gathering is required
 Standard, independent threat population and threat frequency knowledge base not yet developed and maintained, so vendor dependent
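The SLE/ALE arithmetic of slides 15, 16 and 20 carried through to the safeguard cost/benefit question of slides 12 and 19, as an added example that is not part of the original slides. The residual-ALE and net-value formulas it applies to a safeguard are standard companions of this model but are an assumption here, as are the two constructed candidate safeguards and their costs.

```python
"""Quantitative risk analysis with the slides' formulas (added example).

  SLE = Asset Value x Exposure Factor
  ALE = SLE x Annualized Rate of Occurrence (ARO)

Safeguard handling is an assumption layered on top of the slides: a safeguard
of effectiveness E leaves a residual ALE of ALE x (1 - E), and its annual net
value is ALE_before - ALE_after - annual safeguard cost. A positive net value
is what "Is it cost-effective?" asks for.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ThreatScenario:
    """One threat event against one information asset."""
    name: str
    asset_value: float       # monetary value of the asset (replacement, CIA loss, ...)
    exposure_factor: float   # share of asset value lost per event, 0.0 .. 1.0
    aro: float               # expected events per year; once in ten years = 0.1

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must lie between 0% and 100%")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError("asset value and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value x Exposure Factor."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control with its effectiveness (slide 17) and annual cost."""
    name: str
    effectiveness: float   # 0.0 .. 1.0 share of the loss risk it removes
    annual_cost: float     # annualized cost of buying and operating it

    def __post_init__(self) -> None:
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError("effectiveness must lie between 0% and 100%")


def aro_from_interval(years_between_events: float) -> float:
    """ARO for a threat expected once every N years (N = 10 gives 0.1)."""
    if years_between_events <= 0:
        raise ValueError("interval must be positive")
    return 1.0 / years_between_events


def residual_ale(scenario: ThreatScenario, safeguard: Safeguard) -> float:
    """ALE that remains after the safeguard removes its share of the loss risk."""
    return scenario.ale() * (1.0 - safeguard.effectiveness)


def safeguard_value(scenario: ThreatScenario, safeguard: Safeguard) -> float:
    """Annual net value: loss avoided minus what the safeguard costs per year."""
    return scenario.ale() - residual_ale(scenario, safeguard) - safeguard.annual_cost


def is_cost_effective(scenario: ThreatScenario, safeguard: Safeguard) -> bool:
    """The cost/benefit question from slide 12: does the safeguard pay for itself?"""
    return safeguard_value(scenario, safeguard) > 0


def rank_safeguards(scenario: ThreatScenario, candidates: List[Safeguard]) -> List[Safeguard]:
    """Order candidates by annual net value, best buy first."""
    return sorted(candidates, key=lambda s: safeguard_value(scenario, s), reverse=True)


def slide_20_scenario() -> ThreatScenario:
    """The slides' own numbers: $1M asset, 50% exposure, once in ten years."""
    return ThreatScenario("slide 20 example", 1_000_000, 0.50, aro_from_interval(10))


# Two constructed candidate safeguards for the slide 20 scenario (not from the slides).
CANDIDATE_SAFEGUARDS = [
    Safeguard("off-site electronic vaulting", effectiveness=0.80, annual_cost=15_000),
    Safeguard("fully mirrored hot site", effectiveness=0.95, annual_cost=60_000),
]


if __name__ == "__main__":
    scenario = slide_20_scenario()
    print(f"SLE = ${scenario.sle():,.0f}, ALE = ${scenario.ale():,.0f}")
    for sg in rank_safeguards(scenario, CANDIDATE_SAFEGUARDS):
        verdict = "cost-effective" if is_cost_effective(scenario, sg) else "not cost-effective"
        print(f"{sg.name}: residual ALE ${residual_ale(scenario, sg):,.0f}, "
              f"net value ${safeguard_value(scenario, sg):,.0f} ({verdict})")
```

Run directly to see the ranking: the more effective hot site loses because its annual cost exceeds the $50K of loss it could ever avoid, which is exactly the trade-off the cost/benefit step is meant to expose.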
23. Information Classification
Information Protection Requirements
 Data confidentiality, integrity, and availability are improved because appropriate controls are used for all data across the enterprise
 The organization gets the most for its information protection dollar because protection mechanisms are designed and implemented where they are needed most, and less costly controls can be put in place for non-critical information
 The quality of decisions is improved because the data upon which the decisions are made can be trusted
 The company is provided with a process to review all business functions and informational requirements on a periodic basis to determine appropriate data classifications

24. Data Classification
 Classification is part of a mandatory access control model to ensure that sensitive data is properly controlled and secured
 DoD multi-level security policy has 4 classifications:
   Top Secret
   Secret
   Confidential
   Unclassified
 Other levels in use are:
   Eyes only
   Officers only
   Company confidential
   Public

25. Data Classification Cont…
 Top Secret - Applies to the most sensitive business information which is intended strictly for use within the organization. Unauthorized disclosure could seriously and adversely impact the company, stockholders, business partners, and/or its customers
 Secret - Applies to less sensitive business information which is intended for use within a company. Unauthorized disclosure could adversely impact the company, its stockholders, its business partners, and/or its customers
 Confidential - Applies to personal information which is intended for use within the company. Unauthorized disclosure could adversely impact the company and/or its employees
 Unclassified - Applies to all other information which does not clearly fit into any of the above three classifications. Unauthorized disclosure isn’t expected to seriously or adversely impact the company

26. Information Classification Cont…
Information Protection Environment
 Getting started: questions to ask
  • Is there an executive sponsor for this project?
  • What are you trying to protect, and from what?
  • Are there any regulatory requirements to consider?
  • Has the business accepted ownership responsibilities for the data?
 Policy
  • An essential tool in establishing a data classification scheme
  • Define information as an asset of the business unit
  • Declare local business managers as the owners of information
  • Establish IT as the custodians of corporate information
  • Clearly define roles and responsibilities of those involved in the ownership and classification of information
  • Define the classifications and criteria that must be met for each
  • Determine the minimum range of controls to be established for each classification

27. Information Classification Cont…
 Risk Analysis
   Identify major functional areas of information
   Analyze the classification requirements
   Determine the risk associated
   Determine the effect of loss
   Build a table
 Establishing classifications
   Public: information that, if disclosed outside the company, would not harm the organization, its employees, customers, or business partners.
   Internal Use Only: information that is not sensitive to disclosure within the organization, but could harm the company if disclosed externally.
   Company Confidential: sensitive information that requires “need-to-know” before access is given

28. Information Classification Cont…
 Defining roles and responsibilities
   Information owner - A business executive or business manager who is responsible for a company business information asset
   Information custodian - The information custodian, usually an information technology or operations person, is the system administrator or operator for the Information Owner, with primary responsibilities dealing with running the program for the owner and backup and recovery of the business information
   Application owner - Manager of the business unit who is fully accountable for the performance of the business function served by the application
   User manager - The immediate manager or supervisor of an employee

29. Information Classification Cont…
 Defining roles and responsibilities
   Security administrator - Any company employee who owns an “administrative” user ID that has been assigned attributes or privileges that are associated with any type of access control system
   Security analyst - Person responsible for determining the data security directions (strategies, procedures, guidelines) to ensure information is controlled and secured based on its value, risk of loss or compromise, and ease of recoverability
   Change control analyst - Person responsible for analyzing requested changes to the Information Technology infrastructure and determining the impact on applications
   Data analyst - This person analyzes the business requirements to design the data structures and recommends data definition standards and physical platforms

30. Information Classification Cont…
 Defining roles and responsibilities
   Solution provider - Person who participates in the solution (application) development and delivery processes in deploying business solutions
   End user - Any employee, contractor, or vendor of the company who uses information systems resources as part of their job
   Process owner - This person is responsible for the management, implementation, and continuous improvement of a process that has been defined to meet a business need
   Product line manager - Person responsible for understanding business requirements and translating them into product requirements, working with the vendor/user area

31. Information Classification Cont…
 Identifying owners
   The proper owner must be from the business
   Senior management support is a key success factor
   Information owners must be given the necessary authority
 Classifying information and applications
   Collect the metadata about their business functions
   Review the definitions for the information classifications
 Ongoing monitoring
   Ensure compliance with policy and established procedures
   Periodically review the data to ensure they are still appropriately classified

32. Policies, Procedures, Standards, Baselines
 Policy - An information security policy contains senior management’s directives to create an information security program, establish its goals, measures, and targets, and assign responsibilities
 Standards - Standards are mandatory activities, actions, rules, or regulations designed to provide policies with the support structure and specific direction they require to be meaningful and effective
 Procedures - Procedures spell out the step-by-step specifics of how the policy and the supporting standards and guidelines will actually be implemented in an operating environment
 Guidelines - Guidelines are more general statements designed to achieve the policy’s objectives by providing a framework within which to implement controls not covered by procedures

34. Awareness Program
 Security policies, standards, procedures, baselines, and guidelines
 Threats to physical assets and stored information
 Threats to open network environments
 Laws and regulations they are required to follow
 Specific organization or department policies they are required to follow
 How to identify and protect sensitive (or classified) information
 How to store, label, and transport information
 Who they should report security incidents to, regardless of whether it is just a suspected or an actual incident
 Email/Internet policies and procedures
 Social engineering

35. Implementation (Delivery) Options
 Posters
 Posting motivational and catchy slogans
 Videotapes
 Classroom instruction
 Computer-based delivery, such as CD-ROM, DVD, intranet access, Web-based access, etc.
 Brochures/flyers
 Pens/pencils/keychains (any type of trinket) with motivational slogans
 Post-it notes with a message on protecting the Information Technology system
 Stickers for doors and bulletin boards

36. Implementation (Delivery) Options Cont…
 Cartoons/articles published monthly or quarterly in an in-house newsletter or specific department notices
 Special topical bulletins (security alerts in this instance)
 Monthly email notices related to security issues or email broadcasts of security advisories
 Security banners or pre-logon messages that appear on the computer monitor
 Distribution of items as an incentive

37. ?