3. Protection of Information Assets (25%)


1 Protecting Personal & Institutional Information Assets & Data
Extra Credit Project: Jack Mason & July James
Handout: Phil Zimmermann on PGP.
Speaker notes: Discuss who this class is for: generally, home and small business users who have little or no experience in personal data security but want to learn more. Basically, an introduction to the world of security. Discuss the concept of privacy with the class. Poll of platform users. Poll of Netscape vs. MSIE users. Discuss politics.
3. Protection of Information Assets 12/01/1999

2 Content Area (approximately 25% of exam)
3.1 Evaluate the design, implementation, and monitoring of logical access controls to ensure the integrity, confidentiality, and availability of information assets.
3.2 Evaluate network infrastructure security to ensure integrity, confidentiality, availability and authorized use of the network and the information transmitted.

3 Content Area (continued)
3.3 Evaluate the design, implementation, and monitoring of environmental controls to prevent and/or minimize potential loss.
3.4 Evaluate the design, implementation, and monitoring of physical access controls to ensure that the level of protection for assets and facilities is sufficient to meet the organization's business objectives.

4 Knowledge Statements 1
3.01 Knowledge of the processes of design, implementation, and monitoring of security (e.g. gap analysis, baseline, tool selection)
3.02 Knowledge of encryption techniques (e.g. DES, RSA)
3.03 Knowledge of public key infrastructure (PKI) components (e.g. certification authorities (CA), registration authorities)
3.04 Knowledge of digital signature techniques

5 Knowledge Statements 2
3.05 Knowledge of physical security practices (e.g. biometrics, card swipes)
3.06 Knowledge of techniques for identification, authentication, and restriction of users to authorized functions and data (e.g. dynamic passwords, challenge/response, menus, profiles)

6 Knowledge Statements 3
3.07 Knowledge of security software (e.g. single sign-on, intrusion detection systems (IDS), automated permissioning, network address translation)
3.08 Knowledge of security testing and assessment tools (e.g. penetration testing, vulnerability scanning)
3.09 Knowledge of network and Internet security (e.g. SSL, SET, VPN, tunneling)

7 Some Possible Threats
Interception
Spoofing
Web Data Interception
Network & Volume Invasion
Marketing Data / Spam & Junk Mail
Viruses, Worms, Trojan Horses
Password Cracking
Speaker notes:
Interception: The act of reading someone's e-mail at a third-party workstation in between the time that it was sent and the time that it arrives.
Spoofing: The act of pretending to be another person via e-mail. Impersonation with malicious intent.
Web data interception: Stealing credit card info from online shopping.
Network / Volume Invasion: Peeking into one's disk drive space via either physical access or over a network or the Internet. Stealing personal info, deleting files, destructive attacks on the system, etc.
Marketing Data / Spam & Junk Mail: Info once gathered is sold and distributed. Measures to avoid junk mail and maintenance of personal privacy.
Viruses: Viruses are those buggers you all have heard about so much. They are getting worse every year...
Password Cracking: A password is like a key to your house. You don't just give it out. Discuss key length (number of bits).

8 More Possible Threats
Mail bomb
Denial of Service (DoS)
Piracy of Intellectual Property

9 Interception Methods and Defenses
Script Monitor: Running a script on a server that receives traffic, monitoring e-mails for certain keywords or number patterns (i.e. "bomb + president" or credit card number patterns).
Account Emulation: Stealing someone's user id and password to gain access to their account.
Defenses:
Digital Certificates: Digital certificates authenticate you as the sender and are extremely difficult to forge. They allow very strong encryption of communications.
PGP: "Pretty Good Privacy" allows strong encryption of your text. It can be incorporated easily into any text-oriented program.
Speaker notes: Discuss how digital certificates and PGP work. Discuss privacy issues, the NSA, and other surveillance, including insurance companies.

10 Standard Encryption
Text is encrypted and sent by the originator.
Ciphertext is decrypted by the recipient.
The same key is used for encryption and decryption.
If the key is intercepted or deciphered, the encryption becomes useless.
This is how WWII was won...

11 Strong Cryptography
"There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter." -- Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C.
40-bit cryptography is considered weak. This can be intercepted and deciphered in seconds using today's tools.
By contrast, 128-bit cryptography is considered technically infeasible to crack. Most banks require a 128-bit browser for online banking.

12 Dual Key Cryptography
A key pair is generated: a public key and a private key.
The public key is sent to a server and exchanged with others.
The private key is guarded by the user.

13 Dual Keys Continued
The encrypted message is generated using the recipient's public key and your private key.
Only the intended recipient with the corresponding private key will be able to decrypt.
The NSA hates this to be in the hands of the general public... but you have the right to privacy.
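As an added illustration of the two "Dual Key" slides above (this is not code from the presentation), the following Python toy walks through a public-key exchange with textbook RSA: the sender signs with her own private key and encrypts with the recipient's public key; only the recipient's private key decrypts, and anyone holding the sender's public key can verify the signature. The primes, exponent and message are constructed for this example; real PGP and X.509 keys are far larger, use padding, and encrypt a symmetric session key rather than the message bytes.

```python
"""Toy public-key exchange for the 'Dual Key' slides (added example).

Textbook RSA with tiny hand-picked primes so every number is visible. It is
a teaching aid only: no padding, no session key, and a modulus an attacker
could factor by hand. Requires Python 3.9+ (pow(e, -1, phi), tuple[...]).
"""
from dataclasses import dataclass
from typing import Optional
import hashlib


@dataclass(frozen=True)
class KeyPair:
    n: int  # modulus, part of both keys
    e: int  # public exponent: published, exchanged with others
    d: int  # private exponent: guarded by the user, never sent anywhere


def make_keypair(p: int, q: int, e: int = 17) -> KeyPair:
    """Derive a key pair from two distinct primes (constructed inputs here;
    real implementations draw large random primes)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # d is the modular inverse of e
    return KeyPair(n=n, e=e, d=d)


def public_part(key: KeyPair) -> tuple[int, int]:
    """What you would publish in an LDAP directory: (n, e) only."""
    return (key.n, key.e)


def encrypt(plaintext: bytes, recipient_pub: tuple[int, int]) -> list[int]:
    """Encrypt byte by byte with the RECIPIENT's public key."""
    n, e = recipient_pub
    return [pow(b, e, n) for b in plaintext]


def decrypt(ciphertext: list[int], recipient: KeyPair) -> Optional[bytes]:
    """Only the holder of the matching private exponent gets the bytes back;
    the wrong key yields values outside 0..255, reported as None."""
    values = [pow(c, recipient.d, recipient.n) for c in ciphertext]
    if any(v > 255 for v in values):
        return None
    return bytes(values)


def _digest_mod_n(message: bytes, n: int) -> int:
    # Sign a hash of the message rather than the message itself.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, sender: KeyPair) -> int:
    """Digital signature: the SENDER's private key is applied to the hash."""
    return pow(_digest_mod_n(message, sender.n), sender.d, sender.n)


def verify(message: bytes, signature: int, sender_pub: tuple[int, int]) -> bool:
    """Anyone holding the sender's public key can check the signature."""
    n, e = sender_pub
    return pow(signature, e, n) == _digest_mod_n(message, n)


# Constructed demo: Alice writes to Bob. Primes are textbook-sized.
ALICE = make_keypair(61, 53)   # n = 3233, d = 2753
BOB = make_keypair(89, 97)     # n = 8633


def exchange(message: bytes) -> dict:
    """Run sign-then-encrypt from Alice to Bob and report what Bob sees."""
    sig = sign(message, ALICE)                        # Alice's private key
    box = encrypt(message, public_part(BOB))          # Bob's public key
    recovered = decrypt(box, BOB)                     # Bob's private key
    return {
        "decrypted_ok": recovered == message,
        "signature_ok": verify(recovered or b"", sig, public_part(ALICE)),
        "wrong_key_decrypts": decrypt(box, ALICE) == message,
    }


if __name__ == "__main__":
    print(exchange(b"meet at noon"))
```

The three flags returned by exchange() are the slide's claims in executable form: the recipient's private key decrypts, the sender's public key verifies, and a different private key recovers nothing usable.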

14 What is a Digital Certificate? (X.509)
Acts as a virtual signature.
Very hard to forge.
Can be used for encryption or authentication.
Resides in the browser/client/OS.
Free digital certificates are available.
PGP freeware is available.
Speaker notes: Differences between PGP and Digital Certificates: X.509 standard; document signing as well as encryption; browser based; cross-platform issues.

15 What is PGP?
Created by Phil Zimmermann.
PGP is now a subsidiary of Network Associates.
Secures e-mail and files.
Based on "Public Key" Cryptography.
Users who have never met can exchange encrypted documents.
Freeware.
Speaker notes: How to get PGP. Its history and popularity. Uses? Who can think up some uses for encryption of your own files?

16 How To Encrypt a Message (1)
Clicking on the Security button in Netscape Communicator opens the Security window below.
Speaker notes: This will describe how to encrypt a message using Digital Certificates with Netscape Communicator. Obtain and install a certificate using the step-by-step instructions at the issuing website. Show websites where you can get certificates.

17 How To Encrypt a Message (2)
An e-mail that has a digital certificate attached will display this icon in Communicator. You can click on the icon to examine the cert.
Certs e-mailed to you are automatically added to Communicator's database.
Users must exchange "public keys". This can be done via an LDAP directory or an e-mail exchange.
The public key is used for encryption; the private key is used for decryption.
You can search for certificates on public directories (LDAP) directly from within Communicator.

18 How To Encrypt a Message (3)
Once keys have been exchanged, address an e-mail to the other party.
Click on the Security button and select the option for encrypting the message.
That's it! Freedom and privacy.
Speaker notes: Thawte Web of Trust. Mention that you are a digital notary; Mark and I can sign keys if they come in to Xcert.

19 Spoofing
Certificate Fingerprint: E4:58:C8:8F:B5:90:4C:AC:AB:79:9C:6A:32:0C:3E:4E
Spoofing happens when someone impersonates an e-mail user, sending messages that appear to be from the victim's address.
Spoofing can be prevented by using your Digital Certificate or PGP to "digitally sign" your message.
Even certificates can be spoofed, although it is difficult. Check the "Certificate Fingerprint" of the message to be sure it's authentic.
Speaker notes: Why would someone do this?
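The fingerprint check the slide recommends is easy to do by hand but easy to do wrong (a visual compare of 16 hex pairs). As an added example that is not from the presentation, this Python snippet computes a browser-style fingerprint and compares it with one obtained out of band. The slide's 16-byte value is the MD5 style Communicator displayed; the code defaults to SHA-256, which is what browsers show today. SAMPLE_CERT_DER is constructed placeholder bytes, not a real certificate.

```python
"""Checking a certificate fingerprint out of band (added example).

The slide shows a 16-byte fingerprint, the MD5 style Communicator displayed;
browsers today show SHA-256. SAMPLE_CERT_DER below is a constructed stand-in
for DER bytes, not a real X.509 certificate.
"""
import hashlib
import hmac


def fingerprint(cert_der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated, upper-case hex digest, as browsers display it."""
    digest = hashlib.new(algorithm, cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def normalize(fp: str) -> str:
    """Accept 'E4:58:..', 'e4 58 ..' or bare hex: keep hex digits, upper-case."""
    return "".join(ch for ch in fp.upper() if ch in "0123456789ABCDEF")


def fingerprint_matches(cert_der: bytes, expected: str, algorithm: str = "sha256") -> bool:
    """Compare the fingerprint we compute with the one obtained out of band
    (read over the phone, printed on a card, confirmed at a key signing).
    hmac.compare_digest avoids leaking the mismatch position via timing."""
    got = normalize(fingerprint(cert_der, algorithm))
    want = normalize(expected)
    return len(got) == len(want) and hmac.compare_digest(got, want)


# Constructed placeholder bytes, NOT a real certificate.
SAMPLE_CERT_DER = bytes.fromhex("30820123") + b"constructed certificate body"
# A certificate an impostor might present instead: one byte differs.
TAMPERED_CERT_DER = SAMPLE_CERT_DER[:-1] + b"X"


def check_presented_cert(presented: bytes, expected_fp: str) -> str:
    """Decision a user or mail client would make before trusting a sender."""
    if fingerprint_matches(presented, expected_fp):
        return "fingerprint matches: certificate is the one you verified"
    return "FINGERPRINT MISMATCH: do not trust this certificate"


if __name__ == "__main__":
    trusted = fingerprint(SAMPLE_CERT_DER)  # the value you would record out of band
    print("SHA-256:", trusted)
    print(check_presented_cert(SAMPLE_CERT_DER, trusted))
    print(check_presented_cert(TAMPERED_CERT_DER, trusted))
```

The point of normalize() is that the value read back to you over the phone rarely arrives with the same colons and letter case the browser printed; the point of compare_digest() is that a plain `==` on secrets is a habit worth avoiding even where, as here, timing hardly matters.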

20 Shopping Securely
You should never input sensitive info such as credit card numbers into a non-secure website.
Make sure the website is certified by a trusted Certificate Authority (CA).
Speaker notes: E-commerce boom. Online revenues are increasing exponentially. World market. Trade issues. Language, national issues. List of default trusted CAs in Communicator.

21 How to Shop Securely
When you enter a secure site, Communicator's Security icon will change as shown. Click on the Security button to examine which CA asserts that this site is safe.
Speaker notes: You should always take control of your own personal data security, especially when putting info like a credit card or social security number into a web-based form. It is easier for people to retrieve this data since it's computer based; stealing info becomes automatic. Rather than tapping one phone line physically and taping or listening in, you can now run a script on a server and have hordes of this information feed into your own database, and even have an automatic feed of funds into a bank account. It's all scriptable, so in theory it's easy to do. The idea hasn't yet caught on in the criminal world as a mainstream method, but it will very soon become a #1 problem. If you as a personal user take responsibility for your own security, then shopping online through secure servers is perfectly safe. I do it all the time. Especially, my wife does it all the time! I have her browser set up on her iMac so that it is very secure and safe. She finds tons of great deals on the internet. For instance: $199 roundtrip tickets from SFO to Taipei.
Note: Attempting to enter a secure site that is not signed by a valid or default CA will result in a cautionary error message.

22 Hacking Into Your Computer
DSL and cable internet access means round-the-clock connections of home and small business computers to the Internet. This greatly increases the chance of attack.
Physical access is always a danger, too.
Hackers can gain access to your personal files, Quicken data, etc.
Speaker notes: This has always been a problem; internet access just exposes it more. Encrypt every personally sensitive file if you can.

23 Stopping Hackers
Set up a personal/home firewall.
Encrypt your sensitive files!!! PGP, all platforms. Mac OS 9 built-in encryption feature.
Don't give out your passwords to anyone!
Use difficult passwords, not simple dictionary-style words.
Speaker notes: Use a spare computer to run as a firewall server. Encrypt using either PGP or Mac OS 9, or other products available. Don't give out any passwords. Everyone in your family should have their own private account with their own private passwords. Multiple-user computers can be set up; again, Mac OS 9 includes this feature and makes it really easy. Use very complex passwords, as random as possible. Another thing: biometrics. Fingerprint access, voiceprint access, etc.

24 Password Strength
Simple words out of a dictionary make bad passwords.
Use mixed upper and lower case characters.
Use non-alphanumeric characters such as:
Avoid sharing passwords, even with friends and family.

25 Password Strength Examples
Using a simple passphrase such as "coffee" is simple to hack; it takes about 40 minutes to break.
Using random alphanumerics is significantly more difficult: a passphrase such as "bR1a9Az" takes about 22 years to crack.
Using the full range of the keyboard with truly random characters is totally infeasible to crack. A passphrase like ",ThX1pD<V+" would take 3.8 x 10^8 years to crack.
If you can, take the time to change all of your passwords to something really uncrackable.
Speaker notes: Mac OS 9 Keychain feature: very cool idea, but one little problem: if someone gets your Keychain password, they have the keys to your kingdom. Therefore, if you use OS 9's Keychain, make its master password very, very secure, don't give it out anywhere, and do not write it down or forget it. Make a big deal out of this and it will pay off in the long run.

26 Key Strength Comparison
Most browsers ship with a default of 40-bit encryption capabilities.
You must upgrade to a 128-bit encryption capable browser for most online banking.
If you can, everyone should take the time to upgrade their browser to 128-bit security.
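The password examples (slide 25) and the 40-bit versus 128-bit comparison (slide 26) are the same calculation: how large is the space an attacker must search, and how long does exhausting it take at some guessing rate. The slides give times without stating the rate they assumed, so this added Python example (not from the presentation) makes the rate an explicit, constructed parameter, puts the three passphrases and the two key sizes on one scale, and shows why the ratios hold whatever rate you pick.

```python
"""Keyspace and brute-force estimates for the password and key-length slides
(added example, not from the presentation).

The slide's 40 minutes / 22 years / 3.8 x 10^8 years assume a guessing rate
it does not state; GUESSES_PER_SECOND here is a constructed parameter, so the
absolute times are illustrative and only the ratios carry over.
"""
import math
import string

GUESSES_PER_SECOND = 1e6  # assumed attacker rate for the worked numbers

_CLASSES = (  # (characters in the class, alphabet size an attacker must search)
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),  # 32 symbols
)


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes the password uses."""
    chars = set(password)
    return sum(size for members, size in _CLASSES if chars & members)


def keyspace(password: str) -> int:
    """Number of candidates of this length drawn from that alphabet."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    return math.log2(keyspace(password))


def seconds_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst case: try every value of a bits-wide key or password space."""
    return 2.0 ** bits / guesses_per_second


def human_time(seconds: float) -> str:
    year = 365.25 * 24 * 3600
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


def compare(passwords, key_bits, guesses_per_second=GUESSES_PER_SECOND) -> dict:
    """Put the slide's passphrases and the 40/128-bit browser keys on one scale."""
    table = {}
    for pw in passwords:
        bits = entropy_bits(pw)
        table[f"password {pw!r}"] = (bits, seconds_to_exhaust(bits, guesses_per_second))
    for bits in key_bits:
        table[f"{bits}-bit key"] = (float(bits), seconds_to_exhaust(bits, guesses_per_second))
    return table


if __name__ == "__main__":
    rows = compare(["coffee", "bR1a9Az", ",ThX1pD<V+"], [40, 128])
    for label, (bits, secs) in rows.items():
        print(f"{label:28} {bits:6.1f} bits  {human_time(secs)}")
```

Two things the table makes visible that the slide only asserts: "coffee" sits around 28 bits, well below even a 40-bit browser key, while the ten-character mixed passphrase is still far short of 128 bits, so the 128-bit session key is never the weak link once the password guarding it is.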

27 Strong Encryption Browsers
Netscape Communicator is freely available for all platforms with 128-bit encryption capability and full features.
A 128-bit capable version of Microsoft Internet Explorer is available for Windows and Macintosh (the Mac version has limited features). You may have to install additional plug-ins to get 128-bit capabilities out of MSIE.
Speaker notes: Basically, Netscape uses its own API for security features, while MSIE uses the one built into Windows. To avoid competition, Microsoft has made their full-featured browser and client only available for Windows. The Mac version offers minimal security. MS will not write a version of IE for Linux, Unix, Java, Solaris, or any other platform. Therefore, I recommend Netscape. It gives you more freedom and more compliance with internet standards.

28 Viruses
Computer viruses are 100% man-made.
Can be transmitted via e-mail, disk, network, etc.
Most are harmless experiments. Some are intended to wreak havoc on individuals and networks.

29 Virus Protection
Get a virus protection package and install it on your computer.
Check the vendor's website for downloadable updates and alerts on new viruses.
Don't open e-mail or attachments from unknown sources.

30 Safeguarding Customer Information
Gramm-Leach-Bliley Act (GLBA) Compliance

31 Why was GLBA enacted?
Section 501 of the Gramm-Leach-Bliley Act requires financial institutions to establish standards relating to administrative, technical and physical information safeguards to protect customer records and information.

32 Safeguard Objectives
Ensure the security and confidentiality of customer records and information.
Protect against any anticipated threats or hazards to the security of the records.
Protect against unauthorized access to or use of records or information which could result in harm or inconvenience to the customer.

33 Information Security Plan
Written to ensure the security and confidentiality of non-public customer financial information (NPI).
Protect against any anticipated threats and hazards.
Protect against unauthorized access or use.

34 Non-public customer information (NPI)
Credit card numbers
Social Security numbers
Driver's license numbers
Student loan data
Income information
Credit histories
Customer files with NPI
Consumer information
Bank account data

35 Financial Institutions
Financial institutions, including colleges and universities, must ensure that their security programs provide adequate protection to customer information in whatever format, electronic or hardcopy.

36 FTC Ruling
Consumer's information is not a privacy issue but is one of security.
Compliance with FERPA does not exempt colleges and universities from GLBA safeguarding regulations.

37 FERPA vs. GLBA
The Family Educational Rights and Privacy Act addresses the privacy of student information.
The Gramm-Leach-Bliley Act addresses the security of customer records and information.

38 University Actions
Has established a committee to ensure compliance.
The committee meets regularly to review and ensure compliance with the act.
Performs risk assessment and regular testing.
Oversees service providers and contracts.
Trains staff to maintain security and confidentiality.

39 Why Protect your Identity?
Identity Theft

40 Statistics on Identity Theft in New Jersey
4802 complaints / year
1. Credit Card Fraud 2, %
2. Phone or Utilities Fraud %
3. Bank Fraud %
4. Government Documents/Benefits Fraud %
5. Loan Fraud %
6. Employment-Related Fraud %
7. Attempted Identity Theft %
8. Other %

41 What is Identity Theft?
Under the ID Theft Act, identity theft is defined very broadly as: knowingly using, without authority, a means of identification of another person to commit any unlawful activity (unlawful activity: a violation of Federal law, or a felony under State or local law).
Speaker notes: The broad, flexible definition provides a wide scope of activity to be included in the identity theft offense. It is now the misuse of the victim's personal information, not the misuse of their identifying documents, that is the basis for the offense. It includes any unlawful activity that is a federal offense or a felony at the state or local level. Not limited to fraud involving the financial services industry (talk more about that later). Because misuse of the information alone is the key, it is a more flexible definition that will allow it to keep up with technological and economic changes as we move further into the information economy.

42 Identity Theft
When someone steals your identity, they are usually using your credit to obtain goods and services for themselves that "you" will have to pay for.

43 How Does an Identity Thief Get Your Information?
Stealing files from places where you work, go to school, shop, get medical services, bank, etc.
Stealing your wallet or purse.
Stealing information from your home or car.
Stealing from your mailbox or from mail in transit.
Sending a bogus e-mail or calling with a false promise or fraudulent purpose. For example: pretending to be from a bank, creating a false website, pretending to be a real company, fake auditing letters.

44 Example of a bogus bank e-mail
From: PNC Bank
Sent: May 17, :31 PM
To:
Subject: To All PNC bank users
Dear PNC user, During our regular update and verification of the user data, you must confirm your credit card details. Please confirm you information by clicking link below. pncfeatures/cardmember access.shtml
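The message above carries the classic signs of a bogus bank e-mail: a sender that merely claims to be the bank, urgency about "confirming" card details, a greeting addressed to nobody in particular, and a link that is not the bank's. As an added example that is not from the presentation, the following Python script scores a message on exactly those signs. Both sample messages are constructed (they use reserved `.example` and `.invalid` domains), and KNOWN_SENDER_DOMAINS is an assumed allow-list that a real mail gateway would maintain for each institution.

```python
"""Heuristics for spotting a bogus bank e-mail like the one on the slide
(added example, not from the presentation).

Both messages below are constructed and use reserved .example/.invalid
domains; KNOWN_SENDER_DOMAINS is an assumed allow-list that a real
deployment would maintain per institution.
"""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Assumed: the only domains this institution genuinely sends mail from.
KNOWN_SENDER_DOMAINS = {"examplebank.example"}

PRESSURE = re.compile(r"\b(confirm|verif\w*|update|suspend\w*|immediately|within \d+ hours)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)
GENERIC_GREETING = re.compile(r"^\s*dear\b[^,\n]*\b(customer|user|member)\b", re.I | re.M)


def trusted_host(host) -> bool:
    """True only for a known domain or one of its subdomains."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_SENDER_DOMAINS)


def sender_domain(from_header: str) -> str:
    addr = email.utils.parseaddr(from_header)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str):
    """Return (score, reasons); a higher score means more phishing indicators."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part is not None else ""
    score, reasons = 0, []

    domain = sender_domain(str(msg.get("From", "")))
    if not trusted_host(domain):              # display name says bank, address does not
        score += 3
        reasons.append(f"sender domain {domain!r} is not a known sending domain")

    phrases = {m.group(0).lower() for m in PRESSURE.finditer(body)}
    if phrases:                                # "confirm", "update", "verification"...
        score += min(len(phrases), 2)
        reasons.append("pressure/verification wording: " + ", ".join(sorted(phrases)))

    if GENERIC_GREETING.search(body):          # "Dear ... user" instead of a name
        score += 1
        reasons.append("generic greeting instead of the customer's name")

    for link in URL.findall(body):             # every link must land on a known host
        host = urlparse(link).hostname
        if not trusted_host(host):
            score += 2
            reasons.append(f"link leads to untrusted host {host!r}")
    return score, reasons


def is_suspicious(raw: str, threshold: int = 4) -> bool:
    return score_message(raw)[0] >= threshold


# Constructed messages modelled on the slide's "PNC Bank" example.
SAMPLE_PHISH = """\
From: Example Bank <security@examplebank-verify.invalid>
To: customer@mail.example
Subject: To All Example Bank users

Dear Example Bank user,

During our regular update and verification of the user data, you must confirm
your credit card details. Please confirm your information by clicking the link below.
http://examplebank-verify.invalid/cardmember/access.shtml
"""

SAMPLE_LEGIT = """\
From: Example Bank <statements@examplebank.example>
To: customer@mail.example
Subject: Your March statement is ready

Dear Jane,

Your monthly statement is available. Log in at https://www.examplebank.example/ as usual.
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        score, reasons = score_message(raw)
        print(name, score, reasons)
```

The weights are deliberately simple: a sender domain outside the allow-list or a link to an unknown host each carry more than any amount of urgent wording, because the wording is what an attacker varies most easily and the domains are what the recipient can actually check against a statement or the back of a card.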

45 How Does an Identity Thief Use Your Information?
Obtains credit cards in your name or makes charges on your existing accounts (42%).
Obtains wireless or telephone equipment or services in your name (20%).
Forges checks, makes unauthorized EFTs, or opens bank accounts in your name (13%).
Works in your name (9%).
Obtains personal, student, car and mortgage loans, or cashes convenience checks in your name (7%).
Other uses: obtains a driver's license in your name.
Speaker notes: Why would someone work in someone else's name, or file bankruptcy in someone else's name? Work: if you are trying to evade detection in your own name (deadbeat dads, undocumented aliens, etc.). Bankruptcy: filing in bankruptcy stays all civil proceedings, including eviction.

46 Victims of Identity Theft
If your identity is stolen, do the following immediately:
Contact the fraud department of the three major credit bureaus (Equifax, Experian, Trans Union).
Contact your creditors and check your accounts.
File a police report.
File a complaint with the FTC.

47 Recovery
Take back control of your identity:
Close any fraudulent accounts.
Put passwords on your accounts.
Change old passwords and create new PIN codes.

48 Prevention
Protect yourself. Protect others.
Guard against fraud:
Sign cards as soon as they arrive.
Keep records of account numbers and phone numbers.
Keep an eye on your card during transactions. Also be aware of who is around you: is anyone else listening?
Check your credit report and credit card monthly statements.

49 Annual credit bureau report
New Jersey residents are entitled to one free annual credit report.
If you are denied credit, you are allowed to request one free copy of your credit report.
Check your report for accurate information, open accounts, balance information, loan information, etc.

50 Credit Bureau Links
Equifax – To order a report, To report fraud,
Experian – To order a report, To report fraud,
Trans Union – To order a report, To report fraud,

51 Have you been a Victim?

52 You may be a victim if:
You are denied credit.
You stop getting mail.
You start getting collection calls/mail.
You start getting new bills for accounts you do not have or services you did not authorize.
Your bank account balance drops.

53 Damages
Time
Money
Credit rating
Reputation

54 Good Practices
Photocopy the contents of your wallet/purse.
Photocopy your passport (keep a copy at home and one with you when you travel).
Empty your wallet/purse of non-essential identifiers.
Do not use any information provided by the people who may be trying to scam you; look it up yourself.
Shred documents before you dispose of them.

55 GLBA requires us to PROTECT CONSUMERS from substantial harm or inconvenience.

56 What can we do to guard NPI?
Keep confidential information private.
Use care when asking for or giving an SSN.
Use secure disposal methods.
Protect the privacy of data transmissions.
Improve procedures.

57 Actions to prevent Others from becoming Victims (1)
Determine what information you need.
Provide a secure workplace.
Always ask for a student's ID or debtor's account number.
Keep prying eyes away from customers' information.
Don't expose NPI to the outside world.

58 Actions to prevent Others from becoming Victims (2)
Take care when you provide employees' or customers' personal information to others.
Know and explain how you handle personal information.
Ask for written permission prior to sharing personal information.
Report problems or concerns to managers or supervisors.

59 Remember to always maintain confidentiality, security and integrity
Avoid unauthorized disclosure: removing information from your office, sharing information, tossing information in the trash, downloading or e-mailing information.

60 General Privacy
Do not provide correcting information for account verification questions.
Be suspicious. Be paranoid.
Don't be afraid to say no when asked for information that is not required to conduct the current business transaction.

61 What are university assets?

62 University Assets
Are customer information and records assets?

63 Safeguarding Information
Information takes many forms.
Information is stored in various ways.
Data assets have unique risks.

64 Safeguarding Information: Your Role
Ensure physical security.
Select and protect hard-to-guess passwords.
Avoid traps and disclosures.
Back up files.
Log off your computer when not in use.
Do not open e-mails with attachments from unknown sources.
Obliterate data before giving up your computer.
Recognize social engineering tactics.

65 Safeguarding Information
Your role as a user... What else can you do?

66 Check your work area!
Do you leave NPI reports on your desk?
Is NPI stored in unlocked file cabinets?
Keep computer disks secure.
Do not save NPI on your computer's C drive.

67 Safeguarding Information
Your role... The University has many policies and procedures to help you; learn them.

68 University Regulations & Guidelines related to Safeguarding
Standards for University Operations Handbook
Confidentiality
Accounting for Financial Resources
Acceptable Use of Network & Computing Resources: Agreement for Accessing Information
Acceptable Use Policy
Guidelines for Interpretation of Acceptable Use
Acceptable Use Supplement Basics

69 Potential Damages to Any U.
Reputation
Violation of federal and state laws
Fines
Reparation costs
Recovery costs
Increased prevention costs
Georgia Tech's accidental release of credit card data to the internet cost them over $1,000,000.

70 Expectations
All University employees are responsible for securing and caring for University property, resources and other assets.
The University relies on the attention and cooperation of every member of the community to prevent, detect and report the misuse of university assets.

71 Prevention
Protect yourself. Protect others.

72 Safeguarding customer information and university assets is everyone's job!

73 ISO - International Standardization Organization
Information Security Management (ISO/IEC 17799:2000) & Certified Risk Analysis Methodology Management (CRAMM)

74 Migrating
Migrating from compliance with the IM&T (Info. Management Tech) Security Manual to compliance with BS7799.
Overview
Implementation - assistance available

75 What is Information Security Management (ISM)?
An enabling mechanism whose application ensures that information may be shared in a manner which ensures the appropriate protection of that information and associated information assets.

76 Basic Components
Confidentiality: protecting sensitive information from unauthorized disclosure.
Integrity: safeguarding the accuracy and completeness of information/data.
Availability: ensuring that information and associated services are available to users when required.

77 Problem
Until the early 90s, information was handled by many organizations in an ad hoc and, generally, unsatisfactory manner.
In a period of increasing need to share information, there was little or no assurance that such information could or would be safeguarded.
What control measures there were focussed almost entirely on computer data, to the exclusion of other forms of information.

78 Code of Practice
1993: in conjunction with a number of leading UK companies and organizations, produced an ISM Code of Practice incorporating the best information security practices in general use.
Addressed all forms of information; e.g. computer data, written, spoken, microfiche, etc.

79 Code of Practice - Aims
To provide:
A common basis for organizations to develop, implement, and measure effective information security management practice.
Confidence in inter-organisational dealings.

80 Balance
A common concern amongst organizations is that the application of security measures often has an adverse impact on, or interferes with, operational processes.
BS7799 processes are flexible enough to ensure that the right balance can be struck: security with operational efficiency!

81 Assets - Examples
Software: application software, system software, development tools
Physical: computer equipment, magnetic media, furniture, accommodation
Services: heating, lighting, power, air-conditioning
Information: databases, system documentation, data files, user manuals, continuity plans, backup processes

82 The Standard
Personnel Security: measures to reduce risks of human error, theft, fraud or misuse of facilities.
Physical/Environmental Security: prevention of unauthorized access, interference to IT services and damage.
Computer and Network Management: to ensure correct and secure operation of computer and network facilities.

83 The Standard (continued)
System Access Control: controls to prevent unauthorized access to computer systems.
System Development and Maintenance: a security program complementing development/maintenance of IT systems.
BCP: measures to protect critical business processes from major failures and disasters.
Compliance: to avoid breaches of statutory or contractual requirements and ensure the ISMS is operational.

84 Controls
Each of these categories contains a number of security controls, mandatory or otherwise, which can be implemented as part of the information security risk management strategy.
The same controls will not necessarily apply across the board, owing to the varying nature of organizations, risk factors etc.

85 The Crux of the Matter
Information is subject to numerous risks, which can be grouped together under the generic headings of:
- Accidental
- Natural
- Deliberate
A risk being, in this case, the product of the threat to information and its assets and the vulnerability to that threat.

86 Risk Analysis
The point is: an effective risk management strategy cannot be implemented until the risks are identified and measured (that is, analyzed).
It almost goes without saying that analysis should be based upon a sound and proven methodology; therefore we will use CRAMM.

87 CRAMM
Developed in 1985, CRAMM Risk Analysis Methodology is a complete package, containing:
- the risk analysis process itself
- associated documentation (inc. report functionality; results and conclusions)
- training
- software support tools

88 3 Stages
CRAMM offers a 3-staged approach that allows an organization to:
1. Identify and value assets
2. Assess the threats and vulnerabilities to those assets
3. Select appropriate recommended countermeasures
Fine, so far...
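As an added example (not part of the presentation and not CRAMM's own code or tables), the following Python walks the three stages above using the risk definition from the previous slide: value the assets, score each threat/vulnerability pair, then pick controls from a small catalogue. The level scales, the scaling to a 1..7 risk measure and the control catalogue are assumptions made for illustration.

```python
"""Added example (not from the slides): a simplified three-stage risk analysis in the CRAMM
spirit. Scales, the 1..7 risk measure and the control catalogue are assumed for illustration."""
import math
from dataclasses import dataclass

# Ordinal scales (assumed): threat likelihood and vulnerability severity.
THREAT_LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
VULN_LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Exposure:       # one threat acting on one asset through one vulnerability
    asset: str
    threat: str       # generic heading from the slides: accidental / natural / deliberate
    threat_level: str
    vuln_level: str

# Stage 3 catalogue (constructed): control, threat groups it addresses, lowest risk
# measure at which it is recommended. Names follow the standard's control areas.
CONTROLS = [
    ("Business continuity plan and tested backups", {"accidental", "natural", "deliberate"}, 1),
    ("Physical/environmental controls (UPS, fire suppression)", {"natural"}, 3),
    ("System access control (individual accounts, access logging)", {"deliberate"}, 3),
    ("Personnel security (screening, security training)", {"accidental", "deliberate"}, 4),
    ("Encryption of stored and transmitted data", {"deliberate"}, 5),
]

def risk_measure(value: int, threat_level: str, vuln_level: str) -> int:
    """Stage 2: risk as the product of asset value (1..10), threat and vulnerability, scaled to 1..7."""
    raw = value * THREAT_LEVELS[threat_level] * VULN_LEVELS[vuln_level]   # 1 .. 150
    return math.ceil(raw * 7 / 150)

def select_countermeasures(asset_values: dict, exposures: list) -> list:
    """Stage 3: (asset, threat, measure, [controls]) per exposure, highest risk first."""
    plan = []
    for e in exposures:
        m = risk_measure(asset_values[e.asset], e.threat_level, e.vuln_level)
        recommended = [name for name, groups, floor in CONTROLS if e.threat in groups and m >= floor]
        plan.append((e.asset, e.threat, m, recommended))
    return sorted(plan, key=lambda p: p[2], reverse=True)

# Stage 1, constructed sample register: asset name -> value, one per category on the Assets slide.
SAMPLE_ASSETS = {"patient database": 9, "development tools": 5, "air-conditioning": 3}
SAMPLE_EXPOSURES = [Exposure("patient database", "deliberate", "high", "medium"),
                    Exposure("development tools", "accidental", "medium", "high"),
                    Exposure("air-conditioning", "natural", "low", "low")]

if __name__ == "__main__":
    for asset, threat, measure, controls in select_countermeasures(SAMPLE_ASSETS, SAMPLE_EXPOSURES):
        print(f"{asset} / {threat}: risk {measure}/7 -> {controls}")
```

The output lists the patient database first (risk 4 of 7, three controls recommended), which is the ordering a risk treatment plan would follow.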

89 CRAMM Version 4.0
This version, the latest, includes:
- Full support for BS7799 including GAP analysis
- Implementation of a security improvement program
- Statement of Applicability
- Risk Modeling for multi-role organizations
AND the ability to undertake a Risk Analysis! A fit with BS7799: Part 2.

90 Management Framework: ISMS
Step 1: Define the Policy (output: Policy Document)
Step 2: Define Scope of ISMS (output: Scope of ISMS, Information Assets)
Step 3: Undertake Risk Assessment (RA; T. V. I.; output: Results & Conclusions)
Step 4: Manage Risk (Degree of Assurance Required)
Step 5: Select Controls (Select Control Options; Control Objectives; Additional Controls)
Step 6: Statement of Applicability
(NB: Additional controls would incorporate DPA 1998, Caldicott and Info Governance requirements)

91 And then...
- Develop and implement security policies which comply with your specific requirements in terms of BS7799
- Review and Maintain
Simple, isn't it? No, it is appreciated that compliance with BS7799 is a significant undertaking. But, as the benefits themselves are significant, it is not only good practice but makes good sense to adopt the standard.

92 You are Not Alone
- CRAMM risk models are being developed for specific organizations (e.g. Acute Trusts)
- Such models will encompass approximately % of organizations
- Pioneer Projects, the results of which will be fed into the overall implementation process
- Training
- Development and maintenance program
- FAQs
- Help Desk
- User Groups

93 Thanks for Coming!
Feel free to contact me at this address if you have further questions and would like to learn more!
For further information, contact: Dr. A. Rush, Ph.D.
