Ravi Narsipur MBA, PMP, CISSP THIS PRESENTATION WILL FOCUS ON Quality and Security Interdependency PMI Westchester Quality SIG Feb 2016 Presentation.


2 Major Security Tenets (CIA)
Confidentiality: If a security mechanism offers confidentiality, it offers a high level of assurance that data, objects, or resources are restricted from unauthorized subjects; that is, a high level of assurance that the system is secure and keeps its secrets.
Integrity: For integrity to be maintained, objects must retain their veracity and be intentionally modified only by authorized subjects.
Availability: Authorized subjects are granted timely and uninterrupted access to objects. If a security mechanism offers availability, it offers a high level of assurance that the data, objects, and resources are accessible to authorized subjects.

3 Major Security Tenets: Additional Security Tenets
Identification: The process by which a subject professes an identity and accountability is initiated. A subject must provide an identity to a system to start the process of authentication, authorization, and accountability (AAA). Once a subject has been identified (that is, once the subject's identity has been recognized and verified), the identity is accountable for any further actions by that subject.
Authentication: The process of verifying the claimed identity. Authentication is made up of factors such as a password. Note that identification and authentication go hand in hand: first identification is established, then authentication is performed.
Authorization: The process that ensures access is granted to specific resources based on identification and authentication. Therefore identification + authentication = authorization.
Auditing: Monitoring the activity of the individual. The key item here is the audit trail that is established: a log is maintained of all the activities. This is the result of identification, authentication and authorization.
Accountability: Subjects are held accountable for their actions. Auditing allows for accountability of the actions: track and prove that the subject is held accountable for the work.
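The identification, authentication, authorization, auditing and accountability chain described on this slide, as an added Python example (not code from the presentation): the gateway, its user, password and permissions are constructed, and a salted PBKDF2 hash stands in for whatever credential store a real system would use. The point it shows is the ordering: authorization is only reached through a successful identification and authentication, and every step lands in the audit trail under the subject's identity, which is what later makes the subject accountable.

```python
"""AAA chain (identification -> authentication -> authorization -> auditing ->
accountability) as a small in-memory gateway. Added example with constructed
users, permissions and requests; not code from the presentation."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # Constructed credential store: salted PBKDF2-HMAC-SHA256. A production
    # system would pick its password hash and parameters deliberately.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Gateway:
    credentials: Dict[str, Tuple[bytes, bytes]]   # identity -> (salt, hash)
    permissions: Dict[str, Set[str]]              # identity -> resources allowed
    audit_trail: List[dict] = field(default_factory=list)

    def _audit(self, identity: str, step: str, outcome: str,
               resource: Optional[str] = None) -> None:
        # Auditing: every step is logged against the identity that claimed it.
        self.audit_trail.append({"subject": identity, "step": step,
                                 "outcome": outcome, "resource": resource})

    def identify(self, claimed_identity: str) -> bool:
        # Identification: the subject professes an identity; we only check
        # whether it is one the system knows about.
        known = claimed_identity in self.credentials
        self._audit(claimed_identity, "identification",
                    "recognized" if known else "unknown")
        return known

    def authenticate(self, identity: str, password: str) -> bool:
        # Authentication follows identification; a constant-time comparison of
        # the password hash verifies the claimed identity.
        if not self.identify(identity):
            return False
        salt, stored = self.credentials[identity]
        ok = hmac.compare_digest(_hash_password(password, salt), stored)
        self._audit(identity, "authentication", "success" if ok else "failure")
        return ok

    def authorize(self, identity: str, password: str, resource: str) -> bool:
        # Authorization is granted only on the basis of a completed
        # identification + authentication, then checked against permissions.
        if not self.authenticate(identity, password):
            self._audit(identity, "authorization", "denied", resource)
            return False
        granted = resource in self.permissions.get(identity, set())
        self._audit(identity, "authorization",
                    "granted" if granted else "denied", resource)
        return granted

    def actions_of(self, identity: str) -> List[dict]:
        # Accountability: the audit trail lets us reconstruct and prove what a
        # given subject did and which steps succeeded or failed.
        return [r for r in self.audit_trail if r["subject"] == identity]


def build_demo_gateway() -> Gateway:
    # Constructed user "alice" with one permitted resource.
    salt = os.urandom(16)
    return Gateway(
        credentials={"alice": (salt, _hash_password("correct horse", salt))},
        permissions={"alice": {"/reports/q1"}},
    )


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.authorize("alice", "correct horse", "/reports/q1"))   # True
    print(gw.authorize("alice", "correct horse", "/payroll"))      # False
    for record in gw.actions_of("alice"):
        print(record)
```

Note that a failed identification still produces audit records under the claimed name; that is deliberate, since repeated attempts against unknown or wrong identities are exactly what the audit trail should let an analyst see.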

4 Security Governance
Security Governance Principles: Ultimately, security governance is the implementation of a security solution and a management method that are tightly interconnected. Security governance directly oversees and gets involved in all levels of security. Security is not, and should not be treated as, an IT issue only.
Security Management: Security management needs to be top down. Management support for security is needed. Policies need to be defined; procedures, baselines and standards developed; and management plans developed.

5 Security Controls
Organizations must meet the minimum security requirements in this standard by selecting the appropriate security controls and assurance requirements as described in NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems. The process of selecting the appropriate security controls and assurance requirements for organizational information systems to achieve adequate security is a multifaceted, risk-based activity involving management and operational personnel within the organization.
The seventeen areas represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting information and information systems:
(i) access control;
(ii) awareness and training;
(iii) audit and accountability;
(iv) certification, accreditation, and security assessments;
(v) configuration management;
(vi) contingency planning;
(vii) identification and authentication;
(viii) incident response;
(ix) maintenance;
(x) media protection;
(xi) physical and environmental protection;
(xii) planning;
(xiii) personnel security;
(xiv) risk assessment;
(xv) systems and services acquisition;
(xvi) system and communications protection; and
(xvii) system and information integrity.

6 Software Quality Assurance and Security
The unification of software quality assurance (QA) and IT security results in a symbiotic relationship, yet only a few organizations have started to realize the benefits of these two separate teams working together. The alliance of quality assurance and IT security is natural, because IT security is a form of quality assurance at its basic level. A security exposure in any form is a quality assurance issue. Both IT security and quality assurance are concerned with removing risks: IT security teams work to remove security risks, and quality assurance teams work to remove risks to quality.
Organizations today tend to develop applications without any thought of security until the application is fully developed. This is the typical "let's throw it over the wall to the IT security team" scenario. The problem with this scenario is that any security problems identified just before deployment will cause either the development team or the IT security team big headaches.
QA teams figured out a long time ago that quality assurance professionals need to get involved in the early stages of the software development life cycle. Security needs to be doing the same thing, working hand in hand with the QA team, systems analysts, and developers to help the systems analysts gather requirements and build the security design into the software design. IT security analysts also need to design the types of tests that need to be run at each stage.

7 Security Quality Standards
Quality is an encompassing term comprising utility, objectivity, and integrity. Therefore, the guidelines sometimes refer to these four statutory terms, collectively, as "quality."
Utility refers to the usefulness of the information to its intended users, including the public.
Objectivity consists of two distinct elements: presentation and substance. The presentation element includes whether disseminated information is presented in an accurate, clear, complete, and unbiased manner and in a proper context. The substance element involves a focus on ensuring accurate, reliable, and unbiased information.
Integrity refers to security: the protection of information from unauthorized access or revision, to ensure that the information is not compromised through corruption or falsification.
Information means any communication or representation of knowledge such as facts or data, in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual forms.

8 What is QoS (Quality of Service)
Quality of service (QoS) controls protect the integrity of data networks under load. Many different factors contribute to the quality of the end-user experience, and QoS attempts to manage all of those factors to create an experience that meets business requirements. Some of the factors contributing to QoS are as follows:
Bandwidth: The network capacity available to carry communications.
Latency: The time it takes a packet to travel from source to destination.
Jitter: The variation in latency between different packets.
Packet loss: Some packets may be lost between source and destination, requiring retransmission.
Interference: Electrical noise, faulty equipment, and other factors may corrupt the contents of packets.
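Three of the factors listed above (latency, jitter and packet loss) measured over a constructed packet trace, as an added Python example that is not part of the presentation. Per-packet latency comes from sender and receiver timestamps, jitter uses the interarrival jitter estimator from RFC 3550 (section 6.4.1) alongside a plain max-minus-min spread, loss is read from gaps in the sequence numbers, and a final check compares the measurements against a stated business requirement. The trace, its timestamps and the thresholds are all made up.

```python
"""QoS factors (latency, jitter, packet loss) computed over a constructed
packet trace. Added example; the trace and thresholds are made up."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    seq: int                    # sequence number assigned by the sender
    sent_ms: float              # sender timestamp, milliseconds
    recv_ms: Optional[float]    # receiver timestamp; None if the packet never arrived


# Constructed trace: packets sent every 20 ms with varying network delay;
# packet 4 is lost in transit.
TRACE: List[Packet] = [
    Packet(0, 0.0, 30.0),
    Packet(1, 20.0, 52.0),
    Packet(2, 40.0, 68.0),
    Packet(3, 60.0, 95.0),
    Packet(4, 80.0, None),
    Packet(5, 100.0, 131.0),
    Packet(6, 120.0, 149.0),
    Packet(7, 140.0, 172.0),
]


def latencies_ms(trace: List[Packet]) -> List[float]:
    # One-way latency per delivered packet (assumes synchronised clocks).
    return [p.recv_ms - p.sent_ms for p in trace if p.recv_ms is not None]


def mean_latency_ms(trace: List[Packet]) -> float:
    lat = latencies_ms(trace)
    return sum(lat) / len(lat)


def max_latency_variation_ms(trace: List[Packet]) -> float:
    # Simplest view of jitter: spread between the slowest and fastest packet.
    lat = latencies_ms(trace)
    return max(lat) - min(lat)


def rfc3550_jitter_ms(trace: List[Packet]) -> float:
    """Interarrival jitter as RTP receivers estimate it (RFC 3550, 6.4.1):
    D(i,j) = (Rj - Ri) - (Sj - Si), J = J + (|D| - J) / 16, computed over
    consecutive delivered packets, so a lost packet simply widens one gap."""
    j = 0.0
    prev: Optional[Packet] = None
    for p in trace:
        if p.recv_ms is None:
            continue
        if prev is not None:
            d = (p.recv_ms - prev.recv_ms) - (p.sent_ms - prev.sent_ms)
            j += (abs(d) - j) / 16
        prev = p
    return j


def packet_loss_ratio(trace: List[Packet]) -> float:
    # Expected count comes from the sequence-number range, so the loss is
    # visible even when the lost packet left no receive record at all.
    expected = max(p.seq for p in trace) - min(p.seq for p in trace) + 1
    received = sum(1 for p in trace if p.recv_ms is not None)
    return (expected - received) / expected


def meets_requirements(trace: List[Packet], max_mean_latency_ms: float,
                       max_jitter_ms: float, max_loss_ratio: float) -> bool:
    # The "business requirement" the slide mentions, expressed as thresholds.
    return (mean_latency_ms(trace) <= max_mean_latency_ms
            and rfc3550_jitter_ms(trace) <= max_jitter_ms
            and packet_loss_ratio(trace) <= max_loss_ratio)


if __name__ == "__main__":
    print(f"mean latency  {mean_latency_ms(TRACE):.1f} ms")
    print(f"spread        {max_latency_variation_ms(TRACE):.1f} ms")
    print(f"RFC3550 jitter {rfc3550_jitter_ms(TRACE):.3f} ms")
    print(f"loss          {packet_loss_ratio(TRACE):.1%}")
    print("meets 40ms/5ms/20%:", meets_requirements(TRACE, 40, 5, 0.2))
```

The RFC 3550 estimator smooths with a 1/16 gain, so it reacts slowly and reads far lower than the raw spread on a short trace; which of the two a requirement refers to should be stated explicitly when QoS targets are written down.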

9 QoS and the Internet
In its original conception, the internet was egalitarian with respect to service guarantees. Delivery on a best-effort basis generally meant that the likelihood that a given user's packets would be dropped due to an overload on a segment was proportional to the user's contribution to the load.
As the bandwidth of data channels increased and transmission latencies were reduced, it became feasible to consider adding services with strict latency and jitter requirements to the internet traffic mix. One- and two-way audio and video are good examples.
For these services to be considered usable, both the time between transmission and delivery (delay) and the regularity with which delivery occurs (jitter) must be carefully controlled. This is often done by reserving the resources necessary to ensure that the delivery goals are met.

10 QoS and Security
Security and Quality of Service mechanisms are not independent. Choices of security mechanisms impact the effectiveness of Quality of Service and vice versa.
Security and Quality of Service (QoS) are two critical network services in today's inter-networked world. Security mechanisms are used to provide proof of identity, preserve protected information, and ensure that information received has not been tampered with. Quality of Service enables multimedia and other real-time services to use public data networks instead of more expensive dedicated networks.
Implicit in the concept of Quality of Service is the notion of choice or variation. Security services also offer a range of choice, both from the user perspective and among the underlying resources.

11 Implication of no QoS
Inherently, QoS involves user requests for (levels of) services which are related to performance-sensitive variables in an underlying distributed system. For security to be a real part of QoS, then, security choices must be presented to users, and the QoS mechanism must be able to provide predictable security service levels to those users.
There are several dimensions of Quality of Service described in the literature, including accuracy, precision and performance. For a Quality of Service dimension to be supported, users must be able to request or specify a level of service for one or more attributes of that dimension, and the underlying QoS mechanism must be capable of entering into an agreement to deliver those services. For example, a network-based multimedia application might be expected to deliver video frames so that the display is jitter-free.

12 How does Security Impact Quality
QoS mechanisms can be more effective if, like response time and image fidelity, variable levels of security services and requirements can be presented to users: security choices within acceptable ranges, where "level of service" can indicate degrees of security with respect to assurance, mechanistic strength, and administrative diligence.
If user security service requests are defined as ranges, then the underlying system can adapt more gracefully to changes in resource availability during execution.
The enabling technology for both QoS and a security infrastructure is the ability of security mechanisms and services to allow the amount, kind or degree of security to vary, within predefined ranges, based on user need.
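The range-based negotiation that slides 11 and 12 describe, as an added Python example that is not part of the presentation or of the Irvine/Levin paper it draws on: a user states a minimum and maximum acceptable level per security attribute, an organisational policy floor bounds the minimum (the "administrative diligence" part of the range), and the system picks the strongest levels the current resource budget allows, re-negotiating as that budget changes. The service levels, their resource costs, the policy floor and the request are all constructed, and the greedy allocation in request order is one simple strategy, not a prescribed one.

```python
"""Quality of Security Service negotiation over user-supplied ranges.
Added example; service levels, costs, policy floor and request are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed service levels per attribute, weakest first, with a made-up
# relative resource cost (think CPU units per megabyte of traffic).
LEVEL_COST: Dict[str, Dict[str, int]] = {
    "confidentiality": {"none": 0, "cipher-128": 2, "cipher-256": 3},
    "integrity": {"none": 0, "mac-short": 1, "mac-long": 2},
}
LEVEL_ORDER: Dict[str, List[str]] = {a: list(lv) for a, lv in LEVEL_COST.items()}

# Constructed organisational floor: the weakest level policy permits regardless
# of what the user is willing to accept.
POLICY_FLOOR: Dict[str, str] = {"confidentiality": "cipher-128", "integrity": "none"}


@dataclass(frozen=True)
class Range:
    minimum: str   # weakest level the user will accept
    maximum: str   # strongest level the user is asking for


def _rank(attr: str, level: str) -> int:
    return LEVEL_ORDER[attr].index(level)


def effective_range(attr: str, r: Range) -> Range:
    """Raise the user's minimum to the policy floor; refuse an empty range."""
    floor = POLICY_FLOOR[attr]
    minimum = r.minimum if _rank(attr, r.minimum) >= _rank(attr, floor) else floor
    if _rank(attr, minimum) > _rank(attr, r.maximum):
        raise ValueError(f"{attr}: {r.minimum}..{r.maximum} lies below policy floor {floor}")
    return Range(minimum, r.maximum)


def negotiate(request: Dict[str, Range], budget: int) -> Optional[Dict[str, str]]:
    """Choose the strongest level per attribute that fits the resource budget,
    never below the effective minimum. Returns None when even the minimums do
    not fit: the request is refused rather than silently weakened."""
    ranges = {a: effective_range(a, r) for a, r in request.items()}
    chosen = {a: r.minimum for a, r in ranges.items()}
    cost = sum(LEVEL_COST[a][lvl] for a, lvl in chosen.items())
    if cost > budget:
        return None
    # Greedily raise one step at a time, in request order, while headroom remains;
    # the order of attributes in the request therefore acts as the priority.
    improved = True
    while improved:
        improved = False
        for attr, r in ranges.items():
            cur = chosen[attr]
            if _rank(attr, cur) >= _rank(attr, r.maximum):
                continue
            nxt = LEVEL_ORDER[attr][_rank(attr, cur) + 1]
            extra = LEVEL_COST[attr][nxt] - LEVEL_COST[attr][cur]
            if cost + extra <= budget:
                chosen[attr], cost, improved = nxt, cost + extra, True
    return chosen


def renegotiate(request: Dict[str, Range], budgets: List[int]) -> List[Optional[Dict[str, str]]]:
    """Re-run the negotiation as resource availability changes during execution,
    so the caller can see the service degrade gracefully and then be refused."""
    return [negotiate(request, b) for b in budgets]


# Constructed user request: accept 128-bit or 256-bit confidentiality, and a
# short or long integrity tag.
REQUEST: Dict[str, Range] = {
    "confidentiality": Range("cipher-128", "cipher-256"),
    "integrity": Range("mac-short", "mac-long"),
}

if __name__ == "__main__":
    for budget, outcome in zip([5, 4, 3, 2], renegotiate(REQUEST, [5, 4, 3, 2])):
        print(budget, outcome)
```

The refusal case matters more than the happy path: when resources drop below what the minimum acceptable levels cost, the system returns no agreement at all instead of quietly dropping below the user's stated range or the policy floor, which is what "predictable security service levels" on slide 11 requires.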

13 An Example of QoS and Security
Suppose that a surgeon is performing a delicate brain operation remotely. To ensure that only the precise brain locations are affected, high fidelity is required. Additionally, there is a requirement for high integrity and availability to ensure that the video stream is not interrupted. Confidentiality is also a requirement, and the secure communication channel must be available.
Therefore the channel needs to provide a high level of confidentiality, availability and integrity, and it also requires that the channel fidelity be very high. This means the QoS requirement is extreme and no variations are allowed. Hence a secure, high-availability channel needs to be in place.

14 Another Example of QoS and Security
Collaborative applications, such as video teleconferencing with shared electronic white boards and application suites, also present communication QoS and security choices. For example, if a group member is participating in the collaboration from a hotel room in a foreign country known for government support of corporate espionage, his security requirements and choices will be quite different than if he were in "friendly" territory. Similar QoS issues may arise if the user is connecting from a location that has bad infrastructure and connectivity cannot be established.
These security and quality choices may form a range from which the user or application can select, and can include different levels of authentication, confidentiality, and integrity.

15 NIST and ISO
NIST General Information: From the smart electric power grid and electronic health records to atomic clocks, advanced nanomaterials, and computer chips, innumerable products and services rely in some way on technology, measurement, and standards provided by the National Institute of Standards and Technology. (NIST 800 series standards)
ISO (International Standards Organization): ISO International Standards ensure that products and services are safe, reliable and of good quality. For business, they are strategic tools that reduce costs by minimizing waste and errors, and increasing productivity. They help companies to access new markets, level the playing field for developing countries and facilitate free and fair global trade. (ISO 9000)

16 References
Quality of Security Service, Cynthia Irvine and Timothy Levin, Naval Postgraduate School and Anteon Corporation.
NIST: http://www.nist.gov/ ; http://csrc.nist.gov/publications/PubsSPs.html ; http://csrc.nist.gov/publications/PubsSPs.html#SP 800 ; http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
ISO: http://www.iso.org/iso/home ; http://www.iso.org/iso/home/standards/management-standards/iso_9000.htm
Stewart, James M.; Chapple, Mike; Gibson, Darril (2015-09-11). CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide, Official Guidebook to the CISSP CBK, Third Edition.
