Presentation is loading. Please wait.

Presentation is loading. Please wait.

Driving Factors Security Risk Mgt Controls Compliance.

Similar presentations

Presentation on theme: "Driving Factors Security Risk Mgt Controls Compliance."— Presentation transcript:

1 Driving Factors Security Risk Mgt Controls Compliance

2 Risks, Threats, Vulnerabilities Risk – Generalized impact statement –Ex: disclosure of ratepayer data would be bad Threat – a generic method of exploiting a risk –Ex: interception of data in-flight or at rest Vulnerability – a specific, actual, existing technical issue that could be leveraged –Ex: an unencrypted customer information file on a server

3 Risk Profile: Confidential Data Generalized Risks: –Disclosure, Unauthorized Modification Threats: –Interception of data in-flight, at rest, after transformation, after export, before destruction Vulnerabilities: –Unencrypted data transport –Unencrypted storage in flat files or in DB –Unencrypted storage after export to external components –Unencrypted data prior to disposal or destruction

4 Reliability Engineering Security controls fail with individual unpredictability but consistently across large control sets or long periods of time Layered security controls limit the scope and impact of individual control failures Existing control set for this service –Firewalls, IDS, server hardening, patching, access request controls, authentication/authorization, filesystem access controls, virus scanning, enterprise hardening baseline analysis, OS software, service software, application software, maintenance scripts

5 Mapping Vulnerabilities to Controls Vulnerability: Unencrypted data transport –Control: use NAESB, SFTP, or encrypted CD Vulnerability: Unencrypted data storage –Control: Vulnerability: Unencrypted data after transformation –Control: Vulnerability: Unencrypted data prior to disposal –Control:

6 Data Transport Mechanisms NAESB +Current Market Standard +Existing management and maintenance infrastructure +Existing application infrastructure +Strong authentication/encryption SFTP +Strong transport encryption oPartially existing server infrastructure oPartially existing management infrastructure for static passwords -No existing management infrastructure for ssh-keys -Use of static passwords for authentication creates possibility for password recovery via brute-force or disclosure at endpoints -Reduced visibility from network security monitoring platform -Additional implementation risk -Additional management/maintenance risk

7 Data Transport Mechanisms CD-R / DVD-R +Easy -Transportation via licensed/bonded couriers? -Still need to address encryption of data in transit -Physical media destruction becomes an issue -Need to develop operational procedures -Need to develop physical infrastructure for accepting, handling, storing, and destroying media

Download ppt "Driving Factors Security Risk Mgt Controls Compliance."

Similar presentations

Ads by Google