Presentation is loading. Please wait.

Presentation is loading. Please wait.

Driving Factors Security Risk Mgt Controls Compliance.

Published byRichard Freeman Modified over 10 years ago

Similar presentations

Presentation on theme: "Driving Factors Security Risk Mgt Controls Compliance."— Presentation transcript:

1 Driving Factors Security Risk Mgt Controls Compliance

2 Risks, Threats, Vulnerabilities Risk – Generalized impact statement –Ex: disclosure of ratepayer data would be bad Threat – a generic method of exploiting a risk –Ex: interception of data in-flight or at rest Vulnerability – a specific, actual, existing technical issue that could be leveraged –Ex: an unencrypted customer information file on a server

3 Risk Profile: Confidential Data Generalized Risks: –Disclosure, Unauthorized Modification Threats: –Interception of data in-flight, at rest, after transformation, after export, before destruction Vulnerabilities: –Unencrypted data transport –Unencrypted storage in flat files or in DB –Unencrypted storage after export to external components –Unencrypted data prior to disposal or destruction

4 Reliability Engineering Security controls fail with individual unpredictability but consistently across large control sets or long periods of time Layered security controls limit the scope and impact of individual control failures Existing control set for this service –Firewalls, IDS, server hardening, patching, access request controls, authentication/authorization, filesystem access controls, virus scanning, enterprise hardening baseline analysis, OS software, service software, application software, maintenance scripts

5 Mapping Vulnerabilities to Controls Vulnerability: Unencrypted data transport –Control: use NAESB, SFTP, or encrypted CD Vulnerability: Unencrypted data storage –Control: Vulnerability: Unencrypted data after transformation –Control: Vulnerability: Unencrypted data prior to disposal –Control:

6 Data Transport Mechanisms NAESB +Current Market Standard +Existing management and maintenance infrastructure +Existing application infrastructure +Strong authentication/encryption SFTP +Strong transport encryption oPartially existing server infrastructure oPartially existing management infrastructure for static passwords -No existing management infrastructure for ssh-keys -Use of static passwords for authentication creates possibility for password recovery via brute-force or disclosure at endpoints -Reduced visibility from network security monitoring platform -Additional implementation risk -Additional management/maintenance risk

7 Data Transport Mechanisms CD-R / DVD-R +Easy -Transportation via licensed/bonded couriers? -Still need to address encryption of data in transit -Physical media destruction becomes an issue -Need to develop operational procedures -Need to develop physical infrastructure for accepting, handling, storing, and destroying media

Download ppt "Driving Factors Security Risk Mgt Controls Compliance."

Similar presentations

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.

The Whole/Hole of Security Public (DoD) v. Corporate Carl Bourland US Army Judge Advocate Generals Corps.
Copyright © 2007 Telcordia Technologies Challenges in Securing Converged Networks Prepared for : Telcordia Contact: John F. Kimmins Executive Director.

Copyright © 2007 Telcordia Technologies Challenges in Securing Converged Networks Prepared for : Telcordia Contact: John F. Kimmins Executive Director.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Database Administration and Security Transparencies 1.

Database Administration and Security Transparencies 1.
Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.

Lecture Outline 10 INFORMATION SYSTEMS SECURITY. Two types of auditors External auditor: The primary mission of the external auditors is to provide an.
Chapter 1 – Introduction

Chapter 1 – Introduction
Information Security Policies and Standards

Information Security Policies and Standards
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
SECURITY What does this word mean to you? The sum of all measures taken to prevent loss of any kind.

SECURITY What does this word mean to you? The sum of all measures taken to prevent loss of any kind.
Secure Data Transmission James Matheke Information Security Architect Ohio Department of Job and Family Services.

Secure Data Transmission James Matheke Information Security Architect Ohio Department of Job and Family Services.
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
MJ10/07041 Session 10 Accounting, Security Management Adapted from Network Management: Principles and Practice © Mani Subramanian 2000 and solely used.

MJ10/07041 Session 10 Accounting, Security Management Adapted from Network Management: Principles and Practice © Mani Subramanian 2000 and solely used.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.

Security Architecture Dr. Gabriel. Security Database security: –degree to which data is fully protected from tampering or unauthorized acts –Full understanding.
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Similar presentations

Ads by Google