Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Controls – What Works

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Controls – What Works"— Presentation transcript:

1 Security Controls – What Works
Southside Virginia Community College: Security Awareness

2 Session Overview Identification of Information Security Drivers
Identification of Regulations and Acts Introduction to Security Standards Understanding Security Controls Technology Solutions Assisting in Regulatory Compliance

3 Identification of Information Security Drivers
Identification of Regulations and Acts Introduction to Security Standards Understanding Security Controls Technology Solutions Assisting in Regulatory Compliance

4 Business Drivers What are the business drivers for information security: Facilitate Business Initiatives Protect Brand Image Protect Customer Confidence Reduce Costs and Improve Productivity Enhance Service Levels Technology Direction Comply with Regulations

5 Regulatory Compliance Drives Security Initiatives
Regulatory Compliance has emerged as the biggest driver of information security initiatives / spending. Key areas for compliance-related spending are associated with implementing an Information Security Management Framework and specifically include: Policies and Procedures Training and Awareness Security Event Management Tools Identity and Password Management Technologies

6 Information Security Management Framework
What is an Information Security Management Framework: Key Set of Policies and Processes Supporting Information Security Organizational Structure and Governance for Information Security Implementation of Standard Security Controls Appropriate and Sufficient Security Tools and Technologies

7 Regulatory Benefits of Implementing an Information Security Management Framework
Regulatory benefits of implementing an Information Security Management Framework include: Protecting the privacy of personally identifiable information (customer and employee) Protecting sensitive information and resources from being accessed or shared with unauthorized users Ensuring integrity of financial data Ensuring that data content is protected and tamper-resistant Ensuring well controlled systems Ensuring secure development and maintenance of software, systems, and applications

8 Information Security Management Framework Lifecycle
The implementation of the Information Security Management Framework follows the concept of the Plan, Prevent, Detect, Respond cycle, common in other management frameworks, such as ISO 9001 and ISO

9 Information Security Management Framework Flow
Regulatory Requirements and Security Standards help define the Organizations Security Environment. This environment dictates the Organizations Security Directive, which dictates the ultimate Information Security Management Framework. Information Security Framework (Security Controls) Organizational Directive for Information Security Technologies and Solutions Regulatory Requirements Business Initiatives Security Standards Technology Direction Business and Security Environment

10 Identification of Regulations and Acts
Identification of Information Security Drivers Identification of Regulations and Acts Introduction to Security Standards Understanding of Security Controls Technology Solutions Assisting in Regulatory Compliance

11 Significant Regulations and Acts
Some of the more significant security regulations and acts include: Gramm-Leach-Bliley Act (GLBA) Health Insurance Portability and Accountability Act (HIPAA) Sarbanes Oxley Act (SOX) European Union Data Protection Directive (EUDPD) Personal Data Act Computer Misuse Act Data Protection Act 21 CFR Part 11 BASEL II Various State Security Breach Laws

12 Security Objectives These regulations and acts specify information security objectives associated with: Security Policy, Organization, and Program Personnel, Human Resources, and Administrative security controls User, Network, System, and Physical access management Proactive vulnerability, risk, and threat assessment and management activities Intrusion Detection capabilities Event Logging and Monitoring and Incident Response programs and processes Encryption capabilities and the protection of information confidentiality and integrity Identification, authentication, and authorization controls to information and systems Asset classification and control Disaster Recovery and Business Continuity planning This is not an all inclusive list of all security regulatory goals, but rather a sample of the security objectives of these regulations

13 Introduction to Security Standards
Identification of Information Security Drivers Identification of Regulations and Acts Introduction to Security Standards Understanding Security Controls Technology Solutions Assisting in Regulatory Compliance

14 Value Proposition of Security Standards
Provide outlines of accepted best practice for security management Provide guidelines for the implementation of security measures Provide a framework for the management of information, network, and system security within an organization Provide a suggested code of practice Integrate security measures into an overall security architecture Can be used by organizations of all sizes, industries, and sectors Security Standard compliance is NOT required by law, though some contracts now require Certifications.

15 Compliance and Certification
To achieve compliance the organization must implement measures to address all control objectives. Formal certification is usually achieved through a formal audit conducted by a certified independent auditor. Certification offers internal and external confidence in the Information Security Management Framework. Certification demonstrates good governance and can provide evidence of due diligence for some requirements for regulatory compliance.

16 Compliance Achievement Process

17 Industry Accepted Security Standards
Some of the more commonly accepted and implemented standards include: International Standard, ISO/IEC 17799:2005 (ISO 17799) Australian Standard, AS/NZS :2003 (AS 7799) Payment Card Industry (PCI) Data Standard Common Criteria for IT Security Evaluation (ISO 9000) NIST Computer Security Standards

18 Understanding Security Controls
Identification of Information Security Drivers Identification of Regulations and Acts Introduction to Security Standards Understanding Security Controls Technology Solutions Assisting in Regulatory Compliance

19 Security Controls Overview
Security Controls address security issues that should be considered as part of the Information Security Management Framework. Security Policy Security Organization and Governance Asset Management Data Protection Personnel Security Physical and Environmental Communications and Operations Management Access Control Logging and Monitoring Vulnerability Management Incident Management Software & System Acquisition, Development, and Maintenance Business Continuity Management Compliance While there is no authoritative set of controls and titles, most security standards and best practices use similar titles and categories to define security controls.

20 Security Control Objectives - 1
Security Policy: Documented security objectives for the organization that is agreed and approved by management Security Organization and Governance: Assigning security responsibilities and accountability and a management forum for setting and approving security objectives

21 Security Control Objectives - 2
Asset Management: The management (identification, classification, and control) of information and hardware & software resources Data Protection: Effective controls for protecting the confidentiality, integrity, and availability of information and information resources

22 Security Control Objectives - 3
Personnel Security: The management of staff, terms of employment, termination processes, and awareness and training Physical and Environmental Security: Securing the human and system physical environment; including entry controls, fire and power controls, cable and rack security

23 Security Control Objectives - 4
Communications and Operations Management: Key security aspects of managing network and system components securely, including backups, anti-virus, patches, media and laptop security Access Control: The control of logical, physical, and remote access to information and resources; including identification and authentication, authorization, password and user management on applications, operating systems, and within networks

24 Security Control Objectives - 5
Logging and Monitoring: The collection, aggregation, normalization, correlation, mining, and tracking of security events Vulnerability Management: The performance of risk, threat, and vulnerability assessments

25 Security Control Objectives - 6
Incident Management: The detection, reporting, recording, handling, response, review, and management of security incidents Software & System Acquisition, Development, and Maintenance: The secure development and maintenance of software and systems for on-going secure operation

26 Security Control Objectives - 7
Business Continuity Management: Planning and defining the response in the event of a disaster or disruption in business to ensure continuity of operations Compliance: Ensuring the compliance with security and privacy legislative requirements

27 Technology Solutions Assisting In Regulatory Compliance
Identification of Information Security Drivers Introduction to Security Standards Understanding of Security Controls Identification of Regulations and Acts Technology Solutions Assisting in Regulatory Compliance

28 Microsoft’s “The Regulatory Compliance Planning Guide”
This guide provides technology solutions for assisting regulatory compliance. The technology solution categories include: Data Classification and Protection Solutions Identity Management Solutions Authentication, Authorization, and Access Control Solutions Training Solutions Physical Security Solutions Vulnerability Identification Solutions Monitoring and Reporting Solutions Disaster Recovery and Failover Solutions Incident Management and Trouble-Tracking Solutions Document Management Solutions Business Process Management Solutions Project Management Solutions Risk Assessment Solutions Change Management Solutions Network Security Controls Host Control Solutions Malicious Software Prevention Solutions Application Security Solutions Messaging and Collaboration Solutions

29 Session Summary Regulatory Compliance has emerged as the biggest driver of information security initiatives / spending. ü Regulations and Acts specify information security objectives necessary for regulatory compliance. ü Any organization can use the guidance and requirements in Security Standards to improve aspects of their internal security management. ü Security Controls address security issues that should be considered as part of the Information Security Management Framework. Microsoft Products and Solutions support the implementation of security controls. ü Many Microsoft technology solutions assist in regulatory compliance ü

Download ppt "Security Controls – What Works"

Similar presentations

IT Security Policy Framework

IT Security Policy Framework
Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.

Information Systems Audit Program. Benefit Audit programs are necessary to perform an effective and efficient audit. Audit programs are essentially checklists.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Information Security Policies and Standards

Information Security Policies and Standards
Advantages of IT Security Prof. Uldis Sukovskis, CISA Riga Information Technology Institute Secure information exchange in Electronic media Baltic IT&T.

Advantages of IT Security Prof. Uldis Sukovskis, CISA Riga Information Technology Institute Secure information exchange in Electronic media Baltic IT&T.
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Fraud Prevention and Risk Management

Fraud Prevention and Risk Management
Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.

Ferst Center Incident Incident Identification – Border Intrusion Detection System Incident Response – Campus Executive Incident Response Team Incident.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Chapter 20 20-1 © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Similar presentations

Ads by Google