Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.


2 Presented at the “Privacy & Security in Government Information” Seminar, Ottawa, April 4, 2005

3 www.elytra.com
Prevalent attitude towards Information Security (IS) at Senior Management level:
• At best a perceived inconvenience
• At worst a compliance nightmare, exacerbated by PRIVACY issues

4 Reality: IS is just another business element to be factored into the cost of doing business. It should be approached from the perspective that, handled properly, IS is a potential enabler of competitive advantage.

5 The intent of this presentation is to provide some guidelines for planning and managing IS.

6 Outline
• Key elements of the IS Management System
• Statement of Sensitivity, or what corporate assets need to be protected?
• Building the IS team
• Determining the scope of the Security Management System
• Metrics and objectives for IT security and web-based applications

7 Key Elements for Managing IS
• Policy
• Planning and preparation
• Protection – implementation of safeguards
• Contingency planning:
  – Incident response
  – Business continuity
• Compliance

8 Statement of Sensitivity (1)
• Sensitive assets:
  – Personnel
  – Physical
  – Information
Although this presentation focuses on the information aspect, personnel security and physical security should be looked at concurrently.

9 Statement of Sensitivity (2)
• Degree of sensitivity, assessed for each of:
  – Confidentiality
  – Availability
  – Integrity

10 Building the IS Team
• Largely dependent on the size of the enterprise
• The CSO (Corporate Security Officer) should be responsible for all three aspects of security (personnel, physical and information), not just IT
• The CSO should hold the CISSP or CISM professional security qualification

11 Scope of the IS Management System
• Assess the current level of risk
  – Establish a baseline
• Determine what can affect the risks
  – List the threats
• Determine how risk (human, physical plant, IT) can be reduced at acceptable cost
  – ROSI (return on security investment)
• Follow up with:
  – Security awareness training
  – Testing of incident response and business continuity plans

12 Risk Reduction – Technical Safeguards
• Myth: often portrayed as a discipline beyond rocket science, something the CEO could never relate to
• Reality: established standards exist, e.g.
  – MITS for the Canadian federal government
  – ISO 17799 (since renumbered ISO/IEC 27002) for industry and much of Europe
  – NIST in the USA

13 Basic Technical Safeguards
• Anti-virus and firewalls (personal and corporate) in place
• Patching strategy in place
• Router access control lists (ACLs) enforced
• SSL encryption on VPNs and wherever else feasible
In general: CONFIGURATION CONTROL

14 Further Safeguards
• Intrusion detection systems
• Intrusion prevention systems
• Vulnerability assessment software
• An ESM (Enterprise Security Management) platform to manage all of the above
• Third-party penetration testing to probe for weaknesses in the infrastructure and applications

15 Security Metrics
• Generally asset-focused
• A measure of:
  – What defenses are in place
  – How many systems are protected against a specific threat
“Defense in depth”, or layers of security, is the key to an effective security architecture.

16 Sources of Information
• International Systems Security Engineering Association (ISSEA) – Systems Security Engineering Capability Maturity Model (SSE-CMM)
• Institute for Security and Open Methodologies (ISECOM) – security metrics and RAVs (Risk Assessment Values)
• The Open Web Application Security Project (OWASP)
• www.securitymetrics.org
• NIST Special Publication (SP) 800-55, Security Metrics Guide for Information Technology Systems

17 Popular Metrics Tools
• Microsoft threat scoring system
• CERT vulnerability scoring
• SANS Critical Vulnerability Analysis scale ratings
• CVSS (Common Vulnerability Scoring System), an open framework

18 Advanced Metrics Tools
• Dashboards:
  – Can be customized or configurable
  – Basically a snapshot view of the enterprise’s state of security
  – Include metrics for monitoring security trends over time across the various applications

19 A Practical Example of a Metric
• E-mail SPAM
  – Relatively easy to establish a baseline on the % of messaging traffic that is unwanted
  – Many SPAM filters to choose from
  – After applying the filter, re-measure
  – Continue to fine-tune the filter, reapply and re-measure
  – There is some slight risk that you will stop legitimate traffic, so reducing SPAM to zero is not necessarily the goal
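Added example, not from the slides: a Python sketch of the baseline / filter / re-measure loop described above, run over a constructed, hand-labelled set of ten subject lines (not real traffic) with a toy keyword-weight filter standing in for a commercial product. At each threshold it reports the two numbers the slide implies you need: the unwanted share of what is still delivered, and the share of legitimate mail the filter blocked. The sample is built so that the only thresholds reaching zero spam also block legitimate mail, which is the trade-off the last bullet warns about.

```python
from fractions import Fraction
from typing import NamedTuple


class Message(NamedTuple):
    subject: str
    unwanted: bool  # ground truth from a hand-labelled sample


# Constructed sample, NOT real mail: labelled by hand to establish the baseline.
SAMPLE = [
    Message("Q2 budget review meeting", False),
    Message("Re: firewall change window tonight", False),
    Message("Free parking: act now before Friday", False),   # legit, but scores like spam
    Message("Urgent: incident response call at 3pm", False),
    Message("Minutes from the steering committee", False),
    Message("Please review the patching schedule", False),
    Message("WINNER! Click here to claim your prize", True),
    Message("Cheap viagra, act now", True),
    Message("Free $$$ make money fast", True),
    Message("Act now: free cruise", True),
]

# Toy keyword-weight filter; a real product's scoring engine replaces this.
SPAM_TERMS = {"free": 2, "winner": 3, "viagra": 4, "click here": 2,
              "urgent": 1, "act now": 2, "$$$": 3}


def spam_score(subject):
    """Sum the weights of every spam term present (case-insensitive)."""
    text = subject.lower()
    return sum(weight for term, weight in SPAM_TERMS.items() if term in text)


def unwanted_share(messages):
    """Baseline metric: fraction of the traffic that is unwanted, nothing filtered."""
    return Fraction(sum(m.unwanted for m in messages), len(messages))


def measure(messages, threshold):
    """Re-measure after filtering: block anything scoring >= threshold.

    Returns (unwanted share of delivered mail, share of legitimate mail blocked)."""
    delivered = [m for m in messages if spam_score(m.subject) < threshold]
    blocked = [m for m in messages if spam_score(m.subject) >= threshold]
    legit_total = sum(not m.unwanted for m in messages)
    unwanted_after = unwanted_share(delivered) if delivered else Fraction(0)
    legit_blocked = Fraction(sum(not m.unwanted for m in blocked), legit_total)
    return unwanted_after, legit_blocked


def tune(messages, thresholds):
    """The fine-tune / reapply / re-measure loop: one row per threshold tried."""
    return [(t, *measure(messages, t)) for t in thresholds]


if __name__ == "__main__":
    print(f"baseline unwanted share: {float(unwanted_share(SAMPLE)):.1%}")
    for t, after, fp in tune(SAMPLE, [7, 5, 4, 1]):
        print(f"threshold {t}: unwanted after filter {float(after):.1%}, "
              f"legitimate mail blocked {float(fp):.1%}")
```

Tightening the threshold from 5 to 4 takes the delivered spam share from 1/7 to zero but starts blocking legitimate mail (1/6 of it); a deployment should pick its threshold from both curves rather than from the spam rate alone, and re-measure periodically because the senders adapt.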

20 Thank You. Questions?

