Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information System Security Plan Steps. STEP ONE – Understand the A sset Philosophically, we believe that “security should follow data” But we know that.

Published byDale Bryant Modified over 8 years ago

Similar presentations

Presentation on theme: "Information System Security Plan Steps. STEP ONE – Understand the A sset Philosophically, we believe that “security should follow data” But we know that."— Presentation transcript:

1 Information System Security Plan Steps

2 STEP ONE – Understand the A sset Philosophically, we believe that “security should follow data” But we know that not all data were created equal Effective security begins with a solid understanding of the protected asset and its value DATA is identified as our primary asset

3 STEP TWO – Identify and prioritize T hreats Governance: policy breach rebellion Physical: data theft equipment theft/damage Endpoint: theft social engineering Infrastructure & Application: theft disclosure DoS unauthorized access Data: unauthorized access corruption/destruction

4 STEP THREE – Identify and rank V ulnerabilities Governance: policy loopholes Physical: weak perimeter open access Endpoint: ignorance Infrastructure & Application: “open” network unpatched systems/OS misconfiguration Data: unencrypted storage insecure transmission

5 STEP FOUR – Quantify Relative Risk, R R = µVAT The greater the number of vulnerabilities the bigger the risk The greater the value of the asset the bigger the risk The greater the threat the bigger the risk V = vulnerability A = asset T = threat µ = likelihood of T

6 Higher Classification implies Increased Security STEP FIVE – Develop a strategy Types of data stored, accessed, processed or transmitted dictates OPZ High - Significantly business impact - financial loss - regulatory compliance Moderate - adversely affects business and reputation Normal - minimal adverse effect on business - authorization required to modify or copy 3 virtual operational protection zones, OPZ based on Data Classification Server with Moderate data Laptop with High data

7 STEP SIX – Establish target standards Amount and stringency of security controls at each level varies with data classification Seven layers of protection per zones based on COBIT, ISO 27002, FIPS 200 and NIST 800-53 1. Management & Governance 2. Access control 3. Physical security 4. Endpoint security 5. Infrastructure security 6. Application security 7. Data security

8 Snippet from Data Security Standard Security ControlRed ZoneYellow ZoneGreen Zone Encrypt stored data MandatoryRecommendedOptional Limit data stored to external media MandatoryRecommendedOptional Encrypt transmitted data Mandatory Recommended

9 STEP SEVEN – Document the plan Identify realistic solutions for applying the appropriate security controls at each level. Create a list of action items for the next 3 to 5 years Prioritize the list based on risk and reality Forecast investment Beg, kick and scream to get funding Implement the plan over time

Download ppt "Information System Security Plan Steps. STEP ONE – Understand the A sset Philosophically, we believe that “security should follow data” But we know that."

Similar presentations

Driving Factors Security Risk Mgt Controls Compliance.

Driving Factors Security Risk Mgt Controls Compliance.
Department of Information Systems Brigham and Womens Hospital Laptop Encryption Catherine McGoldrick Schroeder Corp. Mgr, BWH IS Management & Planning.

Department of Information Systems Brigham and Womens Hospital Laptop Encryption Catherine McGoldrick Schroeder Corp. Mgr, BWH IS Management & Planning.
Innovation or Necessity? ISM 158 By: Sepehr Saeb.

Innovation or Necessity? ISM 158 By: Sepehr Saeb.
Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.
© Peter Readings 2007 1 Data Leakage Pete Readings CISSP.

© Peter Readings Data Leakage Pete Readings CISSP.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
PII Breach Management and Risk Assessment

PII Breach Management and Risk Assessment
Chapter 5: Asset Classification

Chapter 5: Asset Classification
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Risk Management a Case Study DATALAWS Information Technology Law Consultants Presented by F. F Akinsuyi (MSc, LLM)MBCS.

Risk Management a Case Study DATALAWS Information Technology Law Consultants Presented by F. F Akinsuyi (MSc, LLM)MBCS.
Security Controls – What Works

Security Controls – What Works
Course ILT Security overview Unit objectives Discuss network security Discuss security threat trends and their ramifications Determine the factors involved.

Course ILT Security overview Unit objectives Discuss network security Discuss security threat trends and their ramifications Determine the factors involved.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Secure Data Transmission James Matheke Information Security Architect Ohio Department of Job and Family Services.

Secure Data Transmission James Matheke Information Security Architect Ohio Department of Job and Family Services.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Risk Assessment Frameworks

Risk Assessment Frameworks
Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.

Obtaining, Storing and Using Confidential Data October 2, 2014 Georgia Department of Audits and Accounts.
Planning for Information Security and HIPAA Compliance “Security should follow data” Leo Howell, CISSP John Baines, CISSP IAS-Information Assurance & Security.

Planning for Information Security and HIPAA Compliance “Security should follow data” Leo Howell, CISSP John Baines, CISSP IAS-Information Assurance & Security.

Similar presentations

Ads by Google