ITSC Writing an Operational Security Plan E. Jane Powanda FISSEA 2005 Conference March 22, 2005 301 513-0143.


Slide 1: ITSC Writing an Operational Security Plan
E. Jane Powanda
FISSEA 2005 Conference, March 22, 2005
jpowanda@itsc.org, 301 513-0143

Slide 2: The Operational Security Plan
Roadmap for Management and Operations

Slide 3: Why Have a Security Plan
- Documents implemented security measures
- Documents planned security measures
- Documents security goals based on threats and risk
- Documents security roles and responsibilities for staff
- Identifies security requirements for inclusion in formal agreements with partners and other organizations that may provide application services
- Documents security decisions made by management

Slide 4: Security Plan in the Security Framework
[Diagram of the security framework; labels recovered from the slide]
- Security Guiding Principles (Philosophy): personal accountability, authority, responsibility, policy update and review, management commitment, security goals, data sensitivity, special features
- Procedures
- Standards/Guidelines
- Plans
- Security Implementation

Slide 5: Writing the Security Plan
- Demonstrates due diligence!
- Changes with technology
- Based on policy
- Directives for staff action
- Dessert?
- Based on our recent risk assessment
- Will justify our security budget

Slide 6: Resources
- NIST SP 800-18, Guide for Developing Security Plans for Information Technology Systems, December 1998. Other resources at http://csrc.nist.gov
- ISO 17799, Information Technology - Code of practice for information security management
- CIO Council – experience of other agencies

Slide 7: Writing the Security Plan
- Introduction
- The Application and its Environment
- Roles and Responsibilities
- Operational Security Controls
- Other Optional Topics
- Glossary

Slide 8: Introduction
- Scope
- Purpose
- Intended audience
- Plan maintenance
- Points of contact
- Relevant policies and guidelines
- Document organization
The introduction provides the basis for both the plan and the document, and addresses some management aspects of the planning process.

Slide 9: Scope
- Sets the bounds for the plan
- Is this a new system or an addition to the current system?
- Is this for a single application or a general use system?
- What is not included in the plan?

Slide 10: Purpose
- Why the Plan exists
- Provides a compendium of security measures currently implemented
- Documents measures taken by management to demonstrate due diligence with respect to security

Slide 11: Intended Audience
- Who might be reading this document?
  - Program management
  - IT management
  - Program operational staff
  - IT staff
  - Program partners
  - Auditors

Slide 12: Plan Maintenance
- Who updates this plan?
- How often is it updated?
- Who reviews and authorizes updates to the plan?

Slide 13: Point of Contact
- Name or position of person who can provide more information about the plan
- Phone number or e-mail address

Slide 14: Relevant Policies and Guidelines
- Federal legislation or guidelines on which the plan is based
- State legislation or guidelines on which the plan is based
- Internal policies or guidelines

Slide 15: Document Organization
- Description of each of the sections of the plan

Slide 16: The System and its Environment
- Functional description of the application or system
- Program organization
- Hardware
- Software
- Operational environment
- Data sensitivity
- Threats to the system
- Security goals
This section provides information about the system and the environment in which it operates. It sets the stage for the plan.

Slide 17: System Functional Description
- Hours of operation
- End user interfaces
  - Paper
  - Web
  - E-mail
  - IVR
- The services provided to users
  - Internal staff
  - External clients
- Identify what the system does from a layman's point of view.

Slide 18: Hardware
- List the hardware elements that belong to this system
  - Mainframe
  - Servers
  - Storage devices
  - Workstations
  - Firewalls

Slide 19: Software
- List software elements
  - Operating system
  - Network software, if applicable
  - Application software
- Language written in
- Size and complexity of software
- Architecture, or how it is organized
  - Mainframe
  - Client / server
  - Web based

Slide 20: IT Operational Environment
- Describe the infrastructure
  - Firewalls
  - Subnets
  - Connecting networks
  - External interfaces
  - Dial-in access
- Provide a drawing that shows the different parts of the system on a network diagram

Slide 21: Data Sensitivity
- Business need for sharing or restricting information
- Business impact of failure to protect sensitive data
- What kind of information is considered sensitive?
- Are privacy laws and regulations applicable?
- Describe the different categories or types of sensitive data
- Describe implications of sensitivity with respect to
  - Confidentiality
  - Integrity
  - Availability

Slide 22: Threats
- Major threats and security concerns
- Examples
  - Hacker attacks
  - Insider fraud
  - External fraud
  - Physical attack
  - Employee discontent

Slide 23: Security Goals
- Discuss security objectives with respect to each of the following
  - Availability of service
  - Confidentiality of client information
  - Accountability of actions
  - Integrity of data operations
- Rate the goals in order of importance

Slide 24: Security Operational Controls
- Assignment of roles and responsibilities
- Management controls
- Operational controls
- Technical controls

Slide 25: Roles and Responsibilities
- Program organization
  - Business staff
  - Technical staff
  - Management staff
  - Operational staff
- The IT organization
- Other agency organizations that provide services
- Data sharing partners
- Internet application system users
- Examples of security functional responsibilities
  - Who does the backups
  - Who does security training
  - Who authorizes system access
  - Who sets policy
  - Who maintains this plan

Slide 26: Management Controls
- Risk management
- Incident handling
- Contingency plans

Slide 27: Risk Management
- Has there ever been a security assessment performed on the system? When was it done, by whom, and how extensive was it?
- Generally describe the methods used for resolving the security problems identified
- What management procedures are in place to periodically review and contain security risk?
- Update the plan when new controls are implemented or planned
- Never document security vulnerabilities in the plan

Slide 28: Incident Handling
- What is considered to be a "security incident"?
- Identify procedures in place to deal with a security incident
  - Detection
  - Reporting
  - Resolution
- What actions are taken to ensure that staff can recognize and respond to a security incident?

Slide 29: Contingency Plans
- Business continuity plan
  - How will the business continue to operate in spite of disaster?
  - Who is responsible for the plan and its execution?
  - When was the last time it was updated and tested?
  - When will it be tested again?
- Disaster recovery plan
  - How will IT operations be brought back to normal?
  - Who is responsible for the plan?
  - When was the last time it was updated and tested?
  - When will it be tested again?

Slide 30: Operational Controls
- Application maintenance
- Access to system and privileges
- Authentication of users
- Audits
- Backup and recovery
- Disposal of information and equipment
- Security training
- Integrity controls
- Physical security
- Personnel security

Slide 31: Application Maintenance
- Software maintenance
  - Describe the change management process
  - Who writes code, tests it, approves it, and installs it on the production system?
  - Is security testing performed?
  - How is configuration control maintained?
    - Source code
    - Executable code
- Hardware maintenance
  - How much downtime can be tolerated?
  - What measures are taken to ensure hardware availability?

Slide 32: Access to System and Privileges
- Identify who authorizes access to systems and software
- Describe how new access authorizations get implemented
- Identify who makes the changes on the system
- What procedures are in place to terminate access for those who no longer need it?

Slide 33: Audit Data
- What activities will be audited?
  - Selected staff actions
  - All administrator actions
  - Partner access and/or modification of data
  - Customer actions
- How long is audit data kept?
- Is it stored in a safe place? How is it protected from viewing and modification?
- Is enough buffer space allocated for audit data to prevent overwrite?
- Is someone assigned to review audit data on a regular basis?

Slide 34: Backup and Recovery
- Enterprise data backup
  - Identify what data is backed up by the system and considered recoverable
  - Identify how often data is backed up
  - Discuss the existence of offsite backup and how long it would take to retrieve it in the event of an emergency
  - What is the tape rotation schedule – how many tapes or other media are used?
- Personal backup
  - What backup responsibilities do users have?
- Restoration
  - How will data be restored and how long will it take?
  - When was the last time a successful recovery from a backup was demonstrated?

Slide 35: Handling of Information & Equipment
- Security markings on information and equipment
- Equipment disposal
  - Computers
  - Workstations
  - Storage media
- Equipment maintenance
  - Outside repair
  - In-house repair
- Information disposal
  - What information must be disposed of securely?
  - Procedures for destroying paper documents containing sensitive information
  - Procedures for destroying floppy disks or CDs containing sensitive information

Slide 36: Security Training
- How is security awareness conveyed to staff?
  - Annual security awareness training
  - Monthly security bulletins
  - Security posters
- How is security training provided for IT staff and programmers?
  - Preventing web coding flaws
  - Firewalls and network architecture
- How is security training provided to administrators?
  - Locking down servers
  - Reviewing audit information
  - Performing vulnerability scans, including wireless
  - Patch management
- Other specific role- or job-based security training

Slide 37: Integrity Controls
- Identify features implemented to ensure that the system has not been modified without authorization
  - Software checksums or signatures
  - Other security software
- Identify the virus software and vulnerability scans used on the system, how often they run, and how often they are updated
- Documented patch management plan
  - Who monitors for new patch releases and installs them?
  - How often are patches installed?
  - Number of vendors to monitor

Slide 38: Physical Security
- Facility security
  - Describe the personnel entry system, how access rules are enforced for building access, and building protections
- Computer room security
  - Describe the personnel entry system and possible contingency entry in the event of an emergency
- Communications room security
  - Describe the personnel entry system and possible contingency entry in the event of an emergency
- Other locked areas (storage of software, blank checks, etc.)
  - Describe the personnel entry system and possible contingency entry in the event of an emergency
- Workstation security
- Use of UPS to prevent damage during power interruption
- Preventing laptop theft
- Computer room environmental controls

Slide 39: Personnel Security
- Staff background checks
- Staff security requirements
  - Badges
  - Reporting suspicious activity
- Visitor control
  - Sign-in log
  - Escort requirements
  - Maintenance staff
- After hours activity – preventing theft and disclosure of sensitive information
- Confidentiality agreements
- Expected behavior agreements

Slide 40: Technical Controls
- Identification and Authentication
- Access Control
- Audit
- Encryption
Addresses the technology used to implement these controls.

Slide 41: Identification & Authentication
- User IDs
- Describe how staff are authenticated
  - Biometrics – fingerprint
  - Password
  - Tokens
- Describe how authorized non-staff are authenticated for both web access and direct system access
- Describe how customers/clients are authenticated when accessing the system over the web

Slide 42: Logical Access Controls
- Mainframe access controls
- Client/server access controls
- Web transaction access controls

Slide 43: Audit
- What automated audit features are provided?
  - Operating system based
  - Application based
  - Other
- What automated analysis tools are used?

Slide 44: Encryption
- Usage
  - Network transmissions
  - Web transactions
  - Database
  - Passwords
- Algorithms used
- Products used within the organization

Slide 45: Other Optional Topics
- Personnel Safety
- Rules of Behavior
- Others?

Slide 46: Personnel Safety
- Evacuation plan in the event of an emergency
  - Evacuating and accounting for personnel in the building
- After hours activity
  - Identify special measures for after hours activity in work areas, including escorts to the parking lot
- Protection of personal property
  - Who to notify for suspected theft
- Fire extinguishers
  - Location and plan to ensure readiness
- Emergency phone numbers
  - Both during and after work hours
- Medical emergency
  - Phone numbers and identification of trained medical professionals in the building

Slide 47: Security Plan Closing Thoughts
- It is not necessary, or even desirable, to actually have all the topics fully covered in the plan (300 pound books are difficult to carry around). A reference to the information documented elsewhere is sufficient.
- The list of topics presented here is not all-inclusive, definitive or mandatory.
  - If a topic not covered here is important – Add it
  - If a topic covered here is irrelevant – Drop it
- Build a plan to fit YOUR needs. Keep it brief.

Slide 48: Contact Information
Jane Powanda
jpowanda@mitretek.org
jpowanda@itsc.org
301 513-0143

