Security Management Chao-Hsien Chu, Ph.D.


1 Security Management Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology, The Pennsylvania State University, University Park, PA 16802
IST 515: Theory, Practice, Learning by Doing

2 Security Management Framework
[Figure: the framework's domains arranged around Security Management, grouped into Organizational and Operational]
Organizational Security Policy; Organizational Design; Asset Classification and Control; Personnel Security; Awareness Education; Physical and Environmental Security; Communications & Operations Mgmt.; Access Control; System Development and Maintenance; Business Continuity Management; Compliance.

3 Objectives This module will familiarize you with the following:
Why security? Essential security terminology. Core information security principles. The security management framework. Information security management governance. Security policies, procedures, standards, guidelines and baselines. Auditing frameworks for compliance.

4 Readings
NIST, "An Introduction to Computer Security," SP (Oct. 1995). Chapters 2 & 4 (Required).
Tipton, H. and Henry, K. (Eds.), Official (ISC)2 Guide to the CISSP CBK, Auerbach, Domain 1 (Required).
Bowen, P., Hash, J. and Wilson, M., "Information Security Handbook: A Guide for Managers," NIST, SP (Oct. 2006). Chapter 2.
von Solms, B. and von Solms, R., "The 10 Deadly Sins of Information Security Management," Computers & Security (2004) 23.
Wikipedia, Information Technology Infrastructure Library.
Wikipedia, COSO Enterprise Risk Management.
Wikipedia, ISO/IEC.

5 Scenario Stephen used to be the most bullied guy in his circle of friends. Johnson, the neighborhood guy, was part of the peer group and foremost in bullying Stephen, and Stephen developed a hatred for him. Johnson owned and hosted a personal website where he showcased his web development skills. He passed the IP address of his website to his peer group so that they could comment on it after viewing the pages. Stephen came across an article on hacking on the Internet. Amazed by the potential of the tools showcased in that article, he decided to try them hands-on. With the downloaded scanning tools, Stephen started scanning the IP of Johnson's website. What kind of information will Stephen be exposed to? Will the scan performed by Stephen affect Johnson's website?
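The two questions the scenario asks can be answered concretely with a minimal scanner. The following is an added example, not part of the original slides: it starts a throwaway listener on the loopback interface (a constructed stand-in for Johnson's host, so nothing off-box is touched) and runs a plain TCP connect() probe against one open and one closed port. The listener's access log shows that even a "look-only" scan is an event the target can see; the banner shows the kind of information that leaks (service and version). The banner string and the port choice are assumptions for the demo.

```python
import socket
import threading
import time

# Constructed sample banner for the local stand-in target. A real web server
# typically announces its software and version in much the same way.
BANNER = b"HTTP/1.0 200 OK\r\nServer: Apache/2.2.3 (Unix)\r\n\r\n"
HOST = "127.0.0.1"


def free_port():
    """Pick a port the OS currently has free; used here to get a known-closed port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def start_target():
    """Start one listener on an OS-chosen port. Returns (port, access_log, stop_event)."""
    access_log = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        srv.settimeout(0.2)
        while not stop.is_set():
            try:
                conn, peer = srv.accept()
            except socket.timeout:
                continue
            # Every completed connection is visible to the target, whether or
            # not the client ever sends a byte: this is the scanner's footprint.
            access_log.append(peer)
            try:
                conn.sendall(BANNER)
            finally:
                conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port, access_log, stop


def probe(host, port, timeout=0.5):
    """TCP connect() probe: returns ("open", banner) or ("closed", b"")."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except (ConnectionRefusedError, socket.timeout, OSError):
        s.close()
        return "closed", b""
    try:
        banner = s.recv(256)  # whatever the service volunteers on connect
    except (socket.timeout, OSError):
        banner = b""
    finally:
        s.close()
    return "open", banner


def scan(host, ports):
    """Probe each port and map port -> (state, banner)."""
    return {p: probe(host, p) for p in ports}


def demo():
    """Run the scan against the local stand-in target; return what both sides saw."""
    open_port, access_log, stop = start_target()
    closed_port = free_port()
    results = scan(HOST, [open_port, closed_port])
    time.sleep(0.1)  # let the listener thread finish bookkeeping
    stop.set()
    return results, list(access_log), open_port, closed_port


if __name__ == "__main__":
    results, log, open_port, closed_port = demo()
    for port, (state, banner) in results.items():
        print(f"{HOST}:{port} {state} {banner!r}")
    print("connections the target recorded:", log)
```

What Stephen learns from the open port is exactly the banner: the product and version string, which is what he would feed into a vulnerability lookup next. What Johnson's host learns is the source address of every connection, so a scan is never invisible to a target that logs accepts; with a full connect() scan each probe also consumes a real connection and the service's time to answer it.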

6 Why Security?
Evolution of technology focused on ease of use.
Decreasing skill level needed for exploits.
Increased network environment and network-based applications.

7 Why Security?
Direct impact of a security breach on the corporate asset base and goodwill.
Increasing complexity of computer infrastructure administration and management.

8 Essential Security Terminologies

9 Essential Security Terminologies

10 Information Security Principles - CIA
Security rests on confidentiality, integrity, availability, and authenticity:
Confidentiality. Only authorized individuals, processes, or systems have access to information, on a need-to-know basis.
Integrity. Information is protected from intentional, unauthorized, or accidental changes.
Availability. Information and resources are accessible when needed. (Threats: DoS, DDoS.)
Authenticity. The identification and assurance of the origin of information. (Mechanisms: hash function, MD5.) Note that an unkeyed hash such as MD5 only detects that data changed; it says nothing about who produced it, because anyone who alters the data can recompute the hash. Origin assurance needs a keyed MAC or a digital signature, and MD5 is no longer collision-resistant, so SHA-2 or better should be used where a hash is needed at all.
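The distinction between integrity (data unchanged) and authenticity (data from the claimed origin) is easiest to see in code. The following is an added example, not from the slides: a message is published with an unkeyed SHA-256 digest and with an HMAC under a key the attacker does not hold. The attacker substitutes a message and recomputes the digest; the hash check passes, the HMAC check does not. The messages and key are constructed for the demo.

```python
import hashlib
import hmac
import os


def sha256_tag(message: bytes) -> str:
    """Unkeyed digest: detects accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()


def hmac_tag(key: bytes, message: bytes) -> str:
    """Keyed MAC: only a holder of `key` can produce a tag that verifies."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hash(message: bytes, tag: str) -> bool:
    # compare_digest avoids leaking where the comparison fails via timing.
    return hmac.compare_digest(sha256_tag(message), tag)


def verify_hmac(key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(hmac_tag(key, message), tag)


def tamper_demo() -> dict:
    """Simulate a sender, an in-path attacker, and a receiver for both schemes."""
    key = os.urandom(32)                       # shared between sender and receiver only
    original = b"transfer 100 to account 42"   # constructed sample message
    forged = b"transfer 100 to account 99"

    # Sender publishes the message with each kind of tag.
    published_hash = sha256_tag(original)
    published_mac = hmac_tag(key, original)

    # Attacker rewrites the message. The unkeyed digest is trivially recomputed;
    # for the MAC the best the attacker can do is replay the old tag.
    attacker_hash = sha256_tag(forged)
    attacker_mac = published_mac

    return {
        # Receiver checks integrity with the unkeyed hash: forgery is accepted.
        "hash_accepts_forgery": verify_hash(forged, attacker_hash),
        # Receiver checks authenticity with the HMAC: forgery is rejected...
        "hmac_accepts_forgery": verify_hmac(key, forged, attacker_mac),
        # ...while the genuine message still verifies.
        "hmac_accepts_original": verify_hmac(key, original, published_mac),
        # And an unchanged message with the publisher's own hash is, of course, fine.
        "hash_accepts_original": verify_hash(original, published_hash),
    }


if __name__ == "__main__":
    for name, ok in tamper_demo().items():
        print(f"{name}: {ok}")
```

The same reasoning is why a checksum file served next to a download proves nothing unless it is signed or fetched over a separately trusted channel: the party who can swap the file can swap the checksum.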

11 Confidentiality, Integrity and Availability
[Figure: the CIA triad, with Security at the center of Confidentiality, Integrity and Availability]

12 Reverse CIA
Confidentiality: preventing unauthorized subjects from accessing information.
Integrity: preventing unauthorized subjects from modifying information.
Availability: preventing information and resources from being inaccessible when needed.

13 Trade-off
[Figure: a ball between Functionality, Security and Usability]
Moving the ball towards security means moving away from functionality and ease of use.

14 Security/Risk Management Relationships
[Figure: a cycle around Central Management] Determine Needs & Assess Risks; Implement Policies & Controls; Promote Awareness; Monitor & Evaluate.

15 10 Deadly Sins of Security Management
1. Not realizing that information security is a corporate governance responsibility (the buck stops right at the top).
2. Not realizing that information security is a business issue and not a technical issue.
3. Not realizing that information security governance is a multi-dimensional discipline.
4. Not realizing that an information security plan must be based on identified risks.
5. Not realizing the important role of international best practices for information security management.

16 10 Deadly Sins of Security Management
6. Not realizing that a corporate information security policy is absolutely essential.
7. Not realizing that information security compliance enforcement and monitoring is absolutely essential.
8. Not realizing that a proper information security governance structure is absolutely essential.
9. Not realizing the core importance of information security awareness amongst users.
10. Not empowering information security managers with the infrastructure, tools and supporting mechanisms to properly perform their responsibilities.
Lessons Learned

17 Multi-Dimension of Information Security
The Corporate Governance Dimension; The Organizational Dimension; The Policy Dimension; The Best Practice Dimension; The Ethical Dimension; The Certification Dimension; The Legal Dimension; The Insurance Dimension; The Personnel/Human Dimension; The Awareness Dimension; The Technical Dimension; The Measurement/Metrics Dimension (compliance monitoring, real-time IT audit); The Audit Dimension.

18 Security Management Practice
Security Governance. Security Policies, Procedures, Standards, Guidelines, and Baselines. Security Planning. Security Organization. Personnel Security. Security Audit and Control. Security Awareness, Training and Education. Risk Assessment and Management. Professional Ethics.

19 Security Management Governance
Security governance is the set of organizational processes and relationships that ensure the appropriate information security activities are performed, so that risks are appropriately reduced, information security investments are appropriately directed, and executive management has visibility into the program and asks the right questions to determine its effectiveness.
Policies, Procedures, Standards, Guidelines, Baselines. Organizational Structures. Roles and Responsibilities.

20 Policies, Standards, Procedures, Baselines, & Guidelines
[Figure: the policy hierarchy]
Laws, Regulations, Requirements, Organizational Goals & Objectives
General Organizational Policies (Management's Security Statement)
Functional Implementing Policies (Management's Security Directives)
Standards (specific hardware & software); Procedures (step-by-step instructions); Baselines (a consistent level of security); Guidelines (recommendations)
Procedures, standards, and guidelines are used to describe how these policies will be implemented within an organization.

21 Audit Frameworks for Compliance
COSO – The Committee of Sponsoring Organizations of the Treadway Commission (1985).
ITIL – The IT Infrastructure Library.
ISO 17799/BS 7799 (1995); ISO/IEC (2005).
COBIT – Control Objectives for Information and Related Technology.

22 COSO Integrated Framework
[Figure: the Enterprise Risk Management components] Internal Environment; Objective Setting; Risk Identification; Risk Assessment; Risk Response; Control Activities; Information & Communication; Monitoring.

23 The COSO Cube

24 ITIL Service Management Processes

25 ITIL Framework

26

27 ITIL V3 Processes and Functions
Service Strategy: Strategy Generation; Demand Mgmt.; Financial Mgmt.; Service Portfolio Mgmt.; Return on Investment; Business Questions.
Service Design: Service Level Mgmt.; Capacity Mgmt.; Availability Mgmt.; IT Service Continuity Mgmt.; Information Security Mgmt.; Supplier Mgmt.; Service Catalogue Mgmt.
Service Transition: Knowledge Mgmt.; Change Mgmt.; Asset and Configuration Mgmt.; Release and Deployment Mgmt.; Transition Planning and Support; Service Validation and Testing; Evaluation.
Service Operation: Event Mgmt.; Incident Mgmt.; Request Fulfillment; Problem Mgmt.; Access Mgmt.; Service Desk (F); IT Operations Mgmt. (F); Applications Mgmt. (F); Technical Mgmt. (F).
Continual Service Improvement: Service Measurement; Service Reporting; Service Improvement.
(F) marks functions; the rest are processes.

28 ISO 17799 Standards
Information security policy. Organizing information security. Asset management. Human resources security. Physical and environmental security. Communications and operations management. Access control. Information systems acquisition, development and maintenance. Information security incident management. Business continuity management. Compliance.

29 ISO Framework

30 COBIT
[Figure: the COBIT cube] Business Objectives and Governance Objectives drive the framework.
Information criteria: Effectiveness; Efficiency; Confidentiality; Integrity; Availability; Compliance; Reliability.
IT resources: Applications; Information; Infrastructure; People.
Process domains: Plan & Organize; Acquire & Implement; Deliver & Support; Monitor & Evaluate.

31 Summary of Audit Frameworks
COSO – The Committee of Sponsoring Organizations of the Treadway Commission (1985).
ITIL – The IT Infrastructure Library.
ISO 17799/BS 7799 (1995); ISO/IEC (2005).
COBIT – Control Objectives for Information and Related Technology.

32 Possible Projects
Develop a security audit plan.
Compliance testing according to a standard (e.g., HIPAA, ISO 27000, COBIT).
Awareness education for HIPAA, ISO 27000, or COBIT compliance.
A comparative analysis of different security compliance frameworks.
