Integrated Site Security for Grids (ISSeG), www.isseg.eu. © Members of the ISSeG Collaboration, EU-FP6 Project 026745.

Presentation transcript:

Slide 1: Integrated Site Security for Grids, EU-FP6 Project
Experience with Integrated Site Security
Alan Silverman, CERN, on behalf of the ISSeG project
HEPiX 07, St Louis, 9 November 2007

Slide 2: The ISSeG project
- EU co-funded project
- 3 partners: CERN; FZK, Forschungszentrum Karlsruhe GmbH; STFC, Science and Technology Facilities Council, UK (formerly CCLRC, RAL)
- Started in February 2006
- Ends March 2008

Slide 3: What is ISS?
Integrated Site Security (ISS)
- ISS is the concept of integrating the technical, administrative and educational aspects of information security at your site so that they work together to improve your overall site security.
- While this is not specific to Grid environments, it is extremely relevant to all Grid sites as we all work together.

Slide 4: ISS - Integrated Site Security
- Know who is using your network
- Close accounts when people leave
- Establish a Computer Security Incident Response Team
- Require computer users to be officially registered
- Explain technical changes to users before, during and after implementation
- Create and maintain training and awareness campaigns for security policies and best practice
- Raise awareness for security policies
- Use security mechanisms and tools, e.g. anti-virus, firewall management, central patch management, intrusion detection

Slide 5: What is ISSeG producing?

Slide 6: Risk assessments
Risk assessments: what are they and why bother?
Organizations are often required to establish a process to manage risks as part of a corporate governance strategy. Risk assessment includes the following steps:
1. Identify the assets and risks
2. Analyse the existing security controls
3. Implement any identified and resourced improvement plan
4. Monitor the existing controls to see that they are effective

Slide 7: ISSeG questionnaire
The ISSeG risk assessment questionnaire:
- can help you start the risk assessment process and identify what assets you have and some of the risks.
- is based on the ISO/IEC 17799:2005 standard (a long list of technical controls*).
- has been adapted as a result of practical experience at a number of Grid sites (CERN, FZK, STFC (ex CCLRC)).
* A control is a means of managing risk. It can include policies, procedures, guidelines, practices or organizational structures, which may be of an administrative, technical, managerial or legal nature. The term control is also used as a synonym for a safeguard, mitigation or countermeasure.

Slide 8: ISSeG questionnaire
- Security is not a "thing" you do, it is a continuous process. You need some way of working out where to start and of measuring progress.
- The questionnaire helps you identify and prioritise which security controls need to be implemented first.
- It has been developed as a Microsoft Excel® spreadsheet that requires the use of macros. (We hope you trust us!)
- If not, just reading the questionnaire is a very useful exercise!
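The slides describe the questionnaire's purpose (score how far each control is in place, then decide which to implement first) without showing the mechanics. The following is an added illustration of that prioritisation idea, not the ISSeG spreadsheet itself: the answer scale, criticality weights, and the dependency rule (a control that needs an absent prerequisite is listed after the unblocked ones) are assumptions for the example, and the recommendation ids are those quoted on the slides.

```python
"""Gap-scoring model for a control questionnaire (added example; the real
ISSeG questionnaire is an Excel workbook and is not reproduced here)."""
from dataclasses import dataclass

# Assumed answer scale: how far each control is in place at the site.
STATUS_SCALE = {"absent": 0, "partial": 1, "implemented": 2, "verified": 3}
MAX_STATUS = max(STATUS_SCALE.values())


@dataclass(frozen=True)
class ControlAnswer:
    rec: str                 # ISSeG recommendation id as quoted on the slides
    control: str             # short name of the control
    criticality: int         # 1 (low) .. 3 (high), assumed assessor weight
    status: str              # one of STATUS_SCALE
    depends_on: tuple = ()   # recs that must exist for this one to be useful


def gap_score(answer: ControlAnswer) -> int:
    """Residual gap: how much of the control is missing, weighted by criticality."""
    missing = MAX_STATUS - STATUS_SCALE[answer.status]
    return missing * answer.criticality


def prioritise(answers):
    """Return (rec, gap, blocked_by) tuples, the ones to start with first.
    A control whose prerequisite is absent is kept but marked blocked, so the
    assessor starts with the prerequisite (an asset inventory before asset
    ownership, audit logging before log protection)."""
    by_rec = {a.rec: a for a in answers}
    result = []
    for a in answers:
        blocked = tuple(d for d in a.depends_on
                        if STATUS_SCALE[by_rec[d].status] == 0)
        result.append((a.rec, gap_score(a), blocked))
    # Unblocked first, then largest gap, then id for a stable order.
    return sorted(result, key=lambda r: (bool(r[2]), -r[1], r[0]))


SAMPLE_ANSWERS = [  # constructed answers, not data from any real site
    ControlAnswer("R56", "Maintain an inventory of assets", 3, "absent"),
    ControlAnswer("R57", "Establish ownership of assets", 3, "absent", ("R56",)),
    ControlAnswer("R73", "Malicious code detection software", 2, "implemented"),
    ControlAnswer("R75", "Backup and restoration procedures", 3, "partial"),
    ControlAnswer("R82", "Audit logging of user activities", 2, "absent"),
    ControlAnswer("R84", "Protection of log information", 2, "absent", ("R82",)),
]

if __name__ == "__main__":
    for rec, gap, blocked in prioritise(SAMPLE_ANSWERS):
        note = f" (blocked by {', '.join(blocked)})" if blocked else ""
        print(f"{rec}: gap {gap}{note}")
```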

Slide 9: ISSeG questionnaire
Link: training/RiskAssessment/RiskAssessment.htm

Slide 10: Recommendations, training material
- Recommendations
  - Around 60 in total
  - Varying level of detail
  - Short, as PRACTICAL as possible
- Training material for targeted populations
  - System administrator
  - Developer
  - General user
  - Manager

Slide 11: Example Recommendations
Broaden the use of centralised management
- R1: Centrally manage accounts
- R2: Centrally manage patches and system configurations
- R3: Centrally manage Internet Services
Integrate identity and resource management
- R4: Provide integrated identity management
- R5: Ensure resources link to the people in charge of them
- R6: Define responsibilities using roles and groups
Manage your network connectivity
- R7: Restrict Intranet access to authorised devices
- R8: Restrict Internet access to authorised connections
- R9: Segregate networks dedicated to sensitive devices
- R10: Expand the use of application gateways

Slide 12: Example Recommendations
Use security mechanisms and tools
- R11: Strengthen authentication and authorisation
- R12: Increase the use of vulnerability assessment tools
- R13: Adapt incident detection to meet evolving trends
- R14: Strengthen and promote network monitoring tools
- R15: Enhance spam filter tools and mailing security
- R16: Extend policy enforcement
Strengthen administrative procedures and training
- R17: Adapt training to requirements of users, developers and system administrators
- R18: Integrate security training and best practice into organisational structures
- R19: Maintain administrative procedures in step with evolving security needs
- R20: Extend policy regulations
- R21: Regulate the use and coexistence of legacy Operating Systems

Slide 13: And more recommendations
S5: Strengthen administrative procedures and training (cont.)
- R51: Create an information security policy
- R52: Review your information security policy
- R53: Allocate information security responsibilities
- R54: Establish confidentiality agreements
- R55: Maintain contacts with special interest groups
- R56: Maintain an inventory of assets
- R57: Establish ownership of assets
- R58: Define acceptable use for assets
- R59: Establish information classification guidelines
- R60: Develop information labeling and handling procedures
- R61: Define terms and conditions of employment
- R62: Encourage information security awareness, education and training
- R63: Ensure access rights are up to date
- R64: Establish a physical security perimeter
- R65: Implement physical entry controls
- R66: Provide physical protection and guidelines for working in secure areas
- R67: Protect equipment from disruptions in supporting facilities
- R68: Assure secure disposal or reuse of equipment
- R69: Document your operating procedures
- R70: Manage changes to information processing facilities and systems
- R71: Separate your development, test, and operational facilities
- R72: Implement capacity management
- R73: Install and regularly update malicious code detection and repair software
- R74: Manage the execution of mobile code
- R75: Establish backup and restoration procedures
- R76: Implement intrusion detection and prevention mechanisms
- R77: Control access to your network
- R78: Use cryptographic techniques for information confidentiality and integrity
- R79: Establish agreements for exchange of information and software with external parties
- R80: Enhance the security of your communications
- R81: Protect the integrity of publicly available information
- R82: Enable audit logging of user activities, exceptions and security events
- R83: Establish procedures for monitoring system use and reviewing results
- R84: Ensure protection of log information
- R85: Establish an access control policy based on security requirements
- R86: Establish a formal procedure to control the allocation of access rights
- R87: Restrict and control the allocation of privileges
- R88: Implement a formal management process for password allocation
- R89: Enforce good practices in the selection and use of passwords
- R90: Ensure that unattended equipment is appropriately protected
- R91: Prevent unauthorized access to network services
- R92: Implement strong authentication for external connections
- R93: Adopt appropriate security measures for mobile computing
- R94: Implement appropriate policy, procedures, and guidelines for teleworking
- R95: Establish training and guidelines for secure programming
- R96: Establish a formal application integration/qualification process
- R97: Implement an automated patch management

Slide 14: Recommendations
- Initial versions exist for all of them and the first batch of basic ones should be on the web site before the end of the year
- Work will continue, adding the rest and improving them, until the project ends in March 2008
- The web site will also be adapted to make it easier and quicker to access the most useful material

Slide 15: Recommendation structure
Common structure: What, Why, How, Links

Slide 16: Technical recommendations
- Restrict Internet access to authorized connections
  - Closing firewall access impacts used applications
  - An update mechanism is required
- Segregate networks dedicated to sensitive devices
  - Requires careful analysis of requirements and impact
- Expand the use of application gateways
  - Reduces spread of incidents
  - Useful for untrusted devices
- Restrict Intranet access to authorized devices
  - 802.1x functionality
  - A mapping to the device owner is recommended
[Diagram: Finance network, Controls networks, Campus network]
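Slide 4 asks a site to know who is using its network and to close accounts when people leave, and the technical recommendation above asks for a mapping from each authorised device to its owner. The following added example (not ISSeG code) cross-checks what the network actually saw against the site's registration data to surface the gaps those points are about; the device inventory, account list and lease records are constructed for the illustration, and the severity labels are an assumption.

```python
"""Cross-check observed network devices against device registration and
account status (added example, constructed data, not from any real site)."""
from collections import namedtuple

Device = namedtuple("Device", "mac hostname owner")    # owner: login or None
Account = namedtuple("Account", "login status")         # status: active | left
Lease = namedtuple("Lease", "mac ip")                   # what the network saw

# Constructed registration data: what the site believes is connected.
DEVICES = [
    Device("00:11:22:33:44:01", "pc-lab-01", "asmith"),
    Device("00:11:22:33:44:02", "pc-lab-02", "bjones"),
    Device("00:11:22:33:44:03", "printer-3", None),
]
ACCOUNTS = [Account("asmith", "active"), Account("bjones", "left")]
# Constructed DHCP-style observations: what is actually on the network.
# With 802.1x at the port the last entry would be refused outright; this
# offline check is the fallback for segments that are not yet enforced.
LEASES = [
    Lease("00:11:22:33:44:01", "10.0.1.11"),
    Lease("00:11:22:33:44:02", "10.0.1.12"),
    Lease("00:11:22:33:44:03", "10.0.1.13"),
    Lease("00:11:22:33:44:99", "10.0.1.99"),   # never registered
]


def audit(devices, accounts, leases):
    """Return (severity, finding) tuples, highest severity first.
    Three gaps are reported: a MAC with no inventory entry (nobody knows who
    is using it), a registered device with no owner (nobody to contact in an
    incident), and a device whose owner's account is closed (a leaver's
    machine still on the network)."""
    by_mac = {d.mac: d for d in devices}
    status = {a.login: a.status for a in accounts}
    findings = []
    for lease in leases:
        dev = by_mac.get(lease.mac)
        if dev is None:
            findings.append(("high", f"unregistered device {lease.mac} at {lease.ip}"))
        elif dev.owner is None:
            findings.append(("medium", f"{dev.hostname} has no registered owner"))
        elif status.get(dev.owner) != "active":
            state = status.get(dev.owner, "unknown")
            findings.append(("high", f"{dev.hostname} owned by {dev.owner}, "
                                     f"whose account is {state}"))
    findings.sort(key=lambda f: f[0] != "high")   # stable: high first
    return findings


if __name__ == "__main__":
    for severity, text in audit(DEVICES, ACCOUNTS, LEASES):
        print(f"[{severity}] {text}")
```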

Slide 17: Administrative recommendations
- Extend policy regulations
  - Policy writing requires both technical and administration knowledge
  - Clarity is important for both users and administrators
- Maintain administrative procedures in step with evolving security needs
  - Regular reviews need to be planned
  - The ISS methodology is a useful tool
- Examples:
  - Strengthened policies for controls networks
  - Strengthened firewall policies
  - Strengthened account policies
  - Use of application gateways
  - Use and coexistence of legacy operating systems
  - Define rights and duties for administrators

Slide 18: Training recommendation
General users
- Computer users just want to get on and use the systems. Security needs to be invisible.
- They need to know why security is relevant to them.
[Image caption: this is not good security...]

Slide 19: General users
General advice and material for users: Advice-General-Users.pdf

Slide 20: Developers
Application developers: check lists can be useful aids to secure software.

Slide 21: Checklist for Developers
The checklist addresses the various stages of the development process:
1. Architecture
2. Design
3. Cryptography
4. Implementation
5. Coding
6. After Implementation

Slide 22: Developers
General advice and material for developers: training/Training/DeveloperCheckList.htm

Slide 23: System Administrators
System administrators: check lists can be useful aids.

Slide 24: Checklist for System Administrators
1. Harden the OS and Applications
2. Keep the OS and Applications up-to-date
3. Use a local firewall
4. Take advantage of the logs
5. Ensure that all passwords are secure
6. Take extra precautions for privileged accesses
7. Use security products when relevant
8. Take into account physical security
9. Keep your security knowledge up-to-date

Slide 25: System Administrators
General advice and material for system administrators: training/Training/SysAdminCheckList.htm

Slide 26: Managers

Slide 27: Managers
How to sell security: working with managers
- We want resources (staff time and money)
- We need support
- Managers want reassurance
- Managers see security as a necessary evil
Guidance notes are being developed: training/Recommendations/myRole_manager.htm

Slide 28: Summary
All the ISSeG material is on the web site:
- Risk assessment questionnaire
- Checklist for system administrators
- Checklist for developers
- Training/advice for general users
- Advice and material for managers
- Recommendations (will be added soon!)