Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security.

Presentation transcript:

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 17 – IT Security Controls, Plans and Procedures

Implementing IT Security Management

Controls or Safeguards
 controls or safeguards are practices, procedures or mechanisms which may protect against a threat, reduce a vulnerability, limit the impact of an unwanted incident, detect unwanted incidents and facilitate recovery
 classes of controls:
  - management
  - operational
  - technical

Technical Controls

Lists of Controls

Residual Risk

Cost-Benefit Analysis
 conducted to determine appropriate controls
  - greatest benefit given resources available
 qualitative or quantitative
 show cost justified by reduction in risk
 contrast impact of implementing it or not
 management chooses selection of controls
  - considers if it reduces risk too much or not enough, is too costly or appropriate
 fundamentally a business decision

IT Security Plan
 provides details of
  - what will be done
  - what resources are needed
  - who is responsible
 should include
  - risks, recommended controls, action priority
  - selected controls, resources needed
  - responsible personnel, implementation dates

Implementation Plan

Security Plan Implementation
 given plan documents what is required
 identified personnel perform needed tasks
  - to implement new or enhanced controls
  - may need system configuration changes, upgrades or new system installation
  - or development of new / extended procedures
  - with support from management
 monitored to ensure process correct
 when completed management approves

Security Training / Awareness
 responsible personnel need training
  - on details of design and implementation
  - awareness of operational procedures
 also need general awareness for all
  - spanning all levels in organization
  - essential to meet security objectives
  - lack leads to poor practices reducing security
  - aim to convince personnel that risks exist and breaches may have significant consequences

Security Awareness Issues
 organization’s security objectives, strategies, policies
 need for security, general risks to organization
 understanding why security controls are used
 roles and responsibilities for various personnel
 the need to act in accordance with policy and procedures, consequences of unauthorized actions
 the need to report any security breaches observed and to assist with their investigation

Implementation Followup
 security management is cyclic, repeated
 need to monitor implemented controls
 evaluate changes for security implications
  - otherwise increase chance of security breach
 has a number of aspects
  - which may indicate need for changes in previous stages of process

Maintenance
 need continued maintenance and monitoring of implemented controls to ensure continued correct functioning and appropriateness
 tasks include:
  - periodic review of controls
  - upgrade of controls to meet new requirements
  - check system changes do not impact controls
  - address new threats or vulnerabilities
 goal to ensure controls perform as intended

Security Compliance
 audit process to review security processes
 to verify compliance with security plan
 using internal or external personnel
 usually based on checklists to check
  - suitable policies and plans were created
  - suitable selection of controls were chosen
  - that they are maintained and used correctly
 often as part of wider general audit

Change and Configuration Management
 change management is the process to review proposed changes to systems
  - evaluate security and wider impact of changes
  - part of general systems administration process
  - cf. management of bug patch testing and install
  - may be informal or formal
 configuration management is keeping track of configuration and changes to each system
  - to help restoring systems following a failure
  - to know what patches or upgrades might be relevant
  - also part of general systems administration process
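The slide above describes configuration management as tracking each system's configuration and change management as reviewing changes against that record. The following added example (written for this page, not code from the textbook or its authors) shows the two working together: a baseline of tracked configuration files is recorded as SHA-256 digests, a later snapshot is compared against it, and every difference is checked against a list of approved change tickets. The file paths, contents and ticket id CHG-0042 are constructed sample data; the in-memory dicts stand in for reading the real files from disk.

```python
"""Configuration baseline and drift check (added example, not from the slides).

For every tracked file the baseline keeps a SHA-256 digest.  A later snapshot
is compared against it; any differing file that is not covered by an approved
change ticket is reported as unauthorised drift, which is the condition change
management exists to catch.  Approved differences are then folded into a new
baseline so the record stays current.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Drift:
    path: str
    kind: str       # "modified", "added" or "removed"
    approved: bool  # True if an approved change ticket covers this path


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def take_snapshot(files: dict[str, bytes]) -> dict[str, str]:
    """Map path -> sha256 of content.  `files` stands in for reading real paths."""
    return {path: digest(content) for path, content in files.items()}


def check_drift(baseline: dict[str, str], current: dict[str, str],
                approved_changes: dict[str, set[str]]) -> list[Drift]:
    """Compare snapshots; approved_changes maps ticket id -> paths it authorises."""
    covered = {p for paths in approved_changes.values() for p in paths}
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            kind = "removed"
        elif path not in baseline:
            kind = "added"
        elif baseline[path] != current[path]:
            kind = "modified"
        else:
            continue  # unchanged, nothing to report
        findings.append(Drift(path, kind, path in covered))
    return findings


def unauthorised(findings: list[Drift]) -> list[Drift]:
    """Drift with no approved change behind it: escalate for review."""
    return [f for f in findings if not f.approved]


def promote_baseline(baseline: dict[str, str], current: dict[str, str],
                     findings: list[Drift]) -> dict[str, str]:
    """Fold approved changes into a new baseline; unapproved ones stay out."""
    new = dict(baseline)
    for f in findings:
        if not f.approved:
            continue
        if f.kind == "removed":
            new.pop(f.path, None)
        else:
            new[f.path] = current[f.path]
    return new


# Constructed sample data: the host at baseline time and at audit time.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/ntp.conf": b"server time.example.internal\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",  # no ticket
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",                                      # unchanged
    "/etc/ntp.conf": b"server time2.example.internal\n",                          # CHG-0042
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",             # CHG-0042
}
APPROVED_CHANGES = {"CHG-0042": {"/etc/ntp.conf", "/etc/cron.d/backup"}}  # constructed ticket

if __name__ == "__main__":
    base = take_snapshot(BASELINE_FILES)
    cur = take_snapshot(CURRENT_FILES)
    findings = check_drift(base, cur, APPROVED_CHANGES)
    for f in findings:
        print(f"{f.kind:9} {f.path}  approved={f.approved}")
    print("unauthorised drift:", [f.path for f in unauthorised(findings)])
```

Run as a script it lists three differences and singles out the sshd_config edit as the one with no ticket behind it; in practice `take_snapshot` would read the paths from disk and the approved-change map would come from the change management system.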

Incident Handling
 need procedures specifying how to respond to a security incident
  - given will most likely occur sometime
 reflect range of consequences on org
 codify action to avoid panic
 e.g. mass worm
  - exploiting vulnerabilities in common apps
  - propagating via in high volumes
  - should disconnect from Internet or not?

Types of Security Incidents
 any action threatening classic security services
 unauthorized access to a system
  - unauthorized viewing by self / other of information
  - bypassing access controls
  - using another user's access
  - denying access to another user
 unauthorized modification of info on a system
  - corrupting information
  - changing information without authorization
  - unauthorized processing of information

Managing Security Incidents

Detecting Incidents
 reports from users or admin staff
  - encourage such reporting
 detected by automated tools
  - e.g. system integrity verification tools, log analysis tools, network and host intrusion detection systems, intrusion prevention systems
  - updated to reflect new attacks or vulnerabilities
  - costly so deployed if risk assessment justifies
 admins must monitor vulnerability reports
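The slide above lists log analysis tools among the automated means of detecting incidents. As an added example (written for this page, not code from the textbook or its authors), here is a small log-analysis detector: it parses sshd-style authentication lines, raises an alert when one source address accumulates too many failed logins inside a sliding time window, and then flags a later successful login from that same source, which is the sequence an administrator would want escalated for investigation. The log lines are constructed sample data with ISO timestamps rather than the syslog date format a real sshd writes, and the threshold and window are assumed tuning values.

```python
"""Minimal log-analysis detector (added example, not from the slides).

Two rules over authentication log lines:
  brute_force            - a source reaches `threshold` failed logins within `window`
  success_after_failures - a source already flagged for brute_force then succeeds
Unparseable lines are skipped; a production tool would count them so that a
change in log format does not silently blind the detector.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed line format: "<iso-ts> <host> sshd[<pid>]: Failed|Accepted <method> for [invalid user ]<user> from <ip> port <n> ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


@dataclass
class Event:
    ts: datetime
    result: str   # "Failed" or "Accepted"
    user: str
    src: str


@dataclass
class Alert:
    kind: str
    src: str
    ts: datetime
    detail: str


def parse_line(line: str):
    """Return an Event for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"])


def detect(lines, threshold: int = 5, window: timedelta = timedelta(minutes=2)) -> list[Alert]:
    failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    flagged = set()                # sources already alerted for brute force
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev.src]
        if ev.result == "Failed":
            q.append(ev.ts)
            while q and ev.ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ev.src not in flagged:
                flagged.add(ev.src)
                alerts.append(Alert("brute_force", ev.src, ev.ts,
                                    f"{len(q)} failed logins within {window}"))
        elif ev.src in flagged:
            alerts.append(Alert("success_after_failures", ev.src, ev.ts,
                                f"user {ev.user} accepted after repeated failures"))
    return alerts


# Constructed sample log: one noisy source (203.0.113.5), one benign user, one stray failure.
SAMPLE_LOG = """\
2024-03-01T10:00:01 gw sshd[2001]: Accepted publickey for bob from 198.51.100.7 port 50122 ssh2
2024-03-01T10:00:05 gw sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
2024-03-01T10:00:09 gw sshd[2003]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
2024-03-01T10:00:14 gw sshd[2004]: Failed password for root from 203.0.113.5 port 40003 ssh2
2024-03-01T10:00:20 gw sshd[2005]: Failed password for alice from 203.0.113.5 port 40004 ssh2
2024-03-01T10:00:31 gw sshd[2006]: Failed password for alice from 192.0.2.9 port 51000 ssh2
2024-03-01T10:00:44 gw sshd[2007]: Failed password for alice from 203.0.113.5 port 40005 ssh2
2024-03-01T10:01:02 gw sshd[2008]: Accepted password for alice from 203.0.113.5 port 40006 ssh2
2024-03-01T10:05:00 gw sshd[2009]: pam_unix(sshd:session): session opened for user bob
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.ts.isoformat()} {a.kind:22} {a.src:15} {a.detail}")
```

On the sample log the detector raises exactly two alerts, both for 203.0.113.5: the brute-force alert on the fifth failure and the success-after-failures alert when alice's password login from that source is accepted; the single failure from 192.0.2.9 stays below the threshold and the session-opened line is skipped as unrecognised.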

Responding to Incidents
 need documented response procedures
  - how to identify cause of the security incident
  - describe action taken to recover from it
 procedures should
  - identify typical categories of incidents and approach taken to respond
  - identify management personnel responsible for making critical decisions and their contacts
  - whether to report incident to police / CERT etc

Documenting Incidents
 need to identify vulnerability used
 and how to prevent it occurring in future
 recorded details for future reference
 consider impact on org and risk profile
  - may simply be unlucky
  - more likely risk profile has changed
  - hence risk assessment needs reviewing
  - followed by reviewing controls in use

Case Study: Silver Star Mines
 given risk assessment, identify controls
  - clearly many categories not in use
 general issue of systems not being patched or upgraded
 plus need for contingency plans
 SCADA: add intrusion detection system
 info integrity: better centralize storage
 provide backup system

Implementation Plan

Summary
 security controls or safeguards
  - management, operational, technical
  - supportive, preventative, detection / recovery
 IT security plan
 implementation of controls
  - implement plan, training and awareness
 implementation followup
  - maintenance, compliance, change / config management, incident handling