ISSeG Integrated Site Security for Grids WP2 - Methodology

Methodology for Site Security Assessment
JSPG Meeting, 27 June 2007
Lionel Cons, CERN
© Members of the ISSeG Collaboration, 27 June 2007

Proposed Methodology
(inputs on the left came initially from ISO-17799:2005)

Step 1 – Find The Assets
Asset = Anything that has value to the organization [ISO 13335-1:2004]
Five identified asset categories:
- Organizational (intellectual property rights, public image…)
- Human
- Information / data (administrative, personal, physics…)
- Service (network, authentication, email, office…)
- Hardware
These are currently merged with “security requirements”.

Baseline Assets
Preliminary list of asset types likely to be present everywhere:
- Locally managed PC
- Network
- Backup
- Office servers
- Application servers
- Centralized authentication

Specific Assets
Preliminary list of asset types that may be site specific:
- Expensive and/or dangerous equipment
- Provide services across Internet
- Local email service
- Exchange confidential data
- Stores confidential information
- High-availability services
- Internal resources available to visitors
- External users
- Centralized backup service

Step 2 – Find The Threats
Threat = Potential cause of an incident that may result in harm to a system or organization [ISO 13335-1:2004 section 2.25]
- A generic list of threats has been compiled
- Around 50 threats identified
- Need to set the relevance of each threat for the given site
- Linked to the role profiles (user / admin / developer / manager) and the asset types

Examples of Threats
(Relevance is the site-specific rating to be set in Step 2; on this slide only T1 has been rated.)

Threat Id | Threat description                                                    | Relevance
T1        | Faulty access rights management                                       | 3
T2        | Password compromising                                                 |
T3        | Intrusion by scanning techniques                                      |
T4        | Intrusion (unauthorized network access)                               |
T5        | Data interception techniques (sniffing/man in the middle attacks,...) |
T6        | Fraudulent connection (theft of credentials)                          |
T7        | Exploiting software vulnerabilities                                   |
T8        | Fraudulent use of systems (misappropriation…)                         |
T9        | Repudiation (system usage)                                            |
T10       | Repudiation (sending/receiving of data)                               |
T11       | Saturation of resources (accidental)                                  |
T12       | Saturation of resources (intentional - denial of service)             |
T13       | Software alteration (time bomb, worm, trojan, virus…)                 |
T14       | Theft of mobile equipment or media                                    |
T15       | Propagation of false or misleading information                        |
T16       | Use of insecure/unauthorized software                                 |
T17       | Hardware failure (computer, storage device, network equipment…)       |
T18       | Hardware malfunction                                                  |
T19       | Software malfunction                                                  |
T20       | Network failure (cabling, network device…)                            |

Step 3 – Find The Risks
Risk = Combination of the probability of an event and its consequence [based on the ISO standards]
- We focus on threats
- Threats are linked to asset types
  - Need to know the relative importance of the asset types
- Threats are linked to controls (aka mitigation techniques)
  - Need to know how well the controls are applied
- We could look at “best practices” too

Examples of Controls (based on ISO 17799)

Examples of Controls (based on OCTAVE)
1. Security Awareness and Training (Step 3a)
For each statement: To what extent is this statement reflected in your organization? (Very Much / Somewhat / Not At All / Don’t Know)
- Staff members understand their security roles and responsibilities. This is documented and verified.
- There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified.
- Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified.
- Staff members follow good security practice, such as:
  - securing information for which they are responsible
  - not divulging sensitive information to others (resistance to social engineering)
  - having adequate ability to use information technology hardware and software
  - using good password practices
  - understanding and following security policies and regulations
  - recognizing and reporting incidents

Step 4 – Find The Countermeasures
- Step 3 gives a prioritized list of threats
  - From threats, we can link to recommendations and best practices
- Step 3 also gives the list of controls that can be improved and have a high impact on the overall security
  - From controls, we can also link to recommendations and best practices
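The four steps above form one chain: asset types with their importance (Step 1), threats rated for site relevance and linked to asset types and controls (Step 2), a risk score that combines them (Step 3), and a ranking of threats and of under-applied controls (Step 4). The following Python program is an added illustration of that chain and is not ISSeG project code. It reuses the asset types and threat identifiers from the slides, but the importance values, relevance ratings, threat-to-asset and threat-to-control links, questionnaire answers and the scoring formula (relevance, scaled by the share of linked controls not yet applied, times the importance of the most valuable linked asset) are all constructed assumptions chosen to show the mechanics, not figures from the project.

```python
"""Worked example of the ISSeG Step 1-4 chain (assets -> threats -> risk ->
countermeasures). Added illustration, not ISSeG project code; every number
and link below is constructed for the example."""
from dataclasses import dataclass
from statistics import mean

# OCTAVE-style questionnaire answer -> control application level on a 0..3
# scale (constructed mapping). "Don't Know" is deliberately treated as 0 so
# that an unverified control never lowers the computed risk.
ANSWER_LEVEL = {"Very Much": 3, "Somewhat": 2, "Not At All": 0, "Don't Know": 0}


@dataclass(frozen=True)
class Threat:
    tid: str
    description: str
    relevance: int      # site-specific rating 0..3 (Step 2)
    assets: tuple       # linked asset types (Step 1)
    controls: tuple     # linked controls / mitigation techniques (Step 3)


# Step 1: baseline asset types from the slides; importance 0..3 is constructed.
ASSET_IMPORTANCE = {
    "Centralized authentication": 3,
    "Network": 3,
    "Backup": 2,
    "Office servers": 2,
    "Locally managed PC": 1,
}

# Step 2: a subset of the slides' threat list; relevance and links are constructed.
THREATS = [
    Threat("T1", "Faulty access rights management", 3,
           ("Centralized authentication", "Office servers"),
           ("Access control review", "Security awareness and training")),
    Threat("T2", "Password compromising", 3,
           ("Centralized authentication",),
           ("Password policy", "Security awareness and training")),
    Threat("T7", "Exploiting software vulnerabilities", 2,
           ("Office servers", "Locally managed PC"), ("Patch management",)),
    Threat("T12", "Saturation of resources (intentional - denial of service)", 1,
           ("Network",), ("Network monitoring",)),
    Threat("T17", "Hardware failure (computer, storage device, network equipment...)", 2,
           ("Backup", "Network"), ("Backup verification",)),
]

# Constructed questionnaire answers, one per control (Step 3a).
CONTROL_ANSWERS = {
    "Access control review": "Somewhat",
    "Security awareness and training": "Not At All",
    "Password policy": "Very Much",
    "Patch management": "Somewhat",
    "Network monitoring": "Very Much",
    "Backup verification": "Don't Know",
}


def control_level(control, answers=CONTROL_ANSWERS):
    """How well a control is applied, 0..3, from its questionnaire answer."""
    return ANSWER_LEVEL[answers[control]]


def consequence(threat, importance=ASSET_IMPORTANCE):
    """Consequence side: importance of the most valuable asset type the threat can hit."""
    return max(importance[a] for a in threat.assets)


def control_gap(threat, answers=CONTROL_ANSWERS):
    """Share of the threat's mitigation not in place: 0.0 (fully applied) .. 1.0 (none)."""
    applied = mean(control_level(c, answers) for c in threat.controls)
    return 1 - applied / 3


def risk_score(threat, importance=ASSET_IMPORTANCE, answers=CONTROL_ANSWERS):
    """Step 3: risk = probability x consequence, with probability approximated
    by the site relevance scaled by the control gap (constructed formula)."""
    return round(threat.relevance * control_gap(threat, answers) * consequence(threat, importance), 2)


def prioritized_threats(threats=THREATS, importance=ASSET_IMPORTANCE, answers=CONTROL_ANSWERS):
    """Step 4 (threat side): threats ordered by descending risk, ties by id."""
    scored = [(risk_score(t, importance, answers), t.tid) for t in threats]
    return sorted(scored, key=lambda s: (-s[0], s[1]))


def control_improvement_potential(threats=THREATS, importance=ASSET_IMPORTANCE, answers=CONTROL_ANSWERS):
    """Step 4 (control side): controls ordered by the exposure they could remove
    if fully applied. Each threat's exposure (relevance x consequence) is shared
    equally among its linked controls and weighted by each control's own gap."""
    potential = {}
    for t in threats:
        exposure = t.relevance * consequence(t, importance)
        for c in t.controls:
            gap = (3 - control_level(c, answers)) / 3
            potential[c] = potential.get(c, 0) + exposure * gap / len(t.controls)
    return sorted(((round(v, 2), c) for c, v in potential.items()), key=lambda s: (-s[0], s[1]))


if __name__ == "__main__":
    print("Prioritized threats (risk, id):")
    for score, tid in prioritized_threats():
        print(f"  {tid:<4} {score}")
    print("Controls by improvement potential:")
    for score, name in control_improvement_potential():
        print(f"  {score:<5} {name}")
```

Two properties of the scoring are worth noting for a real assessment. A "Don't Know" answer counts as an unapplied control, which is why T17 (hardware failure with an unverified backup control) ties with T1 at the top of the list even though its relevance is lower: the assessment cannot give credit for a control nobody has checked. And a control shared by several threats (here, security awareness and training) accumulates improvement potential across all of them, which is exactly the "controls that can be improved and have a high impact on the overall security" that Step 4 asks for.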