Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011 Operations Security.

Slides:



Advertisements
Similar presentations
Database Administration and Security Transparencies 1.
Advertisements

Enhanced Availability With RAID CC5493/7493. RAID Redundant Array of Independent Disks RAID is implemented to improve: –IO throughput (speed) and –Availability.
9 - 1 Computer-Based Information Systems Control.
Security Controls – What Works
Chapter 9 - Control in Computerized Environment ATG 383 – Spring 2002.
Sixth Edition 1 M a n a g e m e n t I n f o r m a t i o n S y s t e m s M a n a g I n g I n f o r m a t i o n T e c h n o l o g y i n t h e E – B u s i.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Pertemuan 20 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
Managing Information Systems Information Systems Security and Control Part 2 Dr. Stephania Loizidou Himona ACSC 345.
Concepts of Database Management Seventh Edition
Stephen S. Yau CSE , Fall Security Strategies.
Fifth Edition 1 M a n a g e m e n t I n f o r m a t i o n S y s t e m s M a n a g I n g I n f o r m a t i o n T e c h n o l o g y i n t h e E – B u s i.
Session 3 – Information Security Policies
Servers Redundant Array of Inexpensive Disks (RAID) –A group of hard disks is called a disk array FIGURE Server with redundant NICs.
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.
Information Resources and Communications University of California, Office of the President System-Wide Strategies for Achieving IT Security at the University.
Eleventh Edition 1 Introduction to Information Systems Essentials for the Internetworked E-Business Enterprise Irwin/McGraw-Hill Copyright © 2002, The.
November 2009 Network Disaster Recovery October 2014.
 Review the security rule as it pertains to ›Physical Safeguards ♦ How to protect the ePHI in the work environment ♦ Implementation ideas for your office.
Chapter 10: Computer Controls for Organizations and Accounting Information Systems
ISA Topic 9: Operations Security ISA 562 Internet Security Theory & Practice.
Security Operations. 2 Domain Objectives Protection and Control of Data Processing Resources Media Management Backups and Recovery Change Control Privileged.
Security of Data. Key Ideas from syllabus Security of data Understand the importance of and the mechanisms for maintaining data security Understand the.
Chapter 17: Computer Audits ACCT620 Internal Accounting Otto Chang Professor of Accounting.
Business Continuity and Disaster Recovery Chapter 8 Part 2 Pages 914 to 945.
Information Systems Security Computer System Life Cycle Security.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
Security in Practice Enterprise Security. Business Continuity Ability of an organization to maintain its operations and services in the face of a disruptive.
Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2015 Operations Security.
Operations Security Lisa M. True, CISSP January 12, 2004 Domain 7.
Asset & Security Management Chapter 9. IT Asset Management (ITAM) Is the process of tracking information about technology assets through the entire asset.
Chapter 16 Designing Effective Output. E – 2 Before H000 Produce Hardware Investment Report HI000 Produce Hardware Investment Lines H100 Read Hardware.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Sample Security Model. Security Model Secure: Identity management & Authentication Filtering and Stateful Inspection Encryption and VPN’s Monitor: Intrusion.
Operations Security CISSP Guide to Security Essentials Chapter 7.
Information Systems Security Operational Control for Information Security.
Module 9 Planning a Disaster Recovery Solution. Module Overview Planning for Disaster Mitigation Planning Exchange Server Backup Planning Exchange Server.
Information Systems Security Operations Security Domain #9.
Lesson 9-Information Security Best Practices. Overview Understanding administrative security. Security project plans. Understanding technical security.
Ali Pabrai, CISSP, CSCS ecfirst, chairman & ceo Preparing for a HIPAA Security Audit.
1 Chpt. 12: INFORMATION SYSTEM QUALITY, SECURITY, AND CONTROL.
Component 8/Unit 9bHealth IT Workforce Curriculum Version 1.0 Fall Installation and Maintenance of Health IT Systems Unit 9b Creating Fault Tolerant.
Module 9: Designing Security for Data. Overview Creating a Security Plan for Data Creating a Design for Security of Data.
Fault Tolerance and Disaster Recovery. Topics Using Antivirus software Fault tolerance –Power –Redundancy –Storage –Services Disaster Recovery –Backup/Restore.
Chapter 8 Auditing in an E-commerce Environment
Database Security Threats. Database An essential corporate resource Data is a valuable resource Must be strictly controlled, managed and secured May have.
Welcome to the ICT Department Unit 3_5 Security Policies.
Network-Attached Storage. Network-attached storage devices Attached to a local area network, generally an Ethernet-based network environment.
UNIT V Security Management of Information Technology.
Module 5: Designing Physical Security for Network Resources
ISA 400 Management of Information Security Philip Robbins – October 31, 2015 Application and Operations Security Information Security & Assurance Program.
Information Systems Security
Blackboard Security System
Risk management.
INFORMATION SYSTEMS SECURITY AND CONTROL.
ISSeG Integrated Site Security for Grids WP2 - Methodology
Processing Integrity and Availability Controls
RAID RAID Mukesh N Tekwani
CISSP Guide to Security Essentials
County HIPAA Review All Rights Reserved 2002.
INFORMATION SYSTEMS SECURITY and CONTROL
UNIT IV RAID.
Database Security &Threats
IS4680 Security Auditing for Compliance
Disaster Recovery at UNC
Security week 1 Introductions Class website Syllabus review
RAID RAID Mukesh N Tekwani April 23, 2019
Presentation transcript:

Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2011 Operations Security

Domain Objectives Protection and Control of Data Processing Resources Media Management Backups and Recovery Change Control Privileged Entity Control

Control Categories Preventive Detective Corrective Deterrent Recovery Directive Compensating

Application-related Controls Transaction Input Processing Output Test Supervision / balancing Job-flow Logging Licensing

Operations Security Focus Areas Auditors Support staff Vendors Security Programmers Operators Engineers Administrators

Domain Agenda Resource Protection Continuity of Operations Change Control Management Privileged Entity Control

Facility Support Systems The support systems in centralized and decentralized operation centers must be protected Hardware Software Storage media Cabling Physical security

Facility Support Systems (cont.) Fire protection HVAC Electrical power goals

Facility Support Systems (cont.) Water Communications Alarm systems

Media Management Storage Encryption Retrieval Disposal

Object Reuse Securely reassigned Disclosure Contamination Recoverability

Clearing of Magnetic Media Overwriting Degaussing Physical destruction

Media Management Practices Sensitive Media Controls Destroying Marking Labeling Handling Storing Declassifying

Misuse Prevention Threats Countermeasures Personal use Acceptable use policy, workstation controls, web content filtering, email filtering Theft of media Appropriate media controls Fraud Balancing of input/output reports, separation of duties, verification of information Sniffers Encryption

Records Management Consideration for records management program development Guidelines for developing a records management program Records retention

Domain Agenda Resource Protection Continuity of Operations Change Control Management Privileged Entity Control

Adequate Software & Data Backup Operations controls ensure adequate backups of: Data Operating systems Applications Transactions Configurations Reports Backups must be tested Alternate site recovery plan

Fault Tolerance Hardware failure is planned for System recognizes a failure Automatic corrective action Standby systems Cold – configured, not on, lost connections Warm – On, some lost data or transactions (TRX) Hot – ready – failover

RAID – Redundant Array of Independent Discs Hardware-based Software-based Hot spare

RAID Level 0 Two or more disks No redundancy Performance only

RAID Level 1 Exact copy (or mirror) Two or more disks Fault tolerant 200% cost

RAID Level 2 Striping of data with error correcting codes (ECC) Requires more disks than RAID 3/4/5 Not used, not commercially viable

RAID Level 3 Byte level stripes 1 drive for parity All other drives are for data

RAID Level 4 Block level stripes 1 drive for parity All other drives are for data

RAID Level 5 Block level stripes Data and parity interleaved amongst all drives The most popular RAID implementation

RAID Level 6 Block level stripes All drives used for data AND parity 2 parity types Higher cost More fault tolerant than RAID implementations 2 - 5

RAID Level 0+1 Mirroring and striping Higher cost Higher speed

RAID Level 10 Mirroring and striping Higher cost Higher speed

Redundant Array of Independent Taps (RAIT) Using tapes not disk Rea-time mirroring

Hot Spares Waiting for disaster Global Dedicated

Backup Types File image System image Data mirroring Electronic vaulting Remote journaling Database shadowing Redundant servers Standby services

System Recovery – Trusted Recovery Correct implementation Failures don’t compromise a system’s secure operation

Types of Trusted Recovery System reboot Emergency system restart System cold start

Fail Secure Cause little or no harm to personnel System remains secure

Operational Incident Handling First line of defense Logging, tracking and analysis of incidents Escalation and notification

Incident Response Team Benefits Protection of assets Profitability Regulations Avoiding downstream damage Limit exposure Priorities Life safety Labeled data Communication Reduce disruption

Contingency Plans Business continuity plans and procedures Power failure System failure Denial of service Intrusions Tampering Communication Production delay I/O errors

Domain Agenda Resource Protection Continuity of Operations Change Control Management Privileged Entity Control

Change Control Management Business and technology balance Defines Process of changes Ownership of changes Changes are reviewed for impact on security

Change Control Committee Responsibilities Management Business impact Regulations Risk management Approval Accreditation Technical Request process Functional impact Access control Testing Rollback Certification

Change Control Procedures Request Impact assessment Approval Build/test Implement Monitor

Configuration Management Elements Hardware inventory Hardware configuration chart Software Firmware Documentation requirements Testing

Patch Management Knowledge of patches Testing Deployment Zero-day challenges

Protection of Operational Files Library Maintenance Backups Source code Object code Configuration files Librarian

Domain Agenda Resource Protection Continuity of Operations Change Control Management Privileged Entity Control

Operator Privileges Data input and output Data maintenance Labeling Inventory

Administrator Privileges Systems administrators Network administrators Audit highly-privileged accounts

Security Administrator Privileges Security administration include: Policy Development Implementation Maintenance and compliance Vulnerability assessments Incident response

Control Over Privileged Entities Review of access rights Supervision Monitoring/audit

Domain Summary Resource Protection Continuity of Operations Change Control Management Privileged Entity Control

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.