Security Controls – What Works

Presentation transcript:

Security Controls – What Works
Southside Virginia Community College: Security Awareness

Session Overview
- Identification of Information Security Drivers
- Identification of Regulations and Acts
- Introduction to Security Standards
- Understanding Security Controls
- Technology Solutions Assisting in Regulatory Compliance

Identification of Information Security Drivers

Business Drivers
What are the business drivers for information security?
- Facilitate Business Initiatives
- Protect Brand Image
- Protect Customer Confidence
- Reduce Costs and Improve Productivity
- Enhance Service Levels
- Technology Direction
- Comply with Regulations

Regulatory Compliance Drives Security Initiatives
Regulatory Compliance has emerged as the biggest driver of information security initiatives and spending. Key areas for compliance-related spending are associated with implementing an Information Security Management Framework and specifically include:
- Policies and Procedures
- Training and Awareness
- Security Event Management Tools
- Identity and Password Management Technologies

Information Security Management Framework
What is an Information Security Management Framework?
- A key set of policies and processes supporting information security
- Organizational structure and governance for information security
- Implementation of standard security controls
- Appropriate and sufficient security tools and technologies

Regulatory Benefits of Implementing an Information Security Management Framework
Regulatory benefits of implementing an Information Security Management Framework include:
- Protecting the privacy of personally identifiable information (customer and employee)
- Protecting sensitive information and resources from being accessed by, or shared with, unauthorized users
- Ensuring the integrity of financial data
- Ensuring that data content is protected and tamper-resistant
- Ensuring well-controlled systems
- Ensuring secure development and maintenance of software, systems, and applications

Information Security Management Framework Lifecycle
The implementation of the Information Security Management Framework follows the concept of the Plan, Prevent, Detect, Respond cycle, common in other management frameworks such as ISO 9001 and ISO 14001.

Information Security Management Framework Flow
Regulatory Requirements and Security Standards help define the Organization's Security Environment. This environment dictates the Organization's Security Directive, which in turn dictates the ultimate Information Security Management Framework.
[Diagram; box labels: Regulatory Requirements, Business Initiatives, Security Standards, Technology Direction, Business and Security Environment, Organizational Directive for Information Security, Information Security Framework (Security Controls), Technologies and Solutions]

Identification of Regulations and Acts

Significant Regulations and Acts
Some of the more significant security regulations and acts include:
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- Sarbanes-Oxley Act (SOX)
- European Union Data Protection Directive (EUDPD)
- Personal Data Act
- Computer Misuse Act
- Data Protection Act
- 21 CFR Part 11
- BASEL II
- Various State Security Breach Laws

Security Objectives
These regulations and acts specify information security objectives associated with:
- Security policy, organization, and program
- Personnel, human resources, and administrative security controls
- User, network, system, and physical access management
- Proactive vulnerability, risk, and threat assessment and management activities
- Intrusion detection capabilities
- Event logging and monitoring, and incident response programs and processes
- Encryption capabilities and the protection of information confidentiality and integrity
- Identification, authentication, and authorization controls for access to information and systems
- Asset classification and control
- Disaster recovery and business continuity planning
This is not an all-inclusive list of security regulatory goals, but rather a sample of the security objectives of these regulations.

Introduction to Security Standards

Value Proposition of Security Standards
- Provide outlines of accepted best practice for security management
- Provide guidelines for the implementation of security measures
- Provide a framework for the management of information, network, and system security within an organization
- Provide a suggested code of practice
- Integrate security measures into an overall security architecture
- Can be used by organizations of all sizes, industries, and sectors
Security Standard compliance is NOT required by law, though some contracts now require certification.

Compliance and Certification
To achieve compliance, the organization must implement measures that address all control objectives. Formal certification is usually achieved through a formal audit conducted by a certified independent auditor. Certification offers internal and external confidence in the Information Security Management Framework. Certification demonstrates good governance and can provide evidence of due diligence for some regulatory compliance requirements.

Compliance Achievement Process

Industry Accepted Security Standards
Some of the more commonly accepted and implemented standards include:
- International Standard, ISO/IEC 17799:2005 (ISO 17799)
- Australian Standard, AS/NZS 7799.2:2003 (AS 7799)
- Payment Card Industry (PCI) Data Standard
- Common Criteria for IT Security Evaluation (ISO 9000)
- NIST Computer Security Standards

Understanding Security Controls

Security Controls Overview
Security Controls address security issues that should be considered as part of the Information Security Management Framework:
- Security Policy
- Security Organization and Governance
- Asset Management
- Data Protection
- Personnel Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Logging and Monitoring
- Vulnerability Management
- Incident Management
- Software & System Acquisition, Development, and Maintenance
- Business Continuity Management
- Compliance
While there is no authoritative set of controls and titles, most security standards and best practices use similar titles and categories to define security controls.

Security Control Objectives - 1
Security Policy: Documented security objectives for the organization that are agreed and approved by management.
Security Organization and Governance: Assigning security responsibilities and accountability, and a management forum for setting and approving security objectives.

Security Control Objectives - 2
Asset Management: The management (identification, classification, and control) of information and of hardware and software resources.
Data Protection: Effective controls for protecting the confidentiality, integrity, and availability of information and information resources.

Security Control Objectives - 3
Personnel Security: The management of staff, terms of employment, termination processes, and awareness and training.
Physical and Environmental Security: Securing the human and system physical environment, including entry controls, fire and power controls, and cable and rack security.

Security Control Objectives - 4
Communications and Operations Management: Key security aspects of managing network and system components securely, including backups, anti-virus, patches, and media and laptop security.
Access Control: The control of logical, physical, and remote access to information and resources, including identification and authentication, authorization, and password and user management on applications, operating systems, and within networks.

Security Control Objectives - 5
Logging and Monitoring: The collection, aggregation, normalization, correlation, mining, and tracking of security events.
Vulnerability Management: The performance of risk, threat, and vulnerability assessments.
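As an added example (not part of the original slides), the Logging and Monitoring objective above carried through in code: two constructed log feeds, from an SSH daemon and a hypothetical web application (both line formats are made up here), are normalized onto one event schema, aggregated into a single time-ordered stream, and correlated so that a burst of failed logins followed by a success from the same source address is flagged even when the failures and the success were recorded by different feeds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from two hypothetical sources (formats made up for this
# example). Both record activity from 203.0.113.7, a documentation-range address.
SSHD_LOG = """\
Mar 10 09:00:01 host1 sshd[812]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:00:04 host1 sshd[812]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Mar 10 09:00:09 host1 sshd[812]: Failed password for admin from 203.0.113.7 port 51024 ssh2
Mar 10 09:00:15 host1 sshd[812]: Accepted password for admin from 203.0.113.7 port 51025 ssh2
Mar 10 09:30:00 host1 sshd[901]: Accepted publickey for deploy from 198.51.100.2 port 40000 ssh2
"""
WEBAPP_LOG = """\
2024-03-10T09:00:40Z app login result=fail user=bob src=203.0.113.7
2024-03-10T09:00:50Z app login result=fail user=bob src=203.0.113.7
2024-03-10T09:00:55Z app login result=ok user=bob src=203.0.113.7
"""
SSHD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+)")
WEB_RE = re.compile(r"^(\S+) app login result=(\w+) user=(\S+) src=(\S+)")

def normalize(line):
    """Map one raw line from either feed onto a common event schema; None if unrecognised."""
    m = SSHD_RE.match(line)
    if m:  # syslog lines carry no year; 2024 is assumed for this example
        ts = datetime.strptime("2024 " + m.group(1), "%Y %b %d %H:%M:%S")
        return {"ts": ts, "src": m.group(4), "user": m.group(3),
                "ok": m.group(2) == "Accepted", "source": "sshd"}
    m = WEB_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts, "src": m.group(4), "user": m.group(3),
                "ok": m.group(2) == "ok", "source": "webapp"}
    return None

def aggregate(*logs):
    """Collect every recognised line from all feeds into one time-ordered stream."""
    events = [e for log in logs for e in map(normalize, log.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, min_failures=3, window=timedelta(seconds=60)):
    """Flag each successful login preceded by >= min_failures failed logins from the
    same source address within `window`, whichever feed recorded the failures."""
    alerts, by_src = [], defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if not e["ok"]:
                continue
            fails = [f for f in evs[:i] if not f["ok"] and e["ts"] - f["ts"] <= window]
            if len(fails) >= min_failures:
                alerts.append({"src": src, "user": e["user"], "source": e["source"],
                               "failures": len(fails), "at": e["ts"]})
    return alerts
```

On the sample data, `correlate(aggregate(SSHD_LOG, WEBAPP_LOG))` returns two alerts for 203.0.113.7: the SSH success after three SSH failures, and the web login success whose five preceding failures span both feeds; the key-based login from 198.51.100.2 raises nothing.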

Security Control Objectives - 6
Incident Management: The detection, reporting, recording, handling, response, review, and management of security incidents.
Software & System Acquisition, Development, and Maintenance: The secure development and maintenance of software and systems for ongoing secure operation.

Security Control Objectives - 7
Business Continuity Management: Planning and defining the response in the event of a disaster or business disruption, to ensure continuity of operations.
Compliance: Ensuring compliance with security and privacy legislative requirements.

Technology Solutions Assisting in Regulatory Compliance

Microsoft's "The Regulatory Compliance Planning Guide"
This guide provides technology solutions for assisting regulatory compliance. The technology solution categories include:
- Data Classification and Protection Solutions
- Identity Management Solutions
- Authentication, Authorization, and Access Control Solutions
- Training Solutions
- Physical Security Solutions
- Vulnerability Identification Solutions
- Monitoring and Reporting Solutions
- Disaster Recovery and Failover Solutions
- Incident Management and Trouble-Tracking Solutions
- Document Management Solutions
- Business Process Management Solutions
- Project Management Solutions
- Risk Assessment Solutions
- Change Management Solutions
- Network Security Controls
- Host Control Solutions
- Malicious Software Prevention Solutions
- Application Security Solutions
- Messaging and Collaboration Solutions

Session Summary
- Regulatory Compliance has emerged as the biggest driver of information security initiatives and spending.
- Regulations and Acts specify information security objectives necessary for regulatory compliance.
- Any organization can use the guidance and requirements in Security Standards to improve aspects of its internal security management.
- Security Controls address security issues that should be considered as part of the Information Security Management Framework.
- Microsoft Products and Solutions support the implementation of security controls.
- Many Microsoft technology solutions assist in regulatory compliance.