Planning and Managing Information Security
Randall Sutton, President, Elytra Enterprises Inc.
April 4, 2006
Presented at the “Privacy & Security in Government Information” Seminar, Ottawa, April 4, 2005

www.elytra.com

Prevalent attitude towards Information Security (IS) at senior management level:
 At best, a perceived inconvenience
 At worst, a compliance nightmare, exacerbated by PRIVACY issues

 Reality: IS is just another business element to be factored into the cost of doing business
 It should be approached from the perspective that, handled properly, IS is a potential enabler of competitive advantage

 The intent of this presentation is to provide some guidelines for planning and managing IS

Outline
 Key elements of the IS Management System
 Statement of Sensitivity, or: what corporate assets need to be protected?
 Building the IS team
 Determining the scope of the Security Management System
 Metrics and objectives for IT security and web-based applications

Key Elements for Managing IS
 Policy
 Planning and preparation
 Protection: implementation of safeguards
 Contingency planning: incident response, business continuity
 Compliance

Statement of Sensitivity (1)
 Sensitive assets: personnel, physical, information
Although this presentation focuses on the information aspect, personnel security and physical security should be looked at concurrently.

Statement of Sensitivity (2)
 Degree of sensitivity, measured along three axes: confidentiality, availability, integrity

Building the IS Team
 Largely dependent on the size of the enterprise
 The CSO (Corporate Security Officer) should be responsible for all three aspects of security (personnel, physical, information), not just IT
 The CSO should hold the CISSP or CISM professional security qualification

Scope of the IS Management System
 Assess the current level of risk: establish a baseline
 Determine what can affect the risks: list the threats
 Determine how risk (human, physical plant, IT) can be reduced at acceptable cost: ROSI (return on security investment)
 Follow up with:
   Security awareness training
   Testing of incident response and business continuity

Risk Reduction: Technical Safeguards
 Myth: often portrayed as a discipline beyond rocket science, something the CEO could never relate to
 Reality: established standards exist, e.g.
   MITS (Management of Information Technology Security) for the Canadian federal government
   ISO for industry and much of Europe
   NIST in the USA

Basic Technical Safeguards
 Anti-virus and firewalls (personal and corporate) in place
 Patching strategy in place
 Router Access Control Lists (ACLs) enforced
 SSL/TLS encryption on VPNs and wherever else feasible
In general: CONFIGURATION CONTROL

Further Safeguards
 Intrusion detection systems
 Intrusion prevention systems
 Vulnerability assessment software
 An ESM (Enterprise Security Management) platform to manage all of the above
 Third-party penetration testing to probe for weaknesses in the infrastructure and applications

Security Metrics
 Generally asset-focused
 A measure of:
   What defences are in place
   How many systems are protected against a specific threat
“Defence in depth”, or layers of security, is the key to an effective security architecture.

Sources of Information
 International Systems Security Engineering Association: Systems Security Engineering Capability Maturity Model (SSE-CMM)
 Institute for Security and Open Methodologies (ISECOM): security metrics and RAVs (Risk Assessment Values)
 The Open Web Application Security Project (OWASP)
 NIST Special Publication (SP), Security Metrics Guide for Information Technology Systems

Popular Metrics Tools
 Microsoft Threat Scoring System
 CERT Vulnerability Scoring
 SANS Critical Vulnerability Analysis Scale Ratings
 CVSS (Common Vulnerability Scoring System), an open framework

Advanced Metrics Tools
 Dashboards:
   Can be customized or configurable
   Basically a snapshot view of the enterprise’s state of security
   Include metrics for monitoring security trends over time across the various applications

A Practical Example of a Metric
 SPAM
   Relatively easy to establish a baseline on the percentage of messaging traffic that is unwanted
   Many SPAM filters to choose from
   After applying the filter, remeasure
   Continue to fine-tune the filter, reapply and remeasure
   Some slight risk that you will stop legitimate traffic, so reducing SPAM to zero is not necessarily the goal
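As an added example (not from the original presentation), the baseline / filter / remeasure / fine-tune loop above in Python, run over a constructed sample. The filter model is an assumption: each message carries a score from a hypothetical filter and a ground-truth label (e.g. from user reports during the baseline period), and the filter blocks everything at or above a threshold. The sample is built so that legitimate and unwanted mail overlap in score, which is what makes zero spam the wrong target.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    score: float    # spam score from a hypothetical filter (higher = more spam-like)
    is_spam: bool   # ground truth, e.g. from user reports during the baseline period


# Constructed sample: 12 unwanted and 8 legitimate messages. The overlap
# (legitimate mail scoring 4.0 and 5.0, spam scoring 2.5 and 3.5) is deliberate.
SAMPLE = (
    [Message(s, True) for s in (9.0, 8.5, 8.0, 7.5, 7.0, 6.5, 6.0, 5.5, 5.0, 4.5, 3.5, 2.5)]
    + [Message(s, False) for s in (0.5, 1.0, 1.0, 1.5, 2.0, 3.0, 4.0, 5.0)]
)


def baseline_spam_pct(messages) -> float:
    """Step 1: what percentage of all traffic is unwanted before any filtering."""
    return 100 * sum(m.is_spam for m in messages) / len(messages)


def measure(messages, threshold: float) -> dict:
    """Steps 3 and 4: block everything scoring >= threshold, then remeasure.
    Residual spam is reported as % of all traffic (same basis as the baseline);
    false positives as % of legitimate mail, since that is the cost being traded."""
    delivered = [m for m in messages if m.score < threshold]
    legit = [m for m in messages if not m.is_spam]
    residual = sum(m.is_spam for m in delivered)
    blocked_legit = sum(1 for m in legit if m.score >= threshold)
    return {
        "threshold": threshold,
        "residual_spam_pct": 100 * residual / len(messages),
        "false_positive_pct": 100 * blocked_legit / len(legit),
    }


def tune(messages, candidates, max_false_positive_pct: float = 0.0) -> dict:
    """Step 5: fine-tune. Of the thresholds whose false-positive rate stays within
    the agreed limit, keep the one that leaves the least spam; do not chase zero."""
    results = [measure(messages, t) for t in candidates]
    acceptable = [r for r in results if r["false_positive_pct"] <= max_false_positive_pct]
    if not acceptable:
        raise ValueError("no candidate threshold meets the false-positive limit")
    return min(acceptable, key=lambda r: r["residual_spam_pct"])


if __name__ == "__main__":
    thresholds = [2.0, 3.0, 4.0, 5.0, 5.5, 6.0, 7.0]
    print(f"baseline: {baseline_spam_pct(SAMPLE):.1f}% of traffic is spam")
    for t in thresholds:
        r = measure(SAMPLE, t)
        print(f"threshold {t:3.1f}: residual spam {r['residual_spam_pct']:5.1f}%  "
              f"legitimate mail blocked {r['false_positive_pct']:5.1f}%")
    best = tune(SAMPLE, thresholds, max_false_positive_pct=0.0)
    print(f"chosen threshold: {best['threshold']} (residual {best['residual_spam_pct']:.1f}%)")
```

With this sample a threshold of 2.0 drives residual spam to 0% but blocks half of the legitimate mail; 5.5 blocks no legitimate mail and leaves 20% of traffic as spam. The metric that goes on the dashboard is the pair (residual spam, legitimate mail blocked) tracked over successive tuning rounds, not the spam figure alone.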

Thank you. Questions?