The Other Side of Information Security Wilco van Ginkel – Ubizen

Purpose of the keynote
- Give the audience the other side of Information Security in a nutshell
- Nutshell because of time constraints

Agenda
- Introduction
- Business & Risk Assessment
- Security Policies & Procedures
- Security Standards
- Security Awareness
- Examples where Organisational meets Technical

Introduction
- The four fundamental questions
- The components of a total security solution
- Trend in the market
- The Security Triangle
- The Domains

The Four Questions
Most organisations ask the question: 'How should I protect?' More important is to ask first:
1. Why should I need protection?
2. How difficult will it be to protect?
3. What and against whom should I protect?
4. Then

Components of a Security Solution
- Technical: 20%
- Organisational: 80% (Assessment, Policies, Procedures, Awareness, Legal)

Trend
- Security is considered more and more as part of the normal business process
- We are not talking 'Rocket Science'
- Does this mean that technology is dead or something?
- Most organisations don't know how to do it…

Security Triangle
- Assessment & Policies
- Security Awareness
- Cryptography

The Domains
Security Requirements, Business Requirements
Domains:
1. I.T.
2. Physical
3. Environmental
4. Human
5. Organizational
6. Administrative
7. Legal

The first step: 'Meet the parents'
Because:
- They decide about security
- They should back up and support security
- They have authority
- They are responsible…
How: Perform Business & Risk Assessment

Business Assessment - 1
Why should I need protection?
- Discuss the stakes
- Discuss the different types of information
- Discuss the Security Requirements (CIAR)
- Discuss strategic questions, like:
  - Replacement value of IT targets
  - Is IT just support or strategic for the organisation?
  - …

Business Assessment - 2
How difficult will it be to protect?
Evaluate the constraints, like:
- Financial
- Internal knowledge
- Dependency on partners
- Calendar
- …

Risk Assessment - 1
Against what and whom should I protect?
- Perform Risk Assessment
- Be aware of terminology:
  - Risk Identification (RI)
  - Risk Assessment (RASS = RI + 'value')
  - Risk Management (RM = how should we protect)
  - Risk Analysis (RASS + RM)

Risk Assessment - 2
Some attention points:
- Different Risk Assessment/Analysis methodologies
- Sometimes difficult to determine the 'value'
- Make sure that you have the right people, meaning:
  - Who know the business processes
  - Who have authority to decide

Security Policies
First things first: the CSP
- Formalisation of the Security Strategy and objectives
- High level

Security Policies - 2
System Security Policies:
- General description of the Information System
- Security around the Information System
- Security on the Information System
- Technical security settings (OS, database, application)
Other important policies are, for example:
- Asset Classification
- Malicious Software Policy
- …

Security Policies - 3
Make sure that:
- The policy is supported by the System Owner
- You avoid the 'Ivory Tower Syndrome'
- The policy is clearly communicated
- The policy is useful and pragmatic

Security Procedures
Who is doing what, why and when?
Important procedures are, for example:
- Boarding Process
- Incident & Escalation
- Back-up/Recovery
- Change & Configuration Management
- …

Security Standards - 1
Are we on our own? No, there are standards out there:
- A set of best practices
- Can be a good starting point and prevents re-inventing the wheel
- However, be careful not to implement a security standard blindly…

Security Standards - 2
Some well-known examples are:
- BS/7799 part (ISO/7799-1)
- Cobit-3
- ITIL
- ISO
- Common Criteria (ISO-15408)
- NIST
- IETF
- …
Certification could be interesting.

Security Awareness
- The most critical success factor of Information Security
- Mind set
- Awareness should be at any level in the organisation
- Relation with psychology…

Organisational meets technical - 1
Example:
- CSP → Accountability principle
- Authentication Policy → strong authentication
- Countermeasure → Tokens

Organisational meets technical - 2
Example:
- CSP → Information across untrusted networks should be protected
- Cryptography Policy → Symmetric encryption, at least 128 bits, preferred choice 3-DES
- Countermeasure → Hardware encryptors

Organisational meets technical - 3
Example: Within the business process 'Electronic Transactions', there is a high security requirement for Integrity and Non-repudiation.
Defined risks are:
- Unauthorised change of the transaction
- Denial of sending the transaction
Digital signatures
Crypto Policy: Use RSA, minimum key length at least 1024 bits
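As an added example (not from the keynote), here is the third mapping carried through in Go: the crypto policy becomes a key-length check, and an RSA signature over the transaction covers both defined risks, a changed transaction failing verification and the signature being tied to the sender's private key. The 2048-bit key, the transaction text and the function names are constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// MinRSABits is the slide's crypto policy: RSA, minimum key length at least 1024 bits.
const MinRSABits = 1024

// PolicyCompliant checks a key against the minimum key length of the crypto policy.
func PolicyCompliant(pub *rsa.PublicKey) bool {
	return pub.N.BitLen() >= MinRSABits
}

// SignTransaction signs the SHA-256 digest of a transaction with RSA-PSS. Only the
// private key holder can produce it, which addresses "denial of sending the transaction".
func SignTransaction(priv *rsa.PrivateKey, tx []byte) ([]byte, error) {
	if !PolicyCompliant(&priv.PublicKey) {
		return nil, errors.New("signing key shorter than policy minimum")
	}
	digest := sha256.Sum256(tx)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifyTransaction returns nil only if tx is byte-for-byte what was signed,
// which addresses "unauthorised change of the transaction".
func VerifyTransaction(pub *rsa.PublicKey, tx, sig []byte) error {
	if !PolicyCompliant(pub) {
		return errors.New("verification key shorter than policy minimum")
	}
	digest := sha256.Sum256(tx)
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil)
}

func main() {
	// Constructed sample: a 2048-bit key (above the 1024-bit minimum) and one transaction.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tx := []byte("transfer 1000 EUR from ACC-1 to ACC-2, ref 4711")
	sig, _ := SignTransaction(priv, tx)
	fmt.Println("original verifies:", VerifyTransaction(&priv.PublicKey, tx, sig))
	// An intermediary changes the amount; the same signature no longer verifies.
	tampered := []byte("transfer 9000 EUR from ACC-1 to ACC-2, ref 4711")
	fmt.Println("tampered verifies:", VerifyTransaction(&priv.PublicKey, tampered, sig))
}
```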

Useful links

Reading stuff to fill long winter nights…
- ISO TR13335: General Management of IT Security
- ISO Common Criteria for evaluation and certification of IT security
- Baseline Protection Manual (BSI.DE)
- BS7799: Code of practice for Information Security Management (two parts)
- CobiT: Governance, Control and Audit for Information and Related Technology (ISACA)
- SSE-CMM: System Security Engineering - Capability Maturity Model

Questions, Discussions, ….