Security Management Chao-Hsien Chu, Ph.D.


Security Management
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology, The Pennsylvania State University, University Park, PA 16802
chu@ist.psu.edu
Theory → Practice: Learning by Doing (IST 515)

Security Management Framework
Control areas surrounding security management, grouped on the slide as organizational and operational:
- Security Policy
- Organizational Design
- Asset Classification and Control
- Personnel Security
- Awareness Education
- Access Control
- Physical and Environmental Security
- System Development and Maintenance
- Communications & Operations Mgmt.
- Business Continuity Management
- Compliance

Objectives
This module will familiarize you with the following:
- Why security?
- Essential security terminology.
- Core information security principles.
- The security management framework.
- Information security management governance.
- Security policies, procedures, standards, guidelines and baselines.
- Auditing frameworks for compliance.

Readings
- NIST, "An Introduction to Computer Security," SP 800-12 (Oct. 1995). Chapters 2 & 4 (Required).
- Tipton, H. and Henry, K. (Eds.), Official (ISC)2 Guide to the CISSP CBK, Auerbach, 2007. Domain 1 (Required).
- Bowen, P., Hash, J. and Wilson, M., "Information Security Handbook: A Guide for Managers," NIST, SP 800-100 (Oct. 2006). Chapter 2.
- von Solms, B. and von Solms, R., "The 10 Deadly Sins of Information Security Management," Computers & Security (2004) 23, 371-376.
- Wikipedia, Information Technology Infrastructure Library. http://en.wikipedia.org/wiki/Information_Technology_Infrastructure_Library
- Wikipedia, COSO Enterprise risk management. http://en.wikipedia.org/wiki/Enterprise_risk_management#COSO_ERM_framework
- Wikipedia, ISO/IEC 27000. http://en.wikipedia.org/wiki/Iso27000

Scenario
Stephen used to be the most bullied guy in his circle of friends. Johnson, a guy from the neighborhood, was part of the peer group and foremost in bullying Stephen, and Stephen developed a hatred for him. Johnson owned and hosted a personal website on which he showcased his web development skills; he passed the IP address of the site to his peer group so they could view the pages and comment on them. Stephen came across an article on hacking on the Internet. Amazed by the potential of the tools showcased in that article, he decided to try them hands-on. With the downloaded scanning tools, Stephen started scanning the IP address of Johnson's website.
- What kind of information will Stephen be exposed to?
- Will the scan performed by Stephen affect Johnson's website?
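To make the two questions concrete, here is an added example (not part of the original lecture) of the simplest kind of scan Stephen could run, a TCP connect scan, together with the trace it leaves on the target. The target is a throwaway service constructed on 127.0.0.1 so the code runs offline; the port range and the "OpenSSH" banner are invented for the demonstration.

```python
"""What a TCP connect scan reveals, and what it leaves behind on the target.

Added example, not from the lecture. The 'target' is a constructed service on
127.0.0.1; its banner string is invented.
"""
import socket
import threading
from contextlib import closing


def start_fake_service(banner: bytes, access_log: list):
    """Start a constructed TCP service on a free loopback port.

    Every accepted connection is appended to access_log, the same trace a real
    web or SSH server writes for each scanner connection.
    Returns (stop_event, port).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))          # port 0: the OS picks a free port
    srv.listen(5)
    srv.settimeout(0.2)                 # lets the accept loop notice `stop`
    port = srv.getsockname()[1]
    stop = threading.Event()

    def serve():
        with srv:
            while not stop.is_set():
                try:
                    conn, peer = srv.accept()
                except socket.timeout:
                    continue
                access_log.append(peer)          # (ip, source port) of the scanner
                with conn:
                    try:
                        conn.sendall(banner)     # many services announce themselves
                    except OSError:
                        pass

    threading.Thread(target=serve, daemon=True).start()
    return stop, port


def connect_scan(host: str, ports, timeout: float = 1.0) -> dict:
    """TCP connect scan: a full three-way handshake per port, no raw sockets.

    Returns {port: banner} for every port that accepted the connection.
    Closed ports answer with RST (connect_ex != 0) and are skipped.
    """
    open_ports = {}
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) != 0:
                continue
            try:
                banner = s.recv(128)
            except socket.timeout:
                banner = b""
            open_ports[port] = banner.decode("ascii", "replace").strip()
    return open_ports


def demo():
    """Scan a small range around the constructed service; return
    (service port, scan result, the target's access log)."""
    access_log = []
    stop, port = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n", access_log)
    try:
        result = connect_scan("127.0.0.1", range(port - 2, port + 3))
    finally:
        stop.set()
    return port, result, access_log


if __name__ == "__main__":
    port, result, log = demo()
    print("open ports and banners:", result)
    print("connections the target logged:", log)
```

The scan answers the first question: it tells Stephen which ports accept connections and, where the service talks first, what software and version runs there. The access log answers the second: a connect scan completes the handshake, so every probe is visible to the target as a connection from Stephen's address, and a fast scan of many ports can itself burden a small host.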

Why Security?
- The evolution of technology has focused on ease of use.
- The skill level needed for exploits keeps decreasing.
- Networked environments and network-based applications keep increasing.
- A security breach has a direct impact on the corporate asset base and goodwill.
- Administering and managing the computing infrastructure is increasingly complex.

Essential Security Terminologies

Information Security Principles - CIA
Security rests on confidentiality, integrity and availability (the CIA triad), with authenticity as a closely related fourth property:
- Confidentiality. Only authorized individuals, processes, or systems have access to information, on a need-to-know basis.
- Integrity. Information is protected from intentional, unauthorized, or accidental changes.
- Availability. Information and resources are accessible when needed (threats: DoS, DDoS).
- Authenticity. Identification and assurance of the origin of information. An unkeyed hash such as MD5 only detects accidental corruption, because an attacker who alters the data can recompute the hash; assurance of origin requires a keyed MAC or a digital signature. MD5 itself is collision-broken and should not be relied on even for integrity.
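The difference between the integrity a bare hash gives and the authenticity a keyed MAC gives is easy to demonstrate. The following is an added example, not part of the lecture: a constructed payment message is tampered with by an attacker who can recompute an unkeyed SHA-256 digest but cannot produce a fresh HMAC without the shared key (the key is generated at run time).

```python
"""Why a bare hash gives integrity against accidents but not authenticity.

Added example, not from the lecture. The message and account number are
constructed; the shared key is generated at run time.
"""
import hashlib
import hmac
import secrets


def bare_digest(message: bytes) -> str:
    """Unkeyed hash: anyone, including an attacker, can compute it."""
    return hashlib.sha256(message).hexdigest()


def verify_bare(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(bare_digest(message), digest)


def forge_bare(message: bytes) -> tuple:
    """Attacker in the middle: alter the amount and recompute the digest.
    Nothing in the digest depends on a secret, so the receiver accepts it."""
    tampered = message.replace(b"100.00", b"900.00")
    return tampered, bare_digest(tampered)


def hmac_tag(key: bytes, message: bytes) -> str:
    """Keyed MAC (HMAC-SHA256): only holders of the key can produce a valid
    tag, so a valid tag also vouches for the origin of the message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hmac(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time, closing a timing side channel
    return hmac.compare_digest(hmac_tag(key, message), tag)


def forge_hmac(message: bytes, old_tag: str) -> tuple:
    """Same attacker, no key: the best available move is to reuse the old tag."""
    return message.replace(b"100.00", b"900.00"), old_tag


def demo() -> dict:
    key = secrets.token_bytes(32)               # known to sender and receiver only
    msg = b"transfer 100.00 to account 4711"   # constructed sample message

    plain = bare_digest(msg)
    t_msg, t_plain = forge_bare(msg)
    tag = hmac_tag(key, msg)
    t_msg2, t_tag = forge_hmac(msg, tag)
    return {
        "bare_accepts_original": verify_bare(msg, plain),
        "bare_accepts_forgery": verify_bare(t_msg, t_plain),      # True: no authenticity
        "hmac_accepts_original": verify_hmac(key, msg, tag),
        "hmac_accepts_forgery": verify_hmac(key, t_msg2, t_tag),  # False
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

Replacing `hashlib.sha256` with `hashlib.md5` in `bare_digest` changes nothing about the outcome: the weakness is structural (no secret), not a property of the particular hash, which is why the slide's "hash function" belongs under integrity and a MAC or signature under authenticity.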

Confidentiality, Integrity and Availability
The three properties form the CIA triad, drawn on the slide as a triangle with Security at its centre.

Reverse CIA
- Confidentiality: preventing unauthorized subjects from accessing information.
- Integrity: preventing unauthorized subjects from modifying information.
- Availability: preventing information and resources from being inaccessible when needed.

Trade-off
Security, Functionality and Usability form a triangle: moving the ball towards security means moving away from functionality and ease of use.

Security/Risk Management Relationships
A continuous cycle around Central Management (the central focal point):
1. Determine Needs & Assess Risks
2. Implement Policies & Controls
3. Promote Awareness
4. Monitor & Evaluate, feeding back into step 1

10 Deadly Sins of Security Management (von Solms & von Solms, 2004; see Readings)
1. Not realizing that information security is a corporate governance responsibility (the buck stops right at the top).
2. Not realizing that information security is a business issue and not a technical issue.
3. Not realizing the fact that information security governance is a multi-dimensional discipline.
4. Not realizing that an information security plan must be based on identified risks.
5. Not realizing the important role of international best practices for information security management.
6. Not realizing that a corporate information security policy is absolutely essential.
7. Not realizing that information security compliance enforcement and monitoring is absolutely essential.
8. Not realizing that a proper information security governance structure is absolutely essential.
9. Not realizing the core importance of information security awareness amongst users.
10. Not empowering information security managers with the infrastructure, tools and supporting mechanisms to properly perform their responsibilities.
Lessons Learned

Multi-Dimension of Information Security
- The Corporate Governance Dimension
- The Organizational Dimension
- The Policy Dimension
- The Best Practice Dimension
- The Ethical Dimension
- The Certification Dimension
- The Legal Dimension
- The Insurance Dimension
- The Personnel/Human Dimension
- The Awareness Dimension
- The Technical Dimension
- The Measurement/Metrics Dimension (compliance monitoring, real-time IT audit)
- The Audit Dimension

Security Management Practice
- Security Governance.
- Security Policies, Procedures, Standards, Guidelines, and Baselines.
- Security Planning.
- Security Organization.
- Personnel Security.
- Security Audit and Control.
- Security Awareness, Training and Education.
- Risk Assessment and Management.
- Professional Ethics.

Security Management Governance
Security governance is the set of organizational processes and relationships that ensure the appropriate information security activities are being performed, so that risks are appropriately reduced, information security investments are appropriately directed, and executive management has visibility into the program and is asking the right questions to determine its effectiveness. Its building blocks:
- Policies, Procedures, Standards, Guidelines, Baselines
- Organizational Structures
- Roles and Responsibilities

Policies, Standards, Procedures, Baselines, & Guidelines
Laws, regulations, requirements and organizational goals & objectives sit at the top of the hierarchy and drive the policies:
- General Organizational Policies: management's security statement.
- Functional Implementing Policies: management's security directives for specific areas.
Procedures, standards, baselines and guidelines describe how these policies will be implemented within the organization:
- Standards: requirements for specific hardware & software.
- Procedures: step-by-step instructions.
- Baselines: the consistent minimum level of security every system must meet.
- Guidelines: recommendations.
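A baseline is only useful if it can be checked against real systems, which is also the core of a compliance audit. The following is an added example, not part of the lecture: a small baseline whose controls are executable checks, run against a constructed configuration snapshot of one server, with the findings rolled up per control area. The control identifiers (AC-01 and so on), the thresholds and the configuration keys are all hypothetical; the control areas are named after the ISO 17799 clauses listed later in this module.

```python
"""Turning a baseline into something that can be checked automatically.

Added example, not from the lecture. Control ids, thresholds and the host
configuration are constructed; control areas follow ISO 17799 clause names.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Control:
    cid: str                        # hypothetical baseline identifier
    area: str                       # ISO 17799 control area
    requirement: str                # the level of security the baseline mandates
    check: Callable[[dict], bool]   # fail-closed: a missing setting does not pass


BASELINE: List[Control] = [
    Control("AC-01", "Access control", "Minimum password length >= 12",
            lambda c: c.get("password_min_length", 0) >= 12),
    Control("AC-02", "Access control", "SSH password authentication disabled",
            lambda c: c.get("ssh_password_auth") is False),
    Control("CO-01", "Communications and operations management",
            "Audit logs retained >= 90 days",
            lambda c: c.get("log_retention_days", 0) >= 90),
    Control("CO-02", "Communications and operations management",
            "System clock synchronised (NTP)",
            lambda c: c.get("ntp_enabled") is True),
    Control("BC-01", "Business continuity management",
            "Backup restore tested within the last 180 days",
            lambda c: c.get("days_since_restore_test", float("inf")) <= 180),
]

# Constructed configuration snapshot of one server (not real data).
SAMPLE_HOST = {
    "password_min_length": 14,
    "ssh_password_auth": True,        # violates AC-02
    "log_retention_days": 30,         # violates CO-01
    "ntp_enabled": True,
    "days_since_restore_test": 45,
}


def audit(config: dict, baseline: List[Control] = BASELINE) -> List[Tuple[str, str, bool]]:
    """Evaluate every control; return (control id, area, passed) findings.
    A check that raises on a malformed setting counts as not met."""
    findings = []
    for ctl in baseline:
        try:
            ok = bool(ctl.check(config))
        except (TypeError, ValueError):
            ok = False
        findings.append((ctl.cid, ctl.area, ok))
    return findings


def failed_controls(findings: List[Tuple[str, str, bool]]) -> List[str]:
    """Control ids that need remediation, in baseline order."""
    return [cid for cid, _, ok in findings if not ok]


def compliance_by_area(findings: List[Tuple[str, str, bool]]) -> Dict[str, float]:
    """Fraction of controls met per control area, the figure an audit report rolls up."""
    totals: Dict[str, Tuple[int, int]] = {}
    for _, area, ok in findings:
        met, total = totals.get(area, (0, 0))
        totals[area] = (met + int(ok), total + 1)
    return {area: met / total for area, (met, total) in totals.items()}


if __name__ == "__main__":
    results = audit(SAMPLE_HOST)
    print("failed:", failed_controls(results))
    for area, score in compliance_by_area(results).items():
        print(f"{area}: {score:.0%}")
```

Two design points matter more than the particular checks: every check fails closed (an unknown or missing setting is a finding, not a pass, as the `{}` case shows), and each control carries the area it maps to, so the same findings can be reported against the baseline, against the policy it implements, or against an external framework such as ISO 17799.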

Audit Frameworks for Compliance
- COSO – The Committee of Sponsoring Organizations of the Treadway Commission (1985).
- ITIL – The IT Infrastructure Library (1989-1992).
- ISO 17799 / BS 7799 (1995).
- ISO/IEC 27000 series (2005).
- COBIT – Control Objectives for Information and Related Technology.

COSO Enterprise Risk Management – Integrated Framework
The eight components: Internal Environment, Objective Setting, Event Identification (labelled Risk Identification on the slide), Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring.

The COSO Cube

ITIL Service Management Processes (http://www.securityfocus.com/print/infocus/1815)

ITIL Framework (http://iwi.uibk.ac.at/wikiwi/index.php?title=Image:Itil.jpg)

ITIL V3 Processes and Functions (F = function)
- Service Strategy: Strategy Generation, Service Portfolio Mgmt., Demand Mgmt., Financial Mgmt.
- Service Design: Service Catalogue Mgmt., Service Level Mgmt., Capacity Mgmt., Availability Mgmt., IT Service Continuity Mgmt., Information Security Mgmt., Supplier Mgmt.
- Service Transition: Transition Planning and Support, Change Mgmt., Asset and Configuration Mgmt., Release and Deployment Mgmt., Service Validation and Testing, Evaluation, Knowledge Mgmt.
- Service Operation: Event Mgmt., Incident Mgmt., Request Fulfillment, Problem Mgmt., Access Mgmt.; functions: Service Desk (F), IT Operations Mgmt. (F), Applications Mgmt. (F), Technical Mgmt. (F).
- Continual Service Improvement: Service Measurement, Service Reporting, Service Improvement, Return on Investment, Business Questions.
(http://krpm.wordpress.com/reports/)

ISO 17799 Standards
The eleven control areas of ISO/IEC 17799:2005 (renumbered ISO/IEC 27002 in 2007):
1. Information security policy.
2. Organizing information security.
3. Asset management.
4. Human resources security.
5. Physical and environmental security.
6. Communications and operations management.
7. Access control.
8. Information systems acquisition, development and maintenance.
9. Information security incident management.
10. Business continuity management.
11. Compliance.

ISO 27000 Framework

COBIT
Business Objectives drive Governance Objectives, which COBIT expresses as requirements on Information:
- Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability.
- IT processes (four domains): Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate.
- IT Resources: Applications, Information, Infrastructure, People.

Summary of Audit Frameworks
- COSO – The Committee of Sponsoring Organizations of the Treadway Commission (1985).
- ITIL – The IT Infrastructure Library (1989-1992).
- ISO 17799 / BS 7799 (1995).
- ISO/IEC 27000 series (2005).
- COBIT – Control Objectives for Information and Related Technology.

Possible Projects
- Develop a security audit plan.
- Compliance testing according to a standard (e.g., HIPAA, ISO 27000, COBIT).
- Awareness education for HIPAA, ISO 27000 or COBIT compliance.
- A comparative analysis of different security compliance frameworks.