Implementing IT Security for Small and Medium Enterprises. Short presentation by Subhash Uppalapati. - Edgar R. Weippl and Markus Klemen.

Presentation transcript:


Introduction
Small and Medium Enterprises (SMEs): fewer than 400 employees
Fewer resources and less expertise in IT security
Limited know-how regarding IT security

Four Levels of Security in SMEs

A Pragmatic Approach for SMEs
Aspect 1: Inspection
Aspect 2: Protection
Aspect 3: Detection
Aspect 4: Reaction
Aspect 5: Reflection

Aspect 1: Inspection
Inspection: "To determine which key processes and corporate functions are essential, the capabilities they require and their interaction with one another". This aspect consists of five steps:
1. Resource inventory: a thorough inventory of the company's resources and assets.
2. Threat assessment: identifies what threatens the identified assets. Threat categories: human error, natural disasters, system failures, malicious acts, and collateral damage.

Aspect 1: Inspection (contd.)
3. Loss analysis: potential angles to focus on are theft of resources, deletion of information, theft of information, disclosure of information, corruption of information, etc.
4. Identification of vulnerabilities: where are the weaknesses in the company? These might be technical (security design flaws) or organizational weaknesses (e.g., social engineering).
5. Assignment of safeguards: avoidance, mitigation, transference or acceptance.
6. Evaluation of current status: after the above five steps, re-assess and test.

Aspect 2: Protection
Protection: "The objects that need protection, the required level of protection, and how to reach this level by creating a comprehensive security design". This aspect consists of five steps:
1. Awareness: awareness training for 1 or 2 hours once a year.
2. Access: physical + logical.

Aspect 2: Protection (contd.)
3. Authentication and authorization: use existing access control technologies like Kerberos and Active Directory.
4. Availability: the lack of redundant server systems leads to developing and updating outage emergency plans.
5. Confidentiality: information is the important asset to protect.

Aspect 3: Detection
Detection: "Process that intends to minimize the losses from a security incident that could interrupt the core business processes". This aspect consists of three steps:
1. Classify intruder types: who is likely to attack from outside? How tough is the competition in the company's sector?
2. Enumerate intrusion methods: the most probable intrusion methods and the corresponding process. This requires in-depth know-how of intrusion detection; consulting specialists is recommended.

Aspect 3: Detection (contd.)
3. Assess intrusion detection methods: logging, Simple Network Management Protocol (SNMP).

Aspect 4: Reaction
Reaction: "How to respond to security incidents. It must define the process of reacting to certain threat scenarios". This aspect consists of three steps:
1. Develop a response plan: guidelines on how to proceed in case of emergency.
2. Assess the damage: the administrator should thoroughly assess the damage before starting the recovery procedures.

Aspect 4: Reaction (contd.)
3. Incident recovery procedures: recovery procedures should be defined, management-approved, and tested.

Aspect 5: Reflection
Reflection: "After security incidents are handled, follow-up steps should be taken to put incidents behind and continue normal operations". Only one main step:
1. Incident documentation and evaluation: the incident should be documented properly and discussed with partners and colleagues. The incident response should be evaluated, and any necessary improvements should be added to the IR plan.

Main Communication Path for IT Security-Related Issues in SMEs
Stakeholders:
1. Decision maker
2. IT administrator
3. User
4. External consultants

IT Administrator
Responsibilities like changing printer toner, assigning and modifying user rights in operating systems, setting up and maintaining internet connections, etc.
Can neglect security with so many responsibilities.
Recognizes the impact once the company has been hit by a serious incident.
Three scenarios for the amount of IT personnel resources:
1. No dedicated administrator
2. One dedicated administrator
3. More than one dedicated administrator

IT User
Believe it or not, 77% of information theft is caused by company employees (Cox, 2001).
Not appropriate: restrictions on web surfing, private e-mailing, or individual desktop settings.
Apply restrictions with care and communicate the reason.
Gain the employees' understanding and support.

Workflow Level

Workflow Level (contd.)

Information Level

Thank you