
Security Environment Assessment

Outline
- Overview
- Key Sources and Participants
- General Findings
- Policy / Procedures
- Host Systems
- Network Components
- Applications
- Overall Assessment - Compliance with Policy
- Next Steps

Overview
- Objective
  - Broad sweep to find significant strengths and weaknesses
  - A baseline, not a final statement of vulnerabilities
- Approach
  - Interviews
  - Review of system configurations
  - Automated assessment tools (GFI)
  - Examined policy, procedures, host systems, network infrastructure, and some applications

General Findings - Strengths
- Linksys router/firewall protects the network perimeter
- Mostly standardized Intel platform with a common OS, predominantly XP
- Customer security requirements have positively influenced security awareness
- Regulatory requirements dictate due diligence

General Findings - Weaknesses
- External (e.g., Internet) access is not restricted; inappropriate network traffic is not filtered
- Identified critical internal systems are not isolated
- Production systems are not subject to configuration management
- Security program lacks the key components and scope necessary to effectively influence all systems
- Dedicated security staff are not required, but existing staff lack the security knowledge and technical expertise to perform effective oversight of all systems
- Policies not used to guide internal activities
- Security responsibilities not well defined
- Available technical features not used to best advantage

Policy / Procedures - Weaknesses
- System-specific practices not tied to top-level policy
- User account / password management and access control practices not consistent
- Workstation policy not clear; basic features not implemented
- High-level policies for Internet usage etc. do not exist
- System-specific procedures not defined for most systems
- Training / user awareness for system-specific features not provided
- Training / user orientation emphasizing personal responsibility does not exist
- Incident detection and response not addressed

General Findings - Weaknesses (cont.)
- System-specific procedures lacking
- Security not integrated with business processes
- Security responsibility for new systems and applications not well defined
- Staff lack the technical expertise to effectively influence the design of new systems

Policy / Procedures
- Strengths
  - High-level policy has good components
  - Training / user orientation emphasizes personal responsibility
  - Procedures well defined for mainframe systems
- Weaknesses
  - System-specific practices not tied to top-level policy
  - User account / password / access practices not consistent
  - No provisions for incident detection / response

Host Systems
- Strengths
  - Privileged access limited
  - Security enhancements being implemented on some systems
- Weaknesses
  - Available features not used to best advantage
  - Technical vulnerabilities on many systems
  - Unnecessary services are available
  - Configuration not guided by security policy
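The "unnecessary services" and "configuration not guided by security policy" findings above are the kind of thing an assessor confirms by comparing what each host actually exposes against an approved baseline for its role. The script below is an added example of that check; it is not part of the original assessment or any tool it used. The baseline, host roles, service labels, and netstat-style output are all constructed for illustration; a real baseline would be derived from the organization's own security policy.

```python
"""Compare listening services on hosts against an approved per-role baseline.

Added example for the host-systems findings (unnecessary services,
configuration not guided by policy). The BASELINE, SERVICE_NAMES, host roles
and netstat-style output below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Approved listening endpoints per host role (hypothetical policy baseline).
BASELINE = {
    "workstation": {"tcp/135", "tcp/139", "tcp/445"},
    "fileserver": {"tcp/135", "tcp/139", "tcp/445", "tcp/3389"},
}

# Well-known ports, used only to label findings (hypothetical subset).
SERVICE_NAMES = {
    "tcp/21": "ftp", "tcp/23": "telnet", "tcp/80": "http",
    "tcp/135": "msrpc", "tcp/139": "netbios-ssn", "tcp/445": "microsoft-ds",
    "tcp/3389": "rdp", "udp/161": "snmp", "udp/1900": "ssdp",
}

# Matches Windows `netstat -an` socket lines, e.g.
#   TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
#   UDP    0.0.0.0:161            *:*
# Header lines and TCP sockets in other states (ESTABLISHED, ...) do not match.
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(LISTENING))?\s*$"
)


@dataclass(frozen=True)
class Finding:
    host: str
    role: str
    endpoint: str   # e.g. "tcp/23"
    service: str    # label from SERVICE_NAMES, or "unknown"


def listening_endpoints(netstat_output: str) -> set[str]:
    """Return 'proto/port' for every socket reachable from the network.

    TCP sockets count only in LISTENING state; UDP is connectionless, so
    every bound UDP socket counts. Loopback-only binds are excluded because
    they are not reachable from other hosts.
    """
    endpoints = set()
    for line in netstat_output.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local_addr, port, state = m.groups()
        if local_addr.startswith("127.") or local_addr == "[::1]":
            continue
        if proto == "TCP" and state != "LISTENING":
            continue
        endpoints.add(f"{proto.lower()}/{port}")
    return endpoints


def audit_host(host: str, role: str, netstat_output: str) -> list[Finding]:
    """Flag every exposed endpoint that the role's baseline does not allow."""
    allowed = BASELINE[role]
    return sorted(
        (Finding(host, role, ep, SERVICE_NAMES.get(ep, "unknown"))
         for ep in listening_endpoints(netstat_output) - allowed),
        key=lambda f: f.endpoint,
    )


# Constructed sample output from two hosts (not real captures).
SAMPLE_WORKSTATION = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       192.168.1.5:4510       ESTABLISHED
  UDP    0.0.0.0:1900           *:*
"""

SAMPLE_FILESERVER = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  UDP    0.0.0.0:161            *:*
"""


def run_assessment() -> list[Finding]:
    """Audit both constructed hosts and return all out-of-baseline services."""
    findings = audit_host("WS-01", "workstation", SAMPLE_WORKSTATION)
    findings += audit_host("FS-01", "fileserver", SAMPLE_FILESERVER)
    return findings


if __name__ == "__main__":
    for f in run_assessment():
        print(f"{f.host:6} {f.role:12} {f.endpoint:10} {f.service:12} not in baseline")
```

On the constructed input the workstation is flagged for telnet and SSDP and the file server for FTP and SNMP; the loopback-only socket and the established (non-listening) connection are correctly ignored. In practice the baseline is what ties the host configuration back to policy: a port that is in use but absent from the baseline is either an unnecessary service or a gap in the policy, and either way it is a finding.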

Network Infrastructure
- Strengths
  - Firewall / address translator limits external access
  - Router filters limit access within the network
- Weaknesses
  - Network security responsibility not well defined; configuration not guided by a security policy
  - No capability for encrypted internal communications, remote access, or Internet links
  - Dial-up access not well controlled or secured

Applications
- Strengths
  - Development and production environments are segregated
  - Application security features are used to restrict access
- Weaknesses
  - Password management practices are inconsistent
  - Personal accountability is not always maintained

Overall Assessment - Compliance with Security Policies
- Comparison of observed practice with the published "Information Security Policy"
- Policy does not influence the security configuration or management of non-mainframe systems
- Most policy statements have not been implemented consistently across the enterprise

Next Steps
- Reaction to vulnerabilities / weaknesses
  - Recommend, prioritize, and implement fixes
- Implementation of Internet and remote access solution
  - Validate design; implement technical fixes, policy, and procedures
- Define network security enhancements
  - Refine requirements; select and implement solution