Integrated Site Security for Grids (ISSeG), www.isseg.eu – WP2 Site Assessment Methodology, 20 June 2007 – WP2 Methodology

Presentation transcript:

Slide 1 – Integrated Site Security for Grids, WP2 – Site Assessment Methodology, 20 June 2007
ISSeG Integrated Site Security for Grids
Methodology for Site Security Assessment
Lionel Cons, CERN

Slide 2 – Proposed Methodology (inputs on the left came initially from ISO-17799)

Slide 3 – Step 1 – Find The Assets
- Asset = Anything that has value to the organization [ISO]
- Five identified asset categories:
  - Organizational (intellectual property rights, public image…)
  - Human
  - Information / data (administrative, personal, physics…)
  - Service (network, authentication, …, office…)
  - Hardware
- These are currently merged with “security requirements”

Slide 4 – Baseline Assets
- Preliminary list of asset types likely to be present everywhere:
  - Locally managed PC
  - Network
  - Backup
  - Office servers
  - Application servers
  - Centralized authentication

Slide 5 – Specific Assets
- Preliminary list of asset types that may be site specific:
  - Expensive and/or dangerous equipment
  - Provide services across Internet
  - Local service
  - Exchange confidential data
  - Stores confidential information
  - High-availability services
  - Internal resources available to visitors
  - External users
  - Centralized backup service

Slide 6 – Step 2 – Find The Threats
- Threat = Potential cause of an unwanted incident, which may result in harm to a system or organization [ISO]
- A generic list of threats has been compiled
  - Around 50 threats identified
- Need to set the relevance of each threat for the given site
  - Linked to the role profiles (user / admin / developer / manager) and the asset types

Slide 7 – Examples of Threats

Threat Id   Threat description                                                   Relevance [1]
T1          Faulty access rights management                                      3
T2          Password compromising                                                3
T3          Intrusion by scanning techniques                                     3
T4          Intrusion (unauthorized network access)                              3
T5          Data interception techniques (sniffing / man in the middle attacks…) 3
T6          Fraudulent connection (theft of credentials)                         3
T7          Exploiting software vulnerabilities                                  3
T8          Fraudulent use of systems (misappropriation…)                        3
T9          Repudiation (system usage)                                           3
T10         Repudiation (sending/receiving of data)                              3
T11         Saturation of resources (accidental)                                 3
T12         Saturation of resources (intentional – denial of service)            3
T13         Software alteration (time bomb, worm, trojan, virus…)                3
T14         Theft of mobile equipment or media                                   3
T15         Propagation of false or misleading information                       3
T16         Use of insecure/unauthorized software                                3
T17         Hardware failure (computer, storage device, network equipment…)      3
T18         Hardware malfunction                                                 3
T19         Software malfunction                                                 3
T20         Network failure (cabling, network device…)                           3

Slide 8 – Step 3 – Find The Risks
- Risk = Combination of the probability of an event and its consequence [ISO]
- We focus on threats
- Threats are linked to asset types
  - Need to know the relative importance of the asset types
- Threats are linked to controls (aka mitigation techniques)
  - Need to know how well the controls are applied
- We could look at “best practices” too

Slide 9 – Examples of Controls (based on ISO 17799)

Slide 10 – Examples of Controls (based on ISO 17799)

Slide 11 – Examples of Controls (based on OCTAVE)
1. Security Awareness and Training (Step 3a)
Statement – To what extent is this statement reflected in your organization? Each statement is rated: Very Much / Somewhat / Not At All / Don’t Know.
- Staff members understand their security roles and responsibilities. This is documented and verified.
- There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified.
- Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified.
- Staff members follow good security practice, such as:
  - securing information for which they are responsible
  - not divulging sensitive information to others (resistance to social engineering)
  - having adequate ability to use information technology hardware and software
  - using good password practices
  - understanding and following security policies and regulations
  - recognizing and reporting incidents

Slide 12 – Step 4 – Find The Countermeasures
- Step 3 gives a prioritized list of threats
  - From threats, we can link to recommendations and best practices
- Step 3 also gives the list of controls that can be improved and have a high impact on the overall security
  - From controls, we can also link to recommendations and best practices
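As an added worked example (not code from the ISSeG project or from these slides), the script below carries steps 2 to 4 through on a handful of the slide-7 threats: it ranks threats by risk and then ranks the linked controls by how much improving them would reduce that risk. The asset importance values, control application levels, threat-to-asset and threat-to-control links, and the multiplicative scoring formula are all assumptions, since the slides only state that threats are linked to asset types and to controls.

```python
from dataclasses import dataclass
# Constructed sample data: threat ids and descriptions come from slide 7; the
# asset links, control links and every score below are made up for illustration.
ASSET_IMPORTANCE = {"network": 3, "authentication": 3,      # relative importance
                    "office servers": 2, "locally managed PC": 1}  # 1 = low .. 3 = high
CONTROL_APPLIED = {"access rights review": 0.3, "password policy": 0.8,  # how well applied,
                   "patch management": 0.5, "network monitoring": 0.6}  # 0.0 .. 1.0 (fully)

@dataclass
class Threat:
    tid: str
    description: str
    relevance: int   # step 2: 0 (not relevant at this site) .. 3 (highly relevant)
    assets: list     # asset types the threat is linked to
    controls: list   # controls (mitigation techniques) linked to the threat

THREATS = [
    Threat("T1", "Faulty access rights management", 3,
           ["authentication", "office servers"], ["access rights review"]),
    Threat("T2", "Password compromising", 3, ["authentication"], ["password policy"]),
    Threat("T7", "Exploiting software vulnerabilities", 3,
           ["office servers", "locally managed PC"], ["patch management"]),
    Threat("T12", "Saturation of resources (intentional - denial of service)", 2,
           ["network"], ["network monitoring"]),
    Threat("T14", "Theft of mobile equipment or media", 0, ["locally managed PC"], []),
]

def risk_score(t: Threat) -> float:
    """Step 3 (assumed formula): importance of the most valuable linked asset
    x site relevance x the share of the linked controls that is still missing."""
    importance = max(ASSET_IMPORTANCE[a] for a in t.assets)
    if t.controls:
        gap = 1.0 - sum(CONTROL_APPLIED[c] for c in t.controls) / len(t.controls)
    else:
        gap = 1.0  # no control at all: fully exposed
    return round(importance * t.relevance * gap, 2)

def prioritized_threats(threats=THREATS):
    """Step 3 output: (threat id, score) pairs, highest risk first."""
    return sorted(((t.tid, risk_score(t)) for t in threats), key=lambda p: p[1], reverse=True)

def controls_to_improve(threats=THREATS):
    """Step 4 input: leverage of each control = risk of the threats it covers,
    weighted by how much of the control is still unapplied; highest first."""
    leverage = {}
    for t in threats:
        for c in t.controls:
            leverage[c] = leverage.get(c, 0.0) + risk_score(t) * (1.0 - CONTROL_APPLIED[c])
    return sorted(((c, round(v, 2)) for c, v in leverage.items()), key=lambda p: p[1], reverse=True)
```

With the sample data, T1 tops the threat list and "access rights review" tops the control list, which is the kind of linkage slide 12 describes: the same scoring that prioritizes threats also points at the controls with the highest impact.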