Presentation is loading. Please wait.

Presentation is loading. Please wait.

Models of Security Management Matt Cupp. Overview What is Security Management? What is Security Management? ISO/IEC 17799 ISO/IEC 17799 NIST Special Publication.

Published byBruce Henry Modified over 8 years ago

Similar presentations

Presentation on theme: "Models of Security Management Matt Cupp. Overview What is Security Management? What is Security Management? ISO/IEC 17799 ISO/IEC 17799 NIST Special Publication."— Presentation transcript:

1 Models of Security Management Matt Cupp

2 Overview What is Security Management? What is Security Management? ISO/IEC 17799 ISO/IEC 17799 NIST Special Publication 800-12 NIST Special Publication 800-12 NIST Special Publication 800-14 NIST Special Publication 800-14 Other Models Other Models

3 Security Management The process of managing a defined level of security on information and services. The process of managing a defined level of security on information and services. The identification of an organization’s information assets and the development, documentation and implementation of policies, standards, procedures and guidelines. The identification of an organization’s information assets and the development, documentation and implementation of policies, standards, procedures and guidelines.

4 ISO/IEC 17799 Information security standard published and most recently revised in June 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Information security standard published and most recently revised in June 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard in the context of the C-I-A triangle. Provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard in the context of the C-I-A triangle.

5 CIA Triangle

6 ISO/IEC 17799 Sections 1 – 3: Introduction Sections 1 – 3: Introduction 4: Risk assessment and treatment - analysis of the organization's information security risks 4: Risk assessment and treatment - analysis of the organization's information security risks 5: Security policy - management direction 5: Security policy - management direction 6: Organization of information security - governance of information security 6: Organization of information security - governance of information security 7: Asset management - inventory and classification of information assets 7: Asset management - inventory and classification of information assets 8: Human resources security - security aspects for employees joining, moving and leaving an organization 8: Human resources security - security aspects for employees joining, moving and leaving an organization 9: Physical and environmental security - protection of the computer facilities 9: Physical and environmental security - protection of the computer facilities 10: Communications and operations management - management of technical security controls in systems and networks 10: Communications and operations management - management of technical security controls in systems and networks

7 ISO/IEC 17799 11: Access control - restriction of access rights to networks, systems, applications, functions and data 11: Access control - restriction of access rights to networks, systems, applications, functions and data 12: Information systems acquisition, development and maintenance - building security into applications 12: Information systems acquisition, development and maintenance - building security into applications 13: Information security incident management - anticipating and responding appropriately to information security breaches 13: Information security incident management - anticipating and responding appropriately to information security breaches 14: Business continuity management - protecting, maintaining and recovering business-critical processes and systems 14: Business continuity management - protecting, maintaining and recovering business-critical processes and systems 15: Compliance - ensuring conformance with information security policies, standards, laws and regulations 15: Compliance - ensuring conformance with information security policies, standards, laws and regulations

8 NIST Special Publication 800-12 Provides a broad overview of computer security and control areas. It also emphasizes the importance of the security controls and ways to implement them. Provides a broad overview of computer security and control areas. It also emphasizes the importance of the security controls and ways to implement them. Initially this document was aimed at the federal government although most practices in this document can be applied to the private sector as well. Specifically it was written for those people in the federal government responsible for handling sensitive systems. Initially this document was aimed at the federal government although most practices in this document can be applied to the private sector as well. Specifically it was written for those people in the federal government responsible for handling sensitive systems.

9 800-12 Identifies 17 controls organized into 3 categories Management Controls Management Controls Techniques and concerns that focus on managing the computer security program and the risk attributed to it Techniques and concerns that focus on managing the computer security program and the risk attributed to it Operational Controls Operational Controls Addresses security controls that are implemented and executed by people (not systems) Addresses security controls that are implemented and executed by people (not systems) Technical Controls Technical Controls Focuses on security controls that the computer system executes Focuses on security controls that the computer system executes

10

11 NIST Special Publication 800-14 A.K.A - Generally Accepted Principles and Practices for Securing Information Technology Systems A.K.A - Generally Accepted Principles and Practices for Securing Information Technology Systems Describes common security principles that are used. It provides a high level description of what should be incorporated within a computer security policy. Describes common security principles that are used. It provides a high level description of what should be incorporated within a computer security policy. Describes what can be done to improve existing security as well as how to develop a new security practice. Eight principles and fourteen practices are described within the document. Describes what can be done to improve existing security as well as how to develop a new security practice. Eight principles and fourteen practices are described within the document.

12 Other Models NIST Special Publication 800-18 NIST Special Publication 800-18 Guide for Developing Security Plans for Information Technology Systems Guide for Developing Security Plans for Information Technology Systems NIST Special Publication 800-26 NIST Special Publication 800-26 Security Self-Assessment Guide for Information Technology Systems Security Self-Assessment Guide for Information Technology Systems NIST Special Publication 800-30 NIST Special Publication 800-30 Risk Management Guide for Information Technology Systems Risk Management Guide for Information Technology Systems Hybrid Models by combining multiple methods Hybrid Models by combining multiple methods

13 Conclusion What is Security Management? What is Security Management? ISO/IEC 17799 ISO/IEC 17799 NIST Special Publication 800-12 NIST Special Publication 800-12 NIST Special Publication 800-14 NIST Special Publication 800-14 Other Models Other Models

14 References Francisco, Wayne. GHD Infrastructure Security. April 2004.. Francisco, Wayne. GHD Infrastructure Security. April 2004.. Guttman, Barbara. Swanson, Marianne. Generally Accepted Principles and Practices for Securing Information Technology Systems. September 1996.. Guttman, Barbara. Swanson, Marianne. Generally Accepted Principles and Practices for Securing Information Technology Systems. September 1996.. www.dream-catchers-inc.com/White%20Papers/glossary_of_terms- AM.htm www.dream-catchers-inc.com/White%20Papers/glossary_of_terms- AM.htm en.wikipedia.org/wiki/Security_management en.wikipedia.org/wiki/Security_management http://en.wikipedia.org/wiki/Cyber_security_standards#NIST http://en.wikipedia.org/wiki/Cyber_security_standards#NIST http://en.wikipedia.org/wiki/ISO_17799 http://en.wikipedia.org/wiki/ISO_17799

Download ppt "Models of Security Management Matt Cupp. Overview What is Security Management? What is Security Management? ISO/IEC 17799 ISO/IEC 17799 NIST Special Publication."

Similar presentations

The Conceptual Framework of mLearning Security for University in Thailand Sarawut Ramjan Department of e-Commerce Management North-Chiang Mai university.

The Conceptual Framework of mLearning Security for University in Thailand Sarawut Ramjan Department of e-Commerce Management North-Chiang Mai university.
Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.

Copyright © XiSEC, All rights reserved, 2002 Secure Computing Best Lifetime Achievement Award 2002 Ted Humphreys Information Security Management Goes Global.
EMS Checklist (ISO model)

EMS Checklist (ISO model)
Agenda What is Compliance? Risk and Compliance Management

Agenda What is Compliance? Risk and Compliance Management
Information Technology – Guidelines for the Management of IT Security

Information Technology – Guidelines for the Management of IT Security
NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.

NOTE: To change the image on this slide, select the picture and delete it. Then click the Pictures icon in the placeholde r to insert your own image. Cybersecurity.
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Agenda COBIT 5 Product Family Information Security COBIT 5 content

Agenda COBIT 5 Product Family Information Security COBIT 5 content
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
1 Copyright © 2010 M. E. Kabay. All rights reserved. Security Audits, Standards, & Inspections CSH5 Chapter 54 “Security Audits, Standards and Inspections”

1 Copyright © 2010 M. E. Kabay. All rights reserved. Security Audits, Standards, & Inspections CSH5 Chapter 54 “Security Audits, Standards and Inspections”
Getting Your EMS Started: Policy Statements EPA Regions 9 & 10 and The Federal Network for Sustainability.

Getting Your EMS Started: Policy Statements EPA Regions 9 & 10 and The Federal Network for Sustainability.
ISO 17799&ITS APPLICATION Prepared by Çağatay Boztürk 14.06.2005.

ISO 17799&ITS APPLICATION Prepared by Çağatay Boztürk
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Geneva, Switzerland, 14 November 2014 Data Protection for Public Cloud (International Standard ISO 27018) Stéphane Guilloteau Engineer Expert, Orange Labs.

Geneva, Switzerland, 14 November 2014 Data Protection for Public Cloud (International Standard ISO 27018) Stéphane Guilloteau Engineer Expert, Orange Labs.
First Practice - Information Security Management System Implementation and ISO 27001 Certification.

First Practice - Information Security Management System Implementation and ISO Certification.
Affiliated Information Security Collaborative An Affiliated Enterprise Approach to Information Security Deans and Vice Presidents Meeting April 17, 2014.

Affiliated Information Security Collaborative An Affiliated Enterprise Approach to Information Security Deans and Vice Presidents Meeting April 17, 2014.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.

Copyright © Center for Systems Security and Information Assurance Lesson Eight Security Management.

Similar presentations

Ads by Google