Presentation is loading. Please wait.

Presentation is loading. Please wait.

ISSeG Integrated Site Security for Grids WP2 - Methodology

Published byAda Thomas Modified over 6 years ago

Similar presentations

Presentation on theme: "ISSeG Integrated Site Security for Grids WP2 - Methodology"— Presentation transcript:

1 ISSeG Integrated Site Security for Grids WP2 - Methodology
Methodology for Site Security Assessment JSPG Meeting, 27 June 2007 Lionel Cons, CERN © Members of the ISSeG Collaboration, 27 June 2007

2 (inputs on the left came initially from ISO-17799:2005)
Proposed Methodology (inputs on the left came initially from ISO-17799:2005) © Members of the ISSeG Collaboration, 27 June 2007

3 Step 1 – Find The Assets Asset = Anything that has value to the organization [ISO :2004] Five identified asset categories: Organizational (intellectual property rights, public image…) Human Information / data (administrative, personal, physics…) Service (network, authentication, , office…) Hardware These are currently merged with “security requirements” © Members of the ISSeG Collaboration, 27 June 2007

4 Baseline Assets Preliminary list of asset types likely to be present everywhere: Locally managed PC Network Backup Office servers Application servers Centralized authentication © Members of the ISSeG Collaboration, 27 June 2007

5 Specific Assets Preliminary list of asset types that may be site specific: Expensive and/or dangerous equipment Provide services across Internet Local service Exchange confidential data Stores confidential information High-availability services Internal resources available to visitors External users Centralized backup service © Members of the ISSeG Collaboration, 27 June 2007

6 Step 2 – Find The Threats Threat = Potential cause of an incident that may result in harm to a system or organization [ISO :2004 section 2.25] A generic list of threats has been compiled Around 50 threats identified Need to set the relevance of each threat for the given site Linked to the role profiles (user / admin / developer / manager) and the asset types © Members of the ISSeG Collaboration, 27 June 2007

7 Examples of Threats Threat Id Threat description Relevance1 T1
Faulty access rights management 3 T2 Password compromising T3 Intrusion by scanning techniques T4 Intrusion (unauthorized network access) T5 Data interception techniques (sniffing/man in the middle attacks,...) T6 Fraudulent connection (theft of credentials) T7 Exploiting software vulnerabilities T8 Fraudulent use of systems (misappropriation…) T9 Repudiation (system usage) T10 Repudiation (sending/receiving of data) T11 Saturation of resources (accidental) T12 Saturation of resources (intentional - denial of service) T13 Software alteration (time bomb, worm, trojan, virus…) T14 Theft of mobile equipment or media T15 Propagation of false or misleading information T16 Use of insecure/unauthorized software T17 Hardware failure (computer, storage device, network equipment…) T18 Hardware malfunction T19 Software malfunction T20 Network failure (cabling, network device…) © Members of the ISSeG Collaboration, 27 June 2007

8 Step 3 – Find The Risks Risk = Combination of the probability of an event and its consequence [based on the ISO standards] We focus on threats Threats are linked to asset types Need to know the relative importance of the asset types Threats are linked to controls (aka mitigation techniques) Need to know how well the controls are applied We could look at “best practices” too © Members of the ISSeG Collaboration, 27 June 2007

9 Examples of Controls (based on ISO 17799)
© Members of the ISSeG Collaboration, 27 June 2007

10 Examples of Controls (based on ISO 17799)
© Members of the ISSeG Collaboration, 27 June 2007

11 Examples of Controls (based on OCTAVE)
1. Security Awareness and Training Step 3a Statement To what extent is this statement reflected in your organization? Staff members understand their security roles and responsibilities. This is documented and verified. Very Much Somewhat Not At All Don’t Know There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified. Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified. Staff members follow good security practice, such as securing information for which they are responsible not divulging sensitive information to others (resistance to social engineering) having adequate ability to use information technology hardware and software using good password practices understanding and following security policies and regulations recognizing and reporting incidents © Members of the ISSeG Collaboration, 27 June 2007

12 Step 4 – Find The Countermeasures
Step 3 gives a prioritized list of threats From threats, we can link to recommendations and best practices Step 3 also gives the list of controls that can be improved and have a high impact on the overall security From controls, we can also link to recommendations and best practices © Members of the ISSeG Collaboration, 27 June 2007

Download ppt "ISSeG Integrated Site Security for Grids WP2 - Methodology"

Similar presentations

Separate Domains of IT Infrastructure

Separate Domains of IT Infrastructure
Lecture 1: Overview modified from slides of Lawrie Brown.

Lecture 1: Overview modified from slides of Lawrie Brown.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
IS Network and Telecommunications Risks

IS Network and Telecommunications Risks
1 An Overview of Computer Security computer security.

1 An Overview of Computer Security computer security.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software.

© 2003 by Carnegie Mellon University page 1 Information Security Risk Evaluation for Colleges and Universities Carol Woody Senior Technical Staff Software.
Chapter 3: Information Security Framework

Chapter 3: Information Security Framework
Comptroller of the Currency Administrator of National Banks E- Security Risk Mitigation: A Supervisor’s Perspective Global Dialogue World Bank Group September.

Comptroller of the Currency Administrator of National Banks E- Security Risk Mitigation: A Supervisor’s Perspective Global Dialogue World Bank Group September.
Information Security Technological Security Implementation and Privacy Protection.

Information Security Technological Security Implementation and Privacy Protection.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
© 2009 IDBI Intech, Inc. All rights reserved.IDBI Intech Confidential 1 Information (Data) Security & Risk Mitigation.

© 2009 IDBI Intech, Inc. All rights reserved.IDBI Intech Confidential 1 Information (Data) Security & Risk Mitigation.
Storage Security and Management: Security Framework

Storage Security and Management: Security Framework
CHAPTER 4 Information Security. CHAPTER OUTLINE 4.1 Introduction to Information Security 4.2 Unintentional Threats to Information Security 4.3 Deliberate.

CHAPTER 4 Information Security. CHAPTER OUTLINE 4.1 Introduction to Information Security 4.2 Unintentional Threats to Information Security 4.3 Deliberate.
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Security Risk Assessment Applied Risk Management July 2002.

Security Risk Assessment Applied Risk Management July 2002.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Similar presentations

Ads by Google