Presentation is loading. Please wait.

Presentation is loading. Please wait.

TEL382 Greene Chapter 5.

Published byLillian Hunter Modified over 5 years ago

Similar presentations

Presentation on theme: "TEL382 Greene Chapter 5."— Presentation transcript:

1 TEL382 Greene Chapter 5

2 Outline What Are We Trying To Protect? Information Classification
Information Ownership Policy Information Classification Footprinting & Four-Step Hacking Process Information Classification Policy Information Classification Labeling and Handling Information Classification Program Lifecycle Classification Handling and Labeling Policy Value and Criticality of Information Systems Inventory of Information Systems Assets Policy 2/25/2019

3 Introduction How to protect something when we don’t know what it is worth and how sensitive it is How to determine how much time, effort and funds should we spend securing the asset 2/25/2019

4 What Are We Trying To Protect?
Databases Data Files Intellectual Property Operational & Support Procedures Research Documentation Archived Information Business Plans 2/25/2019

5 Information Ownership Policy
Information Custodian Manages Day-to-Day Controls Responsible for providing CIA for information ISO Recommends the Need for a Policy Information Security Officer (ISO) Provides Direction and Guidance 2/25/2019

6 Information Classification
Military Unclassified Confidential Secret Top Secret Commercial Public (Annual Reports, Product Documents, White Papers, etc.) Restricted (Policy Documentation, Procedure Manuals, Employee Lists, etc.) Sensitive (Personal/Privileged – Patient or Employee Records) Confidential (Business Strategies, Financial Position/Plans, Schematics, Formulas, Patents) 2/25/2019

7 Information Classification Labeling and Handling
Labels (Electronic, Print, Audio, Visual) Clear, Universally Understood Handle Information in Accordance with Its Classification Information Owner Defines Protection Information Custodian Implements Protection Information User Uses Information In Accordance with Label 2/25/2019

8 Information Classification Program Lifecycle
Information Classification Procedures Define asset and supporting information systems Characterize criticality of information system Identify information owner and information custodian Assign classification level Determine and implement corresponding level of controls Label information and information system appropriately Document handling procedures, including disposal Integrate handling procedures into information user security awareness program Declassify information when (and if) appropriate Information may be reclassified or declassified 2/25/2019

9 Value and Criticality of Information Systems
In Calculating Asset Value, Consider: Cost to acquire or develop Cost to maintain and protect Cost to replace Importance to owner Competitive advantage of information Marketability of information Impact on delivery of product or services Reputation Liability issues Regulatory compliance requirements 2/25/2019

10 Inventory of Information Systems Assets Policy
Hardware Computer Equipment Communication Equipment Storage Media Infrastructure Equipment Software OS Productivity Applications 2/25/2019

11 Asset Attributes Unique Identifier Asset Description
Manufacturer Imprint Physical and Logical Address Controlling Entity 2/25/2019

12 System Characterization
Understanding of System System Boundaries HW & SW Information Stored, Processed or Passing Through Ranking By: Protection Level – Safeguards Required Operations Importance (System Impact – How Important) 2/25/2019

13 Review Risk Assessment
2/25/2019

14 TEL382 Greene Chapter 9

15 Outline What is a Security Posture? Managing User Access
Access Control Policy Managing User Access User Access Management Policy Keeping Passwords Secure Password Use Policy User Authentication for Remote Connections User Authentication for Remote Connections Policy Mobile Computing Mobile Computing Policy Telecommunting Telecommunting Policy Monitoring System Access and Use Monitoring System Access and Use Policy 2/25/2019

16 Introduction Controlling Who (What) has Access to Which Information
Concepts Deny/Allow All Least Privilege Need-to-Know Etc. Methods Accounts Authentication Password Management 2/25/2019

17 What is a Security Posture?
Organization’s Attitude Toward Security Default Positions Secure (Default Deny) Reactive (Default Permit) Least Privilege Give User Least Amount of Access Required to Perform Job Functions Need-to-Know Demonstrated and Authorized Reasons for Access Few People Have Access to Critical Business Operations Individual Users Don’t Know More Than They Should 2/25/2019

18 Access Control Policy Access Models Classification Models
MAC DAC RBAC Classification Models TS, S, C, U R, S, C, P Security Clearance Level, Access Privilege, Need-to-Know 2/25/2019

19 Managing User Access User Access Management Starting Work
Promotions, Terminations, Transfers, etc. 2/25/2019

20 Keeping Passwords Secure
Don’t Share Don’t Write It Down Anywhere Change Frequently Change From Admin Assigned Value Immediately Process for Reissuing (I Forgot!!) Change if Compromise is Suspected Don’t Allow Applications or Web Sites to Remember Don’t Use Same Password for Different Purposes 2/25/2019

21 User Authentication for Remote Connections
Risk Assessment Dial-Up vs. Internet Access VPN IPSec Authentication Server RADIUS TACACS+ Hardware Tokens Private Lines Dial-back 2/25/2019

22 Mobile Computing Risk Assessment Approved Devices
How Data is Stored on Portable Devices Mandating Connectivity Means Protection Malware Theft/Loss 2/25/2019

23 Telecommunting Controls Ensuring CIA (Same as “on-premises”)
Secure Equipment from Accidental and Intentional Misuse Equipment Not to be Used For Non-business Purposes Classification Guidelines Equipment Must be Physically Secured 2/25/2019

24 Monitoring System Access and Use
Parameters to Monitor Authorized Access Privileged Operations Unauthorized Attempts System Alerts or Failures Review and Retention Legalities 2/25/2019

25 TEL382 Greene Chapter 10

26 Outline What Are The Risks to the Organization?
Security Requirements of Systems Security Requirements of Systems Policy The Things That Should Never Happen To Sensitive Data Sloppy Code vs. Secure Code Security in Applications Systems Policy Risk Assessments and Cryptography Breaking the Caesar Cipher Cryptographic Controls Policy Operating System and Application Software Stability Security of System Files, Development, and Support Processes Policy 2/25/2019

27 What Are The Risks to the Organization?
Business and Mission-Critical Applications Organizational Risks Loss of Productivity Loss of Trust Systems Development Systems Maintenance 2/25/2019

28 Security Requirements of Systems
Risk Assessments Third-Party Consultants Advantages/Disadvantages Separation of Duties Adding Controls After Implementation 2/25/2019

29 The Things That Should Never Happen To Sensitive Data
Loss Modification Misuse 2/25/2019

30 Code Sloppy vs. Secure System Owner Responsibilities Techniques
Input Validation Data Validation Output Validation 2/25/2019

31 Cryptography Risk Assessments CIA Plus Non-repudiation Key Management
Digital Signatures Key Management 2/25/2019

32 Operating System and Application Software Stability
Thorough Testing Testing Environment No Live Data Only Stable Versions Updates Rollback Policy When To/Who Install(s) Updates 2/25/2019

Download ppt "TEL382 Greene Chapter 5."

Similar presentations

What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.

What is GARP®? GARP® is an Acronym for Generally Accepted Recordkeeping Principles ARMA understands that records must be.
Secure Systems Research Group - FAU Process Standards (and Process Improvement)

Secure Systems Research Group - FAU Process Standards (and Process Improvement)
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.

JEFF WILLIAMS INFORMATION SECURITY OFFICER CALIFORNIA STATE UNIVERSITY, SACRAMENTO Payment Card Industry Data Security Standard (PCI DSS) Compliance.
Chapter 5: Asset Classification

Chapter 5: Asset Classification
The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.

The Office of Information Technology Information Security Administrator Kenneth Pierce, Vice Provost for IT and Chief Information Officer.
Access Control Methodologies

Access Control Methodologies
Security Controls – What Works

Security Controls – What Works
© Prentice Hall 2002 14.1 CHAPTER 14 Managing Technological Resources.

© Prentice Hall CHAPTER 14 Managing Technological Resources.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Social Engineering Jero-Jewo. Case study Social engineering is the act of manipulating people into performing actions or divulging confidential information.

Social Engineering Jero-Jewo. Case study Social engineering is the act of manipulating people into performing actions or divulging confidential information.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
کامیار نیرومند کارشناس تیم تجهیزات مرکز تخصصی آپا دانشگاه صنعتی اصفهان پاییز 1388 1.

کامیار نیرومند کارشناس تیم تجهیزات مرکز تخصصی آپا دانشگاه صنعتی اصفهان پاییز
Achieving our mission Presented to Line Staff. INTERNAL CONTROLS What are they?

Achieving our mission Presented to Line Staff. INTERNAL CONTROLS What are they?
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Information Asset Classification

Information Asset Classification
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.
Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.

Auditing Logical Access in a Network Environment Presented By, Eric Booker and Mark Ren New York State Comptroller’s Office Network Security Unit.

Similar presentations

Ads by Google