Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Published byDebra Millicent Andrews Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and."— Presentation transcript:

1 Security Baseline

2 Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and improvements in the system Periodic risk assessments will provide current state & effectiveness Security baseline is used in risk assessment procedures

3 The Threats and Monitoring Plans Security Monitoring Computer Virus Controls Microcomputer Security License management Other security Physical and Environmental Security Backup and Recovery

4 Security Monitoring Plan Purpose is to identify suspected access violations and attempted system intrusions. A sample plan is: Daily review of remote access log-ins to identify failed access attempts Review of system access logs for access to systems during non-work hours Review of traffic on external gateways Review of access to application system utilities and privileged user activities Review of access to sensitive files or data

5 Computer Virus Controls An effective plan should include: Downloading current definitions from the appropriate sources on a timely basis Test virus software before distribution Distribute and upload current definitions to all platforms (servers, mail servers, firewalls, and workstations) Validate that distribution of software and definition files is effective Ensure compliance with all anti-virus software procedures Assess the communication mechanism between administrators and users on potential viruses and the reporting of suspected viruses

6 Microcomputer Security License management: Monitoring licenses registered versus licenses used Inventorying PC software Developing and distributing approved software lists Developing software usage policies

7 Microcomputer Security Other Areas to Be Monitored: Prevent the use of unauthorized software Provided training to all PC users Ensure physical and logical security of PCs used for critical business operations Ensure PC software development adherence to approved software development and maintenance methodologies Provide adequate documentation of PC applications to users Ensure the integrity of all data, applications, and information processes on the PC Provide for backup and contingency plans for PC hardware, software, and peripherals

8 Physical and Environmental Security A physical security plan should check the use of: Cipher or key pad locks Fencing Guards Monitoring devices Maintaining authorized personnel access lists Limiting access to only essential operations personnel Maintaining sign-in logs Badges

9 Physical and Environmental Security An environmental security plan should check/provide for: Backup power (UPS) Air conditioning Fire suppression devices (fire extinguishers, halon, other) Fire detection devices (sensors) Heat detection devices Business continuity plans Alternate processing facilities Disaster recovery plans System and data backups

10 Backup and Recovery Backups are critical Backups must be performed so that system, program, or information loss or damage can be efficiently restored Backups should be stored away from the processing facilities Tape management techniques need review

11 Checking Third-party access Check for: Who, when and how third-party vendors obtain, transport, and store those critical data Ensure accountability is established for transfer, transport, and storage Review third-party’s procedures periodically Ensure that vendors are suitably placed to perform disaster recovery Ensure that they sign non-disclosure agreements as they have access to critical business data If tapes are internally managed, then ensure proper labeling procedure

12 Network Assessment Checklist Obtain an understanding of the network architecture Review network diagrams and documentation Interview data network administrators Interview network device administrators Review standards relating to networked systems Review planned migration to new technologies Review network software inventory Review network hardware inventory Identify business functions utilizing the network

13 Network Assessment… Obtain an understanding of network management Identify network management tools and other utility software used in managing network Identify how network management tools are used Identify the devices managed through network Identify plans or changes to network managers

14 Network Assessment… Obtain an understanding of network security administration: Identify policies, procedures, standards, and guidelines for network security administration Identify responsibilities for network security administration Identify monitoring capabilities and reports used in network security administration

15 Network assessment… Obtain an understanding of outage/threat response capabilities: Identify tools and approaches to reducing risks Identify responsibility for emergency response Identify tools/strategies for responding to emergency conditions Identify threat incidents and priorities

16 Operating System Security Assessment Checklist includes Security policies System configuration System change control Domains and trust relationships Networking Remote access Physical access Log-on and log-off controls

17 Operating System Security Assessment… User management Group management Password management Directory and file system security System privileges and utilities Maintenance and operations Logging Backup and recovery Security administration

18 Things that can make IS difficult Lack of project sponsor and executive management support Security implementations, projects, and architectures need to be clearly understood by management and appropriate support should be provided Executive Management’s lack of understanding of realistic risk Less time and effort appropriated as a result Security audits should be used in a timely manner Lack of resources Check listing and assessing is a time/resource consuming process

19 Things that can make IS difficult Impact of mergers and acquisitions on disparate systems Different tools running on different platforms may need to interact together Different security practices can cause problems, 1+1 < 2 in security!! A detailed audit takes time and often systems start failing in the new environment before the audit finishes Independent operations throughout business units Different units of the same company can work autonomously Interoperability can create security problems

20 Things that can make IS difficult Discord between mainframe versus distributed computing cultures Mainframes provided central point of security Now security is distributed all over the place Fostering trust in the organization To foster trust organizations tend to loosen security requirements

21 Things that can make IS difficult Third-party and remote network management Outsourcing of network operations Following points can be used to bind the third- party Requirement to sign and accept internal confidentiality agreements Accepting and abiding by the contracting organization’s security policies and standards Validation and authentication of users Intrusion detection requirements, tools etc …

Download ppt "Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and."

Similar presentations

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
Information Systems Audit Program (cont.). PHYSICAL SECURITY CONTROLS.

Information Systems Audit Program (cont.). PHYSICAL SECURITY CONTROLS.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
9 - 1 Computer-Based Information Systems Control.

9 - 1 Computer-Based Information Systems Control.
Appendix B: Designing Policies for Managing Networks.

Appendix B: Designing Policies for Managing Networks.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Pertemuan 20 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan 20 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
NIST framework vs TENACE Protect Function (Sestriere, 21-23 Gennaio 2015)

NIST framework vs TENACE Protect Function (Sestriere, Gennaio 2015)
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Concepts of Database Management Seventh Edition

Concepts of Database Management Seventh Edition
Auditing 81.3550 Auditing & Automated Systems Chapter 22 Auditing & Automated Systems Chapter 22.

Auditing Auditing & Automated Systems Chapter 22 Auditing & Automated Systems Chapter 22.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Initial Findings  Secure all contracts with third party vendors immediately  Develop a strong understanding of the ‘Flow of PHI’ within and outside of.

Initial Findings  Secure all contracts with third party vendors immediately  Develop a strong understanding of the ‘Flow of PHI’ within and outside of.
Network security policy: best practices

Network security policy: best practices
Database Administration Chapter 16. Need for Databases  Data is used by different people, in different departments, for different reasons  Interpretation.

Database Administration Chapter 16. Need for Databases  Data is used by different people, in different departments, for different reasons  Interpretation.

Similar presentations

Ads by Google