Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Beyond the Firewall Protecting Information in the Enterprise.

Published byDevin McCullough Modified over 10 years ago

Similar presentations

Presentation on theme: "Security Beyond the Firewall Protecting Information in the Enterprise."— Presentation transcript:

1 Security Beyond the Firewall Protecting Information in the Enterprise.

2 2 Security Beyond the Firewall Most organizations have the following: Firewall Antivirus software Intrusion Detection Intrusion Prevention Authentication technologies

3 3 Security Beyond the Firewall However the monitoring and assessment responsibilities are either overlooked, under funded or just not done properly or at all!

4 4 Security Beyond the Firewall An Information Security Policy is a collaboration of documents that states in writing how a company plans to protect the companys physical and information technology assets. It is considered to be a living document, meaning that the document is continuously updated as technology and employee requirements change.

5 5 Security Beyond the Firewall Most policies will include an Acceptable Use Policy which is a description of how the company plans to educate its employees about protecting the companys assets, an explanation of how security measurements will be carried out and enforced, and a procedure for evaluating the effectiveness of the security policy to ensure the necessary corrections will be made. Source: searchSecurity.com

6 6 Security Beyond the Firewall What steps are required in writing an Information Security Policy? 1. Commitment 2. Risk Assessment 3. Risk Mitigation 4. The Policy Document

7 7 Security Beyond the Firewall COMMITMENT You need commitment from Upper Management. They must be made aware of the magnitude of losses in case of a security breach of the company network. You must understand the corporate vision and business objectives and how IT fits in with corporate plans. Analyze the following: What are the information assets of a company in terms of hardware and software, including network as well as the future investment plan it IT/IS. What is the companys dependence on IT in real measurable terms like financial benefits, better service to clients, improved image and market share. How much the company will suffer due to any loss, leakage or distortion of information.

8 8 Security Beyond the Firewall RISK ASSESSMENT Document every risk A company may have encountered in the past Companies in similar business Companies in the same geographical area Companies using the same technology Any other risk that may impact the companys business

9 9 Security Beyond the Firewall RISK MITIGATION Security can never be achieved through a single tier of defense. We need to have multiple layers to protect our assets. For each security risk that we have tabulated, we should identify the preventive measures that could be used to reduce the risk. The measures for risk mitigations could be: Administrative measures Physical Measures Technical Measures

10 10 Security Beyond the Firewall Administrative measures consists of policies, procedures, standards and guidelines; personnel screening, security awareness training. Physical measures could be perimeter control measures, physical access control, intruder detection, fire protection, environmental monitoring. Technical measures will include logical access control, network access controls, identification and authentication devices; data encryption.

11 11 Security Beyond the Firewall Designing, documenting, implementing and monitoring security policies is a lot of administrative work. In fact, security is 75 percent administrative grind and only 25 percent technical efforts. Not a very glamorous affair, but essential. Policies are the preventive controls. Source: The importance of having an Information Security policy is now being acknowledged even by top management. But how do you go about writing an Information Security policy? by Avinash Kadam

12 12 Security Beyond the Firewall Natural and Environmental Threats: Disaster recovery (*Business Continuity Planning) Backup and recovery WAN recovery Human Threats: Password Security & Controls Internet access and security

13 13 Security Beyond the Firewall Email security: Technical controls Logical Access Controls Program Change Controls Version Controls Application Software Security Database Security: Network & Telecommunication Security Administration Data Access Roles

14 14 Security Beyond the Firewall Operating Systems Security: Firewall Security Data Classification Web server Security Intranet Security Virus-Protection E-commerce Security Data encryption

15 15 Security Beyond the Firewall Administrative Controls: Physical Security Incidence Response management Punitive actions

16 16 Security Beyond the Firewall THE POLICY DOCUMENT The Information Security Policy has to be understood and followed by all employees. It should be brief but cover all aspects.

17 17 Security Beyond the Firewall Policy Statement: Outline the objective of the policy. Emphasize the actual risks that will be addressed by this policy. Make it as near to the company's business as possible so that the reader is convinced about the necessity of the policy. Policy Scope: Specify the areas of concern which the policy will address. This will list the organizational units, individuals and technical system covered by the policy. Validity: Define the life-span for the policy and when it will be reviewed next. The review must be done at least once a year to keep the policy current.

18 18 Security Beyond the Firewall Owner: Author of the policy should be a respected IS professional. This will ensure responsibility and accountability. This is even more important while drafting policies of a technical nature. Review-details: Record of previous review and the changes therein.

19 19 Security Beyond the Firewall Compliance requirements: Punitive actions that should be taken if the policy is not adhered to. This of course needs clearance from HR, but absence of this will make the polices 'best ignored practices' instead of 'best practices'. Names of the appointed persons who will enforce these policies. Policy details: After the above preamble, here is the real policy.

20 20 Security Beyond the Firewall Specific issues that the policy is addressing: Give the background, describe the risks that have been identified, state the security expectations that the policy will fulfill. Best practices: Give a detailed list of recommended best practices. Mandatory practices: This is the minimum standard which has to be implemented.

21 21 Security Beyond the Firewall Procedure for implementation: A step-by-step procedure which will be followed for implementation of the policy. There will be references to forms, templates, standards, guidelines etc. which could be given as annexure. Monitoring and reporting mechanism to ensure proper implementation: How the compliance will be monitored. How non-compliance will be reported and what actions would be taken.

22 22 Security Beyond the Firewall Essential Policies: List the essential policies under various and applicable controls. Source: The importance of having an Information Security policy is now being acknowledged even by top management. But how do you go about writing an Information Security policy? by Avinash Kadam

23 23 Security Beyond the Firewall Example of a Information Security Policy concentrating on e- mail. The Policy Details section should cover the following: Confidentiality of information E-mail should not be used for confidential information exchange Sender will be totally responsible for the content of the information No sensitive information like password, PIN, credit card details should ever be sent by e-mail

24 24 Security Beyond the Firewall Appropriate Use: Use of e-mail will be restricted for business use only No obscene or profane message should be sent E-mail should not be used for sending spam mail E-mail should not be used to transmit chain mails, greetings, graphics etc. E-mails should not be automatically forwarded to addresses outside the company Size of the e-mail should be restricted within approved limits

25 25 Security Beyond the Firewall Management Authority: Management could use its right to monitor the e-mails Management could store the e-mails for retrieval at a later date for any legal purpose Any encryption done to e-mail attachments should be with the company's approval and the encryption key should be stored for retrieval when necessary

26 26 Security Beyond the Firewall Disclaimer Notice: Since e-mail is not a secure medium and it is very easy to read, copy or alter an e-mail, put a disclaimer similar to the one given below. The company can at least protect itself from any misuse.

27 27 Security Beyond the Firewall "The information in this mail is confidential and is intended solely for the addressee. Access to this mail by anyone else is unauthorized. Any copying or further distribution beyond the original recipient is not intended and may be unlawful. The opinion expressed in this mail is that of the sender and does not necessarily reflect that of the XXX company."

28 28 Security Beyond the Firewall U.S. Federal Security Legislation and Regulations: http://www.bakernet.com/ecommerce/fedlegis-s.htm The U.S. National Strategy to Secure Cyberspace http://www.whitehouse.gov/pipb/ SANS Internet Storm Center http://isc.incidents.org/ InfraGard http://www.infragard.org

29 29 Security Beyond the Firewall Eric D. Jordan ejordan@firmtechnology.net Ernesto T. Negron enegron@firmtechnology.net

Download ppt "Security Beyond the Firewall Protecting Information in the Enterprise."

Similar presentations

Basic Principles of GMP

Basic Principles of GMP
Writing Good Use Cases - Instructor Notes

Writing Good Use Cases - Instructor Notes
1 Senn, Information Technology, 3 rd Edition © 2004 Pearson Prentice Hall James A. Senns Information Technology, 3 rd Edition Chapter 7 Enterprise Databases.

1 Senn, Information Technology, 3 rd Edition © 2004 Pearson Prentice Hall James A. Senns Information Technology, 3 rd Edition Chapter 7 Enterprise Databases.
Chapter 14 Intranets & Extranets. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES Introduction Technical Infrastructure Planning an Intranet.

Chapter 14 Intranets & Extranets. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES Introduction Technical Infrastructure Planning an Intranet.
1 Introduction to Safety Management April 2006. 2 Objective The objective of this presentation is to highlight some of the basic elements of Safety Management.

1 Introduction to Safety Management April Objective The objective of this presentation is to highlight some of the basic elements of Safety Management.
HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.

HIPAA Security Presentation to The American Hospital Association Dianne Faup Office of HIPAA Standards November 5, 2003.
Presented to: By: Date: Federal Aviation Administration Registry/Repository in a SOA Environment SOA Brown Bag #5 SWIM Team March 9, 2011.

Presented to: By: Date: Federal Aviation Administration Registry/Repository in a SOA Environment SOA Brown Bag #5 SWIM Team March 9, 2011.
The Managing Authority –Keystone of the Control System

The Managing Authority –Keystone of the Control System
Module N° 7 – Introduction to SMS

Module N° 7 – Introduction to SMS
Computer Security CIS326 Dr Rachel Shipsey.

Computer Security CIS326 Dr Rachel Shipsey.
Site Safety Plans PFN ME 35B.

Site Safety Plans PFN ME 35B.
Understanding the benefits and the risks. Presented by Corey Nachreiner, CISSP BYOD - Bring Your Own Device or Bring Your Own Danger?

Understanding the benefits and the risks. Presented by Corey Nachreiner, CISSP BYOD - Bring Your Own Device or Bring Your Own Danger?
MOSS ADAMS LLP | 1 W HAT I S S ENSITIVE D ATA ? Whats the Risk and What Do We Do About It? Weston Nelson Steve Fineberg Steven Gin.

MOSS ADAMS LLP | 1 W HAT I S S ENSITIVE D ATA ? Whats the Risk and What Do We Do About It? Weston Nelson Steve Fineberg Steven Gin.
Privacy Impact Assessment Future Directions TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.

Privacy Impact Assessment Future Directions TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.
Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
EMS Checklist (ISO model)

EMS Checklist (ISO model)
Dr Lami Kaya LamiKaya@gmail.com ISO 27001 Information Security Management System (ISMS) Certification Overview Dr Lami Kaya LamiKaya@gmail.com.

Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
1 Dr. Ashraf El-Farghly SECC. 2 Level 3 focus on the organization - Best practices are gathered across the organization. - Processes are tailored depending.

1 Dr. Ashraf El-Farghly SECC. 2 Level 3 focus on the organization - Best practices are gathered across the organization. - Processes are tailored depending.
Effectively applying ISO9001:2000 clauses 6 and 7.

Effectively applying ISO9001:2000 clauses 6 and 7.
Copyright Critical Software S.A. 1998-2008 All Rights Reserved. COTS based approach for the Multilevel Security Problem Bernardo Patrão.

Copyright Critical Software S.A All Rights Reserved. COTS based approach for the Multilevel Security Problem Bernardo Patrão.

Similar presentations

Ads by Google