
IMPLEMENTING IT SECURITY FOR SMALL AND MEDIUM ENTERPRISES. Short presentation by Subhash Uppalapati, based on the paper by Edgar R. Weippl and Markus Klemen.

Presentation transcript:

1 IMPLEMENTING IT SECURITY FOR SMALL AND MEDIUM ENTERPRISES
Short presentation by Subhash Uppalapati, based on the paper by Edgar R. Weippl and Markus Klemen.

2 INTRODUCTION
Small and Medium Enterprises (SMEs): fewer than 400 employees.
Fewer resources and less expertise in IT security.
Limited know-how regarding IT security.

3 FOUR LEVELS OF SECURITY IN SMEs

4 A PRAGMATIC APPROACH FOR SMEs
Aspect 1: Inspection
Aspect 2: Protection
Aspect 3: Detection
Aspect 4: Reaction
Aspect 5: Reflection

5 ASPECT 1: INSPECTION
Inspection: "To determine which key processes and corporate functions are essential, the capabilities they require and their interaction with one another."
This aspect consists of five steps:
1. Resource inventory: a thorough inventory of the company's resources and assets.
2. Threat assessment: identifies what threatens the identified assets. Threat categories: human error, natural disasters, system failures, malicious acts, and collateral damage.

6 ASPECT 1: INSPECTION (CONTD.)
3. Loss analysis: potential angles to focus on are theft of resources, deletion of information, theft of information, disclosure of information, corruption of information, etc.
4. Identification of vulnerabilities: where are the weaknesses in the company? These might be technical (security design flaws) or organizational (e.g., susceptibility to social engineering).
5. Assignment of safeguards: avoidance, mitigation, transference or acceptance.
6. Evaluation of current status: after the above five steps, re-assess and test.

7 ASPECT 2: PROTECTION
Protection: "The objects that need protection, the required level of protection, and how to reach this level by creating a comprehensive security design."
This aspect consists of five steps:
1. Awareness: awareness training for 1 or 2 hours once a year.
2. Access: physical and logical.

8 ASPECT 2: PROTECTION (CONTD.)
3. Authentication and authorization: use existing access control technologies such as Kerberos and Active Directory.
4. Availability: the lack of redundant server systems makes it necessary to develop and keep updated outage emergency plans.
5. Confidentiality: information is the most important asset.

9 ASPECT 3: DETECTION
Detection: "Process that intends to minimize the losses from a security incident that could interrupt the core business processes."
This aspect consists of three steps:
1. Classify intruder types: who is likely to attack from outside? How tough is the competition in the branch?
2. Enumerate intrusion methods: the most probable intrusion methods and the corresponding processes. This requires extensive intrusion detection know-how; consulting specialists is recommended.

10 ASPECT 3: DETECTION (CONTD.)
3. Assess intrusion detection methods: logging, Simple Network Management Protocol (SNMP).

11 ASPECT 4: REACTION
Reaction: "How to respond to security incidents. It must define the process of reacting to certain threat scenarios."
This aspect consists of three steps:
1. Develop a response plan: guidelines on how to proceed in case of an emergency.
2. Assess the damage: the administrator should thoroughly assess the damage before starting the recovery procedures.

12 ASPECT 4: REACTION (CONTD.)
3. Incident recovery procedures: recovery procedures should be defined, management-approved, and tested.

13 ASPECT 5: REFLECTION
Reflection: "After security incidents are handled, follow-up steps should be taken to put incidents behind and continue normal operations."
Only one main step:
1. Incident documentation and evaluation: the incident should be documented properly and discussed with partners and colleagues. The incident response should be evaluated and, if improvements are necessary, they should be added to the IR plan.

14 MAIN COMMUNICATION PATH FOR IT SECURITY-RELATED ISSUES IN SMEs
Stakeholders:
1. Decision maker
2. IT administrator
3. User
4. External consultants

15 IT ADMINISTRATOR
Responsibilities such as changing printer toner, assigning and modifying user rights in operating systems, setting up and maintaining internet connections, etc.
With so many responsibilities, security can be neglected.
The impact is recognized only once the company has been hit by a serious incident.
Three scenarios for the amount of IT personnel resources:
1. No dedicated administrator
2. One dedicated administrator
3. More than one dedicated administrator

16 IT USER
Believe it or not, 77% of information theft is caused by company employees (Cox, 2001).
Not appropriate: restrictions on web surfing, private e-mailing, or individual desktop settings.
Apply restrictions with care and communicate the reason.
Gain the employees' understanding and support.

17 WORKFLOW LEVEL

18 WORKFLOW LEVEL (CONTD.)

19 INFORMATION LEVEL

20 Thank you
