ISSeG – Integrated Site Security for Grids (www.isseg.eu)
WP2 – Site Assessment Methodology, 20 June 2007

Slide 1: Methodology for Site Security Assessment
Lionel Cons, CERN

Slide 2: Proposed Methodology
(inputs on the left came initially from ISO 17799)
[Methodology diagram not captured in the transcript.]

Slide 3: Step 1 – Find The Assets
- Asset = anything that has value to the organization [ISO]
- Five identified asset categories:
  - Organizational (intellectual property rights, public image, ...)
  - Human
  - Information / data (administrative, personal, physics, ...)
  - Service (network, authentication, email, office, ...)
  - Hardware
- These are currently merged with "security requirements"

Slide 4: Baseline Assets
- Preliminary list of asset types likely to be present everywhere:
  - Locally managed PC
  - Network
  - Backup
  - Office servers
  - Application servers
  - Centralized authentication

Slide 5: Specific Assets
- Preliminary list of asset types (and site characteristics) that may be site specific:
  - Expensive and/or dangerous equipment
  - Provides services across the Internet
  - Local email service
  - Exchanges confidential data
  - Stores confidential information
  - High-availability services
  - Internal resources available to visitors
  - External users
  - Centralized backup service

Slide 6: Step 2 – Find The Threats
- Threat = potential cause of an unwanted incident, which may result in harm to a system or organization [ISO]
- A generic list of threats has been compiled
  - Around 50 threats identified
- Need to set the relevance of each threat for the given site
  - Linked to the role profiles (user / admin / developer / manager) and the asset types

Slide 7: Examples of Threats
(relevance is the site-specific value to be set in Step 2; all entries in this example are set to 3)

Threat Id  Threat description                                                      Relevance
T1         Faulty access rights management                                         3
T2         Password compromising                                                   3
T3         Intrusion by scanning techniques                                        3
T4         Intrusion (unauthorized network access)                                 3
T5         Data interception techniques (sniffing / man-in-the-middle attacks, ...) 3
T6         Fraudulent connection (theft of credentials)                            3
T7         Exploiting software vulnerabilities                                     3
T8         Fraudulent use of systems (misappropriation, ...)                       3
T9         Repudiation (system usage)                                              3
T10        Repudiation (sending/receiving of data)                                 3
T11        Saturation of resources (accidental)                                    3
T12        Saturation of resources (intentional - denial of service)               3
T13        Software alteration (time bomb, worm, trojan, virus, ...)               3
T14        Theft of mobile equipment or media                                      3
T15        Propagation of false or misleading information                          3
T16        Use of insecure/unauthorized software                                   3
T17        Hardware failure (computer, storage device, network equipment, ...)     3
T18        Hardware malfunction                                                    3
T19        Software malfunction                                                    3
T20        Network failure (cabling, network device, ...)                          3

Slide 8: Step 3 – Find The Risks
- Risk = combination of the probability of an event and its consequence [ISO]
- We focus on threats
- Threats are linked to asset types
  - Need to know the relative importance of the asset types
- Threats are linked to controls (aka mitigation techniques)
  - Need to know how well the controls are applied
  - We could look at "best practices" too

Slides 9 and 10: Examples of Controls (based on ISO 17799)
[Control tables not captured in the transcript.]

Slide 11: Examples of Controls (based on OCTAVE)

1. Security Awareness and Training (Step 3a)
For each statement: To what extent is this statement reflected in your organization?
Answers: Very Much / Somewhat / Not At All / Don't Know

- Staff members understand their security roles and responsibilities. This is documented and verified.
- There is adequate in-house expertise for all supported services, mechanisms, and technologies (e.g., logging, monitoring, or encryption), including their secure operation. This is documented and verified.
- Security awareness, training, and periodic reminders are provided for all personnel. Staff understanding is documented and conformance is periodically verified.
- Staff members follow good security practice, such as:
  - securing information for which they are responsible
  - not divulging sensitive information to others (resistance to social engineering)
  - having adequate ability to use information technology hardware and software
  - using good password practices
  - understanding and following security policies and regulations
  - recognizing and reporting incidents

Slide 12: Step 4 – Find The Countermeasures
- Step 3 gives a prioritized list of threats
  - From threats, we can link to recommendations and best practices
- Step 3 also gives the list of controls that can be improved and have a high impact on the overall security
  - From controls, we can also link to recommendations and best practices
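The slides state what Steps 3 and 4 need (threat relevance, asset importance, how well each linked control is applied) but not how to combine them. The following is an added worked example, not part of the ISSeG slides or of any ISSeG tool, showing one way to turn those inputs into the prioritized threat list of Step 3 and the "controls with high impact" list of Step 4. The scoring formula (relevance × importance of the most important linked asset × control weakness), the asset importance scale, the control names, the questionnaire answers and the threat-to-asset/control links are all assumptions constructed for illustration; only the threat IDs and descriptions come from the slide's table. "Don't Know" is deliberately scored as no coverage, since an unverified control earns no credit.

```python
"""Risk ranking for Steps 3 and 4 of the ISSeG site assessment.

Added illustration, not ISSeG's own tool. The scoring model is an assumption:

    risk(threat) = relevance(threat) * importance(most important linked asset)
                   * (1 - coverage(linked controls))

where coverage is the mean implementation level of the controls linked to the
threat, taken from OCTAVE-style questionnaire answers.
"""
from dataclasses import dataclass


# Assumed mapping of questionnaire answers to a coverage value in [0, 1].
# "Don't Know" scores 0 on purpose: an unverified control gives no credit.
COVERAGE = {"Very Much": 1.0, "Somewhat": 0.5, "Not At All": 0.0, "Don't Know": 0.0}


@dataclass(frozen=True)
class Threat:
    tid: str
    description: str
    relevance: int      # site-specific relevance, 3 = most relevant (scale assumed)
    assets: tuple       # asset types the threat applies to
    controls: tuple     # controls that mitigate the threat


# Constructed site data for the example (importance 1..3 is an assumed scale).
ASSET_IMPORTANCE = {
    "Centralized authentication": 3,
    "Network": 3,
    "Locally managed PC": 2,
    "Backup": 2,
}

# Hypothetical control names with constructed questionnaire answers for this site.
CONTROL_STATUS = {
    "Password policy": "Somewhat",
    "Patch management": "Not At All",
    "Network monitoring": "Very Much",
    "Security awareness training": "Don't Know",
}

# Threat IDs and descriptions follow the slide's table; the links are constructed.
THREATS = (
    Threat("T2", "Password compromising", 3,
           ("Centralized authentication",),
           ("Password policy", "Security awareness training")),
    Threat("T7", "Exploiting software vulnerabilities", 3,
           ("Locally managed PC",), ("Patch management",)),
    Threat("T12", "Saturation of resources (intentional - denial of service)", 2,
           ("Network",), ("Network monitoring",)),
    Threat("T14", "Theft of mobile equipment or media", 1,
           ("Locally managed PC",), ("Security awareness training",)),
)


def control_coverage(controls, status):
    """Mean coverage of the given controls; an unanswered control counts as 'Don't Know'."""
    if not controls:
        return 0.0
    return sum(COVERAGE[status.get(c, "Don't Know")] for c in controls) / len(controls)


def threat_risk(threat, importance, status):
    """Risk score of one threat under the assumed model in the module docstring."""
    if not threat.assets:
        return 0.0
    asset_weight = max(importance.get(a, 0) for a in threat.assets)
    weakness = 1.0 - control_coverage(threat.controls, status)
    return threat.relevance * asset_weight * weakness


def prioritize_threats(threats, importance, status):
    """Step 3: threats ranked by risk, highest first, as (tid, risk) pairs."""
    scored = [(t.tid, threat_risk(t, importance, status)) for t in threats]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


def control_impact(threats, importance, status):
    """Step 4: for each control, the total risk removed if it were fully applied.

    A control that partially covers several threats can outrank one that fully
    closes a single threat; surfacing that is the point of ranking by impact
    rather than by the threat list alone.
    """
    baseline = sum(threat_risk(t, importance, status) for t in threats)
    impacts = []
    for control in sorted({c for t in threats for c in t.controls}):
        improved = {**status, control: "Very Much"}
        remaining = sum(threat_risk(t, importance, improved) for t in threats)
        impacts.append((control, baseline - remaining))
    return sorted(impacts, key=lambda pair: (-pair[1], pair[0]))


if __name__ == "__main__":
    print("Threats by risk:")
    for tid, risk in prioritize_threats(THREATS, ASSET_IMPORTANCE, CONTROL_STATUS):
        print(f"  {tid:>4}  {risk:5.2f}")
    print("Controls by impact of full implementation:")
    for control, gain in control_impact(THREATS, ASSET_IMPORTANCE, CONTROL_STATUS):
        print(f"  {control:<28} {gain:5.2f}")
```

With the constructed data, T2 (password compromising against centralized authentication) ranks first because the asset is the most important and its controls are only half applied, while T12 scores zero because its single control is fully in place. On the control side, "Security awareness training" comes out ahead of "Patch management" even though patching would fully close the highest-relevance unpatched threat, because training is linked to two threats; that is the kind of cross-threat effect Step 4 is meant to expose, and it is also why the answer mapping for "Don't Know" matters: whatever a site chooses, it should be stated alongside the results.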

