
Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology


Presentation Transcript


  1. Security Management
  Chao-Hsien Chu, Ph.D.
  College of Information Sciences and Technology
  The Pennsylvania State University, University Park, PA 16802
  chu@ist.psu.edu
  Theory and Practice. Learning by Doing. IST 515

  2. Security Management Framework (diagram, spanning the Organizational to the Operational level)
  • Security Policy
  • Organizational Design
  • Asset Classification and Control
  • Access Control
  • Compliance
  • Personnel Security
  • Awareness Education
  • Physical and Environmental Security
  • System Development and Maintenance
  • Communications & Operations Mgmt.
  • Business Continuity Management

  3. Objectives
  This module will familiarize you with the following:
  • Why security?
  • Essential security terminologies.
  • Core information security principles.
  • Security management framework.
  • Information security management governance.
  • Security policies, procedures, standards, guidelines and baselines.
  • Auditing frameworks for compliance.

  4. Readings
  • NIST, “An Introduction to Computer Security,” SP 800-12 (Oct. 1995). Chapters 2 & 4 (Required).
  • Tipton, H. and Henry, K. (Eds.), Official (ISC)2 Guide to the CISSP CBK, Auerbach, 2007. Domain 1 (Required).
  • Bowen, P., Hash, J. and Wilson, M., “Information Security Handbook: A Guide for Managers,” NIST, SP 800-100 (Oct. 2006). Chapter 2.
  • von Solms, B. and von Solms, R., “The 10 Deadly Sins of Information Security Management,” Computers & Security (2004) 23, 371-376.
  • Wikipedia, Information Technology Infrastructure Library. http://en.wikipedia.org/wiki/Information_Technology_Infrastructure_Library
  • Wikipedia, COSO Enterprise risk management. http://en.wikipedia.org/wiki/Enterprise_risk_management#COSO_ERM_framework
  • Wikipedia, ISO/IEC 27000. http://en.wikipedia.org/wiki/Iso27000

  5. Scenario
  Stephen used to be the most bullied guy in his circle of friends. Johnson, a neighborhood guy, was part of the peer group and foremost in bullying Stephen. Stephen started developing hatred for Johnson. Johnson owned and hosted a personal website where he showcased his web development skills. He passed the IP address of his website to his peer group so that they could comment on it after viewing the pages. Stephen came across an article on hacking on the Internet. Amazed by the potential of the tools showcased in that article, he decided to try them hands on. With the downloaded scanning tools, Stephen started scanning the IP of Johnson’s website.
  • What kind of information will Stephen be exposed to?
  • Will the scan performed by Stephen affect Johnson’s website?

  6. Why Security?
  • Evolution of technology focused on ease of use.
  • Decreasing skill level needed for exploits.
  • Increased network environment and network-based applications.

  7. Why Security?
  • Direct impact of a security breach on the corporate asset base and goodwill.
  • Increasing complexity of computer infrastructure administration and management.

  8. Essential Security Terminologies

  9. Essential Security Terminologies

  10. Information Security Principles - CIA
  Security rests on confidentiality, authenticity, integrity, and availability:
  • Confidentiality. Only authorized individuals, processes, or systems have access to information, on a need-to-know basis.
  • Integrity. Information should be protected from intentional, unauthorized, or accidental changes.
  • Availability. Information and resources are accessible when needed. (Threatened by DoS, DDoS.)
  • Authenticity. The identification and assurance of the origin of information. (Supported by hash functions, e.g., MD5.)
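Slide 10 lists hash functions (MD5) next to authenticity. The following is an added example, not part of the slides, showing the difference a practitioner needs to keep in mind: a plain digest detects modification (integrity) only while the reference digest itself is trusted, whereas a keyed HMAC ties the check to a shared secret and so supports origin assurance (authenticity). The message and key are constructed for the demo.

```python
# Added example (not from the lecture slides): integrity vs. authenticity
# checks built from hash functions, using only the Python standard library.
import hashlib
import hmac


def digest(data: bytes, algo: str = "sha256") -> str:
    """Integrity fingerprint: any change to data changes the digest.
    algo may be "md5" (as on the slide) but MD5 is no longer collision
    resistant, so SHA-256 is the default here."""
    return hashlib.new(algo, data).hexdigest()


def integrity_ok(data: bytes, expected_digest: str, algo: str = "sha256") -> bool:
    """Detects accidental or unauthorized modification, but says nothing about
    who produced the data: anyone can recompute a plain digest over altered data."""
    return hmac.compare_digest(digest(data, algo), expected_digest)


def tag(key: bytes, data: bytes) -> str:
    """Authenticity: an HMAC binds the digest to a shared secret, so only a
    holder of the key can produce a tag that verifies."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def authentic(key: bytes, data: bytes, expected_tag: str) -> bool:
    """Constant-time comparison avoids leaking how many tag bytes matched."""
    return hmac.compare_digest(tag(key, data), expected_tag)


def demo() -> dict:
    # Constructed sample message and a constructed placeholder key.
    key = b"constructed-demo-key-not-for-real-use"
    original = b"transfer 100 to account 42"
    altered = b"transfer 900 to account 42"
    ref_digest = digest(original)
    ref_tag = tag(key, original)
    return {
        # A plain hash catches tampering while the reference digest is trusted...
        "hash_detects_tamper": not integrity_ok(altered, ref_digest),
        # ...but whoever can also replace the digest passes the integrity check.
        "hash_forgeable": integrity_ok(altered, digest(altered)),
        # The HMAC check fails on altered data, and a keyless recomputed digest
        # is not accepted as a tag: origin is verified, not just content.
        "hmac_detects_tamper": not authentic(key, altered, ref_tag),
        "hmac_rejects_keyless_tag": not authentic(key, altered, digest(altered)),
        "hmac_accepts_original": authentic(key, original, ref_tag),
    }
```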

  11. Confidentiality, Integrity and Availability (triangle diagram: Confidentiality, Integrity and Availability surrounding Security)

  12. Reverse CIA
  • Confidentiality: preventing unauthorized subjects from accessing information.
  • Integrity: preventing unauthorized subjects from modifying information.
  • Availability: preventing information and resources from being inaccessible when needed.

  13. Trade-off (triangle diagram: Functionality, Security, Usability)
  Moving the ball towards security means moving away from functionality and ease of use.

  14. Security/Risk Management Relationships (cycle diagram, with Central Management at the center)
  • Determine Needs & Assess Risks
  • Implement Policies & Control
  • Monitor & Evaluate
  • Promote Awareness

  15. 10 Deadly Sins of Security Management
  • Not realizing that information security is a corporate governance responsibility (the buck stops right at the top).
  • Not realizing that information security is a business issue and not a technical issue.
  • Not realizing the fact that information security governance is a multi-dimensional discipline.
  • Not realizing that an information security plan must be based on identified risks.
  • Not realizing the important role of international best practices for information security management.

  16. 10 Deadly Sins of Security Management (continued)
  • Not realizing that a corporate information security policy is absolutely essential.
  • Not realizing that information security compliance enforcement and monitoring is absolutely essential.
  • Not realizing that a proper information security governance structure is absolutely essential.
  • Not realizing the core importance of information security awareness amongst users.
  • Not empowering information security managers with the infrastructure, tools and supporting mechanisms to properly perform their responsibilities.
  Lessons Learned

  17. Multi-Dimension of Information Security
  • The Corporate Governance Dimension
  • The Organizational Dimension
  • The Policy Dimension
  • The Best Practice Dimension
  • The Ethical Dimension
  • The Certification Dimension
  • The Legal Dimension
  • The Insurance Dimension
  • The Personnel/Human Dimension
  • The Awareness Dimension
  • The Technical Dimension
  • The Measurement/Metrics (Compliance monitoring/Real-time IT audit) Dimension
  • The Audit Dimension

  18. Security Management Practice
  • Security Governance.
  • Security Policies, Procedures, Standards, Guidelines, and Baselines.
  • Security Planning.
  • Security Organization.
  • Personnel Security.
  • Security Audit and Control.
  • Security Awareness, Training and Education.
  • Risk Assessment and Management.
  • Professional Ethics.

  19. Security Management Governance
  Security governance is the set of organizational processes and relationships that guarantees the appropriate information security activities are being performed, so that risks are appropriately reduced, information security investments are appropriately directed, and executive management has visibility into the program and is asking the appropriate questions to determine its effectiveness.
  • Policies, Procedures, Standards, Guidelines, Baselines
  • Organizational Structures
  • Roles and Responsibilities

  20. Policies, Standards, Procedures, Baselines, & Guidelines (hierarchy diagram)
  Laws, Regulations, Requirements, Organizational Goals & Objectives
  → General Organizational Policies (Management’s Security Statement)
  → Functional Implementing Policies (Management’s Security Directives)
  → Standards (Specific Hardware & Software), Procedures (Step-by-Step Instructions), Baselines (Consistent Level of Security), Guidelines (Recommendations)
  Procedures, standards, and guidelines are used to describe how these policies will be implemented within an organization.

  21. Audit Frameworks for Compliance
  • COSO – The Committee of Sponsoring Organizations of the Treadway Commission (1985).
  • ITIL – The IT Infrastructure Library (1989-1992).
  • ISO 17799/BS 7799 (1995).
  • ISO/IEC 27000 (2005).
  • COBIT – Control Objectives for Information and Related Technology.

  22. COSO Integrated Framework (Enterprise Risk Management components)
  • Internal Environment
  • Objective Setting
  • Risk Identification
  • Risk Assessment
  • Risk Response
  • Control Activities
  • Information & Communication
  • Monitoring

  23. The COSO Cube

  24. ITIL Service Management Processes (http://www.securityfocus.com/print/infocus/1815)

  25. ITIL Framework (http://iwi.uibk.ac.at/wikiwi/index.php?title=Image:Itil.jpg)

  26. ITIL V3 Processes and Functions (F = function) (http://krpm.wordpress.com/reports/)
  • Service Strategy: Strategy Generation, Financial Mgmt., Demand Mgmt., Service Portfolio Mgmt., Return on Investment, Business Questions
  • Service Design: Service Level Mgmt., Capacity Mgmt., Availability Mgmt., IT Service Continuity Mgmt., Information Security Mgmt., Supplier Mgmt., Service Catalogue Mgmt.
  • Service Transition: Transition Planning and Support, Change Mgmt., Asset and Configuration Mgmt., Release and Deployment Mgmt., Service Validation and Testing, Evaluation, Knowledge Mgmt.
  • Service Operation: Event Mgmt., Incident Mgmt., Request Fulfillment, Problem Mgmt., Access Mgmt., Service Desk (F), IT Operations Mgmt. (F), Applications Mgmt. (F), Technical Mgmt. (F)
  • Continual Service Improvement: Service Measurement, Service Reporting, Service Improvement

  27. ISO 17799 Standards
  • Information security policy.
  • Organizing information security.
  • Asset management.
  • Human resources security.
  • Physical and environmental security.
  • Communications and operations management.
  • Access control.
  • Information systems acquisition, development and maintenance.
  • Information security incident management.
  • Business continuity management.
  • Compliance.

  28. ISO 27000 Framework

  29. COBIT (cube diagram)
  Business Objectives and Governance Objectives drive COBIT.
  • Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
  • IT process domains (cycle): Plan & Organize, Acquire & Implement, Deliver & Support, Monitor & Evaluate
  • IT Resources: Application, Information, Infrastructure, People

  30. Summary of Audit Frameworks
  • COSO – The Committee of Sponsoring Organizations of the Treadway Commission (1985).
  • ITIL – The IT Infrastructure Library (1989-1992).
  • ISO 17799/BS 7799 (1995).
  • ISO/IEC 27000 (2005).
  • COBIT – Control Objectives for Information and Related Technology.

  31. Possible Projects
  • Develop a security audit plan.
  • Compliance testing according to a standard (e.g., HIPAA, ISO 27000, COBIT).
  • Awareness education for HIPAA, ISO 27000, or COBIT compliance.
  • A comparative analysis of different security compliance frameworks.
