1 / 24

Information Security Management CISSP Topic 1

ISA 562 Internet Security Theory and Practice. Information Security Management CISSP Topic 1. Course Outline. An introductory course at the graduate level It covers the topics of The CISSP exam at varying depth But is NOT a CISSP course Textbooks:

Download Presentation

Information Security Management CISSP Topic 1

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. ISA 562Internet Security Theory and Practice Information Security Management CISSP Topic 1 Summer 2008

  2. Course Outline An introductory course at the graduate level It covers the topics of The CISSP exam at varying depth But is NOT a CISSP course Textbooks: Matt Bishop: Computer Security Art and Science Official ISC2 Guide to the CISSP CBK Summer 2008

  3. Objectives Roles and responsibilities of individuals in a security program Security planning in an organization Security awareness in the organization Differences between policies, standards, guidelines and procedures Risk Management practices and tools Summer 2008

  4. Syllabus of the Course • Bishop’s book for the first part • Papers for some classes • IC2 book for the second part • Cover material relevant to the PhD qualifying examination in security Summer 2008

  5. Introduction • Purpose of information security: • to protect an organization's information resources data, hardware, and software. • To increase organizational success: IS are critical assets supporting its mission Summer 2008

  6. Information Security TRIAD The Overhanging goals of information security are addressed through the AIC TRIAD. Summer 2008

  7. IT Security Requirements - I Security should be designed for two requirements: Functional: Define behavior of the control means  based on risk assessment Properties: should not depend on another control: Why? fail safe by maintaining security during a system failure Assurance: Provide confidence that security functions perform as expected. Internal/External Audit. Third Party reviews Compliance to best practices Examples Functional:a network Firewall to permit or deny traffic. Assurance:logs are generated, monitored, and reviewed Summer 2008

  8. Organizational & Business Requirements Focus on organizational mission: Business or goals driven Depends on type of organization: Military , Government, or Commercial. Must be sensible and cost effective Solution considers the mission and environment  Trade-off Summer 2008

  9. IT Security Governance Integral part of corporate governance: Fully integrated into overall risk-based threat analysis Ensure that IT infrastructure: Meets all requirements. Supports the strategies and objectives of the company. Includes service level agreements [if outsourced]. Summer 2008

  10. Security Governance: Major parts Leadership: Security leaders must be part of the company leadership -- where they can be heard. Structure: occurs at many levels and should use a layered approach. Processes: follow internationally accepted “best practices”: Job rotation , Separation of duties, least privilege, mandatory vacations, …etc. Examples of standards : ISO 17799 & ISO 27001:2005 Summer 2008

  11. Security Blueprints Provide a structure for organizing requirements and solutions. Ensure that security is considered holistically. To identify and design security requirements Summer 2008

  12. Policy Overview Operational environment is a web of laws, regulations, requirements, and agreements or contracts with partners and competitors Change frequently and interact with each other Management must develop and publish security statements addressing policies and supporting elements, such as standards , baselines, and guidelines. Summer 2008

  13. Policy overview Summer 2008

  14. Functions of Security policy Provide Management Goals and Objectives in writing Ensure Document compliance Create a security culture Anticipate and protect others from surprises Establish the security activity/function Hold individuals responsible and accountable Address foreseeable conflicts Make sure employees and contractors aware of organizational policy and changes to it Require incident response plan Establish process for exception handling, rewards, and discipline Summer 2008

  15. Policy Infrastructure High level policies interpreted into functional policies. Functional polices derived from overarching policy and create the foundation for procedures, standards, and baselines to accomplish the objectives Polices gain credibility by top management buy-in. Summer 2008

  16. Examples of Functional Policies Data classification Certification and accreditation Access control Outsourcing Remote access Acceptable mail and Internet usage Privacy Dissemination control Sharing control Summer 2008

  17. Policy Implementation Standards, procedures, baselines, and guidelines turn management objectives and goals [functional policies] into enforceable actions for employees. Summer 2008

  18. Standards and procedure Standards (local):Adoption of common hardware and software mechanism and products throughout the enterprise. Examples: Desktop, Anti-Virus, Firewall Procedures:step by step actions that must be followed to accomplish a task. Guidelines:recommendations for product implementations, procurement and planning, etc. Examples: ISO17799, Common Criteria, ITIL Summer 2008

  19. Security Baselines Benchmarks: to ensure that a minimum level of security configuration is provided across implementations and systems. establish consistent implementation of security mechanisms. Platform unique Examples: VPN Setup, IDS Configuration, Password rules Summer 2008

  20. Three Levels of security planning Strategic:long term Focus on high-level, long-range organizational requirements Example: overall security policy 2. Tactical:medium-term Focus on events that affect all the organization Example: functional plans 3. Operational:short-term Fight fires at the keyboard level, directly affecting how the organization accomplishes its objectives. Summer 2008

  21. Organizational roles and responsibilities Everyone has a role: with responsibility clearly communicated and understood Duties associated with the role must be assigned Examples: Securing email Reviewing violation reports Attending awareness training Summer 2008

  22. Specific Roles and Responsibilities (duties) Executive Management: Publish and endorse security policy Establish goals and objectives State overall responsibility for asset protection. IS security professionals: Security design, implementation, management, Review of organization security policies. Owner: Information classification Set user access conditions Decide on business continuity priorities Custodian: Entrusted with the Security of the information IS Auditor: Audit assurance guarantees. User: Compliance with procedures and policies Summer 2008

  23. Personnel Security: Hiring staff Background check/Security clearance Check references/Educational records Sign Employment agreement Non-disclosure agreements Non-compete agreements Low level Checks Consult with HR Department Termination/dismissal procedure Summer 2008

  24. Third party considerations Include: Vendors/Suppliers Contractors Temporary Employees Customers Must established procedures for these groups. Summer 2008

More Related