1 / 28

Security Management Practices

Security Management Practices. Keith A. Watson, CISSP CERIAS. Overview. The CIA Security Governance Policies, Procedures, etc. Organizational Structures Roles and Responsibilities Information Classification Risk Management. The CIA: Information Security Principles. Confidentiality

Olivia
Download Presentation

Security Management Practices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Management Practices • Keith A. Watson, CISSPCERIAS

  2. Overview • The CIA • Security Governance • Policies, Procedures, etc. • Organizational Structures • Roles and Responsibilities • Information Classification • Risk Management

  3. The CIA:Information Security Principles • Confidentiality • Allowing only authorized subjects access to information • Integrity • Allowing only authorized subjects to modify information • Availability • Ensuring that information and resources are accessible when needed

  4. Reverse CIA • Confidentiality • Preventing unauthorized subjects from accessing information • Integrity • Preventing unauthorized subjects from modifying information • Availability • Preventing information and resources from being inaccessible when needed

  5. Using the CIA • Think in terms of the core information security principles • How does this threat impact the CIA? • What controls can be used to reduce the risk to CIA? • If we increase confidentiality, will we decrease availability?

  6. Security Governance • Security Governance is the organizational processes and relationships for managing risk • Policies, Procedures, Standards, Guidelines, Baselines • Organizational Structures • Roles and Responsibilities

  7. Procedures Standards Guidelines Baselines Policy Mapping Laws, Regulations, Requirements, Organizational Goals, Objectives General Organizational Policies Functional Policies

  8. Policies • Policies are statements of management intentions and goals • Senior Management support and approval is vital to success • General, high-level objectives • Acceptable use, internet access, logging, information security, etc

  9. Procedures • Procedures are detailed steps to perform a specific task • Usually required by policy • Decommissioning resources, adding user accounts, deleting user accounts, change management, etc

  10. Standards • Standards specify the use of specific technologies in a uniform manner • Requires uniformity throughout the organization • Operating systems, applications, server tools, router configurations, etc

  11. Guidelines • Guidelines are recommended methods for performing a task • Recommended, but not required • Malware cleanup, spyware removal, data conversion, sanitization, etc

  12. Baselines • Baselines are similar to standards but account for differences in technologies and versions from different vendors • Operating system security baselines • FreeBSD 6.2, Mac OS X Panther, Solaris 10, Red Hat Enterprise Linux 5, Windows 2000, Windows XP, Windows Vista, etc

  13. Organizational Structure • Organization of and official responsibilities for security vary • BoD, CEO, BoD Committee • CFO, CIO, CSO, CISO • Director, Manager • IT/IS Security • Audit

  14. ProjectSecurity Architect EnterpriseSecurity Architect Typical Org Chart Security Analyst System Auditor Board of Directors/Trustees President CIO Security Director

  15. EnterpriseSecurity Architect ProjectSecurity Architect Security-Oriented Org Chart Security Analyst Board of Directors/Trustees President CIO IT Audit Manager Security Director System Auditor

  16. EnterpriseSecurity Architect ProjectSecurity Architect Further Separation Security Analyst Board of Directors/Trustees President Audit Committee Internal Audit CIO IT Audit Manager Security Director System Auditor

  17. Organizational Structure • Audit should be separate from implementation and operations • Independence is not compromised • Responsibilities for security should be defined in job descriptions • Senior management has ultimate responsibility for security • Security officers/managers have functional responsibility

  18. Roles and Responsibilities • Best Practices: • Least Privilege • Mandatory Vacations • Job Rotation • Separation of Duties

  19. Roles and Responsibilities • Owners • Determine security requirements • Custodians • Manage security based on requirements • Users • Access as allowed by security requirements

  20. Information Classification • Not all information has the same value • Need to evaluate value based on CIA • Value determines protection level • Protection levels determine procedures • Labeling informs users on handling

  21. Information Classification • Government classifications: • Top Secret • Secret • Confidential • Sensitive but Unclassified • Unclassified

  22. Information Classification • Private Sector classifications: • Confidential • Private • Sensitive • Public

  23. Information Classification • Criteria: • Value • Age • Useful Life • Personal Association

  24. Risk Management • Risk Management is identifying, evaluating, and mitigating risk to an organization • It’s a cyclical, continuous process • Need to know what you have • Need to know what threats are likely • Need to know how and how well it is protected • Need to know where the gaps are

  25. Identification • Assets • Threats • Threat-sources: man-made, natural • Vulnerabilities • Weakness • Controls • Safeguard

  26. Analysis/Evaluation • Quantitative • Objective numeric values • Cost-Benefit analysis • Guesswork low • Qualitative • Subjective intangible values • Time involved low • Guesswork high

  27. Remedy/Mitigation • Reduce • Use controls to limit or reduce threat • Remove • Stop using it • Transfer • Get insurance or outsource it • Accept • Hope for the best

  28. Summary • Security Management practices involve balancing security processes and proper management and oversight • Risk Management is a big part of managing holistic security of an organization

More Related