
Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc.


Presentation Transcript


  1. Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006

  2. Presented at the “Privacy & Security in Government Information” Seminar Ottawa April 4, 2005

  3. Prevalent attitude towards Information Security (IS) at Senior Management level:
     • At best a perceived inconvenience
     • At worst a compliance nightmare, exacerbated by PRIVACY issues

  4. Reality:
     • IS is just another business element to be factored into the cost of doing business
     • Should be approached from the perspective that, handled properly, IS is a potential enabler for competitive advantage

  5. Intent of this presentation is to provide some guidelines for planning and managing IS

  6. Outline
     • Key elements of the IS Management System
     • Statement of Sensitivity, or what corporate assets need to be protected?
     • Building the IS team
     • Determining the Scope of the Security Management System
     • Metrics and Objectives for IT Security and Web-based Applications

  7. Key Elements for Managing IS
     • Policy
     • Planning and Preparation
     • Protection – Implementation of Safeguards
     • Contingency Planning:
        • Incident Response
        • Business Continuity
     • Compliance

  8. Statement of Sensitivity (1)
     • Sensitive assets:
        • Personnel
        • Physical
        • Information
     Although this presentation focuses on the information aspect, personnel security and physical security should be looked at concurrently.

  9. Statement of Sensitivity (2)
     • Degree of sensitivity:
        • Confidentiality
        • Availability
        • Integrity

  10. Building the IS Team
     • Largely dependent on the size of the enterprise
     • CSO (Corporate Security Officer) should be responsible for all 3 aspects of security, not just IT
     • CSO should possess the CISSP or CISM professional security qualification

  11. Scope of the IS Management System
     • Assess current level of risk
     • Establish a baseline
     • Determine what can impact the risks
     • List the threats
     • Determine how risk (human, physical plant, IT) can be reduced at acceptable cost
        • ROSI (return on security investment)
     • Follow up with:
        • Security awareness training
        • Testing for: incident response, business continuity
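The slide names ROSI as the yardstick for "reduced at acceptable cost" but gives no formula. The following added example (not from the presentation) works one through with the commonly used form ROSI = (ALE × mitigation ratio − annual cost) / annual cost, where ALE is single loss expectancy times annual rate of occurrence; all dollar figures, mitigation ratios and control names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One risk expressed as annualised loss expectancy (ALE) inputs."""
    name: str
    single_loss_expectancy: float      # expected cost of one incident, dollars
    annual_rate_of_occurrence: float   # expected incidents per year

    def ale(self) -> float:
        """Annualised loss expectancy = SLE x ARO."""
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


@dataclass(frozen=True)
class Safeguard:
    """A candidate control with its estimated effect and annual cost."""
    name: str
    mitigation_ratio: float   # fraction of the ALE the control is expected to remove (0..1)
    annual_cost: float        # licences, staff time, maintenance, dollars per year


def rosi(exposure: Exposure, safeguard: Safeguard) -> float:
    """Return on security investment (assumed formula, not from the slides):
    (ALE * mitigation_ratio - annual_cost) / annual_cost.
    A value below 0 means the control costs more per year than the loss it avoids."""
    if safeguard.annual_cost <= 0:
        raise ValueError("safeguard cost must be positive")
    if not 0.0 <= safeguard.mitigation_ratio <= 1.0:
        raise ValueError("mitigation ratio must be between 0 and 1")
    avoided_loss = exposure.ale() * safeguard.mitigation_ratio
    return (avoided_loss - safeguard.annual_cost) / safeguard.annual_cost


def rank_safeguards(exposure: Exposure, candidates: list[Safeguard]) -> list[tuple[str, float]]:
    """Order candidate controls by ROSI, highest first."""
    scored = [(s.name, round(rosi(exposure, s), 4)) for s in candidates]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def acceptable(exposure: Exposure, candidates: list[Safeguard]) -> list[str]:
    """'Acceptable cost' here means a non-negative ROSI; returns the names that qualify."""
    return [name for name, value in rank_safeguards(exposure, candidates) if value >= 0]


# Constructed figures for a malware-outbreak risk; none of these numbers come from the presentation.
OUTBREAK = Exposure("malware outbreak", single_loss_expectancy=50_000.0, annual_rate_of_occurrence=2.0)

CANDIDATES = [
    Safeguard("patch management programme", mitigation_ratio=0.6, annual_cost=20_000.0),
    Safeguard("enterprise anti-virus", mitigation_ratio=0.5, annual_cost=30_000.0),
    Safeguard("inline IPS appliances", mitigation_ratio=0.7, annual_cost=90_000.0),
]

if __name__ == "__main__":
    print(f"ALE for {OUTBREAK.name}: ${OUTBREAK.ale():,.0f}/year")
    for name, value in rank_safeguards(OUTBREAK, CANDIDATES):
        print(f"  {name:32s} ROSI = {value:+.2f}")
    print("acceptable at this cost:", acceptable(OUTBREAK, CANDIDATES))
```

The point the numbers make is the one on the slide: the control with the largest mitigation ratio (the IPS appliances) is not the best buy, because its annual cost exceeds the loss it avoids, so its ROSI is negative and it falls outside "acceptable cost".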

  12. Risk Reduction – Technical Safeguards
     • Myth: Often portrayed as a discipline beyond rocket science – something the CEO could never relate to
     • Reality: established standards exist, e.g.
        • MITS for the Canadian federal government
        • ISO 17799 for industry and much of Europe
        • NIST in the USA

  13. Basic Technical Safeguards
     • Anti-virus and firewalls (personal + corporate) in place
     • Patching strategy in place
     • Router Access Control Lists (ACLs) enforced
     • SSL Encryption on VPNs and wherever else feasible
     In general, CONFIGURATION CONTROL

  14. Further Safeguards
     • Intrusion detection systems
     • Intrusion prevention systems
     • Vulnerability Assessment Software
     • ESM (Enterprise Security Management) platform to manage all of the above
     • Third party “Penetration Testing” to probe for weaknesses in the infrastructure and applications

  15. Security Metrics
     • Generally, asset-focused
     • Measure of:
        • What defenses are in place *
        • How many systems protected against a specific threat
     * “Defense in depth”, or layers of security, is the key to an effective security architecture.

  16. Sources of Information
     • International Systems Security Engineering Association – Capability Maturity Model (SSE-CMM)
     • Institute for Security and Open Methodologies (ISECOM) – Security Metrics and RAVs (Risk Assessment Values)
     • The Open Web Application Security Project (OWASP)
     • www.securitymetrics.org
     • NIST Special Publication (SP) 800-55, Security Metrics Guide for Information Technology Systems

  17. Popular Metrics Tools
     • Microsoft Threat Scoring System
     • CERT Vulnerability Scoring
     • SANS Critical Vulnerability Analysis Scale Ratings
     • CVSS (Common Vulnerability Scoring System), an open framework

  18. Advanced Metrics Tools
     • Dashboards:
        • Can be customized or configurable
        • Basically a snapshot view of the enterprise’s state of security
        • Includes metrics for monitoring security trends over time across the various applications
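Slides 15 and 18 describe asset-focused metrics (how many systems are protected against a given threat, how many layers each has) and the dashboard snapshot that tracks them over time. The added example below (not from the presentation or any product it names) computes both from a constructed asset inventory; the host names, the safeguard sets and the mapping from threats to the layers that address them are all assumptions made for the illustration.

```python
# Constructed asset inventory: each record lists the safeguard layers actually
# confirmed on that system (in practice fed from an ESM platform or a scan).
INVENTORY = [
    {"host": "web-01",   "safeguards": {"firewall", "patching", "ids"}},
    {"host": "web-02",   "safeguards": {"firewall", "patching"}},
    {"host": "db-01",    "safeguards": {"firewall", "patching", "ids", "ips"}},
    {"host": "hr-pc-17", "safeguards": {"antivirus"}},
    {"host": "hr-pc-18", "safeguards": set()},
]

# Assumed mapping from a threat to the layers that defend against it.
THREAT_LAYERS = {
    "malware": {"antivirus", "patching", "ips"},
    "network-intrusion": {"firewall", "ids", "ips"},
}


def layers_per_host(inventory, threat):
    """Defense-in-depth count: how many independent layers each host has against the threat."""
    relevant = THREAT_LAYERS[threat]
    return {h["host"]: len(h["safeguards"] & relevant) for h in inventory}


def coverage_pct(inventory, threat):
    """Percentage of systems with at least one layer against the threat (slide 15's metric)."""
    depth = layers_per_host(inventory, threat)
    protected = sum(1 for n in depth.values() if n > 0)
    return 100.0 * protected / len(depth)


def snapshot(inventory, threats=None):
    """Dashboard-style snapshot (slide 18): per threat, coverage, unprotected hosts, and
    hosts with only a single layer (one failure away from being unprotected)."""
    result = {}
    for threat in threats or THREAT_LAYERS:
        depth = layers_per_host(inventory, threat)
        result[threat] = {
            "coverage_pct": coverage_pct(inventory, threat),
            "unprotected": sorted(h for h, n in depth.items() if n == 0),
            "single_layer": sorted(h for h, n in depth.items() if n == 1),
        }
    return result


def trend(earlier, later):
    """Change in coverage between two snapshots, per threat, for tracking over time."""
    return {t: later[t]["coverage_pct"] - earlier[t]["coverage_pct"] for t in earlier}


def extend_layer(inventory, layer, host_prefix):
    """Return a copy of the inventory with `layer` added to every host whose name starts
    with host_prefix; used here to simulate a follow-up measurement after a rollout."""
    return [
        {**h, "safeguards": h["safeguards"] | {layer}} if h["host"].startswith(host_prefix) else h
        for h in inventory
    ]


if __name__ == "__main__":
    before = snapshot(INVENTORY)
    # Constructed follow-up: the HR desktops are brought under the patching programme.
    after = snapshot(extend_layer(INVENTORY, "patching", "hr-"))
    for threat, row in after.items():
        print(threat, row)
    print("coverage change:", trend(before, after))
```

Reporting the single-layer hosts alongside the coverage percentage is what makes the defense-in-depth footnote on slide 15 measurable: a host counts as "protected" with one layer, but the dashboard still shows it as the weakest point.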

  19. A practical example of a metric
     • E-mail SPAM
     • Relatively easy to establish baseline on % of messaging traffic that is unwanted
     • Many SPAM filters to choose from
     • After filter application, remeasure
     • Continue to fine-tune filter, reapply and remeasure
     • Some slight risk that you will stop legitimate traffic – so reducing SPAM to zero is not necessarily the goal
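The baseline / apply / remeasure / fine-tune loop on this slide is shown below as an added example that is not part of the presentation. The message subjects, their ground truth and the scoring-filter patterns are constructed; the filter itself is a deliberately simple pattern counter standing in for whichever commercial filter is chosen. It measures both the residual unwanted share and the share of legitimate mail blocked, so the tuning step can honour the slide's last point rather than chasing zero SPAM.

```python
import re

# Constructed sample of message subjects with ground truth (True = legitimate mail).
# In practice the truth comes from sampling and user reports, not from the filter itself.
SAMPLE = [
    ("Quarterly budget review", True),
    ("Re: seminar agenda, Ottawa", True),
    ("Free parking passes for staff this week", True),
    ("Minutes from the security awareness training", True),
    ("Expense claim approved", True),
    ("Incident response test scheduled Friday", True),
    ("FREE!!! Click here to claim your PRIZE", False),
    ("You are our lucky WINNER!!!", False),
    ("Cheap pills, click here", False),
    ("Hello, long time no see", False),   # unwanted mail the patterns will miss
]

# Constructed scoring patterns for the stand-in filter.
PATTERNS = [r"\bfree\b", r"click here", r"\b(prize|winner)\b", r"!!!", r"\bpills\b"]


def baseline_unwanted_pct(messages):
    """Baseline: share of all traffic that is unwanted, before any filter is applied."""
    unwanted = sum(1 for _, legit in messages if not legit)
    return 100.0 * unwanted / len(messages)


def make_filter(patterns, threshold):
    """Scoring filter: a subject is flagged when at least `threshold` patterns match."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]

    def is_spam(subject):
        return sum(1 for c in compiled if c.search(subject)) >= threshold

    return is_spam


def remeasure(messages, is_spam):
    """After the filter: residual unwanted share of delivered mail, and the share of
    legitimate mail wrongly blocked (the risk the slide warns about)."""
    delivered = [(s, legit) for s, legit in messages if not is_spam(s)]
    residual = sum(1 for _, legit in delivered if not legit)
    legit_total = sum(1 for _, legit in messages if legit)
    legit_blocked = sum(1 for s, legit in messages if legit and is_spam(s))
    return {
        "residual_unwanted_pct": 100.0 * residual / len(delivered) if delivered else 0.0,
        "false_positive_pct": 100.0 * legit_blocked / legit_total,
    }


def tune(messages, patterns, thresholds, max_false_positive_pct):
    """Re-apply and re-measure for each threshold; keep the one with the least residual
    spam among those under the false-positive ceiling. Returns (threshold, metrics)."""
    best = None
    for t in thresholds:
        m = remeasure(messages, make_filter(patterns, t))
        if m["false_positive_pct"] > max_false_positive_pct:
            continue
        if best is None or m["residual_unwanted_pct"] < best[1]["residual_unwanted_pct"]:
            best = (t, m)
    return best


if __name__ == "__main__":
    print(f"baseline unwanted: {baseline_unwanted_pct(SAMPLE):.1f}%")
    for t in (1, 2, 3):
        print(f"threshold {t}:", remeasure(SAMPLE, make_filter(PATTERNS, t)))
    print("chosen:", tune(SAMPLE, PATTERNS, (1, 2, 3), max_false_positive_pct=5.0))
```

On this sample the most aggressive setting (threshold 1) blocks a legitimate notice about free parking passes and still lets one unwanted message through, so the tuning step settles on threshold 2: a little residual SPAM remains, but no legitimate traffic is stopped.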

  20. Thank You Questions?
