1 / 69

Chapter 2 Planning for Security

Chapter 2 Planning for Security. Presented by: Ryan Horvath, Jennifer Kaufman, Sergey Morozov & Kalagee Shah. Outline. The Role of Planning Precursors to Planning Values Statement Vision Statement Mission Statement Strategic Planning Creating a Strategic Plan Planning Levels

gmadeline
Download Presentation

Chapter 2 Planning for Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 2 Planning for Security Presented by: Ryan Horvath, Jennifer Kaufman, Sergey Morozov & Kalagee Shah

  2. Outline • The Role of Planning • Precursors to Planning • Values Statement • Vision Statement • Mission Statement • Strategic Planning • Creating a Strategic Plan • Planning Levels • Planning and the CISO(Chief Info Security Officer) • Planning for Information Security Implementation

  3. Chapter Objectives • Identify the roles in organizations that are active in the planning process • Grasp the principal components of information security system implementation planning in the organizational planning scheme.

  4. Chapter Organization

  5. Planning Influences • Employees • Management • Stockholders • Outside stakeholders • Physical environment • Political and legal environment • Competitive environment • Technological environment

  6. Information Security Professionals • Professionals that support the information security program • Chief Information Officer (CIO) • Chief Information Security Office (CISO) • Security Managers • Security Technicians • Data Owners • Data Custodians • Data Users Slide 6

  7. Planning Definition • Planning is creating action steps toward goals and then controlling them • Provides direction for the organization’s future • Allows managing resources • Optimizes the use of the resources • Coordinates the effort of independent organizational units

  8. Precursors to Planning • Values Statement • Vision Statement • Mission Statement

  9. Values Statement • Principles • Qualities • Benchmarks • What your company is? • Microsoft: Integrity, honesty, passion, and respectfulness are significant parts of Microsoft’s corporate philosophy

  10. Vision Statement • Ambitious • Best-case scenario • Future goals • Where your company wants to be? • Microsoft: A personal computer in every home running Microsoft software

  11. Mission Statement • Organization’s business • Areas of operation • Internal • External • How your company is going to get there? • Google: Organize the world's information and make it universally accessible and useful.

  12. Strategic Planning • Strategy lays out the long-term direction to be taken by organization • It guides organizational efforts, and focuses resources toward specific, clearly defined goals. • Strategic planning includes • Mission statement • Vision statement • Values statement • Coordinated plans for sub units

  13. Creating a Strategic Plan • Organization • Develops a general strategy • Creates specific strategic plans for major divisions • Each level of translates those objectives into more specific objectives for the level below

  14. Top-Down Strategic Planning

  15. Creating a Strategic Plan • Strategic goals are translated into tasks • Specific • Measurable • Achievable • Realistic • Timely

  16. Planning Levels • Strategic Planning • Five or more year focus • Strategic plan separated into strategic goals for each department • Tactical Planning • One to three year focus • Breaks strategic goals into a series of incremental objectives

  17. Planning Levels • Operational Planning • Organize the ongoing, day-to-day performance of tasks • Includes clearly identified coordination activities across department boundaries • Communications requirements • Weekly meetings • Summaries • Progress reports

  18. Planning Levels

  19. Strategic Plan Elements • Introduction by senior executive • Executive Summary • Mission Statement and Vision Statement • Organizational Profile and History • Strategic Issues and Core Values • Program Goals and Objectives • Management/Operations Goals and Objectives • Appendices (optional) • Strengths, weaknesses, opportunities and threats (SWOT) analyses, surveys, budgets &etc

  20. 10 Tips For Strategic Planning • Create a compelling vision statement • Embrace the use of balanced scorecard approach • Deploy a draft high level plan early, and get input from stakeholders • Make the evolving plan visible

  21. 10 Tips For Planning (cont.) 5. Make the process invigorating for everyone 6. Be persistent 7. Make the process continuous 8. Provide meaning 9. Be yourself 10. Have fun

  22. Planning For InfoSec Implementation • Commonly the CISO directly reports to the CIO. • The CIO and CISO play important roles in translating overall strategic planning into tactical and operational information security plans • CISO plays a more active role planning the details

  23. CISO Job Description • Creates strategic information security plan with a vision for the future of information security • Understands fundamental business activities performed by the company • Suggests appropriate information security solutions that uniquely protect these activities • Improves status of information security by developing • action plans • schedules • budgets • status reports • top management communications

  24. Planning for Information Security • CIO: translates strategic plan into departmental and InfoSec objectives • CISO: translates InfoSec objectives into tactical and operational objectives • Implementation can now begin • Implementation of information security can be accomplished in two ways • Bottom-up • Top-down

  25. Bottom-Up Approach • Grass-roots effort • Individual administrators try to improve security • No coordinated planning from upper management • No coordination between departments • Unpredictable funding

  26. Top-Down Approach • Strong upper management support • A dedicated champion • Assured funding • Clear planning and implementation process • Ability to influence organizational culture

  27. Approaches to Security Implementation

  28. Joint Application Development • Outcome of the objective directly affects the end users • Key end users assigned to development teams • Processes documented and integrated into organizational culture • Ensures continuation of Application • Seldom found in bottom-up initiatives

  29. The Systems Development Life Cycle (SDLC) • Methodology for the design and implementation of an information system • SDLC-based projects may be initiated by events or planned • Each phase concludes with a review or a feasibility analysis

  30. Phases of an SecSDLC

  31. Investigation Phase for SecSDLC • Identifies problem to be solved • Begins with the objectives, constraints, and scope of the project • A preliminary cost/benefit analysis is then developed • Ends with a feasibility analysis

  32. Feasibility

  33. Common steps Outline project scope/goals Estimate costs Evaluate existing resources Analyze feasibility Steps unique to SecSDLC Define project process and goals and document them in the program security policy SDLC vs. SecSDLC: Investigation

  34. Analysis in the SecSDLC

  35. Analysis in SecSDLC • A preliminary analysis of • Existing security polices • Current threats and attacks • Legal issues • Risk management • Process of identifying, assessing & evaluation of levels of risks facing the organization

  36. Threats Know your enemy: It's the first step in mounting an effective defense Enemy = Threats • Threat is an object, person or other entities that represents constant danger to information asset • Well-understood and well-researched • Grouped by activities

  37. Threats

  38. Attacks • Attack is an event that exploits the vulnerability • Attack is accomplished by threat agent • A vulnerability is an identified weakness of controlled information asset • An exploit is a technique use to compromise an information asset

  39. Types of attacks • Back doors • Brute force • Dictionary • Man-in-middle • Password crack • Social engineering • Spear phishing • Phishing

  40. Buffer overflow DoS & DDoS Hoaxes Mail bombing Spam Malicious code DNS Cache poisoning Sniffers Spoofing Timing Types of attacks (cont.)

  41. Risk Analysis • Asset valuation • Identify the categories to assign to each asset • Most critical to the success of the organization • The most revenue • The highest profitability • The most expensive to replace • The most expensive to protect • Liability of organization if revealed

  42. Risk Analysis (cont.) • Categories must be comprehensive and mutually exclusive • Rank the components based on criteria of categorization of assets • Review each information assets for each threats it faces • Create a list of vulnerabilities • Assign a rank for comparative risk to each information asset

  43. Common steps Assess current system against plan developed in phase 1 Develop system requirements Study integration of new system Update feasibility analysis Steps unique to SecSDLC Analyze existing security policies and programs Analyze current threats and attacks Examine legal issues Risk analysis SDLC vs. SecSDLC : Analysis

  44. Design in SecSDLC

  45. Design in SecSDLC • Logical design phase • Create and develop a security blueprint • Implement key policies • Feasibility analysis – develop or outsource • Physical design phase • Evaluate technology to support security blueprint • Generate alternative solutions • Agree on final design

  46. Security models • Security team often use established security models to adapt or adopt. • Security models provide framework • Addresses all areas of security • Computer Security Resource Center of NIST • Information Technology Code of Practice for Information Security Management- ISO/IEC 17799 – International standard

  47. Design elements • Information security policy • Management must define • General security policy • Issue-specific security policy • Systems-specific security policy

  48. Design elements (cont.) • SETA – Security education, training and awareness program contains • Security education • Security training • Security awareness • Purpose • Improving awareness • Developing skills & knowledge • Building in-depth knowledge

  49. Design elements (cont.) • Controls and Safeguards • Managerial controls • Operational controls • Technical controls

  50. Managerial Control • Address the design, scope and implementation of the security planning process & security program • Addresses risk management and security control overview • Addresses scope of legal compliance

More Related