1 / 14

MANAGEMENT

MANAGEMENT. Reelika Riis 132270 YVEM. Tallinn University of Technology 2014. Content. Information security General security principles Causes of security vulnerabilities Possible consequences when ignoring information risks Secure-by-design culture. Introduction.

melvyn
Download Presentation

MANAGEMENT

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. MANAGEMENT Reelika Riis 132270 YVEM Tallinn University of Technology 2014

  2. Content • Information security • General security principles • Causes of security vulnerabilities • Possible consequences when ignoring information risks • Secure-by-design culture

  3. Introduction • Almost all projects use some form of information technology. • This information needs to be protected. • Security planning is an integral part of the overall project life cycle and incorporates many different aspects to be considered when planning a project.

  4. What is Information Security? • Information and the systems and processes supporting ITare key organizationalassets. • Information Security is about ensuring the confidentiality, availability and integrity of that information and ensuring that privacy issues are addressed as required to support the achievement of the organization’s objectives.

  5. A flaw can be considered a security vulnerability when one of the goals is compromised. General Security Principles • Confidentiality – Ensuring data is only accessed on a need to know • Integrity – Ensuring that only authorized changes are made to data and systems • Availability – Ensuring that data and systems are available when needed

  6. Information risks come in various forms • Unintentional – errors, vulnerabilities • Intentional – crime, misuse, Malware • Use the CIA model as your risk indicator • Confidentiality – unauthorized access to data • Integrity – unapproved changes • Availability – no backups

  7. Causes of Security Vulnerabilities • Failure in Design • Poor decision about trust • Unspoken assumptions • Not accounting for failure • Failure in Implementation • Insecure coding techniques • Insecure configuration • Poor deployment practices

  8. If Information risks are ignored, what can happen? • Loss of reputation – trust factor • Loss of money – was there financial damage • Costly – how much did it cost to fix it • Regulation – did fines have to be paid • Legal – were laws not followed • Loss of services – impact to the business

  9. Methods of finding IT Security risks • Reactive approach • Audits • Incidents • Proactive approach • Structured risk assessment in the beginning phase of any plan to produce or upgrade a product or service • Part of the Project Management process

  10. Secure-by-design culture benefits • Attacks on data and applications have grown in frequency and sophistication, making single security solution hard to provide complete protection. • Cost-effective security begins with the development of secure applications FROM THE VERY BEGINNING! • Speed time-to-market • Help alleviate the costs and negative publicity Organizations should aim to institute a governance-based secure-by-design culture!

  11. Potential roadblocks to achieving a secure-by-design culture Developers goals Security analysts goals Eliminating vulnerabilities Implementing security controls as early in the development process as possible • Product functionality • On-time delivery

  12. To decrease and mitigate vulnerabilities – the development and security teams must cooperate and work closely together!

  13. References • IBM Corporation. Manage data security and application threats with a multi-tiered approach. January 2014. http://public.dhe.ibm.com/common/ssi/ecm/en/wgs03006usen/WGS03006USEN.PDF • IBM Corporation. Defending against malware: A holistic approach to one of today’s biggest IT risks. January 2014. http://public.dhe.ibm.com/common/ssi/ecm/en/wgw03050usen/WGW03050USEN.PDF • IBM Corporation. Five critical steps to achieving an effective application security program. December 2013. http://public.dhe.ibm.com/common/ssi/ecm/en/wgw03048usen/WGW03048USEN.PDF • Vitek, D. Security Issues that Project Managers at CDC Need to Address. The CDC Unified Process Project Management Newsletter. The National Center for Public Health Informatics, June 2008, Volume 2, Issue 6. http://www2.cdc.gov/cdcup/library/newsletter/CDC_UP_Newsletter_v2_i6.pdf • Ellison, R. J. Security and Project Management. Build Security In, August 2013. https://buildsecurityin.us-cert.gov/articles/best-practices/project-management/security-and-project-management • http://blogs.msdn.com/b/apinedo/archive/2007/05/09/microsoft-and-the-as-7799-iso-17799-standards-for-information-security-management.aspx • http://securitypresentations.files.wordpress.com/2009/04/1bbf05edd1725488d26467e7be314f4c.png- picture

  14. Thank you for your attention!

More Related