
BEST SECURITY PRACTICES


Presentation Transcript


  1. BEST SECURITY PRACTICES GUY KING Computer Sciences Corporation Defense Group Information Security and Operations Center Presented by: Tong Xu

  2. Agenda • Introduction • Definition of Best Security Practice (BSP) • Security process framework (SPF) • BSP life cycle • Summary

  3. Introduction • Technology vs. Human practices • Best practices • Proven effective by one or more organizations • Promising to be effective if adapted by other organizations • The need for BSP

  4. Best Security Practices • Security implementations • Technical: software, hardware • Physical: physical barriers, locks, etc. • Administrative: the practices of people • BSP is an administrative means • Good security practices are the foundation of security

  5. Definition and Clarification • A BSP is: • A human practice • Security-related • Shown by experience to be effective • A best existing practice • Among the most effective • A BSP is not: • An IT mechanism • A business practice • The result of armchair theorizing • The best possible practice • Necessarily the single best

  6. Collect the Best, the Good and the Worst Security Practices • Sometimes the good is better than the best • An example of the four levels of excellence: • Good idea • Good practice • Local best practice • Industry best practice • Profit from knowing the worst security practices

  7. BSPs and KM • BSP is about sharing knowledge • Knowledge management (KM) techniques apply to BSP sharing • To document BSP is not enough • Expert-novice interaction is needed for knowledge transfer to occur

  8. Security Process Framework(SPF) • An ordered structure of security processes, used to categorize BSPs • Facilitates BSP sharing and management • Related to the security program • Includes the program areas (high-level security processes) and their sub-processes

  9. The SPF’s 10 Program Areas • Security Program Management • Customer Security Support • Risk Management • Certification and Accreditation (C&A) • Personnel Security • Security Training • Physical Security • Contingency Planning • Technical Security • Incident Response

  10. Two Major Divisions of SPF • Organizational security program (OSP) vs. system security program (SSP) • Apply different BSPs • Pertain to the same program areas • The ten security processes of each division follow a four-phase life cycle • The operate phase of the OSP guides all phases of the SSP

  11. Program Area Life Cycles

  12. BSP Life Cycle 1 • Identify candidate BSPs • Package BSPs • Evaluate BSPs • Adopt BSPs • Deliver BSPs • Improve BSPs

  13. BSP Life Cycle 2 Package BSPs • Provide sample and template documents, checklists, etc. • Document steps, relationship to other BSPs, implementation guidance and resource estimates, metrics

  14. BSP Life Cycle 3 Evaluate BSPs • Preliminary evaluation criteria: • Authenticate the BSP contributors • Check mandatory sections • Ensure BSPs are harmless • Evaluation criteria: • Effective • Cost- and time-efficient • Easy to implement • Consistent with other BSPs

  15. Summary • Security industry situations • Education • Sharing of BSPs • Approaches of sharing BSPs
