This guide covers security planning, risk analysis, policy implementation, accountability, and continuing security measures. It discusses who should be allowed access, to which resources, and with what types of access. It also explores organizational security goals, responsibilities, and commitment. The OCTAVE methodology and the TCSEC requirements are detailed, along with strategies for protection and incident response planning.
Chapter 8 – Administering Security • Security Planning • Risk Analysis • Security Policies • Physical Security
Security Planning • Policy • Current state – risk analysis • Requirements • Recommended controls • Accountability • Timetable • Continuing attention
Security Planning - Policy • Who should be allowed access? • To what system and organizational resources should access be allowed? • What types of access should each user be allowed for each resource?
Security Planning - Policy • What are the organization’s goals on security? • Where does the responsibility for security lie? • What is the organization’s commitment to security?
OCTAVE Methodology – http://www.cert.org/octave/ • Identify enterprise knowledge. • Identify operational area knowledge. • Identify staff knowledge. • Establish security requirements. • Map high-priority information assets to information infrastructure. • Perform an infrastructure vulnerability evaluation. • Conduct a multidimensional risk analysis. • Develop a protection strategy.
Security Planning – Requirements of the TCSEC • Security Policy – must be an explicit and well-defined security policy enforced by the system. • Every subject must be uniquely and convincingly identified. • Every object must be associated with a label that indicates its security level. • The system must maintain complete, secure records of actions that affect security. • The computing system must contain mechanisms that enforce security. • The mechanisms that implement security must be protected against unauthorized change.
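The TCSEC requirements on this slide can be made concrete with a small reference monitor. The following Python is an added example written for this page, not code from the slides or from the TCSEC itself. It assumes a lattice policy in the style of Bell-LaPadula (a subject may read objects at or below its clearance and write objects at or above it); the slide does not prescribe that rule, it is chosen here as a representative "explicit and well-defined security policy". Subjects must be uniquely registered, every object carries a level label, each decision is appended to an audit log, and the log is hash-chained so that unauthorized modification of the record is detectable; the chaining is likewise an illustrative stand-in for whatever protection mechanism a real system would use.

```python
"""Toy reference monitor illustrating the TCSEC requirements listed above.

Constructed example. The read-down / write-up rules and the hash-chained audit
log are assumptions made for illustration, not requirements stated on the slide.
"""
import copy
import hashlib
import json
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Security levels; IntEnum gives the ordering the policy needs."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Subject:
    uid: str          # every subject must be uniquely identified
    clearance: Level


@dataclass(frozen=True)
class Obj:
    name: str
    label: Level      # every object is associated with a security label


class AuditLog:
    """Append-only record of security-relevant decisions, hash-chained so that
    altering or dropping an entry breaks verification."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self._entries: list[dict] = []
        self._last_hash = self.GENESIS

    @staticmethod
    def _digest(prev: str, entry: dict) -> str:
        payload = json.dumps(entry, sort_keys=True)
        return hashlib.sha256((prev + payload).encode()).hexdigest()

    def record(self, entry: dict) -> None:
        digest = self._digest(self._last_hash, entry)
        self._entries.append({"entry": entry, "prev": self._last_hash, "hash": digest})
        self._last_hash = digest

    def entries(self) -> list[dict]:
        # Deep copy: readers get the record, not a handle to mutate it.
        return copy.deepcopy(self._entries)

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was edited or removed."""
        prev = self.GENESIS
        for rec in self._entries:
            if rec["prev"] != prev or self._digest(prev, rec["entry"]) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


class ReferenceMonitor:
    """Mediates every access and logs the decision (the enforcing mechanism)."""

    def __init__(self) -> None:
        self._subjects: dict[str, Subject] = {}
        self.log = AuditLog()

    def register(self, subject: Subject) -> None:
        if subject.uid in self._subjects:
            raise ValueError(f"duplicate subject id {subject.uid!r}")
        self._subjects[subject.uid] = subject

    def access(self, uid: str, obj: Obj, mode: str) -> bool:
        subject = self._subjects.get(uid)
        if subject is None:
            allowed = False                       # unknown subject: deny
        elif mode == "read":
            allowed = subject.clearance >= obj.label   # no read up
        elif mode == "write":
            allowed = subject.clearance <= obj.label   # no write down
        else:
            allowed = False                       # unknown mode: deny
        # Every decision, allowed or not, becomes part of the secure record.
        self.log.record({"uid": uid, "object": obj.name, "mode": mode,
                         "level": int(obj.label), "allowed": allowed})
        return allowed


if __name__ == "__main__":
    rm = ReferenceMonitor()
    rm.register(Subject("alice", Level.SECRET))
    rm.register(Subject("bob", Level.CONFIDENTIAL))
    plan = Obj("plan.txt", Level.SECRET)
    print("alice reads plan:", rm.access("alice", plan, "read"))   # True
    print("bob reads plan:  ", rm.access("bob", plan, "read"))     # False
    print("log intact:      ", rm.log.verify())
```

Mapping back to the slide: `register` enforces unique identification, `Obj.label` is the per-object label, `access` is the enforcing mechanism, and `AuditLog.verify` is how the "complete, secure records" requirement is checked rather than merely asserted.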
Security Planning Team Members • Computer hardware group • System administrators • Systems programmers • Application programmers • Data entry personnel • Physical security personnel • Representative users
Security Planning • Assuring Commitment to a Security Plan • Business Continuity Plans • Assess Business Impact • Develop Strategy • Develop Plan • Incident Response Plans • Advance Planning • Response Team • After the Incident is Resolved