1 / 7

Driving Factors

Driving Factors. Compliance. Risk Mgt. Security. Controls. Risks, Threats, Vulnerabilities. Risk – Generalized impact statement Ex: disclosure of ratepayer data would be bad Threat – a generic method of exploiting a risk Ex: interception of data in-flight or at rest

xaviera-ferguson
Download Presentation

Driving Factors

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Driving Factors Compliance Risk Mgt Security Controls

  2. Risks, Threats, Vulnerabilities • Risk – Generalized impact statement • Ex: disclosure of ratepayer data would be bad • Threat – a generic method of exploiting a risk • Ex: interception of data in-flight or at rest • Vulnerability – a specific, actual, existing technical issue that could be leveraged • Ex: an unencrypted customer information file on a server

  3. Risk Profile: Confidential Data • Generalized Risks: • Disclosure, Unauthorized Modification • Threats: • Interception of data in-flight, at rest, after transformation, after export, before destruction • Vulnerabilities: • Unencrypted data transport • Unencrypted storage in flat files or in DB • Unencrypted storage after export to external components • Unencrypted data prior to disposal or destruction

  4. Reliability Engineering • Security controls fail with individual unpredictability but consistently across large control sets or long periods of time • Layered security controls limit the scope and impact of individual control failures • Existing control set for this service • Firewalls, IDS, server hardening, patching, access request controls, authentication/authorization, filesystem access controls, virus scanning, enterprise hardening baseline analysis, OS software, service software, application software, maintenance scripts

  5. Mapping Vulnerabilities to Controls • Vulnerability: Unencrypted data transport • Control: use NAESB, SFTP, or encrypted CD • Vulnerability: Unencrypted data storage • Control: • Vulnerability: Unencrypted data after transformation • Control: • Vulnerability: Unencrypted data prior to disposal • Control:

  6. Data Transport Mechanisms • NAESB • Current Market Standard • Existing management and maintenance infrastructure • Existing application infrastructure • Strong authentication/encryption • SFTP • Strong transport encryption • Partially existing server infrastructure • Partially existing management infrastructure for static passwords • No existing management infrastructure for ssh-keys • Use of static passwords for authentication creates possibility for password recovery via brute-force or disclosure at endpoints • Reduced visibility from network security monitoring platform • Additional implementation risk • Additional management/maintenance risk

  7. Data Transport Mechanisms • CD-R / DVD-R • Easy • Transportation via licensed/bonded couriers? • Still need to address encryption of data in transit • Physical media destruction becomes an issue • Need to develop operational procedures • Need to develop physical infrastructure for accepting, handling, storing, and destroying media

More Related