
Security Management Practices Security Management Planning


Presentation Transcript


  1. Security Management Practices: Security Management Planning (source: CISSP All-in-One Exam Guide, Shon Harris)

  2. Security Management
  • Security management includes:
    • Risk management
    • Information security policies
    • Procedures
    • Standards
    • Guidelines
    • Baselines
    • Information classification
    • Security organization
    • Security education

  3. Security Policy
  • The security policy is the blueprint for a company's security program and the necessary foundation to build upon
  • After developing the security policy:
    • Develop and implement the procedures, standards and guidelines that support it
    • Identify security countermeasures

  4. Approaches to a Security Program
  • Top-down approach
    • Initiation, support and direction come from top management, work their way to middle management and then to staff members
    • Ideal approach for a security program
    • Makes sure the people who are ultimately responsible for the company's assets (senior management) are the ones driving their protection
  • Bottom-up approach
    • The IT department develops a security program without proper management support and direction
    • Less effective, not broad enough, and likely to fail

  5. Security Administration and Supporting Controls
  • A company's data and assets are protected by three types of controls:
    • Physical controls: facility protection, security guards, locks, monitoring, environmental controls and intrusion detection
    • Technical controls: logical access controls, encryption, security devices, identification and authentication
    • Administrative controls: policies, standards, procedures, guidelines, personnel screening, security awareness and training

  6. Due Care
  • Legal term and concept used to help determine liability in a court of law
  • An information owner violates due care if it:
    • does not lay out the foundation of data protection, and
    • does not ensure that the directives are enforced
  • Practicing due care means:
    • acting responsibly
    • a lower probability of being found negligent and liable in the event of a security incident
  • Analogy: due care is carrying proper insurance on your car

  7. AIC Triad
  • Security objectives must address:
    • Availability
    • Integrity
    • Confidentiality

  8. Security Goals
  • Operational (daily) goals: daily tasks
    • Ensure the company functions in a smooth and predictable manner
    • E.g. update virus definitions, apply patches
  • Tactical goals: short term
    • E.g. integrate all workstations and resources into one domain for central control
  • Strategic goals: long term
    • E.g. move all branches from dedicated communication lines to frame relay, implement IPSec VPNs for remote users, integrate wireless technology into the environment

  9. ISO 17799
  • ISO 17799 is a standard and an industry best practice for developing and implementing a security program
  • Derived from British Standard 7799 (BS 7799)
  • Internationally recognized Information Security Management (ISM) standard that provides high-level, conceptual recommendations for enterprise security

  10. ISO 17799
  • Part 1: implementation guide (the code of practice listing control objectives and controls)
  • Part 2: auditing guide (the specification an information security management system is assessed and certified against)

  11. ISO 17799
  • Domains:
    • Information security policy for the organization
    • Creation of an information security infrastructure
    • Asset classification and control
    • Personnel security
    • Physical and environmental security
    • Communications and operations management
    • Access control
    • Systems development and maintenance
    • Business continuity management
    • Compliance

  12. Security Management Planning
  • When planning for security management, you must know:
    • Your company's or client's business
    • What is important to them
    • Different industries, even different departments, have different information security priorities
  • You must identify costs, risks and benefits:
    • Initial investment
    • Ongoing costs

  13. Security Management Planning
  • What are the benefits?
    • Help desk reduction
    • Common data locations
    • Reduced remote access costs
    • Improved business partner access
    • Enhanced public perception
  • What organizations want: reduce cost and increase productivity

  14. Security Management Planning
  • Management needs to understand what will be impacted
  • You must identify the potential losses if security is not properly implemented:
    • Trade secrets
    • Viruses, worms, malicious code
    • Confidential information
    • Personal e-mail
    • Adverse publicity
    • Denial of service
    • Hard drive reformats
    • Financials
    • Router reconfigurations
    • Hacked web pages
    • Breach of HR information

  15. Security Management Planning
  • Four reasons decision makers procrastinate:
    • They cannot understand or quantify threats and vulnerabilities
    • They are unable to measure the severity and probability of risk
    • They see no direct relationship between risks and the cost of mitigation
    • They believe the solution will interfere with the performance or appearance of the product
  • Explain in terms of dollars: if we invest $100, we will reduce the risk by $1,000

  16. Information Risk Management (IRM)

  17. IRM Policy
  • Subset of the organization's overall risk management policy
  • Mapped to the organizational security policies
  • Provides the infrastructure for the organization's risk management process and procedures
  • Addresses all issues of information security

  18. Risk Analysis
  • A tool for risk management: identifying, assessing, and mitigating risks
  • Four main goals:
    • Identify assets and their values
    • Identify vulnerabilities and threats
    • Quantify the probability and business impact of potential threats
    • Provide an economic balance between the impact of the threat and the cost of the countermeasure

  19. Risk Analysis
  • Identifies the exploits a threat agent could use
  • Provides a cost/benefit comparison: the annualized cost of a safeguard against the potential cost of the loss it prevents
    • A safeguard should not be implemented unless the expected cost of the loss exceeds the annualized cost of the safeguard
  • Project sizing: carried out before an assessment and analysis is started, to understand what assets and threats are to be evaluated

  20. Risk Analysis
  • Risk analysis team
    • Includes individuals from many or all departments, which ensures that all threats are identified and addressed
    • Must include people who understand the processes that are part of their department
    • Individuals must be at the right level
  • Valuation of information and assets
    • Important in order to protect them
    • Senior management reviews and approves the list to make the assets part of the scope of the IRM

  21. Economic Capital
  • The amount of money a company needs to protect itself against unexpected losses

  22. Costs That Make Up the Value
  • Actual value of an asset: determined by the costs to acquire, develop, and maintain it
  • Value of data: determined by the value it has to its
    • owners
    • authorized users
    • unauthorized users
    • E.g. a stolen credit card database has a lot of value to the thief
  • Assets can be
    • tangible (computers, facilities, supplies)
    • intangible (reputation, data, intellectual property)

  23. Costs That Make Up the Value
  • Consider:
    • Cost to acquire or develop
    • Cost to maintain and protect
    • Value of the asset to owners and users
    • Value of the asset to adversaries
    • Value of intellectual property
    • Price others are willing to pay
    • Cost to replace the asset if lost
    • Operational and production activities that are affected if the asset is unavailable
    • Liability issues if the asset is compromised
    • Usefulness and role of the asset in the organization

  24. Identifying Threats
  • What to be afraid of:
    • Man-made
    • Natural
    • Technical
  • Loss potential
  • Delayed loss: the loss can appear anywhere from 15 minutes to years after exploitation

  25. Quantitative Risk Analysis
  • Assigns real numbers to:
    • Safeguard costs
    • Asset value
    • Business impact
    • Threat frequency
    • Safeguard effectiveness
    • Exploitation probabilities
  • Provides concrete probability percentages for determining likelihood
  • A purely quantitative risk analysis is not possible, because some of these inputs are still judgments rather than measurements

  26. Automated Risk Analysis Methods
  • Collecting and interpreting the data can be overwhelming
  • Automated tools make the process more consistent and accurate
  • Advantages:
    • Data can be reused
    • Reduces the time required to perform the analysis
    • Accurate analysis
    • Reports and graphs to present to management
    • Provides risk figures for different scenarios

  27. Risk Analysis Steps
  • Assign a value to the information assets (AV)
  • Estimate the potential loss per threat (SLE)
  • Perform a threat analysis (ARO)
  • Derive the overall loss potential per risk (ALE)
  • Choose remedial measures
  • Reduce, assign, or accept the risk

  28. Evaluating Risk
  • Formulas for risk evaluation:
    • Asset Value (AV) × Exposure Factor (EF) = Single Loss Expectancy (SLE)
    • Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO) = Annualized Loss Expectancy (ALE)
  • Exposure Factor: the percentage of the asset's value lost when the identified threat occurs
  • Annualized Rate of Occurrence: the estimated frequency with which a threat will occur within a year

  29. ARO
  • Represents the estimated frequency of a specific threat taking place within a one-year time frame
  • Range can be anywhere from 0.0 (never) to 1.0 (once a year) to greater than one (several times a year)
  • E.g. the probability of a flood taking place in Mesa, Arizona is once in 1000 years
    • ARO = 1/1000 = 0.001

  30. Results of Risk Analysis
  • Risk is measured by assigning a value to information and assets (ALE)
  • Results:
    • Monetary value assigned to assets
    • List of all possible threats
    • Probability of the occurrence of each threat
    • Loss potential for the company over a 12-month period
    • Recommended safeguards and countermeasures

  31. Qualitative Risk Analysis
  • Walk through the scenarios and rank the seriousness of each threat
  • Techniques rely on judgment, intuition and experience
  • Examples:
    • Delphi (group discussion)
    • Brainstorming
    • Storyboarding
    • Focus groups
    • Surveys
    • Questionnaires
    • Checklists
    • One-on-one meetings
    • Interviews
  • Rank risk as
    • high, medium or low, or
    • on a scale of 1-5 or 1-10

  32. Delphi Technique
  • Group decision method
  • Ensures that each member gives an opinion
  • Each member writes down their opinion anonymously, so no one is pressured by the group
  • The anonymous comments are compiled and circulated until a consensus is formed
  • Very effective

  33. Protection Mechanisms
  • Identify the current security mechanisms
  • Evaluate their effectiveness
  • Identify the assets to protect (risk analysis)

  34. Countermeasure Selection
  • Product costs
  • Design / planning costs
  • Implementation costs
  • Environment modifications
  • Compatibility with other countermeasures
  • Maintenance requirements
  • Testing requirements
  • Repair / replace / update costs
  • Operating support costs
  • Effects on productivity

  35. Value of Safeguard
  • Cost/benefit analysis:
    • (ALE before implementing the safeguard) − (ALE after implementing the safeguard) − (annual cost of the safeguard) = value of the safeguard to the company
    • A positive value means the safeguard pays for itself; a negative value means the company would spend more on the control than it can expect to save
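The risk analysis steps (slide 27), the SLE/ALE formulas (slides 28 and 29) and the safeguard cost/benefit rule (slides 19 and 35) are easy to get wrong when done by hand, so here they are carried through as a small worked program. This is an added example, not code from the deck or from the CISSP guide. The data center value, exposure factors, occurrence rates and safeguard costs are constructed figures for illustration; the only number taken from the slides is the once-in-1000-years flood (ARO = 0.001).

```python
"""Quantitative risk analysis worked through in code: SLE, ARO, ALE and the
value of a safeguard, following the formulas on the slides.

Added example, not from the original deck. Every asset value, exposure
factor, ARO and safeguard cost below is a constructed illustrative figure.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    """One threat against an asset, with the two numbers the ALE formula needs."""
    name: str
    exposure_factor: float  # EF: fraction of the asset value lost per occurrence, 0.0 to 1.0
    aro: float              # ARO: expected occurrences per year (0.001 = once in 1000 years)


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure, costed per year, and the EF/ARO that remain with it in place."""
    name: str
    annual_cost: float   # product, maintenance and support costs spread over a year
    residual_ef: float   # exposure factor after the safeguard is implemented
    residual_aro: float  # rate of occurrence after the safeguard is implemented


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF: the loss expected from a single occurrence of the threat."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0.0 and 1.0")
    if asset_value < 0.0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, threat: Threat) -> float:
    """ALE = SLE x ARO: the loss expected from this threat over a 12-month period."""
    if threat.aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(asset_value, threat.exposure_factor) * threat.aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """(ALE before) - (ALE after) - (annual cost of safeguard) = value to the company."""
    return ale_before - ale_after - annual_cost


def evaluate_safeguard(asset_value: float, threat: Threat, safeguard: Safeguard) -> dict:
    """Run the cost/benefit comparison for one threat/safeguard pair.

    A safeguard is only worth implementing when the loss it prevents per year
    exceeds what it costs per year, i.e. when its value is positive. Otherwise
    the remaining options are to accept the risk, transfer it (insurance) or
    look for a cheaper countermeasure.
    """
    residual = Threat(threat.name, safeguard.residual_ef, safeguard.residual_aro)
    ale_before = annualized_loss_expectancy(asset_value, threat)
    ale_after = annualized_loss_expectancy(asset_value, residual)
    value = safeguard_value(ale_before, ale_after, safeguard.annual_cost)
    if value > 0:
        recommendation = "reduce (implement the safeguard)"
    else:
        recommendation = "do not implement: accept, transfer or find a cheaper safeguard"
    return {
        "threat": threat.name,
        "safeguard": safeguard.name,
        "sle": single_loss_expectancy(asset_value, threat.exposure_factor),
        "ale_before": ale_before,
        "ale_after": ale_after,
        "value": value,
        "recommendation": recommendation,
    }


# Constructed scenario: a data center valued at $1,000,000 (acquisition,
# development and maintenance costs), facing two threats, each with a
# candidate safeguard. The flood ARO is the once-in-1000-years figure from
# the ARO slide; everything else is made up for the demonstration.
DATA_CENTER_VALUE = 1_000_000.0
FLOOD = Threat("flood", exposure_factor=0.5, aro=0.001)
FLOOD_BARRIERS = Safeguard("flood barriers", annual_cost=2_000.0, residual_ef=0.1, residual_aro=0.001)
FIRE = Threat("fire", exposure_factor=0.7, aro=0.05)  # once in 20 years
FIRE_SUPPRESSION = Safeguard("gas fire suppression", annual_cost=10_000.0, residual_ef=0.1, residual_aro=0.05)


def risk_register() -> list:
    """Evaluate every threat/safeguard pair in the scenario."""
    return [
        evaluate_safeguard(DATA_CENTER_VALUE, FLOOD, FLOOD_BARRIERS),
        evaluate_safeguard(DATA_CENTER_VALUE, FIRE, FIRE_SUPPRESSION),
    ]


if __name__ == "__main__":
    for row in risk_register():
        print(f"{row['threat']:>6}: SLE ${row['sle']:>10,.2f}  ALE ${row['ale_before']:>10,.2f}"
              f" -> ${row['ale_after']:>9,.2f} with {row['safeguard']};"
              f" value ${row['value']:>10,.2f}: {row['recommendation']}")
```

The two rows show the rule from slide 19 in action: the flood barriers cut the ALE from $500 to $100 but cost $2,000 a year, so their value is negative and the risk should be accepted or transferred instead; the fire suppression system cuts a $35,000 ALE to $5,000 for $10,000 a year, a positive value of $20,000, so it should be implemented.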

  36. Total Risk vs. Residual Risk
  • Threats × Vulnerability × Asset Value = Total Risk
  • Total Risk × Control Gap = Residual Risk
    • Control gap: the protection the control cannot provide
    • Residual risk: the amount of risk remaining after implementing risk control measures

  37. Handling Risk
  • Once a company has determined the amount of risk it has and where the risk is located, it must decide how to deal with that risk

  38. Handling Risk
  • Transfer: e.g. buy an insurance policy; the risk is assigned to another party for a monetary cost
  • Reduce: implement countermeasures, e.g. firewalls
  • Reject: the risk is ignored; not advisable
  • Accept: the risk is acknowledged because the cost to mitigate it outweighs the loss it could cause

  39. Policies, Standards, Baselines, Guidelines and Procedures

  40. Security Policy
  • General or formal statement produced by senior management (or a board or committee)
  • Provides scope and direction for all security activities
  • Organizational security policy
    • Establishes how the security program will be set up
    • Defines program goals
    • Assigns responsibilities
    • Shows the strategic and tactical value of security
    • Outlines enforcement
  • The security policy addresses laws, regulations and liabilities

  41. Security Policy
  • Issue-specific policy (functional implementation policy)
    • Addresses a specific security issue with detailed explanation and attention
    • Ensures all employees understand how to comply on that specific issue
    • E.g. e-mail policy
  • System-specific policy
    • Management's decisions that are specific to actual computers, networks and applications
    • E.g. approved software lists, the applications installed on an individual workstation, how databases are used, how firewalls, IDS and scanners are employed

  42. Types of Policies
  • Regulatory: industry-specific
    • Ensures the organization follows standards set by a specific industry or regulatory body, e.g. nuclear power regulatory policy
  • Advisory: expectations and ramifications
    • Strongly suggests that employees follow certain types of behavior, e.g. no Internet access during work hours
  • Informative: for your information, not enforced
    • Informs employees of certain topics; for teaching, not enforcement, e.g. reminding employees to lock their cars before leaving the company parking lot

  43. Security Policy
  • Policies are broad and cover many subjects
  • Procedures, standards and guidelines provide the granularity needed to support the actual policy
  • The policy provides the foundation; procedures, standards and guidelines provide the security framework

  44. Standards
  • Mandatory activities, actions, rules or regulations
  • Provide support to a policy and reinforce its direction
  • Can be internal, or externally mandated (laws and regulations)
  • Implemented uniformly across the organization
  • E.g. specify how hardware and software products are to be used, or specify that all employees must wear their identification badges at all times

  45. Baselines
  • Specify a bare minimum level of protection or performance
  • Provide a consistent reference point
  • Can be defined per system type to indicate the necessary system settings and the level of protection provided
  • E.g. all accounting systems must meet a baseline of EAL 4 (Common Criteria Evaluation Assurance Level 4)

  46. Guidelines and Procedures
  • Guidelines
    • Recommend actions and operational guides where standards do not exist
    • Address the grey areas
    • General approaches that provide the necessary flexibility
  • Procedures
    • Step-by-step instructions that help someone achieve a certain task
    • E.g. detailed steps to set up a firewall or configure a router

  47. Implementation
  • Awareness training
  • Manuals
  • Presentations
  • Newsletters
  • Legal banners: very effective
    • Warning: computer use for company business only
    • Legal banners in e-mail
  • Due care and due diligence

  48. Data Classification

  49. Data Classification
  • Part of a mandatory access control (MAC) model: access is granted according to security clearance
  • Ensures that sensitive data is properly controlled and secured
  • The DoD multilevel security policy uses these classification levels (highest to lowest):
    • Top secret
    • Secret
    • Confidential
    • Sensitive but unclassified
    • Unclassified

  50. Data Classification
  • Data classification for a commercial business (highest to lowest):
    • Confidential
    • Private
    • Sensitive
    • Public
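Slides 49 and 50 say that under MAC access is decided by comparing a subject's clearance with the object's classification, but not what that comparison is. The program below, an added example that is not from the deck or the CISSP guide, orders the DoD and commercial levels from the two slides and makes read and write decisions against them. The two rules it enforces, no read up and no write down, are the Bell-LaPadula simple security and star properties; the slides do not name them, so treat that choice, the `ClassificationScheme` and `authorize` names, and the sample documents as assumptions of this example.

```python
"""Mandatory access control by classification level.

Added example, not from the original deck. It orders the DoD and commercial
classification levels from the slides and decides read and write access by
comparing a subject's clearance with an object's classification. The rules
applied (no read up, no write down) are the Bell-LaPadula simple security and
star properties, which the slides do not name; that is an assumption here.
"""

# Levels listed from lowest to highest sensitivity, taken from the slides.
DOD_LEVELS = ("unclassified", "sensitive but unclassified", "confidential", "secret", "top secret")
COMMERCIAL_LEVELS = ("public", "sensitive", "private", "confidential")


class ClassificationScheme:
    """An ordered set of labels. Unknown labels fail closed with an error."""

    def __init__(self, levels):
        if len(set(levels)) != len(levels):
            raise ValueError("classification levels must be unique")
        self._rank = {name: position for position, name in enumerate(levels)}

    def rank(self, label: str) -> int:
        try:
            return self._rank[label]
        except KeyError:
            raise ValueError(f"unknown classification level: {label!r}") from None

    def dominates(self, higher: str, lower: str) -> bool:
        """True when `higher` is at least as sensitive as `lower`."""
        return self.rank(higher) >= self.rank(lower)

    def can_read(self, clearance: str, classification: str) -> bool:
        """No read up: the subject's clearance must dominate the object's label."""
        return self.dominates(clearance, classification)

    def can_write(self, clearance: str, classification: str) -> bool:
        """No write down: the object's label must dominate the subject's clearance,
        so a cleared user cannot copy sensitive data into a less protected object."""
        return self.dominates(classification, clearance)


def authorize(scheme: ClassificationScheme, clearance: str, classification: str, action: str) -> dict:
    """Make an access decision and say why. Anything unexpected is denied."""
    try:
        if action == "read":
            allowed = scheme.can_read(clearance, classification)
        elif action == "write":
            allowed = scheme.can_write(clearance, classification)
        else:
            return {"allowed": False, "reason": f"unsupported action {action!r}"}
    except ValueError as err:  # unknown label on either side: deny, do not guess
        return {"allowed": False, "reason": str(err)}
    if allowed:
        reason = f"{action} permitted: clearance {clearance!r}, classification {classification!r}"
    else:
        reason = "no read up" if action == "read" else "no write down"
    return {"allowed": allowed, "reason": reason}


DOD = ClassificationScheme(DOD_LEVELS)
COMMERCIAL = ClassificationScheme(COMMERCIAL_LEVELS)

# Constructed sample objects for the demonstration (file names are made up).
DOCUMENTS = {
    "ops-plan.doc": "secret",
    "org-chart.pdf": "unclassified",
    "budget.xls": "sensitive but unclassified",
}


def access_matrix(scheme: ClassificationScheme, clearance: str, documents: dict, action: str) -> dict:
    """Which of the documents a subject with this clearance may read or write."""
    return {name: authorize(scheme, clearance, label, action)["allowed"] for name, label in documents.items()}


if __name__ == "__main__":
    for action in ("read", "write"):
        print(action, access_matrix(DOD, "confidential", DOCUMENTS, action))
    print(authorize(DOD, "secret", "restricted", "read"))  # label not in the scheme: denied
```

Run stand-alone, a user cleared to Confidential can read the unclassified and sensitive-but-unclassified documents but not the Secret operations plan, and can write only to the Secret document (writing up is allowed, writing down is not). The last line shows the fail-closed behaviour: a label the scheme has never heard of is denied rather than being treated as Unclassified.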
