
Security Management Principles Beyond the Fundamentals

Security Management Principles Beyond the Fundamentals. Brad Flick, Associate Commissioner Office of Information Security. All statements of fact, opinion, or analysis expressed are those of the author and do not reflect the official





Presentation Transcript


  1. Security Management Principles: Beyond the Fundamentals
     Brad Flick, Associate Commissioner, Office of Information Security
     All statements of fact, opinion, or analysis expressed are those of the author and do not reflect the official positions or views of the Social Security Administration (SSA) or any other U.S. Government Agency. Nothing in the contents should be construed as asserting or implying U.S. government authentication of information or SSA's endorsement of the author's views.

  2. Basic Fundamentals
     • Confidentiality
     • Integrity
     • Availability
     • Threats
     • Vulnerabilities
     • Defense
     • Policy
     • Patch Management
     • Auditing

  3. Social Security Administration
     • FY 2011
     • $770 Billion in Benefits, Over 60 Million People
     • 152 Million Transactions (avg. daily volume)
     • $1.5 Billion in Annual IT Investment

  4. Social Security Administration
     • Annual Workloads
     • 17.2 Million Social Security Cards
     • 1 Billion SS Number Verifications
     • 147 Million Social Security Statements
     • 270 Million Earnings Items Posted
     • 3.9 Million Retirement, Survivor, and Medicare Applications
     • 2.5 Million Disability Applications

  5. Social Security Administration
     • Network Overview
     • Approx. 100,000 system users
     • Over 1,300 offices worldwide
     • Over 200,000 network devices
     • Over 21 Petabytes of Data

  6. Beyond the Fundamentals: 10 Principles

  7. Your Reputation Precedes You
     • Security needs to be part of the culture
     • Privacy of SSA records – the 1st regulation adopted, 1937
     • Regulation No. 1: "It being found by the Social Security Board (hereinafter referred to as the Board) that the public interest and the efficient administration of the functions with which the Board is charged under the Social Security Act require that the confidential nature of all wage records and other records or information in possession of the Board, pertaining to any person, be preserved."

  8. Policy and Standards
     • Should be like a good rental agreement
     • Must be enforced
     • Communication
     • If you can't communicate, you will struggle to be successful
     • Everyone must understand the message

  9. Training and Awareness
     • Vital! Do not underestimate.
     • Big Issues in 2011: Phishing Attacks
       • RSA
       • Sr. Govt. Official's Gmail compromise
       • Federally Funded Research facilities

  10. Security Has to be Usable
     • If it is too difficult, it will be bypassed

  11. Build It In, Don't Retrofit
     • Obvious, but no magic solution
     • Security is often 'last minute'
     • Developers and Sponsors resistant to changes
     • Can be Cultural
     • Must build awareness of the value of 'building in'

  12. Build Alert Mechanisms
     • Most folks focus on access control and audit trail.
     • Dashboards – are they being watched?
     • Audit trails – are they being reviewed?
     • Build tolerances to alert on suspicious activities.

  13. Take Time to Plan
     • Firefighting vs. fire prevention planning…

  14. Regular Reality Checks are Necessary
     • Is there governance and compliance?
     • Are the rules relevant to the business process, understandable, reflective of reality, and current?
     • Are they enforceable or at least not ignored?
     • Don't assume the business owner will do the right thing. They will Roll the Dice every time.

  15. Questions?
