Transcript
1. Information Security Management: CISSP Topic 1 (ISA 562 Internet Security Theory and Practice)
2. Course Outline
- An introductory course at the graduate level
- It covers the topics of
- The CISSP exam at varying depth
- But is NOT a CISSP course
- Textbooks:
- Matt Bishop: Computer Security Art and Science
- Official (ISC)² Guide to the CISSP CBK
3. Objectives
- Roles and responsibilities of individuals in a security program
- Security planning in an organization
- Security awareness in the organization
- Differences between policies, standards, guidelines and procedures
- Risk management practices and tools
4. Syllabus of the Course
- Bishops book for the first part
- Papers for some classes
- (ISC)² book for the second part
- Cover material relevant to the PhD qualifying examination in security
5. Introduction
- Purpose of information security:
- To protect an organization's information resources: data, hardware, and software.
- To increase organizational success: information systems are critical assets supporting its mission.
6. Information Security TRIAD
- The overarching goals of information security are addressed through the AIC (availability, integrity, confidentiality) triad.
7. IT Security Requirements - I
- Security should be designed for two requirements:
- Functional: define the behavior of the control means based on risk assessment
- Properties:
- Should not depend on another control:
- Why? To fail safe by maintaining security during a system failure
- Assurance: provide confidence that security functions perform as expected.
- Internal/External Audit.
- Third Party reviews
- Compliance to best practices
- Examples
- Functional: a network Firewall to permit or deny traffic.
- Assurance: logs are generated, monitored, and reviewed
8. Organizational & Business Requirements
- Focus on organizational mission:
- Business or goals driven
- Depends on type of organization:
- Military , Government, or Commercial.
- Must be sensible and cost effective
- Solution considers the mission and environment (a trade-off)
9. IT Security Governance
- Integral part of corporate governance:
- Fully integrated into overall risk-based threat analysis
- Ensure that IT infrastructure:
- Meets all requirements.
- Supports the strategies and objectives of the company.
- Includes service level agreements [if outsourced].
10. Security Governance: Major parts
- Leadership:
- Security leaders must be part of the company leadership -- where they can be heard.
- Structure:
- occurs at many levels and should use a layered approach.
- Processes:
- follow internationally accepted best practices :
- Job rotation, separation of duties, least privilege, mandatory vacations, etc.
- Examples of standards: ISO 17799 & ISO 27001:2005
11. Security Blueprints
- Provide a structure for organizing requirements and solutions.
- Ensure that security is considered holistically.
- To identify and design security requirements
12. Policy Overview
- Operational environment is a web of laws, regulations, requirements, and agreements or contracts with partners and competitors
- These change frequently and interact with each other
- Management must develop and publish security statements addressing policies and supporting elements, such as standards, baselines, and guidelines.
13. Policy overview
14. Functions of Security policy
- Provide Management Goals and Objectives in writing
- Ensure Document compliance
- Create a security culture
- Anticipate and protect others from surprises
- Establish the security activity/function
- Hold individuals responsible and accountable
- Address foreseeable conflicts
- Make sure employees and contractors are aware of organizational policy and changes to it
- Require incident response plan
- Establish process for exception handling, rewards, and discipline
15. Policy Infrastructure
- High level policies interpreted into functional policies.
- Functional policies derived from overarching policy and create the foundation for procedures, standards, and baselines to accomplish the objectives
- Policies gain credibility by top management buy-in.
16. Examples of Functional Policies
- Data classification
- Certification and accreditation
- Access control
- Outsourcing
- Remote access
- Acceptable mail and Internet usage
- Privacy
- Dissemination control
- Sharing control
17. Policy Implementation
- Standards, procedures, baselines, and guidelines turn management objectives and goals [functional policies] into enforceable actions for employees.
18. Standards and procedure
- Standards (local): Adoption of common hardware and software mechanism and products throughout the enterprise.
- Examples: Desktop, Anti-Virus, Firewall
- Procedures: step-by-step actions that must be followed to accomplish a task.
- Guidelines: recommendations for product implementations, procurement and planning, etc.
- Examples: ISO17799, Common Criteria, ITIL
19. Security Baselines
- Benchmarks: to ensure that a minimum level of security configuration is provided across implementations and systems.
- establish consistent implementation of security mechanisms.
- Platform unique
- Examples:
- VPN Setup,
- IDS Configuration,
- Password rules
20. Three Levels of security planning
- 1. Strategic: long-term
- Focus on high-level, long-range organizational requirements
- Example: overall security policy
- 2. Tactical: medium-term
- Focus on events that affect all the organization
- Example: functional plans
- 3. Operational: short-term
- Fight fires at the keyboard level, directly affecting how the organization accomplishes its objectives.
21. Organizational roles and responsibilities
- Everyone has a role:
- with responsibility clearly communicated and understood
- Duties associated with the role must be assigned
- Examples:
- Securing email
- Reviewing violation reports
- Attending awareness training
22. Specific Roles and Responsibilities (duties)
- Executive Management:
- Publish and endorse security policy
- Establish goals and objectives
- State overall responsibility for asset protection.
- IS security professionals:
- Security design, implementation, management,
- Review of organization security policies.
- Owner:
- Information classification
- Set user access conditions
- Decide on business continuity priorities
- Custodian:
- Entrusted with the Security of the information
- IS Auditor:
- Audit assurance guarantees.
- User:
- Compliance with procedures and policies
23. Personnel Security: Hiring staff
- Background check/Security clearance
- Check references/Educational records
- Sign Employment agreement
- Non-disclosure agreements
- Non-compete agreements
- Low level Checks
- Consult with HR Department
- Termination/dismissal procedure
24. Third party considerations
- Include:
- Vendors/Suppliers
- Contractors
- Temporary Employees
- Customers
- Must establish procedures for these groups.