Transcript

1
MISA Model
Douglas Petry
Manager Information Security Architecture
Methodist Health System
[email protected]
402.354.4894
Managed Information Security Architecture
2
Introduction to MISA
The goal of the MISA model is to provide:
A tool to assess the security architecture across 16 areas of security
A dashboard executive overview of the current state of security capabilities
3
Introduction to MISA
Additional tools were developed to:
Provide a method to identify and document the future state of our security capabilities.
Define efficient implementation approaches across the 16 security areas within the assessment tool.
Map and crosswalk new and existing regulations to refine the architecture and align it with organizational requirements.
Provide metrics, or a baseline, that let us modularize and focus on the levels of security capabilities and deficiencies.
4
Gap Analysis Model
(Figure: gap-analysis grid. Labels recovered from the diagram, 16 in all: Web Servers, Application Systems, e-Mail, Network Infrastructure, Operating Systems, Databases, Intrusion Detection, Firewalls, Antivirus; Educate, Administer, Monitor, Respond, Audit; Documentation; Policies and Procedures.)
5
Information Security Architecture
What is ISA?
A way to bridge the gaps
Manage the processes
Alignment to business needs
Minimize risks without impeding the quality of care to the customer
6
ISA vs. Managed ISA (MISA)
Managed ISA, or MISA, provides:
Ongoing review and quality assurance of an ISA, with metrics to track ISA capabilities from a current state to a future state
ISA provides system-based assessments; MISA assesses the ISA methodologies
7
ISA vs. Managed ISA (MISA)
ISA provides the framework within which our security program aligns with our business objectives and involves:
Organizational Infrastructure
Policies, Standards, and Procedures
Security Baselines and Assessments
Training and Awareness
Compliance
MISA provides the managerial, operational, and technical controls necessary to help ensure security.
8
Managed ISA
(Figure labels: Manage, Measure, Document; MISA; ISA.)
Most security architectures provide ample documentation on controls, policies, and procedures. In some cases, metrics are identified for specific systems or capabilities.
MISA manages and measures the security capabilities and the architecture.
Determine Security Capabilities: Determine Current State; Determine Future State
Develop Route Map to Future State: Identify Key Initiatives
Continuous Quality Improvement: Re-Assess Current State / Future State
Information is labeled and disposed of in accordance with (IAW) policies and procedures
Information is stored and handled in accordance with (IAW) policies and procedures
21
Capability Assessment
Rating scale used on the assessment sheet:
Metric (importance): Low / Medium / High
Status: Does Not Apply / Nothing in Place / A Little in Place / Acceptable Level / A Lot in Place / Fully Integrated
Checklist items (the X marks are reproduced as extracted; their column positions were lost, so the individual ratings cannot be recovered from this transcript):
Deposits and withdrawals of tapes and other storage media from the library authorized and logged. [X X X]
Audit trails used for receipt of sensitive inputs/outputs. [X X X x]
Controls in place for transporting or mailing media or printed output. [X X X]
Audit trails kept for inventory management. [X X X x]
Activity involving access to and modification of sensitive or critical files logged, monitored, and possible security violations investigated. [X X X x]
Audit trail provides a trace of user actions. [X X]
Audit trail supports after-the-fact investigations of how, when, and why normal operations ceased. [X X X]
Access to online audit logs strictly controlled. [X X X]
Off-line storage of audit logs retained for a period of time, and if so, access to those audit logs strictly controlled. [X X X x]
Separation of duties exists between security personnel who administer the access control function and those who administer the audit trail. [X X X]
Audit trails reviewed frequently. [X X x]
Automated tools used to review audit records in real time or near real time. [X X X X x]
Suspicious activity investigated and appropriate action taken. [X X X]
If keystroke monitoring is used, users are notified of it. [X X]
Physical security audit team regularly tests and assesses the quality of the organization's physical security. [X X x]
Organization has established routine testing, auditing, and change management procedures to support the certification process.
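The Managed ISA slide describes determining a current state and a future state, then building a route map of key initiatives, and the assessment sheet above rates each control on a Low/Medium/High metric and a six-level status scale. The following Python is an added example, not code from the slide deck or from Methodist Health System, showing one way to turn such a sheet into the dashboard and route-map figures the deck talks about. It goes slightly beyond the sheet by handling two edge cases a scorer must decide on: controls marked "Does Not Apply" (excluded so they neither inflate nor deflate an area's maturity) and a future state rated below the current one (reported as a regression rather than a negative gap). The ordinal scores for the status levels, the priority weights, the area names, and every rating in SAMPLE are assumptions made up for illustration; only the checklist wording comes from the sheet.

```python
# Weighted gap scoring for a MISA-style capability assessment.
# Added example. Status levels and the Low/Medium/High metric are from the
# assessment sheet; scores, weights, area names and SAMPLE ratings are assumed.
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Ordinal score per status level (assumed). "Does Not Apply" is excluded from
# scoring so it neither inflates nor deflates an area's maturity percentage.
STATUS_SCORE = {
    "Does Not Apply": None,
    "Nothing in Place": 0,
    "A Little in Place": 1,
    "Acceptable Level": 2,
    "A Lot in Place": 3,
    "Fully Integrated": 4,
}
MAX_SCORE = 4
PRIORITY_WEIGHT = {"Low": 1, "Medium": 2, "High": 3}  # assumed weights


@dataclass(frozen=True)
class Control:
    area: str      # security area the control belongs to
    item: str      # checklist question from the assessment sheet
    priority: str  # Low / Medium / High metric
    current: str   # status level today
    future: str    # status level the route map should reach


def _score(status: str) -> Optional[int]:
    if status not in STATUS_SCORE:
        raise ValueError(f"unknown status level: {status!r}")
    return STATUS_SCORE[status]


def weighted_gap(c: Control) -> Optional[int]:
    """Distance from current to future state times the priority weight.
    None when the control does not apply. A future state below the current
    one scores 0 here and is counted as a regression by area_summary()."""
    cur, fut = _score(c.current), _score(c.future)
    if cur is None or fut is None:
        return None
    if c.priority not in PRIORITY_WEIGHT:
        raise ValueError(f"unknown priority: {c.priority!r}")
    return max(fut - cur, 0) * PRIORITY_WEIGHT[c.priority]


def area_summary(controls):
    """Dashboard figures per area: maturity now and at target, total gap,
    and how many controls are rated to go backwards."""
    acc = defaultdict(lambda: {"n": 0, "cur": 0, "fut": 0, "gap": 0, "reg": 0})
    for c in controls:
        g = weighted_gap(c)
        if g is None:
            continue
        cur, fut = _score(c.current), _score(c.future)
        a = acc[c.area]
        a["n"] += 1
        a["cur"] += cur
        a["fut"] += fut
        a["gap"] += g
        a["reg"] += fut < cur
    return {
        area: {
            "items": a["n"],
            "current_pct": round(100 * a["cur"] / (MAX_SCORE * a["n"]), 2),
            "future_pct": round(100 * a["fut"] / (MAX_SCORE * a["n"]), 2),
            "weighted_gap": a["gap"],
            "regressions": a["reg"],
        }
        for area, a in acc.items()
    }


def route_map(controls):
    """Key initiatives: open gaps only, largest weighted gap first, higher
    priority first on ties; input order breaks any remaining ties."""
    scored = [(c, weighted_gap(c)) for c in controls]
    open_items = [(c, g) for c, g in scored if g]
    open_items.sort(key=lambda cg: (-cg[1], -PRIORITY_WEIGHT[cg[0].priority]))
    return [(c.item, g) for c, g in open_items]


# Constructed sample ratings (not real assessment data).
SAMPLE = [
    Control("Audit", "Audit trail provides a trace of user actions", "High", "A Little in Place", "Fully Integrated"),
    Control("Audit", "Audit trails reviewed frequently", "High", "Nothing in Place", "Acceptable Level"),
    Control("Audit", "Automated tools used to review audit records in near real time", "Medium", "Nothing in Place", "A Lot in Place"),
    Control("Audit", "Access to online audit logs strictly controlled", "High", "Fully Integrated", "Fully Integrated"),
    Control("Media Handling", "Deposits and withdrawals of storage media authorized and logged", "Medium", "Acceptable Level", "A Lot in Place"),
    Control("Media Handling", "Controls in place for transporting or mailing media", "Low", "Does Not Apply", "Does Not Apply"),
    Control("Physical Security", "Physical security audit team regularly tests controls", "Medium", "A Lot in Place", "Acceptable Level"),
]

if __name__ == "__main__":
    for area, s in area_summary(SAMPLE).items():
        print(f"{area:18} now {s['current_pct']:6.2f}%  target {s['future_pct']:6.2f}%"
              f"  gap {s['weighted_gap']:3}  regressions {s['regressions']}")
    print("Route map (key initiatives):")
    for item, g in route_map(SAMPLE):
        print(f"  [{g:2}] {item}")
```

The route map is deliberately ordered by weighted gap rather than by raw status, so a High-priority control that is only "A Little in Place" outranks a Low-priority one that has "Nothing in Place"; re-running area_summary after each initiative is the "Re-Assess Current State / Future State" loop from the Managed ISA slide.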