1. Information Security Management: CISSP Topic 1
ISA 562 Internet Security Theory and Practice
2. Course Outline
- An introductory course at the graduate level
- The CISSP exam at varying depth
- But is NOT a CISSP course
- Matt Bishop: Computer Security Art and Science
- Official (ISC)² Guide to the CISSP CBK
3. Objectives
- Roles and responsibilities of individuals in a security program
- Security planning in an organization
- Security awareness in the organization
- Differences between policies, standards, guidelines and procedures
- Risk Management practices and tools
4. Syllabus of the Course
- Bishop's book for the first part
- (ISC)² book for the second part
- Cover material relevant to the PhD qualifying examination in security
5. Introduction
- Purpose of information security:
  - To protect an organization's information resources: data, hardware, and software.
  - To increase organizational success: IS are critical assets supporting its mission.
6. Information Security TRIAD
- The overarching goals of information security are addressed through the AIC TRIAD.
7. IT Security Requirements - I
- Security should be designed for two requirements:
  - Functional: define the behavior of the control means based on risk assessment
    - Should not depend on another control:
      - Why? Fail safe by maintaining security during a system failure
  - Assurance: provide confidence that security functions perform as expected.
    - Compliance to best practices
- Functional: a network firewall to permit or deny traffic.
- Assurance: logs are generated, monitored, and reviewed
8. Organizational & Business Requirements
- Focus on organizational mission:
  - Depends on type of organization: Military, Government, or Commercial.
- Must be sensible and cost effective
  - Solution considers the mission and environment: a trade-off
9. IT Security Governance
- Integral part of corporate governance:
  - Fully integrated into overall risk-based threat analysis
- Ensure that IT infrastructure:
  - Supports the strategies and objectives of the company.
  - Includes service level agreements [if outsourced].
10. Security Governance: Major parts
- Security leaders must be part of the company leadership, where they can be heard.
- Occurs at many levels and should use a layered approach.
- Follow internationally accepted best practices:
  - Job rotation, separation of duties, least privilege, mandatory vacations, etc.
  - Examples of standards: ISO 17799 & ISO 27001:2005
11. Security Blueprints
- Provide a structure for organizing requirements and solutions.
- Ensure that security is considered holistically.
- To identify and design security requirements
12. Policy Overview
- Operational environment is a web of laws, regulations, requirements, and agreements or contracts with partners and competitors
- These change frequently and interact with each other
- Management must develop and publish security statements addressing policies and supporting elements, such as standards, baselines, and guidelines.
13. Policy overview
14. Functions of Security policy
- Provide Management Goals and Objectives in writing
- Ensure Document compliance
- Create a security culture
- Anticipate and protect others from surprises
- Establish the security activity/function
- Hold individuals responsible and accountable
- Address foreseeable conflicts
- Make sure employees and contractors are aware of organizational policy and changes to it
- Require incident response plan
- Establish process for exception handling, rewards, and
discipline
15. Policy Infrastructure
- High-level policies are interpreted into functional policies.
- Functional policies are derived from the overarching policy and create the foundation for procedures, standards, and baselines to accomplish the objectives
- Policies gain credibility by top management buy-in.
16. Examples of Functional Policies
- Certification and accreditation
- Acceptable mail and Internet usage
17. Policy Implementation
- Standards, procedures, baselines, and guidelines turn
management objectives and goals [functional policies] into
enforceable actions for employees.
18. Standards and procedures
- Standards (local): adoption of common hardware and software mechanisms and products throughout the enterprise.
  - Examples: Desktop, Anti-Virus, Firewall
- Procedures: step-by-step actions that must be followed to accomplish a task.
- Guidelines: recommendations for product implementations, procurement and planning, etc.
  - Examples: ISO 17799, Common Criteria, ITIL
19. Security Baselines
- Benchmarks: to ensure that a minimum level of security configuration is provided across implementations and systems.
- Establish consistent implementation of security mechanisms.
20. Three Levels of security planning
- 1. Focus on high-level, long-range organizational requirements
  - Example: overall security policy
- 2. Focus on events that affect all the organization
  - Example: functional plans
- 3. Operational: short-term
  - Fight fires at the keyboard level, directly affecting how the organization accomplishes its objectives.
21. Organizational roles and responsibilities
- With responsibility clearly communicated and understood
- Duties associated with the role must be assigned
- Reviewing violation reports
- Attending awareness training
22. Specific Roles and Responsibilities (duties)
- Publish and endorse security policy
- Establish goals and objectives
- State overall responsibility for asset protection.
- IS security professionals:
  - Security design, implementation, and management
  - Review of organization security policies.
- Information classification
- Set user access conditions
- Decide on business continuity priorities
- Entrusted with the security of the information
- Audit assurance guarantees.
- Compliance with procedures and policies
23. Personnel Security: Hiring staff
- Background check/Security clearance
- Check references/Educational records
- Sign employment agreement
- Non-disclosure agreements
- Consult with HR Department
- Termination/dismissal procedure
24. Third party considerations
- Must establish procedures for these groups.