Presented by: Group 15, Kumar Mayank (14609038) and Rachit Mehrotra (14609157)
IT Architecture for Dummies – Chapter 5 & 6

Planning Enterprise Information Security

Dec 12, 2015


Complying with Mandates and Managing Risks
Page 1: Planning Enterprise Information Security


Page 2: Planning Enterprise Information Security

Coverage

• Planning Enterprise Information Security: protecting enterprise data; creating a security plan; developing a security policy; using technology to support security operations.

• Complying with Mandates and Managing Risks: keeping your company compliant; planning to manage risk; addressing risks.

04/18/2023 IT Architecture for Dummies - Chapter 5 & 6

Page 3: Planning Enterprise Information Security

Protecting Enterprise Data

A data breach is the inadvertent release of sensitive or otherwise protected data.

Common ways in which data is revealed include:

• Theft of equipment (particularly laptops) containing unencrypted information.
• Equipment discovered missing during periodic inventory checks.
• Confidential data posted to a company’s public Web site or to an inadequately secured accessible location.
• Improper disposal of data processing equipment.
• Accidental exposure through e-mail.


Page 4: Planning Enterprise Information Security

Creating a Security Plan

• Design a workable program.
• View security as a program, not as a project.
• Keep security simple.


Page 5: Planning Enterprise Information Security

Creating a Security Plan (continued)

• Use a layered framework that applies security measures at each of the following layers:

  Data
  Applications that access the data
  Hosts on which the applications and data reside
  Network on which the hosts reside
  Perimeter separating your organization’s network from the public network
  Facility housing the computing


Page 6: Planning Enterprise Information Security

Creating a Security Plan (continued)


Figure 1 : A simple example of the Layered Defense strategy.

Page 7: Planning Enterprise Information Security

Creating a Security Plan (continued)

• Implement a security standard, for example:

  ISO/IEC 27000 series, published by the International Organization for Standardization (www.iso.org)
  Systems Security Engineering Capability Maturity Model (www.ssecmm.org)
  The Standard of Good Practice for Information Security, published by the Information Security Forum (www.isfsecuritystandard.com)
  Special Publication 800 standards, published by the U.S. National Institute of Standards and Technology (csrc.nist.gov)
  Federal Information Processing Standards (www.itl.nist.gov/fipspubs)


Page 8: Planning Enterprise Information Security

Developing a Security Policy

• Classifying data to be secured.
• Training employees.
• Getting management approval.

  It ensures that those who control the finances understand that security is important and must be budgeted for.

  It lets employees know that security is a valid business concern.

• Maintaining the policy, revisiting it on: emerging security threats; changes in business functionality or data classification; implementation of new technology; mergers and acquisitions; security incidents.


Page 9: Planning Enterprise Information Security

Developing a Security Policy (continued)

Addressing basic security elements:

• Administrative access.
• Acceptable use.
• Authorized software.
• Data disposal.
• Encryption.
• Firewall.
• Incident management.
• Malware.
• Passwords.
• Server and workstation hardening.
• Social engineering awareness.
• Social media.
• Telephone procedures.
• Waste disposal.

Page 10: Planning Enterprise Information Security

Using Technology to support Security Operations

• Remain flexible.
• Plan for partner relationships.
• Outsource only when necessary.


Page 11: Planning Enterprise Information Security

Using Technology to support Security Operations (continued)

• Use collaborative technologies: e-mail and messaging; discussion boards and wikis; scheduling and task management; conferencing (Web, voice, and video).
• Use them to: communicate new security policies; announce potential threats; detail how to address, report, or respond to these risks; remind users of their responsibilities with regard to security; provide a mechanism for security incident reporting.


Page 12: Planning Enterprise Information Security


Complying with Mandates and Managing Risk

Page 13: Planning Enterprise Information Security

Legal Mandates Affecting the Organization

• SOX (Sarbanes-Oxley Act)
• GLBA (Gramm-Leach-Bliley Act)
• HIPAA (Health Insurance Portability and Accountability Act)
• FERPA (Family Educational Rights and Privacy Act)
• COPPA (Children’s Online Privacy Protection Act)

Page 14: Planning Enterprise Information Security

Planning to manage risk

• Technical considerations
  o Data centre management solutions
  o Technology replacement agreements
  o Physical security
  o Data centre planning measures

Page 15: Planning Enterprise Information Security

Types Of Threats

• Natural: weather events
• Environmental: fire, power failure
• Human: cheating, fraud
• Electronic:
  – Malware
  – Bugs
  – Phishing mails
  – Bots and botnets

Page 16: Planning Enterprise Information Security

Assessing Risk

• Each threat is analyzed to determine its probability and impact.

• Probability refers to the likelihood that the threat will materialize into an actual event.

• Impact refers to the loss that would occur if it does.

Page 17: Planning Enterprise Information Security

Assessing Risk Process

• Determining probability: how often threat events occur.

• Determining impact: the nature and severity of the consequences of a successful threat event.

• Using a risk matrix: combining probability and impact to determine a risk rating.

Page 18: Planning Enterprise Information Security

Addressing Risk

• Prioritizing threats.
• Reducing probability.
• Reducing impact.

Page 19: Planning Enterprise Information Security

Prioritizing threats

• Acceptance: the risk is identified and accepted; its impact is understood.
• Avoidance: selecting an alternative option.
• Mitigation: additional protection or alterations.
• Transference: insurance protections.

Page 20: Planning Enterprise Information Security

Reducing Probability

• Use of countermeasures against common threats.
• Examples:

Threat                                         | Countermeasures
Data exposure from lost or stolen backup media | Encrypt backups and implement greater physical security controls.
Theft of user credentials                      | Install anti-malware software.
Unauthorized access to corporate network       | Install a firewall.

Page 21: Planning Enterprise Information Security

Reducing Impact

• Comprehensive contingency plan.
• Training users to report suspected security incidents.
• Implementing clusters and load balancing.
• Ensuring that copies of critical data are stored in a secure facility.
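The assessment process on slides 16 through 21 (probability, impact, risk matrix rating, prioritization, acceptance versus reduction, and countermeasures that lower probability or impact) carried through on a small threat register, as an added example rather than code from the book or the presenters. The 3x3 scale, the assumed levels of the sample threats and the acceptance threshold are assumptions chosen for illustration.

```python
"""Risk matrix: rate threats (probability x impact), prioritize them, and show
how a countermeasure that lowers probability or impact changes the rating.
Added example, not from the book or slides; scale, levels, threshold are assumed."""
from dataclasses import dataclass, replace

LEVELS = ("low", "medium", "high")   # index 0..2 -> score 1..3
ACCEPT_BELOW = 4                      # assumed: ratings under 4 are accepted as-is

@dataclass(frozen=True)
class Threat:
    name: str
    probability: str   # how often the threat event is expected to occur
    impact: str        # nature and severity of the consequences

def score(level: str) -> int:
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}, expected one of {LEVELS}")
    return LEVELS.index(level) + 1

def risk_rating(t: Threat) -> int:
    """Risk matrix cell: probability score times impact score (1..9)."""
    return score(t.probability) * score(t.impact)

def prioritize(threats: list[Threat]) -> list[Threat]:
    """Highest rating first; ties broken by impact (assumed tie-break rule)."""
    return sorted(threats, key=lambda t: (risk_rating(t), score(t.impact)), reverse=True)

def treatment(t: Threat) -> str:
    """Below the threshold the risk is accepted; otherwise it must be reduced."""
    return "accept" if risk_rating(t) < ACCEPT_BELOW else "reduce"

def apply_countermeasure(t: Threat, reduces: str) -> Threat:
    """Lower probability (e.g. anti-malware) or impact (e.g. encrypted backups)
    by one level; 'low' stays 'low'."""
    if reduces not in ("probability", "impact"):
        raise ValueError("reduces must be 'probability' or 'impact'")
    lowered = LEVELS[max(LEVELS.index(getattr(t, reduces)) - 1, 0)]
    return replace(t, **{reduces: lowered})

# Constructed sample register built from the slide-20 threats; levels are assumed.
REGISTER = [
    Threat("Data exposure from lost or stolen backup media", "medium", "high"),
    Threat("Theft of user credentials", "high", "medium"),
    Threat("Unauthorized access to corporate network", "low", "high"),
    Threat("Accidental exposure through e-mail", "medium", "low"),
]

if __name__ == "__main__":
    for t in prioritize(REGISTER):
        print(risk_rating(t), treatment(t), t.name)
    encrypted = apply_countermeasure(REGISTER[0], "impact")   # encrypt the backups
    print("after encrypting backups:", risk_rating(encrypted), treatment(encrypted))
```

Note that a single countermeasure can leave a threat above the acceptance threshold (6 drops to 4 here), which is why the slides pair probability reduction with impact reduction rather than relying on one.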
