Security Controls – What Works Southside Virginia Community College: Security Awareness
Jan 07, 2016
Security Controls – What Works
Southside Virginia Community College: Security Awareness
Session Overview
• Identification of Information Security Drivers• Identification of Regulations and Acts• Introduction to Security Standards• Understanding Security Controls• Technology Solutions Assisting in Regulatory Compliance
Identification of Information Security Drivers
• Identification of Information Security Drivers• Identification of Regulations and Acts• Introduction to Security Standards• Understanding Security Controls• Technology Solutions Assisting in Regulatory Compliance
Business Drivers
What are the business drivers for information security:What are the business drivers for information security:
Facilitate Business Initiatives
Protect Brand Image
Protect Customer Confidence
Reduce Costs and Improve Productivity
Enhance Service Levels
Technology Direction
Comply with Regulations
Facilitate Business Initiatives
Protect Brand Image
Protect Customer Confidence
Reduce Costs and Improve Productivity
Enhance Service Levels
Technology Direction
Comply with Regulations
Regulatory Compliance Drives Security Initiatives
Key areas for compliance-related spending are associated with implementing an Information Security Management Framework and specifically include:
Key areas for compliance-related spending are associated with implementing an Information Security Management Framework and specifically include:
Policies and Procedures
Training and Awareness
Security Event Management Tools
Identity and Password Management Technologies
Policies and Procedures
Training and Awareness
Security Event Management Tools
Identity and Password Management Technologies
Regulatory Compliance has emerged as the biggest driver of information security initiatives / spending. Regulatory Compliance has emerged as the biggest driver of information security initiatives / spending.
Information Security Management Framework
What is an Information Security Management Framework:What is an Information Security Management Framework:
Key Set of Policies and Processes Supporting Information Security
Organizational Structure and Governance for Information Security
Implementation of Standard Security Controls
Appropriate and Sufficient Security Tools and Technologies
Key Set of Policies and Processes Supporting Information Security
Organizational Structure and Governance for Information Security
Implementation of Standard Security Controls
Appropriate and Sufficient Security Tools and Technologies
Regulatory Benefits of Implementing an Information Security Management Framework
Regulatory benefits of implementing an Information Security Management Framework include:Regulatory benefits of implementing an Information Security Management Framework include:
Protecting the privacy of personally identifiable information (customer and employee)
Protecting sensitive information and resources from being accessed or shared with unauthorized users
Ensuring integrity of financial data
Ensuring that data content is protected and tamper-resistant
Ensuring well controlled systems
Ensuring secure development and maintenance of software, systems, and applications
Protecting the privacy of personally identifiable information (customer and employee)
Protecting sensitive information and resources from being accessed or shared with unauthorized users
Ensuring integrity of financial data
Ensuring that data content is protected and tamper-resistant
Ensuring well controlled systems
Ensuring secure development and maintenance of software, systems, and applications
Information Security Management Framework Lifecycle
The implementation of the Information Security Management Framework follows the concept of the Plan, Prevent, Detect, Respond cycle, common in other management frameworks, such as ISO 9001 and ISO 14001.
The implementation of the Information Security Management Framework follows the concept of the Plan, Prevent, Detect, Respond cycle, common in other management frameworks, such as ISO 9001 and ISO 14001.
Input
Work with business units to identify and classify their assets
along with the business risks
associated with those asset.
DEVELOPMENT, MAINTENANCE AND
IMPROVEMENT CYCLE.
Plan
Ensure the context and scope of the
Framework is correct and appropriate.
RespondUpdate Framework security processes
from lessons learned.
DetectMonitor the
effectiveness of security processes.
PreventImplement and
operate the processes associated with the
Framework.
Effective Information Security
Management Framework
based on the organization's risk
profile.
Output
Information Security Management Framework Flow
Regulatory Requirements and Security Standards help define the Organizations Security Environment. This environment dictates the Organizations Security Directive, which dictates the ultimate Information Security Management Framework.
Regulatory Requirements and Security Standards help define the Organizations Security Environment. This environment dictates the Organizations Security Directive, which dictates the ultimate Information Security Management Framework.
Information Security Framework
(Security Controls)
Organizational Directive for Information Security
Technologies and Solutions
Regulatory Requirements
Regulatory Requirements
Business InitiativesBusiness Initiatives
Security StandardsSecurity
StandardsTechnology Direction
Technology Direction
Business and Security Environment
Identification of Regulations and Acts
• Identification of Information Security Drivers• Identification of Regulations and Acts • Introduction to Security Standards• Understanding of Security Controls• Technology Solutions Assisting in Regulatory Compliance
Significant Regulations and Acts
Some of the more significant security regulations and acts include:Some of the more significant security regulations and acts include:
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes Oxley Act (SOX)
European Union Data Protection Directive (EUDPD)
Personal Data Act
Computer Misuse Act
Data Protection Act
21 CFR Part 11
BASEL II
Various State Security Breach Laws
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes Oxley Act (SOX)
European Union Data Protection Directive (EUDPD)
Personal Data Act
Computer Misuse Act
Data Protection Act
21 CFR Part 11
BASEL II
Various State Security Breach Laws
Security ObjectivesThese regulations and acts specify information security objectives associated with:These regulations and acts specify information security objectives associated with:
Security Policy, Organization, and Program
Personnel, Human Resources, and Administrative security controls
User, Network, System, and Physical access management
Proactive vulnerability, risk, and threat assessment and management activities
Intrusion Detection capabilities
Event Logging and Monitoring and Incident Response programs and processes
Encryption capabilities and the protection of information confidentiality and integrity
Identification, authentication, and authorization controls to information and systems
Asset classification and control
Disaster Recovery and Business Continuity planning
Security Policy, Organization, and Program
Personnel, Human Resources, and Administrative security controls
User, Network, System, and Physical access management
Proactive vulnerability, risk, and threat assessment and management activities
Intrusion Detection capabilities
Event Logging and Monitoring and Incident Response programs and processes
Encryption capabilities and the protection of information confidentiality and integrity
Identification, authentication, and authorization controls to information and systems
Asset classification and control
Disaster Recovery and Business Continuity planning
This is not an all inclusive list of all security regulatory goals, but rather a sample of the security objectives of these regulationsThis is not an all inclusive list of all security regulatory goals, but rather a sample of the security objectives of these regulations
Introduction to Security Standards
• Identification of Information Security Drivers• Identification of Regulations and Acts• Introduction to Security Standards• Understanding Security Controls• Technology Solutions Assisting in Regulatory Compliance
Value Proposition of Security Standards
Security Standards:Security Standards:
Provide outlines of accepted best practice for security management
Provide guidelines for the implementation of security measures
Provide a framework for the management of information, network, and system security within an organization
Provide a suggested code of practice
Integrate security measures into an overall security architecture
Can be used by organizations of all sizes, industries, and sectors
Provide outlines of accepted best practice for security management
Provide guidelines for the implementation of security measures
Provide a framework for the management of information, network, and system security within an organization
Provide a suggested code of practice
Integrate security measures into an overall security architecture
Can be used by organizations of all sizes, industries, and sectors
Security Standard compliance is NOT required by law, though some contracts now require Certifications. Security Standard compliance is NOT required by law, though some contracts now require Certifications.
Compliance and Certification
To achieve compliance the organization must implement measures to address all control objectives.To achieve compliance the organization must implement measures to address all control objectives.
Formal certification is usually achieved through a formal audit conducted by a certified independent auditor.
Certification offers internal and external confidence in the Information Security Management Framework.
Certification demonstrates good governance and can provide evidence of due diligence for some requirements for regulatory compliance.
Formal certification is usually achieved through a formal audit conducted by a certified independent auditor.
Certification offers internal and external confidence in the Information Security Management Framework.
Certification demonstrates good governance and can provide evidence of due diligence for some requirements for regulatory compliance.
Compliance Achievement Process
Recognise the need· Get management support· Appoint Program Manager
Scoping· Decide on suitable scope· Define scope· Agree with Certification Body
(formal certification only)
Gap Analysis· Identify existing controls· Review existing documents· Identify gaps between these
and Standard requirements
Risk Assessment· Identify assets within scope· Identify threats to assets· Asses level of risk· Identify treatment options
Security Improvement· Managed program for
addressing security issues
Typical activities· Security policies and
procedures· Security awareness training· Internet and email usage· Laptop and PDA security· Backup procedures· Firewall configuration review· Penetration Testing· Review of user accounts
Formal Certification· Documentation Review and
Pre Audit (2-3 days)· Formal Audit (4-8 days)
Demonstrate Compliance· Document ISMS Policy· Justify claim in documented
Statement of Applicability
AnalysisInitiation ComplianceImplementation
Industry Accepted Security Standards
Some of the more commonly accepted and implemented standards include:Some of the more commonly accepted and implemented standards include:
International Standard, ISO/IEC 17799:2005 (ISO 17799)
Australian Standard, AS/NZS 7799.2:2003 (AS 7799)
Payment Card Industry (PCI) Data Standard
Common Criteria for IT Security Evaluation (ISO 9000)
NIST Computer Security Standards
International Standard, ISO/IEC 17799:2005 (ISO 17799)
Australian Standard, AS/NZS 7799.2:2003 (AS 7799)
Payment Card Industry (PCI) Data Standard
Common Criteria for IT Security Evaluation (ISO 9000)
NIST Computer Security Standards
Understanding Security Controls
• Identification of Information Security Drivers• Identification of Regulations and Acts• Introduction to Security Standards• Understanding Security Controls• Technology Solutions Assisting in Regulatory Compliance
Security Controls Overview
Security Controls address security issues that should be considered as part of the Information Security Management Framework.
Security Controls address security issues that should be considered as part of the Information Security Management Framework.
While there is no authoritative set of controls and titles, most security standards and best practices use similar titles and categories to define security controls.
While there is no authoritative set of controls and titles, most security standards and best practices use similar titles and categories to define security controls.
Security Policy
Security Organization and Governance
Asset Management
Data Protection
Personnel Security
Physical and Environmental
Communications and Operations Management
Security Policy
Security Organization and Governance
Asset Management
Data Protection
Personnel Security
Physical and Environmental
Communications and Operations Management
Access Control
Logging and Monitoring
Vulnerability Management
Incident Management
Software & System Acquisition, Development, and Maintenance
Business Continuity Management
Compliance
Access Control
Logging and Monitoring
Vulnerability Management
Incident Management
Software & System Acquisition, Development, and Maintenance
Business Continuity Management
Compliance
Security Control Objectives - 1
Security Policy:Security Policy:
Documented security objectives for the organization that is agreed and approved by management
Documented security objectives for the organization that is agreed and approved by management
Security Organization and Governance:Security Organization and Governance:
Assigning security responsibilities and accountability and a management forum for setting and approving security objectives
Assigning security responsibilities and accountability and a management forum for setting and approving security objectives
Security Control Objectives - 2
Asset Management:Asset Management:
The management (identification, classification, and control) of information and hardware & software resources
The management (identification, classification, and control) of information and hardware & software resources
Data Protection:Data Protection:
Effective controls for protecting the confidentiality, integrity, and availability of information and information resources
Effective controls for protecting the confidentiality, integrity, and availability of information and information resources
Security Control Objectives - 3
Personnel Security:Personnel Security:
The management of staff, terms of employment, termination processes, and awareness and training
The management of staff, terms of employment, termination processes, and awareness and training
Physical and Environmental Security:Physical and Environmental Security:
Securing the human and system physical environment; including entry controls, fire and power controls, cable and rack security
Securing the human and system physical environment; including entry controls, fire and power controls, cable and rack security
Security Control Objectives - 4
Communications and Operations Management:Communications and Operations Management:
Key security aspects of managing network and system components securely, including backups, anti-virus, patches, media and laptop security
Key security aspects of managing network and system components securely, including backups, anti-virus, patches, media and laptop security
Access Control:Access Control:
The control of logical, physical, and remote access to information and resources; including identification and authentication, authorization, password and user management on applications, operating systems, and within networks
The control of logical, physical, and remote access to information and resources; including identification and authentication, authorization, password and user management on applications, operating systems, and within networks
Security Control Objectives - 5
Logging and Monitoring:Logging and Monitoring:
The collection, aggregation, normalization, correlation, mining, and tracking of security events
The collection, aggregation, normalization, correlation, mining, and tracking of security events
Vulnerability Management:Vulnerability Management:
The performance of risk, threat, and vulnerability assessmentsThe performance of risk, threat, and vulnerability assessments
Security Control Objectives - 6
Incident Management:Incident Management:
The detection, reporting, recording, handling, response, review, and management of security incidents
The detection, reporting, recording, handling, response, review, and management of security incidents
Software & System Acquisition, Development, and Maintenance:Software & System Acquisition, Development, and Maintenance:
The secure development and maintenance of software and systems for on-going secure operation
The secure development and maintenance of software and systems for on-going secure operation
Security Control Objectives - 7
Business Continuity Management:Business Continuity Management:
Planning and defining the response in the event of a disaster or disruption in business to ensure continuity of operations
Planning and defining the response in the event of a disaster or disruption in business to ensure continuity of operations
Compliance:Compliance:
Ensuring the compliance with security and privacy legislative requirements
Ensuring the compliance with security and privacy legislative requirements
Technology Solutions Assisting In Regulatory Compliance
• Identification of Information Security Drivers• Introduction to Security Standards• Understanding of Security Controls• Identification of Regulations and Acts• Technology Solutions Assisting in Regulatory Compliance
This guide provides technology solutions for assisting regulatory compliance. The technology solution categories include:
This guide provides technology solutions for assisting regulatory compliance. The technology solution categories include:
Microsoft’s “The Regulatory Compliance Planning Guide”
• Document Management Solutions
• Business Process Management Solutions
• Project Management Solutions
• Risk Assessment Solutions
• Change Management Solutions
• Network Security Controls
• Host Control Solutions
• Malicious Software Prevention Solutions
• Application Security Solutions
• Messaging and Collaboration Solutions
• Data Classification and Protection Solutions
• Identity Management Solutions• Authentication, Authorization, and
Access Control Solutions• Training Solutions• Physical Security Solutions• Vulnerability Identification Solutions• Monitoring and Reporting Solutions• Disaster Recovery and Failover
Solutions• Incident Management and Trouble-
Tracking Solutions
Session Summary
Regulatory Compliance has emerged as the biggest driver of information security initiatives / spending.Regulatory Compliance has emerged as the biggest driver of information security initiatives / spending.
Any organization can use the guidance and requirements in Security Standards to improve aspects of their internal security management.Any organization can use the guidance and requirements in Security Standards to improve aspects of their internal security management.
Security Controls address security issues that should be considered as part of the Information Security Management Framework. Microsoft Products and Solutions support the implementation of security controls.
Security Controls address security issues that should be considered as part of the Information Security Management Framework. Microsoft Products and Solutions support the implementation of security controls.
Many Microsoft technology solutions assist in regulatory complianceMany Microsoft technology solutions assist in regulatory compliance
Regulations and Acts specify information security objectives necessary for regulatory compliance.Regulations and Acts specify information security objectives necessary for regulatory compliance.