Information security process (slide deck, 21 slides)

Upload: lawrence-basil-jones

Post on 19-Jan-2016


Slide 1: Information security process

- The security process
- Risk assessment
- Policies and process
- Security implementation
- Security awareness
- Audits

Slide 2: Cost

Total cost of security = Cost of the incident + Cost of countermeasures

Cost of information security = Cost of countermeasures

Cost of the incident + Cost of countermeasures >> Cost of countermeasures

Slide 3: Process of information security

1. Assessment
2. Policy
3. Implementation
4. Training
5. Audit

The five phases above form a continuous process: after the audit, the cycle starts again with a new assessment.

Slide 4: 1. Conducting an assessment

Goals for the assessment:

- Determine the value of the information assets
- Determine threats to confidentiality, integrity, availability and/or accountability
- Determine the existing vulnerabilities inherent in the current practice of the organization
- Identify the risk posed to the organization with regard to its information assets
- Recommend changes to current practice
- Provide a foundation on which to build an appropriate security plan

Slide 5: Conducting an assessment

Five types of assessment:

- System-level vulnerability assessment: computer systems are examined for known vulnerabilities
- Network-level risk assessment: the computer network and infrastructure
- Organization-wide risk assessment (see next slide)
- Audit
- Penetration test

Slide 6: Conducting an assessment

Gather information from:

- Employee interviews
- Document review
- Technical examination
- Physical inspection

Slide 7: Conducting an assessment (organization-wide)

- The organization
  - The organization's network
  - The organization's physical security measures
  - The organization's existing policies and procedures
  - Precautions the organization has put in place
  - Employee awareness of security issues
- Employees of the organization
  - The workload of the employee
  - The attitude of the employee
  - Employee adherence to existing policies and procedures
- The business of the organization

Slide 8: Conducting an assessment

Result:

- The assessment team presents the complete set of risks and recommendations to the organization
- Risks are presented from largest to smallest
- For each risk, the cost (in a broad sense) should be presented
- Develop a security plan

Slide 9: 2. Developing policy

- Information policy
- Security policy
- Use policy
- Backup policy
- Account management procedures
- Incident handling procedure
- Disaster recovery plan

Slide 10: 3. Implementing security

- Security reporting systems
  - Use-monitoring system
  - Vulnerability scans
  - Policy adherence
- Authentication systems
- Perimeter security
- Network monitoring systems
- Encryption
- Physical security
- Staff

Slide 11: 4. Awareness training

- Employees
- Administrators
- Developers
- Executives
- Security staff

Slide 12: 5. Audits

Three different functions:

- Policy adherence audits
- Periodic and new project assessments
- Penetration tests

Slide 13: Information security best practices

1. Best practices
2. Administrative security practices
3. Technical security practices
4. Using best practice standards

Slide 14: 2. Administrative security practices

- Policies and procedures
- Resources
- Responsibility
- Education
- Contingency plans
- Security project plans

Slide 15: Policies and procedures

- Information policy
- Security policy
- Use policy
- Backup policy
- Procedures for user management
- System administration procedures
- Configuration management procedures

Slide 16: Resources

Time, resources and scope form the project-management triangle.

- Staff
- Budget

Slide 17: Education

- Preventative measures
- Enforcement measures
- Incentive measures

Slide 18: Contingency plans

- Incident response
- Backup and data archival
- Disaster recovery

Slide 19: Security project plans

- Improvement plans
- Assessment plans
- Vulnerability assessment plans
- Audit plans
- Training plans
- Policy evaluation plan

Slide 20: 2. Technical security practices

- Network controls
- Malicious code protection
- Authentication
- Monitoring
- Encryption
- Patching systems
- Backup and recovery
- Physical security

Slide 21: 3. Using best practice standards (ISO 27002)

1. Begin with the best practices of this chapter or ISO 27002.
2. For each section, ask: what are you doing now?
3. If your organization does not follow the practice, try to understand why.
4. If you find a recommendation that hasn't been implemented, you have a gap.
5. Determine whether the gap is something that should be covered, and make a recommendation to your management.