1
Information security process
The security process:
- Risk Assessment
- Policies and process
- Security Implementation
- Security awareness
- Audits
2
Cost
Total cost of Security = Cost of the Incident + Cost of Countermeasures
Cost of Information Security = Cost of Countermeasures
Cost of the Incident + Cost of Countermeasures >> Cost of Countermeasures
3
Process of information security
1. Assessment
2. Policy
3. Implementation
4. Training
5. Audit
A continuous process that cycles through the 5 phases above
4
1. Conducting an Assessment
Goals of the assessment:
- Determine the value of the information assets
- Determine threats to confidentiality, integrity, availability and/or accountability
- Determine the existing vulnerabilities inherent in the current practice of the organization
- Identify the risk posed to the organization with regard to its information assets
- Recommend changes to current practice
- Provide a foundation on which to build an appropriate security plan
5
Conducting an Assessment
5 types of assessment:
- System-level vulnerability assessment: computer systems are examined for known vulnerabilities
- Network-level risk assessment: computer network and infrastructure
- Organization-wide risk assessment (see next slide)
- Audit
- Penetration test
6
Conducting an Assessment
Gather information from:
- Employee interviews
- Document review
- Technical examination
- Physical inspection
7
Conducting an Assessment
- Organization
  - Organization network
  - The organization's physical security measures
  - The organization's existing policies and procedures
  - Precautions the organization has put in place
  - Employee awareness of security issues
- Employees of the organization
  - The workload of the employee
  - The attitude of the employee
  - Employee adherence to existing policies and procedures
- The business of the organization
8
Conducting an Assessment
Result:
- The assessment team presents the complete set of risks and recommendations to the organization
- Present risks from largest to smallest
- For each risk, the cost (in a broad sense) should be presented
- Develop a security plan
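Slides 2 and 8 together say that each risk should be presented with its cost, largest risk first, and that the total cost of security is the cost of incidents plus the cost of countermeasures. The script below is an added example, not part of the lecture slides or of any assessment tool: it builds a small risk register, ranks it, and recommends a countermeasure only where it lowers the total. The Risk class, the model of expected incident cost as annual probability times impact, the residual_factor that a countermeasure leaves behind, and every figure in SAMPLE_RISKS are assumptions constructed for illustration.

```python
"""Added example (not from the lecture slides): a risk register that applies
the cost relation from slide 2 and the largest-to-smallest order from slide 8.

Assumptions, stated here because the slides do not make them:
- an incident's expected cost is approximated as annual_probability * impact;
- a countermeasure leaves a fraction residual_factor of that expected loss;
- all figures are in one currency unit, per year.
All risks and numbers below are constructed sample data, not real assessments.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_probability: float   # assumed likelihood of an incident in one year
    impact: float               # assumed cost of one incident
    countermeasure: str
    countermeasure_cost: float  # assumed yearly cost of the countermeasure
    residual_factor: float      # fraction of expected loss left once it is in place

    def expected_incident_cost(self) -> float:
        """Cost of the Incident, taken as an expectation over one year."""
        return self.annual_probability * self.impact

    def total_cost_with_countermeasure(self) -> float:
        """Slide 2: Total cost of Security = Cost of the Incident + Cost of Countermeasures."""
        return self.expected_incident_cost() * self.residual_factor + self.countermeasure_cost

    def countermeasure_pays_off(self) -> bool:
        """Recommend the countermeasure only when it lowers the total cost of security."""
        return self.total_cost_with_countermeasure() < self.expected_incident_cost()


def rank_risks(risks):
    """Slide 8: present risks from largest to smallest, by expected incident cost."""
    return sorted(risks, key=lambda r: r.expected_incident_cost(), reverse=True)


def assessment_report(risks):
    """One row per risk, largest first, with the cost figures the team should present."""
    rows = []
    for r in rank_risks(risks):
        rows.append({
            "risk": r.name,
            "expected_incident_cost": round(r.expected_incident_cost(), 2),
            "countermeasure": r.countermeasure,
            "total_cost_with_countermeasure": round(r.total_cost_with_countermeasure(), 2),
            "recommend": r.countermeasure_pays_off(),
        })
    return rows


def total_cost_of_security(risks):
    """Totals for the security plan: adopt each countermeasure only where it pays off."""
    incidents = 0.0
    countermeasures = 0.0
    for r in risks:
        if r.countermeasure_pays_off():
            incidents += r.expected_incident_cost() * r.residual_factor
            countermeasures += r.countermeasure_cost
        else:
            incidents += r.expected_incident_cost()  # accept the risk as it stands
    return {
        "cost_of_incidents": round(incidents, 2),
        "cost_of_countermeasures": round(countermeasures, 2),
        "total_cost_of_security": round(incidents + countermeasures, 2),
    }


# Constructed sample register; names and figures are illustrative only.
SAMPLE_RISKS = [
    Risk("Ransomware on the file server", 0.20, 250_000, "Offline backups with tested restores", 15_000, 0.20),
    Risk("Phishing credential theft", 0.50, 40_000, "Multi-factor authentication for remote access", 8_000, 0.10),
    Risk("Lost unencrypted laptop", 0.30, 20_000, "Full-disk encryption on laptops", 2_000, 0.05),
    Risk("Public web server defacement", 0.10, 5_000, "Managed web application firewall", 12_000, 0.30),
]


if __name__ == "__main__":
    for row in assessment_report(SAMPLE_RISKS):
        print(row)
    print(total_cost_of_security(SAMPLE_RISKS))
```

With the sample figures the defacement risk comes out last and its countermeasure is not recommended, because the yearly cost of the control exceeds the expected loss it would prevent; this is the comparison slide 2's inequality is pointing at, made explicit per risk.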
9
2. Developing Policy
- Information policy
- Security policy
- Use policy
- Backup policy
- Account management procedures
- Incident handling procedure
- Disaster recovery plan
10
3. Implementing Security
- Security reporting systems
  - Use-monitoring systems
  - Vulnerability scans
  - Policy adherence
- Authentication systems
- Perimeter security
- Network monitoring systems
- Encryption
- Physical security
- Staff
11
4. Awareness Training
- Employees
- Administrators
- Developers
- Executives
- Security staff
12
5. Audits
3 different functions:
- Policy adherence audits
- Periodic and new project assessments
- Penetration tests
13
Information Security Best Practices
1. Best practices
2. Administrative security practices
3. Technical security practices
4. Using best practice standards
14
2. Administrative Security Practices
- Policies and procedures
- Resources
- Responsibility
- Education
- Contingency plans
- Security project plans
15
Policies and Procedures
- Information policy
- Security policy
- Use policy
- Backup policy
- Procedures for user management
- System administration procedures
- Configuration management procedures
16
Resources
The time, resources and scope triangle is what project management balances
- Staff
- Budget
17
Education
- Preventative measures
- Enforcement measures
- Incentive measures
18
Contingency Plans
- Incident response
- Backup and data archival
- Disaster recovery
19
Security Project Plans
- Improvement plans
- Assessment plans
- Vulnerability assessment plans
- Audit plans
- Training plans
- Policy evaluation plan
20
2. Technical Security Practices
- Network controls
- Malicious code protection
- Authentication
- Monitoring
- Encryption
- Patching systems
- Backup and recovery
- Physical security
21
3. Using best practice standards
ISO 27002
1. Begin with the best practices of this chapter or of ISO 27002
2. For each section, ask: what are you doing now?
3. If your organization does not follow the practice, try to understand why
4. If you find a recommendation that hasn't been implemented, you have a gap
5. Determine whether the gap is something that should be covered and make a recommendation to your management