SECURING INFORMATION SERVICES

Upload: vibi-abraham

Post on 14-Apr-2017

Page 1: Securing Information Services v1.0

SECURING INFORMATION SERVICES

Page 2

SECURITY BENCHMARK

Elevated
  Standards defined by the customer
  Advanced security controls
  Meet customer demands
  Cost borne by the customer/organization
  Periodic review by the customer/third party
  Approvals by the customer/organization
  Example: Customers 3 & 6 are identified as elevated customers, and hence a custom security model will be introduced and followed for these customers.

Baseline
  Organization standard practices
  Mandatory security controls
  No customer security demands
  Cost borne by the organization
  Periodic review by the organization/third party
  Approvals by the organization
  Example: Customers 1, 2, 5 & 7 are identified as baseline customers. These customers agree to the organization's general security practices; therefore a single security model will be followed.

Page 3

DATA PROTECTION MECHANISMS

Objective: To understand and apply security controls for the protection of the confidentiality, integrity, and availability of critical data or business functions.

Layering: Multiple controls placed in series
Abstraction: Similar elements are put into a group and handled by one control
Data hiding: Preventing data from being discovered or accessed
Encryption: Limiting access to the intended recipients

Page 4

IDENTITY AND ACCESS MANAGEMENT

Objective: To control access to computer resources, enforce policies, audit usage, and trace each action to a specific user.

Authentication: Single sign-on, RADIUS, Multi-factor
Authorization: Access management, Endpoint validation
Accounting: Audit logging
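The three functions listed above are one flow in practice: a request is authenticated, then authorized, and every decision is recorded so the action can be traced back to a user. The following is an added example, not code from the slide deck; the user store, the role-based policy table and the HMAC one-time code (RFC 4226 HOTP, the counter-based building block of TOTP) are constructed for illustration, and a deployment would back them with a directory, an SSO/RADIUS provider and a real TOTP library.

```python
"""Minimal AAA gateway: authentication, authorization, accounting (added example)."""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field

# Constructed, deterministic credentials for the example users (not real secrets).
ALICE_SALT = b"alice-salt-0123456"
ALICE_SECRET = b"alice-otp-seed-0123"
BOB_SALT = b"bob-salt-0123456789"
BOB_SECRET = b"bob-otp-seed-01234567"


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash; compare with hmac.compare_digest, never ==."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP code, used here as the second authentication factor."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    otp_secret: bytes
    roles: set


@dataclass
class Gateway:
    users: dict                 # name -> User
    policy: dict                # role -> {(resource, action), ...}
    audit_log: list = field(default_factory=list)

    def _record(self, user: str, event: str, outcome: str, **extra) -> dict:
        """Accounting: every decision becomes an audit entry tied to the user."""
        entry = {"ts": time.time(), "user": user, "event": event, "outcome": outcome, **extra}
        self.audit_log.append(entry)
        return entry

    def authenticate(self, name: str, password: str, otp: str, counter: int) -> bool:
        """Password plus one-time code; both factors are checked before answering
        so an attacker cannot tell from timing which one was wrong."""
        u = self.users.get(name)
        # Unknown users still go through a hash to keep response time uniform.
        salt = u.salt if u else b"\x00" * 16
        expected_hash = u.pw_hash if u else hash_password("", salt)
        secret = u.otp_secret if u else b"\x00" * 16
        pw_ok = hmac.compare_digest(expected_hash, hash_password(password, salt))
        otp_ok = hmac.compare_digest(hotp(secret, counter), otp)
        ok = u is not None and pw_ok and otp_ok
        self._record(name, "authn", "allow" if ok else "deny",
                     factors={"password": bool(u) and pw_ok, "otp": bool(u) and otp_ok})
        return ok

    def authorize(self, name: str, resource: str, action: str) -> bool:
        """Role-based access check against the policy table (authorization)."""
        u = self.users.get(name)
        allowed = u is not None and any(
            (resource, action) in self.policy.get(role, set()) for role in u.roles)
        self._record(name, "authz", "allow" if allowed else "deny",
                     resource=resource, action=action)
        return allowed


def build_demo_gateway() -> Gateway:
    """Constructed sample directory and policy (assumed, not from the deck)."""
    users = {
        "alice": User("alice", ALICE_SALT, hash_password("correct horse", ALICE_SALT),
                      ALICE_SECRET, {"dba"}),
        "bob": User("bob", BOB_SALT, hash_password("battery staple", BOB_SALT),
                    BOB_SECRET, {"analyst"}),
    }
    policy = {
        "dba": {("customer-db", "read"), ("customer-db", "write"), ("customer-db", "delete")},
        "analyst": {("customer-db", "read"), ("reports", "read")},
    }
    return Gateway(users, policy)


def trace_user(gw: Gateway, name: str) -> list:
    """Pull every audited event for one user: the 'trace action to user' objective."""
    return [e for e in gw.audit_log if e["user"] == name]
```

Usage: `gw = build_demo_gateway(); gw.authenticate("bob", "battery staple", hotp(BOB_SECRET, 7), 7)` followed by `gw.authorize("bob", "customer-db", "delete")` yields an allow for authentication and a deny for the delete, and `trace_user(gw, "bob")` returns both entries in order.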

Page 5

RISK MANAGEMENT

Objective: To develop strategies and implement proper controls that reduce the overall risk associated with critical assets, and to determine the severity of the impact to the business from any risk that affects the confidentiality, integrity or availability of those assets.

Identify threats and vulnerabilities: Threats against critical assets

Risk assessment/analysis
  Qualitative analysis
    o Delphi technique
  Quantitative analysis
    o Revenue loss in dollars
    o Cost-benefit analysis

Risk response: Reduce or mitigate; Assign or transfer; Accept; Reject or ignore; Residual risk
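The quantitative branch above (revenue loss in dollars, cost-benefit analysis) and the four response options can be worked through on a small risk register. The following is an added example, not material from the slide deck: it assumes the usual annualized-loss model (single loss expectancy x annualized rate of occurrence = annualized loss expectancy) to express revenue loss per year, assumes the decision rule that a control is worth buying only when the loss it avoids exceeds its annual cost, and treats a transfer as covering the full loss for a fixed premium. Asset values, frequencies, control costs and thresholds are constructed sample numbers.

```python
"""Quantitative risk assessment and risk-response selection (added example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Threat:
    name: str
    asset: str
    asset_value: float       # dollars (constructed)
    exposure_factor: float   # fraction of the asset value lost per occurrence, 0..1
    aro: float               # annualized rate of occurrence, events per year

    def sle(self) -> float:
        """Single loss expectancy: revenue loss in dollars from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected dollars lost per year."""
        return self.sle() * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float       # annualized cost of running the control
    aro_reduction: float     # fraction by which the ARO falls with the control, 0..1


@dataclass
class Decision:
    threat: str
    response: str            # one of the deck's responses
    ale_before: float
    residual: float          # residual risk: expected annual loss still carried
    annual_cost: float       # cost of the chosen control or premium
    net_benefit: float       # avoided loss minus annual cost
    control: Optional[str]


def cost_benefit(threat: Threat, control: Control):
    """Return (residual ALE with the control in place, net annual benefit)."""
    residual = threat.sle() * threat.aro * (1.0 - control.aro_reduction)
    avoided = threat.ale() - residual
    return residual, avoided - control.annual_cost


def choose_response(threat: Threat, options: List[Control], accept_threshold: float,
                    transfer_premium: Optional[float] = None) -> Decision:
    """Assumed decision rule: mitigate with the control of highest positive net
    benefit; otherwise transfer when a premium is cheaper than the ALE; otherwise
    accept when the ALE is under the acceptance threshold; otherwise flag the
    risk as rejected/ignored so reviewers see it is unaddressed."""
    ale = threat.ale()
    best, best_net, best_residual = None, 0.0, ale
    for control in options:
        residual, net = cost_benefit(threat, control)
        if net > best_net:
            best, best_net, best_residual = control, net, residual
    if best is not None:
        return Decision(threat.name, "reduce or mitigate", ale, best_residual,
                        best.annual_cost, best_net, best.name)
    if transfer_premium is not None and transfer_premium < ale:
        return Decision(threat.name, "assign or transfer", ale, 0.0,
                        transfer_premium, ale - transfer_premium, None)
    if ale <= accept_threshold:
        return Decision(threat.name, "accept", ale, ale, 0.0, 0.0, None)
    return Decision(threat.name, "reject or ignore", ale, ale, 0.0, 0.0, None)


def run_assessment(accept_threshold: float = 10_000.0) -> List[Decision]:
    """Constructed three-line risk register; every number is a sample value."""
    register = [
        (Threat("ransomware", "customer database", 2_000_000, 0.25, 0.5),
         [Control("offline backups + MFA", 60_000, 0.8), Control("EDR rollout", 90_000, 0.6)],
         None),
        (Threat("power outage", "datacentre", 400_000, 0.10, 2.0),
         [Control("on-site generator", 100_000, 0.9)],
         50_000),
        (Threat("defacement", "marketing site", 50_000, 0.20, 0.5),
         [Control("managed WAF", 12_000, 0.7)],
         None),
    ]
    return [choose_response(t, controls, accept_threshold, premium)
            for t, controls, premium in register]


def total_residual(decisions: List[Decision]) -> float:
    """Residual risk across the register after the chosen responses."""
    return sum(d.residual for d in decisions)
```

For the constructed register the ransomware line is mitigated (backups avoid 200,000 a year for 60,000), the outage is transferred (the generator's net benefit is negative but a 50,000 premium beats an 80,000 ALE), and the defacement is accepted because no control pays for itself and its 5,000 ALE sits under the threshold.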

Page 6

CHANGE MANAGEMENT

Objective: To ensure that any change does not lead to reduced or compromised security, which can impact the confidentiality, integrity or availability of any information or business function.

PDCA model
  Change management: Improvement/new requirement; Corrective action/fix plan
  Release management: Test plan; Execute change
  Incident management: Change failure; New incident reported
  Problem management: Input from incident; New problem reported
  Configuration management: Track configuration items

Page 7

BUSINESS CONTINUITY PLAN

Objective: To implement a combination of policies, procedures, and processes such that a potentially disruptive event has as little impact on the business as possible.

BCP lifecycle: Project scope; Risk assessment; Business impact analysis; Continuity planning; Approval, execute plan; Test, monitor

Page 8

DISASTER RECOVERY PLAN

Objective: To create a documented process or set of procedures to recover and protect a business IT infrastructure in the event of a disaster.

Preparedness: HA, redundancy; 24/7 monitoring; Data backup; Recovery procedures
Response: Incident management; Emergency call tree; 24/7 support
Recovery: Execute recovery plan
Mitigation: Revise CAP & PAP; BCP continuous improvement

Page 9

Thank you