SECURING INFORMATION SERVICES v1.0
SECURITY BENCHMARK

Elevated
- Standards defined by the customer
- Advanced security controls
- Meets customer-specific security demands
- Cost borne by the customer/organization
- Periodic review by the customer/third party
- Approvals by the customer/organization
- Example: Customers 3 & 6 are identified as elevated customers, and hence a custom security model will be introduced and followed for these customers.

Baseline
- Organization's standard practices
- Mandatory security controls
- No customer-specific security demands
- Cost borne by the organization
- Periodic review by the organization/third party
- Approvals by the organization
- Example: Customers 1, 2, 5 & 7 are identified as baseline customers. These customers agree to the organization's general security practices; therefore a single security model will be followed.
DATA PROTECTION MECHANISMS

Objective: To understand and apply security controls for the protection of the confidentiality, integrity, and availability of critical data or business functions.

- Layering: Multiple controls applied in series
- Abstraction: Similar elements are grouped and treated alike
- Data Hiding: Preventing data from being discovered or accessed
- Encryption: Limiting access to the intended recipients
IDENTITY AND ACCESS MANAGEMENT

Objective: To control access to computer resources, enforce policies, audit usage, and trace actions to a specific user.

- Authentication: Single Sign-On, RADIUS, Multi-Factor
- Authorization: Access Management, Endpoint validation
- Accounting: Audit logging
RISK MANAGEMENT

Objective: To develop strategies and implement proper controls that reduce the overall risk associated with critical assets, and to determine the severity of impact to the business from any risk that affects the confidentiality, integrity or availability of critical assets.

- Identify Threats and Vulnerabilities: Threats against critical assets
- Risk Assessment/Analysis:
  Qualitative Analysis
  o Delphi Technique
  Quantitative Analysis
  o Revenue Loss in Dollars
  o Cost-Benefit Analysis
- Risk Response: Reduce or mitigate; Assign or transfer; Accept; Reject or ignore; Residual risk
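The quantitative analysis and risk response steps above are easier to follow with numbers. The following is an added worked example, not part of the original deck: it uses the standard single loss expectancy (SLE = asset value x exposure factor) and annualized loss expectancy (ALE = SLE x annual rate of occurrence) formulas, which the slides do not spell out, to express loss in dollars, runs a cost-benefit comparison of candidate controls, and derives the residual risk for the chosen response. All asset values, rates and control costs are constructed figures.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Risk:
    """A threat against a critical asset. All figures here are constructed for illustration."""
    name: str
    asset_value: float       # AV: worth of the asset in dollars
    exposure_factor: float   # EF: fraction of AV lost in one incident, 0.0 .. 1.0
    annual_rate: float       # ARO: expected number of incidents per year

    def single_loss_expectancy(self) -> float:
        """SLE = AV * EF: dollar loss from a single occurrence."""
        return self.asset_value * self.exposure_factor

    def annual_loss_expectancy(self) -> float:
        """ALE = SLE * ARO: expected revenue loss in dollars per year."""
        return self.single_loss_expectancy() * self.annual_rate


@dataclass(frozen=True)
class Control:
    """A hypothetical mitigating control: its yearly cost and the risk figures left once it is in place."""
    name: str
    annual_cost: float
    residual_exposure_factor: float
    residual_annual_rate: float


def residual_risk(risk: Risk, control: Control) -> Risk:
    """Residual risk: the same asset re-assessed with the control applied."""
    return Risk(risk.name, risk.asset_value,
                control.residual_exposure_factor, control.residual_annual_rate)


def control_value(risk: Risk, control: Control) -> float:
    """Cost-benefit analysis: (ALE before) - (ALE after) - (annual cost of the control).
    A positive value means the control saves more per year than it costs."""
    return (risk.annual_loss_expectancy()
            - residual_risk(risk, control).annual_loss_expectancy()
            - control.annual_cost)


def recommend_response(risk: Risk, controls: Sequence[Control],
                       transfer_premium: Optional[float] = None
                       ) -> Tuple[str, Optional[str], float]:
    """Choose a risk response from the figures:
    - mitigate with the most valuable control if it pays for itself,
    - otherwise transfer (e.g. insure) if the premium is below the expected loss,
    - otherwise accept. 'Reject or ignore' is never recommended by the numbers.
    Returns (response, control name or None, residual expected loss in dollars)."""
    ale = risk.annual_loss_expectancy()
    if controls:
        best = max(controls, key=lambda c: control_value(risk, c))
        if control_value(risk, best) > 0:
            return ("mitigate", best.name,
                    residual_risk(risk, best).annual_loss_expectancy())
    if transfer_premium is not None and transfer_premium < ale:
        return ("transfer", None, transfer_premium)
    return ("accept", None, ale)


# Constructed sample data (hypothetical assets and controls).
CUSTOMER_DB = Risk("Customer database loss", asset_value=500_000.0,
                   exposure_factor=0.4, annual_rate=0.5)
BACKUPS = Control("Offsite encrypted backups", annual_cost=15_000.0,
                  residual_exposure_factor=0.05, residual_annual_rate=0.5)
STANDBY = Control("Hot standby site", annual_cost=120_000.0,
                  residual_exposure_factor=0.01, residual_annual_rate=0.5)

KIOSK = Risk("Lobby kiosk theft", asset_value=2_000.0,
             exposure_factor=1.0, annual_rate=0.2)
KIOSK_LOCK = Control("Hardened kiosk enclosure", annual_cost=1_000.0,
                     residual_exposure_factor=1.0, residual_annual_rate=0.1)


if __name__ == "__main__":
    for risk, controls in ((CUSTOMER_DB, [BACKUPS, STANDBY]), (KIOSK, [KIOSK_LOCK])):
        print(f"{risk.name}: SLE=${risk.single_loss_expectancy():,.0f} "
              f"ALE=${risk.annual_loss_expectancy():,.0f}")
        for c in controls:
            print(f"  {c.name}: net value ${control_value(risk, c):,.0f}/year")
        print("  response:", recommend_response(risk, controls))
```

For the constructed database risk, SLE is $200,000 and ALE $100,000; offsite backups net $72,500 a year while the standby site loses $22,500, so the recommendation is to mitigate with backups, leaving a residual ALE of $12,500. The kiosk risk (ALE $400) has no control that pays for itself, so it is accepted, or transferred if a premium below $400 is available.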
CHANGE MANAGEMENT

Objective: To ensure that no change leads to reduced or compromised security, which could impact the confidentiality, integrity or availability of any information or business function.

PDCA (Plan-Do-Check-Act) model processes and their triggers:
- Change Management: Improvement/New requirement; Corrective action/Fix plan
- Release Management: Test plan; Execute change
- Incident Management: Change failure; New incident reported
- Problem Management: Input from incident; New problem reported
- Configuration Management: Track configuration items
BUSINESS CONTINUITY PLAN

Objective: To implement a combination of policies, procedures, and processes such that a potentially disruptive event has as little impact on the business as possible.

BCP Lifecycle:
- Project scope
- Risk assessment
- Business impact analysis
- Continuity planning
- Approval, execute plan
- Test, monitor
DISASTER RECOVERY PLAN

Objective: To create a documented process or set of procedures to recover and protect the business IT infrastructure in the event of a disaster.

- Preparedness: HA, redundancy; 24/7 monitoring; Data backup; Recovery procedures
- Response: Incident management; Emergency call tree; 24/7 support
- Recovery: Execute recovery plan
- Mitigation: Revise CAP & PAP; BCP continuous improvement
Thank you