Security Environment Assessment
Outline
  Overview
  Key Sources and Participants
  General Findings
  Policy / Procedures
  Host Systems
  Network Components
  Applications
  Overall Assessment - Compliance with Policy
  Next Steps
Overview
  Objective
    Broad sweep to find significant strengths / weaknesses
    Baseline - not a final statement of vulnerabilities
  Approach
    Interviews
    Review of system configurations
    Automated assessment tools (GFI)
    Examined policy, procedures, host systems, network infrastructure, and some applications
General Findings - Strengths
  Linksys router / firewall protects the network perimeter
  Mostly standardized Intel platform, with an OS that is XP
  Customer security requirements have positively influenced security awareness
  Regulatory requirements dictate due diligence
General Findings - Weaknesses
  External (e.g., Internet) access is not restricted (i.e., inappropriate network traffic is not filtered)
  Critical identified internal systems are not isolated
  Production systems are not subject to configuration management
  Security program lacks the key components and scope necessary to effectively influence all systems
  Security staff not required, but security knowledge and emphasis are lacking; technical expertise to perform effective oversight of all systems is lacking
  Policies not used to guide internal activities
  Security responsibilities not well defined
  Available technical features not used to best advantage
Policy / Procedures - Weaknesses
  System-specific practices not tied to top-level policy
  User account / password management practices
  Access control decisions
  Workstation policy not clear; basic features not implemented
  High-level policies for Internet usage, etc. do not exist
  Procedures well defined for systems not defined
  Training / user awareness for system-specific features not provided
  Training / user orientation emphasizes personal responsibility does not exist
  Incident detection and response not addressed
General Findings - Weaknesses (cont.)
  System-specific procedures lacking
  Security not integrated with business processes
  Security responsibility for new systems and applications not well defined
  Staff lacks technical expertise to effectively influence design of new systems
Policy / Procedures
  Strengths
    High-level policy has good components
    Training / user orientation emphasizes personal responsibility
    Procedures well defined for mainframe systems
  Weaknesses
    System-specific practices not tied to top-level policy
    User account / password / access practices not consistent
    No provisions for incident detection / response
Host Systems
  Strengths
    Privileged access limited
    Security enhancements being implemented on some systems
  Weaknesses
    Available features not used to best advantage
    Technical vulnerabilities on many systems
    Unnecessary services are available
    Configuration not guided by security policy
Network Infrastructure
  Strengths
    Firewall / address translator limits external access
    Router filters limit access within the network
  Weaknesses
    Network security responsibility not well defined; configuration not guided by a security policy
    No capability for encrypted internal communications, remote access, or Internet links
    Dial-up access not well controlled or secured
Applications
  Strengths
    Development and production environments are segregated
    Application security features are used to restrict access
  Weaknesses
    Password management practices are inconsistent
    Personal accountability is not always maintained
Overall Assessment - Compliance with Security Policies
  Comparison of observed practice with the published “Information Security Policy”
  Policy does not influence security configuration / management of non-mainframe systems
  Most policy statements have not been implemented consistently across the enterprise
Next Steps
  Reaction to vulnerabilities / weaknesses: recommend, prioritize, and implement fixes
  Implementation of Internet and remote access solution: validate design; implement technical fixes, policy, and procedures
  Define network security enhancements: refine requirements; select and implement solution