Security Controls – What Works
Southside Virginia Community College: Security Awareness
Session Overview
• Identification of Information Security Drivers
• Identification of Regulations and Acts
• Introduction to Security Standards
• Understanding Security Controls
• Technology Solutions Assisting in Regulatory Compliance
Identification of Information Security Drivers
Business Drivers
What are the business drivers for information security:
• Facilitate Business Initiatives
• Protect Brand Image
• Protect Customer Confidence
• Reduce Costs and Improve Productivity
• Enhance Service Levels
• Technology Direction
• Comply with Regulations
Regulatory Compliance Drives Security Initiatives
Key areas for compliance-related spending are associated with implementing an Information Security Management Framework and specifically include:
• Policies and Procedures
• Training and Awareness
• Security Event Management Tools
• Identity and Password Management Technologies
Regulatory Compliance has emerged as the biggest driver of information security initiatives / spending.
Information Security Management Framework
What is an Information Security Management Framework:
• Key Set of Policies and Processes Supporting Information Security
• Organizational Structure and Governance for Information Security
• Implementation of Standard Security Controls
• Appropriate and Sufficient Security Tools and Technologies
Regulatory Benefits of Implementing an Information Security Management Framework
Regulatory benefits of implementing an Information Security Management Framework include:
• Protecting the privacy of personally identifiable information (customer and employee)
• Protecting sensitive information and resources from being accessed or shared with unauthorized users
• Ensuring integrity of financial data
• Ensuring that data content is protected and tamper-resistant
• Ensuring well controlled systems
• Ensuring secure development and maintenance of software, systems, and applications
Information Security Management Framework Lifecycle
The implementation of the Information Security Management Framework follows the concept of the Plan, Prevent, Detect, Respond cycle, common in other management frameworks, such as ISO 9001 and ISO 14001.
Input: Work with business units to identify and classify their assets along with the business risks associated with those assets.
Development, maintenance and improvement cycle:
• Plan: Ensure the context and scope of the Framework is correct and appropriate.
• Prevent: Implement and operate the processes associated with the Framework.
• Detect: Monitor the effectiveness of security processes.
• Respond: Update Framework security processes from lessons learned.
Output: Effective Information Security Management Framework based on the organization's risk profile.
Information Security Management Framework Flow
Regulatory Requirements and Security Standards help define the Organization's Security Environment. This environment dictates the Organization's Security Directive, which dictates the ultimate Information Security Management Framework.
Business and Security Environment (Regulatory Requirements, Business Initiatives, Security Standards, Technology Direction) → Organizational Directive for Information Security → Information Security Framework (Security Controls) → Technologies and Solutions
Identification of Regulations and Acts
Significant Regulations and Acts
Some of the more significant security regulations and acts include:
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes Oxley Act (SOX)
• European Union Data Protection Directive (EUDPD)
• Personal Data Act
• Computer Misuse Act
• Data Protection Act
• 21 CFR Part 11
• BASEL II
• Various State Security Breach Laws
Security Objectives
These regulations and acts specify information security objectives associated with:
• Security Policy, Organization, and Program
• Personnel, Human Resources, and Administrative security controls
• User, Network, System, and Physical access management
• Proactive vulnerability, risk, and threat assessment and management activities
• Intrusion Detection capabilities
• Event Logging and Monitoring and Incident Response programs and processes
• Encryption capabilities and the protection of information confidentiality and integrity
• Identification, authentication, and authorization controls to information and systems
• Asset classification and control
• Disaster Recovery and Business Continuity planning
This is not an all-inclusive list of all security regulatory goals, but rather a sample of the security objectives of these regulations.
Introduction to Security Standards
Value Proposition of Security Standards
Security Standards:
• Provide outlines of accepted best practice for security management
• Provide guidelines for the implementation of security measures
• Provide a framework for the management of information, network, and system security within an organization
• Provide a suggested code of practice
• Integrate security measures into an overall security architecture
• Can be used by organizations of all sizes, industries, and sectors
Security Standard compliance is NOT required by law, though some contracts now require Certifications.
Compliance and Certification
To achieve compliance the organization must implement measures to address all control objectives.
• Formal certification is usually achieved through a formal audit conducted by a certified independent auditor.
• Certification offers internal and external confidence in the Information Security Management Framework.
• Certification demonstrates good governance and can provide evidence of due diligence for some requirements for regulatory compliance.
Compliance Achievement Process
Initiation
• Recognise the need: Get management support; Appoint Program Manager
• Scoping: Decide on suitable scope; Define scope; Agree with Certification Body (formal certification only)
Analysis
• Gap Analysis: Identify existing controls; Review existing documents; Identify gaps between these and Standard requirements
• Risk Assessment: Identify assets within scope; Identify threats to assets; Assess level of risk; Identify treatment options
Implementation
• Security Improvement: Managed program for addressing security issues
• Typical activities: Security policies and procedures; Security awareness training; Internet and email usage; Laptop and PDA security; Backup procedures; Firewall configuration review; Penetration Testing; Review of user accounts
Compliance
• Formal Certification: Documentation Review and Pre-Audit (2-3 days); Formal Audit (4-8 days)
• Demonstrate Compliance: Document ISMS Policy; Justify claim in documented Statement of Applicability
Industry Accepted Security Standards
Some of the more commonly accepted and implemented standards include:
• International Standard, ISO/IEC 17799:2005 (ISO 17799)
• Australian Standard, AS/NZS 7799.2:2003 (AS 7799)
• Payment Card Industry (PCI) Data Standard
• Common Criteria for IT Security Evaluation (ISO 9000)
• NIST Computer Security Standards
Understanding Security Controls
Security Controls Overview
Security Controls address security issues that should be considered as part of the Information Security Management Framework.
While there is no authoritative set of controls and titles, most security standards and best practices use similar titles and categories to define security controls.
• Security Policy
• Security Organization and Governance
• Asset Management
• Data Protection
• Personnel Security
• Physical and Environmental
• Communications and Operations Management
• Access Control
• Logging and Monitoring
• Vulnerability Management
• Incident Management
• Software & System Acquisition, Development, and Maintenance
• Business Continuity Management
• Compliance
Security Control Objectives - 1
Security Policy: Documented security objectives for the organization that are agreed and approved by management
Security Organization and Governance: Assigning security responsibilities and accountability and a management forum for setting and approving security objectives
Security Control Objectives - 2
Asset Management: The management (identification, classification, and control) of information and hardware & software resources
Data Protection: Effective controls for protecting the confidentiality, integrity, and availability of information and information resources
Security Control Objectives - 3
Personnel Security: The management of staff, terms of employment, termination processes, and awareness and training
Physical and Environmental Security: Securing the human and system physical environment; including entry controls, fire and power controls, cable and rack security
Security Control Objectives - 4
Communications and Operations Management: Key security aspects of managing network and system components securely, including backups, anti-virus, patches, media and laptop security
Access Control: The control of logical, physical, and remote access to information and resources; including identification and authentication, authorization, password and user management on applications, operating systems, and within networks
Security Control Objectives - 5
Logging and Monitoring: The collection, aggregation, normalization, correlation, mining, and tracking of security events
Vulnerability Management: The performance of risk, threat, and vulnerability assessments
Security Control Objectives - 6
Incident Management: The detection, reporting, recording, handling, response, review, and management of security incidents
Software & System Acquisition, Development, and Maintenance: The secure development and maintenance of software and systems for on-going secure operation
Security Control Objectives - 7
Business Continuity Management: Planning and defining the response in the event of a disaster or disruption in business to ensure continuity of operations
Compliance: Ensuring compliance with security and privacy legislative requirements
Technology Solutions Assisting In Regulatory Compliance
Microsoft’s “The Regulatory Compliance Planning Guide”
This guide provides technology solutions for assisting regulatory compliance. The technology solution categories include:
• Document Management Solutions
• Business Process Management Solutions
• Project Management Solutions
• Risk Assessment Solutions
• Change Management Solutions
• Network Security Controls
• Host Control Solutions
• Malicious Software Prevention Solutions
• Application Security Solutions
• Messaging and Collaboration Solutions
• Data Classification and Protection Solutions
• Identity Management Solutions
• Authentication, Authorization, and Access Control Solutions
• Training Solutions
• Physical Security Solutions
• Vulnerability Identification Solutions
• Monitoring and Reporting Solutions
• Disaster Recovery and Failover Solutions
• Incident Management and Trouble-Tracking Solutions
Session Summary
• Regulatory Compliance has emerged as the biggest driver of information security initiatives / spending.
• Regulations and Acts specify information security objectives necessary for regulatory compliance.
• Any organization can use the guidance and requirements in Security Standards to improve aspects of their internal security management.
• Security Controls address security issues that should be considered as part of the Information Security Management Framework. Microsoft Products and Solutions support the implementation of security controls.
• Many Microsoft technology solutions assist in regulatory compliance.