![Page 1: Security Administration. Links to Text Chapter 8 Parts of Chapter 5 Parts of Chapter 1](https://reader031.vdocument.in/reader031/viewer/2022032703/56649f535503460f94c78643/html5/thumbnails/1.jpg)
Security Administration
Links to Text
Chapter 8
Parts of Chapter 5
Parts of Chapter 1
Security Involves:
Technical controls
Administrative controls
Physical controls
Major Chapter Topics
Planning
Risk analysis
Policy
Physical security
Security Plan
Written document that describes how an organization will address its security needs
What Should a Security Plan Do?
Identify what (vulnerabilities, threats, and risks)
Specify how they will be handled (controls)
Specify who will handle them
Specify when they will be handled (timetable)
Issues Listed in Text
Policy
Current state
Requirements
Recommended controls
Accountability
Timetable
Continuing attention (updates)
OCTAVE
Operationally Critical Threat, Asset, and Vulnerability Evaluation
Developed at Carnegie Mellon's CERT Coordination Center
First published in 1999
The OCTAVE Approach
Self-directed
Focused on risks to information assets
Focused on practice-based mitigation
  Best practices from CERT/CC, NIST, laws and regulations (e.g., HIPAA), etc.
Participation by both business and IT personnel
Different Scales
OCTAVE – large organizations
OCTAVE-S – small organizations
OCTAVE Steps
1. Identify enterprise knowledge
2. Identify operational area knowledge
3. Identify staff knowledge
4. Create threat profiles
5. Identify key components
6. Evaluate selected components
7. Conduct a risk analysis
8. Develop a protection strategy
Common Criteria (CC)
Framework for evaluation of IT systems
International effort
  United States
  United Kingdom
  France
  Germany
  The Netherlands
  Canada
Business Continuity Plan
Plan for management of situations which are
  Catastrophic
  Long-lasting
A single such incident can put a company out of business (even if handled well)
Identify essential assets and functions
Incident Response Plan
Plan for management of security incidents
  May not be catastrophic
  May not be long-lasting
Many incidents will have minor impact on operations
Risk Analysis
Risks closely related to threats
Risk analysis attempts to quantify and measure problems associated with threats
Many approaches to risk analysis have been developed
Quantifying Risk
Risk probability – How likely is the risk?
Risk impact – How much do we lose?
Risk control – Can the risk be avoided?
Risk Exposure
Probability of Risk × Risk Impact
Risk Impact – $100,000
Risk Probability – 0.5
Risk Exposure – $50,000
Risk Leverage
(Exposure Before – Exposure After) / Risk Control Cost
Original Risk Exposure – $50,000
Cost of Control – $100
Revised Risk Exposure – $20,000
Risk Leverage – 300 (note: dimensionless)
A leverage above 1 means the control removes more exposure than it costs; below 1 it costs more than it saves
Risk Analysis Steps
1. Identify assets
2. Determine vulnerabilities
3. Estimate likelihood of exploitation
4. Compute expected annual loss
5. Survey applicable controls and their costs
6. Project annual savings of control
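As an added worked example (this code is not from the slides or the textbook), the Python program below carries the six steps above, together with the exposure and leverage formulas of the preceding slides, through a small risk register. Every asset name, probability, dollar impact and control cost is constructed for illustration, and the way a control is modelled (a residual annual probability for each vulnerability it addresses) is an assumption of the example. It computes the expected annual loss (step 4), then the projected annual savings and risk leverage of each candidate control (step 6), ranks the controls best first, and handles the two cases the bare formulas do not: a probability outside 0..1, and a zero-cost control that would otherwise divide by zero.

```python
from __future__ import annotations

from dataclasses import dataclass

# Added example, not from the slides or the textbook; all figures are constructed.


@dataclass(frozen=True)
class Vulnerability:
    """Steps 2-3: a vulnerability, its estimated annual probability, and the loss if exploited."""
    name: str
    annual_probability: float   # 0.0 .. 1.0 ("risk probability")
    impact: float               # dollars lost per occurrence ("risk impact")


@dataclass(frozen=True)
class Asset:
    """Step 1: an asset and the vulnerabilities found for it."""
    name: str
    vulnerabilities: tuple[Vulnerability, ...]


@dataclass(frozen=True)
class Control:
    """Step 5: a candidate control, its annual cost, and (modelling assumption) the
    probability that remains for each vulnerability it addresses."""
    name: str
    annual_cost: float
    residual_probability: dict[str, float]   # vulnerability name -> new probability


def risk_exposure(probability: float, impact: float) -> float:
    """Risk exposure = probability x impact (the slide's 0.5 x $100,000 = $50,000)."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError(f"probability out of range: {probability}")
    return probability * impact


def expected_annual_loss(assets: tuple[Asset, ...], control: Control | None = None) -> float:
    """Step 4: sum of exposures over all asset/vulnerability pairs, optionally with a
    control applied (its addressed vulnerabilities are charged at residual probability)."""
    total = 0.0
    for asset in assets:
        for v in asset.vulnerabilities:
            p = v.annual_probability
            if control is not None:
                p = control.residual_probability.get(v.name, p)
            total += risk_exposure(p, v.impact)
    return total


def risk_leverage(exposure_before: float, exposure_after: float, cost: float) -> float:
    """(Exposure before - exposure after) / cost, dimensionless. A zero-cost control must
    not divide by zero: unbounded leverage if it saves anything, 0 if it changes nothing."""
    savings = exposure_before - exposure_after
    if cost <= 0.0:
        return float("inf") if savings > 0.0 else 0.0
    return savings / cost


def evaluate_controls(assets: tuple[Asset, ...], controls: tuple[Control, ...]) -> list[dict]:
    """Step 6: annual savings and leverage per control, best first.
    Leverage above 1 means the control saves more per year than it costs."""
    before = expected_annual_loss(assets)
    rows = []
    for c in controls:
        after = expected_annual_loss(assets, c)
        rows.append({"control": c.name, "annual_cost": c.annual_cost,
                     "annual_savings": before - after,
                     "leverage": risk_leverage(before, after, c.annual_cost)})
    return sorted(rows, key=lambda r: r["leverage"], reverse=True)


# Constructed sample register; illustrative numbers, not measurements.
ASSETS = (
    Asset("customer database", (Vulnerability("db-breach", 0.10, 500_000.0),
                                Vulnerability("db-disk-failure", 0.20, 80_000.0))),
    Asset("file server", (Vulnerability("fs-fire", 0.01, 200_000.0),)),
)
CONTROLS = (
    Control("nightly offsite backup", 6_000.0, {"db-disk-failure": 0.02, "fs-fire": 0.002}),
    Control("database access logging and alerting", 15_000.0, {"db-breach": 0.05}),
    Control("server-room fire suppression upgrade", 50_000.0, {"fs-fire": 0.001}),
    Control("free awareness poster", 0.0, {}),   # zero cost, changes nothing
)

if __name__ == "__main__":
    print(f"expected annual loss without controls: ${expected_annual_loss(ASSETS):,.0f}")
    for r in evaluate_controls(ASSETS, CONTROLS):
        print(f"{r['control']:<42} cost ${r['annual_cost']:>8,.0f}  "
              f"saves ${r['annual_savings']:>8,.0f}  leverage {r['leverage']:.2f}")
```

Run directly to print the ranking. With the constructed figures the expected annual loss is $68,000; the offsite backup has a leverage of about 2.67 and the logging control about 1.67, so both pay for themselves, while the fire-suppression upgrade (about 0.04) costs far more per year than the exposure it removes. This is exactly the comparison step 6 asks for, and the reason the slide calls leverage dimensionless: it is dollars saved per dollar spent.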
Difficulties of Risk Analysis
Probabilities hard to estimate
  Historical data
  Experts
  Delphi approach
Some costs hard to quantify
Risk Analysis Approaches
Many risk analysis approaches
Usual common features:
  Checklists
  Organizational matrices
  Specification of procedures
No dominant approach
Security Policy
A written document describing goals for and constraints on a system
Who can access what resources in what manner?
High-level management document
Should not change often
Policy Considerations
Stakeholders (beneficiaries)
  Users
  Owners
Resources
Security Procedures/Guidelines
Describe how security policy will be implemented
More frequent changes than policy
Physical Security
Protection applied outside the computing system itself, not through the system's own mechanisms
Independent of
  Hardware
  Software
  Data
Possible Problems
Natural disasters
  Floods
  Fires
Power loss
Human vandals
Interception of sensitive information
Physical Security Controls
Backups
Backups, backups, backups!!!
  (and verify that they can actually be restored)
Natural Disasters
Careful building design
System placement
Fire extinguishers
Power Loss
Uninterruptible power supply
Surge suppressor
Human Vandals
Guards
Locks
Authentication
Reduced portability
Theft detection
Information Interception
Shredding
Overwriting magnetic data
Degaussing
  Destroys the magnetic fields that encode the data
TEMPEST
  Prevent or control electromagnetic emanations
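As an added example (not from the slides), the Python functions below implement the "overwriting" control for a single file: a pass of zeros, a pass of ones and a pass of random bytes over the file's full length, with fsync after each pass so the data is handed to the device instead of collapsing in the page cache, followed by unlinking the file. The demo() helper, the three-pass pattern and the embedded secret string are constructed for the example. The caveat a practitioner needs: in-place overwriting only works when the file system and device really do write the same physical location. Solid-state drives with wear levelling, copy-on-write or journaling file systems, snapshots and existing backups can all retain the old bytes, so for those cases the right controls are full-disk encryption with key destruction, or degaussing and physical destruction as the slide lists.

```python
import os
import secrets
import tempfile

# Added example, not from the slides. The three-pass pattern and the demo secret
# below are constructed for illustration.
PASSES = (b"\x00", b"\xff", None)   # zeros, ones, then fresh random bytes


def overwrite_file(path: str, passes=PASSES, chunk_size: int = 1 << 16) -> int:
    """Overwrite every byte of the file once per pass and return its length in bytes.

    The file is opened unbuffered and fsync'd after each pass so that each pass
    reaches the device before the next one begins. A pattern of None means
    cryptographically random bytes for that pass.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            os.fsync(f.fileno())
    return size


def shred_file(path: str) -> int:
    """Overwrite the file in place, then unlink it; returns bytes overwritten."""
    size = overwrite_file(path)
    os.remove(path)
    return size


def demo(secret: bytes = b"ACCOUNT-4417 PIN 9921\n" * 3000) -> dict:
    """Write a constructed secret to a temp file, overwrite it, and report what remains."""
    fd, path = tempfile.mkstemp(prefix="shred-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    overwritten = overwrite_file(path)
    with open(path, "rb") as f:
        after = f.read()
    removed = shred_file(path)
    return {
        "bytes_overwritten": overwritten,
        "length_preserved": len(after) == len(secret),
        "secret_still_present": b"PIN 9921" in after,
        "bytes_removed": removed,
        "file_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The length check in demo() matters: a naive implementation that truncates and rewrites the file allocates fresh blocks, leaving the original ones untouched on disk, which is why the code opens with "r+b" and writes over the existing extent instead.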
Contingency Plans
Backup
Offsite backup
Networked storage
Cold site
Hot site