security management practices keith a. watson, cissp cerias
Post on 21-Dec-2015
230 views
TRANSCRIPT
![Page 1: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/1.jpg)
Security Management Practices
Keith A. Watson, CISSPCERIAS
![Page 2: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/2.jpg)
2
Overview
The CIA Security Governance• Policies, Procedures, etc.• Organizational Structures• Roles and Responsibilities
Information Classification Risk Management
![Page 3: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/3.jpg)
3
The CIA:Information Security Principles
Confidentiality• Allowing only authorized subjects
access to information Integrity• Allowing only authorized subjects to
modify information Availability• Ensuring that information and
resources are accessible when needed
![Page 4: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/4.jpg)
4
Reverse CIA
Confidentiality• Preventing unauthorized subjects from
accessing information Integrity• Preventing unauthorized subjects from
modifying information Availability• Preventing information and resources
from being inaccessible when needed
![Page 5: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/5.jpg)
5
Using the CIA
Think in terms of the core information security principles
How does this threat impact the CIA?
What controls can be used to reduce the risk to CIA?
If we increase confidentiality, will we decrease availability?
![Page 6: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/6.jpg)
6
Security Governance
Security Governance is the organizational processes and relationships for managing risk• Policies, Procedures, Standards,
Guidelines, Baselines• Organizational Structures• Roles and Responsibilities
![Page 7: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/7.jpg)
7
Policy Mapping
Functional Policies
Procedures Standards Guidelines Baselines
Laws, Regulations, Requirements, Organizational Goals, Objectives
General Organizational Policies
![Page 8: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/8.jpg)
8
Policies
Policies are statements of management intentions and goals
Senior Management support and approval is vital to success
General, high-level objectives
Acceptable use, internet access, logging, information security, etc
![Page 9: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/9.jpg)
9
Procedures
Procedures are detailed steps to perform a specific task
Usually required by policy
Decommissioning resources, adding user accounts, deleting user accounts, change management, etc
![Page 10: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/10.jpg)
10
Standards
Standards specify the use of specific technologies in a uniform manner
Requires uniformity throughout the organization
Operating systems, applications, server tools, router configurations, etc
![Page 11: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/11.jpg)
11
Guidelines
Guidelines are recommended methods for performing a task
Recommended, but not required
Malware cleanup, spyware removal, data conversion, sanitization, etc
![Page 12: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/12.jpg)
12
Baselines
Baselines are similar to standards but account for differences in technologies and versions from different vendors
Operating system security baselines• FreeBSD 6.2, Mac OS X Panther, Solaris
10, Red Hat Enterprise Linux 5, Windows 2000, Windows XP, Windows Vista, etc
![Page 13: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/13.jpg)
13
Organizational Structure
Organization of and official responsibilities for security vary• BoD, CEO, BoD Committee• CFO, CIO, CSO, CISO• Director, Manager
IT/IS Security
Audit
![Page 14: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/14.jpg)
14
Typical Org Chart
Board of Directors/Trustees President
CIO
Security Director
ProjectSecurity Architect
EnterpriseSecurity Architect
Security Analyst System Auditor
![Page 15: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/15.jpg)
15
Security-Oriented Org Chart
Board of Directors/Trustees President
CIO
Security Director
ProjectSecurity Architect
EnterpriseSecurity Architect
Security AnalystSystem Auditor
IT Audit Manager
![Page 16: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/16.jpg)
16
Further Separation
Audit Committee
Board of Directors/Trustees President
CIO
Security Director
ProjectSecurity Architect
EnterpriseSecurity Architect
Security AnalystSystem Auditor
IT Audit Manager
Internal Audit
![Page 17: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/17.jpg)
17
Organizational Structure
Audit should be separate from implementation and operations• Independence is not compromised
Responsibilities for security should be defined in job descriptions
Senior management has ultimate responsibility for security
Security officers/managers have functional responsibility
![Page 18: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/18.jpg)
18
Roles and Responsibilities
Best Practices:• Least Privilege• Mandatory Vacations• Job Rotation• Separation of Duties
![Page 19: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/19.jpg)
19
Roles and Responsibilities
Owners• Determine security requirements
Custodians• Manage security based on
requirements
Users• Access as allowed by security
requirements
![Page 20: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/20.jpg)
20
Information Classification
Not all information has the same value
Need to evaluate value based on CIA
Value determines protection level
Protection levels determine procedures
Labeling informs users on handling
![Page 21: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/21.jpg)
21
Information Classification
Government classifications:• Top Secret• Secret• Confidential• Sensitive but Unclassified• Unclassified
![Page 22: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/22.jpg)
22
Information Classification
Private Sector classifications:• Confidential• Private• Sensitive• Public
![Page 23: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/23.jpg)
23
Information Classification
Criteria:• Value• Age• Useful Life• Personal Association
![Page 24: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/24.jpg)
24
Risk Management
Risk Management is identifying, evaluating, and mitigating risk to an organization• It’s a cyclical, continuous process• Need to know what you have• Need to know what threats are likely• Need to know how and how well it is
protected• Need to know where the gaps are
![Page 25: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/25.jpg)
25
Identification
Assets
Threats• Threat-sources: man-made, natural
Vulnerabilities• Weakness
Controls• Safeguard
![Page 26: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/26.jpg)
26
Analysis/Evaluation
Quantitative• Objective numeric values• Cost-Benefit analysis• Guesswork low
Qualitative• Subjective intangible values• Time involved low• Guesswork high
![Page 27: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/27.jpg)
27
Remedy/Mitigation
Reduce
• Use controls to limit or reduce threat
Remove• Stop using it
Transfer• Get insurance or outsource it
Accept• Hope for the best
![Page 28: Security Management Practices Keith A. Watson, CISSP CERIAS](https://reader035.vdocument.in/reader035/viewer/2022081420/56649d545503460f94a30d5f/html5/thumbnails/28.jpg)
28
Summary
Security Management practices involve balancing security processes and proper management and oversight
Risk Management is a big part of managing holistic security of an organization