Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

ISA 562

advertisement 
ISA 562
Internet Security Theory
and Practice
Information Security
Management
CISSP Topic 1
ISA 562
Summer 2008
1
Course Outline
An introductory course at the graduate
level
It covers the topics of
The CISSP exam at varying depth
But is NOT a CISSP course
Textbooks:
Matt Bishop: Computer Security Art and Science
Official ISC2 Guide to the CISSP CBK
ISA 562
Summer 2008
2
Objectives
Roles and responsibilities of individuals in a
security program
Security planning in an organization
Security awareness in the organization
Differences between policies, standards,
guidelines and procedures
Risk Management practices and tools
ISA 562
Summer 2008
3
Syllabus of the Course
• Bishop’s book for the first part
• Papers for some classes
• IC2 book for the second part
• Cover material relevant to the PhD
qualifying examination in security
ISA 562
Summer 2008
Introduction
• Purpose of information security:
– to protect an organization's information
resources  data, hardware, and
software.
• To increase organizational success:
IS are critical assets supporting its
mission
ISA 562
Summer 2008
Information Security TRIAD
ISA 562
Summer 2008
IT Security Requirements - I
Security should be designed for two requirements:
1. Functional: Define behavior of the control means 
based on risk assessment
Properties:
2.
•
•
should not depend on another control:
Why? fail safe by maintaining security during a system failure
•
•
•
Internal/External Audit.
Third Party reviews
Compliance to best practices
Assurance: Provide confidence that security functions
perform as expected.
Examples
–
Functional: a network Firewall to permit or deny traffic.
–
Assurance: logs are generated, monitored, and reviewed
ISA 562
Summer 2008
Organizational & Business
Requirements
• Focus on organizational mission:
– Business or goals driven
• Depends on type of organization:
– Military , Government, or Commercial.
• Must be sensible and cost effective
– Solution considers the mission and
environment  Trade-off
ISA 562
Summer 2008
IT Security Governance
Integral part of corporate governance:
– Fully integrated into overall risk-based threat
analysis
Ensure that IT infrastructure:
– Meets all requirements.
– Supports the strategies and objectives of the
company.
– Includes service level agreements [if
outsourced].
ISA 562
Summer 2008
Security Governance: Major
parts
1.
Leadership:
•
2.
Security leaders must be part of the company
leadership -- where they can be heard.
Structure:
•
3.
occurs at many levels and should use a layered
approach.
Processes:
•
follow internationally accepted “best practices”:
•
Job rotation , Separation of duties, least privilege,
mandatory vacations, …etc.
Examples of standards : ISO 17799 & ISO 27001:2005
•
ISA 562
Summer 2008
Security Blueprints
Provide a structure for organizing
requirements and solutions.
– Ensure that security is considered
holistically.
To identify and design security
requirements
ISA 562
Summer 2008
Policy Overview
1.
Operational environment is a web of laws,
regulations, requirements, and agreements or
contracts with partners and competitors
2.
Change frequently and interact with each other
3.
Management must develop and publish security
statements addressing policies and supporting
elements, such as standards , baselines, and
guidelines.
ISA 562
Summer 2008
Policy overview
ISA 562
Summer 2008
Functions of Security policy
1.
Provide Management Goals and Objectives in
writing
2. Ensure Document compliance
3. Create a security culture
4. Anticipate and protect others from surprises
5. Establish the security activity/function
6. Hold individuals responsible and accountable
7. Address foreseeable conflicts
8. Make sure employees and contractors aware of
organizational policy and changes to it
9. Require incident response plan
10. Establish process for exception handling,
rewards, and discipline
ISA 562
Summer 2008
Policy Infrastructure
1.
2.
3.
High level policies interpreted
into functional policies.
Functional polices derived
from overarching policy and
create the foundation for
procedures, standards, and
baselines to accomplish the
objectives
Polices gain credibility by top
management buy-in.
ISA 562
Summer 2008
Examples of Functional Policies
1.
2.
3.
4.
5.
6.
7.
8.
9.
Data classification
Certification and accreditation
Access control
Outsourcing
Remote access
Acceptable mail and Internet usage
Privacy
Dissemination control
Sharing control
ISA 562
Summer 2008
Policy Implementation
• Standards, procedures, baselines,
and guidelines turn management
objectives and goals [functional
policies] into enforceable actions for
employees.
ISA 562
Summer 2008
Standards and procedure
1. Standards (local): Adoption of common
hardware and software mechanism and
products throughout the enterprise.
Examples: Desktop, Anti-Virus, Firewall
2. Procedures: step by step actions that
must be followed to accomplish a task.
3. Guidelines: recommendations for
product implementations, procurement
and planning, etc.
Examples: ISO17799, Common Criteria, ITIL
ISA 562
Summer 2008
Security Baselines
Benchmarks: to ensure that a minimum
level of security configuration is provided
across implementations and systems.
– establish consistent implementation of
security mechanisms.
– Platform unique
Examples:
• VPN Setup,
• IDS Configuration,
• Password rules
ISA 562
Summer 2008
Three Levels of security planning
1. Strategic: long term
•
Focus on high-level, long-range organizational
requirements
–
Example: overall security policy
2. Tactical: medium-term
•
Focus on events that affect all the organization
–
Example: functional plans
3. Operational: short-term
•
Fight fires at the keyboard level, directly affecting
how the organization accomplishes its objectives.
ISA 562
Summer 2008
Organizational roles and
responsibilities
• Everyone has a role:
– with responsibility clearly communicated
and understood
• Duties associated with the role must
be assigned
• Examples:
– Securing email
– Reviewing violation reports
– Attending awareness training
ISA 562
Summer 2008
21
Specific Roles and
Responsibilities (duties)
• Executive Management:
– Publish and endorse security policy
– Establish goals and objectives
– State overall responsibility for asset protection.
• IS security professionals:
– Security design, implementation, management,
– Review of organization security policies.
• Owner:
– Information classification
– Set user access conditions
– Decide on business continuity priorities
• Custodian:
– Entrusted with the Security of the information
• IS Auditor:
–
Audit assurance guarantees.
• User:
– Compliance with procedures and policies
ISA 562
Summer 2008
Personnel Security: Hiring staff
• Background check/Security clearance
• Check references/Educational records
• Sign Employment agreement
– Non-disclosure agreements
– Non-compete agreements
• Low level Checks
• Consult with HR Department
• Termination/dismissal procedure
ISA 562
Summer 2008
23
Third party considerations
Include:
– Vendors/Suppliers
– Contractors
– Temporary Employees
– Customers
Must established procedures for these
groups.
ISA 562
Summer 2008
Related documents
The Truth About Modest & Immodest Apparel
The Truth About Modest & Immodest Apparel
Substantive procedures summary
Substantive procedures summary
Curriculum Guide | Key Stage 4
Curriculum Guide | Key Stage 4
The Waste Land - Valdosta State University
The Waste Land - Valdosta State University
Download
advertisement