Add to collection(s) Add to saved
  1. Business
  2. Management

Section 3 Directives & Best Practices

advertisement 
Section 3
Directives & Best Practices
Comments:
Nomenclature questions:
Directives – Governmentally specified or standardized practices to address
vulnerabilities?
Environment: Two meanings –
 Functional environment – setting (e.g., Doctor’s office vs CIA field
office) – related to security expectations
 Security Environment - physical security, network infrastructure, etc
Assumption: Environments/Vulerabilities to be addressed are identified in section 2.
What is to be done? Identify techniques applicable to vulnerabilities
Refer to standards.
What additional material is needed ? Identify Techniques and standards.
Process to be used (one person/team?)
Team – break into separate tasks
How long will it take?
First draft: October F2F
Scope of section: Identification of existing best practices applicable to protecting against
the vulnerabilities identified in section 2. Bag of tricks!
System Considerations
Identify functional environments and security objectives.
Holistic view of how to address security in all identified environment.
Define minimum system security considerations necessary to achieve the desired
overall security objectives in each environment.
Refer to existing Standards – as starting point..
See NIST 800.37 – Guide for Security Assurance and Acquisition of
Tested/Evaluated Products and NIST 800.23
Supplement and subtract as appropriate to functional environments?
Physical Security
Refer to existing standards – (as above)
Supplement with information on non controlled physical locations
Address techniques applicable to vulnerabilities involving physical access
Device Implementation Considerations
Identification of Protection Techniques appropriate to device features and
implementations
Basic Operating System internal to MFP Peripherals (Hard Disk)
External programmability (Java, executable code update etc)
I/O ports supported (data and management)
Authentication Techniques
Identify techniques Refer to standards (part of this is system dependent)
Standard Techniques (e.g., PKI, smart card, biometric) [ISO Specs]
Encryption
Identify Techniques - Refer to standards . Suggest minimum acceptable level.
Audit Trail
Identify Techniques - Refer to standards See NIST 800.37 – Guide for Security
Assurance and Acquisition of Tested/Evaluated Products
Related documents
This worksheet
This worksheet
10 General Security Rules
10 General Security Rules
Chapter 1 Security Problems in Computing
Chapter 1 Security Problems in Computing
Web Security: Deep Dive
Web Security: Deep Dive
Managing Security Risk Object Management Group Technical Meeting
Managing Security Risk Object Management Group Technical Meeting
Vendor security questions
Vendor security questions
Презентация Ашимжанова Коваленко Акимбаев
Презентация Ашимжанова Коваленко Акимбаев
Florida Information Technology Resource Security Policies and
Florida Information Technology Resource Security Policies and
Application Security - SoftServe United Blog
Application Security - SoftServe United Blog
Chapter 08
Chapter 08
Powerpoint 97
Powerpoint 97
Dr. Ron Ross, Fellow, National Institute of Standards and Technology
Dr. Ron Ross, Fellow, National Institute of Standards and Technology
Risk Assessment
Risk Assessment
FIGURES
FIGURES
SSCP 5 day course agenda Day One: Security Operations and
SSCP 5 day course agenda Day One: Security Operations and
Thematic Debate Afternoon Session
Thematic Debate Afternoon Session
Chap 8
Chap 8
Increasing Security for DoD Systems, Through Specific Security
Increasing Security for DoD Systems, Through Specific Security
Financial Information Resource System (FIRST)
Financial Information Resource System (FIRST)
Defending against We..
Defending against We..
NIST 800-30 Risk Assessment Steps
NIST 800-30 Risk Assessment Steps
Computer Security Presentation
Computer Security Presentation
Download
advertisement