Security Architecture
Why?• Initially majority of businesses operated closedprocessing environments(Glass House).• Networks and a distributed cl...
Confidentiality• Confidentiality relates to the protection ofinformation from unauthorized access,regardless of where the ...
Integrity• Integrity is the protection of information,applications, systems, and networks fromintentional, unauthorized, o...
Availability• Availability is the assurance that informationand resources are accessible by authorizedusers as needed.– De...
Five components of the ISA• Security Organization / Infrastructure• Security policies, standards, and procedures• Security...
Information Security ArchitectureComponents
Case Study• Network Security
Infrastructure• Firewall
Policies, standards, and procedures• Who is permitted to use the application• What types of services will be provided by t...
Security baselines/risk assessments• Once the configuration is complete, anattempt to thwart the system should beperformed...
Security awareness and trainingprograms• All users of the system must be made aware ofwhat they can and cannot do.• Proper...
Compliance• Procedures need to be established to ensurethat all parties responsible for the Internetaccess and firewall co...
Piecemealing• As an organization grows, the tendency is toadd to the existing environment to meetcurrent requirements with...
The Threat• A threat is an act of coercion wherein an act isproposed to elicit a negative response.• Corporate information...
Intentional threats• Unauthorized users who inappropriatelyaccess data and information that they are notgranted permission...
Unintentional threats• Caused by untrained or careless employees.• Also include programmers or data processingpersonnel
Natural threats• Equipment failures, or disasters such as fire,floods, and earthquakes that can result in theloss of equip...
The Risks• There are many events that can result if abreach of confidentiality, integrity, oravailability occurs.
Threat/Concern/Risk Matrix
Overview of Security Controls• To apply appropriate controls to an operatingenvironment, it is necessary to understandwho ...
Risk versus controls implementation.
The Controls• Control requirements are not uniform for allsystems.– Administrative controls• Security policies and procedu...
Physical Controls
Administrative Controls
Technical Controls
The Strategic Information Technology(IT) Plan• The business plan answers the who, what,where, when, why, and how of the bu...
The Strategic Information Technology (IT)Plan
Strategic IT Plan should be broken intosix parts• Introduction• Description of the IT Organization• Scope, Viability, and ...
Introduction• Introduction is an overview or executivesummary that describes the background,origination, and intent of the...
Description of the IT Organization• Description of the IT Organization, shouldinclude a definition of the roles andrespons...
Scope, Viability, and Modification ofthe Plan• Scope, Viability, and Modification of the Plan,defines the scope of the doc...
Relationship to the Organization’sStrategic Business Plan• Relationship to the Organization’s StrategicBusiness Plan, refe...
Strategic Goals for InformationTechnology• Strategic Goals for Information Technology,lists the specific objectives from t...
Strategic IT Plan: Sample Table ofContentsTable of Contents1. Introduction2. Information Technology at XXXX Organization (...
3. Scope, Viability, and Modification of This Plan4. Relationship to the XXXX Corporation’s StrategicPlan5. Strategic Goal...
5.1.5 Establish Corporate wide Standards5.1.6 Effectively Manage and Distribute Servers5.1.7 Enhance Support of Library In...
5.2.2 Provide Appropriate Workstation Supportfor Management and Staff5.2.3 Promote Effective Research Computing5.2.4 Foste...
5.3.2 Ensure Availability of InformationTechnology Resources for Employees5.3.3 Engage the Corporate Community in theUse o...
5.5 A Corporate Goal: Information Security Architecture5.5.1 Establish an Organization that Supports the SecurityFunction5...
Security Architecture
Upcoming SlideShare
Loading in …5
×

Security Architecture

347 views

Published on

0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
347
On SlideShare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
19
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

Security Architecture

  1. 1. Security Architecture
  2. 2. Why?• Initially majority of businesses operated closedprocessing environments(Glass House).• Networks and a distributed client/serverprocessing environment.• Decentralized processing.• Increase the exposure of sensitive information.• We require:– Confidentiality– Integrity– Availability
  3. 3. Confidentiality• Confidentiality relates to the protection ofinformation from unauthorized access,regardless of where the information resides orhow it is stored.• Are only the appropriate personnel viewing orusing the organization’s information assets?• Authentication and authorization• Framework for classifying the confidentiality
  4. 4. Integrity• Integrity is the protection of information,applications, systems, and networks fromintentional, unauthorized, or accidentalchanges.• Is the information correct and are theapplications processing the appropriate files?
  5. 5. Availability• Availability is the assurance that informationand resources are accessible by authorizedusers as needed.– Denial of services caused by a lack of securitycontrols– Loss of services from information resources due tonatural disasters• Are the network resources, applications, anddata accessible when needed?
  6. 6. Five components of the ISA• Security Organization / Infrastructure• Security policies, standards, and procedures• Security baselines/risk assessments• Security awareness and training programs• Compliance
  7. 7. Information Security ArchitectureComponents
  8. 8. Case Study• Network Security
  9. 9. Infrastructure• Firewall
  10. 10. Policies, standards, and procedures• Who is permitted to use the application• What types of services will be provided by the system• How users will request access to the system• Who will grant access to the system• How often access logs will be reviewed• What procedures will be taken for inappropriate use ofthe system• How security incidences will be reported, recorded,and handled• Who will be responsible for investigating suspiciousactivity
  11. 11. Security baselines/risk assessments• Once the configuration is complete, anattempt to thwart the system should beperformed so that both the capabilities andweaknesses are known, documented, andimproved.• Automated vulnerability testing software• Testing softwares must be updated frequently
  12. 12. Security awareness and trainingprograms• All users of the system must be made aware ofwhat they can and cannot do.• Proper knowledge of policies.• Personal business are restricted onorganization infrastructure.• It needs to be made clear what theconsequences will be if the policies related tothe Internet are not followed.
  13. 13. Compliance• Procedures need to be established to ensurethat all parties responsible for the Internetaccess and firewall configuration are incompliance with the security policy, standards,and procedures that have been developed,and that the programs developed to enforcethe policies are effective.• Regular, depends on risk level.
  14. 14. Piecemealing• As an organization grows, the tendency is toadd to the existing environment to meetcurrent requirements without planning forfuture growth.• This can occur due to lack of knowledge onavailable technology, lack of communicationbetween departments, or nonexistenttechnology standards within the organization.
  15. 15. The Threat• A threat is an act of coercion wherein an act isproposed to elicit a negative response.• Corporate information can be easily accessed,compromised, or destroyed by intentional,unintentional, or natural threats.
  16. 16. Intentional threats• Unauthorized users who inappropriatelyaccess data and information that they are notgranted permission to view or use.• Can be external or internal.
  17. 17. Unintentional threats• Caused by untrained or careless employees.• Also include programmers or data processingpersonnel
  18. 18. Natural threats• Equipment failures, or disasters such as fire,floods, and earthquakes that can result in theloss of equipment and data
  19. 19. The Risks• There are many events that can result if abreach of confidentiality, integrity, oravailability occurs.
  20. 20. Threat/Concern/Risk Matrix
  21. 21. Overview of Security Controls• To apply appropriate controls to an operatingenvironment, it is necessary to understandwho or what poses a threat to the processingenvironment and then to understand whatcould happen (risk or danger) from thatthreat.
  22. 22. Risk versus controls implementation.
  23. 23. The Controls• Control requirements are not uniform for allsystems.– Administrative controls• Security policies and procedures– Physical controls• Direct physical access to equipment– Technical controls• Logical controls– Access controls• Non-repudiation
  24. 24. Physical Controls
  25. 25. Administrative Controls
  26. 26. Technical Controls
  27. 27. The Strategic Information Technology(IT) Plan• The business plan answers the who, what,where, when, why, and how of the business.
  28. 28. The Strategic Information Technology (IT)Plan
  29. 29. Strategic IT Plan should be broken intosix parts• Introduction• Description of the IT Organization• Scope, Viability, and Modification of the Plan• Relationship to the Organization’s StrategicBusiness Plan• Strategic Goals for Information Technology• Summary and Conclusion
  30. 30. Introduction• Introduction is an overview or executivesummary that describes the background,origination, and intent of the document.
  31. 31. Description of the IT Organization• Description of the IT Organization, shouldinclude a definition of the roles andresponsibilities of individuals within the ISdepartment, an organization chart anddescription of supporting staff, and a vision forthe use of IT.
  32. 32. Scope, Viability, and Modification ofthe Plan• Scope, Viability, and Modification of the Plan,defines the scope of the document.
  33. 33. Relationship to the Organization’sStrategic Business Plan• Relationship to the Organization’s StrategicBusiness Plan, refers back to the business planand provides a discussion of how the plan isintegrated with and supports the StrategicBusiness Plan.
  34. 34. Strategic Goals for InformationTechnology• Strategic Goals for Information Technology,lists the specific objectives from the businessplan that relate to IT.
  35. 35. Strategic IT Plan: Sample Table ofContentsTable of Contents1. Introduction2. Information Technology at XXXX Organization (MissionStatement)2.1 The CIO and Information Systems & Technology Roles2.2 The Information Systems & Technology Institutional-Level Organization2.3 Local Information Technology Support Staff2.4 The Evolving Information Technology Support Role2.5 A Vision for Information Technology Effectiveness
  36. 36. 3. Scope, Viability, and Modification of This Plan4. Relationship to the XXXX Corporation’s StrategicPlan5. Strategic Goals for Information Technology5.1 A Corporate Goal: Information Accessibility5.1.1 Enhance and Extend the NetworkInfrastructure5.1.2 Ensure Appropriate Off-Site Network Access5.1.3 Ensure Effective Delivery of InformationTechnology Support5.1.4 Evaluate Services and Customer Satisfaction
  37. 37. 5.1.5 Establish Corporate wide Standards5.1.6 Effectively Manage and Distribute Servers5.1.7 Enhance Support of Library Initiatives5.1.8 Enhance Internal and ExternalCommunications5.2 A Corporate Goal: Technology-EnabledManagement, Staff, and Business Partners5.2.1 Ensure Management and StaffDevelopment in Technology
  38. 38. 5.2.2 Provide Appropriate Workstation Supportfor Management and Staff5.2.3 Promote Effective Research Computing5.2.4 Foster Technology Experimentation5.2.5 Provide Effective Information TechnologyServices for Clients5.3 A Corporate Goal: Technology-EnhancedBusiness5.3.1 Establish Appropriate Levels of Technologyin Business Operations
  39. 39. 5.3.2 Ensure Availability of InformationTechnology Resources for Employees5.3.3 Engage the Corporate Community in theUse of Technology5.4 A Corporate Goal: Business ProcessEffectiveness5.4.1 Improve Efficiency of Operations5.4.2 Establish an Effective Data WarehouseSystem5.4.3 Replace Business-Process SoftwareSystems
  40. 40. 5.5 A Corporate Goal: Information Security Architecture5.5.1 Establish an Organization that Supports the SecurityFunction5.5.2 Establish Security Policies and Procedures5.5.3 Conduct Baseline Risk Assessments for EachComponent of theOperating Environment5.5.4 Develop a User Awareness Program and ConductTraining for Employeesand Individuals with Security Responsibility5.5.5 Develop a Comprehensive Compliance Program6. Summary and Conclusion

×