Information Security Architecture: Building Security Into Your Organization

Controls and solutions can mitigate risk, but can also deeply undermine business productivity and the benefits that new technologies may bring. Harnessing the SABSA Information Security framework will allow your organization to build robust enterprise security architecture, directly supporting and enabling your organization's core objectives.

This presentation will highlight the key concerns you should be aware of within your organization and current security program, as well as provide specific recommendations to successfully move your security and compliance goals ahead. Learn more about the techniques and tools readily available in the industry and how you can use these tools to create immediate wins and security improvements in your organization.


  1. Information Security Architecture: Building Security into your Organization
  2. The on-going promotion of security… • Increasing threats • Complex vulnerabilities • Large, intricate solutions required. Copyright 2007 – Seccuris Inc.
  3. We're sucked into acting on generic justifications! After implementing large, intricate solutions we have: • Increased our workload • Impacted productivity and innovation in the environment
  4. The internal challenge… What do we hear most from IT & IT Security departments regarding support? • We are under-resourced • We are fighting a losing battle • The "business" is making our jobs harder. We are misaligned with the business!
  5. (Image-only slide.)
  6. Our key issue… We are using Security to undermine the business. • How many organizations' business is information security? • Not many. • Information Security enables the business to operate effectively with a properly managed (balanced) risk profile.
  7. Our key issue… We are using Security to undermine the business. • How many organizations' businesses need information security?
  8. Our key issue… Every business requires Trust & Relationships. • Information Security ensures: • Trust is maintained appropriately for the level of risk • Relationships are protected and "assured" (AIC)
  9. Our key issue… • Implementing solutions without understanding Trust requirements impacts: • Productivity • Innovation • Flexibility
  10. Why are we undermining the business? The current approach to security solutions undermines: • business productivity • the benefits of new technologies
  11. Undermining the Business: We implement solutions that focus on security, not on business.
     • Prevent systems from interfacing with other systems: FW, IDS/IPS solutions
     • Restrict user abilities within the application: Application & Database controls
     • Authorize access to information systems & services: Web filtering / Instant Messaging control / SSL VPN
  12. Undermining the Business: We build unnecessary conflict into our projects and environment. • Being on the "Same Team" is seen as a conflict • Why is being on the "Same Team" an issue? • Who is really accepting the risk?
  13–14. Undermining the Business: We implement solutions without Justification, Prioritization & Completeness. Lacking processes such as: • Business Requirements for Information Sharing • Privacy and Security Requirements Definition • Solution Design Reviews • Environment Validation & Health Checks • Incident Handling & Forensic Investigation • Business Risk acceptance for implemented solutions
  15. Undermining the Business: Are we undermining the benefits of new technologies? • Enterprise Storage & Backup Solutions • Remote Access • VoIP • Virtualization
  16. Improving enablement of the business: An Information Security Framework aligns controls and solutions, enabling business objectives AND US!
  17–18. SABSA: Enterprise Security Framework. Focuses on: • Establishing Business Context • Developing a Business Risk Model • Developing a Conceptual Trust Model • Developing a Security Domain Model • Understanding business priorities, environment gaps and key strategies to move forward
  19. Developing a Conceptual Trust Model. To secure the organization: • Identify entities involved with the organization • Define information flowing between business entities • Assess the assurance required to establish trust
  20. Developing a Conceptual Trust Model (diagram-only slide).
  21. Developing a Conceptual Trust Model: SABSA – Example Trust Model (diagram). Entities shown:
     • 1. Clients (1a. Target Clients, 1b. Industry Partners)
     • 2. Other Stakeholders (2a. Industry Groups, 2b. Media)
     • 3. General Suppliers (3a. Vendors & Contractors, 3b. Suppliers, 3c. External Regulators, e.g. PCI)
     • 4. Integrated Suppliers / Partners (4a. Outsourced Delivery (IT), 4b. Outsourced Delivery (Business/Program))
     • 5. Partner Organizations (5a. Partner 1, 5b. Partner 2)
     • 6. Our Organization
     • 7. Executive Management (7a. Board Executive)
     • 8. General Management
     • 9. Organizational Units (9a. Business Administration, 9b. Service Delivery)
     • 10. Independent Sales Offices
     • 11. Sales Agencies
     Trust relationships (TH#) and the information each carries, as labelled on the diagram:
     • TH1. Financial, Personal, Health Information
     • TH2. Client Confidential Information
     • TH3. Financial, Performance Status Information
     • TH4. Public Information
     • TH5. Compliance Audits, Sensitive Information
     • TH6. Intellectual Property
     • TH7. Intellectual Property, Financial, Employee / Client Personal, Health Information, Compliance Audits
     • TH8. Intellectual Property, Financial, Employee / Client Personal, Health Information
     • TH9. Financial, Client Personal, Business Confidential Information
     • TH10. Financial, Client Personal, Business Confidential Information
  22. Conceptual Trust Model: Define Information Sharing (diagram; labels: Financial, Personal & Health Information; Intellectual Property, Financial Information, Audit Reports).
  23. Conceptual Trust Model: Define Trust Requirements. Our organization provides services to our clients that must remain confidential from other internal business units / employees, as well as from external entities.
  24. Conceptual Trust Model: Define Trust Requirements. Clients provide confidential personal, financial and health information that must remain confidential from other internal entities, as well as from external entities (e.g. Payment Card Information).
  25. Conceptual Trust Model: Define Trust Requirements. Our organization shares intellectual property relevant to the business services provided, as well as Financial, Personal and Health information regarding our employees and our clients, that must remain confidential from non-involved internal entities, as well as from non-involved (contractually bound) external entities.
  26. Conceptual Trust Model: Define Trust Requirements. Integrated Suppliers share intellectual property relevant to the business services provided, as well as Financial, Personal and Health information regarding our employees and clients, that must remain confidential from our clients (direct), non-involved internal entities, as well as external entities.
  27. Developing a Security Domain Model. The security domain model defines three major elements: 1. Structure and scope of the security domains within the Organization 2. Interrelationships to external security domains 3. Who is the Authority for the Domain
  28. Developing a Security Domain Model (diagram). Security domains shown: D1. Our Organization; D2. Organizational Units (D2a. Business Administration, D2b. Service Delivery); D3. Executive Management (D3a. Board Executive); D4. General Management; D5. Independent Sales Offices; D6. Sales Agencies; D7. Partner Organizations; D8. Other Stakeholders; D9. Integrated Suppliers (IT); D10. Integrated Suppliers (Business); D11. General Suppliers; D12. Clients; D16. Suppliers. Further labels on the diagram: Business Enablement Services, Program Services, General Services, ASD (IT), ASD (Business), Other Governments. Domain relationships DR1 through DR7 are drawn between D1 and the external domains.
  29. Developing a Security Domain Model (diagram, detail of slide 28). Shows D1. Our Organization with D2. Organizational Units (D2a. Business Administration, D2b. Service Delivery) and the Business Enablement Services, Program Services and General Services labels, together with DR1 to D12. Clients and DR3 to D10. Integrated Suppliers (Business); D16. Suppliers and ASD (IT) are also visible.
  30. Security Domain Model: Authority & Scope. Domain Authority: Our CIO. Our organization encompasses all management (executive and general), Organizational Units and Sales (Independent and Agency) entities owned and legally controlled by our organization.
  31. Security Domain Model: Authority & Scope. Domain Authority: Org Unit President. Organizational Units encompass the specific Business Administration and Service Delivery functions for each unique OU entity (including IT services & functions).
  32. Security Domain Model: Authority & Scope. Domain Authority: Integrated Supplier. Integrated Suppliers (Business) encompass any specific external entity controlling one or many smaller entities that provide outsourced business functions to any specific Organizational Unit.
  33. Security Domain Model: Authority & Scope. Domain Authority: Client (Individual). Clients encompass both specific target clients as well as industry partners relevant to our organization's service offerings.
  34. Using Trust & Relationships. The tools we have used, and what each captures:
     • Entity Diagram: Relationships
     • Trust Relationship Diagram: Trust
     • Security Domain Diagram: Authorities
     • Boundary Control Inventory
  35. Defining Boundary Controls
     • DR#: DR3
     • Boundary Description: Our Organization interacting with Integrated Suppliers (Business)
     • Organizational Boundary Controls: Contracts/Agreements; Service Level Agreement; Internal Policy (InfoSec); Industry Compliance Requirements; Legislation, regulations, and acts
     • Technical Boundary Controls: Firewall / ACLs; Segmented VLANs for Supplier; Intrusion Prevention Systems (NIDS); Intrusion Prevention Systems (HIDS)
  36. Defining Boundary Controls
     • DR#: DR1
     • Boundary Description: Our Organization interacting with Clients
     • Organizational Boundary Controls: Contracts/Agreements; Internal Policy (InfoSec); Legislation, regulations, and acts
     • Technical Boundary Controls: Firewall / ACLs; Intrusion Prevention Systems (NIDS); User Account Roles (Web SVC)
  37. Defining Boundary Controls. Review defined boundary controls:
     • Prioritization: What relationships have the most complex control requirements?
     • Completeness: What relationships lack controls?
     • Justification: How many boundaries share common controls?
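The boundary control inventory on slides 35 and 36 and the three review questions on slide 37 lend themselves to being kept as data and queried. The following is an added example, not code from the deck or from Seccuris: it models the DR1 and DR3 entries exactly as the slides list them, adds a constructed DR2 entry (a relationship drawn on the domain diagram but never given controls, to show what a completeness gap looks like), and answers the prioritization, completeness and justification questions over the inventory.

```python
"""Boundary control inventory review, modelled on slides 35-37.

Added example: DR1 and DR3 are transcribed from the slides; DR2 is a
constructed placeholder for a boundary that has no controls recorded.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Boundary:
    """One domain relationship (DR#) and the controls applied at it."""
    dr_id: str
    description: str
    organizational: list[str] = field(default_factory=list)
    technical: list[str] = field(default_factory=list)

    def all_controls(self) -> list[str]:
        return self.organizational + self.technical


INVENTORY = [
    Boundary(
        "DR1", "Our Organization interacting with Clients",
        organizational=["Contracts/Agreements", "Internal Policy (InfoSec)",
                        "Legislation, regulations, and acts"],
        technical=["Firewall / ACLs", "Intrusion Prevention Systems (NIDS)",
                   "User Account Roles (Web SVC)"],
    ),
    # Constructed entry: a boundary that exists on the diagram but was never
    # given controls. It is here to exercise the completeness check.
    Boundary("DR2", "Our Organization interacting with General Suppliers (constructed)"),
    Boundary(
        "DR3", "Our Organization interacting with Integrated Suppliers (Business)",
        organizational=["Contracts/Agreements", "Service Level Agreement",
                        "Internal Policy (InfoSec)", "Industry Compliance Requirements",
                        "Legislation, regulations, and acts"],
        technical=["Firewall / ACLs", "Segmented VLANs for Supplier",
                   "Intrusion Prevention Systems (NIDS)",
                   "Intrusion Prevention Systems (HIDS)"],
    ),
]


def prioritize(inventory: list[Boundary]) -> list[tuple[str, int]]:
    """Prioritization: boundaries ordered by control count, most complex first."""
    return sorted(((b.dr_id, len(b.all_controls())) for b in inventory),
                  key=lambda pair: (-pair[1], pair[0]))


def completeness_gaps(inventory: list[Boundary]) -> dict[str, list[str]]:
    """Completeness: boundaries missing organizational or technical controls."""
    gaps: dict[str, list[str]] = {}
    for b in inventory:
        missing = [kind for kind, ctrls in (("organizational", b.organizational),
                                             ("technical", b.technical))
                   if not ctrls]
        if missing:
            gaps[b.dr_id] = missing
    return gaps


def shared_controls(inventory: list[Boundary], minimum: int = 2) -> dict[str, int]:
    """Justification: controls that recur at `minimum` or more boundaries."""
    counts = Counter(c for b in inventory for c in b.all_controls())
    return {c: n for c, n in counts.items() if n >= minimum}


if __name__ == "__main__":
    for dr_id, n in prioritize(INVENTORY):
        print(f"{dr_id}: {n} controls")
    print("completeness gaps:", completeness_gaps(INVENTORY))
    print("shared controls:", shared_controls(INVENTORY))
```

Run as a script it ranks DR3 ahead of DR1, flags DR2 as lacking both control types, and lists the five controls common to DR1 and DR3 as candidates for a single justified, reusable control set.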
  38. Improving your Security Program. How do you use Trust and Security Domain Models to improve your Information Security posture? What should we think about when implementing: • IDS / IPS • Database Security • Web filtering / Instant Messaging control / SSL VPN
  39. Defend your boundaries. • Focus on Automated Policy Enforcement on clearly understood boundaries where information sharing requirements are well defined. • Free resources to focus on higher-level business risks. • Restrictive Firewalls / IPS / UTM / Content Filtering
  40. Defend your boundaries (same security domain diagram as slide 28).
  41. Protect your core. • Focus verbose detective tools within boundaries to allow business-focused investigation to occur.
     • Generic DB attack from the outside world: Automated Block – Move on
     • Generic DB attack from the inside world: Review Block – Monitor / Investigate / Respond
     • IDS/IPS / Database Security Controls / Investigative Process
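Slide 41's rule only works if the alert pipeline knows which security domain an event came from, so the decision "automated block and move on" versus "block, then monitor, investigate and respond" can be made from the domain model rather than from an analyst's memory. The following added example (not the deck's or Seccuris' code) encodes that rule: the domain ids are those of slide 28, the assignment of D2 through D6 to the inside of D1 is an assumption made here, and the two events and their signature name are constructed samples.

```python
"""Domain-aware triage of a generic database attack signature (slide 41).

Added example. Domain ids follow slide 28's security domain model; which
sub-domains count as inside D1 (Our Organization) is an assumption here.
"""
from __future__ import annotations

# Assumption: D1 contains Organizational Units, management and sales domains;
# the remaining domains on the diagram are external to the organization.
INTERNAL_DOMAINS = {"D1", "D2", "D2a", "D2b", "D3", "D3a", "D4", "D5", "D6"}
EXTERNAL_DOMAINS = {"D7", "D8", "D9", "D10", "D11", "D12", "D16"}


def source_position(domain_id: str) -> str:
    """Classify an event source as inside or outside the D1 boundary."""
    if domain_id in INTERNAL_DOMAINS:
        return "inside"
    if domain_id in EXTERNAL_DOMAINS:
        return "outside"
    raise ValueError(f"unknown security domain: {domain_id}")


def triage(event: dict) -> dict:
    """Apply slide 41's rule to one IDS/IPS event against the core database."""
    position = source_position(event["source_domain"])
    if position == "outside":
        # Automated policy enforcement at a well-understood boundary: block, move on.
        return {"action": "block", "follow_up": "none",
                "reason": "external source stopped at the boundary"}
    # Verbose detection inside the boundary feeds a business-focused investigation.
    return {"action": "block", "follow_up": "investigate",
            "reason": "internal source: monitor, investigate and respond"}


# Constructed sample events; the signature name and target host are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "signature": "generic SQL injection probe",
     "source_domain": "D12", "target": "core-db-01"},
    {"id": 2, "signature": "generic SQL injection probe",
     "source_domain": "D2b", "target": "core-db-01"},
]


def triage_all(events: list[dict]) -> dict[int, str]:
    """Map each event id to the follow-up queue its source domain puts it in."""
    return {e["id"]: triage(e)["follow_up"] for e in events}


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e["id"], e["source_domain"], triage(e))
```

The same signature lands in two different queues purely because of the domain it originated in: the client-side probe is closed automatically, while the one from Service Delivery is handed to the investigative process the slide calls for. An unknown domain id raises rather than defaulting to either path, so a gap in the domain model surfaces as an error instead of silently being treated as external.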
  42. Protect your core (image-only slide).
  43. Enable your business. Build strategies that align with Trust and Information Sharing requirements. • Using Trust Modeling and Security Domains we clearly know: • What is at stake • To what level we must protect the relationship and information • Who decides what risk level is acceptable • Who accepts the residual risk
  44. Enable your business with an Information Security Framework. • Improve visibility of security boundaries and identify Trust issues • Free to focus on building new solutions enabling information sharing • Demonstrates linkages between the business and the chosen strategy & solutions • Prioritizes implementation of controls
  45. Conclusion. We can implement solutions with Justification, Prioritization & Completeness. Seccuris will assist with: • Strategy & Framework • Process Development • Solution Creation & Validation • Implementation • Monitoring & Response
  46. Thanks. Michael Legary, CSA, CISSP, CISM, CISA, CCSA, CPP, GCIH, PCI-QSA, Founder & CIO, Seccuris Inc. Email: Michael.Legary@seccuris.com Direct: 204-255-4490 Main: 204-255-4136 Fax: 204-942-6705
