Presentation (2010)
1. ______ Security Solutions
2. Security
   Overview: What is security?
   Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction.
   Presented by Peleg Holzmann, CISSP
3. ______ & Security
   ______
   To ....
4. Overview: Gain Security Awareness
   When you hire ______ you do not get one person but rather a team of highly trained and experienced IT professionals who are experienced in all areas of information security.
   ______ works with you to understand your business goals, concerns and your organization's vision to create the optimal security solution customized for your individual organization.
5. A few questions
   1. What is your corporate vision for security?
   2. Where are you today?
   3. Where do you want to be?
   4. How do we get there?
   5. Did we get there?
   6. How do we keep the momentum going?
6. One Answer
   We can help you answer all these questions!
7. CIA Triangle
8. Risk
   Risk is the likelihood of the occurrence of a vulnerability, multiplied by the value of the information asset, minus the percentage of risk mitigated by current controls, plus the uncertainty of the current knowledge of the vulnerability.
9. Risk
   Diagram labels: $1000, $25,000, Threat, $1000, $200.
10. Layered Approach – Defense in Depth
   Diagram labels. Layers: People, Networks, Systems, Information, Technology, Internet. Controls: Policies and Laws, Education and Training, Authorized Personnel, Access Controls, Firewalls, Network IDS, Network IPS, Proxy Servers, Host IDS, Encryption, Backups, Patches & Updates, Monitoring Systems, Redundancy, Security Planning (IR, DR, BC).
11. Security Awareness
12. Continual Service Improvement
13. Typical Information Security Audit Procedure
   Procedure diagram: Step 1: Ascertain Applicable Laws (Requirements); Step 1.1: NIST/ISO Security Standards.
14. Requirements Continued
   Diagram labels: Information Security; Information Security Management System; Standards / Frameworks (ISO 27000); Processes; Policies; Procedures; Practices; Accountability; Compliance, Assurance, Audit.
15. Step 1 – Ascertain applicable laws/standards
   Determine if your organization needs to meet any laws or standards:
   - HIPAA
   - SOX
   - GLBA
   - Etc.
   Determine if your organization is following any NIST/ISO standards/frameworks:
   - ISO 27000 / ITIL
   - ISO 17799
   - COBIT
   - Etc.
   Determine specific requirements.
23. Step 1 – Example HIPAA
   Some areas which need to be addressed and documented would include:
   - Physical Security: systems should be located in physically secure locations, whenever possible.
   - Secure Locations: secure locations must have physical access controls (card key, door locks, etc.) that prevent unauthorized entry, particularly during periods outside of normal work hours, or when authorized personnel are not present to monitor security.
   - Access Control Systems: access control systems must be maintained in good working order, and records of maintenance, modification and repair activities should be available.
   - Media Destruction and Recycling
   - Back-up Systems and Procedures
   - Account Management and Access Review
   - Emergency Access
   - Disaster Recovery…
24. Typical Information Security Audit Procedure
   Procedure diagram: Step 1: Ascertain Applicable Laws (Requirements); Step 1.1: NIST/ISO Security Standards; Step 2: Prepare Project Plan.
25. Step 2 – Project Plan
   Utilizing Microsoft Project, design and maintain a feasible and detailed project plan.
   Each project plan is followed and evaluated constantly to ensure that milestones, schedules and budgets are met.
26. Typical Information Security Audit Procedure
   Procedure diagram: Steps 1, 1.1 and 2 as above; Step 3: Gather Information & Identify Assets (Interviews, Documentation Review).
27. Step 3 – Gather Information
   Use tools, interviews and documentation review to analyze the business risk profile.
28. Step 3 – Gather Information – Interviews
29. Step 3 – Gather Information – Software
   - Nessus
   - Secunia
   - Microsoft Baseline Security Analyzer (MBSA)
30. Step 3 – Gather Information – Documentation Review
31. Typical Information Security Audit Procedure
   Procedure diagram: Steps 1 to 3 as above; Step 4: Perform Risk Analysis.
32. Step 4 – Perform Risk Analysis
   Risk is the likelihood of the occurrence of a vulnerability, multiplied by the value of the information asset, minus the percentage of risk mitigated by current controls, plus the uncertainty of the current knowledge of the vulnerability.
33. Risk assessment flow diagram (untitled slide; inputs and outputs per step as labelled):
   - Step 1: System Characterization. Inputs: Hardware, Software, System Interfaces, Data & Information, People, System Mission. Outputs: System Boundary, System Functions, Systems & Data Criticality, System & Data Sensitivity.
   - Step 2: Threat Identification. Inputs: History of system attacks, Outside agency data. Output: Threat Statement.
   - Step 3: Vulnerability Identification. Inputs: Prior Risk Assessments, Prior Audits, Security Requirements, Security Test Results. Output: List of Potential Vulnerabilities.
   - Step 4: Control Analysis. Inputs: Current Controls, Planned Controls. Output: List of current & planned controls.
   - Step 5: Likelihood Determination. Inputs: Threat Source Motivation, Threat Capacity, Nature of Vulnerability, Current Controls. Output: likelihood rating.
   - Step 6: Impact Analysis (Loss of CIA). Inputs: Mission impact analysis, Asset criticality assessment, Data criticality, Data sensitivity. Output: Impact Rating.
   - Step 7: Risk Determination. Inputs: Likelihood of threat exploitation, Magnitude of impact, Adequacy of planned & implemented controls. Output: Risks & Associated Risk Levels.
34. Step 4 – Perform Risk Analysis (Quantitative)
   Quantitative approach (more detailed and longer time frame):
   - Single Loss Expectancy (SLE)
   - Annualized Rate of Occurrence (ARO)
   - Annualized Loss Expectancy (ALE): SLE x ARO = ALE
   - Cost Basis Analysis (CBA)
   - Annualized Cost of Safeguard (ACS): CBA = ALE (prior) – ALE (post) – ACS
35. Step 4 – Perform Risk Analysis (Qualitative)
   Qualitative approach (faster and cheaper): Low, Medium, High, Very High.
   Assign a degree to the asset, then create a risk matrix chart similar to the sample shown.
36. Step 4 – Perform Risk Analysis
   At ______ we use both in combination, quantitative and qualitative, to produce the most accurate risk matrix.
   Diagram labels: Quantitative, Qualitative.
37. Step 4 – Perform Risk Analysis
   At ______ we use both in combination, quantitative and qualitative, to produce the most accurate risk matrix.
   Flowchart labels: Identify Information Assets; Vulnerability Worksheet; Access Control; Measure Risk to Asset; Control Strategy and Plan; Implement Control; Plan for Maintenance; decision points: Adequate Controls? (Yes/No), Adequate Risk? (Yes/No).
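The Step 4 approach above, as an added worked example that is not part of the deck: it applies the quantitative formulas (SLE x ARO = ALE, CBA = ALE(prior) – ALE(post) – ACS) and a qualitative Low/Medium/High/Very High rating to the same assets and produces one risk-matrix row per asset. The scenarios, dollar figures, band cut-offs and the likelihood-plus-impact scoring are constructed assumptions, not the presenter's method.

```python
# Added example, not from the deck: Step 4 quantitative formulas (SLE x ARO = ALE,
# CBA = ALE(prior) - ALE(post) - ACS) combined with the qualitative Low..Very High
# rating into one risk-matrix row per asset. Scenarios and cut-offs are constructed.
from dataclasses import dataclass
LEVELS = ("Low", "Medium", "High", "Very High")

@dataclass
class Scenario:
    name: str
    sle: float       # Single Loss Expectancy: dollars lost per occurrence
    aro: float       # Annualized Rate of Occurrence: expected events per year
    acs: float       # Annualized Cost of Safeguard being evaluated
    sle_post: float  # SLE once the safeguard is in place
    aro_post: float  # ARO once the safeguard is in place

def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy: SLE x ARO = ALE."""
    return sle * aro

def cba(s: Scenario) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the safeguard pays for itself."""
    return ale(s.sle, s.aro) - ale(s.sle_post, s.aro_post) - s.acs

def band(value: float, cutoffs: tuple) -> int:
    """Index of the first cut-off the value is below (0..len(cutoffs))."""
    for i, limit in enumerate(cutoffs):
        if value < limit:
            return i
    return len(cutoffs)

def qualitative_rating(s: Scenario) -> str:
    """Likelihood band (from ARO) plus impact band (from SLE), collapsed to
    the deck's four levels. The cut-offs are assumptions, not from the deck."""
    likelihood = band(s.aro, (0.1, 1.0, 5.0))    # rare .. frequent
    impact = band(s.sle, (500, 5_000, 50_000))   # minor .. severe
    return LEVELS[(0, 0, 1, 2, 2, 3, 3)[likelihood + impact]]

def assess(scenarios: list) -> list:
    """One risk-matrix row per asset, largest annual exposure first."""
    rows = [{"asset": s.name, "rating": qualitative_rating(s), "ale": ale(s.sle, s.aro),
             "cba": cba(s), "implement": cba(s) > 0} for s in scenarios]
    return sorted(rows, key=lambda r: r["ale"], reverse=True)

# Constructed scenarios; the figures echo the deck's $25,000 / $1,000 / $200 slide.
SAMPLE = [
    Scenario("File server ransomware", 25_000, 0.5, 3_000, 5_000, 0.5),
    Scenario("Unencrypted laptop theft", 1_000, 2.0, 1_500, 200, 2.0),
    Scenario("Web site defacement", 1_000, 0.05, 2_000, 200, 0.05),
]

if __name__ == "__main__":
    for r in assess(SAMPLE):
        action = "implement safeguard" if r["implement"] else "accept or transfer"
        print(f"{r['asset']:26} {r['rating']:9} ALE ${r['ale']:>9,.0f} CBA ${r['cba']:>9,.0f} {action}")
```

Note that the qualitative rating and the CBA can disagree (the defacement scenario rates Low and its safeguard has a negative CBA, while the laptop scenario rates High but the safeguard only just breaks even), which is why the deck combines both views rather than relying on either alone.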
38. Typical Information Security Audit Procedure
   Procedure diagram: Steps 1 to 4 as above; Step 5: Report Findings & Recommendations.
39. Step 5 – Report Findings and Recommendations
40. Typical Information Security Audit Procedure
   Procedure diagram: Steps 1 to 5 as above; Step 6: Prepare Implementation Plan.
41. Step 6 – Implementation Plan
42. Step 4 – Example of Patches and Vulnerabilities
43. Typical Information Security Audit Procedure
   Complete procedure diagram: Step 1: Ascertain Applicable Laws (Requirements); Step 1.1: NIST/ISO Security Standards; Step 2: Prepare Project Plan; Step 3: Gather Information & Identify Assets (Interviews, Documentation Review); Step 4: Perform Risk Analysis; Step 5: Report Findings & Recommendations; Step 6: Prepare Implementation Plan; Step 7: Continual Service Improvement.
44. Step 7: Continual Service Improvement
45. Some Examples…
46. Firewall Rules
47. Wi-Fi Site Analysis
48. Network Analysis
49. Documentation – McAfee ePolicy Orchestrator
50. Patch / Change Management Report
51. Risk Assessment
52. Documentation Review / Audits
53. Documentation – Work Area Recovery Recommendations
54. Documentation – Business Impact Analysis (BIA)
55. Control Objective
56. Policy Document
57. Standards Document
58. We help you assemble your complete security solution