Presentation (2010)
Transcript

  • 1. Sorry Image Redacted for Privacy
    ______ Security Solutions
  • 2. Security
    • Overview: What is security?
    Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction
    Presented by: Peleg Holzmann, CISSP
  • 3. ______ & Security
    • ______
    To ....
  • 4. Overview: Gain Security Awareness
    When you hire ______ you do not get one person but rather a team of highly trained and experienced IT professionals who are experienced in all areas of information security.
    ______ works with you to understand your business goals, concerns and your organization's vision to create the optimal security solution, customized for your individual organization.
  • 5. A few questions
    1. What is your corporate vision for security?
    2. Where are you today?
    3. Where do you want to be?
    4. How do we get there?
    5. Did we get there?
    6. How do we keep the momentum going?
  • 6. One Answer
    Sorry Image Redacted for Privacy
    We can help you answer all these questions!
  • 7. CIA Triangle
  • 8. Risk
    Risk = (likelihood of the occurrence of a vulnerability × value of the information asset) − percentage of risk mitigated by current controls + uncertainty of the current knowledge of the vulnerability.
  • 9. Risk
    [Figure: risk example; labels on the chart: $1000, $25,000, Threat, $1000, $200]
  • 10. Layered Approach – Defense in Depth
    [Figure: concentric defense-in-depth layers. Layer labels: Internet, Policies and Laws, People, Networks, Systems, Information, Technology. Controls shown: Redundancy; Security Planning (IR, DR, BC); Monitoring Systems; Patches & Updates; Education and Training; Host IDS; Firewalls; Authorized Personnel; Network IDS; Network IPS; Proxy Servers; Encryption; Backups; Access Controls.]
  • 11. Security Awareness
  • 12. Continual Service Improvement
  • 13. Typical Information Security Audit Procedure
    Requirements
    Step 1: Ascertain Applicable Laws
    Step 1.1: NIST/ISO Security Standards
  • 14. Requirements Continued
    Information Security
    Information Security Management System
    Standards / Frameworks (ISO 27000)
    Processes
    Policies
    Procedures
    Practices
    Accountability
    Compliance, Assurance, Audit
  • 15. Step 1 – Ascertain applicable laws/standards
    Determine whether your organization needs to meet any laws or standards.
    Determine whether your organization is following any NIST/ISO standards or frameworks.
  • 23. Step 1 – Example HIPAA
    Some areas which need to be addressed and documented would include:
    Physical Security: Systems should be located in physically secure locations, whenever possible.
    Secure Locations: Secure locations must have physical access controls (card key, door locks, etc.) that prevent unauthorized entry, particularly during periods outside of normal work hours, or when authorized personnel are not present to monitor security.
    Access Control Systems: Access control systems must be maintained in good working order, and records of maintenance, modification and repair activities should be available.
    Media Destruction and Recycling
    Back-up Systems and Procedures
    Account Management and Access Review
    Emergency Access
    Disaster Recovery…
  • 24. Typical Information Security Audit Procedure
    Requirements
    Step 1: Ascertain Applicable Laws
    Step 1.1: NIST/ISO Security Standards
    Step 2: Prepare Project Plan
  • 25. Step 2 – Project Plan
    Using Microsoft Project, design and maintain a feasible and detailed project plan.
    Each project plan is followed and evaluated continually to ensure that milestones, schedules and budgets are met.
  • 26. Typical Information Security Audit Procedure
    Requirements
    Step 1: Ascertain Applicable Laws
    Step 1.1: NIST/ISO Security Standards
    Step 2: Prepare Project Plan
    Step 3: Gather Information & Identify Assets (Interviews, Documentation Review)
  • 27. Step 3 – Gather Information
    Use tools, interviews and documentation review to analyze the business risk profile.
  • 28. Step 3 – Gather Information - Interviews
    Sorry Image Redacted for Privacy
  • 29. Step 3 – Gather Information - Software
    Nessus
    Secunia
    Microsoft Baseline Security Analyzer (MBSA)
  • 30. Step 3 – Gather Information – Documentation Review
  • 31. Typical Information Security Audit Procedure
    Requirements
    Step 1: Ascertain Applicable Laws
    Step 1.1: NIST/ISO Security Standards
    Step 2: Prepare Project Plan
    Step 3: Gather Information & Identify Assets (Interviews, Documentation Review)
    Step 4: Perform Risk Analysis
  • 32. Step 4 – Perform Risk Analysis
    Risk = (likelihood of the occurrence of a vulnerability × value of the information asset) − percentage of risk mitigated by current controls + uncertainty of the current knowledge of the vulnerability.
  • 33. [Figure: risk assessment flow diagram (inputs → step → outputs); the seven steps are those of NIST SP 800-30]
    Step 1: System Characterization – inputs: Hardware, Software, System Interfaces, Data & Information, People, System Mission; outputs: System Boundary, System Functions, Systems & Data Criticality, System & Data Sensitivity
    Step 2: Threat Identification – inputs: History of system attacks, Outside agency data; output: Threat Statement
    Step 3: Vulnerability Identification – inputs: Prior Risk Assessments, Prior Audits, Security Requirements, Security Test Results; output: List of Potential Vulnerabilities
    Step 4: Control Analysis – inputs: Current Controls, Planned Controls; output: List of current & planned controls
    Step 5: Likelihood Determination – inputs: Threat Source Motivation, Threat Capacity, Nature of Vulnerability, Current Controls
    Step 6: Impact Analysis (Loss of CIA) – inputs: Mission impact analysis, Asset criticality assessment, Data criticality, Data sensitivity; output: Impact Rating(s)
    Step 7: Risk Determination – inputs: Likelihood of threat exploitation, Magnitude of impact, Adequacy of planned & implemented controls; output: Risk & Associated Risk Levels
  • 34. Step 4 – Perform Risk Analysis (Quantitative)
    Quantitative Approach (more detailed and longer time frame)
    Single Loss Expectancy (SLE)
    Annualized Rate of Occurrence (ARO)
    Annualized Loss Expectancy (ALE): ALE = SLE × ARO
    Cost Basis Analysis (CBA)
    Annualized Cost of Safeguard (ACS)
    CBA = ALE (prior) − ALE (post) − ACS
  • 35. Step 4 – Perform Risk Analysis (Qualitative)
    Qualitative Approach (faster and cheaper)
    Degrees: Low, Medium, High, Very High
    Assign a degree to each asset, then create a risk matrix chart similar to the sample shown.
  • 36. Step 4 – Perform Risk Analysis
    At ______ we use both in combination:
    Quantitative and Qualitative to produce the most accurate risk matrix.
    Sorry Image Redacted for Privacy (risk matrix combining the Quantitative and Qualitative results)
  • 37. Step 4 – Perform Risk Analysis
    At ______ we use both in combination:
    Quantitative and Qualitative to produce the most accurate risk matrix.
    [Figure: risk management flowchart. Nodes: Identify Information Assets; Vulnerability Worksheet; Measure Risk to Asset; Access Control; Control Strategy and Plan; Implement Control; Plan for Maintenance. Decision points: Adequate Controls? (YES / NO) and Adequate Risk? (YES / NO).]
  • 38. Typical Information Security Audit Procedure
    Requirements
    Step 1: Ascertain Applicable Laws
    Step 1.1: NIST/ISO Security Standards
    Step 2: Prepare Project Plan
    Step 3: Gather Information & Identify Assets (Interviews, Documentation Review)
    Step 4: Perform Risk Analysis
    Step 5: Report Findings & Recommendations
  • 39. Step 5 – Report Findings and Recommendations
  • 40. Typical Information Security Audit Procedure
    Requirements
    Step 1: Ascertain Applicable Laws
    Step 1.1: NIST/ISO Security Standards
    Step 2: Prepare Project Plan
    Step 3: Gather Information & Identify Assets (Interviews, Documentation Review)
    Step 4: Perform Risk Analysis
    Step 5: Report Findings & Recommendations
    Step 6: Prepare Implementation Plan
  • 41. Step 6 – Implementation Plan
  • 42. Step 4 – Example of Patches and Vulnerabilities
    Sorry Image Redacted for Privacy
  • 43. Typical Information Security Audit Procedure
    Requirements
    Step 1: Ascertain Applicable Laws
    Step 1.1: NIST/ISO Security Standards
    Step 2: Prepare Project Plan
    Step 3: Gather Information & Identify Assets (Interviews, Documentation Review)
    Step 4: Perform Risk Analysis
    Step 5: Report Findings & Recommendations
    Step 6: Prepare Implementation Plan
    Step 7: Continual Service Improvement
  • 44. Step 7: Continual Service Improvement
  • 45. Some Examples….
  • 46. Firewall Rules
    Sorry Image Redacted for Privacy
  • 47. Wi-Fi Site Analysis
  • 48. Network Analysis
    Sorry Image Redacted for Privacy
  • 49. Documentation – McAfee ePolicy Orchestrator
    Sorry Image Redacted for Privacy
  • 50. Patch / Change Management Report
    Sorry Image Redacted for Privacy
  • 51. Risk Assessment
    Sorry Image Redacted for Privacy
  • 52. Documentation Review / Audits
    Sorry Image Redacted for Privacy
  • 53. Documentation Work Area Recovery Recommendations
    Sorry Image Redacted for Privacy
  • 54. Documentation Business Impact Analysis (BIA)
    Sorry Image Redacted for Privacy
  • 55. Control Objective
    Sorry Image Redacted for Privacy
  • 56. Policy Document
    Sorry Image Redacted for Privacy
  • 57. Standards Document
    Sorry Image Redacted for Privacy
  • 58. We help you assemble your complete security solution
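The quantitative analysis of slide 34 (SLE, ARO, ALE, ACS and the CBA formula) and the qualitative degrees of slide 35, combined into one risk register as slide 36 describes, worked through as an added example. This code is not from the presentation or the firm it describes. It assumes constructed asset figures, constructed safeguard costs, and a constructed sample risk matrix (the slides' sample chart is not on the page); SLE is taken as a direct input because the slides do not decompose it further.

```python
"""Quantitative (SLE/ARO/ALE/CBA) and qualitative (risk matrix) analysis of a
small constructed asset register, combined into a single view."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# The four qualitative degrees named on the slides.
LEVELS = ("Low", "Medium", "High", "Very High")

# Constructed sample risk matrix (the slides' own sample chart is not available):
# row = likelihood degree, column = impact degree (in LEVELS order), cell = risk level.
RISK_MATRIX = {
    "Low":       ("Low",    "Low",    "Medium",    "Medium"),
    "Medium":    ("Low",    "Medium", "High",      "High"),
    "High":      ("Medium", "High",   "High",      "Very High"),
    "Very High": ("Medium", "High",   "Very High", "Very High"),
}


@dataclass(frozen=True)
class Asset:
    name: str
    sle: float         # Single Loss Expectancy: dollars lost per incident
    aro: float         # Annualized Rate of Occurrence: incidents per year
    likelihood: str    # qualitative degree, one of LEVELS
    impact: str        # qualitative degree, one of LEVELS


@dataclass(frozen=True)
class Safeguard:
    name: str
    acs: float         # Annualized Cost of Safeguard
    post_sle: float    # SLE expected once the safeguard is in place
    post_aro: float    # ARO expected once the safeguard is in place


def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy: ALE = SLE x ARO."""
    return sle * aro


def cba(asset: Asset, safeguard: Safeguard) -> float:
    """Slide 34's formula: CBA = ALE(prior) - ALE(post) - ACS.
    A positive result means the safeguard saves more per year than it costs."""
    ale_prior = ale(asset.sle, asset.aro)
    ale_post = ale(safeguard.post_sle, safeguard.post_aro)
    return ale_prior - ale_post - safeguard.acs


def qualitative_rating(likelihood: str, impact: str) -> str:
    """Look up the risk level for a likelihood/impact pair; rejects unknown degrees."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"degree must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def best_safeguard(asset: Asset, candidates: Sequence[Safeguard]) -> Optional[Tuple[str, float]]:
    """Return (name, CBA) of the candidate with the largest positive CBA, or None
    when no candidate pays for itself (the risk is then accepted or transferred)."""
    scored = [(s.name, cba(asset, s)) for s in candidates]
    winner = max(scored, key=lambda pair: pair[1], default=None)
    return winner if winner is not None and winner[1] > 0 else None


def assess(asset: Asset, candidates: Sequence[Safeguard]) -> dict:
    """One row of the combined register: quantitative ALE, qualitative level, recommendation."""
    return {
        "asset": asset.name,
        "ale": ale(asset.sle, asset.aro),
        "rating": qualitative_rating(asset.likelihood, asset.impact),
        "recommendation": best_safeguard(asset, candidates),
    }


# Constructed sample data; every dollar figure and rate below is illustrative only.
DATABASE = Asset("Customer database", sle=25_000, aro=0.4, likelihood="High", impact="Very High")
LAPTOPS = Asset("Sales laptop fleet", sle=1_000, aro=2.0, likelihood="Very High", impact="Low")

OFFSITE_BACKUPS = Safeguard("Offsite encrypted backups", acs=2_000, post_sle=5_000, post_aro=0.4)
HOT_STANDBY = Safeguard("Hot standby site", acs=12_000, post_sle=0, post_aro=0.4)
DISK_ENCRYPTION = Safeguard("Full-disk encryption", acs=500, post_sle=200, post_aro=2.0)
MDM_SUITE = Safeguard("Premium MDM suite", acs=3_000, post_sle=100, post_aro=2.0)

if __name__ == "__main__":
    for asset, options in ((DATABASE, [OFFSITE_BACKUPS, HOT_STANDBY]),
                           (LAPTOPS, [DISK_ENCRYPTION, MDM_SUITE])):
        row = assess(asset, options)
        print(f"{row['asset']}: ALE=${row['ale']:,.0f} rating={row['rating']} "
              f"recommend={row['recommendation']}")
```

The register keeps both views side by side on purpose: the laptop fleet rates only Medium on the constructed matrix yet still justifies full-disk encryption on CBA, while the hot standby site for the database is rejected because its annual cost exceeds the loss it prevents even though the asset rates Very High.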
