Security Baselines and Risk Assessments
Baseline
• When a new system is implemented, a
preliminary assessment called a security
baseline needs to be performed.
• A baseline provides a starting point to
measure changes in configurations and
improvements to the system.
Risk assessments
• Risk assessments educate the administrators
about their systems.
• Assessments are a mechanism to identify the
strengths and implemented controls of a
system, not just the weaknesses and risks.
INFORMATION SECURITY ASSESSMENT: A PHASED APPROACH
• Areas of increased risk within an organization:
– Operating environment
– Security organization
– Security planning, administration, and
management
– Information security policies, standards, and
procedures
– Information security risk assessment
– Information classification and control
Requirements
• Organization chart
• Security policies, standards, and procedures
documentation
• Network diagrams
• List of applications
• List of network management tools
• List of security assessment tools
• Asset inventory
• List of databases
• Reports from previous assessments and audits
Information Security Assessment Workplan
• Section I:
– Provides an overview concentrating on the
management of specific programs developed as a part
of the ISA and the allocation of security
responsibilities.
• Section II:
– Security monitoring
– Computer virus controls
– Microcomputer security
– Compliance with legal and regulatory requirements
• Section III, Computer Operations, includes:
– Physical and environmental security
– Computer systems management
– Backup and recovery
– Problem management
• Section IV reviews those areas related to
applications: access controls, application
development and implementation, and
change management.
HIGH-LEVEL SECURITY ASSESSMENT (SECTION I)
• Assessing the Organization of the Security
Function
– An assessment of the security organization should
document the number of individuals performing
security functions, including full-time security
positions as well as individuals that dedicate only
a portion of their time to security.
– To whom these positions report.
• Assessing the Security Plan
– The Information Security Plan should be
documented and describe support for the goals
and objectives of the Strategic Information
Technology Plan.
– Determine who is responsible for its development,
review, approval, and implementation.
– Responsibility for, as well as target completion
dates, should be defined for each project,
initiative, or strategy defined in the Plan.
• Assessing Security Policies, Standards, and
Procedures
– Determine how policies, standards, and
procedures are developed, reviewed, approved,
and modified and who is responsible for each step
of this process.
• Assessing Risk-Related Programs
– Programs for risk assessment include classification
methodologies, business impact analysis (BIA),
incident and emergency reporting and response,
disaster recovery planning (DRP), business
continuity planning (BCP), and incident
monitoring, investigation, and remediation.
– Determine who is responsible for each of these
programs
• Assessment Document Checklist
– Organization chart
– IT strategic plan
– Information security plan
– Security charter or mission statement
– Security policies, standards, and procedures
– Policy acknowledgment forms
– Confidentiality agreements/statements
– Network diagrams
– Maintenance and service contracts with third-party
service providers
– Application inventory
– Hardware asset inventory
– Network management tools inventory
– Security assessment tools inventory
– Database inventory
– Classification methodology
– Audit programs
– Compliance checklists
– Security assessment reports
– Resource ownership matrix
SECURITY OPERATIONS (SECTION II)
• Security Monitoring
– Security monitoring includes those processes in place
to identify and investigate suspected access violations
and attempted system intrusions.
– For example:
• Daily review of remote access log-ins to identify failed access
attempts
• Review of system access logs for access to systems during
non-work hours
• Review of traffic on external gateways
• Review of access to application system utilities and
privileged user activities
• Review of access to sensitive files or data
– Procedures are necessary for reporting and
responding to suspected violations.
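Added example, not part of the original deck: the daily reviews listed above (failed remote log-ins, access during non-work hours) run over a constructed remote-access log. The log format, user names, addresses and the 08:00-18:00 working day are assumptions made for this example.

```python
# Added example (not from the original deck): the daily log reviews listed
# under Security Monitoring, run over a constructed remote-access log.
# Log format, usernames, addresses and the 08:00-18:00 working day are
# assumptions made for this example.
from collections import Counter
from datetime import datetime

# Constructed sample log: date time source user=... src=... result=...
SAMPLE_LOG = """\
2024-03-04 02:13:05 remote-access user=jsmith src=203.0.113.7 result=FAIL
2024-03-04 02:13:19 remote-access user=jsmith src=203.0.113.7 result=FAIL
2024-03-04 02:13:41 remote-access user=jsmith src=203.0.113.7 result=FAIL
2024-03-04 02:14:02 remote-access user=jsmith src=203.0.113.7 result=SUCCESS
2024-03-04 09:02:11 remote-access user=akhan src=198.51.100.4 result=SUCCESS
2024-03-04 22:47:30 remote-access user=ops01 src=192.0.2.9 result=SUCCESS
2024-03-04 10:15:00 remote-access user=bwong src=198.51.100.8 result=FAIL
this line is malformed and must be skipped, not crash the review
"""

WORK_START, WORK_END = 8, 18   # working day 08:00-18:00 (assumption)
FAIL_THRESHOLD = 3             # same figure as the lockout parameter later in the deck


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    parts = line.split()
    if len(parts) < 4:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    if "user" not in fields or "result" not in fields:
        return None
    return {"ts": ts, "user": fields["user"], "src": fields.get("src", "?"),
            "result": fields["result"]}


def review_log(text, fail_threshold=FAIL_THRESHOLD):
    """Run the daily reviews and return findings as (check, user, detail) tuples.

    Checks: repeated failed log-ins per user, a success that directly follows a
    run of failures (worth a closer look during the review), and successful
    log-ins outside working hours.
    """
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    findings = []
    failures = Counter()     # total failures per user over the day
    run = Counter()          # consecutive failures per user, reset on success
    for e in events:
        if e["result"] == "FAIL":
            failures[e["user"]] += 1
            run[e["user"]] += 1
            continue
        if e["result"] != "SUCCESS":
            continue
        if run[e["user"]] >= fail_threshold:
            findings.append(("success-after-failures", e["user"],
                             f"after {run[e['user']]} failures from {e['src']}"))
        run[e["user"]] = 0
        if not WORK_START <= e["ts"].hour < WORK_END:
            findings.append(("non-work-hours-access", e["user"],
                             e["ts"].strftime("%H:%M")))
    for user, n in sorted(failures.items()):
        if n >= fail_threshold:
            findings.append(("repeated-failed-login", user, f"{n} failed attempts"))
    return findings


if __name__ == "__main__":
    for check, user, detail in review_log(SAMPLE_LOG):
        print(f"{check:24} {user:8} {detail}")
```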
• Computer Virus Controls
– Effective computer virus controls are an absolute
necessity.
– For anti-virus security assessments, it is
necessary to ensure that procedures exist to:
• Download current definitions from the appropriate sources
on a timely basis
• Test virus software before distribution
• Distribute and upload current definitions to all platforms
(servers, mail servers, firewalls, and workstations)
• Validate that distribution of software and definition files is
effective
• Ensure compliance with all anti-virus software procedures
• Assess the communications mechanism between
administrators and users on potential viruses and the
reporting of suspected viruses
• Microcomputer Security:
– Monitoring licenses registered versus licenses
used
– Inventorying PC software
– Defining and distributing approved software lists
– Developing software usage policies
COMPLIANCE WITH LEGAL AND REGULATORY REQUIREMENTS
• A security review of these areas should be
conducted to ensure:
– Guidelines on the retention, storage, and handling
of regulated information
– Appropriate protection of classified data
– Compliance with regulatory requirements
– Compliance with legislation protecting
information
COMPUTER OPERATIONS (SECTION III)
• Computer operations personnel are
responsible for the physical security of the
central processing facility, ensuring the proper
execution of programs, maintaining system
and critical data backups, responding to and
resolving execution errors, and providing
assistance in the recovery of systems,
programs, and information.
Physical and Environmental Security
• Cipher or keypad locks
• Fencing
• Guards
• Monitoring devices
• Maintaining authorized personnel access lists
• Limiting access to only essential operations
personnel
• Maintaining sign-in logs
• Badges
Environmental controls include
• Backup power (uninterruptible power systems [UPS])
• Air conditioning
• Fire suppression devices (fire extinguishers, halon,
other)
• Fire detection devices (sensors)
• Heat detection devices
• Business continuity plans (BCPs)
• Alternative processing facilities
• Disaster recovery plans (DRPs)
• System and data backups
Backup and Recovery
• Removing backups from the facility creates a
requirement for ensuring that those critical
backups are not subject to unauthorized
access by vendors or outside personnel.
Review who, when, and how third-party
vendors obtain, transport, and store those
critical business system backup tapes.
• Tape management, both internal and by third-party
vendors, is also very important.
• As a part of physical security, backup
processing locations are important.
• Recovery plans should be tested annually.
Computer Systems Management
• Computer systems management includes the
daily execution and maintenance of systems,
applications, and information.
• Maintain a log that details the execution,
completion, and issues identified during the shift.
• This log should be reviewed by management and
jointly reviewed by both the outgoing shift
personnel and incoming shift personnel so that
continuity and efficiency are maintained.
• Computer operations personnel should be
restricted from read, write, and delete access
of computer programs.
• Change logs: documentation of changes,
validation of changes, and follow-up testing.
Problem Management
• A problem management process needs to be
in place to report, track, and resolve problems
incurred in computer operations, as well as in
dealing with security-related issues.
• Reduction of failures to an acceptable level
• Prevention of the reoccurrence of problems
• Reduction of the impact on service
Problem resolution should include:
• Providing a centralized point of contact for problems
• Logging problem calls
• Resolution of problems quickly and efficiently
• Transferring unresolved problems to more technically qualified
personnel
• Tracking and managing difficult problems
• Identifying recurring problems, analyzing root causes, and providing
permanent resolution
• Improving communication and training to end users
• Reporting the status of issues to management, users, and
departments impacted
• Evaluating vendor performance and service-level contracts based
on the level of support provided in resolving issues
APPLICATION CONTROLS ASSESSMENTS
• Security control assessments related to
applications primarily focus on the
appropriate access of
– users,
– administrators, and
– programmers to application data and
functionality, system files, program modules, and
hardware resources.
Access Controls
• Data owners approve access based on job
requirements and functionality.
• Role-based access is the most logical method for
setting up access to an application.
• Role-based access is determined by an
employee’s job function — not by who the
employee is as a person.
• Access control lists (ACLs)
• Application access is typically controlled by
menus that restrict user access to certain
functionalities of the application.
Separation (or Segregation) of Duties
• Separation of duties ensures that no single
employee has control of a transaction from
beginning to end.
• Separation of duties guards against
manipulating a transaction for personal gain.
Audit Trails
• Audit logs are a record of system activities
that provide the capability to reconstruct the
sequence of events related to a transaction.
• Audit logs can be used to determine errors in
system processing as well as misuse of the
system.
• Violation reports that log security-related
events, such as unsuccessful access attempts,
should be monitored daily.
• It is necessary to test that users cannot break
out of the menu and obtain the system
prompt.
• Application system utilities are sensitive
because they bypass application access
controls and allow direct access to production
code and data.
• These utilities should be protected by
passwords and should not be accessible from
the application.
Authentication
• Authentication as it relates to application
access is defined as the reconciliation of
evidence of user identity.
• The use of a password for authenticating a
user is the most common method and is
known as simple authentication.
There are three ways a user can identify himself to
an application or system:
• Presenting something that only the user knows.
• Presenting something that only the user has.
• Presenting something that the user is.
Presenting something that only the user knows
• Passwords are something that a user knows.
• It is the least secure method of authentication
because a password can be stolen and used by
someone else.
Something the user has
• Secure token.
• An example of secure tokens are credit card-
size hardware that produce a one-time
password only valid and usable for a small
window of time, such as one minute.
Something that the user is
• Passwords and tokens can be stolen.
• Fingerprints and retinas are unique to every
person and they represent who the person is.
Using combinations of methods from different
categories increases the strength of the
authentication.
• something you know + something you have = two-factor
authentication
• something you know + something you are = two-factor
authentication
• something you have + something you are = two-factor
authentication
• something you know + something you know = NOT two-factor
authentication (two secrets are still a single factor)
• something you have + something you have = NOT two-factor
authentication
• something you are + something you are = NOT two-factor
authentication
Password parameters include:
• Application lockout after so many failed
attempts to log on (e.g., three failed attempts)
• Minimum password length (e.g., eight
characters)
• Specified password structure
• Password change frequency (e.g., every 30
days)
• Passwords must be unique
• Passwords must be encrypted
• Maintain encrypted password files
• Maintain password history (e.g., last ten
passwords cannot be reused)
• Establish password cycle time
• Non-displayed fields
• Validation of password before passwords can
be changed
• Limitations on sharing passwords
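Added example, not part of the original deck: enforcement of the password parameters listed above (lockout after three failed attempts, minimum length of eight, structure rules, change every 30 days, last ten passwords not reusable, validation of the current password before a change). The deck asks for encrypted password files; this example stores a salted PBKDF2 hash instead, which is the usual way of meeting that requirement. Account names, passwords and dates are constructed.

```python
# Added example (not from the original deck): enforcing the password
# parameters listed in the deck. The deck calls for encrypted password
# files; this example stores a salted PBKDF2 hash instead, which is how
# that requirement is normally met. Names, passwords and dates are constructed.
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_FAILED = 3                 # lockout after three failed attempts
MIN_LENGTH = 8                 # minimum password length
MAX_AGE = timedelta(days=30)   # password change frequency
HISTORY_SIZE = 10              # last ten passwords cannot be reused
PBKDF2_ROUNDS = 100_000


def day(n):
    """Constructed clock for the example: n days after 1 Jan 2024."""
    return datetime(2024, 1, 1) + timedelta(days=n)


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def check_structure(password):
    """Return the list of structure rules the password breaks (empty = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems


class Account:
    def __init__(self, username, password, now):
        self.username = username
        self.failed = 0
        self.locked = False
        self.history = []          # (salt, digest) of recent passwords, newest last
        self._set(password, now)

    def _set(self, password, now):
        salt = os.urandom(16)
        self.salt, self.digest = salt, _digest(password, salt)
        self.history = (self.history + [(salt, self.digest)])[-HISTORY_SIZE:]
        self.changed_at = now

    def _is_current(self, password):
        return hmac.compare_digest(_digest(password, self.salt), self.digest)

    def _in_history(self, password):
        # Each history entry has its own salt, so the candidate is hashed per entry
        return any(hmac.compare_digest(_digest(password, s), d) for s, d in self.history)

    def login(self, password, now):
        """Return 'ok', 'bad-password', 'locked' or 'expired'."""
        if self.locked:
            return "locked"
        if not self._is_current(password):
            self.failed += 1
            if self.failed >= MAX_FAILED:
                self.locked = True
                return "locked"
            return "bad-password"
        self.failed = 0
        if now - self.changed_at > MAX_AGE:
            return "expired"       # caller routes the user to change_password
        return "ok"

    def change_password(self, old, new, now):
        """Validate the current password before any change, then apply structure and history rules."""
        if self.locked or not self._is_current(old):
            return "rejected: current password not validated"
        problems = check_structure(new)
        if problems:
            return "rejected: " + ", ".join(problems)
        if self._in_history(new):
            return f"rejected: matches one of the last {HISTORY_SIZE} passwords"
        self._set(new, now)
        self.failed = 0
        return "changed"
```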
Application Development and Implementation
• A formal program for application development
and implementation is necessary to ensure
that appropriate controls are built into the
application to provide authentication,
authorization, and integrity.
The application development and
implementation program should ensure:
• Appropriate access to source libraries
• The ability to audit access to source libraries
• Integrity checks for the input of data to detect
out-of-range values, invalid characters in data
fields, incomplete data, upper and lower data
volume limits, two character data ranges, and
inconsistent control data
• Session or batch controls to reconcile file
balances after transaction updates
• Balance controls to validate opening balances
with previously closed balances, including run-to-
run totals, file update totals, program-to-program
totals, and hash totals on records and files
• Management authorization for the initiation of
application acquisition, development, and
maintenance
• Change request documents that record the
reason for the amendment, date of amendment,
and appropriate approvals
• Separate test and production environments
• Documented acceptance criteria for test plans
• New programs and program changes are
formally approved during appropriate phases
of the development process and prior to
implementation
• Formal sign-off and acceptance procedures
• Cut-over procedures to move applications
from the test to the production environment
• Programmers are prevented from updating
production programs
• Programmers are restricted from adding
programs to the production libraries
• Segregation of duties in programming and
execution of programs
• System documentation and user
documentation is updated to reflect all
program and operations changes
• Emergency maintenance and temporary fixes
to application and system software are
covered by the same procedures applied to
normal maintenance
• Backup versions of software are maintained
prior to making any changes to the code
Change Management
• Change management refers to changes in program
code, operating system configurations, or network
architectures.
• An effective change management program uses an
application or tool to register changes.
• This tool should record the change requestor’s name,
details of the request, business justification, approvers,
estimated time to perform or implement the change,
individuals responsible for modifications, individuals
affected by the change, testing requirements,
requestor’s approval on tests, management approval,
and a scheduled date of change.
Check to make sure that:
• The library control systems ensure that all
changes to production programs are
implemented by library control administrators
— and not the programmers who coded the
program
• Only the applications programmers involved in
the changes have access to application
programs under development
• Only systems programmers have access to
system programs under development
• Only library administrators have write access
to system and application libraries
• Access to live data is only through programs
that are in the application libraries
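Added example, not part of the original deck: one check that covers both the Separation of Duties slide and the change-management rules above (no one both codes a change and implements it in production, no one requests and approves the same change, only library administrators write to production libraries). The roles, permissions and sample assignments are constructed for this example.

```python
# Added example (not from the original deck): a separation-of-duties check
# over user-to-role assignments, covering the Separation of Duties slide and
# the change-management access rules. Roles, permissions and the sample
# assignments are constructed for this example.

# Permissions each role grants (constructed)
ROLE_PERMS = {
    "app-programmer": {"dev-lib:write", "change:code"},
    "sys-programmer": {"sys-dev-lib:write", "change:code"},
    "library-admin":  {"prod-lib:write", "change:implement"},
    "operator":       {"job:run", "change:request"},
    "manager":        {"change:approve"},
}

# Permission pairs one person must never hold together, with the duty they collapse
TOXIC_PAIRS = [
    ({"change:code", "change:implement"}, "codes and implements the same change"),
    ({"change:request", "change:approve"}, "requests and approves the same change"),
    ({"dev-lib:write", "prod-lib:write"}, "can move code from development to production alone"),
]


def effective_permissions(entry):
    """Union of role permissions and direct (ad-hoc) grants for one user."""
    perms = set(entry.get("direct", []))
    for role in entry.get("roles", []):
        perms |= ROLE_PERMS.get(role, set())
    return perms


def sod_violations(assignments):
    """assignments: {user: {"roles": [...], "direct": [...]}} -> [(user, finding), ...]"""
    findings = []
    for user, entry in sorted(assignments.items()):
        for role in entry.get("roles", []):
            if role not in ROLE_PERMS:
                findings.append((user, f"unknown role {role}"))
        perms = effective_permissions(entry)
        for pair, reason in TOXIC_PAIRS:
            if pair <= perms:
                findings.append((user, reason))
        # Direct grants are where this rule is usually broken, hence the separate check
        if "prod-lib:write" in perms and "library-admin" not in entry.get("roles", []):
            findings.append((user, "production library write without library-admin role"))
    return findings


# Constructed sample: bob, dave and erin each break one of the rules above
SAMPLE_ASSIGNMENTS = {
    "alice": {"roles": ["app-programmer"], "direct": []},
    "bob":   {"roles": ["app-programmer", "library-admin"], "direct": []},
    "carol": {"roles": ["library-admin"], "direct": []},
    "dave":  {"roles": ["operator"], "direct": ["prod-lib:write"]},
    "erin":  {"roles": ["operator", "manager"], "direct": []},
}

if __name__ == "__main__":
    for user, finding in sod_violations(SAMPLE_ASSIGNMENTS):
        print(f"{user}: {finding}")
```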
Database Security
• Access is controlled through discretionary
access controls (DACs) or mandatory access
controls (MACs).
• With DACs, access must be granted before a
user can gain access to a view.
• MACs secure information by assigning
classification levels or labels to data.
Network Assessments
• Obtain an understanding of the network
architecture:
– Review network diagrams and documentation
– Interview data network administrators
– Interview voice network administrators
– Interview network device administrators
– Review standards relating to networked systems
– Review planned migration to new technologies
– Review network software inventory
– Review network hardware inventory
– Identify business functions utilizing the network
• Obtain an understanding of network management:
– Identify network management tools and other utility
software used in managing the network
– Identify how the network management tools are utilized
– Identify the devices managed through network
– Identify plans or changes to network managers
• Obtain an understanding of network security
administration:
– Identify policies, procedures, standards, and guidelines for
network security administration
– Identify responsibilities for network security
administration
– Identify monitoring capabilities and reports used in
network security administration
• Obtain an understanding of new technology
assessments and deployment:
– Identify responsibilities for change control
– Identify audit/security participation in new technology
plans
– Identify documentation of risks in new technologies
– Identify general control strategy used in introduction
of new technologies
– Identify testing/acceptance methods used for new
technologies
– Identify review process for approval of new
technology plans
• Obtain an understanding of outage/threat
response capabilities:
– Identify tools and approaches to reducing risks
– Identify responsibility for emergency response
– Identify tools/strategies for responding to
emergency conditions
– Identify threat incidents and priorities
Emergency Response
• It is necessary to ensure that bugs, security
holes, and vulnerabilities are disseminated to
the appropriate individuals and that those
individuals are addressing the problem.
• Include follow-up efforts to ensure that alerts,
advisories, and fixes are applied in a timely
manner.
Remote Access
• For each of the dial-in connections, the following
activities will be performed:
• Evaluate external connections and dial access:
– Identify external network service providers
– Identify external network users (customers, business
partners, employees, service providers)
– Identify access methods
– Identify frequency of access
– Identify nature of access
– Identify services used for access
– Identify time-of-day access required
– Identify services used when access granted
• Evaluate network security features:
– Identify points of control for each access path
– Identify points of control for each service accessed
– Identify points of external control
– Identify nature of control points (intended for
authentication, monitoring, etc.)
– Identify level of functionality for each control point
– Identify responsibility for each control point
• Develop access path schematic:
– Document access paths and control points
– Report observations and recommendations
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 

Recently uploaded (20)

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 

Security Baselines and Risk Assessments

Baseline
• When a new system is implemented, a preliminary assessment called a security baseline needs to be performed.
• A baseline provides a starting point to measure changes in configurations and improvements to the system. To be useful it has to be recorded in a form that can be re-measured later (configuration values, file digests, permission bits), otherwise drift from it cannot be detected.
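
The baseline idea in executable form, as an added example that is not part of the slide deck: the script records a digest and the permission bits of every file under a root, then compares a later snapshot against that baseline. The directory tree, file names and the drift introduced are all constructed in a temporary directory so it runs offline.

```python
"""Capture a configuration baseline and detect drift from it.

Added example, not from the slide deck. For every regular file under a
root it records a SHA-256 digest and the permission bits, then compares a
later snapshot against the baseline and reports added, removed, and
modified entries. The config tree below is constructed in a temporary
directory so the script runs offline; the file names are illustrative.
"""
import hashlib
import os
import stat
import tempfile


def snapshot(root: str) -> dict:
    """Return {relative_path: (sha256_hex, mode_octal)} for regular files."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = (digest, oct(stat.S_IMODE(st.st_mode)))
    return result


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Classify drift: new files, missing files, changed content or mode."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def _write(path: str, text: str, mode: int = 0o644) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)
    os.chmod(path, mode)


def demo() -> dict:
    """Baseline a constructed /etc-like tree, then introduce drift."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        sshd = os.path.join(etc, "ssh", "sshd_config")
        _write(sshd, "PermitRootLogin no\nPasswordAuthentication no\n", 0o600)
        _write(os.path.join(etc, "shadow"), "root:*:19000:0:99999:7:::\n", 0o600)
        _write(os.path.join(etc, "hosts"), "127.0.0.1 localhost\n")

        baseline = snapshot(root)  # the preliminary assessment

        # Drift: a weakened setting, a loosened permission, an unexpected
        # cron job, and a deleted file. Content and mode changes both count.
        with open(sshd, "a") as f:
            f.write("PermitRootLogin yes\n")
        os.chmod(os.path.join(etc, "shadow"), 0o444)
        _write(os.path.join(etc, "cron.d", "backdoor"), "* * * * * root /tmp/x\n")
        os.remove(os.path.join(etc, "hosts"))

        return diff_baseline(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Storing the baseline itself somewhere the audited host cannot write to is part of the control: a baseline that an intruder can regenerate after making changes measures nothing.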

Risk assessments
• Risk assessments educate the administrators about their systems.
• Assessments are a mechanism to identify the strengths and implemented controls of a system, not just the weaknesses and risks.

INFORMATION SECURITY ASSESSMENT: A PHASED APPROACH
• Areas of increased risk within an organization:
– Operating environment
– Security organization
– Security planning, administration, and management
– Information security policies, standards, and procedures
– Information security risk assessment
– Information classification and control

Requirements
• Organization chart
• Security policies, standards, and procedures documentation
• Network diagrams
• List of applications
• List of network management tools
• List of security assessment tools
• Asset inventory
• List of databases
• Reports from previous assessments and audits

Information Security Assessment Workplan
• Section I provides an overview concentrating on the management of specific programs developed as a part of the ISA (the information security assessment) and the allocation of security responsibilities.
• Section II, Security Operations, covers:
– Security monitoring
– Computer virus controls
– Microcomputer security
– Compliance with legal and regulatory requirements
• Section III, Computer Operations, includes:
– Physical and environmental security
– Computer systems management
– Backup and recovery
– Problem management
• Section IV reviews those areas related to applications: access controls, application development and implementation, and change management.

HIGH-LEVEL SECURITY ASSESSMENT (SECTION I)
• Assessing the Organization of the Security Function
– An assessment of the security organization should document the number of individuals performing security functions, including full-time security positions as well as individuals who dedicate only a portion of their time to security.
– Document to whom these positions report.
• Assessing the Security Plan
– The Information Security Plan should be documented and should describe how it supports the goals and objectives of the Strategic Information Technology Plan.
– Determine who is responsible for its development, review, approval, and implementation.
– Responsibility, as well as target completion dates, should be defined for each project, initiative, or strategy in the Plan.
• Assessing Security Policies, Standards, and Procedures
– Determine how policies, standards, and procedures are developed, reviewed, approved, and modified, and who is responsible for each step of this process.
• Assessing Risk-Related Programs
– Programs for risk assessment include classification methodologies, business impact analysis (BIA), incident and emergency reporting and response, disaster recovery planning (DRP), business continuity planning (BCP), and incident monitoring, investigation, and remediation.
– Determine who is responsible for each of these programs.
• Assessment Document Checklist
– Organization chart
– IT strategic plan
– Information security plan
– Security charter or mission statement
– Security policies, standards, and procedures
– Policy acknowledgment forms
– Confidentiality agreements/statements
– Network diagrams
– Maintenance and service contracts with third-party service providers
– Application inventory
– Hardware asset inventory
– Network management tools inventory
– Security assessment tools inventory
– Database inventory
– Classification methodology
– Audit programs
– Compliance checklists
– Security assessment reports
– Resource ownership matrix

SECURITY OPERATIONS (SECTION II)
• Security Monitoring
– Security monitoring includes those processes in place to identify and investigate suspected access violations and attempted system intrusions.
– For example:
  • Daily review of remote access log-ins to identify failed access attempts
  • Review of system access logs for access to systems during non-work hours
  • Review of traffic on external gateways
  • Review of access to application system utilities and privileged user activities
  • Review of access to sensitive files or data
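
The first two review items above (failed remote log-ins, access outside work hours) as detection logic run over sample log lines. This is an added example and not part of the slide deck: the sshd-style syslog lines are constructed, and the failure threshold, the business-hours window and the year used to complete the timestamps are assumptions chosen for the illustration.

```python
"""Daily access-log review: failed log-ins and off-hours access.

Added example, not from the slide deck. The sshd-style syslog lines below
are constructed; the thresholds (three failures per source address,
business hours 08:00-18:00 Monday to Friday) and the year used to complete
the timestamps are assumptions made for the illustration.
"""
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
Mar 11 02:14:07 vpn1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar 11 02:14:09 vpn1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar 11 02:14:12 vpn1 sshd[2201]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar 11 02:14:20 vpn1 sshd[2203]: Accepted password for root from 203.0.113.9 port 51030 ssh2
Mar 11 09:31:44 vpn1 sshd[2410]: Accepted password for alice from 10.0.0.5 port 40211 ssh2
Mar 11 09:32:01 vpn1 sshd[2412]: Failed password for bob from 10.0.0.7 port 40300 ssh2
Mar 12 22:05:13 vpn1 sshd[2630]: Accepted password for bob from 10.0.0.7 port 40350 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

FAIL_THRESHOLD = 3            # failures from one source that warrant follow-up
WORK_START, WORK_END = 8, 18  # local business hours, end exclusive
YEAR = 2024                   # syslog timestamps carry no year (assumed)


def parse(log_text: str) -> list:
    """Turn raw lines into events; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "user": m["user"], "src": m["src"],
                       "ok": m["result"] == "Accepted"})
    return events


def is_off_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or not WORK_START <= ts.hour < WORK_END


def review(events: list) -> dict:
    """Produce the three findings the daily review is looking for."""
    failures = Counter(e["src"] for e in events if not e["ok"])
    brute_force = {src: n for src, n in failures.items() if n >= FAIL_THRESHOLD}
    off_hours = [e for e in events if e["ok"] and is_off_hours(e["ts"])]
    # A success from a source that was just failing repeatedly is the
    # highest-priority item: it may be a guessed or stolen credential.
    success_after_failures = [e for e in events if e["ok"] and e["src"] in brute_force]
    return {"brute_force": brute_force, "off_hours": off_hours,
            "success_after_failures": success_after_failures}


if __name__ == "__main__":
    findings = review(parse(SAMPLE_LOG))
    print("repeated failures by source:", findings["brute_force"])
    for e in findings["off_hours"]:
        print(f"off-hours login: {e['user']} from {e['src']} at {e['ts']}")
    for e in findings["success_after_failures"]:
        print(f"SUCCESS AFTER FAILURES: {e['user']} from {e['src']} at {e['ts']}")
```

The third finding is the one worth escalating first: a success from a source that was just failing repeatedly is exactly the "suspected violation" the reporting procedure on the next slide exists for.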

– Procedures are necessary for reporting and responding to suspected violations.
• Computer Virus Controls
– Effective computer virus controls are an absolute necessity.
– For anti-virus security assessments, it is necessary to ensure that procedures exist to:
  • Download current definitions from the appropriate sources on a timely basis
  • Test virus software before distribution
  • Distribute and upload current definitions to all platforms (servers, mail servers, firewalls, and workstations)
  • Validate that distribution of software and definition files is effective
  • Ensure compliance with all anti-virus software procedures
  • Assess the communications mechanism between administrators and users on potential viruses and the reporting of suspected viruses
• Microcomputer Security:
– Monitoring licenses registered versus licenses used
– Inventorying PC software
– Defining and distributing approved software lists
– Developing software usage policies

COMPLIANCE WITH LEGAL AND REGULATORY REQUIREMENTS
• A security review of these areas should be conducted to ensure:
– Guidelines exist on the retention, storage, and handling of regulated information
– Appropriate protection of classified data
– Compliance with regulatory requirements
– Compliance with legislation protecting information

COMPUTER OPERATIONS (SECTION III)
• Computer operations personnel are responsible for the physical security of the central processing facility, ensuring the proper execution of programs, maintaining system and critical data backups, responding to and resolving execution errors, and providing assistance in the recovery of systems, programs, and information.

Physical and Environmental Security
• Cipher or keypad locks
• Fencing
• Guards
• Monitoring devices
• Maintaining authorized personnel access lists
• Limiting access to only essential operations personnel
• Maintaining sign-in logs
• Badges

Environmental controls include
• Backup power (uninterruptible power systems [UPS])
• Air conditioning
• Fire suppression devices (fire extinguishers, halon, other)
• Fire detection devices (sensors)
• Heat detection devices
Closely related continuity controls that the same review covers:
• Business continuity plans (BCPs)
• Alternative processing facilities
• Disaster recovery plans (DRPs)
• System and data backups

Backup and Recovery
• Removing backups from the facility creates a requirement for ensuring that those critical backups are not subject to unauthorized access by vendors or outside personnel. Review who, when, and how third-party vendors obtain, transport, and store critical business system backup tapes, and whether the media are encrypted in transit and at rest.
• Tape management, both internal and by third-party vendors, is also very important.
• As a part of physical security, backup processing locations are important.
• Recovery plans should be tested at least annually.

Computer Systems Management
• Computer systems management includes the daily execution and maintenance of systems, applications, and information.
• Maintain a log that details the execution, completion, and issues identified during the shift.
• This log should be reviewed by management and jointly reviewed by both the outgoing shift personnel and incoming shift personnel so that continuity and efficiency are maintained.
• Computer operations personnel should have no read, write, or delete access to program source code; they run programs, they do not change them.
• Change logs: documentation of changes, validation of changes, and follow-up testing.

Problem Management
• A problem management process needs to be in place to report, track, and resolve problems incurred in computer operations, as well as security-related issues. Its goals are:
– Reduction of failures to an acceptable level
– Prevention of the recurrence of problems
– Reduction of the impact on service
• Problem resolution should include:
– Providing a centralized point of contact for problems
– Logging problem calls
– Resolving problems quickly and efficiently
– Transferring unresolved problems to more technically qualified personnel
– Tracking and managing difficult problems
– Identifying recurring problems, analyzing root causes, and providing permanent resolution
– Improving communication and training to end users
– Reporting the status of issues to management, users, and departments impacted
– Evaluating vendor performance and service-level contracts based on the level of support provided in resolving issues

APPLICATION CONTROLS ASSESSMENTS
• Security control assessments related to applications primarily focus on the appropriate access of
– users,
– administrators, and
– programmers
to application data and functionality, system files, program modules, and hardware resources.

Access Controls
• Data owners approve access based on job requirements and functionality.
• Role-based access is the most logical method for setting up access to an application.
• Role-based access is determined by an employee's job function, not by who the employee is as a person.
• Access control lists (ACLs)
• Application access is typically controlled by menus that restrict user access to certain functionalities of the application. Menus are a usability control, not a security boundary: each function must also check authorization server-side, because a user who reaches the function by another path bypasses the menu entirely.

Separation (or Segregation) of Duties
• Separation of duties ensures that no single employee has control of a transaction from beginning to end.
• Separation of duties guards against manipulating a transaction for personal gain; with an audit trail in place it forces at least two people to collude to commit and conceal fraud.
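
Role-based access and separation of duties, as one added example that serves both of the two slides above (it is not code from the deck). Permissions attach to roles, roles attach to users by job function, and a list of mutually exclusive role pairs stops anyone from holding both ends of a transaction. The role names, permission strings and user names are constructed.

```python
"""Role-based access control with a static separation-of-duties constraint.

Added example, not from the slide deck. Permissions attach to roles and
roles attach to users by job function; a list of mutually exclusive role
pairs enforces that no one person can both create and approve an invoice,
or approve an invoice and release the payment. Roles, permissions and user
names are constructed for the illustration.
"""

ROLE_PERMISSIONS = {
    "ap_clerk":    {"invoice:create", "invoice:read"},
    "ap_approver": {"invoice:read", "invoice:approve"},
    "treasury":    {"invoice:read", "payment:release"},
    "auditor":     {"invoice:read", "payment:read", "audit_log:read"},
}

# Static separation of duties: a user may never hold both roles of a pair.
MUTUALLY_EXCLUSIVE = [
    ("ap_clerk", "ap_approver"),   # create vs. approve the same transaction
    ("ap_approver", "treasury"),   # approve vs. release the funds
]


class SoDViolation(Exception):
    """Raised when a role assignment would breach separation of duties."""


class AccessControl:
    def __init__(self):
        self.user_roles = {}  # user -> set of roles

    def assign(self, user: str, role: str) -> None:
        """Data-owner approval is modelled as the call itself; SoD is checked here."""
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        held = self.user_roles.setdefault(user, set())
        for a, b in MUTUALLY_EXCLUSIVE:
            if (role == a and b in held) or (role == b and a in held):
                raise SoDViolation(f"{user}: {role} conflicts with a held role")
        held.add(role)

    def permissions(self, user: str) -> set:
        roles = self.user_roles.get(user, set())
        return set().union(*(ROLE_PERMISSIONS[r] for r in roles))

    def check(self, user: str, permission: str) -> bool:
        """The check every application function must make server-side."""
        return permission in self.permissions(user)

    def access_review(self) -> dict:
        """What a data owner signs off on during a periodic access review."""
        return {u: sorted(r) for u, r in sorted(self.user_roles.items())}


def demo() -> dict:
    ac = AccessControl()
    ac.assign("alice", "ap_clerk")
    ac.assign("bob", "ap_approver")
    ac.assign("carol", "treasury")
    ac.assign("dave", "auditor")
    try:
        ac.assign("alice", "ap_approver")   # would let alice self-approve
        sod_blocked = False
    except SoDViolation:
        sod_blocked = True
    return {
        "alice_can_create": ac.check("alice", "invoice:create"),
        "alice_can_approve": ac.check("alice", "invoice:approve"),
        "bob_can_approve": ac.check("bob", "invoice:approve"),
        "dave_can_release": ac.check("dave", "payment:release"),
        "sod_blocked": sod_blocked,
        "review": ac.access_review(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The constraint is enforced at assignment time (static SoD); the assessor's job is to confirm the exclusive-pair list actually exists in the real system and that the access review output is compared against it.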

Audit Trails
• Audit logs are a record of system activities that provide the capability to reconstruct the sequence of events related to a transaction.
• Audit logs can be used to determine errors in system processing as well as misuse of the system.
• Violation reports that log security-related events, such as unsuccessful access attempts, should be monitored daily.
• It is necessary to test that users cannot break out of the menu and obtain the system prompt.
• Application system utilities are sensitive because they bypass application access controls and allow direct access to production code and data.
• These utilities should be protected by passwords, their use should be logged, and they should not be accessible from the application.

Authentication
• Authentication, as it relates to application access, is the verification of evidence that a user is who they claim to be (identification is the claim; authentication is the proof).
• The use of a password for authenticating a user is the most common method and is known as simple authentication.
• There are three kinds of evidence (factors) a user can present to an application or system:
– Presenting something that only the user knows.
– Presenting something that only the user has.
– Presenting something that the user is.

Something the user knows
• Passwords are something that a user knows.
• It is the least secure method of authentication because a password can be stolen (guessed, phished, or recovered from a breached password store) and used by someone else.

Something the user has
• Secure token.
• An example of a secure token is credit-card-size hardware that produces a one-time password valid and usable only for a small window of time, such as one minute.

Something the user is
• Passwords and tokens can be stolen.
• Fingerprints and retinas are unique to every person and represent who the person is. A biometric cannot be reissued if its stored template is compromised, so it is normally combined with another factor rather than relied on alone.

Using combinations of methods from different categories increases the strength of the authentication; two methods from the same category do not, because they share the same failure mode.
• something you know + something you have = two-factor authentication
• something you know + something you are = two-factor authentication
• something you have + something you are = two-factor authentication
• something you know + something you know (e.g., password plus security question) = still single-factor authentication
• something you have + something you have = still single-factor authentication
• something you are + something you are = still single-factor authentication

Password parameters include:
• Application lockout after a set number of failed attempts to log on (e.g., three failed attempts)
• Minimum password length (e.g., eight characters)
• Specified password structure
• Password change frequency (e.g., every 30 days). Current guidance (NIST SP 800-63B) favours changing passwords when there is evidence of compromise rather than on a fixed schedule, because forced rotation pushes users toward predictable variants.
• Passwords must be unique
• Passwords must be stored only as salted hashes computed with a deliberately slow function, never in plaintext or under reversible encryption; the password file itself must still be protected from read access
• Maintain password history (e.g., the last ten passwords cannot be reused)
• Establish password cycle time
• Non-displayed fields
• Validation of the current password before a password can be changed
• Limitations on sharing passwords
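
The parameters above enforced in code, as an added example that is not part of the deck: lockout after three failures, an eight-character minimum with a structure rule, a ten-entry history, validation of the current password before a change, and storage as salted PBKDF2-HMAC-SHA256 from the standard library. The iteration count, account names and passwords are assumptions for the illustration.

```python
"""Password parameter enforcement: lockout, structure, history, hashing.

Added example, not from the slide deck. The parameters mirror the slide
(lockout after three failures, eight-character minimum, last ten passwords
unusable); storage uses salted PBKDF2-HMAC-SHA256 from the standard
library, so no plaintext or reversibly encrypted password is ever kept.
The iteration count, account names and passwords are assumptions.
"""
import hashlib
import hmac
import os

MAX_FAILED = 3
MIN_LENGTH = 8
HISTORY = 10
ITERATIONS = 100_000  # kept low for the demo; OWASP suggests ~600,000 for PBKDF2-SHA256


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def check_structure(password: str) -> list:
    """Return the structure rules the candidate password violates."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isupper() for c in password):
        problems.append("no upper case")
    if not any(c.islower() for c in password):
        problems.append("no lower case")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems


class Account:
    def __init__(self, name: str, password: str):
        self.name = name
        self.failed = 0
        self.locked = False
        self.history = []  # (salt, hash) pairs, newest last; never plaintext
        self._store(password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)              # fresh salt per password
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY:]

    @staticmethod
    def _matches(password: str, salt: bytes, digest: bytes) -> bool:
        return hmac.compare_digest(_hash(password, salt), digest)

    def login(self, password: str) -> bool:
        if self.locked:
            return False  # lockout: even the right password is refused
        salt, digest = self.history[-1]
        if self._matches(password, salt, digest):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_FAILED:
            self.locked = True
        return False

    def change_password(self, current: str, new: str) -> list:
        """Validate the current password first; return problems (empty = changed)."""
        salt, digest = self.history[-1]
        if not self._matches(current, salt, digest):
            return ["current password incorrect"]
        problems = check_structure(new)
        # History is checked by re-hashing against each stored salt, which is
        # the only way to compare when nothing reversible is kept.
        if any(self._matches(new, s, d) for s, d in self.history):
            problems.append(f"reused one of the last {HISTORY} passwords")
        if not problems:
            self._store(new)
        return problems


if __name__ == "__main__":
    acct = Account("alice", "Correct-Horse9")
    for attempt in ("guess1", "guess2", "guess3"):
        print(attempt, acct.login(attempt), "locked" if acct.locked else "")
    print(acct.change_password("Correct-Horse9", "short"))
```

Lockout counters are themselves a denial-of-service lever (anyone who knows a user name can lock the account), which is why production systems usually throttle by source as well and unlock automatically after a delay; the slide's fixed lockout is the simplest form.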

Application Development and Implementation
• A formal program for application development and implementation is necessary to ensure that appropriate controls are built into the application to provide authentication, authorization, and integrity.
• The application development and implementation program should ensure:
– Appropriate access to source libraries
– The ability to audit access to source libraries
– Integrity checks for the input of data to detect out-of-range values, invalid characters in data fields, incomplete data, upper and lower data volume limits, two character data ranges, and inconsistent control data
– Session or batch controls to reconcile file balances after transaction updates
– Balance controls to validate opening balances against previously closed balances, including run-to-run totals, file update totals, program-to-program totals, and hash totals on records and files
– Management authorization for the initiation of application acquisition, development, and maintenance
– Change request documents that record the reason for the amendment, date of amendment, and appropriate approvals
– Separate test and production environments
– Documented acceptance criteria for test plans
– New programs and program changes are formally approved during appropriate phases of the development process and prior to implementation
– Formal sign-off and acceptance procedures
– Cut-over procedures to move applications from the test to the production environment
– Programmers are prevented from updating production programs
– Programmers are restricted from adding programs to the production libraries
– Segregation of duties in programming and execution of programs
– System documentation and user documentation are updated to reflect all program and operations changes
– Emergency maintenance and temporary fixes to application and system software are covered by the same procedures applied to normal maintenance
– Backup versions of software are maintained prior to making any changes to the code
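
The input integrity checks, batch controls and balance controls from the list above, worked through on a small transaction file. This is an added example, not code from the deck: the CSV layout, the amount limit, the account-number format and the batch header values are all constructed for the illustration.

```python
"""Input integrity checks and batch control totals for a transaction file.

Added example, not from the slide deck. Each record is validated for
completeness, character set, range and consistent control data; the
accepted records are then reconciled against the batch header's record
count and hash total, and a run-to-run check guards the opening balance
before posting. The CSV layout, limits and header values are constructed.
"""
import csv
import io
import re
from decimal import Decimal, InvalidOperation

MAX_ABS_AMOUNT = Decimal("1000000.00")   # upper data limit (assumed)
ACCOUNT_RE = re.compile(r"^\d{4}$")       # four-digit account numbers (assumed)

SAMPLE_BATCH = """\
txn_id,account,amount,type
1001,4711,250.00,CR
1002,4712,-75.50,DR
1003,47X2,10.00,CR
1004,4713,,DR
1005,4714,9999999.00,CR
1006,4715,-20.00,CR
"""

# Header the submitter sends with the file. It was computed over all six
# records as sent (record 1003 was meant to be account 4712), so it will
# not reconcile once four records are rejected. A hash total is just a sum
# of a field that has no meaning of its own, kept purely as a control.
BAD_HEADER = {"record_count": 6, "hash_total": 4711 + 4712 + 4712 + 4713 + 4714 + 4715}
CLEAN_HEADER = {"record_count": 2, "hash_total": 4711 + 4712}


def validate_record(row: dict) -> list:
    """Return the integrity problems found in one record (empty = accept)."""
    missing = [f for f in ("txn_id", "account", "amount", "type") if not row.get(f)]
    if missing:
        return [f"{f}: missing" for f in missing]      # incomplete data
    problems = []
    if not ACCOUNT_RE.match(row["account"]):
        problems.append("account: invalid characters")
    try:
        amount = Decimal(row["amount"])
    except InvalidOperation:
        return problems + ["amount: not numeric"]
    if abs(amount) > MAX_ABS_AMOUNT:
        problems.append("amount: out of range")
    if row["type"] not in ("CR", "DR"):
        problems.append("type: invalid code")
    elif (row["type"] == "CR") != (amount > 0):
        problems.append("type/amount sign: inconsistent control data")
    return problems


def validate_batch(text: str):
    """Split a CSV batch into accepted rows and (row, problems) rejects."""
    accepted, rejected = [], []
    for row in csv.DictReader(io.StringIO(text)):
        problems = validate_record(row)
        if problems:
            rejected.append((row, problems))
        else:
            accepted.append(row)
    return accepted, rejected


def reconcile(accepted: list, header: dict) -> list:
    """Batch controls: record count and hash total must match the header."""
    discrepancies = []
    if len(accepted) != header["record_count"]:
        discrepancies.append(f"record count {len(accepted)} != {header['record_count']}")
    hash_total = sum(int(r["account"]) for r in accepted)
    if hash_total != header["hash_total"]:
        discrepancies.append(f"hash total {hash_total} != {header['hash_total']}")
    return discrepancies


def post(accepted: list, opening, previous_closing) -> Decimal:
    """Run-to-run control: this run's opening balance must equal the last closing."""
    opening, previous_closing = Decimal(opening), Decimal(previous_closing)
    if opening != previous_closing:
        raise ValueError(f"run-to-run break: opening {opening} != previous closing {previous_closing}")
    return opening + sum((Decimal(r["amount"]) for r in accepted), Decimal("0"))


if __name__ == "__main__":
    accepted, rejected = validate_batch(SAMPLE_BATCH)
    for row, problems in rejected:
        print(f"reject {row['txn_id']}: {', '.join(problems)}")
    print("batch discrepancies:", reconcile(accepted, BAD_HEADER))
```

A batch that fails reconciliation must not post at all, even though some of its records are individually valid: the point of the control total is to catch records lost or altered between the submitter and the application, not to salvage the good ones.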

Change Management
• Change management refers to changes in program code, operating system configurations, or network architectures.
• An effective change management program uses an application or tool to register changes.
• This tool should record the change requestor's name, details of the request, business justification, approvers, estimated time to perform or implement the change, individuals responsible for modifications, individuals affected by the change, testing requirements, requestor's approval on tests, management approval, and a scheduled date of change.
• Check to make sure that:
– The library control systems ensure that all changes to production programs are implemented by library control administrators, not by the programmers who coded the program
– Only the application programmers involved in the changes have access to application programs under development
– Only systems programmers have access to system programs under development
– Only library administrators have write access to system and application libraries
– Access to live data is only through programs that are in the application libraries

Database Security
• Access is controlled through discretionary access controls (DACs) or mandatory access controls (MACs).
• With DACs, the data owner (or a DBA acting for the owner) must grant access before a user can read a view; the owner decides who gets in.
• MACs secure information by assigning classification levels or labels to data and clearances to users; the system compares label and clearance on every access, and the data owner cannot override the result.
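
The DAC and MAC rules above side by side, as an added example that is not part of the deck. The owner of a view grants read access (DAC); every row also carries a classification label and every user a clearance, and rows above the reader's clearance are filtered out no matter what grants exist (MAC, the way label-based row security in commercial databases behaves). The levels, users, clearances and rows are constructed.

```python
"""Discretionary versus mandatory access control on database views.

Added example, not from the slide deck. Under DAC the owner of a view
grants read access to named users. Under MAC every row carries a
classification label and every user a clearance; the system filters out
rows labelled above the reader's clearance ("no read up") whatever grants
exist. Levels, users, clearances and rows are constructed.
"""
LEVELS = {"PUBLIC": 0, "INTERNAL": 1, "CONFIDENTIAL": 2, "SECRET": 3}


class View:
    def __init__(self, name: str, owner: str, rows: list):
        self.name, self.owner = name, owner
        self.rows = rows            # each row: {"label": level, "data": value}
        self.grants = {owner}       # DAC: the owner always has access

    def grant(self, grantor: str, grantee: str) -> None:
        """DAC: only the owner decides who may read the view."""
        if grantor != self.owner:
            raise PermissionError(f"{grantor} is not the owner of {self.name}")
        self.grants.add(grantee)


class Database:
    def __init__(self, clearances: dict):
        self.clearances = clearances   # MAC: user -> clearance level name
        self.views = {}

    def select(self, user: str, view_name: str) -> list:
        view = self.views[view_name]
        if user not in view.grants:                       # DAC check
            raise PermissionError(f"{user} has no grant on {view_name}")
        clearance = LEVELS[self.clearances[user]]
        # MAC check: rows above the user's clearance are invisible even
        # though the DAC grant exists; the owner cannot override this.
        return [r["data"] for r in view.rows if LEVELS[r["label"]] <= clearance]


def demo() -> dict:
    db = Database({"dba": "SECRET", "analyst": "CONFIDENTIAL", "intern": "INTERNAL"})
    db.views["salaries"] = View("salaries", "dba", [
        {"label": "INTERNAL", "data": "headcount=42"},
        {"label": "CONFIDENTIAL", "data": "avg_salary=81000"},
        {"label": "SECRET", "data": "exec_comp=1200000"},
    ])
    view = db.views["salaries"]
    out = {}

    view.grant("dba", "analyst")
    out["analyst"] = db.select("analyst", "salaries")

    try:                                   # no DAC grant yet
        db.select("intern", "salaries")
        out["intern"] = "allowed"
    except PermissionError:
        out["intern"] = "denied by DAC"

    try:                                   # analyst is not the owner
        view.grant("analyst", "intern")
        out["analyst_grant"] = "allowed"
    except PermissionError:
        out["analyst_grant"] = "denied by DAC"

    view.grant("dba", "intern")            # owner grants, but MAC still caps
    out["intern_after_grant"] = db.select("intern", "salaries")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The assessment question this answers is which of the two models the database actually enforces: under pure DAC the grant to the intern would have exposed every row, and only the MAC label stops it.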

Network Assessments
• Obtain an understanding of the network architecture:
– Review network diagrams and documentation
– Interview data network administrators
– Interview voice network administrators
– Interview network device administrators
– Review standards relating to networked systems
– Review planned migration to new technologies
– Review network software inventory
– Review network hardware inventory
– Identify business functions utilizing the network
• Obtain an understanding of network management:
– Identify network management tools and other utility software used in managing the network
– Identify how the network management tools are utilized
– Identify the devices managed through the network
– Identify plans or changes to network managers
• Obtain an understanding of network security administration:
– Identify policies, procedures, standards, and guidelines for network security administration
– Identify responsibilities for network security administration
– Identify monitoring capabilities and reports used in network security administration
• Obtain an understanding of new technology assessments and deployment:
– Identify responsibilities for change control
– Identify audit/security participation in new technology plans
– Identify documentation of risks in new technologies
– Identify the general control strategy used in the introduction of new technologies
– Identify testing/acceptance methods used for new technologies
– Identify the review process for approval of new technology plans
• Obtain an understanding of outage/threat response capabilities:
– Identify tools and approaches to reducing risks
– Identify responsibility for emergency response
– Identify tools/strategies for responding to emergency conditions
– Identify threat incidents and priorities

Emergency Response
• It is necessary to ensure that information about bugs, security holes, and vulnerabilities is disseminated to the appropriate individuals and that those individuals are addressing the problem.
• Include follow-up efforts to ensure that alerts, advisories, and fixes are applied in a timely manner.

Remote Access
• For each of the dial-in (and other external) connections, the following activities will be performed:
• Evaluate external connections and dial access:
– Identify external network service providers
– Identify external network users (customers, business partners, employees, service providers)
– Identify access methods
– Identify frequency of access
– Identify nature of access
– Identify services used for access
– Identify time-of-day access required
– Identify services used once access is granted
• Evaluate network security features:
– Identify points of control for each access path
– Identify points of control for each service accessed
– Identify points of external control
– Identify the nature of control points (intended for authentication, monitoring, etc.)
– Identify the level of functionality for each control point
– Identify responsibility for each control point
• Develop an access path schematic:
– Document access paths and control points
– Report observations and recommendations