assurance guide

Published in: Technology
  1. Managing Information Security Risks. Ken M. Shaurette, CISSP, CISA, CISM, IAM, Information Security Solutions Manager, MPC Security Solutions. TechFest, December 2003.
  2. Agenda
     - Why Security?
     - Information Assets
     - Threats
     - Vulnerabilities
     - Dynamic Security Methodology
     - Risk Management
     - MPC Security Solutions Delivers
  3. Why Security?
     - Legislation and community pressure
     - Inappropriate use leads to disciplinary action.
     - Protecting critical infrastructures (InfraGard, DHS)
     - Liability?
     - It's simply a good idea!
  4. Regulations Touch Everyone! Source: Forrester / Giga Group GigaTel, Michael Rasmussen, Director of Research, Information Security, July 22, 2003.
  5. Once upon a time….
  6. Then things started to get a little ugly….
  7. Security used to be easy to understand
     - Payroll Office….
       - Lock on door
       - Lock on file cabinet
       - Audits
     - Equals reasonable security
  8. Security is now a little more complex
     - Active Directory, X.500, NDS, shadow passwords
     - VPN, PPTP, Telnet, SSH, IPsec, encryption
     - Wireless, fiber, ATM, T1, DS3, dial-up, cell, PDA
     - PKI, Kerberos, DES, 3DES, SHA, CHAP, PAP
     - Client/server, mainframe, ASP, web services
     - Thin client, thick client, skinny client, tall client
     - Terminal Server, distance learning
     - HTTPS, SSL
  9. You know more than you think…
     - Information security is about information
     - Technology is a piece of the puzzle
     - You should not have to master technology in order to manage risk
  10. The “Good” News
     - Technology has become easier and easier to implement
       - Anyone can install a server
       - Anyone can install a network
       - Anyone can bring up a web server
       - Anyone can get connected (in lots of ways)
  11. The “Bad” News
     - Technology has become easier and easier to implement
       - Anyone can install a server
       - Anyone can install a network
       - Anyone can bring up a web server
       - Anyone can get connected (in lots of ways)
  12. What are we securing against?
     - Identity theft
     - Privacy issues
     - Copyright issues
     - Hijacking of resources
     - Liability
     - Regulations
  13. Information Assets
     - Which does your organization have?
       - Records about special programs
       - Residents' information
       - Financial information
       - Health information
       - Statistical information
  14. Information Assets
     - How do you identify value?
       - Accounting / “book value”
       - Intrinsic value / replacement cost
       - Formal quantifiable methods (BCP/DRP)
       - “Gut feel”
  15. The “Best” News
     - There is hope!
  16. Information Assets
     - What is worth protecting?
       - Confidentiality (keeping secrets)
       - Integrity (tamper-proofing)
       - Availability (there when you need it)
     - Why protect?
       - Community expectations
       - Regulatory requirements
       - Perception
       - Liability
  17. Information Assets
     - How do you protect?
       - “Classification” (secret, top secret, unclassified)
       - Policies (separation of duties, appropriate use)
       - “Security awareness training”
       - “Common sense” or “second thought” approach
  18. Information Assets
     - How much do you spend on protection?
       - Is it based on the value of the information?
       - Is it based on the number and likelihood of threats?
       - Are vulnerabilities accounted for?
       - How much is enough protection?
       - Is return on investment (ROI) expected or required?
  19. Threats: Motive
     - What is the nature of a threat?
       - Confidentiality (learning secrets)
       - Integrity (tampering with data)
       - Availability (denial of service)
     - Who poses a threat to the organization?
       - Terrorists
       - Former employees
       - Unhappy residents
       - Hackers
  20. Vulnerabilities
     - Absence or weakness of a safeguard
       - Safeguards reduce the likelihood of expected loss from a threat
       - Can be well known, such as a missing IIS patch
       - Can be unknown, such as a design error
     - Types of vulnerabilities
       - Technical
       - Non-technical
  21. Could any of these occur?
     - Sexual harassment or stalking performed using your computers?
     - Email threats to residents, officials, politicians?
     - Community questions about how their tax money is being used.
     - Community asks how computer systems are being wasted?
  22. Dynamic Security Infrastructure (cycle diagram; labels recovered from the slide)
     - “Where Are We Today?”: Baseline Current Security
     - “Where Do We Need to Be?”: Security Requirements; New Risks, Legislation
     - “What Are The Short Falls?”: Perform Gap Analysis
     - “What Is Our Security Policy?”: Strategy Definition
     - “How Do We Get There?”: Security Architecture
     - “Implement!”: Deploy Solutions
     - “Experience Feedback”: Compliance Reporting
     - Periodic Re-evaluation
  23. Security Risk Management
     - Understand the value of information
     - Understand the threats
     - Understand vulnerabilities and corresponding safeguards
     - Invest wisely in appropriate safeguards that reduce the impact of threats.
     - Emergency preparedness
  24. Risk Mitigation
     - Understand security risk
     - Understand technology
     - Accept risk
       - Documentation of risk acceptance is a form of mitigation.
     - Defer or transfer risk
       - Insurance
     - Mitigate risk
       - Technology can mitigate risk
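The spend-versus-value questions of slide 18 and the accept / transfer / mitigate decision of slides 23 and 24 can be worked through quantitatively. The following is an added example, not part of the original presentation; it uses the standard annualized loss expectancy method (ALE = asset value × exposure factor × annual rate of occurrence), which the deck only alludes to as "formal quantifiable methods", and every asset value, rate and safeguard figure below is a constructed sample number.

```python
"""Quantitative risk-spend check: which of accept / transfer / mitigate
gives the best net annual benefit for one asset-threat pair.
Added example; all figures are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Risk:
    asset: str
    asset_value: float      # replacement cost or "book value" (slide 14)
    exposure_factor: float  # fraction of value lost per incident (vulnerability severity)
    aro: float              # annual rate of occurrence (threat likelihood)


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    aro_after: float        # residual likelihood once the safeguard is in place
    ef_after: float         # residual exposure once the safeguard is in place


def ale(value: float, ef: float, aro: float) -> float:
    """Annualized loss expectancy: single loss expectancy (value * ef) times frequency."""
    return value * ef * aro


def evaluate(risk: Risk, sg: Safeguard, insurance_premium: Optional[float] = None) -> Dict:
    """Score the three slide-24 options as net annual benefit versus simply accepting the risk."""
    before = ale(risk.asset_value, risk.exposure_factor, risk.aro)
    after = ale(risk.asset_value, sg.ef_after, sg.aro_after)
    options: Dict[str, float] = {
        # Mitigate: loss avoided per year minus what the safeguard costs per year (ROI, slide 18).
        "mitigate": (before - after) - sg.annual_cost,
        # Accept: documented acceptance costs nothing extra but retains the full ALE.
        "accept": 0.0,
    }
    if insurance_premium is not None:
        # Transfer: pay the premium instead of carrying the expected loss yourself.
        options["transfer"] = before - insurance_premium
    decision = max(options, key=options.get)
    return {"ale_before": before, "ale_after": after, "roi": options["mitigate"],
            "decision": decision}


if __name__ == "__main__":
    records = Risk("resident records database", 250_000, 0.4, 0.5)
    patching = Safeguard("patch management and access control", 12_000, 0.1, 0.4)
    print(evaluate(records, patching, insurance_premium=35_000))   # mitigate wins
    stats = Risk("published statistical reports", 5_000, 1.0, 0.2)
    appliance = Safeguard("dedicated backup appliance", 3_000, 0.0, 1.0)
    print(evaluate(stats, appliance))                               # accept wins
```

A negative `roi` is the signal the deck warns about on slide 18: the safeguard costs more per year than the loss it prevents, so documented acceptance is the better-justified choice.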
  25. How Can MPC Help?
     - Services
       - Information Security Operational Planning (ISOP)
       - Information Security Assessment Project (SA)
       - Security Policy Review and Writing
       - Security Risk Management Program
  26. How Can MPC Help?
     - Services
       - Network Perimeter Security Sweep (NPSS)
       - Internal Network Security Sweep (INSS)
       - Secure Network Operations Center (RSMC) for network monitoring (IDS or firewall)
  27. How Can MPC Help?
     - Technology
       - Monitoring/auditing tools for workstation usage, license measurement and computer utilization (5th Column)
       - Access controls (wireless, Active Directory, NDS, multiple-factor authentication) (Novell, Microsoft)
       - Filtering and proxy tools (Websense)
       - Firewalls (PIX, Cyberguard)
  28. How Can MPC Help?
     - Technology
       - Intrusion detection/prevention (host and network)
       - Application gateways
       - IP video surveillance
       - Secure network infrastructure design
       - Wireless technology
  29. Thank You!