Security Management Practices
Ben Rothke, CISSP
New York Metro eSecurity Solutions Group
732/516-4248  EY/COMM 6027684
Topics to be covered
Change control
Data classification
Employment policies & practices
InfoSec policies
Risk management
Roles and responsibilities
Security awareness training
Security management planning
Change control & management
Why is change control & change management a security issue?
Many businesses live or die on data integrity
Changes can break a security model
Modifying a system can void its warranty
A Gartner Group analyst recently stated that a rogue Y2K programmer can cause $1B in potential losses
Needed because the change requester usually does not understand the security implications of the request
The security administrator must carefully analyze and assess the impact of each change on the system
Change control & management
Tools: checksums, digital signatures, Tripwire
Effective change control can uncover:
cases of policy violation by staff, where programs are installed or changed without following the proper notification procedures
possible hardware failure leading to data corruption
viruses, worms, malicious code
Change control & management
For change control & management to work, you must have:
Golden copies of the software, for comparison use or database generation
Secure infrastructure. Software must be securely stored on physically protected media. If an intruder can get root and change the golden copies (or the baseline database built from them), the change control tools will be ineffective: they will report the tampered state as correct.
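The two slides above describe what a checksum-based change detector such as Tripwire does and why the golden copy itself must be protected. The following is an added example written for this page, not Tripwire's code or anything from the original deck: it builds a SHA-256 baseline of a directory tree, wraps the baseline in an HMAC so tampering with the "golden" baseline is detected, and reports files that were added, removed or modified. The directory layout, file contents and the HMAC key are constructed for the demonstration; in practice the key and the signed baseline live on read-only or off-host media that the monitored host cannot write.

```python
"""Tripwire-style integrity check with a signed baseline (added example)."""
import hashlib
import hmac
import json
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file (path relative to root) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def sign_baseline(baseline: dict, key: bytes) -> dict:
    """Attach an HMAC so an attacker who can edit the baseline file is caught.
    Assumption: `key` is stored where root on the monitored host cannot reach it."""
    body = json.dumps(baseline, sort_keys=True).encode()
    return {"baseline": baseline,
            "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_baseline(signed: dict, key: bytes) -> dict:
    """Refuse to use a baseline whose HMAC no longer matches its contents."""
    body = json.dumps(signed["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["mac"]):
        raise ValueError("baseline has been tampered with; do not trust it")
    return signed["baseline"]


def compare(baseline: dict, current: dict) -> dict:
    """Report unauthorized changes relative to the trusted baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def demo(tmp: Path) -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, re-check."""
    key = b"example-key-kept-offline"  # constructed; a real key never sits on the host
    (tmp / "bin").mkdir(parents=True, exist_ok=True)
    (tmp / "bin" / "login").write_bytes(b"original login binary")
    (tmp / "etc.conf").write_text("allow=none\n")
    golden = sign_baseline(build_baseline(tmp), key)

    # Changes made without going through change control:
    (tmp / "bin" / "login").write_bytes(b"trojaned login binary")  # modified
    (tmp / "rogue.sh").write_text("#!/bin/sh\n")                     # added
    (tmp / "etc.conf").unlink()                                      # removed
    return compare(verify_baseline(golden, key), build_baseline(tmp))


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print(demo(Path(d)))
```

The HMAC only proves the baseline was not altered after signing; it says nothing about whether the golden copies were clean when the baseline was taken, which is why the baseline must be built from freshly installed, vendor-verified media.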
Change control & management
What must be under change control:
Hardware: disks, peripherals
Device drivers
BIOS
Application and operating system software
Upgrades
Service packs, patches, fixes
Changes to the firewall rulebase/proxies
NLMs
Router software
Change control & management
Policies, procedures and processes
Develop policies that will stabilize the production processing environment by controlling all changes made to it
Formal change control processes help to ensure that only authorized changes are made, that they are made at the approved time, and that they are made in the approved manner
Promptly implement security patches, command scripts and similar fixes from vendors, CERT, CIAC, etc.
Have procedures for roll-back to prior versions in case of problems, AKA, don't burn your software bridges
Data classification
Classification is part of a mandatory access control model to ensure that sensitive data is properly controlled and secured
The DoD multi-level security policy has 4 classifications: Top Secret, Secret, Confidential, Unclassified
Other levels in use are: Eyes only, Officers only, Company confidential, Public
Data classification benefits
Data confidentiality, integrity & availability are improved since appropriate controls are used throughout the enterprise
Protection mechanisms are maximized
A process exists to review the values of company business data
Decision quality is increased since the quality of the data upon which the decision is being made has been improved
Data classification
Top Secret - applies to the most sensitive business information which is intended strictly for use within the organization. Unauthorized disclosure could seriously and adversely impact the company, stockholders, business partners, and/or its customers
Secret - applies to less sensitive business information which is intended for use within a company. Unauthorized disclosure could adversely impact the company, its stockholders, its business partners, and/or its customers
Confidential - applies to personal information which is intended for use within the company. Unauthorized disclosure could adversely impact the company and/or its employees
Unclassified - applies to all other information which does not clearly fit into any of the above three classifications. Unauthorized disclosure isn't expected to seriously or adversely impact the company
MAC data classification
In MAC systems, every subject and object in a system has a sensitivity label and a set of categories: classification [category]
Top Secret [CEO, CFO, Board Members]
Confidential [Internal employees, auditors]
The function of categories is that even someone with the highest classification isn't automatically cleared to see all information at that level. This supports the concept of need to know.
Misc. data classification issues
In a commercial setting, responsibility for assigning data classification labels rests with the person who created or updated the information
With the exception of general business correspondence, all externally provided information which is not public in nature must carry a data classification label
All tape reels, floppy disks and other computer storage media containing secret, confidential, or private information must be externally labelled with the appropriate sensitivity classification
Holders of sensitive information must take appropriate steps to ensure that these materials are not available to unauthorized persons
Data classification roles & responsibilities
Information owner
Information custodian
Application owner
User manager
Security administrator
Security analyst
Change control analyst
Data analyst
Solution provider
End user
Employment policies & practices
Background checks/security clearances
Checking public records provides critical information needed to make the best hiring decision. These often simple checks verify that the information provided on the application is current and true, and give the employer an immediate measure of an applicant's integrity.
Background checks
What can a background check potentially prevent:
lawsuits from terminated employees
negligent hiring lawsuits from 3rd parties or customers
unqualified employees
lost business and profits
time wasted recruiting, hiring and training
theft, embezzlement or property damage
money lost (to recruiter fees, signing bonuses)
decrease in employee morale
workplace violence, or sexual harassment suits
Background checks
Who should be checked? Employee background checks should be performed for all sensitive positions. Information security staff in sensitive positions include those responsible for:
firewall administration
e-commerce management
Kerberos administration
SecurID & password usage
PKI and certificate management
router administration
Background checks
What can be checked for an applicant:
Credit report
SSN searches
Workers compensation reports
Criminal records
Motor vehicle report
Education verification & credential confirmation
Reference checks
Prior employer verification
Military security clearance
Among the most meticulous background checks are those required for a DoD security clearance. After reviewing the 30-page Defense Industrial Personnel Security Clearance Review, one gets a new understanding of painstaking review.
A defense security clearance is generally only requested for individuals in the following categories whose employment involves access to sensitive government assets:
Members of the military
Civilian employees working for the Department of Defense or other government agencies
Employees of government contractors
Military security clearance
A DoD review, more correctly known as a personnel security investigation, comprises the following:
a search of investigative files and other records held by federal agencies, including the FBI and, if appropriate, overseas countries
a financial check
field interviews of references (in writing, by telephone, or in person), including coworkers, employers, personal friends, educators, neighbors, and other individuals, as appropriate
a personal interview with the applicant conducted by an investigator
Employment agreement
Non-compete
Non-disclosure
Restrictions on dissemination of corporate information, e.g., to the press, analysts, law enforcement
Hiring & termination
Policies and procedures should come down from HR
Should address how to handle an employee's departure:
shutting down accounts
forwarding e-mail and voice-mail
lock and combination changes
system password changes
Separation of duties
The principle of separation of duties is that an organization should carefully separate duties, so that people involved in checking for inappropriate use are not also capable of making such inappropriate use
No person should be responsible for completing a task involving sensitive, valuable or critical information from beginning to end. Likewise, a single person must not be responsible for approving their own work
Separation of duties
Separate:
development/production
security/audit
accounts payable/accounts receivable
encryption key management/changing of keys
Split knowledge
An encryption key is divided into two (or more) components held by different custodians; no component on its own reveals anything about the key, so the key can only be reconstructed when all custodians act together
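The split-knowledge bullet above is easy to get wrong (handing each custodian half of the key bytes leaks half the key). The following added example, written for this page rather than taken from the slides, shows the standard XOR construction: all but one component are random, the last is the key XORed with the others, so any subset short of the full set is statistically independent of the key. It generalises from the slide's two custodians to n. The key check value function is a simplification assumed here (a short hash of the key) so the custodians can confirm the recombined key without seeing it; production key ceremonies use an encryption-based check value instead.

```python
"""Split knowledge for a symmetric key via XOR shares (added example)."""
import hashlib
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: int = 2) -> list:
    """Return `custodians` components. The first n-1 are fresh random bytes;
    the last is key XOR (all the others). Any n-1 components are uniformly
    random and reveal nothing about the key; all n XOR back to the key."""
    if custodians < 2:
        raise ValueError("split knowledge needs at least two custodians")
    shares = [secrets.token_bytes(len(key)) for _ in range(custodians - 1)]
    last = key
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]


def combine_key(shares: list) -> bytes:
    """Reconstruct the key. Called only inside the key-loading ceremony,
    never by a single custodian on their own workstation."""
    key = bytes(len(shares[0]))
    for s in shares:
        key = xor_bytes(key, s)
    return key


def key_check_value(key: bytes) -> str:
    """Assumed simplification: a short hash lets custodians verify the
    recombined key matches the one that was split, without exposing it."""
    return hashlib.sha256(key).hexdigest()[:6]


if __name__ == "__main__":
    master = secrets.token_bytes(32)          # constructed 256-bit key
    kcv = key_check_value(master)
    components = split_key(master, custodians=3)
    for i, c in enumerate(components, 1):
        print(f"custodian {i}: {c.hex()}")     # each looks like random noise
    print("recombined matches:", key_check_value(combine_key(components)) == kcv)
```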
Information security policies
Policy is perhaps the most crucial element in a corporate information security infrastructure
Marcus Ranum defines a firewall as "the implementation of your Internet security policy. If you haven't got a security policy, you haven't got a firewall. Instead, you've got a thing that's sort of doing something, but you don't know what it's trying to do because no one has told you what it should do"
Corporate computing is a complex operation. Effective policies can rectify many of the weaknesses and faults
Information security policies
Benefits:
Ensure systems are used in the manner intended
Ensure users understand their roles & responsibilities
Control legal liability
Information security policies
Components of an effective policy:
Title
Purpose
Authorizing individual
Author/sponsor
Reference to other policies
Scope
Measurement expectations
Exception process
Accountability
Effective/expiration dates
Definitions
Information security policies
How to ensure that policies are understood:
Jargon free/non-technical language. Rather than "when creating software authentication codes, users must endeavor to use codes that do not facilitate nor submit the company to vulnerabilities in the event that external operatives break such codes", use "passwords that are guessable should not be used".
Focused
Job position independent
No procedures, techniques or methods. Policy is the approach; the specific details & implementations should be in another document
Responsibility for adherence. Users must understand the magnitude & significance of the policy. "I thought this policy didn't apply to me" should never be heard.
Information security policies
How should policies be disseminated?
New hires should get hard copies at orientation
Rehires should go through orientation
Hard copies
Web/corporate intranet
Brochures
Videos
Posters
e-mail/voice-mail
Risk management
Security risks start the moment the power is turned on. The only way to deal with those risks is via risk management
Risks can be identified & reduced, but never eliminated
No matter how secure you make a system, it can always be broken into given sufficient resources, time, motivation and money
People are usually cheaper & easier to compromise than advanced technological safeguards
Qualitative and quantitative
There are two different approaches to risk management metrics: qualitative and quantitative
Quantitative (quasi-objective) risk management attempts to establish and maintain an independent set of risk metrics & statistics, expressing asset value and expected loss in monetary terms
Qualitative risk management relies instead on subjective ratings of threat, impact and likelihood, without assigning monetary values
Qualitative vs. quantitative
Qualitative - Pros
Calculations are simple and readily understood and executed
Not necessary to determine quantitative threat frequency & impact data
Not necessary to estimate the cost of recommended risk mitigation measures & calculate cost/benefit
A general indication of significant areas of risk that should be addressed is provided
Qualitative - Cons
Risk assessment & results are essentially subjective in both process & metrics. Use of independently objective metrics is eschewed.
No effort is made to develop an objective monetary basis for the value of targeted information assets
No basis is provided for cost/benefit analysis of risk mitigation measures. Only a subjective indication of a problem
It is not possible to track risk management performance objectively when all measures are subjective
Copied from 1999 Handbook of Information Security Management, pages 441-442
Qualitative vs. quantitative
Quantitative - Pros
Assessment & results are based substantially on independently objective processes & metrics. Thus, meaningful statistical analysis is supported
The value of information (availability, confidentiality & integrity), as expressed in monetary terms with supporting rationale, is better understood. Thus, the basis for expected loss is better understood.
A credible basis for cost/benefit assessment of risk mitigation measures is provided. Thus, information security budget decision-making is supported
Quantitative - Cons
Calculations are complex. If they are not understood or effectively explained, management may mistrust the results of black-box calculations
A substantial amount of information about the target information & its IT environment must be gathered
There is not yet a standard, independently developed & maintained threat population & frequency knowledge base. Thus, users must rely on the credibility of the vendors who develop & support the automated tools or perform the research.
Copied from 1999 Handbook of Information Security Management, pages 441-442
Risk management nomenclature
Single loss expectancy (SLE)
Asset value x exposure factor = SLE; the monetary loss expected from one occurrence of a threat
Annualized loss expectancy (ALE)
Single loss expectancy x annualized rate of occurrence = ALE
Annualized rate of occurrence (ARO)
On an annualized basis, the frequency with which a threat is expected to occur
Exposure factor
A measure of the magnitude of loss or impact on the value of an asset, expressed as the fraction of the asset's value lost in one occurrence
Probability
Chance or likelihood, in a finite sample, that an event will occur or that a specific loss value may be attained should the event occur
Threat
An event, the occurrence of which could have an undesired impact
Safeguard
A risk-reducing measure that acts to detect, prevent or minimize loss associated with the occurrence of a specified threat or category of threats
Vulnerability
The absence or weakness of a risk-reducing safeguard
Risk assessment
Since you can't protect yourself if you do not know what you are protecting against, a risk assessment must be performed
A risk assessment answers 3 fundamental questions:
Identify assets - What am I trying to protect?
Identify threats - What do I need to protect against?
Calculate risks - How much time, effort & money am I willing to expend to obtain adequate protection?
After risks are determined, you can then develop the policies & procedures needed to reduce the risks
Identifying assets
Tangibles
Computers, communications equipment, wiring
Data
Software
Audit records, books, documents
Intangibles
Privacy
Employee safety & health
Passwords
Image & reputation
Availability
Employee morale
Identifying threats
Earthquake, flood, hurricane, lightning
Structural failure, asbestos
Utility loss, i.e., water, power, telecommunications
Theft of hardware, software, data
Terrorists, both political and information
Software bugs, viruses, malicious code, spam, mail bombs
Strikes, labor & union problems
Hackers, internal/external
Inflammatory Usenet, Internet & web postings
Employee illness, death
Outbreak, epidemic, pandemic
Calculating (quantifying) risks
This is the hard part. Insurance & historical records may help, but your actuary is your best friend.
How much damage did Kevin Mitnick do? Estimates range from $500,000 to $120,000,000
Review the risks
Lists should be regularly updated
Small changes in operations or corporate structure can have significant risk implications
Changes such as location, vendor, M&A, etc., must be factored into the risk calculation
Cost/benefit analysis
Cost of a loss: often hard to determine accurately
Cost of prevention: long term/short term
Adding up the numbers: the output is a spreadsheet listing assets, risks & possible losses
For each loss, know its probability, predicted loss & the amount of money needed to defend against the loss
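The nomenclature slide and the cost/benefit slide together describe the arithmetic behind a quantitative assessment. The following added example (written for this page; the asset values, exposure factors, occurrence rates and safeguard costs are constructed, not figures from the slides) computes SLE and ALE from the slide's definitions, annualizes a safeguard's one-off plus recurring cost, and ranks candidate safeguards by (ALE before) minus (ALE after) minus (annual safeguard cost), which is the standard test of whether a control is worth buying.

```python
"""Quantitative risk: SLE, ALE and safeguard cost/benefit (added example)."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    asset_value: float        # monetary value of the asset
    exposure_factor: float    # fraction of value lost per occurrence, 0..1
    aro: float                # annualized rate of occurrence

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0 or self.aro < 0:
            raise ValueError("exposure factor must be 0..1 and ARO >= 0")

    @property
    def sle(self) -> float:
        """Single loss expectancy = asset value x exposure factor."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    new_exposure_factor: float   # residual exposure once the safeguard is in place
    new_aro: float               # residual rate of occurrence


def annualized_cost(capital: float, useful_years: int, recurring: float) -> float:
    """Spread a one-off purchase over its useful life and add yearly running cost."""
    if useful_years < 1:
        raise ValueError("useful life must be at least one year")
    return capital / useful_years + recurring


def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Net annual value of a safeguard. Positive: worth buying. Negative: it
    costs more per year than the loss it prevents."""
    residual = Risk(risk.asset, risk.asset_value, sg.new_exposure_factor, sg.new_aro)
    return risk.ale - residual.ale - sg.annual_cost


def rank_safeguards(risk: Risk, options: list) -> list:
    """(name, value) pairs, best option first."""
    scored = [(sg.name, safeguard_value(risk, sg)) for sg in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def example():
    """Constructed scenario: a customer database exposed to external compromise."""
    risk = Risk("customer database", asset_value=1_000_000,
                exposure_factor=0.25, aro=0.5)       # SLE 250,000; ALE 125,000
    options = [
        Safeguard("network IDS + patch program",
                  annual_cost=annualized_cost(60_000, 3, 20_000),   # 40,000/yr
                  new_exposure_factor=0.25, new_aro=0.1),          # ALE after 25,000
        Safeguard("full outsourced SOC",
                  annual_cost=150_000,
                  new_exposure_factor=0.25, new_aro=0.0),          # ALE after 0
    ]
    return risk, rank_safeguards(risk, options)


if __name__ == "__main__":
    risk, ranked = example()
    print(f"SLE {risk.sle:,.0f}  ALE {risk.ale:,.0f}")
    for name, value in ranked:
        print(f"{name}: net annual value {value:,.0f}")
```

The point the ranking makes is the one the slides hint at: the safeguard that eliminates the threat outright is not automatically the right purchase if its annual cost exceeds the annual loss it avoids.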
Security awareness
Must be driven from the top down
Must be comprehensive, all the way down to the floppy & hard copies
Training & education
Hard copies
Web-based
Security management planning
But most importantly, to be successful in selling security you must know your company's or client's business
Know what is important
Each industry has differing priorities
Security management planning
Identify costs
Initial investment
Ongoing costs
Identify benefits
Help desk reduction
Common data locations
Reduced remote access costs
Improved business partner access
Enhanced public perception
Ernst & Young Cyberprocess Certification
Security management planning
Identify potential losses if security is not properly implemented
Trade secrets
Confidential information
Personal e-mail
Adverse publicity
Viruses, worms, malicious Java and ActiveX applications
Denial of service
Hard drive reformats, router reconfigurations
M&A financials
Hacked web pages
Breach of Human Resources information
Security management planning
Management procrastination
Four primary reasons why the decision maker typically procrastinates in deciding whether to allocate funds or commence the initiative:
Unable to understand or quantify security threats and technical vulnerabilities. This results in buying decision paralysis.
Unable to measure (through quantitative or qualitative analysis) the severity and probability of risk.
Begins the analysis with a preconceived notion that the cost of controls will be excessive or the security technology does not exist.
Believes that the security solution will interfere with the performance or appearance of the business product.
Any questions?
 
Cybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government ContractsCybersecurity Compliance in Government Contracts
Cybersecurity Compliance in Government Contracts
 
BBA 3551, Information Systems Management 1 Course Lea.docx
 BBA 3551, Information Systems Management 1 Course Lea.docx BBA 3551, Information Systems Management 1 Course Lea.docx
BBA 3551, Information Systems Management 1 Course Lea.docx
 
Proactive information security michael
Proactive information security michael Proactive information security michael
Proactive information security michael
 

More from amiable_indian

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commons
amiable_indian
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art
amiable_indian
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentesters
amiable_indian
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Security
amiable_indian
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
amiable_indian
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
amiable_indian
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
amiable_indian
 
State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in India
amiable_indian
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the ugly
amiable_indian
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Coding
amiable_indian
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learned
amiable_indian
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissected
amiable_indian
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunity
amiable_indian
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
amiable_indian
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
amiable_indian
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentation
amiable_indian
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
amiable_indian
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization
amiable_indian
 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Time
amiable_indian
 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics?
amiable_indian
 

More from amiable_indian (20)

Phishing As Tragedy of the Commons
Phishing As Tragedy of the CommonsPhishing As Tragedy of the Commons
Phishing As Tragedy of the Commons
 
Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art Cisco IOS Attack & Defense - The State of the Art
Cisco IOS Attack & Defense - The State of the Art
 
Secrets of Top Pentesters
Secrets of Top PentestersSecrets of Top Pentesters
Secrets of Top Pentesters
 
Workshop on Wireless Security
Workshop on Wireless SecurityWorkshop on Wireless Security
Workshop on Wireless Security
 
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
Insecure Implementation of Security Best Practices: of hashing, CAPTCHA's and...
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
State of Cyber Law in India
State of Cyber Law in IndiaState of Cyber Law in India
State of Cyber Law in India
 
AntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the uglyAntiSpam - Understanding the good, the bad and the ugly
AntiSpam - Understanding the good, the bad and the ugly
 
Reverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure CodingReverse Engineering v/s Secure Coding
Reverse Engineering v/s Secure Coding
 
Network Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons LearnedNetwork Vulnerability Assessments: Lessons Learned
Network Vulnerability Assessments: Lessons Learned
 
Economic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds DissectedEconomic offenses through Credit Card Frauds Dissected
Economic offenses through Credit Card Frauds Dissected
 
Immune IT: Moving from Security to Immunity
Immune IT: Moving from Security to ImmunityImmune IT: Moving from Security to Immunity
Immune IT: Moving from Security to Immunity
 
Reverse Engineering for exploit writers
Reverse Engineering for exploit writersReverse Engineering for exploit writers
Reverse Engineering for exploit writers
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Web Exploit Finder Presentation
Web Exploit Finder PresentationWeb Exploit Finder Presentation
Web Exploit Finder Presentation
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization Enhancing Computer Security via End-to-End Communication Visualization
Enhancing Computer Security via End-to-End Communication Visualization
 
Top Network Vulnerabilities Over Time
Top Network Vulnerabilities Over TimeTop Network Vulnerabilities Over Time
Top Network Vulnerabilities Over Time
 
What are the Business Security Metrics?
What are the Business Security Metrics? What are the Business Security Metrics?
What are the Business Security Metrics?
 

Recently uploaded

Bangalore Girls Call Bangalore 0X0000000X Payment On Delevery Cash Hot Premiu...
Bangalore Girls Call Bangalore 0X0000000X Payment On Delevery Cash Hot Premiu...Bangalore Girls Call Bangalore 0X0000000X Payment On Delevery Cash Hot Premiu...
Bangalore Girls Call Bangalore 0X0000000X Payment On Delevery Cash Hot Premiu...
seenaoberoi
 
how to sell hamster kombat tokens any where in the world?
how to sell hamster kombat tokens any where in the world?how to sell hamster kombat tokens any where in the world?
how to sell hamster kombat tokens any where in the world?
CRYPTO SPACE 🪙
 
how much can I sell my Hamster Kombat coins.
how much can I sell my Hamster Kombat coins.how much can I sell my Hamster Kombat coins.
how much can I sell my Hamster Kombat coins.
CRYPTO SPACE 🪙
 
OAT_RI_Ep21 WeighingTheRisks_June24_CommodityInflation.pptx
OAT_RI_Ep21 WeighingTheRisks_June24_CommodityInflation.pptxOAT_RI_Ep21 WeighingTheRisks_June24_CommodityInflation.pptx
OAT_RI_Ep21 WeighingTheRisks_June24_CommodityInflation.pptx
hiddenlevers
 
Has anyone made money from hamster kombat - the REAL truth.
Has anyone made money from hamster kombat - the REAL truth.Has anyone made money from hamster kombat - the REAL truth.
Has anyone made money from hamster kombat - the REAL truth.
CRYPTO SPACE 🪙
 
How do I sell my Hamster kombat currency?
How do I sell my Hamster kombat currency?How do I sell my Hamster kombat currency?
How do I sell my Hamster kombat currency?
CRYPTO SPACE 🪙
 
When will I be able to sell my Hamster Kombat coins.
When will I be able to sell my Hamster Kombat coins.When will I be able to sell my Hamster Kombat coins.
When will I be able to sell my Hamster Kombat coins.
CRYPTO SPACE 🪙
 
VIP Girls Call Noida 9873940964 Provide Best And Top Girl Service And No1 in ...
VIP Girls Call Noida 9873940964 Provide Best And Top Girl Service And No1 in ...VIP Girls Call Noida 9873940964 Provide Best And Top Girl Service And No1 in ...
VIP Girls Call Noida 9873940964 Provide Best And Top Girl Service And No1 in ...
AK47 AK47
 
What website can I sell my hamster kombat tokens.
What website can I sell my hamster kombat tokens.What website can I sell my hamster kombat tokens.
What website can I sell my hamster kombat tokens.
CRYPTO SPACE 🪙
 
Girls call Service Hyderabad 000XX00000 Provide Best And Top Girl Service And...
Girls call Service Hyderabad 000XX00000 Provide Best And Top Girl Service And...Girls call Service Hyderabad 000XX00000 Provide Best And Top Girl Service And...
Girls call Service Hyderabad 000XX00000 Provide Best And Top Girl Service And...
avanikakapoor
 
Economic Risk Factor Update: July 2024 [SlideShare]
Economic Risk Factor Update: July 2024 [SlideShare]Economic Risk Factor Update: July 2024 [SlideShare]
Economic Risk Factor Update: July 2024 [SlideShare]
Commonwealth
 
hamster kombat airdrop - official launch date revealed.
hamster kombat airdrop - official launch date revealed.hamster kombat airdrop - official launch date revealed.
hamster kombat airdrop - official launch date revealed.
CRYPTO SPACE 🪙
 
how to increase profit as an hamster Miner - earn over 100,000,000+ token's p...
how to increase profit as an hamster Miner - earn over 100,000,000+ token's p...how to increase profit as an hamster Miner - earn over 100,000,000+ token's p...
how to increase profit as an hamster Miner - earn over 100,000,000+ token's p...
CRYPTO SPACE 🪙
 
What is the Secret way of selling hamster kombat tokens online?
What is the Secret way of selling hamster kombat tokens online?What is the Secret way of selling hamster kombat tokens online?
What is the Secret way of selling hamster kombat tokens online?
CRYPTO SPACE 🪙
 
how do I sell hamster kombat at exchange price!
how do I sell hamster kombat at exchange price!how do I sell hamster kombat at exchange price!
how do I sell hamster kombat at exchange price!
CRYPTO SPACE 🪙
 
Sustainable-Development-Goals-presentation-by-Office-of-National-Statistics.ppt
Sustainable-Development-Goals-presentation-by-Office-of-National-Statistics.pptSustainable-Development-Goals-presentation-by-Office-of-National-Statistics.ppt
Sustainable-Development-Goals-presentation-by-Office-of-National-Statistics.ppt
JayanthAdithya1
 
Girls Call DN Nagar 9910780858 Provide Best And Top Girl Service And No1 in City
Girls Call DN Nagar 9910780858 Provide Best And Top Girl Service And No1 in CityGirls Call DN Nagar 9910780858 Provide Best And Top Girl Service And No1 in City
Girls Call DN Nagar 9910780858 Provide Best And Top Girl Service And No1 in City
margaretblush
 
Most Girls Call Navi Mumbai 9930245274 Provide Best And Top Girl Service And ...
Most Girls Call Navi Mumbai 9930245274 Provide Best And Top Girl Service And ...Most Girls Call Navi Mumbai 9930245274 Provide Best And Top Girl Service And ...
Most Girls Call Navi Mumbai 9930245274 Provide Best And Top Girl Service And ...
sharonblush
 
University of Southern California degree offer diploma Transcript
University of Southern California degree offer diploma TranscriptUniversity of Southern California degree offer diploma Transcript
University of Southern California degree offer diploma Transcript
oywfdy
 
How can i sell hamster kombat token on Binance exchange!
How can i sell hamster kombat token on Binance exchange!How can i sell hamster kombat token on Binance exchange!
How can i sell hamster kombat token on Binance exchange!
CRYPTO SPACE 🪙
 

Recently uploaded (20)

Bangalore Girls Call Bangalore 0X0000000X Payment On Delevery Cash Hot Premiu...
Bangalore Girls Call Bangalore 0X0000000X Payment On Delevery Cash Hot Premiu...Bangalore Girls Call Bangalore 0X0000000X Payment On Delevery Cash Hot Premiu...
Bangalore Girls Call Bangalore 0X0000000X Payment On Delevery Cash Hot Premiu...
 
how to sell hamster kombat tokens any where in the world?
how to sell hamster kombat tokens any where in the world?how to sell hamster kombat tokens any where in the world?
how to sell hamster kombat tokens any where in the world?
 
how much can I sell my Hamster Kombat coins.
how much can I sell my Hamster Kombat coins.how much can I sell my Hamster Kombat coins.
how much can I sell my Hamster Kombat coins.
 
OAT_RI_Ep21 WeighingTheRisks_June24_CommodityInflation.pptx
OAT_RI_Ep21 WeighingTheRisks_June24_CommodityInflation.pptxOAT_RI_Ep21 WeighingTheRisks_June24_CommodityInflation.pptx
OAT_RI_Ep21 WeighingTheRisks_June24_CommodityInflation.pptx
 
Has anyone made money from hamster kombat - the REAL truth.
Has anyone made money from hamster kombat - the REAL truth.Has anyone made money from hamster kombat - the REAL truth.
Has anyone made money from hamster kombat - the REAL truth.
 
How do I sell my Hamster kombat currency?
How do I sell my Hamster kombat currency?How do I sell my Hamster kombat currency?
How do I sell my Hamster kombat currency?
 
When will I be able to sell my Hamster Kombat coins.
When will I be able to sell my Hamster Kombat coins.When will I be able to sell my Hamster Kombat coins.
When will I be able to sell my Hamster Kombat coins.
 
VIP Girls Call Noida 9873940964 Provide Best And Top Girl Service And No1 in ...
VIP Girls Call Noida 9873940964 Provide Best And Top Girl Service And No1 in ...VIP Girls Call Noida 9873940964 Provide Best And Top Girl Service And No1 in ...
VIP Girls Call Noida 9873940964 Provide Best And Top Girl Service And No1 in ...
 
What website can I sell my hamster kombat tokens.
What website can I sell my hamster kombat tokens.What website can I sell my hamster kombat tokens.
What website can I sell my hamster kombat tokens.
 
Girls call Service Hyderabad 000XX00000 Provide Best And Top Girl Service And...
Girls call Service Hyderabad 000XX00000 Provide Best And Top Girl Service And...Girls call Service Hyderabad 000XX00000 Provide Best And Top Girl Service And...
Girls call Service Hyderabad 000XX00000 Provide Best And Top Girl Service And...
 
Economic Risk Factor Update: July 2024 [SlideShare]
Economic Risk Factor Update: July 2024 [SlideShare]Economic Risk Factor Update: July 2024 [SlideShare]
Economic Risk Factor Update: July 2024 [SlideShare]
 
hamster kombat airdrop - official launch date revealed.
hamster kombat airdrop - official launch date revealed.hamster kombat airdrop - official launch date revealed.
hamster kombat airdrop - official launch date revealed.
 
how to increase profit as an hamster Miner - earn over 100,000,000+ token's p...
how to increase profit as an hamster Miner - earn over 100,000,000+ token's p...how to increase profit as an hamster Miner - earn over 100,000,000+ token's p...
how to increase profit as an hamster Miner - earn over 100,000,000+ token's p...
 
What is the Secret way of selling hamster kombat tokens online?
What is the Secret way of selling hamster kombat tokens online?What is the Secret way of selling hamster kombat tokens online?
What is the Secret way of selling hamster kombat tokens online?
 
how do I sell hamster kombat at exchange price!
how do I sell hamster kombat at exchange price!how do I sell hamster kombat at exchange price!
how do I sell hamster kombat at exchange price!
 
Sustainable-Development-Goals-presentation-by-Office-of-National-Statistics.ppt
Sustainable-Development-Goals-presentation-by-Office-of-National-Statistics.pptSustainable-Development-Goals-presentation-by-Office-of-National-Statistics.ppt
Sustainable-Development-Goals-presentation-by-Office-of-National-Statistics.ppt
 
Girls Call DN Nagar 9910780858 Provide Best And Top Girl Service And No1 in City
Girls Call DN Nagar 9910780858 Provide Best And Top Girl Service And No1 in CityGirls Call DN Nagar 9910780858 Provide Best And Top Girl Service And No1 in City
Girls Call DN Nagar 9910780858 Provide Best And Top Girl Service And No1 in City
 
Most Girls Call Navi Mumbai 9930245274 Provide Best And Top Girl Service And ...
Most Girls Call Navi Mumbai 9930245274 Provide Best And Top Girl Service And ...Most Girls Call Navi Mumbai 9930245274 Provide Best And Top Girl Service And ...
Most Girls Call Navi Mumbai 9930245274 Provide Best And Top Girl Service And ...
 
University of Southern California degree offer diploma Transcript
University of Southern California degree offer diploma TranscriptUniversity of Southern California degree offer diploma Transcript
University of Southern California degree offer diploma Transcript
 
How can i sell hamster kombat token on Binance exchange!
How can i sell hamster kombat token on Binance exchange!How can i sell hamster kombat token on Binance exchange!
How can i sell hamster kombat token on Binance exchange!
 

Security Management Practices

  • 1. Security Management Practices Ben Rothke New York Metro eSecurity Solutions Group 732/516-4248 EY/COMM 6027684 CISSP
  • 2. Topics to be covered
    - Change control
    - Data classification
    - Employment policies & practices
    - InfoSec policies
    - Risk management
    - Roles and responsibilities
    - Security awareness training
    - Security management planning
  • 3. Change control & management. Why is change control & change management a security issue?
    - Many businesses live or die on data integrity
    - Changes can break a security model
    - Modifying a system can void its warranty
    - A Gartner Group analyst recently stated that a rogue Y2K programmer could cause $1B in potential losses
    - Needed because the change requester does not understand the security implications of their request
    - The security administrator must carefully analyze and assess the impact of the change on the system
  • 4. Change control & management. Tools:
    - Checksums
    - Digital signatures
    - Tripwire
    Effective change control can uncover:
    - Cases of policy violation by staff, where programs are installed or changed without following the proper notification procedures
    - Possible hardware failure leading to data corruption
    - Viruses, worms, malicious code
  • 5. Change control & management. For change control & management to work, you must have:
    - Golden copies of the software, for comparison or for generating the baseline database
    - A secure infrastructure: software must be securely stored on physically protected media. If an intruder can get root and change the golden copies, the change control tools will be ineffective, because they compare against a baseline the intruder now controls
  • 6. Change control & management. What falls under change control:
    - Hardware: disks, peripherals
    - Device drivers
    - BIOS
    - Application and operating system software
    - Upgrades
    - Service packs, patches, fixes
    - Changes to the firewall rulebase/proxies
    - NLMs (NetWare Loadable Modules)
    - Router software
  • 7. Change control & management. Policies, procedures and processes:
    - Develop policies that stabilize the production processing environment by controlling all changes made to it
    - Formal change control processes help ensure that only authorized changes are made, that they are made at the approved time, and that they are made in the approved manner
    - Promptly implement security patches, command scripts & similar from vendors, CERT, CIAC, etc.
    - Have procedures for rolling back to prior versions in case of problems, AKA don't burn your software bridges
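The checksum/Tripwire approach of slides 4 and 5 in working form, as an added example that is not from the original presentation: it baselines a directory tree with SHA-256, protects the stored baseline with an HMAC so that an intruder who alters the golden copy without the key is detected, and reports added, removed and modified files. The directory contents, the key (DEMO_KEY) and the function names are constructed for the illustration; a real deployment keeps the key and the baseline on protected media off the monitored host, as slide 5 demands, and would typically use a digital signature rather than a shared-secret HMAC.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Constructed key for the illustration. Keep a real key off the monitored host:
# an intruder with root who can read it can forge a "clean" baseline.
DEMO_KEY = b"example-baseline-signing-key"


def file_digest(path: Path) -> str:
    """SHA-256 of a file's contents, streamed so large binaries work."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record the digest of every regular file under root (the 'golden' state)."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def sign_baseline(baseline: dict, key: bytes) -> dict:
    """Wrap the baseline with an HMAC so edits to the baseline itself are detectable."""
    body = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"files": baseline, "hmac": tag}


def baseline_authentic(signed: dict, key: bytes) -> bool:
    """Recompute the HMAC over the stored file table and compare in constant time."""
    body = json.dumps(signed["files"], sort_keys=True, separators=(",", ":"))
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["hmac"])


def compare(root: Path, signed: dict, key: bytes) -> dict:
    """Report drift from the golden state; refuses to trust a tampered baseline."""
    if not baseline_authentic(signed, key):
        raise ValueError("baseline HMAC mismatch: golden copy may have been altered")
    golden = signed["files"]
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(golden)),
        "removed": sorted(set(golden) - set(current)),
        "modified": sorted(p for p in golden.keys() & current.keys() if golden[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tree, then make unauthorised changes to it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "firewall.rules").write_text("allow tcp 443\n")
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"\x7fELF original binary")
        signed = sign_baseline(build_baseline(root), DEMO_KEY)

        # Changes made outside the change-control process
        (root / "etc" / "firewall.rules").write_text("allow tcp 443\nallow tcp 23\n")
        (root / "bin" / "nc").write_bytes(b"\x7fELF dropped tool")
        report = compare(root, signed, DEMO_KEY)

        # An attacker rewrites the stored baseline to match the altered tree but
        # cannot produce a valid HMAC without the key, so the tampering is caught.
        forged = {"files": build_baseline(root), "hmac": signed["hmac"]}
        report["baseline_tamper_detected"] = not baseline_authentic(forged, DEMO_KEY)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report lists the rulebase edit as modified and the dropped binary as added, which is exactly the class of unnotified change slide 4 says effective change control should surface.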
  • 8. Data classification
    - Classification is part of a mandatory access control model, ensuring that sensitive data is properly controlled and secured
    - The DoD multi-level security policy has 4 classifications: Top Secret, Secret, Confidential, Unclassified
    - Other levels in use are: Eyes only, Officers only, Company confidential, Public
  • 9. Data classification benefits
    - Data confidentiality, integrity & availability are improved since appropriate controls are used consistently throughout the enterprise
    - Protection mechanisms are maximized: controls match the sensitivity of the data they protect
    - A process exists to review the value of company business data
    - Decision quality increases since the quality of the data on which decisions are based has been improved
  • 10. Data classification
    - Top Secret: applies to the most sensitive business information, intended strictly for use within the organization. Unauthorized disclosure could seriously and adversely impact the company, its stockholders, its business partners and/or its customers
    - Secret: applies to less sensitive business information intended for use within the company. Unauthorized disclosure could adversely impact the company, its stockholders, its business partners and/or its customers
    - Confidential: applies to personal information intended for use within the company. Unauthorized disclosure could adversely impact the company and/or its employees
    - Unclassified: applies to all other information that does not clearly fit into any of the above three classifications. Unauthorized disclosure is not expected to seriously or adversely impact the company
  • 11. MAC data classification
    - In MAC systems, every subject and object has a sensitivity label consisting of a classification and a set of categories, written classification [category], for example:
      Top Secret [CEO, CFO, Board Members]
      Confidential [Internal employees, auditors]
    - The function of categories is that even someone with the highest classification isn't automatically cleared to see all information at that level; the subject must also hold every category on the object's label. This supports the concept of need to know
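The label check slide 11 describes, written out as an added example (not code from the original presentation). A subject may read an object only when the subject's clearance is at least the object's classification and the subject holds every one of the object's categories; the two object labels are the ones on the slide, while the subject clearances, the object names and the function names are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Tuple

# Ordering of the DoD-style levels from slide 8 (higher number = more sensitive)
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a classification plus a set of need-to-know categories."""
    classification: str
    categories: FrozenSet[str] = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """True when this label's level is at least other's and it holds all of other's categories."""
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and other.categories <= self.categories)


def can_read(clearance: Label, obj: Label) -> bool:
    """A subject may read an object only when its clearance dominates the object's label."""
    return clearance.dominates(obj)


def decide(clearance: Label, obj: Label) -> str:
    """Same check, but says which half failed so a denial can be logged and explained."""
    if LEVELS[clearance.classification] < LEVELS[obj.classification]:
        return "denied: classification too low"
    missing = obj.categories - clearance.categories
    if missing:
        return "denied: missing categories " + ", ".join(sorted(missing))
    return "allowed"


# Constructed objects carrying the two labels shown on the slide
BOARD_PACK = Label("Top Secret", frozenset({"CEO", "CFO", "Board Members"}))
AUDIT_NOTES = Label("Confidential", frozenset({"Internal employees", "auditors"}))

# Constructed subject clearances
CEO = Label("Top Secret", frozenset({"CEO", "CFO", "Board Members"}))
AUDITOR = Label("Secret", frozenset({"Internal employees", "auditors"}))
NEW_HIRE = Label("Confidential", frozenset({"Internal employees"}))


def decisions() -> Dict[Tuple[str, str], str]:
    """Evaluate every subject against every object. The CEO, despite holding the
    highest classification, is denied the audit notes for lack of need to know."""
    subjects = {"ceo": CEO, "auditor": AUDITOR, "new_hire": NEW_HIRE}
    objects = {"board_pack": BOARD_PACK, "audit_notes": AUDIT_NOTES}
    return {(s, o): decide(subjects[s], objects[o]) for s in subjects for o in objects}


if __name__ == "__main__":
    for (s, o), verdict in decisions().items():
        print(f"{s:9s} -> {o:12s}: {verdict}")
```

The category test is a subset test, not a membership test: a subject cleared for {CEO, CFO} still cannot read an object labelled [CEO, CFO, Board Members].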
  • 12. Misc. data classification issues
    - In a commercial setting, responsibility for assigning data classification labels rests with the person who created or updated the information
    - With the exception of general business correspondence, all externally-provided information which is not public in nature must carry a data classification system label
    - All tape reels, floppy disks and other computer storage media containing secret, confidential or private information must be externally labelled with the appropriate sensitivity classification
    - Holders of sensitive information must take appropriate steps to ensure that these materials are not available to unauthorized persons
  • 13. Data classification roles & responsibilities
    - Information owner
    - Information custodian
    - Application owner
    - User manager
    - Security administrator
    - Security analyst
    - Change control analyst
    - Data analyst
    - Solution provider
    - End user
  • 14. Employment policies & practices: background checks/security clearances
    - Checking public records provides critical information needed to make the best hiring decision
    - Conducting these often simple checks verifies that the information provided on the application is current and true, and gives the employer an immediate measure of an applicant's integrity
  • 15. Background checks. What can a background check potentially prevent?
    - lawsuits from terminated employees
    - lawsuits from 3rd parties or customers for negligent hiring
    - unqualified employees
    - lost business and profits
    - time wasted recruiting, hiring and training
    - theft, embezzlement or property damage
    - money lost (recruiters' fees, signing bonuses)
    - negligent hiring lawsuits
    - decrease in employee morale
    - workplace violence or sexual harassment suits
  • 16. Background checks. Who should be checked?
    - Employee background checks should be performed for all sensitive positions. Information security staff in sensitive positions include those responsible for:
      firewall administration; e-commerce management; Kerberos administration; SecurID & password usage; PKI and certificate management; router administration
  • 17. Background checks. What can be checked for an applicant:
    - Credit report
    - SSN searches
    - Workers' compensation reports
    - Criminal records
    - Motor vehicle report
    - Education verification & credential confirmation
    - Reference checks
    - Prior employer verification
  • 18. Military security clearance
    - Among the most meticulous background checks are those requiring a DoD security clearance. After reviewing the 30-page Defense Industrial Personnel Security Clearance Review, one gets a new understanding of painstaking review.
    - A defense security clearance is generally only requested for individuals in the following categories whose employment involves access to sensitive government assets: members of the military; civilian employees working for the Department of Defense or other government agencies; employees of government contractors
  • 19. Military security clearance
    A DoD review, more correctly known as a personnel security investigation, comprises:
    - a search of investigative files and other records held by federal agencies, including the FBI and, if appropriate, overseas countries
    - a financial check
    - field interviews of references (in writing, by telephone or in person), including coworkers, employers, personal friends, educators, neighbors and other individuals as appropriate
    - a personal interview with the applicant conducted by an investigator
  • 20. Employment agreement
    - Non-compete
    - Non-disclosure
    - Restrictions on dissemination of corporate information, e.g., to the press, analysts, law enforcement
  • 21. Hiring & termination
    - Policies and procedures should come down from HR
    - They should address how to handle an employee's departure: shutting down accounts, forwarding e-mail and voice-mail, lock and combination changes, system password changes
  • 22. Separation of duties
    - The principle of separation of duties is that an organization should carefully separate duties, so that the people who check for inappropriate use are not also capable of making such inappropriate use
    - No person should be responsible for completing a task involving sensitive, valuable or critical information from beginning to end. Likewise, a single person must not be responsible for approving their own work
  • 23. Separation of duties. Separate:
    - development/production
    - security/audit
    - accounts payable/accounts receivable
    - encryption key management/changing of keys
    Split knowledge: an encryption key is separated into two components held by different people, and neither component reveals the other (or the full key) on its own
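Split knowledge and the "no one approves their own work" rule of slides 22 and 23, as an added example that is not from the original presentation. The key is split into XOR shares, so any subset of the shares is indistinguishable from random bytes and only the full set rebuilds the key; the key ceremony helper refuses to reconstruct unless the shares come from at least two distinct custodians. The custodian names, the 256-bit key and the function names are constructed for the illustration; the XOR split is shown for all-of-n shares, which is the two-component case the slide describes generalized to any number of custodians.

```python
import secrets
from typing import Dict, List


def split_key(key: bytes, parts: int = 2) -> List[bytes]:
    """Split `key` into `parts` XOR shares. Every share is needed to rebuild the
    key; any subset of the shares is statistically indistinguishable from random."""
    if parts < 2:
        raise ValueError("split knowledge needs at least two custodians")
    shares = [secrets.token_bytes(len(key)) for _ in range(parts - 1)]
    last = bytes(key)
    for share in shares:
        last = bytes(a ^ b for a, b in zip(last, share))
    shares.append(last)  # final share = key XOR all the random shares
    return shares


def combine_key(shares: List[bytes]) -> bytes:
    """XOR all shares together to recover the key."""
    if not shares or len({len(s) for s in shares}) != 1:
        raise ValueError("shares missing or of unequal length")
    out = bytes(len(shares[0]))
    for share in shares:
        out = bytes(a ^ b for a, b in zip(out, share))
    return out


def ceremony_allowed(contributions: Dict[str, bytes], required: int = 2) -> bool:
    """Separation of duties for a key ceremony: shares must be presented by at
    least `required` distinct custodians. One person holding every share is refused."""
    return len(contributions) >= required


def reconstruct_for_rotation(contributions: Dict[str, bytes]) -> bytes:
    """Rebuild the old key only when the split-knowledge rule is satisfied."""
    if not ceremony_allowed(contributions):
        raise PermissionError("split knowledge requires at least two distinct custodians")
    return combine_key(list(contributions.values()))


def demo() -> dict:
    """Constructed 256-bit key split between two custodians, alice and bob."""
    key = secrets.token_bytes(32)
    share_a, share_b = split_key(key)
    return {
        "rebuilt_matches": reconstruct_for_rotation({"alice": share_a, "bob": share_b}) == key,
        "share_a_is_key": share_a == key,
        "share_b_is_key": share_b == key,
        "one_share_enough": combine_key([share_a]) == key,
        "solo_ceremony_allowed": ceremony_allowed({"alice": share_a}),
    }


if __name__ == "__main__":
    print(demo())
```

Because each share is XORed with fresh random bytes, a custodian who leaks their component leaks nothing about the key; the weakness to watch is the reconstruction step, which must happen on a trusted system and never in a place where one person can collect both components.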
  • 24. Information security policies
    - Policy is perhaps the most crucial element in a corporate information security infrastructure
    - Marcus Ranum defines a firewall as "the implementation of your Internet security policy. If you haven't got a security policy, you haven't got a firewall. Instead, you've got a thing that's sort of doing something, but you don't know what it's trying to do because no one has told you what it should do"
    - Corporate computing is a complex operation. Effective policies can rectify many of its weaknesses and faults
  • 25. Information security policies. Benefits:
    - Ensure systems are used in the manner intended
    - Ensure users understand their roles & responsibilities
    - Control legal liability
  • 26. Information security policies. Components of an effective policy:
    - Title
    - Purpose
    - Authorizing individual
    - Author/sponsor
    - Reference to other policies
    - Scope
    - Measurement expectations
    - Exception process
    - Accountability
    - Effective/expiration dates
    - Definitions
  • 27. Information security policies. How to ensure that policies are understood:
    - Jargon-free, non-technical language. Rather than "when creating software authentication codes, users must endeavor to use codes that do not facilitate nor submit the company to vulnerabilities in the event that external operatives break such codes", use "passwords that are guessable should not be used"
    - Focused
    - Job-position independent
    - No procedures, techniques or methods: policy is the approach; the specific details & implementations belong in another document
    - Responsibility for adherence: users must understand the magnitude & significance of the policy. "I thought this policy didn't apply to me" should never be heard
  • 28. Information security policies. How should policies be disseminated?
    - New hires should get hard copies at orientation
    - Rehires should go through orientation
    - Hard copies
    - Web/corporate intranet
    - Brochures
    - Videos
    - Posters
    - E-mail/voice-mail
  • 29. Risk management
    - Security risks commence the moment the power is turned on. The only way to deal with them is via risk management
    - Risks can be identified & reduced, but never eliminated
    - No matter how secure you make a system, it can always be broken into given sufficient resources, time, motivation and money
    - People are usually cheaper & easier to compromise than advanced technological safeguards
  • 30. Qualitative and quantitative
    - There are two different kinds of risk management metrics: qualitative and quantitative
    - Quantitative risk management attempts to establish and maintain an independent, objective set of risk metrics & statistics (asset values in monetary terms, threat frequencies)
    - Qualitative risk management rates threats and impacts on subjective scales (e.g., high/medium/low) rather than in monetary terms
  • 31. Qualitative vs. quantitative
    Qualitative - Pros
    - Calculations are simple, readily understood and easily executed
    - Not necessary to determine quantitative threat frequency & impact data
    - Not necessary to estimate the cost of recommended risk mitigation measures & calculate cost/benefit
    - A general indication of the significant areas of risk that should be addressed is provided
    Qualitative - Cons
    - Risk assessment & results are essentially subjective in both process & metrics; use of independently objective metrics is eschewed
    - No effort is made to develop an objective monetary basis for the value of targeted information assets
    - No basis is provided for cost/benefit analysis of risk mitigation measures, only a subjective indication of a problem
    - It is not possible to track risk management performance objectively when all measures are subjective
    Copied from 1999 Handbook of Information Security Management, pages 441-442
  • 32. Qualitative vs. quantitative
    Quantitative - Pros
    - Assessment & results are based substantially on independently objective processes & metrics. Thus, meaningful statistical analysis is supported
    - The value of information (availability, confidentiality & integrity), as expressed in monetary terms with supporting rationale, is better understood. Thus, the basis for expected loss is better understood.
    - A credible basis for cost/benefit assessment of risk mitigation measures is provided. Thus, information security budget decision-making is supported
    Quantitative - Cons
    - Calculations are complex. If they are not understood or effectively explained, management may mistrust the results of black-box testing
    - A substantial amount of information about the target information & its IT environment must be gathered
    - There is not yet a standard, independently developed & maintained threat population & frequency knowledge base. Thus, users must rely on the credibility of the vendors who develop & support the automated tools or perform the research.
    Copied from 1999 Handbook of Information Security Management, pages 441-442
  • 33. Risk management nomenclature
    - Annualized loss expectancy (ALE): single loss expectancy x annualized rate of occurrence = ALE
    - Annualized rate of occurrence (ARO): on an annualized basis, the frequency with which a threat is expected to occur
    - Exposure factor: a measure of the magnitude of loss or impact on the value of an asset
    - Probability: chance or likelihood, in a finite sample, that an event will occur or that a specific loss value may be attained should the event occur
    - Threat: an event, the occurrence of which could have an undesired impact
    - Safeguard: a risk-reducing measure that acts to detect, prevent or minimize loss associated with the occurrence of a specified threat or category of threats
    - Vulnerability: the absence or weakness of a risk-reducing safeguard
  • 34. Risk assessment
    Since you can’t protect yourself if you do not know what you are protecting against, a risk assessment must be performed
    A risk assessment answers 3 fundamental questions:
    - Identify assets - What am I trying to protect?
    - Identify threats - What do I need to protect against?
    - Calculate risks - How much time, effort & money am I willing to expend to obtain adequate protection?
    After risks are determined, you can then develop the policies & procedures needed to reduce the risks
  • 35. Identifying assets
    Tangibles
    - Computers, communications equipment, wiring
    - Data
    - Software
    - Audit records, books, documents
    Intangibles
    - Privacy
    - Employee safety & health
    - Passwords
    - Image & reputation
    - Availability
    - Employee morale
  • 36. Identifying threats
    - Earthquake, flood, hurricane, lightning
    - Structural failure, asbestos
    - Utility loss, i.e., water, power, telecommunications
    - Theft of hardware, software, data
    - Terrorists, both political and information
    - Software bugs, viruses, malicious code, SPAM, mail bombs
    - Strikes, labor & union problems
    - Hackers, internal/external
    - Inflammatory usenet, Internet & web postings
    - Employee illness, death
    - Outbreak, epidemic, pandemic
  • 37. Calculating (quantifying) risks
    This is the hard part. Insurance & historical records may help, but your actuary is your best friend.
    How much damage did Kevin Mitnick do? Estimates range from $500,000 to $120,000,000
    Review the risks
    - Lists should be regularly updated
    - Small changes in operations or corporate structure can have significant risk implications
    - Changes such as location, vendor, M&A, etc., must be factored into the risk calculation
  • 38. Cost/benefit analysis
    Cost of a loss
    - Often hard to determine accurately
    Cost of prevention
    - Long term/short term
    Adding up the numbers
    - Output of an Excel spreadsheet listing assets, risks & possible losses
    - For each loss, know its probability, predicted loss & amount of money needed to defend against the loss
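The arithmetic of slide 33 (SLE, ARO, ALE) carried into the slide-38 spreadsheet, as an added Python example that is not part of the original deck; it assumes the standard SLE = asset value x exposure factor, and every asset, threat, figure and safeguard in it is a constructed sample, not data from the slides:

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # value of the asset, in dollars (constructed sample)
    exposure_factor: float  # fraction of asset value lost per occurrence (0..1)
    aro: float              # annualized rate of occurrence (0.1 = once per decade)

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence of the threat."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy, as on slide 33: SLE x ARO."""
        return self.sle() * self.aro

@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # amortized purchase plus ongoing cost, per year
    exposure_factor: float  # EF that remains once the safeguard is in place
    aro: float              # ARO that remains once the safeguard is in place

def safeguard_value(risk: Risk, sg: Safeguard) -> float:
    """Annual loss avoided minus annual cost; negative means the control
    costs more per year than the loss it prevents."""
    residual = replace(risk, exposure_factor=sg.exposure_factor, aro=sg.aro)
    return risk.ale() - residual.ale() - sg.annual_cost

def prioritize(risks: list[Risk]) -> list[Risk]:
    """Largest ALE first: where to look at spending first."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)

def recommend(risk: Risk, options: list[Safeguard]) -> Optional[Safeguard]:
    """Best option that pays for itself, or None if none does."""
    best = max(options, key=lambda sg: safeguard_value(risk, sg), default=None)
    return best if best is not None and safeguard_value(risk, best) > 0 else None

# Constructed sample rows, a tiny version of the slide-38 spreadsheet.
DB_THEFT = Risk("customer database", "theft of data", 1_000_000, 0.5, 0.1)
WEB_DOS = Risk("public web server", "denial of service", 200_000, 0.25, 2.0)
DB_OPTIONS = [Safeguard("encrypt database at rest", 20_000, 0.05, 0.1),
              Safeguard("24x7 guard on the data center", 120_000, 0.5, 0.02)]

if __name__ == "__main__":
    for r in prioritize([DB_THEFT, WEB_DOS]):
        print(f"{r.asset:<20} {r.threat:<18} SLE={r.sle():>9,.0f} ALE={r.ale():>9,.0f}")
    choice = recommend(DB_THEFT, DB_OPTIONS)
    print("recommended:", choice.name if choice else "nothing pays for itself")
```

The guard option is rejected because its annual cost exceeds the loss it avoids, which is exactly the comparison the slide asks you to make for each row.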
  • 39. Security awareness
    - Must be driven from the top down
    - Must be comprehensive, all the way down to the floppy & hard copies
    Training & education
    - Hard copies
    - Web-based
  • 40. Security management planning
    Most importantly, to be successful in selling security you must know your company’s or client’s business
    - Know what is important
    - Each industry has differing priorities
  • 41. Security management planning
    Identify costs
    - Initial investment
    - Ongoing costs
    Identify benefits
    - Help desk reduction
    - Common data locations
    - Reduced remote access costs
    - Improved business partner access
    - Enhanced public perception
    - Ernst & Young Cyberprocess Certification
  • 42. Security management planning
    Identify potential losses if security is not properly implemented
    - Trade secrets
    - Confidential information
    - Personal e-mail
    - Adverse publicity
    - Viruses, worms, malicious Java and ActiveX applications
    - Denial of service
    - Hard drive reformats, router reconfigurations
    - M&A financials
    - Hacked web pages
    - Breach of Human Resources information
  • 43. Security management planning: management procrastination
    Four primary reasons why the decision maker typically procrastinates in deciding whether to allocate funds or commence the initiative:
    - Unable to understand or quantify security threats and technical vulnerabilities. This results in buying decision paralysis.
    - Unable to measure (through quantitative or qualitative analysis) the severity and probability of risk.
    - Begins the analysis with a preconceived notion that the cost of controls will be excessive or the security technology does not exist.
    - Believes that the security solution will interfere with the performance or appearance of the business product.