Information security - 360 Degree Approach
1. You must have read this famous quote:
“A security system with several layers is difficult to hack. So, even if your
data is targeted, getting through the many tiers of security will be a hassle.
The simplest of programs, such as free online email accounts, have multi-
layered security, too. Even if accessing your accounts takes a few extra
steps, it is still worth the effort, certainly better than losing your data. Using
a firewall, making sure your antivirus software is updated, running antivirus
checks frequently and updating your programs regularly are all part of
maintaining your personal data security.” – Doug Theis, Innovative
Integration, Inc.
INFORMATION SECURITY – 360°APPROACH
Harsh Arora Certified Information Security Professional
2. IT security in an organization requires a multilayered, top-to-bottom,
structured approach covering all systems and employees of the
organization.
All interaction points with the external environment, including vendors,
customers, third-party systems etc., need to be secured.
IT security must be reviewed and upgraded on a continuous basis.
The following slides describe an integrated and structured methodology to
secure the organization's IT landscape.
3. Develop Risk Management Framework
It involves:
- Categorizing information systems based on an impact assessment
- Selecting an initial baseline of security controls
- Implementing the security controls
- Assessing the security control implementation against the requirements
- Authorizing information system operation
- Monitoring the security controls
4. Multi-tiered Risk Management
A three-tier approach to address risk at:
- Organizational Level
- Mission/Business Process Level
- Information System Level
5. Three Tiered Risk Management Approach
6. Security Categorization
It is the process of determining the security category for information
or an information system. Organizations first determine the criticality and
sensitivity of the information to be processed, stored, or transmitted by the
information system.
The generalized format for expressing the security category (SC) of an
information system is:
7. DEFINE SECURITY CONTROL BASELINES
Baseline controls are the starting point for the security control selection process and are
chosen based on the security category and associated impact level of the information
system. Information systems are categorized as low-impact, moderate-impact and
high-impact.
Organizations can use the recommended priority code designation associated with each
security control in the baselines to assist in making sequencing decisions for control
implementation.
8. CREATING OVERLAYS
An overlay is a fully specified set of security controls, control enhancements, and
supplemental guidance derived from the application of tailoring guidance. Overlays
complement the initial security control baselines by:
(i) providing the opportunity to add or eliminate controls;
(ii) providing security control applicability and interpretations for specific
information technologies, computing paradigms, environments of operation, types of
information systems, types of missions/operations, operating modes, industry
sectors, and statutory/regulatory requirements;
(iii) establishing community-wide parameter values for assignment and/or selection
statements in security controls and control enhancements; and
(iv) extending the supplemental guidance for security controls, where necessary.
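As an added example (not part of the original slides), the categorization, baseline selection and overlay tailoring steps of slides 6 to 8 worked through in Python. It assumes the FIPS 199 convention that a security category records a low/moderate/high impact per security objective and that a system's overall impact level is the high-water mark of the three; the baseline contents and control names are constructed placeholders, not the SP 800-53 baselines.

```python
from enum import IntEnum

class Impact(IntEnum):
    """FIPS 199 impact levels; integer order lets max() pick the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3

OBJECTIVES = ("confidentiality", "integrity", "availability")

def categorize_system(info_types):
    """Security category of a system: for each objective, the highest impact
    of any information type it processes, stores or transmits (slide 6)."""
    sc = {obj: Impact.LOW for obj in OBJECTIVES}
    for itype in info_types:
        for obj in OBJECTIVES:
            sc[obj] = max(sc[obj], itype[obj])
    return sc

def system_impact_level(sc):
    """High-water mark: the system's overall impact is its highest objective."""
    return max(sc.values())

# Constructed, abbreviated baselines for illustration only, NOT the real SP 800-53
# baselines; family prefixes follow the control families named on slide 9.
BASELINES = {
    Impact.LOW: {"AC-POLICY", "AC-ACCOUNTS", "AU-EVENTS", "IR-HANDLING"},
    Impact.MODERATE: {"AC-POLICY", "AC-ACCOUNTS", "AC-ACCOUNT-AUTOMATION",
                      "AU-EVENTS", "AU-REVIEW", "IR-HANDLING", "CM-INVENTORY"},
    Impact.HIGH: {"AC-POLICY", "AC-ACCOUNTS", "AC-ACCOUNT-AUTOMATION", "AU-EVENTS",
                  "AU-REVIEW", "AU-INTEGRITY", "IR-HANDLING", "CM-INVENTORY", "PE-MONITOR"},
}

def select_baseline(sc):
    """Slide 7: the initial baseline is chosen by the system's impact level."""
    return set(BASELINES[system_impact_level(sc)])

def apply_overlay(baseline, overlay):
    """Slide 8: an overlay adds or eliminates controls and fixes parameter values."""
    controls = (baseline | overlay.get("add", set())) - overlay.get("remove", set())
    return controls, dict(overlay.get("parameters", {}))

if __name__ == "__main__":
    # Constructed example: a payroll system handling two information types.
    sc = categorize_system([
        {"confidentiality": Impact.MODERATE, "integrity": Impact.MODERATE, "availability": Impact.LOW},
        {"confidentiality": Impact.LOW, "integrity": Impact.MODERATE, "availability": Impact.LOW}])
    controls, params = apply_overlay(select_baseline(sc), {"add": {"MP-SANITIZE"},
        "remove": {"CM-INVENTORY"}, "parameters": {"AU-REVIEW.frequency": "weekly"}})
    print({k: v.name for k, v in sc.items()}, system_impact_level(sc).name, sorted(controls), params)
```

Note that a single HIGH rating on any one objective of any one information type is enough to pull the whole system into the high-impact baseline.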
9. Applying Security Controls
A security control is a safeguard or countermeasure prescribed for an
information system or an organization, designed to protect the confidentiality,
integrity, and availability of its information and to meet a set of
defined security requirements.
Security controls cover the entire spectrum of an organization, including Access
Control, Training, Audit, Configuration Management, Contingency Planning,
Authentication, Incident Response, Media Protection, Physical and
Environmental Protection etc.
10. SECURITY CONTROL DESIGNATIONS
Security controls are designated as one of three distinct types:
1 Common Controls – security controls whose implementation
results in a security capability that is inheritable by one or more organizational
information systems.
2 System-Specific Controls – security controls applicable to a specific system only.
3 Hybrid Controls – organizations assign a hybrid status to security controls
when one part of the control is common and another part of the control is
system-specific.
11. Assurance Level of Information System
Assurance is the measure of confidence that the security features, practices,
procedures, and architecture of an information system accurately
mediate and enforce the security policy.
Organizations can use the Risk Management Framework (RMF) to ensure that
the appropriate assurance levels are achieved for the information systems
and system components deployed to carry out core missions and business
functions.
12. Trustworthiness of Information System
Trustworthiness is the degree to which an information system (including the
information technology components that are used to build the
system) can be expected to preserve the confidentiality, integrity,
and availability of the information being processed, stored, or
transmitted by the system across the full range of threats.
A trustworthy information system is a system that is believed to be capable of
operating within defined levels of risk despite the environmental disruptions,
human errors, structural failures, and purposeful attacks that are expected to
occur in its environment of operation.
13. Enhancing the Trustworthiness of Information System
There are a number of design, architectural, and implementation principles
that, if used, can result in more trustworthy systems. These core security
principles include, for example, simplicity, modularity, layering, domain
isolation, least privilege, least functionality, and resource
isolation/encapsulation.
15. Define Privacy Controls
Governments have made laws and guidelines to ensure the safety and
confidentiality of private data.
Information systems must have the capabilities and protections to safeguard
the private information of their stakeholders.
16. About The Author
Harsh Arora has more than 26 years of experience in Systems &
Information Technology in the Process & Manufacturing Industry.
He holds many certifications, including Certified Information Security
Professional, PMP, Six Sigma & SAP.