Network Security and DRP



  1. Network Security: The First Line of Defense for BCP and DRP
     Doug Ochs, President, Fortrex Technologies, Inc.
  2. What is a Good Security Program?
       • Even a good program cannot guarantee anything
       • Good programs are not only based on the latest and greatest technology
       • Good programs do not ignore the people component
       • The goal is to manage an organization’s risk.
  3. Components of a Good Security Program
       • Risk Transference
       • Risk Avoidance
       • Risk Mitigation
       • Risk Identification
  4. Risk Identification
       • The first step in the process of security
       • We perform risk identification through the use of assessments
       • An assessment answers the question “where are we”
  5. Types of Assessments and Frequency (Assessment: Frequency)
       • Enterprise Risk Assessment: Annually
       • IT Risk Assessment: Annually
       • Penetration Test: Bi-Annually
       • Perimeter Assessments: Semi-Annually
       • Vulnerability Scans: Monthly
       • Policy Evaluations: Monthly
       • Application Risk Assessments: As Necessary
  6. Risk Mitigation
       • The second phase in the process of security
       • Risk Mitigation includes all of the steps that we take to manage our risk
           • Policy
           • Deployment
           • Management/Managed Services
           • Training
  7. Policy
       • A good security program will have a complete set of policies and procedures that cover the following areas:
           • Information Policy
           • Security Policy
           • User Management Procedures
           • Incident Response Procedures
           • Disaster Recovery Plan
           • Business Continuity Plan
           • Computer Use Policy
           • Configuration Control Procedures
           • System Configuration Procedures
           • Design Methodology
  8. Incident Response Procedures
       • Determine strategy and course of action prior to a security event.
           • What is your primary goal in a security event?
               • Preserve data
               • Block further access to offending party
               • Preserve evidence for potential prosecution
           • What course of action will you take?
           • Who makes critical decisions along the way?
  9. Deployment
       • There are many aspects to deployment; we’ll discuss only three…
           • New Business Projects
           • Security Integration
           • Managed Security Services (Outsourcing)
  10. New Business Projects
       • New business projects should follow the organization’s development methodology
       • Security should be involved in all phases of the SDLC
           • Defining requirements
           • Designing Systems/Infrastructure
           • Coding Requirements
           • Testing Plans
           • Security Tests
           • Deployment
  11. Security Integration
       • Deployment of Security Infrastructure
           • Network Intrusion Detection
           • Host Intrusion Detection
           • File Integrity Management
           • Firewalls
           • VPNs
           • Access Control Solutions
           • Management Systems
  12. Managed Security Services
       • “Stick to the Knitting.”
       • Advantages of Outsourced Security Services
           • Security Expertise
           • Product Expertise
           • 24/7 Coverage
           • Centralized Reporting and Analysis
           • Efficiency/Cost Reduction
       • Managed Security Services
           • Managed Network IDS
           • Managed Host IDS
           • Managed Firewall/VPN
           • Vulnerability Assessments
           • File/Web Integrity Management
  13. Training
       • A good security program will have regular training classes:
           • New hires – to explain security policies
           • Employees – annual awareness training to reemphasize policy issues and provide instruction on how to be compliant
           • Developers – annual training on how to use the development methodology
           • Administrators – annual training on the requirements of the security policy
  14. Risk Transfer
       • Determine three things:
           • What risk to avoid
           • What risk to accept and manage
           • What risk to transfer
       • Transfer risk through insurance
       • Rates will depend on the quality of the organization’s security program
       • Through Fortrex’s partner AIG, receive a free Network Risk Assessment!
  15. Metrics
       • A good security program will have metrics
       • The metrics will be chosen to provide information on the state of the security program and the risk to the organization
       • Metrics will be provided and analyzed for the reports that go to management
  16. Good Metrics
       • Good metrics are things that can be measured and that mean something to the organization
       • Potential metrics
           • Number of system vulnerabilities
           • System policy violations
           • Use policy violations
           • Number of staff through training
           • Number of incidents
  17. Because Your Information is Your Business