Funsec3e ppt ch06
- 1. © 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Fundamentals of Information
Systems Security
Lesson 6
Security Operations and Administration
- 2.
Learning Objective(s)
Explain the role of IT operations,
administration, and security policies.
- 3.
Key Concepts
Role of security administration within an
organization
Components of an IT security policy infrastructure
Data classification standards used by
organizations and the DoD
Change management and configuration
management
The system life cycle (SLC) and the system
development life cycle (SDLC)
- 4.
Security Administration
The group of individuals responsible for
planning, designing, implementing, and
monitoring an organization’s security plan
Identify and document the assets, and then
assign responsibility for each one to a
named person or position
- 5.
Controlling Access
Identification
Authentication
Authorization
Accountability
- 6.
Documentation, Procedures, and Guidelines
The most common documentation requirements include:
• Sensitive assets list
• The organization’s security process
• The authority of the persons responsible for security
• The policies, procedures, and guidelines adopted by the
organization
An organization must comply with rules on two levels:
• Regulatory compliance
• Organizational compliance
- 7.
Disaster Assessment and Recovery
The security administration team handles
incidents, disasters, and other interruptions
The emergency operations group is
responsible for protecting sensitive data in
the event of:
• Natural disasters
• Equipment failure
• Other potential emergencies
- 8.
Security Outsourcing
Advantages
• High level of expertise
Disadvantages
• The outsourcing firm might lack knowledge of
your internal environment and business
• You won’t develop in-house capability or
talent, and you have to keep paying for these
services indefinitely
- 9.
Outsourcing Concerns
Privacy
Risk
Data security
Ownership
Adherence to policy
- 10.
Common Agreements
Service-level agreement (SLA)
Blanket purchase agreement (BPA)
Memorandum of understanding (MOU)
Interconnection security agreement (ISA)
- 11.
Compliance
Event logs
Compliance liaison
Remediation
- 12.
Professional Ethics
Set the example
Encourage adopting ethical guidelines and
standards
Inform users through security awareness
training
A code of ethics helps ensure
professionalism
- 13.
Personnel Security Principles
Limiting access
Separation of duties
Job rotation
Mandatory vacations
Security training
Security awareness
Awareness of social engineering
- 14.
The Infrastructure for an IT Security Policy
Policies
Standards
Procedures
Baselines
Guidelines
- 15.
The Security Policy Environment
- 16.
The Security Policy Hierarchy
- 17.
Data Classification Standards
Classification is the duty of the data owner
or someone the owner delegates
The system owner is the person or group that
manages the infrastructure on which the data resides
Criteria for classifying information:
• Value
• Sensitivity
• Criticality
- 18.
Information Classification Objectives
To identify information protection requirements
To identify data value in accordance with organization
policy
To ensure that sensitive and/or critical information is
provided appropriate protection/controls
To lower costs by protecting only sensitive information
To standardize classification labeling throughout the
organization
To alert employees and other authorized personnel to
protection requirements
To comply with privacy law and regulations
- 19.
Examples of Classification
U.S. government (standardized):
• Unclassified
• Restricted
• Confidential
• Secret
• Top Secret
Private sector (not standardized):
• Public (low)
• Private (medium)
• Confidential (high)
Note that current U.S. executive-branch policy (Executive Order 13526) defines only
Confidential, Secret, and Top Secret as classification levels; Restricted survives in
NATO and some allied schemes and in older U.S. material. Also note that a label name
such as Confidential means something different in each scheme, so levels from the two
schemes must never be compared directly.
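As an added example (not from the textbook), the following Python models the two ordered label sets above, the data owner's exclusive right to classify (or to delegate classification), a read check in which the reader's clearance must dominate the object's label, and the rule that a document compiled from several sources takes the highest source label so aggregation never downgrades protection. The Asset class, the owner/delegate fields, and the dominance rule are assumptions for illustration, not the textbook's definitions.

```python
"""Classification labels, owner-only labeling, and a clearance dominance check.

Added example, not from the textbook. Assumes the two ordered label sets
on the slide and the rule "a subject may read an object only when the
subject's clearance is at least the object's label".
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Iterable, Optional, Set


class GovLevel(IntEnum):
    """U.S. government style levels as listed on the slide, low to high."""
    UNCLASSIFIED = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


class CorpLevel(IntEnum):
    """Private-sector levels; names are not standardized across firms."""
    PUBLIC = 0
    PRIVATE = 1
    CONFIDENTIAL = 2


@dataclass
class Asset:
    name: str
    owner: str                              # the data owner assigns the label
    delegates: Set[str] = field(default_factory=set)   # people the owner named
    label: Optional[IntEnum] = None         # unset until classified


def classify(asset: Asset, by: str, label: IntEnum) -> Asset:
    """Only the data owner or an owner-named delegate may classify."""
    if by != asset.owner and by not in asset.delegates:
        raise PermissionError(f"{by} may not classify {asset.name}")
    asset.label = label
    return asset


def can_read(clearance: IntEnum, asset: Asset) -> bool:
    """Read is allowed when the clearance dominates the label.

    The scheme check matters: GovLevel.CONFIDENTIAL and CorpLevel.CONFIDENTIAL
    are both the integer 2, so without it they would compare as equal.
    """
    if asset.label is None:
        raise ValueError(f"{asset.name} has not been classified")
    if type(clearance) is not type(asset.label):
        raise TypeError("clearance and label come from different schemes")
    return clearance >= asset.label


def aggregate_label(labels: Iterable[IntEnum]) -> IntEnum:
    """A document assembled from several sources takes the highest source label."""
    labels = list(labels)
    if not labels:
        raise ValueError("no labels to aggregate")
    scheme = type(labels[0])
    if any(type(lbl) is not scheme for lbl in labels):
        raise TypeError("cannot mix schemes in one aggregate")
    return max(labels)


if __name__ == "__main__":
    payroll = Asset("payroll-export", owner="hr-lead", delegates={"hr-analyst"})
    classify(payroll, "hr-analyst", CorpLevel.CONFIDENTIAL)
    print("manager with CONFIDENTIAL clearance:", can_read(CorpLevel.CONFIDENTIAL, payroll))
    print("contractor with PRIVATE clearance:", can_read(CorpLevel.PRIVATE, payroll))
    print("briefing built from SECRET + UNCLASSIFIED:",
          aggregate_label([GovLevel.SECRET, GovLevel.UNCLASSIFIED]).name)
```

The `type(...) is not type(...)` guard is the caveat worth remembering: `IntEnum` members compare as plain integers, so two schemes with a shared name like Confidential would otherwise be silently treated as interchangeable.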
- 20.
Configuration Management
The process of managing all changes to
computer and device configurations
Evaluates the impact a modification might
have on security
As a security professional, your job is to:
• Ensure that you adequately review all system
changes
• Ensure that configuration changes will not
cause unintended consequences for security
- 21.
Hardware Inventory and Configuration Chart
A decision to roll out a new patch, service
pack, or release will be complicated if you
can’t find, update, and test every affected
device
Have an up-to-date map or layout of the
configuration of the hardware components
Regularly check for any available vendor
upgrades and service packs
- 22.
The Change Management Process
Configuration control
• The management of the baseline settings for
a system or device
Change control
• The management of changes to the
configuration
- 23.
Change Control Management
Communicate change management procedures
and standards effectively
Reactive or proactive
• Reactive: Management responds to changes in the
business environment
• Proactive: Management initiates the change to
achieve a desired goal
Occurs on a continuous, regularly scheduled,
release, or program-by-program basis
- 24.
Change Control Committees
Ensure changes are:
• Properly tested
• Authorized
• Scheduled
• Communicated
• Documented
- 25.
Change Control Procedures
- 26.
Change Control Issues
Peer reviews
• Ensure that a peer or another expert
double-checks all changes before you
put them into production
Back-out plans
• Ensure that if the change doesn’t work
properly, a plan exists to restore the
system to a known good condition
Documentation
• Keep documentation current so that it
reflects the system’s true design
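The configuration control, change detection, and back-out ideas of the last few slides, as an added example that is not from the textbook: a known-good set of configuration files is recorded as a manifest of SHA-256 digests (the approved baseline), the current state of a device is compared against it to find added, removed, and modified files (drift, i.e. a change that did not go through change control), and the back-out plan restores the known-good contents and re-checks that drift is gone. The sample `sshd_config` and `sysctl` contents are constructed for the demonstration, and the "device" is a temporary directory.

```python
"""Configuration baseline, drift detection, and back-out.

Added example, not from the textbook. The "device" is a directory of
config files; the baseline is a manifest of SHA-256 digests, and the
back-out plan is a copy of the known-good contents.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed known-good configuration (illustrative, not real production data).
KNOWN_GOOD: Dict[str, bytes] = {
    "ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "sysctl.d/99-hardening.conf": b"net.ipv4.ip_forward = 0\n",
}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def take_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Manifest of relative path -> digest; this is what the change board approves."""
    return {path: digest(data) for path, data in files.items()}


def read_tree(root: Path) -> Dict[str, bytes]:
    """Relative path -> contents for every file under root."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_tree(root: Path, files: Dict[str, bytes]) -> None:
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def detect_drift(baseline: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare the current state against the approved manifest."""
    current = take_baseline(files)
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def has_drift(report: Dict[str, List[str]]) -> bool:
    return any(report.values())


def back_out(root: Path, known_good: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Restore root to the known-good tree, then re-verify against its manifest."""
    for rel in read_tree(root):
        if rel not in known_good:          # files the change introduced
            (root / rel).unlink()
    write_tree(root, known_good)           # overwrite modified/removed files
    return detect_drift(take_baseline(known_good), read_tree(root))


def demo():
    """Simulate an unreviewed change, detect it, and back it out."""
    baseline = take_baseline(KNOWN_GOOD)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_tree(root, KNOWN_GOOD)
        before = detect_drift(baseline, read_tree(root))
        # Unreviewed change: root SSH login re-enabled and a stray file dropped in.
        (root / "ssh/sshd_config").write_bytes(b"PermitRootLogin yes\nPasswordAuthentication no\n")
        (root / "ssh/extra.conf").write_bytes(b"Banner none\n")
        during = detect_drift(baseline, read_tree(root))
        after = back_out(root, KNOWN_GOOD)
    return before, during, after


if __name__ == "__main__":
    before, during, after = demo()
    print("drift before change:", has_drift(before))
    print("drift after change:", during)
    print("drift after back-out:", has_drift(after))
```

In practice the manifest lives in version control alongside the change ticket that approved it, so "what changed" and "who approved it" can be answered from the same record; the digest comparison here is the same check file-integrity monitors perform.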
- 27.
Application Software Security
Processes for software development:
• System Life Cycle (SLC)
• System Development Life Cycle (SDLC)
Steps are similar; a few key differences:
• SLC includes operations and disposal
• SDLC ends with the transition to production
- 28.
The System Life Cycle
Phases, in order:
• Project initiation and planning
• Functional requirements and definition
• System design specification
• Build (develop) and document
• Acceptance testing
• Implementation (transition to production)
• Operations and maintenance
• Disposal
- 29.
Testing Application Software
Test for all expected and unexpected actions
Handle errors correctly
Perform load tests that push the system to its
maximum expected load, measuring:
• Transaction volume
• Memory allocation
• Network bandwidth
• Response times
Keep production or sensitive data secure during
testing
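One way to honor the last point above, keeping production data out of test environments, is keyed pseudonymization. The following Python is an added example, not from the textbook: it replaces identifying fields with HMAC-SHA256 tokens under a secret that belongs to the masking job, so the same customer id maps to the same token in every table (joins still work in test), a different environment key produces unrelated tokens, and fields the tests do not need (here the SSN) are dropped rather than masked. The customer and order rows are constructed sample data, and the field names are assumptions.

```python
"""Keyed pseudonymization of production records for use in test.

Added example, not from the textbook. Assumes rows keyed by customer_id
that must still join across tables after masking.
"""
import hashlib
import hmac
from typing import Dict, List

# Constructed sample rows (not real people or real production data).
CUSTOMERS: List[Dict[str, str]] = [
    {"customer_id": "C1001", "name": "Ada Example", "email": "ada@example.org", "ssn": "123-45-6789"},
    {"customer_id": "C1002", "name": "Bob Sample", "email": "bob@example.net", "ssn": "987-65-4321"},
]
ORDERS: List[Dict[str, str]] = [
    {"order_id": "O1", "customer_id": "C1001", "total": "42.00"},
    {"order_id": "O2", "customer_id": "C1002", "total": "17.50"},
    {"order_id": "O3", "customer_id": "C1001", "total": "9.99"},
]
SENSITIVE_FIELDS = ("customer_id", "name", "email", "ssn")


def pseudonym(key: bytes, field: str, value: str, length: int = 16) -> str:
    """Deterministic token: same key, field and value -> same token.

    The field name is mixed into the MAC input so a token observed in one
    column cannot be matched against another column's tokens.
    """
    msg = f"{field}\x00{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:length]


def mask_customers(key: bytes, rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    masked = []
    for r in rows:
        masked.append({
            "customer_id": pseudonym(key, "customer_id", r["customer_id"]),
            "name": "user-" + pseudonym(key, "name", r["name"], 8),
            # .invalid is a reserved TLD, so masked addresses can never be delivered
            "email": pseudonym(key, "email", r["email"], 12) + "@test.invalid",
            # ssn is deliberately not copied: tests do not need it
        })
    return masked


def mask_orders(key: bytes, rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Only the foreign key is sensitive here; amounts and order ids are kept."""
    return [{**r, "customer_id": pseudonym(key, "customer_id", r["customer_id"])}
            for r in rows]


def leaks_raw_values(originals: List[Dict[str, str]], masked_rows: List[Dict[str, str]]) -> bool:
    """Release gate: true if any original sensitive value survives in the masked set."""
    raw = {r[f] for r in originals for f in SENSITIVE_FIELDS if f in r}
    blob = "\n".join(str(v) for row in masked_rows for v in row.values())
    return any(value in blob for value in raw)


if __name__ == "__main__":
    key = b"per-environment-secret-kept-out-of-test"
    customers = mask_customers(key, CUSTOMERS)
    orders = mask_orders(key, ORDERS)
    for row in customers + orders:
        print(row)
    print("leak check:", leaks_raw_values(CUSTOMERS, customers + orders))
```

The masking key must be handled like any other production secret: anyone holding it can recompute tokens for guessed inputs, which is why low-entropy fields such as SSNs are dropped rather than tokenized.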
- 30.
Catching Vulnerabilities
Thoroughly evaluate any change to your
environment
Formalize the process for procuring new
equipment
Follow the guidance in your data policies
Review a system throughout its life cycle to
ensure that it meets its specified security
(certification)
Make sure management officially accepts the
system (accreditation)
- 31.
Software Development and Security
Checks user authentication to the application
Checks user authorization (privilege level)
Has procedures for recovering database integrity in the
event of system failure
Handles errors and exceptions consistently and does not
allow any error or exception to go unhandled
Validates all input
Defines secure configuration baselines
Provides guidance on hardening your application
Provides and applies frequent patches
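The first five items above, together with the identification, authentication, authorization, and accountability steps from the Controlling Access slide, as one request path in Python. This is an added example, not the textbook's code: the user store, the two roles and their permissions, the account-number format, and the "transfer" actions are assumptions for illustration. Passwords are verified with PBKDF2 from the standard library, every outcome is written to an audit log, and no exception is allowed to reach the caller unhandled.

```python
"""Identification, authentication, authorization, accountability, input
validation, and uniform error handling in one request path.

Added example, not from the textbook. Users, roles, permissions, and the
account-number format are assumptions for illustration.
"""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ITERATIONS = 100_000     # kept low for the demo; use a much higher count in production
AUDIT_LOG: List[str] = []   # accountability: every decision is recorded


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_password(password: str, stored: bytes) -> bool:
    salt, expected = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)   # constant-time comparison


@dataclass
class User:
    username: str
    pw_hash: bytes
    role: str


# Assumed user store and role-to-permission map (constructed for the demo).
USERS: Dict[str, User] = {
    "alice": User("alice", hash_password("correct horse"), "manager"),
    "bob": User("bob", hash_password("hunter2"), "clerk"),
}
PERMISSIONS: Dict[str, Set[str]] = {
    "clerk": {"view_balance"},
    "manager": {"view_balance", "approve_transfer"},
}
DUMMY_HASH = hash_password("not-a-real-password")   # same work for unknown users
ACCOUNT_RE = re.compile(r"[0-9]{8}")


class AppError(Exception):
    """Expected failures; the message is safe to show to the caller."""


def validate_account(account) -> str:
    """Allow-list validation: exactly eight ASCII digits, nothing else."""
    if not isinstance(account, str) or not ACCOUNT_RE.fullmatch(account):
        raise AppError("invalid account number")
    return account


def handle(username: str, password: str, action: str, account) -> dict:
    """Identification -> authentication -> authorization -> validated action.

    Every path ends in one of three outcome shapes and one audit line; an
    unexpected exception becomes a generic error, never a stack trace.
    """
    try:
        user = USERS.get(username)                            # identification
        stored = user.pw_hash if user else DUMMY_HASH         # no timing hint for unknown names
        if not verify_password(password, stored) or user is None:   # authentication
            raise AppError("authentication failed")
        if action not in PERMISSIONS.get(user.role, set()):   # authorization (privilege level)
            raise AppError("not authorized")
        acct = validate_account(account)                      # input validation
        result = {"status": "ok", "action": action, "account": acct}
    except AppError as exc:
        result = {"status": "denied", "reason": str(exc)}
    except Exception:                                         # nothing goes unhandled
        result = {"status": "error", "reason": "internal error"}
    AUDIT_LOG.append(f"user={username!r} action={action!r} "
                     f"outcome={result['status']} reason={result.get('reason', '')}")
    return result


if __name__ == "__main__":
    print(handle("alice", "correct horse", "approve_transfer", "12345678"))
    print(handle("bob", "hunter2", "approve_transfer", "12345678"))
    print(handle("bob", "hunter2", "view_balance", "1234-5678"))
    print(handle("nobody", "x", "view_balance", "12345678"))
    print(*AUDIT_LOG, sep="\n")
```

Two details are deliberate: unknown usernames still pay for a PBKDF2 computation so response time does not reveal whether an account exists, and "authentication failed" is returned for both a bad password and a missing user for the same reason.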
- 32.
Software Development Models
The two most widely accepted models for software development:
• The waterfall model
• The Agile development method
- 33.
The Waterfall Model
- 34.
The Agile Software Development Method
- 35.
Summary
Role of security administration within an
organization
Components of an IT security policy
infrastructure
Data classification standards used by
organizations and the DoD
Change management and configuration
management
The system life cycle (SLC) and the system
development life cycle (SDLC)