Computer Security and
Cryptography
Didactic Material for
Free Distribution
Introduction to Security Management
Presented By:-
Ashok Panwar
Technical Officer in ECIL(NPCIL)
Tarapur, Mumbai
Logical & Physical Data Protection
All data must be protected by applying:
 Logical security
◦ Protection tools for the information in the same environment in which it is generated or transmitted.
◦ Authentication protocols between client and server.
◦ Application of network standards, etc.
◦ Risk prevention measures also belong in this chapter: the setting up of security policies, contingency plans, the application of regulations, current legislation, etc.
 Physical security
◦ Procedures for the physical protection of the system: staff access, fire, flood, earthquake, etc.
Presented By:-
Ashok Panwar
Technical Officer in ECIL
5/2/2019 2
Physical security in PC environments
 Anchoring to desktops.
 Locks.
 Cards with alarm.
 Special adhesive labels.
 Floppy drive blocking.
 Keyboard protectors.
 Hardware access control card.
 Continuous power supply.
 Ground connection (GFCI).
 Elimination of static electricity, etc.
Things to consider in PC environments.
Risk analysis: strategic plan
 It is the process of identifying and evaluating the risk of suffering an attack and the resulting loss of data, time and working hours, and of comparing it with the cost of preventing that event.
 The analysis not only leads to an adequate security level; it also gives a better understanding of the system we are going to protect.
 You can download this risk analysis tool from the link below:
http://www.csi.map.es/csi/pdf/magerit_ingles.pdf
Risk analysis information
 Information obtained in a risk analysis:
◦ Precise determination of the sensitive resources in the organization.
◦ Identification of threats to the system.
◦ Identification of specific vulnerabilities in the system.
◦ Identification of possible losses.
◦ Identification of the probability that a loss happens.
◦ Derivation of effective countermeasures.
◦ Identification of security tools.
◦ Implementation of a security system that is efficient in cost and time.
Basic equation for risk analysis
Is B > P · L ?
◦ B: the burden or expense involved in preventing a specific loss due to a vulnerability.
◦ P: the probability that the vulnerability is exploited and that specific loss happens.
◦ L: the impact or total cost of the specific loss caused by the exploited vulnerability.
How much shall we invest in security?
If B < P · L
A prevention measure must be implemented.
If B > P · L
A prevention measure is not necessary.
... at least mathematically. Nevertheless, an unforeseen accident, like the computing consequences suffered by some companies after September 11th, can always happen. However, it makes no sense to invest more money in the protection of an asset than its own total value.
Cost-effectiveness of measures
 Measures and control tools must cost less than the value of the possible losses and their impact if the feared risk materializes.
 Basic law: the cost of the control should be less than the value of the asset protected. This is obvious, but both managers and those responsible for the company's security must estimate it adequately for their own reality. In several cases the real problem lies in the difficulty of precisely estimating the economic impact that the occurrence of such a risk may entail.
Factor L in the risk equation
Factor L (in B > P · L)
 The total impact factor L is difficult to evaluate. It includes damage to information and to machines, repair costs, the cost of restarting the system, lost working hours, etc.
 There will always be a subjective part in the assessment.
 Data loss can lead to a loss of opportunities, through what is called the cascade effect.
 There should be a specialized committee in the organization, internal or external, able to evaluate and quantify all the possible losses.
Factor P in the risk equation
Factor P (in B > P · L)
 Factor P is related to the determination of the total impact L and depends on the environment in which the possible loss occurs. As this value is difficult to quantify, the probability can be associated with a known trend or frequency.
◦ Once P is known for a given L, the relative expected loss is obtained as the product P · L, which is then compared with B, the cost of implementing the corresponding prevention measure.
Factor B in the risk equation
Factor B (in B > P · L)
 Indicates what is required in order to prevent a loss. For example, it can be the amount of money we are willing to spend to mitigate the possible loss.
◦ Example: the prevention burden needed for a computing system to minimize the risk of its servers being attacked includes adequate software and hardware installation, a firewall, an intrusion detection system, a secure network configuration, a tracking policy for access and passwords, qualified technical staff, etc. All of these cost a specific amount of money.
Quantification of protection
Is B > P · L ?
 How much protection is necessary?
◦ In our example: which network configuration to use, in which environment to work, what type of firewalls, etc. That will depend on the level of security that our company desires, considers adequate, or that the market sets.
 How will we protect ourselves?
◦ A house can be protected with doors, locks, steel bars on the windows, alarm systems, etc.
◦ In an information system we may apply physical protections, security policies, contingency and recovery plans, access control, firewalls, IDS, encryption, authentication, signatures, secure gateways, etc.
Steps of a risk analysis
1. Identify the cost of the possible losses (L): identifying threats.
2. Determine susceptibility: the probability of loss (P).
3. Identify the possible actions (expenses) and their implications (B), and choose the actions to implement.
Is B > P · L ? With this question the cycle is closed.
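The decision rule of these slides carried through in code: an added example, not part of the original deck, that walks the three steps above over a constructed list of threats. Asset names, amounts and probabilities are constructed; the refusal to spend more than the asset is worth follows slide 7.

```python
"""Risk-analysis decision rule (B versus P·L) applied to constructed threats.

Added example, not part of the original deck. Asset names and figures are
constructed for illustration; the rule itself (implement a measure only when
B < P·L, and never spend more than the asset is worth) is the one the
slides state.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    asset: str
    asset_value: float      # total value of the asset (an upper bound for B)
    loss: float             # L: total impact if the loss occurs
    probability: float      # P: probability that the loss occurs in the period
    prevention_cost: float  # B: cost of the prevention measure considered


def expected_loss(threat: Threat) -> float:
    """Steps 1 and 2 combined: P · L, the figure B is compared against."""
    return threat.probability * threat.loss


def decide(threat: Threat) -> str:
    """Step 3: apply the slide's rule to one candidate measure.

    B < P·L  -> implement the measure
    B > P·L  -> the measure is not necessary (mathematically)
    B == P·L -> break-even, left to management judgement
    A measure costing more than the asset itself is rejected outright.
    """
    if threat.prevention_cost > threat.asset_value:
        return "reject (costs more than the asset is worth)"
    pl = expected_loss(threat)
    if threat.prevention_cost < pl:
        return "implement"
    if threat.prevention_cost > pl:
        return "not necessary"
    return "break-even"


def choose_measures(pl: float, candidates: dict[str, float]) -> list[str]:
    """Given P·L for one threat and several candidate measures (name -> B),
    return the ones worth implementing, cheapest first."""
    ranked = sorted(candidates.items(), key=lambda item: item[1])
    return [name for name, cost in ranked if cost < pl]


def run_cycle(threats: list[Threat]) -> list[tuple[str, float, str]]:
    """One pass of the slide's cycle over every threat: (asset, P·L, decision),
    highest exposure first so the review starts where the money matters."""
    rows = [(t.asset, expected_loss(t), decide(t)) for t in threats]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed figures; probabilities are binary fractions so P·L is exact.
THREATS = [
    Threat("payroll server", asset_value=50_000, loss=16_000,
           probability=0.125, prevention_cost=1_500),
    Threat("web front end", asset_value=20_000, loss=8_000,
           probability=0.5, prevention_cost=4_500),
    Threat("old fax machine", asset_value=300, loss=2_000,
           probability=0.25, prevention_cost=450),
]

if __name__ == "__main__":
    for asset, pl, verdict in run_cycle(THREATS):
        print(f"{asset:16s} P·L = {pl:8.2f}  -> {verdict}")
```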
Some security policies
• Administrative policies
– Administrative procedures.
• Access control policies
– Access privileges of the user or program.
• Information flow policies
– Rules under which individuals communicate with each other within the system.
Administrative aspects
• Administrative policies
– Administrative procedures are established within the organization, for example in program development: modularity in applications, systematic review, etc.
– Shared responsibilities are established for all users, each one at their level.
– This follows on from the awareness stage.
Access control
• Access control policies
– Least privilege policy
• Strict access to determined objects, with minimum privileges for the users.
– Sharing policy
• Maximum privilege access, in which every user can access all objects.
– Granularity
• Number of accessible objects. We then speak of coarse and fine granularity.
Flow control policies
• Flow control policies
– Information that is accessed, sent and received by:
• Overt channels or covert channels? Secure or not?
– What aspect must be promoted?
• Confidentiality or integrity?
• Availability? ... Non-repudiation?
• Depending on each organization, its working environment and the services offered, differences will exist. In some systems some properties will have priority over others, according to how secret the information is.
Security models
• Bell-LaPadula model (BLP)
– Rigid; confidentiality-oriented, with authority.
• Clark-Wilson model (CW)
– Commercial orientation: integrity.
• Take-Grant model (TG)
– Special rights: to take and to grant.
• Others: Goguen-Meseguer model (non-interference between users); access matrix models (states and transitions between states: Graham-Denning type; Harrison-Ruzzo-Ullman type), Biba, Chinese Wall, etc.
They will be defined on the next slides.
Bell-LaPadula model BLP
• Writing downwards is forbidden.
• Reading upwards is forbidden.
• This is known as the principle of tranquility.
[Diagram: a user cleared at the level Secret sits between Maximum secret (no reading upwards) and Unclassified (no writing downwards).]
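The two BLP rules of this slide written as a small reference monitor, an added example that is not from the original deck. The subject and object names and the request list are constructed to match the diagram: one user cleared at Secret and one object at each of the three levels.

```python
"""Bell-LaPadula (BLP) access decisions for the three levels on the slide.

Added example, not part of the original deck: subject and object names and
the request list are constructed for illustration.
"""
from __future__ import annotations

from enum import IntEnum


class Level(IntEnum):
    """Linear ordering of the slide's levels; a higher value is more secret."""
    UNCLASSIFIED = 0
    SECRET = 1
    MAXIMUM_SECRET = 2


class BLPMonitor:
    """Reference monitor enforcing the two BLP rules quoted on the slide."""

    def __init__(self, subjects: dict[str, Level], objects: dict[str, Level]) -> None:
        # Levels are copied once and never changed while the monitor runs:
        # BLP assumes labels stay fixed during operation (tranquility).
        self._subjects = dict(subjects)
        self._objects = dict(objects)

    def can_read(self, subject: str, obj: str) -> bool:
        """Simple security property: no reading upwards."""
        return self._subjects[subject] >= self._objects[obj]

    def can_write(self, subject: str, obj: str) -> bool:
        """*-property: no writing downwards. This is what stops a secret from
        being copied into a lower-level object that a less cleared subject
        could later read."""
        return self._subjects[subject] <= self._objects[obj]

    def decide(self, subject: str, action: str, obj: str) -> bool:
        if action == "read":
            return self.can_read(subject, obj)
        if action == "write":
            return self.can_write(subject, obj)
        raise ValueError(f"unknown action: {action}")


def audit(monitor: BLPMonitor, requests: list[tuple[str, str, str]]) -> list[str]:
    """Evaluate (subject, action, object) requests and return one audit line
    per request; the DENY lines are what a security officer reviews."""
    lines = []
    for subject, action, obj in requests:
        verdict = "ALLOW" if monitor.decide(subject, action, obj) else "DENY"
        lines.append(f"{verdict} {subject} {action} {obj}")
    return lines


# Constructed scenario matching the slide's diagram: a user cleared at
# Secret, with one object at each level.
MONITOR = BLPMonitor(
    subjects={"user": Level.SECRET},
    objects={
        "top_report": Level.MAXIMUM_SECRET,
        "secret_memo": Level.SECRET,
        "public_bulletin": Level.UNCLASSIFIED,
    },
)

REQUESTS = [
    ("user", "read", "top_report"),        # read up     -> DENY
    ("user", "read", "secret_memo"),       # same level  -> ALLOW
    ("user", "read", "public_bulletin"),   # read down   -> ALLOW
    ("user", "write", "top_report"),       # write up    -> ALLOW
    ("user", "write", "public_bulletin"),  # write down  -> DENY
]

if __name__ == "__main__":
    print("\n".join(audit(MONITOR, REQUESTS)))
```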
Clark-Wilson model CW
• It is based on integrity policies:
– Constrained data items.
• A consistency check must be done over these.
– Unconstrained data items.
– Transformation procedures.
• These operate on both kinds of items.
– Integrity verification procedures.
Take-Grant model TG
• It is described through directed graphs:
– a vertex is an object or a subject.
– an arc is a right.
• It deals only with those rights that can be transferred.
 Every security policy is intended to strengthen some property of the information. Given that this chapter is only an introduction, readers interested in these topics are referred to the bibliography that can be found on the Internet.
Criteria and security standards
• Evaluation Criteria TCSEC
– Trusted Computer System Evaluation Criteria, also known as the Orange Book.
• Evaluation Criteria ITSEC
– Information Technology Security Evaluation Criteria.
• Evaluation Criteria CC
– Common Criteria: it includes both of the previous ones.
• International standard 17799
– It develops a protocol of minimum security conditions with a wide scope.
 You'll find interesting reading about Common Criteria applications in the documents below:
http://niap.bahialab.com/cc-scheme/
Laws about computing security in Spain
• Royal Decree 994/1999 (June 11th) on "Security Measures for automated files that contain personal data" defines the functions of the Security Responsible.
• The Organic Data Protection Law (LOPD in Spanish) was passed in Spain in December 1999 and has been applied since 2002.
• A Data Protection Agency (ADP) is created to watch over the enforcement of this law through audits, at least every two years. The ADP is formed by 9 people.
• Functions and obligations are defined for the File Responsible and for the Responsible for Treatment.
• Infractions are classified as minor, serious and very serious, with sanctions of €60,000, €300,000 and €600,000 respectively.
• It establishes a set of mandatory procedures so that, besides protecting people's privacy, the principles of physical and logical security in information technology are carried out.
Link to the Spanish Data Protection Agency: http://www.agpd.es/index.php?idSeccion=77
Levels of responsibility in security
• File Responsible: the entity, institution or legal person who owns personal data and therefore must watch over its security.
• Responsible for Treatment: the previous entity may be the one that handles the data (management, backups, etc.), or this task may be carried out by another company. Hence the distinction between these two roles.
• Security Responsible: the people to whom the File Responsible has formally assigned the function of coordinating and controlling the applicable security measures.
Responsibility operations in the LOPD
• Article 9: Security of data.
– The File Responsible and, where applicable, the Responsible for Treatment must adopt the necessary technical and organizational measures to guarantee the security of the personal data and to prevent its alteration, loss, or unauthorized treatment or access, taking into account the state of technology, the nature of the stored data and the risks to which it is exposed, whether from human action or from the physical or natural environment.
Keeping up with the "state of technology" and knowing every type of "risk" are indeed a headache for the Security Responsible.
https://www.agpd.es/upload/Canal_Documentacion/legislacion/Estatal/Ley%2015_99.pdf
Security levels in RD 994/1999
• Basic level: all files containing personal data must adopt the security measures classified as basic level.
• Medium level: files containing data on the commission of criminal or administrative offences, public finances, financial services, ... must adopt, besides the basic level measures, those classified as medium level.
• High level: files containing data on ideology, religion, beliefs, racial origin, health or sexual life, as well as those containing data gathered for police purposes without the consent of the affected persons, must adopt, besides the basic and medium level measures, those classified as high level.
The measures referred to can be found at the Spanish Data Protection Agency link:
https://www.agpd.es/upload/Canal_Documentacion/legislacion/Estatal/A.8%29%20Real%20Decreto%20994-1999.pdf
LOPD: some minor infractions
• Not attending, for formal reasons, to the request of the interested person for rectification or cancellation of the treatment of personal data when it is legally possible.
• Not providing the information that the Data Protection Agency requests in the exercise of its legally attributed competences, related to non-substantive aspects of data protection.
• Not requesting the registration of the personal data file in the Data Protection General Register, when this does not constitute a serious infraction.
• Proceeding to capture personal data of the affected persons without providing them the information referred to in article 5 of the current law.
LOPD: some serious infractions
• Proceeding to create publicly owned files, or to start capturing personal data for them, without authorization by a general provision published in the "Official State Gazette" or the corresponding official gazette.
• Proceeding to create privately owned files, or to start capturing personal data for them, with purposes other than those that constitute the legitimate object of the company or entity.
• Proceeding to capture personal data without obtaining the express consent of the affected persons, in the cases where this is required.
• Keeping the files, premises, programs or machines that contain personal data without the security conditions determined by regulation.
LOPD: some very serious infractions
• Data capture in a deceitful and fraudulent way.
• Communication or handing over of personal data outside the cases in which it is permitted.
• The temporary or definitive transfer of personal data that has been treated, or has been captured in order to be treated, to countries that do not provide the same level of protection, without authorization from the Director of the Data Protection Agency.
• Treating personal data in an illegitimate way or in disregard of the applicable principles and guarantees, when fundamental rights are violated as a result.
Standard ISO 17799 (UNE-ISO/IEC)
 It presents norms, criteria and basic recommendations for establishing security policies.
 These range from physical security concepts to logical security concepts.
 Part of the standard was elaborated by the BSI, British Standards Institution, and adopted by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
 A 70-page document, not freely distributed.
http://www.computersecuritynow.com/
Scope of standard ISO 17799
It is a code of good practice for Information Security Management.
• Background
• Introduction
• Object and field of application
• Terms and definitions
• Security policy
• Organizational aspects of security
• Classification and control of assets
• Staff security
• Physical and environmental security
• Communications and operations management
• Access control
• Systems development and maintenance
• Business continuity management
• Compliance
History of standard ISO 17799
Reference: "Information Security Management: UNE 71502, ISO 17799". Author: Antonio Villalón, September 2004, Spain.
Contingency plans
• A contingency plan consists of a detailed study and analysis of the areas that make up the organization, which will be useful for establishing a recovery policy in case of disaster.
– It contains the company's strategic data, reflected in a document, with the purpose of being protected in case of eventualities.
• Besides increasing security, with a strategic plan the company also gains more knowledge about its strengths and weaknesses.
• Without one, it is exposed to suffering a loss far more expensive than the implementation of the plan.
Natural disasters and prevention
 Natural disasters
◦ Hurricane
◦ Storm
◦ Flood
◦ Tornado
◦ Gale
◦ Fire
◦ Earthquake
◦ Others
 Prevention measures
◦ Adequate locations
◦ Protection of walls, windows, doors
Computing vandalism and prevention
 Terrorism
 Sabotage
 Theft
 Viruses
 Blackmail
 Malware
 Prevention measures
◦ Fortification of entrances
◦ Security guards
◦ Security patrols
◦ Closed-circuit TV
◦ Physical access control
◦ Protection of software and hardware with antivirus, firewalls, intrusion detection, etc.
◦ Tracking of the company's security policies.
Water threats and prevention
 Threats
◦ Floods due to causes originating within the company
◦ Floods due to external causes
◦ Small personal incidents (the common water bottle or cup of coffee that falls on a keyboard...)
 Prevention measures
◦ Check water pipes
◦ Locate the room with the most expensive machines in a place free of these problems
◦ Install emergency drainage systems
◦ Raise employee awareness
Fire threats and prevention
 Threats
◦ A bad electrical installation
◦ Personal carelessness, like smoking in computer rooms
◦ Badly located waste baskets where lit cigarettes are thrown
◦ Vulnerability of the system to smoke
 Prevention measures
◦ Smoke detectors
◦ Fireproof materials
◦ Paper storage separated from the machines
◦ Raised (false) floors
◦ Checked extinguishers
This is the most feared threat due to its fast destructive power.
What happens in case of catastrophe?
 Companies depend nowadays on computing systems and the data stored in them (payrolls, clients, invoices, ...).
 They also depend more and more on communications through networks.
 If the computing system fails and cannot be recovered, the company may disappear, because it does not have enough time to get back into the market with expectations of success, even if it keeps its entire staff.
Recovery time after disasters
 According to several studies, the maximum period of inactivity that a company can bear without risking its survival is:
◦ Insurance sector: 5.6 days
◦ Manufacturing sector: 4.9 days
◦ Industrial sector: 4.8 days
◦ Distribution sector: 3.3 days
◦ Financial sector: 2.0 days
• If we are told that our bank has security problems and we cannot move our accounts, most probably we will change to another bank the next day.
Losses from not having strategic plans
 Loss of clients.
 Loss of image.
 Loss of income from profits.
 Loss of income from sales and payments.
 Loss of income from production.
 Loss of competitiveness in the market.
 Loss of credibility in the sector.
Basic measures in case of a disaster
 Emergency plan
◦ Lives, the wounded, assets, evacuation of personnel.
◦ Inventory of the resources affected by the disaster.
◦ Evaluate the cost of inactivity.
 Recovery plan
◦ Actions aimed at returning to the situation existing before the disaster.
Alternatives for a continuity plan
 Alternative installations
◦ Own service office
◦ Agreement with a HW and SW supplier
◦ Reciprocal agreement between two or more companies
◦ Cold start: own empty room
◦ Hot start: equipped center
◦ Up Start system: caravan, mobile unit
◦ Hot Start system: twin center
Some solutions can be very expensive. The choice will then depend on how critical the continuity plan is.
Questions and exercises (1 of 2)
1. What is a risk analysis and what does it mean to carry one out?
2. Explain the meaning of the equations B > PL and B < PL.
3. After a study we obtain B > PL. Can we be totally calm if we do not use any prevention measure?
4. Explain what the factors L and P mean in the equation B > PL.
5. What are the steps to follow in a risk analysis according to the factors of the equation B > PL?
6. In some information management systems confidentiality is more important, but in others integrity is. Give some examples where we can observe this. What do you think about an electronic transaction?
7. Comment on the Bell-LaPadula security model. Why is it called the model of tranquility?
Questions and exercises (2 of 2)
8. You are the security responsible and you detect that an employee is stealing confidential information. What would be your reaction?
9. What losses can a company suffer if it does not have an adequate Contingency Plan and a disaster happens?
10. What is a Contingency Plan and why is it so important?
11. Our business is dedicated partly to distribution and partly to finance. Is it strategic to have a Contingency Plan here?
12. What solutions do we have so that a bank won't be affected by a disaster and will be able to continue working with its clients with a low or minimal recovery time? What would it cost?
13. Can extreme situations like the incident that happened at the Twin Towers be foreseen? In what type of companies or institutions must this type of incident be taken into account? In a company that sells cars?
Thank You!!!
E’s Data Security Company Strategic Security Plan – 2015.docxmydrynan
 
Walls of Steel, Doors of Wood - Relevance of Application Security
Walls of Steel, Doors of Wood - Relevance of Application SecurityWalls of Steel, Doors of Wood - Relevance of Application Security
Walls of Steel, Doors of Wood - Relevance of Application SecurityAbdul Jaleel
 
Capgemini Consulting Information Security Benchmarking 2017
Capgemini Consulting Information Security Benchmarking 2017Capgemini Consulting Information Security Benchmarking 2017
Capgemini Consulting Information Security Benchmarking 2017Capgemini
 
PROTECTING YOUR BUSINESS AND CLIENT INFORMATION IN A DIGITAL WORLD - Mitch Ta...
PROTECTING YOUR BUSINESS AND CLIENT INFORMATION IN A DIGITAL WORLD - Mitch Ta...PROTECTING YOUR BUSINESS AND CLIENT INFORMATION IN A DIGITAL WORLD - Mitch Ta...
PROTECTING YOUR BUSINESS AND CLIENT INFORMATION IN A DIGITAL WORLD - Mitch Ta...IFG Network marcus evans
 
Icssea 2013 arrl_final_08102013
Icssea 2013 arrl_final_08102013Icssea 2013 arrl_final_08102013
Icssea 2013 arrl_final_08102013Vincenzo De Florio
 
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docxISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docxchristiandean12115
 
2023 - IBM Cost of a Data Breach Report.pdf
2023 - IBM Cost of a Data Breach Report.pdf2023 - IBM Cost of a Data Breach Report.pdf
2023 - IBM Cost of a Data Breach Report.pdfErickaDiaz24
 
Information Security Assurance Capability Maturity Model (ISA-.docx
Information Security Assurance Capability Maturity Model (ISA-.docxInformation Security Assurance Capability Maturity Model (ISA-.docx
Information Security Assurance Capability Maturity Model (ISA-.docxlanagore871
 

Similar to Introduction to Security Management by Ashok Panwar (20)

2019 SANS Holiday Hack Challenge Deliverable
2019 SANS Holiday Hack Challenge Deliverable2019 SANS Holiday Hack Challenge Deliverable
2019 SANS Holiday Hack Challenge Deliverable
 
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAMINFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM
 
Module 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfModule 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdf
 
case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)
 
ISA.pdf
ISA.pdfISA.pdf
ISA.pdf
 
Utility Networks Agile Response Capabilities - New Context at EnergySec 2019
Utility Networks Agile Response Capabilities - New Context at EnergySec 2019Utility Networks Agile Response Capabilities - New Context at EnergySec 2019
Utility Networks Agile Response Capabilities - New Context at EnergySec 2019
 
Topic11
Topic11Topic11
Topic11
 
u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
 
risk assessment 27.docx
risk assessment 27.docxrisk assessment 27.docx
risk assessment 27.docx
 
Key Cybersecurity Risks and Mitigation Strategies in 2023 | The Enterprise World
Key Cybersecurity Risks and Mitigation Strategies in 2023 | The Enterprise WorldKey Cybersecurity Risks and Mitigation Strategies in 2023 | The Enterprise World
Key Cybersecurity Risks and Mitigation Strategies in 2023 | The Enterprise World
 
E’s Data Security Company Strategic Security Plan – 2015.docx
E’s Data Security Company Strategic Security Plan – 2015.docxE’s Data Security Company Strategic Security Plan – 2015.docx
E’s Data Security Company Strategic Security Plan – 2015.docx
 
Walls of Steel, Doors of Wood - Relevance of Application Security
Walls of Steel, Doors of Wood - Relevance of Application SecurityWalls of Steel, Doors of Wood - Relevance of Application Security
Walls of Steel, Doors of Wood - Relevance of Application Security
 
Capgemini Consulting Information Security Benchmarking 2017
Capgemini Consulting Information Security Benchmarking 2017Capgemini Consulting Information Security Benchmarking 2017
Capgemini Consulting Information Security Benchmarking 2017
 
Data breach-response-planning-laying-the-right-foundation
Data breach-response-planning-laying-the-right-foundationData breach-response-planning-laying-the-right-foundation
Data breach-response-planning-laying-the-right-foundation
 
PROTECTING YOUR BUSINESS AND CLIENT INFORMATION IN A DIGITAL WORLD - Mitch Ta...
PROTECTING YOUR BUSINESS AND CLIENT INFORMATION IN A DIGITAL WORLD - Mitch Ta...PROTECTING YOUR BUSINESS AND CLIENT INFORMATION IN A DIGITAL WORLD - Mitch Ta...
PROTECTING YOUR BUSINESS AND CLIENT INFORMATION IN A DIGITAL WORLD - Mitch Ta...
 
Icssea 2013 arrl_final_08102013
Icssea 2013 arrl_final_08102013Icssea 2013 arrl_final_08102013
Icssea 2013 arrl_final_08102013
 
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docxISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
ISE 510 Final Project Scenario Background Limetree Inc. is a resea.docx
 
2023 - IBM Cost of a Data Breach Report.pdf
2023 - IBM Cost of a Data Breach Report.pdf2023 - IBM Cost of a Data Breach Report.pdf
2023 - IBM Cost of a Data Breach Report.pdf
 
Cyber Security
Cyber SecurityCyber Security
Cyber Security
 
Information Security Assurance Capability Maturity Model (ISA-.docx
Information Security Assurance Capability Maturity Model (ISA-.docxInformation Security Assurance Capability Maturity Model (ISA-.docx
Information Security Assurance Capability Maturity Model (ISA-.docx
 

More from Ashok Panwar

Simulation and Performance Analysis of AODV using NS 2.34 by Ashok Panwar
Simulation and Performance Analysis of AODV using NS 2.34 by Ashok PanwarSimulation and Performance Analysis of AODV using NS 2.34 by Ashok Panwar
Simulation and Performance Analysis of AODV using NS 2.34 by Ashok PanwarAshok Panwar
 
Secure Routing with AODV Protocol for MANET by Ashok Panwar
Secure Routing with AODV Protocol for MANET by Ashok PanwarSecure Routing with AODV Protocol for MANET by Ashok Panwar
Secure Routing with AODV Protocol for MANET by Ashok PanwarAshok Panwar
 
Secure Mail Application's by Ashok Panwar
Secure Mail Application's by Ashok PanwarSecure Mail Application's by Ashok Panwar
Secure Mail Application's by Ashok PanwarAshok Panwar
 
Routing Protocols in MANET's by Ashok Panwar
Routing Protocols in MANET's by Ashok PanwarRouting Protocols in MANET's by Ashok Panwar
Routing Protocols in MANET's by Ashok PanwarAshok Panwar
 
Quality of Information and Malware by Ashok Panwar
Quality of Information and Malware by Ashok PanwarQuality of Information and Malware by Ashok Panwar
Quality of Information and Malware by Ashok PanwarAshok Panwar
 
Performance Analysis of AODV Protocol on Black-Hole Attack by Ashok Panwar
Performance Analysis of AODV Protocol on Black-Hole Attack by Ashok PanwarPerformance Analysis of AODV Protocol on Black-Hole Attack by Ashok Panwar
Performance Analysis of AODV Protocol on Black-Hole Attack by Ashok PanwarAshok Panwar
 
Network Management by Ashok Panwar
Network Management by Ashok PanwarNetwork Management by Ashok Panwar
Network Management by Ashok PanwarAshok Panwar
 
Firewalls & Trusted Systems by Ashok Panwar
Firewalls & Trusted Systems by Ashok PanwarFirewalls & Trusted Systems by Ashok Panwar
Firewalls & Trusted Systems by Ashok PanwarAshok Panwar
 
Ad-hoc Networks by Ashok Panwar
Ad-hoc Networks by Ashok PanwarAd-hoc Networks by Ashok Panwar
Ad-hoc Networks by Ashok PanwarAshok Panwar
 
Ad hoc On-demand Distance Vector (AODV) Routing Protocol by Ashok Panwar
Ad hoc On-demand Distance Vector (AODV) Routing Protocol by Ashok PanwarAd hoc On-demand Distance Vector (AODV) Routing Protocol by Ashok Panwar
Ad hoc On-demand Distance Vector (AODV) Routing Protocol by Ashok PanwarAshok Panwar
 
Ad-hoc networking with AODV
Ad-hoc networking with AODVAd-hoc networking with AODV
Ad-hoc networking with AODVAshok Panwar
 

More from Ashok Panwar (11)

Simulation and Performance Analysis of AODV using NS 2.34 by Ashok Panwar
Simulation and Performance Analysis of AODV using NS 2.34 by Ashok PanwarSimulation and Performance Analysis of AODV using NS 2.34 by Ashok Panwar
Simulation and Performance Analysis of AODV using NS 2.34 by Ashok Panwar
 
Secure Routing with AODV Protocol for MANET by Ashok Panwar
Secure Routing with AODV Protocol for MANET by Ashok PanwarSecure Routing with AODV Protocol for MANET by Ashok Panwar
Secure Routing with AODV Protocol for MANET by Ashok Panwar
 
Secure Mail Application's by Ashok Panwar
Secure Mail Application's by Ashok PanwarSecure Mail Application's by Ashok Panwar
Secure Mail Application's by Ashok Panwar
 
Routing Protocols in MANET's by Ashok Panwar
Routing Protocols in MANET's by Ashok PanwarRouting Protocols in MANET's by Ashok Panwar
Routing Protocols in MANET's by Ashok Panwar
 
Quality of Information and Malware by Ashok Panwar
Quality of Information and Malware by Ashok PanwarQuality of Information and Malware by Ashok Panwar
Quality of Information and Malware by Ashok Panwar
 
Performance Analysis of AODV Protocol on Black-Hole Attack by Ashok Panwar
Performance Analysis of AODV Protocol on Black-Hole Attack by Ashok PanwarPerformance Analysis of AODV Protocol on Black-Hole Attack by Ashok Panwar
Performance Analysis of AODV Protocol on Black-Hole Attack by Ashok Panwar
 
Network Management by Ashok Panwar
Network Management by Ashok PanwarNetwork Management by Ashok Panwar
Network Management by Ashok Panwar
 
Firewalls & Trusted Systems by Ashok Panwar
Firewalls & Trusted Systems by Ashok PanwarFirewalls & Trusted Systems by Ashok Panwar
Firewalls & Trusted Systems by Ashok Panwar
 
Ad-hoc Networks by Ashok Panwar
Ad-hoc Networks by Ashok PanwarAd-hoc Networks by Ashok Panwar
Ad-hoc Networks by Ashok Panwar
 
Ad hoc On-demand Distance Vector (AODV) Routing Protocol by Ashok Panwar
Ad hoc On-demand Distance Vector (AODV) Routing Protocol by Ashok PanwarAd hoc On-demand Distance Vector (AODV) Routing Protocol by Ashok Panwar
Ad hoc On-demand Distance Vector (AODV) Routing Protocol by Ashok Panwar
 
Ad-hoc networking with AODV
Ad-hoc networking with AODVAd-hoc networking with AODV
Ad-hoc networking with AODV
 

Recently uploaded

一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样ayvbos
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理AS
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsMonica Sydney
 
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...MOHANI PANDEY
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge GraphsEleniIlkou
 
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati  9332606886 HOT & SEXY Models beautiful and charmi...Local Call Girls in Gomati  9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...Sareena Khatun
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理F
 
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxResearch Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxi191686
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiMonica Sydney
 
一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理F
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书F
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查ydyuyu
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查ydyuyu
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsPriya Reddy
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtrahman018755
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Roommeghakumariji156
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...meghakumariji156
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理F
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制pxcywzqs
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdfMatthew Sinclair
 

Recently uploaded (20)

一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati  9332606886 HOT & SEXY Models beautiful and charmi...Local Call Girls in Gomati  9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
 
一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理一比一原版帝国理工学院毕业证如何办理
一比一原版帝国理工学院毕业证如何办理
 
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptxResearch Assignment - NIST SP800 [172 A] - Presentation.pptx
Research Assignment - NIST SP800 [172 A] - Presentation.pptx
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理一比一原版犹他大学毕业证如何办理
一比一原版犹他大学毕业证如何办理
 
一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书一比一原版贝德福特大学毕业证学位证书
一比一原版贝德福特大学毕业证学位证书
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 

Introduction to Security Management by Ashok Panwar

• 1. Computer Security and Cryptography
Didactic Material for Free Distribution
Introduction to Security Management
Presented By:- Ashok Panwar, Technical Officer in ECIL (NPCIL), Tarapur, Mumbai
• 2. Logical & Physical Data Protection
All data must be protected applying:
 Logical Security
◦ Use of protection tools for the information in the same environment in which it is generated or transmitted.
◦ Authentication protocols between client and server.
◦ Application of standards in networks, etc.
◦ Risk prevention measures must also be included in this chapter, through the setting up of security policies, contingency plans, the application of regulations, the current legislation, etc.
 Physical Security
◦ Procedures of physical protection of the system: staff access, fires, floods, earthquakes, etc.
Presented By:- Ashok Panwar Technical Officer in ECIL 5/2/2019 2
• 3. Physical Security in PC Environments
Things to consider in PC environments:
 Anchoring to desktops.
 Locks.
 Cards with alarm.
 Special adhesive labels.
 Floppy drive blocking.
 Keyboard protectors.
 Hardware access control card.
 Continuous power supply.
 Ground connection (GFCI).
 Elimination of static... etc.
• 4. Risk analysis: strategic plan
 It is the process of identifying and evaluating the risk of suffering an attack and the resulting loss of data, time and working hours, comparing it with the cost of preventing this event.
 Its analysis does not only lead to establishing an adequate security level, but also lets us know better the system that we are going to protect.
 You can download this tool that manages risk analysis from the link indicated below:
 http://www.csi.map.es/csi/pdf/magerit_ingles.pdf
• 5. Risk analysis information
 Information obtained in risk analysis:
◦ Precise determination of the sensitive resources in the organization.
◦ Identification of system threats.
◦ Identification of specific vulnerabilities in the system.
◦ Identification of possible losses.
◦ Identification of the probability that a loss happens.
◦ Derivation of effective countermeasures.
◦ Identification of security tools.
◦ Implementation of an efficient security system regarding costs and time.
• 6. Basic equation for risk analysis
Is B < P · L ?
◦ B: is the load or expense that the prevention of a specific loss due to a vulnerability means.
◦ P: is the probability that such vulnerability is exploited and that specific loss happens.
◦ L: is the impact or total cost that the specific loss due to the exploited vulnerability means.
• 7. How much shall we invest in security?
If B < P · L: a prevention measure must be implemented.
If B > P · L: a prevention measure is not necessary.
... At least mathematically. Nevertheless, an unforeseen accident, like the computing consequences in some companies after September the 11th, can always happen. However, it makes no sense to invest more money in the protection of an asset than its own total value.
• 8. Effectiveness of measure costs
 Measures and control tools must have a cost lower than the value of the possible losses and their impact if the risk we fear materializes.
 Basic law: the cost of the control should be less than the value of the asset protected. Something obvious that both managers and those responsible for the company's security should estimate adequately for their reality. In several cases, the real problem lies in the difficulty of estimating precisely the economic impact that the occurrence of such a risk may involve.
• 9. Factor L in the risk equation
Factor L (in B < P · L)
 The total impact factor L is difficult to evaluate. It includes damage to information and to machines, losses due to repairs, to the need to restart the system, losses due to working hours, etc.
 There will always be a part of subjective assessment.
 Data loss can lead to a loss of opportunities, due to the so-called cascade effect.
 There should be a specialized committee in the organization, internal or external, able to evaluate all the possible losses and to quantify them.
• 10. Factor P in the risk equation
Factor P (in B < P · L)
 Factor P is related to the determination of the total impact L and depends on the environment in which the possible loss occurs. As this value is difficult to quantify, such probability can be associated to a known tendency or frequency.
◦ Once P is known for a given L, the expected loss is obtained as the product P · L, which will be compared with B, the cost that implementing the respective prevention measure would mean.
• 11. Factor B in the risk equation
Factor B (in B < P · L)
 Indicates what is required in order to prevent a loss. For example, it can be the amount of money that we will allocate to mitigate the possible loss.
◦ Example: the prevention load needed so that a computing system minimizes the risk of its servers being attacked includes the adequate software and hardware installation, a firewall, an intrusion detection system, a secure network configuration, a tracking policy for access and passwords, qualified technical staff, etc. All these things amount to a specific quantity of money.
• 12. Quantification of protection
Is B < P · L ?
 How much protection is necessary?
◦ In our example: what network configuration to use, in which environment to work, what type of firewalls, etc. That will depend on the level of security that our company desires, thinks adequate, or that the market sets.
 How will we protect ourselves?
◦ A house can be protected with doors, locks, steel bars in windows, alarm systems, etc.
◦ In an information system we may apply physical protections, security policies, contingency and recovery plans, access control, firewalls, IDS, use of ciphers, authentication, signatures, secure gateways, etc.
• 13. Steps of a risk analysis
1. Identification of the cost of possible losses (L): identifying threats.
2. Determine susceptibility: the probability of loss (P).
3. Identification of possible actions (expenses) and their implications (B). Choosing actions to implement: is B < P · L ? The cycle is closed.
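The three steps above, carried through in code as an added example (this is not code from the deck): each risk gets a probability P and an impact L, each candidate control a cost B, and the decision follows the slides' rule B < P · L plus the cap from slide 7 that a control must never cost more than the asset it protects. The risk names, probabilities, losses and control costs are constructed for illustration.

```python
# Added worked example of the slides' B < P * L rule; not from the original deck.
# Every figure below is constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str            # threat or vulnerability being analysed
    P: float             # probability (e.g. per year) that the loss happens
    L: float             # total impact of that loss, in money units
    asset_value: float   # total value of the asset being protected


@dataclass(frozen=True)
class Control:
    name: str
    B: float             # cost of implementing the prevention measure


def expected_loss(risk: Risk) -> float:
    """P * L: the loss we expect from the risk if nothing is done."""
    if not 0.0 <= risk.P <= 1.0:
        raise ValueError(f"P must be a probability, got {risk.P}")
    return risk.P * risk.L


def decide(risk: Risk, control: Control) -> str:
    """Apply the rule of slides 6, 7 and 13.

    'implement'  : B < P * L, the control costs less than the expected loss
    'skip'       : B >= P * L, the control is not (mathematically) worth it
    'over-invest': B exceeds the asset's total value, which slide 7 rules out
                   regardless of the expected loss
    """
    if control.B > risk.asset_value:
        return "over-invest"
    if control.B < expected_loss(risk):
        return "implement"
    return "skip"


def plan(pairs):
    """Run the B < P * L decision over a list of (risk, control) pairs."""
    return [(r.name, c.name, round(expected_loss(r), 2), c.B, decide(r, c))
            for r, c in pairs]


# Constructed portfolio: three risks, each with one candidate control.
PAIRS = [
    (Risk("server compromise", P=0.20, L=50_000, asset_value=120_000),
     Control("firewall + IDS + hardening", B=8_000)),
    (Risk("office break-in", P=0.01, L=20_000, asset_value=20_000),
     Control("extra locks on PCs", B=500)),
    (Risk("loss of a test laptop", P=0.30, L=2_000, asset_value=2_000),
     Control("encrypted backup service", B=3_000)),
]

if __name__ == "__main__":
    for row in plan(PAIRS):
        print("{:<22} {:<28} P*L={:>9} B={:>6}  -> {}".format(*row))
```

The "over-invest" branch is the part practitioners most often forget: a control that is cheaper than the expected loss can still be irrational when it costs more than the asset is worth, which is exactly the caveat slide 7 adds to the bare inequality.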
• 14. Some security policies
• Administrative policies – administrative procedures.
• Access control policies – access privileges of the user or program.
• Information flow policies – rules under which individuals communicate with each other in the system.
• 15. Administrative aspects
• Administrative policies
– Administrative procedures are established in the organization, for example in program development: modularity in applications, systematic review, etc.
– Shared responsibilities for all users are established, each one at its own level.
– This follows on from the awareness stage.
• 16. Access control
• Access control policies
– Least privilege policy
• Strict access to determined objects, with minimum privileges for the users.
– Sharing policy
• Maximum privilege access, in which every user can access all objects.
– Granularity
• Number of accessible objects. We speak then of coarse and fine granularity.
• 17. Flow control policies
• Flow control policies
– Information that is accessed, sent and received by:
• Clear channels or hidden (covert) channels? Secure or not?
– What aspect must be promoted?
• Confidentiality or integrity?
• Availability? ... Non-repudiation?
• Depending on every organization, its working environment and the services offered, differences will exist. In some systems some will have priority over others, according to how secret the information is.
• 18. Security models
• Bell-LaPadula model (BLP)
– Rigid, confidentiality-oriented, with authority.
• Clark-Wilson model (CW)
– Commercial orientation: integrity.
• Take-Grant model (TG)
– Special rights: to take and to grant.
• Others: Goguen-Meseguer model (non-interference between users); access matrix model (states and transitions between states: Graham-Denning type; Harrison-Ruzzo-Ullman type), Biba, Chinese Wall, etc.
They will be briefly defined on the next slides.
• 19. Bell-LaPadula model BLP
• Writing downwards is forbidden.
• Reading upwards is forbidden.
• This is known as the principle of tranquility.
[Figure: a user enabled with a Secret clearance between the levels Maximum secret, Secret and Unclassified; arrows labelled "No reading upwards" and "No writing downwards".]
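The two BLP rules on the slide, as an added example (not code from the deck): a small reference monitor compares a subject's clearance with an object's classification and refuses reads upwards and writes downwards, logging every decision. The level names, the subject "alice" and the three documents are constructed for illustration; the monitor allows writes to a higher level, which is what the strict no-write-down rule permits.

```python
# Added example of the two Bell-LaPadula rules from the slide; not code from the deck.
# Level names, the subject and the objects are constructed for illustration.
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    SECRET = 1
    TOP_SECRET = 2      # the slide's "Maximum secret"


class ReferenceMonitor:
    """Mediates every read/write and refuses the two forbidden directions."""

    def __init__(self, clearances, classifications):
        self.clearances = clearances            # subject -> Level
        self.classifications = classifications  # object  -> Level
        self.audit = []                         # constructed audit trail

    def _log(self, subject, op, obj, granted):
        verdict = "granted" if granted else "DENIED"
        self.audit.append(f"{subject} {op} {obj}: {verdict}")
        return granted

    def can_read(self, subject, obj):
        # Simple security property: no reading upwards.
        ok = self.clearances[subject] >= self.classifications[obj]
        return self._log(subject, "read", obj, ok)

    def can_write(self, subject, obj):
        # *-property: no writing downwards.
        ok = self.clearances[subject] <= self.classifications[obj]
        return self._log(subject, "write", obj, ok)


# The slide's scenario: a user cleared for Secret, objects at all three levels.
MONITOR = ReferenceMonitor(
    clearances={"alice": Level.SECRET},
    classifications={"top_secret_doc": Level.TOP_SECRET,
                     "secret_doc": Level.SECRET,
                     "public_doc": Level.UNCLASSIFIED},
)


def demo():
    """Exercise every direction once; the two DENIED cases are the slide's arrows."""
    return {
        "read_up":    MONITOR.can_read("alice", "top_secret_doc"),   # False
        "read_same":  MONITOR.can_read("alice", "secret_doc"),       # True
        "read_down":  MONITOR.can_read("alice", "public_doc"),       # True
        "write_up":   MONITOR.can_write("alice", "top_secret_doc"),  # True
        "write_same": MONITOR.can_write("alice", "secret_doc"),      # True
        "write_down": MONITOR.can_write("alice", "public_doc"),      # False
    }


if __name__ == "__main__":
    demo()
    print("\n".join(MONITOR.audit))
```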
• 20. Clark-Wilson model CW
• It is based on integrity policies
– Constrained (restricted) data items.
• A consistency check must be done over these.
– Unconstrained (non-restricted) data items.
– Transformation procedures.
• They handle both kinds of items.
– Integrity verification procedures.
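The four Clark-Wilson elements from the slide, wired together as an added example (not code from the deck): constrained data items can only be changed by certified transformation procedures, users are authorised per (user, procedure, item) triple, unconstrained input is validated by the procedure, and the integrity verification procedures are re-run after every transformation, rolling back if any invariant breaks. The account balances, the "transfer" procedure, the users and the invariants are constructed for illustration.

```python
# Added example of the Clark-Wilson elements named on the slide; not code from the deck.
# The account balances, procedures and users below are constructed.
import copy


class ClarkWilson:
    """CDIs may only change through certified TPs, and every TP run must leave the IVPs true."""

    def __init__(self, cdis):
        self.cdis = dict(cdis)   # constrained data items: name -> value
        self.tps = {}            # certified transformation procedures
        self.ivps = []           # integrity verification procedures
        self.triples = set()     # (user, tp, cdi) authorisations
        self.log = []            # append-only record of successful TP runs

    def certify_tp(self, name, fn):
        self.tps[name] = fn

    def add_ivp(self, fn):
        self.ivps.append(fn)

    def authorise(self, user, tp, *cdis):
        for c in cdis:
            self.triples.add((user, tp, c))

    def verify(self):
        """Run every IVP over the current CDIs."""
        return all(ivp(self.cdis) for ivp in self.ivps)

    def execute(self, user, tp, cdis, udi):
        """Run a TP on behalf of a user; `udi` is unconstrained input the TP must validate."""
        if tp not in self.tps:
            return "rejected: uncertified procedure"
        if any((user, tp, c) not in self.triples for c in cdis):
            return "rejected: user not authorised for this TP/CDI"
        before = copy.deepcopy(self.cdis)
        try:
            self.tps[tp](self.cdis, *cdis, udi)
        except ValueError as err:
            self.cdis = before
            return f"rejected: {err}"
        if not self.verify():
            self.cdis = before           # roll back a TP that broke an invariant
            return "rejected: integrity verification failed"
        self.log.append((user, tp, cdis, udi))
        return "ok"


def transfer(cdis, src, dst, udi):
    """Certified TP: validates the UDI (a raw amount string) and moves the money."""
    try:
        amount = int(udi)
    except (TypeError, ValueError):
        raise ValueError("amount is not an integer")
    if amount <= 0:
        raise ValueError("amount must be positive")
    cdis[src] -= amount
    cdis[dst] += amount


def build_bank():
    """Constructed system: two accounts, one certified TP, two IVPs, one authorised teller."""
    bank = ClarkWilson({"acct_a": 100, "acct_b": 50})
    bank.certify_tp("transfer", transfer)
    bank.add_ivp(lambda d: sum(d.values()) == 150)          # money is conserved
    bank.add_ivp(lambda d: all(v >= 0 for v in d.values()))  # no overdrafts
    bank.authorise("teller", "transfer", "acct_a", "acct_b")
    return bank
```

Note that the overdraft case is caught by the IVP, not by the TP: the transfer itself is arithmetically fine, so it is the post-run verification and rollback that keeps the constrained data consistent.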
• 21. Take-Grant model TG
• It describes the system through directed graphs:
– a vertex is an object or a subject.
– an arc is a right.
• It takes care only of those rights that can be transferred.
 Every security policy is intended to strengthen some property of the information. Given that this chapter is only an introduction, readers interested in these themes are referred to the bibliography that can be found on the Internet.
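The Take-Grant graph from the slide, as an added example (not code from the deck): vertices are subjects or objects, arcs carry sets of rights, and the two special rights t (take) and g (grant) are the only way rights move between vertices. The vertex names and the initial rights are constructed for illustration; the rule methods return False and leave the graph unchanged when a precondition is missing, which is the check an implementer needs.

```python
# Added example of the Take-Grant graph rules; not code from the deck.
# Vertices and rights below are constructed.
from collections import defaultdict


class TakeGrantGraph:
    """Directed graph: vertices are subjects or objects, arcs carry sets of rights."""

    def __init__(self):
        self.subjects = set()
        self.objects = set()
        self.arcs = defaultdict(set)   # (src, dst) -> {rights}

    def add_subject(self, name):
        self.subjects.add(name)

    def add_object(self, name):
        self.objects.add(name)

    def add_right(self, src, dst, right):
        known = self.subjects | self.objects
        if src not in known or dst not in known:
            raise KeyError("unknown vertex")
        self.arcs[(src, dst)].add(right)

    def has(self, src, dst, right):
        return right in self.arcs.get((src, dst), set())

    def take(self, s, x, y, right):
        """Take rule: s holds 't' over x and x holds `right` over y => s gains `right` over y.
        Only a subject can exercise a rule; returns False (no change) if a precondition fails."""
        if s not in self.subjects or not self.has(s, x, "t") or not self.has(x, y, right):
            return False
        self.arcs[(s, y)].add(right)
        return True

    def grant(self, s, x, y, right):
        """Grant rule: s holds 'g' over x and s holds `right` over y => x gains `right` over y."""
        if s not in self.subjects or not self.has(s, x, "g") or not self.has(s, y, right):
            return False
        self.arcs[(x, y)].add(right)
        return True

    def rights_of(self, src):
        """Every right src currently holds, as {dst: {rights}}."""
        return {dst: set(r) for (a, dst), r in self.arcs.items() if a == src and r}


def build_graph():
    """Constructed scenario: admin can take from svc, svc reads a log file, admin can grant to intern."""
    g = TakeGrantGraph()
    for s in ("admin", "svc", "intern"):
        g.add_subject(s)
    g.add_object("logfile")
    g.add_right("admin", "svc", "t")
    g.add_right("svc", "logfile", "r")
    g.add_right("admin", "intern", "g")
    return g


if __name__ == "__main__":
    g = build_graph()
    g.take("admin", "svc", "logfile", "r")      # admin pulls svc's read right
    g.grant("admin", "intern", "logfile", "r")  # admin passes it on to intern
    print(g.rights_of("intern"))
```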
  • 22. Criteria and security normatives • Evaluation Criteria TSEC – Trusted Computer System Evaluation Criteria, also known as Orange Book. • Evaluation Criteria ITSEC – Information Technology Security Evaluation Criteria. • Evaluation Criteria CC – Common Criteria: it includes both previous. • International normative 17799 – It develops a protocol with minimum security conditions with a wide espectre.  You'll find an interesting reading about Common Criteria applications on the documents below http://niap.bahialab.com/cc-scheme/  Presented By:- Ashok Panwar Technical Officer in ECIL 5/2/2019 22
  • 23. Laws about computing security in Spain • In the Real Decree 994/1999 (June, 11th) about “Security Measures on automated files that contain personal character data” functions for the Security Responsible are defined. • Organic Data Protection Law (in spanish LOPD) is developed in Spain in December, 1999, and is applied since 2002. • An Agency for the Data Protection ADP is created to watch over the execution of this law through the realization of auditories, at least every two years. The ADP is formed by 9 people. • Functions and obligations for the File Responsible and for the person In Charge of Treatment. • Infractions are classified as slight, serious and very serious with sanctions of 60.000 €, 300.000 € and 600.000 € each one. • It stablishes a set of obligatory execution procedures so that besides protecting people´s privacity, the principles of physical and logical security in information technologies are carried out. http://www.agpd.es/index.php?idSeccion=77 Link to the Spanish Data Protection Agency: Presented By:- Ashok Panwar Technical Officer in ECIL 5/2/2019 23
24. Levels of responsibility in security
 • Data controller (file responsible): the entity, institution or legal person that owns the personal data and must therefore ensure its security.
 • Data processor (responsible for processing): the previous entity may itself handle the data (management, backups, etc.), or this task may be carried out by another company; hence the distinction between the two roles.
 • Security officer: the person(s) to whom the data controller has formally assigned the function of coordinating and controlling the applicable security measures.

25. Responsibilities under the LOPD
 • Article 9: Security of data.
   – The data controller and, where applicable, the data processor must adopt the technical and organisational measures needed to guarantee the security of the personal data and to prevent its alteration, loss, unauthorised processing or unauthorised access, taking into account the state of the art, the nature of the data stored and the risks to which it is exposed, whether from human action or from the physical or natural environment.
 Keeping up with the "state of the art" and knowing every kind of "risk" is a real headache for the security officer.
 https://www.agpd.es/upload/Canal_Documentacion/legislacion/Estatal/Ley%2015_99.pdf

26. Security levels in RD 994/1999
 • Basic level: all files containing personal data must adopt the security measures classified as basic level.
 • Medium level: files containing data on the commission of criminal or administrative offences, the Public Treasury, financial services, etc. must adopt, besides the basic-level measures, those classified as medium level.
 • High level: files containing data on ideology, religion, beliefs, racial origin, health or sexual life, as well as those containing data collected for police purposes without the consent of the persons concerned, must adopt, besides the basic- and medium-level measures, those classified as high level.
 The measures referred to can be consulted at the Spanish Data Protection Agency link: https://www.agpd.es/upload/Canal_Documentacion/legislacion/Estatal/A.8%29%20Real%20Decreto%20994-1999.pdf

27. LOPD: some minor infractions
 • Failing, on formal grounds, to attend to a data subject's request for rectification or cancellation of the processing of his or her personal data when this is legally required.
 • Failing to provide information requested by the Data Protection Agency in the exercise of its legal powers, in relation to non-substantive aspects of data protection.
 • Failing to request the registration of the personal data file in the General Data Protection Register, where this does not constitute a serious infraction.
 • Collecting personal data from the persons concerned without providing them with the information referred to in Article 5 of the Law.

28. LOPD: some serious infractions
 • Creating publicly owned files, or starting the collection of personal data for them, without authorisation by a general provision published in the "Official State Gazette" (BOE) or the corresponding official journal.
 • Creating privately owned files, or starting the collection of personal data for them, for purposes other than those that constitute the legitimate object of the company or entity.
 • Collecting personal data without obtaining the express consent of the persons concerned, in the cases where this is required.
 • Keeping files, premises, programs or equipment containing personal data without the security conditions laid down by regulation.

29. LOPD: some very serious infractions
 • Collecting data in a deceitful or fraudulent way.
 • Communicating or transferring personal data outside the cases in which this is permitted.
 • Transferring, temporarily or permanently, personal data that has been processed or collected for processing to countries that do not provide an equivalent level of protection, without authorisation from the Director of the Data Protection Agency.
 • Processing personal data illegitimately or in disregard of the applicable principles and guarantees, when this violates fundamental rights.

30. Standard ISO 17799 (UNE-ISO/IEC)
 • It presents norms, criteria and basic recommendations for establishing security policies.
 • These range from physical security concepts to logical security concepts.
 • It derives from a standard drafted by the BSI (British Standards Institution) and adopted by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
 • A document of about 70 pages, not freely distributed.
 http://www.computersecuritynow.com/

31. Areas covered by standard ISO 17799
 It is a code of good practice for Information Security Management.
 • Background
 • Introduction
 • Object and field of application
 • Terms and definitions
 • Security policy
 • Organisational security
 • Asset classification and control
 • Personnel security
 • Physical and environmental security
 • Communications and operations management
 • Access control
 • Systems development and maintenance
 • Business continuity management
 • Compliance

32. History of standard ISO 17799
 Reference: "Information Security Management: UNE 71502, ISO 17799". Author: Antonio Villalón, September 2004, Spain.

33. Contingency plans
 • A contingency plan consists of a detailed study and analysis of the areas that make up the organisation, and serves to establish a recovery policy in case of disaster.
   – It contains the company's strategic data, set down in a document so that they can be protected in case of eventualities.
 • Besides increasing security, with a strategic plan the company also gains a better knowledge of its strengths and weaknesses.
 • Without one, it is exposed to losses far more expensive than the implementation of the plan.

34. Natural disasters and prevention
 • Natural disasters
   ◦ Hurricane
   ◦ Storm
   ◦ Flood
   ◦ Tornado
   ◦ Gale
   ◦ Fire
   ◦ Earthquake
   ◦ Others
 • Prevention measures
   ◦ Suitable locations
   ◦ Protection of walls, windows and doors

35. Computer vandalism and prevention
 • Threats
   ◦ Terrorism
   ◦ Sabotage
   ◦ Theft
   ◦ Viruses
   ◦ Blackmail
   ◦ Malware
 • Prevention measures
   ◦ Reinforcement of entrances
   ◦ Security guard
   ◦ Security patrols
   ◦ Closed-circuit television
   ◦ Physical access control
   ◦ Protection of software and hardware with antivirus, firewalls, intrusion detection, etc.
   ◦ Monitoring of compliance with the company's security policies.

36. Water threats and prevention
 • Threats
   ◦ Floods due to causes within the company
   ◦ Floods due to external causes
   ◦ Small personal incidents (the usual water bottle or cup of coffee spilled on a keyboard...)
 • Prevention measures
   ◦ Check water pipes
   ◦ Locate the room with the most expensive machines where these problems cannot occur
   ◦ Install emergency drainage systems
   ◦ Raise employee awareness

37. Fire threats and prevention
 This is the most feared threat because of its fast destructive power.
 • Threats
   ◦ Poor electrical installation
   ◦ Personal carelessness such as smoking in computer rooms
   ◦ Badly placed waste baskets into which lit cigarettes are thrown
   ◦ Susceptibility of the equipment to smoke
 • Prevention measures
   ◦ Smoke detectors
   ◦ Fire-resistant materials
   ◦ Paper storage separated from the machines
   ◦ Raised (false) floor
   ◦ Regularly inspected extinguishers

38. What happens in case of catastrophe?
 • Companies nowadays depend on their computer systems and the data stored in them (payrolls, clients, invoices, ...).
 • They also depend increasingly on communications over networks.
 • If the computer system fails and cannot be recovered, the company may disappear, because it does not have enough time to get back into the market with any expectation of success, even if it keeps its entire staff.

39. Recovery time after disasters
 • According to several studies, the maximum period of inactivity a company can bear without putting its survival at risk is:
   ◦ Insurance sector: 5.6 days
   ◦ Manufacturing sector: 4.9 days
   ◦ Industrial sector: 4.8 days
   ◦ Distribution sector: 3.3 days
   ◦ Financial sector: 2.0 days
 • If we are told that our bank has security problems and we cannot operate our accounts, most probably we will switch to another bank the next day.

40. Losses from not having a strategic plan
 • Loss of clients.
 • Loss of image.
 • Loss of income from profits.
 • Loss of income from sales and payments.
 • Loss of income from production.
 • Loss of competitiveness in the market.
 • Loss of credibility in the sector.

41. Basic measures in case of disaster
 • Emergency plan
   ◦ Lives, the injured, assets, evacuation of personnel.
   ◦ Inventory of the resources affected by the disaster.
   ◦ Evaluate the cost of inactivity.
 • Recovery plan
   ◦ Actions aimed at returning to the situation that existed before the disaster.

42. Alternatives for the continuity plan
 • Alternative facilities
   ◦ Own service bureau
   ◦ Agreement with a hardware and software supplier
   ◦ Reciprocal agreement between two or more companies
   ◦ Cold site: an empty room of one's own, ready to receive equipment
   ◦ Hot site: a fully equipped centre
   ◦ Mobile unit: caravan or trailer
   ◦ Mirror site: a twin centre
 Some solutions can be very expensive. The choice will therefore depend on the criticality of the continuity plan.

43. Questions and exercises (1 of 2)
 1. What is a risk analysis and what does carrying one out involve?
 2. Explain the meaning of the inequalities B > PL and B ≤ PL.
 3. After a study we obtain B > PL. Can we be completely at ease if we do not apply any prevention measure?
 4. Explain what the factors L and P mean in the inequality B > PL.
 5. What are the steps to follow in a risk analysis according to the factors of the inequality B > PL?
 6. In some information management systems confidentiality matters most, while in others it is integrity. Give some examples where this can be observed. What do you think about an electronic transaction?
 7. Comment on the Bell-LaPadula security model. Why is it associated with the tranquility principle?

44. Questions and exercises (2 of 2)
 8. You are the security officer and you detect that an employee is stealing confidential information. What would your reaction be?
 9. What losses can a company suffer if it does not have an adequate contingency plan and a disaster occurs?
 10. What is a contingency plan and why is it so important?
 11. Our business is partly distribution and partly finance. Is it strategic to have a contingency plan here?
 12. What solutions do we have so that a bank is not affected by a disaster and can keep working with its clients with a low or minimal recovery time? What would it cost?
 13. Can extreme situations such as the incident at the Twin Towers be foreseen? In what type of companies or institutions must this type of incident be taken into account? In a company that sells cars?

Editor's Notes

  1. Chapter 5: Introduction to Security Management