Information Security vs IT - Key Roles & ResponsibilitiesKroll
Marc Brawner is a Principal with Kroll's Cyber Security & Investigations team. In this presentation to the Tennessee Bankers Association, Marc explains the key roles & responsibilities of the information security and information technology teams for increased cyber security
** CyberSecurity Certification Training: https://www.edureka.co/cybersecurity-certification-training **
This Edureka tutorial on "Cybersecurity Frameworks" will help you understand why and how the organizations are using the cybersecurity framework to Identify, Protect and Recover from cyber attacks.
Cybersecurity Training Playlist: https://bit.ly/2NqcTQV
Secrets to managing your Duty of Care in an ever- changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for Cybersecurity attacks sits with Executives and Board members who may not have the right level of technical security knowledge. This session will outline what practical steps executives can take to implement a Cybersecurity Roadmap that is aligned with its strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
Cyber Security Awareness Session for Executives and Non-IT professionalsKrishna Srikanth Manda
Cyber Security Awareness Session conducted by Lightracers Consulting, for Management and non-IT employees. In this learning presentation, we will look at - What is Cyber Crime, Types of Cyber crime, What is Cyber Security, Types of Threats, Social Engineering techniques, Identifying legitimate and secure websites, Protection measures, Cyber Law in India followed by a small quiz.
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
What is ISO 27005? How is an ISO 27005 Risk Assessment done effectively? Find out in this presentation delivered at the ISACA Bangalore Chapter Office by Dharshan Shanthamurthy.
A to Z of Information Security ManagementMark Conway
The purpose of information security is to protect an organisation’s valuable assets, such as information, Intellectual property, hardware, and software.
Through the selection and application of appropriate safeguards or controls, information security helps an organisation to meet its business objectives by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets.
In this A to Z I’d like to outline some of the key focus areas for organisations wishing to pursue compliance to the ISO27001 Information Security standard.
WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW
BEFORE, DURING AND AFTER AN ATTACK
View the webinar:
https://www2.fireeye.com/The_Board_and_CyberSecurity_webinar_EMEA.html?utm_source=SS
Download the full report:
https://www2.fireeye.com/WEB-2015-The-Cyber-Security-Playbook.html?utm_source=SS
These are slides from a local security chapter meetup. Here I tried to explain the challenges in appsec and a complete framework for the different stages of the secure software development life cycle.
The presentation is about information risk management. It covers information threats, risks, vulnerabilities and importance of risk assessment for information security for software companies in India.
http://www.ifour-consultancy.com
The Security Policy Management Maturity Model: How to Move Up the CurveAlgoSec
Rising network complexity and increased demands on business agility are rapidly hindering the traditional approach to managing security policies. The Security policy management maturity model can help you better understand your current network environment and provide you with a roadmap for improving both your security AND agility. Learn:
- The four stages of the maturity model
- How to compare your environment to the different stages
- Tips for orchestrating security policy management
- Real-life examples of benefits achieved by "moving up the curve"
12.1 Security Awareness, Training, and Education
12.2 Polices and Employment Practices
12.3 E-Mail and Internet Use Policies
12.4 Computer Security Incident Response Teams
Information security management best practiceparves kamal
ISO 17799 is an internationally recognized Information Security Management Standard, first published by the International Organization for Standardization, or ISO (www.iso.ch), in December 2000.
'Protecting Your Information Assets' is Nugget 2 in the series 'Cyber Security Awareness Month 2017'. You must have a clear understanding of the ideal security measure for protecting your Assets.....
01Introduction to Information Security.pptit160320737038
A distributed system is a collection of computer programs that utilize computational resources across multiple, separate computation nodes to achieve a common, shared goal. Distributed systems aim to remove bottlenecks or central points of failure from a system.
The IoT Era Begins
Components of IoT-Enabled Things
IoT Reference model
IoT Security
IoT Security & Privacy Req. defined by ITU-T
An IoT Security Framework
IoT Security Challenges
Internet of Things - Liability
IoT security tools
MEANING OF RESEARCH
OBJECTIVES OF RESEARCH
CHARACTERISTICS OF RESEARCH
CRITERIA OF A GOOD RESEARCH
QUALITIES OF GOOD RESEARCH
RESEARCH MOTIVATIONS
TYPES OF RESEARCH
PROBLEMS IN RESEARCH
RESEARCH APPROACHES
RESEARCH PROCESS
LITERATURE REVIEW
HYPOTHESIS
CRITERIA OF GOOD RESEARCH
PROBLEMS ENCOUNTERED BY RESEARCHER
Symmetric encryption and message confidentialityCAS
Symmetric Encryption Principles
Data Encryption Standard
Advanced Encryption Standard
Stream Ciphers and RC4
Cipher Block Modes of Operation
Key Distribution
1 Symmetric Encryption
2 Message Authentication and Hash Functions
3 Public-Key Encryption
4 Digital Signatures and Key Management
5 Random and Pseudo random Numbers
6 Practical Application: Encryption of Stored Data
7 Symmetric vs Asymmetric
What is communication?
Communicating with individuals .
1. Letters
2. Telegrams
3. Telephones
4. Fax
5. Email
6. Smart Phones
Mass Communication
1. Printing
2. Radio
3. Television
4. The Internet
5. Social Engineering
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
DevOps and Testing slides at DASA ConnectKari Kakkonen
Rik Marselis' and my slides from the DASA Connect conference on 30.5.2024. We discuss what testing is, then what agile testing is, and finally what testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
The new frontiers of AI in RPA with UiPath Autopilot™UiPathCommunity
In this free online event, organized by the Italian UiPath Community, you can explore the new features of Autopilot, the tool that integrates Artificial Intelligence into the development and use of Automations.
📕 Together we will look at some examples of using Autopilot in various tools of the UiPath Suite:
Autopilot for Studio Web
Autopilot for Studio
Autopilot for Apps
Clipboard AI
GenAI applied to Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
IT security controls, plans, and procedures
IT SECURITY CONTROLS, PLANS, AND PROCEDURES
ITSY3104 COMPUTER SECURITY - A - LECTURE 11 - IT SECURITY CONTROLS, PLANS, AND PROCEDURES
Mr. RAJASEKAR RAMALINGAM
Department of IT, College of Applied Sciences, Sur.
Sultanate of Oman.
http://vrrsekar.wixsite.com/raja
Based on William Stallings, Lawrie Brown, Computer Security: Principles and Practice, Third Edition
CONTENT
11.1 IT Security Management Implementation
11.2 Security Controls or Safeguards
11.3 IT Security Plan
11.4 Implementation of Controls
11.5 Monitoring Risks
11.1 IT Security Management Implementation
11.2 Controls or Safeguards
• Controls or safeguards are
– practices, procedures or mechanisms which may protect against a threat, reduce a vulnerability, limit the impact of an unwanted incident, detect unwanted incidents and facilitate recovery
• Classes of controls:
– management
– operational
– technical
11.2.2 Lists of Controls
Control families grouped by class (the control families of NIST SP 800-53):
Management class
– Risk Assessment
– Planning
– System and Services Acquisition
– Certification, Accreditation, and Security Assessments
Operational class
– Personnel Security
– Physical and Environmental Protection
– Contingency Planning
– Configuration Management
– Maintenance
– System and Information Integrity
– Media Protection
– Incident Response
– Awareness and Training
Technical class
– Identification and Authentication
– Access Control
– Audit and Accountability
– System and Communications Protection
11.2.4 Cost-Benefit Analysis
• conducted to determine the appropriate controls
– those giving the greatest benefit for the resources available
• may be qualitative or quantitative
• must show that the cost of a control is justified by the reduction in risk it achieves
• contrasts the impact of implementing the control with the impact of not implementing it
• management then chooses the selection of controls
• considering whether the selection reduces risk too much or not enough, is too costly or is appropriate
• fundamentally a business decision
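The slide lists the criteria for the decision but not how the numbers are compared. The following is an added example, not part of the lecture or of Stallings' text: it uses the standard quantitative formula ALE = SLE * ARO (annualised loss expectancy = single loss expectancy * annualised rate of occurrence, assumed here as the quantitative method) and treats a control as cost-justified when the ALE it removes exceeds its annual cost. The risk figures, control names, costs and reduction factors are constructed for illustration, and the greedy selection is one way of making the "not enough / too costly" judgement on the slide explicit.

```python
"""Quantitative cost-benefit analysis for selecting controls.

Added example, not from the lecture.  It assumes the standard quantitative
risk formula ALE = SLE * ARO (annualised loss expectancy) and treats a
control as justified when the ALE it removes exceeds its annual cost.
All figures below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float      # single loss expectancy: cost of one occurrence
    aro: float      # annualised rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    sle_factor: float = 1.0   # fraction of the loss per event that remains
    aro_factor: float = 1.0   # fraction of the event rate that remains


def residual_risk(risk: Risk, controls: list) -> Risk:
    """Risk left after applying the controls.  Factors combine multiplicatively,
    a simplification that assumes the controls act independently."""
    sle, aro = risk.sle, risk.aro
    for c in controls:
        sle *= c.sle_factor
        aro *= c.aro_factor
    return Risk(risk.name, sle, aro)


def net_benefit(risk: Risk, control: Control) -> float:
    """Annual ALE reduction minus annual cost; positive means cost-justified."""
    return risk.ale - residual_risk(risk, [control]).ale - control.annual_cost


def select_controls(risk: Risk, candidates: list, budget: float) -> list:
    """Greedy selection: repeatedly take the control with the largest marginal
    net benefit against the *current* residual risk, stopping when no remaining
    control pays for itself or the budget is exhausted.  Recomputing after each
    pick matters because a second control only acts on what the first left."""
    chosen, remaining, spent = [], list(candidates), 0.0
    while remaining:
        current = residual_risk(risk, chosen)
        best = max(remaining, key=lambda c: net_benefit(current, c))
        if net_benefit(current, best) <= 0 or spent + best.annual_cost > budget:
            break
        chosen.append(best)
        remaining.remove(best)
        spent += best.annual_cost
    return chosen


# Constructed figures: compromise of the Internet router from the plan example.
ROUTER_RISK = Risk("hacker attack on Internet router", sle=50_000.0, aro=0.5)   # ALE 25,000 per year

CANDIDATES = [
    Control("disable external telnet access", annual_cost=1_500.0, aro_factor=0.4),
    Control("detailed auditing of privileged commands", annual_cost=4_000.0, sle_factor=0.6),
    Control("router config backup strategy", annual_cost=500.0, sle_factor=0.8),
    Control("24x7 outsourced monitoring service", annual_cost=40_000.0, aro_factor=0.2),
]


def decision(budget: float = 10_000.0):
    """Returns (names of selected controls, residual ALE, names rejected as not justified)."""
    chosen = select_controls(ROUTER_RISK, CANDIDATES, budget)
    rejected = [c.name for c in CANDIDATES if c not in chosen]
    return [c.name for c in chosen], residual_risk(ROUTER_RISK, chosen).ale, rejected


if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c.name:45} net benefit alone: {net_benefit(ROUTER_RISK, c):>10,.0f}")
    names, residual, rejected = decision()
    print("selected:", names, f"residual ALE {residual:,.0f}", "rejected:", rejected)
```

With these figures the monitoring service is rejected outright (it removes less loss per year than it costs), and command auditing, which pays for itself on its own, no longer does once the telnet change has already cut the event rate: the second pick is judged against the residual risk, not the original one.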
11.3 IT Security Plan
• provides details of
– what will be done
– what resources are needed
– who is responsible
• should include
– risks, recommended controls, action priority
– selected controls, resources needed
– responsible personnel, implementation dates
11.4 Implementation Plan
One row of an example implementation plan (columns: risk (asset/threat), level of risk, recommended controls, priority, selected controls, required resources, responsible persons, start – end date, other comments):

Risk (asset/threat): hacker attack on Internet router
Level of risk: High
Recommended controls:
1. disable external telnet access
2. use detailed auditing of privileged command use
3. set policy for strong admin passwords
4. set backup strategy for router config file
5. set change control policy for the router configuration
Priority: 1
Selected controls: 1, 2, 3, 4, 5 (all of the recommended controls)
Required resources:
1. 3 days of IT net admin time to change & verify router config, write policies;
2. 1 day of training for net admin staff
Responsible persons: John Doe, Lead Network Sys Admin, Corporate IT Support Team
Start – end date: 1-Feb-2006 to 4-Feb-2006
Other comments: 1. need periodic test & review of config & policy use
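The plan row above names the selected controls but not how an auditor later confirms they were implemented (11.4.1 says implementation is monitored, and 11.4.5 checks compliance against the plan by checklist). The following added example, not from the lecture, encodes the five selected controls as checks over a router configuration in Cisco IOS-style syntax (an assumption about the device; both sample configurations are constructed, not taken from any real router) and reports, per control, whether it is implemented, missing, or needs manual evidence because it is a policy rather than a device setting.

```python
"""Compliance check of the router hardening controls selected in the plan.

Added example, not part of the lecture.  The configuration syntax is
Cisco IOS-style (an assumption about the device); both sample configs
are constructed for this example.  Controls 1-4 can be checked on the
device; control 5 (a change control policy) needs documentary evidence
and is reported as a manual check.
"""
import re

# Constructed config: the state the plan expects after the 4-Feb-2006 change.
COMPLIANT_CONFIG = """\
hostname edge-rtr-1
service password-encryption
enable secret 5 $1$xyz$constructedhashvalue
aaa new-model
aaa accounting commands 15 default start-stop group tacacs+
archive
 path flash:/config-backup
 write-memory
line con 0
 login authentication default
line vty 0 4
 transport input ssh
 login authentication default
"""

# Constructed config: the state before the plan was implemented.
BEFORE_CONFIG = """\
hostname edge-rtr-1
enable password cisco123
line vty 0 4
 transport input telnet ssh
 password cisco123
 login
"""

IMPLEMENTED, MISSING, MANUAL = "implemented", "missing", "manual evidence required"


def _blocks(config, prefix):
    """Indented sub-lines of every top-level command that starts with prefix."""
    blocks, current = [], None
    for line in config.splitlines():
        if line.startswith(prefix):
            current = []
            blocks.append(current)
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None          # the next top-level command ends the block
    return blocks


def check_no_external_telnet(config):
    """Control 1: every vty line must accept SSH only."""
    vtys = _blocks(config, "line vty")
    if not vtys:
        return MISSING, "no 'line vty' configured; cannot confirm telnet is disabled"
    bad = [b for b in vtys if "transport input ssh" not in b]
    if bad:
        return MISSING, f"{len(bad)} vty block(s) without 'transport input ssh'"
    return IMPLEMENTED, f"{len(vtys)} vty block(s) restricted to SSH"


def check_privileged_command_auditing(config):
    """Control 2: level-15 command accounting sent to an AAA server."""
    m = re.search(r"^aaa accounting commands 15 .*start-stop", config, re.M)
    if m:
        return IMPLEMENTED, m.group(0)
    return MISSING, "no 'aaa accounting commands 15 ... start-stop'"


def check_strong_admin_passwords(config):
    """Control 3: the part of the password policy visible on the device: a hashed
    'enable secret' and no cleartext 'enable password' or per-line 'password'.
    Length and complexity rules live in the written policy, not here."""
    problems = []
    if not re.search(r"^enable secret ", config, re.M):
        problems.append("no 'enable secret'")
    if re.search(r"^enable password ", config, re.M):
        problems.append("cleartext 'enable password' present")
    if re.search(r"^ password ", config, re.M):
        problems.append("per-line cleartext password present")
    if problems:
        return MISSING, "; ".join(problems)
    return IMPLEMENTED, "enable secret only, no cleartext passwords"


def check_config_backup(config):
    """Control 4: an 'archive' section with a backup path and write-memory trigger."""
    for block in _blocks(config, "archive"):
        if any(cmd.startswith("path ") for cmd in block) and "write-memory" in block:
            return IMPLEMENTED, "archive path with write-memory trigger"
    return MISSING, "no 'archive' section with path and write-memory"


def check_change_control_policy(config):
    """Control 5 is a policy: the auditor needs the signed policy and the change
    records, neither of which is in the device configuration."""
    return MANUAL, "verify signed change-control policy and change log"


PLAN_CONTROLS = [
    ("1. disable external telnet access", check_no_external_telnet),
    ("2. use detailed auditing of privileged command use", check_privileged_command_auditing),
    ("3. set policy for strong admin passwords", check_strong_admin_passwords),
    ("4. set backup strategy for router config file", check_config_backup),
    ("5. set change control policy for the router configuration", check_change_control_policy),
]


def audit(config):
    """Run every selected control's check; returns {control: (status, evidence)}."""
    return {name: check(config) for name, check in PLAN_CONTROLS}


def statuses(config):
    """Status only, in plan order, for the summary line of an audit report."""
    return [status for status, _ in audit(config).values()]


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", COMPLIANT_CONFIG)):
        print(f"--- {label} ---")
        for control, (status, evidence) in audit(cfg).items():
            print(f"{status:26} {control}: {evidence}")
```

The "other comments" column of the plan asks for periodic test and review of the configuration; running a script like this on each configuration backup is one way to make that review repeatable, with the manual-evidence status keeping the policy control visible rather than silently passing it.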
11.4.1 Security Plan Implementation
• given that the plan documents what is required
• the identified personnel perform the needed tasks
– to implement new or enhanced controls
– may need system configuration changes, upgrades or new system installation
– or development of new / extended procedures
– with support from management
• monitored to ensure the process is carried out correctly
• when completed, management approves
11.4.2 Security Training / Awareness
• responsible personnel need training
– on the details of design and implementation
– awareness of operational procedures
• also need general awareness for all
– spanning all levels in the organization
– essential to meet security objectives
– lack of it leads to poor practices that reduce security
– aim to convince personnel that risks exist and breaches may have significant consequences
11.4.3 Implementation Follow-up
• security management is cyclic and repeated
• need to monitor the implemented controls
• evaluate changes for their security implications
– otherwise the chance of a security breach increases
• follow-up has a number of aspects: maintenance, security compliance checking, change and configuration management, and incident handling (11.4.4 to 11.5.1 below)
• any of these may indicate a need for changes in previous stages of the process
11.4.4 Maintenance
• need continued maintenance and monitoring of implemented controls to ensure continued correct functioning and appropriateness
• tasks include:
– periodic review of controls
– upgrade of controls to meet new requirements
– check that system changes do not impact controls
– address new threats or vulnerabilities
• goal is to ensure controls perform as intended
11.4.5 Security Compliance
• an audit process to review security processes
• to verify compliance with the security plan
• using internal or external personnel
• usually based on checklists that check
– suitable policies and plans were created
– a suitable selection of controls was chosen
– that they are maintained and used correctly
• often carried out as part of a wider general audit
11.4.6 Change and Configuration Management
• change management is the process to review proposed changes to systems
– evaluate the security and wider impact of changes
– part of the general systems administration process
– cf. management of bug patch testing and installation
– may be informal or formal
• configuration management is keeping track of the configuration of, and changes to, each system
– to help restore systems following a failure
– to know what patches or upgrades might be relevant
– also part of the general systems administration process
11.5 Monitoring Risk
11.5.1 Incident Handling
• need procedures specifying how to respond to a security incident
– given that one will most likely occur sometime
• reflect the range of consequences for the organization
• codify action in advance to avoid panic
• e.g. a mass email worm
– exploiting vulnerabilities in common apps
– propagating via email in high volumes
– should the organization disconnect from the Internet or not?
11.5.2 Types of Security Incidents
• any action threatening the classic security services
• unauthorized access to a system
– unauthorized viewing of information by self / other
– bypassing access controls
– using another user's access
– denying access to another user
• unauthorized modification of information on a system
– corrupting information
– changing information without authorization
– unauthorized processing of information
11.5.3 Managing Security Incidents
11.5.4 Detecting Incidents
• reports from users or admin staff
– encourage such reporting
• detection by automated tools
– e.g. system integrity verification tools, log analysis tools, network and host intrusion detection systems, intrusion prevention systems
– must be updated to reflect new attacks or vulnerabilities
– costly, so deployed where the risk assessment justifies them
• admins must monitor vulnerability reports
11.5.5 Responding to Incidents
• need documented response procedures
– how to identify the cause of the security incident
– describing the action taken to recover from it
• procedures should
– identify typical categories of incidents and the approach taken to respond to each
– identify the management personnel responsible for making critical decisions, and their contact details
– state whether to report the incident to police / CERT etc.
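The mass email worm in 11.5.1 and the detection and response slides above describe the procedure in words: automated log analysis detects the incident, the documented procedure names the response category and the person who makes the critical decisions. The following added example, not from the lecture, runs that logic over constructed mail-gateway log lines in a made-up format (not any real MTA's): it flags internal hosts that exceed a per-minute message or recipient threshold and maps the result to a hypothetical documented response category, including who owns the "disconnect from the Internet or not" decision. The thresholds, hosts, log format and playbook contents are all assumptions standing in for an organisation's own procedure.

```python
"""Detecting and responding to a mass-mailing worm from mail-gateway logs.

Added example, not from the lecture.  The log line format is made up for
this example (it is not any real MTA's format), the traffic is constructed,
and the thresholds and response playbook are assumptions standing in for an
organisation's own documented procedures.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) relay=(?P<relay>\S+) src=(?P<src>\S+) from=(?P<sender>\S+) nrcpt=(?P<nrcpt>\d+)$"
)


def parse_line(line):
    """One log record as a dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "sender": m["sender"], "nrcpt": int(m["nrcpt"])}


def detect_mass_mailers(lines, window=timedelta(minutes=1), max_msgs=20, max_rcpts=100):
    """Sliding one-minute window per source host (lines must be in time order).
    A host is flagged the first time it exceeds either the message or the
    recipient threshold; the record captures the window contents at that moment."""
    recent = defaultdict(deque)      # src -> deque of (ts, nrcpt) inside the window
    rcpts = defaultdict(int)         # src -> recipients inside the window
    flagged = {}
    for rec in filter(None, map(parse_line, lines)):
        src, q = rec["src"], recent[rec["src"]]
        q.append((rec["ts"], rec["nrcpt"]))
        rcpts[src] += rec["nrcpt"]
        while q and rec["ts"] - q[0][0] > window:
            _, old = q.popleft()
            rcpts[src] -= old
        if src not in flagged and (len(q) > max_msgs or rcpts[src] > max_rcpts):
            flagged[src] = {"first_seen": rec["ts"], "msgs_in_window": len(q),
                            "rcpts_in_window": rcpts[src], "sender": rec["sender"]}
    return flagged


# Hypothetical playbook: stands in for the organisation's documented procedure.
PLAYBOOK = {
    "none": [],
    "single_host": [
        "block SMTP from the host at the mail gateway",
        "isolate the host from the LAN and preserve its disk image",
        "preserve gateway logs for the incident record",
        "notify the incident lead (contact list in the response procedure)",
    ],
    "outbreak": [
        "apply the single_host actions to every flagged host",
        "incident lead decides on Internet disconnection (not an automatic action)",
        "report to the national CERT if external recipients were targeted",
    ],
}


def classify(flagged, outbreak_hosts=3):
    """The incident category selects which documented response applies."""
    if not flagged:
        return "none"
    return "outbreak" if len(flagged) >= outbreak_hosts else "single_host"


def respond(flagged):
    """Returns the category and the ordered actions from the playbook."""
    category = classify(flagged)
    return category, PLAYBOOK[category]


def build_sample_log():
    """Constructed log lines: light traffic from five workstations, then one
    host (10.1.4.42) that starts sending 8-recipient messages every 2 seconds."""
    start = datetime(2006, 2, 3, 9, 0, 0)
    lines = []
    for i, host in enumerate(["10.1.4.10", "10.1.4.11", "10.1.4.12", "10.1.4.13", "10.1.4.14"]):
        for k in range(3):
            ts = start + timedelta(minutes=2 * k + i)
            lines.append(f"{ts.isoformat()} relay=mx1 src={host} from=user{i}@corp.example nrcpt={1 + k % 2}")
    worm_start = start + timedelta(minutes=12)
    for k in range(25):
        ts = worm_start + timedelta(seconds=2 * k)
        lines.append(f"{ts.isoformat()} relay=mx1 src=10.1.4.42 from=bob@corp.example nrcpt=8")
    lines.append("2006-02-03T09:13:00 mx1 kernel: link up")   # unrelated line, ignored by parse_line
    return sorted(lines)        # ISO timestamps sort correctly as text


if __name__ == "__main__":
    hits = detect_mass_mailers(build_sample_log())
    category, actions = respond(hits)
    print(category, hits)
    for step in actions:
        print(" -", step)
```

The host is flagged on the recipient threshold (13 messages with 8 recipients each, 104 recipients inside the window) before the message-count threshold is reached, which is the point of tracking both. The playbook deliberately leaves the Internet disconnection to a named person: the slide's question is one the procedure should answer with a decision owner, not with an automatic rule.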
11.5.6 Documenting Incidents
• need to identify the vulnerability used
• and how to prevent it occurring in future
• record the details for future reference
• consider the impact on the organization and its risk profile
– may simply have been unlucky
– more likely the risk profile has changed
– hence the risk assessment needs reviewing
– followed by reviewing the controls in use