Security Controls What Works - PowerPoint PPT Presentation

About This Presentation
Slides: 30
Provided by: insideSo

Transcript and Presenter's Notes

1
Security Controls What Works
  • Southside Virginia Community College Security
    Awareness

2
Session Overview
  • Identification of Information Security Drivers
  • Identification of Regulations and Acts
  • Introduction to Security Standards
  • Understanding Security Controls
  • Technology Solutions Assisting in Regulatory
    Compliance

3
Identification of Information Security Drivers
  • Identification of Information Security Drivers
  • Identification of Regulations and Acts
  • Introduction to Security Standards
  • Understanding Security Controls
  • Technology Solutions Assisting in Regulatory
    Compliance

4
Business Drivers
What are the business drivers for information
security?
  • Facilitate Business Initiatives
  • Protect Brand Image
  • Protect Customer Confidence
  • Reduce Costs and Improve Productivity
  • Enhance Service Levels
  • Technology Direction
  • Comply with Regulations

5
Regulatory Compliance Drives Security Initiatives
Regulatory Compliance has emerged as the biggest
driver of information security initiatives /
spending.
Key areas for compliance-related spending are
associated with implementing an Information
Security Management Framework and specifically
include
  • Policies and Procedures
  • Training and Awareness
  • Security Event Management Tools
  • Identity and Password Management Technologies

6
Information Security Management Framework
What is an Information Security Management
Framework?
  • Key Set of Policies and Processes Supporting
    Information Security
  • Organizational Structure and Governance for
    Information Security
  • Implementation of Standard Security Controls
  • Appropriate and Sufficient Security Tools and
    Technologies

7
Regulatory Benefits of Implementing an
Information Security Management Framework
Regulatory benefits of implementing an
Information Security Management Framework include
  • Protecting the privacy of personally identifiable
    information (customer and employee)
  • Protecting sensitive information and resources
    from being accessed or shared with unauthorized
    users
  • Ensuring integrity of financial data
  • Ensuring that data content is protected and
    tamper-resistant
  • Ensuring well controlled systems
  • Ensuring secure development and maintenance of
    software, systems, and applications

8
Information Security Management Framework
Lifecycle
The implementation of the Information Security
Management Framework follows a Plan, Prevent,
Detect, Respond cycle, analogous to the
Plan-Do-Check-Act (PDCA) cycle used by other
management system standards such as ISO 9001 and
ISO 14001.
9
Information Security Management Framework Flow
Regulatory Requirements and Security Standards
help define the Organization's Security
Environment. This environment dictates the
Organization's Security Directive, which in turn
dictates the Information Security Management
Framework.
10
Identification of Regulations and Acts
  • Identification of Information Security Drivers
  • Identification of Regulations and Acts
  • Introduction to Security Standards
  • Understanding Security Controls
  • Technology Solutions Assisting in Regulatory
    Compliance

11
Significant Regulations and Acts
Some of the more significant security regulations
and acts include
  • Gramm-Leach-Bliley Act (GLBA)
  • Health Insurance Portability and Accountability
    Act (HIPAA)
  • Sarbanes-Oxley Act (SOX)
  • European Union Data Protection Directive (EUDPD)
  • Personal Data Act
  • Computer Misuse Act
  • Data Protection Act
  • 21 CFR Part 11
  • Basel II
  • Various State Security Breach Laws

12
Security Objectives
These regulations and acts specify information
security objectives associated with
  • Security Policy, Organization, and Program
  • Personnel, Human Resources, and Administrative
    security controls
  • User, Network, System, and Physical access
    management
  • Proactive vulnerability, risk, and threat
    assessment and management activities
  • Intrusion Detection capabilities
  • Event Logging and Monitoring and Incident
    Response programs and processes
  • Encryption capabilities and the protection of
    information confidentiality and integrity
  • Identification, authentication, and authorization
    controls to information and systems
  • Asset classification and control
  • Disaster Recovery and Business Continuity planning

This is not an all-inclusive list of security
regulatory goals, but rather a sample of the
security objectives these regulations share.
13
Introduction to Security Standards
  • Identification of Information Security Drivers
  • Identification of Regulations and Acts
  • Introduction to Security Standards
  • Understanding Security Controls
  • Technology Solutions Assisting in Regulatory
    Compliance

14
Value Proposition of Security Standards
Security Standards
  • Provide outlines of accepted best practice for
    security management
  • Provide guidelines for the implementation of
    security measures
  • Provide a framework for the management of
    information, network, and system security within
    an organization
  • Provide a suggested code of practice
  • Integrate security measures into an overall
    security architecture
  • Can be used by organizations of all sizes,
    industries, and sectors

Compliance with a Security Standard is NOT
required by law, though some contracts now
require certification.
15
Compliance and Certification
To achieve compliance, the organization must
implement measures that address all of the
standard's control objectives.
  • Formal certification is usually achieved through
    a formal audit conducted by a certified
    independent auditor.
  • Certification offers internal and external
    confidence in the Information Security Management
    Framework.
  • Certification demonstrates good governance and
    can provide evidence of due diligence for some
    requirements for regulatory compliance.

16
Compliance Achievement Process
17
Industry Accepted Security Standards
Some of the more commonly accepted and
implemented standards include
  • International Standard, ISO/IEC 17799:2005 (ISO
    17799)
  • Australian/New Zealand Standard, AS/NZS
    7799.2:2003 (AS 7799)
  • Payment Card Industry Data Security Standard
    (PCI DSS)
  • Common Criteria for IT Security Evaluation
    (ISO/IEC 15408)
  • NIST Computer Security Standards

18
Understanding Security Controls
  • Identification of Information Security Drivers
  • Identification of Regulations and Acts
  • Introduction to Security Standards
  • Understanding Security Controls
  • Technology Solutions Assisting in Regulatory
    Compliance

19
Security Controls Overview
Security Controls address security issues that
should be considered as part of the Information
Security Management Framework.
  • Security Policy
  • Security Organization and Governance
  • Asset Management
  • Data Protection
  • Personnel Security
  • Physical and Environmental
  • Communications and Operations Management
  • Access Control
  • Logging and Monitoring
  • Vulnerability Management
  • Incident Management
  • Software System Acquisition, Development, and
    Maintenance
  • Business Continuity Management
  • Compliance

While there is no authoritative set of controls
and titles, most security standards and best
practices use similar titles and categories to
define security controls.
20
Security Control Objectives - 1
Security Policy
  • Documented security objectives for the
    organization that are agreed and approved by
    management

Security Organization and Governance
  • Assigning security responsibilities and
    accountability and a management forum for setting
    and approving security objectives

21
Security Control Objectives - 2
Asset Management
  • The management (identification, classification,
    and control) of information, hardware, and
    software resources

Data Protection
  • Effective controls for protecting the
    confidentiality, integrity, and availability of
    information and information resources

22
Security Control Objectives - 3
Personnel Security
  • The management of staff, terms of employment,
    termination processes, and awareness and training

Physical and Environmental Security
  • Securing the human and system physical
    environment including entry controls, fire and
    power controls, cable and rack security

23
Security Control Objectives - 4
Communications and Operations Management
  • Key security aspects of managing network and
    system components securely, including backups,
    anti-virus, patches, media and laptop security

Access Control
  • The control of logical, physical, and remote
    access to information and resources including
    identification and authentication, authorization,
    password and user management on applications,
    operating systems, and within networks

24
Security Control Objectives - 5
Logging and Monitoring
  • The collection, aggregation, normalization,
    correlation, mining, and tracking of security
    events
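The "collection, aggregation, normalization, correlation" chain above is what a SIEM does with raw log lines. The following is an added example, not code from the presentation: it normalizes two different source formats (a Linux sshd syslog line and a Windows-style logon event) into one event schema, then correlates authentication failures per source address across hosts within a sliding window and escalates when a success follows a burst of failures. The log lines, host names, addresses, the assumed syslog year, and the threshold and window values are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events for the example (not from the original presentation).
SAMPLE_LOGS = [
    "Mar  1 10:00:01 web01 sshd[2210]: Failed password for root from 203.0.113.5 port 50122 ssh2",
    "Mar  1 10:00:03 web01 sshd[2210]: Failed password for root from 203.0.113.5 port 50123 ssh2",
    "2024-03-01T10:00:04Z host=dc01 EventID=4625 TargetUserName=admin IpAddress=203.0.113.5 Status=0xC000006D",
    "Mar  1 10:00:05 web01 sshd[2214]: Failed password for admin from 203.0.113.5 port 50124 ssh2",
    "Mar  1 10:00:06 web01 sshd[2214]: Accepted password for admin from 203.0.113.5 port 50124 ssh2",
    "Mar  1 10:07:00 web02 sshd[3001]: Failed password for bob from 198.51.100.7 port 41000 ssh2",
]

# Syslog lines carry no year; assume one (a real collector takes it from the source).
ASSUMED_YEAR = 2024

SSHD_RE = re.compile(
    r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)"
)
WIN_RE = re.compile(
    r"^(\S+) host=(\S+) EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)"
)


def normalize(line):
    """Map one raw line to the common schema, or None if no parser matches."""
    m = SSHD_RE.match(line)
    if m:
        mon, day, hms, host, outcome, user, ip = m.groups()
        ts = datetime.strptime(f"{ASSUMED_YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": host, "user": user, "src_ip": ip,
                "outcome": "failure" if outcome == "Failed" else "success",
                "source": "sshd"}
    m = WIN_RE.match(line)
    if m:
        ts_s, host, event_id, user, ip = m.groups()
        # 4625 = logon failure, 4624 = logon success; other IDs are not auth outcomes.
        outcome = {"4625": "failure", "4624": "success"}.get(event_id)
        if outcome is None:
            return None
        return {"ts": datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
                "user": user, "src_ip": ip, "outcome": outcome, "source": "windows"}
    return None


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window correlation keyed on source IP across all hosts and sources."""
    alerts = []
    failures = defaultdict(list)  # src_ip -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["src_ip"]
        # Aggregate: keep only failures still inside the window.
        failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= window]
        if ev["outcome"] == "failure":
            failures[ip].append(ev["ts"])
            # Fire once when the threshold is crossed, not on every further failure.
            if len(failures[ip]) == threshold:
                alerts.append({"rule": "auth_failure_burst", "src_ip": ip,
                               "count": threshold, "ts": ev["ts"]})
        elif ev["outcome"] == "success" and len(failures[ip]) >= threshold:
            # A success right after a burst is the case worth paging on.
            alerts.append({"rule": "success_after_failure_burst", "src_ip": ip,
                           "user": ev["user"], "host": ev["host"], "ts": ev["ts"]})
    return alerts


def run(lines=SAMPLE_LOGS):
    """Collect -> normalize -> correlate. Unparsed lines are returned, never dropped silently."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return correlate(events), unparsed


if __name__ == "__main__":
    found, skipped = run()
    for a in found:
        print(a)
    print(f"{len(skipped)} unparsed line(s)")
```

The point of keying on the source address rather than on host or username is that the third failure in the sample comes from a different host and log format than the first two; without normalization into one schema the burst would never be seen as one activity. Tracking unparsed lines is equally important: a parser that silently drops what it cannot read creates a blind spot in exactly the control this slide describes.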

Vulnerability Management
  • The performance of risk, threat, and
    vulnerability assessments

25
Security Control Objectives - 6
Incident Management
  • The detection, reporting, recording, handling,
    response, review, and management of security
    incidents

Software System Acquisition, Development, and
Maintenance
  • The secure development and maintenance of
    software and systems for on-going secure operation

26
Security Control Objectives - 7
Business Continuity Management
  • Planning and defining the response in the event
    of a disaster or disruption in business to ensure
    continuity of operations

Compliance
  • Ensuring compliance with security and privacy
    legislative requirements

27
Technology Solutions Assisting In Regulatory
Compliance
  • Identification of Information Security Drivers
  • Identification of Regulations and Acts
  • Introduction to Security Standards
  • Understanding Security Controls
  • Technology Solutions Assisting in Regulatory
    Compliance

28
Microsoft's Regulatory Compliance Planning
Guide
This guide describes technology solutions that
assist with regulatory compliance. The solution
categories include
  • Data Classification and Protection Solutions
  • Identity Management Solutions
  • Authentication, Authorization, and Access Control
    Solutions
  • Training Solutions
  • Physical Security Solutions
  • Vulnerability Identification Solutions
  • Monitoring and Reporting Solutions
  • Disaster Recovery and Failover Solutions
  • Incident Management and Trouble-Tracking Solutions
  • Document Management Solutions
  • Business Process Management Solutions
  • Project Management Solutions
  • Risk Assessment Solutions
  • Change Management Solutions
  • Network Security Controls
  • Host Control Solutions
  • Malicious Software Prevention Solutions
  • Application Security Solutions
  • Messaging and Collaboration Solutions

29
Session Summary
  • Regulatory Compliance has emerged as the biggest
    driver of information security initiatives /
    spending.
  • Regulations and Acts specify information security
    objectives necessary for regulatory compliance.
  • Any organization can use the guidance and
    requirements in Security Standards to improve
    aspects of their internal security management.
  • Security Controls address security issues that
    should be considered as part of the Information
    Security Management Framework. Microsoft
    Products and Solutions support the implementation
    of security controls.
  • Many Microsoft technology solutions assist in
    regulatory compliance.