Designing Security Architecture Infrastructures

1
Designing Security Architecture Infrastructures

• CISSP

2
CISSP - Certified Information System Security
Professional

• https//www.isc2.org
• CISSP examination
• http//www.cccure.org
• CISSP Studying Information

3
CISSP Certification Examination

• The CISSP Certification examination consists of
  250 multiple-choice questions. Candidates have up
  to 6 hours to complete the examination.
• Ten CISSP information systems security test
  domains are covered in the examination pertaining
  to the Common Body of Knowledge
• Access Control Systems Methodology
• Applications Systems Development
• Business Continuity Planning
• Cryptography
• Law, Investigation Ethics
• Operations Security
• Physical Security
• Security Architecture Models
• Security Management Practices
• Telecommunications, Network Internet Security

4
Agenda

• Common Body of Knowledge 6 Topics
• Cover the examination topics but will emphasis
  what works and what does not
• Homework yes
• Skim the chapter
• do some projects
• do practice tests and discuss results.
• Discussion of Sample Tests
• Why topics are important
• Hand-outs
• Electronic Viewgraphs will be available at the
  end of the course.
• Still Being Improve

5
Mapping
6
ITU / CISSP Two Classes

• Designing Security Architecture Infrastructures
• Focuses on the technical items
• Security Assessment
• Management Infrastructures
• Plans
• Polices Procedures
• Test Readiness

7
Instructor

• Jim Bullough-Latsch
• jbl_at_4terrorism.com
• 818-775-1015
• Security Experience
• Recent security assessments, plans, policies,
  procedures for Web Systems.
• Worked on Classified Systems.
• Architect for Several Systems with Sensitive Data
• Consulted on automating alarms and physical
  security systems
• Has plenty of Degrees and Lots of Years
• Available for consulting!

8
Why are you here?

• What do you know?
• What do you want to learn?

9
Security Trends Quick Summary

• On-line Business
• On-Line Information
• Access to Information
• Home Land Security
• Traditional Closed Systems New DoD Business

10
Dollars!

• Security

11
Jims Definition of Computer Security

• Protecting tomorrow systems against yesterdays
  threats
• Advice Follow the Money

12
Security Trends Book Chapter 2

• Many organizations incorrectly assume that
  information security is a technical issue.
• Information security is a management issue that
  may require technical solutions.
• Agree and it requires operational solutions as
  well.
• More and More Companies are coming online and
  connecting their closed systems to the internet.
• Agree Need to stay in business
• Lots of Advice about multiple layers as a
  security feature
• Disagree
• Each new interface causes lots of problems and
  access points!

13
Internet Information and Vulnerability

• Cardholder Information Security Program - Check
  List
• Will Review some each Session

14
Visa U.S.A. Cardholder Information Security
Program (CISP)

• The Visa U.S.A. Cardholder Information Security
  Program (CISP) defines a standard of due care and
  enforcement for protecting sensitive information.
  
• Because the payment industry places a high
  priority on maintaining the confidentiality and
  integrity of account and personal data, the CISP
  requirements are directed to all entities that
  store, process, or transmit cardholder
  information.
• The program ensures the annual validation of
  merchants that accept Visa and all service
  providers on both the Issuing and Acquiring side
  of the business.
• Includes advice on best practices and information
  sources!

15
Information Security Program Digital Dozen
Requirements

• Install and maintain a working firewall to
  protect data
• Keep security patches up-to-date
• Protect stored data
• Encrypt data sent across public networks
• Use and regularly update anti-virus software
• Restrict access by "need to know"
• Assign unique ID to each person with computer
  access
• Don't use vendor-supplied defaults for passwords
  and security parameters
• Track all access to data by unique ID
• Regularly test security systems and processes
• Implement and maintain an information security
  policy
• Restrict physical access to data

16
Rest Of Today

• Internet Sources
• CISP Overview
• Access Control

17
Internet Resources

• http//commoncriteria.org
• http//csrc.nist.gov/
• http//iase.disa.mil/policy.htmlguides
• http//niap.nist.gov/
• http//sepo.spawar.navy.mil/sepo/index2.html
• http//us.mcafee.com
• http//usa.visa.com/business/merchants/cisp_index.
  html
• http//v4.windowsupdate.microsoft.com/
• http//www.cert.org
• http//www.criticalsecurity.com

• http//www.fas.org/irp/doddir/dod/5200-1r
• http//www.hq.nasa.gov/office/codeq/ns871913.htm
  
• http//www.isalliance.org/
• http//www.microsoft.com/security
• http//www.nsa.gov
• http//www.pogner.demon.co.uk/mil_498
• http//www.radium.ncsc.mil/tpep
• http//www.sans.org/top20/
• http//www.symantec.com/
• https//sans20.qualys.com/