TEL2813/IS2820 Security Management - PowerPoint PPT Presentation

About This Presentation
Title:

TEL2813/IS2820 Security Management

Description:

TEL2813/IS2820 Security Management Lecture 1 Jan 10, 2006 Contact James Joshi 706A, IS Building Phone: 412-624-9982 E-mail: jjoshi_at_mail.sis.pitt.edu Web: /~jjoshi ... – PowerPoint PPT presentation

Number of Views:151
Avg rating:3.0/5.0
Slides: 110
Provided by: jjo1
Learn more at: http://www.sis.pitt.edu
Category:

less

Transcript and Presenter's Notes

Title: TEL2813/IS2820 Security Management


1
TEL2813/IS2820 Security Management
  • Lecture 1
  • Jan 10, 2006

2
Contact
  • James Joshi
  • 706A, IS Building
  • Phone 412-624-9982
  • E-mail jjoshi_at_mail.sis.pitt.edu
  • Web /jjoshi/TELCOM2813/Spring2005/
  • Office Hours Wednesdays 1.00 3.00 p.m. or By
    appointments
  • GSA will be announced later

3
Course objective
  • The course is aimed at imparting knowledge and
    skill sets required to assume the overall
    responsibilities of administration and management
    of security of an enterprise information system.

4
Course objective
  • After the course, ability to to carry out
  • detailed analysis of enterprise security by
    performing various types of analysis
  • vulnerability analysis, penetration testing,
  • audit trail analysis,
  • system and network monitoring, and
  • Configuration management, etc.
  • Carry out the task of security risk management
    using various practical and theoretical tools.

5
Course objective
  • After the course, ability to carry out
  • Design detailed enterprise wide security plans
    and policies, and deploy appropriate safeguards
    (models, mechanisms and tools) at all the levels
    due consideration to
  • the life-cycle of the enterprise information
    systems and networks,
  • legal and social environment
  • Be able to certify products according to IA
    standards (Common Criteria Evaluations)

6
Course content
  • Introduction to Security Management
  • Security policies/models/mechanisms
  • Security Management Principles, Models and
    Practices
  • Security Planning/ Asset Protection
  • Security Programs and Disaster Recovery Plans
  • Standards and Security Certification Issues
  • Rainbow Series, Common Criteria
  • Security Certification Process
  • National/International Security Laws and Ethical
    Issues
  • Security Analysis and Safeguards
  • Vulnerability analysis (Tools Tech.)
  • Penetration testing
  • Risk Management
  • Protection Mechanisms and Incident handling
  • Access Control and Authentication architecture
  • Configuration Management
  • Auditing systems audit trail analysis
  • Network defense and countermeasures
  • Intrusion Detection Systems (SNORT)
  • Architectural configurations and survivability
  • Firewall configurations
  • Virtual private networks
  • Computer and network forensic
  • Privacy Protection
  • Case studies on OS and application software
    (e.g., SELinux, Unix and Windows Security)

7
Course Material
  • Recommended course material
  • Management of Information Security, M. E.
    Whitman, H. J. Mattord
  • Guide to Disaster Recovery, M. Erbschilde
  • Guide to Network Defense and Countermeasures, G.
    Holden
  • Real Digital Forensics Computer Security and
    Incident Response, 1/e Keith J. Jones, Richard
    Bejtlich, Curtis W. Rose
  • Computer Security Art and Science, Matt Bishop
    (ISBN 0-201-44099-7), Addison-Wesley 2003
  • Security in Computing, 2nd Edition, Charles P.
    Pfleeger, Prentice Hall
  • A list of papers will be provided

8
Tentative Grading
  • Assignments (50)
  • Homework/Quiz/Paper review/Class
    Participation/Seminar attendance 40
  • One/two presentation 10
  • Exams 20
  • Project 30

9
Course Policies
  • Your work MUST be your own
  • Zero tolerance for cheating/plagiarism
  • You get an F for the course if you cheat in
    anything however small NO DISCUSSION
  • Discussing the problem is encouraged
  • Homework
  • Penalty for late assignments (15 each day)
  • Ensure clarity in your answers no credit will
    be given for vague answers
  • Homework is primarily the GSAs responsibility
  • Check webpage for everything!
  • You are responsible for checking the webpage for
    updates

10
Introduction
11
Introduction
  • Information technology is critical to business
    and society
  • Computer security is evolving into information
    security
  • Information security is the responsibility of
    every member of an organization, but managers
    play a critical role

12
Introduction
  • Information security involves three distinct
    communities of interest
  • Information security managers and professionals
  • Information technology managers and professionals
  • Non-technical business managers and professionals

13
Communities of Interest
  • InfoSec community
  • protect information assets from threats
  • IT community
  • support business objectives by supplying
    appropriate information technology
  • Business community
  • policy and resources

14
What Is Security?
  • The quality or state of being secureto be free
    from danger
  • Security is achieved using several strategies
    simultaneously

15
Security and Control
  • Controls
  • Physical Controls
  • Technical Controls
  • Administrative
  • Prevention Detection Recovery
  • Deterrence, Corrective
  • Examples
  • Physical security
  • Personal security
  • Operations security
  • Communications security
  • Network security

16
InfoSec Components
17
CIA Triangle
  • The C.I.A. triangle is made up of
  • Confidentiality
  • Integrity
  • Availability
  • Over time the list of characteristics has
    expanded, but these three remain central
  • CNSS model is based on CIA

18
NSTISSC Security Model (4011)
19
Key Concepts Confidentiality
  • Some threats
  • Hackers
  • Masqueraders
  • Unauthorized users
  • Unprotected download of files
  • LANS
  • Trojan horses
  • Confidentiality
  • only those with sufficient privileges may access
    certain information
  • Confidentiality model
  • Bell-LaPadula
  • No write down No read up
  • TCSEC/TNI (Orange, Red Book)

20
Key Concepts Integrity
  • Other issues
  • Origin integrity
  • Data integrity
  • Integrity
  • Integrity is the quality or state of being whole,
    complete, and uncorrupted
  • Integrity model
  • Biba/low water mark
  • No write up No read down
  • Clark-Wilson
  • Separation of duty
  • Lipner

21
Key Concepts Availability
  • Availability
  • making information accessible to user access
    without interference or obstruction
  • Survivability
  • Ensuring availability in presence of attacks

22
Key Concepts privacy
  • Privacy
  • Information is to be used only for purposes known
    to the data owner
  • This does not focus on freedom from observation,
    but rather that information will be used only in
    ways known to the owner

23
Key Concepts Identification
  • Identification
  • Information systems possess the characteristic of
    identification when they are able to recognize
    individual users
  • Identification and authentication are essential
    to establishing the level of access or
    authorization that an individual is granted

24
Key Concepts Authentication Authorization
  • Authentication
  • Authentication occurs when a control provides
    proof that a user possesses the identity that he
    or she claims
  • Authorization
  • authorization provides assurance that the user
    has been specifically and explicitly authorized
    by the proper authority to access the contents of
    an information asset

25
Key Concepts Accountability Assurance
  • Accountability
  • The characteristic of accountability exists when
    a control provides assurance that every activity
    undertaken can be attributed to a named person or
    automated process
  • Assurance
  • Assurance that all security objectives are met

26
What Is Management?
  • A process of achieving objectives using a given
    set of resources
  • To manage the information security process, first
    understand core principles of management
  • A manager is
  • someone who works with and through other people
    by coordinating their work activities in order to
    accomplish organizational goals

27
Managerial Roles
  • Informational role Collecting, processing, and
    using information to achieve the objective
  • Interpersonal role Interacting with superiors,
    subordinates, outside stakeholders, and other
  • Decisional role Selecting from alternative
    approaches and resolving conflicts, dilemmas, or
    challenges

28
Differences Between Leadership and Management
  • The leader influences employees so that they are
    willing to accomplish objectives
  • He or she is expected to lead by example and
    demonstrate personal traits that instill a desire
    in others to follow
  • Leadership provides purpose, direction, and
    motivation to those that follow
  • A manager administers the resources of the
    organization, budgets, authorizes expenditure

29
Characteristics of a Leader
  • Bearing
  • Courage
  • Decisiveness
  • Dependability
  • Endurance
  • Enthusiasm
  • Initiative
  1. Integrity
  2. Judgment
  3. Justice
  4. Knowledge
  5. Loyalty
  6. Tact
  7. Unselfishness

Used by US military
30
What Makes a Good Leader?Action plan
  1. Know yourself and seek self-improvement
  2. Be technically and tactically proficient
  3. Seek responsibility and take responsibility for
    your actions
  4. Make sound and timely decisions
  5. Set the example
  6. Know your subordinates and look out for their
    well-being
  1. Keep your subordinates informed
  2. Develop a sense of responsibility in your
    subordinates
  3. Ensure the task is understood, supervised, and
    accomplished
  4. Build the team
  5. Employ your team in accordance with its
    capabilities

31
Leadership quality and types
  • A leader must
  • BE a person of strong and honorable character
  • KNOW you, the details of your situation, the
    standards to which you work, human nature, and
    your team
  • DO by providing purpose, direction, and
    motivation to your team
  • Three basic behavioral types of leaders
  • Autocratic
  • Democratic
  • Laissez-faire

32
Characteristics of Management
  • Two well-known approaches to management
  • Traditional management theory using principles of
    planning, organizing, staffing, directing, and
    controlling (POSDC)
  • Popular management theory using principles of
    management into planning, organizing, leading,
    and controlling (POLC)

33
The PlanningControlling Link
34
Planning Organization
  • Planning process that develops, creates, and
    implements strategies for the accomplishment of
    objectives
  • Three levels of planning
  • Strategic
  • Tactical
  • Operational
  • Organization structuring of resources to support
    the accomplishment of objectives

35
Leadership
  • Encourages the implementation of
  • the planning and organizing functions,
  • Includes supervising employee behavior,
    performance, attendance, and attitude
  • Leadership generally addresses the direction and
    motivation of the human resource

36
Control
  • Control
  • Monitoring progress toward completion
  • Making necessary adjustments to achieve the
    desired objectives
  • Controlling function determines what must be
    monitored as well as using specific control tools
    to gather and evaluate information

37
Control Tools
  • Four categories
  • Information
  • Information flows/ communications
  • Financial
  • Guide use of monetary resources (ROI,CBA,..)
  • Operational
  • PERT, Gantt, process flow
  • Behavioral
  • Human resources

38
The Control Process
39
Solving Problems
  • Step 1 Recognize and Define the Problem
  • Step 2 Gather Facts and Make Assumptions
  • Step 3 Develop Possible Solutions
    (Brainstorming)
  • Step 4 Analyze and Compare the Possible
    Solutions (Feasibility analysis)
  • Step 5 Select, Implement, and Evaluate a Solution

40
Feasibility Analyses
  • Economic feasibility assesses costs and benefits
    of a solution
  • Technological feasibility assesses an
    organizations ability to acquire and manage a
    solution
  • Behavioral feasibility assesses whether members
    of the organization will support a solution
  • Operational feasibility assesses if an
    organization can integrate a solution

41
Principles Of Information Security Management
  • The extended characteristics of information
    security are known as the six Ps
  • Planning
  • Policy
  • Programs
  • Protection
  • People
  • Project Management

42
InfoSec Planning
  • Planning as part of InfoSec management
  • is an extension of the basic planning model
    discussed earlier
  • Included in the InfoSec planning model are
  • activities necessary to support the design,
    creation, and implementation of information
    security strategies as they exist within the IT
    planning environment

43
InfoSec Planning Types
  • Several types of InfoSec plans exist
  • Incident response
  • Business continuity
  • Disaster recovery
  • Policy
  • Personnel
  • Technology rollout
  • Risk management and
  • Security program including education, training
    and awareness

44
Policy
  • Policy set of organizational guidelines that
    dictates certain behavior within the organization
  • In InfoSec, there are three general categories of
    policy
  • General program policy (Enterprise Security
    Policy)
  • An issue-specific security policy (ISSP)
  • E.g., email, Intenert use
  • System-specific policies (SSSPs)
  • E.g., Access control list (ACLs) for a device

45
Programs
  • Programs are operations managed as
  • specific entities in the information security
    domain
  • Example
  • A security education training and awareness
    (SETA) program is one such entity
  • Other programs that may emerge include
  • a physical security program, complete with fire,
    physical access, gates, guards, and so on

46
Protection
  • Risk management activities, including
  • risk assessment and control,
  • Protection mechanisms, technologies tools
  • Each of these mechanisms represents some aspect
    of the management of specific controls in the
    overall security plan

47
People
  • People are the most critical link in the
    information security program
  • Human firewall
  • It is imperative that managers continuously
    recognize the crucial role that people play
    includes
  • information security personnel and the security
    of personnel, as well as aspects of the SETA
    program

48
Project Management
  • Project management discipline should be present
    throughout all elements of the information
    security program
  • Involves
  • Identifying and controlling the resources applied
    to the project
  • Measuring progress and adjusting the process as
    progress is made toward the goal

49
(No Transcript)
50
Security Planning
51
Introduction
  • Successful organizations utilize planning
  • Planning involves
  • Employees
  • Management
  • Stockholders
  • Other outside stakeholders
  • Physical environment
  • Political and legal environment
  • Competitive environment
  • Technological environment

52
Introduction
  • Strategic planning includes
  • Vision statement
  • Mission statement
  • Strategy
  • Coordinated plans for sub units
  • Knowing how the general organizational planning
    process works helps in the information security
    planning process

53
Introduction
  • Planning
  • Is creating action steps toward goals, and then
    controlling them
  • Provides direction for the organizations future
  • Top-down method
  • Organizations leaders choose the direction
  • Planning begins with the general and ends with
    the specific

54
Information Security Planning
55
Components Of PlanningMission Statement
  • Mission statement
  • Declares the business of the organization and its
    intended areas of operations
  • Explains what the organization does and for whom
  • Example
  • Random Widget Works, Inc. designs and
    manufactures quality widgets, associated
    equipment and supplies for use in modern business
    environments

CSSD http//technology.pitt.edu/security.html
56
Components Of PlanningVision Statement
  • Vision statement
  • Expresses what the organization wants to become
  • Should be ambitious
  • Example
  • Random Widget Works will be the preferred
    manufacturer of choice for every businesss
    widget equipment needs, with an RWW widget in
    every machine they use

57
Components Of PlanningValues
  • By establishing organizational principles in a
    values statement, an organization makes its
    conduct standards clear
  • Example
  • RWW values commitment, honesty, integrity and
    social responsibility among its employees, and is
    committed to providing its services in harmony
    with its corporate, social, legal and natural
    environments.
  • The mission, vision, and values statements
    together provide the foundation for planning

58
Components Of PlanningStrategy
  • Strategy is the basis for long-term direction
  • Strategic planning
  • Guides organizational efforts
  • Focuses resources on clearly defined goals
  • strategic planning is a disciplined effort to
    produce fundamental decisions and actions that
    shape and guide what an organization is, what it
    does, and why it does it, with a focus on the
    future.

59
Strategic Planning
60
Strategic Planning
  • Organization
  • Develops a general strategy
  • Creates specific strategic plans for major
    divisions
  • Each level of division
  • translates those objectives into more specific
    objectives for the level below
  • In order to execute this broad strategy,
  • executives must define individual managerial
    responsibilities

61
Planning for the Organization
62
Strategic Planning
  • Strategic goals are then translated
  • into tasks with specific, measurable, achievable,
    reasonably high and time-bound objectives (SMART)
  • Strategic planning
  • then begins a transformation from general to
    specific objectives

63
Planning Levels
64
Planning levels
  • Tactical Planning
  • Shorter focus than strategic planning
  • Usually one to three years
  • Breaks applicable strategic goals into a series
    of incremental objectives

65
Planning levels
  • Operational Planning
  • Used by managers and employees to organize the
    ongoing, day-to-day performance of tasks
  • Includes clearly identified coordination
    activities across department boundaries such as
  • Communications requirements
  • Weekly meetings
  • Summaries
  • Progress reports

66
Typical Strategic Plan Elements
  • Introduction by senior executive (President/CEO)
  • Executive Summary
  • Mission Statement and Vision Statement
  • Organizational Profile and History
  • Strategic Issues and Core Values
  • Program Goals and Objectives
  • Management/Operations Goals and Objectives
  • Appendices (optional)
  • Strengths, weaknesses, opportunities and threats
    (SWOT) analyses, surveys, budgets etc

67
Tips For Planning
  • Create a compelling vision statement that frames
    the evolving plan, and acts as a magnet for
    people who want to make a difference
  • Embrace the use of balanced scorecard approach
  • Deploy a draft high level plan early, and ask for
    input from stakeholders in the organization
  • Make the evolving plan visible

68
Tips For Planning
  • Make the process invigorating for everyone
  • Be persistent
  • Make the process continuous
  • Provide meaning
  • Be yourself
  • Lighten up and have some fun

69
Planning For Information Security Implementation
  • The CIO and CISO play important roles
  • in translating overall strategic planning into
    tactical and operational information security
    plans
  • CISO plays a more active role
  • in the development of the planning details than
    does the CIO

70
CISO Job Description
  • Creates strategic information security plan with
    a vision for the future of information security
    at Company X
  • Understands fundamental business activities
    performed by Company X
  • Based on this understanding, suggests appropriate
    information security solutions that uniquely
    protect these activities
  • Develops action plans, schedules, budgets, status
    reports and other top management communications
    intended to improve the status of information
    security at Company X

71
Planning for InfoSec
  • Once plan has been translated into IT and
    information security objectives and tactical and
    operational plans for information security,
    implementation can begin
  • Implementation of information security can be
    accomplished in two ways
  • Bottom-up
  • OR
  • Top-down

72
Approaches to Security Implementation
73
The Systems Development Life Cycle (SDLC)
  • SDLC methodology for the design and
    implementation of an information system
  • SDLC-based projects may be initiated by events or
    planned
  • At the end of each phase, a review occurs when
    reviewers determine if the project should be
    continued, discontinued, outsourced, or postponed

74
Phases of An SDLC
75
Investigation
  • Identifies problem to be solved
  • Begins with the objectives, constraints, and
    scope of the project
  • A preliminary cost/benefit analysis is developed
    to evaluate the perceived benefits and the
    appropriate costs for those benefits

76
Analysis
  • Begins with information from the Investigation
    phase
  • Assesses the organizations readiness, its
    current systems status, and its capability to
    implement and then support the proposed system(s)
  • Analysts determine what the new system is
    expected to do, and how it will interact with
    existing systems

77
Logical Design
  • Information obtained from analysis phase is used
    to create a proposed solution for the problem
  • A system and/or application is selected based on
    the business need
  • The logical design is the implementation
    independent blueprint for the desired solution

78
Physical Design
  • During the physical design phase, the team
    selects specific technologies
  • The selected components are evaluated further as
    a make-or-buy decision
  • A final design is chosen that optimally
    integrates required components

79
Implementation
  • Develop any software that is not purchased, and
    create integration capability
  • Customized elements are tested and documented
  • Users are trained and supporting documentation is
    created
  • Once all components have been tested
    individually, they are installed and tested as a
    whole

80
Maintenance
  • Tasks necessary to support and modify the system
    for the remainder of its useful life
  • System is tested periodically for compliance with
    specifications
  • Feasibility of continuance versus discontinuance
    is evaluated
  • Upgrades, updates, and patches are managed
  • When current system can no longer support the
    mission of the organization, it is terminated and
    a new systems development project is undertaken

81
The Security SDLC
  • May differ in several specifics, but overall
    methodology is similar to the SDLC
  • SecSDLC process involves
  • Identification of specific threats and the risks
    that they represent
  • Subsequent design and implementation of specific
    controls to counter those threats and assist in
    the management of the risk those threats pose to
    the organization

82
Investigation in the SecSDLC
  • Often begins as directive from management
    specifying the process, outcomes, and goals of
    the project and its budget
  • Frequently begins with the affirmation or
    creation of security policies
  • Teams assembled to analyze problems, define
    scope, specify goals and identify constraints
  • Feasibility analysis determines whether the
    organization has resources and commitment to
    conduct a successful security analysis and design

83
Analysis in the SecSDLC
  • A preliminary analysis of existing security
    policies or programs is prepared along with known
    threats and current controls
  • Includes an analysis of relevant legal issues
    that could affect the design of the security
    solution
  • Risk management begins in this stage

84
Risk Management
  • Risk Management process of identifying,
    assessing, and evaluating the levels of risk
    facing the organization
  • Specifically the threats to the information
    stored and processed by the organization
  • To better understand the analysis phase of the
    SecSDLC, you should know something about the
    kinds of threats facing organizations
  • In this context, a threat is an object, person,
    or other entity that represents a constant danger
    to an asset

85
Key Terms
  • Attack deliberate act that exploits a
    vulnerability to achieve the compromise of a
    controlled system
  • Accomplished by a threat agent that damages or
    steals an organizations information or physical
    asset
  • Exploit technique or mechanism used to
    compromise a system
  • Vulnerability identified weakness of a
    controlled system in which necessary controls are
    not present or are no longer effective

86
Threats to Information Security
87
Some Common Attacks
  • Malicious code
  • Hoaxes
  • Back doors
  • Password crack
  • Brute force
  • Dictionary
  • Denial-of-service (DoS) and distributed
    denial-of-service (DDoS)
  • Spoofing
  • Man-in-the-middle
  • Spam
  • Mail bombing
  • Sniffer
  • Social engineering
  • Buffer overflow
  • Timing

88
Risk Management
  • Use some method of prioritizing risk posed by
    each category of threat and its related methods
    of attack
  • To manage risk, you must identify and assess the
    value of your information assets
  • Risk assessment assigns comparative risk rating
    or score to each specific information asset
  • Risk management identifies vulnerabilities in an
    organizations information systems and takes
    carefully reasoned steps to assure the
    confidentiality, integrity, and availability of
    all the components in organizations information
    system

89
Design in the SecSDLC
  • Design phase actually consists of two distinct
    phases
  • Logical design phase team members create and
    develop a blueprint for security, and examine and
    implement key policies
  • Physical design phase team members evaluate the
    technology needed to support the security
    blueprint, generate alternative solutions, and
    agree upon a final design

90
Security Models
  • Security managers often use established security
    models to guide the design process
  • Security models provide frameworks for ensuring
    that all areas of security are addressed
  • Organizations can adapt or adopt a framework to
    meet their own information security needs

91
Policy
  • A critical design element of the information
    security program is the information security
    policy
  • Management must define three types of security
    policy
  • General or security program policy
  • Issue-specific security policies
  • Systems-specific security policies

92
SETA
  • An integral part of the InfoSec program is
  • Security education and training (SETA) program
  • SETA program consists of three elements
  • security education, security training, and
    security awareness
  • Purpose of SETA is to enhance security by
  • Improving awareness
  • Developing skills and knowledge
  • Building in-depth knowledge

93
Design
  • Attention turns to the design of the controls and
    safeguards used to protect information from
    attacks by threats
  • Three categories of controls
  • Managerial
  • Operational
  • Technical

94
Managerial Controls
  • Address design/implementation of the
  • security planning process and
  • security program management
  • Management controls also address
  • Risk management
  • Security control reviews

95
Operational Controls
  • Cover management functions and lower level
    planning including
  • Disaster recovery
  • Incident response planning
  • Operational controls also address
  • Personnel security
  • Physical security
  • Protection of production inputs and outputs

96
Technical Controls
  • Address those tactical and technical issues
    related to
  • designing and implementing security in the
    organization
  • Technologies necessary to protect information are
    examined and selected

97
Contingency Planning
  • Essential preparedness documents provide
    contingency planning (CP) to prepare, react and
    recover from circumstances that threaten the
    organization
  • Incident response planning (IRP)
  • Disaster recovery planning (DRP)
  • Business continuity planning (BCP)

98
Physical Security
  • Physical Securityaddresses
  • the design, implementation, and maintenance of
    countermeasures that protect the physical
    resources of an organization
  • Physical resources include
  • People
  • Hardware
  • Supporting information system elements

99
Implementation in the SecSDLC
  • Security solutions are acquired, tested,
    implemented, and tested again
  • Personnel issues are evaluated and specific
    training and education programs conducted
  • Perhaps most important element of implementation
    phase is management of project plan
  • Planning the project
  • Supervising tasks and action steps within the
    project
  • Wrapping up the project

100
InfoSec Project Team
  • Should consist of individuals experienced in one
    or multiple technical and non-technical areas
    including
  • Champion
  • Team leader
  • Security policy developers
  • Risk assessment specialists
  • Security professionals
  • Systems administrators
  • End users

101
Staffing the InfoSec Function
  • Each organization should examine the options for
    staffing of the information security function
  • Decide how to position and name the security
    function
  • Plan for proper staffing of information security
    function
  • Understand impact of information security across
    every role in IT
  • Integrate solid information security concepts
    into personnel management practices of the
    organization

102
InfoSec Professionals
  • It takes a wide range of professionals to support
    a diverse information security program
  • Chief Information Officer (CIO)
  • Chief Information Security Officer (CISO)
  • Security Managers
  • Security Technicians
  • Data Owners
  • Data Custodians
  • Data Users

103
Certifications
  • Many organizations seek professional
    certification so that they can more easily
    identify the proficiency of job applicants
  • CISSP
  • SSCP
  • GIAC
  • SCP
  • ICSA
  • Security
  • CISM

104
Maintenance and Change in the SecSDLC
  • Once information security program is implemented,
  • it must be properly operated, managed, and kept
    up to date by means of established procedures
  • If the program is not adjusting adequately to the
    changes in the internal or external environment,
    it may be necessary to begin the cycle again

105
Maintenance Model
  • While a systems management model is designed to
    manage and operate systems, a maintenance model
    is intended to focus organizational effort on
    system maintenance
  • External monitoring
  • Internal monitoring
  • Planning and risk assessment
  • Vulnerability assessment and remediation
  • Readiness and review
  • Vulnerability assessment

106
(No Transcript)
107
ISO Management Model
  • One issue planned in the SecSDLC is the systems
    management model
  • ISO network management model - five areas
  • Fault management
  • Configuration and name management
  • Accounting management
  • Performance management
  • Security management

108
Security Management Model
  • Fault Management involves identifying and
    addressing faults
  • Configuration and Change Management involve
    administration of components involved in the
    security program and administration of changes
  • Accounting and Auditing Management involves
    chargeback accounting and systems monitoring
  • Performance Management determines if security
    systems are effectively doing the job for which
    they were implemented

109
Security Program Management
  • Once an information security program is
    functional, it must be operated and managed
  • In order to assist in the actual management of
    information security programs, a formal
    management standard can provide some insight into
    the processes and procedures needed
  • This could be based on the BS7799/ISO17799 model
    or the NIST models described earlier
Write a Comment
User Comments (0)
About PowerShow.com