An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

Transcription

1 An Overview of Information Security Frameworks Presented to TIF September 25, 2013

2 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information security programs. The framework is essentially a blueprint for building and sustaining an information security program.

3 More about Frameworks Frameworks do not describe security requirements. Security requirements come from three main sources: Governing policies and practices UC System Wide and UCD s policies and standards. Compliance Requirements- statutory, regulatory, and contractual. Audits and Risk Assessments.

4 Commonly Used Frameworks COBIT ISO series NIST SP 800 series 20 Critical Security Controls

5 Control Objectives for Information and Related Technology (COBIT) Developed in the mid-90s by ISACA This framework started out primarily focused on reducing technical risks in organizations, but has evolved recently with COBIT 5 to also include alignment of IT with business-strategic goals. It is the most commonly used framework to achieve compliance with Sarbanes-Oxley rules.

6 ISO SERIES The ISO series was developed by the International Standards Organization Broad information security framework that represents a series of standards for information security. Used extensively in the public and private sectors Many security programs are based on ISO and 27002

7 ISO Code of Practice for Information Security Management Contains 11 security domains and 39 subsections: Security Policy (1); Organizing Information Security (2); Asset Management (2); Human Resources Security (3); Physical and Environmental Security (2); Communications and Operations Management (10); Access Control (7); Information Systems Acquisition, Development and Maintenance (6); Information Security Incident Management (2); Business Continuity Management (1); Compliance (3).

8 National Institute of Standards and Technology (NIST) SP 800 Series The NIST Special Publication 800 series was first published in 1990 and has grown to provide advice on just about every aspect of information security. Federal agencies and some federal contractors are required to comply with NIST guidelines governing information security. Notable publications include: NIST Rev. 4 (Security and Privacy Controls for Federal Information Systems and Organizations) NIST (Guide for Applying the Risk Management Framework to Federal Information Systems)

9 NIST Family of Publications Access Control Audit & Accountability Awareness & Training Certification, Accreditation & Security Assessments Configuration Management Contingency Planning Identification & Authentication Incident Response Maintenance Media Protection Personnel Security Physical & Environmental Protection Planning Program Management Risk Assessment System & Communication Protection System & Information Integrity System & Services Acquisition

10 20 Critical Security Controls for Effective Cyber Defense A recent addition to the family of frameworks - First draft was circulated in 2009 Designed to help federal agencies and prioritize cyber security spending. Recommends a set of controls that are effective in stopping known attacks Gaining wide adoption in higher education Updated to version 4.1 in March 2013

11 20 Critical Controls Control 1: Inventory of Authorized and Unauthorized Devices Control 2: Inventory of Authorized and Unauthorized Software Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops Workstations, and Servers Control 4: Continuous Vulnerability Assessment and Remediation Control 5: Malware Defenses Control 6: Application Software Security Control 7: Wireless Device Control Control 8: Data Recovery Capability Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

12 20 Critical Controls (continue) Control 11: Limitation and Control of Network Ports, Protocols, and Services Control 12: Controlled Use of Administrative Privileges Control 13: Boundary Defense Control 14: Maintenance, Monitoring, and Analysis of Audit Logs Control 15: Controlled Access Based on the Need to Know Control 16: Account Monitoring and Control Control 17: Data Loss Prevention Control 18: Incident Response and Management Control 19: Secure Network Engineering Control 20: Penetration Tests and Red Team Exercises

13 20 Critical Controls (continue) Control Family Description Quick Wins risk reduction without major procedural, architectural, or technical changes, or provide substantial and immediate risk reduction against very common attacks Visibility and Attribution Measures improve capabilities of organizations to monitor their networks and computer systems to detect attack attempts, locate points of entry, identify already-compromised machines, interrupt infiltrated attackers' activities, and gain information about the sources of an attack. Improved Information Security Configuration reduce the number and magnitude of security vulnerabilities and improve the operations of networked computer systems, and focus on protecting against poor security practices that could give an attacker an advantage. Advanced Sub-Controls use new technologies that provide maximum security

14 Concluding Remarks. Managing security requirements can be challenging and overwhelming. An information security framework can help you organize and prioritize the work effort. If you have any questions about security frameworks, contact me at: