Security Management Practices. Keith A. Watson, CISSP CERIAS

Size: px

Start display at page:

Download "Security Management Practices. Keith A. Watson, CISSP CERIAS"

Meghan White
10 years ago
Views:

1 Security Management Practices Keith A. Watson, CISSP CERIAS

2 Overview The CIA Security Governance Policies, Procedures, etc. Organizational Structures Roles and Responsibilities Information Classification Risk Management 2

3 The CIA: Information Security Principles Confidentiality Allowing only authorized subjects access to information Integrity Allowing only authorized subjects to modify information Availability Ensuring that information and resources are accessible when needed 3

Integrity Allowing only authorized subjects to modify

4 Reverse CIA Confidentiality Preventing unauthorized subjects from accessing information Integrity Preventing unauthorized subjects from modifying information Availability Preventing information and resources from being inaccessible when needed 4

subjects from modifying information Availability Preventing

5 Using the CIA Think in terms of the core information security principles How does this threat impact the CIA? What controls can be used to reduce the risk to CIA? If we increase confidentiality, will we decrease availability? 5

What controls can be used to reduce the risk to CIA?

6 Security Governance Security Governance is the organizational processes and relationships for managing risk Policies, Procedures, Standards, Guidelines, Baselines Organizational Structures Roles and Responsibilities 6

managing risk Policies, Procedures, Standards,

7 Policy Mapping Laws, Regulations, Requirements, Organizational Goals, Objectives General Organizational Policies Functional Policies Procedures Standards Guidelines Baselines 7

8 Policies Policies are statements of management intentions and goals Senior Management support and approval is vital to success General, high-level objectives Acceptable use, internet access, logging, information security, etc 8

approval is vital to success General, high-level

9 Procedures Procedures are detailed steps to perform a specific task Usually required by policy Decommissioning resources, adding user accounts, deleting user accounts, change management, etc 9

10 Standards Standards specify the use of specific technologies in a uniform manner Requires uniformity throughout the organization Operating systems, applications, server tools, router configurations, etc 10

uniformity throughout the organization Operating

11 Guidelines Guidelines are recommended methods for performing a task Recommended, but not required Malware cleanup, spyware removal, data conversion, sanitization, etc 11

12 Baselines Baselines are similar to standards but account for differences in technologies and versions from different vendors Operating system security baselines FreeBSD 6.2, Mac OS X Panther, Solaris 10, Red Hat Enterprise Linux 5, Windows 2000, Windows XP, Windows Vista, etc 12

Operating system security baselines FreeBSD 6.

13 Organizational Structure Organization of and official responsibilities for security vary BoD, CEO, BoD Committee CFO, CIO, CSO, CISO Director, Manager IT/IS Security Audit 13

14 Typical Org Chart Board of Directors/Trustees President CIO Security Director Project Security Architect Enterprise Security Architect Security Analyst System Auditor 14

15 Security-Oriented Org Chart Board of Directors/Trustees President CIO IT Audit Manager Security Director System Auditor Enterprise Security Architect Security Analyst Project Security Architect 15

16 Further Separation Board of Directors/Trustees President Audit Committee Internal Audit CIO IT Audit Manager Security Director System Auditor Enterprise Security Architect Security Analyst Project Security Architect 16

Manager Security Director System Auditor Enterprise

17 Organizational Structure Audit should be separate from implementation and operations Independence is not compromised Responsibilities for security should be defined in job descriptions Senior management has ultimate responsibility for security Security officers/managers have functional responsibility 17

should be defined in job descriptions Senior management has ultimate

18 Roles and Responsibilities Best Practices: Least Privilege Mandatory Vacations Job Rotation Separation of Duties 18

19 Roles and Responsibilities Owners Determine security requirements Custodians Manage security based on requirements Users Access as allowed by security requirements 19

20 Information Classification Not all information has the same value Need to evaluate value based on CIA Value determines protection level Protection levels determine procedures Labeling informs users on handling 20

Value determines protection level Protection levels

21 Information Classification Government classifications: Top Secret Secret Confidential Sensitive but Unclassified Unclassified 21

22 Information Classification Private Sector classifications: Confidential Private Sensitive Public 22

23 Information Classification Criteria: Value Age Useful Life Personal Association 23

24 Risk Management Risk Management is identifying, evaluating, and mitigating risk to an organization It s a cyclical, continuous process Need to know what you have Need to know what threats are likely Need to know how and how well it is protected Need to know where the gaps are 24

25 Identification Assets Threats Threat-sources: man-made, natural Vulnerabilities Weakness Controls Safeguard 25

26 Analysis/Evaluation Quantitative Objective numeric values Cost-Benefit analysis Guesswork low Qualitative Subjective intangible values Time involved low Guesswork high 26

27 Remedy/Mitigation Reduce Use controls to limit or reduce threat Remove Stop using it Transfer Get insurance or outsource it Accept Hope for the best 27

28 Summary Security Management practices involve balancing security processes and proper management and oversight Risk Management is a big part of managing holistic security of an organization 28

The Protection Mission a constant endeavor

The Protection Mission a constant endeavor a constant endeavor The IT Protection Mission a constant endeavor As businesses become more and more dependent on IT, IT must face a higher bar for preparedness Cyber preparedness is the process of ensuring