An Overview of Information Security Frameworks. Presented to TIF September 25, 2013

What is a framework?

A framework helps define an approach to implementing, maintaining, monitoring, and improving information security programs. The framework is essentially a blueprint for building and sustaining an information security program.

More about Frameworks

Frameworks do not describe security requirements. Security requirements come from three main sources:
- Governing policies and practices: UC system-wide and UCD's policies and standards.
- Compliance requirements: statutory, regulatory, and contractual.
- Audits and risk assessments.

Commonly Used Frameworks
- COBIT
- ISO 27000 series
- NIST SP 800 series
- 20 Critical Security Controls

Control Objectives for Information and Related Technology (COBIT)

Developed in the mid-90s by ISACA. This framework started out primarily focused on reducing technical risks in organizations, but has evolved recently with COBIT 5 to also include alignment of IT with business-strategic goals. It is the most commonly used framework to achieve compliance with Sarbanes-Oxley rules.

ISO 27000 Series

The ISO 27000 series was developed by the International Standards Organization. It is a broad information security framework that represents a series of standards for information security. It is used extensively in the public and private sectors, and many security programs are based on ISO 27001 and 27002.

ISO 27002: Code of Practice for Information Security Management

Contains 11 security domains and 39 subsections (number of subsections in parentheses):
- Security Policy (1)
- Organizing Information Security (2)
- Asset Management (2)
- Human Resources Security (3)
- Physical and Environmental Security (2)
- Communications and Operations Management (10)
- Access Control (7)
- Information Systems Acquisition, Development and Maintenance (6)
- Information Security Incident Management (2)
- Business Continuity Management (1)
- Compliance (3)

National Institute of Standards and Technology (NIST) SP 800 Series

The NIST Special Publication 800 series was first published in 1990 and has grown to provide advice on just about every aspect of information security. Federal agencies and some federal contractors are required to comply with NIST guidelines governing information security. Notable publications include:
- NIST SP 800-53 Rev. 4 (Security and Privacy Controls for Federal Information Systems and Organizations)
- NIST SP 800-37 (Guide for Applying the Risk Management Framework to Federal Information Systems)

NIST Family of Publications
- Access Control
- Audit & Accountability
- Awareness & Training
- Certification, Accreditation & Security Assessments
- Configuration Management
- Contingency Planning
- Identification & Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical & Environmental Protection
- Planning
- Program Management
- Risk Assessment
- System & Communication Protection
- System & Information Integrity
- System & Services Acquisition

20 Critical Security Controls for Effective Cyber Defense

A recent addition to the family of frameworks:
- First draft was circulated in 2009.
- Designed to help federal agencies prioritize cyber security spending.
- Recommends a set of controls that are effective in stopping known attacks.
- Gaining wide adoption in higher education.
- Updated to version 4.1 in March 2013.

20 Critical Controls
- Control 1: Inventory of Authorized and Unauthorized Devices
- Control 2: Inventory of Authorized and Unauthorized Software
- Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Control 4: Continuous Vulnerability Assessment and Remediation
- Control 5: Malware Defenses
- Control 6: Application Software Security
- Control 7: Wireless Device Control
- Control 8: Data Recovery Capability
- Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps
- Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

20 Critical Controls (continued)
- Control 11: Limitation and Control of Network Ports, Protocols, and Services
- Control 12: Controlled Use of Administrative Privileges
- Control 13: Boundary Defense
- Control 14: Maintenance, Monitoring, and Analysis of Audit Logs
- Control 15: Controlled Access Based on the Need to Know
- Control 16: Account Monitoring and Control
- Control 17: Data Loss Prevention
- Control 18: Incident Response and Management
- Control 19: Secure Network Engineering
- Control 20: Penetration Tests and Red Team Exercises

20 Critical Controls (continued): sub-control families

Each control's sub-controls are grouped into one of four families, described below.

- Quick Wins: provide risk reduction without major procedural, architectural, or technical changes, or provide substantial and immediate risk reduction against very common attacks.
- Visibility and Attribution Measures: improve the capabilities of organizations to monitor their networks and computer systems to detect attack attempts, locate points of entry, identify already-compromised machines, interrupt infiltrated attackers' activities, and gain information about the sources of an attack.
- Improved Information Security Configuration: reduce the number and magnitude of security vulnerabilities and improve the operations of networked computer systems, and focus on protecting against poor security practices that could give an attacker an advantage.
- Advanced Sub-Controls: use new technologies that provide maximum security.

Concluding Remarks

Managing security requirements can be challenging and overwhelming. An information security framework can help you organize and prioritize the work effort. If you have any questions about security frameworks, contact me at: cwashington@ucdavis.edu