ISA 562
Transcript of ISA 562
1. Information Security Management (CISSP Topic 1), ISA 562: Internet Security Theory and Practice
2. Course Outline
- An introductory course at the graduate level
- It covers the topics of the CISSP exam at varying depth
  - But is NOT a CISSP course
- Textbooks:
  - Matt Bishop: Computer Security Art and Science
  - Official (ISC)² Guide to the CISSP CBK
3. Objectives
- Roles and responsibilities of individuals in a security program
- Security planning in an organization
- Security awareness in the organization
- Differences between policies, standards, guidelines and procedures
- Risk Management practices and tools
4. Syllabus of the Course
- Bishop's book for the first part
- Papers for some classes
- (ISC)² book for the second part
- Cover material relevant to the PhD qualifying examination in security
5. Introduction
- Purpose of information security:
  - To protect an organization's information resources: data, hardware, and software
  - To increase organizational success: IS are critical assets supporting its mission
6. Information Security TRIAD
- The overarching goals of information security are addressed through the AIC triad (Availability, Integrity, Confidentiality).
7. IT Security Requirements - I
- Security should be designed for two requirements:
- Functional: define the behavior of the control means based on risk assessment
  - Properties:
    - should not depend on another control
    - Why? fail safe by maintaining security during a system failure
- Assurance: provide confidence that security functions perform as expected
  - Internal/External Audit
  - Third Party reviews
  - Compliance to best practices
- Examples
  - Functional: a network Firewall to permit or deny traffic
  - Assurance: logs are generated, monitored, and reviewed
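The two requirements on this slide are easiest to see side by side in code. The following is an added example, not material from the lecture or the (ISC)² guide: a toy packet filter stands in for the functional control (permit or deny traffic, first matching rule wins, implicit default deny, and a fail-safe deny if rule evaluation itself breaks), and a separate review function stands in for the assurance side (every decision left a log line, fail-safe denials are flagged for follow-up, and an all-deny log is flagged as a possible misconfiguration). The rule format, the `Rule`/`Packet`/`Firewall` names and the sample packets are all constructed for illustration; the prefix match is a plain string prefix, not real CIDR matching.

```python
"""Added example (not part of the lecture slides): a toy packet filter as the
"functional" control, paired with an "assurance" review of its logs.
Rules, packets and log lines are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any destination port
    src_prefix: str          # string prefix such as "10.0." (constructed, not CIDR)


@dataclass
class Packet:
    src: str
    proto: str
    dst_port: int


@dataclass
class Firewall:
    rules: List[Rule]
    log: List[str] = field(default_factory=list)  # the assurance evidence

    def decide(self, pkt: Packet) -> str:
        """Functional requirement: first matching rule wins; no match -> deny.
        Fail safe: if evaluating a rule raises (e.g. a malformed rule loaded
        from config), the verdict is still deny and the failure is logged,
        so a broken control never opens traffic."""
        try:
            for r in self.rules:
                if (r.proto in ("any", pkt.proto)
                        and (r.dst_port is None or r.dst_port == pkt.dst_port)
                        and pkt.src.startswith(r.src_prefix)):
                    verdict = r.action
                    break
            else:
                verdict = "deny"  # implicit default deny
        except Exception as exc:
            self.log.append(f"ERROR {pkt.src} {pkt.proto}/{pkt.dst_port} -> deny ({exc})")
            return "deny"
        self.log.append(f"{verdict.upper()} {pkt.src} {pkt.proto}/{pkt.dst_port}")
        return verdict


def assurance_review(fw: Firewall, decisions_made: int) -> List[str]:
    """Assurance requirement: logs are generated, monitored and reviewed.
    Returns review findings; an empty list means the evidence holds up."""
    findings = []
    if len(fw.log) != decisions_made:
        findings.append(f"log gap: {decisions_made} decisions, {len(fw.log)} log lines")
    errors = [line for line in fw.log if line.startswith("ERROR")]
    if errors:
        findings.append(f"{len(errors)} fail-safe denials need follow-up")
    permits = [line for line in fw.log if line.startswith("PERMIT")]
    if decisions_made and not permits:
        findings.append("no permits at all: control may be misconfigured (over-blocking)")
    return findings


def demo() -> Tuple[List[str], List[str]]:
    """Run a constructed rule set over constructed packets; return the
    verdicts and the assurance findings."""
    rules = [
        Rule("permit", "tcp", 443, "10.0."),     # internal clients to HTTPS
        Rule("deny", "any", None, "192.168."),   # guest segment blocked entirely
    ]
    fw = Firewall(rules)
    pkts = [
        Packet("10.0.0.5", "tcp", 443),      # matches rule 1 -> permit
        Packet("10.0.0.5", "tcp", 22),       # no rule matches -> default deny
        Packet("192.168.1.9", "udp", 53),    # matches rule 2 -> deny
        Packet("172.16.3.3", "tcp", 443),    # no rule matches -> default deny
    ]
    verdicts = [fw.decide(p) for p in pkts]
    return verdicts, assurance_review(fw, len(pkts))


if __name__ == "__main__":
    v, f = demo()
    print("verdicts:", v)
    print("findings:", f or "none")
```

The point of keeping `assurance_review` separate from `Firewall` is the slide's own property that a control "should not depend on another control": the filter denies correctly whether or not anyone reads its log, and the review can be run by an auditor who never touches the rules.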
8. Organizational & Business Requirements
- Focus on organizational mission:
  - Business or goals driven
- Depends on type of organization:
  - Military, Government, or Commercial
- Must be sensible and cost effective
  - Solution considers the mission and environment trade-off
9. IT Security Governance
- Integral part of corporate governance:
  - Fully integrated into overall risk-based threat analysis
- Ensure that IT infrastructure:
  - Meets all requirements
  - Supports the strategies and objectives of the company
  - Includes service level agreements [if outsourced]
10. Security Governance: Major parts
- Leadership:
  - Security leaders must be part of the company leadership -- where they can be heard
- Structure:
  - occurs at many levels and should use a layered approach
- Processes:
  - follow internationally accepted best practices:
    - Job rotation, Separation of duties, least privilege, mandatory vacations, etc.
    - Examples of standards: ISO 17799 & ISO 27001:2005
11. Security Blueprints
- Provide a structure for organizing requirements and solutions
  - Ensure that security is considered holistically
- To identify and design security requirements
12. Policy Overview
- Operational environment is a web of laws, regulations, requirements, and agreements or contracts with partners and competitors
- Change frequently and interact with each other
- Management must develop and publish security statements addressing policies and supporting elements, such as standards , baselines, and guidelines.
13. Policy overview
14. Functions of Security policy
- Provide Management Goals and Objectives in writing
- Ensure Document compliance
- Create a security culture
- Anticipate and protect others from surprises
- Establish the security activity/function
- Hold individuals responsible and accountable
- Address foreseeable conflicts
- Make sure employees and contractors are aware of organizational policy and changes to it
- Require incident response plan
- Establish process for exception handling, rewards, and discipline
15. Policy Infrastructure
- High level policies interpreted into functional policies.
- Functional policies derived from overarching policy and create the foundation for procedures, standards, and baselines to accomplish the objectives
- Policies gain credibility by top management buy-in.
16. Examples of Functional Policies
- Data classification
- Certification and accreditation
- Access control
- Outsourcing
- Remote access
- Acceptable mail and Internet usage
- Privacy
- Dissemination control
- Sharing control
17. Policy Implementation
- Standards, procedures, baselines, and guidelines turn management objectives and goals [functional policies] into enforceable actions for employees.
18. Standards and procedures
- Standards (local): adoption of common hardware and software mechanisms and products throughout the enterprise
  - Examples: Desktop, Anti-Virus, Firewall
- Procedures: step by step actions that must be followed to accomplish a task
- Guidelines: recommendations for product implementations, procurement and planning, etc.
  - Examples: ISO17799, Common Criteria, ITIL
19. Security Baselines
- Benchmarks: to ensure that a minimum level of security configuration is provided across implementations and systems
  - establish consistent implementation of security mechanisms
  - Platform unique
- Examples:
  - VPN Setup
  - IDS Configuration
  - Password rules
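A baseline only does its job if something compares real configurations against it. The following is an added example, not course material: a small checker that holds a baseline for the three areas the slide names (password rules, IDS configuration, VPN setup), applies only the sections that are relevant to a given platform type (the slide's "platform unique" point), and reports every missing or non-compliant setting. The baseline values, the platform-to-section mapping, the host snapshots and the `BASELINE`/`audit_host`/`audit_fleet` names are all constructed for illustration, not taken from any real benchmark.

```python
"""Added example (not from the lecture slides): auditing host configuration
snapshots against a constructed security baseline.
Baseline values, platform mapping and host snapshots are illustrative."""
from typing import Any, Dict, List, Tuple

# Baseline entry: setting -> (operator, expected). Operators:
#   "min": actual >= expected   "max": actual <= expected
#   "eq":  actual == expected   "in":  actual in expected (allowed set)
BASELINE: Dict[str, Dict[str, Tuple[str, Any]]] = {
    "password": {
        "min_length": ("min", 12),
        "max_age_days": ("max", 90),
        "lockout_threshold": ("max", 5),
    },
    "ids": {
        "enabled": ("eq", True),
        "signature_age_days": ("max", 7),
    },
    "vpn": {
        "protocol": ("in", {"ikev2", "wireguard"}),
        "split_tunnel": ("eq", False),
    },
}

# "Platform unique": which baseline sections apply to which kind of system.
PLATFORM_SECTIONS: Dict[str, List[str]] = {
    "workstation": ["password", "vpn"],
    "server": ["password", "ids"],
}


def check_setting(op: str, expected: Any, actual: Any) -> bool:
    """Evaluate one baseline operator; unknown operators fail closed."""
    if op == "min":
        return actual >= expected
    if op == "max":
        return actual <= expected
    if op == "eq":
        return actual == expected
    if op == "in":
        return actual in expected
    return False


def audit_host(name: str, platform: str, config: Dict[str, Dict[str, Any]],
               baseline: Dict[str, Dict[str, Tuple[str, Any]]] = BASELINE) -> List[str]:
    """Return one finding per missing or non-compliant setting for this host."""
    findings: List[str] = []
    for section in PLATFORM_SECTIONS.get(platform, []):
        present = config.get(section, {})
        for key, (op, expected) in baseline[section].items():
            if key not in present:
                findings.append(f"{name}: {section}.{key} missing (baseline: {op} {expected!r})")
            elif not check_setting(op, expected, present[key]):
                findings.append(f"{name}: {section}.{key}={present[key]!r} violates {op} {expected!r}")
    return findings


# Constructed configuration snapshots: name -> (platform, config)
HOSTS: Dict[str, Tuple[str, Dict[str, Dict[str, Any]]]] = {
    "ws-01": ("workstation", {
        "password": {"min_length": 14, "max_age_days": 60, "lockout_threshold": 5},
        "vpn": {"protocol": "ikev2", "split_tunnel": False},
    }),
    "ws-02": ("workstation", {
        "password": {"min_length": 8, "max_age_days": 365, "lockout_threshold": 5},
        "vpn": {"protocol": "pptp", "split_tunnel": True},
    }),
    "srv-01": ("server", {
        "password": {"min_length": 16, "max_age_days": 90},  # lockout_threshold absent
        "ids": {"enabled": False, "signature_age_days": 30},
    }),
}


def audit_fleet(hosts: Dict[str, Tuple[str, Dict[str, Dict[str, Any]]]] = HOSTS) -> Dict[str, List[str]]:
    """Audit every host; a host with an empty list meets its baseline."""
    return {name: audit_host(name, platform, cfg) for name, (platform, cfg) in hosts.items()}


if __name__ == "__main__":
    for host, findings in audit_fleet().items():
        print(f"{host}: {'compliant' if not findings else ''}")
        for f in findings:
            print("  " + f)
```

Treating a missing setting as a finding rather than silently skipping it is deliberate: a snapshot that never reports `lockout_threshold` is as much a baseline gap as one that reports a bad value, and a checker that only looks at keys it happens to find will pass hosts that were never configured at all.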
20. Three Levels of security planning
- 1. Strategic: long term
  - Focus on high-level, long-range organizational requirements
  - Example: overall security policy
- 2. Tactical: medium-term
  - Focus on events that affect all the organization
  - Example: functional plans
- 3. Operational: short-term
  - Fight fires at the keyboard level, directly affecting how the organization accomplishes its objectives
21. Organizational roles and responsibilities
- Everyone has a role:
  - with responsibility clearly communicated and understood
- Duties associated with the role must be assigned
  - Examples:
    - Securing email
    - Reviewing violation reports
    - Attending awareness training
22. Specific Roles and Responsibilities (duties)
- Executive Management:
  - Publish and endorse security policy
  - Establish goals and objectives
  - State overall responsibility for asset protection
- IS security professionals:
  - Security design, implementation, management
  - Review of organization security policies
- Owner:
  - Information classification
  - Set user access conditions
  - Decide on business continuity priorities
- Custodian:
  - Entrusted with the security of the information
- IS Auditor:
  - Audit assurance guarantees
- User:
  - Compliance with procedures and policies
23. Personnel Security: Hiring staff
- Background check/Security clearance
- Check references/Educational records
- Sign Employment agreement
  - Non-disclosure agreements
  - Non-compete agreements
- Low level Checks
- Consult with HR Department
- Termination/dismissal procedure
24. Third party considerations
- Include:
  - Vendors/Suppliers
  - Contractors
  - Temporary Employees
  - Customers
- Must establish procedures for these groups