Security Controls – What Works: Southside Virginia Community College: Security Awareness

Posted: 18-Dec-2015
Category: Documents

Transcript of the slides:

Security Controls – What Works

Southside Virginia Community College: Security Awareness

Session Overview

• Identification of Information Security Drivers
• Identification of Regulations and Acts
• Introduction to Security Standards
• Understanding Security Controls
• Technology Solutions Assisting in Regulatory Compliance

Identification of Information Security Drivers

Business Drivers

What are the business drivers for information security?

Facilitate Business Initiatives

Protect Brand Image

Protect Customer Confidence

Reduce Costs and Improve Productivity

Enhance Service Levels

Technology Direction

Comply with Regulations

Regulatory Compliance Drives Security Initiatives

Regulatory compliance has emerged as the biggest driver of information security initiatives and spending.

Key areas for compliance-related spending are associated with implementing an Information Security Management Framework and specifically include:

Policies and Procedures

Training and Awareness

Security Event Management Tools

Identity and Password Management Technologies

Information Security Management Framework

What is an Information Security Management Framework?

Key Set of Policies and Processes Supporting Information Security

Organizational Structure and Governance for Information Security

Implementation of Standard Security Controls

Appropriate and Sufficient Security Tools and Technologies

Regulatory Benefits of Implementing an Information Security Management Framework

Regulatory benefits of implementing an Information Security Management Framework include:

Protecting the privacy of personally identifiable information (customer and employee)

Protecting sensitive information and resources from being accessed or shared with unauthorized users

Ensuring integrity of financial data

Ensuring that data content is protected and tamper-resistant

Ensuring well controlled systems

Ensuring secure development and maintenance of software, systems, and applications

Information Security Management Framework Lifecycle

The implementation of the Information Security Management Framework follows a Plan, Prevent, Detect, Respond cycle, a relabelling of the Plan-Do-Check-Act cycle used in other management frameworks such as ISO 9001 and ISO 14001.

Input: Work with business units to identify and classify their assets along with the business risks associated with those assets.

Development, maintenance and improvement cycle:

Plan: Ensure the context and scope of the Framework is correct and appropriate.

Prevent: Implement and operate the processes associated with the Framework.

Detect: Monitor the effectiveness of security processes.

Respond: Update Framework security processes from lessons learned.

Output: An effective Information Security Management Framework based on the organization's risk profile.

Information Security Management Framework Flow

Regulatory requirements and security standards, together with business initiatives and technology direction, define the organization's business and security environment. This environment shapes the organization's directive for information security, which in turn dictates the Information Security Management Framework (its security controls) and the technologies and solutions chosen to implement them.

Business and Security Environment (Regulatory Requirements, Business Initiatives, Security Standards, Technology Direction)
→ Organizational Directive for Information Security
→ Information Security Framework (Security Controls)
→ Technologies and Solutions

Identification of Regulations and Acts

Significant Regulations and Acts

Some of the more significant security regulations and acts include:

Gramm-Leach-Bliley Act (GLBA)

Health Insurance Portability and Accountability Act (HIPAA)

Sarbanes-Oxley Act (SOX)

European Union Data Protection Directive (EUDPD)

Personal Data Act

Computer Misuse Act

Data Protection Act

21 CFR Part 11

Basel II

Various State Security Breach Laws

Security Objectives

These regulations and acts specify information security objectives associated with:

Security Policy, Organization, and Program

Personnel, Human Resources, and Administrative security controls

User, Network, System, and Physical access management

Proactive vulnerability, risk, and threat assessment and management activities

Intrusion Detection capabilities

Event Logging and Monitoring and Incident Response programs and processes

Encryption capabilities and the protection of information confidentiality and integrity

Identification, authentication, and authorization controls to information and systems

Asset classification and control

Disaster Recovery and Business Continuity planning

This is not an all-inclusive list of security regulatory goals, but rather a sample of the security objectives of these regulations.

Introduction to Security Standards

Value Proposition of Security Standards

Security Standards:

Provide outlines of accepted best practice for security management

Provide guidelines for the implementation of security measures

Provide a framework for the management of information, network, and system security within an organization

Provide a suggested code of practice

Integrate security measures into an overall security architecture

Can be used by organizations of all sizes, industries, and sectors

Security standard compliance is NOT required by law, though some contracts now require certification.

Compliance and Certification

To achieve compliance the organization must implement measures to address all control objectives.

Formal certification is usually achieved through a formal audit conducted by a certified independent auditor.

Certification offers internal and external confidence in the Information Security Management Framework.

Certification demonstrates good governance and can provide evidence of due diligence for some regulatory compliance requirements.

Compliance Achievement Process

The process runs through four phases (Initiation, Analysis, Implementation, Compliance) with the following steps:

Initiation: Recognise the need; get management support; appoint a Program Manager.

Scoping: Decide on a suitable scope; define the scope; agree it with the Certification Body (formal certification only).

Gap Analysis: Identify existing controls; review existing documents; identify gaps between these and the Standard's requirements.

Risk Assessment: Identify assets within scope; identify threats to assets; assess the level of risk; identify treatment options.

Security Improvement: A managed program for addressing security issues. Typical activities: security policies and procedures; security awareness training; Internet and email usage; laptop and PDA security; backup procedures; firewall configuration review; penetration testing; review of user accounts.

Demonstrate Compliance: Document the ISMS policy; justify the claim in a documented Statement of Applicability.

Formal Certification: Documentation review and pre-audit (2-3 days); formal audit (4-8 days).

Industry Accepted Security Standards

Some of the more commonly accepted and implemented standards include:

International Standard ISO/IEC 17799:2005 (ISO 17799; since renumbered ISO/IEC 27002)

Australian Standard AS/NZS 7799.2:2003 (AS 7799; since superseded by ISO/IEC 27001)

Payment Card Industry Data Security Standard (PCI DSS)

Common Criteria for IT Security Evaluation (ISO/IEC 15408)

NIST computer security standards and guidelines (FIPS and the SP 800 series)

Understanding Security Controls

Security Controls Overview

Security Controls address security issues that should be considered as part of the Information Security Management Framework.

While there is no authoritative set of controls and titles, most security standards and best practices use similar titles and categories to define security controls:

Security Policy

Security Organization and Governance

Asset Management

Data Protection

Personnel Security

Physical and Environmental

Communications and Operations Management

Access Control

Logging and Monitoring

Vulnerability Management

Incident Management

Software & System Acquisition, Development, and Maintenance

Business Continuity Management

Compliance

Security Control Objectives - 1

Security Policy:

Documented security objectives for the organization that are agreed and approved by management

Security Organization and Governance:

Assigning security responsibilities and accountability, and a management forum for setting and approving security objectives

Security Control Objectives - 2

Asset Management:

The management (identification, classification, and control) of information and hardware & software resources

Data Protection:

Effective controls for protecting the confidentiality, integrity, and availability of information and information resources

Security Control Objectives - 3

Personnel Security:

The management of staff, terms of employment, termination processes, and awareness and training

Physical and Environmental Security:

Securing the human and system physical environment; including entry controls, fire and power controls, cable and rack security

Security Control Objectives - 4

Communications and Operations Management:

Key security aspects of managing network and system components securely, including backups, anti-virus, patches, media and laptop security

Access Control:

The control of logical, physical, and remote access to information and resources; including identification and authentication, authorization, password and user management on applications, operating systems, and within networks

Security Control Objectives - 5

Logging and Monitoring:

The collection, aggregation, normalization, correlation, mining, and tracking of security events
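A minimal version of that pipeline, added here as an illustration and not part of the original slides: two constructed log feeds (sshd-style syslog lines and JSON records from a hypothetical application called "portal") are collected, normalized to one event schema, aggregated in time order, and correlated to flag a source address that produces three or more failed logins followed by a success within ten minutes. The log lines, field names, threshold and window are all assumptions chosen for the demonstration.

```python
"""Normalize security events from two constructed log formats and correlate
failed-then-successful logins per source address.

Added example for the Logging and Monitoring control objective; not part of
the original slides. The log lines below are constructed, not captured, and
the formats, field names, threshold and window are assumptions for the demo.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: syslog-style sshd lines and JSON lines from a
# hypothetical web application. Real sources would be read from files or a
# collector; here they are embedded so the example runs offline.
SYSLOG_LINES = [
    "2015-12-18T09:00:01 host1 sshd[101]: Failed password for alice from 10.0.0.5 port 5000 ssh2",
    "2015-12-18T09:00:05 host1 sshd[102]: Failed password for alice from 10.0.0.5 port 5001 ssh2",
    "2015-12-18T09:00:09 host1 sshd[103]: Failed password for root from 10.0.0.5 port 5002 ssh2",
    "2015-12-18T09:00:20 host1 sshd[104]: Accepted password for alice from 10.0.0.5 port 5003 ssh2",
    "2015-12-18T09:05:00 host1 sshd[105]: Failed password for bob from 10.0.0.9 port 6000 ssh2",
]
WEBAPP_LINES = [
    '{"ts": "2015-12-18T09:01:00", "app": "portal", "event": "login", "result": "fail", "user": "carol", "src": "10.0.0.7"}',
    '{"ts": "2015-12-18T09:01:03", "app": "portal", "event": "login", "result": "fail", "user": "carol", "src": "10.0.0.7"}',
    '{"ts": "2015-12-18T09:01:05", "app": "portal", "event": "login", "result": "fail", "user": "carol", "src": "10.0.0.7"}',
    '{"ts": "2015-12-18T09:20:00", "app": "portal", "event": "login", "result": "success", "user": "carol", "src": "10.0.0.7"}',
]

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def normalize_syslog(line):
    """Map an sshd line onto the common schema; return None for unrelated lines."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "source": "sshd@" + m["host"],
        "user": m["user"],
        "src": m["src"],
        "outcome": "success" if m["outcome"] == "Accepted" else "fail",
    }

def normalize_webapp(line):
    """Map a JSON application record onto the same schema."""
    rec = json.loads(line)
    if rec.get("event") != "login":
        return None
    return {
        "ts": datetime.fromisoformat(rec["ts"]),
        "source": rec["app"],
        "user": rec["user"],
        "src": rec["src"],
        "outcome": rec["result"],
    }

def aggregate(syslog_lines, webapp_lines):
    """Collect both feeds into one time-ordered list of normalized events."""
    events = [normalize_syslog(l) for l in syslog_lines]
    events += [normalize_webapp(l) for l in webapp_lines]
    return sorted((e for e in events if e), key=lambda e: e["ts"])

def correlate(events, threshold=3, window=timedelta(minutes=10)):
    """Flag a source address that produced `threshold` or more failed logins
    and then a successful login, all within `window`. Returns the alerts."""
    history = defaultdict(list)   # src -> timestamps of recent failures
    alerts = []
    for e in events:
        # Drop failures that have aged out of the correlation window.
        recent = [t for t in history[e["src"]] if e["ts"] - t <= window]
        if e["outcome"] == "fail":
            recent.append(e["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "src": e["src"], "user": e["user"], "source": e["source"],
                "failures": len(recent), "ts": e["ts"],
            })
            recent = []   # reset after alerting so one burst yields one alert
        history[e["src"]] = recent
    return alerts

if __name__ == "__main__":
    for a in correlate(aggregate(SYSLOG_LINES, WEBAPP_LINES)):
        print("ALERT", a)
```

Run stand-alone it prints one alert, for 10.0.0.5 against the alice account. The second burst (10.0.0.7 against portal) is deliberately followed by a success outside the ten-minute window and so produces nothing; tuning that window and threshold to the environment is the practical core of the correlation rule, and the shared schema is what lets one rule serve both feeds.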

Vulnerability Management:

The performance of risk, threat, and vulnerability assessments

Security Control Objectives - 6

Incident Management:

The detection, reporting, recording, handling, response, review, and management of security incidents

Software & System Acquisition, Development, and Maintenance:

The secure development and maintenance of software and systems for on-going secure operation

Security Control Objectives - 7

Business Continuity Management:

Planning and defining the response in the event of a disaster or disruption in business to ensure continuity of operations

Compliance:

Ensuring compliance with security and privacy legislative requirements

Technology Solutions Assisting In Regulatory Compliance

Microsoft's "The Regulatory Compliance Planning Guide" describes technology solutions that assist regulatory compliance. Its solution categories include:

• Document Management Solutions

• Business Process Management Solutions

• Project Management Solutions

• Risk Assessment Solutions

• Change Management Solutions

• Network Security Controls

• Host Control Solutions

• Malicious Software Prevention Solutions

• Application Security Solutions

• Messaging and Collaboration Solutions

• Data Classification and Protection Solutions

• Identity Management Solutions

• Authentication, Authorization, and Access Control Solutions

• Training Solutions

• Physical Security Solutions

• Vulnerability Identification Solutions

• Monitoring and Reporting Solutions

• Disaster Recovery and Failover Solutions

• Incident Management and Trouble-Tracking Solutions

Session Summary

Regulatory compliance has emerged as the biggest driver of information security initiatives and spending.

Regulations and Acts specify information security objectives necessary for regulatory compliance.

Any organization can use the guidance and requirements in security standards to improve aspects of its internal security management.

Security Controls address security issues that should be considered as part of the Information Security Management Framework.

Many Microsoft products and technology solutions support the implementation of security controls and assist in regulatory compliance.