
PLANNING

DR M Y Siyal Computer/Information Security P2-1


HOW LONG DO I HAVE, DOC?

Source http://isc.sans.org/survivaltime.html
SECURITY PLANNING
 SECURITY PLANNING PRINCIPLES
RISK ANALYSIS
The process of balancing threat and protection costs for
individual assets.
Annual cost of protection should not exceed the expected
annual damage.
 If probable annual damage is $10,000 and the annual cost
of protection is $200,000, protection should not be
undertaken.
The goal is not to eliminate risk but to reduce it to an economically
rational level.



SECURITY PLANNING PRINCIPLES
 COMPREHENSIVE SECURITY
An attacker only has to find one weakness to succeed.
A firm needs to close off all avenues of attack (comprehensive
security).
This requires very good planning.
 DEFENSE IN DEPTH
Every protection breaks down sometimes.
The attacker should have to break through several lines of defense to
succeed.
Even if one protection breaks down, the attack will not succeed.
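Worked example of the two slides above (risk analysis and defense in depth), added here and not part of the lecture: it applies the rule that annual protection cost must not exceed the expected annual damage, first to the slides' $10,000 vs $200,000 figures and then to deciding how many lines of defense are economically rational. The control names, costs and bypass probabilities are constructed, and it assumes (the slides do not say this) that layers fail independently, so their bypass probabilities multiply.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float         # yearly cost of running this line of defense
    bypass_probability: float  # chance an attacker gets past it (0.0 .. 1.0)


def expected_annual_damage(unprotected_damage: float, layers: Iterable[Control]) -> float:
    """Expected annual damage once an attack must get through every layer.
    Assumption: layers fail independently, so bypass probabilities multiply."""
    p_through = 1.0
    for c in layers:
        p_through *= c.bypass_probability
    return unprotected_damage * p_through


def should_protect(probable_annual_damage: float, annual_protection_cost: float) -> bool:
    """The slides' rule: undertake protection only if its annual cost does not
    exceed the expected annual damage it is meant to prevent."""
    return annual_protection_cost <= probable_annual_damage


def select_layers(unprotected_damage: float, candidates: Iterable[Control]) -> Tuple[List[Control], float]:
    """Greedy defense in depth: take the most cost-effective layer first and keep
    adding layers while each one's cost is covered by the damage it avoids.
    Returns the chosen layers and the residual expected annual damage."""
    chosen: List[Control] = []
    residual = unprotected_damage
    # Damage avoided per dollar is residual * (1 - p) / cost, so ordering by
    # (1 - p) / cost gives the same ranking at every step.
    for c in sorted(candidates, key=lambda c: (1 - c.bypass_probability) / c.annual_cost, reverse=True):
        avoided = residual * (1 - c.bypass_probability)
        if should_protect(avoided, c.annual_cost):
            chosen.append(c)
            residual -= avoided
    return chosen, residual


# Constructed figures for one asset; not taken from the slides.
UNPROTECTED_DAMAGE = 100_000.0
CANDIDATES = [
    Control("network firewall", 5_000.0, 0.30),
    Control("patch management", 10_000.0, 0.50),
    Control("multi-factor authentication", 20_000.0, 0.20),
    Control("data-loss prevention", 60_000.0, 0.50),
]

if __name__ == "__main__":
    print("protect at $200,000 against $10,000 damage?", should_protect(10_000, 200_000))
    layers, residual = select_layers(UNPROTECTED_DAMAGE, CANDIDATES)
    print([c.name for c in layers], round(residual))
```

With the constructed figures only the first two layers pay for themselves; the remaining $15,000 of expected damage is the residual risk the slides say a firm accepts rather than eliminates.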



DIMENSIONS OF COMPUTER SECURITY
 THERE ARE TWO ASPECTS OF COMPUTER SECURITY
Technical
Managerial
 TECHNICAL
Main focus is on developing technical expertise and technologies
for computer security
Encryption techniques
Firewalls
Biometric-based security technologies
 MANAGERIAL
The focus is on developing security policies and procedures
Policies and mechanisms
Operational Issues
Human Issues
SECURITY IMPLEMENTATION RELIES ON

Policies must be developed, communicated, maintained and enforced.
Technology: systems must be built to technically adhere to policy.
Process: processes must be developed that show how policies will be
implemented.
People: people must understand their responsibilities regarding policy.



POLICY-BASED SECURITY

Planners create policies, which specify what to do but not how to do it.
Policy-makers create policies with global knowledge.
Implementers implement policies with local and technical expertise.



POLICY-BASED SECURITY

Implementation guidance goes beyond pure “what” by constraining to some
extent the “how”.
For example, it may specify that encryption keys must be more than 100
bits long.
It constrains implementers so they will make reasonable choices.



POLICY-BASED SECURITY

Implementation guidance has two forms.
Standards MUST be followed by implementers.
Guidelines SHOULD be followed, but are optional. However, guidelines must
be considered carefully.



POLICY-BASED SECURITY

Oversight checks that policies are being implemented successfully.
Good implementation + Good oversight = Good protection



POLICY-BASED SECURITY

Policies are given to implementers and oversight staff independently.
Oversight may uncover implementation problems or problems with the
specification of the policy.
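Example of how the implementation-guidance and oversight slides above fit together, added here and not part of the lecture: guidance is encoded as rules, a failed standard (MUST) makes the implementation non-compliant, and an unmet guideline (SHOULD) is tolerated only when the implementer recorded why it was not followed. The 100-bit key-length rule is the slides' own example; the other rules, thresholds and the sample configuration are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    name: str
    level: str                     # "MUST" = standard, "SHOULD" = guideline
    check: Callable[[dict], bool]  # True when the implementation complies


# Constructed implementation guidance; only the key-length rule is from the slides.
RULES: List[Rule] = [
    Rule("encryption keys longer than 100 bits", "MUST",
         lambda cfg: cfg.get("key_bits", 0) > 100),
    Rule("TLS on every network listener", "MUST",
         lambda cfg: cfg.get("tls_on_all_listeners", False)),
    Rule("session timeout of 30 minutes or less", "SHOULD",
         lambda cfg: cfg.get("session_timeout_min", float("inf")) <= 30),
    Rule("logs forwarded to the central collector", "SHOULD",
         lambda cfg: cfg.get("central_logging", False)),
]


def oversight_review(config: dict, rules: List[Rule] = RULES) -> Dict[str, object]:
    """Check an implementer's configuration the way oversight staff would.
    A failed standard makes the implementation non-compliant. An unmet
    guideline is permitted only if the implementer recorded a reason, which
    is what "guidelines must be considered carefully" means in practice."""
    exceptions = config.get("guideline_exceptions", {})  # rule name -> reason
    failed_standards, unmet, unjustified = [], [], []
    for r in rules:
        if r.check(config):
            continue
        if r.level == "MUST":
            failed_standards.append(r.name)
        else:
            unmet.append(r.name)
            if not exceptions.get(r.name):
                unjustified.append(r.name)
    return {
        "compliant": not failed_standards and not unjustified,
        "failed_standards": failed_standards,
        "unmet_guidelines": unmet,
        "unjustified_guidelines": unjustified,
    }


# Constructed configuration as submitted by an implementer.
SAMPLE_CONFIG = {
    "key_bits": 128, "tls_on_all_listeners": True,
    "session_timeout_min": 60, "central_logging": True,
    "guideline_exceptions": {"session timeout of 30 minutes or less":
                             "batch operators need long-running sessions"},
}
```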



SECURITY APPROACHES
 BOTTOM UP APPROACH
 Systems administrators attempt to improve the security of their systems
 Key advantage: Technical expertise of the individual administrators
 Key disadvantage: seldom works, since it lacks critical features:
 Participant support
 Organizational staying power
 TOP-DOWN APPROACH
 Initiated by upper management:
 Issue policy, procedures, and processes
 Dictate the goals and expected outcomes of the project
 Determine who is accountable for each required action
 Pluses
 Strong upper management support
 Dedicated champion
 Dedicated funding
 Clear planning
 Chance to influence organizational culture
SECURITY APPROACHES

TOP-DOWN APPROACH (initiated by upper management) versus BOTTOM-UP
APPROACH (initiated by systems administrators), shown on the organization
chart:

CEO
CFO | CIO | COO
CISO | VP-Systems | VP-Networks
security manager | systems manager | network manager
security admin | systems admin | network admin
security tech | systems tech | network tech



AN AFFIRMATIVE MODEL OF DEFENSE
DIGITAL LIABILITY MANAGEMENT

 DLM MODEL AND METHODOLOGY


 Benefits of the top-down approach to implementation.
 Role of people, process and technology in security.
 THE OBJECTIVE OF THE DLM APPROACH
To protect against the occurrence of intrusion and
incidents.
To provide a good defense when they occur.
 The four defense tiers help companies deal with the
challenging threats and vulnerabilities.



DLM FOUR TIERS OF DEFENSE

TIER 1 Senior management commitment and support
TIER 2 Acceptable-use policies and other statements of practice
TIER 3 Secure-use procedures
TIER 4 Hardware, software and network security tools



SECURITY STRATEGIES
 Security strategies that are technology-centric or policy-centric will
fail.
 Technology-centric strategies are weak without strong policies and
practices.
 Policy-centric strategies are ineffective without technology to monitor
and enforce them.
 What is needed is a comprehensive, multi-faceted approach based on:
SENIOR MANAGEMENT SUPPORT
POLICIES
PROCESSES
TECHNOLOGIES
because all four play a vital role in the proper execution of a security
program.



THE SYSTEM DEVELOPMENT LIFE CYCLE
 Computer security must be managed in a manner similar to any other major
system implemented in the organization
 USING A METHODOLOGY
 Ensures a rigorous process
 Avoids missing steps
 Goal is to create a comprehensive security program
 SDLC Waterfall Methodology (figure), phases in order:
Investigation
Analysis
Logical Design
Physical Design
Implementation
Maintenance and change
REPEAT



SDLC WATERFALL METHODOLOGY
 INVESTIGATION
 What is the problem the system is being developed to solve?
 The objectives, constraints, and scope of the project are specified
 A preliminary cost/benefit analysis is developed
 A feasibility analysis is performed to assess the economic, technical, and
behavioral feasibilities of the process
 ANALYSIS
 Consists primarily of
 Assessments of the organization
 The status of current systems
 Capability to support the proposed systems
 ANALYSTS BEGIN TO DETERMINE
 What the new system is expected to do
 How the new system will interact with existing systems
 Ends with the documentation of the findings and a feasibility analysis update
 LOGICAL DESIGN
 Based on business need, applications are selected capable of providing
needed services
SDLC WATERFALL METHODOLOGY
 At the end, another feasibility analysis is performed
 PHYSICAL DESIGN
 Specific technologies are selected to support the alternatives identified and
evaluated in the logical design
 Selected components are evaluated based on a make-or-buy decision
 Entire solution is presented to the end-user representatives for approval
 IMPLEMENTATION
 Components are ordered, received, assembled, and tested
 Users are trained and documentation created
 Users are then presented with the system for a performance review and
acceptance test
 MAINTENANCE AND CHANGE
 Tasks necessary to support and modify the system for the remainder of its
useful life
 The life cycle continues until the process begins again from the investigation
phase
 When the current system can no longer support the mission of the
organization, a new project is implemented
INFORMATION SECURITY LIFE CYCLE
 There are four key steps or milestones within the Lifecycle
 Assessment
 Remediation and Architecture
 Education and Awareness
 Management



SECURITY PROFESSIONALS AND THE ORGANIZATION

 It takes a wide range of professionals to support a diverse computer security program


 To develop and execute specific security policies and procedures, additional
administrative support and technical expertise are required
 SENIOR MANAGEMENT
 Chief Information Officer
 The senior technology officer
 Primarily responsible for advising the senior executive(s) for strategic planning
 Chief Information Security Officer
 Responsible for the assessment, management, and implementation of
securing the information in the organization
 May also be referred to as the Manager for Security, Security Manager, the
Security Administrator, or a similar title
 SECURITY PROJECT TEAM
 The team leader
 Security policy developers
 Risk assessment specialists
 Security professionals
 Systems administrators
 End users
