SECURITY MODELS FOR IMPROVING YOUR ORGANIZATION’S DEFENCE POSTURE AND STRATEGY

Vladimir Jirasek
Blog: JirasekOnSecurity.com
Bio: About.me/jirasek
9th Nov 2011
About me
• Security professional (11 years)
• Founding member and steering group member of the Common Assurance Maturity Model (CAMM, common-assurance.com)
• Director, CSA UK & Ireland
• I love reading books: thrillers (Clive Cussler) and
  business management (Jo Owen)
Topics I will cover today
• Security model for information security
• Security policy structure
• Security processes
• Security technology stack
• Security metrics for organisations
Security model – business drives security

[Diagram: drivers on the left define the security rules; security management in the middle consists of a policy framework, a process framework and a metrics framework; the audiences on the right are informed by the metrics.]

Drivers (Define):
• International security standards
• Laws & Regulations
• Compliance requirements
• Business objectives
• Security threats, fed in through security intelligence

Security management:
• Policy framework: Information Security policies, Information Security standards and Information Security artefacts. Output: define security controls.
• Process framework: Information Security processes, covering technology, people and rules. Output: execute security controls.
• Metrics framework: Information Security metrics objectives, published through a Security Metrics Portal and complemented by external security metrics. Output: measure security controls maturity. The results feed back as correction of security processes.

Audiences (Inform): CEO & Board, Governance, Line Management, Product Management, Program Management, Risk & Compliance, Auditors, Security Professionals.
Information Security Policy framework

[Diagram: each layer of the policy framework has an owner on the left and is driven by the objectives shown on the right.]

• CISO: Information Security Policy, driven by business and security objectives, with a Data classification policy and an Employee Acceptable Use Policy beneath it
• CIO: Information Technology Security Policy, driven by security objectives
• IT Security: IT security standards (reuse internationally accepted controls) and architecture
• Technical teams: security architecture repository and security guidelines, realised as technology, controls and processes
Relationship between business objectives and security processes

[Diagram: business objectives on the left map to security objectives, which map to controls drawn from international standards, which are implemented by security processes that protect the business processes on the right.]

Read top-down, the chain provides the response to “Do we have all business risks covered?”. Read bottom-up, it provides the response to “Why are we doing this?”.

As far as the layout is recoverable from the export:
• Business objective BO1 → Security objectives SO1 (Controls C1, C2, C3) and SO2 (Controls C4, C5) → Security process P1
• Business objective BO2 → Security objective SO3 (Controls C6, C7) → Security process P2
• Business objective BO3 → Security objective SO4 (Controls C8, C9); Security objective SO5 (Controls C10, C11) → Security processes P3 and P4
• Security processes P1 to P4 protect business processes B1, B2 and B3
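The two questions the diagram answers can be turned into checks over the same four-layer chain. The following is an added example, not part of the slide deck: the labels BO1..BO3, SO1..SO5, C1..C11, P1..P4 and B1..B3 follow the slide, but the individual links are constructed, and BO4/SO6/C12 (an objective whose control is never executed) and C13 (a catalogue control no objective needs) are added deliberately so the checks have something to report.

```python
"""Traceability between business objectives and security processes.

Added example, not from the slides. Labels BO1..BO3, SO1..SO5, C1..C11,
P1..P4 and B1..B3 follow the slide; the individual links, the uncovered
BO4/SO6/C12 chain and the orphan control C13 are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Set


class TraceabilityModel:
    """Chain: business objective -> security objective -> control
    -> security process -> business process."""

    def __init__(self) -> None:
        self.bo_to_so: Dict[str, Set[str]] = defaultdict(set)
        self.so_to_ctl: Dict[str, Set[str]] = defaultdict(set)
        self.ctl_to_proc: Dict[str, Set[str]] = defaultdict(set)
        self.proc_to_biz: Dict[str, Set[str]] = defaultdict(set)
        self.business_objectives: Set[str] = set()
        self.controls: Set[str] = set()          # the whole control catalogue

    def business_objective(self, bo: str, *security_objectives: str) -> None:
        self.business_objectives.add(bo)
        self.bo_to_so[bo].update(security_objectives)

    def control(self, ctl: str, *security_objectives: str) -> None:
        # A control enters the catalogue even if no objective needs it (yet).
        self.controls.add(ctl)
        for so in security_objectives:
            self.so_to_ctl[so].add(ctl)

    def process(self, proc: str, controls: List[str], business_processes: List[str]) -> None:
        for ctl in controls:
            self.ctl_to_proc[ctl].add(proc)
        self.proc_to_biz[proc].update(business_processes)

    # Top-down: "Do we have all business risks covered?"
    def processes_for(self, bo: str) -> Set[str]:
        """Security processes that actually execute controls for a business objective."""
        procs: Set[str] = set()
        for so in self.bo_to_so.get(bo, ()):
            for ctl in self.so_to_ctl.get(so, ()):
                procs.update(self.ctl_to_proc.get(ctl, ()))
        return procs

    def uncovered_business_objectives(self) -> List[str]:
        """Objectives whose controls are defined but never executed by any process."""
        return sorted(bo for bo in self.business_objectives if not self.processes_for(bo))

    def orphan_controls(self) -> List[str]:
        """Catalogue controls no security objective asks for: candidates to retire."""
        needed = {c for ctls in self.so_to_ctl.values() for c in ctls}
        return sorted(self.controls - needed)

    # Bottom-up: "Why are we doing this?"
    def justification(self, proc: str) -> List[str]:
        """Walk a security process back to the business objectives it serves."""
        ctls = {c for c, procs in self.ctl_to_proc.items() if proc in procs}
        sos = {so for so, cs in self.so_to_ctl.items() if cs & ctls}
        return sorted(bo for bo, s in self.bo_to_so.items() if s & sos)


def build_example() -> TraceabilityModel:
    """Constructed model following the slide's labelling."""
    m = TraceabilityModel()
    m.business_objective("BO1", "SO1", "SO2")
    m.business_objective("BO2", "SO3")
    m.business_objective("BO3", "SO4", "SO5")
    m.business_objective("BO4", "SO6")        # constructed: its control is never executed
    for ctl, so in [("C1", "SO1"), ("C2", "SO1"), ("C3", "SO1"), ("C4", "SO2"),
                    ("C5", "SO2"), ("C6", "SO3"), ("C7", "SO3"), ("C8", "SO4"),
                    ("C9", "SO4"), ("C10", "SO5"), ("C11", "SO5"), ("C12", "SO6")]:
        m.control(ctl, so)
    m.control("C13")                          # constructed orphan: in the catalogue, no objective
    m.process("P1", ["C1", "C2", "C3", "C4", "C5"], ["B1"])
    m.process("P2", ["C6", "C7"], ["B2"])
    m.process("P3", ["C8", "C9", "C10"], ["B3"])
    m.process("P4", ["C11"], ["B3"])
    return m


if __name__ == "__main__":
    model = build_example()
    print("Uncovered business objectives:", model.uncovered_business_objectives())
    print("Orphan controls:", model.orphan_controls())
    print("Why do we run P3?", model.justification("P3"))
```

Running it reports BO4 as uncovered (C12 is defined for SO6 but no process executes it), C13 as an orphan control, and BO3 as the reason P3 exists. In practice the same structure is populated from the policy framework (objectives), the chosen standard (controls) and the process catalogue, and the two checks are run whenever any of them changes.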
Sources of security controls
• ISO 27000 series
• ISF Standard of Good Practice 2011
• PCI DSS
• NIST SP 800-53
• COBIT 4
• SANS 20 critical controls
Security technology stack

[Diagram: the stack as drawn. GRC sits across the top with Information & Event Management beneath it, both spanning every layer; Identity, Entitlement, Access and Cryptography run vertically alongside the layered controls.]

Layers, top to bottom:
• GRC
• Information & Event Management
• Identity, Entitlement, Access (vertical)
• Data Security
• Cryptography (vertical)
• Application Security
• Host Security
• Network Security
• Physical Security

• Organise security reporting around the stack
• For each layer prepare current-state and target-state analysis and a roadmap
Security stack::Network
• Network firewalls
• VPN gateways
• Network Intrusion Detection/Prevention
• DDoS
• WiFi security
• Network Access Control
• DNS Security
• Web, Email & IM filtering
Network security relationships

[Diagram: Network security in the centre, with what it provides to and consumes from the other stack layers.]
• Data security: monitor and control data flows on the network
• Host security: interconnect hosts on the network; establish secure channel; control hosts on the network
• Identity and Access: use identity; retrieve access control
• Application security: monitor and control applications running on the network
• Cryptography: key management; crypto offload
• Security event management: send security logs; detect security incidents
Security stack::Host
• Configuration compliance
• Patch management
• Vulnerability scanning
• Anti-malware
• Application control
• Location awareness
• Device control
• Trusted execution protection
Host security relationships

[Diagram: Host security in the centre, with what it provides to and consumes from the other stack layers.]
• Network security: monitor and filter restricted data
• Data security: protects data at rest
• Application security: protect integrity of applications
• Identity and Access domain: use identity; retrieve access control
• Cryptography domain: key management
• Security event management: send security logs; detect security incidents
Security stack::Application
• Code reviews/scanning – binary and source
• Security sensors (AppSensor)
• Web application scanning
• Penetration testing
• Web protection (WAF)

Application Security Services throughout a lifecycle

[Chart: lifecycle stages E1, E2, E3, E4, E5 and EOL along the x-axis; number of flaws and vulnerabilities plotted against cost to remediate. Services placed along the lifecycle, earliest first: Binary Code Analysis, IT Security Assessment, Web Application Scanning, Web Application Protection.]
Application security relationships

[Diagram: Application security in the centre, with its relationships to the other stack layers; the detail did not survive the export.]
Security stack::Data
• Data classification
• Email encryption
• File encryption
• Document Rights Management
• Data Leakage protection
• Watermarking
• End point encryption
• Database security
Data security relationships

[Diagram: Data security in the centre, with its relationships to the other stack layers; the detail did not survive the export.]
Security stack::IAEM
• Principal management
• Account provisioning
• Rights management
• Directories
• Single sign-on and federation
• Authorisation
• Role and rights auditing
• Second-factor authentication
IAEM relationships

[Diagram: Identity and Access in the centre, serving the other stack layers.]
• Identity and Access provides authentication and authorisation services to Network security, Host security, Data security and Application security
• Security event management: send security logs; detect security incidents
• Cryptography domain: key management
Security stack::Cryptography
• Key generation
• Key escrow
• Host and Network HSM
• Certificate management & PKI
Cryptography relationships

[Diagram: Cryptography in the centre, with the services it provides to each stack layer.]
• Data security: store encryption keys; email certificates
• Host security: disk encryption
• Identity and Access: certificates for authentication
• Application security: application signing; encrypted and signed application communication
• Security event management: digital signatures of log files; encryption of sensitive logs
• Network security: IPsec VPN; SSL VPN, SSL split tunnel
Security stack::SIEM
• Collection of security relevant logs
• Archiving – retention
• Correlation with other data sources
• Acting on security information
• Ideally, use an MSSP
SIEM relationships

[Diagram: Security event management at the top, fed by the CMDB and by every other stack layer.]
• CMDB: collect security configuration
• Identity and Access, Data security, Network security, Cryptography, Application security: collect, analyse and react on security events
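“Correlation with other data sources” in practice means the event stream is worth little until it is joined with the CMDB (which service and how critical the host is) and with identity data (who the account is and whether it should still exist). The following is an added example, not part of the slide deck, showing that join over constructed authentication logs; the hostnames, accounts, IP addresses, CMDB and IAM extracts and the log format are all made up for the illustration.

```python
"""SIEM correlation: alerts from authentication logs enriched with CMDB and
identity data.

Added example, not from the slide deck. Log lines, hostnames, accounts, IP
addresses and the CMDB/IAM extracts are constructed. Log format, one event
per line:  <timestamp> <host> <auth_fail|auth_ok> <user> <source-ip>
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample logs: a guessing run that finally succeeds against a
# database host, a single mistyped password on a kiosk, and a leaver logging
# into a finance host.
LOGS = """\
2011-11-09T10:00:01 db01   auth_fail svc_backup 10.0.5.7
2011-11-09T10:00:03 db01   auth_fail svc_backup 10.0.5.7
2011-11-09T10:00:05 db01   auth_fail svc_backup 10.0.5.7
2011-11-09T10:00:09 db01   auth_ok   svc_backup 10.0.5.7
2011-11-09T10:02:00 kiosk3 auth_fail jsmith     10.0.9.2
2011-11-09T10:02:02 kiosk3 auth_ok   jsmith     10.0.9.2
2011-11-09T10:05:00 fin01  auth_ok   amiller    10.0.3.4
"""

# Constructed CMDB extract: IT service each host belongs to and its criticality.
CMDB: Dict[str, Dict[str, str]] = {
    "db01":   {"service": "IT Service 2", "criticality": "high"},
    "kiosk3": {"service": "IT Service 1", "criticality": "low"},
    "fin01":  {"service": "IT Service 3", "criticality": "medium"},
}

# Constructed identity extract: privilege level and HR status per account.
IAM: Dict[str, Dict[str, object]] = {
    "svc_backup": {"privileged": True,  "status": "active"},
    "jsmith":     {"privileged": False, "status": "active"},
    "amiller":    {"privileged": True,  "status": "leaver"},
}

SEVERITY = ["low", "medium", "high", "critical"]


@dataclass
class Event:
    ts: str
    host: str
    kind: str
    user: str
    src: str


def parse(raw: str) -> List[Event]:
    """Split the whitespace-separated log format into events."""
    return [Event(*line.split()) for line in raw.splitlines() if line.strip()]


def severity(host: str, user: str) -> str:
    """Start at medium; step up for a highly critical host and for a privileged account."""
    level = 1
    if CMDB.get(host, {}).get("criticality") == "high":
        level += 1
    if IAM.get(user, {}).get("privileged"):
        level += 1
    return SEVERITY[min(level, len(SEVERITY) - 1)]


def alert(rule: str, e: Event) -> Dict[str, str]:
    """Enrich the triggering event so the alert can be reported per IT service."""
    return {"rule": rule, "ts": e.ts, "host": e.host, "user": e.user, "src": e.src,
            "service": CMDB.get(e.host, {}).get("service", "unknown"),
            "severity": severity(e.host, e.user)}


def correlate(events: List[Event], threshold: int = 3) -> List[Dict[str, str]]:
    """Two rules:
    1. At least `threshold` consecutive failures followed by a success for the
       same (host, user, source): a guess that worked.
    2. Any successful login by an account IAM marks as a leaver."""
    alerts: List[Dict[str, str]] = []
    failures: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for e in events:
        key = (e.host, e.user, e.src)
        if e.kind == "auth_fail":
            failures[key] += 1
        elif e.kind == "auth_ok":
            if failures[key] >= threshold:
                alerts.append(alert("brute_force_then_success", e))
            failures[key] = 0
            if IAM.get(e.user, {}).get("status") == "leaver":
                alerts.append(alert("leaver_account_used", e))
    return alerts


if __name__ == "__main__":
    for a in correlate(parse(LOGS)):
        print(a)
```

On the sample the db01 run produces a critical alert (high-criticality host, privileged service account) tagged with “IT Service 2”, the kiosk typo produces nothing, and the leaver’s login is raised as high. Without the CMDB and IAM joins all three logins look the same to the collector, which is the point of correlating rather than merely archiving.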
Security metrics characteristics
• Measurable
• Objective
• Quantitative (ideally)
• Meaningful
• With KPIs attached – know what is good and bad
• Linked to business objectives – money speaks
Metrics for CIO – Policy compliance and control maturity

Policy statement | IT Unit A | IT Unit B | IT Unit C | Overall IT
-----------------|-----------|-----------|-----------|------------
Governance       | 3         | 3.5       | 2         | 3
Awareness        | 3         | 4         | 3         | 3.5
Development      | N/A       | 2         | 1         | 1.5
Hardening        | 4         | N/A       | 2         | 3
Network          | N/A       | N/A       | 3         | 3
End devices      | 2         | 2         | 3         | 2
Overall          | 3 (£3m)   | 3 (£100k) | 2 (£10m)  | 3 (£13.1m)
Metrics for CIO – Maturity of controls for business processes/services

Invest in IT service to lower the VaR

IT service \ Business process | Maturity | VaR for Process A | VaR for Process B | VaR for Process C | VaR for IT service
------------------------------|----------|-------------------|-------------------|-------------------|--------------------
IT Service 1                  | 2        | £1m               | £2m               | £1m               | £4m
Infrastructure                | 3        | £1m               | £3m               | £10m              | £14m
IT Service 2                  | 3        | £0.5m             | N/A               | £20m              | £20.5m
IT Service 3                  | 4        | N/A               | £100k             | £500k             | £600k
Overall                       |          | £2.5m             | £5.1m             | £31.5m            | £39.1m
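The table only earns the “invest to lower the VaR” reading if the row and column totals reconcile and the services are ranked by the risk they carry. The following is an added example, not part of the slide deck: it reproduces the slide’s figures in GBP, treats N/A as the service playing no part in that process, checks that service totals and process totals agree (a mismatch usually means a k/m units slip in one cell), and ranks services below a target maturity by VaR. The target maturity of 4 and the ranking rule are assumptions, not something the slide states.

```python
"""Value-at-risk (VaR) roll-up for the CIO metrics slide.

Added example, not from the slide deck. Figures reproduce the slide's table
in GBP; None stands for N/A. The target maturity and the ranking rule
(highest VaR first among services below target) are assumptions.
"""
from typing import Dict, List, Optional, Tuple

Row = Tuple[int, Dict[str, Optional[int]]]   # (maturity, {business process: VaR})

TABLE: Dict[str, Row] = {
    "IT Service 1":   (2, {"Process A": 1_000_000, "Process B": 2_000_000, "Process C": 1_000_000}),
    "Infrastructure": (3, {"Process A": 1_000_000, "Process B": 3_000_000, "Process C": 10_000_000}),
    "IT Service 2":   (3, {"Process A": 500_000,   "Process B": None,      "Process C": 20_000_000}),
    "IT Service 3":   (4, {"Process A": None,      "Process B": 100_000,   "Process C": 500_000}),
}


def var_per_service(table: Dict[str, Row]) -> Dict[str, int]:
    """Row totals: VaR carried by each IT service across the processes it supports."""
    return {svc: sum(v for v in procs.values() if v is not None)
            for svc, (_, procs) in table.items()}


def var_per_process(table: Dict[str, Row]) -> Dict[str, int]:
    """Column totals: VaR of each business process across the services it relies on."""
    totals: Dict[str, int] = {}
    for _, procs in table.values():
        for proc, v in procs.items():
            if v is not None:
                totals[proc] = totals.get(proc, 0) + v
    return totals


def reconcile(table: Dict[str, Row]) -> int:
    """Service totals and process totals must agree; returns the overall VaR."""
    by_service = sum(var_per_service(table).values())
    by_process = sum(var_per_process(table).values())
    if by_service != by_process:
        raise ValueError(f"totals disagree: services {by_service} vs processes {by_process}")
    return by_service


def investment_priority(table: Dict[str, Row], target_maturity: int = 4) -> List[Tuple[str, int, int]]:
    """Services below the target maturity, highest VaR first, with the gap to close."""
    svc_var = var_per_service(table)
    below = [(svc, svc_var[svc], target_maturity - maturity)
             for svc, (maturity, _) in table.items() if maturity < target_maturity]
    return sorted(below, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    print(f"Overall VaR: £{reconcile(TABLE):,}")
    for svc, var, gap in investment_priority(TABLE):
        print(f"{svc}: £{var:,} at risk, {gap} maturity level(s) below target")
```

With the slide’s figures the overall VaR reconciles at £39.1m and the ranking puts IT Service 2 (£20.5m, one level below target) ahead of Infrastructure (£14m) and IT Service 1 (£4m, two levels below). Whether the next pound goes to IT Service 2 or to closing the larger gap on IT Service 1 is a business decision; the code only makes the trade-off visible.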
Summary
• Business drives security
• Reuse good content from information security community
• Security policy framework – target audience, think of
  implementation
• Link security metrics to policy which is linked to business
  objectives
• Well-rounded security controls – good prevention against cyber threats

Security models for security architecture

  • 1. SECURITY MODELS FOR IMPROVING YOUR ORGANIZATION’S DEFENCE POSTURE AND STRATEGY
    Vladimir Jirasek. Blog: JirasekOnSecurity.com. Bio: About.me/jirasek. 9th Nov 2011.
  • 2. About me
    • Security professional (11 years)
    • Founding member and steering group member of CAMM (Common Assurance Maturity Model, common-assurance.com)
    • Director, CSA UK & Ireland
    • I love reading books: thrillers (Clive Cussler) and business management (Jo Owen)
  • 3. I will cover topics today
    • Security model for information security
    • Security policy structure
    • Security processes
    • Security technology stack
    • Security metrics for organisations
  • 4. Security model – business drives security
    [Diagram: "Security management". Drivers (international security standards, laws & regulations, security threats intelligence, external security metrics) define the policy framework (information security policies); the policy framework defines the process framework (information security processes, run by people using technology, executing security controls); the metrics framework (information security metrics objectives, measuring security control maturity) feeds back as correction of security processes. Supporting elements: information security standards, security rules and security artefacts, a security metrics portal, compliance program requirements, risk & compliance management, the business defining security objectives. Audiences: CEO & Board (governance), line management, product management, security professionals, auditors.]
  • 5. Information Security Policy framework
    [Diagram: CISO owns the Business and Information Security Policy (security objectives, data classification policy, employee Acceptable Use Policy). CIO owns the Information Technology Security Policy (security objectives, IT security standards that reuse internationally accepted controls). Technology teams own controls and the technical security architecture (architecture repository), security processes and guidelines.]
  • 6. Relationship between business objectives and security processes
    [Diagram: business objectives BO1–BO3 and business processes B1–B3 map to security objectives SO1–SO5, which map to security processes P1–P4, which map to controls C1–C11 sourced from international standards. The mapping provides the response to "Do we have all business risks covered?" and to "Why are we doing this?".]
  • 7. Sources of security controls
    • ISO 27000 series
    • ISF Standard of Good Practice 2011
    • PCI DSS
    • NIST SP 800-53
    • CObIT 4
    • SANS 20 critical controls
  • 8. Security technology stack
    Layers, top to bottom: GRC; Information & Event Mgmt; Identity, Entitlement, Access; Data Security; Cryptography; Application Security; Host Security; Network Security; Physical Security.
    • Organise security reporting around the stack
    • For each layer prepare current state, target state analysis and roadmap
  • 9. Security stack::Network
    • Network firewalls
    • VPN gateways
    • Network Intrusion Detection/Prevention
    • DDoS
    • WiFi security
    • Network Access Control
    • DNS Security
    • Web, Email & IM filtering
  • 10. Network security relationships
    [Diagram: network security with data security (monitor and control data flows on network); with host security (interconnect hosts on network, control hosts on network); with identity and access (use identity, retrieve access control); with application security (monitor and control applications running on network); with cryptography (key management, crypto offload, establish secure channel); with security event management (send security logs, detect security incidents).]
  • 11. Security stack::Host
    • Configuration compliance
    • Patch management
    • Vulnerability scanning
    • Anti-malware
    • Application control
    • Location awareness
    • Device control
    • Trusted execution protection
  • 12. Host security relationships
    [Diagram: host security with network security; with data security (monitor and filter restricted data, protect data at rest); with application security (protect integrity of applications); with identity and access domain (use identity, retrieve access control); with security event management (send security logs, detect security incidents); with cryptography domain (key management).]
  • 13. Security stack::Application
    • Code reviews/scanning – binary and source
    • Security sensors (AppSensor)
    • Web application scanning
    • Penetration testing
    • Web protection (WAF)
    [Chart: "Application Security Services throughout a lifecycle" – number of flaws and vulnerabilities and cost to remediate across lifecycle stages E1–E5 and EOL; services shown: Binary Code Analysis, IT Security Assessment, Web Application Scanning, Web Application Protection.]
  • 14. Application security relationships
    [Diagram; labels not recoverable from the transcript.]
  • 15. Security stack::Data
    • Data classification
    • Email encryption
    • File encryption
    • Document Rights Management
    • Data Leakage protection
    • Watermarking
    • End point encryption
    • Database security
  • 16. Data security relationships
    [Diagram; labels not recoverable from the transcript.]
  • 17. Security stack::IAEM
    • Principal management
    • Account provisioning
    • Rights management
    • Directories
    • Single sign on and Federation
    • Authorisation
    • Role and rights auditing
    • 2nd factor authentication
  • 18. IAEM relationships
    [Diagram: identity and access provides authentication and authorisation services to network security, host security, data security and application security; with security event management (send security logs, detect security incidents); with cryptography domain (key management).]
  • 19. Security stack::Cryptography
    • Key generation
    • Key escrow
    • Host and Network HSM
    • Certificate management & PKI
  • 20. Cryptography relationships
    [Diagram: cryptography with data security and host security (store encryption keys, email certificates, disk encryption); with identity and access (certificates for authentication); with security event management (digital signatures of log files, encryption of sensitive logs); with application security (application signing, encrypted and signed application communication); with network security (IPSec VPN, SSL VPN, SSL split tunnel).]
  • 21. Security stack::SIEM
    • Collection of security relevant logs
    • Archiving – retention
    • Correlation with other data sources
    • Acting on security information
    • Ideal to use MSSP
  • 22. SIEM relationships
    [Diagram: security event management collects, analyses and reacts on security events from identity and access, data security, network security, cryptography and application security, and collects security configuration from the CMDB.]
  • 23. Security metrics characteristics
    • Measurable
    • Objective
    • Quantitative (ideally)
    • Meaningful
    • With KPIs attached – know what is good and bad
    • Linked to business objectives – money speaks
  • 24. Metrics for CIO – Policy compliance and control maturity
    Policy statement | IT Unit A | IT Unit B | IT Unit C | Overall IT
    Governance       | 3         | 3.5       | 2         | 3
    Awareness        | 3         | 4         | 3         | 3.5
    Development      | N/A       | 2         | 1         | 1.5
    Hardening        | 4         | N/A       | 2         | 3
    Network          | N/A       | N/A       | 3         | 3
    End devices      | 2         | 2         | 3         | 2
    Overall          | 3 (£3m)   | 3 (100k)  | 2 (£10m)  | 3 (£13.1m)
  • 25. Metrics for CIO – Maturity of controls for business processes/services
    Invest in IT service to lower the VaR.
    IT service / Business process | IT Maturity | VaR for Process A | VaR for Process B | VaR for Process C | VaR for IT service
    IT Service 1                  | 2           | £1m               | £2m               | £1m               | £4m
    Infrastructure                | 3           | £1m               | £3m               | £10m              | £14m
    IT Service 2                  | 3           | £0.5m             | N/A               | £20m              | £20.5m
    IT Service 3                  | 4           | N/A               | £100k             | £500k             | £600k
    Overall                       |             | £2.5m             | £5.1k             | £31.5m            | £39.1m
  • 26. Summary
    • Business drives security
    • Reuse good content from information security community
    • Security policy framework – target audience, think of implementation
    • Link security metrics to policy which is linked to business objectives
    • All rounded security controls – good prevention against cyber threats

Notas do Editor

  1. This model is used to link the security technologies reference model and blueprints to business requirements. All security technology must support at least one information security process, otherwise it should not be deployed. By linking requirements to policies, to processes and to technologies we can be assured that the technologies we deploy are justifiable and, at the same time, we know there should be no gaps. Information Security is a journey, not a project, and needs to be treated accordingly. Information Security Policy is driven by business, legal and regulatory requirements, which then mandate what security processes must and should be implemented. IT Security policy is based on the ISF Standard of Good Practice (SoGP), which maps to major regulatory and international standards. Security processes are run by People using Technology and report to the Information Security Centre, where data is correlated, normalised and made available for management decisions, all at the appropriate level of detail for the audience. The effectiveness of security processes is measured by internal security metrics that are based on accepted best-practice metrics, hence Nokia’s information security status can be compared with other companies.
  2. Why an infosec policy and then an IT sec policy: the IT sec policy is for the CIO/CTO. Architecture repository -
  3. Examples of business objectives: increase market share by adopting e-commerce; increase output in factories by 20%. Examples of security processes: security controls can span more than one security process, and security processes typically cover multiple controls,
  4. Areas support each other; all feed into SIEM and GRC.
  5. Network firewalls – ideally application-session aware; audit the configuration. VPN gateways – linked to the IAEM platform, Network Access Control, Application streaming. Network Intrusion Detection/Prevention – physical and virtual, linked to CMDB, vulnerability data and logging. DDoS – protecting against flooding but also application-specific DoS.
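An added example, not from the slides, of the traceability chain in slide 6 and editor notes 1 and 3: a constructed map from business objectives through security objectives and processes to controls, with checks answering the two questions the slide poses. The identifiers follow the slide; every link, and the third objective, is an assumption made for illustration.

```python
# Constructed traceability model following slide 6: business objectives (BOx)
# -> security objectives (SOx) -> security processes (Px) -> controls (Cx).
# Identifiers follow the slide; every link and description below is assumed
# for illustration, not taken from the deck.
BUSINESS_OBJECTIVES = {
    "BO1": "Increase market share by adopting e-commerce",  # editor note 3
    "BO2": "Increase output in factories by 20%",           # editor note 3
    "BO3": "Hypothetical third objective",
}
# security objective -> business objectives it supports (SO5 supports none)
SECURITY_OBJECTIVES = {"SO1": ["BO1"], "SO2": ["BO1"], "SO3": ["BO2"],
                       "SO4": ["BO3"], "SO5": []}
# security process -> security objectives it implements (nothing implements SO4)
PROCESSES = {"P1": ["SO1"], "P2": ["SO2", "SO3"], "P3": ["SO5"], "P4": ["SO5"]}
# control -> processes it belongs to; a control may span several processes
CONTROLS = {"C1": ["P1"], "C2": ["P1"], "C3": ["P1", "P2"], "C4": ["P2"],
            "C5": ["P2"], "C6": ["P2"], "C7": ["P3"], "C8": ["P3"],
            "C9": ["P3"], "C10": ["P4"], "C11": ["P4"]}


def why(control):
    """'Why are we doing this?': business objectives a control ultimately serves."""
    served = set()
    for process in CONTROLS.get(control, []):
        for objective in PROCESSES.get(process, []):
            served.update(SECURITY_OBJECTIVES.get(objective, []))
    return sorted(served)


def uncovered_business_objectives():
    """'Do we have all business risks covered?': objectives no control reaches."""
    covered = set()
    for control in CONTROLS:
        covered.update(why(control))
    return sorted(set(BUSINESS_OBJECTIVES) - covered)


def unjustified_controls():
    """Controls that trace to no business objective: candidates to challenge."""
    return sorted((c for c in CONTROLS if not why(c)), key=lambda c: int(c[1:]))


if __name__ == "__main__":
    for control in ("C1", "C3", "C7"):
        print(control, "serves", why(control) or "nothing")
    print("uncovered business objectives:", uncovered_business_objectives())
    print("controls with no business justification:", unjustified_controls())
```

The same walk extends naturally to a technology layer (technology -> processes), which is how editor note 1's rule that every technology must support at least one process can be checked.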