SlideShare uma empresa Scribd logo

Information Security Blueprint

Transferir como PPTX, PDF
Z
Zefren Edior

Information Security Blueprint for the enterprise

Tecnologia
1 de 29
Information Security Blueprint
Objectives • Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines • Understand what an information security blueprint is, what its major components are, and how it is used to support the information security program • Understand how an organization institutionalizes its policies, standards, and practices using education, training, and awareness programs
Introduction • Creation of information security program begins with creation and/or review of organization’s information security policies, standards, and practices • Then, selection or creation of information security architecture and the development and use of a detailed information security blueprint creates plan for future success • Without policy, blueprints, and planning, organization is unable to meet information security needs of various communities of interest
Information Security Policy, Standards and Practices • Communities of interest must consider policies as basis for all information security efforts • Policies direct how issues should be addressed and technologies used • Security policies are least expensive controls to execute but most difficult to implement • Shaping policy is difficult
Definitions • Policy: course of action used by organization to convey instructions from management to those who perform duties • Policies are organizational laws • Standards: more detailed statements of what must be done to comply with policy • Practices, procedures and guidelines effectively explain how to comply with policy • For a policy to be effective, must be properly disseminated, read, understood and agreed to by all members of organization
Policies, Standards, and Practices
Enterprise Information Security Policy (EISP) • Sets strategic direction, scope, and tone for all security efforts within the organization • Executive-level document, usually drafted by or with CIO of the organization • Typically addresses compliance in two areas • Ensure meeting requirements to establish program and responsibilities assigned therein to various organizational components • Use of specified penalties and disciplinary action
Issue-Specific Security Policy (ISSP) • The ISSP: • Addresses specific areas of technology • Requires frequent updates • Contains statement on organization’s position on specific issue • Three approaches when creating and managing ISSPs: • Create a number of independent ISSP documents • Create a single comprehensive ISSP document • Create a modular ISSP document
Systems-Specific Policy (SysSP) • SysSPs frequently codified as standards and procedures used when configuring or maintaining systems • Systems-specific policies fall into two groups • Access control lists (ACLs) • Configuration rules
Systems-Specific Policy (SysSP) (continued) • Both Microsoft Windows and Novell Netware 5.x/6.x families translate ACLs into configurations used to control access • ACLs allow configuration to restrict access from anyone and anywhere • Rule policies are more specific to operation of a system than ACLs • Many security systems require specific configuration scripts telling systems what actions to perform on each set of information they process
Policy Management • Policies must be managed as they constantly change • To remain viable, security policies must have: • Individual responsible for reviews • A schedule of reviews • Method for making recommendations for reviews • Specific policy issuance and revision date
Information Classification • Classification of information is an important aspect of policy • Policies are classified • A clean desk policy stipulates that at end of business day, classified information must be properly stored and secured • In today’s open office environments, may be beneficial to implement a clean desk policy
The Information Security Blueprint • Basis for design, selection, and implementation of all security policies, education and training programs, and technological controls • More detailed version of security framework (outline of overall information security strategy for organization) • Should specify tasks to be accomplished and the order in which they are to be realized • Should also serve as scalable, upgradeable, and comprehensive plan for information security needs for coming years
ISO 17799/BS7799 • One of the most widely referenced and often discussed security models • Framework for information security that states organizational security policy is needed to provide management direction and support
NIST Security Models • Another possible approach described in documents available from Computer Security Resource Center of NIST • SP 800-12 • SP 800-14 • SP 800-18 • SP 800-26 • SP 800-30
NIST Special Publication 800- 14 • Security supports mission of organization; is an integral element of sound management • Security should be cost-effective; owners have security responsibilities outside their own organizations • Security responsibilities and accountability should be made explicit; security requires a comprehensive and integrated approach • Security should be periodically reassessed; security is constrained by societal factors • 33 Principles enumerated
IETF Security Architecture • Security Area Working Group acts as advisory board for protocols and areas developed and promoted by the Internet Society • RFC 2196: Site Security Handbook covers five basic areas of security with detailed discussions on development and implementation
VISA International Security Model • VISA International promotes strong security measures and has security guidelines • Developed two important documents that improve and regulate information systems: “Security Assessment Process”; “Agreed Upon Procedures” • Using the two documents, security team can develop sound strategy the design of good security architecture • Only down side to this approach is very specific focus on systems that can or do integrate with VISA’s systems
Baselining and Best Business Practices • Baselining and best practices are solid methods for collecting security practices, but provide less detail than a complete methodology • Possible to gain information by baselining and using best practices and thus work backwards to an effective design • The Federal Agency Security Practices (FASP) site (fasp.nist.gov) designed to provide best practices for public agencies and adapted easily to private institutions
Hybrid Framework for a Blueprint of an Information Security System • Result of a detailed analysis of components of all documents, standards, and Web-based information described previously • Offered here as a balanced introductory blueprint for learning the blueprint development process
Hybrid Framework for a Blueprint of an Information Security System (continued) • NIST SP 800-26 • Management controls cover security processes designed by the strategic planners and performed by security administration • Operational controls deal with operational functionality of security in organization • Technical controls address tactical and technical issues related to designing and implementing security in organization
Design of Security Architecture • Defense in depth • Implementation of security in layers • Requires that organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls • Security perimeter • Point at which an organization’s security protection ends and outside world begins • Does not apply to internal attacks from employee threats or on-site physical threats
Key Technology Components • Firewall: device that selectively discriminates against information flowing into or out of organization • Demilitarized zone (DMZ): no-man’s land between inside and outside networks where some organizations place Web servers • Intrusion Detection Systems (IDSs): in effort to detect unauthorized activity within inner network, or on individual machines, organization may wish to implement an IDS
Figure 5-18 – Key Components
Security Education, Training, and Awareness Program • As soon as general security policy exist, policies to implement security education, training and awareness (SETA) program should follow • SETA is a control measure designed to reduce accidental security breaches • Security education and training builds on the general knowledge the employees must possess to do their jobs, familiarizing them with the way to do their jobs securely • The SETA program consists of three elements: security education; security training; and security awareness
Security Education • Everyone in an organization needs to be trained and aware of information security; not every member needs formal degree or certificate in information security • When formal education for individuals in security is needed, an employee can identify curriculum available from local institutions of higher learning or continuing education • A number of universities have formal coursework in information security
Security Training • Involves providing members of organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely • Management of information security can develop customized in-house training or outsource the training program
Security Awareness • One of least frequently implemented but most beneficial programs is the security awareness program • Designed to keep information security at the forefront of users’ minds • Need not be complicated or expensive • If the program is not actively implemented, employees begin to “tune out” and risk of employee accidents and failures increases
Summary • Management has essential role in development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines • Information security blueprint is planning document that is basis for design, selection, and implementation of all security policies, education and training programs, and technological controls

Recomendados

02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Security02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Securitysappingtonkr
 
Protocol for Secure Communication
Protocol for Secure CommunicationProtocol for Secure Communication
Protocol for Secure Communicationchauhankapil
 
Security policy
Security policySecurity policy
Security policyDhani Ahmad
 
Polyalphabetic Substitution Cipher
Polyalphabetic Substitution CipherPolyalphabetic Substitution Cipher
Polyalphabetic Substitution CipherSHUBHA CHATURVEDI
 
Intruders
IntrudersIntruders
Intruderstechn
 
Chapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptChapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptShruthi48
 
Security policies
Security policiesSecurity policies
Security policiesNishant Pahad
 
Requirements engineering for agile methods
Requirements engineering for agile methodsRequirements engineering for agile methods
Requirements engineering for agile methodsSyed Zaid Irshad
 

Recomendados

02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Security02 Legal, Ethical, and Professional Issues in Information Security
02 Legal, Ethical, and Professional Issues in Information Securitysappingtonkr
 
Protocol for Secure Communication
Protocol for Secure CommunicationProtocol for Secure Communication
Protocol for Secure Communicationchauhankapil
 
Security policy
Security policySecurity policy
Security policyDhani Ahmad
 
Polyalphabetic Substitution Cipher
Polyalphabetic Substitution CipherPolyalphabetic Substitution Cipher
Polyalphabetic Substitution CipherSHUBHA CHATURVEDI
 
Intruders
IntrudersIntruders
Intruderstechn
 
Chapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptChapter 5 Planning for Security-students.ppt
Chapter 5 Planning for Security-students.pptShruthi48
 
Security policies
Security policiesSecurity policies
Security policiesNishant Pahad
 
Requirements engineering for agile methods
Requirements engineering for agile methodsRequirements engineering for agile methods
Requirements engineering for agile methodsSyed Zaid Irshad
 
Design of security architecture in Information Technology
Design of security architecture in Information TechnologyDesign of security architecture in Information Technology
Design of security architecture in Information Technologytrainersenthil14
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessmentCAS
 
Software security
Software securitySoftware security
Software securityRoman Oliynykov
 
Cryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownCryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownInformation Security Awareness Group
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standardsprimeteacher32
 
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1RAMESHBABU311293
 
IP Security
IP SecurityIP Security
IP SecurityDr.Florence Dayana
 
Information security.pptx
Information security.pptxInformation security.pptx
Information security.pptxGovt. P.G. College Sendhwa, Barwani (M.P.)
 
Security Mechanisms
Security MechanismsSecurity Mechanisms
Security Mechanismspriya_trehan
 
Cybersecurity Audit
Cybersecurity AuditCybersecurity Audit
Cybersecurity AuditEC-Council
 
Security audit
Security auditSecurity audit
Security auditRosaria Dee
 
Information Security Policies and Standards
Information Security Policies and StandardsInformation Security Policies and Standards
Information Security Policies and StandardsDirectorate of Information Security | Ditjen Aptika
 
Network security - OSI Security Architecture
Network security - OSI Security ArchitectureNetwork security - OSI Security Architecture
Network security - OSI Security ArchitectureBharathiKrishna6
 
OSI Security Architecture
OSI Security ArchitectureOSI Security Architecture
OSI Security Architectureuniversity of education,Lahore
 
block ciphers
block ciphersblock ciphers
block ciphersAsad Ali
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Dam Frank
 
Network security and protocols
Network security and protocolsNetwork security and protocols
Network security and protocolsOnline
 
Security technologies
Security technologiesSecurity technologies
Security technologiesDhani Ahmad
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
The information security audit
The information security auditThe information security audit
The information security auditDhani Ahmad
 
Chapter 1 Security Framework
Chapter 1 Security FrameworkChapter 1 Security Framework
Chapter 1 Security FrameworkKarthikeyan Dhayalan
 
01Introduction to Information Security.ppt
01Introduction to Information Security.ppt01Introduction to Information Security.ppt
01Introduction to Information Security.pptit160320737038
 

Mais conteúdo relacionado

Mais procurados

Design of security architecture in Information Technology
Design of security architecture in Information TechnologyDesign of security architecture in Information Technology
Design of security architecture in Information Technologytrainersenthil14
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessmentCAS
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standardsprimeteacher32
 
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1RAMESHBABU311293
 
Security Mechanisms
Security MechanismsSecurity Mechanisms
Security Mechanismspriya_trehan
 
Cybersecurity Audit
Cybersecurity AuditCybersecurity Audit
Cybersecurity AuditEC-Council
 
Network security - OSI Security Architecture
Network security - OSI Security ArchitectureNetwork security - OSI Security Architecture
Network security - OSI Security ArchitectureBharathiKrishna6
 
block ciphers
block ciphersblock ciphers
block ciphersAsad Ali
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Dam Frank
 
Network security and protocols
Network security and protocolsNetwork security and protocols
Network security and protocolsOnline
 
Security technologies
Security technologiesSecurity technologies
Security technologiesDhani Ahmad
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)k33a
 
The information security audit
The information security auditThe information security audit
The information security auditDhani Ahmad
 

Mais procurados (20)

Design of security architecture in Information Technology
Design of security architecture in Information TechnologyDesign of security architecture in Information Technology
Design of security architecture in Information Technology
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
 
Software security
Software securitySoftware security
Software security
 
Cryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie BrownCryptography and Network Security William Stallings Lawrie Brown
Cryptography and Network Security William Stallings Lawrie Brown
 
Security Policies and Standards
Security Policies and StandardsSecurity Policies and Standards
Security Policies and Standards
 
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1CRYPTOGRAPHY & NETWORK SECURITY - unit 1
CRYPTOGRAPHY & NETWORK SECURITY - unit 1
 
IP Security
IP SecurityIP Security
IP Security
 
Information security.pptx
Information security.pptxInformation security.pptx
Information security.pptx
 
Security Mechanisms
Security MechanismsSecurity Mechanisms
Security Mechanisms
 
Cybersecurity Audit
Cybersecurity AuditCybersecurity Audit
Cybersecurity Audit
 
Security audit
Security auditSecurity audit
Security audit
 
Information Security Policies and Standards
Information Security Policies and StandardsInformation Security Policies and Standards
Information Security Policies and Standards
 
Network security - OSI Security Architecture
Network security - OSI Security ArchitectureNetwork security - OSI Security Architecture
Network security - OSI Security Architecture
 
OSI Security Architecture
OSI Security ArchitectureOSI Security Architecture
OSI Security Architecture
 
block ciphers
block ciphersblock ciphers
block ciphers
 
Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3Information Security Governance and Strategy - 3
Information Security Governance and Strategy - 3
 
Network security and protocols
Network security and protocolsNetwork security and protocols
Network security and protocols
 
Security technologies
Security technologiesSecurity technologies
Security technologies
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
The information security audit
The information security auditThe information security audit
The information security audit
 

Semelhante a Information Security Blueprint

01Introduction to Information Security.ppt
01Introduction to Information Security.ppt01Introduction to Information Security.ppt
01Introduction to Information Security.pptit160320737038
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information securityKumawat Dharmpal
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationMcKonly & Asbury, LLP
 
Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit processDivya Tiwari
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security elmuhammadmuhammad
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfAbuHanifah59
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA Information Security
 
Information security
Information securityInformation security
Information securityPraveen Minz
 
Chapter 1 Best Practices, Standards, and a Plan of Action.pptx
Chapter 1 Best Practices, Standards, and a Plan of Action.pptxChapter 1 Best Practices, Standards, and a Plan of Action.pptx
Chapter 1 Best Practices, Standards, and a Plan of Action.pptxkevlekalakala
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsSam Bowne
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsSam Bowne
 
Governance and management of IT.pptx
Governance and management of IT.pptxGovernance and management of IT.pptx
Governance and management of IT.pptxPrashant Singh
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ InfrastructurePriyank Hada
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011codka
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011codka
 

Semelhante a Information Security Blueprint (20)

Chapter 1 Security Framework
Chapter 1 Security FrameworkChapter 1 Security Framework
Chapter 1 Security Framework
 
01Introduction to Information Security.ppt
01Introduction to Information Security.ppt01Introduction to Information Security.ppt
01Introduction to Information Security.ppt
 
Introduction to information security
Introduction to information securityIntroduction to information security
Introduction to information security
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
 
Cybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your OrganizationCybersecurity Risk Management Program and Your Organization
Cybersecurity Risk Management Program and Your Organization
 
ANS_Ch_06_Handouts.pdf
ANS_Ch_06_Handouts.pdfANS_Ch_06_Handouts.pdf
ANS_Ch_06_Handouts.pdf
 
Planning for security and security audit process
Planning for security and security audit processPlanning for security and security audit process
Planning for security and security audit process
 
Lesson 1
Lesson 1Lesson 1
Lesson 1
 
chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security chapter 1. Introduction to Information Security
chapter 1. Introduction to Information Security
 
Chapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdfChapter 7 Managing Secure System.pdf
Chapter 7 Managing Secure System.pdf
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
Information security
Information securityInformation security
Information security
 
Chapter 5
Chapter 5Chapter 5
Chapter 5
 
Chapter 1 Best Practices, Standards, and a Plan of Action.pptx
Chapter 1 Best Practices, Standards, and a Plan of Action.pptxChapter 1 Best Practices, Standards, and a Plan of Action.pptx
Chapter 1 Best Practices, Standards, and a Plan of Action.pptx
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security Programs
 
CNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security ProgramsCNIT 160 Ch 4a: Information Security Programs
CNIT 160 Ch 4a: Information Security Programs
 
Governance and management of IT.pptx
Governance and management of IT.pptxGovernance and management of IT.pptx
Governance and management of IT.pptx
 
Security Organization/ Infrastructure
Security Organization/ InfrastructureSecurity Organization/ Infrastructure
Security Organization/ Infrastructure
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011
 
Information security policy_2011
Information security policy_2011Information security policy_2011
Information security policy_2011
 

Último

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Último (20)

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 

Information Security Blueprint

  • 2. Objectives • Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines • Understand what an information security blueprint is, what its major components are, and how it is used to support the information security program • Understand how an organization institutionalizes its policies, standards, and practices using education, training, and awareness programs
  • 3. Introduction • Creation of information security program begins with creation and/or review of organization’s information security policies, standards, and practices • Then, selection or creation of information security architecture and the development and use of a detailed information security blueprint creates plan for future success • Without policy, blueprints, and planning, organization is unable to meet information security needs of various communities of interest
  • 4. Information Security Policy, Standards and Practices • Communities of interest must consider policies as basis for all information security efforts • Policies direct how issues should be addressed and technologies used • Security policies are least expensive controls to execute but most difficult to implement • Shaping policy is difficult
  • 5. Definitions • Policy: course of action used by organization to convey instructions from management to those who perform duties • Policies are organizational laws • Standards: more detailed statements of what must be done to comply with policy • Practices, procedures and guidelines effectively explain how to comply with policy • For a policy to be effective, must be properly disseminated, read, understood and agreed to by all members of organization
  • 7. Enterprise Information Security Policy (EISP) • Sets strategic direction, scope, and tone for all security efforts within the organization • Executive-level document, usually drafted by or with CIO of the organization • Typically addresses compliance in two areas • Ensure meeting requirements to establish program and responsibilities assigned therein to various organizational components • Use of specified penalties and disciplinary action
  • 8. Issue-Specific Security Policy (ISSP) • The ISSP: • Addresses specific areas of technology • Requires frequent updates • Contains statement on organization’s position on specific issue • Three approaches when creating and managing ISSPs: • Create a number of independent ISSP documents • Create a single comprehensive ISSP document • Create a modular ISSP document
  • 9. Systems-Specific Policy (SysSP) • SysSPs frequently codified as standards and procedures used when configuring or maintaining systems • Systems-specific policies fall into two groups • Access control lists (ACLs) • Configuration rules
  • 10. Systems-Specific Policy (SysSP) (continued) • Both Microsoft Windows and Novell Netware 5.x/6.x families translate ACLs into configurations used to control access • ACLs allow configuration to restrict access from anyone and anywhere • Rule policies are more specific to operation of a system than ACLs • Many security systems require specific configuration scripts telling systems what actions to perform on each set of information they process
  • 11. Policy Management • Policies must be managed as they constantly change • To remain viable, security policies must have: • Individual responsible for reviews • A schedule of reviews • Method for making recommendations for reviews • Specific policy issuance and revision date
  • 12. Information Classification • Classification of information is an important aspect of policy • Policies are classified • A clean desk policy stipulates that at end of business day, classified information must be properly stored and secured • In today’s open office environments, may be beneficial to implement a clean desk policy
  • 13. The Information Security Blueprint • Basis for design, selection, and implementation of all security policies, education and training programs, and technological controls • More detailed version of security framework (outline of overall information security strategy for organization) • Should specify tasks to be accomplished and the order in which they are to be realized • Should also serve as scalable, upgradeable, and comprehensive plan for information security needs for coming years
  • 14. ISO 17799/BS7799 • One of the most widely referenced and often discussed security models • Framework for information security that states organizational security policy is needed to provide management direction and support
  • 15. NIST Security Models • Another possible approach described in documents available from Computer Security Resource Center of NIST • SP 800-12 • SP 800-14 • SP 800-18 • SP 800-26 • SP 800-30
  • 16. NIST Special Publication 800- 14 • Security supports mission of organization; is an integral element of sound management • Security should be cost-effective; owners have security responsibilities outside their own organizations • Security responsibilities and accountability should be made explicit; security requires a comprehensive and integrated approach • Security should be periodically reassessed; security is constrained by societal factors • 33 Principles enumerated
  • 17. IETF Security Architecture • Security Area Working Group acts as advisory board for protocols and areas developed and promoted by the Internet Society • RFC 2196: Site Security Handbook covers five basic areas of security with detailed discussions on development and implementation
  • 18. VISA International Security Model • VISA International promotes strong security measures and has security guidelines • Developed two important documents that improve and regulate information systems: “Security Assessment Process”; “Agreed Upon Procedures” • Using the two documents, security team can develop sound strategy the design of good security architecture • Only down side to this approach is very specific focus on systems that can or do integrate with VISA’s systems
  • 19. Baselining and Best Business Practices • Baselining and best practices are solid methods for collecting security practices, but provide less detail than a complete methodology • Possible to gain information by baselining and using best practices and thus work backwards to an effective design • The Federal Agency Security Practices (FASP) site (fasp.nist.gov) designed to provide best practices for public agencies and adapted easily to private institutions
  • 20. Hybrid Framework for a Blueprint of an Information Security System • Result of a detailed analysis of components of all documents, standards, and Web-based information described previously • Offered here as a balanced introductory blueprint for learning the blueprint development process
  • 21. Hybrid Framework for a Blueprint of an Information Security System (continued) • NIST SP 800-26 • Management controls cover security processes designed by the strategic planners and performed by security administration • Operational controls deal with operational functionality of security in organization • Technical controls address tactical and technical issues related to designing and implementing security in organization
  • 22. Design of Security Architecture • Defense in depth • Implementation of security in layers • Requires that organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls • Security perimeter • Point at which an organization’s security protection ends and outside world begins • Does not apply to internal attacks from employee threats or on-site physical threats
  • 23. Key Technology Components • Firewall: device that selectively discriminates against information flowing into or out of organization • Demilitarized zone (DMZ): no-man’s land between inside and outside networks where some organizations place Web servers • Intrusion Detection Systems (IDSs): in effort to detect unauthorized activity within inner network, or on individual machines, organization may wish to implement an IDS
  • 24. Figure 5-18 – Key Components
  • 25. Security Education, Training, and Awareness Program • As soon as general security policy exist, policies to implement security education, training and awareness (SETA) program should follow • SETA is a control measure designed to reduce accidental security breaches • Security education and training builds on the general knowledge the employees must possess to do their jobs, familiarizing them with the way to do their jobs securely • The SETA program consists of three elements: security education; security training; and security awareness
  • 26. Security Education • Everyone in an organization needs to be trained and aware of information security; not every member needs formal degree or certificate in information security • When formal education for individuals in security is needed, an employee can identify curriculum available from local institutions of higher learning or continuing education • A number of universities have formal coursework in information security
  • 27. Security Training • Involves providing members of organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely • Management of information security can develop customized in-house training or outsource the training program
  • 28. Security Awareness • One of least frequently implemented but most beneficial programs is the security awareness program • Designed to keep information security at the forefront of users’ minds • Need not be complicated or expensive • If the program is not actively implemented, employees begin to “tune out” and risk of employee accidents and failures increases
  • 29. Summary • Management has essential role in development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines • Information security blueprint is planning document that is basis for design, selection, and implementation of all security policies, education and training programs, and technological controls