Scribd Logo
Încărcați

Bine ați venit la Scribd!

  • Security MGMT

    Încărcat de

    api-3729332
    132 vizualizări33 pagini
    Security Mgmt

    Titlu original

    Security Mgmt

    Drepturi de autor

    © Attribution Non-Commercial (BY-NC)

    Formate disponibile

    PPT, PDF, TXT sau citiți online pe Scribd

    Vi se pare util acest document?

    Este necorespunzător acest conținut?

    Raportați acest document
    Security Mgmt

    Drepturi de autor:

    Attribution Non-Commercial (BY-NC)
    Descărcați ca PPT, PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    132 vizualizări33 pagini

    Security MGMT

    Încărcat de

    api-3729332
    Security Mgmt

    Drepturi de autor:

    Attribution Non-Commercial (BY-NC)
    Descărcați ca PPT, PDF, TXT sau citiți online pe Scribd
    Indicator pentru conținut neadecvat
    din 33

    Security Management

    - Premanand Lotlikar

    26th August, 2007


    Agenda
    • Introduction
    • Objective of Security Mgmt
    • Basic Concepts
    • Benefits
    • Relationship with other processes
    • Activities in SLM
    • Process Control
    • Key Performance Indicators
    • Cost
    • Possible Problems
    Introduction
    • According to the latest statistical analysis, it is
    estimated there are over 1.1 billion Internet
    users worldwide1
    • The Internet is full of useful information, in fact, it
    is estimated that there are between 15 and 30
    billion different websites in existence today2

    • 1 World Internet Users and Population Stats. (2007, March 19). Internet
    World Stats. http://www.internetworldstats.com/stats.htm
    • 2The size of the World Wide Web. (2007, February 25). Pandia Search
    Engine News. http://www.pandia.com/sew/383-web-size.html
    Introduction
    Introduction

    651 million people around the world now use email regularly
    This figure is expected to grow steadily over the next four years, reaching
    850 million users by the end of 2008
    Time wasted deleting junk e-mail costs American businesses nearly $22 billion a
    year.
    Security Statistics. (2005) Aladdin: Securing the Global Village
    http://www.esafe.com/home/csrt/statistics/statistics_2005.asp
    Introduction
    • Security Threats
    • Telecom Threats
    – War Dialing
    – Unauthorized Remote Access
    – Unauthorized ISP Access
    – Unsecured Authorized Modems
    – Proxy Impersonation
    – Denial of Service
    – Message Tampering
    • VoIP Threats
    Unauthorized Remote Access
    Modems
    Unauthorized ISP Access
    Non-Secure Authorized Modems
    Voice System Attacks
    Security Gap Left by Traditional
    Data Firewall
    Security System for Traditional
    Voice Network
    Identity Threats
    Objectives
    • To meet the security requirements of SLA
    and external requirements (legislations,
    policies etc.)
    • To provide a basic level of security,
    independent of external requirement
    Basic Concepts
    • Safety: refers to not being vulnerable to
    known risks
    • Tool to provide this is security
    • Confidentiality: protecting information
    against unauthorized access and use
    • Integrity: accuracy, completeness and
    timeliness of information
    • Availability
    Benefits
    • Minimize downtime, exposure, and loss of critical
    information caused by security attacks
    • Minimizing damage to business, company brand,
    customer loyalty, intellectual property, and employee
    productivity
    • Prevent or minimize the spread of security attacks within
    the enterprise and stop the propagation of worms,
    viruses, and other pathogens
    • Control internal information for compliance with
    regulations (for example, Sarbanes-Oxley and the Basel
    II Accord) and prevent liabilities under the regulatory
    mandates
    • Focus on business rather than security incident recovery
    Relationship with other processes
    • Configuration Mgmt
    • Incident Mgmt
    • Problem Mgmt
    • Change Mgmt
    • Availability Mgmt
    • Capacity Mgmt
    • Service Level Mgmt
    • IT Continuity Mgmt
    Security Mgmt Process
    Activities in SLM
    • Plan
    • Implement
    • Evaluate
    • Maintenance
    • Reporting
    Plan
    • Includes defining the security section of
    the SLA
    • Business terms in SLA are converted to
    operational terms in OLA
    • Hence OLA can be considered as the
    security plan for the service provider
    • SLA should define the security
    requirements in measurable terms
    Implement
    • Classification and management of IT resources:
    – Providing input for maintaining CI’s & CMDB
    – Classifying the IT resources
    • Personnel security:
    – Tasks & responsibilities in job description
    – Screening
    – Confidentiality agreement for personnel
    – Training
    – Guidelines for personnel for dealing with security
    incidents
    – Disciplinary measures
    – Increasing security awareness
    Implement
    • Managing security:
    – Implementation of responsibilities
    – Written operating instructions
    – Internal regulations
    – Security guideline for the entire lifecycle
    (development, testing, acceptance, operations, maintenance & phasing out)
    – Separating the dev environment from test and
    production
    – Procedures for dealing with incidents
    – Implementation of recovery facilities
    – Implementation of virus protection measures
    – Handling and security of data media
    Implementation
    • Access control:
    – Implementation of access and access control
    policy
    – Maintenance of access privileges of users &
    application to networks and network services
    – Maintenance of network security barriers
    – Implementation of measures of identification
    and authentication
    Evaluate
    • 3 forms of evaluation:
    – Self-assessments: primarily implemented by the line
    organization of the process
    – Internal audits: undertaken by internal IT auditors
    – External audits: undertaken by external IT auditors
    • Main activities are:
    – Verifying compliance with the security plan and the
    implementation of the plan
    – Performing security audits on IT systems
    – Identifying and responding to inappropriate use of IT
    resources
    Maintenance
    • Includes the maintenance of the security
    section of the SLA and detailed security
    plans (OLA)
    • Carried out on the basis of the results of
    the Evaluation process
    • Any changes are subject to Change Mgmt
    Reporting
    • It is not a sub-process but an output of the
    other sub-processes
    • Provides information about achieved
    security performance and security issues
    • Important both to the customer and
    service provider
    • Customer must be correctly informed
    about the efficiency of the efforts and the
    actual security measures
    Reporting
    • Planning:
    – Reports about the UC and OLA
    – Reports about the annual security plans and
    action plans
    • Implementation:
    – Status reports about implementations
    – List of security incidents and responses
    – Identification of incident trends
    – Status of the awareness program
    Reporting
    • Evaluation:
    – Report about performance of sub-processes
    – Results of audits, review & internal
    assessments
    – Warnings, identification of new threats
    • Any specific report/s
    Critical Success Factors
    • Full mgmt commitment and involvement
    • User involvement when developing the
    process
    • Clear and separated responsibilities
    • Over-tasked IT staff
    • Missing or poor co-ordination among
    business units
    • Lack of security governance model
    Cost
    Possible Problems
    • Commitment
    • Awareness
    • Verification
    • Change Mgmt
    • Ambition
    • Over-reliance on stronghold/fortress
    techniques
    Thank you!

    S-ar putea să vă placă și