
Effective Information Security Strategy

Dr. Javier Torner
University Information Security Officer
Professor of Physics

Secure IT - 2004
April 27, 2004

Agenda
- Introduction
- Successful Security Initiatives
- Elements of Risk Management
- Strategic Planning for Information Security
- Information Security Risk Assessment Step by Step
- Resources
- Questions and Final Thoughts



Why a Security Strategy?
- Everyone is vulnerable to attacks
  - Technological vulnerabilities
  - Organizational vulnerabilities
- The number of vulnerabilities keeps increasing
- The number of incidents keeps increasing
- Incidents affect the mission of the university
- Must meet regulatory and legislative compliance


Reality Check
- You can never eliminate or mitigate ALL the information security risks
- You cannot prevent highly skilled and sophisticated attacks
- Resources are limited, so planning is critical
- Must plan for systems to be resilient and survive an event
- Survivability is good risk management

Successful Security Initiatives
- Have upper management commitment and support
- Security is part of the STRATEGIC PLAN
- Security is identified as a PRIORITY
- Security is recognized as EVERYONE'S job

Successful Security Initiatives
- Security initiatives are the result of RISK ASSESSMENTS
- Security initiatives involve ALL members of the CAMPUS COMMUNITY
- Security initiatives are PRO-ACTIVE
- Security initiatives accomplish their objectives with MINIMUM IMPACT to the users

What is Risk?
Risk: the possibility of harm or loss. It is characterized by:
- An event or scenario
- The consequence or impact to the organization
- The probability that the event will take place


Risk Management
- Each organization owns its risks
- Each organization has its own information security risks
- Each organization must characterize its risks
- Each organization must analyze its risks
- Each organization must manage its risks
- Information Security risks are more element

Risks vs. Vulnerabilities

Information Security Risk Assessment
- Considers strategic practices (business-related practices)
- Includes operational practices (focus on technology-related issues)
- Incorporates the mission of the university

Information Security Vulnerability Assessment
- Provides a security picture at one moment in time
- Only considers technology-related issues

Strategic Planning for Security

Information Security Risk Assessment
- Uses effective methods of evaluation
  - Self-directed, adaptable measures, defined processes, foundation for a continuous process
- Based on sound risk management principles
  - Focus on critical issues, identify critical assets, selection of effective security practices
- Must include organizational and cultural principles
  - Open communications, global perspective, teamwork


Strategic Practices
- Security Strategy
  - Integration of security practices into business processes
- Security Management
  - Defines roles and responsibilities
- Security Policies and Procedures
  - Acceptable Use Policies
  - Operating Procedures
  - Incident Response Policies and Procedures
- Security Awareness and Training
- Business Resumption/Disaster Recovery



Operational Practices
Physical Security
- Well-defined procedures
- Physical access controls
- Monitoring and auditing of physical security
- Incorporate security in the design of new facilities


Operational Practices
Security of Information Technology
- Security architecture and design
- Computer systems and network management
- Administration of security tools
- Vulnerability management
- Monitoring and auditing
- Authentication and authorization
- Encryption

Operational Practices
Staff Security
- Incident Management
  - Identifying, reporting and responding to incidents
- General Staff Practices
  - Understanding security roles and responsibilities
  - Following security policies and procedures
  - Following effective practices


Information Security Risk Assessment Step by Step
- Identify critical assets
- Identify security requirements for each critical asset
- Identify threats to each critical asset
- Identify current organizational and operational vulnerabilities
  - Conduct a vulnerability assessment
- Identify current security practices



Information Security Risk Assessment Step by Step
- Identify risks to critical assets
- Define a risk metric
  - Critical, High, Medium, Low
- Develop a protection strategy and risk mitigation plan
  - Include monitoring
  - Include metrics to assess progress
- Implementation of the security plan



Information Security Risk Assessment Step by Step
Identify Critical Assets
- Systems
- Software
- Hardware
- Information
- Business processes
- People

Information Security Risk Assessment Step by Step
Critical Asset Information
- Rationale for selection
- Identify:
  - Who controls it
  - Who is responsible for it
  - Who uses it
  - How it is used


Information Security Risk Assessment Step by Step
Identify Security Requirements for each asset
- Confidentiality
  - Contains or gives access to personal/sensitive information
  - Only authorized users
- Integrity
  - Requires authenticity
  - Must be accurate
- Availability
  - Requirements
- Other

Information Security Risk Assessment: Areas of Concern

Potential sources of threat (acting on the asset):
- Deliberate: people, inside or outside
- Accidental: people, inside or outside
- System problems: malicious code, software, hardware, etc.
- Other: natural disaster, power outages, etc.

Outcomes:
- Unauthorized disclosure of information
- Modification of information
- Destruction/loss of information, hardware, software, other
- Interruption of access to information, software applications or services


Information Security Risk Assessment Step by Step
Threats by people: identify
- Access: physical or network
- Entity: inside or outside the organization
- Motive: accidental or deliberate
- Outcome: disclosure, modification, loss/destruction, interruption, other

Information Security Risk Assessment Step by Step
Threats from system problems: identify
- Entity: software defect, malicious code, hardware failure
- Outcome: disclosure, modification, loss/destruction, interruption

Information Security Risk Assessment Step by Step
Systems/components associated with a critical asset
- Where is it stored, where does it reside, where is it processed?
- Which systems does it interact with?
- Which systems may be targeted by the threat?


Information Security Risk Assessment Step by Step
Associated systems
- Servers, workstations, laptops
- Networking components
- Security components
- Storage devices
- Wireless components
- Home computers

Information Security Risk Assessment Step by Step
Security profile of a critical asset
- Description of the asset
- Security requirements
  - Confidentiality, integrity, availability, other
- Threat profile
- Associated systems



Information Security Risk Assessment Step by Step
Vulnerability assessment
- Identify each threat together with the associated systems
- Define the approach for the evaluation of technology vulnerabilities in the associated systems
- Identify the tools and who will perform the vulnerability assessment

Information Security Risk Assessment Step by Step
Vulnerabilities
- Summarize the types of vulnerabilities found
- The potential impact on the critical asset
- How they could be addressed
  - Strategic practices
  - Operational practices


Information Security Risk Assessment Step by Step
Risk impact
- Identify the impact based on your threat outcomes
  - Disclosure: lawsuits, financial, etc.
  - Interruption: productivity, financial, etc.
- Define a risk metric
  - Qualitative: what is a high, medium, low risk?
  - Quantitative: what is the probability for each threat outcome?

Information Security Risk Assessment Step by Step
- Prioritize your risks
- For each risk, identify an action or countermeasures to mitigate the risk
- Decide to accept or mitigate the risk
- Develop a protection strategy and risk mitigation plan
  - Include monitoring
  - Include metrics to assess progress
- Implementation of the security plan
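An added example (not from the slides) that walks the step-by-step method above in code: a threat profile per critical asset (access, entity, motive, outcome), a risk metric that combines the qualitative Critical/High/Medium/Low scale with a per-outcome probability, prioritization, and the accept-or-mitigate decision. The sample asset, its threats, impact levels and probabilities are constructed, and the mapping from impact and probability to a rating is one simple assumed scheme, not the deck's own.

```python
from dataclasses import dataclass, field

# Qualitative risk metric from the deck, least to most severe.
LEVELS = ["Low", "Medium", "High", "Critical"]

@dataclass
class Threat:
    """One entry of an asset's threat profile: access, entity, motive, outcome."""
    access: str         # "physical" or "network"
    entity: str         # "inside" or "outside" the organization
    motive: str         # "accidental", "deliberate", or "system problem"
    outcome: str        # "disclosure", "modification", "loss", "interruption"
    probability: float  # quantitative metric: estimated likelihood of the outcome

@dataclass
class CriticalAsset:
    name: str
    requirements: set   # e.g. {"confidentiality", "integrity", "availability"}
    impact: dict        # outcome -> impact index into LEVELS (0..3)
    threats: list = field(default_factory=list)

def risk_level(impact, probability):
    """Assumed rating scheme: likely events (>= 0.5) keep the full impact level,
    unlikely ones (< 0.1) drop two levels, everything in between drops one."""
    penalty = 0 if probability >= 0.5 else (1 if probability >= 0.1 else 2)
    return LEVELS[max(impact - penalty, 0)]

def assess(asset):
    """Rate every threat to the asset; return (rating, threat) pairs, worst first."""
    rows = [(risk_level(asset.impact.get(t.outcome, 0), t.probability), t)
            for t in asset.threats]
    rows.sort(key=lambda row: LEVELS.index(row[0]), reverse=True)
    return rows

def decision(rating, threshold="Medium"):
    """Accept risks rated below the threshold; plan mitigation for the rest."""
    return "mitigate" if LEVELS.index(rating) >= LEVELS.index(threshold) else "accept"

def sample_register():
    """Constructed sample asset (not from the slides) with three threats."""
    asset = CriticalAsset("student records database",
                          {"confidentiality", "integrity", "availability"},
                          {"disclosure": 3, "modification": 2, "loss": 2, "interruption": 1})
    asset.threats = [
        Threat("network", "outside", "deliberate", "disclosure", 0.3),
        Threat("physical", "inside", "accidental", "loss", 0.05),
        Threat("network", "inside", "system problem", "interruption", 0.6),
    ]
    return asset
```

Running `assess(sample_register())` ranks the deliberate disclosure threat High, the interruption Medium and the accidental loss Low, so with the default threshold the first two are mitigated and the last is accepted.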



Hints to Develop a Security Plan
- Set realistic goals and objectives
- Include operational security practices
  - Secure critical assets
  - Identify and correct technological vulnerabilities
    - Conduct security assessments
  - Implement preventive measures
    - Implement overlapping, independent protective measures
    - Secure the perimeter: firewalls
    - Adopt effective practices
    - Use intrusion detection/prevention tools

Hints to Develop a Security Plan
- Include strategic security practices
  - Develop policies and procedures
    - Enforceable
    - Define accountability
  - Implement recovery procedures
    - Incident response
    - Tie to your Business Resumption/Disaster Recovery
  - Provide training and education
    - End users: awareness
    - ITC professional development

References
- OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation, http://www.cert.org/octave/
- Educause/Internet2 Effective Security Practices Guide, http://www.educause.edu/security/guide/
- ISO/IEC 17799 International Code of Practice for Information Security Management, http://csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf