Secure IT -2004
Agenda
- Introduction
- Successful Security Initiatives
- Elements of Risk Management
- Strategic Planning for Information Security
- Information Security Risk Assessment

Step by Step

- The number of vulnerabilities keeps increasing
- The number of incidents keeps increasing
- Incidents affect the mission of the university
- Must meet regulatory and legislative compliance
Reality Check
- You can never eliminate or mitigate ALL the information security risks
- You cannot prevent highly skilled and sophisticated attacks
- Resources are limited, so planning is critical
- Must plan for systems to be resilient and survive an event
- Survivability is good risk management
Effective Information Security Strategy
What is Risk?
Risk: the possibility of harm or loss. Characterized by:

- Event or scenario
- Consequence or impact to the organization
- Probability that the event will take place
Risk Management
- Each organization owns its risks
- Each organization has its own information security risks
- Each organization must characterize its risks
- Each organization must analyze its risks
- Each organization must manage its risks
- Information security risks are one more element of the organization's overall risk
Strategic Practices
Security Strategy
Integration of security practices into business processes
Security Management
Defines roles and responsibilities
Operational Practices
Physical Security
- Well-defined procedures
- Physical access controls
- Monitoring and auditing of physical security
- Incorporate security in the design of new facilities
Operational Practices
Security of Information Technology
- Security architecture and design
- Computer systems and network management
- Administration of security tools
- Vulnerability management
- Monitoring and auditing
- Authentication and authorization
- Encryption
Operational Practices
Staff Security
Incident Management
Identifying, reporting and responding to incidents
Integrity
- Requires authenticity
- Requires accuracy
Availability
Requirements
Other
Threat Sources

- Accidental: people, inside or outside
- System problems: malicious code, software, hardware, etc.
- Other: natural disaster, power outages, etc.
Asset
- Modification of information
- Destruction or loss of information, hardware, software, other
- Interruption of access to information, software applications or services
Entity
Inside or Outside organization
Motive
Accidental or Deliberate
Outcome
Disclosure, modification, loss/destruction, interruption, other
Quantitative
What is the probability for each threat outcome?
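The threat profile on the preceding slides (asset, entity, motive, outcome) combined with the quantitative question above is enough to build a small risk register. The following is an added example, not material from the Secure IT 2004 slides or from OCTAVE; the assets, probabilities and impact figures are constructed sample values, and the control-reduction model in `residual_risk` is an assumption made for illustration.

```python
"""Added example (not from the slides): a risk register that records threats
in the profile form asset / entity / motive / outcome and ranks them
quantitatively by probability times impact.  All figures are constructed."""
from dataclasses import dataclass
from enum import Enum


class Entity(Enum):
    INSIDE = "inside"
    OUTSIDE = "outside"


class Motive(Enum):
    ACCIDENTAL = "accidental"
    DELIBERATE = "deliberate"


class Outcome(Enum):
    DISCLOSURE = "disclosure"
    MODIFICATION = "modification"
    LOSS = "loss/destruction"
    INTERRUPTION = "interruption"


@dataclass(frozen=True)
class Threat:
    asset: str
    entity: Entity
    motive: Motive
    outcome: Outcome
    probability: float  # probability the scenario occurs in a year, 0..1
    impact: float       # consequence if it occurs, in one unit (e.g. USD)

    def expected_loss(self) -> float:
        """Quantitative risk: probability of the event times its consequence."""
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError("probability must be between 0 and 1")
        if self.impact < 0:
            raise ValueError("impact must be non-negative")
        return self.probability * self.impact


def rank_threats(threats):
    """Highest expected loss first; ties keep register order (stable sort)."""
    return sorted(threats, key=lambda t: t.expected_loss(), reverse=True)


def total_exposure(threats) -> float:
    """Sum of expected losses: the figure a limited budget is planned against."""
    return sum(t.expected_loss() for t in threats)


def residual_risk(threat, probability_reduction=0.0, impact_reduction=0.0):
    """Assumed control model: a control cuts probability and/or impact by a
    fraction in 0..1 (0.5 halves the figure).  Returns the residual
    expected loss, which is what survivability planning must still absorb."""
    for r in (probability_reduction, impact_reduction):
        if not 0.0 <= r <= 1.0:
            raise ValueError("reductions are fractions between 0 and 1")
    p = threat.probability * (1.0 - probability_reduction)
    i = threat.impact * (1.0 - impact_reduction)
    return p * i


# Constructed sample register for a university environment.
SAMPLE_REGISTER = [
    Threat("student records database", Entity.OUTSIDE, Motive.DELIBERATE,
           Outcome.DISCLOSURE, probability=0.10, impact=500_000),
    Threat("student records database", Entity.INSIDE, Motive.ACCIDENTAL,
           Outcome.MODIFICATION, probability=0.30, impact=50_000),
    Threat("campus email service", Entity.OUTSIDE, Motive.DELIBERATE,
           Outcome.INTERRUPTION, probability=0.50, impact=20_000),
    Threat("research file server", Entity.INSIDE, Motive.ACCIDENTAL,
           Outcome.LOSS, probability=0.05, impact=200_000),
]

if __name__ == "__main__":
    for t in rank_threats(SAMPLE_REGISTER):
        print(f"{t.expected_loss():>10,.0f}  {t.asset:<26} "
              f"{t.entity.value}/{t.motive.value} -> {t.outcome.value}")
    print(f"total exposure: {total_exposure(SAMPLE_REGISTER):,.0f}")
```

Ranking by expected loss is what lets a limited budget go to the scenarios that matter; comparing `expected_loss()` with `residual_risk()` for a proposed control gives the reduction that control buys, and the residual figure is what resilience and survivability planning still has to cover.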
References
- OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation. http://www.cert.org/octave/
- Educause / Internet2 Effective Security Practices Guide. http://www.educause.edu/security/guide/
- ISO/IEC 17799, International Code of Practice for Information Security Management. http://csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf