Security Management Practices - PowerPoint PPT Presentation

1 / 36

About This Presentation

Title:

Security Management Practices

Description:

Personal interview. Employee training and awareness. Employment Policies and Practices ... Lack of antivirus Software. Virus. Resulting in this Threat. Can ... – PowerPoint PPT presentation

Number of Views:884

Avg rating:3.0/5.0

Slides: 37

Provided by: miles80

Category:

more less

Transcript and Presenter's Notes

Title: Security Management Practices

1
Security Management Practices

2004 Summer Workshop
Data Collection and Data Sharing
July 13, 2004

Presented byRaza Hasan DBA DHMHs Center for
Cancer Surveillance Control
2
Security Management

Ensuring Confidentiality, Integrity and
Availability of information assets

3
How?

Develop and implement a Security Program
Conduct Risk Management

4
Security Policies

Organization policy
Is used to create an organization's central
computer security program
Issue specific polices
Addresses issues such as Internet usage, e-mail
privacy, etc.
System specific policies
Addresses security for a specific system

5
Examples of Security Policies

Network/Web Policy
Employment Policy
Database Policy

6
Network/Web Security Policy

Attempts to minimize risks associated with
services offered through Networks/Web

7
Network/Web Security Policy

Security policy depends on accurate
identification of your
Assets (what you try to protect)
Threats (what you try to protect your assets
from)
Services (what you allow your users to do)

8
Examples of Assets

Data
Computer/Network resources
Reputation

9
Examples of Threats

Sophisticated hackers
Script Kiddies
Spies
Hostile insiders (consultants, employees)
Accidents by valid users

10
Examples of Network/Web Services

Public
Web site
Email
E-Commerce
Private
Internal web site
Internal email
Web surfing
Virtual Private Network (VPN)

11
Elements of Network/Web Policy

A good network/Web security policy dictates what
traffic you allow in and out of your network, and
what you allow between network segments
Architecture
Firewall

12
Architecture

A network architectures security can be improved
with physical components such as firewalls and
network configuration, for example, network
address translation, virtual private networks,
and establishing Demilitarized Zones (DMZs).
A networks security can be weakened by adding
poorly configured dial-up services and improperly
implemented DMZs.

13
Firewalls

Device that restricts traffic between two
networks based upon a defined set of rules
Usually a dedicated device it should perform no
other role.

14
Firewall Diagram
Untrusted Network
Firewall
Protected Network
15
Typical Network Configuration

Demilitarized Zone (DMZ)
Separates external network, public servers, and
private systems.
If hackers manage to take over a server, they do
not automatically get access to the private
systems.
Must be careful not to grant special access
between the public servers and the private
network.

16
Example Policy
17
Example Policy (contd)

Protocols permitted between networks (all others
denied)

18
Employment Policies and Practices

Job Position Description
Separation of duties
Least privilege
Determine position sensitivity
Filling the position
Background checks
Personal interview
Employee training and awareness

19
Employment Policies and Practices User
Administration

User Account Management
Process of requesting/establishing/issuing/closing
user accounts
Tracking users and access authorizations
Managing the above functions
Audit and management reviews
Detecting unauthorized or illegal activities
Temporary assignments, transfers and termination
Contractor access considerations
Public access considerations

20
Database Security Policy

Aggregation Problem
When several access rights allow access to a
piece of information that should not be known
Can be solved by
Separating information into containers
Provide context dependant classification
Elevate containers security to a higher level

21
Database Security (contd)

Inference Problem
Occurs when a user can deduce information from
the information they have access to
Can be solved by
Fuzzy queries
Database design
Specify content and context dependant rules

22
Risk Management

Risk is the possibility of something adverse
happening to the organization
Risk management is the process of assessing risk
and taking steps to reduce it
Four ways to manage risk
Risk assignment and transfer (insurance)
Risk rejection (ignore risk)
Risk reduction (install safeguards)
Risk acceptance (e.g., costs exceed the benefits)

23
Risk Management Framework

Risk Assessment
Determine assessment scope and methodology
Collect and analyze data
Interpret risk and analyze results
Risk Mitigation
Select safeguards
Accept residual risk
Implement controls and monitor effectiveness

24
Risk Assessment Quantitative Techniques

Annual Loss Expectancy (ALE)
ALEI x F
I estimated impact in dollars
F estimated frequency of occurrence per year
Net Present Value (NPV)
NPV PV (Benefits) PV (Costs)

25
Risk Assessment Qualitative Techniques

Judgment and intuition of experts (a.k.a. gut
feeling)
Delphi technique
Polling

26
Risk Management Involves

Identification
Assets (Classification)
Threats
Vulnerabilities
Safeguards

27
Data Classification Schemes
Government Top Secret Secret Confidential Sensi
tive Unclassified

Corporate
Sensitive
Confidential
Private
Public

Highest Level Lowest Level
In order to develop effective information
security policy, information produced or
processed by an organization must be classified
according to its sensitivity to loss or
disclosure.
28
Distinction Between a Threat and Vulnerability

A threat is an activity, deliberate or
intentional, with the potential for causing harm
to a computer system or activity
A vulnerability is a flaw or weakness that may
allow harm to occur to a computer system or
activity

29
(No Transcript)
30
(No Transcript)
31
Common Threats and Vulnerabilities