it security controls
play

IT Security Controls By: Jay Chen What are IT Security Controls? - PowerPoint PPT Presentation

Jul 16, 2023 •163 likes •483 views

IT Security Controls By: Jay Chen What are IT Security Controls? Safeguards or countermeasures to avoid, detect, counteract, or minimize security risk Types of Controls Preventive Controls (E.g. Password lockout after 5 failed

  1. IT Security Controls By: Jay Chen

  2. What are IT Security Controls? • Safeguards or countermeasures to avoid, detect, counteract, or minimize security risk • Types of Controls  Preventive Controls (E.g. Password lockout after 5 failed attempts)  Detective Controls (E.g. Intrusion Detection System (IDS) Alerting on Attacks)  Corrective Controls (E.g. Patch management, Incident Response Team)  Physical Controls (E.g. Locks, fences, doors)  Procedural Controls (E.g. Security awareness training, incident response plan)  Technical Controls (E.g. Anti-virus, firewall, user authentication)  Legal Controls (E.g. Policies)

  3. Why do we need IT Security Controls? • Laws and regulations (HIPAA, PCI, GDPR) • Protect critical infrastructure • Ensure the CIA Triad • Prevent security incidents  “Global Average Cost of a data breach is $3.86 million”  “Average cost for each stolen record is $148 per record” https://securitytoday.com/articles/2018/07/17/the-average-cost-of-a-data-breach.aspx

  4. Regulations and Industry Standards • HIPAA (Healthcare) • FERPA (Education) • FISMA (Government) • State Laws – NY DFS (Financial) • International Laws – GDPR (EU) • Industry Standards – PCI DSS (Payment Processors)

  5. So how do we ensure we have the correct IT controls?

  6. By using frameworks

  7. What is a security framework? • A framework consisting of policies, procedures, and processes that define how information is managed in a business, to lower risk and vulnerability • A framework is not:  A regulation  A legislation • However, a framework is a best practice

  8. List of Security Frameworks • COBIT  Created by ISACA  Risk Management Framework • ISO 27000 Series  Created by International Organization for Standardization (ISO)  Information Security Standards • NIST SP 800 Series ( https://csrc.nist.gov/publications/sp800)  Created by National Institute of Standards and Technology  Technology/Computer Security Frameworks and Guidelines  100+ SP Series Publications  Highlights  800-53 (Security and Privacy Controls for Information Systems and Organizations) 494 Pages  800-37 (Risk Management Framework)  800-12 (An Introduction to Information Security)  800-121 (Guide to Bluetooth Security)  800-184 (Guide for Cybersecurity Event Recovery)  800-115 (Technical Guide to Information Security Testing and Assesment)

  9. List of Security Frameworks • PTES (Penetration Testing Execution Standard)  Created by a group of information security practitioners  http://www.pentest-standard.org/index.php/Main_Page • NIST Cybersecurity Framework (NIST CSF)  Created by National Institute of Standards and Technology  A shorten 800-53 for private sector businesses • HiTrust CSF (Health Information Trust Alliance Common Security Framework)  Cybersecurity Framework for healthcare industry (HIPAA) • CIS Top 20  Created by Center for Internet Security  Top 20 Security Controls

  10. CIS Top 20 • Center for Internet Security Top 20 Controls • CIS Top 20 Critical Security Controls is a prioritized set of best practices created to stop the most pervasive and dangerous threats. • 3 Tier Implementation Level • CIS Category  Basic CIS Controls  Foundational CIS Controls  Organizational CIS Controls

  11. Basic CIS Controls (Technology)

  12. Foundational CIS Controls (Technology)

  13. Organizational CIS Controls (People & Process)

  14. Analyzing CIS Controls

  15. CIS Control 1 Implementation Guide

  16. What is NIST CSF? • NIST Cybersecurity Framework • Created by the National Institute of Standards and Technology (NIST) • The NIST cybersecurity framework separate into five cores  Identify  Detect  Protect  Response  Recover • These five cores represents industry standards, guidelines, and practices for cybersecurity activities across an organization.

  17. NIST Cybersecurity Framework

  18. Identify • Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.

  19. Protect • Develop and implement appropriate safeguards to ensure delivery of critical services.

  20. Detect • Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

  21. Respond • Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

  22. Recover • Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident.

  23. Control Breakdown Functions # of Subcategory (Controls) Identify 29 Protect 39 Detect 18 Respond 16 Recover 6 Total 108

  24. NIST CSF Structure (Categories)

  25. NIST CSF Structure (Subcategories)

  26. NIST CSF Structure

  27. NIST CSF Structure

  28. NIST CSF (First Two Controls)

  29. NIST CSF Mapping

  30. CIS Control Mapping

  31. The End • Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

IT Security Controls Spring 2020 By: Jay Chen What are Security Controls? A safeguard or

IT Security Controls Spring 2020 By: Jay Chen What are Security Controls? A safeguard or

IT Security Controls Spring 2020 By: Jay Chen What are Security Controls? A safeguard or countermeasure for an information system or an organization designed to protect confidentiality, integrity, and availability of its information and to

605 views • 34 slides
Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing

Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing

Who Controls the Past Controls the Future Who Controls the Present Controls the Past Nothing gives rest but the sincere search for truth. -Pascal Greetz from Room 101 Kenneth Geers 1984 # Nineteen Eighty-Four (Orwell) # Govt IW vs own

1.03k views • 77 slides
Injecting Security Controls into Software Applications Katy Anton Principal Application Security

Injecting Security Controls into Software Applications Katy Anton Principal Application Security

Injecting Security Controls into Software Applications Katy Anton Principal Application Security Consultant About me Katy Anton Software development background Project co-leader for OWASP Top 10 Proactive Controls (@OWASPControls)

599 views • 37 slides
Security Controls for Industrial Control Systems EEI/AGA Security Committee Fall Meetings

Security Controls for Industrial Control Systems EEI/AGA Security Committee Fall Meetings

Security Controls for Industrial Control Systems EEI/AGA Security Committee Fall Meetings September 13, 2006 Boston, MA Stuart Katzke and Keith Stouffer, National Institute of Standards & Technology, Gaithersburg, MD Marshall Abrams, The

460 views • 23 slides
Cyber Security and Export Controls: You Need to Know More Than You Already Do AnnaLisa

Cyber Security and Export Controls: You Need to Know More Than You Already Do AnnaLisa

Cyber Security and Export Controls: You Need to Know More Than You Already Do AnnaLisa Nash Export Control Officer, NDSU Why Should You Care About Export Controls? so you can avoid HERE. When Should You Care? NOW. U.S. export

758 views • 65 slides
Overview Database Security Semantic Integrity Controls Access Control Rules Multilevel

Overview Database Security Semantic Integrity Controls Access Control Rules Multilevel

Overview Database Security Semantic Integrity Controls Access Control Rules Multilevel Secure Databases RBAC in Commercial DBMS Statistical Database Security Simone Fischer-Hbner Applied Security, DAVC17 Relational Database

194 views • 6 slides
Measuring the Performance and Effectiveness of Critical security controls William Makatiani

Measuring the Performance and Effectiveness of Critical security controls William Makatiani

Measuring the Performance and Effectiveness of Critical security controls William Makatiani Name Here About Serianu Limited Serianu is a Pan Africa based Cyber Security and business consulting firm. We are an award winning company in the

759 views • 46 slides
Todays Keys What are IT Controls Basic IT Controls Where to Find Resources What are IT

Todays Keys What are IT Controls Basic IT Controls Where to Find Resources What are IT

Todays Keys What are IT Controls Basic IT Controls Where to Find Resources What are IT Controls Objectives of IT Controls are Interrelated Prevent & Detect Fraud Automate Ensure controls Prevent integrity & accidental

308 views • 16 slides
This audit looked at whether the fraud and corruptjon controls over personnel security are

This audit looked at whether the fraud and corruptjon controls over personnel security are

This audit looked at whether the fraud and corruptjon controls over personnel security are well-designed and operatjng as intended. We examined recruitment practjces for employees, contractors and consultants in the Victorian Public Service, or

255 views • 3 slides
ASCEM Conference Lighting Controls Roundtable Discussion Why do we want lighting controls?

ASCEM Conference Lighting Controls Roundtable Discussion Why do we want lighting controls?

ASCEM Conference Lighting Controls Roundtable Discussion Why do we want lighting controls? Behavior Modification versus lighting controls Implementation and outcomes Typical Controls Keyed Switches Dual switching

973 views • 15 slides
Simulation-based optimization of information security controls: An adversary-centric approach

Simulation-based optimization of information security controls: An adversary-centric approach

Simulation-based optimization of information security controls: An adversary-centric approach Elmar Kiesling, Andreas Ekelhart, Bernhard Grill, Christine Strau, Christian Stummer December 9, 2013; Washington, DC Funded by the Austrian

1.01k views • 88 slides
Controls: Benefits of Honeypots to Companies Srgio Nunes & Miguel Correia Lisboa, December

Controls: Benefits of Honeypots to Companies Srgio Nunes & Miguel Correia Lisboa, December

IBWAS 2010 From Risk Awareness to Security Controls: Benefits of Honeypots to Companies Srgio Nunes & Miguel Correia Lisboa, December 2010 About me Senior Information Security Consultant / Auditor University Professor: Security,

447 views • 23 slides
API security in a microservice architecture Matt McLarty VP, API Academy, CA Technologies Feb.

API security in a microservice architecture Matt McLarty VP, API Academy, CA Technologies Feb.

API security in a microservice architecture Matt McLarty VP, API Academy, CA Technologies Feb. 28, 2018 Agenda Purpose and Goals Background Current Approaches - Network-level Controls - Application-level Controls - Emerging

785 views • 43 slides
Implementation of Resilience via Operational Controls Art Conklin, University of Houston Funded

Implementation of Resilience via Operational Controls Art Conklin, University of Houston Funded

Implementation of Resilience via Operational Controls Art Conklin, University of Houston Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security | cred-c.org Security in IT vs. OT IT security CIA associated

348 views • 14 slides
Open Security Controls Assessment Language (OSCAL) Lunch with the OSCAL Developers David

Open Security Controls Assessment Language (OSCAL) Lunch with the OSCAL Developers David

Open Security Controls Assessment Language (OSCAL) Lunch with the OSCAL Developers David Waltermire National Institute of Standards and Technology Teleconference Overview 2 Ground Rules OSCAL Status Summary (5 minutes) Review

118 views • 9 slides
Open Security Controls Assessment Language (OSCAL) Lunch with the OSCAL Developers David

Open Security Controls Assessment Language (OSCAL) Lunch with the OSCAL Developers David

Open Security Controls Assessment Language (OSCAL) Lunch with the OSCAL Developers David Waltermire National Institute of Standards and Technology Teleconference Overview 2 Ground Rules OSCAL Status Summary (5 minutes) Issues

434 views • 16 slides
Charting our I nternational Future : A Competitive Greater Montreal ISRN Annual Meeting Yves

Charting our I nternational Future : A Competitive Greater Montreal ISRN Annual Meeting Yves

Charting our I nternational Future : A Competitive Greater Montreal ISRN Annual Meeting Yves Charette Greater Montreal Economic Development Coordinator Toronto, May 5 th , 2010 Montreal Metropolitain Community at a glance 82 Local

269 views • 16 slides
Driving the Future of Health Care Real Estate Welltower at a Glance Welltower is redefining the

Driving the Future of Health Care Real Estate Welltower at a Glance Welltower is redefining the

Driving the Future of Health Care Real Estate Welltower at a Glance Welltower is redefining the settings where healthcare services will be delivered in the future 1,676 ~19,965,000 ~321,000 OUTPATIENT TOTAL HEALTH CARE RESIDENTS (2) MEDICAL

354 views • 7 slides
Building High Performance Protocols Todd L. Montgomery @toddlmontgomery Informatica Ultra

Building High Performance Protocols Todd L. Montgomery @toddlmontgomery Informatica Ultra

Building High Performance Protocols Todd L. Montgomery @toddlmontgomery Informatica Ultra Messaging Architecture Protocol Design & Implementation Today, less than 100 ns. 10,000x improvement from App-to-App Latency 2004. Today, more than

471 views • 20 slides
April 22, 2015 Our Agenda Topic Speaker Webinar Overview and Instructions Hilary Hunt

April 22, 2015 Our Agenda Topic Speaker Webinar Overview and Instructions Hilary Hunt

April 22, 2015 Our Agenda Topic Speaker Webinar Overview and Instructions Hilary Hunt Teaching and Assessing Student Understanding Dr. Andrew Hill of Saving and Investing Spice Up Your Saving and Investing Lessons Hilary Hunt Model

1.22k views • 76 slides
Inadequacies of Current Risk Controls for the Cloud Name: Michael Goldsmith Michael Auty, Sadie

Inadequacies of Current Risk Controls for the Cloud Name: Michael Goldsmith Michael Auty, Sadie

Inadequacies of Current Risk Controls for the Cloud Name: Michael Goldsmith Michael Auty, Sadie Creese and Paul Hopkins Venue: CPSRT@CloudCom2010, Indianapolis Date: 2 December 2010 Research supported by 1 Methodology to Identify

623 views • 17 slides
State Consistencies for Cyber- Physical System Recovery Fanxin Kong, S yracuse Universit y

State Consistencies for Cyber- Physical System Recovery Fanxin Kong, S yracuse Universit y

State Consistencies for Cyber- Physical System Recovery Fanxin Kong, S yracuse Universit y okolsky, James Weimer, Insup Lee, Universit y of Oleg S Pennsylvania April 15, 2019 Department of Electrical Engineering and Computer S cience

456 views • 23 slides
IMGD 3xxx - HCI for Real, Virtual, and Teleoperated Environments: Physical Input by Robert W.

IMGD 3xxx - HCI for Real, Virtual, and Teleoperated Environments: Physical Input by Robert W.

IMGD 3xxx - HCI for Real, Virtual, and Teleoperated Environments: Physical Input by Robert W. Lindeman gogo@wpi.edu Overview Manipulating Physical controls is different from manipulating virtual controls Handling them is

597 views • 13 slides
Got Loss? Get zOVN! Daniel Crisan, Robert Birke, Gilles Cressier, Cyriel Minkenberg, and Mitch

Got Loss? Get zOVN! Daniel Crisan, Robert Birke, Gilles Cressier, Cyriel Minkenberg, and Mitch

Got Loss? Get zOVN! Daniel Crisan, Robert Birke, Gilles Cressier, Cyriel Minkenberg, and Mitch Gusat ACM SIGCOMM 2013, 12-16 August, Hong Kong, China Research Zurich Research Laboratory Application Performance in Virtualized Datacenter

691 views • 24 slides

More recommend