IT Security From an Organizational Perspective - PowerPoint PPT Presentation

SLIDE 1

Organizational Security 1

IT Security From an Organizational Perspective

Ulrika Norman
Jeffy Mwakalinga

References:
1) Enterprise Security. Robert C. Newman. ISBN: 0-13-047458-4
2) Corporate Computer and Network Security. Raymond R. Panko. ISBN: 0-13-101774-8

SLIDE 2

Outline

PART I: Security Overview
1) Introduction
2) Security Services and Implementation
3) Overview of Existing Security Systems
4) Implementing Security in a System

PART II: Organizational Security
1) Introduction
2) Securing Information Systems of an Organization
3) Corporate Security Planning
4) Adding a Security Department

SLIDE 3

Introduction

[Diagram: the areas that make up IT security] Security Management; Mobile (wireless) Security; Information Security; Information Technology Security; Wired Security; Applications Security; Communication Security; Computer Security; Security Technology; Physical Security

SLIDE 4

Introduction

Information security is defined as methods and technologies for deterrence (scaring away hackers), protection, detection, response, recovery and extended functionalities.

SLIDE 5

Generic Security Principles

[Diagram: Generic Security System] Deterrence (Scare away); Protection; Detection; Response; Recovery
Assets shown in the diagram: information while in storage, information while in transmission, hardware. Threat shown: hacker.

SLIDE 6

PART I: Security Overview

• Introduction
• Security Services and Implementation
• Overview of Existing Security Systems
• Implementing security in a system

SLIDE 7

Security Services and Implementation: Confidentiality

[Diagram: the six security services] Confidentiality; Authentication; Access Control; Integrity; Availability; Non-repudiation

Confidentiality: to keep a message secret from those that are not authorized to read it

SLIDE 8

Security Services: Authentication

[Diagram: the six security services] Confidentiality; Authentication; Access Control; Integrity; Availability; Non-repudiation

Authentication: to verify the identity of the user / computer

SLIDE 9

Security Services: Access Control

[Diagram: the six security services] Confidentiality; Authentication; Access Control; Integrity; Availability; Non-repudiation

Access Control: to be able to tell who can do what with which resource

SLIDE 10

Security Services: Integrity

[Diagram: the six security services] Confidentiality; Authentication; Access Control; Integrity; Availability; Non-repudiation

Integrity: to make sure that a message has not been changed while in transfer, storage, etc.

SLIDE 11

Security Services: Non-repudiation

[Diagram: the six security services] Confidentiality; Authentication; Access Control; Integrity; Availability; Non-repudiation

Non-repudiation: to make sure that a user/server can't deny later having participated in a transaction

SLIDE 12

Security Services: Availability

[Diagram: the six security services] Confidentiality; Authentication; Access Control; Integrity; Availability; Non-repudiation

Availability: to make sure that the services are always available to users.

SLIDE 13

Cryptography

Providing Security Services: Confidentiality

• We use cryptography: the science of transforming information so it is secure during transmission or storage
• Encryption: changing original text into a secret, encoded message
• Decryption: reversing the encryption process to change text back to original, readable form

SLIDE 14

Encryption

[Diagram] Some confidential text (message) in clear (readable) form → Encryption

SLIDE 15

Decryption

[Diagram] Decryption → Some confidential text (message) in clear (readable) form

SLIDE 16

Example

Substitution table (partial):
A B C D E F G . . . . X Y Z
L G T U W O M . . . . I A C

Message: STOCKHOLM
Encoded with the table: VWRF NKROP

SLIDE 17

Symmetric Key Encryption – One Key System

[Diagram] Anders: Plaintext "Hello" → Encryption Method & Key (Symmetric Key) → Ciphertext "11011101" → Internet (Interceptor) → Ciphertext "11011101" → Decryption Method & Key (Same Symmetric Key) → Plaintext "Hello" → Karin
Note: A single key is used to encrypt and decrypt in both directions.

SLIDE 18

Single Key System: Symmetric System

The same secret key is used to encrypt and decrypt messages. The secret key must remain secret.

[Diagram] Some confidential text (message) in clear (readable) form → Encryption → Decryption, with one crypto key used for both
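The substitution cipher of slide 16 is itself a one-key system in the sense of slides 17 and 18: the key is one permutation of the alphabet, and the same permutation (read forwards) encrypts and (read backwards) decrypts. The following is an added example, not code from the slides or from the referenced books. The letters the slide gives (A→L, B→G, C→T, D→U, E→W, F→O, G→M, X→I, Y→A, Z→C) are kept; the sixteen letters the slide elides are filled in arbitrarily, so the ciphertext for STOCKHOLM here differs from the slide's.

```python
import secrets
import string

ALPHABET = string.ascii_uppercase

# Constructed key: first seven and last three letters follow the slide's table;
# the sixteen letters in between (positions H..W) are an assumption of this
# example, chosen only so that every letter appears exactly once.
DEMO_KEY = "LGTUWOM" + "BDEFHJKNPQRSVXYZ" + "IAC"


def is_valid_key(key: str) -> bool:
    """A key is one permutation of the alphabet: every letter exactly once.
    Anything else would make decryption ambiguous."""
    return sorted(key) == list(ALPHABET)


def generate_key() -> str:
    """Draw a fresh random permutation as the shared secret (slide 18: the
    key is the only thing that must stay secret)."""
    letters = list(ALPHABET)
    secrets.SystemRandom().shuffle(letters)  # OS-seeded, not the default PRNG
    return "".join(letters)


def encrypt(plaintext: str, key: str) -> str:
    """Plain letter at position i of ALPHABET becomes key[i]; characters
    outside A-Z (spaces, digits) pass through unchanged."""
    if not is_valid_key(key):
        raise ValueError("key must be a permutation of A-Z")
    return plaintext.upper().translate(str.maketrans(ALPHABET, key))


def decrypt(ciphertext: str, key: str) -> str:
    """The inverse table is built from the very same key: one key, both
    directions, which is what makes the system symmetric."""
    if not is_valid_key(key):
        raise ValueError("key must be a permutation of A-Z")
    return ciphertext.upper().translate(str.maketrans(key, ALPHABET))


if __name__ == "__main__":
    c = encrypt("STOCKHOLM", DEMO_KEY)
    print(c, "->", decrypt(c, DEMO_KEY))
    k = generate_key()
    print(decrypt(encrypt("HELLO KARIN", k), k))
```

A 26-letter permutation is a tiny key space and leaks letter frequencies, so this is a teaching model of "one key, both directions", not a cipher to deploy; the point carried over to AES on the next slide is that the same secret key is shared by both ends.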

SLIDE 19

Advanced Encryption Algorithm (AES)

[Diagram] Message (bits 1, 2, 3, ... 128) and Key (bits 1, 2, 3, ... 128, 192, 256) pass through the round keys K-1, K-2, ... (Rounds) to give the Encrypted message (bits 1, 2, 3, ... 64)

If key = 128, Rounds = 9
If key = 192, Rounds = 11
If key = 256, Rounds = 13

SLIDE 20

Two Keys System: Asymmetric System

[Diagram] Some confidential text (message) in clear (readable) form → Encryption (Key 1) → Decryption (Key 2)

System with two keys: private key and public key. Example: Rivest Shamir Adleman system (RSA)
SLIDE 21

Providing Security Services: Authentication

• something you are
• something you have
• something you know
• where you are - terminal

[Diagram] User ↔ WWW Server

SLIDE 22

Authentication (continued)

• Passwords
• Smart cards
• Certificates
• Biometrics
• Biometrics used for door locks can also be used for access control to personal computers
• Fingerprint scanners

[Figure: fingerprint scanner]
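Passwords are the "something you know" factor on slides 21 and 22, and the server side of that check is where most password systems go wrong. The following is an added example, not code from the slides or the referenced books, of how a server should store and verify passwords: a per-user random salt, a slow key derivation (PBKDF2-HMAC-SHA256 from the standard library), and a constant-time comparison. The user store is a plain dictionary constructed for the example; the usernames and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; raise it as hardware gets faster).
ITERATIONS = 200_000
SALT_BYTES = 16
# Used only so that the "unknown user" path costs the same as a real check.
_DUMMY_SALT = b"\x00" * SALT_BYTES


def derive(password: str, salt: bytes) -> bytes:
    """Stretch the password with a per-user salt; the result is what gets stored,
    never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(store: dict, username: str, password: str) -> None:
    """Record (salt, derived key) for a user. A fresh salt per user means two
    users with the same password still get different stored values."""
    salt = os.urandom(SALT_BYTES)
    store[username] = (salt, derive(password, salt))


def verify(store: dict, username: str, password: str) -> bool:
    """Constant-time comparison of the derived keys. An unknown user still
    pays the derivation cost so response time does not reveal which
    usernames exist."""
    record = store.get(username)
    if record is None:
        derive(password, _DUMMY_SALT)
        return False
    salt, expected = record
    return hmac.compare_digest(derive(password, salt), expected)


if __name__ == "__main__":
    users = {}  # constructed in-memory user store
    enroll(users, "anders", "correct horse battery staple")
    print(verify(users, "anders", "correct horse battery staple"))  # True
    print(verify(users, "anders", "password"))                      # False
```

The same structure applies whichever of the slide's factors is checked: compare a derived value, never the secret itself, and keep the comparison time independent of where the mismatch occurs.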

SLIDE 23

Providing Security Services: Access Control

Access control: who can do ... what ... with which resource?

[Diagram] Resources File A and File B; example rights: Read, Copy

SLIDE 24

Access Control Matrix

[Diagram: matrix with Subject1 ... Subject6 as rows and File 1 ... File 6 as columns; a cell holds the rights of that subject on that file, e.g. read, write, delete]
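The matrix of slide 24 answers slide 23's question directly: the cell at (subject, resource) lists what that subject may do. The following is an added example, not code from the slides or the referenced books, that stores such a matrix sparsely, answers "who can do what with which resource" with a default of deny, and goes slightly beyond the slide by showing the two common ways the matrix is stored in practice: per-object columns (access control lists) and per-subject rows (capability lists). The subjects, files and rights are constructed sample data.

```python
from typing import Dict, FrozenSet, Iterable, Tuple

Subject = str
Obj = str
Action = str
# One cell per (subject, object) pair; a missing cell means no rights at all.
Matrix = Dict[Tuple[Subject, Obj], FrozenSet[Action]]


def build_matrix(entries: Iterable[Tuple[Subject, Obj, Iterable[Action]]]) -> Matrix:
    """Build the sparse matrix; listing a pair twice merges its rights."""
    matrix: Matrix = {}
    for subject, obj, actions in entries:
        matrix[(subject, obj)] = matrix.get((subject, obj), frozenset()) | frozenset(actions)
    return matrix


def is_allowed(matrix: Matrix, subject: Subject, action: Action, obj: Obj) -> bool:
    """Who (subject) can do what (action) with which resource (obj).
    Anything not explicitly granted is denied."""
    return action in matrix.get((subject, obj), frozenset())


def acl_for(matrix: Matrix, obj: Obj) -> Dict[Subject, FrozenSet[Action]]:
    """Column view: the access control list attached to one object."""
    return {s: rights for (s, o), rights in matrix.items() if o == obj and rights}


def capabilities_of(matrix: Matrix, subject: Subject) -> Dict[Obj, FrozenSet[Action]]:
    """Row view: the capability list carried by one subject."""
    return {o: rights for (s, o), rights in matrix.items() if s == subject and rights}


# Constructed sample in the shape of slide 24 (subjects against files).
SAMPLE = build_matrix([
    ("Subject1", "File1", ["read", "write"]),
    ("Subject1", "File2", ["read"]),
    ("Subject2", "File1", ["read"]),
    ("Subject2", "File3", ["read", "write", "delete"]),
    ("Subject3", "File4", ["read"]),
])

if __name__ == "__main__":
    print(is_allowed(SAMPLE, "Subject1", "read", "File1"))    # True
    print(is_allowed(SAMPLE, "Subject1", "delete", "File1"))  # False
    print(acl_for(SAMPLE, "File1"))
```

Both views answer the same question; the difference is which lookup is cheap. An ACL makes "who may touch File1?" a single lookup (useful when auditing or revoking access to a resource), a capability list makes "what may Subject2 do?" a single lookup (useful when a subject leaves and all of its rights must go).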

SLIDE 25

Providing Security Services: Integrity

[Diagram] Some confidential text (message) in clear (readable) form → Change to binary form → 1011100011001101010101010011101 0011 1010 1001 → Compress (Hashing) → 1101 0011 1010 1001
The result is called a Message Digest.

SLIDE 26

Providing Integrity

[Diagram] message → Hashing System → Message Digest

Message Digest ~ Message Authentication Code (MAC)
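Slides 25 and 26 show the message being hashed down to a short digest that changes if any bit of the message changes. The following is an added example, not code from the slides or the referenced books, that computes such a digest with SHA-256 and shows it in the slide's "binary form", and then adds the distinction a practitioner needs behind the slide's "Message Digest ~ MAC": an unkeyed digest detects accidental change but anyone who alters the message can simply recompute it, whereas a MAC (here HMAC-SHA256) mixes in a secret key, so only the key holders can produce or check the tag. The sample message and the key are constructed.

```python
import hashlib
import hmac
import secrets


def message_digest(message: bytes) -> str:
    """Unkeyed digest (slides 25/26): detects accidental change, but an
    attacker who changes the message can recompute it too."""
    return hashlib.sha256(message).hexdigest()


def digest_as_bits(message: bytes, n_bits: int = 16) -> str:
    """The slide's 'binary form' view: the first n_bits of the digest,
    grouped in fours like '1101 0011 1010 1001'."""
    bits = "".join(f"{b:08b}" for b in hashlib.sha256(message).digest())[:n_bits]
    return " ".join(bits[i:i + 4] for i in range(0, n_bits, 4))


def new_mac_key() -> bytes:
    """Shared secret for the MAC; both ends must hold it (constructed here)."""
    return secrets.token_bytes(32)


def make_mac(key: bytes, message: bytes) -> str:
    """Keyed digest (HMAC-SHA256): only holders of the key can produce it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    """Recompute and compare in constant time; a changed message, a changed
    tag or a different key all fail."""
    return hmac.compare_digest(make_mac(key, message), tag)


if __name__ == "__main__":
    msg = b"Transfer 100 SEK to account 1234"   # constructed sample message
    print(message_digest(msg))
    print(digest_as_bits(msg))
    key = new_mac_key()
    tag = make_mac(key, msg)
    print(verify_mac(key, msg, tag))                                # True
    print(verify_mac(key, msg.replace(b"100", b"900"), tag))        # False
```

The digest alone gives integrity against noise and mistakes; the MAC gives integrity against an interceptor on the Internet link of slide 17, at the cost of first agreeing on a key.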

SLIDE 27

Providing Security Services: Non-repudiation - Signatures

[Diagram] message → Hashing System → MAC → RSA (signing) with the sender's private RSA key → Signature. The message and its Signature are sent together (PKCS#1).
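Slide 20 introduces the two-key RSA system and slide 27 uses it for non-repudiation: hash the message, then apply the sender's private key to the hash, so that anyone holding the public key can check the signature but only the sender could have produced it. The following is an added example, not code from the slides or the referenced books, that implements textbook RSA with the well-known toy primes 61 and 53 and shows both uses: encryption with the public key / decryption with the private key, and signing with the private key / verification with the public key. The modulus is tiny and no PKCS#1 padding is applied, so this illustrates the flow on the slide and nothing more; the hash is reduced modulo n only so that it fits the toy modulus.

```python
import hashlib
from math import gcd
from typing import Tuple

PublicKey = Tuple[int, int]    # (n, e): Key 1 on slide 20, may be published
PrivateKey = Tuple[int, int]   # (n, d): Key 2 on slide 20, must stay secret


def make_keypair(p: int, q: int, e: int = 17) -> Tuple[PublicKey, PrivateKey]:
    """Textbook RSA key generation from two primes. Toy sizes only; real
    keys use primes of 1024 bits or more."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(m: int, public: PublicKey) -> int:
    """Confidentiality: anyone can encrypt with the public key ..."""
    n, e = public
    return pow(m, e, n)


def decrypt(c: int, private: PrivateKey) -> int:
    """... and only the private-key holder can decrypt."""
    n, d = private
    return pow(c, d, n)


def hash_mod_n(message: bytes, n: int) -> int:
    """The 'Hashing System' step of slide 27; reduced mod n to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign_int(h: int, private: PrivateKey) -> int:
    """'RSA (signing)' with the sender's private key."""
    n, d = private
    return pow(h, d, n)


def verify_int(h: int, signature: int, public: PublicKey) -> bool:
    """Undo the private-key operation with the public key and compare to the hash."""
    n, e = public
    return pow(signature, e, n) == h


def sign(message: bytes, private: PrivateKey) -> int:
    """Non-repudiation: only the sender's private key can produce this value."""
    return sign_int(hash_mod_n(message, private[0]), private)


def verify(message: bytes, signature: int, public: PublicKey) -> bool:
    """Anyone with the sender's public key can check it."""
    return verify_int(hash_mod_n(message, public[0]), signature, public)


if __name__ == "__main__":
    public, private = make_keypair(61, 53)          # toy primes, not for real use
    print(decrypt(encrypt(65, public), private))    # 65
    msg = b"I, Anders, agree to pay 100 SEK"        # constructed message
    print(verify(msg, sign(msg, private), public))  # True
```

Note how the two uses mirror each other: encryption is public-key in, private-key out (only the recipient can read), signing is private-key in, public-key out (everyone can check, only the signer can write). In deployed systems the hash is wrapped in PKCS#1 padding before the private-key operation, which is the "PKCS#1" label on the slide.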

SLIDE 28

PART I: Security Overview

• Introduction
• Security Services
• Overview of Existing Security Systems
• Implementing security in a system

SLIDE 29

Overview of Existing Security Systems: Firewalls
Used even for Deterring (Scaring attackers)

Firewalls: designed to prevent malicious packets from entering
• Software based: runs as a local program to protect one computer (personal firewall) or as a program on a separate computer (network firewall) to protect the network
• Hardware based: separate devices that protect the entire network (network firewalls)

SLIDE 30

Overview of Existing Security Systems: Detection - Intrusion Detection Systems

Intrusion Detection System (IDS): examines the activity on a network. Goal is to detect intrusions and take action.

Two types of IDS:
• Host-based IDS: installed on a server or other computers (sometimes all); monitors traffic to and from that particular computer
• Network-based IDS: located behind the firewall and monitors all network traffic
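A host-based IDS of the kind on this slide watches what happens on one machine, and one of the simplest useful detections is a burst of failed logins from a single source. The following is an added example, not code from the slides or the referenced books, that parses sshd-style syslog lines and raises one alert per source address that reaches a threshold of failures inside a sliding time window. The log lines are constructed for the example (documentation address ranges), and the threshold and window are assumed values a real deployment would tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

# Constructed sample of sshd-style syslog lines; not real traffic.
SAMPLE_LOG = [
    "Mar 10 09:12:01 srv1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar 10 09:12:03 srv1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2",
    "Mar 10 09:12:04 srv1 sshd[2205]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Mar 10 09:12:06 srv1 sshd[2207]: Failed password for root from 203.0.113.7 port 51025 ssh2",
    "Mar 10 09:12:09 srv1 sshd[2209]: Failed password for anders from 198.51.100.20 port 40100 ssh2",
    "Mar 10 09:12:10 srv1 sshd[2210]: Failed password for root from 203.0.113.7 port 51026 ssh2",
    "Mar 10 09:12:15 srv1 sshd[2212]: Accepted password for anders from 198.51.100.20 port 40101 ssh2",
    "Mar 10 09:15:40 srv1 sshd[2230]: Failed password for root from 203.0.113.7 port 51030 ssh2",
]

# Matches only failed logins; successful ones and unrelated daemons are ignored.
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(lines: Iterable[str], year: int = 2024) -> List[Tuple[datetime, str, str]]:
    """Extract (timestamp, user, source ip) from failed-login lines.
    Syslog omits the year, so the caller supplies it (assumed 2024 here)."""
    out = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["user"], m["ip"]))
    return out


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=2)) -> List[Tuple[str, datetime, int]]:
    """Alert once per source address that reaches `threshold` failures
    within a sliding `window`; returns (ip, time of detection, count)."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted = set()
    alerts = []
    for ts, _user, ip in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, ts, len(q)))
    return alerts


if __name__ == "__main__":
    for ip, when, count in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {when.isoformat()} {ip}: {count} failed logins within window")
```

The sliding window is what keeps the detector honest: the late failure at 09:15:40 from the same source does not re-trigger because the earlier ones have aged out, and the single failure from 198.51.100.20 followed by a success is ordinary user behaviour, not an intrusion. The "take action" half of the slide (blocking the source, paging an operator) would hang off the returned alerts.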

SLIDE 31

Overview of Existing Security Systems: Network Address Translation (NAT)

Network Address Translation (NAT) systems: hides the IP address of network devices. Located just behind the firewall. The NAT device uses an alias IP address in place of the sending machine's real one. "You cannot attack what you can't see"

SLIDE 32

Overview of Existing Security Systems: Proxy Servers

Proxy server: operates similar to NAT, but also examines packets to look for malicious content. Replaces the protected computer's IP address with the proxy server's address. Protected computers never have a direct connection outside the network. The proxy server intercepts requests and acts "on behalf of" the requesting client.

SLIDE 33

Adding a Special Network called Demilitarized Zone (DMZ)

Demilitarized Zones (DMZ): another network that sits outside the secure network perimeter. Outside users can access the DMZ, but not the secure network. Some DMZs use two firewalls. This prevents outside users from even accessing the internal firewall. Provides an additional layer of security.
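The two-firewall DMZ on this slide only works if each firewall's rule set actually encodes "outside may reach the DMZ, nobody outside may reach the secure network". The following is an added example, not code from the slides or the referenced books, of a small first-match packet filter with a default of deny, applied along the path a packet takes: the outer firewall for anything arriving from outside, the inner firewall for anything heading into the internal network. The address plan (documentation ranges), the servers and the ports are constructed assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: Net
    dst: Net
    dport: Optional[int]  # None matches any destination port


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr
    dport: int


# Constructed address plan; not from the slides.
ANY = ipaddress.ip_network("0.0.0.0/0")
DMZ = ipaddress.ip_network("192.0.2.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
WEB_SERVER = ipaddress.ip_network("192.0.2.10/32")   # lives in the DMZ
DB_SERVER = ipaddress.ip_network("10.0.5.20/32")     # lives in the secure network

# Outer firewall: the outside may reach the DMZ web ports and nothing else,
# so an outside host never even sees the inner firewall.
OUTER_RULES = [
    Rule("allow", ANY, DMZ, 443),
    Rule("allow", ANY, DMZ, 80),
    Rule("deny", ANY, ANY, None),
]
# Inner firewall: only the DMZ web server may reach the internal database.
INNER_RULES = [
    Rule("allow", WEB_SERVER, DB_SERVER, 5432),
    Rule("deny", ANY, ANY, None),
]


def evaluate(rules: List[Rule], pkt: Packet) -> bool:
    """First matching rule wins; a packet matching no rule is denied."""
    for r in rules:
        if pkt.src in r.src and pkt.dst in r.dst and (r.dport is None or r.dport == pkt.dport):
            return r.action == "allow"
    return False


def zone_of(addr: Addr) -> str:
    if addr in DMZ:
        return "dmz"
    if addr in INTERNAL:
        return "internal"
    return "outside"


def path_allowed(pkt: Packet) -> bool:
    """Apply every firewall the packet crosses on the way to its destination.
    Traffic that crosses no firewall (internal to internal) is not filtered here."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    crossed: List[List[Rule]] = []
    if src_zone == "outside" and dst_zone != "outside":
        crossed.append(OUTER_RULES)
    if dst_zone == "internal" and src_zone != "internal":
        crossed.append(INNER_RULES)
    return all(evaluate(rules, pkt) for rules in crossed)


def packet(src: str, dst: str, dport: int) -> Packet:
    return Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


if __name__ == "__main__":
    print(path_allowed(packet("203.0.113.7", "192.0.2.10", 443)))   # True: outside -> DMZ web
    print(path_allowed(packet("203.0.113.7", "10.0.5.20", 5432)))   # False: outside -> secure network
    print(path_allowed(packet("192.0.2.10", "10.0.5.20", 5432)))    # True: DMZ web -> internal DB
```

The test cases worth keeping in a real change process are the negative ones: the outside host stopped at the outer firewall before the inner one is consulted, and a second DMZ host that is not the web server being refused by the inner firewall even on the allowed port.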

SLIDE 34

Overview of Existing Security Systems: Virtual Private Networks (VPN)

• Virtual Private Networks (VPNs): a secure network connection over a public network
• Allows mobile users to securely access information
• Sets up a unique connection called a tunnel

SLIDE 35

Overview of Existing Security Systems: Virtual Private Networks (VPN)

[Diagram]

SLIDE 36

Overview of Existing Security Systems: Honeypots

Honeypots: a computer located in a DMZ and loaded with files and software that appear to be authentic, but are actually imitations. Intentionally configured with security holes.
Goals: direct the attacker's attention away from real targets; examine the techniques used by hackers.

SLIDE 37

Overview of Existing Security Systems: Secure Socket Layer (SSL)

SSL is used for securing communication between clients and servers. It provides mainly confidentiality, integrity and authentication.

[Diagram] Client ↔ WWW Server: establish SSL connection - communication protected

SLIDE 38

PART I: Security Overview

• Introduction
• Security Services and Implementation
• Overview of Existing Security Systems
• Implementing security in a system

SLIDE 39

Implementing Security in a System Involves:

• Patching software – getting the latest versions
• Hardening systems – by using the different security systems available
• Blocking attacks – by having different security tools to prevent attacks
• Testing defenses – regularly testing from outside and inside the network of an organization

SLIDE 40

Protecting one Computer

Summary (continued)

• Operating system hardening is the process of making a PC operating system more secure
• Patch management
• Antivirus software – to protect your PC from viruses
• Antispyware software
• Firewalls – to deter (scare), protect
• Setting correct permissions for shares
• Intrusion detection systems – to detect intrusions
• Cryptographic systems

SLIDE 41

Protecting a Wired Network

Use firewalls, intrusion detection systems, network address translation, virtual private networks, honeypots, cryptographic systems, etc.

SLIDE 42

Protecting a Wireless Local Area Network (WLAN)

SLIDE 43

Security in a Wireless LAN

• WLANs include a different set of security issues
• Steps to secure:
  • Turn off broadcast information
  • MAC address filtering
  • Encryption
  • Password protect the access point
  • Physically secure the access point
  • Use enhanced WLAN security standards whenever possible
  • Use cryptographic systems

SLIDE 44

PART II: Organizational Security

• Introduction
• Securing Information Systems of an Organization
• Corporate Security Planning
• Adding a Security Department

SLIDE 45

Introduction - Traditional Organization

[Diagram: the organization and its parts] Production; Marketing; Customers; Research; Supply; Services; Management; Sales; Web Clients; Business to Business; Partners (Outsource)

SLIDE 46

Introduction: Adding Information System

[Diagram: Organization + IS] Information System (IS) for Management; IS for Production; IS for Marketing; IS for Customers; IS for Research; IS for Supply; IS for Services; IS for Sales; IS for Web Clients; IS for Business to Business; IS for Partners (Outsource)

How do we secure the IS of the organization?

SLIDE 47

PART II: Organizational Security

• Introduction
• Securing Information Systems of an Organization
• Corporate Security Planning
• Adding a Security Department

SLIDE 48

Securing Information Systems of an Organization

[Diagram: each IS of the organization wrapped in Security, with the Internet outside] Information System for Management; IS for Production; IS for Marketing; IS for Customers; IS for Research; IS for Supply; IS for Services; IS for Sales; IS for Web Clients; IS for B2B; IS for Partners (Outsource); Internet

SLIDE 49

Holistic (Generic) Security Approach

[Diagram] Organization → Security for People, Technology (servers, …) and Information, applying each principle: Deterrence (Scare away); Protection; Detection; Response; Recovery

SLIDE 50

Analysis

Principles: Deterrence (Scare away); Protection; Detection; Response; Recovery

How much to spend on Deterrence? How much to spend on Recovery? How much to spend on Response? How much to spend on Detection? How much to spend on Protection? (10%? 10%? 10%? 20%? 50%?)

How much responsibility on employees? How much responsibility on the organization? How much responsibility on government?
SLIDE 51

Analysis continued

Principles: Deterrence (Scare away); Protection; Detection; Response; Recovery

Implementation of each principle: by software x%, by people y%, by hardware z% (and likewise k%/d%/c%, f%/g%/r%, m%/p%/h%, n%/s%/t% for the others)

Which standards to use for deterring? Which standards to use for recovery? Which standards to use for response? Which standards to use for detection? Which standards to use for protection?

To do the analysis we need corporate security planning.
SLIDE 52

PART II: Organizational Security

• Introduction
• Securing Information Systems of an Organization
• Corporate Security Planning
• Adding a Security Department

SLIDE 53

Corporate Security Planning

• Security requirements assessment
• Business continuity planning
• How to perform network management?
• Administration
• How to test and troubleshoot?

SLIDE 54

Security requirements Assessment: Continuous process

[Diagram: cycle] Start → Identify → Analyze → Design → Implement → Audit → Evaluate → Finish one round

• Identify the organization's security issues and assets
• Analyze security risks, threats and vulnerabilities
• Design the security architecture and the associated processes
• Implement
• Audit the impact of the security technology and processes
• Evaluate the effectiveness of current architecture and policies

SLIDE 55

Business Continuity Planning (1)

• A business continuity plan specifies how a company plans to restore core business operations when disasters occur
• Business Process Analysis
  • Identification of business processes and their interrelationships
  • Prioritization of business processes
• Communicating, Testing, and Updating the Plan
  • Testing (usually through walkthroughs) needed to find weaknesses
  • Updated frequently because business conditions change and businesses reorganize constantly

SLIDE 56

Business Continuity Planning - continued

• Disaster Recovery
  • Disaster recovery looks specifically at the technical aspects of how a company can get back into operation using backup facilities
• Backup Facilities
  • Hot sites
    – Ready to run (with power, computers): just add data
  • Cold sites
    – Building facilities, power, communication to outside world only
    – No computer equipment
    – Might require too long to get operating
• Restoration of Data and Programs
• Testing the Disaster Recovery Plan

SLIDE 57

Network management Functions (ISO)

• Fault Management: ability to detect, isolate, and correct abnormal conditions that occur in a network
• Configuration management: ability to identify components and configure them according to the security policy
• Performance Management: ability to evaluate activities of the network and improve network performance
• Security management: ability to monitor, control access, securely store information, examine audit records; etc.
• Accounting management: the ability to track the use of network resources; identify costs and charges related to the use of network resources

slide-58
SLIDE 58

Organizational Security 58

Some Network Management Standards

  • Simple Network Management Protocol (SNMP)

  • Common Management Information Protocol (CMIP). The main functions provided by this protocol are: alarm reporting, access control, accounting, event report management, log control, object management, state management, security audit, test management, summarization, relation management.

[Diagram: SNMP architecture. A Network Management Station running an application program communicates over SNMP with Network Element no: 1 (research section) through Network Element no: N (services section); each network element hosts 1) a Management Agent and 2) a Management Information Base (MIB).]

slide-59
SLIDE 59

Organizational Security 59

Administration

  • Computer and Network Administration section

  • Duties:

  1) Software installation and upgrade

  2) Database access approval and maintenance

  3) User identities and password management

  4) Backup and restoral processes

  5) Training employees about security awareness

slide-60
SLIDE 60

Organizational Security 60

How to test and troubleshoot?

  • Test whether the systems and components are behaving in accordance with the security plans

  • Test from inside the organization and from outside the organization

  • Troubleshooting: define the situation, prioritize the problem, develop information about the problem, identify possible causes, eliminate the possibilities one at a time, ensure the fix does not cause additional problems, document the solution

slide-61
SLIDE 61

Organizational Security 61

PART II: Organizational Security

  • Introduction

  • Securing Information Systems of an Organization

  • Corporate Security Planning

  • Adding a Security Department

slide-62
SLIDE 62

Organizational Security 62

Adding a Security Department

  • Security Management section

  1) Security planning

  2) Security requirements assessment

  3) Business continuity planning

  • Security Technology section

  1) Computer and Network administration

  2) Network management

  3) Testing and troubleshooting

slide-63
SLIDE 63

Organizational Security 63

Organization with a Security Department

[Diagram: Organization with a Security Department. The Information System for Management is surrounded by IS for Production, IS for Marketing, IS for Customers, IS for Research, IS for Supply, IS for Services, IS for Sales, IS organization, IS for Web Clients, IS for B2B, IS 4 Partners (Outsource) and the Internet; each information system has its own Security function, and the whole organization is enclosed by an overall SECURITY layer.]

slide-64
SLIDE 64

Organizational Security 64

PART II: Organizational Security

  • Introduction

  • Securing Information Systems of an Organization

  • Corporate Security Planning

  • Adding a Security Department

slide-65
SLIDE 65

Organizational Security 65

Summary

PART I: Security Overview

  1) Introduction

  2) Security Services and Implementation

  3) Overview of Existing Security Systems

  4) Implementing Security in a System

PART II: Organizational Security

  1) Introduction

  2) Securing Information Systems of an Organization

  3) Corporate Security Planning

  4) Adding a Security Department

slide-66
SLIDE 66

Organizational Security 66

Questions