Security Architecture
Why?
• Initially, the majority of businesses operated closed processing environments (Glass House).
• Networks and a distributed client/server processing environment.
• Decentralized processing.
• Increased exposure of sensitive information.
• We require:
  – Confidentiality
  – Integrity
  – Availability
Confidentiality
• Confidentiality relates to the protection of information from unauthorized access, regardless of where the information resides or how it is stored.
• Are only the appropriate personnel viewing or using the organization’s information assets?
• Authentication and authorization
• Framework for classifying the confidentiality
Integrity
• Integrity is the protection of information, applications, systems, and networks from intentional, unauthorized, or accidental changes.
• Is the information correct and are the applications processing the appropriate files?
Availability
• Availability is the assurance that information and resources are accessible by authorized users as needed.
  – Denial of services caused by a lack of security controls
  – Loss of services from information resources due to natural disasters
• Are the network resources, applications, and data accessible when needed?
Five components of the ISA
• Security Organization / Infrastructure
• Security policies, standards, and procedures
• Security baselines/risk assessments
• Security awareness and training programs
• Compliance
Information Security Architecture Components
Case Study
• Network Security
Infrastructure
• Firewall
Policies, standards, and procedures
• Who is permitted to use the application
• What types of services will be provided by the system
• How users will request access to the system
• Who will grant access to the system
• How often access logs will be reviewed
• What procedures will be taken for inappropriate use of the system
• How security incidents will be reported, recorded, and handled
• Who will be responsible for investigating suspicious activity
Security baselines/risk assessments
• Once the configuration is complete, an attempt to thwart the system should be performed so that both the capabilities and weaknesses are known, documented, and improved.
• Automated vulnerability testing software
• Testing software must be updated frequently
Security awareness and training programs
• All users of the system must be made aware of what they can and cannot do.
• Proper knowledge of policies.
• Personal business is restricted on organization infrastructure.
• It needs to be made clear what the consequences will be if the policies related to the Internet are not followed.
Compliance
• Procedures need to be established to ensure that all parties responsible for the Internet access and firewall configuration are in compliance with the security policy, standards, and procedures that have been developed, and that the programs developed to enforce the policies are effective.
• Compliance is checked regularly; how often depends on the risk level.
Piecemealing
• As an organization grows, the tendency is to add to the existing environment to meet current requirements without planning for future growth.
• This can occur due to a lack of knowledge of available technology, a lack of communication between departments, or nonexistent technology standards within the organization.
The Threat
• A threat is an act of coercion wherein an act is proposed to elicit a negative response.
• Corporate information can be easily accessed, compromised, or destroyed by intentional, unintentional, or natural threats.
Intentional threats
• Unauthorized users who inappropriately access data and information that they are not granted permission to view or use.
• Can be external or internal.
Unintentional threats
• Caused by untrained or careless employees.
• Also include programmers or data processing personnel
Natural threats
• Equipment failures, or disasters such as fire, floods, and earthquakes that can result in the loss of equipment and data
The Risks
• There are many events that can result if a breach of confidentiality, integrity, or availability occurs.
Threat/Concern/Risk Matrix
Overview of Security Controls
• To apply appropriate controls to an operating environment, it is necessary to understand who or what poses a threat to the processing environment and then to understand what could happen (risk or danger) from that threat.
Risk versus controls implementation.
The Controls
• Control requirements are not uniform for all systems.
  – Administrative controls
    • Security policies and procedures
  – Physical controls
    • Direct physical access to equipment
  – Technical controls
    • Logical controls
  – Access controls
    • Non-repudiation
Physical Controls
Administrative Controls
Technical Controls
The Strategic Information Technology (IT) Plan
• The business plan answers the who, what, where, when, why, and how of the business.
The Strategic Information Technology (IT) Plan
Strategic IT Plan should be broken into six parts
• Introduction
• Description of the IT Organization
• Scope, Viability, and Modification of the Plan
• Relationship to the Organization’s Strategic Business Plan
• Strategic Goals for Information Technology
• Summary and Conclusion
Introduction
• Introduction is an overview or executive summary that describes the background, origination, and intent of the document.
Description of the IT Organization
• The Description of the IT Organization should include a definition of the roles and responsibilities of individuals within the IS department, an organization chart and description of supporting staff, and a vision for the use of IT.
Scope, Viability, and Modification of the Plan
• The Scope, Viability, and Modification of the Plan section defines the scope of the document.
Relationship to the Organization’s Strategic Business Plan
• The Relationship to the Organization’s Strategic Business Plan section refers back to the business plan and provides a discussion of how the plan is integrated with and supports the Strategic Business Plan.
Strategic Goals for Information Technology
• The Strategic Goals for Information Technology section lists the specific objectives from the business plan that relate to IT.
Strategic IT Plan: Sample Table of Contents
Table of Contents
1. Introduction
2. Information Technology at XXXX Organization (Mission Statement)
  2.1 The CIO and Information Systems & Technology Roles
  2.2 The Information Systems & Technology Institutional-Level Organization
  2.3 Local Information Technology Support Staff
  2.4 The Evolving Information Technology Support Role
  2.5 A Vision for Information Technology Effectiveness
3. Scope, Viability, and Modification of This Plan
4. Relationship to the XXXX Corporation’s Strategic Plan
5. Strategic Goals for Information Technology
  5.1 A Corporate Goal: Information Accessibility
    5.1.1 Enhance and Extend the Network Infrastructure
    5.1.2 Ensure Appropriate Off-Site Network Access
    5.1.3 Ensure Effective Delivery of Information Technology Support
    5.1.4 Evaluate Services and Customer Satisfaction
    5.1.5 Establish Corporate-wide Standards
    5.1.6 Effectively Manage and Distribute Servers
    5.1.7 Enhance Support of Library Initiatives
    5.1.8 Enhance Internal and External Communications
  5.2 A Corporate Goal: Technology-Enabled Management, Staff, and Business Partners
    5.2.1 Ensure Management and Staff Development in Technology
    5.2.2 Provide Appropriate Workstation Support for Management and Staff
    5.2.3 Promote Effective Research Computing
    5.2.4 Foster Technology Experimentation
    5.2.5 Provide Effective Information Technology Services for Clients
  5.3 A Corporate Goal: Technology-Enhanced Business
    5.3.1 Establish Appropriate Levels of Technology in Business Operations
    5.3.2 Ensure Availability of Information Technology Resources for Employees
    5.3.3 Engage the Corporate Community in the Use of Technology
  5.4 A Corporate Goal: Business Process Effectiveness
    5.4.1 Improve Efficiency of Operations
    5.4.2 Establish an Effective Data Warehouse System
    5.4.3 Replace Business-Process Software Systems
  5.5 A Corporate Goal: Information Security Architecture
    5.5.1 Establish an Organization that Supports the Security Function
    5.5.2 Establish Security Policies and Procedures
    5.5.3 Conduct Baseline Risk Assessments for Each Component of the Operating Environment
    5.5.4 Develop a User Awareness Program and Conduct Training for Employees and Individuals with Security Responsibility
    5.5.5 Develop a Comprehensive Compliance Program
6. Summary and Conclusion