Managing Information Security Risks
Ken M. Shaurette, CISSP, CISA, CISM, IAM
Information Security Solutions Manager
MPC Security Solutions
TechFest, December 2003
Agenda
• Why Security?
• Information Assets
• Threats
• Vulnerabilities
• Dynamic Security Methodology
• Risk Management
• MPC Security Solutions Delivers
Why Security?
• Legislation and community pressure
• Inappropriate use leads to disciplinary action.
• Protecting critical infrastructures (InfraGard, DHS)
• Liability?
• It's simply a good idea!
Regulations Touch Everyone!
Source: Forrester / Giga Group GigaTel, Michael Rasmussen, Director of Research, Information Security, July 22, 2003.
Once upon a time….
Then things started to get a little ugly….
Security used to be easy to understand
• Payroll Office…
– Lock on door
– Lock on file cabinet
– Audits
= Reasonable Security
Security is now a little more complex
• Active Directory, X.500, NDS, Shadow Passwords
• VPN, PPTP, Telnet, SSH, IPSEC, Encryption
• Wireless, Fiber, ATM, T1, DS3, Dial-up, Cell, PDA
• PKI, Kerberos, DES, DES3, SHA, CHAP, PAP
• Client Server, Mainframe, ASP, Web Services
• Thin Client, Thick Client, Skinny Client, Tall Client
• Terminal Server, Distance Learning
• HTTPS, SSL
You know more than you think…
• Information Security is about Information
• Technology is a piece of the puzzle
• You should not have to master technology in order to manage risk
The “Good” News
• Technology has become easier and easier to implement
– Anyone can install a server
– Anyone can install a network
– Anyone can bring up a web server
– Anyone can get connected (in lots of ways)
The “Bad” News
• Technology has become easier and easier to implement
– Anyone can install a server
– Anyone can install a network
– Anyone can bring up a web server
– Anyone can get connected (in lots of ways)
What are we securing against?
• Identity Theft
• Privacy issues
• Copyright issues
• Hijacking of resources
• Liability
• Regulations
Information Assets
Which does your organization have?
– Records about special programs
– Residents’ information
– Financial information
– Health information
– Statistical information
Information Assets
How do you identify value?
– Accounting / “book value”
– Intrinsic value / Replacement Cost
– Formal quantifiable methods (BCP/DRP)
– “Gut feel”
The “Best” News
• There is hope!
Information Assets
• What is worth protecting?
– Confidentiality (keeping secrets)
– Integrity (tamper-proofing)
– Availability (there when you need it)
• Why protect?
– Community expectations
– Regulatory requirements
– Perception
– Liability
Information Assets
How do you protect?
– “Classification” (secret, top secret, unclassified)
– Policies (separation of duties, appropriate use)
– “Security Awareness training”
– “Common Sense” or “Second Thought” approach
Information Assets
How much do you spend on protection?
– Is it based on the value of the information?
– Is it based on the number and likelihood of threats?
– Are vulnerabilities accounted for?
– How much is enough protection?
– Is Return on Investment (ROI) expected or required?
Threats - Motive
• What is the nature of a threat?
– Confidentiality (learning secrets)
– Integrity (tampering with data)
– Availability (denial of service)
• Who poses a threat to the organization?
– Terrorists
– Former employees
– Unhappy residents
– Hackers
Vulnerabilities
• Absence or weakness of a safeguard
– Safeguards reduce the likelihood of expected loss from a threat
– Can be well known, such as a missing IIS patch
– Can be unknown, such as a design error
• Types of vulnerabilities
– Technical
– Non-technical
Could any of these Occur?
• Sexual harassment or stalking performed using your computers?
• Email threats to residents, officials, politicians?
• Community questions about how their tax money is being used.
• Community asks how computer systems are being wasted?
Dynamic Security Infrastructure
(Diagram: a continuous cycle of stages, each answering a question, with periodic re-evaluation feeding back to the start.)
• Baseline Current Security: "Where Are We Today?"
• Security Requirements (New Risks, Legislation): "Where Do We Need to Be?"
• Perform Gap Analysis: "What Are The Short Falls?"
• Strategy Definition: "How Do We Get There?"
• Security Architecture: "What Is Our Security Policy?"
• Deploy Solutions: "Implement!"
• Compliance Reporting: "Experience Feedback"
• Periodic Re-evaluation
Security Risk Management
• Understand the value of information
• Understand the threats
• Understand vulnerabilities and corresponding safeguards
• Invest wisely in appropriate safeguards that reduce the impact of threats
• Emergency preparedness
Risk Mitigation
• Understand security risk
• Understand technology
• Accept risk
– Documentation of risk acceptance is a form of mitigation.
• Defer or transfer risk
– Insurance
• Mitigate risk
– Technology can mitigate risk
How Can MPC Help?
• Services
– Information Security Operational Planning (ISOP)
– Information Security Assessment Project (SA)
– Security Policy Review and Writing
– Security Risk Management Program
How Can MPC Help?
• Services
– Network Perimeter Security Sweep (NPSS)
– Internal Network Security Sweep (INSS)
– Secure Network Operations Center (RSMC) for network monitoring (IDS or firewall)
How Can MPC Help?
• Technology
– Monitoring/auditing tools for workstation usage, license measurement and computer utilization (5th Column)
– Access controls (wireless, Active Directory, NDS, multiple-factor authentication) (Novell, Microsoft)
– Filtering & proxy tools (Websense)
– Firewalls (PIX, Cyberguard)
How Can MPC Help?
• Technology
– Intrusion Detection/Prevention (Host and Network)
– Application Gateways
– IP Video Surveillance
– Secure Network Infrastructure Design
– Wireless Technology
Thank You!