MANAGEMENT, Reelika Riis 132270 YVEM, Tallinn University of Technology, 2014

Posted on 22-Dec-2015

Page 1: Reelika Riis 132270 YVEM Tallinn University of Technology 2014

MANAGEMENT

Reelika Riis, 132270 YVEM

Tallinn University of Technology, 2014

Page 2: Content

1. Information security
2. General security principles
3. Causes of security vulnerabilities
4. Possible consequences when ignoring information risks
5. Secure-by-design culture

Page 3: Introduction

Almost all projects use some form of information technology. This information needs to be protected.

Security planning is an integral part of the overall project life cycle and incorporates many different aspects to be considered when planning a project.

Page 4: What is Information Security?

Information and the systems and processes supporting IT are key organizational assets.

Information Security is about ensuring the confidentiality, availability and integrity of that information, and ensuring that privacy issues are addressed as required to support the achievement of the organization's objectives.

Page 5: General Security Principles

- Confidentiality – ensuring data is only accessed on a need-to-know basis
- Integrity – ensuring that only authorized changes are made to data and systems
- Availability – ensuring that data and systems are available when needed

A flaw can be considered a security vulnerability when one of these goals is compromised.

Page 6: Information risks come in various forms

- Unintentional – errors, vulnerabilities
- Intentional – crime, misuse, malware

Use the CIA model as your risk indicator:
- Confidentiality – unauthorized access to data
- Integrity – unapproved changes
- Availability – no backups

Page 7: Causes of Security Vulnerabilities

Failure in Design
- Poor decision about trust
- Unspoken assumptions
- Not accounting for failure

Failure in Implementation
- Insecure coding techniques
- Insecure configuration
- Poor deployment practices

Page 8: If information risks are ignored, what can happen?

- Loss of reputation – trust factor
- Loss of money – was there financial damage?
- Costly – how much did it cost to fix it?
- Regulation – did fines have to be paid?
- Legal – were laws not followed?
- Loss of services – impact to the business

Page 9: Methods of finding IT Security risks

Reactive approach
- Audits
- Incidents

Proactive approach
- Structured risk assessment in the beginning phase of any plan to produce or upgrade a product or service
- Part of the Project Management process

Page 10: Secure-by-design culture benefits

Attacks on data and applications have grown in frequency and sophistication, making it hard for any single security solution to provide complete protection.

Cost-effective security begins with the development of secure applications FROM THE VERY BEGINNING!
- Speed time-to-market
- Help alleviate the costs and negative publicity

Organizations should aim to institute a governance-based secure-by-design culture!

Page 11: Potential roadblocks to achieving a secure-by-design culture

Developers' goals
- Product functionality
- On-time delivery

Security analysts' goals
- Eliminating vulnerabilities
- Implementing security controls as early in the development process as possible

Page 12:

To decrease and mitigate vulnerabilities, the development and security teams must cooperate and work closely together!


Page 14:

Thank you for your attention!