
Best Practices for Information Security Management

Best Practices for Information Security Management. Bob Small, CISSP, CEH, small@software.org, March 2006. Take-away messages: defense in depth solutions; effective security requires a rigorous risk management process; security must be effective and cost effective.


Presentation Transcript


  1. Best Practices for Information Security Management Bob Small, CISSP, CEH small@software.org March 2006

  2. Take-away Messages • Defense in depth solutions • Effective security requires a rigorous risk management process • Must be effective and cost effective • Think about it from the adversary’s perspective

  3. Key Elements of Security • People, Process, Technology • Confidentiality, Integrity, Availability

  4. Defense In Depth Speed bumps are a better metaphor for information security than bank vaults

  5. Risk Management Process
  Risk Assessment:
  • Asset Identification and Valuation
  • Identification of Vulnerabilities
  • Identification of Threats
  • Likelihood of Occurrence
  • Evaluation of Impacts
  • Business Risks
  • Ranking of Risks
  Risk Mitigation:
  • Degree of Assurance Required
  • Review of Existing Security Controls
  • Identification of New Security Controls
  • Policy and Procedures
  • Gap Analysis
  • Implement Controls to Reduce Risk
  • Risk Acceptance (Residual Risk)
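The slide lists the steps of the risk management process but does not show how ranking, mitigation and residual-risk acceptance fit together. The following is an added example written for this page, not code from the presentation. It uses the qualitative likelihood/impact scale from NIST SP 800-30 (2002), Table 3-6 (one of the resources cited on slide 13); the assets, threats, controls and the rule that each control lowers likelihood or impact by one level are constructed assumptions for illustration.

```python
"""Risk ranking and residual-risk walk-through for the risk management
process on slide 5. Added example, not part of the original presentation.
Likelihood/impact/risk scale: NIST SP 800-30 (2002), Table 3-6.
Assets, threats and controls below are constructed sample data."""

from dataclasses import dataclass, field

# SP 800-30 (2002) qualitative scale: likelihood weights and impact values.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}
LEVELS = ["Low", "Medium", "High"]


def risk_level(score):
    """Map a likelihood x impact score onto the SP 800-30 risk scale:
    High (>50 to 100), Medium (>10 to 50), Low (1 to 10)."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    # (control name, "likelihood" or "impact") pairs from the gap analysis
    controls: list = field(default_factory=list)

    def inherent_score(self):
        """Risk before any new controls are applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self):
        """Risk after controls. Assumption for this example: each control
        lowers either likelihood or impact by exactly one level."""
        lvl, imp = LEVELS.index(self.likelihood), LEVELS.index(self.impact)
        for _name, reduces in self.controls:
            if reduces == "likelihood":
                lvl = max(lvl - 1, 0)
            else:
                imp = max(imp - 1, 0)
        return LIKELIHOOD[LEVELS[lvl]] * IMPACT[LEVELS[imp]]


def rank(risks):
    """'Ranking of Risks' step: highest inherent risk first."""
    return sorted(risks, key=lambda r: r.inherent_score(), reverse=True)


def decide(risk, acceptance_level="Low"):
    """'Risk Acceptance (Residual Risk)' step: residual risk at or below the
    acceptance level is accepted; anything above it still has a gap to close."""
    residual = risk_level(risk.residual_score())
    if LEVELS.index(residual) <= LEVELS.index(acceptance_level):
        return "accept"
    return "mitigate"


# Constructed sample risk register (not real assets or findings).
REGISTER = [
    Risk("Customer database", "External attacker",
         "Unpatched DBMS reachable from the Internet", "High", "High",
         controls=[("Patch management", "likelihood"),
                   ("Network segmentation", "likelihood")]),
    Risk("Backup tapes", "Theft in transit", "Unencrypted media",
         "Medium", "High", controls=[("Media encryption", "impact")]),
    Risk("Marketing web server", "Defacement", "Weak admin password",
         "Medium", "Low", controls=[]),
]


def assess(register=REGISTER):
    """Return (asset, inherent level, residual level, decision), ranked."""
    return [(r.asset, risk_level(r.inherent_score()),
             risk_level(r.residual_score()), decide(r))
            for r in rank(register)]


if __name__ == "__main__":
    for row in assess():
        print(row)
```

Running it ranks the customer database first (inherent High, residual Low after two likelihood-reducing controls, so accepted), the backup tapes second (Medium inherent, still Medium after encryption alone, so a mitigation gap remains), and the web server last (Low, accepted without new controls). The acceptance threshold and the per-control reduction are the two places a real assessment would plug in organisation-specific values.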

  6. International Standards for ISMS
  • ISO 27001, Information Security Management Systems – Requirements
  • ISO 17799, Code of Practice for Information Security Management
  An Information Security Management System addresses: Confidentiality, Integrity, Availability; People, process, tools; Plan | Do | Check | Act; Tangible assets and intangible assets. These standards are accepted as industry best practices.

  7. Control Areas In ISO 17799 (133 controls in 11 areas)
  • Security Policy
  • Organization of Information Security
  • Asset Management
  • Human Resource Security
  • Physical and Environmental Security
  • Communications and Operations Management
  • Access Control
  • Information Systems Acquisition, Development and Maintenance
  • Information Security Incident Management
  • Business Continuity Management
  • Compliance

  8. Security Policy Objective: Provide management direction and support for information security in accordance with business requirements and relevant laws and regulations • It must be written • It must be reviewed periodically

  9. Security Must Be Managed In All Relationships The slide diagrams the ISMS scope surrounded by its internal and external support functions: IT Support, HR, Legal, F&A, Audit, Facilities, Marketing, Data Archiving, Consultants, Customers. Each arrow represents a contract, MOA, SLA, etc.

  10. Information Assets Must Be Managed • Inventory of Assets (Tangible, Intangible) • Ownership • Acceptable Use • Classification Guidelines • Information Labeling and Handling

  11. Human Resources Security • Prior to Employment • During Employment • Termination or Change of Employment

  12. Think Creatively About Information Security (illustrated with Catch Me If You Can, The Italian Job, The Shawshank Redemption)

  13. ISMS Resources
  • ISO 17799, Code of Practice for Information Security Management
  • ISO 27001, Information Security Management Systems – Requirements
  http://www.iso.org
  • National Institute of Standards and Technology (NIST)
  • SP 800-70, The NIST Security Configuration Checklists Program
  • SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
  • SP 800-30, Risk Management Guide for Information Technology Systems
  http://csrc.nist.gov
  • INCITS CS1 (Cybersecurity)
  http://www.incits.org

  14. Thank You. Questions?
