
EE579U Information Systems Security and Management


Presentation Transcript


  1. EE579U Information Systems Security and Management 9: Security Management Professor Richard A. Stanley

  2. Overview of Today’s Class • Review of last class • Security Management

  3. Last class… • Gathering forensic information from computers is difficult and time-consuming • You must preserve the chain of custody of evidence or your efforts are in vain • Tools exist to help with the hard stuff • Crawl to conclusions—it is easy to become enamored of the first theory to pop up

  4. What Must be Managed? • Security requirements • Security design • Security implementation • Security response(s)

  5. Requirements Management • Formal methodologies exist • Waterfall • Spiral • …etc. • You may not be free to choose the one you like (e.g. many US Govt. procurements require use of the waterfall model)

  6. Waterfall Model View (diagram of stages: Requirements (refine, validate) → Specification → Code (validate, implement/unit test) → Build (verify, integration/system test) → Field (verify) → Opns & Maintenance)

  7. Spiral Model http://www.cc.gatech.edu/classes/cs3302_98_winter/1-08-mgt/sld012.htm

  8. What Now? • Security design should get the key security points into the design documents • The next problem is to ensure they survive the actual system engineering • This is not an easy task • Relevance • ROI • Organizational support

  9. A thought • Security management is not a goal, it is a process • It requires a thorough understanding of all the key security technologies that you have studied, plus keen management ability • This is an uncommon mix of abilities • You are constantly in the position of saying “NO,” so it is hard to “trade favors”

  10. Return on Investment • Common method of measuring business investment worth • ROI = Average annual profit / Project cost • With security-related expenses, the denominator is almost always known • How do we calculate the numerator? • And will we be believed?

  11. One View of the Topic • Access control • Telecomm and network security • Security management practices • Applications and systems development security • Cryptography • Security architecture and models • Operations security • Business continuity/disaster recovery planning • Law, investigation, and ethics (Source: Micki Krause, Information Security Management Handbook, Fourth Edition, Volume I)

  12. Access Control • Making sure only authorized users can access systems • Ensuring the authorized users can do only what they should do once on the system • This spans all levels of the system, from development to day-to-day operation

  13. Telecommunications and Network Security • This is the current “glamour” sector • Network security seen by many as the problem to solve • As we have seen, it is one of many • Significant technical content here • Hard to stay current • Harder still to keep an eye on all the practitioners

  14. Security Management Practices • Awareness • Policy • Risk Management • Vulnerability assessment • Quantified where possible • Insurance?

  15. Applications and Systems Development Security • Build it in, don’t bolt it on • Easy to say, hard to do • What happens when not all software is produced under your control? • How do you evaluate security in outsourced products and services? • Methodologies can get in the way of reality

  16. Cryptography • Basis of most modern authentication systems • Technical knowledge in this field absolutely essential for sound security management • Choices made here haunt the system forever • Key management • Key security • System use policies

  17. Security Architecture and Models • Bigger than the computer box we choose • Security architectures of the equipment and the organization should be congruent • Models help to evaluate the “goodness” of our security approach, just as in engineering • Simply selecting an architecture doesn’t solve the problems • It may not even highlight them!

  18. Operations Security • Simply put, how do we keep the system operating safely on a day-to-day basis? • Keeping hackers and malicious code at bay is part of this effort • Personnel security, physical security, and other areas are implemented here • This area gets little respect or funding, but is absolutely critical to success

  19. Business Continuity & Disaster Recovery Planning • This will be our topic next week • Simply put, it covers how to keep the business running in the event of a disaster and how to plan for recovery in that event • ALL reasonably probable disasters must be considered

  20. Law, Investigation, and Ethics • We’ve spent a lot of time here • This is usually seen as the end of the security management process—if done right, it can be a continuing process of cooperation that helps to ensure success • It may not be possible to force ethical adjustment, but you can enforce the corporation’s ethics on the workforce

  21. Policy Management • Policy establishment • Building and maintaining policies to keep current with law and regulation • Communicating the policy • Get the users to read and use it! • Measure and enforce policy compliance • Are they using it? How do you know?

  22. Administration Management • Administering and securing complex modern software suites, such as Active Directory • Adding and deleting users in a timely fashion • Keeping user privileges current • Enabling user self-service • Reduces admin load, may reduce security

  23. Vulnerability Management • Audit for policy exceptions • Monitor for vulnerabilities • Minimize manual processes • Provide scorecards for performance • Tighten security on platforms by using best practices

  24. Incident Management • Identify security problems promptly • Reduce false positives and noise • Analyze events • Prevent/detect intrusions • Correlate information to get the “big picture”

  25. People: The Forgotten Dimension • Technology can’t fix the problem, even though it helped to create it • “Human Firewall Manifesto” • Vetting and monitoring people is not only difficult, it runs through many laws and regulations • Distributed organizations present special issues, particularly across national borders

  26. Financial Issues • Management exists largely to help the company turn a profit • Security managers must understand basic financial accounting terms and forms • Balance sheet • Income statement (a.k.a. profit & loss) • Cash flow statement • Project evaluation techniques

  27. Balance Sheet

  28. Sample Income Statement

  29. Cash Flow Statement • Exists to show how the company is using its cash • “Cash is king” because companies with plenty of cash can often survive bad times • Works just like your checkbook register • Much harder to “fiddle” than the Balance Sheet or Income Statement

  30. Project Evaluation Techniques • ROI • Payback period • Discounted cash flow
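The three evaluation techniques on this slide, applied to the ROI definition from slide 10 (average annual profit / project cost), as an added worked example that is not part of the original lecture. The project figures are constructed, and the "profit" of a security control is assumed here to be the annual loss it avoids, which is exactly the numerator the slides warn is hard to justify.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class SecurityProject:
    """Cash-flow view of a security investment (all figures constructed for illustration)."""
    cost: float                  # up-front project cost: the denominator that is usually known
    annual_benefit: List[float]  # year-by-year profit credited to the control (assumed: loss avoided)


def roi(p: SecurityProject) -> float:
    """ROI as the slides define it: average annual profit / project cost."""
    return (sum(p.annual_benefit) / len(p.annual_benefit)) / p.cost


def payback_period(p: SecurityProject) -> float:
    """Years until cumulative benefit recovers the cost (fractional year by linear interpolation).

    Returns float('inf') if the project never pays back within the planning horizon.
    """
    cumulative = 0.0
    for year, benefit in enumerate(p.annual_benefit, start=1):
        if cumulative + benefit >= p.cost:
            shortfall = p.cost - cumulative
            return (year - 1) + (shortfall / benefit if benefit > 0 else 0.0)
        cumulative += benefit
    return float("inf")


def discounted_cash_flow(p: SecurityProject, rate: float) -> float:
    """Net present value: each year's benefit discounted at `rate`, minus the up-front cost."""
    present_value = sum(b / (1 + rate) ** t for t, b in enumerate(p.annual_benefit, start=1))
    return present_value - p.cost


# Constructed case: a $100k control expected to avoid $40k of loss per year for four years.
EXAMPLE = SecurityProject(cost=100_000.0, annual_benefit=[40_000.0] * 4)

if __name__ == "__main__":
    print(f"ROI: {roi(EXAMPLE):.0%}")                                   # 40%
    print(f"Payback period: {payback_period(EXAMPLE):.1f} years")       # 2.5 years
    print(f"NPV at 10%: ${discounted_cash_flow(EXAMPLE, 0.10):,.0f}")   # $26,795
```

The same numbers give a very different picture depending on which technique is reported, which is why the audience's choice of metric matters as much as the estimate of avoided loss.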

  31. Help? • Lots of vendors—be careful here • Government help aplenty • www.nsa.gov • www.issm.doe.gov • www.gao.gov

  32. GAO View in One Quarter • “A new homeland security emphasis is under way, but remains incomplete.” • “The federal government’s efforts to improve homeland security will require a results-oriented approach to ensure mission accountability and sustainability over time.” (GAO Highlights, “Homeland Security: Management Challenges Facing Federal Leadership,” GAO 03-260, December 2002)

  33. Case Studies • Mine • Yours

  34. Summary • Security management is the “glue” that binds the entire security effort together. • Absent proper and adequate management, it doesn't matter how well the other bits and pieces work • This is probably the hardest part of all, because it remains difficult to compute the ROI

  35. Homework • From your personal experience or research, identify a security management issue that you believe was not optimally handled. Identify the security lapses that resulted or might have resulted. How would you have managed this problem? How would you structure the security management organization and process to avoid recurrence of this or a similar problem?
