1 / 18

Data Security

Brian Bradley. Data Security. Definitions. Data is any type of stored digital information. Security is about the protection of assets. Prevention: measures taken to protect your assets from being damaged.

mimir
Download Presentation

Data Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Brian Bradley Data Security

  2. Definitions • Data is any type of stored digital information. • Security is about the protection of assets. • Prevention: measures taken to protect your assets from being damaged. • Detection: measures taken to allow you to detect when an asset has been damaged, how it was damaged and who damaged it. • Reaction: measures that allow you to recover your assets.

  3. Definitions • Confidentiality ensures that that data is only read by the intended recipients. • Integrity ensures that all of the data has not been corrupted from its original source. • Availability guarantees that the data is usable upon demand. • Accountability is audit information that is kept and protected so that security actions can be traced to the responsible party.

  4. Audit Standards • Data Security is subject to several types of audit standards and verification. • The most common are ISO 17799, ISO 27001-02, PCI, ITIL, SAS-70, HIPPA, SOX • Security Administrators are responsible for creating and enforcing a policy that forms to the standards that apply to their organizations business.

  5. Audit Standards • IT certification audits are generally carried out by 3rd party accounting firms. • They generally can be done in a week or two, depending on the size of the organization. • Clients can also carry out audits before they begin doing business with the company to ensure that their data is secured to their standards.

  6. Security Policy • A security policy is a comprehensive document that defines a companies’ methods for prevention, detection, reaction, classification, accountability of data security practices and enforcement methods. • It generally follows industry best practices as defined by ISO 17799,27001-02, PCI, ITIL, SAS-70, HIPPA , SOX or a mix of them.

  7. Security Policy • The security policy is the key document in effective security practices. • Once it has been defined it must be implemented and modified and include any exceptions that may need to be in place for business continuity. • All users need to be trained on these best practices with continuing education at regular intervals.

  8. Tools to Secure Data • Data needs to be classified in the security policy according to its sensitivity. • Once this has taken place, the most sensitive data has extra measures in place to safeguard and ensure its integrity and availability. • All access to this sensitive data must be logged. • Secure data is usually isolated from other stored data.

  9. Tools to Secure Data • Controlling physical access to the data center or area where the data is stored. • Active or Open Directory is a centralized authentication management system that is available to companies to control and log access to any data on the system. • Encryption of the sensitive data is critical before transmission across public networks.

  10. Tools to Secure Data • The use of firewalls on all publicly facing WAN connections. • Deploying VLANs’ and ACLs’ to isolate sensitive departments from the rest of the network. • Shutting down unused switch ports. • If wireless is deployed, use authentication servers to verify and log the identity of those logging on. • Anti-Virus and malicious software protection on all systems.

  11. Tools to Monitor Secure Data • Walk around and look for passwords in the open. • Event Viewer / Log Files • Intrusion Detection/ Protection systems (IDS/IPS) such as SNORT. • These will alert Administrators of suspicious data flows.

  12. Tools to Monitor Secure Data • Set up SNMP monitoring servers to monitor and alert for everything. • This will alert Administrators to everything from unusual bandwidth usage to hardware failure. • It is key to know what's going on with your systems and network.

  13. Tools to Document Data Security • Microsoft Visio is the standard for drawing network maps. • These maps allow a detailed overview of the system and how it is functions. • They also allow the spotting of weak points of security and flaws in design that can impact reliability or continuity of the data to the end user.

  14. Tools to Document Data Security • Nessus is a network scanner that probes devices to ensure their secure. • It will probe and report old out of date software, open ports and the give details on potential exposure related to them. • Should be scheduled at least monthly enterprise wide. • A log needs to be kept of who was scanned so that anybody missed can be scanned either next time or individually.

  15. Tools to Stay Informed • SANS Storm Center will keep you posted to the latest attack trends. • Read you log files regularly of any publicly facing server to see what types of attacks are being run against your enterprise. • Trade publications discuss the latest threats and technologies. • Understand the technology that you are protecting and the technology that is used to attack.

  16. End User Education • All relevant security polices must be clearly explained to the end users. • A clear explanation of the consequences for violating these polices must also be explained. • The end user needs to sign a document acknowledging that they understand the policies and consequences for violating these policies.

  17. Enforcement • Must obtain executive authority to enforce policy. • Systematic approach of warnings and punishments. • Coordinate with HR to document continued issues with staff.

  18. Thank you! I very much appreciate your time and interest.

More Related