
Effective Information Security Strategy

Dr. Javier Torner, University Information Security Officer, Professor of Physics. Agenda: Introduction; Successful Security Initiatives; Elements of Risk Management; Strategic Planning for Information Security; Information Security Risk Assessment.



Presentation Transcript


1. Effective Information Security Strategy
   Dr. Javier Torner, University Information Security Officer, Professor of Physics

2. Agenda
   • Introduction
   • Successful Security Initiatives
   • Elements of Risk Management
   • Strategic Planning for Information Security
   • Information Security Risk Assessment
   • Step by Step
   • Resources
   • Questions and Final Thoughts

3. Why a Security Strategy?
   • Everyone is vulnerable to attacks
     • Technological vulnerabilities
     • Organizational vulnerabilities
   • The number of vulnerabilities keeps increasing
   • The number of incidents keeps increasing
   • Incidents affect the mission of the university
   • Must meet regulatory and legislative compliance requirements

4. Reality Check
   • You can never eliminate or mitigate ALL information security risks
   • You cannot prevent every highly skilled and sophisticated attack
   • Resources are limited – planning is critical
   • Must plan for systems to be resilient and to survive an event
   • Survivability is good risk management

5. Successful Security Initiatives
   • Have upper management commitment and support
   • Security is part of the STRATEGIC PLAN
   • Security is identified as a PRIORITY
   • Security is recognized as EVERYONE'S job

6. Successful Security Initiatives
   • Security initiatives are the result of RISK ASSESSMENTS
   • Security initiatives involve ALL members of the CAMPUS COMMUNITY
   • Security initiatives are PRO-ACTIVE
   • They accomplish their objectives with MINIMUM IMPACT on users

7. What is Risk?
   Risk: the possibility of harm or loss. It is characterized by:
   • An event or scenario
   • The consequence or impact to the organization
   • The probability that the event will take place

8. Risk Management
   • Each organization owns its risks
   • Each organization has its own information security risks
   • Each organization must characterize its risks
   • Each organization must analyze its risks
   • Each organization must manage its risks
   • Information Security risks are more element

9. Risks vs. Vulnerabilities
   • Information Security Risk Assessment
     • Considers strategic practices – business-related practices
     • Includes operational practices – focused on technology-related issues
     • Incorporates the mission of the university
   • Information Security Vulnerability Assessment
     • Provides a security picture at one moment in time
     • Only considers technology-related issues

10. Strategic Planning for Security
   • Information Security Risk Assessment
     • Uses effective methods of evaluation
       • Self-directed, adaptable measures, defined processes, foundation for a continuous process
     • Based on sound risk management principles
       • Focus on critical issues, identify critical assets, select effective security practices
     • Must include organizational and cultural principles
       • Open communication, global perspective, teamwork

11. Strategic Practices
   • Security Strategy
     • Integration of security practices into business processes
   • Security Management
     • Defines roles and responsibilities
   • Security Policies and Procedures
     • Acceptable Use Policies
     • Operating Procedures
     • Incident Response Policies and Procedures
   • Security Awareness and Training
   • Business Resumption/Disaster Recovery

12. Operational Practices
   • Physical Security
     • Well-defined procedures
     • Physical access controls
     • Monitoring and auditing of physical security
     • Incorporate security into the design of new facilities

13. Operational Practices
   • Security of Information Technology
     • Security architecture and design
     • Computer systems and network management
     • Administration of security tools
     • Vulnerability management
     • Monitoring and auditing
     • Authentication and authorization
     • Encryption

14. Operational Practices
   • Staff Security
     • Incident Management
       • Identifying, reporting and responding to incidents
     • General Staff Practices
       • Understanding security roles and responsibilities
       • Following security policies and procedures
       • Following effective practices

15. Information Security Risk Assessment: Step by Step
   • Identify critical assets
   • Identify security requirements for each critical asset
   • Identify threats to each critical asset
   • Identify current organizational and operational vulnerabilities
   • Conduct a vulnerability assessment
   • Identify current security practices

16. Information Security Risk Assessment: Step by Step
   • Identify risks to critical assets
   • Define a risk metric
     • Critical, High, Medium, Low
   • Develop a protection strategy and risk mitigation plan
     • Include monitoring
     • Include metrics to assess progress
   • Implement the security plan

17. Information Security Risk Assessment: Step by Step
   • Identify critical assets
     • Systems
     • Software
     • Hardware
     • Information
     • Business processes
     • People

18. Information Security Risk Assessment: Step by Step
   • Critical asset information
     • Rationale for selection
     • Identify
       • Who controls it
       • Who is responsible for it
       • Who uses it
       • How it is used

19. Information Security Risk Assessment: Step by Step
   • Identify security requirements for each asset
     • Confidentiality
       • Contains or gives access to personal/sensitive information
       • Only authorized users
     • Integrity
       • Requires authenticity
       • Requires accuracy
     • Availability
       • Requirements
     • Other

20. Information Security Risk Assessment: Areas of Concern
   Potential sources of threat (acting on the asset):
   • Deliberate – people, inside or outside the organization
   • Accidental – people, inside or outside the organization
   • System problems – malicious code, software, hardware, etc.
   • Other – natural disaster, power outages, etc.
   Possible outcomes:
   • Unauthorized disclosure of information
   • Modification of information
   • Destruction/loss of information, hardware, software, other
   • Interruption of access to information, software applications or services

21. Information Security Risk Assessment: Step by Step
   Threats by people – identify:
   • Access – physical or network
   • Entity – inside or outside the organization
   • Motive – accidental or deliberate
   • Outcome – disclosure, modification, loss/destruction, interruption, other

22. Information Security Risk Assessment: Step by Step
   Threats from system problems – identify:
   • Entity
     • Software defect
     • Malicious code
     • Hardware failure
   • Outcome – disclosure, modification, loss/destruction, interruption

23. Information Security Risk Assessment: Step by Step
   Systems/components associated with a critical asset:
   • Where is it stored, where does it reside, where is it processed?
   • Which systems does it interact with?
   • Which systems may be targeted by the threat?

24. Information Security Risk Assessment: Step by Step
   Associated systems:
   • Servers, workstations, laptops
   • Networking components
   • Security components
   • Storage devices
   • Wireless components
   • Home computers

25. Information Security Risk Assessment: Step by Step
   Security profile of a critical asset:
   • Description of the asset
   • Security requirements
     • Confidentiality, integrity, availability, other
   • Threat profile
   • Associated systems

26. Information Security Risk Assessment: Step by Step
   Vulnerability assessment:
   • Identify each threat together with the associated systems
   • Define the approach for evaluating technology vulnerabilities in the associated systems
   • Identify the tools and who will perform the vulnerability assessment

27. Information Security Risk Assessment: Step by Step
   Vulnerabilities:
   • Summarize the types of vulnerabilities found
   • The potential impact on the critical asset
   • How each could be addressed
     • Strategic practices
     • Operational practices

28. Information Security Risk Assessment: Step by Step
   Risk impact:
   • Identify the impact based on your threat outcomes
     • Disclosure → lawsuits, financial loss, etc.
     • Interruption → lost productivity, financial loss, etc.
   • Define a "risk" metric
     • Qualitative: what counts as a high, medium or low risk?
     • Quantitative: what is the probability of each threat outcome?

29. Information Security Risk Assessment: Step by Step
   • Prioritize your risks
   • For each risk, identify an action or countermeasure to mitigate it
   • Decide whether to accept or mitigate the risk
   • Develop a protection strategy and risk mitigation plan
     • Include monitoring
     • Include metrics to assess progress
   • Implement the security plan
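The steps on slides 17 through 29 describe a risk register: a security profile per critical asset (requirements and threat profile), a risk metric, and a prioritized accept/mitigate decision. The following is an added worked example, not code from the original slides or from OCTAVE, that carries one pass of that procedure through in Python. The asset names, per-occurrence loss figures, annual probabilities, the band thresholds, the qualitative risk matrix and the mapping of each threat outcome onto the security requirement it violates are all assumptions made for illustration; a real assessment would set them with the asset owners identified on slide 18.

```python
"""Worked risk register for the step-by-step assessment (added example).

All numbers below are constructed sample data, not measurements.
"""
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    DISCLOSURE = "disclosure"
    MODIFICATION = "modification"
    LOSS = "loss/destruction"
    INTERRUPTION = "interruption"


# Assumption: which security requirement (slide 19) each threat outcome
# (slides 20-22) violates. A threat whose outcome does not violate a
# requirement the asset actually has is recorded but carries no risk.
REQUIREMENT_FOR = {
    Outcome.DISCLOSURE: "confidentiality",
    Outcome.MODIFICATION: "integrity",
    Outcome.LOSS: "availability",
    Outcome.INTERRUPTION: "availability",
}

RATING_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Threat:
    """One branch of a threat profile: access, entity, motive, outcome."""
    entity: str        # "inside", "outside", "software defect", "hardware failure", ...
    access: str        # "network", "physical", or "n/a" for system problems
    motive: str        # "deliberate", "accidental", or "n/a"
    outcome: Outcome
    probability: float  # assumed annual probability that the outcome occurs


@dataclass
class CriticalAsset:
    name: str
    requirements: frozenset          # subset of confidentiality/integrity/availability
    impact: dict                     # Outcome -> assumed loss per occurrence
    threats: list = field(default_factory=list)


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: Threat
    expected_loss: float   # quantitative metric: probability x impact
    rating: str            # qualitative metric: critical/high/medium/low
    decision: str          # "mitigate" or "accept"


def likelihood_band(p):
    if not 0.0 <= p <= 1.0:
        raise ValueError(f"probability out of range: {p}")
    return "high" if p >= 0.5 else "medium" if p >= 0.1 else "low"


def impact_band(loss):
    # Assumed thresholds; set them from the organization's own loss tolerance.
    return "high" if loss >= 100_000 else "medium" if loss >= 10_000 else "low"


def qualitative_rating(p, loss):
    """Assumed likelihood x impact matrix yielding the slide-16 scale."""
    bands = (likelihood_band(p), impact_band(loss))
    if bands == ("high", "high"):
        return "critical"
    if "high" in bands and "low" not in bands:
        return "high"
    if bands == ("medium", "medium") or "high" in bands:
        return "medium"
    return "low"


def assess(assets, appetite):
    """Score every applicable threat, rate it, decide, and prioritize."""
    register = []
    for asset in assets:
        for t in asset.threats:
            if REQUIREMENT_FOR[t.outcome] not in asset.requirements:
                continue  # outcome does not violate a stated requirement
            loss = asset.impact.get(t.outcome, 0.0)
            el = t.probability * loss
            rating = qualitative_rating(t.probability, loss)
            # Mitigate anything rated high or above, or whose expected loss
            # exceeds the accepted annual loss; accept the rest explicitly.
            decision = "mitigate" if rating in ("critical", "high") or el > appetite else "accept"
            register.append(Risk(asset.name, t, el, rating, decision))
    register.sort(key=lambda r: (RATING_ORDER[r.rating], -r.expected_loss))
    return register


def sample_assets():
    """Constructed sample: two critical assets with their threat profiles."""
    records = CriticalAsset(
        "Student records database",
        frozenset({"confidentiality", "integrity", "availability"}),
        {Outcome.DISCLOSURE: 500_000, Outcome.MODIFICATION: 200_000,
         Outcome.LOSS: 300_000, Outcome.INTERRUPTION: 20_000},
        [Threat("outside", "network", "deliberate", Outcome.DISCLOSURE, 0.2),
         Threat("inside", "network", "accidental", Outcome.MODIFICATION, 0.05),
         Threat("hardware failure", "n/a", "n/a", Outcome.INTERRUPTION, 0.6)],
    )
    website = CriticalAsset(
        "Public web site",
        frozenset({"availability"}),
        {Outcome.DISCLOSURE: 1_000, Outcome.INTERRUPTION: 5_000},
        [Threat("outside", "network", "deliberate", Outcome.INTERRUPTION, 0.8),
         Threat("outside", "network", "deliberate", Outcome.DISCLOSURE, 0.9)],
    )
    return [records, website]


if __name__ == "__main__":
    for r in assess(sample_assets(), appetite=5_000):
        print(f"{r.rating:8} {r.expected_loss:>10,.0f} {r.decision:8} "
              f"{r.asset}: {r.threat.entity}/{r.threat.access}/{r.threat.motive} -> {r.threat.outcome.value}")
```

Two points the run makes visible: the web site's disclosure threat drops out of the register because the asset's security profile does not claim confidentiality, which is why slide 19 asks for requirements before threats; and the hardware-failure interruption rates "high" despite a modest loss figure, because the qualitative matrix weights likelihood as heavily as impact while the quantitative column ranks it well below the disclosure scenario. Keeping both metrics side by side, as slide 28 suggests, is what exposes that disagreement for the prioritization decision on slide 29.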

30. Hints to Develop a Security Plan
   • Set realistic goals and objectives
   • Include operational security practices
     • Secure critical assets
     • Identify and correct technological vulnerabilities
     • Conduct security assessments
     • Implement preventive measures
     • Implement overlapping, independent protective measures
     • Secure the perimeter – firewalls
     • Adopt effective practices
     • Use intrusion detection/prevention tools

31. Hints to Develop a Security Plan
   • Include strategic security practices
     • Develop policies and procedures
       • Enforceable
       • Define accountability
     • Implement recovery procedures
       • Incident response
       • Tie to your Business Resumption/Disaster Recovery plan
     • Provide training and education
       • End users – awareness
       • ITC – professional development

32. References
   • OCTAVE – Operationally Critical Threat, Asset, and Vulnerability Evaluation, http://www.cert.org/octave/
   • Educause – Internet2 – Effective Security Practices Guide, http://www.educause.edu/security/guide/
   • ISO/IEC 17799 – Code of Practice for Information Security Management, http://csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq.pdf
