
Information Technology Security Assessment

Prepared By: Raghda Zahran
Supervised By: Dr. Loai Tawalbeh
New York Institute of Technology (NYIT), Jordan's campus, 2006
The Global Threat

Information security is not just a paperwork drill; there are dangerous adversaries out there capable of launching serious attacks on our information systems that can result in severe or catastrophic damage to the nation's critical information infrastructure and ultimately threaten our economic and national security.
Critical Infrastructures: Examples
Energy (electrical, nuclear, gas and oil, dams)
Transportation (air, road, rail, port, waterways)
Public Health Systems / Emergency Services
Information and Telecommunications
Defense Industry
Banking and Finance
Postal and Shipping
Agriculture / Food / Water
Chemical
Computer Security Practices in Nonprofit Organizations

When asked how employees would characterize the state of their own organization's computer security practices, nearly a third of the respondents (32%) acknowledged that their computer security practices needed to be improved.

[Chart: how respondents described their own organization's computer security; chart data not preserved in the extracted text]
Threats to Security

Connectivity
Complexity

Survey questions asked (chart data not preserved in the extracted text):

Which of the following statements best describes your organization's computer security?
Does your organization have a data recovery plan to implement in the event of catastrophic data loss?
In your opinion, what are the computer security issues that your organization needs to address?
The Risks are Real

Lost laptops and portable storage devices
Data/information left on public computers
Data/information intercepted in transmission
Spyware, malware, keystroke logging
Unprotected computers infected within seconds of being connected to the network
Thousands of attacks on campus networks every day

[Figure: risk assessment flow diagram. Stages as labelled: Requirement Study and Situation Analysis; Document Review; Vulnerability Scan; Data Analysis; Risk Identification; Report & Briefing]

Risk Management Flow

Investigate
Analyze: Risk Identification (identify the vulnerability)
Analyze: Risk Control (investigate how to control vulnerabilities)
Design
Implement
Maintain

Information Security Program

Links in the Security Chain: Management, Operational, and Technical Controls

Adversaries attack the weakest link; where is yours?

Risk assessment
Security planning
Security policies and procedures
Contingency planning
Incident response planning
Security awareness and training
Physical security
Personnel security
Certification, accreditation, and security assessments
Access control mechanisms
Identification & authentication mechanisms (biometrics, tokens, passwords)
Audit mechanisms
Encryption mechanisms
Firewalls and network security mechanisms
Intrusion detection systems
Security configuration settings
Anti-viral software
Smart cards
What you need to know

IT resources to be managed
What's available on your network
Policies, laws & regulations
Security awareness
Risk assessment, mitigation, & monitoring
Resources to help you

The Golden Rules
Building an Effective Enterprise Information Security Program

Develop an enterprise-wide information security strategy and game plan
Get corporate buy-in for the enterprise information security program; effective programs start at the top
Build information security into the infrastructure of the enterprise
Establish a level of due diligence for information security
Focus initially on mission/business case impacts; bring in threat information only when specific and credible
Create a balanced information security program with management, operational, and technical security controls
Employ a solid foundation of security controls first, then build on that foundation guided by an assessment of risk
Avoid complicated and expensive risk assessments that rely on flawed assumptions or unverifiable data
Harden the target; place multiple barriers between the adversary and enterprise information systems
Be a good consumer; beware of vendors trying to sell single-point solutions for enterprise security problems
Don't be overwhelmed with the enormity or complexity of the information security problem; take one step at a time and build on small successes
Don't tolerate indifference to enterprise information security problems

And finally: manage enterprise risk; don't try to avoid it!
Thanks