
IT Architecture for Dummies - Chapter 5 & 6

Presented by:
Group - 15
Kumar Mayank (14609038)
Rachit Mehrotra (14609157)

Coverage
Planning Enterprise Information Security
Protecting enterprise data.
Creating a security plan.
Developing a security policy.
Using technology to support security operations.

Complying with Mandates and Managing Risks


Keeping your company compliant.
Planning to manage risk.
Addressing risks.

9/8/15

IT Architecture for Dummies - Chapter 5 & 6

Protecting Enterprise Data


A data breach is the inadvertent release of sensitive or protected data.
Common ways in which data is revealed include:
Theft of equipment (particularly laptops) containing unencrypted information.
Equipment discovered missing during periodic inventory checks.
Confidential data posted to a company's public Web site or to an inadequately secured accessible location.
Improper disposal of data processing equipment.
Accidental exposure through e-mail.


Creating a Security Plan


Design a workable program.
View security as a program, not as a project.
Keep security simple.


Creating a Security Plan.


Use a layered framework in which security measures are applied at each of the following layers:
Data
Applications that access the data
Hosts on which the applications and data reside
Network on which the hosts reside
Perimeter separating your organization's network from the public network
Facility housing the computing


Creating a Security Plan.

Figure 1 : A simple example of the Layered Defense strategy.



Creating a Security Plan.


Implement a security standard, for example:
ISO/IEC 27000 series, published by the International Organization for Standardization (www.iso.org)
Systems Security Engineering Capability Maturity Model (www.ssecmm.org)
The Standard of Good Practice for Information Security, published by the Information Security Forum (www.isfsecuritystandard.com)
Special Publication 800 standards, published by the U.S. National Institute of Standards and Technology (csrc.nist.gov)
Federal Information Processing Standards (www.itl.nist.gov/fipspubs)

Developing a Security Policy


Classifying data to be secured.
Training employees.
Getting management approval.
o It ensures that those who control the finances understand that security is important and must be budgeted for.
o It lets employees know that security is a valid business concern.
Maintaining the policy as circumstances change, such as:
o Emerging security threats.
o Changes in business functionality or data classification.
o Implementation of new technology.
o Mergers and acquisitions.
o Security incidents.


Developing a Security Policy.


Addressing basic security elements
Administrative access.
Acceptable use.
Authorized software.
Data disposal.
Encryption.
Firewall.
Incident management.
Malware.
Passwords.
Server and workstation hardening.
Social engineering awareness.
Social media.
Telephone procedures.
Waste disposal.

Using Technology to Support Security Operations


Remain flexible.
Plan for partner relationships.
Outsource only when necessary.


Using Technology to Support Security Operations


Use collaborative technologies:
o E-mail and messaging.
o Discussion boards and wikis.
o Scheduling and task management.
o Conferencing (Web, voice, and video).
Communicate new security policies.
Announce potential threats.
Detail how to address, report, or respond to these risks.
Remind users of their responsibilities with regard to security.
Provide a mechanism for security incident reporting.


Complying with Mandates and Managing Risk

IT Architecture for Dummies - Chapter 19 & 20


Legal Mandates Affecting Organizations

SOX (Sarbanes-Oxley Act)
GLBA (Gramm-Leach-Bliley Act)
HIPAA (Health Insurance Portability and Accountability Act)
FERPA (Family Educational Rights and Privacy Act)
COPPA (Children's Online Privacy Protection Act)

Planning to manage risk


Technical Considerations
Data centre management solutions
Technology replacement agreements
o Physical Security
o Data centre planning measures

Types of Threats

Natural - weather events
Environmental - fire, power failure
Human - cheating, fraud
Electronic:
o Malware
o Bugs
o Phishing mails
o Bots & botnets

Assessing Risk
Each threat is analyzed to determine its probability and impact.
Probability refers to the likelihood that the threat will materialize into an actual event.
Impact refers to the loss that would occur if it does.

Assessing Risk Process


Determining probability - how often threat events occur.
Determining impact - by the nature and severity of the consequences of a successful threat event.
Using a risk matrix - combining probability and impact to determine the risk rating.

Addressing Risk
Prioritizing Threats
Reducing Probability
Reducing Impact

Prioritizing threats
Acceptance - risk identified and accepted; the impact is understood.
Avoidance - selecting an alternative option.
Mitigation - additional protection or alterations.
Transference - insurance protections.
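The assessment process on the previous slides (probability x impact read off a risk matrix to get a rating) and the four ways of handling a prioritized threat, worked through as an added Python example. This is not code from the book or from these slides: the 1-to-5 scales, the rating bands, the band-to-strategy rule and the sample threats are all assumptions constructed for the illustration.

```python
"""Worked risk-matrix example (added illustration, not from the book).

Probability and impact are scored 1..5; the rating is their product,
bucketed into Low / Medium / High / Critical bands, and each band is
mapped to one of the handling strategies named on the slides
(acceptance, avoidance, mitigation, transference). The scales, the
band thresholds and the mapping are assumptions made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    category: str       # Natural / Environmental / Human / Electronic (slide taxonomy)
    probability: int    # 1 = rare ... 5 = almost certain (assumed scale)
    impact: int         # 1 = negligible ... 5 = severe loss (assumed scale)

    def __post_init__(self):
        # Reject scores outside the matrix so a typo cannot silently skew the rating.
        for field_name in ("probability", "impact"):
            value = getattr(self, field_name)
            if not 1 <= value <= 5:
                raise ValueError(f"{field_name} must be 1..5, got {value}")


def risk_score(threat: Threat) -> int:
    """Risk rating = probability x impact, as read off a 5x5 risk matrix."""
    return threat.probability * threat.impact


def risk_band(score: int) -> str:
    """Bucket a 1..25 score into the matrix's colour bands (assumed thresholds)."""
    if score >= 17:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def handling_strategy(threat: Threat) -> str:
    """Map a threat to one of the four responses named on the slides.

    Heuristic (an assumption for this example): low risk is accepted;
    critical risk is avoided by choosing an alternative; a rare but
    severe event is transferred (insurance); everything else is
    mitigated with additional protection.
    """
    band = risk_band(risk_score(threat))
    if band == "Low":
        return "Acceptance"
    if band == "Critical":
        return "Avoidance"
    if threat.impact >= 4 and threat.probability <= 2:
        return "Transference"
    return "Mitigation"


def prioritize(threats):
    """Order threats for treatment: highest score first, ties by impact, then name."""
    return sorted(threats, key=lambda t: (-risk_score(t), -t.impact, t.name))


def risk_register(threats):
    """Build the prioritized register a security plan would record."""
    return [
        {"name": t.name, "category": t.category, "score": risk_score(t),
         "band": risk_band(risk_score(t)), "strategy": handling_strategy(t)}
        for t in prioritize(threats)
    ]


def render_matrix(threats) -> str:
    """Text view of the 5x5 matrix with a count of threats in each cell."""
    cells = {}
    for t in threats:
        cells[(t.probability, t.impact)] = cells.get((t.probability, t.impact), 0) + 1
    lines = ["prob\\impact " + " ".join(f"{i:>3}" for i in range(1, 6))]
    for p in range(5, 0, -1):
        row = " ".join(f"{cells.get((p, i), 0):>3}" for i in range(1, 6))
        lines.append(f"{p:>11} {row}")
    return "\n".join(lines)


# Constructed sample threats covering the slide categories; the scores are illustrative.
SAMPLE_THREATS = [
    Threat("Flooding of the data centre site", "Natural", 1, 2),
    Threat("Fire in the server room", "Environmental", 1, 5),
    Threat("Power failure", "Environmental", 3, 2),
    Threat("Loss of unencrypted backup media", "Human", 3, 4),
    Threat("Phishing mail harvesting staff credentials", "Electronic", 5, 3),
    Threat("Payroll system running on unsupported software", "Electronic", 5, 5),
]


if __name__ == "__main__":
    print(render_matrix(SAMPLE_THREATS))
    for row in risk_register(SAMPLE_THREATS):
        print(f"{row['score']:>2} {row['band']:<8} {row['strategy']:<12} {row['name']}")
```

The register output is the artefact the "Prioritizing threats" step produces: the unsupported payroll system (25) lands at the top and is flagged for avoidance, the phishing and backup-media threats are mitigated with countermeasures, the rare but severe fire is a candidate for insurance, and the low-scoring flood is accepted. Changing the thresholds or the mapping rule is expected; they encode the organization's own appetite for risk, not a fixed standard.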

Reducing Probability
Use of countermeasures against common threats.
Examples:
Threat: Data exposure from lost or stolen backup media
Countermeasure: Encrypt backups and implement greater physical security controls.
Threat: Theft of user credentials
Countermeasure: Install anti-malware software.
Threat: Unauthorized access to the corporate network
Countermeasure: Install a firewall.

Reducing Impact

Comprehensive contingency plan.
Training users to report suspected security incidents.
Implementing clusters and load balancing.
Ensure that copies of critical data are stored in a secure facility.
