Scribd Logo
Upload

Welcome to Scribd!

  • Security Administration

    Uploaded by

    Nadezhda Traykova
    22 views32 pages
    A security plan describes how an organization will address its security needs. It identifies what (vulnerabilities, threats, and risks) Specify how they will be handled (controls) Specify who will handle them Specify when they will handled (timetable) Participation by both business and IT personnel Best Different Scales OCTAVE - large organizations OCTAVE-S - small organizations Identify enterprise knowledge Identify operational area knowledge Identify staff knowledge Create threat profiles Identify key components Evaluate selected

    Original Description:

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    A security plan describes how an organization will address its security needs. It identifies what (vulnerabilities, threats, and risks) Specify how they will be handled (controls) Specify who will handle them Specify when they will handled (timetable) Participation by both business and IT personnel Best Different Scales OCTAVE - large organizations OCTAVE-S - small organizations Identify enterprise knowledge Identify operational area knowledge Identify staff knowledge Create threat profiles Identify key components Evaluate selected

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    22 views32 pages

    Security Administration

    Uploaded by

    Nadezhda Traykova
    A security plan describes how an organization will address its security needs. It identifies what (vulnerabilities, threats, and risks) Specify how they will be handled (controls) Specify who will handle them Specify when they will handled (timetable) Participation by both business and IT personnel Best Different Scales OCTAVE - large organizations OCTAVE-S - small organizations Identify enterprise knowledge Identify operational area knowledge Identify staff knowledge Create threat profiles Identify key components Evaluate selected

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 32

    Security Administration

    Links to Text
    Chapter 8
    Parts of Chapter 5

    Parts of Chapter 1

    Security Involves:
    Technical controls Administrative controls Physical controls

    Major Chapter Topics


    Planning Risk analysis Policy Physical security

    Security Plan
    Written document that

    describes how an organization will address its security needs

    What Should a Security Plan Do?


    Identify what (vulnerabilities,

    threats, and risks) Specify how they will be handled (controls) Specify who will handle them Specify when they will be handled (timetable)

    Issues Listed in Text


    Policy Current state Requirements Recommended controls Accountability Timetable Continuing attention (updates)

    OCTAVE
    Operationally Critical Threat, Asset,

    and Vulnerability Evaluation Developed at Carnegie Mellon CERT Coordination Center First published in 1999

    The OCTAVE Approach


    Self-directed

    Focused on risks to information assets


    Focused on practice-based mitigation

    practices from CERT/CC, NIST, laws and regulations (e.g., HIPPA), etc. Participation by both business and IT personnel

    Best

    Different Scales
    OCTAVE large organizations
    OCTAVE-S small organizations

    OCTAVE Steps
    1. 2. 3. 4. 5. 6. 7. 8.

    Identify enterprise knowledge Identify operational area knowledge Identify staff knowledge Create threat profiles Identify key components Evaluate selected components Conduct a risk analysis Develop a protection strategy

    Common Criteria (CC)


    Framework for evaluation of IT systems International effort
    United

    States United Kingdom France Germany The Netherlands Canada

    Business Continuity Plan


    Plan for management of situations which

    are Catastrophic Long-lasting A single such incident can put a company out of business (even if handled well) Identify essential assets and functions

    Incident Response Plan


    Plan for management of security

    incidents May not be catastrophic May not be long-lasting Many incidents will have minor impact on operations

    Risk Analysis
    Risks closely related to threats
    Risk analysis attempts to quantify

    and measure problems associated with threats Many approaches to risk analysis have been developed

    Quantifying Risk
    Risk probability

    How likely is the risk? Risk impact How much do we lose? Risk control Can the risk be avoided?

    Risk Exposure
    Probability of Risk X Risk Impact
    Risk Impact $100,000 Risk Probability 0.5 Risk Exposure $50,000

    Risk Leverage
    (Exposure Before Exposure After)/ Risk Control Cost
    Original Risk Exposure $ 50,000 Cost of Control $100 Revised Risk Exposure $20,000 Risk Leverage 300 (note: dimensionless)

    Risk Analysis Steps


    Identify assets
    Determine vulnerabilities

    Estimate likelihood of exploitation


    Compute expected annual loss Survey applicable controls and their

    costs Project annual savings of control

    Difficulties of Risk Analysis


    Probabilities hard to estimate Historical data Experts Delphi approach
    Some costs hard to quantify

    Risk Analysis Approaches


    Many risk analysis approaches
    Usual common features: Checklists Organizational matrices Specification of procedures

    No dominant approach

    Security Policy
    A written document describing goals

    for and constraints on a system Who can access what resources in what manner? High level management document Should not change often

    Policy Considerations
    Stakeholders (beneficiaries)
    Users

    Owners
    Resources

    Security Procedures/Guidelines
    Describe how security policy will

    be implemented More frequent changes than policy

    Physical Security
    Protection that does not involve the

    system as a system Independent of

    Hardware Software Data

    Possible Problems
    Natural disasters Floods Fires
    Power loss Human vandals Interception of sensitive information

    Physical Security Controls


    Backups

    Backups

    Backups

    Backups!!!

    Natural Disasters
    Careful building design
    System placement

    Fire extinguishers

    Power Loss
    Uninterruptible power supply
    Surge suppressor

    Human Vandals
    Guards
    Locks

    Authentication
    Reduced portability

    Theft detection

    Information Interception
    Shredding
    Overwriting magnetic data

    Degaussing Destroy magnetic fields


    Tempest Prevent or control magnetic emanations

    Contingency Plans
    Backup
    Offsite backup

    Networked storage
    Cold site Hot site

    You might also like