Information and Security

More documents

Recommendations

Info

VISA International Security Model VISA International promotes strong security measures andhas security guidelines Developed two important documents that improve andregulate information systems: “Security AssessmentProcess”; “Agreed Upon Procedures” Using the two documents, security team can develop soundstrategy the design of good security architecture Only down side to this approach is very specific focus onsystems that can or do integrate with VISA’s systemsBaselining and Best Business Practices Baselining and best practices are solid methods forcollecting security practices, but provide less detail than acomplete methodology Possible to gain information by baselining and using bestpractices and thus work backwards to an effective design The Federal Agency Security Practices (FASP) site(fasp.nist.gov) designed to provide best practices for publicagencies and adapted easily to private institutionsHybrid Framework for a Blueprint of anInformation Security System Result of a detailed analysis of components of alldocuments, standards, and Web-based informationdescribed previously Offered here as a balanced introductory blueprint forlearning the blueprint development processFigure 5-15 – Spheres of SecurityHybrid Framework for a Blueprint of anInformation Security System (continued) NIST SP 800-26 Management controls cover security processes designed bythe strategic planners and performed by securityadministration Operational controls deal with operational functionality ofsecurity in organization Technical controls address tactical and technical issuesrelated to designing and implementing security inorganizationDesign of Security Architecture Defense in depth Implementation of security in layers Requires that organization establish sufficient securitycontrols and safeguards so that an intruder faces multiplelayers of controls Security perimeter Point at which an organization’s security protection ends andoutside world begins Does not apply to internal attacks from employee threats oron-site physical threatsKey Technology Components Firewall: device that selectively discriminates againstinformation flowing into or out of organization Demilitarized zone (DMZ): no-man’s land between insideand outside networks where some organizations placeWeb servers Intrusion Detection Systems (IDSs): in effort to detectunauthorized activity within inner network, or on individualmachines, organization may wish to implement an IDSFigure 5-18 – Key ComponentsSecurity Education, Training, and AwarenessProgram As soon as general security policy exist, policies toimplement security education, training and awareness(SETA) program should follow SETA is a control measure designed to reduce accidentalsecurity breaches Security education and training builds on the generalknowledge the employees must possess to do their jobs,familiarizing them with the way to do their jobs securely The SETA program consists of three elements: securityeducation; security training; and security awareness
Security Education Everyone in an organization needs to be trained and awareof information security; not every member needs formaldegree or certificate in information security When formal education for individuals in security is needed,an employee can identify curriculum available from localinstitutions of higher learning or continuing education A number of universities have formal coursework ininformation securitySecurity Training Involves providing members of organization with detailedinformation and hands-on instruction designed to preparethem to perform their duties securely Management of information security can developcustomized in-house training or outsource the trainingprogramSecurity Awareness One of least frequently implemented but most beneficialprograms is the security awareness program Designed to keep information security at the forefront ofusers’ minds Need not be complicated or expensive If the program is not actively implemented, employeesbegin to “tune out” and risk of employee accidents andfailures increasesContinuity Strategies Incident response plans (IRPs); disaster recovery plans(DRPs); business continuity plans (BCPs) Primary functions of above plans IRP focuses on immediate response; if attack escalates or isdisastrous, process changes to disaster recovery and BCP DRP typically focuses on restoring systems after disastersoccur; as such, is closely associated with BCP BCP occurs concurrently with DRP when damage is major orlong term, requiring more than simple restoration ofinformation and information resourcesFigure 5-22 – Contingency PlanningTimelineContinuity Strategies (continued) Before planning can begin, a team has to plan effort andprepare resulting documents Champion: high-level manager to support, promote, andendorse findings of project Project manager: leads project and makes sure soundproject planning process is used, a complete and usefulproject plan is developed, and project resources areprudently managed Team members: should be managers or theirrepresentatives from various communities of interest:business, IT, and information securityFigure 5-23 – Major Steps inContingency PlanningIncident Response Planning Incident response planning covers identification of,classification of, and response to an incident Attacks classified as incidents if they: Are directed against information assets Have a realistic chance of success Could threaten confidentiality, integrity, or availability ofinformation resources Incident response (IR) is more reactive, than proactive, with theexception of planning that must occur to prepare IR teams to beready to react to an incidentIncident Planning First step in overall process of incident response planning Pre-defined responses enable organization to react quicklyand effectively to detected incident if: Organization has IR team Organization can detect incident IR team consists of individuals needed to handle systemsas incident takes place Planners should develop guidelines for reacting to andrecovering from incident
Page 1 and 2: Information andSecurity"No one can
Page 3: Systems-Specific Policy (SysSP) Sys
Page 7 and 8: Business Continuity Planning Outlin
Page 9 and 10: InterferenceWiFi Frequency - 2.4 Gh
Page 11 and 12: InfrastructureStations access via W

Information and Security

Create successful ePaper yourself

Delete template?

Save as template?