Security Standards and Threat Evaluation
Main Topic of Discussion
 Methodologies
 Standards
 Frameworks
 Measuring threats
– Threat evaluation
– Certification and accreditation
IT Governance
A structure of relationships and processes to direct and
control the enterprise in order to achieve the
enterprise’s goals by adding value while balancing risk
versus return over IT and its processes.
C&A
The certification and accreditation (C&A) process
focuses on federal IT systems that process, store
and transmit sensitive information. The associated
tasks and subtasks, security controls, and
verification techniques and procedures have been
defined broadly so that they apply to all types of
IT systems, including national security or
intelligence systems if so directed by the
appropriate authorities.
Standards in Assessing Risk
 Need a way to measure risk consistently
 Need to cover multiple geographies
 Needs to scale
 Newly forming
 Teaching
Methodologies
 A body of practices, procedures and rules
used by those who engage in an inquiry
 Can include multiple frameworks
 Overall approach used to measure something
 Repeatable
 Utilizes standards
Standards
 Something that is widely recognized or
employed, especially because of its
excellence
 An acknowledged measure of comparison
for qualitative or quantitative value
 Many different types of standards- even for
the same elements needing to be measured
Framework
 A set of assumptions, concepts, values and
practices that constitutes a way of viewing
reality
 Building block for crafting an approach
 Encapsulates the elements needed to perform a task
 Acts as a guide: details can be plugged in
for specific tasks
Standards
 COBIT
 ISO 17799
 Common Criteria
 NIST
COBIT
 www.isaca.org
 Control Objectives for Information and related
Technology
 Framework, standard or good practice?
 Includes:
– Maturity models
– Critical success factors
– Key goal indicators
– Key performance indicators
COBIT
COBIT is structured around four domains of
management, covering 34 IT-related management
processes:
1. Planning and Organization
2. Acquisition and Implementation
3. Delivery and Support
4. Monitoring
ISO 17799
 "A detailed security standard"
 Ten major sections:
– Business Continuity Planning
– System Access Control
– System Development and Maintenance
– Physical and Environmental Security
– Compliance
– Personnel Security
– Security organization
– Computer and Network Management
– Asset Classification
– Security Policy
ISO 17799
 Most widely recognized security standard
 Based on BS 7799, whose Part 1 was last
published in May 1999
 Comprehensive security control objectives
 Originated as a UK (BSI) standard
SSE-CMM CIA Triad
 Defines the "triad" as the following six items:
– Confidentiality
– Integrity
– Availability
– Accountability
– Privacy
– Assurance
Common Criteria
 Developed from the TCSEC standard of the 1980s
(the Orange Book)
 International standard, published by ISO as
ISO/IEC 15408
 ITSEC (Europe), TCSEC (US) and CTCPEC (Canada)
were merged into the CC (version 1.0, 1996)
 NIAP
– National Information Assurance Partnership
– http://niap.nist.gov/
Common Criteria
 11 Functionality Classes:
– Audit
– Cryptographic Support
– Communications
– User Data Protection
– Identification and Authentication
– Security Management
– Privacy
– Protection of the TOE security functions (TSF)
– Resource utilization
– TOE access
– Trusted path/channels
Threat Approach
Threat Evaluation
 Evaluation of level of threat to an asset
 Based on:
– Visibility, inherent weakness, location,
personal/business values
 Method:
– Determine threats to assets (and their importance)
– Determine cost of countermeasures
– Implement countermeasures to reduce threat
Threats
 Activity that represents possible danger
 Can come in different forms
 Can come from different places
 Can't protect against all threats
 Protect against the most likely or most
worrisome, such as threats to:
– The business mission
– Data (integrity, confidentiality, availability)
Vulnerability Assessment
 Evaluation of weakness in asset
 Based on:
– Known published weakness
– Perceived / studied weakness
– Assessed threats
 Method:
– Determine the threats relevant to the asset
– Determine vulnerability to those threats
– Determine vulnerability to theoretical threats
– Fortify or accept the vulnerabilities
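
As an added, runnable illustration of the threat evaluation method above (determine the threats to each asset and their importance, price the countermeasures, implement those that reduce the threat) and of the fortify-or-accept decision that closes the vulnerability assessment. This is example code written for this page, not material from the original slides; the scoring model (expected yearly loss = likelihood x impact x asset value), the decision rule (implement a countermeasure only when the exposure it removes is worth more than its yearly cost) and the whole sample inventory are assumptions constructed for the example.

```python
"""Worked threat evaluation for a small asset inventory.

Added illustration, not code from the original slides.  The scoring model,
the implement-or-accept rule and every asset, threat and countermeasure
below are assumptions constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    value: float          # business value at stake, in currency units (assumed)


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str            # name of the asset it endangers
    likelihood: float     # expected occurrences per year (assumed estimate)
    impact: float         # fraction of the asset's value lost per occurrence, 0..1


@dataclass(frozen=True)
class Countermeasure:
    name: str
    threat: str           # name of the threat it addresses
    annual_cost: float
    reduction: float      # fraction of the remaining exposure it removes, 0..1


def annual_exposure(threat, assets):
    """Expected yearly loss from one threat: likelihood x impact x asset value."""
    return threat.likelihood * threat.impact * assets[threat.asset].value


def rank_threats(threats, assets):
    """Threats ordered by exposure, most worrisome first (their 'importance')."""
    return sorted(threats, key=lambda t: annual_exposure(t, assets), reverse=True)


def select_countermeasures(threats, countermeasures, assets):
    """Decide, countermeasure by countermeasure, whether to fortify or accept.

    A countermeasure is implemented only when the exposure it removes exceeds
    its yearly cost; whatever is left afterwards is the residual exposure the
    business is accepting for that threat.  Countermeasures are evaluated in
    the order given, so a later one for the same threat sees the exposure that
    remains after the earlier one.
    Returns (names of implemented countermeasures, residual exposure by threat).
    """
    residual = {t.name: annual_exposure(t, assets) for t in threats}
    implemented = []
    for cm in countermeasures:
        removed = residual[cm.threat] * cm.reduction
        if removed > cm.annual_cost:
            implemented.append(cm.name)
            residual[cm.threat] -= removed
    return implemented, residual


# Constructed sample inventory (assumed values, not real data).
ASSETS = {a.name: a for a in (
    Asset("customer-db", 500_000),
    Asset("public-website", 50_000),
)}
THREATS = [
    Threat("sql-injection", "customer-db", likelihood=0.5, impact=0.4),
    Threat("ddos", "public-website", likelihood=2.0, impact=0.1),
    Threat("insider-theft", "customer-db", likelihood=0.1, impact=0.8),
]
COUNTERMEASURES = [
    Countermeasure("waf", "sql-injection", annual_cost=20_000, reduction=0.6),
    Countermeasure("code-review", "sql-injection", annual_cost=15_000, reduction=0.5),
    Countermeasure("ddos-scrubbing", "ddos", annual_cost=30_000, reduction=0.9),
    Countermeasure("dlp", "insider-theft", annual_cost=25_000, reduction=0.5),
]

if __name__ == "__main__":
    for t in rank_threats(THREATS, ASSETS):
        print(f"{t.name:15s} exposure {annual_exposure(t, ASSETS):>10,.0f}/yr")
    done, left = select_countermeasures(THREATS, COUNTERMEASURES, ASSETS)
    print("implement:", ", ".join(done))
    for name, exposure in left.items():
        print(f"accept {exposure:>10,.0f}/yr residual on {name}")
```

With the sample numbers the SQL injection threat ranks first, both of its countermeasures pay for themselves and are implemented, while the DDoS scrubbing service and the DLP control cost more per year than the exposure they would remove, so those two threats are accepted at their current level. Changing a likelihood or impact estimate and re-running is the quickest way to see how sensitive the decision is to the inputs, which is the point the slides make about threats being measured against business value.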