Information Security Management: A Process Driven Approach
by Peter Benson and Phillip Mawson
Copyright Security-Assessment.com 2004

Overview
- Information Security Management (ISM)
- Task centred approach to ISM
- Pros and cons
- Process centred approach to ISM
- Pros and cons
- Process example
- Questions

Information Security Management Challenges
- Security threat growing
- Pressure to reduce IT operational spend
- Centralisation of infrastructure access technology
- Growth of online e-business
- Rapidly changing environments

Information Security Management: Process Centred vs Task Centred Security Management
- Task: a unit of work.
- Process: a complete end-to-end set of tasks that together create value for a client.
- Generally speaking, security management today is task focused.

Task Centred Approach
- Define policy (password age 30 days)
- Audit environment against policy
- Identify level of non-compliance
- Action plan to address non-compliance
- Re-audit environment to assess progress

Task Centred Approach: Disadvantages
- Lots of tasks
- It's expensive
- Often business value is unclear
- Susceptible to policy idealism (long live practical security policies)

Process Centred Approach
(Diagram labels: existing security processes; security process quality system; assess existing processes; recommend process improvements; implement process improvements.)

Process Centred Approach: Advantages
- Starting point is current state
- Overcomes snapshot limitations
- Process focus keeps things practical
- Process view is cheaper than policy view
- Simplified technology roadmap

Security Patch Management Process
(Overview flowchart; the slide's labels and notes follow.)
- New software security patch notification or change in severity rating.
- Identify & Assess: The vendor security patch severity rating is assessed against the cost of deploying the patch. Supporting decision criteria should be developed and agreed with those accountable for information security. The outcome of these criteria will be a deployment rating: high, medium or low.
- Security patch assessment: deploy low priority, deploy medium priority, deploy high priority.
- Deploy low priority: Deployment will be bundled with other patch update activity. No specific action is required for this update.
- Manage: test deployment plan; gain change approval; begin patch deployment; deployment complete.
- Monitor: This process should occur continuously, iterating once a month as a maximum.
- Audit: Ensure network devices are securely configured to prevent unauthorised access. Securely configured means:
  - AV software has not been disabled
  - on-access scanning is enabled
  - scheduled scanning is enabled
  - etc.
- Identify all Company owned data networks. This includes all laptops, desktops and servers. This is referring to IP data communication networks.
- Identify all network devices connected to Company owned networks.
- Ensure all relevant security patches are installed and operating on all appropriate network devices. This will include many devices that do not require antivirus software, such as printers and routers.
- Perform process improvement and compliance.
- Time limits shown on the flowchart: 24 hours maximum; one week maximum; one month maximum.
- Responsibility colour code: Assurance Group; IS Operations Group; Information Security group.

Identify & Assess
- 24 hours maximum.
- New software security patch notification or change in severity rating.
- Security patch assessment: The vendor security patch severity rating is assessed against the cost of deploying the patch. Supporting decision criteria should be developed and agreed with those accountable for information security. The outcome of these criteria will be a deployment rating: high, medium or low.
- Deploy low priority: Deployment will be bundled with other patch update activity. No specific action is required for this update.
- Deploy medium priority: Manage.
- Deploy high priority: Manage.

Manage
- Test deployment plan
- Gain change approval
- Begin patch deployment
- Deployment complete
- Monitor
- Time limits shown on the flowchart: one week maximum; one month maximum.
- Responsibility colour code: Assurance Group; IS Operations Group; Information Security group.

Monitor
- This process should occur continuously, iterating once a month as a maximum.
- Identify all company owned data networks.
- Perform root cause analysis of identified process failures and recommend process improvements.
- This includes all laptops, desktops and servers.
- This is referring to IP data communication networks.
- Identify all network devices connected to data networks.
- Ensure all relevant security patches are installed and operating on all appropriate network devices. This will include many devices that do not require patching software, such as printers and photocopiers.

Information Security Management: Process Centred Approach, quick tips
- Process owners, doers and reviewers
- Process abdication is bad
- "But we don't have a process for that???"
- Measurement is key

Questions