Security Management
- Premanand Lotlikar 26th August, 2007
Agenda
• Introduction
• Objective of Security Mgmt
• Basic Concepts
• Benefits
• Relationship with other processes
• Activities in SLM
• Process Control
• Key Performance Indicators
• Cost
• Possible Problems
Introduction
• According to the latest statistical analysis, it is estimated there are over 1.1 billion Internet users worldwide [1]
• The Internet is full of useful information; in fact, it is estimated that there are between 15 and 30 billion different websites in existence today [2]
[1] World Internet Users and Population Stats. (2007, March 19). Internet World Stats. http://www.internetworldstats.com/stats.htm
[2] The size of the World Wide Web. (2007, February 25). Pandia Search Engine News. http://www.pandia.com/sew/383-web-size.html
Introduction
• 651 million people around the world now use email regularly
• This figure is expected to grow steadily over the next four years, reaching 850 million users by the end of 2008
• Time wasted deleting junk e-mail costs American businesses nearly $22 billion a year
Source: Security Statistics. (2005). Aladdin: Securing the Global Village. http://www.esafe.com/home/csrt/statistics/statistics_2005.asp
Introduction
• Security Threats
• Telecom Threats
  – War Dialing
  – Unauthorized Remote Access
  – Unauthorized ISP Access
  – Unsecured Authorized Modems
  – Proxy Impersonation
  – Denial of Service
  – Message Tampering
• VoIP Threats
Unauthorized Remote Access Modems
Unauthorized ISP Access
Non-Secure Authorized Modems
Voice System Attacks
Security Gap Left by Traditional Data Firewall
Security System for Traditional Voice Network
Identity Threats
Objectives
• To meet the security requirements of the SLA and external requirements (legislation, policies, etc.)
• To provide a basic level of security, independent of external requirements
Basic Concepts
• Safety: refers to not being vulnerable to known risks
• Tool to provide this is security
• Confidentiality: protecting information against unauthorized access and use
• Integrity: accuracy, completeness and timeliness of information
• Availability
Benefits
• Minimize downtime, exposure, and loss of critical information caused by security attacks
• Minimize damage to business, company brand, customer loyalty, intellectual property, and employee productivity
• Prevent or minimize the spread of security attacks within the enterprise and stop the propagation of worms, viruses, and other pathogens
• Control internal information for compliance with regulations (for example, Sarbanes-Oxley and the Basel II Accord) and prevent liabilities under the regulatory mandates
• Focus on business rather than security incident recovery
Relationship with other processes
• Configuration Mgmt
• Incident Mgmt
• Problem Mgmt
• Change Mgmt
• Availability Mgmt
• Capacity Mgmt
• Service Level Mgmt
• IT Continuity Mgmt
Security Mgmt Process
Activities in SLM
• Plan
• Implement
• Evaluate
• Maintenance
• Reporting
Plan
• Includes defining the security section of the SLA
• Business terms in the SLA are converted to operational terms in the OLA
• Hence the OLA can be considered the security plan for the service provider
• The SLA should define the security requirements in measurable terms
Implement
• Classification and management of IT resources:
  – Providing input for maintaining CIs & CMDB
  – Classifying the IT resources
• Personnel security:
  – Tasks & responsibilities in job description
  – Screening
  – Confidentiality agreement for personnel
  – Training
  – Guidelines for personnel for dealing with security incidents
  – Disciplinary measures
  – Increasing security awareness
Implement
• Managing security:
  – Implementation of responsibilities
  – Written operating instructions
  – Internal regulations
  – Security guideline for the entire lifecycle (development, testing, acceptance, operations, maintenance & phasing out)
  – Separating the dev environment from test and production
  – Procedures for dealing with incidents
  – Implementation of recovery facilities
  – Implementation of virus protection measures
  – Handling and security of data media
Implementation
• Access control:
  – Implementation of access and access control policy
  – Maintenance of access privileges of users & applications to networks and network services
  – Maintenance of network security barriers
  – Implementation of measures of identification and authentication
Evaluate
• 3 forms of evaluation:
  – Self-assessments: primarily implemented by the line organization of the process
  – Internal audits: undertaken by internal IT auditors
  – External audits: undertaken by external IT auditors
• Main activities are:
  – Verifying compliance with the security plan and the implementation of the plan
  – Performing security audits on IT systems
  – Identifying and responding to inappropriate use of IT resources
Maintenance
• Includes the maintenance of the security section of the SLA and detailed security plans (OLA)
• Carried out on the basis of the results of the Evaluation process
• Any changes are subject to Change Mgmt
Reporting
• It is not a sub-process but an output of the other sub-processes
• Provides information about achieved security performance and security issues
• Important both to the customer and the service provider
• The customer must be correctly informed about the efficiency of the efforts and the actual security measures
Reporting
• Planning:
  – Reports about the UC and OLA
  – Reports about the annual security plans and action plans
• Implementation:
  – Status reports about implementations
  – List of security incidents and responses
  – Identification of incident trends
  – Status of the awareness program
Reporting
• Evaluation:
  – Report about performance of sub-processes
  – Results of audits, review & internal assessments
  – Warnings, identification of new threats
• Any specific report/s
Critical Success Factors
• Full mgmt commitment and involvement
• User involvement when developing the process
• Clear and separated responsibilities
• Over-tasked IT staff
• Missing or poor co-ordination among business units
• Lack of security governance model
Cost
Possible Problems
• Commitment
• Awareness
• Verification
• Change Mgmt
• Ambition
• Over-reliance on stronghold/fortress techniques