Security Management

Premanand Lotlikar, 26th August 2007

Agenda
• Introduction
• Objective of Security Mgmt
• Basic Concepts
• Benefits
• Relationship with other processes
• Activities in SLM
• Process Control
• Key Performance Indicators
• Cost
• Possible Problems

Introduction
• According to the latest statistical analysis, it is estimated there are over 1.1 billion Internet users worldwide [1]
• The Internet is full of useful information; in fact, it is estimated that there are between 15 and 30 billion different websites in existence today [2]

[1] World Internet Users and Population Stats. (2007, March 19). Internet World Stats. http://www.internetworldstats.com/stats.htm
[2] The size of the World Wide Web. (2007, February 25). Pandia Search Engine News. http://www.pandia.com/sew/383-web-size.html

Introduction
• 651 million people around the world now use email regularly
• This figure is expected to grow steadily over the next four years, reaching 850 million users by the end of 2008
• Time wasted deleting junk e-mail costs American businesses nearly $22 billion a year

Security Statistics. (2005). Aladdin: Securing the Global Village. http://www.esafe.com/home/csrt/statistics/statistics_2005.asp

Introduction
• Security Threats
• Telecom Threats
  – War Dialing
  – Unauthorized Remote Access
  – Unauthorized ISP Access
  – Unsecured Authorized Modems
  – Proxy Impersonation
  – Denial of Service
  – Message Tampering
• VoIP Threats

[Diagram slides; only the slide titles survive]
• Unauthorized Remote Access Modems
• Unauthorized ISP Access
• Non-Secure Authorized Modems
• Voice System Attacks
• Security Gap Left by Traditional Data Firewall
• Security System for Traditional Voice Network
• Identity Threats

Objectives
• To meet the security requirements of the SLA and external requirements (legislation, policies, etc.)
• To provide a basic level of security, independent of external requirements

Basic Concepts
• Safety: not being vulnerable to known risks
• Security is the means by which safety is provided
• Confidentiality: protecting information against unauthorized access and use
• Integrity: accuracy, completeness and timeliness of information
• Availability

Benefits
• Minimize downtime, exposure, and loss of critical information caused by security attacks
• Minimize damage to business, company brand, customer loyalty, intellectual property, and employee productivity
• Prevent or minimize the spread of security attacks within the enterprise and stop the propagation of worms, viruses, and other pathogens
• Control internal information for compliance with regulations (for example, Sarbanes-Oxley and the Basel II Accord) and prevent liabilities under the regulatory mandates
• Focus on the business rather than on security incident recovery

Relationship with other processes
• Configuration Mgmt
• Incident Mgmt
• Problem Mgmt
• Change Mgmt
• Availability Mgmt
• Capacity Mgmt
• Service Level Mgmt
• IT Continuity Mgmt

Security Mgmt Process

Activities in SLM
• Plan
• Implement
• Evaluate
• Maintenance
• Reporting

Plan
• Includes defining the security section of the SLA
• Business terms in the SLA are converted to operational terms in the OLA
• Hence the OLA can be considered the security plan for the service provider
• The SLA should define the security requirements in measurable terms

Implement
• Classification and management of IT resources:
  – Providing input for maintaining CIs and the CMDB
  – Classifying the IT resources

• Personnel security:
  – Tasks and responsibilities in job descriptions
  – Screening
  – Confidentiality agreement for personnel
  – Training
  – Guidelines for personnel for dealing with security incidents
  – Disciplinary measures
  – Increasing security awareness

Implement
• Managing security:
  – Implementation of responsibilities
  – Written operating instructions
  – Internal regulations
  – Security guideline for the entire lifecycle (development, testing, acceptance, operations, maintenance and phasing out)
  – Separating the development environment from test and production
  – Procedures for dealing with incidents
  – Implementation of recovery facilities
  – Implementation of virus protection measures
  – Handling and security of data media

Implementation
• Access control:
  – Implementation of the access and access control policy
  – Maintenance of access privileges of users and applications to networks and network services
  – Maintenance of network security barriers
  – Implementation of identification and authentication measures

Evaluate
• 3 forms of evaluation:
  – Self-assessments: primarily implemented by the line organization of the process
  – Internal audits: undertaken by internal IT auditors
  – External audits: undertaken by external IT auditors
• Main activities are:
  – Verifying compliance with the security plan and the implementation of the plan
  – Performing security audits on IT systems
  – Identifying and responding to inappropriate use of IT resources

Maintenance
• Includes the maintenance of the security section of the SLA and the detailed security plans (OLA)
• Carried out on the basis of the results of the Evaluation process
• Any changes are subject to Change Mgmt

Reporting
• Not a sub-process but an output of the other sub-processes
• Provides information about achieved security performance and security issues
• Important both to the customer and to the service provider
• The customer must be correctly informed about the efficiency of the efforts and the actual security measures

Reporting
• Planning:
  – Reports about the UC and OLA
  – Reports about the annual security plans and action plans
• Implementation:
  – Status reports about implementations
  – List of security incidents and responses
  – Identification of incident trends
  – Status of the awareness program
• Evaluation:
  – Report about performance of sub-processes
  – Results of audits, reviews and internal assessments
  – Warnings, identification of new threats
• Any specific reports

Critical Success Factors
• Full mgmt commitment and involvement
• User involvement when developing the process
• Clear and separated responsibilities
• Over-tasked IT staff
• Missing or poor co-ordination among business units
• Lack of security governance model

Cost

Possible Problems
• Commitment
• Awareness
• Verification
• Change Mgmt
• Ambition
• Over-reliance on stronghold/fortress techniques

Thank you!
