Best Practices for Information Security Management. Bob Small, CISSP, CEH. March 2006.
Systems and Software Consortium | 2214 Rock Hill Road, Herndon, VA 20170-4227 | Phone: (703)742-8877 | FAX: (703)742-7200
www.systemsandsoftware.org
Best Practices for Information Security Management
Bob Small, CISSP, CEH
March 2006
Take-away Messages
• Defense in depth solutions
• Effective security requires a rigorous risk management process
• Must be effective and cost effective
• Think about it from the adversary’s perspective
Key Elements of Security
• Confidentiality, Integrity, Availability
• People, Process, Technology
Defense In Depth
Speed bumps are a better metaphor for information security than bank vaults
Risk Management Process
Degree of Assurance Required
Risk Assessment
• Asset Identification and Valuation
• Identification of Vulnerabilities
• Identification of Threats
• Evaluation of Impacts
• Business Risks
• Likelihood of Occurrence
• Ranking of Risks
• Review of existing security controls
Risk Mitigation
• Identification of new security controls
• Policy and Procedures
• Implement Controls to Reduce Risk
• Risk Acceptance (Residual Risk)
Gap analysis
International Standards for ISMS
Information Security Management System
• Confidentiality, Integrity, Availability
• People, process, tools
• Plan | Do | Check | Act
• Tangible assets, Intangible assets
• ISO 17799, Code of Practice for Information Security Management
• ISO 27001, Information Security Management Systems – Requirements
These standards are accepted as industry best practices
Control Areas In ISO 17799
133 controls in 11 areas
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resource Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information Systems Acquisition, Development and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance
Security Policy
Objective: Provide management direction and support for information security in accordance with business requirements and relevant laws and regulations
• It must be written
• It must be reviewed periodically
Security Must Be Managed In All Relationships
ISMS Scope
Internal Support Functions
External Support Functions
Facilities, HR, F&A, Legal, Marketing, IT Support, Audit, Data Archiving, Consultants, Customers
Each arrow represents a contract, MOA, SLA, etc.
Information Assets Must Be Managed
Inventory of Assets
• Tangible
• Intangible
Ownership
Acceptable Use
Classification Guidelines
Information Labeling and Handling
Human Resources Security
• Prior to Employment
• During Employment
• Termination or Change of Employment
Think Creatively About Information Security
• Catch Me If You Can
• The Shawshank Redemption
• The Italian Job
ISMS Resources
• ISO 17799, Code of Practice for Information Security Management
• ISO 27001, Information Security Management Systems – Requirements
http://www.iso.org
• National Institute of Standards and Technology
http://csrc.nist.gov
• SP 800-70, The NIST Security Configuration Checklists Program
• SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
• SP 800-30, Risk Management Guide for Information Technology Systems
• INCITS CS1 (Cybersecurity)
http://www.incits.org
Thank You