Information Technology Security Assessment

Prepared By: Raghda Zahran
Supervised By: Dr. Lo’ai Tawalbeh
New York Institute of Technology (NYIT), Jordan campus, 2006
The Global Threat

Information security is not just a paperwork drill… there are dangerous adversaries out there capable of launching serious attacks on our information systems that can result in severe or catastrophic damage to the nation’s critical information infrastructure and ultimately threaten our economic and national security…
Critical Infrastructures: Examples

• Energy (electrical, nuclear, gas and oil, dams)
• Transportation (air, road, rail, port, waterways)
• Public Health Systems / Emergency Services
• Information and Telecommunications
• Defense Industry
• Banking and Finance
• Postal and Shipping
• Agriculture / Food / Water
• Chemical
Computer Security Practices in Nonprofit Organizations

• When asked how employees would characterize the state of their own organization's computer security practices, nearly a third of the respondents (32%) acknowledged that their computer security practices needed to be improved.
• How respondents described their own organization's computer security:
Threats to Security

• Connectivity
• Complexity

Survey chart: Which of the following statements best describes your organization's computer security?
Survey chart: Does your organization have a data recovery plan to implement in the event of catastrophic data loss?
Survey chart: In your opinion, what are the computer security issues that your organization needs to address?
The Risks are Real

• Lost laptops and portable storage devices
• Data/Information “left” on public computers
• Data/Information intercepted in transmission
• Spyware, “malware,” “keystroke logging”
• Unprotected computers infected within seconds of being connected to the network
• Thousands of attacks on campus networks every day
Risk Identification

Risk identification flow:
• Requirement Study and Situation Analysis
• Document Review
• Vulnerability Scan
• Data Analysis
• Report & Briefing
Risk Management Flow

• Investigate
• Analyze: Risk Identification (identify the vulnerability)
• Analyze: Risk Control (investigate how to control vulnerabilities)
• Design
• Implement
• Maintain
Information Security Program

Adversaries attack the weakest link… where is yours?

Links in the Security Chain: Management, Operational, and Technical Controls

Management and operational controls:
• Risk assessment
• Security planning
• Security policies and procedures
• Contingency planning
• Incident response planning
• Security awareness and training
• Physical security
• Personnel security
• Certification, accreditation, and security assessments

Technical controls:
• Access control mechanisms
• Identification & authentication mechanisms (biometrics, tokens, passwords)
• Audit mechanisms
• Encryption mechanisms
• Firewalls and network security mechanisms
• Intrusion detection systems
• Security configuration settings
• Anti-viral software
• Smart cards
What you need to know

• IT resources to be managed
• What’s available on your network
• Policies, laws & regulations
• Security awareness
• Risk assessment, mitigation, & monitoring
• Resources to help you
The Golden Rules: Building an Effective Enterprise Information Security Program

• Develop an enterprise-wide information security strategy and game plan
• Get corporate “buy in” for the enterprise information security program—effective programs start at the top
• Build information security into the infrastructure of the enterprise
• Establish a level of “due diligence” for information security
• Focus initially on mission/business case impacts—bring in threat information only when specific and credible
• Create a balanced information security program with management, operational, and technical security controls
• Employ a solid foundation of security controls first, then build on that foundation guided by an assessment of risk
• Avoid complicated and expensive risk assessments that rely on flawed assumptions or unverifiable data
• Harden the target; place multiple barriers between the adversary and enterprise information systems
• Be a good consumer—beware of vendors trying to sell “single point solutions” for enterprise security problems
• Don’t be overwhelmed with the enormity or complexity of the information security problem—take one step at a time and build on small successes
• Don’t tolerate indifference to enterprise information security problems

And finally…

• Manage enterprise risk—don’t try to avoid it!
Thanks

Q&A