Layered Approach - Information Security Recommendations
DESCRIPTION
This presentation discusses recommendations for a secure connection between a remote data center and a primary data center, taking into account user connectivity and end-user security awareness training.
TRANSCRIPT
1
01 INFORMATION SECURITY: Using a Layered Approach
Michael Kaishar, CISSP, Information Security Consultant
2
Defense-in-Depth
Layered Approach (each layer with the controls the slide assigns to it)
• Policies, Procedures, & Security Awareness: Electronic Security Policy and Security Awareness Training
• Physical Security: Badges, PINs, Security Cameras, Locks, etc.
• Perimeter: Firewalls, VPN, IDS/IPS
• Internal Network: Subnets, VLANs, IDS/IPS, IPSec
• Host: OS Hardening & Patching, BIOS Password, and Disable USB
• Application: All applications published by Citrix Portal with SSL certificate security
• Data: Access Control Lists and Permissions controlled by GPO
Michael Kaishar, CISSP / Information Security Consultant
3
02 SECURITY AWARENESS TRAINING: Web-Based Training provided by [Vendor of Choice]
4
Security Awareness Training
Security Awareness Training empowers employees through a web-based delivery system supporting Information Security Policies and Acceptable Use of Electronic Communications Systems at [COMPANY]. The web-based, e-learning courses are designed to help meet compliance requirements.
• Security Awareness Training Course Topics
– Passwords: how to create a strong password and the techniques hackers use to crack them.
– Viruses & Hoaxes: malware concepts and protective controls each employee can take.
– Social Engineering: gathering of private information through conversations, and how to avoid crossing the line from helpful to harmful.
5
03 END-USER SECURITY: RECOMMENDATIONS FOR TECHNICAL SECURITY
6
End-User Security Technical Recommendation
End-User Client Security
To mitigate the risk of data theft, it is necessary to provide a secure ePC (thin) client solution.
• ePC Security & Feature Configuration Recommendations
– RDP / ICA Connection
– Only Boot from Hard Drive (Disable CD/DVD/USB Booting)
– Enable BIOS Passwords
– Latest XP Service Pack
– DISABLE ALL USB PORTS!!
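The following audit script is an added example, not part of the presentation and not the author's own tooling. It checks a Windows client against the ePC recommendations above using the standard registry locations (USBSTOR service start type, and the Device Installation Restrictions policy value) and WMI; the function names are the example's own. BIOS password and boot-order settings live in firmware and cannot be read from Windows, so the script reports them as a manual check rather than guessing.

```powershell
# Added example: audit a Windows thin client against the ePC recommendations.
# Assumes a Windows host with PowerShell 2.0 or later and local admin rights
# (needed to read HKLM). Function names are this example's own.

function Test-UsbStorageDisabled {
    # USBSTOR Start = 4 (SERVICE_DISABLED) stops the USB mass-storage driver
    # from loading; USB keyboards and mice keep working.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $item = Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.Start -eq 4)
}

function Test-RemovableDevicePolicy {
    # Device Installation Restrictions GPO (Vista and later) writes
    # DenyRemovableDevices = 1 under this policy key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $item = Get-ItemProperty -Path $key -Name DenyRemovableDevices -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.DenyRemovableDevices -eq 1)
}

function Get-ServicePackLevel {
    # Reports OS name and major service pack so it can be compared with the
    # "latest service pack" requirement.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    return ('{0} SP{1}' -f $os.Caption.Trim(), $os.ServicePackMajorVersion)
}

function Get-FirmwareCheckNote {
    # BIOS password and boot-device order are firmware settings that the OS
    # cannot query; flag them for a manual check at the console.
    return 'MANUAL CHECK: BIOS password set and only the hard drive bootable'
}

# Assemble the report as an ordered list of name/result pairs.
$checks = @(
    @{ Name = 'USB mass storage driver disabled (USBSTOR Start=4)'; Result = (Test-UsbStorageDisabled) },
    @{ Name = 'Removable device installation denied by GPO';         Result = (Test-RemovableDevicePolicy) },
    @{ Name = 'OS and service pack';                                   Result = (Get-ServicePackLevel) },
    @{ Name = 'BIOS password / boot order';                            Result = (Get-FirmwareCheckNote) }
)

foreach ($c in $checks) {
    '{0}: {1}' -f $c.Name, $c.Result
}
```

Note that the slide's "disable all USB ports" is broader than what either registry setting does: USBSTOR and the device-installation policy block storage and new device installs while leaving already-installed keyboards and mice usable. Disabling the ports outright is a BIOS setting, which is why that line is reported for manual verification rather than inferred from the OS.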
7
04 NETWORK DIAGRAM: RECOMMENDATION FOR A SECURE NETWORK
8
Network Security Recommendation