Layered Approach - Information Security Recommendations

Upload: michael-kaishar-msia-cissp

Post on 05-Jul-2015

DESCRIPTION

This presentation discusses recommendations for securing the connection between a remote data center and a primary data center, taking into account user connectivity and end-user security awareness training.

TRANSCRIPT

Page 1: Layered Approach - Information Security Recommendations

01 INFORMATION SECURITY: Using a Layered Approach

Michael Kaishar, CISSP, Information Security Consultant

Page 2

Defense-in-Depth: Layered Approach

Each layer of the model is paired with the controls recommended for it:

Policies, Procedures, & Security Awareness: Electronic Security Policy and Security Awareness Training

Physical Security: Badges, PINs, Security Cameras, Locks, etc.

Perimeter: Firewalls, VPN, IDS/IPS

Internal Network: Subnets, VLANs, IDS/IPS, IPSec

Host: OS Hardening & Patching, BIOS Password, and Disable USB

Application: All applications published by Citrix Portal with SSL certificate security

Data: Access Control Lists and Permissions controlled by GPO

Michael Kaishar, CISSP / Information Security Consultant

Page 3

02 SECURITY AWARENESS TRAINING: Web-Based Training provided by [Vendor of Choice]

Page 4

Security Awareness Training

Security Awareness Training empowers employees through a web-based delivery system supporting the Information Security Policies and the Acceptable Use of Electronic Communications Systems at [COMPANY]. The web-based e-learning courses are designed to help meet compliance requirements.

• Security Awareness Training Course Topics
– Passwords: how to create a strong password and the techniques hackers use to crack them.
– Viruses & Hoaxes: malware concepts and protective controls each employee can take.
– Social Engineering: gathering of private information through conversations, and how to avoid crossing the line from helpful to harmful.

Page 5

03 END-USER SECURITY: RECOMMENDATIONS FOR TECHNICAL SECURITY

Page 6

End-User Security Technical Recommendation

End-User Client Security

To mitigate the risk of data theft, a secure ePC (thin) client solution is necessary.

• ePC Security & Feature Configuration Recommendations
– RDP / ICA connection only
– Only boot from hard drive (disable CD/DVD/USB booting)
– Enable BIOS passwords
– Latest XP service pack
– DISABLE ALL USB PORTS!!
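As an added example (not part of the original deck), the following PowerShell audit checks a Windows client against the items of this checklist that are visible from inside the OS and flags the firmware items for manual verification. It assumes an elevated session on the client being checked; the registry paths used (USBSTOR service start value, Terminal Server fDenyTSConnections) are standard Windows locations, not values from the slides.

```powershell
# Added example, not from the presentation: audit one endpoint against the
# ePC hardening checklist. BIOS password and boot-order settings live in
# firmware and cannot be read from the OS, so they are reported as manual
# checks rather than guessed. Assumes an elevated PowerShell session.

function Test-EpcHardening {
    $results = @()

    # USB mass storage: a Start value of 4 on the USBSTOR driver means disabled.
    $usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                                -Name Start -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check    = 'USB storage driver disabled (USBSTOR Start = 4)'
        Pass     = ($null -ne $usbstor -and $usbstor.Start -eq 4)
        Observed = if ($null -ne $usbstor) { $usbstor.Start } else { 'key missing' }
    }

    # The RDP/ICA connection model needs Remote Desktop reachable;
    # fDenyTSConnections = 0 means RDP connections are allowed.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{
        Check    = 'RDP enabled (fDenyTSConnections = 0)'
        Pass     = ($null -ne $ts -and $ts.fDenyTSConnections -eq 0)
        Observed = if ($null -ne $ts) { $ts.fDenyTSConnections } else { 'key missing' }
    }

    # Patch level: record the installed service pack and build so it can be
    # compared against the current baseline for this client image.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $results += [pscustomobject]@{
        Check    = 'OS service pack / build recorded for baseline comparison'
        Pass     = $true
        Observed = "$($os.Caption) SP$($os.ServicePackMajorVersion) build $($os.BuildNumber)"
    }

    # Firmware-level items are outside the OS; flag them for manual verification.
    foreach ($item in 'BIOS password set',
                      'Boot only from hard drive (CD/DVD/USB boot disabled)') {
        $results += [pscustomobject]@{ Check = $item; Pass = $null
                                       Observed = 'manual check in firmware setup' }
    }
    return $results
}

Test-EpcHardening | Format-Table -AutoSize
```

Run it per client image before deployment; a Pass of False on the USBSTOR or RDP rows shows where the build drifts from the checklist.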

Page 7

04 NETWORK DIAGRAM: RECOMMENDATION FOR A SECURE NETWORK

Page 8

Network Security Recommendation
