organizational aspects of network security
8/12/2019 Organizational Aspects of Network Security
http://slidepdf.com/reader/full/organizational-aspects-of-network-security 1/14
by Imran Hameed
Aims & Objectives
• Evolution of Security
• Security Life Cycle
• Security program-defined
• Security Processes
• Policy Development
• Technical Controls
• Integrity Controls
Evolution of Security
Layers (from the slide diagram): Technology, Process, People, Management, Strategy
• Standards
• Guidelines
• Procedures
• Network perimeter
• Best effort security
• Education
• Awareness Training
• Policy
• Program Development
• Audit
• Policy Compliance
• Risk management
• Corporate alignment
Security Life Cycle
Plan
• Policy Development
• Security Posture Definition
• Security Program Development
• Business Continuity Planning
• Security Awareness Plan
Implement
• Firewall Integration
• Intrusion Detection
• Application Integration
• Authentication Systems
Monitor & Manage
• Security Monitoring & Management
• Patching/Updating/Upgrading
• Incident Response
• Disaster Recovery
Assess
• Perimeter Security Assessment
• Network Security Assessment
• Internal & External Audit
• Risk Management
Security Program - Defined
• Security is achieved by implementing appropriate controls in the form of
– Policy,
– Organizational structure &
– Technology
in conjunction with the business objectives.
Security Processes
Administrative & Physical Security Processes
• Organization
• Policy
• Third Party Agreements
• Business Continuity Management
• Data & Asset Classification
• Awareness & Training
• Personnel Security
• Physical & Environment
Technical Security Processes
• Network Access Controls Policy
• System Access Controls
• Authentication
• Auditing, Monitoring & Response
• Operational Security
• Account Management
• System Integrity
Policy Development
IT Security Guiding Principles
• Commitment
• Classification
• Accountability
• Authority
• Responsibility
• Review
Policy Development
System & Issue Papers
• Network Security Policy
• Domain Security Policy
• Remote Access Policy
• Password Policy
• Virus & Content Security Policy
Host Data Sheets
• Host1 Security Data Sheet
• Host2 Security Data Sheet
Policy Framework
Technical Controls
• Authorization
• Access
• Audit & Monitoring
Authorization
• Based on Corporate Assets & Responsibilities Policy
• Access based on “Need to Know”
• System & Data Owners
– Approval Authority
• IT Support Personnel
– Granting Authority
• Separation of Duties
Access Controls
• Based on Classification Policy
• Least Privileged Model
• Layered Security
– Physical Separation
– Network Segmentation
– Role-based Access Controls
– Data Classification
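The Authorization and Access Controls slides above describe a workflow rather than a product: access is approved by the system or data owner, provisioned by IT support, limited to what the requester needs to know, and never broader than the request. As an added example, not part of the original deck, the following Python script wires those rules into one small access-request model. All names, roles, assets and the four-level classification ladder are constructed for the illustration.

```python
"""Added example (not from the slides): a small access-request workflow that
enforces the rules on the Authorization and Access Controls slides.
Every name, role, asset and classification level below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed classification ladder; a higher index is more sensitive.
LEVELS = ["Public", "Internal", "Confidential", "Classified"]


@dataclass
class Asset:
    name: str
    classification: str
    owner: str                      # system/data owner = approval authority


@dataclass
class Person:
    name: str
    clearance: str
    role: str                       # "user", "owner" or "it_support"
    need_to_know: Set[str] = field(default_factory=set)  # assets this person works on


@dataclass
class Request:
    requester: str
    asset: str
    permission: str                 # "read" or "write"; one permission per request
    approved_by: Optional[str] = None
    granted_by: Optional[str] = None


class AccessControl:
    def __init__(self, people: List[Person], assets: List[Asset]) -> None:
        self.people = {p.name: p for p in people}
        self.assets = {a.name: a for a in assets}
        self.grants: Dict[Tuple[str, str], Set[str]] = {}   # (person, asset) -> permissions
        self.audit: List[str] = []                          # audit trail of every decision

    def _deny(self, what: str, reason: str) -> bool:
        self.audit.append(f"DENY {what}: {reason}")
        return False

    def approve(self, req: Request, approver: str) -> bool:
        """Approval authority: only the asset owner may approve, and only for a
        requester who has a need to know and whose clearance covers the asset."""
        person, asset = self.people[req.requester], self.assets[req.asset]
        what = f"approve {req.requester}/{req.asset}/{req.permission} by {approver}"
        if approver != asset.owner:
            return self._deny(what, "approver is not the asset owner")
        if approver == req.requester:                       # separation of duties
            return self._deny(what, "requester cannot approve own request")
        if req.asset not in person.need_to_know:
            return self._deny(what, "no need to know")
        if LEVELS.index(person.clearance) < LEVELS.index(asset.classification):
            return self._deny(what, "clearance below asset classification")
        req.approved_by = approver
        self.audit.append(f"APPROVE {what}")
        return True

    def grant(self, req: Request, granter: str) -> bool:
        """Granting authority: IT support provisions only what was approved, and
        never acts as approver or requester of the same request."""
        what = f"grant {req.requester}/{req.asset}/{req.permission} by {granter}"
        if req.approved_by is None:
            return self._deny(what, "request not approved")
        if self.people[granter].role != "it_support":
            return self._deny(what, "granter is not IT support")
        if granter in (req.approved_by, req.requester):     # separation of duties
            return self._deny(what, "granter must differ from approver and requester")
        # Least privilege: add exactly the approved permission, nothing broader.
        self.grants.setdefault((req.requester, req.asset), set()).add(req.permission)
        req.granted_by = granter
        self.audit.append(f"GRANT {what}")
        return True

    def check(self, person: str, asset: str, permission: str) -> bool:
        """Default deny: anything not explicitly granted is refused."""
        return permission in self.grants.get((person, asset), set())


def run_demo() -> Dict[str, bool]:
    """Walks a few constructed requests through the workflow and returns the outcomes."""
    people = [
        Person("alice", "Confidential", "user", {"payroll-db"}),
        Person("bob", "Classified", "owner"),
        Person("carol", "Classified", "it_support"),
        Person("dave", "Internal", "user", {"payroll-db"}),
    ]
    assets = [Asset("payroll-db", "Confidential", owner="bob")]
    ac = AccessControl(people, assets)

    read_req = Request("alice", "payroll-db", "read")
    unapproved = Request("alice", "payroll-db", "write")
    low_clearance = Request("dave", "payroll-db", "read")
    return {
        "owner_approves_read": ac.approve(read_req, "bob"),
        "it_support_grants_read": ac.grant(read_req, "carol"),
        "alice_can_read": ac.check("alice", "payroll-db", "read"),
        "alice_cannot_write": not ac.check("alice", "payroll-db", "write"),   # least privilege
        "self_approval_refused": not ac.approve(unapproved, "alice"),
        "grant_without_approval_refused": not ac.grant(unapproved, "carol"),
        "owner_cannot_grant": not ac.grant(read_req, "bob"),
        "clearance_enforced": not ac.approve(low_clearance, "bob"),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{'PASS' if ok else 'FAIL'} {name}")
```

The `audit` list is the piece that connects this slide to the later Audit & Monitoring one: every refusal is recorded with its reason, so a reviewer can later confirm that no grant exists without a matching owner approval.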
Audit & Monitoring
• Centralized Logging
• Automated Monitoring & Notification
• Layered Security
– Define security zones
– Never allow direct access across 2 zones.
• e.g. Public to Classified
– Reduces risk
• Response & Reporting
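The zone rule on this slide ("never allow direct access across 2 zones") is simple to state but easy to lose in a large firewall rule base, so it is worth checking mechanically both in the configuration and in the logs that a central collector receives. The following Python script is an added example, not part of the original deck: it orders zones on a constructed trust ladder, flags any allow rule whose endpoints are not neighbouring zones, and raises a notification for each logged flow that did the same. Zone names, the rule set and the log-line format are all constructed.

```python
"""Added example (not from the slides): checks firewall rules and flow-log
lines against the zone rule on the Audit & Monitoring slide, i.e. traffic may
move only between neighbouring zones. Zone names, rules and log lines are constructed."""
from typing import Dict, List

# Constructed trust ladder, least trusted first; real deployments define their own.
ZONES = ["Public", "DMZ", "Internal", "Classified"]


def zone_distance(src_zone: str, dst_zone: str) -> int:
    return abs(ZONES.index(src_zone) - ZONES.index(dst_zone))


def skips_a_zone(src_zone: str, dst_zone: str) -> bool:
    """True when a path jumps over at least one zone (distance of 2 or more)."""
    return zone_distance(src_zone, dst_zone) >= 2


def audit_rules(rules: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the allow rules that would permit a zone-skipping path."""
    return [r for r in rules
            if r["action"] == "allow" and skips_a_zone(r["src_zone"], r["dst_zone"])]


def parse_flow(line: str) -> Dict[str, str]:
    """Parse a constructed 'timestamp key=value ...' flow record."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for item in fields:
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def monitor(lines: List[str]) -> List[str]:
    """Automated monitoring: one notification per allowed flow that skipped a zone."""
    alerts = []
    for line in lines:
        rec = parse_flow(line)
        if rec["action"] == "allow" and skips_a_zone(rec["src_zone"], rec["dst_zone"]):
            alerts.append(f"{rec['ts']} ZONE-SKIP {rec['src_zone']}->{rec['dst_zone']} "
                          f"{rec['src']}->{rec['dst']}:{rec['dport']}")
    return alerts


# Constructed rule set: two neighbouring-zone rules, two that skip a zone, one deny.
SAMPLE_RULES = [
    {"src_zone": "Public", "dst_zone": "DMZ", "dport": "443", "action": "allow"},
    {"src_zone": "DMZ", "dst_zone": "Internal", "dport": "5432", "action": "allow"},
    {"src_zone": "Public", "dst_zone": "Internal", "dport": "22", "action": "allow"},
    {"src_zone": "Public", "dst_zone": "Classified", "dport": "445", "action": "allow"},
    {"src_zone": "Public", "dst_zone": "Classified", "dport": "any", "action": "deny"},
]

# Constructed flow-log lines as a central log collector might receive them.
SAMPLE_FLOWS = [
    "2019-08-12T09:00:01Z src=203.0.113.7 src_zone=Public dst=192.0.2.10 dst_zone=DMZ dport=443 action=allow",
    "2019-08-12T09:00:02Z src=192.0.2.10 src_zone=DMZ dst=10.1.0.5 dst_zone=Internal dport=5432 action=allow",
    "2019-08-12T09:00:03Z src=203.0.113.9 src_zone=Public dst=10.9.0.2 dst_zone=Classified dport=445 action=allow",
    "2019-08-12T09:00:04Z src=203.0.113.9 src_zone=Public dst=10.9.0.2 dst_zone=Classified dport=445 action=deny",
]


if __name__ == "__main__":
    for r in audit_rules(SAMPLE_RULES):
        print("rule violates zone policy:", r)
    for a in monitor(SAMPLE_FLOWS):
        print(a)
```

Running the configuration check and the log check side by side is the point: the rule audit catches a zone-skipping path before it is deployed, while the flow monitor catches one that reached production anyway, which is the case the slide's "Response & Reporting" bullet exists for.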