TMK 264: COMPUTER SECURITY
CHAPTER SIX: ADMINISTERING SECURITY
Prepared By: Razif Razali


Upload: lawrence-oneal

Post on 18-Jan-2018



INTRODUCTION

Years ago, when most computing was done on mainframe computers, data processing centers were responsible for protection.

Responsibility for security rested neither with the programmer nor the users but instead with the computing centers themselves.

These centers developed expertise in security, and they implemented many protection activities in the background, without users having to be conscious of protection needs and practices.


SECURITY PLANNING

A security plan is a document that describes how an organization will address its security needs.

The plan is subject to periodic review and revision as the organization’s security needs change.

A good security plan is an official record of current security practices, plus a blueprint for orderly change to improve the practices.

A security plan identifies and organizes the security activities for a computing system.

The advantage of having a security plan is that it allows these activities to happen in a studied and organized manner.


The plan is both a description of the current situation and a plan for improvement.

Every security plan must address seven issues:
• Policy
• Current State
• Requirements
• Recommended Controls
• Accountability
• Timetable
• Continuing Attention


Policy

The policy indicates the goals of the computer security effort and the willingness of the people involved to work to achieve those goals.

A security policy is a high-level statement of purpose and intent. For this reason, the policy statement must answer three essential questions:
• Who should be allowed access?
• To what system and organizational resources should access be allowed?
• What types of access should each user be allowed for each resource?

The policy statement should specify the following:
• The organization’s goals on security.
• Where the responsibility for security lies.
• The organization’s commitment to security.


Current State

To be able to plan for security, an organization must understand the vulnerabilities to which it may be exposed.

The organization can determine the vulnerabilities by performing a risk analysis: a careful investigation of the system, its environment, and the things that might go wrong.


Requirements

• The heart of the security plan is its set of security requirements: functional or performance demands placed on a system to ensure a desired level of security.
• Ways to meet the security goals.
• The requirements are usually derived from organizational needs.
• In particular, we should make sure that the requirements have these characteristics:
  • Correctness – Are the requirements understandable?
  • Consistency – Are there any conflicting or ambiguous requirements?
  • Completeness – Are all possible situations addressed by the requirements?
  • Realism – Is it possible to implement what the requirements mandate?


Recommended Controls

The security plan must also recommend what controls should be incorporated into the system to meet those requirements.

It maps controls to the vulnerabilities identified in the policy.


Accountability

The plan describes who is responsible for each security activity. This documentation assists those who must coordinate their individual responsibilities with those of the developers.

Example:
• The project leader may be responsible for the security of data and computations.
• Database managers may be responsible for the access to and integrity of data in their databases.
• Information officers may be responsible for overseeing the creation and use of data.


Timetable

• The security plan includes a timetable that shows how and when the elements of the plan will be performed.
• These dates also give milestones so that management can track the progress of implementation.
• The timetable identifies when the different security functions are to be done.


Continuing Attention

• We must not only take care in defining requirements and controls, but we must also find ways for evaluating a system’s security to be sure that the system is as secure as we intend it to be.
• Specifying a structure for periodically updating the security plan.


RISK ANALYSIS

Good, effective security planning includes a careful risk analysis.

A risk is a potential problem that the system or its users may experience.

We distinguish a risk from other project events by looking for three things:
• A loss associated with an event.
  • The event must generate a negative effect.
• The likelihood that the event will occur.
  • There is a probability of occurrence associated with each risk.
• The degree to which we can change the outcome.
  • We must determine what, if anything, we can do to avoid the impact or at least reduce its effects.


STRATEGIES FOR RISK REDUCTION

In general, there are three strategies for risk reduction:
• Avoiding the risk.
• Transferring the risk.
• Assuming the risk.

Risk analysis is the process of examining a system and its operational context to determine possible exposures and the potential harm they can cause.


STEPS OF A RISK ANALYSIS

Risk analysis for security is adapted from more general management practice, placing special emphasis on the kinds of problems likely to arise from security issues.

By following well-defined steps, we can analyze the security risks in a computing system.

The basic steps of risk analysis are listed below:
• Identify assets.
• Determine vulnerabilities.
• Estimate likelihood of exploitation.
• Compute expected annual loss.
• Survey applicable controls and their costs.
• Project annual savings of control.
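The six steps above, carried through on a small register, as an added example that is not part of the original slides. It assumes the usual formulation of expected annual loss (likelihood per year times loss per occurrence); the class names, function names and all figures are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    asset: str              # step 1: identify assets
    vulnerability: str      # step 2: determine vulnerabilities
    events_per_year: float  # step 3: estimated likelihood of exploitation
    loss_per_event: float   # cost of one occurrence

    @property
    def ale(self) -> float:
        # step 4: expected annual loss (assumed formula: likelihood x loss)
        return self.events_per_year * self.loss_per_event

@dataclass
class Control:
    name: str
    annual_cost: float      # step 5: what the control costs per year
    effectiveness: dict     # {(asset, vulnerability): fraction of loss removed}

def total_ale(risks, control=None):
    """Sum of expected annual losses, optionally with one control in place."""
    total = 0.0
    for r in risks:
        cut = control.effectiveness.get((r.asset, r.vulnerability), 0.0) if control else 0.0
        if not 0.0 <= cut <= 1.0:
            raise ValueError(f"effectiveness out of range for {r.asset}: {cut}")
        total += r.ale * (1.0 - cut)
    return total

def annual_savings(risks, control):
    # step 6: loss avoided by the control minus the control's own cost
    return total_ale(risks) - total_ale(risks, control) - control.annual_cost

def rank_controls(risks, controls):
    """Controls by projected savings; negative means it costs more than it saves."""
    return sorted(((c.name, annual_savings(risks, c)) for c in controls),
                  key=lambda row: row[1], reverse=True)

# Constructed sample figures, for illustration only.
RISKS = [
    Risk("customer database", "stolen credentials", 0.5, 80_000),
    Risk("file server", "ransomware", 0.25, 120_000),
    Risk("laptops", "theft", 4, 2_500),
]
CONTROLS = [
    Control("multi-factor login", 6_000, {("customer database", "stolen credentials"): 0.75}),
    Control("offline backups", 12_000, {("file server", "ransomware"): 0.5}),
    Control("laptop cable locks", 9_000, {("laptops", "theft"): 0.5}),
]
```

Calling rank_controls(RISKS, CONTROLS) orders the three controls by projected annual savings; the last one comes out negative, which is the case where assuming the risk is cheaper than the control.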


ORGANIZATIONAL SECURITY POLICIES

A key element of any organization’s security planning is an effective security policy.

A security policy is a high-level management document to inform all users of the goals of and constraints on using a system.

A policy document is written in broad enough terms that it does not change frequently.

Purpose of security policies:

Security policies are used for several purposes, including the following:
• Recognizing sensitive information assets.
• Clarifying security responsibilities.
• Promoting awareness for existing employees.
• Guiding new employees.


CONCLUSION

• Security Planning
• Contents of Security Plan
• Risk Analysis
• Strategies of Risk Reduction
• Steps of Risk Analysis
• Organizational Security Policies