Embed Size (px)
Citation preview
Security Administration
Links to Text
Chapter 8Parts of Chapter 5Parts of Chapter 1
Security Involves:
Technical controlsAdministrative controlsPhysical controls
Major Chapter Topics PlanningRisk analysisPolicyPhysical security
Security PlanWritten document that
describes how an organization will address its security needs
What Should a Security Plan Do?
Identify what (vulnerabilities, threats, and risks)
Specify how they will be handled (controls)
Specify who will handle themSpecify when they will be handled
(timetable)
Issues Listed in TextPolicyCurrent stateRequirementsRecommended controlsAccountabilityTimetableContinuing attention (updates)
OCTAVEOperationally Critical Threat, Asset,
and Vulnerability EvaluationDeveloped at Carnegie Mellon
CERT Coordination CenterFirst published in 1999
The OCTAVE Approach Self-directed Focused on risks to information assets Focused on practice-based mitigation
Best practices from CERT/CC, NIST, laws and regulations (e.g., HIPPA), etc.
Participation by both business and IT personnel
Different Scales
OCTAVE – large organizationsOCTAVE-S – small organizations
OCTAVE Steps 1. Identify enterprise knowledge 2. Identify operational area knowledge 3. Identify staff knowledge 4. Create threat profiles 5. Identify key components 6. Evaluate selected components 7. Conduct a risk analysis 8. Develop a protection strategy
Common Criteria (CC)
Framework for evaluation of IT systems International effort
United States United Kingdom France Germany The Netherlands Canada
Business Continuity Plan
Plan for management of situations which areCatastrophicLong-lasting
A single such incident can put a company out of business (even if handled well)
Identify essential assets and functions
Incident Response Plan
Plan for management of security incidentsMay not be catastrophicMay not be long-lasting
Many incidents will have minor impact on operations
Risk Analysis
Risks closely related to threatsRisk analysis attempts to quantify
and measure problems associated with threats
Many approaches to risk analysis have been developed
Quantifying Risk
Risk probability How likely is the risk?
Risk impact How much do we lose?
Risk control Can the risk be avoided?
Risk Exposure
Probability of Risk X Risk Impact
Risk Impact – $100,000
Risk Probability – 0.5
Risk Exposure – $50,000
Risk Leverage
(Exposure Before – Exposure After)/Risk Control Cost
Original Risk Exposure – $ 50,000Cost of Control – $100Revised Risk Exposure – $20,000Risk Leverage – 300 (note: dimensionless)
Risk Analysis Steps
Identify assetsDetermine vulnerabilitiesEstimate likelihood of exploitationCompute expected annual lossSurvey applicable controls and their costsProject annual savings of control
Difficulties of Risk Analysis
Probabilities hard to estimateHistorical dataExpertsDelphi approach
Some costs hard to quantify
Risk Analysis Approaches
Many risk analysis approachesUsual common features:
Checklists Organizational matrices Specification of procedures
No dominant approach
Security Policy
A written document describing goals for and constraints on a system
Who can access what resources in what manner?
High level management documentShould not change often
Policy Considerations
Stakeholders (beneficiaries)UsersOwnersResources
Security Procedures/Guidelines
Describe how security policy will be implemented
More frequent changes than policy
Physical Security
Protection that does not involve the system as a system
Independent of Hardware Software Data
Possible Problems
Natural disasters Floods Fires
Power lossHuman vandalsInterception of sensitive information
Physical Security Controls
Backups
BackupsBackupsBackups!!!
Natural Disasters
Careful building designSystem placementFire extinguishers
Power Loss
Uninterruptible power supplySurge suppressor
Human Vandals
GuardsLocksAuthenticationReduced portabilityTheft detection
Information Interception
ShreddingOverwriting magnetic dataDegaussing
Destroy magnetic fields
Tempest Prevent or control magnetic emanations
Contingency Plans
BackupOffsite backupNetworked storageCold siteHot site
