View
404
Download
22
Category
Preview:
DESCRIPTION
Regulatory Compliance and Reporting Auditing and Validation Metrics Definition and Collection Reporting (management, regulatory, service provider) Program Quality Security Structure Policies Technology-Independent Best Practices Security, Policies and Standards TechnologyPhysicalInformation Asset Profile Inventory, Ownership, Risk Assessment, Information Classification TechnologySpecifications Virtual Private Network Wireless Security Platform Hardening Intrusion Detection System Security Event Management PKI: Components & Applications BusinessDrivers Business Strategies Industry Regulations Acceptable Risk People & OrganizationalManagement Organizational Structure Functional Definition Roles and Responsibilities Skills/Resource Plan Security Architecture Design, Deployment & Operations Processes and Operational Practices Trust Management Incident & Response Management Identity & Access Mgmt Key Management Patch Management Security Awareness/Education Service Provider Management Security Monitoring Threat Management Vulnerability Mgmt Risk Management 3rd Party Security Asset Management Configuration Mgmt Information Security Framework Gramm-Leach-Bliley Act (GLBA) Compliance Risk Management, Efficiency Enhancement, Business Process Enablement Identification of PII and Where It Resides Rules for Using and Protecting PII Network and System Architecture and other Tools to Protect PII Security Configuration and Management of Systems Hosting PII Practices for Supporting Operations (Tape Backup, Application Execution, Etc.) on Systems Hosting PII Roles, Responsibilities, and Practices for Handling and Using PII Practices for Monitoring the Security and Use of PII Rule for Protection and Use of Enterprise Information Identification of Sensitive Business Information such as Legal, Financial, Strategic, HR, Etc. and Where it Resides Security Impact of Enterprise Network and System Architecture - Vulnerabilities on non-PII systems may Expose PII People Element of Information and Systems Management Process Element of Information and Systems Management Technology Element of Information and Systems Management Method to Monitor and Maintain Architecture Integrity
Citation preview
Information Security Framework
Regulatory Compliance and Reporting Regulatory Compliance and Reporting Auditing and Validation Metrics Definition and Collection Reporting (management, regulatory, service provider) Program Quality
Security StructurePolicies
Technology-Independent Best Practices
Security,Security, Policies and Standards Policies and Standards
Technology Physical InformationAsset ProfileAsset Profile
Inventory, Ownership, Risk Assessment, Information Classification
TechnologyTechnologySpecificationsSpecifications
Virtual Private NetworkWireless SecurityPlatform HardeningIntrusion Detection SystemSecurity Event ManagementPKI: Components & Applications
BusinessBusinessDriversDrivers
Business StrategiesIndustry Regulations
Acceptable Risk
People & People & OrganizationalOrganizationalManagementManagement
Organizational StructureFunctional DefinitionRoles and ResponsibilitiesSkills/Resource Plan
Security ArchitectureSecurity ArchitectureDesign, Deployment & OperationsDesign, Deployment & Operations
Processes andProcesses andOperational PracticesOperational Practices
Trust ManagementIncident & Response ManagementIdentity & Access MgmtKey ManagementPatch ManagementSecurity Awareness/EducationService Provider Management
Security MonitoringThreat ManagementVulnerability MgmtRisk Management3rd Party SecurityAsset ManagementConfiguration Mgmt
Regulatory Compliance and Reporting Regulatory Compliance and Reporting Auditing and Validation Metrics Definition and Collection Reporting (management, regulatory, service provider) Program Quality
Security StructurePolicies
Technology-Independent Best Practices
Security,Security, Policies and Standards Policies and Standards
Technology Physical InformationAsset ProfileAsset Profile
Inventory, Ownership, Risk Assessment, Information Classification
TechnologyTechnologySpecificationsSpecifications
Virtual Private NetworkWireless SecurityPlatform HardeningIntrusion Detection SystemSecurity Event ManagementPKI: Components & Applications
BusinessBusinessDriversDrivers
Business StrategiesIndustry Regulations
Acceptable Risk
People & People & OrganizationalOrganizationalManagementManagement
Organizational StructureFunctional DefinitionRoles and ResponsibilitiesSkills/Resource Plan
Security ArchitectureSecurity ArchitectureDesign, Deployment & OperationsDesign, Deployment & Operations
Processes andProcesses andOperational PracticesOperational Practices
Trust ManagementIncident & Response ManagementIdentity & Access MgmtKey ManagementPatch ManagementSecurity Awareness/EducationService Provider Management
Security MonitoringThreat ManagementVulnerability MgmtRisk Management3rd Party SecurityAsset ManagementConfiguration Mgmt
Information Security FrameworkSarbanes Oxley (SOX) Compliance with COSO Governance
Rules for SOX Compliance
Network and System Architecture and other Tools to Protect SOX data
Event Management
Practices for Supporting Operations on Systems Hosting SOX related applications
Practices for Monitoring the Effectiveness of IT Controls
Identification of SOX related data. and Where it Resides
Security Impact of Enterprise Network and System Architecture - Vulnerabilities on SOX supported systems
Method to Monitor and Maintain SOX Compliance
Technology Element of Information and Systems Management
Regulatory Compliance and Reporting Regulatory Compliance and Reporting Auditing and Validation Metrics Definition and Collection Reporting (management, regulatory, service provider) Program Quality
Security StructurePolicies
Technology-Independent Best Practices
Security,Security, Policies and Standards Policies and Standards
Technology Physical InformationAsset ProfileAsset Profile
Inventory, Ownership, Risk Assessment, Information Classification
TechnologyTechnologySpecificationsSpecifications
Virtual Private NetworkWireless SecurityPlatform HardeningIntrusion Detection SystemSecurity Event ManagementPKI: Components & Applications
BusinessBusinessDriversDrivers
Business StrategiesIndustry Regulations
Acceptable Risk
People & People & OrganizationalOrganizationalManagementManagement
Organizational StructureFunctional DefinitionRoles and ResponsibilitiesSkills/Resource Plan
Security ArchitectureSecurity ArchitectureDesign, Deployment & OperationsDesign, Deployment & Operations
Processes andProcesses andOperational PracticesOperational Practices
Trust ManagementIncident & Response ManagementIdentity & Access MgmtKey ManagementPatch ManagementSecurity Awareness/EducationService Provider Management
Security MonitoringThreat ManagementVulnerability MgmtRisk Management3rd Party SecurityAsset ManagementConfiguration Mgmt
Information Security FrameworkGramm-Leach-Bliley Act (GLBA) Compliance Risk Management, Efficiency Enhancement, Business
Process Enablement
Identification of PII and Where It Resides
Rules for Using and Protecting PII
Network and System Architecture and other Tools to Protect PII
Security Configuration and Management of Systems Hosting PII
Practices for Supporting Operations (Tape Backup, Application Execution, Etc.) on Systems Hosting PII
Roles, Responsibilities, and Practices for Handling and Using PII
Practices for Monitoring the Security and Use of PII
Rule for Protection and Use of Enterprise Information
Identification of Sensitive Business Information such as Legal, Financial, Strategic, HR, Etc. and Where it Resides
Security Impact of Enterprise Network and System Architecture - Vulnerabilities on non-PII systems may Expose PII
People Element of Information and Systems Management
Process Element of Information and Systems Management
Technology Element of Information and Systems Management
Method to Monitor and Maintain Architecture Integrity
Regulatory Compliance and Reporting Regulatory Compliance and Reporting Auditing and Validation Metrics Definition and Collection Reporting (management, regulatory, service provider) Program Quality
Security StructurePolicies
Technology-Independent Best Practices
Security,Security, Policies and Standards Policies and Standards
Technology Physical InformationAsset ProfileAsset Profile
Inventory, Ownership, Risk Assessment, Information Classification
TechnologyTechnologySpecificationsSpecifications
Virtual Private NetworkWireless SecurityPlatform HardeningIntrusion Detection SystemSecurity Event ManagementPKI: Components & Applications
BusinessBusinessDriversDrivers
Business StrategiesIndustry Regulations
Acceptable Risk
People & People & OrganizationalOrganizationalManagementManagement
Organizational StructureFunctional DefinitionRoles and ResponsibilitiesSkills/Resource Plan
Security ArchitectureSecurity ArchitectureDesign, Deployment & OperationsDesign, Deployment & Operations
Processes andProcesses andOperational PracticesOperational Practices
Trust ManagementIncident & Response ManagementIdentity & Access MgmtKey ManagementPatch ManagementSecurity Awareness/EducationService Provider Management
Security MonitoringThreat ManagementVulnerability MgmtRisk Management3rd Party SecurityAsset ManagementConfiguration Mgmt
Information Security FrameworkSupervisor Control and Data Acquisition (SCADA) Best Practice
Understand the business risk
Best Practice
Security Process Control
Establish Response Capabilities
Practices for Supporting Operations on Systems Hosting SCADA related applications
Identification of SCADA related technology.
Security Impact of Enterprise Network and System Architecture - Vulnerabilities on SCADA supported systems
Manage Third Party Risk
Technology Element of Information and Systems Management
Implement secure architecture
Improve Awareness and Skills
Regulatory Compliance and Reporting Regulatory Compliance and Reporting Auditing and Validation Metrics Definition and Collection Reporting (management, regulatory, service provider) Program Quality
Security StructurePolicies
Technology-Independent Best Practices
Security,Security, Policies and Standards Policies and Standards
Technology Physical InformationAsset ProfileAsset Profile
Inventory, Ownership, Risk Assessment, Information Classification
TechnologyTechnologySpecificationsSpecifications
Virtual Private NetworkWireless SecurityPlatform HardeningIntrusion Detection SystemSecurity Event ManagementPKI: Components & Applications
BusinessBusinessDriversDrivers
Business StrategiesIndustry Regulations
Acceptable Risk
People & People & OrganizationalOrganizationalManagementManagement
Organizational StructureFunctional DefinitionRoles and ResponsibilitiesSkills/Resource Plan
Security ArchitectureSecurity ArchitectureDesign, Deployment & OperationsDesign, Deployment & Operations
Processes andProcesses andOperational PracticesOperational Practices
Trust ManagementIncident & Response ManagementIdentity & Access MgmtKey ManagementPatch ManagementSecurity Awareness/EducationService Provider Management
Security MonitoringThreat ManagementVulnerability MgmtRisk Management3rd Party SecurityAsset ManagementConfiguration Mgmt
Information Security FrameworkPayment Card Industry (PCI) Compliance Info Security Policy
Identification of PCI and Where It Resides
Rules for Using and Protecting PCI Data
Network and System Architecture and other Tools to Protect PCI Data
Security Configuration and Management of Systems Hosting PCI Data
Vulnerability Management
Monitoring and Testing Controls
Protect Card Holder Data
Strong Access Controls
Secure Network
Method to Monitor and Maintain Architecture Integrity
Technology Element of Information and Systems Management
Roles, Responsibilities, and Practices for Handling and Using PCI Data
• Confidentiality – Ensuring that only authorized personnel have access to information
• Integrity – Ensuring that information is unchanged and accurate
• Availability – Ensuring that information is available to the user when it is needed
Confidentiality, Integrity and Availability
• Demonstrate support for, and commitment to, information security
• States policy across the entire enterprise • Broad statement of principle• Long term; changed infrequently• Few in overall number• Provide overall direction for the organization• Mandatory; require formal exception process• Process and technology independent• Require a high level of authority to create, change
or eliminate
Policies
• Suitable for complying with policies• Specify a course of action• Mandatory; require formal exception process• Process and technology independent• Mid-level authority required to create, change or
eliminate
Standards
• Process and/or technology dependent• Require a low level of authority to create, change or
eliminate• May have a high level of complexity• Generally apply enterprise-wide, with some exceptions
locally• May be situation-specific• May require formal exception process• They are detailed steps to be followed by users, system
operations personnel, or others to accomplish a particular task (e.g., preparing new user accounts and assigning the appropriate privileges).
Procedures / Guidelines
Policy, Standard, Procedure Framework
Policy, Standard, Procedure Framework
• Development: Planning and creation of the policy• Review: Assessment of the policy by an independent party• Approval: Authorizing implementation of the policy • Communication: Dissemination of policy to enterprise• Implementation: Initial execution of the policy • Compliance Monitoring: Tracking and reporting on the
effectiveness• Exception Approval: Evaluation, documentation and tracking
of exceptions• Maintenance: Ensuring currency
Policy Management / Administration
Provide simple, consistent and timely classification and authorization processes
Balance between protection of and access to an organization’s business information
Provide clear guidelines for employees and contractors for the classification and handling of information
Policy Management / Administration
Maintain an inventory of assets, link those assets to owners, and identify technologies supporting key applications or groups of applications
Enable organizations to track security controls implemented to protect assets
Monitor support of ongoing threats that may be introduced to the asset environment
Asset Management – Asset Inventory
• Multi-tiered centrally managed approach to Internet access
• All access to the Internet is controlled via password protected proxy devices that filter inappropriate content
• Third party connectivity is controlled via connections to distinct network segments
• Connections to the enterprise network are only made after a review of controls at connecting organization
Security ArchitectureDesign, Deployment, Operations
• Network-based intrusion detection in place for all external network connections
• Host-based intrusion detection in place for all business critical servers
• Production data is strictly segmented from development data
Security ArchitectureDesign, Deployment, Operations
• Multiple tiers of virus protection exist• All email is filtered through a virus scanner• All file servers and workstations are protected via a
managed (push-technology) virus protection solution• Encryption Standards are employed consistently across
enterprise• Only Standards Based Encryption is used• Centralized Directory (LDAP) in use
Security ArchitectureDesign, Deployment, Operations
• Business Continuity Management• Critical Business Process are identified and linked to
Applications• Business Applications are linked to IT Disaster Recovery
Plans• Incident Response
• Documented Incident Response Plans define roles and actions
• Ensure proper control of information released to public• Identity and Access Management
• Users are centrally managed• Tools may assist in user provisioning
Processes and Operational Practices
• Trust Management• Incident Reporting & Response Management• Identity & Access Mgmt• Key Management• Patch Management• Security Awareness/Education• Service Provider Management
Processes and Operational Practices
• Security Monitoring• Threat Management• Vulnerability Mgmt• Risk Management• Service Party Security (i.e., Verizon, HP, CSC)• Asset Management• Configuration Mgmt
Processes and Operational Practices
• All Major Platforms are identified• Minimum Security Baselines for Specific platforms in
use• Technical Specifications for technologies created
before implementation
Technical Specifications
• Virtual Private Network• Wireless Security• Platform Hardening• Intrusion Detection System• Security Event Management• PKI: Components & Applications• Security and Privacy in Cloud Management
Technical Specifications
Technical Security Standard for Unix (Solaris, Linux, AIX, HPUX) Technical Security Standards for AS400 Technical Security Standard for Firewalls Technical Security Standard for Routers Technical Security Standards for Oracle, SQL Technical Security Standards for Web Security Technical Security Standards for Citrix Technical Security Standards for Cryptography Technical Security Standards for System or Application
Development and Maintenance Technical Security Standards for Windows 2000, 2003, XP, Vista Technical Security Standards for Wireless
Technical Specifications
• Security concerns are issues of corporate governance• Identify and communicate high-level executive
sponsorship to manage information security risks• Recognize information security as a business issue
that requires people, technology, policy, and process to implement
Security Organization
• Structure is clearly defined and communicated in leading organizations
• Reporting levels are appropriately aligned and have appropriate authority
• Blends of both centralized and de-centralized security structure
• De-centralized business unit or functional security units are aligned with centralized corporate security function
Security Organization - Structure
• Measures effectiveness of security program• Gramm-Leach-Bliley Act (GLBA) Compliance• Sarbanes Oxley (SOX) Compliance with COSO• Payment Card Industry (PCI) Compliance• Supervisor or Control and Data Acquisition (SCADA) Best Practice
• Conducts compliance reviews across all domains of influence• Reports across the enterprise• Security audits performed on risk basis• Goals have been defined for projects
Security Program Compliance and Reporting
Determine the effectiveness and maturity of a various business supporting practices, processes, and management
Demonstrates where youare in the securitylifecycle
Organization will be able to visualize
– Exceeding expectations– Meeting requirements– Gaps in business needs
Information Security Lifecycle
Recommended