by Imran hameed

Organizational Aspects of Network Security


8/12/2019 Organizational Aspects of Network Security

http://slidepdf.com/reader/full/organizational-aspects-of-network-security 1/14



Aims & Objectives

• Evolution of Security
• Security Life Cycle
• Security program-defined
• Security Processes
• Policy Development
• Technical Controls
• Integrity Controls


Evolution of Security

Stages shown in the diagram:

• Technology
• Process
• People
• Management
• Strategy

Practices listed across the stages:

• Standards
• Guidelines
• Procedures
• Network perimeter
• Best effort security
• Education
• Awareness Training
• Policy
• Program Development
• Audit
• Policy Compliance
• Risk management
• Corporate alignment


Security Life Cycle

Plan
• Policy Development
• Security Posture Definition
• Security Program Development
• Business Continuity Planning
• Security Awareness Plan

Implement
• Firewall Integration
• Intrusion Detection
• Application Integration
• Authentication Systems

Monitor & Manage
• Security Monitoring & Management
• Patching/Updating/Upgrading
• Incident Response
• Disaster Recovery

Assess
• Perimeter Security Assessment
• Network Security Assessment
• Internal & External Audit
• Risk Management


Security Program - Defined

• Security is achieved by implementing appropriate controls in the form of
 – Policy,
 – Organizational structure &
 – Technology
in conjunction with the business objectives.


Security Processes

Administrative & Physical Security Processes
• Organization
• Policy
• Third Party Agreements
• Business Continuity Management
• Data & Asset Classification
• Awareness & Training
• Personnel Security
• Physical & Environment

Technical Security Processes
• Network Access Controls Policy
• System Access Controls
• Authentication
• Auditing, Monitoring & Response
• Operational Security
• Account Management
• System Integrity


Policy Development

IT Security Guiding Principles

• Commitment

• Classification

• Accountability

• Authority

• Responsibility

• Review


Policy Development

System & Issue Papers
• Network Security Policy
• Domain Security Policy
• Remote Access Policy
• Password Policy
• Virus & Content Security Policy

Host Data Sheets
• Host1 Security Data Sheet
• Host2 Security Data Sheet


Policy Framework


Technical Controls

• Authorization
• Access
• Audit & Monitoring


Authorization

• Based on Corporate Assets & Responsibilities Policy
• Access based on “Need to Know”
• System & Data Owners
 – Approval Authority
• IT Support Personnel
 – Granting Authority
• Separation of Duties


Access Controls

• Based on Classification Policy
• Least Privileged Model
• Layered Security
 – Physical Separation
 – Network Segmentation
 – Role-based Access Controls
 – Data Classification


Audit & Monitoring

• Centralized Logging
• Automated Monitoring & Notification
• Layered Security
 – Define security zones
 – Never allow direct access across 2 zones, e.g. Public to Classified
 – Reduces risk
• Response & Reporting
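The zone rule above (never allow direct access across two zones, e.g. Public to Classified), as an added example that is not part of the slides: a Python check that maps the endpoints of each allow rule to a zone and flags rules whose zones are more than one step apart. The zone ordering (Public, DMZ, Internal, Classified), the address ranges and the rule set are constructed assumptions, not values from the deck.

```python
"""Flag firewall allow rules that jump more than one security zone."""
from ipaddress import ip_address, ip_network

# Assumed zone ordering, least to most sensitive (the slides name only
# Public and Classified; DMZ and Internal are added here as an assumption).
ZONE_ORDER = ["Public", "DMZ", "Internal", "Classified"]

# Constructed zone-to-network mapping (sample values, not from the slides).
# Classified sits inside Internal's 10/8, so lookups use longest-prefix match.
ZONE_NETWORKS = {
    "Public": ["0.0.0.0/0"],
    "DMZ": ["192.0.2.0/24"],
    "Internal": ["10.0.0.0/8"],
    "Classified": ["10.99.0.0/16"],
}


def zone_of(ip: str) -> str:
    """Return the zone whose most specific prefix contains ip."""
    addr = ip_address(ip)
    best = None  # (zone, prefixlen) of the longest matching prefix so far
    for zone, nets in ZONE_NETWORKS.items():
        for cidr in nets:
            net = ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (zone, net.prefixlen)
    if best is None:
        raise ValueError(f"{ip} is in no defined zone")
    return best[0]


def zones_crossed(src_zone: str, dst_zone: str) -> int:
    """Number of zone steps between two zones; 1 is an adjacent hop."""
    return abs(ZONE_ORDER.index(src_zone) - ZONE_ORDER.index(dst_zone))


def check_rules(rules):
    """Return (rule name, src zone, dst zone) for every allow rule that
    crosses more than one zone boundary, i.e. direct access across 2 zones."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue  # deny rules cannot grant access, so they are not findings
        src, dst = zone_of(rule["src"]), zone_of(rule["dst"])
        if zones_crossed(src, dst) > 1:
            findings.append((rule["name"], src, dst))
    return findings


# Constructed sample rule set: one compliant hop, one DMZ-to-Internal hop,
# one Public-to-Classified jump that the slide's rule forbids, one deny.
SAMPLE_RULES = [
    {"name": "web-in", "action": "allow", "src": "203.0.113.7", "dst": "192.0.2.10"},
    {"name": "dmz-to-app", "action": "allow", "src": "192.0.2.10", "dst": "10.1.2.3"},
    {"name": "public-to-vault", "action": "allow", "src": "203.0.113.7", "dst": "10.99.4.5"},
    {"name": "deny-all", "action": "deny", "src": "0.0.0.0", "dst": "10.99.0.1"},
]

if __name__ == "__main__":
    for name, src, dst in check_rules(SAMPLE_RULES):
        print(f"{name}: {src} -> {dst} crosses more than one zone")
```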


Integrity Controls

Anti-virus

Patch Management

Change Management

Standard Configurations

Software Life-Cycle