Information Security Management

Workshop Agenda
• Understanding your Information Security Environment
• Service Management & Risk Identification
• Understanding your Risk Environment
• Managing the Risk – Compliance Management
• Information Security Plans
Workshop Theme
• Management
• Staff and
• Customers
“Need to Know” ?
“The Need to Know” ?

Understanding Your Information Environment
Enterprise Level Information Environment
• If you can’t map your system you can’t secure your data
• Your system is bounded by your data model
• What do you protect?
– The data in the system
• The system is more than the static ICT elements:
– Paper
– Media – removable
– Knowledge – people
– Communications – internet, phone, mobile, fax etc
“The Need to Know” ?

Understanding Your Information Security Environment

What is Information Security ?
• Organisations which collect and store data about:
– Customers, Staff, Key business processes (IP)
• Must be able to demonstrate effective security measures
• Ensure that personal information is accurate and up to date
• Security - the key to retain the confidence of key stakeholders
“If you can’t secure data
you can’t measure quality and you can’t improve integrity”

What is Information Security ?
“Information Security” is a combination of:
• Communications security (Comsec)
• Computer security (Compusec)
Ref: Australian National Computer Security and Information Security Authority The Defence Signals Directorate
What is Information Security ?
• “Confidentiality” – ensuring that information is available only to those people properly authorized to receive it
• “Integrity” – ensuring that information has not been changed or tampered with
• “Availability” – ensures that communications and computing systems are not disrupted in their normal operations

What is Information Security ?
• Authentication – ensures that a person accessing or providing information is actually who they claim to be
• Non-repudiation – ensures that a person is not able to deny the receipt of information if they have received it
• These factors are rapidly growing in importance – our day-to-day business is increasingly conducted by electronic means
QUESTIONS?

“The Need to Know” ?

Service Management & Risk Identification

Service Delivery Management System
• Strategies - Policy implementation (business drivers) e.g. Resolution Management at the system level
• Plans - Example - What is resolution management, How it will be implemented, Who is responsible e.g. helpdesk manager (reviewed annually)
• Processes - Process flows of the Resolution Process (Flowcharts)
• Procedures - Detailed process charts
• Handbooks - Functional Client/Practitioner Perspective e.g. Help desk scripts
Service management processes (figure):
• Service Delivery Processes – Capacity Management, Service Level Management, Service Reporting, Information Security Management, Service Continuity and Availability Management, Budgeting and Accounting for IT services
• Control Processes – Configuration Management, Change Management
• Release Process – Release Management
• Relationship Processes – Business Relationship Management, Supplier Management
• Resolution Processes – Incident Management, Problem Management
Service Management - Risk Identification
• ICT Service Management includes
– Security Management
• Effective Security Management requires a holistic approach
• IT&C Security Management Framework
– ensure effective management of all security functions
– security risk management
– security related management reporting
– requirements of PSM and Australian Standards

Service Management - Risk Identification
• Effective Information Security Management System is characterised by the Plan, Do, Check, Act (PDCA) process model
• Alignment of Service and Security management functions will ensure
– a seamless transition of service incidents through the resolution process
– to achieve timely response and
– detection of risks which will ensure improved protection of the Agency and networks
Service Management - Risk Identification
The Plan-Do-Check-Act (PDCA) methodology:
• Plan: establish the objectives/processes used to deliver results to meet customer requirements and the organization’s policies
• Do: implement the processes
• Check: monitor and measure processes/services against policies, objectives and requirements and report the results
• Act: take actions to continually improve process performance
Service Management - Risk Identification
• Service Management resolution processes:
– Include Incident and Problem Management
• The relationship between Service incidents and Security incidents is fundamental to the
– Detection
– Recording
– Investigation
– Resolution of security incidents
• Service and Security incidents may impact on the efficiency of networks - may represent a risk

Service Management - Risk Identification
Service and Security incident / Risk detection
• Timely detection of Service and Security incidents
– essential to avert damage or
– disruption to services
• Resolution of Service delivery issues starts in the Helpdesk First Line response to incidents
• Challenge - Capture of Issues or Possible Risks at the Helpdesk

Service Management - Risk Identification
Risk identification
• Resolution is achieved by the Helpdesk
– incident is closed
– Resolution Process is deemed complete
• Detection of risks to the network or system may also be initiated at the incident recording stage by the Helpdesk
• Development of a comprehensive assessment method to detect the characteristics of incidents
• Avert realisation of risks to the network or organization
QUESTIONS?

“The Need to Know” ?

Understanding your Risk Environment

Risk Management Environment
Discover environmental data:
• What data do you hold?
• Where is the information?
• Where does the data reside?
• Interfaces?
• Who has access to your information?
• What are the boundaries of your system?
Is information security about Computers or Information ?

Risk Management System
• Determining the level of risk - achieved by
– comparing the relationship between the threats to information and assets
– the known security weaknesses or vulnerability of information technology systems
• The level of acceptable risk
– a managerial decision based on the information and recommendations provided in the risk assessment
Dynamic Risk Management Systems
Establish the Context
• Define relationship with other systems
• Identify assets
• Establish risk criteria
Risk Identification
• Identify the risks to be managed
• Determine what to protect against (Threats)
• Determine who to protect against

Dynamic Risk Management Systems
Risk Analysis
• Analyze risks to be managed
• Estimate likelihood and consequence
• Determine context against management/control measures
• Assess existing/proposed security measures
• Determine vulnerability and acceptable risk

Dynamic Risk Management Systems
• Risk Evaluation and Treatment
– Compare assessed risks against risk criteria
– Consider treatment options
• Recommendations
– Identify the steps to be taken to manage the accepted or residual risks

Risk Assessment
• Do you understand your information system?
• Risk Assessment will reveal a detailed view of your information environment
– Establish the boundaries of your system
– Identify your information inventory
– Identify and value your critical data sets
– Establish the risks to your information system

Risk Assessment
• The risk assessment process - converting subjective risks into objective harms
• Harms to your information system can be assessed, analysed and measured.
• Risk is assessed against the likelihood and consequence of compromising:
– Confidentiality
– Integrity
– Availability of your information
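As an added illustration (not from the workshop slides) of the likelihood-and-consequence analysis, the comparison against risk criteria, and the treatment step described in the Dynamic Risk Management Systems and Risk Assessment slides, a small risk register in Python. The 5x5 scoring matrix, the asset names, the threats and the acceptable-risk threshold are constructed assumptions, not figures from the workshop.

```python
# Added example: a minimal risk register that rates each (asset, threat,
# CIA property) entry from its likelihood and consequence scores, compares
# the rating against an acceptable-risk criterion set by management, and
# returns the risks that still need treatment. Scale and data are constructed.
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High", "Extreme")  # ordered risk criteria


def rate(likelihood: int, consequence: int) -> str:
    """Map likelihood (1-5) and consequence (1-5) scores to a risk level.

    The thresholds form an assumed 5x5 matrix: product >= 15 is Extreme,
    >= 10 High, >= 5 Moderate, otherwise Low.
    """
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be in 1..5")
    score = likelihood * consequence
    if score >= 15:
        return "Extreme"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Moderate"
    return "Low"


@dataclass
class Risk:
    asset: str
    threat: str
    cia: str          # which property is compromised: C, I or A
    likelihood: int
    consequence: int  # harm if this property of the asset is compromised


def evaluate(register, acceptable="Moderate"):
    """Return (risk, level) for every entry rated above the acceptable level."""
    limit = LEVELS.index(acceptable)
    return [(r, lvl) for r in register
            if LEVELS.index(lvl := rate(r.likelihood, r.consequence)) > limit]


SAMPLE_REGISTER = [  # constructed sample data, threats taken from the slides
    Risk("Customer database", "Unauthorised release of data", "Confidentiality", 3, 5),
    Risk("Customer database", "Data entry error", "Integrity", 4, 2),
    Risk("Helpdesk system", "Failure of power", "Availability", 2, 3),
    Risk("Paper records", "Fire", "Availability", 1, 4),
]

if __name__ == "__main__":
    for risk, level in evaluate(SAMPLE_REGISTER):
        print(f"{level:8} {risk.asset}: {risk.threat} ({risk.cia}) - treatment required")
```

Lowering the acceptable level passed to evaluate() widens the treatment list, which is the managerial decision the Risk Management System slide describes.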
Threats to Information Assets
Threats that can impact on the Confidentiality, Integrity and Availability of an Information System include the following generic threats:
• Accidental Threats
– Fire
– Programming error
– Technical (hardware) failure
– Data entry error
– Environmental
– Failure of power

Threats to Information Assets
• Deliberate Threats including:
– Denial of Service
– Eavesdropping
– Malicious code - virus
– Malicious code - logic
– Malicious destruction of data
– Malicious destruction of facilities
– Unauthorised access to data
– Unauthorised release of data

QUESTIONS?

“The Need to Know” ?

Managing the Risk
Compliance Management

Compliance Obligations
• Handle all information with care
– all information that an employee or contractor accesses must be handled according to policy
– official information, personal information (Privacy Act)
• Information must only be used for the purpose stated by the agency or organization - any other use is misuse
• Information must be secured appropriately - sound security risk management
– Procedures to identify Vital information and information resources
• Risks must be reduced to an acceptable level
Compliance Obligations
• The Integrity and reliability of information systems which process, store or transmit information - require some level of protection
• Some Government information (official information) is given a security classification where its compromise could cause harm to the nation, the public interest, the Government or other entities or individuals
• Specific security measures must be followed
QUESTIONS?

Information Security Plans
• If you can’t map your system you can’t secure your data
• Your system is bounded by your data model
• What do you protect?
– The data in the system
• The system is more than the static ICT elements:
– Paper
– Media – removable
– Knowledge – people
– Communications – internet, phone, mobile, fax etc

Information Security Plans
Aim: Provide an effective, integral and available information system and resource by:
• Incorporating security into every facet of the architecture, design and operation of the System environment
• Establishing a Security Management Strategy
• Developing Security Standards
Information Security Plans
Development of Information Security Plans requires a good understanding of your data
• Step 1 Understand your information (Data)
• Step 2 Understand your Information System
• Step 3 Map your system boundaries - SAPP (Security Architecture and Policy Plan)
Information Security Plans
Step 4 - Develop an Information Security (IS) Policy
Step 5 - Develop an Information Security (IS) Plan
Step 6 - Develop / implement Risk Management System
Step 7 - Establish an IS Education Program
Information Security Plans
Implement Security System
Implement Compliance Management System
Implement Security Education and Awareness Program
Outcome
Protecting information against unauthorized disclosure, fraud, loss, damage or theft
QUESTIONS?