security management INFOSYS 6828
This 6-page set of class notes was uploaded by Frederick Notetaker on Tuesday, February 9, 2016. The notes belong to INFOSYS 6828 at the University of Missouri - St. Louis, taught by Dr. Shaji Khan in Spring 2016. Since its upload, it has received 81 views.
Date Created: 02/09/16
InfoSec Management – Frameworks & Standards Overview

Major InfoSec Management Frameworks
- ISO/IEC ISMS Family of Standards
- COBIT 5 for Information Security
- NIST – SP 800-100 and related
- Others: Information Security Forum – Standard of Good Practice; PCI-DSS

Major InfoSec Management Frameworks – ISO/IEC ISMS Family
- ISO/IEC Information Security Management System (ISMS) Family of Standards
  - ISO: International Organization for Standardization
  - IEC: International Electrotechnical Commission
- Under a Joint Technical Committee (JTC), experts from these organizations drafted a series of standards that pertain to Information Security Management
- ISO/IEC 27000 provides an overview of this family
- ISO/IEC 27001 provides normative requirements that, if followed, give an organization the opportunity to be “ISO/IEC 27001 Certified”
- ISO/IEC 27002 provides 114 controls that organizations could implement to protect information assets

ISO/IEC Links
- What is a Management System Standard by ISO?
- Documentation for ISO standards is not free
- You can get the overview standard (27000) from here: http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html (look for ISO/IEC 27000:2014 and download the zip file)
- You can see a “preview of 27001” here (scroll down and look for the preview link)
- ALL standards published by the ISO/IEC JTC 1/SC 27 subcommittee called “IT Security Techniques”: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_tc_browse.htm?commid=45306&published=on

Major InfoSec Management Frameworks – COBIT 5 for Information Security
- COBIT: Control Objectives for Information and Related Technology
- COBIT 5: a broader business framework for the Governance and Management of Enterprise IT
- One of the areas COBIT 5 focuses on is Information Security
- It is created by ISACA (previously known as the Information Systems Audit and Control Association; ISACA now goes by its acronym only)
- ISACA also offers certifications: Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA)

COBIT 5 Links
- COBIT 5 Overall Framework: check out Additional Resources to get an overview
- COBIT 5 for Information Security: look for the “preview” PDF or see the introduction PowerPoint
- A simple overview of COBIT 5 for InfoSec

NIST – Computer Security Division – Guidelines
- NIST (National Institute of Standards and Technology)’s Computer Security Division develops a variety of Standards, Guidelines, and Recommendations related to InfoSec
- NIST CSRC Publications
- A broad set of guidelines is presented in NIST Special Publication SP 800-100: Information Security Handbook: A Guide for Managers
- This framework addresses major management aspects such as governance, risk management, planning, controls, etc.

Other Frameworks/Standards/Best Practices
- Information Security Forum: The Standard of Good Practice for Information Security
- Payment Card Industry Data Security Standard (PCI-DSS)
  - Not really a framework but a standard that specifies controls to be implemented by any entity that deals with payment card data
  - Started by Visa, MasterCard, Discover, JCB, and American Express

Managing InfoSec: The basic idea
- We have “valuable” information assets that need protection
- Our assets face “risks” because of inherent vulnerabilities in our “systems” that create, process, store, and communicate information
- Risks are present because “threats” can exploit vulnerabilities to cause breaches in CIA
- So, we systematically identify, assess, and evaluate risks
- Treat unacceptable levels of risk by applying suitable controls to prevent breaches
- BUT as circumstances related to our assets and the threats change, we need to perform these activities continuously

Information Security Management System (ISMS)
- An ISMS is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives
- It is based upon a risk assessment and the organization’s risk acceptance levels, designed to effectively treat and manage risks
- It consists of policies, procedures, guidelines, resources, and activities
- Key activities include:
  - RISK MANAGEMENT
  - SELECTION AND IMPLEMENTATION OF CONTROLS BASED ON INPUT FROM RISK MANAGEMENT PROCESSES

Step 1: Identifying information security requirements
- Identify InfoSec requirements based on an understanding of: identified information assets and their value; business needs for information processing, storage and communication; and legal, regulatory, and contractual requirements
- Example: A “doctor's office” has a Patient Billing Management System (software app) that sits on a local Windows 2003 Server (software and hardware)
  - We need to enter patient billing information, and then it needs to be shared with insurance companies for payment
  - Among CIA, integrity of this data is most important to us, followed by confidentiality. We could live with a downtime of a day (availability)
  - However, due to HIPAA regulations and our contracts with other hospitals/providers, we also have to strictly enforce confidentiality

Step 2: Assessing information security risks (Risk Assessment)
- Identify InfoSec Risks: look at our assets, their vulnerabilities, and potential threats to clearly identify risks
  - Disgruntled billing clerk could intentionally modify billing data
  - Hackers could exploit known vulnerabilities in Windows Server
- Analyze InfoSec Risks: systematically figure out the nature and magnitude of each risk
  - 10% probability that the billing clerk acts crazy
  - Could result in $10,000 damage per incident
  - Risk = 0.1 * 10000 = $1000 per incident
- Evaluate InfoSec Risks: compare the estimated risks from our earlier analysis with certain risk criteria (that we developed) to determine if the risk is acceptable/tolerable
  - Criteria: anything less than $5000 is not worth it
  - For the above risk, simply “accept it” and do nothing
- Risk Treatment: based on our risk evaluations, we must figure out how to “treat” each risk
  - Simply accept it (Risk Acceptance)
  - Avoid risks by not allowing actions that would cause the risks to occur (Risk Avoidance)
  - Share the associated risks with other parties, e.g. insurers or suppliers (one reason for outsourcing!!!) (Risk Transfer)
  - Apply appropriate controls to reduce the risks (Risk Mitigation)

Step 3: Select and Implement Appropriate Controls
- Controls: countermeasures that modify risk; they include any process, policy, device, practice, or combination of efforts geared toward reducing the risks to an acceptable level
- Controls may not always exert the intended or assumed modifying effect
- Example (continuing our doctor's office scenario):
  - Technical control: upgrade to Windows 2012 R2 Server, keep it well patched, etc.
  - Administrative control: any major (say $5000 or more) change in the billing system needs approval from two people
- Controls should be aligned with: requirements and constraints of national and international legislation and regulations; organizational objectives; operational requirements and constraints; and their cost of implementation and operation in relation to the risks being reduced, remaining proportional to the organization’s requirements and constraints
- The selection and implementation of controls should be documented within a statement of applicability to assist with compliance requirements
- ISO/IEC 27002 provides a list of 114 specific controls grouped under 14 categories

Step 4: Monitor, maintain and improve the effectiveness of the ISMS
- Monitor and assess ISMS performance against organizational policies and objectives
- This implies we need to have strong metrics to measure ISMS performance
- Focus on continuous improvement: seeking opportunities for improvement and not assuming that existing management activities are good enough or as good as they can be

Some Critical Success Factors in Implementing an ISMS that meets Organizational Objectives
- information security policy, objectives, and activities aligned with business objectives
- an ISMS approach and framework consistent with the organizational culture
- visible support and commitment from all levels of management, especially top management
- an understanding of information asset protection requirements achieved through the application of information security risk management (see ISO/IEC 27005)
- an effective information security awareness, training and education program for all stakeholders (with motivation to act)
- an effective information security incident management process
- an effective business continuity management approach
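The risk analysis, evaluation and control-proportionality steps (Steps 2 and 3) of the doctor's office scenario, carried out over a small risk register as an added example that is not part of the notes. The clerk risk figures and the $5000 criterion come from the notes; the Windows Server risk figures and every control cost and effectiveness value are constructed assumptions.

```python
"""Risk register for the doctor's-office scenario; added example, figures beyond the clerk risk are constructed."""
from dataclasses import dataclass
from typing import Optional

ACCEPTANCE_THRESHOLD = 5000.0  # the notes' criterion: anything under $5000 is simply accepted


@dataclass
class Risk:
    name: str
    probability: float  # likelihood that the threat exploits the vulnerability (per year)
    impact: float       # damage per incident, in dollars

    def expected_loss(self) -> float:
        """Risk = probability * impact, as in the notes (0.1 * 10000 = 1000)."""
        return self.probability * self.impact


@dataclass
class Control:
    name: str
    kind: str             # "technical" or "administrative"
    cost: float           # implementation plus operation cost for the period (constructed)
    effectiveness: float  # fraction by which the control lowers the probability, 0..1 (constructed)


def residual_loss(risk: Risk, control: Control) -> float:
    """Expected loss left after the control; controls rarely remove a risk entirely."""
    return risk.probability * (1.0 - control.effectiveness) * risk.impact


def treatment(risk: Risk, control: Optional[Control], threshold: float = ACCEPTANCE_THRESHOLD) -> str:
    """Accept below the criterion; otherwise mitigate only if the control is proportionate
    (loss avoided exceeds its cost); if not, the risk has to be transferred or avoided."""
    loss = risk.expected_loss()
    if loss < threshold:
        return "accept"
    if control is not None and loss - residual_loss(risk, control) > control.cost:
        return "mitigate"
    return "transfer or avoid"


CLERK = Risk("disgruntled clerk modifies billing data", 0.10, 10_000)             # figures from the notes
SERVER = Risk("known Windows Server 2003 vulnerability exploited", 0.40, 30_000)  # constructed figures
UPGRADE = Control("upgrade to Windows 2012 R2 and patch", "technical", 4_000, 0.75)           # constructed
DUAL_APPROVAL = Control("two-person approval for changes >= $5000", "administrative", 500, 0.6)  # constructed


def evaluate_register() -> dict:
    """Statement-of-applicability style summary: the treatment decided for each risk."""
    return {CLERK.name: treatment(CLERK, DUAL_APPROVAL), SERVER.name: treatment(SERVER, UPGRADE)}
```

The clerk risk ($1000 expected loss) falls under the criterion and is accepted exactly as the notes decide, while the constructed server risk ($12,000) exceeds it and the upgrade is chosen because the $9000 of loss it avoids outweighs its $4000 cost.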