Administrating Security
Security Planning
• comparison of security planning and strategy
• focus on procedure
• e.g. how much is spent on the project
• targets to be achieved
• who is involved
• whether only the IT department implements the strategic plan
A security plan covers:
• Risk analysis
• Security policies
• Resource allocation: how to allocate time (testing, configuration), money/budget and human resources
• Accountability
• Timetable
• Continuing attention
Security Planning - Policy
Who should be allowed access?
To what system and organizational resources should access be allowed?
What is the organization's commitment to security?
OCTAVE Methodology
(Operationally Critical Threat, Asset, and Vulnerability Evaluation)
http://www.cert.org/octave/
Planning team members:
Systems programmers
Application programmers
Representative users
Security Planning
Assuring Commitment to a Security Plan
Business Continuity Plans
• Assess Business Impact
• Develop Strategy
• Develop Plan
Incident Response Plans
• Advance Planning
• Response Team
• After the Incident is Resolved
Risk Analysis
Risk impact – the loss associated with an event
Risk probability – the likelihood that the event will occur
Risk Analysis – risk reduction
Avoid the risk
Transfer the risk
Assume the risk and absorb the costs
Project the annual savings of each control
Identify Assets
Hardware
Software
Data
People
Procedures (policies, training)
Documentation
Supplies
Infrastructure (building, power, water,…)
Determine Vulnerabilities
Asset      | Confidentiality | Integrity | Availability
Hardware   |                 |           |
Software   |                 |           |
Data       |                 |           |
People     |                 |           |
Procedures |                 |           |
(each cell lists the vulnerabilities that threaten that property of that asset)
Determine Vulnerabilities
What are the effects of unintentional
errors?
What are the effects of willfully
malicious insiders?
What are the effects of outsiders?
What are the effects of natural and
physical disasters?
Risk Analysis
Estimate Likelihood of Exploitation
• Classical probability
• Frequency probability (simulation)
• Subjective probability (Delphi approach)
Compute Expected Loss (look for hidden costs)
• Legal obligations
• Side effects
• Psychological effects
Risk Analysis
Survey and Select New Controls
• What Criteria Are Used for Selecting Controls?
Vulnerability Assessment and Mitigation (VAM)
Methodology
• How Do Controls Affect What They Control?
• Which Controls Are Best?
Project Savings
• Do the costs outweigh the benefits of preventing or mitigating the risks?
Arguments for Risk Analysis
Improve awareness
Relate security mission to
management objectives
Identify assets, vulnerabilities, and
controls
Improve basis for decisions
Guide new employees
Security Policies
Audience
• Users
• Owners
• Beneficiaries
Realism
Usefulness
Examples
Physical Security
Natural Disasters
• Flood
• Fire
• Other
Power Loss
• UPS; surge suppressors (line conditioners)
Human Vandals
• Unauthorized Access and Use
• Theft
Physical Security
Interception of Sensitive Information
• Dumpster diving – countermeasure: shredding
• Remanence (slack bits) – data that survives deletion; countermeasures:
Overwriting magnetic data (DiskWipe)
Degaussing
• Emanation – TEMPEST
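Overwriting is the software-side answer to remanence, and its limits are worth seeing in code. The block below is an added example, not a tool from the slides: it overwrites a file's bytes in place (random passes, then zeros), forces each pass to disk with fsync, and then deletes the file. The `demo` function plants a constructed secret in a temporary file and checks that the logical file content no longer contains it. The caveats in the docstring are the reason degaussing and physical destruction remain on the list for magnetic media: an in-place overwrite only reaches the original sectors when the file system rewrites in place.

```python
"""Overwrite a file's contents before deleting it (added example, not from the slides)."""
import os
import secrets
import tempfile


def overwrite_file(path: str, passes: int = 3, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of the file `passes` times: random data on all but the
    last pass, zeros on the last. Each pass is flushed and fsync'ed so the data
    reaches the device rather than sitting in the page cache.
    Returns the number of bytes overwritten per pass.

    Caveats: the overwrite lands on the original sectors only if the file system
    rewrites in place. Copy-on-write and journaled file systems, snapshots and
    SSD wear levelling can leave the old blocks intact; slack space beyond the
    logical end of the file and earlier, longer versions of the file are not
    touched at all. For magnetic media that matters, degauss or destroy instead.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            last = p == passes - 1
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(b"\x00" * n if last else secrets.token_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def overwrite_and_delete(path: str, passes: int = 3) -> int:
    """Wipe the contents, then unlink the name. Returns bytes overwritten per pass."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


def demo() -> bool:
    """Plant a constructed secret, wipe it, and confirm the file now reads back as
    zeros with no trace of the secret (at the logical-file level; see caveats)."""
    secret = b"ACCOUNT=4111-1111-1111-1111 PIN=0420\n" * 200   # constructed sample data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    overwrite_file(path, passes=2)
    with open(path, "rb") as f:
        after = f.read()
    os.remove(path)
    return after == b"\x00" * len(secret) and b"4111" not in after


if __name__ == "__main__":
    print("wiped logical contents:", demo())
```

Note that the check in `demo` only reads the file back through the file system; it says nothing about what a forensic read of the raw device, the journal or a snapshot would recover, which is exactly the gap that remanence describes.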
Contingency Planning
BACKUP!!!!!
• Complete backup
• Revolving backup
• Selective backup
OFFSITE BACKUP!!!!!
Networked Storage (SAN)
Hot site