Lecture 2 (03-02-2020)
Information Security Management
Dr. Muhammad Nadeem Sial
muhammad.sial@kcl.ac.uk, nadeem_606@yahoo.com
Course Outline
• Information Security Governance & Risk Management
• Cryptography
• Access Control
• Telecommunication and Network Security
• Software Development Security
• Security Architecture & Design
• Operations Security
• Business Continuity & Disaster Recovery Planning
• Legal, Regulations, Investigations and Compliance
• Physical (Environment) Security
Course Outline (CISSP Study Guide, 7th Edition, by James Michael Stewart)
• Info Security Governance & Risk Mgt
  • Chapter 1: Security Governance Through Principles and Policies
  • Chapter 2: Personnel Security and Risk Mgt Concepts
  • Chapter 5: Protecting Security of Assets
• Cryptography
  • Chapter 6: Cryptography and Symmetric Key Algorithms
  • Chapter 7: PKI and Cryptographic Applications
• Access Control
  • Chapter 13: Managing Identity and Authentication
  • Chapter 14: Controlling and Monitoring Access
• Telecommunication and NW Security
  • Chapter 11: Secure Network Architecture and Securing Network Components
  • Chapter 12: Secure Comm and Network Attacks
• Software Dev Security
  • Chapter 20: Software Dev Security
  • Chapter 21: Malicious Code and Application Attacks
• Security Architecture & Design
  • Chapter 8: Principles of Security Models, Design & Capabilities
  • Chapter 9: Security Vulnerabilities, Threats and Countermeasures
  • Chapter 15: Security Assessment and Testing
• Operations Security
  • Chapter 16: Managing Security Operations
• Business Continuity & Disaster Recovery Planning
  • Chapter 3: Business Continuity Planning
  • Chapter 17: Preventing and Responding to Incidents
  • Chapter 18: Disaster Recovery Planning
• Legal, Regulations, Investigations and Compliance
  • Chapter 4: Laws, Regulations, and Compliance
  • Chapter 19: Investigations and Ethics
• Physical (Environment) Security
  • Chapter 10: Physical Security Requirements
Course Outline (ISM Standards)
• FIPS-140-2 (Radio Encryptors, Crypto Modules, IP Encryptor, Encryption Boards, Secure USB / Token, Secure Gateway)
• Common Criteria (IDS, IPS, OS, Firewall, Router, Trusted computing, Enterprise Security Mgmt Access Control, VoIP, IPE, Mobile Devices, Biometric Verification Mechanisms)
• Security & Audit Frameworks, Methodologies and Architecture
  • ISO 27001:2013 & 2005
  • CoBIT
  • COSO
  • NIST SP 800-53, Minimum Security Controls for Federal IT Systems
  • SABSA (Zachman Framework)
  • ToGAF
• Risk Assessment Methodologies / Risk Analysis & Management
  • SP 800-30: Risk Management Guide for IT Systems
  • ISO 27005, IT Security techniques, Information security risk mgmt
  • ISO 31000 Risk Management
  • CCTA Risk Analysis & Management Method (CRAMM)
  • SP 800-37, Guidelines for the Security Certification and Accreditation of Federal IT Systems
• NIST SP 800-160 Volume 1 (NIST 800-64), Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
• Operationally Critical Threat Asset Vulnerability Evaluation (OCTAVE)
• Information Technology Infrastructure Library (ITIL) - Best practices for IT Service Management by UK government
• Security Models
  • Special Publication 800-27, Engg Principles for Information Tech Security (EP-ITS), NIST 33 Security Principles
  • ISO/IEC 17799 or BS 7799: Information Technology – Code of Practice for Information Security Management
  • RFC 2196, Site Security Handbook
  • SP 800-12, Computer Security Handbook
  • SP 800-14, Generally Accepted Security Principles & Practices
  • SP 800-18, Guide for Developing Security Plans
  • SP 800-26, Security Self-Assessment Guide-IT Systems
  • VISA International Security Model
Course Outline (ISM Standards), grouped by area (figure)
• Common Criteria: IDS, IPS, OS, Firewall, Router, Trusted computing, Enterprise Security Management Access Control, VoIP, IP Encryptor, Mobile Devices, Biometric Verification Mechanisms
• FIPS-140-2: Radio Encryptors, Crypto Modules, IP Encryptor, Encryption Boards, Secure USB / Token, Secure Gateway
• Phases of System Development Life Cycle (SDLC): NIST SP 800-160 Volume 1 (NIST 800-64); Operationally Critical Threat Asset Vulnerability Evaluation (OCTAVE); Information Technology Infrastructure Library (ITIL) - Best practices for IT Service Management by UK government
• Risk Assessment Methodologies / Risk Analysis & Management: SP 800-30, ISO 27005, ISO 31000 Risk Management, CCTA Risk Analysis & Management Method (CRAMM)
• Security & Audit Frameworks, Methodologies and Architecture: ISO 27001, CoBIT, COSO, NIST 800-53, SABSA (Zachman Framework), ToGAF
Projects & Case Studies
• Topic Proposal & Approval
  • Submit your proposed topic with objectives / scope / selected organization / system for the case study
  • Select an organization / system to apply the selected topic to for the case study
  • Deadline: 17 Feb, 2020
• Case Study
  • Study relevant documents / standards
  • Study the overall organizational IS architecture / system security architecture
  • Apply the selected standard for organization / system assessment
  • Weaknesses? Suggestions? Improvements?
• Project Report
  • Prepare results, vulnerabilities, suggestions and assessment along with recommendations
  • Deadline: 2 weeks after the Mid Term Exam
• Presentation
  • The presentation will be 15-20 minutes
  • After the presentation there will be a 5 minute question & answer session
Information Security Management: Introduction
Threat Modeling
Risk Management
Risk Management Cycle (figure): Identify the Risk Areas → Assess the Risks → Develop Risk Management Plan → Implement Risk Management Actions → Re-evaluate the Risks → back to Identify the Risk Areas. The figure groups the steps under two headings, Risk Assessment and Risk Control (Mitigation).
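As an added worked example (not part of the lecture slides), the cycle above run over a small constructed risk register in Python: risks are identified, assessed on an assumed 5-point likelihood × impact scale, treated with a constructed control catalogue, and re-evaluated so that any residual risk still above the organisation's appetite goes round the cycle again. The scale, the level thresholds, the assets, threats and control effects are all illustrative assumptions, not material from the lecture.

```python
"""Risk management cycle on a small, constructed risk register.

Added example following the five steps of the cycle: identify the risk
areas, assess the risks, develop a risk management plan, implement the
actions, re-evaluate. The 5-point likelihood x impact scale, the level
thresholds, the assets, threats and control effects are all assumptions
made for illustration, not taken from the lecture.
"""
from __future__ import annotations

from dataclasses import dataclass, field

RANK = {"low": 0, "medium": 1, "high": 2}


def rate(score: int) -> str:
    """Map a likelihood x impact score (1..25) to a level (assumed thresholds)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain)
    impact: int                          # 1 (negligible) .. 5 (severe)
    controls: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        return rate(self.score)


# Constructed control catalogue: name -> (likelihood delta, impact delta).
CONTROL_EFFECT = {
    "parameterised queries + input validation": (-2, 0),
    "database encryption at rest + tested backups": (0, -1),
    "MFA on VPN logins": (-3, 0),
    "rate-limit VPN authentication": (-1, 0),
}

# Which controls treat which threat (constructed).
TREATMENTS = {
    "SQL injection through the web app": [
        "parameterised queries + input validation",
        "database encryption at rest + tested backups",
    ],
    "credential stuffing (no MFA)": [
        "MFA on VPN logins",
        "rate-limit VPN authentication",
    ],
}


def identify_risks() -> list[Risk]:
    """Step 1: identify the risk areas (constructed sample register)."""
    return [
        Risk("customer database", "SQL injection through the web app", 4, 5),
        Risk("remote-access VPN", "credential stuffing (no MFA)", 4, 4),
        Risk("office printers", "firmware tampering", 2, 2),
    ]


def assess_risks(register: list[Risk]) -> list[Risk]:
    """Step 2: score every risk and order the register, highest first."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def develop_plan(assessed: list[Risk], appetite: str = "low") -> dict[str, list[str]]:
    """Step 3: every risk above the appetite gets the controls that treat it."""
    return {r.threat: TREATMENTS.get(r.threat, [])
            for r in assessed if RANK[r.level] > RANK[appetite]}


def implement_actions(register: list[Risk], plan: dict[str, list[str]]) -> None:
    """Step 4: apply the planned controls, lowering likelihood/impact in place."""
    for r in register:
        for name in plan.get(r.threat, []):
            d_like, d_imp = CONTROL_EFFECT[name]
            r.likelihood = max(1, r.likelihood + d_like)
            r.impact = max(1, r.impact + d_imp)
            r.controls.append(name)


def reevaluate(register: list[Risk], appetite: str = "low") -> list[Risk]:
    """Step 5: residual risks still above appetite go round the cycle again."""
    return [r for r in assess_risks(register) if RANK[r.level] > RANK[appetite]]


def run_cycle(appetite: str = "low") -> tuple[list[Risk], dict[str, list[str]], list[Risk]]:
    register = identify_risks()
    plan = develop_plan(assess_risks(register), appetite)
    implement_actions(register, plan)
    return register, plan, reevaluate(register, appetite)


if __name__ == "__main__":
    register, plan, residual = run_cycle()
    for r in register:
        print(f"{r.asset:20s} {r.threat:36s} residual {r.score:2d} ({r.level}) via {r.controls}")
    print("still above appetite:", [r.asset for r in residual])
```

With the sample data the database risk drops from 20 (high) to 8 (medium) after its two controls, which is still above a "low" appetite, so it is the one risk that re-enters the cycle; the VPN risk is brought down to 4 (low) and the printer risk was never above appetite, so neither needs treatment in the next pass.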
Distinct Communities of Interest
Communities of Interest
• InfoSec community: protect information assets from threats
• IT community: support business objectives by supplying appropriate information technology
• Business community: policy and resources
InfoSec Components
National Security Telecommunications and Information Systems Security Committee (NSTISSC) Security Model
Management & Roles
What Is Management?
Managerial Roles
Differences Between Leadership and Management
Characteristics of a Leader
1. Bearing
2. Courage
3. Decisiveness
4. Dependability
5. Endurance
6. Enthusiasm
7. Initiative
8. Integrity
9. Judgment
10. Justice
11. Knowledge
12. Loyalty
13. Tact
14. Unselfishness
What Makes a Good Leader? Action Plan
Characteristics of Management
• POLC: popular management theory that organizes the principles of management into planning, organizing, leading, and controlling
• POSDC: traditional management theory using the principles of planning, organizing, staffing, directing, and controlling
The Planning–Controlling Link
Planning & Organization
• Planning: process that develops, creates, and implements strategies for
the accomplishment of objectives
• Three levels of planning
• Strategic
• Tactical
• Operational
• Organization: structuring of resources to support the accomplishment
of objectives
Leadership
Control
• Control:
  • Monitoring progress toward completion
  • Making necessary adjustments to achieve the desired objectives
• The controlling function determines what must be monitored and uses specific control tools to gather and evaluate information
Control Tools
• Four categories:
  • Information
    • Information flows / communications
  • Financial
    • Guide the use of monetary resources (return on investment, ROI; cost/benefit analysis, CBA; ...)
  • Operational
    • PERT, Gantt, process flow
  • Behavioral
    • Human resources
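As an added example (not from the slides) of the financial control tools listed above, a cost/benefit analysis and ROI comparison for candidate security controls in Python. It uses the standard quantitative risk analysis formulas SLE = AV × EF, ALE = SLE × ARO and CBA = (ALE before − ALE after) − annual cost of the safeguard, which the slide itself does not state; the asset value, exposure factors, incident rates, control names and costs are all constructed sample figures.

```python
"""Cost/benefit analysis (CBA) and ROI for candidate security controls.

Added example. The formulas are the usual quantitative risk-analysis ones
(SLE = AV * EF, ALE = SLE * ARO, CBA = (ALE_before - ALE_after) - ACS);
every figure below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset_value: float      # AV: value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    annual_rate: float      # ARO: expected incidents per year

    @property
    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualised loss expectancy."""
        return self.sle * self.annual_rate


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float   # ACS: annual cost of the safeguard (purchase + operation)
    residual: Exposure   # exposure that remains once the control is in place


def cba(before: Exposure, control: Control) -> float:
    """Net annual benefit of a control: (ALE before - ALE after) - ACS."""
    return (before.ale - control.residual.ale) - control.annual_cost


def roi(before: Exposure, control: Control) -> float:
    """Net benefit per unit of annual cost; negative means it costs more than it saves."""
    return cba(before, control) / control.annual_cost


def worth_buying(before: Exposure, control: Control) -> bool:
    """A control is justified on cost grounds only when its CBA is positive."""
    return cba(before, control) > 0


def rank_controls(before: Exposure, controls: list[Control]) -> list[Control]:
    """Order candidates by net benefit, best first."""
    return sorted(controls, key=lambda c: cba(before, c), reverse=True)


# Constructed scenario: credential stuffing against the VPN in front of a
# customer database worth 500k; 40% of its value is lost per breach, and
# a breach is expected every two years without further controls.
BASELINE = Exposure(asset_value=500_000, exposure_factor=0.4, annual_rate=0.5)

CANDIDATES = [
    # MFA mostly removes the likelihood of a successful credential attack.
    Control("MFA on VPN logins", annual_cost=15_000,
            residual=Exposure(500_000, 0.4, 0.05)),
    # Insurance does nothing to likelihood but caps the loss per incident.
    Control("cyber insurance", annual_cost=30_000,
            residual=Exposure(500_000, 0.1, 0.5)),
    # 24x7 managed detection halves both the rate and the damage, at a high price.
    Control("24x7 managed detection", annual_cost=120_000,
            residual=Exposure(500_000, 0.2, 0.25)),
]


def summary() -> list[tuple[str, float, float]]:
    """(name, CBA, ROI) for each candidate, best first."""
    return [(c.name, round(cba(BASELINE, c), 2), round(roi(BASELINE, c), 3))
            for c in rank_controls(BASELINE, CANDIDATES)]


if __name__ == "__main__":
    print(f"baseline ALE: {BASELINE.ale:,.0f}")
    for name, net, r in summary():
        print(f"{name:24s} CBA {net:>12,.2f}  ROI {r:>7.3f}")
```

The baseline ALE is 100,000 per year. MFA cuts that to 10,000 for 15,000 a year (CBA 75,000, ROI 5.0); insurance has a positive but smaller net benefit; the managed detection service reduces loss by 75,000 but costs 120,000, so its CBA is negative and on these numbers it would not be funded from this risk alone. The same calculation is what a manager would put beside the qualitative risk register when choosing which planned controls to actually implement.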
The Control Process
Solving Problems
• Step 1: Recognize and Define the Problem
• Step 2: Gather Facts and Make Assumptions
• Step 3: Develop Possible Solutions (Brainstorming)
• Step 4: Analyze and Compare the Possible Solutions (Feasibility analysis)
• Step 5: Select, Implement, and Evaluate a Solution
Feasibility Analyses
• Economic feasibility assesses the costs and benefits of a solution
• Technological feasibility assesses an organization's ability to acquire and manage a solution
• Behavioral feasibility assesses whether members of the organization will support a solution
• Operational feasibility assesses whether an organization can integrate a solution
Principles of Information Security Management
InfoSec Planning
• Planning as part of InfoSec management is an extension of the basic planning model discussed earlier
• The InfoSec planning model includes the activities necessary to support the design, creation, and implementation of information security strategies as they exist within the IT planning environment
InfoSec Planning Types
Policy
• Policy: a set of organizational guidelines that dictates certain behavior within the organization
• In InfoSec, there are three general categories of policy:
  • General program policy (Enterprise Security Policy)
  • Issue-specific security policy (ISSP)
    • E.g., email, Internet use
  • System-specific security policies (SSSPs)
    • E.g., access control lists (ACLs) for a device
Programs
Protection
People
• People are the most critical link in the information security program
  • The "human firewall"
• It is imperative that managers continuously recognize the crucial role that people play; this includes information security personnel and the security of personnel, as well as all aspects of the SETA (security education, training, and awareness) program
Project Management
Q&A