Lecture 3 (10-02-2020)
Information Security Management
Dr. Muhammad Nadeem Sial
muhammad.sial@kcl.ac.uk, nadeem_606@yahoo.com
Course Outline
• Information Security Governance & Risk Management
• Cryptography
• Access Control
• Telecommunication and Network Security
• Software Development Security
• Security Architecture & Design
• Operations Security
• Business Continuity & Disaster Recovery Planning
• Legal, Regulations, Investigations and Compliance
• Physical (Environment) Security
Course Outline (CISSP 7th Edition by James Michael Stewart)
• Info Security Governance & Risk Mgt
  • Chapter 1: Security Governance Through Principles and Policies
  • Chapter 2: Personnel Security and Risk Mgt Concepts
  • Chapter 5: Protecting Security of Assets
• Cryptography
  • Chapter 6: Cryptography and Symmetric Key Algorithms
  • Chapter 7: PKI and Cryptographic Applications
• Access Control
  • Chapter 13: Managing Identity and Authentication
  • Chapter 14: Controlling and Monitoring Access
• Telecommunication and NW Security
  • Chapter 11: Secure Network Architecture and Securing Network Components
  • Chapter 12: Secure Comm and Network Attacks
• Software Dev Security
  • Chapter 20: Software Dev Security
  • Chapter 21: Malicious Code and Application Attacks
• Security Architecture & Design
  • Chapter 8: Principles of Security Models, Design & Capabilities
  • Chapter 9: Security Vulnerabilities, Threats and Countermeasures
  • Chapter 15: Security Assessment and Testing
• Operations Security
  • Chapter 16: Managing Security Operations
• Business Continuity & Disaster Recovery Planning
  • Chapter 3: Business Continuity Planning
  • Chapter 17: Preventing and Responding to Incidents
  • Chapter 18: Disaster Recovery Planning
• Legal, Regulations, Investigations and Compliance
  • Chapter 4: Laws, Regulations, and Compliance
  • Chapter 19: Incidents and Ethics
• Physical (Environment) Security
  • Chapter 10: Physical Security Requirements
Course Outline (ISM Standards)
• FIPS-140-2 (Radio Encryptors, Crypto Modules, IP Encryptor, Encryption Boards, Secure USB / Token, Secure Gateway)
• Common Criteria (IDS, IPS, OS, Firewall, Router, Trusted computing, Enterprise Security Mgmt Access Control, VoIP, IPE, Mobile Devices, Biometric Verification Mechanisms)
• Security Models
• Security & Audit Frameworks, Methodologies and Architecture
  • ISO27001
  • CoBIT
  • COSO
  • NIST SP 800-53, Minimum Security Controls for Federal IT Systems
  • SABSA (Zachman Framework)
  • ToGAF
• Risk Assessment Methodologies / Risk Analysis & Management
  • SP 800-30: Risk Management Guide for Information Technology Systems
  • ISO 27005
  • ISO 31000 Risk Management
  • CCTA Risk Analysis & Management Method (CRAMM)
• NIST SP 800-160 Volume 1 (NIST 800-64), Systems Security Engineering Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
• Operationally Critical Threat Asset Vulnerability Evaluation (OCTAVE)
• Information Technology Infrastructure Library (ITIL) - Best practices for IT Service Management by UK government
• ISO 27001:2013 & 2005
• Special Publication 800-27, Engg Principles for Information Tech Security (EP-ITS), NIST 33 Security Principles
• ISO/IEC 17799 or BS 7799: Information Technology – Code of Practice for Information Security Management
• RFC 2196, Site Security Handbook
• SP 800-12, Computer Security Handbook
• SP 800-14, Generally Accepted Security Principles & Practices
• SP 800-18, Guide for Developing Security Plans
• SP 800-26, Security Self-Assessment Guide-IT Systems
• VISA International Security Model
• Gold Standard
• SP 800-37, Guidelines for the Security Certification and Accreditation of Federal IT Systems
Common Criteria
• IDS
• IPS
• OS
• Firewall
• Router
• Trusted computing
• Enterprise Security Management Access Control
• VoIP
• IP Encryptor
• Mobile Devices
• Biometric Verification Mechanisms
FIPS-140-2
• Radio Encryptors
• Crypto Modules
• IP Encryptor
• Encryption Boards
• Secure USB / Token
• Secure Gateway
Phases of System Development Life Cycle (SDLC)
• NIST SP 800-160 Volume 1 (NIST 800-64)
• Information Technology Infrastructure Library (ITIL) - Best practices for IT Service Management by UK government
• Operationally Critical Threat Asset Vulnerability Evaluation (OCTAVE)
Risk Assessment Methodologies / Risk Analysis & Management
• SP 800-30
• ISO 27005
• ISO 31000 Risk Management
• CCTA Risk Analysis & Management Method (CRAMM)
Security & Audit Frameworks, Methodologies and Architecture
• ISO27001
• CoBIT
• COSO
• NIST 800-53
• SABSA (Zachman Framework)
• ToGAF
Projects & Case Studies
Topic Proposal & Approval
• Submit your proposed topic with objectives / scope / selected organization / system for case study
• Select an organization / system to apply the selected topic for Case Study
• Deadline: 17 Feb, 2020
Case Study
• Study relevant documents / standards
• Study overall organizational IS architecture / system security architecture
• Apply selected standard for organization / system assessment
• Weaknesses? Suggestions? Improvements?
Project Report
• Prepare results, vulnerabilities, suggestions and assessment along with recommendation
• Deadline: 2 weeks after Mid Term Exam
Presentation
• Presentation will be for 15-20 minutes
• After presentation there will be a 5 min question & answer session
Information Security Governance & Risk Management
Information Security Governance & Risk Management
• Ensure that the organization will continue to exist and will grow or expand over time
• Maintain business processes while striving toward growth and resiliency
Info Sec Governance & Risk Mgmt: Aspects of Governance
• Legislative and regulatory compliance needs
• Auditing and validation (Govt regulations or industry best practices)
• Industry guidelines or license reqs
Info Sec Governance & Risk Mgmt: Summary
• Security governance is the implementation of a security solution and a management method that are tightly interconnected
• Security needs to be managed and governed throughout the organization, not just in the IT department
• Security is an organizational process, not just IT administration
• Security is a business operational issue
Info Sec Governance & Risk Mgmt: Objectives
Align Security Function to Goals, Mission & Objectives of Organization
People
Technology
Processes
Align Security Function: Documents
• Security Policy
• Standards, Procedures & Guidelines
• Security Program
Align Security Function: Summary
• Security Governance
Information Security Governance & Risk Management
Info Sec Governance & Risk Mgmt: Objectives
• Ensure compliance to all applicable laws & regulations
• Exercise due diligence to discover risks and due care to protect against known risks
• Formal control frameworks
Understand & Apply Security Governance: Organizational Processes
Steering Committee
• Makes decisions on strategic and tactical issues for an organization
• Security steering committee makes security-based decisions to help define acceptable levels of risk for the organization
• Security-based steering committee includes input from multiple individuals throughout the organization
• They meet regularly to review changes to the security policies and programs
Understand & Apply Security Governance: Organizational Processes
• A steering committee includes several executives and provides overall direction for the organization
• An oversight or audit committee provides oversight for internal functions
• These committees will typically report to the board of directors
• An audit committee can gather data from either internal or external entities
• Goal is to evaluate the integrity of financial data, security controls, auditor performance and compliance with applicable laws & regulations
• Provide input to top level mgmt, including the chief executive officer (CEO) and board of directors
Understand & Apply Security Governance: Objectives
• Organizational Processes (acquisitions, governance committees)
  • Security steering committee?
• Security policy accurately reflects an organization's goals, mission and objectives
• Identifying data owners
• Senior Management Roles
Understand & Apply Security Governance: Security Roles & Responsibilities
• Users
  • Access data during day-to-day tasks
  • Responsible for following procedures for accessing and using data
• Data Custodians
  • IT personnel who are responsible for maintaining and protecting the data
• Data Owners
  • Mgmt personnel having overall responsibility for protecting their data, proper labeling and marking
  • Overall responsibility for all data under their purview
• Senior Management
  • Overall responsibility and accountability for all security
  • Can delegate their authority to lower roles to manage responsibility but cannot delegate responsibility
Information Security Governance
Typical Organization Chart
President (Board of Directors / Trustees)
CIO
Security Director
• Knowledge of organization’s information assets and their criticality to ongoing business operations
• Validate / ratify the key assets they want to protect and their protection levels and priorities
• Endorse essential security requirements so that a security culture prevails at all levels of the enterprise
• Ensure that needed organizational functions, resources and supporting infrastructure are available and properly utilized to fulfill the information-security related directives of the board, regulatory compliance and other demands
Understand & Apply Security Governance: Security Roles & Responsibilities
Establishing Communication
• Senior Management
  • Attend business strategy meetings to become more aware of and understand the updated business strategies and objectives
  • Periodic one-to-one meetings held with senior management to understand the business objectives from their perspective
• Business Process Owners
  • Join operation review meetings to realize the challenges and requirements of daily operations and their dependencies
  • Initiate monthly one-to-one meetings held with different process owners to gain continued support in the implementation of information security governance and address current individual security related issues
Understand & Apply Security Governance: Security Roles & Responsibilities
Establishing Communication
• Other Management
  • Line managers, supervisors and department heads charged with various security and risk management-related functions, including ensuring adequate security requirement awareness and policy compliance, must be informed of their responsibilities.
• Employees
  • Timely training and education programs
  • Centralized on-board training program for new hires
  • Organizational education material on updated strategies and policies
  • Personnel instructed to access the intranet or e-mail-based notifications for periodic reminders or ad hoc adaptations
  • Support senior management and business process owners by assigning an information security governance coordinator within each functional unit to obtain accurate feedback of daily practices in a timely manner
Information Security Governance
Security Oriented Organization
President (Board of Directors / Trustees)
CIO