Security Systems

Cards (251)

  • Security Management
    Putting in place an effective security system requires planning, resources and effort from all levels in an organization
  • Support from the management of an organization
    • Management is the only entity that can effectively provide:
      • a list of the assets and information to be protected
      • the resources to set up and maintain the system: equipment, training, education
      • the means to enforce policy compliance and to revise the policy
  • Security Management
    1. Properly identifying and valuing a company's assets
    2. Implementing security policies, procedures, standards, and guidelines to provide integrity, confidentiality, and availability
    3. Using various management tools to classify data and perform risk analysis and assessments
    4. Identifying vulnerabilities and exposure rates and ranking the severity of identified vulnerabilities
    5. Implementing effective countermeasures to mitigate risk in a cost-effective manner
    6. Providing protection for the resources it is responsible for and the company overall
    7. Ensuring that a security program is set up that recognizes the threats that can affect these resources and putting the necessary protective measures into effect
    8. Assigning responsibility and identifying the roles necessary to get the security program off the ground and to keep it thriving and evolving as the environment changes
    9. Integrating the program into the current business environment and monitoring its accomplishments
  • Security Management
    • The security program needs to be driven by the management to have a better chance of being effective
    • The security program needs to be developed in terms of the whole of the organization and then refined to fit the specific areas within the organization
  • Security Management Responsibilities
    • Help achieve business goals
    • Work with all internal and external stakeholders
    • Develop and implement security policies, procedures, standards, guidelines
    • Perform risk analysis, assessments, and security audits
    • Implement and monitor security programs
    • Ensure compliance
  • Security Management Responsibilities
    • Determining objectives, scope, policies, priorities, and strategies
    • Defining a clear scope and goals expected to be accomplished from a security program
    • Evaluating business objectives, security risks, user productivity, and functionality requirements and objectives
    • Defining steps to ensure that all of these issues are accounted for and properly addressed
  • Many companies look at the business and productivity elements of the equation only and figure that information and computer security fall within the IT administrator's responsibilities. In these situations, management is not taking computer and information security seriously, the consequence of which is that security will most likely remain underdeveloped, unsupported, underfunded, and unsuccessful. Security needs to be addressed at the highest levels of management. The IT administrator can consult with management on the subject, but the security of a company should not be delegated entirely to the IT or security administrator.
  • Top-down approach to security
    • The initiation, support, and direction come from top management, work their way through middle management, and then reach staff members
    • More aligned with the organization's long-term strategic goals
    • More likely to be effective due to support of management
    • May not address short-term issues
  • Bottom-up approach to security
    • Security program developed without getting proper management support and direction
    • Ad-hoc, focus on short-term issues
    • Not aligned with strategic goals; lacks support from top management; difficult to apply in large organisations; likely to be ineffective
  • Top-Down Approach to Security
    1. Determining the functionality and realizing the end result expected
    2. Developing and implementing procedures, standards, and guidelines that support the security policy
    3. Identifying the security countermeasures and methods to be put into place
    4. Developing baselines and configurations for the chosen security controls and methods
  • If security starts with a solid foundation and develops over time with understood goals and objectives, a company does not need to make drastic changes midstream. The process can be methodical, requiring less time, funds, and resources, and provide a proper balance between functionality and protection.
  • Roles in an organisation
    • Senior manager
    • Data owner
    • Data custodian
    • Data users
  • Senior manager
    The person who has ultimate legal responsibility to protect the assets of an organisation. Examples: CEO (commercial organisation), Commander (military), Director/Secretary (government organisation). The Senior Manager is the one who makes the final decision on how risks in the organisation are managed.
  • Data owner
    Usually a senior executive within the management group of the company, or the head of a specific department. The information owner has the corporate responsibility for data protection and would be the one held liable for any negligence when it comes to protecting the company's information assets. Information owners should dictate which users can access their resources and what those users can do with those resources after they access them.
  • Data custodian
    The person or group that actually helps the Data Owner protect the data. The Data Custodian typically has technical knowledge and skills, acts as an adviser to the Data Owner, and follows the directions of the Data Owner. Examples: system administrators, database administrators, and security staff.
  • Data users
    People who actually use the data. Their level of access to the data depends on the role they have been granted. They are required to have awareness of data security and need to know the security policies and procedures relevant to the data they use. They also help protect the data, and hence also play part of the role of data custodian.
  • Security Management Concepts
    • Policies
    • Standards
    • Procedures
    • Baselines
    • Guidelines
  • Policies
    Establish the glue that ensures everyone has a common set of expectations and communicates management's goals and objectives.
  • Procedures, standards, guidelines, and baselines
    Different components that support the implementation of the security policy.
  • Types of security policies
    • Organizational or program policy
    • Functional, issue-specific policies
    • System-specific policies
  • Standards
    Define the requirements. Provide the agreements that enable interoperability within the organization through the use of common protocols. Simplify the operation of the security controls within the company and increase efficiency.
  • Procedures
    Step-by-step instructions in support of the policies, standards, guidelines, and baselines. Indicate how the policy will be implemented and who does what to accomplish the tasks. Provide clarity and a common understanding to the operation required to effectively support the policy on a consistent basis.
  • Baselines
    Provide descriptions of how to implement security packages to ensure that these implementations are consistent throughout the organization. An analysis of the available configuration settings and of the settings desired forms the basis for future, consistent implementation of the standard.
  • Guidelines
    Discretionary or optional controls used to enable individuals to make judgments with respect to security actions.
  • Policy
    Defines the objectives, scope, and responsibilities of the security program
  • Standard
    Mandatory requirements that must be met
  • Guideline
    Discretionary or optional controls used to enable individuals to make judgments with respect to security actions
  • Baseline
    Descriptions of how to implement security packages to ensure consistent implementation throughout the organization
  • Procedure
    Indicates how the policy will be implemented and who does what to accomplish the tasks
  • Procedures provide clarity and a common understanding to the operation required to effectively support the policy on a consistent basis
  • Vulnerability
    Weakness in any component of an information system
  • Threat
    A possible scenario where a threat agent exploits a vulnerability and causes damage to a system
  • Risk
    Measure of the likelihood and impact of a threat
  • Countermeasure
    Safeguard to prevent or mitigate risk
  • Incident
    An event in which a threat has been realized and some damage has actually occurred
  • The words "vulnerability," "threat," "risk," and "exposure" often are used to represent the same thing, even though they have different meanings and relationships to each other
  • Vulnerability
    A software, hardware, procedural, or human weakness that may provide an attacker an open door to enter a computer or network and have unauthorized access to resources
  • Threat
    Any potential danger to information or systems
  • Risk
    The likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact
  • Exposure (Incident)
    An instance of being exposed to losses from a threat agent