Company Profile - Security Assessment

Information Security Management
A Process Driven Approach
by Peter Benson and Phillip Mawson
Copyright Security-Assessment.com 2004
Overview
- Information Security Management (ISM)
- Task centred approach to ISM: pros and cons
- Process centred approach to ISM: pros and cons
- Process example
- Questions
Information Security Management
Challenges
- Security threat growing
- Pressure to reduce IT operational spend
- Centralisation of infrastructure access technology
- Growth of online e-business
- Rapidly changing environments
Information Security Management
Process centred vs task centred security management
- Task: a unit of work.
- Process: a complete end-to-end set of tasks that together create value for a client.
- Generally speaking, security management today is task focused.
Task Centred Approach
- Define policy (e.g. maximum password age 30 days)
- Audit environment against policy
- Identify level of non-compliance
- Action plan to address non-compliance
- Re-audit environment to assess progress
Task Centred Approach
Disadvantages
- Lots of tasks
- It's expensive
- Often business value is unclear
- Susceptible to policy idealism (long live practical security policies)
Process Centred Approach
(Diagram of the security process quality system, a cycle over four stages)
- Existing security processes
- Assess existing processes
- Recommend process improvements
- Implement process improvements
Process Centred Approach
Advantages
- Starting point is current state
- Overcomes snapshot limitations
- Process focus keeps things practical
- Process view is cheaper than policy view
- Simplified technology roadmap
Security Patch Management Process
(Flowchart reconstructed from the slide text. The slide colour-codes responsibility for each step across three groups: Assurance Group, IS Operations Group and Information Security group.)

Identify & Assess (24 hours maximum)
- Trigger: new software security patch notification, or a change in severity rating.
- Security patch assessment: the vendor security patch severity rating is assessed against the cost of deploying the patch.
- Supporting decision criteria should be developed and agreed with those accountable for information security.
- The outcome of these criteria is a deployment rating: high, medium or low.

Manage
- Deploy high priority (one week maximum): test deployment plan; gain change approval; begin patch deployment; deployment complete.
- Deploy medium priority (one month maximum): test deployment plan; gain change approval; begin patch deployment; deployment complete.
- Deploy low priority: deployment will be bundled with other patch update activity. No specific action is required for this update.

Monitor (continuous, iterating once a month as a maximum)
- Identify all company-owned data networks. This refers to IP data communication networks.
- Identify all network devices connected to company-owned networks. This includes all laptops, desktops and servers, and many devices that do not run antivirus or patching software, such as printers, photocopiers and routers.
- Ensure all relevant security patches are installed and operating on all appropriate network devices.

Audit
- Ensure network devices are securely configured to prevent unauthorised access. Securely configured means: AV software has not been disabled; on-access scanning is enabled; scheduled scanning is enabled; etc.
- Perform process improvement and compliance: root cause analysis of identified process failures, and recommend process improvements.
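The slide names the inputs of the Identify & Assess step (vendor severity weighed against deployment cost), its output (a high, medium or low deployment rating) and the time limits of each step, but leaves the decision criteria to be agreed locally. The Python below is an added example, not part of the Security-Assessment.com deck: it implements one hypothetical set of criteria, derives each patch's deadline from the 24-hour, one-week and one-month limits, and measures a constructed set of patch records against them, producing the list of process failures that the Audit step's root cause analysis would start from. The scoring tables, status names, patch IDs and dates are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Hypothetical scoring for the two inputs the process names: vendor severity
# and the cost of deploying the patch. The deck requires the real criteria to
# be agreed with those accountable for information security; these tables are
# assumed for illustration only.
SEVERITY_SCORE = {"critical": 3, "important": 2, "moderate": 1, "low": 0}
COST_SCORE = {"low": 0, "medium": 1, "high": 2}

# Time limits from the process: assess within 24 hours of notification, deploy
# high priority within one week, medium within one month. Low priority is
# bundled with other patch activity and has no dedicated deadline.
ASSESS_WINDOW = timedelta(days=1)
DEPLOY_WINDOW: Dict[str, Optional[timedelta]] = {
    "high": timedelta(weeks=1),
    "medium": timedelta(days=30),
    "low": None,
}


def deployment_rating(vendor_severity: str, deployment_cost: str) -> str:
    """Identify & Assess: weigh vendor severity against deployment cost."""
    score = SEVERITY_SCORE[vendor_severity.lower()] - COST_SCORE[deployment_cost.lower()]
    if score >= 2:
        return "high"
    if score == 1:
        return "medium"
    return "low"


@dataclass
class PatchRecord:
    patch_id: str
    notified: date                   # vendor notification or change in severity rating
    vendor_severity: str
    deployment_cost: str
    assessed: Optional[date] = None
    deployed: Optional[date] = None  # date "deployment complete" was reached

    @property
    def rating(self) -> str:
        return deployment_rating(self.vendor_severity, self.deployment_cost)

    def assess_deadline(self) -> date:
        return self.notified + ASSESS_WINDOW

    def deploy_deadline(self) -> Optional[date]:
        window = DEPLOY_WINDOW[self.rating]
        if window is None:
            return None
        # The deployment clock starts when the assessment window closes.
        return self.assess_deadline() + window

    def status(self, today: date) -> str:
        """Classify the record against the process time limits as of `today`."""
        if self.assessed is None:
            return "overdue-assessment" if today > self.assess_deadline() else "awaiting-assessment"
        deadline = self.deploy_deadline()
        if deadline is None:
            return "bundled"
        if self.deployed is not None:
            return "compliant" if self.deployed <= deadline else "late"
        return "overdue" if today > deadline else "in-progress"


FAILURE_STATES = ("overdue-assessment", "late", "overdue")


def process_failures(records: List[PatchRecord], today: date) -> List[Tuple[str, str]]:
    """Audit input: records that breached a time limit, for root cause analysis."""
    return [(r.patch_id, r.status(today)) for r in records if r.status(today) in FAILURE_STATES]


def summarise(records: List[PatchRecord], today: date) -> Dict[str, int]:
    """Monitor output: how many records sit in each state (measurement is key)."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r.status(today)] = counts.get(r.status(today), 0) + 1
    return counts


# Constructed sample records; patch IDs, severities, costs and dates are invented.
SAMPLE = [
    PatchRecord("P-001", date(2004, 6, 1), "critical", "low", assessed=date(2004, 6, 1), deployed=date(2004, 6, 5)),
    PatchRecord("P-002", date(2004, 6, 1), "critical", "high", assessed=date(2004, 6, 2), deployed=date(2004, 6, 20)),
    PatchRecord("P-003", date(2004, 6, 3), "important", "low", assessed=date(2004, 6, 3), deployed=date(2004, 6, 14)),
    PatchRecord("P-004", date(2004, 6, 3), "important", "low", assessed=date(2004, 6, 4)),
    PatchRecord("P-005", date(2004, 6, 3), "low", "medium", assessed=date(2004, 6, 4)),
    PatchRecord("P-006", date(2004, 6, 10), "important", "medium"),
]
AS_OF = date(2004, 6, 15)

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.patch_id, rec.rating, rec.deploy_deadline(), rec.status(AS_OF))
    print(summarise(SAMPLE, AS_OF), process_failures(SAMPLE, AS_OF))
```

Two design points worth noting: P-002 shows the cost side of the assessment, since a critical patch that is expensive to deploy drops to a medium rating and a one-month window under these assumed criteria; and the deadline for deployment is counted from the end of the 24-hour assessment window, not from when the assessment actually happened, so a slow assessment eats into the deployment time rather than extending it.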
Information Security Management
Process Centred Approach – quick tips
- Process owners, doers and reviewers
- Process abdication is bad
- But we don't have a process for that???
- Measurement is key
Questions