Académique Documents
Professionnel Documents
Culture Documents
Security
1
Objectives
2
Basic Security Concepts
• information security – perception
• information security – reality
• CIA (Confidentiality , Data integrity and
Availability) triad
• PPP (physical security, privacy, and marketplace
security ) triad
3
Basic Security Concepts
• Confidentiality – only
authorized individuals
can access data
CIA
Tirade
• Integrity – data changes
are tracked and properly
controlled
PPP
Tirade • Availability – systems
are accessible for
business needs
4
Assessing Risks
Assessment can be performed using a five-step process
5
Assessing Risk
6
Assessing Risk
7
Assessing Risk
8
Security policy
• Physical security
• Access Control
• Network security
• System security
• Auditing procedures 9
Benefits of a Security Policy
10
Inputs for a security policy
• Local laws, regulations and business contracts
11
Building a Security Policy
An organization’s security policy should cover
the following:
• Foreword: Purpose, scope, responsibilities, and
penalties for noncompliance
• Physical security: Controls to protect the people,
equipment, facilities, and computer assets
• User ID and rights management: Only authorized
individuals have access to the necessary
systems and network devices
12
Building a Security Policy Cont.
13
Building a Security Policy
Foreword
14
Building a Security Policy
Physical Security
Authentication:
• Authentication model
• Implementation technologies
• Implementation mechanism
16
Building a Security Policy
Network Security
• Specific timeframes for changing passwords on
the network devices
17
Building a Security Policy
System Security
• The systems section is used to outline the
specific settings required to secure a particular
operating system or application
– For example, for Windows NT 4.0, it may be a
requirement that every logical drive be installed
with NTFS
– For a particular UNIX flavor, shadow password files
may be required to hide user IDs and passwords
from general users
18
Building a Security Policy
Testing and Auditing
• Specify requirements for vulnerability scanners,
compliance checking tools, and other security
tools run within the environment
20
Security Resources
Web Resources
21
Summary
• The CIA triad categorizes aspects of information that
must be protected from attacks: confidentiality,
integrity, and availability.
22
Summary Cont.
• The first step in creating an effective security policy is to perform
a risk assessment within the environment. A risk assessment
consists of five steps:
– Check for existing security policies and processes
– Analyze, prioritize, and categorize resources
– Consider business concerns
– Evaluate existing security controls
– Leverage existing management and control architecture
• To estimate potential financial loss from security threats, the
following formula works well by accounting for the most important
cost factors associated with security: ALE = SLE * ARO.
• A security policy has three major benefits. It:
– Communicates a common vision for security throughout a
company
– Represents a single easy-to-use source of security
requirements
– Exists as a flexible document that should be updated at least
annually to address new security threats
23
Summary Cont.
• An effective security policy includes security requirements in the
following areas:
– Physical security
– User ID and rights management
– Systems
– Network
– Security tools
– Auditing
• There are a number of security-related certifications to help
security professionals quantify their knowledge on a resume.
• Every security professional must stay current about the latest
threats through Web resources, mailing lists, and printed
materials.
24