
Security Management

- Premanand Lotlikar

26th August, 2007

• Introduction
• Objective of Security Mgmt
• Basic Concepts
• Benefits
• Relationship with other processes
• Activities in SLM
• Process Control
• Key Performance Indicators
• Cost
• Possible Problems
• According to the latest statistical analysis, it is estimated there are over 1.1 billion Internet users worldwide [1]
• The Internet is full of useful information; in fact, it is estimated that there are between 15 and 30 billion different websites in existence today [2]

[1] World Internet Users and Population Stats. (2007, March 19). Internet World Stats. http://www.internetworldstats.com/stats.htm
[2] The size of the World Wide Web. (2007, February 25). Pandia Search Engine News. http://www.pandia.com/sew/383-web-size.html

• 651 million people around the world now use email regularly
• This figure is expected to grow steadily over the next four years, reaching 850 million users by the end of 2008
• Time wasted deleting junk e-mail costs American businesses nearly $22 billion a
Source: Security Statistics. (2005) Aladdin: Securing the Global Village
• Security Threats
• Telecom Threats
– War Dialing
– Unauthorized Remote Access
– Unauthorized ISP Access
– Unsecured Authorized Modems
– Proxy Impersonation
– Denial of Service
– Message Tampering
• VoIP Threats
– Unauthorized Remote Access
– Unauthorized ISP Access
– Non-Secure Authorized Modems
– Voice System Attacks
[Diagram: security gap left by the traditional data firewall; security system for the traditional voice network]
• Identity Threats
Objective of Security Mgmt
• To meet the security requirements of the SLA and external requirements (legislation, policies etc.)
• To provide a basic level of security, independent of external requirements
Basic Concepts
• Safety: refers to not being vulnerable to known risks; security is the tool that provides this safety
• Confidentiality: protecting information against unauthorized access and use
• Integrity: accuracy, completeness and timeliness of information
• Availability
Benefits
• Minimize downtime, exposure, and loss of critical information caused by security attacks
• Minimizing damage to business, company brand, customer loyalty, intellectual property, and employee
• Prevent or minimize the spread of security attacks within the enterprise and stop the propagation of worms, viruses, and other pathogens
• Control internal information for compliance with regulations (for example, Sarbanes-Oxley and the Basel II Accord) and prevent liabilities under the regulatory
• Focus on business rather than security incident recovery
Relationship with other processes
• Configuration Mgmt
• Incident Mgmt
• Problem Mgmt
• Change Mgmt
• Availability Mgmt
• Capacity Mgmt
• Service Level Mgmt
• IT Continuity Mgmt
Security Mgmt Process
Activities in SLM
• Plan
• Implement
• Evaluate
• Maintenance
• Reporting
Plan
• Includes defining the security section of the SLA
• Business terms in the SLA are converted to operational terms in the OLA
• Hence the OLA can be considered the security plan for the service provider
• The SLA should define the security requirements in measurable terms
Implement
• Classification and management of IT resources:
– Providing input for maintaining CIs and the CMDB
– Classifying the IT resources
• Personnel security:
– Tasks & responsibilities in job description
– Screening
– Confidentiality agreement for personnel
– Training
– Guidelines for personnel for dealing with security
– Disciplinary measures
– Increasing security awareness
• Managing security:
– Implementation of responsibilities
– Written operating instructions
– Internal regulations
– Security guideline for the entire lifecycle
(development, testing, acceptance, operations, maintenance & phasing out)
– Separating the dev environment from test and
– Procedures for dealing with incidents
– Implementation of recovery facilities
– Implementation of virus protection measures
– Handling and security of data media
• Access control:
– Implementation of access policies and access control
– Maintenance of the access privileges of users and applications to networks and network services
– Maintenance of network security barriers
– Implementation of identification and authentication measures
Evaluate
• 3 forms of evaluation:
– Self-assessments: primarily implemented by the line organization of the process
– Internal audits: undertaken by internal IT auditors
– External audits: undertaken by external IT auditors
• Main activities are:
– Verifying compliance with the security plan and the
implementation of the plan
– Performing security audits on IT systems
– Identifying and responding to inappropriate use of IT
Maintenance
• Includes the maintenance of the security section of the SLA and of the detailed security plans (OLA)
• Carried out on the basis of the results of the Evaluation process
• Any changes are subject to Change Mgmt
Reporting
• It is not a sub-process but an output of the other sub-processes
• Provides information about achieved security performance and security issues
• Important both to the customer and the service provider
• The customer must be correctly informed about the efficiency of the efforts and the actual security measures
• Planning:
– Reports about the UC and OLA
– Reports about the annual security plans and
action plans
• Implementation:
– Status reports about implementations
– List of security incidents and responses
– Identification of incident trends
– Status of the awareness program
• Evaluation:
– Report about performance of sub-processes
– Results of audits, review & internal
– Warnings, identification of new threats
• Any specific report/s
Critical Success Factors
• Full mgmt commitment and involvement
• User involvement when developing the
• Clear and separated responsibilities
• Over-tasked IT staff
• Missing or poor co-ordination among
business units
• Lack of security governance model
Possible Problems
• Commitment
• Awareness
• Verification
• Change Mgmt
• Ambition
• Over-reliance on stronghold/fortress
Thank you!