An Overview of Information Security Frameworks. Presented to TIF September 25, 2013


(1)

An Overview of Information Security Frameworks

(2)

What is a framework?

A framework helps define an approach to implementing, maintaining, monitoring, and improving information security programs.

(3)

More about Frameworks…

Frameworks do not describe security requirements.

Security requirements come from three main sources:

Governing policies and practices – UC System Wide and UCD’s policies and standards.

Compliance requirements – statutory, regulatory, and contractual.

(4)

Commonly Used Frameworks

COBIT

ISO 27000 series

NIST SP 800 series

(5)

Control Objectives for Information and Related Technology (COBIT)

Developed in the mid-90s by ISACA.

This framework started out primarily focused on reducing technical risks in organizations, but has evolved recently with COBIT 5 (2012) to also include alignment of IT with business-strategic goals.

It is the most commonly used framework to

(6)

ISO 27000 SERIES

The ISO/IEC 27000 series was developed jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

A broad information security framework made up of a family of related standards for information security management.

Used extensively in the public and private sectors.

(7)

ISO/IEC 27002 – Code of Practice for Information Security Management

Contains 11 security domains and 39 control objectives (2005 edition; the number of control objectives per domain is in parentheses – the October 2013 revision reorganized them into 14 domains):

Security Policy (1);

Organizing Information Security (2);

Asset Management (2);

Human Resources Security (3);

Physical and Environmental Security (2);

Communications and Operations Management (10);

Access Control (7);

Information Systems Acquisition, Development and Maintenance (6);

Information Security Incident Management (2);

Business Continuity Management (1);

Compliance (3).

(8)

National Institute of Standards and

Technology (NIST) SP 800 Series

The NIST Special Publication 800 series was first published in 1990 and has grown to provide advice on just about every aspect of information security.

Federal agencies and some federal contractors are required (under FISMA) to comply with NIST guidelines governing information security.

Notable publications include:

NIST SP 800-53 Rev. 4 (Security and Privacy Controls for Federal Information Systems and Organizations)

(9)

NIST SP 800-53 Control Families

▫ Access Control

▫ Audit & Accountability

▫ Awareness & Training

▫ Certification, Accreditation & Security Assessments

▫ Configuration Management

▫ Contingency Planning

▫ Identification & Authentication

▫ Incident Response

▫ Maintenance

▫ Media Protection

▫ Personnel Security

▫ Physical & Environmental Protection

▫ Planning

▫ Program Management

▫ Risk Assessment

▫ System & Communication Protection

▫ System & Information Integrity

(10)

20 Critical Security Controls

for Effective Cyber Defense

A recent addition to the family of frameworks: the first draft was circulated in 2009.

Designed to help federal agencies prioritize cyber security spending.

Recommends a set of controls that are effective in stopping known attacks.

Gaining wide adoption in higher education.

(11)

20 Critical Controls

Control 1: Inventory of Authorized and Unauthorized Devices

Control 2: Inventory of Authorized and Unauthorized Software

Control 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Control 4: Continuous Vulnerability Assessment and Remediation

Control 5: Malware Defenses

Control 6: Application Software Security

Control 7: Wireless Device Control

Control 8: Data Recovery Capability

Control 9: Security Skills Assessment and Appropriate Training to Fill Gaps

Control 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

(12)

20 Critical Controls (continued)

Control 11: Limitation and Control of Network Ports, Protocols, and Services

Control 12: Controlled Use of Administrative Privileges

Control 13: Boundary Defense

Control 14: Maintenance, Monitoring, and Analysis of Audit Logs

Control 15: Controlled Access Based on the Need to Know

Control 16: Account Monitoring and Control

Control 17: Data Loss Prevention

Control 18: Incident Response and Management

Control 19: Secure Network Engineering

Control 20: Penetration Tests and Red Team Exercises
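Controls 1, 2 and 11 above each reduce to the same operation: compare what is actually observed (devices on the network, packages on a host, ports listening) against an authorized baseline and flag the difference. The example below, added here and not part of the original presentation, implements that comparison in Python. Every MAC address, hostname, package name and port in it is constructed sample data; in a real deployment the observed side would come from sources such as DHCP or ARP logs, a package-manager listing and a port scan, and the authorized side from the asset register.

```python
"""Allowlist (baseline) comparison for Critical Controls 1, 2 and 11.

Added example, not from the original presentation. All inventories and
observations below are constructed sample data.
"""
import re

# --- Constructed baselines: what the asset register says is authorized -----
AUTHORIZED_DEVICES = {               # MAC address -> registered hostname
    "00:11:22:33:44:55": "ws-finance-01",
    "00:11:22:33:44:66": "srv-db-01",
}
AUTHORIZED_SOFTWARE = {              # hostname -> packages approved for that host
    "ws-finance-01": {"firefox", "libreoffice"},
    "srv-db-01": {"postgresql", "openssh-server"},
}
ALLOWED_PORTS = {                    # hostname -> TCP ports permitted to listen
    "ws-finance-01": set(),
    "srv-db-01": {22, 5432},
}

# --- Constructed observations: what is actually on the network -------------
OBSERVED_DEVICES = [
    ("00-11-22-33-44-55", "ws-finance-01"),   # hyphenated (Windows-style) MAC
    ("0011.2233.4466", "srv-db-01"),          # dotted (Cisco-style) MAC
    ("AA:BB:CC:DD:EE:FF", "unknown-laptop"),  # not in the asset register
]
OBSERVED_SOFTWARE = {
    "ws-finance-01": {"firefox", "libreoffice", "teamviewer"},
    "srv-db-01": {"postgresql", "openssh-server"},
    "unknown-laptop": {"nmap"},
}
OBSERVED_PORTS = {
    "ws-finance-01": {3389},
    "srv-db-01": {22, 5432, 6379},
    "unknown-laptop": {22},
}


def normalize_mac(mac):
    """Canonicalize colon, hyphen or dotted MAC notation to lower-case colon form.

    Comparing raw strings would let "00-11-22-33-44-55" slip past a baseline
    that stores "00:11:22:33:44:55"; canonicalizing both sides closes that gap.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def unauthorized_devices(observed, authorized):
    """Control 1: devices seen on the network whose MAC is not in the asset register."""
    known = {normalize_mac(m) for m in authorized}
    return sorted(
        (normalize_mac(mac), host) for mac, host in observed
        if normalize_mac(mac) not in known
    )


def unauthorized_software(observed, authorized):
    """Control 2: installed packages that are not approved for that host.

    A host with no software baseline at all is treated as fully unauthorized
    (fail closed) rather than silently skipped.
    """
    findings = {}
    for host, packages in observed.items():
        extra = packages - authorized.get(host, set())
        if extra:
            findings[host] = sorted(extra)
    return findings


def unexpected_listeners(observed, allowed):
    """Control 11: listening ports not on the host's allowlist (same fail-closed rule)."""
    findings = {}
    for host, ports in observed.items():
        extra = ports - allowed.get(host, set())
        if extra:
            findings[host] = sorted(extra)
    return findings


def run_checks():
    """Run all three comparisons and return the findings keyed by control area."""
    return {
        "devices": unauthorized_devices(OBSERVED_DEVICES, AUTHORIZED_DEVICES),
        "software": unauthorized_software(OBSERVED_SOFTWARE, AUTHORIZED_SOFTWARE),
        "ports": unexpected_listeners(OBSERVED_PORTS, ALLOWED_PORTS),
    }


if __name__ == "__main__":
    for area, result in run_checks().items():
        print(area, result)
```

Two details matter in practice. MAC addresses arrive in several notations depending on the tool that captured them, so they are canonicalized before comparison. And a host that has no baseline entry at all is treated as fully unauthorized rather than skipped, so the unknown laptop is reported three times: as a device, for its software, and for its single SSH listener.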

(13)

20 Critical Controls (continued)

Control Family – Description

Quick Wins – controls that
• give risk reduction without major procedural, architectural, or technical changes, or
• provide substantial and immediate risk reduction against very common attacks

Visibility and Attribution Measures – controls that
• improve the capabilities of organizations to monitor their networks and computer systems to detect attack attempts, locate points of entry, identify already-compromised machines, interrupt infiltrated attackers' activities, and gain information about the sources of an attack

Improved Information Security Configuration – controls that
• reduce the number and magnitude of security vulnerabilities and improve the operations of networked computer systems, and
• focus on protecting against poor security practices that could give an attacker an advantage

(14)

Concluding Remarks….

Managing security requirements can be challenging and overwhelming.

An information security framework can help you organize and prioritize the work effort.

If you have any questions about security frameworks, contact me at:
