-
What are the aspects of Security Administration?
Planning, Risk Analysis, Policy, Physical Control
-
What is a document describing how an org will address its security needs?
Security Plan
-
A Security Plan should include(6)?
Policy, Current State, Requirements, Recommended Controls, Accountability, Timetable, Continuing Attention
-
high-level statement that should specify goals, responsibility, and commitment
policy is
-
Who gets access, What resources should be accessed, What types of access for each user per resource
In policy a high level statement says
-
Policy should specify and should be
- Goals, Responsibility, Commitment to security
- Top Down
-
To find the current state of security, a company must perform
Risk Analysis
-
Investigation of the system, environment, and vulnerabilities; who is responsible
Risk Analysis
-
Performing a risk analysis can be a
political nightmare
-
With planning this is, what needs to be done
Requirements
-
direct the implementation of requirements
constraints
-
"Only campus machines should be authenticated into the library system" is a ____ & "Not all faculty are on site" is a ____
requirement & constraint
-
Remove or reduce a vulnerability
controls
-
"graduating students leave unattended e-mail accounts" is a ____ & "match student enrollment with email accounts each semester" is a _____
vulnerability, control
-
Controls counter
Vulnerabilities
-
Requirements specify ___ should be accomplished not ___
What, How
-
Hiring programmers (is an art): telling them what you want is good, but when you tell them how to do it they will make a horrible program
software developer's dilemma
-
Requirements must have (7)
- Correctness( and understandability)
- Consistency
- Completeness
- Realism
- Need
- Verifiability
- Traceability
-
correlation between a requirement and the function/data related to it
Traceability
-
Planning-Controls include:
-
Responsibility for implementation
Planning- Accountability
-
People who have the responsibility for implementation include:
users, project leaders, managers, database admins, information officers, H/R (best friend)
-
Phased development? Order of implementation? What if things change?
Planning- timetable
-
need _____ for change not just "we are agile"
procedure
-
periodic reviews, changes in software/hardware, discovered vulnerabilities
planning- continual attention
-
need to change policy to account for new technology
needs to be an active, living document
continual attention
-
computer hardware group, system administrators, system programmers, application programmers, data entry personnel, physical security personnel, representative users
planning- team members
-
someone who cares and has the power to make changes work
champion
-
All of these must come together for IA to really work
- Commitment
- Champions
- Constant Training
- Awareness
- Funding
-
In case of a catastrophe we need to have a
continuity plan
-
long-duration issues, fall-back plans, redundancy, death of a principal
Catastrophes
-
Need these for a good one
Assess business impact
Develop a strategy (policy)
Develop a plan (procedures)
Try it out!!!!!!!
Continuity Plans
-
procedures for dealing with a security incident
incident response plans
-
what is an incident
who should take charge
what actions should be taken
Advance planning is key
people: director, lead technician, advisors
incident response plans need
-
legal issues
preserve evidence
keep records (perfect)
public relations
considerations of an incident response plan
-
what controls need to be changed, did the incident response plan work?
after an incident
-
Planning:
- University of Utah: not perfect but good
- Hartwick College: pretty, business bingo, BAD
- Brandeis University: Very Good Policy