Security is a Management Issue
By Louis W. Mehrmann, Executive Blueprints, Inc.
Presentation transcript (added March 30, 2008; 1158 views)

Security is a Management Issue Index

1. Introduction
2. Definitions
3. Vulnerabilities and Risks
4. Policy and Procedures
5. Controls
6. Selective Protection Concept
7. Implementation Checklist

Preparation

To get the most out of this tutorial, we suggest that you prepare with writing instruments and your canvas (blank paper) available as you follow along. You can document your personal ideas and observations as you follow the presentation. For best results, group participation or review is recommended. It is also suggested that you go through the entire process and then review what you have learned in practice. Look for this icon in the top right corner as a prompt for you to document your personal strategy canvas.

Introduction

Security is a management issue, not a technological one. The technology exists to assist management in the implementation and achievement of their security objectives.
Technology, however, is only a tool to be used in support of the plans, programs, and guidelines which management must specify. These plans and programs should be developed to meet the needs of the organization and to address its vulnerabilities to the risk of financial loss from unplanned, unintended events.

How Safe Are You From Becoming a Headline?

I have to do something so this doesn't happen to our company, but what? Could this happen to us? What should I do? Who can help me?

Information Security Definition

Definition: The protection of information assets from unauthorized disclosure, modification or destruction by either accidental or intentional means. (Slide diagram: Business Information Assets, threatened by Modification, Disclosure and Destruction.)

Vulnerabilities

- Errors and omissions
- Dishonest employees
- Fire and natural disasters
- Disgruntled employees
- Water
- Other (including strangers)

The exposure is highly dependent on the nature of the business and its resources (type of information).

Risk Evaluation

(Slide chart: Losses versus Controls, in dollars, showing the cost of Additional Security Measures and the Balanced Risk point.)

Options: Avoid, Assign, Assume

Identify Hazards

- Natural hazards: fire, storm, flood, earthquake, volcanic eruption, other
- Man-made hazards: errors, omissions, mischief, vandalism, arson, riot, war, fraud, embezzlement, theft, eavesdropping, other

Key Issues

There are several major issues with regard to organization security:

- First is the need for a policy and an active security program.
- Second is the need for access controls, both physical and logical.
- Third is the need for audit and control programs to ensure that the security program is effective.
- Fourth is the need for a contingency plan to protect the organization from harm during periods of time when information processing services are unavailable.

We will briefly touch on each of these areas of need and wrap up with a few ideas on how to implement an effective security program.
Security Policy

- Every organization should have a published organization-wide policy relating to the protection of the organization's information assets.
- The policy should be signed by the organization's CEO.
- The policy should set direction and provide broad guidance. Detailed guidelines should be spelled out in other documents.
- The policy should be disseminated throughout the entire organization.
- Employees should be required to sign a statement that they have read and understand the security policy.
- The policy should be regularly reviewed and updated to maintain currency with the organization's structure and assets.

Security Manager

Security is a line management responsibility. However, the need exists for a knowledgeable security management (staff) function. Ideally, this security manager staff position should be:

- High in the organization
- Outside of the Data Processing function
- Capable of administering an organization-wide perspective
- Responsible for assisting the CEO to formulate and maintain currency of the security policy
- Responsible for assisting line management to:
  - Interpret the security policy
  - Establish departmental guidelines
  - Communicate guidelines to employees
- Responsible for the coordination of periodic security audits

Ownership Program

The heart of a good security system is an effective "ownership program", which includes having all of the information assets identified and the ownership of each asset assigned and acknowledged. We will just touch on this concept here, but a complete tutorial is available on-line under the Ownership and Classification education module.
An Owner is defined as:

- An individual responsible for a specific information asset
- Having "property rights" to that asset
- The person responsible for making decisions on asset classification and protection
- The approver of application controls and authorizer of access to the asset
- A key participant in the risk assessment, risk acceptance and contingency planning processes

Other ownership program roles are:

- Custodians: those who have "authorized possession" of the asset (normally a data processor)
- Users: those who have "authorized access" to the asset

Education and Awareness

An integral component of a good security program is an effective education and awareness process. The dynamics of information assets and the ever-changing environment create an on-going need to educate employees and to maintain a constant level of awareness of the need to protect and preserve key information. An effective education and awareness program will:

- Provide an orientation tutorial and guidelines for all new employees
- Periodically advise and update all employees of the need for information asset security
- Elevate the level of awareness for security through seminars, films, publications and bulletin boards
- Immediately alert all employees of potential threats
- Train all employees on the effective use of access controls, SPAM prevention, etc.
- Define and assign individual management responsibilities
- Implement an annual certification process
- Provide adequate documentation and instructions for periodic audits

Access Control: Physical Access Control

There are 3 basic areas for most facilities: PUBLIC, PRIVATE, and RESTRICTED.

Access to other than public areas should be limited to:
- Persons who work there on that shift
- Authorized, escorted visitors

Physical controls to be considered include:
- Limited entrances
- Combination locks
- Badge access
- Closed Circuit TV
- Limiting the number of persons
- Low visibility of the facility

Access Control: Data Classification

Classification of information is its systematic labeling to indicate a specific set of protective controls on the basis of its sensitivity to destruction, modification, and disclosure. We will just touch on this concept here, but a complete tutorial is available on-line under the Ownership and Classification education module.

- Labels communicate sensitivity
- A label indicates controls based on guidelines
- Guidelines are assigned by the owner
- Custodians and Users abide by the rules

Access Control: Individual Identification and Authentication

Each individual accessing sensitive resources must have a unique ID and password. Passwords should:
- Never be shared
- Be non-trivial
- Be of sufficient length to resist an exhaustive attack
- Be non-predictable
- Be changed periodically (at least every six months)
- Not be reused for an extended period of time
- Contain no vowels

Other forms of identification:
- Magnetic stripe cards
- Palm geometry
- Fingerprints
- Signature
- Voice

Data Access Controls

Data access control utilizes special software with the intent of restricting user access to job-related resources.
- Access rules must be kept current
- Records should be kept on all accesses
- Unsuccessful tries should be limited (the "3 and out" rule)
- Alert for suspicious unauthorized attempts
- Special controls should be in place for dial-up access
- Cryptography should be used for transmission or storage of sensitive information

Audit and Control: Management Controls

Management controls are basic business controls applied to information assets and include:
- Separation of duties
- Span of management control
- Change control (see additional education materials for this topic under the Executive Blueprints education index)
- DP (Data Processing) function separate from principal users
- Work processed according to procedures
- Timely detection of errors
- Error correction, recovery and restart procedures
- Personnel procedures including job rotation, hiring, and termination

Management Reviews

Periodic management reviews should be conducted utilizing a variety of techniques including self-assessment, peer review, and outside formal audit.

Internal/External Audit

Audits should be conducted to review security procedures, plus physical and logical access controls. An integral part of the audit should be independent testing and penetration tests. Also include the obvious but quite often overlooked simple exposure areas such as locked desks, clean desks, locked terminals, locked offices, shredding of confidential documents, and password confidentiality.

Application & Development Controls

The primary focus in this area is on ensuring that the applications used for accessing and/or manipulating information assets do "what and only what" they are intended to do.
Controls should ensure that:
- There is complete accountability for changes
- Changes are independently authorized by user management
- Changes are agreed to by the development manager
- No programmer has access to live data
- Standards have been documented, agreed to, and are being enforced
- Procedures are used to evaluate the validity, accuracy, and performance of applications. Typical procedures employed here are phase reviews, walk-throughs, and inspections.

Contingency Planning

Contingency planning addresses three key areas:
- Emergency plans
- Backup plans
- Recovery plans

It is not a Data Processing plan. It is a business plan that addresses all critical business functions.

- The plan should be clearly documented, distributed to all business functions and stored off-site.
- Individual responsibilities and alternates should be defined for implementation of the plan.
- Vital records (critical and sensitive to destruction) should be backed up regularly, stored off-site in a controlled environment and periodically audited for completeness.
- Users who are responsible for keeping the business running while Data Processing restores service should have a documented plan with alternate procedures for critical business functions.
- Plans should be tested yearly at a minimum, utilizing a variety of methods such as drills, exercises, walk-throughs, and third-party reviews.
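The Data Access Controls and Audit slides above call for three things a logical access control product has to do together: keep a record of every access, limit unsuccessful tries (the "3 and out" rule) and alert on suspicious attempts. The following access-log monitor is an added example written for this page; it is not code from Executive Blueprints or from any product the presentation refers to. The log line format, the field names, the sample log and the choice to count consecutive failures per user ID are all constructed assumptions.

```python
"""Access-log monitor: records every access, locks a user ID after three
consecutive failures ("3 and out") and raises alerts for suspicious attempts.

Added example for this page. The log format, field names and sample data
below are constructed; the threshold follows the slide's "3 and out" rule and
is assumed to apply to consecutive failures for the same user ID.
"""

import re
from collections import defaultdict
from dataclasses import dataclass, field

MAX_FAILURES = 3  # the slide's "3 and out" rule

# Constructed log format: timestamp, user ID, outcome (OK/FAIL), source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+result=(?P<result>OK|FAIL)\s+src=(?P<src>\S+)$"
)


@dataclass
class MonitorState:
    failures: dict = field(default_factory=lambda: defaultdict(int))  # consecutive failures per user
    locked: set = field(default_factory=set)                          # user IDs locked out
    audit: list = field(default_factory=list)                         # every access, as the slide requires
    alerts: list = field(default_factory=list)                        # messages for the security function


def parse_line(line):
    """Parse one constructed log line into a dict; reject anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def process_event(state, ev):
    """Apply one access event. Returns 'ok', 'fail' or 'locked'."""
    user = ev["user"]
    # Records are kept on all accesses, successful or not.
    state.audit.append((ev["ts"], user, ev["result"], ev["src"]))

    if user in state.locked:
        # Any attempt against a locked ID is suspicious, even a successful one:
        # the lock stays until an administrator resets it (not modelled here).
        state.alerts.append(f"{ev['ts']} attempt on locked account {user} from {ev['src']}")
        return "locked"

    if ev["result"] == "OK":
        state.failures[user] = 0  # a success resets the consecutive-failure count
        return "ok"

    state.failures[user] += 1
    if state.failures[user] >= MAX_FAILURES:
        state.locked.add(user)
        state.alerts.append(
            f"{ev['ts']} {user} locked after {MAX_FAILURES} consecutive failures (last src {ev['src']})"
        )
        return "locked"
    return "fail"


def run_monitor(lines):
    """Feed a sequence of log lines through the monitor and return its final state."""
    state = MonitorState()
    for line in lines:
        if line.strip():
            process_event(state, parse_line(line))
    return state


# Constructed sample log: alice mistypes once then succeeds; bob fails three
# times and is locked, so his later successful login is still flagged.
SAMPLE_LOG = """
2008-03-30T09:14:02 user=alice result=FAIL src=10.0.0.5
2008-03-30T09:14:09 user=alice result=OK src=10.0.0.5
2008-03-30T09:20:11 user=bob result=FAIL src=10.0.0.7
2008-03-30T09:20:15 user=bob result=FAIL src=10.0.0.7
2008-03-30T09:20:19 user=bob result=FAIL src=10.0.0.7
2008-03-30T09:20:25 user=bob result=OK src=10.0.0.7
""".strip().splitlines()


if __name__ == "__main__":
    s = run_monitor(SAMPLE_LOG)
    print(f"{len(s.audit)} accesses recorded, locked: {sorted(s.locked)}")
    for a in s.alerts:
        print("ALERT", a)
```

Two design points match the slides rather than convenience: the audit list is appended before any decision is made, so a locked-out or failed attempt is still recorded, and a correct password presented after the lockout does not silently unlock the ID but produces an alert, which is what "alert for suspicious unauthorized attempts" asks for. The reset of the lock belongs to the security manager function, so it is deliberately left out of the monitor.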
Selective Protection Concept

(Slide diagram only.)

Implementation Checklist

Check these process steps for implementation status.

Review Ownership Process

- Have we identified our critical information assets?
- Have we analyzed our ability to protect our information assets?
- Have we provided for adequate protection?
- Have we considered needs and opportunities to enhance our procedures?
- Have we gained the support of all employees to protect our assets?

Certificate of Achievement

www.ExecutiveBlueprints.com/certificates/091064.htm

Free Certificate of Achievement for completing this course! Click on the link above to print your free on-line Certificate of Achievement.
- Click on the special link above and connect to our web site
- Type your name as you would like it to appear on the certificate
- Change your Page Setup or Printer to LANDSCAPE
- Print your certificate

Note: requires the ability to connect to the Internet and a locally connected printer.

About Executive Blueprints, Inc

Business Consulting Professionals. Affiliated consultants with years of executive business management and "real life" experience and success, characterized by a passion for learning and a talent for teaching. We consolidate experience and relevant information into seminars, self-paced tutorials, coaching and targeted support projects to accommodate the demands of modern management. www.ExecutiveBlueprints.com

So much more from Executive Blueprints: BizRolodex of Discounts, Executive Coaching, Business Consulting, Travel Tips, and the list keeps growing. Go to www.ExecutiveBlueprints.com for a Calendar of Seminars, Case Studies, Training Tools, electronic Books and an Email Newsletter. Executive Blueprints is designed and managed by business leaders, with input and suggestions from business leaders, to support the efforts of current and future business leaders.
Get connected, share your knowledge and learn from the experience of other successful executives. So much more from www.ExecBlue.com