
Security Management

- Premanand Lotlikar

26th August, 2007


Agenda
• Introduction
• Objective of Security Mgmt
• Basic Concepts
• Benefits
• Relationship with other processes
• Activities in SLM
• Process Control
• Key Performance Indicators
• Cost
• Possible Problems
Introduction
• According to the latest statistical analysis, it is
estimated there are over 1.1 billion Internet
users worldwide [1]
• The Internet is full of useful information; in fact, it
is estimated that there are between 15 and 30
billion different websites in existence today [2]

• [1] World Internet Users and Population Stats. (2007, March 19). Internet
World Stats. http://www.internetworldstats.com/stats.htm
• [2] The size of the World Wide Web. (2007, February 25). Pandia Search
Engine News. http://www.pandia.com/sew/383-web-size.html
Introduction

• 651 million people around the world now use email regularly.
• This figure is expected to grow steadily over the next four years, reaching
850 million users by the end of 2008.
• Time wasted deleting junk e-mail costs American businesses nearly $22 billion a
year.
• Source: Security Statistics. (2005). Aladdin: Securing the Global Village.
http://www.esafe.com/home/csrt/statistics/statistics_2005.asp
Introduction
• Security Threats
• Telecom Threats
– War Dialing
– Unauthorized Remote Access
– Unauthorized ISP Access
– Unsecured Authorized Modems
– Proxy Impersonation
– Denial of Service
– Message Tampering
• VoIP Threats
[Figure: voice system attacks (unauthorized remote access modems, unauthorized ISP access, non-secure authorized modems); security gap left by the traditional data firewall; security system for the traditional voice network]
Identity Threats
Objectives
• To meet the security requirements of the SLA
and external requirements (legislation,
policies, etc.)
• To provide a basic level of security,
independent of external requirements
Basic Concepts
• Safety: not being vulnerable to
known risks
• Security is the tool that provides this
• Confidentiality: protecting information
against unauthorized access and use
• Integrity: accuracy, completeness and
timeliness of information
• Availability
Benefits
• Minimize downtime, exposure, and loss of critical
information caused by security attacks
• Minimizing damage to business, company brand,
customer loyalty, intellectual property, and employee
productivity
• Prevent or minimize the spread of security attacks within
the enterprise and stop the propagation of worms,
viruses, and other pathogens
• Control internal information for compliance with
regulations (for example, Sarbanes-Oxley and the Basel
II Accord) and prevent liabilities under the regulatory
mandates
• Focus on business rather than security incident recovery
Relationship with other processes
• Configuration Mgmt
• Incident Mgmt
• Problem Mgmt
• Change Mgmt
• Availability Mgmt
• Capacity Mgmt
• Service Level Mgmt
• IT Continuity Mgmt
Security Mgmt Process
Activities in SLM
• Plan
• Implement
• Evaluate
• Maintenance
• Reporting
Plan
• Includes defining the security section of
the SLA
• Business terms in SLA are converted to
operational terms in OLA
• Hence OLA can be considered as the
security plan for the service provider
• SLA should define the security
requirements in measurable terms
Implement
• Classification and management of IT resources:
– Providing input for maintaining CIs and the CMDB
– Classifying the IT resources
• Personnel security:
– Tasks & responsibilities in job description
– Screening
– Confidentiality agreement for personnel
– Training
– Guidelines for personnel for dealing with security
incidents
– Disciplinary measures
– Increasing security awareness
Implement
• Managing security:
– Implementation of responsibilities
– Written operating instructions
– Internal regulations
– Security guideline for the entire lifecycle
(development, testing, acceptance, operations, maintenance & phasing out)
– Separating the dev environment from test and
production
– Procedures for dealing with incidents
– Implementation of recovery facilities
– Implementation of virus protection measures
– Handling and security of data media
Implementation
• Access control:
– Implementation of access and access control
policy
– Maintenance of access privileges of users &
application to networks and network services
– Maintenance of network security barriers
– Implementation of measures of identification
and authentication
Evaluate
• 3 forms of evaluation:
– Self-assessments: primarily implemented by the line
organization of the process
– Internal audits: undertaken by internal IT auditors
– External audits: undertaken by external IT auditors
• Main activities are:
– Verifying compliance with the security plan and the
implementation of the plan
– Performing security audits on IT systems
– Identifying and responding to inappropriate use of IT
resources
Maintenance
• Includes the maintenance of the security
section of the SLA and detailed security
plans (OLA)
• Carried out on the basis of the results of
the Evaluation process
• Any changes are subject to Change Mgmt
Reporting
• It is not a sub-process but an output of the
other sub-processes
• Provides information about achieved
security performance and security issues
• Important both to the customer and
service provider
• Customer must be correctly informed
about the efficiency of the efforts and the
actual security measures
Reporting
• Planning:
– Reports about the UC and OLA
– Reports about the annual security plans and
action plans
• Implementation:
– Status reports about implementations
– List of security incidents and responses
– Identification of incident trends
– Status of the awareness program
Reporting
• Evaluation:
– Report about performance of sub-processes
– Results of audits, review & internal
assessments
– Warnings, identification of new threats
• Any specific report/s
Critical Success Factors
• Full mgmt commitment and involvement
• User involvement when developing the
process
• Clear and separated responsibilities
• Over-tasked IT staff
• Missing or poor co-ordination among
business units
• Lack of security governance model
Cost
Possible Problems
• Commitment
• Awareness
• Verification
• Change Mgmt
• Ambition
• Over-reliance on stronghold/fortress
techniques
Thank you!