3. Protection of Information Assets (25%)

Protecting Personal & Institutional Information Assets & Data
Extra Credit Project
Jack Mason & July James
12/01/1999

3. Protection of Information Assets (25%)
• 3. Protection of Information Assets (Content Area, approximately 25% of exam)
• 3.1 Evaluate the design, implementation, and monitoring of logical access controls to ensure the integrity, confidentiality, and availability of information assets.
• 3.2 Evaluate network infrastructure security to ensure integrity, confidentiality, availability and authorized use of the network and the information transmitted.
• 3.3 Evaluate the design, implementation, and monitoring of environmental controls to prevent and/or minimize potential loss.
• 3.4 Evaluate the design, implementation, and monitoring of physical access controls to ensure that the level of protection for assets and facilities is sufficient to meet the organization's business objectives.

Knowledge Statements 1
• 3.01 Knowledge of the processes of design, implementation, and monitoring of security (e.g. gap analysis, baseline, tool selection)
• 3.02 Knowledge of encryption techniques (e.g. DES, RSA)
• 3.03 Knowledge of public key infrastructure (PKI) components (e.g. certification authorities (CA), registration authorities)
• 3.04 Knowledge of digital signature techniques

Knowledge Statements 2
• 3.05 Knowledge of physical security practices (e.g. biometrics, card swipes)
• 3.06 Knowledge of techniques for identification, authentication, and restriction of users to authorized functions and data (e.g. dynamic passwords, challenge/response, menus, profiles)

Knowledge Statements 3
• 3.07 Knowledge of security software (e.g. single sign-on, intrusion detection systems (IDS), automated permissioning, network address translation)
• 3.08 Knowledge of security testing and assessment tools (e.g. penetration testing, vulnerability scanning)
• 3.09 Knowledge of network and Internet security (e.g. SSL, SET, VPN, tunneling)

Some Possible Threats
• Email Interception
• Email Spoofing
• Web Data Interception
• Network & Volume Invasion
• Marketing Data / Spam & Junk Mail
• Viruses, Worms, Trojan Horses
• Password Cracking

More Possible Threats
• Mail bomb
• Denial of Service (DoS)
• Piracy of Intellectual Property

Email Interception
Methods
• Script Monitor
  – Running a script on a server that receives email traffic, monitoring emails for certain keywords or number patterns (e.g. “bomb + president” or credit card number patterns).
• Account Emulation
  – Stealing someone’s user id and password to gain access to their email account.
Defenses
• Digital Certificates
  – Digital certificates authenticate you as the sender and are extremely difficult to forge. They allow very strong encryption of email communications.
• PGP
  – “Pretty Good Privacy” allows strong encryption of your text. It can be incorporated easily into any text oriented program.

Standard Encryption
• Text is encrypted and sent by the originator
• Ciphertext is decrypted by recipient
• Same key is used for encryption and decryption
• If key is intercepted or deciphered, encryption becomes useless
  – This is how WWII was won...

Strong Cryptography
• “There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter.” -- Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C.
• 40 bit cryptography is considered weak. This can be intercepted and deciphered in seconds using today’s tools.
• By contrast, 128 bit cryptography is considered technically infeasible to crack. Most banks require a 128 bit browser for online banking.

Dual Key Cryptography
• Key pair is generated - public and private key.
• Public key is sent to server and exchanged with others
• Private key is guarded by the user

Dual Keys Continued
• Encrypted message is generated using the recipient’s public key and your private key.
• Only the intended recipient with the corresponding private key will be able to decrypt.
• NSA hates this to be in the hands of the general public… but you have the right to privacy.

What is a Digital Certificate? (X.509)
• Acts as a virtual signature
• Very hard to forge
• Can be used for encryption or authentication
• Resides in the Browser/Email Client/OS
• Free digital certificates are available
• PGP Freeware is available

What is PGP?
• Created by Phil Zimmermann
  – PGP is now a subsidiary of Network Associates
• Secures e-mail and files
• Based on “Public Key” Cryptography
• Users who have never met can exchange encrypted documents.
• Freeware

How To Encrypt a Message (1)
This will describe how to encrypt a message using Digital Certificates with Netscape Communicator.
Clicking on the Security button in Netscape Communicator opens the Security Window below:
• Obtain and install a certificate using the step by step instructions at the issuing website.

How To Encrypt a Message (2)
An email that has a digital certificate attached will display this icon in Communicator. You can click on the icon to examine the cert. Certs emailed to you are automatically added to Communicator’s database.
• Users must exchange “public keys”.
• Can be done via LDAP directory or email exchange.
You can search for certificates on public directories (LDAP) directly from within Communicator.

How To Encrypt a Message (3)
• Once keys have been exchanged, address an email to the other party.
• Click on the Security button and select the option for encrypting message.
• That’s it!

Email Spoofing
• Happens when someone impersonates an email user, sending messages that appear to be from the victim’s email address.
• Spoofing can be prevented by using your Digital Certificate or PGP to “Digitally Sign” your email message.
• Even Certificates can be spoofed, although difficult. Check the “Certificate Fingerprint” of the message to be sure it’s authentic.
(Screenshot caption) Certificate Fingerprint: E4:58:C8:8F:B5:90:4C:AC:AB:79:9C:6A:32:0C:3E:4E
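
The dual-key flow from the previous slides (encrypt to the recipient’s public key, sign with your own private key) together with the fingerprint check that the spoofing slide recommends, as an added example in Go using only the standard library. This is not code from the slides, from PGP or from Netscape; the key names (alice, bob, mallory), the sample messages and the choice of SHA-256 for the fingerprint are assumptions made for the demo.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// SignedMessage is what travels over email: ciphertext only the recipient can
// read, plus a signature that binds it to the sender's private key.
type SignedMessage struct {
	Ciphertext []byte
	Signature  []byte
}

// NewDemoKey generates a fresh 2048-bit RSA key; constructed for the demo,
// where real users would get their keys from certificates or PGP keyrings.
func NewDemoKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Fingerprint hashes the DER encoding of a public key and formats it in the
// colon-separated hex style shown on the slides. SHA-256 is an assumption
// here; the slide's 16-byte value is an older MD5-style fingerprint.
func Fingerprint(pub *rsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err) // cannot happen for a well-formed RSA key
	}
	sum := sha256.Sum256(der)
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	parts := make([]string, 0, len(sum))
	for i := 0; i < len(h); i += 2 {
		parts = append(parts, h[i:i+2])
	}
	return strings.Join(parts, ":")
}

// Seal encrypts plaintext to the recipient's public key (RSA-OAEP) and then
// signs the ciphertext with the sender's private key (RSA-PSS): the
// "recipient's public key and your private key" step from the slides.
func Seal(plaintext []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*SignedMessage, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, plaintext, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return &SignedMessage{Ciphertext: ct, Signature: sig}, nil
}

// Open verifies the signature against the public key the message claims to
// come from before touching the ciphertext; a message signed by anyone else,
// or altered in transit, is rejected. That check is what defeats spoofing.
func Open(msg *SignedMessage, claimedSender *rsa.PublicKey, recipient *rsa.PrivateKey) ([]byte, error) {
	digest := sha256.Sum256(msg.Ciphertext)
	if err := rsa.VerifyPSS(claimedSender, crypto.SHA256, digest[:], msg.Signature, nil); err != nil {
		return nil, errors.New("signature does not verify against claimed sender: possible spoof")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, msg.Ciphertext, nil)
}

func main() {
	alice, bob, mallory := NewDemoKey(), NewDemoKey(), NewDemoKey()

	// The value Bob compares with the fingerprint Alice gave him out of band.
	fmt.Println("Alice's key fingerprint:", Fingerprint(&alice.PublicKey))

	msg, err := Seal([]byte("constructed sample: please review the attached report"), alice, &bob.PublicKey)
	if err != nil {
		panic(err)
	}
	pt, err := Open(msg, &alice.PublicKey, bob)
	fmt.Printf("genuine message: %q, err=%v\n", pt, err)

	// A message Mallory signs while claiming to be Alice fails verification.
	forged, _ := Seal([]byte("constructed sample: spoofed request"), mallory, &bob.PublicKey)
	_, err = Open(forged, &alice.PublicKey, bob)
	fmt.Println("spoofed message:", err)
}
```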

Shopping Securely
• You should never input sensitive info such as Credit Card numbers into a non-secure website.
• Make sure website is certified by a trusted Certificate Authority (CA)
(Screenshot caption) List of default trusted CAs in Communicator

How to Shop Securely
• When you enter a secure site, Communicator’s Security icon will change as shown:
• Click on the Security button to examine which CA asserts that this site is safe.
Note: Attempting to enter a secure site that is not signed by a valid or default CA will result in a cautionary error message.

Hacking Into Your Computer
• DSL and Cable internet access means round the clock connections of home and small business computers to the Internet.
• Greatly increases the chance of attack.
• Physical access is always a danger, too.
• Hackers can gain access to your personal files, Quicken data, etc.

Stopping Hackers
• Set up a personal/home firewall.
• Encrypt your sensitive files!!!
  – PGP, all platforms.
  – Mac OS 9 Built-In Encryption Feature
• Don’t give out your passwords to anyone!
• Use difficult passwords - not simple dictionary style words.

Password Strength
• Simple words out of a dictionary make bad passwords.
• Use mixed upper and lower case characters.
• Use non-alphanumeric characters such as: ~!@#$%^&*()_+=-{}[]|\:;”’/?.>,<`
• Avoid sharing passwords, even with friends and family.

Password Strength Examples
• Using a simple passphrase such as “coffee” is simple to hack; it takes about 40 minutes to break.
• Using random alphanumerics is significantly more difficult: a passphrase such as “bR1a9Az” takes about 22 years to crack.
• Using the full range of the keyboard with truly random characters is totally infeasible to crack. A passphrase like “,ThX1pD<V+” would take 3.8 x 10^8 years to crack.

Key Strength Comparison
• Most browsers ship with a default of 40 bit encryption capabilities.
• You must upgrade to a 128 bit encryption capable browser for most online banking.

Time to break a key, by key length and attacker:

Key Length (bits) | Individual Attacker | Small Group | Academic Network | Large Company | Military Intelligence Agency
40                | weeks               | days        | hours            | milliseconds  | microseconds
56                | centuries           | decades     | years            | hours         | seconds
64                | millennia           | centuries   | decades          | days          | minutes
80                | infeasible          | infeasible  | infeasible       | centuries     | centuries
128               | infeasible          | infeasible  | infeasible       | infeasible    | millennia
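
How the crack-time estimates on the password examples slide and the key strength table above are derived: a password drawn at random from a character set of size c with length n has c^n candidates (a dictionary word has only as many candidates as the dictionary), a key of b bits has 2^b, and dividing the candidate count by an attacker’s guess rate gives the time to exhaust it. Added example in Go, not from the slides; the guess rates, the 100,000-word dictionary size and the tiny word list are assumptions, so the resulting units illustrate the method rather than reproduce the slide’s exact figures.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"unicode"
)

// Symbols is the non-alphanumeric set listed on the "Password Strength" slide.
const Symbols = "~!@#$%^&*()_+=-{}[]|\\:;\"'/?.>,<`"

// assumedDictionarySize stands in for a cracking word list; the number and the
// tiny word list below are assumptions for the demo, not figures from the slides.
const assumedDictionarySize = 100000

var constructedWordList = map[string]bool{"coffee": true, "password": true, "letmein": true}

// CharsetSize returns the combined size of the character classes (lower 26,
// upper 26, digits 10, the slide's 32 symbols) that the password draws from.
func CharsetSize(pw string) int {
	classes := []struct {
		in   func(rune) bool
		size int
	}{
		{unicode.IsLower, 26}, {unicode.IsUpper, 26}, {unicode.IsDigit, 10},
		{func(r rune) bool { return strings.ContainsRune(Symbols, r) }, len(Symbols)},
	}
	size := 0
	for _, c := range classes {
		if strings.IndexFunc(pw, c.in) >= 0 {
			size += c.size
		}
	}
	return size
}

// EntropyBits is log2 of the number of candidates a brute-force attacker must
// try. A dictionary word scores as log2(dictionary size) whatever its length,
// which is why "coffee" is far weaker than its six letters suggest.
func EntropyBits(pw string) float64 {
	if constructedWordList[strings.ToLower(pw)] {
		return math.Log2(assumedDictionarySize)
	}
	return float64(len([]rune(pw))) * math.Log2(float64(CharsetSize(pw)))
}

// SecondsToExhaust is the worst-case time to try every candidate of the given
// bit strength at the given guess rate; on average an attacker needs half.
func SecondsToExhaust(bits, guessesPerSecond float64) float64 {
	return math.Pow(2, bits) / guessesPerSecond
}

// Humanize maps a duration onto the coarse units the slide's table uses.
func Humanize(seconds float64) string {
	const year = 365.25 * 24 * 3600
	names := []string{"microseconds", "milliseconds", "seconds", "minutes", "hours", "days", "weeks", "years", "decades", "centuries", "millennia"}
	limits := []float64{1e-3, 1, 60, 3600, 86400, 7 * 86400, year, 10 * year, 100 * year, 1000 * year, 1e6 * year}
	for i, limit := range limits {
		if seconds < limit {
			return names[i]
		}
	}
	return "infeasible"
}

func main() {
	// Assumed guess rates (per second) for three of the slide's attacker classes.
	rates := map[string]float64{"individual": 1e6, "small group": 1e8, "agency": 1e13}
	for _, pw := range []string{"coffee", "bR1a9Az", ",ThX1pD<V+"} {
		bits := EntropyBits(pw)
		fmt.Printf("%-13q %5.1f bits -> %s for an individual attacker\n", pw, bits, Humanize(SecondsToExhaust(bits, rates["individual"])))
	}
	fmt.Println("\nkey bits  individual / small group / agency")
	for _, bits := range []float64{40, 56, 64, 80, 128} {
		fmt.Printf("%-9.0f %s / %s / %s\n", bits,
			Humanize(SecondsToExhaust(bits, rates["individual"])),
			Humanize(SecondsToExhaust(bits, rates["small group"])),
			Humanize(SecondsToExhaust(bits, rates["agency"])))
	}
}
```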

Strong Encryption Browsers
• Netscape Communicator is freely available for all platforms with 128 bit encryption capability and full features.
• 128 bit capable version of Microsoft Internet Explorer is available for Windows and Macintosh. (Mac version has limited features.)
• You may have to install additional plug-ins to get 128 bit capabilities out of MSIE.

Viruses
• Computer viruses are 100% man made.
• Can be transmitted via email, disk, network, etc…
• Most are harmless experiments.
• Some are intended to wreak havoc on individuals and networks.

Virus Protection
• Get a virus protection package and install it on your computer.
• Check the vendor’s website for downloadable updates and alerts on new viruses.
• Don’t open email or attachments from unknown sources.

Safeguarding Customer Information
Gramm-Leach-Bliley Act (GLBA) Compliance

Why was GLBA enacted?
Section 501 of the Gramm-Leach-Bliley Act requires Financial Institutions to establish standards relating to administrative, technical and physical information safeguards to protect customer records and information.

Safeguard Objectives:
• Ensure security and confidentiality of customer records and information.
• Protect against any anticipated threats or hazards to the security of the records.
• Protect against unauthorized access or use of records or information which could result in harm or inconvenience to the customer.

Information Security Plan
• Written to ensure security and confidentiality of non-public customer financial information (NPI).
• Protect against any anticipated threats and hazards.
• Protect against unauthorized access or use.

Non-public customer information (NPI)
• Credit card numbers
• Social Security numbers
• Driver’s license numbers
• Student loan data
• Income information
• Credit histories
• Customer files with NPI
• NPI Consumer information
• Bank Account data

Financial Institutions, including Colleges and Universities, must ensure that their security programs provide adequate protection to customer information in whatever format – electronic or hardcopy.

FTC Ruling
Consumer’s information is not a privacy issue but is one of security.
Compliance with FERPA does not exempt colleges and universities from GLBA safeguarding regulations.

FERPA vs. GLBA
• The Family Educational Rights and Privacy Act addresses the privacy of student information.
• Gramm-Leach-Bliley Act addresses the security of customer records and information.

University Actions
• Has established a committee to ensure compliance.
• Committee meets regularly to review and ensure compliance with the act.
• Performs risk assessment and regular testing.
• Oversees service providers and contracts.
• Trains staff to maintain security and confidentiality.

Why Protect your Identity?
Identity Theft

Statistics on Identity Theft in New Jersey
4802 Complaints / year
1. Credit Card Fraud: 2,350 (49%)
2. Phone or Utilities Fraud: 867 (18%)
3. Bank Fraud: 669 (14%)
4. Government Documents/Benefits Fraud: 396 (8%)
5. Loan Fraud: 356 (7%)
6. Employment-Related Fraud: 260 (5%)
7. Attempted Identity Theft: 477 (10%)
8. Other: 710 (15%)

What is Identity Theft?
• Under the ID Theft Act, identity theft is defined very broadly as: knowingly using, without authority, a means of identification of another person to commit any unlawful activity. (Unlawful activity: a violation of Federal law, or a felony under State or local law.)

Identity Theft
When someone steals your identity, they are usually using your credit to obtain goods and services for themselves that “you” will have to pay for.

How Does an Identity Thief Get Your Information?
• Stealing files from places where you work, go to school, shop, get medical services, bank, etc.
• Stealing your wallet or purse.
• Stealing information from your home or car.
• Stealing from your mailbox or from mail in transit.
• Sending a bogus email or calling with a false promise or fraudulent purpose.
  – For example: pretending to be from a bank, creating a false website, pretending to be a real company, fake auditing letters.

From: PNC Bank
Sent: May 17, 2004 6:31 PM
To: abuse@Miami.edu
Subject: To All PNC bank users
Dear PNC user,
During our regular update and verification of the user data, you
must confirm your credit card details.
Please confirm you information by clicking link below.
http://Cards.bank.com pncfeatures/cardmember access.shtml

How Does an Identity Thief Use Your Information?
• Obtains Credit Cards in your name or makes charges on your existing accounts (42%).
• Obtains Wireless or telephone equipment or services in your name (20%).
• Forges checks, makes unauthorized EFTs, or opens bank accounts in your name (13%).
• Works in your name (9%).
• Obtains personal, student, car and mortgage loans, or cashes convenience checks in your name (7%).
• Other uses: obtains driver’s license in your name.

Victims of Identity Theft
• If your identity is stolen, do the following immediately:
  – Contact the fraud department of the three major credit bureaus (Equifax, Experian, Trans Union).
  – Contact your creditors and check your accounts.
  – File a police report.
  – File a complaint with the FTC.

Recovery
• Take back control of your identity:
  – Close any fraudulent accounts.
  – Put passwords on your accounts.
  – Change old passwords and create new PIN codes.

Prevention
Protect yourself. Protect others.
Guard against fraud:
• Sign cards as soon as they arrive.
• Keep records of account numbers and phone numbers.
• Keep an eye on your card during transactions. Also be aware of who is around you; is anyone else listening?
• Check your credit report and credit card monthly statements.

Annual credit bureau report
• New Jersey residents are entitled to one free annual credit report.
• If you are denied credit, you are allowed to request one free copy of your credit report.
• Check your report for accurate information, open accounts, balance information, loan information, etc.

Credit Bureau Links
• Equifax – www.equifax.com
  – To order a report, 1-800-685-1111
  – To report fraud, 1-800-525-6285
• Experian – www.experian.com
  – To order a report, 1-888-397-3742
  – To report fraud, 1-888-397-3742
• Trans Union – www.tuc.com
  – To order a report, 1-800-916-8800
  – To report fraud, 1-800-680-7289

Have you been a Victim?

You may be a victim if:
• You are denied credit.
• You stop getting mail.
• You start getting collection calls/mail.
• You start getting new bills for accounts you do not have or services you did not authorize.
• Your bank account balance drops.

Damages
• Time
• Money
• Credit rating
• Reputation

Good Practices
• Photocopy the contents of your wallet/purse.
• Photocopy your passport (keep a copy at home and one with you when you travel).
• Empty your wallet/purse of non-essential identifiers.
• Do not use any information provided by the people who may be trying to scam you; look it up yourself.
• Shred documents before you dispose of them.

GLBA requires us to PROTECT CONSUMERS from substantial harm or inconvenience.

What can we do to guard NPI?
• Keep confidential information private.
• Use care when asking for or giving an SSN.
• Use secure disposal methods.
• Protect the privacy of data transmissions.
• Improve procedures.

Actions to prevent Others from becoming Victims
• Determine what information you need.
• Provide a secure workplace.
• Always ask for a student’s ID or debtor’s account number.
• Keep prying eyes away from customers’ information.
• Don’t expose NPI information to the outside world.

Actions to prevent Others from becoming Victims (continued)
• Take care when you provide employees’ or customers’ personal information to others.
• Know & explain how you handle personal information.
• Ask for written permission prior to sharing personal information.
• Report problems or concerns to managers or supervisors.

Remember to always maintain confidentiality, security and integrity:
Avoid
  – unauthorized disclosure
  – removing information from your office
  – sharing information
  – tossing information in the trash
  – downloading or e-mailing information.

General Privacy
• Do not provide correcting information for account verification questions.
• Be suspicious.
• Be paranoid.
• Don’t be afraid to say no when asked for information that is not required to conduct the current business transaction.

What are university assets?

University Assets
Are customer information and records assets?

Safeguarding Information
• Information takes many forms.
• Information is stored in various ways.
• Data assets have unique risks.

Safeguarding Information
Your Role:
• Ensure Physical Security.
• Select and protect hard to guess passwords.
• Avoid email traps and disclosures.
• Back up files.
• Log off your computer when not in use.
• Do not open emails with attachments from unknown sources.
• Obliterate data before giving up your computer.
• Recognize social engineering tactics.

Safeguarding Information
Your role as a user…. What else can you do?

Check your work area!
• Do you leave NPI reports on your desk?
• Is NPI stored in unlocked file cabinets?
• Keep computer disks secure.
• Do not save NPI on your computer C drive.

Safeguarding Information
Your role….
The University has many policies and procedures to help you; learn them.

University Regulations & Guidelines related to Safeguarding
Standards for University Operations Handbook
• Confidentiality
• Accounting for Financial Resources
• Acceptable Use of Network & Computing Resources:
  – Agreement for Accessing Information
  – Acceptable Use Policy
  – Guidelines for Interpretation of Acceptable Use
  – Acceptable Use Supplement
  – Basics

Potential Damages to Any U.
• Reputation
• Violation of federal and state laws
• Fines
• Reparation costs
• Recovery costs
• Increased prevention costs
Georgia Tech’s accidental release of credit card data to the internet cost them over $1,000,000.

Expectations
• All University employees are responsible for securing and caring for University property, resources and other assets.
• The University relies on the attention and cooperation of every member of the community to prevent, detect and report the misuse of university assets.

Prevention
• Protect yourself
• Protect others

Safeguarding customer information and university assets is everyone’s job!

Information Security Management (ISO/IEC 17799:2000) & Certified Risk Analysis Methodology Management (CRAMM)
ISO - International Standardization Organization

Migrating
Migrating from compliance with the IM&T (Info. Management Tech) Security Manual to compliance with BS7799
Overview
Implementation - assistance available

What is Information Security Management (ISM)?
An enabling mechanism whose application ensures that information may be shared in a manner which ensures the appropriate protection of that information & associated information assets.

Basic Components
• Confidentiality: protecting sensitive information from unauthorized disclosure
• Integrity: safeguarding the accuracy and completeness of information/data
• Availability: ensuring that information and associated services are available to users when required

Problem
• Until the early 90s information was handled by many organizations in an ad hoc and, generally, unsatisfactory manner
• In a period of increasing need to share information, there was little or no assurance that such information could or would be safeguarded
• What control measures there were focussed almost entirely on computer data, to the exclusion of other forms of information

Code of Practice
• 1993: in conjunction with a number of leading UK companies and organizations, produced an ISM Code of Practice incorporating the best information security practices in general use.
• Addressed all forms of information; e.g. computer data, written, spoken, microfiche etc.

Code of Practice - Aims
• To provide
  – A common basis for organizations to develop, implement, and measure effective information security management practice
  – Confidence in inter-organisational dealings

Balance
• A common concern amongst organizations is that the application of security measures often has an adverse impact on, or interferes with, operational processes
• BS7799 processes are flexible enough to ensure that the right balance can be struck: security with operational efficiency!

Assets - Examples

The Standard
• And
  – Personnel Security. Measures to reduce risks of human error, theft, fraud or misuse of facilities
  – Physical/Environmental Security. Prevention of unauthorized access, interference to IT services and damage
  – Computer and Network Management. To ensure correct and secure operation of computer and network facilities

The Standard
• …
  – System Access Control. Controls to prevent unauthorized access to computer systems
  – System Development and Maintenance. A security program complementing development/maintenance of IT systems
  – BCP. Measures to protect critical business processes from major failures and disasters
  – Compliance. To avoid breaches of statutory or contractual requirements and ensure the ISMS is operational

Controls
Each of these Categories contains a number of security controls, mandatory or otherwise, which can be implemented as part of the information security risk management strategy.
The same controls will not necessarily apply across the board, owing to the varying nature of organizations, risk factors etc.

The Crux of the Matter
• Information is subject to numerous risks, which can be grouped together under the generic headings of:
  – Accidental
  – Natural
  – Deliberate
• A risk being the product, in this case, of the threat to information and its assets, and vulnerability to the threats

Risk Analysis
• The point is:
  – An effective risk management strategy cannot be implemented until the risks are identified and measured (that is, analyzed)
• It almost goes without saying that analysis should be based upon a sound and proven methodology
• Therefore we will use CRAMM

CRAMM
• Developed in 1985, CRAMM Risk Analysis Methodology is a complete package, containing:
  – the risk analysis process itself
  – associated documentation (inc. report functionality; results and conclusions)
  – training
  – software support tools

CRAMM Version 4.0
• This version, the latest, includes
  – Full support for BS7799 including
    • GAP analysis
    • Implementation of a security improvement program
    • Statement of Applicability
    • Risk Modeling for multi-role organizations
    • AND undertake a Risk Analysis!
• A fit with BS7799: Part 2

Management Framework: ISMS
(Flowchart on the slide, reconstructed as a list of steps with the artifacts shown beside each)
Step 1: Define the Policy – Policy Document
Step 2: Define Scope of ISMS – Scope of ISMS; Information Assets
Step 3: Undertake RA (T. V. I. Risk Assessment) – Results & Conclusions
Step 4: Manage Risk; Select Control Options – Degree of Assurance Required
Step 5: Select Controls – Control Objectives; Additional Controls
Step 6: Statement of Applicability – Statement
(NB: Additional controls would incorporate DPA 1998, Caldicott and Info Governance requirements)

And then……..
• Develop and implement security policies which comply with your specific requirements in terms of BS7799
• Review and Maintain
• Simple, isn’t it?
• No, it is appreciated that compliance with BS7799 is a significant undertaking
• But, as the benefits themselves are significant… it is not only good practice, but makes good sense to adopt the standard

You are Not Alone
• CRAMM risk models are being developed for specific organizations (e.g. Acute Trusts)
• Such models will encompass approximately 90 - 95% of organizations
• Pioneer Projects - results of which will be fed into the overall implementation process
• Training
• Development and maintenance program
• FAQs
• Help Desk
• User Groups

Thanks for Coming!
For further information, contact:
Dr. A. Rush, Ph.D.
arush@Miami.edu