A Year Affair with Security: the Development of a Security Program and Manager
Holt, Laurence
Proceedings of the 3rd annual conference on Information security curriculum development, 130-135, 2006

Presented by Tamera Goodman, March 8, 2010


Organization

• Introduction
• Initial State
• Initial Assessment
• Define
• Control
• Monitor
• Conclusions


Introduction

• New security manager of a global, decentralized hospital
• Firewalls and good engineers
• No policy
• No infrastructure
• No governance
• No strategy


Initial State

• The initial challenges:
  • learn enough about the company to define what the business needed to be secure
  • create a security program to fulfill this definition
  • identify the key corporate IT and business leaders
  • meet regulatory compliance deadlines


Initial State, cont.

Model: Risk Based
  Advantages: Only those controls that are needed are applied, which minimizes costs.
  Disadvantages: If the risk assessment is wrong or outdated, controls may not be sufficient.

Model: Standards Based
  Advantages: Collective development of standards assures that they meet a wide range of situations and are likely to be comprehensive.
  Disadvantages: Costs may be wasted on un-needed controls. The local situation may be unique and not covered by a template model.


Initial Assessment


Define


Control

• Human Accounts
• Service Accounts
• Privileged Accounts
• Console Access System
• Protect Critical Applications and Services
  • Prevent critical applications or services from being tampered with
• Enforce Separation of Duties
  • Identify and enforce differing access policies for development, QA and production support groups
• Use Only Approved Protocols


Monitoring

• “In God we trust, all others we monitor”
• Monitoring is not just logging
• Whitman and Mattord (2006) say, “… the ultimate goal of information security is to achieve nothingness.”
• In their 2006 Global Security Survey, Deloitte reports that viruses, worms, and spyware/malware were two of the top sources of external breaches
• Despite the difficulty, monitoring is vital


Conclusions

• The author found that:
  • definition is the most critical task of a security program
  • much work has already been done by others that could be utilized, but it should not be accepted carte blanche just because it was stated to be good
  • it is challenging because the business, threat and technology environments are constantly changing


Conclusions, cont.

• Thank you for your time
• Questions and feedback are welcome