MANAGEMENT
Reelika Riis, 132270 YVEM
Tallinn University of Technology, 2014
Content
1. Information security
2. General security principles
3. Causes of security vulnerabilities
4. Possible consequences when ignoring information risks
5. Secure-by-design culture
Introduction
Almost all projects use some form of information technology. This information needs to be protected.
Security planning is an integral part of the overall project life cycle and incorporates many different aspects to be considered when planning a project.
What is Information Security?
Information and the systems and processes supporting IT are key organizational assets.
Information Security is about ensuring the confidentiality, availability and integrity of that information and ensuring that privacy issues are addressed as required to support the achievement of the organization’s objectives.
General Security Principles
Confidentiality – Ensuring data is only accessed on a need-to-know basis
Integrity – Ensuring that only authorized changes are made to data and systems
Availability – Ensuring that data and systems are available when needed
A flaw can be considered a security vulnerability when one of the goals is compromised.
Information risks come in various forms:
  Unintentional – errors, vulnerabilities
  Intentional – crime, misuse, malware
Use the CIA model as your risk indicator:
  Confidentiality – unauthorized access to data
  Integrity – unapproved changes
  Availability – no backups
Causes of Security Vulnerabilities
Failure in Design
  Poor decisions about trust
  Unspoken assumptions
  Not accounting for failure
Failure in Implementation
  Insecure coding techniques
  Insecure configuration
  Poor deployment practices
If information risks are ignored, what can happen?
Loss of reputation – trust factor
Loss of money – was there financial damage?
Costly – how much did it cost to fix it?
Regulation – did fines have to be paid?
Legal – were laws not followed?
Loss of services – impact to the business
Methods of finding IT Security risks
Reactive approach
  Audits
  Incidents
Proactive approach
  Structured risk assessment in the beginning phase of any plan to produce or upgrade a product or service
  Part of the Project Management process
Secure-by-design culture benefits
Attacks on data and applications have grown in frequency and sophistication, making it hard for a single security solution to provide complete protection.
Cost-effective security begins with the development of secure applications FROM THE VERY BEGINNING!
  Speeds time-to-market
  Helps alleviate the costs and negative publicity
Organizations should aim to institute a governance-based secure-by-design culture!
Potential roadblocks to achieving a secure-by-design culture
Developers' goals
  Product functionality
  On-time delivery
Security analysts' goals
  Eliminating vulnerabilities
  Implementing security controls as early in the development process as possible
To decrease and mitigate vulnerabilities – the development and security teams must cooperate and work closely together!
Thank you for your attention!