Tuesday, August 31, 2010

Security Responsibility

Who is responsible for security?
The CEO is ultimately responsible for security. The CEO may delegate that responsibility to a CIO or CISO, but the CISO still depends on the CEO for funding and for backing when security policies have to be enforced.

Bottom Up vs. Top Down

Top Down: Security and management buy-in are established at the CEO level first, then pushed down through the organization to the user level.

Bottom Up: A user sees the need, then has to convince each level of management in turn to implement the additional security.

The top-down approach is more effective, because the people who control funding and policy are committed from the start.


Monday, August 30, 2010

Fundamental Principles of Security

The three main principles of security programs:
  • Availability
  • Integrity
  • Confidentiality
Availability
  • Is the data safe? (Brownouts, earthquakes, floods, server failure, other environmental factors; avoid any single point of failure)
  • Is it recoverable? (Backed up, with a copy kept at a second storage location)
Integrity
  • Information and systems are reliable
  • Unauthorized modifications are prevented
  • Software and hardware modify data correctly
  • Prevent careless or mistaken user activity
  • Systems and software need to be resistant to attack
  • Strict access controls, intrusion detection, and hashing of data to detect tampering
  • Data in transit should be protected by encryption
Confidentiality
  • Prevent unauthorized disclosure
  • Common causes of disclosure:
    • Shoulder surfing (watching another user's screen or keyboard)
    • Social engineering (tricking users into sharing information)
    • Not encrypting data
    • Sharing secrets
    • Not taking care in protecting information
Note: Functional requirements ask "Does this solution carry out the required tasks?" Assurance requirements ask "How sure are we of the level of protection this solution provides?"