Title: Best Practices for Information Security Management
- Bob Small, CISSP, CEH
- small_at_software.org
- March 2006
Take-away Messages
- Defense in depth solutions
- Effective security requires a rigorous risk management process
- Must be effective and cost effective
- Think about it from the adversary's perspective
Key Elements of Security
Defense In Depth
Speed bumps are a better metaphor for information security than bank vaults.
Risk Management Process
International Standards for ISMS
Information Security Management System
These standards are accepted as industry best practices.
Control Areas In ISO 17799
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resource Security
- Communications and Operations Management
- Physical and Environmental Security
- Information Systems Acquisition, Development and Maintenance
- Access Control
- Information Security Incident Management
- Compliance
- Business Continuity Management
133 controls in 11 areas
Security Policy
Objective: Provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
- It must be reviewed periodically
Security Must Be Managed In All Relationships
Each arrow represents a contract, MOA, SLA, etc.
Information Assets Must Be Managed
- Inventory of Assets
- Tangible
- Intangible
Human Resources Security
Think Creatively About Information Security
ISMS Resources
- ISO 17799, Code of Practice for Information Security Management
- ISO 27001, Information Security Management Systems Requirements
http://www.iso.org
- National Institute of Standards and Technology (NIST)
- SP 800-70, The NIST Security Configuration Checklists Program
- SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
- SP 800-30, Risk Management Guide for Information Technology Systems
http://csrc.nist.gov
- INCITS CS1 (Cybersecurity)
http://www.incits.org
Thank You