1. Integrating Physical & Logical Security
   Jorge Sebastião, CISSP, ISP, BSLA, Founder and CEO
   "Security is: ... a continuous skilled process which safeguards your business value..." (Jorge S., 1999)
9. Threats and risks
   - Human faults
   - Operational disruptions
   - Software faults, incompatibility
   - Fraud, forgery
   - Access control
   - Espionage
   - Illegal copying
   - Virus
   - Natural phenomena
   - Fire, smoke, explosion
   - Destruction, sabotage
   - Power failure
   - Water damage, leakage
   - Theft, vandalism
   - Delivery problem
   - Service disruption
   - Loss of key personnel: notice to quit, sickness
16. Securing the System
   Effective security requires a balanced application of all methods:
   - Personnel
   - System security
   - Computer security
   - Physical security
   - Process
   - Encryption
21. Identity and Access Management: Strategic Context
   - Layers: Physical Security; Network / System; Application / Data
   - Populations: Suppliers, Partners, Customers; Employees
23. Identity and Access Management: Interoperability
   - Control
   - Loosely-coupled, dynamic exterior (Internet, Extranets: Customers, Partners/Suppliers, Consumers)
   - Tightly-coupled, persistent interior (Intranet: Employees)
24. Identity and Access Management: Flexibility
   - Zones: Intranet, Extranets, Internet
   - Control
   - Populations: Customers, Partners/Suppliers, Employees, Consumers
   - Federation, Cooperation, Integration
25. Physical Security
   - Sprinkler, Halon
   - Alarm system
   - UPS
   - CCTV system
   - Intrusion detection
   - Intercom
   - Evacuation
   - Physical access control
   - Elevator
   - Fire
   - HVAC
   - Lighting
   - Power management
35. Identity and Access Management: Context
   - Business policy: legal, liability, assurance for transactions
   - Relationships to organization
   - Applications/Services: access control and authorization
   - Identity and information
   - Presentation/Personalization: identification
   - Relationships
   - Authentication: identity (person)
36. Architecture and Infrastructure
   - Directory
   - Access management
   - Portal/Device
   - Identity management
   - Policy propagation
   - Administration, control, access
   - Resources
   - Authentication, authorization
   - User, device?
   - Applications, platforms, databases, physical services
38. Where to spend?
   [Chart: Risk (High to Low) plotted against Security Investment (Low to High); regions labelled Excessive Exposure, Appropriate Security, Excessive Cost]
39. Return On Investment (ROI)?
   [Chart: ROI curve against Security Investment]
   - ROI design = 21%
   - ROI implementation = 21%
   - ROI testing = 12%
40. Security Architecture
   - Physical layer: Incident Response, Operational Monitoring, Administration, Change, Procedures, Guidelines, Roles and Responsibilities, Incident Reporting
   - Logical layer: Controls Selection, Policy, Configurations, Baselines, Standards, Awareness, Education, Training
   - Conceptual layer: BIA Mapping, Perimeter Architecture, InfoSec Policy, Security Organization
   - Contextual layer: Strategy, Scope, Executive InfoSec Policy, Steering Committee
   - Time (Risk Management): Dynamic; P > D + R
   - Dimensions: Technology, Process, People
42. Knowledge Base: Incident Response
   - Applying the knowledge: Incident Response
   - Multiple sources of information: Partners, Vendors, CERT, ...
   - Internal security research
   - Internet, mailing lists and other sources
   - ADMINISTER
44. Incident Response
   Timeline (T-1, T0, T1, T1, T3, T4, TN):
   - Continuous Monitoring
   - Analyse
   - Contain
   - Eliminate
   - Restore
   - Lessons
   - Policy: Refine Policy
   - Communicate (throughout)
45. Integrated Infosec Framework
   - Vulnerability & Risk Assessment: Assess, Audits, VA, Pen-Testing, Risk
   - Technology Strategy & Usage: Technology, Tools
   - Policy: Infosec Policy, Standards
   - Security Architecture and Technical Standards: Technical Architecture, Technical Standards, Baselines, Security Model
   - Information Classification and Controls
   - Administrative and End-User Guidelines and Procedures
   - Implementation and Configurations
   - Administration Guidelines and Procedures
   - Recovery Processes
   - Incident Response Processes
   - Enforcement Processes
   - Compliance Management Processes
   - CEO, Senior Management
   - ISMS, Information Assets, IT Infrastructure
   - Awareness, Training, Education
   - Monitoring Processes
   - Security Strategy
   - Business Initiatives & Processes
   - Vulnerabilities, Threats