Building a Comprehensive Security
Architecture Framework
Mark Whitteker, MSIA, CISSP
Security Architect / Information Systems Security Officer
Cisco Systems, Inc.
Mark Whitteker, MSIA, CISSP, GSNA, GCFA

• Security Architect and Information Systems Security Officer at Cisco Systems, Inc.
• 15+ years of experience in secure solutions development, systems and network auditing, forensic discovery, vulnerability assessments, and security management.
• Extensive background in the application of commercial and US government regulations and requirements
• Can be reached at:
  - mwhittek@cisco.com
  - http://www.linkedin.com/pub/mark-whitteker/3/480/68b
           © 2010 Cisco Systems, Inc. All rights reserved.   Cisco Confidential   2
Agenda

• The Problem
• The Solution
• The Dirty Details
• Q&A




Why do I need a security framework?
Here’s a house built on a planned framework…

[Figure: Framework (left) and Finished Product (right)]

The result: an efficient and elegant home!

Why do I need a security framework?
Here’s a house built without a planned framework…

The result: I haven’t seen my wife and children in days!

The Problem




Problem Description

• Few of us have the luxury of building our organization’s security architecture from the ground up
• Some security services already exist (hopefully)
• Your organization must comply with one or more industry standards
  - ISO 27001/27002
  - NIST SP 800-53
  - SOX
  - PCI
• You need to demonstrate to auditors your compliance with the resulting requirements
Compliance with Requirements
Can you say “Checkbox Security”?!?

• Auditors validate that all the checkboxes are complete
• Security professionals know (or should know) that:
  - Compliance != Security
• Security is achieved by understanding the organization’s risks and implementing mitigation steps to reduce them to within management’s tolerance level
• So how do you show auditors compliance with requirements while actually improving your security posture?
If you keep going how you’ve always gone, you’ll end up where you’ve always been.




The Solution




Bring it all together!

• Map security services to industry standards through a comprehensive, end-to-end security framework
• Shows auditors how you are complying with industry standards
• Demonstrates to management the value of security services

[Figure: Industry Standards mapped to Security Services]
The Dirty Details




Comprehensive Framework Diagram




Implementation Phases

[Figure: a cycle of three phases]
Phase 1 - Define Requirements
Phase 2 - Implement Requirements
Phase 3 - Measure Success
Rinse and Repeat
Phase 1 - Define Requirements




Industry Standards




Industry Standards
Build a Requirements Crosswalk Matrix

• Most industry standards, while different, are based on the same security principles/requirements
• Determine where similarities exist and group them together

[Figure: the Industry Standard A password complexity requirement and the Industry Standard B password complexity requirement both map to a single Organizational Password Complexity Requirement]
Crosswalk Example – Audit Logging

• Company must comply with ISO 27001/27002
• A business unit within the company provides government services and must comply with NIST SP 800-53 (per FISMA)
• Crosswalk matrix developed to integrate both sets of requirements into a single framework

[Figure: ISO 27001 A.10.10.1 and NIST SP 800-53 AU-1-5, 8, 11, 12 both map to the Organizational Audit Logging Requirements]
Crosswalk Example – Continued

• ISO 27001/27002 – A.10.10.1
  - Audit logs recording user activities, exceptions, and information security events should be produced and kept for an agreed period to assist in future investigations and access control monitoring.
    - Includes a list of 12 relevant event types
• NIST SP 800-53 AU-1-AU-5, AU-8, AU-11, AU-12
  - Audit and Accountability Policy and Procedures, Auditable Events, Content of Audit Records, Audit Storage Capacity, Response to Audit Processing Failures, Time Stamps, Audit Record Retention, and Audit Generation
Crosswalk Example – Continued

• Organizational Audit Logging Requirements
  - Combines requirements from both standards into a single set of organizational standards
  - Where there are differences between the level of implementation/stringency, the most stringent requirement prevails
    - Example: 3 year log retention vs. 5 year log retention; Organizational Requirement – 5 year retention
  - Where there are conflicts, the organization must determine which industry standard has precedence
    - May require the involvement of the legal department
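The crosswalk resolution rule from the three slides above (group matching requirements, let the most stringent value prevail, escalate anything else as a conflict), written out as an added, runnable example that is not the presentation's own code. The topic and attribute names, the stringency rules and every sample value are constructed, and the control identifiers are used only as trace labels, not as quotations of ISO 27001/27002 or NIST SP 800-53 text.

```python
"""Crosswalk matrix builder for the audit-logging example: merge each
standard's requirements into one organizational requirement per item while
keeping the trace back to every source control, so an auditor can see which
standard each organizational item satisfies.

Added illustration, not code from the presentation. Topic and attribute
names, the stringency rules and every sample value are constructed for the
example and are not quotations of ISO 27001/27002 or NIST SP 800-53 text.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Set, Tuple

Key = Tuple[str, str]   # (topic, attribute)

# Assumed stringency rule per attribute: when two standards give different
# values, the chosen function returns the one the organization adopts.
STRINGENCY: Dict[str, Callable[[Set[Any]], Any]] = {
    "log_retention_years": max,     # keeping logs longer is stricter
    "password_min_length": max,     # longer passwords are stricter
    "password_max_age_days": min,   # rotating sooner is stricter
}


@dataclass(frozen=True)
class Requirement:
    standard: str    # e.g. "ISO 27001/27002"
    control: str     # e.g. "A.10.10.1"
    topic: str       # organizational grouping, e.g. "audit_logging"
    attribute: str   # measurable aspect, e.g. "log_retention_years"
    value: Any


@dataclass
class OrgRequirement:
    topic: str
    attribute: str
    value: Any                                   # None while unresolved
    sources: List[Tuple[str, str]] = field(default_factory=list)
    conflict: bool = False                       # True => precedence decision needed


def build_crosswalk(reqs: List[Requirement]) -> Dict[Key, OrgRequirement]:
    """Group requirements by (topic, attribute) and resolve each group:
    agreement -> shared value; differing stringency -> most stringent wins;
    anything else -> flagged conflict for the organization (or legal) to decide."""
    grouped: Dict[Key, List[Requirement]] = {}
    for r in reqs:
        grouped.setdefault((r.topic, r.attribute), []).append(r)

    matrix: Dict[Key, OrgRequirement] = {}
    for (topic, attr), items in grouped.items():
        sources = [(r.standard, r.control) for r in items]
        values = {r.value for r in items}
        if len(values) == 1:
            matrix[(topic, attr)] = OrgRequirement(topic, attr, values.pop(), sources)
        elif attr in STRINGENCY:
            matrix[(topic, attr)] = OrgRequirement(topic, attr, STRINGENCY[attr](values), sources)
        else:
            matrix[(topic, attr)] = OrgRequirement(topic, attr, None, sources, conflict=True)
    return matrix


def coverage_by_control(matrix: Dict[Key, OrgRequirement]) -> Dict[Tuple[str, str], List[Key]]:
    """Auditor's view: each source control -> the organizational items that trace to it."""
    cov: Dict[Tuple[str, str], List[Key]] = {}
    for key, org in matrix.items():
        for src in org.sources:
            cov.setdefault(src, []).append(key)
    return cov


def open_conflicts(matrix: Dict[Key, OrgRequirement]) -> List[Key]:
    """Items still needing a precedence decision before the framework is complete."""
    return sorted(k for k, o in matrix.items() if o.conflict)


# Constructed sample input (illustrative values, not the standards' text).
SAMPLE_REQUIREMENTS = [
    Requirement("ISO 27001/27002", "A.10.10.1", "audit_logging", "log_retention_years", 3),
    Requirement("NIST SP 800-53", "AU-11", "audit_logging", "log_retention_years", 5),
    Requirement("NIST SP 800-53", "AU-8", "audit_logging", "timestamps_required", True),
    Requirement("ISO 27001/27002", "A.10.10.1", "audit_logging", "log_format", "syslog"),
    Requirement("NIST SP 800-53", "AU-3", "audit_logging", "log_format", "cef"),
    Requirement("ISO 27001/27002", "A.11.3.1", "authentication", "password_min_length", 8),
    Requirement("NIST SP 800-53", "IA-5", "authentication", "password_min_length", 12),
    Requirement("ISO 27001/27002", "A.11.3.1", "authentication", "password_max_age_days", 90),
    Requirement("NIST SP 800-53", "IA-5", "authentication", "password_max_age_days", 60),
]

if __name__ == "__main__":
    matrix = build_crosswalk(SAMPLE_REQUIREMENTS)
    for key in sorted(matrix):
        org = matrix[key]
        shown = "CONFLICT (decide precedence)" if org.conflict else org.value
        print(f"{key[0]}/{key[1]}: {shown}  <- {org.sources}")
    print("open conflicts:", open_conflicts(matrix))
```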




Organizational Policies




Organizational Policies

• Once the organizational requirements have been determined, the organization must now develop security policies
• Developing policies and obtaining executive approval can be a cumbersome and time consuming process
• Keep policies high-level and solution agnostic
  - Helps to ensure successful collaboration efforts among policy contributors
  - Minimizes need to revisit policies as technology changes
    - 2 year review cycle is usually sufficient
• Create as few policies as possible, but keep them domain specific



Organizational Policies Example

• Acceptable Use
• Business Continuity and Disaster Recovery
• Contract Security for Information Systems
• Cryptographic Controls
• Data Classification
• Data Protection
• Incident Management
• Information Security Management
• Information System Authorization and Account Management
• Information Systems Auditing and Testing
• IT Operations Security
• Personnel Security for Information Systems
• Physical and Environmental Security
• Risk Management
• Security Compliance Management
• Security Policy Architecture
• Security Training and Awareness
• Standardized Glossary – Taxonomy
• System Development Lifecycle Security
• User Identification and Authentication

Source: Cisco’s Global Government Solutions Group – IT (GGSG-IT)
Organizational Policies Example (cont)

ISO 27001/27002 | NIST SP 800-53 Rev 2 | SECURITY POLICY
07.01.03, 11.02.03, 11.03.01, 11.03.02, 11.03.03 | PL-4, PS-6 | Acceptable Use
14.01.02, 14.01.03, 14.01.04, 14.01.05 | CP-(1-10) | Business Continuity and Disaster Recovery Plan
06.01.04, 06.02.03, 12.01, 12.05, 15.01.02 | SA-(1,6,9) | Contract Security for Information
12.03.01, 12.03.02, 15.01.06 | IA-7, SC-(8,9,12,13) | Cryptographic Controls
07.02, 07.02.01, 07.02.02, 10.07.03 | AC-16, MP-3 | Data Classification
06, 07.02.02, 09.01, 10, 11, 12, 15 | MP-1, SC-(8,9), SI-(1,7) | Data Protection
06.01.05, 06.01.06, 13.01.01, 13.01.02, 13.02 | IR-(1-7) | Incident Management
06.01.01, 06.01.02, 06.01.07, 06.01.08 | PL-1 | Information Security Management
06.02.01, 07.01.03, 08.02.01, 10.02, 10.10.03, 11.01.01, 11.04, 11.05, 11.06.02 | AC-(1,2) | Information System Authorization and Account Management
06.02.01, 07.01.01, 10.01.03, 10.10.05, 15.02, 15.03 | AU-(1-11), RA-(3-5), SA-(5,11), CA-(1,2), AC-5, IR-3, CP-4, SI-6 | Information Systems Auditing & Testing

Organizational Policies Example (cont)

ISO 27001/27002 | NIST SP 800-53 Rev 2 | SECURITY POLICY
06.01.03, 10, 11, 12, 15 | SC-1, SI-1 | IT Operations Security
06.01.03, 06.01.05, 08.01, 08.02, 08.03, 13.01, 15.01, 15.02.01 | PS-(1-8) | Personnel Security for Information Systems
09.01, 09.02, 13.01.02, 14.01.03 | PE-(1-17) | Physical and Environmental Security
14.01.02, 08.02.02 | RA-1 | Risk Management
10.10.01, 10.10.02, 13.01.01, 13.02.03, 15.01, 15.02.01, 15.02.02 | AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, RA-1, MA-1, MP-1, IA-1, IR-1, PE-1, PL-1, PS-(1,7), SA-(1,9), SC-1, SI-1 | Security Compliance Management
05.01.01, 05.01.02 | PL-1 | Security Policy Architecture
05.01.02, 06.02.03, 08.02.02 | AT-(1-4) | Security Training and Awareness
07.01.02, 07.02, 07.02.01 | Appendix B | Standardized Glossary - Taxonomy
10.01.04, 10.03.02, 10.07.04, 12.01.01, 12.04.02, 12.04.03, 12.05.01, 12.05.03 | SA-(3,8,11) | System Development Lifecycle Security
11.02, 11.04.02, 11.05.02 | IA-(1,2) | User Identification and Authentication

Policy Standards




Policy Standards

• Specific technical implementation requirements should be defined in policy standards
• The policies themselves contain hyperlinks and/or references to associated policy standards
• Policy standards do not require review/approval by senior management
  - Defined by organizational Subject Matter Experts (SMEs)
  - Doesn’t require modification of the overarching policy
• Standards can be modified/updated as technology advances
• Should be reviewed by the SMEs at least yearly to ensure standards stay current with industry trends

Policy Standards Example




Policy Standards Example

• Cryptographic Controls policy states:
  - Purpose: This policy governs the use of cryptographic controls and key management to protect the confidentiality & integrity of Cisco GGSG information assets, as well as to support non-repudiation.
• References multiple policy standards such as:
  - Full disk encryption
  - Mail, file and folder encryption
  - Public Key Infrastructure (PKI)
• More than one policy may apply when defining standards
  - The Data Protection policy is also closely related to the Cryptographic Controls (CC) policy

Policy Standards Reality Check

• Oftentimes there isn’t simply a 1:1 mapping between policies and standards
• In many cases multiple policies reference the same standards

[Figure: the Cryptographic Controls Policy, the Acceptable Use Policy and the Data Protection Policy all reference the same Email Encryption Standard]



Phase 2 - Implement Requirements




Policy Implementation Procedures




Policy Implementation Procedures

• While Policy Standards specify the technical implementation requirements necessary to comply with policies, Policy Implementation Procedures document the step-by-step instructions for implementing those standards
• They are:
  - Specific
  - Repeatable
  - Thorough
  - Validated
  - Approved
• Assists in improving an organization’s CMM level
Procedures Example
Installing the Secure Print Client (Windows XP):
1. Open Windows Explorer.
2. In the Address field, type (or cut & paste) Rtp-filer09awg-gggsg-appsPublishedSecure-Print and press <Enter>.
3. Double-click on the spxpinstall.bat script from the folder you just opened.
4. Enter your CEC credentials (if prompted).
5. Click Open (if prompted).
6. If necessary, click Yes on the Cisco Security Agent window to allow the script to run.
7. A command window will open and display the installation progress.
8. When the software is done installing, click OK.



Security Services




Security Services

• Security Services is the most ambiguous area of the framework
• It can be very simple (1-3 services), or very complex (dozens of services), depending on the size and scope of your organization
• Don’t reinvent the wheel!
• There are existing industry sources that can be used as a baseline
  - SSE-CMM: Systems Security Engineering Capability Maturity Model
  - NIST SP 800-35: Guide to Information Technology Security Services
Security Services Example
Systems Security Engineering Capability Maturity Model

• Includes 11 security services:
  - Administer Security Controls
  - Assess Impact
  - Assess Security Risks
  - Assess Threats
  - Assess Vulnerabilities
  - Build Assurance Argument
  - Coordinate Security
  - Monitor Security Posture
  - Provide Security Input
  - Specify Security Needs
  - Verify and Validate Security

Security Services Example
NIST SP 800-35: Guide to Information Technology Security Services

• Includes 3 categories of services:
  - Management, Operational and Technical
• Management Services
  - Security Program, Security Policy, Risk Management, Security Architecture, Certification and Accreditation, and Security Evaluation of IT Projects
• Operational Services
  - Contingency Planning, Incident Handling, Testing, and Training
• Technical Services
  - Firewalls, Intrusion Detection/Prevention, and Public Key Infrastructure

Phase 3 – Measure Success




Measure Success

• How do you know if your security program is successful?




Risk Assessments

• Perform a risk assessment!
• There are 2 types of risk assessments:
  - Qualitative
    - A subjective assessment of the organization’s risk, typically achieved through personnel interviews and surveys.
  - Quantitative
    - A non-subjective assessment of the organization’s risk based on mathematical calculations using security metrics and monetary values of assets.
• Which one is right for your organization?




Qualitative Risk Assessments

• Pros
  - Calculations are simple
  - Not necessary to determine monetary value or threat frequency
  - Not necessary to estimate cost of risk mitigation measures
  - General indication of significant risks is provided
• Cons
  - Subjective in both process and metrics
  - Perception of asset/resource value may not reflect actual value
  - No basis is provided for cost/benefit analysis
  - Not possible to track risk management performance
• Although this method is very subjective in nature, it can be very beneficial when an organization is young and still maturing



Quantitative Risk Assessments

• Pros
  - Based on independently objective processes and metrics
  - Value of information expressed in monetary terms is better understood
  - Credible basis for cost/benefit assessment is provided
  - Risk management performance can be tracked and evaluated
  - Results are derived and expressed in management’s language
• Cons
  - Calculations are complex
  - Not practical to execute without automated tools and associated knowledge bases
  - A substantial amount of information must be gathered
• Appropriate once an organization has reached a higher level of maturity, and now requires an assessment against standardized, objective measures
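One way to put numbers behind the cost/benefit and performance-tracking points above, as an added example that is not part of the presentation. The slides name no formula, so the annualized loss expectancy (ALE) method used here is an assumption, and every asset value, exposure factor, incident rate and control cost is constructed.

```python
"""Quantitative risk figures behind the cost/benefit and performance-tracking
points on this slide. Added example, not from the presentation; the deck names
no formula, so the annualized loss expectancy (ALE) method is an assumption:
    SLE = asset_value * exposure_factor
    ALE = SLE * annual_rate_of_occurrence
Every asset value, factor and control cost below is constructed.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Exposure:
    asset: str
    threat: str
    asset_value: float        # monetary value at stake
    exposure_factor: float    # fraction of that value lost per incident (0..1)
    aro: float                # expected incidents per year

    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    asset: str                   # exposure it applies to
    annual_cost: float
    aro_reduction: float = 0.0   # fraction by which the incident rate drops
    ef_reduction: float = 0.0    # fraction by which the loss per incident drops


def residual(exp: Exposure, ctrl: Control) -> Exposure:
    """Exposure after the control scales down the factors it affects."""
    return replace(exp,
                   exposure_factor=exp.exposure_factor * (1 - ctrl.ef_reduction),
                   aro=exp.aro * (1 - ctrl.aro_reduction))


def net_benefit(exp: Exposure, ctrl: Control) -> float:
    """Annual loss avoided minus annual cost; positive means worth funding."""
    return exp.ale() - residual(exp, ctrl).ale() - ctrl.annual_cost


def portfolio_ale(exposures: List[Exposure]) -> float:
    return sum(e.ale() for e in exposures)


def plan_controls(exposures: List[Exposure], candidates: List[Control]) -> Tuple[List[str], List[Exposure]]:
    """Fund only controls with positive net benefit; return the names chosen and
    the residual exposure list (one candidate control per asset in this example)."""
    by_asset = {c.asset: c for c in candidates}
    chosen, after = [], []
    for exp in exposures:
        ctrl = by_asset.get(exp.asset)
        if ctrl is not None and net_benefit(exp, ctrl) > 0:
            chosen.append(ctrl.name)
            after.append(residual(exp, ctrl))
        else:
            after.append(exp)   # risk accepted or deferred, still counted
    return chosen, after


def risk_reduction_pct(before: List[Exposure], after: List[Exposure]) -> float:
    """Performance metric for management: percentage drop in total ALE."""
    base = portfolio_ale(before)
    return 0.0 if base == 0 else 100.0 * (base - portfolio_ale(after)) / base


# Constructed sample portfolio and candidate controls.
SAMPLE_EXPOSURES = [
    Exposure("field-laptop", "loss or theft", 300_000, 1.0, 3.0),
    Exposure("customer-db", "credential compromise", 2_000_000, 0.25, 0.2),
    Exposure("web-frontend", "DDoS outage", 500_000, 0.10, 2.0),
]
SAMPLE_CONTROLS = [
    Control("full disk encryption", "field-laptop", 50_000, ef_reduction=0.9),
    Control("multi-factor authentication", "customer-db", 40_000, aro_reduction=0.75),
    Control("DDoS scrubbing service", "web-frontend", 120_000, aro_reduction=0.9),
]

if __name__ == "__main__":
    chosen, after = plan_controls(SAMPLE_EXPOSURES, SAMPLE_CONTROLS)
    for exp, ctrl in zip(SAMPLE_EXPOSURES, SAMPLE_CONTROLS):
        print(f"{exp.asset:13s} ALE {exp.ale():>12,.0f}  {ctrl.name}: net {net_benefit(exp, ctrl):>+12,.0f}")
    print("funded:", chosen)
    print(f"total ALE reduced by {risk_reduction_pct(SAMPLE_EXPOSURES, after):.1f}%")
```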

Other Items to Consider

• Establish a Compliance Management Program
  - Configuration Management
    - Develop standard configurations
      - Infrastructure Devices (network, hosts, etc.)
      - Data (databases, NAS, SAN, etc.)
      - Applications (web server, programming languages, protocols)
  - Change Management
    - Any proposed change to your production environment should be recorded, reviewed and approved by an SME from each domain:
      - Security, Infrastructure, Data, Application, Operations, Support
  - Release Management
    - Any changes that impact, or could potentially impact, the availability of a production service, should be released at scheduled intervals:
      - Weekly, Monthly, Quarterly, etc.




Visual Representation

• Configuration Management: All systems must comply with configuration management standards
• Change Management: All changes must be submitted and performed through change management
• Release Management: Those changes that impact the availability of production systems or services must be bundled into a scheduled release
Q&A




2010-02 Building Security Architecture Framework

Cloud Security Alliance, Atlanta Chapter Meeting Q1 2012 - SSAE16 SOC 1 2 3 I...Phil Agcaoili
 
Summary-ECSM_4edition
Summary-ECSM_4editionSummary-ECSM_4edition
Summary-ECSM_4editionRalf Braga
 
Iso2700
Iso2700 Iso2700
Iso2700 madunix
 
схемы по политике кибербезопасности
схемы по политике кибербезопасностисхемы по политике кибербезопасности
схемы по политике кибербезопасностиDmitry Sanatov
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security FrameworkNada G.Youssef
 
Data Center Security: Always a Main Concern for Businesses
Data Center Security:  Always a Main Concern for BusinessesData Center Security:  Always a Main Concern for Businesses
Data Center Security: Always a Main Concern for Businessescyrusone
 
Data Center Security
Data Center SecurityData Center Security
Data Center Securitydevalnaik
 
Data Center Security
Data Center SecurityData Center Security
Data Center SecurityCisco Canada
 
The Security Framework for Workflow Management Systems
The Security Framework for Workflow Management SystemsThe Security Framework for Workflow Management Systems
The Security Framework for Workflow Management SystemsSwanky Hsiao
 

En vedette (14)

NIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
 
Urogynics do you exert and squirt
Urogynics   do you exert and squirtUrogynics   do you exert and squirt
Urogynics do you exert and squirt
 
Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?Whats New in OSSIM v2.2?
Whats New in OSSIM v2.2?
 
Campus jueves
Campus juevesCampus jueves
Campus jueves
 
Information Technology (IT) Security Framework for Kenyan Small and Medium En...
Information Technology (IT) Security Framework for Kenyan Small and Medium En...Information Technology (IT) Security Framework for Kenyan Small and Medium En...
Information Technology (IT) Security Framework for Kenyan Small and Medium En...
 
Cloud Security Alliance, Atlanta Chapter Meeting Q1 2012 - SSAE16 SOC 1 2 3 I...
Cloud Security Alliance, Atlanta Chapter Meeting Q1 2012 - SSAE16 SOC 1 2 3 I...Cloud Security Alliance, Atlanta Chapter Meeting Q1 2012 - SSAE16 SOC 1 2 3 I...
Cloud Security Alliance, Atlanta Chapter Meeting Q1 2012 - SSAE16 SOC 1 2 3 I...
 
Summary-ECSM_4edition
Summary-ECSM_4editionSummary-ECSM_4edition
Summary-ECSM_4edition
 
Iso2700
Iso2700 Iso2700
Iso2700
 
схемы по политике кибербезопасности
схемы по политике кибербезопасностисхемы по политике кибербезопасности
схемы по политике кибербезопасности
 
Chapter 3: Information Security Framework
Chapter 3: Information Security FrameworkChapter 3: Information Security Framework
Chapter 3: Information Security Framework
 
Data Center Security: Always a Main Concern for Businesses
Data Center Security:  Always a Main Concern for BusinessesData Center Security:  Always a Main Concern for Businesses
Data Center Security: Always a Main Concern for Businesses
 
Data Center Security
Data Center SecurityData Center Security
Data Center Security
 
Data Center Security
Data Center SecurityData Center Security
Data Center Security
 
The Security Framework for Workflow Management Systems
The Security Framework for Workflow Management SystemsThe Security Framework for Workflow Management Systems
The Security Framework for Workflow Management Systems
 

Similaire à 2010-02 Building Security Architecture Framework

Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarControlCase
 
Posecco clustering meeting
Posecco clustering meetingPosecco clustering meeting
Posecco clustering meetingfcleary
 
ControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfAmyPoblete3
 
Industry 4.0 Security
Industry 4.0 SecurityIndustry 4.0 Security
Industry 4.0 SecurityDuncan Purves
 
Cisco Connect Ottawa 2018 data centre security
Cisco Connect Ottawa 2018 data centre securityCisco Connect Ottawa 2018 data centre security
Cisco Connect Ottawa 2018 data centre securityCisco Canada
 
Industrial IoT Security Standards & Frameworks
Industrial IoT Security Standards & FrameworksIndustrial IoT Security Standards & Frameworks
Industrial IoT Security Standards & FrameworksPriyanka Aash
 
Cisco Connect 2018 Singapore - Cybersecurity strategy
Cisco Connect 2018 Singapore - Cybersecurity strategy  Cisco Connect 2018 Singapore - Cybersecurity strategy
Cisco Connect 2018 Singapore - Cybersecurity strategy NetworkCollaborators
 
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...PECB
 
Cisco cybersecurity essentials chapter - 6
Cisco cybersecurity essentials chapter - 6Cisco cybersecurity essentials chapter - 6
Cisco cybersecurity essentials chapter - 6Mukesh Chinta
 
Tonight, March 5th – Class 7 (last class) your test” on ICS.docx
Tonight, March 5th – Class 7 (last class)   your test” on ICS.docxTonight, March 5th – Class 7 (last class)   your test” on ICS.docx
Tonight, March 5th – Class 7 (last class) your test” on ICS.docxturveycharlyn
 
Biznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsBiznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsYusuf Hadiwinata Sutandar
 
Cost effective auditing of web applications and networks in smb
Cost effective auditing of web applications and networks in smbCost effective auditing of web applications and networks in smb
Cost effective auditing of web applications and networks in smbLalit Choudhary
 
Cyber-Security Certifications
Cyber-Security CertificationsCyber-Security Certifications
Cyber-Security CertificationsNithin Sai
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Standards Customer Council
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyCloud Standards Customer Council
 
Build and enforce defense in depth - an algo sec-cisco tetration webinar
Build and enforce defense in depth - an algo sec-cisco tetration webinarBuild and enforce defense in depth - an algo sec-cisco tetration webinar
Build and enforce defense in depth - an algo sec-cisco tetration webinarAlgoSec
 

Similaire à 2010-02 Building Security Architecture Framework (20)

CMMC DFARS/NIST SP 800-171
CMMC DFARS/NIST SP 800-171 CMMC DFARS/NIST SP 800-171
CMMC DFARS/NIST SP 800-171
 
Maintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish KirtikarMaintaining Data Privacy with Ashish Kirtikar
Maintaining Data Privacy with Ashish Kirtikar
 
Posecco clustering meeting
Posecco clustering meetingPosecco clustering meeting
Posecco clustering meeting
 
ControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdfControlCase CMMC Basics Deck Final.pdf
ControlCase CMMC Basics Deck Final.pdf
 
Industry 4.0 Security
Industry 4.0 SecurityIndustry 4.0 Security
Industry 4.0 Security
 
Presentacion nac
Presentacion nacPresentacion nac
Presentacion nac
 
Cisco Connect Ottawa 2018 data centre security
Cisco Connect Ottawa 2018 data centre securityCisco Connect Ottawa 2018 data centre security
Cisco Connect Ottawa 2018 data centre security
 
Industrial IoT Security Standards & Frameworks
Industrial IoT Security Standards & FrameworksIndustrial IoT Security Standards & Frameworks
Industrial IoT Security Standards & Frameworks
 
Cisco Connect 2018 Singapore - Cybersecurity strategy
Cisco Connect 2018 Singapore - Cybersecurity strategy  Cisco Connect 2018 Singapore - Cybersecurity strategy
Cisco Connect 2018 Singapore - Cybersecurity strategy
 
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
PECB Webinar: ICS Security Management System using ISO 27001 Standard as the ...
 
Cisco cybersecurity essentials chapter - 6
Cisco cybersecurity essentials chapter - 6Cisco cybersecurity essentials chapter - 6
Cisco cybersecurity essentials chapter - 6
 
Tonight, March 5th – Class 7 (last class) your test” on ICS.docx
Tonight, March 5th – Class 7 (last class)   your test” on ICS.docxTonight, March 5th – Class 7 (last class)   your test” on ICS.docx
Tonight, March 5th – Class 7 (last class) your test” on ICS.docx
 
Iio t security std
Iio t security stdIio t security std
Iio t security std
 
Biznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital ForensicsBiznet GIO National Seminar on Digital Forensics
Biznet GIO National Seminar on Digital Forensics
 
Cost effective auditing of web applications and networks in smb
Cost effective auditing of web applications and networks in smbCost effective auditing of web applications and networks in smb
Cost effective auditing of web applications and networks in smb
 
PSOIOT-1151.pdf
PSOIOT-1151.pdfPSOIOT-1151.pdf
PSOIOT-1151.pdf
 
Cyber-Security Certifications
Cyber-Security CertificationsCyber-Security Certifications
Cyber-Security Certifications
 
Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0Cloud Security Standards: What to Expect and What to Negotiate V2.0
Cloud Security Standards: What to Expect and What to Negotiate V2.0
 
Latest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and PrivacyLatest Developments in Cloud Security Standards and Privacy
Latest Developments in Cloud Security Standards and Privacy
 
Build and enforce defense in depth - an algo sec-cisco tetration webinar
Build and enforce defense in depth - an algo sec-cisco tetration webinarBuild and enforce defense in depth - an algo sec-cisco tetration webinar
Build and enforce defense in depth - an algo sec-cisco tetration webinar
 

Plus de Raleigh ISSA

Raleigh issa chapter updates-slides-2014-9
Raleigh issa chapter updates-slides-2014-9Raleigh issa chapter updates-slides-2014-9
Raleigh issa chapter updates-slides-2014-9Raleigh ISSA
 
Raleigh issa chapter updates-slides-2014-8
Raleigh issa chapter updates-slides-2014-8Raleigh issa chapter updates-slides-2014-8
Raleigh issa chapter updates-slides-2014-8Raleigh ISSA
 
Raleigh issa chapter updates-slides-2014-7
Raleigh issa chapter updates-slides-2014-7Raleigh issa chapter updates-slides-2014-7
Raleigh issa chapter updates-slides-2014-7Raleigh ISSA
 
Raleigh issa chapter updates-slides-2014-6
Raleigh issa chapter updates-slides-2014-6Raleigh issa chapter updates-slides-2014-6
Raleigh issa chapter updates-slides-2014-6Raleigh ISSA
 
Managing privileged account security
Managing privileged account securityManaging privileged account security
Managing privileged account securityRaleigh ISSA
 
A10 issa d do s 5-2014
A10 issa d do s 5-2014A10 issa d do s 5-2014
A10 issa d do s 5-2014Raleigh ISSA
 
Raleigh issa chapter april meeting - managing a security & privacy governan...
Raleigh issa chapter   april meeting - managing a security & privacy governan...Raleigh issa chapter   april meeting - managing a security & privacy governan...
Raleigh issa chapter april meeting - managing a security & privacy governan...Raleigh ISSA
 
April 2014 Raleigh ISSA chapter update slides
April 2014 Raleigh ISSA chapter update slidesApril 2014 Raleigh ISSA chapter update slides
April 2014 Raleigh ISSA chapter update slidesRaleigh ISSA
 
March 2014 B2B - Breaking into info sec
March 2014 B2B - Breaking into info secMarch 2014 B2B - Breaking into info sec
March 2014 B2B - Breaking into info secRaleigh ISSA
 
March 2014 Raleigh ISSA chapter update slides
March 2014 Raleigh ISSA chapter update slidesMarch 2014 Raleigh ISSA chapter update slides
March 2014 Raleigh ISSA chapter update slidesRaleigh ISSA
 
February 2014 Raleigh Chapter ISSA Board update slides
February 2014 Raleigh Chapter ISSA Board update slidesFebruary 2014 Raleigh Chapter ISSA Board update slides
February 2014 Raleigh Chapter ISSA Board update slidesRaleigh ISSA
 
2014-01 Raleigh ISSA Chapter Updates January 2014
2014-01 Raleigh ISSA Chapter Updates January 20142014-01 Raleigh ISSA Chapter Updates January 2014
2014-01 Raleigh ISSA Chapter Updates January 2014Raleigh ISSA
 
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...Raleigh ISSA
 
2013-11 Raleigh ISSA Chapter Updates November 2013
2013-11 Raleigh ISSA Chapter Updates November 20132013-11 Raleigh ISSA Chapter Updates November 2013
2013-11 Raleigh ISSA Chapter Updates November 2013Raleigh ISSA
 
2013-10 Raleigh ISSA Chapter Updates October 2013
2013-10 Raleigh ISSA Chapter Updates October 20132013-10 Raleigh ISSA Chapter Updates October 2013
2013-10 Raleigh ISSA Chapter Updates October 2013Raleigh ISSA
 
2013-09 Raleigh ISSA Chapter Updates September 2013
2013-09 Raleigh ISSA Chapter Updates September 20132013-09 Raleigh ISSA Chapter Updates September 2013
2013-09 Raleigh ISSA Chapter Updates September 2013Raleigh ISSA
 
2013-08 Raleigh ISSA Chapter Updates August 2013
2013-08 Raleigh ISSA Chapter Updates August 20132013-08 Raleigh ISSA Chapter Updates August 2013
2013-08 Raleigh ISSA Chapter Updates August 2013Raleigh ISSA
 
2013-07 How to Win with Customers - Keith Pigues
2013-07 How to Win with Customers - Keith Pigues2013-07 How to Win with Customers - Keith Pigues
2013-07 How to Win with Customers - Keith PiguesRaleigh ISSA
 
2013-07 Raleigh ISSA Chapter Updates July 2013
2013-07 Raleigh ISSA Chapter Updates July 20132013-07 Raleigh ISSA Chapter Updates July 2013
2013-07 Raleigh ISSA Chapter Updates July 2013Raleigh ISSA
 
2013-06 Raleigh ISSA Chapter Updates June 2013
2013-06 Raleigh ISSA Chapter Updates June 20132013-06 Raleigh ISSA Chapter Updates June 2013
2013-06 Raleigh ISSA Chapter Updates June 2013Raleigh ISSA
 

Plus de Raleigh ISSA (20)

Raleigh issa chapter updates-slides-2014-9
Raleigh issa chapter updates-slides-2014-9Raleigh issa chapter updates-slides-2014-9
Raleigh issa chapter updates-slides-2014-9
 
Raleigh issa chapter updates-slides-2014-8
Raleigh issa chapter updates-slides-2014-8Raleigh issa chapter updates-slides-2014-8
Raleigh issa chapter updates-slides-2014-8
 
Raleigh issa chapter updates-slides-2014-7
Raleigh issa chapter updates-slides-2014-7Raleigh issa chapter updates-slides-2014-7
Raleigh issa chapter updates-slides-2014-7
 
Raleigh issa chapter updates-slides-2014-6
Raleigh issa chapter updates-slides-2014-6Raleigh issa chapter updates-slides-2014-6
Raleigh issa chapter updates-slides-2014-6
 
Managing privileged account security
Managing privileged account securityManaging privileged account security
Managing privileged account security
 
A10 issa d do s 5-2014
A10 issa d do s 5-2014A10 issa d do s 5-2014
A10 issa d do s 5-2014
 
Raleigh issa chapter april meeting - managing a security & privacy governan...
Raleigh issa chapter   april meeting - managing a security & privacy governan...Raleigh issa chapter   april meeting - managing a security & privacy governan...
Raleigh issa chapter april meeting - managing a security & privacy governan...
 
April 2014 Raleigh ISSA chapter update slides
April 2014 Raleigh ISSA chapter update slidesApril 2014 Raleigh ISSA chapter update slides
April 2014 Raleigh ISSA chapter update slides
 
March 2014 B2B - Breaking into info sec
March 2014 B2B - Breaking into info secMarch 2014 B2B - Breaking into info sec
March 2014 B2B - Breaking into info sec
 
March 2014 Raleigh ISSA chapter update slides
March 2014 Raleigh ISSA chapter update slidesMarch 2014 Raleigh ISSA chapter update slides
March 2014 Raleigh ISSA chapter update slides
 
February 2014 Raleigh Chapter ISSA Board update slides
February 2014 Raleigh Chapter ISSA Board update slidesFebruary 2014 Raleigh Chapter ISSA Board update slides
February 2014 Raleigh Chapter ISSA Board update slides
 
2014-01 Raleigh ISSA Chapter Updates January 2014
2014-01 Raleigh ISSA Chapter Updates January 20142014-01 Raleigh ISSA Chapter Updates January 2014
2014-01 Raleigh ISSA Chapter Updates January 2014
 
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
 
2013-11 Raleigh ISSA Chapter Updates November 2013
2013-11 Raleigh ISSA Chapter Updates November 20132013-11 Raleigh ISSA Chapter Updates November 2013
2013-11 Raleigh ISSA Chapter Updates November 2013
 
2013-10 Raleigh ISSA Chapter Updates October 2013
2013-10 Raleigh ISSA Chapter Updates October 20132013-10 Raleigh ISSA Chapter Updates October 2013
2013-10 Raleigh ISSA Chapter Updates October 2013
 
2013-09 Raleigh ISSA Chapter Updates September 2013
2013-09 Raleigh ISSA Chapter Updates September 20132013-09 Raleigh ISSA Chapter Updates September 2013
2013-09 Raleigh ISSA Chapter Updates September 2013
 
2013-08 Raleigh ISSA Chapter Updates August 2013
2013-08 Raleigh ISSA Chapter Updates August 20132013-08 Raleigh ISSA Chapter Updates August 2013
2013-08 Raleigh ISSA Chapter Updates August 2013
 
2013-07 How to Win with Customers - Keith Pigues
2013-07 How to Win with Customers - Keith Pigues2013-07 How to Win with Customers - Keith Pigues
2013-07 How to Win with Customers - Keith Pigues
 
2013-07 Raleigh ISSA Chapter Updates July 2013
2013-07 Raleigh ISSA Chapter Updates July 20132013-07 Raleigh ISSA Chapter Updates July 2013
2013-07 Raleigh ISSA Chapter Updates July 2013
 
2013-06 Raleigh ISSA Chapter Updates June 2013
2013-06 Raleigh ISSA Chapter Updates June 20132013-06 Raleigh ISSA Chapter Updates June 2013
2013-06 Raleigh ISSA Chapter Updates June 2013
 

Dernier

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum ComputingGDSC PJATK
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?SANGHEE SHIN
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.francesco barbera
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxYounusS2
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfAnna Loughnan Colquhoun
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 

Dernier (20)

Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum Computing
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.Digital magic. A small project for controlling smart light bulbs.
Digital magic. A small project for controlling smart light bulbs.
 
Babel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptxBabel Compiler - Transforming JavaScript for All Browsers.pptx
Babel Compiler - Transforming JavaScript for All Browsers.pptx
 
Spring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdfSpring24-Release Overview - Wellingtion User Group-1.pdf
Spring24-Release Overview - Wellingtion User Group-1.pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 

2010-02 Building Security Architecture Framework

  • 1. Building a Comprehensive Security Architecture Framework
    Mark Whitteker, MSIA, CISSP
    Security Architect / Information Systems Security Officer, Cisco Systems, Inc.
  • 2. Mark Whitteker, MSIA, CISSP, GSNA, GCFA
    - Security Architect and Information Systems Security Officer at Cisco Systems, Inc.
    - 15+ years of experience in secure solutions development, systems and network auditing, forensic discovery, vulnerability assessments, and security management.
    - Extensive background in the application of commercial and US government regulations and requirements
    - Can be reached at: mwhittek@cisco.com, http://www.linkedin.com/pub/mark-whitteker/3/480/68b
    © 2010 Cisco Systems, Inc. All rights reserved. Cisco Confidential
  • 3. Agenda
    - The Problem
    - The Solution
    - The Dirty Details
    - Q&A
  • 4. Why do I need a security framework?
    Here’s a house built on a planned framework… [figures: Framework, Finished Product]
    The result: an efficient and elegant home!
  • 5. Why do I need a security framework?
    Here’s a house built without a planned framework… [figure]
    The result: I haven’t seen my wife and children in days!
  • 6. The Problem
  • 7. Problem Description
    - Few of us have the luxury of building our organization’s security architecture from the ground up
    - Some security services already exist (hopefully)
    - Your organization must comply with one or more industry standards
      - ISO 27001/27002
      - NIST SP 800-53
      - SOX
      - PCI
    - You need to demonstrate to auditors your compliance with the resulting requirements
  • 8. Compliance with Requirements
    Can you say “Checkbox Security”?!?
    - Auditors validate that all the checkboxes are complete
    - Security professionals know (or should know) that: Compliance != Security
    - Security is achieved by understanding the organization’s risks and implementing mitigation steps to reduce them to within management’s tolerance level
    - So how do you show auditors compliance with requirements while actually improving your security posture?
  • 9. If you keep going how you’ve always gone, you’ll end up where you’ve always been.
  • 10. The Solution
  • 11. Bring it all together!
    - Map security services to industry standards through a comprehensive, end-to-end security framework
    - Shows auditors how you are complying with industry standards
    - Demonstrates to management the value of security services
    [diagram: Industry Standards mapped to Security Services]
  • 12. The Dirty Details
  • 13. Comprehensive Framework Diagram [diagram]
  • 14. Implementation Phases
    - Phase 1: Define Requirements
    - Phase 2: Implement Requirements
    - Phase 3: Measure Success
    - Rinse and Repeat
  • 15. Phase 1 - Define Requirements
  • 16. Industry Standards
  • 17. Industry Standards
    Build a Requirements Crosswalk Matrix
    - Most industry standards, while different, are based on the same security principles/requirements
    - Determine where similarities exist and group them together
    [diagram: Industry Standard A Password Complexity Requirement and Industry Standard B Password Complexity Requirement both map to one Organizational Password Complexity Requirement]
  • 18. Crosswalk Example – Audit Logging
    - Company must comply with ISO 27001/27002
    - A business unit within the company provides government services and must comply with NIST SP 800-53 (per FISMA)
    - Crosswalk matrix developed to integrate both sets of requirements into a single framework
    [diagram: ISO 27001 A.10.10.1 and NIST SP 800-53 AU-1 to AU-5, AU-8, AU-11, AU-12 both map to the Organizational Audit Logging Requirements]
  • 19. Crosswalk Example – Continued
    - ISO 27001/27002 – A.10.10.1: Audit logs recording user activities, exceptions, and information security events should be produced and kept for an agreed period to assist in future investigations and access control monitoring. Includes a list of 12 relevant event types
    - NIST SP 800-53 AU-1 to AU-5, AU-8, AU-11, AU-12: Audit and Accountability Policy and Procedures, Auditable Events, Content of Audit Records, Audit Storage Capacity, Response to Audit Processing Failures, Time Stamps, Audit Record Retention, and Audit Generation
  • 20. Crosswalk Example – Continued
    Organizational Audit Logging Requirements
    - Combines requirements from both standards into a single set of organizational standards
    - Where there are differences between the level of implementation/stringency, the most stringent requirement prevails
      - Example: 3 year log retention vs. 5 year log retention; Organizational Requirement – 5 year retention
    - Where there are conflicts, the organization must determine which industry standard has precedence
      - May require the involvement of the legal department
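The crosswalk logic of slides 17 to 20 (group clauses by topic, let the most stringent value prevail, escalate true conflicts) as an added example; this is not the presentation's own tool, and every sample clause, reference and value below is constructed to illustrate the 3 year vs. 5 year retention case and a conflict case.

```python
"""Requirements crosswalk matrix: group clauses of several industry standards by
topic, merge each topic into one organizational requirement (most stringent value
prevails) and flag genuine conflicts for a precedence decision. Added example."""
from dataclasses import dataclass, field
from typing import Optional, Union

@dataclass
class Clause:
    standard: str                     # e.g. "ISO 27001/27002"
    ref: str                          # e.g. "A.10.10.1"
    topic: str                        # crosswalk grouping key
    value: Optional[Union[float, str]] = None   # measurable parameter, if any
    higher_is_stricter: bool = True   # direction of stringency for numeric values

@dataclass
class OrgRequirement:
    topic: str
    sources: list = field(default_factory=list)
    value: Optional[Union[float, str]] = None
    conflict: bool = False            # needs a precedence (possibly legal) decision

def merge(group):
    """Merge one topic's clauses into an OrgRequirement (most stringent prevails)."""
    org = OrgRequirement(group[0].topic, [f"{c.standard} {c.ref}" for c in group])
    valued = [c for c in group if c.value is not None]
    if not valued:
        return org
    if all(isinstance(c.value, (int, float)) for c in valued):
        directions = {c.higher_is_stricter for c in valued}
        if len(directions) > 1:
            org.conflict = True        # standards pull in opposite directions
        else:
            pick = max if directions.pop() else min
            org.value = pick(c.value for c in valued)
    elif len({c.value for c in valued}) == 1:
        org.value = valued[0].value
    else:
        org.conflict = True            # e.g. incompatible mandated algorithms
    return org

def crosswalk(clauses):
    """topic -> OrgRequirement for every topic present in the input clauses."""
    groups = {}
    for c in clauses:
        groups.setdefault(c.topic, []).append(c)
    return {topic: merge(group) for topic, group in groups.items()}

# Constructed sample input: clause references and values are illustrative only.
SAMPLE = [
    Clause("ISO 27001/27002", "A.10.10.1", "audit-log-retention-years", 3),
    Clause("NIST SP 800-53", "AU-11", "audit-log-retention-years", 5),
    Clause("Industry Standard A", "X.1", "session-idle-timeout-minutes", 15, higher_is_stricter=False),
    Clause("Industry Standard B", "Y.2", "session-idle-timeout-minutes", 30, higher_is_stricter=False),
    Clause("Industry Standard A", "X.7", "required-hash-algorithm", "SHA-1"),
    Clause("Industry Standard B", "Y.9", "required-hash-algorithm", "SHA-256"),
]
```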
  • 21. Organizational Policies
  • 22. Organizational Policies
    - Once the organizational requirements have been determined, the organization must now develop security policies
    - Developing policies and obtaining executive approval can be a cumbersome and time consuming process
    - Keep policies high-level and solution agnostic
      - Helps to ensure successful collaboration efforts among policy contributors
      - Minimizes need to revisit policies as technology changes
      - 2 year review cycle is usually sufficient
    - Create as few policies as possible, but keep them domain specific
  • 23. Organizational Policies Example
    - Acceptable Use
    - Business Continuity and Disaster Recovery
    - Contract Security for Information Systems
    - Cryptographic Controls
    - Data Classification
    - Data Protection
    - Incident Management
    - Information Security Management
    - Information System Authorization and Account Management
    - Information Systems Auditing and Testing
    - IT Operations Security
    - Personnel Security for Information Systems
    - Physical and Environmental Security
    - Risk Management
    - Security Compliance Management
    - Security Policy Architecture
    - Security Training and Awareness
    - Standardized Glossary – Taxonomy
    - System Development Lifecycle Security
    - User Identification and Authentication
    Source: Cisco’s Global Government Solutions Group – IT (GGSG-IT)
  • 24. Organizational Policies Example (cont)
    Security Policy | ISO 27001/27002 | NIST SP 800-53 Rev 2
    Acceptable Use | 07.01.03, 11.02.03, 11.03.01, 11.03.02, 11.03.03 | PL-4, PS-6
    Business Continuity and Disaster Recovery Plan | 14.01.02, 14.01.03, 14.01.04, 14.01.05 | CP-(1-10)
    Contract Security for Information | 06.01.04, 06.02.03, 12.01, 12.05, 15.01.02 | SA-(1,6,9)
    Cryptographic Controls | 12.03.01, 12.03.02, 15.01.06 | IA-7, SC-(8,9,12,13)
    Data Classification | 07.02, 07.02.01, 07.02.02, 10.07.03 | AC-16, MP-3
    Data Protection | 06, 07.02.02, 09.01, 10, 11, 12, 15 | MP-1, SC-(8,9), SI-(1,7)
    Incident Management | 06.01.05, 06.01.06, 13.01.01, 13.01.02, 13.02 | IR-(1-7)
    Information Security Management | 06.01.01, 06.01.02, 06.01.07, 06.01.08 | PL-1
    Information System Authorization and Account Management | 06.02.01, 07.01.03, 08.02.01, 10.02, 10.10.03, 11.01.01, 11.04, 11.05, 11.06.02 | AC-(1,2)
    Information Systems Auditing & Testing | 06.02.01, 07.01.01, 10.01.03, 10.10.05, 15.02, 15.03 | AU-(1-11), RA-(3-5), SA-(5,11), CA-(1,2), AC-5, IR-3, CP-4, SI-6
  • 25. Organizational Policies Example (cont)
    Security Policy | ISO 27001/27002 | NIST SP 800-53 Rev 2
    IT Operations Security | 06.01.03, 10, 11, 12, 15 | SC-1, SI-1
    Personnel Security for Information Systems | 06.01.03, 06.01.05, 08.01, 08.02, 08.03, 13.01, 15.01, 15.02.01 | PS-(1-8)
    Physical and Environmental Security | 09.01, 09.02, 13.01.02, 14.01.03 | PE-(1-17)
    Risk Management | 14.01.02, 08.02.02 | RA-1
    Security Compliance Management | 10.10.01, 10.10.02, 13.01.01, 13.02.03, 15.01, 15.02.01, 15.02.02 | AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, RA-1, MA-1, MP-1, IA-1, IR-1, PE-1, PL-1, PS-(1,7), SA-(1,9), SC-1, SI-1
    Security Policy Architecture | 05.01.01, 05.01.02 | PL-1
    Security Training and Awareness | 05.01.02, 06.02.03, 08.02.02 | AT-(1-4)
    Standardized Glossary - Taxonomy | 07.01.02, 07.02, 07.02.01 | Appendix B
    System Development Lifecycle Security | 10.01.04, 10.03.02, 10.07.04, 12.01.01, 12.04.02, 12.04.03, 12.05.01, 12.05.03 | SA-(3,8,11)
    User Identification and Authentication | 11.02, 11.04.02, 11.05.02 | IA-(1,2)
  • 26. Policy Standards
  • 27. Policy Standards
    - Specific technical implementation requirements should be defined in policy standards
    - The policies themselves contain hyperlinks and/or references to associated policy standards
    - Policy standards do not require review/approval by senior management
      - Defined by organizational Subject Matter Experts (SMEs)
      - Doesn’t require modification of the overarching policy
    - Standards can be modified/updated as technology advances
    - Should be reviewed by the SMEs at least yearly to ensure standards stay current with industry trends
  • 28. Policy Standards Example [diagram]
  • 29. Policy Standards Example
    - Cryptographic Controls policy states: “Purpose: This policy governs the use of cryptographic controls and key management to protect the confidentiality & integrity of Cisco GGSG information assets, as well as to support non-repudiation.”
    - References multiple policy standards such as:
      - Full disk encryption
      - Mail, file and folder encryption
      - Public Key Infrastructure (PKI)
    - More than one policy may apply when defining standards
      - Data Protection policy also closely related to CC policy
  • 30. Policy Standards Reality Check
    - Often there isn’t simply a 1:1 mapping between policies and standards
    - In many cases multiple policies reference the same standards
    [diagram: the Cryptographic Controls Policy, Data Protection Policy and Acceptable Use Policy all reference the Email Encryption Standard]
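The many-to-one mapping just described also shows up in the policy-to-control table on slides 24 and 25. As an added example (not the presentation's own code), the block below expands the slides' compact NIST SP 800-53 notation such as AU-(1-11) or SA-(5,11) into individual control IDs, inverts a handful of rows copied from the table to show which policies reference each control, and lists expected controls that no policy references; the function names are mine.

```python
"""Expand the compact control notation of the policy mapping table and invert it.
Added example; the five rows below are copied from slides 24-25 as printed."""
import re

# Policy -> NIST SP 800-53 Rev 2 controls, as written on the slides (subset).
POLICY_CONTROLS = {
    "Acceptable Use": "PL-4, PS-6",
    "Cryptographic Controls": "IA-7, SC-(8,9,12,13)",
    "Data Protection": "MP-1, SC-(8,9), SI-(1,7)",
    "Information Systems Auditing & Testing":
        "AU-(1-11), RA-(3-5), SA-(5,11), CA-(1,2), AC-5, IR-3, CP-4, SI-6",
    "Security Compliance Management":
        "AC-1, AT-1, AU-1, CA-1, CM-1, CP-1, RA-1, MA-1, MP-1, IA-1, IR-1, "
        "PE-1, PL-1, PS-(1,7), SA-(1,9), SC-1, SI-1",
}

# Family code, then either a parenthesised group "(1-11)" / "(5,11)" or one number.
TOKEN = re.compile(r"([A-Z]{2})-(?:\((.*?)\)|(\d+))")

def expand(spec):
    """'SC-(8,9), AU-(1-3), PL-4' -> {'SC-8', 'SC-9', 'AU-1', 'AU-2', 'AU-3', 'PL-4'}."""
    ids = set()
    for family, group, single in TOKEN.findall(spec):
        if single:
            ids.add(f"{family}-{single}")
            continue
        for part in group.split(","):
            lo, _, hi = part.strip().partition("-")   # "5" or "1-11"
            for n in range(int(lo), int(hi or lo) + 1):
                ids.add(f"{family}-{n}")
    return ids

def invert(policy_controls):
    """control ID -> set of policies that reference it."""
    by_control = {}
    for policy, spec in policy_controls.items():
        for cid in expand(spec):
            by_control.setdefault(cid, set()).add(policy)
    return by_control

def shared_controls(policy_controls):
    """Controls referenced by more than one policy: the 'no 1:1 mapping' case."""
    return {c: p for c, p in invert(policy_controls).items() if len(p) > 1}

def unreferenced(required, policy_controls):
    """Controls an auditor expects to see that no policy references (a gap)."""
    return sorted(set(required) - set(invert(policy_controls)))
```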
  • 31. Phase 2 - Implement Requirements
  • 32. Policy Implementation Procedures
  • 33. Policy Implementation Procedures
    - While Policy Standards specify the technical implementation requirements necessary to comply with policies, Policy Implementation Procedures document the step-by-step instructions for implementing those standards
    - They are:
      - Specific
      - Repeatable
      - Thorough
      - Validated
      - Approved
    - Assists in improving an organization’s CMM level
  • 34. Procedures Example
    Installing the Secure Print Client (Windows XP):
    1. Open Windows Explorer.
    2. In the Address field, type (or cut & paste) Rtp-filer09awg-gggsg- appsPublishedSecure-Print and press <Enter>.
    3. Double-click on the spxpinstall.bat script from the folder you just opened.
    4. Enter your CEC credentials (if prompted).
    5. Click Open (if prompted).
    6. If necessary, click Yes on the Cisco Security Agent window to allow the script to run.
    7. A command window will open and display the installation progress.
    8. When the software is done installing, click OK.
  • 35. Security Services
  • 36. Security Services
    - Security Services is the most ambiguous area of the framework
    - It can be very simple (1-3 services), or very complex (dozens of services), depending on the size and scope of your organization
    - Don’t reinvent the wheel!
    - There are existing industry sources that can be used as a baseline
      - SSE-CMM: Systems Security Engineering Capability Maturity Model
      - NIST SP 800-35: Guide to Information Technology Security Services
  • 37. Security Services Example
    Systems Security Engineering Capability Maturity Model
    - Includes 11 security services:
      - Administer Security Controls
      - Assess Impact
      - Assess Security Risks
      - Assess Threats
      - Assess Vulnerabilities
      - Build Assurance Argument
      - Coordinate Security
      - Monitor Security Posture
      - Provide Security Input
      - Specify Security Needs
      - Verify and Validate Security
  • 38. Security Services Example
    NIST SP 800-35: Guide to Information Technology Security Services
    - Includes 3 categories of services: Management, Operational and Technical
    - Management Services: Security Program, Security Policy, Risk Management, Security Architecture, Certification and Accreditation, and Security Evaluation of IT Projects
    - Operational Services: Contingency Planning, Incident Handling, Testing, and Training
    - Technical Services: Firewalls, Intrusion Detection/Prevention, and Public Key Infrastructure
  • 39. Phase 3 – Measure Success
  • 40. Measure Success
    - How do you know if your security program is successful?
  • 41. Risk Assessments
    - Perform a risk assessment!
    - There are 2 types of risk assessments:
      - Qualitative: A subjective assessment of the organization’s risk, typically achieved through personnel interviews and surveys.
      - Quantitative: A non-subjective assessment of the organization’s risk based on mathematical calculations using security metrics and monetary values of assets.
    - Which one is right for your organization?
  • 42. Qualitative Risk Assessments
    - Pros
      - Calculations are simple
      - Not necessary to determine monetary value or threat frequency
      - Not necessary to estimate cost of risk mitigation measures
      - General indication of significant risks is provided
    - Cons
      - Subjective in both process and metrics
      - Perception of asset/resource value may not reflect actual value
      - No basis is provided for cost/benefit analysis
      - Not possible to track risk management performance
    - Although this method is very subjective in nature, it can be very beneficial when an organization is young and still maturing
  • 43. Quantitative Risk Assessments
    - Pros
      - Based on independently objective processes and metrics
      - Value of information expressed in monetary terms is better understood
      - Credible basis for cost/benefit assessment is provided
      - Risk management performance can be tracked and evaluated
      - Results are derived and expressed in management’s language
    - Cons
      - Calculations are complex
      - Not practical to execute without automated tool and associated knowledge bases
      - A substantial amount of information must be gathered
    - Appropriate once an organization has reached a higher level of maturity, and now requires an assessment against standardized, objective measures
  • 44. Other Items to Consider
    - Establish a Compliance Management Program
      - Configuration Management: Develop standard configurations
        - Infrastructure Devices (network, hosts, etc.)
        - Data (databases, NAS, SAN, etc.)
        - Applications (web server, programming languages, protocols)
      - Change Management: Any proposed change to your production environment should be recorded, reviewed and approved by an SME from each domain: Security, Infrastructure, Data, Application, Operations, Support
      - Release Management: Any changes that impact, or could potentially impact, the availability of a production service, should be released at scheduled intervals: Weekly, Monthly, Quarterly, etc.
  • 45. Visual Representation
    - Configuration Management: All systems must comply with configuration management standards
    - Change Management: All changes must be submitted and performed through change management
    - Release Management: Those changes that impact the availability of production systems or services must be bundled into a scheduled release
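The change and release management gate of slides 44 and 45 as an added example (not Cisco's process or code): a change is implementable only after an SME from every domain named on slide 44 has approved it, and availability-impacting changes are assigned to the next scheduled release instead of being applied directly. The weekly release weekday, change IDs and descriptions are constructed assumptions.

```python
"""Change/release management gate: every domain SME must approve a change, and
availability-impacting changes are bundled into the next scheduled release.
Added example; only the domain list comes from the slides."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Approving domains as listed on slide 44.
DOMAINS = ("Security", "Infrastructure", "Data", "Application", "Operations", "Support")

@dataclass
class ChangeRequest:
    change_id: str
    description: str
    impacts_availability: bool
    approvals: dict = field(default_factory=dict)   # domain -> approving SME

    def approve(self, domain, approver):
        if domain not in DOMAINS:
            raise ValueError(f"unknown approval domain: {domain}")
        self.approvals[domain] = approver

def missing_approvals(change):
    """Domains whose SME has not yet reviewed and approved the change."""
    return [d for d in DOMAINS if d not in change.approvals]

def next_release_window(today, release_weekday=5):
    """Next scheduled weekly release date (constructed: weekday 5 = Saturday).
    A change raised on release day waits for the following window."""
    days_ahead = (release_weekday - today.weekday()) % 7 or 7
    return today + timedelta(days=days_ahead)

def gate(change, today):
    """('blocked', missing domains) | ('implement', None) | ('release', date)."""
    missing = missing_approvals(change)
    if missing:
        return ("blocked", missing)
    if change.impacts_availability:
        return ("release", next_release_window(today))
    return ("implement", None)
```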
  • 46. Q&A