Tallinn University of Technology 2014 Reelika Riis 132270 YVEM
Content
1. Information security
2. General security principles
3. Causes of security vulnerabilities
4. Possible consequences when ignoring information risks
5. Secure-by-design culture
Introduction
Almost all projects use some form of information technology.
This information needs to be protected.
Security planning is an integral part of the overall project life cycle and incorporates many different aspects to be considered when planning a project.
What is Information Security?
Information and the systems and processes supporting IT are key organizational assets. Information Security is about ensuring the confidentiality, availability and integrity of that information and ensuring that privacy issues are addressed as required to support the achievement of the organization’s objectives.
A flaw can be considered a security vulnerability when one of the goals is compromised.
General Security Principles
- Confidentiality – Ensuring data is only accessed on a need-to-know basis
- Integrity – Ensuring that only authorized changes are made to data and systems
- Availability – Ensuring that data and systems are available when needed

Information risks come in various forms:
- Unintentional – errors, vulnerabilities
- Intentional – crime, misuse, malware

Use the CIA model as your risk indicator:
- Confidentiality – unauthorized access to data
- Integrity – unapproved changes
- Availability – no backups
Causes of Security Vulnerabilities
Failure in Design
- Poor decision about trust
- Unspoken assumptions
- Not accounting for failure

Failure in Implementation
- Insecure coding techniques
- Insecure configuration
- Poor deployment practices
If Information risks are ignored, what can happen?
- Loss of reputation – trust factor
- Loss of money – was there financial damage
- Costly – how much did it cost to fix it
- Regulation – did fines have to be paid
- Legal – were laws not followed
- Loss of services – impact to the business
Methods of finding IT Security risks
Reactive approach
- Audits
- Incidents

Proactive approach
- Structured risk assessment in the beginning phase of any plan to produce or upgrade a product or service
- Part of the Project Management process
Secure-by-design culture benefits
Attacks on data and applications have grown in frequency and sophistication, making it hard for any single security solution to provide complete protection.
Cost-effective security begins with the development of secure applications FROM THE VERY BEGINNING!
- Speed time-to-market
- Help alleviate the costs and negative publicity

Organizations should aim to institute a governance-based secure-by-design culture!
Potential roadblocks to achieving a secure-by-design culture
Developers' goals
- Product functionality
- On-time delivery

Security analysts' goals
- Eliminating vulnerabilities
- Implementing security controls as early in the development process as possible
To decrease and mitigate vulnerabilities – the development and security teams must cooperate and work closely together!
Thank you for your