What is the goal of security audits and the importance of establishing best practices within an organization?
Please refer to the attachment. Needs in-text citations with proper APA format.
Chapter 5 – Commonality
Cyber Attacks: Protecting National Infrastructure, 1st ed.
Copyright © 2012, Elsevier Inc. All Rights Reserved
Introduction

Certain security attributes must be present in all aspects and areas of national infrastructure to ensure maximum resilience against attack
Best practices, standards, and audits establish a low-water mark for all relevant organizations
Audits must be both meaningful and measurable
Often the most measurable things aren't all that meaningful
Common security-related best practice standards:
Federal Information Security Management Act (FISMA)
Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry Data Security Standard (PCI DSS)
ISO/IEC 27000 series of standards (ISO27K)
Fig. 5.1 – Illustrative security audits for two organizations
Fig. 5.2 – Relationship between meaningful and measurable requirements
Meaningful Best Practices for Infrastructure Protection

The primary motivation for proper infrastructure protection should be success-based and economic, not the audit score
Security of critical components relies on two steps:
Step #1: Standard audit
Step #2: World-class focus
Sometimes security audit standards and best practices proven through experience are in conflict
Fig. 5.3 – Methodology to achieve world-class infrastructure protection practices
Locally Relevant and Appropriate Security Policy

Four basic security policy considerations are recommended:
Enforceable: Policies without enforcement are not valuable
Small: Keep it simple and current
Online: Policy information needs to be online and searchable
Inclusive: Good policy requires analysis in order to include the computing and networking elements present in the local national infrastructure environment
Fig. 5.4 – Decision process for security policy analysis
Culture of Security Protection

Create an organizational culture of security protection
A culture of security is one where standard operating procedures provide a secure environment
The ideal environment marries creativity and interest in new technologies with caution and a healthy aversion to risk
Fig. 5.5 – Spectrum of organizational culture of security options
Infrastructure Simplification

Organizations should be explicitly committed to infrastructure simplification
Common problems found in the design and operation of national infrastructure:
Lack of generalization
Clouding the obvious
Stream-of-consciousness design
Nonuniformity
Fig. 5.6 – Sample cluttered engineering chart
Fig. 5.7 – Simplified engineering chart
Infrastructure Simplification

How to simplify a national infrastructure environment:
Reduce its size
Generalize concepts
Clean up interfaces
Highlight patterns
Reduce clutter
Certification and Education

Key decision-makers need certification and education programs
One hundred percent end-user awareness is impractical; instead, focus on improving the security competence of decision-makers:
Senior managers
Designers and developers
Administrators
Security team members
Create low-cost, high-return activities to certify and educate end users
Fig. 5.8 – Return on investment (ROI) trends for security education
Career Path and Reward Structure

Create and establish career paths and reward structures for security professionals
These elements should be present in national infrastructure environments:
Attractive salaries
Career paths
Senior managers
Responsible Past Security Practice

Companies and agencies being considered for national infrastructure work should be required to demonstrate past practice in live security incidents
Companies and agencies must do a better job of managing their inventory of live incidents
Companies and agencies being considered for national infrastructure work should provide evidence of the following past practices:
Past damage
Past prevention
Past response
National Commonality Program

A national commonality plan involves balancing the following concerns:
Plethora of existing standards
Low-water mark versus world class
Existing commissions and boards