This document provides an overview of key topics in information security:
- It discusses the challenges of implementing information security programs and outlines the importance of processes over products.
- An Information Security Management System (ISMS) is presented as the foundation for establishing security policies, procedures, and responsibilities.
- Authentication and provisioning systems are described as ways to centrally manage user identities and access across applications.
- The importance of vulnerability assessment, policy compliance, and log monitoring tools is highlighted to help detect threats, ensure compliance, and aid auditing.
- Endpoint security, access control, and data leakage prevention are outlined as methods to enforce security policies across networked devices and sensitive data.
The document provides an overview of web security. It discusses the internet and the World Wide Web, vulnerabilities and threats to web applications like phishing and SQL injection, as well as countermeasures. It also outlines a generic security model covering security policies, host security, network security, organizational security, and legal security. Finally, it examines the components of web application architecture like user interface elements, structural components involving web browsers, application servers, and database servers.
Information security management best practice (parves kamal)
ISO 17799 is an internationally recognized Information Security Management Standard, first published by the International Organization for Standardization, or ISO (www.iso.ch), in December 2000.
This document provides an introduction to information security. It defines information security and outlines its objectives, which include understanding the critical characteristics of information, the comprehensive security model, and approaches to implementation. The document discusses the history of information security and components of an effective information security system. It also describes the security systems development life cycle process and provides key information security terminology.
This document discusses information systems security and control. It begins by defining security and explaining why information systems need protection. It then outlines objectives related to explaining the need for protection, assessing the business value of security, and evaluating security frameworks. The document identifies challenges like system vulnerabilities, threats, and attacks. It discusses why systems are vulnerable and the risks and threats they face. It also covers creating a control environment, including controls, disaster recovery plans, and internet security challenges. The document concludes by discussing management opportunities and challenges in security, and providing guidelines for effective security solutions.
This document outlines the topics and structure of an Information Security Management course. The course will cover planning for security, information security policy, developing security programs, risk management, protection mechanisms, personnel security, law and ethics, and security in the cloud. Assessments, case studies, presentations, labs, and class participation will be used for evaluation. Current security topics will be researched and presented. A term paper and demonstration project will also be required. The goal is to examine information security holistically within an organization.
This document introduces information security and outlines its key concepts. It defines information security as protecting information from unauthorized access, use, disclosure, disruption or destruction. Successful security involves multiple layers, including physical, personal, operations, communications, network and information security. Information has critical characteristics of availability, accuracy, authenticity, confidentiality and integrity that security aims to protect. A top-down approach to implementation led by management is most effective, following a security systems development life cycle of investigation, analysis, design, implementation and maintenance phases.
IBM i Security: Identifying the Events That Matter Most (Precisely)
This presentation discusses IBM i security monitoring and integration with SIEM solutions. It covers the basics of security monitoring on IBM i, including key areas to monitor like user access, privileged users, network traffic, and database activity. It emphasizes the importance of centralized log collection and correlation through a SIEM for advanced security monitoring, threat detection, and compliance. Finally, it outlines how Precisely's Assure Monitoring and Reporting solution can help organizations by comprehensively monitoring IBM i system and database activity, generating alerts and reports, and integrating IBM i security data with other platforms in the SIEM.
Training and tips that are very helpful for gaining knowledge in the field of information security and passing your CISSP certification exam.
To become CISSP certified, please check out the link below:
http://asmed.com/cissp-isc2/
This document discusses security technologies taught in an Illinois Institute of Technology course. It covers firewalls, intrusion detection systems, dial-up protection, and other topics. The learning objectives are to define types of firewalls, discuss firewall implementation approaches, and understand technologies like encryption and biometrics. Firewalls examined include packet filtering, proxy, stateful inspection, dynamic, and kernel proxy firewalls. Intrusion detection systems can be host-based or network-based, using signatures or anomalies. Remote authentication and terminal access control systems help secure dial-up access.
This document provides an introduction to information security. It outlines the objectives of understanding information security concepts and terms. The document discusses the history of information security beginning with early mainframe computers. It defines information security and explains the critical characteristics of information, including availability, accuracy, authenticity, confidentiality and integrity. The document also outlines approaches to implementing information security and the phases of the security systems development life cycle.
The document discusses several key concepts in information security including the goals of security like prevention, detection and recovery. It covers threats, vulnerabilities, attacks and different types of controls. It also explains authentication methods like passwords, tokens, biometrics and multifactor authentication. Finally, it summarizes cryptography fundamentals including encryption, ciphers, hashing and symmetric/asymmetric encryption algorithms.
This document is a slide presentation for an introduction to information security course at Illinois Institute of Technology. It begins with an overview of the course objectives and policies. It then provides a history of information security, defining key terms. It discusses approaches to implementing security through a systems development life cycle and the roles of security professionals.
The security awareness and training program has several objectives: 1) ensure employees understand their role in protecting company information assets; 2) educate employees on the value of information security; and 3) teach employees how to recognize and report potential violations. The program covers topics such as security policies, user responsibilities, and incident reporting. It aims to provide ongoing training for existing employees and raise security awareness through less formal methods. The success of the program requires long-term commitment of resources and funding.
This document provides information about security operations centers (SOCs). It discusses why organizations build security controls and capabilities like SOCs, which are designed to reduce risk, protect businesses, and move from reactive responses to proactive threat mitigation. The document defines a SOC as a skilled team that follows processes to manage threats and reduce security risk. It outlines the major responsibilities of a SOC, which include monitoring, analyzing, and responding to security events. It also notes that effective SOCs balance people, processes, and technology. The document provides details about building a SOC and considerations in each of these domains. It includes a sample job description for a SOC analyst role.
Secrets to managing your Duty of Care in an ever-changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for cybersecurity attacks sits with executives and board members, who may not have the right level of technical security knowledge. This session will outline the practical steps executives can take to implement a Cybersecurity Roadmap that is aligned with the organisation's strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
This document discusses security management practices, with a focus on information security management. It covers topics such as information classification, security policies, roles and responsibilities, risk management, and security awareness training. Specifically, it provides details on establishing an information classification process, including identifying information assets, analyzing risks, defining classifications, roles for information owners and custodians, and guidelines for classifying information and applications.
Information security aims to balance information risks and controls. It began with early computer security focused on physical threats. A successful security approach uses multiple layers including physical, personal, operations, communications, network, and information security. Managing information security requires a structured methodology similar to implementing a major system, such as the Security Systems Development Life Cycle.
This document provides an overview of key concepts in information security. It defines information security, why it is important for businesses, and common information security jobs. It then discusses the history of information security and introduces the CIA triad of confidentiality, integrity and availability. The document outlines the components of risk management and assessment. It also describes different types of security controls including administrative, logical/technical, and physical controls and important principles like separation of duties and least privilege. Finally, it discusses security classification of information.
i) The document discusses security and control of information systems, including objectives to explain why protection is needed, assess value, and evaluate frameworks and tools. It outlines challenges like confidentiality, authentication, integrity and availability.
ii) It describes vulnerabilities like viruses, hacking, and weaknesses of internet technologies. System threats include spyware, denial of service attacks, and identity theft.
iii) Effective security requires management frameworks including risk assessment, policies, auditing, and ensuring business continuity during disasters. Technologies involve access control, encryption, firewalls and intrusion detection.
Cyber security series: administrative control breaches (Jim Kaplan CIA CFE)
This webinar series is designed to help internal auditors who want to equip themselves with the competencies and confidence to handle audits of IT controls and information security, and to learn about emerging technologies and their underlying risks.
The series focuses on contemporary IT audit approaches relevant to Internal Auditors and the processes underlying risk based IT audits.
Session 8 of 10
This Webinar focuses on Administrative Control Breaches
• Security Administration
• Purpose of Security Tools
• Examples of Security Tools
• Security Incident Manager (SIM)
• Problems with Security Administration
• Improving Administration
This document discusses information systems security and control. It defines key concepts like vulnerability, threats, and attacks. It explains why systems are vulnerable through hardware and software problems, disasters, and network usage. The document outlines objectives to explain why systems need protection and evaluate security elements and frameworks. It discusses establishing management frameworks for security controls, creating a secure control environment, and addressing internet security challenges. Finally, it provides guidelines for user responsibilities and discusses management opportunities and challenges in securing systems.
Cognic Systems provides a variety of information security services including penetration testing, vulnerability assessments, security audits, web application security testing, managed security services, and professional consulting services. Their security experts employ sophisticated tools and threat intelligence to help clients build effective security programs. Some of their key offerings are penetration testing to evaluate system vulnerabilities, vulnerability assessments to identify weaknesses, security audits to ensure compliance and catch problems, and web application testing to secure confidential data and applications from attacks.
The document discusses securing management information systems. It covers topics such as what security is, vulnerabilities, threats and attacks. It also discusses why systems are vulnerable, the business value of security, establishing management frameworks for security, creating a control environment, and management challenges around implementing effective security policies. The overall message is that security should be a high priority that requires commitment from all levels of the organization.
The document discusses cyber security and outlines the objectives, system vulnerabilities, business value of security controls, frameworks for security and control, technologies and tools, and management challenges and solutions. It provides an introduction to cyber security concepts over several pages with definitions, figures, and examples.
This is a general orientation for beginners who want to make a career in IT audit. It contains little technical material and focuses more on career-counselling terms and topics.
A series of cyber security lecture notes covering: Endpoint, Server, and Device Security; Identity, Authentication, and Access Management; Data Protection and Cryptography.
Because many organizations don't perform security unless they have to, more than 80% of all web applications are being exposed to vulnerabilities. In comes regulation. There are a number of different industries other than financial and healthcare that deal with PII and PHI but are either not regulated at all or are regulated very loosely. This presentation will discuss the various regulations (PCI, SOX, HIPAA, etc.) and what each does to address web application security, if any, as well as the shortcomings of each. Finally, it will further address industries that need to be more strictly regulated in order to better protect personal information.
Andrew Weidenhamer, Senior Security Consultant, SecureState
Andrew Weidenhamer, Senior Security Consultant, joined SecureState in January 2008. As a former member of the Profiling Team, Andrew performed technical security assessments on a weekly basis. These assessments included Internal and External Attack and Penetration Assessments, Wireless Penetration Assessments, Web Application Security Reviews, Physical Penetration Tests, and Social Engineering Assessments.
This document discusses vulnerability management and cybersecurity risks. It identifies various risks like staff risks, technology risks, and operational risks. It also discusses risk management frameworks and programs. Key aspects of vulnerability management are identified like asset identification, threat assessment, impact evaluation, and risk response. Common vulnerabilities are also listed. The document emphasizes that risk assessment and management is important to protect organizational assets and should be an ongoing process.
Cyber security and demonstration of security tools (Vicky Fernandes)
Presentation on Cybersecurity and demonstration of security tools, conducted by Vicky Fernandes on 10th September 2019 at Don Bosco Institute of Technology, Mumbai.
IBM i is securable BUT not secured by default. To help protect your organization from the increasing security threats, you must take control of all access points to your IBM i server. You can limit IBM i security threats by routinely assessing your risks and taking control of logon security, powerful authorities, and system access.
With the right tools and process, you can assure comprehensive control of unauthorized access and can trace any activity, suspicious or otherwise, on your IBM i systems.
Watch this on-demand webcast to learn:
• How to secure network access and communication ports
• How to implement different authentication options and tradeoffs
• How to limit the number of privileged user accounts
• How Precisely’s Assure Security can help
Effective Security Monitoring for IBM i: What You Need to Know (Precisely)
Defending against the increasing sophistication and complexity of today’s security threats requires a comprehensive, multi-layered approach. The key is to maximize the strength of each layer of your defenses, and then ask yourself “If this layer is breached, what do I have in place to prevent further damage?”
Even if you have implemented the proper layers of protection, effective security still requires a thoughtful and comprehensive approach to monitoring and reporting. Monitoring plays a critical role in any effective IT security strategy. It's like having a security guard constantly patrolling your digital infrastructure, vigilantly watching for suspicious activity and potential threats. Security monitoring allows you to detect threats as soon as possible, giving you a better chance of responding quickly and effectively.
Join us for this webinar, in which we will cover:
• The best practices for monitoring your IBM i environment
• The benefits of combining your IBM i monitoring with other IT systems
• A demonstration of a new Assure Security Monitoring and Reporting interface
Management Information System Presentation (AaDi Malik)
The document discusses securing a management information system. It lists five group members and introduces MIS which provides managers with information for decision making. It then discusses security strategies, vulnerabilities, threats, and attacks. It explains why systems are vulnerable, the business value of security controls, and how to establish a management framework including general and application controls and creating a secure control environment.
Definitive Security Testing Checklist: Shielding Your Applications against Cyb... (Knoldus Inc.)
The protection of applications against cyber threats is paramount. With hackers becoming increasingly sophisticated, organizations must prioritize robust security testing practices. In this informative session, we will unveil a comprehensive security testing checklist designed to fortify your applications against potential vulnerabilities and attacks.
This document discusses security metrics and how they can be used to measure an organization's security posture over time. It begins by explaining why security metrics are important for benchmarking security investments, ensuring compliance, and identifying security issues. It then defines what a security metric is and provides examples of common metrics. The document outlines best practices for deciding which metrics to collect, how to collect them, and how metrics can be used to perform effective risk analysis and demonstrate the financial impact of security. It also provides a hypothetical example of creating security metrics for a point-of-sale system and calculating a risk score. Finally, it discusses challenges with security metrics and provides references for further reading.
This document discusses the importance of information security policies and processes. It defines information and explains that information can take many forms and must be appropriately protected. It then discusses the importance of information, what constitutes information security, and why information security is needed to protect organizations. Key risks like data breaches are outlined. The document emphasizes that information security is an organizational issue, not just an IT issue, and stresses the importance of people, processes, and technology in an information security program. It provides an overview of some common information security standards and regulations like ISO 27001 and HIPAA.
Similar to Meletis Belsis: Managing and enforcing information security (20)
This document discusses the potential for using multimedia in enterprise security user training. It argues that traditional training methods like posters and emails are ineffective. Multimedia could provide more effective training through interactive presentations using audio, video, images and text. Examples show multimedia has been successfully used in other training domains. The document concludes that a multimedia training tool could improve security awareness if designed carefully to avoid helping adversaries understand security systems and policies.
This document proposes a system to improve how Computer Security Incident Response Teams (CSIRTs) store and share security incident data. Currently, CSIRTs use various data structures and methods to record incident details, limiting collaboration. The authors propose a system using CORBA that allows incident data to be stored in a central database and accessed securely via a web interface or standalone application. This would facilitate information sharing between CSIRTs and give users different views of the data based on their roles. A natural language interface is also suggested to allow complex queries without technical expertise. The system aims to address current problems around incident data management and access.
Security is a major concern for organizations and individuals as information has become more valuable. The need for security has existed since information first became important. While firewalls and antivirus software provide some protection, they do not make an organization fully secure. Security involves processes for prevention, detection, reaction, and forensics. It is difficult to implement security perfectly due to costs, user resistance, evolving threats, and time/budget constraints for security teams. Hackers use various techniques like information gathering, password cracking, viruses, denial of service attacks, sniffing, and system exploits to compromise targets. Organizations implement defenses like firewalls, intrusion detection, honeypots, anti-sniffing measures, antivirus software, security awareness
VoIP Security: An Overview discusses the security challenges of Voice over IP (VoIP) technology. It notes that VoIP inherits vulnerabilities from TCP/IP networks and uses the corporate network, making it complex to secure. Common VoIP threats include denial of service attacks, interception attacks, covert channels, and vulnerabilities in VoIP platforms. The document outlines example attacks and tools used by hackers. It recommends countermeasures like network separation, encryption of SIP and RTP, firewalls, intrusion detection systems, and hardening VoIP infrastructure and devices. VoIP honeypots can also be used to detect attackers.
This document discusses IMS security. It provides an overview of IMS architecture, noting its complexity due to supporting different access media and TCP/IP vulnerabilities. Threats to IMS are then outlined, including denial of service attacks, interception attacks, fraud attacks, and vulnerabilities in VoIP platforms. Hacking tools for attacking IMS are also listed. The document concludes with recommendations for IMS countermeasures such as encryption, firewalls, security gateways, antivirus software, network hardening techniques, and IDS/IPS systems.
Have you ever built a sandcastle at the beach, only to see it crumble when the tide comes in? In the digital world, our information is like that sandcastle, constantly under threat from waves of cyberattacks. A cybersecurity course is like learning to build a fortress for your information!
This course will teach you how to protect yourself from sneaky online characters who might try to steal your passwords, photos, or even mess with your computer. You'll learn about things like:
* **Spotting online traps:** Phishing emails that look real but could steal your info, and websites that might be hiding malware (like tiny digital monsters).
* **Building strong defenses:** Creating powerful passwords and keeping your software up-to-date, like putting a big, strong lock on your digital door.
* **Fighting back (safely):** Learning how to identify and avoid threats, and what to do if something does go wrong.
By the end of this course, you'll be a cybersecurity champion, ready to defend your digital world and keep your information safe and sound!
Meletis Belsis: Managing and enforcing information security
1. Managing and Enforcing Information Security
June 2008
Belsis Meletis
MPhil, MRes, BSc
CWNA, CWSP, Network+, C|EH, ISO27001LA
3. Information Security
• Information Security is difficult to implement for the following reasons:
– The cost of implementing a security system should not exceed the value of the data to be secured.
– Industries pay huge amounts of money for industrial espionage.
– Users feel that security is going to take their freedom away, so they often sabotage the security measures.
– Computer prices have fallen dramatically and the number of hackers has multiplied.
– Security managers work under strict budget and time constraints.
– Hackers often cooperate with known criminals.
– Almost 80% of attacks come from internal threats and partners.
– The number of technologies, standards and methodologies that exist today is enough to confuse even experts.
4. Information Security
“In the real world, security involves processes. It involves preventive technologies, but also detection and reaction processes, and an entire forensics system to hunt down and prosecute the guilty. Security is not a product; it itself is a process. …”
Bruce Schneier (Secrets and Lies, Wiley and Sons Inc.)
5. Information Security
• Security comprises a number of tools, processes and techniques.
• In general these cover three main requirements:
– Confidentiality
– Integrity
– Availability
• Depending on a system's security requirements, one may concentrate on only one of these or on all of them.
• A new requirement enforced today is non-repudiation.
7. ISMS
• Security should always start with the development of an ISMS.
• The Information Security Management System (ISMS) is the part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security (ISO 27001 Standard).
• The management system should include:
– Organisational structure and responsibilities
– Policies, procedures, processes and practices
– Planning activities and resources
8. Information Security Management Program Implementation
[Diagram: layered implementation model. Layers shown: Corporate Policy; Policy & Standards (Physical access, Remote Access, Internet Policy, Application Security Policy, System Policy); Technology Standards (VPN, Tokens, Firewalls); Implementation Guidelines (Installation and configuration); Operational Management (Operations, Host Security, Content Security, Process Management).]
9. ISO27001 Advantages
• ISO 27001 is an International Standard giving the requirements for an Information Security Management System.
• The advantages of an ISO27001 Certification:
• Ensure confidentiality, integrity and availability of information to maintain competitive edge, cash-flow, profitability and commercial image.
• Comply with legal, statutory, regulatory and contractual requirements.
• Improve corporate governance and assurance to stakeholders such as shareholders, clients, consumers and suppliers.
• Identify threats to assets, vulnerabilities, likelihood of occurrence and potential impact in order to allocate investment appropriately.
11. Authentication and Provisioning
• The Management Headache
Applications and locations are added almost daily.
Changes to headcounts have multiplied.
The cost of IT management has increased (e.g. it is estimated that the cost to reset a password in a medium size organisation is $20).
Maintaining compliance with security standards (i.e. ISO27001, SoX, PCI) is necessary.
Many man-hours of management time are spent approving resource requests.
12. Authentication and Provisioning
• The Security Headache
User provisioning for all applications is time consuming.
13%-15% of help desk phone calls involve password resets.
Users use yellow stickers to write down and remember the different passwords.
Long lag time between user termination and disablement of IDs.
Users have to access different applications and platforms (i.e. HPUX, Linux, Windows2003).
Security auditors require many different kinds of information.
The authentication method may be different for each application (e.g. password policies, tokens, idle timeout).
[Diagram: the user needs to manually sign in to every application: User → Mainframe Apps, Intranet Web Apps.]
13. Identity Chaos
[Diagram: an Enterprise Directory surrounded by the HR System, Infra Application, Lotus Notes Apps, In-House Application, COTS Application, NOS and a second In-House Application, each holding its own Authentication, Authorization and Identity Data.]
14. Authentication and Provisioning
• Identity Management Systems allow individuals to use a user name, password or other personal identification to sign on to the enterprise applications.
• IDM Systems offer:
• Centralized management of all user identities and access rights.
• Automated (de-)provisioning of accounts.
• Centralized access management for heterogeneous networks (e.g. web applications, systems).
• Strong and flexible password management policies.
• User account self management.
• Identification/removal of inactive accounts.
• Fully automated workflow approval path.
• Password resets (revalidating users).
• Monitoring of all identity-related events.
• IDM requires roles and processes to be clearly defined.
• IDM reduces organisational cost and increases productivity.
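The "long lag time between user termination and disablement of IDs" on slide 12 and the "identification/removal of inactive accounts" on this slide are the same reconciliation check: compare the HR system of record with each application's account export. The following is an added example (not code from the original slides or from any IDM product); the HR records, applications, user names and dates are constructed for the example.

```python
"""Added example (not from the original slides): account reconciliation.

An IDM platform's de-provisioning and inactive-account checks compare the
HR system of record with each application's account list. All records
below are constructed; the applications, users and dates are hypothetical.
"""
from datetime import date, timedelta

# Constructed HR system of record: employee id -> status and termination date.
HR_RECORDS = {
    "e100": {"status": "active", "terminated": None},
    "e101": {"status": "terminated", "terminated": date(2024, 1, 15)},
    "e102": {"status": "active", "terminated": None},
}

# Constructed account exports from two applications.
APP_ACCOUNTS = {
    "erp": [
        {"user": "alice", "employee_id": "e100", "last_login": date(2024, 3, 1)},
        {"user": "bob", "employee_id": "e101", "last_login": date(2024, 1, 10)},
        {"user": "svc_legacy", "employee_id": None, "last_login": date(2023, 6, 1)},
    ],
    "intranet": [
        {"user": "carol", "employee_id": "e102", "last_login": date(2023, 11, 20)},
        {"user": "bob", "employee_id": "e101", "last_login": date(2024, 1, 14)},
    ],
}

# Fixed "today" so the example is reproducible.
TODAY = date(2024, 3, 10)


def reconcile(hr, apps, today, inactive_days=90):
    """Return findings: accounts of terminated users, accounts with no HR
    owner, and accounts unused for more than inactive_days."""
    findings = []
    cutoff = today - timedelta(days=inactive_days)
    for app, accounts in apps.items():
        for acct in accounts:
            eid = acct["employee_id"]
            base = {"app": app, "user": acct["user"]}
            if eid is None or eid not in hr:
                # Nobody in HR owns this account: a typical leftover of
                # manual provisioning.
                findings.append({**base, "issue": "no_hr_record", "days": None})
            elif hr[eid]["status"] == "terminated":
                # Days between termination and today: the lag the slides
                # describe between termination and disablement of IDs.
                lag = (today - hr[eid]["terminated"]).days
                findings.append({**base, "issue": "terminated_user", "days": lag})
            if acct["last_login"] < cutoff:
                idle = (today - acct["last_login"]).days
                findings.append({**base, "issue": "inactive", "days": idle})
    return findings


def run_example():
    return reconcile(HR_RECORDS, APP_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['app']:10} {f['user']:12} {f['issue']:16} {f['days']}")
```

The "days" field is what turns the finding into a metric: the lag between termination and the account still being enabled is the number an auditor asks for, and an account with no HR owner is reported even when it is recently used, because ownership, not activity, decides whether it should exist.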
16. Authentication and Provisioning
• Single Sign On (SSO) allows users to log in to virtually any system using a single log-on procedure.
• Allows administrators to choose an authentication method (e.g. tokens, passwords, biometrics).
• Seamless authentication for heterogeneous environments.
• Centrally provides session management.
• End-to-end audits of user activity across disparate systems.
• Reduces frustration from multiple passwords.
• Reduces the threats from the yellow stickers.
• Provides workstation features like:
• Station lock
• Proximity detectors and RF badges
• Single sign off
• Session migration
• SSO integrates with user provisioning solutions to further increase productivity.
[Diagram: the user authenticates once to the Sign-On Server with one of User ID & Password, Token, Smart Card, MS CAPI Certificate, Biometrics, LDAP or RF Badge; the Sign-On Server holds the individual application passwords and signs on to the Application Hosts (NT/UNIX, OS/390, Novell, AS400, Web Servers) using a PKI certificate or an encrypted passticket.]
17. INNOVA S.A.
Agenda
• Information Security
• ISMS
• Authentication and Provisioning
• Monitoring and Compliance
• Data Protection
• Innova S.A
18. Monitoring and Compliance
• What Do I Need To Do?
– Businesses everywhere are attempting to comply cost-effectively with multiple external and internal mandates (e.g. ISO27001, SoX, PCI).
– Administrators have to defend their systems against new vulnerabilities.
– Security experts need to identify incidents.
– Auditors need to see proof of due care that IT security policies are sufficient, in place, and effective.
• How Do I Do It?
– Automatically test platforms for security compliance on a scheduled basis.
– Regularly test systems for new vulnerabilities.
– Enforce the regular analysis of log files to detect unauthorized actions.
19. Vulnerability Assessment Tools
• Regular tests ensure that systems are protected from new vulnerabilities.
• Vulnerability Assessment tools have databases with thousands of vulnerabilities.
• Frequent updates of these tools are necessary.
• Two types of VA tools:
• Internet-based services
• Network internal
• Some of these tools offer compliance scans against different standards, e.g. PCI.
• VA tools allow managers to schedule automated assessment jobs.
• Reports from these tools are used to patch vulnerable systems and/or develop strategic security plans.
• Reports can also be submitted to Security Auditors.
20. Policy Compliance
• Enterprises are finding that implementing new regulatory policies and procedures in an automated and efficient manner is very challenging.
• The effort of translating a policy into actual technical controls and triggers is complicated and cumbersome.
• Policy Compliance platforms connect to corporate systems and test system configuration against pre-specified security policies (e.g. size and type of passwords, administrator access type).
• Policy Compliance platforms:
• Assist enterprises to maintain a configuration baseline over time.
• Map industry-accepted frameworks, standards (e.g. ISO27001, PCI, SoX) and corporate policies to a set of technical controls and policies.
• Provide assessment of heterogeneous systems (e.g. Unix, Windows).
• Provide risk-based reports and proposed remediation techniques.
• Reduce operational cost and ensure policy compliance.
• Prove compliance to internal and external auditors.
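Translating a policy such as "passwords of at least 12 characters" or "no direct root login over SSH" into technical controls is what the platform described above automates. The block below is an added example, not code from the original slides or from any compliance product: it parses two constructed configuration files (the directive names are real `login.defs` and `sshd_config` directives, the values are chosen to show failing, passing and missing checks), evaluates a small baseline against them and reports per control. The control identifiers (PWD-01, ADM-01, ...) are placeholders, not a real framework.

```python
"""Added example (not from the original slides): configuration baseline check.

Maps policy statements to checks on collected configuration. SAMPLE_CONFIG
is constructed; BASELINE control ids are placeholders.
"""

# Constructed configuration collected from a host; the directives are real
# login.defs and sshd_config directives, the values are chosen for the example.
SAMPLE_CONFIG = {
    "/etc/login.defs": """
# Password aging controls
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
""",
    "/etc/ssh/sshd_config": """
# Administrator access
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 4
""",
}


def parse_kv(text):
    """Parse 'KEY VALUE' lines; blank lines and comments are ignored and keys
    are lower-cased because sshd_config directives are case-insensitive."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def as_int(value):
    """Integer value of a directive, or None if it is not numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


# Baseline: control id, file, directive, predicate on the value, expectation text.
BASELINE = [
    ("PWD-01", "/etc/login.defs", "PASS_MIN_LEN",
     lambda v: as_int(v) is not None and as_int(v) >= 12, ">= 12"),
    ("PWD-02", "/etc/login.defs", "PASS_MAX_DAYS",
     lambda v: as_int(v) is not None and as_int(v) <= 90, "<= 90"),
    ("ADM-01", "/etc/ssh/sshd_config", "PermitRootLogin",
     lambda v: v.lower() == "no", "no"),
    ("ADM-02", "/etc/ssh/sshd_config", "MaxAuthTries",
     lambda v: as_int(v) is not None and as_int(v) <= 4, "<= 4"),
    ("ADM-03", "/etc/ssh/sshd_config", "LoginGraceTime",
     lambda v: as_int(v) is not None and as_int(v) <= 60, "<= 60"),
]


def assess(config_files, baseline):
    """Evaluate every baseline item. A directive absent from the file is
    reported as 'missing' rather than silently passing, since the host then
    runs on the software default, which the policy may not allow."""
    parsed = {path: parse_kv(text) for path, text in config_files.items()}
    results = []
    for control, path, key, check, expected in baseline:
        actual = parsed.get(path, {}).get(key.lower())
        if actual is None:
            status = "missing"
        else:
            status = "pass" if check(actual) else "fail"
        results.append({"control": control, "file": path, "key": key,
                        "actual": actual, "expected": expected, "status": status})
    return results


def summary(results):
    """Counts per status, the figure a compliance dashboard would show."""
    counts = {"pass": 0, "fail": 0, "missing": 0}
    for r in results:
        counts[r["status"]] += 1
    return counts


if __name__ == "__main__":
    res = assess(SAMPLE_CONFIG, BASELINE)
    for r in res:
        print(f"{r['control']} {r['status']:8} {r['key']}={r['actual']} (expected {r['expected']})")
    print(summary(res))
```

Each baseline entry carries the file, the directive and the expectation text, so a failing result already contains what a remediation report needs; the "missing" status is the edge case worth keeping, because a check that only looks at directives present in the file would report a host with no `LoginGraceTime` line as compliant.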
21. Monitoring and Analysis
• Enterprise IT infrastructure elements produce a large number of audit/log records.
• Logs grow too large to be reviewed using manual techniques.
• Log and audit data are usually written on the local platforms.
• Cross-platform analysis of log data is almost impossible.
• Monitoring tools collect records from the different platforms.
• Collected logs can be correlated, analyzed and viewed in real time.
• Provide advanced visualization techniques of the status of the infrastructure.
• Forensic analysis helps respond to security incidents and identify malicious acts.
• Help engineers in detecting and solving network problems.
• Assist in the audit process by being able to produce proofs.
• Provide an "information warehouse" for corporate data that can be mined as a knowledge resource using built-in index and search technologies.
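Correlating logs from different platforms first requires normalising them into one event schema; only then can a pattern that spans hosts be seen. The following is an added example, not code from the original slides or from any monitoring product: it normalises constructed Linux sshd syslog lines and constructed Windows-style logon records (EventID 4625 is a failed logon, 4624 a successful one) and flags a source address that logged in successfully after repeated failures, counting failures on every host. The hosts and user names are hypothetical and the addresses come from the documentation ranges.

```python
"""Added example (not from the original slides): cross-platform log correlation.

Records from two platforms are normalised to one schema and correlated.
LINES are constructed sample records; hosts and users are hypothetical.
"""
import re
from datetime import datetime

# Syslog lines carry no year; a collector is assumed to know it.
LOG_YEAR = 2024

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+)"
)
WIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<host>\S+) EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)"
)

# Constructed sample records from three hosts on two platforms.
LINES = [
    "Mar 10 09:00:01 web01 sshd[2210]: Failed password for root from 203.0.113.5 port 51822 ssh2",
    "Mar 10 09:00:05 web01 sshd[2210]: Failed password for root from 203.0.113.5 port 51823 ssh2",
    "Mar 10 09:00:09 db01 sshd[917]: Failed password for invalid user admin from 203.0.113.5 port 51824 ssh2",
    "2024-03-10T09:00:20 WIN-FS01 EventID=4625 TargetUserName=Administrator IpAddress=203.0.113.5",
    "2024-03-10T09:00:31 WIN-FS01 EventID=4624 TargetUserName=Administrator IpAddress=203.0.113.5",
    "Mar 10 09:05:00 web01 sshd[2300]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2",
    "Mar 10 09:05:02 web01 kernel: eth0: link up",  # unrelated record, ignored
]


def parse_line(line):
    """Normalise one record to {time, host, user, src_ip, outcome}, or None."""
    m = SYSLOG_RE.match(line)
    if m:
        # Collapse the double space syslog uses for single-digit days.
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        outcome = "failure" if m["result"].startswith("Failed") else "success"
        return {"time": ts, "host": m["host"], "user": m["user"],
                "src_ip": m["ip"], "outcome": outcome}
    m = WIN_RE.match(line)
    if m and m["eid"] in ("4624", "4625"):
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        outcome = "success" if m["eid"] == "4624" else "failure"
        return {"time": ts, "host": m["host"], "user": m["user"],
                "src_ip": m["ip"], "outcome": outcome}
    return None


def detect_success_after_failures(events, window_s=300, threshold=3):
    """Alert when a source address logs in successfully after at least
    `threshold` failures from that address within `window_s` seconds,
    counting failures on every host so that attempts spread across
    platforms are seen together."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["outcome"] != "success":
            continue
        prior = [p for p in events[:i]
                 if p["src_ip"] == ev["src_ip"] and p["outcome"] == "failure"
                 and (ev["time"] - p["time"]).total_seconds() <= window_s]
        if len(prior) >= threshold:
            alerts.append({"src_ip": ev["src_ip"], "user": ev["user"], "host": ev["host"],
                           "time": ev["time"].isoformat(), "failures": len(prior),
                           "hosts": sorted({p["host"] for p in prior})})
    return alerts


def run_example():
    events = [e for e in (parse_line(line) for line in LINES) if e]
    return detect_success_after_failures(events)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Viewed per host, 203.0.113.5 caused only two failures on web01 and one each on db01 and WIN-FS01, none of which would trip a per-host threshold of three; it is the collected, normalised view that shows four failures followed by a success, which is the case the slide makes for central collection and correlation.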
23. Endpoint Security
• Today enterprise infrastructures are not isolated.
• Sales employees use laptop computers and PDAs to connect to the corporate networks.
• Teleworking is a new trend to reduce corporate OpEx.
• Standby engineers use laptops to connect to the corporate networks almost daily.
• Threats to the endpoints can easily provide a door for adversaries into the corporate network (e.g. viruses, Trojan horses, unpatched systems).
• Endpoint security software ensures that endpoints are compliant with the corporate security policy.
• Endpoint security provides central control over the endpoint devices used by employees and partners.
• Specialised endpoint clients can be installed on the enterprise Critical Infrastructure Servers.
• Host Intrusion Protection
• Antivirus
• Buffer Overflow Protection
• File/Disk Encryption
• Personal Firewall
• Application Control
• Host Integrity Checking
• Patch Management
24. Endpoint Security
[Diagram: Network Access Control (NAC) enforcement points for each way into the corporate network. Access paths shown: Mobile User over SSL VPN (On-Demand NAC); Wireless Mobile User or Guest (On-Demand and 802.1x NAC); Home User; Partner or Supplier via Web Application (On-Demand NAC); Remote Office over a WAN Router (In-Line NAC); Wired User on Ethernet (802.1x NAC); Wired User and Embedded Windows Device on Ethernet (DHCP NAC); IPSec VPN (API NAC).]
25. Access Control
• Enterprises today base their business almost solely on the data stored in their IT systems.
• Controlling access to this data is vital for the protection of the enterprise.
• Access Control platforms allow administrators to centrally control and enforce access to the corporate data:
• Enforce access accountability and segregation of duties.
• Centrally apply access control policies and rules to reduce administrative cost and complexity.
• Enforce a fine level of control on:
• Files and folders
• Processes
• Privileged programs
• Network connections
• Terminals
• Reduce cross-platform management overhead and meet internal and external audit requirements.
• Access control tools require that a defined access control policy exists.
26. Data Leakage
• Data leakage prevention tools provide a finer level of control over the access restrictions allowed on the corporate data.
• Data leakage prevention enforces the corporate access control policy by providing deep content inspection:
• Automated discovery of corporate confidential information stored on endpoints and servers.
• Network scans to detect and stop confidential information transmitted using different types of applications and protocols, e.g. IM, email, HTTP, FTP.
• Controls the distribution of information using USB drives, CD-ROMs, email and printouts at the point of use where information is accessed and stored.
• Displays alerts for data access violations and develops incident response workflows.
• Controls data input/output from heterogeneous applications and databases.
• Provides a cost-effective way to achieve standards compliance for legacy and web applications.
[Diagram: leakage channels covered by the tool: Email & web uploads; IM / FTP / P2P file transfer; Removable media (CD, USB…); Hardcopy (printers, PDF); Network resources; Legacy apps; Enterprise applications (clipboard, exports); Unstructured data & file sharing (copy, move…).]
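The "deep content inspection" behind the channels in the diagram above is, at its core, a set of content detectors plus a policy decision. The following is an added example, not code from the original slides or from any DLP product: it inspects constructed outbound messages for payment card numbers, validated with the Luhn checksum so that an arbitrary 16-digit order reference is not flagged, and for classification labels, then returns a block/allow decision with the detected value masked. The messages, the label list and the policy are hypothetical.

```python
"""Added example (not from the original slides): deep content inspection.

Two detectors (Luhn-validated card numbers, classification labels) and a
policy decision. OUTBOUND messages are constructed; labels are hypothetical.
"""
import re

# 16 to 19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){15,18}\d\b")
# Hypothetical classification labels used by this organisation.
LABEL_RE = re.compile(r"\b(CONFIDENTIAL|INTERNAL ONLY|RESTRICTED)\b")

# Constructed outbound messages as a mail gateway would hand them to the inspector.
OUTBOUND = {
    "mail-1": "Please charge 4111 1111 1111 1111 for the CONFIDENTIAL bid, thanks.",
    "mail-2": "Order reference 1234 5678 9012 3456 shipped today.",
    "mail-3": "Attached: RESTRICTED board minutes.",
}


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out digit runs
    that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def inspect(text):
    """Return findings with the sensitive value masked, so that the alert
    itself does not become a second copy of the data."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append({"type": "pan", "masked": "*" * (len(digits) - 4) + digits[-4:]})
    for m in LABEL_RE.finditer(text):
        findings.append({"type": "label", "masked": m.group()})
    return findings


def decide(findings):
    """Hypothetical policy: block if a card number or any classification label is present."""
    return "block" if findings else "allow"


def scan_all(messages=OUTBOUND):
    """Decision and findings per message id."""
    results = {}
    for mid, body in messages.items():
        findings = inspect(body)
        results[mid] = (decide(findings), findings)
    return results


if __name__ == "__main__":
    for mid, (decision, findings) in scan_all().items():
        print(mid, decision, findings)
```

The same `inspect` function serves every channel in the diagram; what differs per channel is only where the text comes from (a mail body, a web upload, a file copied to USB) and what the enforcement action is. The Luhn check is the part worth noting: without it "mail-2" would be blocked on a harmless order reference, and a DLP rule that produces such false positives is the first one users ask to have switched off.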