Establishing a Security Plan Flashcards
What is a security plan?
- a security plan is a document that describes how an organization will address its security needs
- It is a live document subject to periodic review, evaluation and revision
- a good security plan is an official record of current security practices, plus a blueprint for orderly change to improve those practices
- gives developers and users a way of measuring the effect of proposed changes leading to further improvements
What are the main contents of a security plan?
Policy - high level statement of the organization's goals on security
Current State - listing of vulnerabilities to which the system is exposed
Requirements - Functional and performance demands on the system
Recommendations - Security techniques and mechanisms to be put in place to meet the requirements
Accountability - Who is responsible for each security activity
Timetable - timelines to achieve goals
Evaluation methodology - how do you measure the effectiveness of the plan
What are the questions to be addressed (phases of the security plan)?
Inspection - what needs to be protected
Protection - how to protect
Detection - how to detect intrusion
Reaction - how to react to a network attack
Reflection - how to recover from the network attack
Describe inspection
- make a formal inventory of all resources
- assign ownership to each resource
- determine value of each resource
- for each resource, list the threats that could cause damage
- calculate the risk impact, risk probability, risk exposure, and risk leverage for each resource
Want to protect the item with the highest risk leverage.
Describe Protection
Deploy tools for achieving the seven security goals for each resource or set of resources starting with the ones with the highest risk leverage
Describe detection
(some tools)
Signature analysis - collection of event log data
Anomaly Detection - look for unusual activities or statistically anomalous behaviour
Dynamic analysis = signature analysis + anomaly detection
Honey pots - subnetworks configured with vulnerabilities but holding resources of no value
Describe reaction
- prepare strategies for incident containment
- prepare rapid response team
- develop network disconnect plan
- develop rapid recovery procedures
- assess the damage
- restore information from a trusted backup copy
- monitor the system for indications of continued attack
Describe reflection
- assemble the information from all involved
- conduct post-incident briefings to gather information that was not recorded
- produce a technical summary that can be evaluated for applicability to other systems
- Write an executive summary for upper management to understand the incident’s issues
- Re-evaluate the organization’s security plan and make changes