Security management concepts and principles | PPTX
SECURITY MANAGEMENT
CONCEPTS AND PRINCIPLES
SECURITY & RISK MANAGEMENT
MODULE 5
DIVYA TIWARI
MEIT
TERNA ENGINEERING COLLEGE
INTRODUCTION
• Security management concepts and principles are inherent elements in a security policy and
solution deployment.
• They define the basic parameters needed for a secure environment.
• They also define the goals and objectives that both policy designers and system
implementers must achieve to create a secure solution. It is important for real-world
security professionals.
• The primary goals and objectives of security are contained within the CIA Triad, which is
the name given to the three primary security principles:
1. Confidentiality
2. Integrity
3. Availability
• A complete security solution should adequately address each of these tenets.
• Vulnerabilities and risks are also evaluated based on the threat they pose against one or
more of the CIA Triad principles.
• Thus, it is a good idea to be familiar with these principles and use them as guidelines for
judging all things related to security.
MEASURING ROI ON SECURITY
• Showing the return on investment (ROI) of future security system improvements is one of the
most important tools you have to demonstrate the need for those improvements.
• The return on investment calculation will compare the net benefits of a project to total
project costs.
• The benefits of a new system can be obvious: improved safety for building occupants
and improved security for company assets.
• To prepare an ROI case for your security project, the first step is to collect data showing the
costs and benefits of the proposed system.
• What are the costs of the project?
• The cost of not doing the project. What happens in the organization if you do not
implement the upgrades?
• After collecting all of the costs it is time to focus on the benefits. Benefits of a security
system upgrade can be direct or indirect.
• Once you have compiled all the cost and benefit information it is time to calculate the
return on investment.
ROI = ((Benefit after Security Investment − Cost of Investment) / Cost of Investment) × 100
SECURITY PATCH MANAGEMENT
• Security patches protect the security of devices and the data on them by applying the latest
updates that respond to the latest threats.
• In software engineering a patch refers to small adjustments to the code of software.
• Patch updates one component of the software to fix a bug or error discovered after product
release.
• Security patches address vulnerabilities in software that cybercriminals might use to gain
unauthorized access to devices and data.
• Security patches for a device's operating system (OS), such as Windows, iOS or Android, are
crucial because an OS vulnerability can have far-reaching implications.
• For individuals and their devices, effective patch management can be as simple as turning
on automatic updates.
• Google and Apple, for example, make it easy to have a smartphone manage the work of
keeping the OS and all of your apps patched to the most recent version.
• To check an Android device's security patch level, Google offers an easy online tool.
• For organizations, patch management means overseeing a wide range of equipment,
often in different locations.
• A patch that requires time to install may also interrupt the functioning of the device, so it’s
vital to plan the timing of patches around the schedules of the people using the device.
• For systems that need to operate 24/7, patching is not an easy process.
Importance of Patch Management
1. Reduce exposure to cyberattacks
2. Avoid lost productivity
3. Protect your data
4. Protect customer data
5. Protect others on your network
PURPOSE OF INFORMATION SECURITY
MANAGEMENT
• The purpose of the information security management process is to align IT security with
business security and ensure that the confidentiality, integrity and availability of the
organization’s assets, information, data and IT services always matches the agreed needs of
the business.
• The objectives of information security management are:
1. Protect the interests of those relying on information.
2. Protect the systems and communications that deliver the information.
BUILDING BLOCKS OF INFORMATION
SECURITY
• Encryption: Modification of data for security reasons prior to its transmission so that it
is not comprehensible without the decoding method.
• Cipher: Cryptographic transformation that operates on characters or bits of data.
• Cryptanalysis: Methods to break a cipher so that an encrypted message can be read.
• Electronic Signature: Process that operates on a message to assure message source
authenticity, integrity and non-repudiation.
• Non-Repudiation: Methods by which the transmitted data is tagged with the sender's identity
as proof, so that the sender cannot deny the transmission.
• Steganography: Method of hiding the existence of data. Bitmap images are commonly
used to transmit hidden messages.
• Identification: It is the method by which a user claims an identity to a system.
• Authentication: It is the method by which a system verifies the identity of a user or
another system.
• Accountability: It is the method by which a system tracks the actions performed by a user
or a process.
• Authorization: It is a method by which a system grants certain permissions to a user.
• Privacy: It is the protection of an individual's data and information.
OVERVIEW OF SSE CMM
• The Systems Security Engineering Capability Maturity Model (SSE-CMM) describes
the essential characteristics of an organization’s security engineering process that must
exist to ensure good security engineering.
• The model is a standard metric for security engineering practices covering:
1. The entire life cycle, including development, operation, maintenance, and
decommissioning activities.
2. The whole organization, including management, organizational, and engineering
activities.
3. Concurrent interactions with other disciplines, such as system, software, hardware,
human factors, and test engineering; system management, operation, and
maintenance.
4. Interactions with other organizations, including acquisition, system management,
certification, accreditation, and evaluation.
• The objective of the SSE-CMM Project is to advance security engineering as a defined,
mature, and measurable discipline.
• The SSE-CMM model and appraisal methods are being developed to enable:
1. Focused investments in security engineering tools, training, process definition,
management practices, and improvements by engineering groups.
2. Capability-based assurance, that is, trustworthiness based on confidence in the
maturity of an engineering group’s security practices and processes.
3. Selection of appropriately qualified providers of security engineering through
differentiating bidders by capability levels and associated programmatic risks.
• The scope of the SSE-CMM encompasses the following:
1. The SSE-CMM addresses security engineering activities that span the entire trusted
product or secure system life cycle, including concept definition, requirements analysis,
design, development, integration, installation, operations, maintenance, and
decommissioning.
2. The SSE-CMM applies to secure product developers, secure system developers and
integrators, and organizations that provide security services and security engineering.
3. The SSE-CMM applies to all types and sizes of security engineering organizations, such
as commercial, government, and academic.
Benefits of using SSE-CMM
• To Engineering Organizations
• To Acquiring Organizations
• To Evaluation Organizations
SSE-CMM RELATIONSHIP TO OTHER
INITIATIVES
CAPABILITY LEVELS
• Capability Level 1 – Performed Informally
• Capability Level 2 – Planned and Tracked
• Capability Level 3 – Well Defined
• Capability Level 4 – Quantitatively Controlled
• Capability Level 5 – Continuously Improving
SECURITY ENGINEERING PROCESS OVERVIEW
The Security Engineering Process has three main areas:
• Risk: the security risk process involves threats, vulnerabilities and impact.
• Engineering: security is an integral part of the overall engineering process.
• Assurance: the assurance process builds an argument establishing confidence.
CONFIGURATION MANAGEMENT
• An information system infrastructure is a complex and evolving system.
• Changes to the system affect its ability to effectively enforce the security policies and
therefore protect the organization’s assets.
• The process of managing the changes to the system and its components is referred to as
configuration management.
• Configuration management is the process of identifying configuration items, controlling
their storage, controlling change to configuration items, and reporting on their status.
1. Configuration Items—Configuration items (CIs) are unique work products that are
individually controlled, tracked, and reported on.
2. CI Protection—Configuration items must be protected from unauthorized changes.
Without protection of the CIs, a configuration management system cannot function.
3. Change Control—There must exist a process by which changes to configuration items
are reviewed, approved, and controlled.
4. Status Reporting—Configuration management systems must be able to report the status
of any configuration item and its history of changes. Moreover, the reporting feature
must be capable of generating a version of the system based on the correct version of
each of the configuration items.
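The four configuration management functions listed above, modelled as a small Python store; this is an added illustration, not code from the slides or from any real CM product, and the class, method names and sample CIs (a firewall rule set and an sshd setting) are all assumed. Each version of a CI is recorded with a content hash so that drift in a deployed copy can be detected, unapproved changes are rejected, history can be reported, and a system can be regenerated from a recorded baseline.

```python
"""Toy configuration-management store (assumed design, not a real CM tool)
covering: configuration items, CI protection, change control, status
reporting, and rebuilding a system from a recorded baseline."""
import hashlib
from typing import Optional


def digest(content: str) -> str:
    """Content hash recorded per version; used to detect unauthorised change."""
    return hashlib.sha256(content.encode()).hexdigest()


class ConfigurationStore:
    def __init__(self) -> None:
        # CI name -> list of versions; each version is (content, digest, approver)
        self.items: dict = {}
        # baseline label -> {CI name: version number at the time of the baseline}
        self.baselines: dict = {}

    def submit_change(self, name: str, content: str, approved_by: Optional[str]) -> int:
        """Change control: a change is recorded only when it carries an approver."""
        if not approved_by:
            raise PermissionError(f"unapproved change to {name!r} rejected")
        self.items.setdefault(name, []).append((content, digest(content), approved_by))
        return len(self.items[name])  # the new version number

    def verify(self, name: str, observed_content: str) -> bool:
        """CI protection: does the deployed content still match the controlled version?"""
        _, recorded, _ = self.items[name][-1]
        return digest(observed_content) == recorded

    def status(self, name: str) -> list:
        """Status reporting: every version of one CI with its hash and approver."""
        return [(v, d[:12], who) for v, (_, d, who) in enumerate(self.items[name], start=1)]

    def record_baseline(self, label: str) -> None:
        """Snapshot the current version number of every CI under this label."""
        self.baselines[label] = {name: len(v) for name, v in self.items.items()}

    def build(self, label: str) -> dict:
        """Generate the system at a baseline: each CI at the version recorded then."""
        return {name: self.items[name][ver - 1][0]
                for name, ver in self.baselines[label].items()}


if __name__ == "__main__":
    cm = ConfigurationStore()
    # Constructed sample CIs: a firewall rule set and an sshd setting.
    cm.submit_change("fw-rules", "allow tcp/443 from any\ndeny all", approved_by="change-board")
    cm.submit_change("sshd_config", "PermitRootLogin no", approved_by="change-board")
    cm.record_baseline("release-1")
    cm.submit_change("fw-rules", "allow tcp/443 from any\nallow tcp/22 from 10.0.0.0/8\ndeny all",
                     approved_by="change-board")
    print(cm.status("fw-rules"))                           # two versions, both approved
    print(cm.verify("sshd_config", "PermitRootLogin yes"))  # False: deployed copy has drifted
    print(cm.build("release-1")["fw-rules"])               # the firewall rules as of release-1
```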
CONFIGURATION MANAGEMENT
FRAMEWORK
MU Exam Questions
May 2017
• Give a brief overview of the SSE-CMM maturity model. 10 marks
Dec 2017
• Explain role of configuration management in security of an organization. Give the
configuration management framework. 10 marks
May 2018
• What is security engineering? Give a brief overview of the SSE-CMM model. 10 marks
• Discuss role of Configuration Management in the security of an organization. 10 marks
Dec 2018
• Discuss role of CM in the security of an organization. 10 marks
May 2019
• Explain role of configuration management in security of an organization. Give the
configuration management framework. 10 marks