Driving Factors Security Risk Mgt Controls Compliance.
Uploaded by richard-freeman
Driving Factors
Security Risk Mgt
Controls
Compliance
Risks, Threats, Vulnerabilities
• Risk – Generalized impact statement
  – Ex: disclosure of ratepayer data would be bad
• Threat – a generic method of exploiting a risk
  – Ex: interception of data in-flight or at rest
• Vulnerability – a specific, actual, existing technical issue that could be leveraged
  – Ex: an unencrypted customer information file on a server
Risk Profile: Confidential Data
• Generalized Risks:
  – Disclosure, Unauthorized Modification
• Threats:
  – Interception of data in-flight, at rest, after transformation, after export, before destruction
• Vulnerabilities:
  – Unencrypted data transport
  – Unencrypted storage in flat files or in DB
  – Unencrypted storage after export to external components
  – Unencrypted data prior to disposal or destruction
Reliability Engineering
• Security controls fail with individual unpredictability but consistently across large control sets or long periods of time
• Layered security controls limit the scope and impact of individual control failures
• Existing control set for this service
  – Firewalls, IDS, server hardening, patching, access request controls, authentication/authorization, filesystem access controls, virus scanning, enterprise hardening baseline analysis, OS software, service software, application software, maintenance scripts
Mapping Vulnerabilities to Controls
• Vulnerability: Unencrypted data transport
  – Control: use NAESB, SFTP, or encrypted CD
• Vulnerability: Unencrypted data storage
  – Control:
• Vulnerability: Unencrypted data after transformation
  – Control:
• Vulnerability: Unencrypted data prior to disposal
  – Control:
Data Transport Mechanisms
• NAESB
  + Current Market Standard
  + Existing management and maintenance infrastructure
  + Existing application infrastructure
  + Strong authentication/encryption
• SFTP
  + Strong transport encryption
  o Partially existing server infrastructure
  o Partially existing management infrastructure for static passwords
  - No existing management infrastructure for ssh-keys
  - Use of static passwords for authentication creates possibility for password recovery via brute-force or disclosure at endpoints
  - Reduced visibility from network security monitoring platform
  - Additional implementation risk
  - Additional management/maintenance risk
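The SFTP slide above flags static passwords and missing ssh-key management as its main weaknesses. As an added example (not part of the original slides), this Python script audits OpenSSH `sshd_config` text for those points; the sample config, the group names, and the expectation that SFTP-only groups use `ForceCommand internal-sftp` with a `ChrootDirectory` are assumptions made for illustration.

```python
# Added example: audit sshd_config text for the SFTP authentication concerns above.
SAMPLE_CONFIG = """\
# constructed sample, not taken from a real server
PasswordAuthentication yes
Match Group sftp-partners
    ChrootDirectory /srv/sftp/%u
    PasswordAuthentication yes
Match Group sftp-keyed
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    PasswordAuthentication no
"""
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}  # OpenSSH defaults

def parse(text):
    """Split config into global and per-Match settings (first value wins, as in sshd)."""
    glob, matches = {}, {}
    current = glob
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            current = matches.setdefault(value, {})  # later keywords belong to this block
        else:
            current.setdefault(key, value)
    return glob, matches

def audit(text):
    """Return (scope, finding) tuples; Match settings override global ones."""
    glob, matches = parse(text)
    scopes = [("global", {**DEFAULTS, **glob})]
    scopes += [("Match " + c, {**DEFAULTS, **glob, **b}) for c, b in matches.items()]
    findings = []
    for scope, eff in scopes:
        if eff["passwordauthentication"].lower() != "no":
            findings.append((scope, "static passwords accepted"))
        if eff["pubkeyauthentication"].lower() == "no":
            findings.append((scope, "ssh-key authentication disabled"))
        # Assumption: every Match block describes an account set meant for SFTP only.
        if scope != "global" and eff.get("forcecommand", "").lower() != "internal-sftp":
            findings.append((scope, "account not restricted to SFTP"))
        if scope != "global" and eff.get("chrootdirectory", "none").lower() == "none":
            findings.append((scope, "no ChrootDirectory"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG), sep="\n")
```
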
Data Transport Mechanisms
• CD-R / DVD-R
  + Easy
  - Transportation via licensed/bonded couriers?
  - Still need to address encryption of data in transit
  - Physical media destruction becomes an issue
  - Need to develop operational procedures
  - Need to develop physical infrastructure for accepting, handling, storing, and destroying media