IMPLEMENTING IT SECURITY FOR SMALL AND MEDIUM ENTERPRISES. Short Presentation by Subhash...
IMPLEMENTING IT SECURITY FOR SMALL AND MEDIUM ENTERPRISES
Short Presentation by Subhash Uppalapati.
- Edgar R. Weippl and Markus Klemen
INTRODUCTION
Small and Medium Enterprises (SMEs): fewer than 400 employees
Fewer resources and less expertise in IT security
Limited know-how regarding IT security
A PRAGMATIC APPROACH FOR SMES
Aspect 1: Inspection
Aspect 2: Protection
Aspect 3: Detection
Aspect 4: Reaction
Aspect 5: Reflection
ASPECT 1: INSPECTION
Inspection: “To determine which key processes and corporate functions are essential, the capabilities they require and their interaction with one another”.
This aspect consists of five steps:
1. Resource inventory
Thorough inventory of the company’s resources and assets.
2. Threat assessment
Identifies what threatens the identified assets. Threat categories: human error, natural disasters, system failures, malicious acts, and collateral damage.
ASPECT 1: INSPECTION (CONTD…)
3. Loss analysis
Potential angles to focus on are theft of resources, deletion of information, theft of information, disclosure of information, corruption of information, etc.
4. Identification of vulnerabilities
Where are the weaknesses in the company? These might be technical (security design flaws) or organizational weaknesses (e.g., social engineering).
5. Assignment of safeguards
Avoidance, mitigation, transference or acceptance.
6. Evaluation of current status
After the above five steps, re-assess and test.
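As an added illustration, not part of the presentation or of the paper it summarises, the Inspection steps above as a small risk register in Python: the threat categories, loss angles and four safeguard options are the ones listed, while the asset values, likelihoods, countermeasure costs and the risk appetite are assumed figures, since the presentation does not quantify them.

```python
from dataclasses import dataclass

# Added, constructed example of the Inspection steps; the threat categories, loss
# angles and four safeguard options are the presentation's, all numbers are assumed.

@dataclass
class Threat:                   # steps 2-4: threat category, loss angle, weakness
    asset: str
    category: str               # human error, natural disaster, system failure, ...
    loss_angle: str             # theft, deletion, disclosure, corruption, ...
    vulnerability: str          # technical or organizational weakness
    likelihood: float           # assumed annual probability
    mitigation_cost: float      # assumed cost of the best available countermeasure
    mitigation_factor: float    # share of the loss that countermeasure removes
    insurable: bool             # whether the loss could be transferred

def assign_safeguard(loss: float, t: Threat, appetite: float) -> str:
    """Step 5: avoidance, mitigation, transference or acceptance."""
    if loss <= appetite:
        return "acceptance"
    if t.mitigation_cost < loss * t.mitigation_factor:
        return "mitigation"     # countermeasure is cheaper than the loss it removes
    if t.insurable:
        return "transference"
    return "avoidance"          # stop the exposing activity altogether

def residual_loss(loss: float, t: Threat, safeguard: str) -> float:
    """Step 6: what remains after the safeguard, for the re-assessment."""
    return {"acceptance": loss, "mitigation": loss * (1 - t.mitigation_factor),
            "transference": 0.0, "avoidance": 0.0}[safeguard]

def run_inspection(inventory: dict, threats: list, appetite: float) -> list:
    """Run the steps over the inventory and return one row per threat."""
    rows = []
    for t in threats:
        loss = inventory[t.asset] * t.likelihood        # expected annual loss
        sg = assign_safeguard(loss, t, appetite)
        rows.append((t.asset, t.loss_angle, sg, loss, residual_loss(loss, t, sg)))
    return rows

INVENTORY = {"customer_db": 50_000, "file_server": 20_000}   # step 1: asset values
THREATS = [
    Threat("customer_db", "malicious act", "disclosure of information",
           "weak passwords (technical)", 0.20, 2_000, 0.8, False),
    Threat("file_server", "system failure", "deletion of information",
           "no redundant server (technical)", 0.10, 15_000, 0.9, True),
    Threat("file_server", "human error", "corruption of information",
           "no change procedure (organizational)", 0.02, 500, 0.5, False),
]
```

Calling `run_inspection(INVENTORY, THREATS, 1_000)` gives one row per threat with the chosen safeguard and the residual expected loss, which is the figure the step 6 re-assessment compares against the risk appetite.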
ASPECT 2: PROTECTION
Protection: “The objects that need protection, the required level of protection, and how to reach this level by creating a comprehensive security design”.
This aspect consists of five steps:
1. Awareness
Awareness training for 1 or 2 hours once a year
2. Access
Physical + logical
ASPECT 2: PROTECTION (CONTD…)
3. Authentication and Authorization
Using existing access control technologies such as Kerberos and Active Directory
4. Availability
The lack of redundant server systems leads to developing and updating outage emergency plans.
5. Confidentiality
Information is the most important asset.
ASPECT 3: DETECTION
Detection: “Processes that intend to minimize the losses from a security incident that could interrupt the core business processes”.
This aspect consists of three steps:
1. Classify intruder types
Who is likely to attack from outside? How tough is the competition in the industry?
2. Enumerate intrusion methods
The most probable intrusion methods and the corresponding processes
Requires a high level of know-how in intrusion detection; consulting specialists is recommended.
ASPECT 3: DETECTION (CONTD…)
3. Assess intrusion detection methods
Logging, Simple Network Management Protocol (SNMP)
ASPECT 4: REACTION
Reaction: “How to respond to security incidents. It must define the process of reacting to certain threat scenarios”.
This aspect consists of three steps:
1. Develop response plan
Guidelines on how to proceed in case of emergency
2. Assessing the damage
The administrator should thoroughly assess the damage before starting the recovery procedures.
ASPECT 4: REACTION (CONTD…)
3. Incident recovery procedures
Recovery procedures should be defined, management-approved, and tested.
ASPECT 5: REFLECTION
Reflection: “After security incidents are handled, follow-up steps should be taken to put incidents behind and continue normal operations”.
Only one main step:
1. Incident documentation and evaluation
The incident should be documented properly and discussed with partners and colleagues.
The incident response should be evaluated and, if improvements are necessary, they should be added to the IR plan.
MAIN COMMUNICATION PATH FOR IT SECURITY-RELATED ISSUES IN SMES
Stakeholders
1. Decision maker
2. IT administrator
3. User
4. External consultants
IT ADMINISTRATOR
Responsibilities such as changing printer toner, assigning and modifying user rights in operating systems, setting up and maintaining Internet connections, etc.
May neglect security because of so many other responsibilities
Recognizes the impact only once the company has been hit by a serious incident.
Three scenarios for the amount of IT personnel resources:
1. No dedicated administrator
2. One dedicated administrator
3. More than one dedicated administrator
IT USER
Believe it or not, 77% of information theft is caused by company employees (Cox, 2001)
Not appropriate: restrictions on web surfing, private e-mailing, or individual desktop settings
Apply restrictions with care and communicate the reason
Gain the employees’ understanding and support