Security Issues that a Project Manager at CDC Needs to Address
Presented by Kevin Lyday, CISSP, PMP, to the CDC Project Management Community of Practice
May 16, 2008
Current Assessment
Q1. When must Web-based applications be scanned for vulnerabilities?
A1. Changes must be scanned for vulnerabilities prior to production. This includes new applications and changes to existing code.*
Q2. Who is responsible for the use of OCISO-approved testing tools to test web application code changes?
A2. The CIO's Information System Security Officer.*
* CDC policy "Web-based Applications: Vulnerability Testing and Change Management", dated 01/26/2008
Current Assessment
Q3. During which EPLC project phase should security planning be considered?
A3. Initiation (Determine if the Business Needs Statement contains any potential security concerns.)*
Q4. Who is responsible for the C&A process during the system’s life cycle?
A4. The information system owner, the Designated Approving Authority (DAA), and the certification agent all play key roles.**
* EPLC Overview Document, March 17, 2008 (Draft v1)
** IT Security Program Plan, August 2007
Current Assessment
Q5. If a website is run by a contractor on behalf of the government, is not a .gov domain, and is primarily viewed by government employees, is it required to be Section 208 (machine-readable privacy policy) compliant?
A5. The machine-readable privacy policy requirements apply to "all executive branch departments and agencies and their contractors that use IT or that operate websites for purposes of interacting with the public; and relevant cross-agency initiatives, including those that further electronic government."*
* OMB Memorandum M-03-22
Information Security Components
Communications
Confidentiality
Information has confidentiality when disclosure or exposure to unauthorized individuals or systems is prevented.
Integrity
Integrity means that data cannot be created, changed, or deleted without authorization.
Availability
The computing systems used to process the information, and the security controls used to protect the information, are all available and functioning correctly when the information is needed.
Planning to Develop a New Application?
Security must be designed into the system from the very beginning, reviewed periodically during the project, and maintained throughout the life of the system.
Security costs must be budgeted from the very beginning of the project.
Security policies, practices, and requirements must be reviewed and understood from the very beginning.
Data Compromise
Ten Easy Ways to Compromise Your Data
1. Design and write poor applications
2. Do not perform a security assessment of the system
3. Do not use server-side certificates (SSL)
4. Do not hash passwords or encrypt sensitive data
5. Do not utilize access control management
6. Mix your sensitive and non-sensitive data
7. Do not change default admin passwords
8. Do not encrypt backups / no backups at all!
9. Do not separate development/staging/testing environments from the production environment
10. Do not waste your time on user training
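Item 4 ("do not hash passwords") is the one mistake on this list that a project manager can verify directly in a code review. The following added example (not from the presentation; the user name, password and PBKDF2 parameters are constructed for illustration) shows the cleartext-comparison anti-pattern beside the hardened form that stores only a salted, iterated hash:

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample user table that does it the "easy way": passwords are
# stored in the clear, so any disclosure of the table discloses every credential.
PLAINTEXT_STORE = {"alice": "Summer2008!"}

def verify_plaintext(user: str, password: str) -> bool:
    """Anti-pattern: compare the supplied password against stored cleartext."""
    return PLAINTEXT_STORE.get(user) == password

# Hardened form: store only a salted PBKDF2-HMAC-SHA256 digest.
# Iteration count and salt size are assumptions for this example; tune them
# to your hardware and current guidance rather than copying these values.
ITERATIONS = 200_000
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(record: str, password: str) -> bool:
    """Recompute the digest from the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)

# Same users, but the table now holds only hash records; a leak of this table
# does not hand out working passwords.
HASHED_STORE = {user: hash_password(pw) for user, pw in PLAINTEXT_STORE.items()}

def verify_hashed(user: str, password: str) -> bool:
    """Hardened login check against the hashed table."""
    record = HASHED_STORE.get(user)
    return record is not None and verify_password(record, password)
```

Note that the stored record carries its own algorithm name and iteration count, which is what lets you raise the work factor later without locking existing users out.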
Final Thoughts
Top 5 "Kevinisms"
1. Data security is like a relationship… ignore it and your data will go to someone else.
2. So you are a trusting person? Go on a vacation and leave your teenager and the keys to your Lexus at home.
3. Ignorance is bliss until your name/organization appears on the front page of the newspaper (CDC missing laptops).
4. Data security is expensive; not doing it is even more so.
5. A strong coop will keep the chickens in and the fox out!