Implementing A Security Metrics Dashboard In Telefónica España

Transcription

Implementing a security metrics dashboard in Telefónica España
Vicente Segura (vsg@tid.es)
TELEFÓNICA I+D
Date: 1/14/2009
4th ETSI Security Workshop, 14 January 2009, ETSI, Sophia Antipolis, France
© 2008 Telefónica Investigación y Desarrollo, S.A. Unipersonal

Index
01 Introduction
  - Objectives
  - Main challenges
02 Methods and tools for collecting measures
  - High level security framework
  - Methods and tools
03 Composing derived measures
  - Composing department derived measures
  - Example of a tree of derived measures
04 Tool screenshots
05 Conclusion

01 Introduction: Objectives
To assess compliance and meet some requirements:
- To adapt to the particular structure of the organization (diagram: Telefónica organization > Department 1 ... Department n > System 1.1 ... System 1.y > Data)
- To assess compliance with as many standards and regulations as needed (ISO 27004, CoBIT, LOPD)
- To automate collection of data to assess compliance when possible

01 Introduction: Challenges
- To facilitate (and automate) the collection of measures from existing systems (an agent)
- To compose derived measures from the collected base measures: we obtain base measures of individual systems, but we want to have an insight into the compliance of an entire department (diagram: Organization > Department 1 ... Department n > System 1.1 ... System 1.y > Attribute 1.1.1 ... Attribute 1.1.z)
- To identify proper derived measures to assess compliance (example measure SBIXX: percentage of systems that implement RBAC to control ...)

02 Methods and tools for collecting measures: High level security framework
(Diagram, source: Forrester, "Defining a high level security framework".) The security metrics dashboard sits on top of a framework whose blocks are: policy definition; organization security policy; BCP and DRP; BIA; education and awareness; awareness and management; enforcement; monitoring and responding; measuring and reporting; risk management; process; user role configuration management; identity.

02 Methods and tools for collecting measures: Methods for collecting measures (1/2)
The security metrics dashboard is fed by two methods:
- Agent: measures managed by existing systems (technology)
- Questionnaire: measures not managed by existing systems (process, people)

02 Methods and tools for collecting measures: Methods for collecting measures (2/2)
(Diagram.) Security metrics collection: an agent in each environment (Environment 1, 2, 3) reads measures from local sources (DB, xml, .csv) and sends them over HTTPS to the dashboard; a questionnaire covers the remaining measures.

02 Methods and tools for collecting measures: Agent configuration
We configure its behaviour in an XML file:
- It can send measures periodically
- For each measured attribute we must indicate where to take its:
  - Value
  - Context
- We also can collect the quality of the measure
(Diagram: Environment 1, agent reading xml and .csv sources.)

03 Composing derived measures: Adaptation to organization requirements
Most of the measures are obtained at the system/attribute level (System 1.1 > Attribute 1.1.1 ... Attribute 1.1.z), but we are also interested in obtaining derived measures at the department and organization levels (Organization > Department 1 ... Department n > System 1.1 ... System 1.y).

03 Composing derived measures: Composing department derived measures
(Diagram: Department 1 with System 1.1, System 1.2, ..., System 1.n.)
1. Collection agent
2. System attributes measures
3. Department attributes measures
4. Department derived measures

03 Composing derived measures: Tree of measures for each department
Derived measures (upper levels) are computed from base measures per department (leaves):
- Global compliance
  - Authentication and Identification
  - Business Continuity
  - Backup and recovery
  - Software control
  - Audit and Control
  - Network and communications
    - Network segmentation
      - % of systems that have different networks for management, user access and backup <- number of systems with different networks for management, user access and backup
      - % of systems segmented according to risk requirements <- number of systems rightly segmented
    - Secure management
      - % of systems monitored by IDS <- number of systems monitored by IDS
      - % of servers which are securely managed <- number of systems securely managed
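The roll-up described in the composition steps and the tree above, written out as an added example (not the Telefónica tool's code): per-system base measures are counted into department base measures, turned into "% of systems" derived measures, and averaged up the tree. The attribute names, the sample systems and the unweighted-mean combination of levels are assumptions.

```python
# Added example, not the Telefónica tool's code: compose department derived measures
# from per-system base measures and roll them up a tree. Attribute names, the sample
# systems and the unweighted-mean roll-up are assumptions.

# Base measures the collection agent reports per system (True = attribute met)
ATTRS = ["segmented_networks", "risk_segmented", "ids_monitored", "securely_managed"]

def system(dept, name, *flags):
    return {"dept": dept, "system": name, **dict(zip(ATTRS, flags))}

SYSTEMS = [  # constructed sample standing in for agent output
    system("Department 1", "System 1.1", True, True, True, True),
    system("Department 1", "System 1.2", True, False, True, True),
    system("Department 1", "System 1.3", True, False, True, False),
    system("Department 1", "System 1.4", False, False, True, False),
    system("Department 2", "System 2.1", False, False, False, True),
]

# Subset of the slide's tree; leaves name the department base measures that
# become "% of systems that ..." derived measures.
TREE = {
    "Network and communications": {
        "Network segmentation": ["segmented_networks", "risk_segmented"],
        "Secure management": ["ids_monitored", "securely_managed"],
    },
}

def department_base_measures(systems, dept):
    """Steps 2-3: per-system measures -> department counts."""
    rows = [s for s in systems if s["dept"] == dept]
    return {"n_systems": len(rows), **{a: sum(1 for s in rows if s[a]) for a in ATTRS}}

def percentage(count, total):
    return 0.0 if total == 0 else 100.0 * count / total  # empty department -> 0 %

def evaluate(node, base):
    """Step 4: {"value": %, "children": {...}} for one tree node. Inner nodes take
    the unweighted mean of their children (assumed; the deck does not state weights)."""
    if isinstance(node, list):
        children = {n: {"value": percentage(base[n], base["n_systems"]), "children": {}}
                    for n in node}
    else:
        children = {name: evaluate(sub, base) for name, sub in node.items()}
    vals = [c["value"] for c in children.values()]
    return {"value": sum(vals) / len(vals) if vals else 0.0, "children": children}

def global_compliance(systems, dept):
    """Root of the tree ("Global compliance") for one department."""
    return evaluate(TREE, department_base_measures(systems, dept))
```

A department with no collected systems scores 0 % rather than raising a division error, which is the case a dashboard must handle when an agent has not reported yet.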

04 Tool screenshots: Compliance levels for each department (two screenshots; the data contained in them are not real)

04 Tool screenshots: Historic evolution of compliance (screenshot; the data contained in it are not real)

04 Tool screenshots: Management of measures and derived measures (two screenshots; the data contained in them are not real)

04 Tool screenshots: Management of derived measures tree (screenshot; the data contained in it are not real)

05 Conclusion
- Other uses of security metrics: risk analysis?
- Organizations have much more information than they think: let's take it and use it
- Future steps:
  - To extend compliance assessment to other generic contexts (services, business processes), not just areas and systems
  - To define ontologies to configure the agent
