1
Information System Security Comprehensive Model NSTISSI 4011
COEN 250 Fall 2007 T. Schwarz, S.J.
2
Information System Security
Main Goals: CIA
- Confidentiality
- Integrity
- Availability
3
Information System Security
Confidentiality
- Security Policy: Set of rules that determines whether a given subject can gain access to a specific object
- Confidentiality: Assurance that access controls are enforced
4
Information System Security
Integrity
- Quality of information that identifies how closely the data represent reality
5
Information System Security
Availability
- Information is provided to authorized users when it is requested
6
Information System Security
Information States
- Transmission
- Storage
- Processing
7
Information System Security
Security Measures
- Technology
- Policy and Practice
  - Policy: Formulation of Security Posture
  - Practice: Procedures followed to enhance security posture
- Education, Training, Awareness
8
Information System Security
Three axes of ISS
- Education, Training, Awareness; Procedures and Policies; Technology
- Confidentiality; Integrity; Availability
- Transmission, Storage, Processing
9
NSTISSI 4011 Training Standards
Awareness
- Creates sensitivity to threats and vulnerabilities of national security information systems
- Recognition of the need to protect data, information, and the means of processing
- Building working knowledge of principles and practices of INFOSEC
Performance Level
- Skill or ability to design, execute, or evaluate agency INFOSEC security procedures and practices
10
Elements of Computer Security
- Computer security should support the mission of the organization
- Computer security is an integral element of sound management
- Computer security should be cost effective
- Computer security responsibilities and accountability should be made explicit
- System owners have computer security responsibilities outside their own organizations
- Computer security requires a comprehensive and integrated approach
- Computer security should be periodically reassessed
- Computer security is constrained by societal factors
NIST
11
Common Threats
- Errors and Omissions
  - Users
  - Entry clerks
  - System operators
  - Software engineers
- Fraud and Theft
  - Insiders / outsiders
  - Computer as tools / targets
- Employee sabotage
- Loss of physical / infrastructure support
- Malicious hacking
- Espionage
  - Industrial / foreign government
- Malicious codes
- Privacy
12
Management Controls Computer Security Policy
Definition of term
- “Documentation of computer security decisions.”
- But term encompasses wide range of meanings.
Three basic types
- Program policy creates an organization’s computer security program
- Issue specific policies address specific issues such as use of crypto, private use of equipment, software installation, etc.
- System specific policies focus on a single system
13
Management Controls Tools to implement policy
- Standards specify uniform use of specific technologies
  - e.g. organization-wide identification badges
- Guidelines assist users, systems personnel, etc. in effectively securing a system
- Procedures normally assist in complying with applicable security policies, standards, and guidelines
14
Management Controls Program Policy
Head of organization issues program policy to establish the org.’s computer security program.
Basic Components
- Purpose
- Scope
- Responsibility
  - assigned to a newly created or existing office
  - establishes roles of officials and offices in the org.
- Compliance
  - General compliance, e.g. specifying an oversight office
  - Use of specific penalties and disciplinary actions
A policy usually only creates the structure
15
Management Controls Issue-specific Policy
Applies to a specific issue such as
- Internet Access
- Privacy
- Use of unofficial software
Basic Components
- Issue statement
  - Define issue with any relevant terms, distinctions, conditions
- Statement of org.’s position on issue
- Applicability
- Roles and responsibilities
- Compliance
- Points of contact and supplementary information
16
Management Controls System Specific Policies Components
- Security objectives
  - concrete
  - well defined
- Operational security rules
  - Rules for operating a system: Who can do what to which specific classes and records of data, under what conditions
  - Often accompanied by implementing procedures and guidelines
17
Management Controls System specific policy implementations
Technology does not play the sole role in enforcing system-specific policies
- Technology: limits printing of confidential information to a specific printer
- Non-technology: access to printer output is guarded
18
Management Controls Computer Security Program Management
- OMB Circular A-130 establishes requirement for federal agencies to establish computer security programs
- Federal agencies are complex: Management occurs at different levels, at least
  - Centralized level
  - System level
19
Management Controls Computer Security Program Management
Sources of (Some) Requirements for Federal Unclassified Computer Security Programs
A federal agency computer security program is created and operates in an environment rich in guidance and direction from other organizations. The figure illustrates some of the external sources of requirements and guidance directed toward agency management with regard to computer security. While a full discussion of each is outside the scope of this chapter, it is important to realize that a program does not operate in a vacuum; federal organizations are constrained, by both statute and regulation, in a number of ways.
20
Management Controls Computer Security Program Management
Example for placement of computer security program level and system level functions
21
Management Controls Computer Security Risk Management
Basic assumption: Computers can never be fully secured
Risk Assessment
- Process of analyzing and interpreting risk
- 3 basic activities
  - Determining assessment scope and methodology
  - Collecting and analyzing data
  - Interpreting risk analysis results
22
Management Controls Computer Security Risk Management
Components of Risk Assessment
- Asset Valuation
- Consequence Assessment
- Threat Identification
- Vulnerabilities
- Safeguards
- Likelihood
23
Management Controls Assurance
- Degree of confidence that the security measures work as intended to protect system and information
- Not a measurement
Accreditation
- Management official’s formal acceptance of adequacy of a system’s security
- Components
  - Technical features: Do they operate as intended?
  - Operational practices: Is the system operated according to stated procedures?
  - Overall security: Are there threats that are not addressed?
  - Remaining risks: Acceptability?
24
Operational Controls Personnel / User Issues
Two principles
- Separation of duties
- Least privilege
Staffing
- Job definition
- Sensitivity determination
- Filling position
  - Screening applicants
  - Selecting individual
- Training and Awareness Creation
25
Operational Controls Personnel / User Issues
User Administration
- User account management
  - Identification
  - Authentication
  - Access Verification
- Auditing
  - Verify periodically legitimacy of current accounts and access authorizations
- Modification / Removal of Access
Contractor Access Management
Public Access Considerations
26
Operational Controls Contingency & Disaster Preparation
Contingency planning in six steps
1. Identification of mission-critical functions
2. Identification of resources that support critical functions
3. Anticipation of potential contingencies / disasters
4. Selecting contingency planning strategies
5. Implementing contingency strategies
6. Testing and revisiting strategies
27
Operational Controls Incident Response
Incident Response: Actions taken to deal with an incident.
- Detection
- Countermeasures
- Incident Response: Containment & Repair
28
Operational Controls Incident Response
Establishment of Successful Incident Handling Capability
Components
- Understanding of constituency
- Education of constituency
- Centralized communication
- Expertise in requisite technology
- Links to other groups assisting in incident handling, as needed
Technical support
- Nationwide / worldwide reporting facility for incidents
- Rapid communications
- Secure communications for incidents involving national security
29
Operational Controls Awareness, Training, & Education
Basic premise: people are fallible
Two main benefits
- Improvement of employment behavior
  - Buy-in
  - Knowledge and skills
- Increased ability to hold employees accountable
  - Dissemination and enforcement of policies presupposes awareness
30
Operational Controls Awareness, Training, & Education
- Awareness: “What” (Information)
- Training: “How” (Knowledge)
- Education: “Why” (Insight)
31
Operational Controls Security Considerations in Computer Support and Operations
Everything done to run a computer system
- User support – Help desk
  - Needs to recognize which problems are security related
  - Example: Failed login can result from logout caused by hacker running a password guessing attack
- Software support
  - Control of software used on a system
  - Software can only be modified with proper authorization
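Added example (not part of the original slides): one way a help desk could triage locked accounts, separating a routine reset from failures that look like password guessing. The log format, the event names, the sample lines and the threshold of 3 accounts per source are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample authentication log; the format is an assumption.
SAMPLE_LOG = """\
2007-10-15T08:01:02 FAIL user=jdoe src=10.0.0.5
2007-10-15T08:01:40 FAIL user=jdoe src=10.0.0.5
2007-10-15T08:02:10 FAIL user=jdoe src=10.0.0.5
2007-10-15T08:02:11 LOCKOUT user=jdoe
2007-10-15T09:15:00 FAIL user=asmith src=192.0.2.77
2007-10-15T09:15:01 FAIL user=bkhan src=192.0.2.77
2007-10-15T09:15:02 FAIL user=clee src=192.0.2.77
2007-10-15T09:15:03 FAIL user=asmith src=192.0.2.77
2007-10-15T09:15:04 FAIL user=asmith src=192.0.2.77
2007-10-15T09:15:05 LOCKOUT user=asmith
"""

LINE = re.compile(r"(\S+) (FAIL|LOCKOUT) user=(\S+)(?: src=(\S+))?")

def triage_lockouts(log, spray_threshold=3):
    """Map each locked account to 'escalate' or 'routine'.

    Assumed heuristic: a source that failed against at least
    spray_threshold different accounts is guessing passwords, so any
    lockout it contributed to goes to incident response, not a reset.
    """
    users_by_src = defaultdict(set)   # source -> accounts it failed against
    srcs_by_user = defaultdict(set)   # account -> sources of its failures
    locked = []
    for raw in log.splitlines():
        m = LINE.fullmatch(raw.strip())
        if not m:
            continue                  # skip lines that are not in the format
        _, event, user, src = m.groups()
        if event == "FAIL" and src:
            users_by_src[src].add(user)
            srcs_by_user[user].add(src)
        elif event == "LOCKOUT":
            locked.append(user)
    noisy = {s for s, users in users_by_src.items() if len(users) >= spray_threshold}
    return {u: ("escalate" if srcs_by_user[u] & noisy else "routine") for u in locked}
```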
32
Operational Controls Security Considerations in Computer Support and Operations
- Configuration Management
  - Goal: to ensure that changes to the system do not unintentionally or unknowingly diminish security
- Backups
  - critical for contingency planning
- Media control
  - Provide physical and environmental protection and accountability for removable media
- Documentation
- Maintenance
33
Operational Controls Physical and Environmental Security
Protect computer systems from
- Interruptions in providing computer services
- Physical damage
- Unauthorized access of information
  - Example: Tempest program
- Loss of control over system
- Physical theft
Mobile and portable systems present new range of issues
34
Technical Controls Identification and Authentication
Identification
- Means by which a user provides a claimed identity to the system
Authentication
- Means of establishing the validity of the claim
Identification and Authentication based on
- What you know. E.g. password, pass-phrase, (secret key, private key).
- What you have. Physical key, smart card.
- What you are. Biometrics.
- Where you are. E.g. trusted machine, access to room, …
35
Technical Controls Logical Access Control
Access
- Ability to do something with a computing resource
Access control
- Means by which this ability is explicitly enabled or restricted
Not to be confused with
- Authorization: Permission to use computer resource
- Authentication: Proof of identity
36
Technical Controls Logical Access Control
Access Criteria typically based on
- Identity
- Roles
- Location
- Time
  - Personnel files only accessible during normal business hours
- Transactions
  - Phone inquiry answered by computer
  - Computer authenticates inquirer
  - If too complicated, requires human clerk to answer
  - Computer grants clerk permission to access inquirer’s record for the duration of the transaction
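Added example (not part of the original slides): a default-deny access decision that combines the role, time and transaction criteria listed above. The resource names, the "hr" and "clerk" roles, the 09:00 to 17:00 weekday hours and the 15-minute transaction lifetime are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Assumed business hours; the slide gives no concrete values.
OPEN, CLOSE = time(9, 0), time(17, 0)

@dataclass(frozen=True)
class Request:
    subject: str
    role: str
    resource: str   # "personnel_file" or "inquirer_record:<id>" (hypothetical names)
    when: datetime

class AccessController:
    """Default-deny decisions using role, time and transaction criteria."""

    def __init__(self):
        self._grants = {}   # (clerk, record) -> expiry of the transaction grant

    def open_transaction(self, clerk, record, now, ttl=timedelta(minutes=15)):
        # Called after the computer authenticated the inquirer and handed off.
        self._grants[(clerk, record)] = now + ttl

    def close_transaction(self, clerk, record):
        self._grants.pop((clerk, record), None)

    def decide(self, req):
        """Return (allowed, reason) for one request."""
        if req.resource == "personnel_file":
            if req.role != "hr":
                return (False, "role")
            in_hours = req.when.weekday() < 5 and OPEN <= req.when.time() < CLOSE
            return (True, "ok") if in_hours else (False, "time")
        if req.resource.startswith("inquirer_record:"):
            if req.role != "clerk":
                return (False, "role")
            expiry = self._grants.get((req.subject, req.resource))
            if expiry is None:
                return (False, "no-transaction")
            if req.when >= expiry:
                # The permission ends with the transaction; drop the stale grant.
                self.close_transaction(req.subject, req.resource)
                return (False, "expired")
            return (True, "ok")
        return (False, "default-deny")
```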
37
Technical Controls Audit Trails
Audit trail
- Series of records of computer events
Auditing
- Review and analysis of management, operational, and technical controls
Establishing audit trails helps to establish
- Individual accountability
- Reconstruction of events
- Intrusion detection
- Problem analysis
38
Technical Controls Cryptography
- Tool to establish C, I, & A
- Relies on technology and key management