Presentation is loading. Please wait.

Presentation is loading. Please wait.

Informations System Security Comprehensive Model NSTISSI 4011

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Informations System Security Comprehensive Model NSTISSI 4011"— Presentation transcript:

1 Informations System Security Comprehensive Model NSTISSI 4011
COEN 250 Fall 2007 T. Schwarz, S.J.

2 Information System Security
Main Goals: CIA Confidentiality Integrity Availability

3 Information System Security
Confidentiality Security Policy: Set of rules that determines whether a given subject can gain access to a specific object Confidentiality: Assurance that access controls are enforced

4 Information System Security
Integrity Quality of information that identifies how closely the data represent reality

5 Information System Security
Availability Information is provided to authorized users when it is requested

6 Information System Security
Information States Transmission Storage Processing

7 Information System Security
Security Measures Technology Policy and Practice Policy: Formulation of Security Posture Practice: Procedures followed to enhance security posture. Education, Training, Awareness

8 Information System Security
Education, Training, Awareness Procedures and Policies Technology Confidentiality Integrity Availability Transmission, Storage, Processing Three axes of ISS

9 NTISSI 4011 Training Standards
Awareness Creates sensitivity to threats and vulnerabilities of national security information systems Recognition of the need to protect data, information, and the means of processing Building working knowledge of principles and practices of INFOSEC Performance Level Skill or ability to design, execute, or evaluate agency INFOSEC security procedures and practices

10 Elements of Computer Security
Computer security should support the mission of the organization Computer security is an integral element of sound management Computer security should be cost effective Computer security responsibilities and accountability should be made explicit System owners have computer security responsibilities outside their own organizations Computer security requires a comprehensive and integrated approach Computer security should be periodically reassessed Computer security is constrained by societal factors. NIST

11 Common Threats Errors and Omissions Fraud and Theft Employee sabotage
Users Entry clerks System operators Software engineers Fraud and Theft Insiders / outsiders Computer as tools / targets Employee sabotage Loss of physical / infrastructure support Malicious hacking Espionage Industrial / foreign government Malicious codes Privacy

12 Management Controls Computer Security Policy Definition of term
“Documentation of computer security decisions.” But term encompasses wide range of meanings. Three basic types Program policy creates an organization’s computer security program Issue specific policies address specific issues such as use of crypto, private use of equipment, software installation, etc. System specific policies focuses on a single system

13 Management Controls Tools to implement policy Standards Guidelines
specify uniform use of specific technologies e.g. organization-wide identification badges Guidelines assists users, systems personnel, etc in effectively securing a system Procedures normally assist in complying with applicable security policies, standards, and guidelines

14 Management Controls Program Policy
Head of organization issues program policy to establish the org.’s computer security program. Basic Components Purpose Scope Responsibility assigned to a newly created or existing office establishes roles of officials and offices in the org. Compliance General compliance, e.g. specifying an oversight office Use of specific penalties and disciplinary actions A policy usually only creates the structure

15 Management Controls Issue-specific Policy
Applies to a specific issue such as Internet Access Privacy Use of unofficial software Basic Components Issue statement Define issue with any relevant terms, distinctions, conditions Statement of org.’s position on issue Applicability Roles and responsibilities Compliance Points of contact and supplementary information

16 Management Controls System Specific Policies Components
Security objectives concrete well defined Operational security rules Rules for operating a system: Who can do what to which specific classes and records of data, under what conditions Often accompanied by implementing procedures and guidelines

17 Management Controls System specific policy implementations
Technology plays not the sole role in enforcing system-specific policies Technology: limits printing of confidential information to a specific printer Non-technology: access to printer output is guarded

18 Management Controls Computer Security Program Management
OMB Circular A-130 establishes requirement for federal agencies to establish computer security programs Federal agencies are complex: Management occurs at different levels, at least Centralized level System level

19 Management Controls Computer Security Program Management
Sources of (Some) Requirements for Federal Unclassified Computer Security Programs A federal agency computer security program is created and operates in an environment rich in guidance and direction from other organizations. The figure illustrates some of the external sources of requirements and guidance directed toward agency management with regard to computer security. While a full discussion of each is outside the scope of this chapter, it is important to realize that a program does not operate in a vacuum; federal organizations are constrained - by both statute and regulation - in a number of ways.

20 Management Controls Computer Security Program Management
Example for placement of computer security program level and system level functions

21 Management Controls Computer Security Risk Management
Basic assumption: Computers can never be fully secured Risk Assessment Process of analyzing and interpreting risk 3 basic activities Determining assessment scope and methodology Collecting and analyzing data Interpreting risk analysis results

22 Management Controls Computer Security Risk Management
Components of Risk Assessment Asset Valuation Consequence Assessment Threat Identification Vulnerabilities Safeguards Likelihood

23 Management Controls Assurance
Degree of confidence that the security measures work as intended to protect system and information Not a measurement Accreditation Management official’s formal acceptance of adequacy of a system’s security Components Technical features Do they operate as intended? Operational practices Is the system operated according to stated procedures? Overall security Are there threats that are not addressed? Remaining risks Acceptability?

24 Operational Controls Personnel / User Issues
Two principles Separation of duties Least privilege Staffing Job definition Sensitivity determination Filling position Screening applicants Selecting individual Training and Awareness Creation

25 Operational Controls Personnel / User Issues
User Administration User account management Identification Authentication Access Verification Auditing Verify periodically legitimacy of current accounts and access authorizations Modification / Removal of Access Contractor Access Management Public Access Considerations

26 Operational Controls Contingency & Disaster Preparation
Contingency planning in six steps Identification of mission-critical functions Identification of resources that support critical functions Anticipation of potential contingencies / disasters Selecting contingency planning strategies Implementing contingency strategies Testing and revisiting strategies

27 Operational Controls Incident Response
Incident Response: Actions taken to deal with an incident. Detection Countermeasures Incident Response: Containment & Repair

28 Operational Controls Incident Response
Establishment of Successful Incident Handling Capability Components Understanding of constituency Education of constituency Centralized communication Expertise in requisite technology Links to other groups assisting in incident handling, as needed Technical support Nationwide / worldwide reporting facility for incidents Rapid communications Secure communications for incidents involving national security

29 Operational Controls Awareness, Training, & Education
Basic premise: people are fallible Two main benefits Improvement of employment behavior Buy-in Knowledge and skills Increased ability to hold employees accountable Dissemination and enforcement of policies presupposes awareness

30 Operational Controls Awareness, Training, & Education
“What” Information Training “How” Knowledge Education “Why” Insight

31 Operational Controls Security Considerations in Computer Support and Operations
Everything done to run a computer system User support – Help desk Needs to recognize which problems are security related Example: Failed login can result from logout caused by hacker running a password guessing attack Software support Control of software used on a system Software can only be modified with proper authorization

32 Operational Controls Security Considerations in Computer Support and Operations
Configuration Management Goal: to ensure that changes to the system do not unintentionally or unknowingly diminish security Backups critical for contingency planning Media control Provide physical and environmental protection and accountability for removable media Documentation Maintenance

33 Operational Controls Physical and Environmental Security
Protect computer systems from Interruptions in providing computer services Physical damage Unauthorized access of information Example: Tempest program Loss of control over system Physical theft Mobile and portable systems present new range of issues

34 Technical Controls Identification and Authentication
Means by which a user provides a claimed identity to the system Authentication Means of establishing the validity of the claim Identification and Authentication based on What you know. E.g. password, pass-phrase, (secret key, private key). What you have. Physical key, smart card. What you are. Biometrics. Where you are. E.g. trusted machine, access to room, …

35 Technical Controls Logical Access Control
Ability to do something with a computing resource Access control Means by which this ability is explicitly enabled or restricted Not to be confused with Authorization Permission to use computer resource Authentication Proof of identity

36 Technical Controls Logical Access Control
Access Criteria typically based on Identity Roles Location Time Personnel files only accessible during normal business hours Transactions Phone inquiry answered by computer Computer authenticates inquirer If too complicated, requires human clerk to answer Computer grants clerk permission to access inquirer’s record for the duration of the transaction

37 Technical Controls Audit Trails
Series of records of computer events Auditing Review and analysis of management, operational, and technical controls Establishing audit trails helps to establish Individual accountability Reconstruction of events Intrusion detection Problem analysis

38 Technical Controls Cryptography
Tool to establish C, I, & A Relies on technology and key management

Download ppt "Informations System Security Comprehensive Model NSTISSI 4011"

Similar presentations

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.

1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.
Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
Software Quality Assurance Plan

Software Quality Assurance Plan
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
Agenda COBIT 5 Product Family Information Security COBIT 5 content

Agenda COBIT 5 Product Family Information Security COBIT 5 content
Auditing Computer Systems

Auditing Computer Systems
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
Coping with Electronic Records Setting Standards for Private Sector E-records Retention.

Coping with Electronic Records Setting Standards for Private Sector E-records Retention.
The Islamic University of Gaza

The Islamic University of Gaza
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.

Cybersecurity Summit 2004 Andrea Norris Deputy Chief Information Officer/ Director of Division of Information Systems.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
Information Systems Security Officer

Information Systems Security Officer
Stephen S. Yau CSE465 & CSE591, Fall 2006 1 Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,

Stephen S. Yau CSE465 & CSE591, Fall Information Assurance (IA) & Security Overview Concepts Security principles & strategies Techniques Guidelines,
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Session 3 – Information Security Policies

Session 3 – Information Security Policies

Similar presentations

Ads by Google