Security Management Practices

1 Security Management Practices

2 Objectives Upon completion of this chapter you should be able to:
- List the elements of key information security management practices
- Describe the key components of a security metrics program
- Identify suitable strategies for the implementation of a security metrics program
- Discuss emerging trends in the certification and accreditation of U.S. federal IT systems

3 Introduction Value Proposition
Organizations strive to deliver the most value with a given level of investment. Developing and using sound, repeatable information security management practices makes accomplishing this more likely. Executive and supervisory groups want assurance that the organization is working toward the value proposition and is measuring the quality of its management practices.

4 Benchmarking To generate a security blueprint
Organizations usually draw from established security models and practices. Another way is to look at the paths taken by organizations similar to the one for which you are developing the plan.
Benchmarking: following the existing practices of a similar organization, or industry-developed standards.

5 Benchmarking (cont’d.)
Benchmarking can help determine which controls should be considered, but it cannot determine how those controls should be implemented in your organization.

6 Standards of Due Care/Due Diligence
Categories of benchmarks:
- Standards of due care/due diligence
- Best practices
Best practices include a sub-category of practices, called the gold standard, that are generally regarded as “the best of the best”.

7 Standards of Due Care/Due Diligence (cont’d.)
Standard of due care: when organizations adopt minimum levels of security for legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. Implementing controls at this minimum standard establishes due care.
Due diligence: requires that an organization ensure that the implemented standards continue to provide the required level of protection.
Standard of due care and due diligence are not interchangeable terms: the former refers to establishment, the latter to maintenance.

8 Standards of Due Care/Due Diligence (cont’d.)
Failure to demonstrate due care or due diligence can expose an organization to legal liability if it can be shown that the organization was negligent in its information protection methods. It is often impossible to provide perfect security in all areas, so it is prudent to achieve reasonable security in all areas first and then work to improve individual areas to meet the highest standards. “Good security now is better than perfect security never” (F.M. Avolio).

9 Recommended Security Practices
Best practices: security efforts that seek to provide a superior level of performance in the protection of information. They are considered among the best in the industry, balance the need for information access with the need for adequate protection, and demonstrate fiscal responsibility. Companies with best practices may not be the best in every area. The Federal Government maintains a Web site that allows government agencies to share their best security practices with other agencies.

10 The Gold Standard
Some organizations prefer to implement the most protective, supportive, and yet fiscally responsible standards they can.
Gold standard: a model level of performance that demonstrates industry leadership, quality, and concern for the protection of information. Implementation requires a great deal of financial and personnel support.

11 Selecting Recommended Practices
Choosing which recommended practices to implement can pose a challenge for some organizations. In industries that are regulated by governmental agencies, government guidelines are often requirements. For other organizations, government guidelines are excellent sources of information and can inform their selection of best practices.

12 Selecting Recommended Practices (cont’d.)
Considerations for selecting best practices, with the reasoning behind each:
- Does your organization resemble the identified target organization of the best practice? A recommendation is only relevant if your organization is similar to the organization from which it comes.
- Are you in a similar industry as the target? A strategy that works well in one industry may not work well in another.
- Do you face similar challenges as the target? Your organization must meet the assumptions underlying the recommendation.
- Is your organizational structure similar to the target? A recommendation for a small company may not be appropriate for a multinational organization.
- Are the resources you can expend similar to those called for by the best practice? A recommended practice that your organization cannot afford is of little value.
- Are you in a similar threat environment as the one assumed by the best practice? Since the threat landscape changes, recommendations must be current.

13 Limitations to Benchmarking and Recommended Practices
The biggest barrier to benchmarking is that organizations don’t talk to each other: a successful attack is viewed as an organizational failure and is kept secret insofar as possible, so the entire industry suffers because valuable lessons are not shared. More and more security administrators are joining professional associations and societies such as ISSA and sharing their stories and lessons learned; an alternative to this direct dialogue is the publication of lessons learned. Two further limitations: no two organizations are identical, so recommended practices must be modified for the target organization; and recommended practices change over time, so they lose their value quickly.

14 Baselining
A baseline is a value or profile of a performance metric against which changes in the performance metric can be usefully compared. Baselining is the process of measuring against established standards. Baseline measurements of security activities and events are used to evaluate the organization’s future security performance. An example baseline is the number of attacks per week that an organization experiences.

15 Baselining (cont’d.)
Baselining can provide the foundation for internal benchmarking: the information gathered for an organization’s first risk assessment becomes the baseline for future comparisons.

16 Support for Baselining and Recommended Practices
Self-assessment for best security practices. These twelve questions were published by the Gartner Group as a self-assessment for recommended security practices.
People:
- Do you perform background checks on all employees with access to sensitive data, areas, or access points?
- Would the average employee recognize a security issue?
- Would they choose to report it?
- Would they know how to report it to the right people?

17 Support for Baselining and Recommended Practices (cont’d.)
Self-assessment for best security practices (cont’d.)
Processes:
- Are enterprise security policies updated on at least an annual basis, employees educated on changes, and consistently enforced?
- Does your enterprise follow a patch/update management and evaluation process to prioritize and remediate new security vulnerabilities?
- Are the user accounts of former employees immediately removed on termination?

18 Support for Baselining and Recommended Practices (cont’d.)
Self-assessment for best security practices (cont’d.)
Processes (cont’d.):
- Are security group representatives involved in all stages of the project life cycle for new projects?
Technology:
- Is every possible route to the Internet protected by a properly configured firewall?
- Is sensitive data on laptops and remote systems encrypted?

19 Support for Baselining and Recommended Practices (cont’d.)
Self-assessment for best security practices (cont’d.)
Technology (cont’d.):
- Do you regularly scan your systems and networks, using a vulnerability analysis tool, for security exposures?
- Are malicious software scanning tools deployed on all workstations and servers?
NIST also provides documents specifically written to support baselining activities:
- SP Revision A, Engineering Principles for Information Technology Security
- SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems and Organizations
- SP A, Guide for Assessing the Security Controls in Federal Information Systems
All are available from csrc.nist.gov under the special publications link.

20 Performance Measures in Information Security Management
The costs, benefits and performance of InfoSec are measurable, despite the claim of some CISOs that they are not. Measurement requires the design and ongoing use of an InfoSec performance management program based on effective performance metrics.

21 InfoSec Performance Management
Information security performance management is the process of designing, implementing and managing the use of collected data elements, called measures, to determine the effectiveness of the overall security program. Measures are data points or computed trends that indicate the effectiveness of security countermeasures or controls.

22 InfoSec Performance Management (cont’d.)
Organizations use three types of measures:
- Those that determine the effectiveness of the execution of information security policy (ISSPs)
- Those that determine the effectiveness and/or efficiency of the delivery of information security services
- Those that assess the impact of an incident or other security event on the organization or its mission

23 InfoSec Performance Management (cont’d.)
NIST SP R1, Performance Measures in Information Security, suggests considering the following factors:
- Measures must yield quantifiable information (percentages, averages, and numbers)
- Data that supports the measures needs to be readily obtainable
- Only repeatable information security processes should be considered for measurement
- Measures must be useful for tracking performance and directing resources
An organization must demonstrate that it is taking effective measures in the spirit of due diligence.

24 InfoSec Performance Management (cont’d.)
Critical factors for the success of an information security performance program:
- Strong upper-level management support: critical not only for the success of the program but also for its implementation.
- Practical information security policies and procedures: these specify the information security management structure, identify key responsibilities, and lay the foundation for measuring progress and compliance.
- Quantifiable performance measures: designed to capture and provide meaningful performance data.
- Results-oriented measures analysis: used to apply lessons learned, improve the effectiveness of security controls, and plan for future security controls.

25 InfoSec Metrics InfoSec metrics
InfoSec metrics: applying statistical and quantitative approaches of mathematical analysis to the process of measuring the activities and outcomes of the InfoSec program. Strictly, “metrics” means detailed measurements and “measures” refers to aggregate, higher-level results. The two terms are used interchangeably in some organizations, and the textbook treats them as interchangeable.

26 InfoSec Metrics (cont’d.)
Questions to answer before collecting, designing, and using measures:
- Why should these statistics be collected?
- What specific statistics will be collected?
- How will these statistics be collected?
- When will these statistics be collected?
- Who will collect these statistics?
- Where (at what point in the function’s process) will these statistics be collected?

27 Building the Performance Measures Program
An information security measures program must be able to demonstrate value to the organization; this is necessary even with strong management support. Capability Maturity Model Integration (CMMI), developed by the Software Engineering Institute at Carnegie Mellon, is one of the most popular references that support the development of process improvement and performance measures.

28 Building the Performance Measures Program (cont’d.)
Another popular approach is NIST SP R1, Performance Measurement for Information Security. Its major activities are:
- The identification and definition of the current information security program
- Development and selection of specific measures to gauge the implementation, effectiveness, efficiency, and impact of the security controls

29 Building the Performance Measures Program (cont’d.)
Phases of the Performance Measurement Guide for Information Security Figure 7-1 Information security measures development process Source: Course Technology/Cengage Learning (Based on NIST SP Rev. 1)

30 Specifying InfoSec Measures
Assessing and quantifying what will be measured is one of the critical tasks. While InfoSec planning and organizing activities may only require time estimates, you must obtain more detailed measurements when assessing the effort spent to complete production tasks and the time spent completing project tasks. Production-level statistics depend greatly on the number of systems and the number of users of those systems.

31 Collecting InfoSec Measures
Some thought must go into the processes used for data collection and record keeping. Once the question of what to measure is answered, the how, when, where, and who questions of metrics collection must be addressed. Designing the collection process requires consideration of the metric’s intent, along with a thorough knowledge of how production services are delivered.

32 Collecting InfoSec Measures (cont’d.)
Determine whether the measures used will be macro-focus or micro-focus. Macro-focus measures examine the performance of the overall security program; micro-focus measures examine the performance of an individual control or group of controls within the information security program. A limited assessment may use both macro- and micro-focus measures.

33 Collecting InfoSec Measures (cont’d.)
Organizations manage what they measure, so it is important to prioritize individual metrics in the same manner as the performance they measure. Use a simple low-, medium-, or high-priority ranking system, or a weighted-scale approach, which assigns a value to each measure based on its importance in the overall information security program, the overall risk mitigation goals, and the criticality of the systems.

34 Collecting InfoSec Measures (cont’d.)
Performance targets make it possible to define success in the security program. Many measures have a 100% target goal. Other types of performance measures, those that determine the relative effectiveness, efficiency, or impact of information security on the organization’s goals, are more subjective and require sound reasoning and justification for the target chosen.

35 Collecting InfoSec Measures (cont’d.)
This is part 1 of a sample performance measures document Table 7-2a Example performance measures documentation Source: NIST SP , Rev 1

36 Collecting InfoSec Measures (cont’d.)
This is part 2 of a sample performance measures document Table 7-2b Example performance measures documentation Source: NIST SP , Rev 1

37 Collecting InfoSec Measures (cont’d.)
Candidate measures:
- Percentage of the organization's information systems budget devoted to information security
- Percentage of high vulnerabilities mitigated within organizationally defined time periods after discovery
- Percentage of remote access points used to gain unauthorized access
- Percentage of information systems personnel that have received security training

38 Collecting InfoSec Measures (cont’d.)
Candidate measures (cont’d.):
- Average frequency of audit records review and analysis for inappropriate activity
- Percentage of new systems that have completed certification and accreditation (C&A) prior to their implementation
- Percentage of approved and implemented configuration changes identified in the latest automated baseline configuration

39 Collecting InfoSec Measures (cont’d.)
Candidate measures (cont’d.):
- Percentage of information systems that have conducted annual contingency plan testing
- Percentage of users with access to shared accounts
- Percentage of incidents reported within the required time frame per applicable incident category
- Percentage of system components that undergo maintenance in accordance with formal maintenance schedules

40 Collecting InfoSec Measures (cont’d.)
Candidate measures (cont’d.):
- Percentage of media that passes sanitization procedures testing
- Percentage of physical security incidents allowing unauthorized entry into facilities containing information assets
- Percentage of employees who are authorized access to information systems only after they sign an acknowledgment that they have read and understood the appropriate policies

41 Collecting InfoSec Measures (cont’d.)
Candidate measures (cont’d.):
- Percentage of individuals screened before being granted access to organizational information and information systems
- Percentage of vulnerabilities remediated within organization-specified time frames
- Percentage of system and service acquisition contracts that include security requirements and/or specifications

42 Collecting InfoSec Measures (cont’d.)
Candidate measures (cont’d.):
- Percentage of mobile computers and devices that perform all cryptographic operations using organizationally specified cryptographic modules operating in approved modes of operation
- Percentage of operating system vulnerabilities for which patches have been applied or that have been otherwise mitigated
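Slides 14 and 15 (the baseline), 33 (weighted-scale prioritization), 34 (100% targets) and 37 through 42 (candidate measures) describe how measures are computed and compared, but show no computation. The following Python script is an added example, not code from the slides, the textbook, or NIST. It computes two of the candidate measures listed above (percentage of high vulnerabilities mitigated within the defined time period, and percentage of incidents reported within the required time frame per category) from constructed vulnerability and incident records, compares each result with its documented target and with a baseline value recorded at a prior assessment, and rolls the results up with assumed priority weights. The record layouts, time frames, measure IDs, targets, weights and the composite score are all assumptions made for the example.

```python
"""Computing candidate security measures from raw records.

Added example, not from the slides or from NIST. All records, time frames,
measure IDs, targets and weights are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

# --- constructed sample records (hypothetical; not real findings) ------------
# Vulnerability: (id, severity, discovered, remediated or None if still open)
VULNS = [
    ("V-1", "high",   date(2024, 3, 1), date(2024, 3, 10)),
    ("V-2", "high",   date(2024, 3, 2), date(2024, 4, 20)),  # fixed, but late
    ("V-3", "high",   date(2024, 3, 5), None),               # still open
    ("V-4", "medium", date(2024, 3, 6), date(2024, 3, 30)),
]
# Incident: (id, category, detected, reported to the response team)
INCIDENTS = [
    ("I-1", "malware",             date(2024, 3, 3),  date(2024, 3, 3)),
    ("I-2", "malware",             date(2024, 3, 9),  date(2024, 3, 12)),
    ("I-3", "unauthorized-access", date(2024, 3, 15), date(2024, 3, 15)),
]
# Organizationally defined time frames (assumed values, not NIST's)
HIGH_VULN_SLA = timedelta(days=30)
REPORT_DEADLINE = {"malware": timedelta(days=1),
                   "unauthorized-access": timedelta(days=0)}
AS_OF = date(2024, 4, 30)        # end of the reporting period
MID_PERIOD = date(2024, 3, 20)   # a point at which some windows are still open


def pct(numerator: int, denominator: int) -> Optional[float]:
    """Percentage, or None when there is nothing to judge (empty denominator)."""
    return None if denominator == 0 else round(100.0 * numerator / denominator, 1)


def high_vulns_mitigated_in_time(as_of: date) -> Optional[float]:
    """Percentage of high vulnerabilities remediated within HIGH_VULN_SLA.

    A finding that is still open but whose window has not yet expired is left
    out of the denominator: its outcome is unknown, and counting it as a miss
    would understate performance mid-period.
    """
    judged = on_time = 0
    for _, severity, found, fixed in VULNS:
        if severity != "high" or found > as_of:
            continue
        deadline = found + HIGH_VULN_SLA
        still_open = fixed is None or fixed > as_of
        if still_open and as_of <= deadline:
            continue                      # window not closed yet
        judged += 1
        if not still_open and fixed <= deadline:
            on_time += 1
    return pct(on_time, judged)


def incidents_reported_in_time(category: str, as_of: date) -> Optional[float]:
    """Percentage of incidents in one category reported within its deadline."""
    rows = [i for i in INCIDENTS if i[1] == category and i[2] <= as_of]
    ok = [i for i in rows if i[3] - i[2] <= REPORT_DEADLINE[category]]
    return pct(len(ok), len(rows))


@dataclass
class Measure:
    """One row of the measures document: formula, target, priority weight."""
    measure_id: str
    formula: str                     # documented formula, reproduced in reports
    target: float                    # performance target, in percent
    weight: int                      # weighted-scale priority (assumed values)
    compute: Callable[[date], Optional[float]]


MEASURES: List[Measure] = [
    Measure("VM-1", "high vulns fixed within SLA / high vulns judged", 100.0, 3,
            high_vulns_mitigated_in_time),
    Measure("IR-1", "malware incidents reported on time / malware incidents", 100.0, 2,
            lambda d: incidents_reported_in_time("malware", d)),
    Measure("IR-2", "unauthorized-access incidents reported on time / all such", 100.0, 3,
            lambda d: incidents_reported_in_time("unauthorized-access", d)),
]


def evaluate(as_of: date, baseline: Dict[str, float]) -> Dict[str, Tuple[Optional[float], str]]:
    """Compute every measure and compare it with its target and with the
    baseline value recorded at the previous assessment."""
    report = {}
    for m in MEASURES:
        value = m.compute(as_of)
        if value is None:
            status = "no data"
        elif value >= m.target:
            status = "meets target"
        elif m.measure_id in baseline and value > baseline[m.measure_id]:
            status = "below target, improving"
        else:
            status = "below target, not improving"
        report[m.measure_id] = (value, status)
    return report


def program_score(report: Dict[str, Tuple[Optional[float], str]]) -> float:
    """Weighted attainment, sum(weight * min(value/target, 1)) / sum(weight), over
    measures that have data. This composite is an assumption for the example,
    not something the NIST guidance prescribes."""
    total = attained = 0.0
    for m in MEASURES:
        value, _ = report[m.measure_id]
        if value is None:
            continue
        attained += m.weight * min(value / m.target, 1.0)
        total += m.weight
    return round(100.0 * attained / total, 1) if total else 0.0


if __name__ == "__main__":
    prior = {"VM-1": 25.0, "IR-1": 50.0, "IR-2": 80.0}  # constructed baseline
    rep = evaluate(AS_OF, prior)
    for mid, (val, status) in rep.items():
        print(f"{mid}: {val}% ({status})")
    print("program score:", program_score(rep))
```

Two details matter in practice. First, the vulnerability measure deliberately excludes findings that are open but still inside their remediation window; a mid-period snapshot that counts them as misses reports a misleadingly low number, which is exactly the kind of figure that gets presented to management without the analysis slide 45 asks for. Second, `pct` returns None rather than 0 when there is nothing to judge, so an empty category is reported as "no data" instead of as a 0% failure.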

43 InfoSec Performance Measurement Implementation
Information security performance measures must be implemented and integrated into ongoing information security management operations. It is insufficient to simply collect these measures once: performance measurement is an ongoing, continuous-improvement operation.

44 Collecting InfoSec Measures (cont’d.)
This illustration shows the process for security measurement program implementation Figure 7-2 Information security measurement program implementation process Source: Course Technology/Cengage Learning

45 Reporting InfoSec Performance Measures
Listing the measurements collected does not adequately convey their meaning. Decisions must be made about how to present correlated metrics. Consider to whom the results of the performance measures program should be disseminated, and how they should be delivered. Simply providing charts and/or data will not correctly convey meaning; analysis must be provided as well.

46 Emerging Trends In Certification And Accreditation
Accreditation: the authorization of an IT system to process, store, or transmit information. It is issued by a management official and serves as a means of assuring that systems are of adequate quality. Accreditation challenges managers and technical staff to find the best methods to assure security, given technical constraints, operational constraints, and mission requirements.

47 Emerging Trends In Certification And Accreditation (cont’d.)
Certification: the comprehensive evaluation of the technical and nontechnical security controls of an IT system. It supports the accreditation process by establishing the extent to which a particular design and implementation meets a set of specified security requirements. Organizations pursue accreditation or certification to gain a competitive advantage; it also provides assurance to customers.

48 SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems
The NIST System Certification and Accreditation Project develops standard guidelines and procedures for certifying and accrediting Federal IT systems, including the critical infrastructure of the U.S., and defines essential minimum security controls for Federal IT systems.

49 SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)
The project also promotes the development of public and private sector assessment organizations, and the certification of individuals capable of providing cost-effective, high-quality security certifications based on standard guidelines and procedures.

50 SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)
Benefits of the security certification and accreditation (C&A) initiative:
- More consistent, comparable, and repeatable certifications of IT systems

51 SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)
Benefits of the security certification and accreditation (C&A) initiative (cont’d.):
- More complete, reliable information for authorizing officials, leading to a better understanding of complex IT systems and their associated risks and vulnerabilities, and to informed decisions by management officials

52 SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)
Benefits of the security certification and accreditation (C&A) initiative (cont’d.):
- Greater availability of competent security evaluation and assessment services
- More secure IT systems within the Federal government

53 Figure 7-3 Special publications supporting SP 800-37
This illustration shows the relationship between SP 800-37 and other NIST publications; it is in the students' interest to be familiar with these. Figure 7-3 Special publications supporting SP 800-37. Source: Course Technology/Cengage Learning (Based on NIST SP 800-37)

54 SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)
Three-step security controls selection process:
- Step 1: Characterize the system
- Step 2: Select the appropriate minimum security controls for the system
- Step 3: Adjust security controls based on system exposure and risk decision

55 SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)
Systems are certified to one of three levels:
- Security Certification Level 1: the entry-level certification, appropriate for low-priority (low-concern) systems
- Security Certification Level 2: the mid-level certification, appropriate for moderate-priority (moderate-concern) systems

56 SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)
Systems are certified to one of three levels (cont’d.):
- Security Certification Level 3: the top-level certification, appropriate for high-priority (high-concern) systems

57 SP 800-53 Rev 3: Recommended Security Controls for Federal Information Systems and Organizations
SP 800-53 is part two of the C&A project. Its purpose is to establish a set of standardized, minimum security controls for IT systems addressing low, moderate, and high levels of concern for confidentiality, integrity, and availability.

58 SP 800-53 Rev 3: Recommended Security Controls for Federal Information Systems and Organizations (cont’d.)
Controls are broken into the three familiar general classes of security controls: management, operational, and technical. Critical elements represent important security-related focus areas for the system, and each critical element is addressed by one or more security controls.

59 SP 800-53 Rev 3: Recommended Security Controls for Federal Information Systems and Organizations (cont’d.)
As technology evolves, so will the set of security controls, requiring additional control mechanisms.

60 Figure 7-4 Participants in the certification and accreditation process

61 The Future of Certification and Accreditation
Newer NIST documents focus less on certification and accreditation strategy and more on a holistic risk management strategy that incorporates an authorization step rather than accreditation. Certification is being replaced by the term “security control assessment”.

62 Figure 7-5 Risk management framework
This illustration shows a new 6-step risk management framework promoted by NIST - focus is on enterprise-wide, near real-time risk management Figure 7-5 Risk management framework Source: Course Technology/Cengage Learning (Based on content from NIST Risk Management Framework, SP Rev. 1)

