Models of Security Management Matt Cupp

Overview What is Security Management? What is Security Management? ISO/IEC ISO/IEC NIST Special Publication NIST Special Publication NIST Special Publication NIST Special Publication Other Models Other Models

Security Management The process of managing a defined level of security on information and services. The process of managing a defined level of security on information and services. The identification of an organization’s information assets and the development, documentation and implementation of policies, standards, procedures and guidelines. The identification of an organization’s information assets and the development, documentation and implementation of policies, standards, procedures and guidelines.

ISO/IEC Information security standard published and most recently revised in June 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Information security standard published and most recently revised in June 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard in the context of the C-I-A triangle. Provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS). Information security is defined within the standard in the context of the C-I-A triangle.

CIA Triangle

ISO/IEC Sections 1 – 3: Introduction Sections 1 – 3: Introduction 4: Risk assessment and treatment - analysis of the organization's information security risks 4: Risk assessment and treatment - analysis of the organization's information security risks 5: Security policy - management direction 5: Security policy - management direction 6: Organization of information security - governance of information security 6: Organization of information security - governance of information security 7: Asset management - inventory and classification of information assets 7: Asset management - inventory and classification of information assets 8: Human resources security - security aspects for employees joining, moving and leaving an organization 8: Human resources security - security aspects for employees joining, moving and leaving an organization 9: Physical and environmental security - protection of the computer facilities 9: Physical and environmental security - protection of the computer facilities 10: Communications and operations management - management of technical security controls in systems and networks 10: Communications and operations management - management of technical security controls in systems and networks

ISO/IEC : Access control - restriction of access rights to networks, systems, applications, functions and data 11: Access control - restriction of access rights to networks, systems, applications, functions and data 12: Information systems acquisition, development and maintenance - building security into applications 12: Information systems acquisition, development and maintenance - building security into applications 13: Information security incident management - anticipating and responding appropriately to information security breaches 13: Information security incident management - anticipating and responding appropriately to information security breaches 14: Business continuity management - protecting, maintaining and recovering business-critical processes and systems 14: Business continuity management - protecting, maintaining and recovering business-critical processes and systems 15: Compliance - ensuring conformance with information security policies, standards, laws and regulations 15: Compliance - ensuring conformance with information security policies, standards, laws and regulations

NIST Special Publication Provides a broad overview of computer security and control areas. It also emphasizes the importance of the security controls and ways to implement them. Provides a broad overview of computer security and control areas. It also emphasizes the importance of the security controls and ways to implement them. Initially this document was aimed at the federal government although most practices in this document can be applied to the private sector as well. Specifically it was written for those people in the federal government responsible for handling sensitive systems. Initially this document was aimed at the federal government although most practices in this document can be applied to the private sector as well. Specifically it was written for those people in the federal government responsible for handling sensitive systems.

Identifies 17 controls organized into 3 categories Management Controls Management Controls Techniques and concerns that focus on managing the computer security program and the risk attributed to it Techniques and concerns that focus on managing the computer security program and the risk attributed to it Operational Controls Operational Controls Addresses security controls that are implemented and executed by people (not systems) Addresses security controls that are implemented and executed by people (not systems) Technical Controls Technical Controls Focuses on security controls that the computer system executes Focuses on security controls that the computer system executes

NIST Special Publication A.K.A - Generally Accepted Principles and Practices for Securing Information Technology Systems A.K.A - Generally Accepted Principles and Practices for Securing Information Technology Systems Describes common security principles that are used. It provides a high level description of what should be incorporated within a computer security policy. Describes common security principles that are used. It provides a high level description of what should be incorporated within a computer security policy. Describes what can be done to improve existing security as well as how to develop a new security practice. Eight principles and fourteen practices are described within the document. Describes what can be done to improve existing security as well as how to develop a new security practice. Eight principles and fourteen practices are described within the document.

Other Models NIST Special Publication NIST Special Publication Guide for Developing Security Plans for Information Technology Systems Guide for Developing Security Plans for Information Technology Systems NIST Special Publication NIST Special Publication Security Self-Assessment Guide for Information Technology Systems Security Self-Assessment Guide for Information Technology Systems NIST Special Publication NIST Special Publication Risk Management Guide for Information Technology Systems Risk Management Guide for Information Technology Systems Hybrid Models by combining multiple methods Hybrid Models by combining multiple methods

Conclusion What is Security Management? What is Security Management? ISO/IEC ISO/IEC NIST Special Publication NIST Special Publication NIST Special Publication NIST Special Publication Other Models Other Models

References Francisco, Wayne. GHD Infrastructure Security. April Francisco, Wayne. GHD Infrastructure Security. April Guttman, Barbara. Swanson, Marianne. Generally Accepted Principles and Practices for Securing Information Technology Systems. September Guttman, Barbara. Swanson, Marianne. Generally Accepted Principles and Practices for Securing Information Technology Systems. September AM.htm AM.htm en.wikipedia.org/wiki/Security_management en.wikipedia.org/wiki/Security_management