
Information Security Management


Presentation on theme: "Information Security Management"— Presentation transcript:

1 Information Security Management
This topic will focus on the security management issues of information system security.

2 Introduction Security management entails the identification of an organization’s information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines. Management tools such as information classification, risk assessment, and risk analysis are used to identify threats, classify assets, and to rate system vulnerabilities so that effective controls can be implemented. Risk management is the identification, measurement, control, and minimization of loss associated with uncertain events or risks. It includes overall security review, risk analysis, selection and evaluation of safeguards, cost benefit analysis, management decision, safeguard implementation, and effectiveness review.

3 Objectives
The CISSP should be able to:
- Identify the planning, organization, and roles of individuals in identifying and securing an organization’s information assets.
- Define the differences between policies, standards, guidelines and procedures in terms of their application to security administration.
- Define the importance of security awareness so employees are aware of the need for information security.
- Describe the importance of risk management practices and tools to identify, prioritize, and reduce the risk to specific information assets.
- Define the roles of users in support of security processes.

4 History of Information Security
This slide provides a generic overview of the how information system security has developed – from the mainframe environment and the growth of distributed environments. The key issue is that this also outlines how infosec has incorporated industrial or physical security into its sphere of responsibility.

5 Security Management Topics
- Principles and Requirements
- Policy
- Organizational Roles and Responsibilities
- Information Classification
- Risk Management and Analysis

6 Section Objectives
- Identify the core principles of information security
- Describe IT security requirements
- Discuss the need for Information Security Requirements and Blueprints

7 Goals of Information Security
The common thread among good information security objectives is that they address all three core security principles, the cornerstone of information security:
- Confidentiality: prevents unauthorized disclosure of systems and information.
- Integrity: prevents unauthorized modification of systems and information.
- Availability: prevents disruption of service and productivity.

8 IT Security Requirements
All security solutions should be designed and implemented to focus on two areas, the functional requirements of the solution, and also the assurance requirements, which really address how the functional requirements are actually working properly. No solution is complete unless it addresses these two areas. Example: a firewall addresses the functional requirements, but it is the ‘logging and monitoring’ aspect of the firewall that addresses the assurance requirements and makes the entire ‘firewall solution’ a complete solution.

9 IT Security Requirements (cont.)
For each security requirement and function, there must be a corresponding check or assurance that the function is working correctly. This graphic is a pictorial representation of the previous slide.

10 Organizational & Business Requirements
Security must address the business requirements, not just a blanket where one size fits all.

11 IT Security Requirements Structure
The typical requirements for an efficient and effective structure for information security. Note the top-down model. These requirements will be defined in further detail over the next few slides, intending to promote the concept of Security Requirements and Blueprints, as suggested in the ISO guidelines, for instance. Remember that we are not intending to develop the blueprints for an organization in detail, only introducing the concept with a theoretical example.

12 Security Blueprint Solutions
Blueprints are used to identify, develop and design security requirements for a particular business solution:
- Portal
- Enterprise Resource Planning (ERP)
- Supply Chain
- Customer Relationship Management (CRM)
- Manufacturing, etc.
Not all aspects of a particular blueprint will apply, but all should be considered.

The Security Blueprints provide a method of organizing the requirements and the resulting components of a security architecture. They can be used to address the security requirements of a specific topic or across the enterprise.

13 Architecture Blueprints
Security Blueprint: tailored security best practices that, in total, form a comprehensive security policy program and technical architecture. Composed of several security domains that, at a minimum, are mapped from the ISO/IEC standard.

As we mentioned previously, the security blueprints provide a structure for organizing requirements and solutions. They are used to ensure that security is considered from a holistic view. The ISO Code of Practice for Security Information Management provides a broad base of security controls that provides a point of reference for completeness of the components within the blueprints. The ISO reference standard does not, however, provide all of the guidance that is required for an effective, holistic security architecture.

14 Architecture Blueprints (cont.)
This diagram provides more detail on the components that make up the blueprints. Consideration should be given to each of these components in relation to the decisions and direction that they provide for the blueprint topic. You should be able to identify what each of the components contributes to the eventual solution. For example, under privacy you should be able to point to the strategy the organization has chosen to manage privacy issues. You should have the privacy policy at hand and the enabling standards and procedures. You should be able to identify what components and processes are in place to monitor adherence to privacy policies.

15 Infrastructure Blueprints
Individual security blueprints reflect:
- Tailored requirements meeting the organization’s specific requirements
- Influenced by legal, regulatory, business, IT drivers.

An effective security architecture will always be able to “connect the dots” between the business decisions of the organization, how these are reflected in the principles, policies and standards of the organization, how these have been turned into requirements and how the requirements map to the blueprints.

16 Quick Quiz
- What are the three core security principles?
- What are the two types of IT security requirements? Describe each.
- What is the benefit of using an Information Security blueprint?

Explore: Instructor should use these questions to drive general discussion. Don’t directly give the answers, only curb responses that are clearly incorrect. Try to see what responses the participants can provide. The section summary on the following page answers these questions directly. Use the section summary to highlight any points not clearly driven out during the quiz discussion.

17 Section Summary Confidentiality, integrity, and availability are the three core security principles. Functional requirements define security behavior of the IT product or system. Assurance requirements establish confidence that the security function will be performed as intended. Information Security blueprints provide proven models for establishing cost effective, sustainable security business practices and solutions.

18 Security Management Topics
- Principles and Requirements
- Policy
- Organizational Roles and Responsibilities
- Information Classification
- Risk Management and Analysis

19 Section Objectives
- Describe the purpose of organizational policy
- List the supporting elements of policy implementation
- Summarize the importance of organizational roles and responsibilities
- Summarize the key components of the security model

20 Policy Overview
This chart shows the hierarchy of these various instructional documents. At the top are obviously laws, regulations and requirements that the organization itself has to abide by. Then we have the general policy that is management’s statement of direction - what is expected to be accomplished to properly secure company information.

Standards are separated from procedures to eliminate the confusion when such terms as standard operating procedures are used. Standards are now hardware or software mechanisms selected as the organization’s method of addressing a security risk. For instance, a specific anti-virus product or password generation token that has been chosen for use throughout the organization. Standards could also be a "guideline" established by an international or domestic organization that is accepted by management as a standard (i.e., ISO 17799).

Procedures are statements of step-by-step actions to be performed to accomplish a security requirement. For instance, password changing procedures.

Baselines are descriptions of how to implement security packages to ensure that implementations result in a consistent level of security throughout the organization. Different systems (platforms) have different methods of handling security issues. Baselines are created to inform user groups about how to set up the security for each platform so that the desired level of security is achieved consistently.

Guidelines are the only discretionary element of these controls. They are used to help focus people who need to make judgements in the performance of security actions, such as in user registration.

21 Policy
- Documents and communicates management’s goals and objectives.
- Defines the organization’s response to laws, regulations, and standards of due care.
- Builds a foundation for a comprehensive and effective security program.
- Defines what assets and principles the organization considers valuable.
- Identifies organization goals and objectives.

The organizational policy is what drives the security needs. Policy is not one size fits all – policy must be designed to suit the organization. If it is too complex then it will not be read and understood. If too generic then it may be meaningless and irrelevant. It is good to introduce the term ‘reference’ as well, since policy is an authority or point of reference for enforcement activity. Above all, a policy must be distributed to all persons it applies to and be enforceable. Policy is a fundamental activity, which validates management commitment by providing clear identification of objectives that should be related to business objectives, and sets the stage for commitment of organizational resources.

22 Policy (cont.)
- Protects the company and employees from ‘surprises’.
- Gives authority to security activity.
- Provides for personal responsibility/accountability.
- Provides a basis for interpreting or resolving conflicts that might arise.
- Defines the elements, functions, and scope of the security team.

A policy makes each employee accountable for their actions, from top management to the new hire.

23 Policy (cont.)
- Ensures that all employees and contractors are aware of organizational policy.
- Written documentation for incident response and enforcement.
- Provides for exception handling, rewards, discipline.

A policy provides the authority for the security and human resources areas to enforce good practice and disciplinary action. A policy is a reference point for other persons and agencies to know the intent of management – this can be important in a legal setting.

24 Policy Infrastructure
Once an overall organizational security policy has been approved by the governing body of the organization, it is necessary to develop a supporting infrastructure of control objectives. This framework may include other functional policies such as:
- an internet use policy
- a remote access policy
- a fraud policy

25 Policy Implementation
From policies come the supporting elements:
- Standards
- Procedures
- Baselines
- Guidelines
These will enforce the security policy principles on every business process and system.

A policy is nothing but paper until it moves into reality. The next steps are building the policy into workable procedures that make it meaningful to the organization.

26 Standards
Hardware and software mechanisms and products.
Examples of Standards:
- Specific anti-virus software
- Specific access control system
- Specific firewall system
- Published guideline (e.g. ISO 17799) adopted by an organization as a standard.

Standards are now hardware or software mechanisms selected as the organization’s method of addressing a security risk. For instance, a specific anti-virus product or password generation token that has been chosen for use throughout the organization. Standards are essential so that a common basis can be established and implemented. Having a common basis for the overall organization is better than having each individual department operating under their own separate (and in some cases non-compliant) domain.

27 Procedures
Step-by-step required actions.
Examples of Procedures:
- User registration
- Contracting for security purposes
- Information system material destruction
- Incident response

Procedures are statements of step-by-step actions to be performed to accomplish a security requirement. For instance, password changing procedures. The list above is a sampling of the topics that could be addressed by procedures. Procedures, like policies, are considered to be mandatory requirements.

28 Baselines
Establishes the implementation methods for security mechanisms and products. Platform unique.
Examples of Baselines:
- Configurations for intrusion detection systems
- Configurations for access control systems

Baselines are descriptions of how to implement security mechanisms to ensure that implementations result in a consistent level of security throughout the organization. Different systems (platforms) have different methods of handling security issues. Baselines are created to inform user groups about how to set up the security for each platform so that the desired level of security is achieved consistently.

29 Guidelines
Recommended actions.
Examples of Guidelines:
- Government Recommendations
- Security Configuration Recommendations
- ISO / British Standard 7799
- Organizational Guidelines
- Product/System Evaluation Criteria

Guidelines are recommendations, white papers, best practices or formats for a security program that may be used by an organization to set up or review a security program – COBiT (Control Objectives for IT) and CMM are examples of frameworks and evaluation tools used to review a security infrastructure. Organizational guidelines could include such documents as a code of ethics, ethical guidelines, code of conduct, etc.

30 Product/System Evaluation Criteria History

31 Trusted Computer System Evaluation Criteria (TCSEC)
- Known as the Orange Book; published in 1983, it still provides a benchmark for systems produced decades later.
- Basis for evaluating vendor security products to protect confidentiality.
- Guidance to users for selection of vendor products to achieve policy requirements for data confidentiality.
- Assurance of a certain level of security in products.
- Customer: a metric to evaluate trust. Vendor: security features to build in.
Evaluation classes, from lower trust to higher trust: D, C1, C2, B1, B2, B3, A1.

The purposes of the TCSEC (Orange Book). The significance of TCSEC was that it was one of the first documents to outline the security features that must be in computer system products. It has been used as the basis for future documents and international standards. Provides the user with a measurement for the evaluation of trust of a system component. Provides the vendor with guidance for the security to build in to trusted systems. Provides a basis for specifying system requirements. For instance, ACF2 was evaluated at the C2 level so it could be specified for IBM mainframe systems that required discretionary access control.

32 Trusted Computer System Evaluation Criteria (TCSEC)
Class  Description
D      Minimal Protection
C1     Discretionary Security Protection
C2     Controlled Access Protection
B1     Labeled Security Protection
B2     Structured Protection
B3     Security Domains
A1     Verified Design

These are the evaluation classes defined by the TCSEC. As you move from D to A1, increasing amounts of security functionality and levels of assurance are required in the system. Note that D means basically unevaluated; many general computer systems can be C1, but the B classes are difficult, and A1, while having no additional functionality vs. B3, requires formal verification of its implementation - a near impossibility for anything other than the simplest of systems.

33 Trusted Computer System Evaluation Criteria (TCSEC) Functionality Requirements
The slide is a table with one column per evaluation class (C1, C2, B1, B2, B3, A1) and one row per functional area: Identification/Authentication, DAC, Audit, MAC, Labeled Subject & Object, Device Labels, Object Reuse, Trusted Path. Legend: Yes = new/changed/enhanced functionality required; = = no additional requirements.

This table shows, for each of the evaluation classes, the broad areas where security services have to be added/enhanced. The functional areas are:
- Identification/Authentication - user authentication mechanisms to verify identity
- DAC - Discretionary Access Controls, allowing owners to control access to various objects (mostly files)
- Audit - records of all security related actions
- MAC - Mandatory Access Controls, enforced by the system and owners, restricting access based on subject and object labels
- Labeled Subject & Object, so the system can execute MAC
- Device Labels, so devices are restricted as to the output they create based on its classifications
- Object Reuse, ensures that sensitive data really is destroyed before the media is released to other subjects
- Trusted Path, ensures that users can securely access the TCB for login or other security critical actions
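The DAC, Audit and MAC areas above, as an added example that is not part of the original slides: a toy Python reference monitor in which a C2-style owner-managed ACL (DAC), B1-style labeled subjects and objects (MAC under the simple-security and *-property rules) and an audit record per decision are layered together. The user names, labels and access requests are constructed for the demonstration.

```python
from dataclasses import dataclass, field

# Ordered sensitivity levels; a higher index is more sensitive (constructed hierarchy).
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]


@dataclass(frozen=True)
class Label:
    """Security label carried by every subject (clearance) and object (classification)."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice dominance: at least as high a level and a superset of compartments.
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)


@dataclass
class Obj:
    name: str
    owner: str
    label: Label
    acl: dict = field(default_factory=dict)  # DAC: user -> set of modes, set by the owner


@dataclass
class Subject:
    name: str
    clearance: Label


class ReferenceMonitor:
    """Mediates every access; both the DAC and the MAC check must pass."""

    def __init__(self):
        self.audit_log = []  # Audit: one record per decision, allowed or denied

    def dac_allows(self, subj: Subject, obj: Obj, mode: str) -> bool:
        # Owner always has discretion over its own object; others need an ACL entry.
        return subj.name == obj.owner or mode in obj.acl.get(subj.name, set())

    def mac_allows(self, subj: Subject, obj: Obj, mode: str) -> bool:
        # Simple-security rule: read only if the clearance dominates the object label.
        # *-property: write only if the object label dominates the clearance (no write-down).
        if mode == "read":
            return subj.clearance.dominates(obj.label)
        if mode == "write":
            return obj.label.dominates(subj.clearance)
        return False

    def check(self, subj: Subject, obj: Obj, mode: str) -> bool:
        dac = self.dac_allows(subj, obj, mode)
        mac = self.mac_allows(subj, obj, mode)
        decision = dac and mac
        self.audit_log.append({"subject": subj.name, "object": obj.name, "mode": mode,
                               "dac": dac, "mac": mac, "allowed": decision})
        return decision


def demo():
    """Constructed scenario showing that the owner's discretion cannot override MAC."""
    secret_proj = Label("SECRET", frozenset({"PROJ"}))
    alice = Subject("alice", secret_proj)
    bob = Subject("bob", Label("CONFIDENTIAL"))
    carol = Subject("carol", Label("TOP_SECRET", frozenset({"PROJ"})))
    report = Obj("report.txt", owner="alice", label=secret_proj, acl={"bob": {"read"}})
    memo = Obj("memo.txt", owner="alice", label=Label("UNCLASSIFIED"))
    rm = ReferenceMonitor()
    results = {
        "alice reads report": rm.check(alice, report, "read"),    # owner and dominates
        "bob reads report": rm.check(bob, report, "read"),        # ACL grants it, MAC denies
        "carol reads report": rm.check(carol, report, "read"),    # MAC allows, no ACL entry
        "alice writes memo": rm.check(alice, memo, "write"),      # owner, but write-down
        "alice writes report": rm.check(alice, report, "write"),  # same label both ways
    }
    return results, rm.audit_log


if __name__ == "__main__":
    decisions, log = demo()
    for request, allowed in decisions.items():
        print(f"{request:22s} -> {'ALLOW' if allowed else 'DENY'}")
    for entry in log:
        print(entry)
```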

34 Information Technology Security Evaluation Criteria (ITSEC)
The purpose of ITSEC was to:
- Harmonize security evaluation criteria internationally.
- Build on experience accumulated.
- Avoid different security evaluation criteria.
- Standardize basic concepts and approaches across countries, and across commercial, government, or military applications.

Briefly describes the purpose of ITSEC. Previously each country had its own version of the evaluation criteria. ITSEC combined the European versions with the Orange Book and expanded the scope to include integrity and availability as well as confidentiality.

35 Common Criteria - ISO 15408
The purpose of the Common Criteria is to:
- Provide a common structure and language for expressing product/system IT security requirements.
- Establish a common criteria base, so that the results of product security evaluation will be meaningful to a larger audience.

This lists the objectives of the Common Criteria published by NSA with input from NIST. Finalized after years of drafts and published in 12/97 (Version 1). ISO Version 2 (5/98).

36 Common Criteria EAL Levels
- EAL-1: Documentation conformity and establishing that the Target does what its documentation claims.
- EAL-2: Tests the structure of the product through an evaluation, which includes the product’s design history and testing.
- EAL-3: Evaluates a product in the design stage, with independent verification of the developer’s testing results, and evaluates the developer’s checks for vulnerabilities, the development environment controls, and the Target’s configuration management.
- EAL-4: An even more in-depth analysis of the development and implementation of the Target; may require more significant security engineering costs.
- EALs 5-7: Require even more formality in the design process and implementation, and analysis of the Target’s ability to handle attacks and prevent covert channels, for products in high-risk environments.

37 ISO 17799 & BS 7799-2
Two documents. Two purposes.
- ISO 17799: Code of Practice – guidance and support.
- BS 7799-2: Management system standard (certifiable and measurable requirements).

ISO 17799 is based upon the British Standard 7799, which was published in May 1999, an edition which itself included many enhancements and improvements on previous versions. The first version of ISO 17799 was published and adopted in December 2000.

38 ISO 17799 / BS 7799-2
ISO 17799: Comprehensive guidance on a range of controls for implementing Information Security. A package of ‘good’ advice.
BS 7799-2: Management system standard. Used to demonstrate compliance with defined requirements. Assessments against this standard will determine that selected controls are implemented correctly and are effective.

ISO 17799 is comprehensive in its coverage of security issues. It contains a substantial number of control recommendations, some extremely complex. ISO 17799 is based upon the British Standard 7799, which was published in May 1999, an edition which itself included many enhancements and improvements on previous versions. The first version of ISO 17799 was published and adopted in December 2000. ISO 17799 is a management guideline – not a technical document. It should be noted that Canada, Germany, France, the US (and perhaps some other countries) objected to the formalization of ISO 17799 because they didn’t think that it actually formed a standard. They immediately filed a request to change ISO 17799 and fast-track the review process. Also, ISO 17799 incorporates only part 1 of the BS 7799 standard; part 2 was never submitted for standardization. Lastly, there is a certification process for ISO 17799 for auditors.

39 BS 7799-2: 10 Categories of Information Management
These are the ten categories that BS 7799-2 covers. It can apply, as the inside of the chart implies, to any kind of business data.

40 Suggested ISO 17799 Blueprint Components
Components shown on the blueprint diagram: Management, Monitoring, Risk Management, Compliance, Incident Response, Logging & Reporting, Administration, Policies & Standards, Classification & Control, Systems Planning, Configuration Management, Development & Maintenance, Procedures, Organization, Third-Party Access, Training & Awareness, Roles & Responsibility, Personnel, Infrastructure, Infrastructure Integrity, Availability, Redundancy, Backup, Continuity, Recovery, Configuration, Segmentation, Network Devices, Operating Systems, Protection, Physical, Intrusion / Misuse, Content, Malicious Software, Environment, Access, Perimeter Network, Internal Network, Application, Facility, Internet, Wireless, Extranet, Dial-Up, Workstation, LAN, Servers, WAN, Web/Middleware, Enterprise, Database, Areas, Equipment, Media, Access Control, Secure Communications, Confidentiality, Reliable Transactions, Accountability, Non-Repudiation, Integrity, Validated Access, Authentication, Authorization, Budgeting & Accounting, Audit & Certification.

Compare the components viewed in this ISO Blueprint sample with the components from the prior example Blueprint. Note that the ISO model above has a Management Blueprint that extends across all the underlying blueprints, suggesting that those Management level policies and controls cover the entire organization and all underlying blueprints, as discussed in the earlier slides. Note also that some of the components fall under different areas of control on this model than in our earlier example (virus control is under Infrastructure as opposed to Monitoring).

41 Security Model Components
A high level overview of a generic system security model and some of the components that companies may include. Stress the ‘foundation’ of policies and how at the top are business goals and objectives. All of these ‘blocks’ working together should allow us to reach ‘assurance’ that our security program is indeed addressing effective security.

42 Security Management Topics
Principles and Requirements Policy Organizational Roles and Responsibilities Information Classification Risk Management and Analysis

43 Organizational Roles and Responsibilities
For security to be effective, it is imperative that individual roles, responsibilities, and authority are clearly communicated and understood by all. Organizations must assign security related functions to designated employees. Security is not a function of a single person nor of one group or team. Everyone must be aware of their responsibility and role in creating a secure environment.

44 Organizational Roles and Responsibilities (cont.)
Responsibilities to consider include:
- Executive Management - assigned overall responsibility for asset protection.
- Information Systems Security Professionals - responsible for the design, implementation, management, and review of the organization’s security policies, standards, baselines, procedures, and guidelines.

Note: executive management could potentially include specific organizational roles such as the CISO (Chief Information Security Officer), CTO (Chief Technology Officer), CRO (Chief Risk Officer), CSO (Chief Security Officer), etc.

45 Organizational Roles and Responsibilities (cont.)
Owners - responsible for:
- ensuring that appropriate security, consistent with the organization’s security policy, is implemented in their information systems
- determining appropriate sensitivity or classification levels
- determining access privileges

46 Organizational Roles and Responsibilities (cont.)
- Custodian – a function who has “custody” of the system/databases, not necessarily belonging to them, for any period of time. Usually network administration or operations.
- Users - responsible to use resources and preserve availability, integrity, and confidentiality of assets; responsible to adhere to security policy.
- IS/IT Function - responsible for implementing and adhering to security policies.

Custodians are the functions who normally operate the systems for the owners.

47 Organizational Roles and Responsibilities (cont.)
Information Systems Auditor - responsible for:
- providing independent assurance to management on the appropriateness of the security objectives.
- determining whether the security policy, standards, baselines, procedures, and guidelines are appropriate and effective to comply with the organization’s security objectives.
- identifying whether the objectives and controls are being achieved.

48 Hiring Procedures
- Background checks.
- Follow up on references.
- Verification of educational records.
- Sign employment agreements: non-disclosure; business ethics including telephone and Internet usage.

There may be some legality concerns when it comes to background checks. National law supersedes any company policy.

49 Hiring Procedures (cont.)
- If low-level checks are done at initial hiring, be alert to the need for further checks on internal movement within the company to a higher-level classification.
- Hiring must be co-ordinated with the Human Resources department (not just the local manager).
- Use standard checklists for hiring interviews. Cover points such as keys, ID card, passwords, equipment loaned out to the employee (laptops, cell phones, pagers).

Low-level checks – if someone comes in at a low-level job and subsequently moves to a higher-level position, further checks should be done. The appropriateness of background checks may have to follow legal statutes, i.e., privacy laws, etc.

50 Termination Procedures
- Use standard checklists for termination interviews.
- Ensure all access cards and tools are returned.
- Remove user access immediately upon departure.
- Suspension/disciplinary procedures.
- Keep an inventory of all equipment given to the user – remote access tokens, keys, ID cards, cellphones, pagers, credit cards, laptops, software – so that they can be recovered on termination.

51 Good Practices Job descriptions and defined roles and responsibilities
- Least privilege / need to know
- Separation of duties: forces collusion in order to manipulate the system for unauthorized purposes.
- Job rotation
- Mandatory vacations

Job rotation breaks up collusion and provides opportunities to review authorizations (they usually grow over time, so this gives us the opportunity to review). Job rotation also provides trained backup. Mandatory vacations provide the opportunity to detect fraud. Also, when people are on vacation, their access to the site should be closely monitored.

52 Security Awareness
- Awareness material provides employees with a reminder of their security responsibilities.
- Training provides the skills needed to perform the security functions in their jobs.
- Education provides decision-making and security management skills that are important for the success of an organization’s security program.

53 Raising the Collective Awareness
- Variety of methods – videos, newsletters, posters, briefings, key-chains, trinkets, etc.
- Motivate personnel to comply with requirements.
- To be effective, the campaign must be creative and frequently changed.
- Should reward practices such as protecting the physical area and equipment, protecting passwords, and reporting security violations.

Variety of training methods:
- Lectures/presentations – short segments with plenty of visuals using slides, view graphs, videos and flip-charts
- Posters
- Newsletters/bulletins
- Awards
- Electronic notices (e.g. banners, message of the day, last access)
- Stickers/coasters/notepads
- Drills and exercises
- Use of Web pages

54 Providing Training Material & Courses
- Training should be focused on security-related job skills.
- Specify and address security requirements of the organization.
- Increase the ability to hold employees accountable for their actions.
- Specialized or technical training is needed for specific personnel, such as configuring firewalls or conducting audits.

Such security requirements should address:
- What is the mode of operation within the organization?
- Different types of access requirements for users/programs
- Security procedures/considerations for information handling
- Review of existing reporting procedures and enhancements to them
- Examples of unauthorized actions and follow-up procedures
- Periodic reindoctrination
Procedures are needed to support each of the above issues.

55 Information System Security Education
Education that is more in-depth is typically targeted for information systems security professionals in order to gain expertise . Normally this is accomplished through external programs and should be regarded as part of career development.

56 Good Practices
Speak the audience’s language by addressing the interests of:
- Management
- Data owner and custodian
- User
- Operations
- Support personnel

Management interests – overall cost savings (a Risk Analysis will yield this type of information), the need to protect information, and the need for efficient and effective security. Data owner and custodian interests – easy-to-follow instructions. User interests – productivity, easy compliance, understanding requirements. Operations personnel interests – non-intrusive security. Support personnel interests – their role, cost-effective compliance.

57 Good Practices
Topics include items such as:
- Policies, standards, procedures, baselines, and guidelines
- Errors, accidents, and omissions
- Physical and environmental hazards
- Continuity Planning
- Malicious code/logic
- Media handling responsibilities
- Incident reporting
- Social engineering

58 Information Security Assurance Mechanisms
- Internal/External Audit Reports: COBIT, IIA’s Red Book, Yellow Book, etc.
- Periodic Review by Management: Security Reviews (Internal), Checklists, Supervision
- Third Party Reviews: Attack and Penetration Tests
- Policy Review
- Threat Risk Assessments

Many assurance mechanisms will be reviewed in their particular domains, i.e., IDSs, audit logs, BCP tests; however, some are applicable especially to the area of INFOSEC, such as overall CobiT reviews and other audit techniques. CobiT – Control Objectives for Information Technology. IIA’s (Institute of Internal Auditors) Red Book – practices framework document. GAO Yellow Book – U.S. General Accounting Office – Government Auditing Standards.

59 Quick Quiz
- What are the supporting elements of policy implementation?
- What is the importance of defining organizational roles and responsibilities when implementing organizational policy?

Explore: Instructor should use these questions to drive general discussion. Don’t directly give the answers, only curb responses that are clearly incorrect. Try to see what responses the participants can provide. The section summary on the following page answers these questions directly. Use the section summary to highlight any points not clearly driven out during the quiz discussion.

60 Section Summary Standards, procedures, baselines, and guidelines are the supporting elements of policy implementation. These elements help enforce the security policy principles within each business process and on each system. For security to be effective, it is imperative that individual roles, responsibilities, and authority are clearly communicated and understood by all. ISO provides comprehensive guidance on a range of controls for implementing information security. BS is the management system standard and can be used to demonstrate compliance with defined requirements.

61 Security Management Topics
- Principles and Requirements
- Policy
- Organizational Roles and Responsibilities
- Information Classification
- Risk Management and Analysis

62 Section Objectives
- Describe the purpose of information classification
- List the benefits of information classification
- Summarize the steps involved in ensuring classification effectiveness

63 Information Classification Objectives
- Ensure that information assets receive an appropriate level of protection.
- Provide security classifications that indicate the need and priorities for security protection.
- Minimize risks of unauthorized information alteration.
- Avoid unauthorized disclosure.
- Maintain competitive edge.
- Protect legal tactics.
- Comply with privacy laws, regulations and industry standards.
"Protect legal tactics" means maintaining the confidentiality of the organization's legal department's approach to lawsuits and other legal activities.

64 Information Classification Benefits
- Awareness among employees and customers of the organization's commitment to protect information.
- Identification of critical information.
- Identification of sensitivity to modification.
- Enables focus on integrity controls.
- Sensitivity to the need to protect confidential information.
- Understanding of the value of information.
- Meeting legal requirements.
Some additional benefits of classification: it makes users aware that they are using information the organization is committed to protecting from unauthorized access; it identifies information considered critical to business success; if integrity is a concern, it identifies data that must only be modified in authorized ways; if confidentiality is a concern, it ensures users understand the value of the information to the organization and the need to protect it, and how to protect it can also be identified.

65 Information Classification Examples
- FOUO – For Official Use Only
- Financially sensitive
- Sensitive management
- Proprietary – competitive edge
- Private – records about individuals, trade secrets, etc.
This is a sampling of the terminology frequently used in the private sector. Following each term is the usual protection purpose or a definition of the type of information.

66 Information Classification
- Information is classified by the Information Owner or a designate.
- Accurate classification depends on the ability and knowledge of the classifier, who must be aware of regulations and of customer and business expectations.
- Classification must be done in a consistent manner; because individual decisions are often judgment calls, consistent criteria are what keep the scheme meaningful.
- All classified items must be clearly labeled.
- The classification process must include a manner for declassifying and destroying material.

67 Information Classification (cont.)
All data handled by the organization must be reviewed for classification: paper, magnetic media, video and audio recordings, facsimile, scratch paper, etc.
Consider the following as part of classification:
- Exclusive possession (trade secret, etc.)
- Utility (usefulness)
- Cost of creation/recreation
- Liability (for protection)
- Convertibility/negotiability (EFT, etc.)
- Operational impact (if unavailable)
These are some of the considerations involved in deciding what information to mark with a classification. For instance, competitive-edge information can be very valuable to the organization and to its competitors alike; knowing the potential risks of compromise helps determine the need for classification, and evaluating the existing protective measures may show that they are inadequate to protect the information.

68 Information Classification (cont.)
Marking and Labeling
- Mark sensitive magnetic or optical media.
- Mark both the cover and the inside of documents.
- Label documents (or objects) for access control permissions, such as in directories, files, or database fields.
Document labeling refers to marking the classification on hard copy. Object labeling refers to marking the classification on magnetic media (files).
Criteria that affect when a classification can be lowered or removed:
Age – often the value of nondisclosure decreases with time, so that after a certain age the classification is lowered. Note that in the military some classified documents are labeled as automatically declassified after a set number of years.
Useful life – once the information has been superseded, for instance, the original information can often be declassified.
Associations – information associated with individuals that comes under privacy law needs to be classified for protection. Some legal information associated with ongoing cases or business affairs may also be classified so that it is not disclosed to unauthorized persons.
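As an added example (not part of the original slides), the following Python reviews a constructed inventory against the three declassification criteria described above: age, useful life and associations. The level names and their ordering, the one-level-per-review downgrade, and the rule that a privacy or legal association overrides age are assumptions made for illustration; the inventory itself is made up.

```python
"""Review classification labels against the declassification criteria
described above: age, useful life (superseded) and associations."""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Least to most sensitive. These level names and their order are an
# assumption; the slides list private-sector terms but no fixed ranking.
LEVELS = ["Public", "Internal", "Confidential", "Restricted"]


@dataclass
class Item:
    title: str
    level: str
    created: date
    downgrade_after_years: Optional[int] = None  # None: no age-based downgrade
    superseded: bool = False                     # useful life has ended
    contains_personal_data: bool = False         # privacy-law association
    legal_hold: bool = False                     # ongoing case or business affair


def review(item: Item, today: date) -> Tuple[str, str]:
    """Return (recommended level, reason) for one item."""
    if item.level not in LEVELS:
        raise ValueError(f"unknown classification {item.level!r}")
    # Associations take precedence over age and useful life (assumption):
    # privacy and legal material keeps its label until the obligation ends.
    if item.contains_personal_data or item.legal_hold:
        return item.level, "association (privacy/legal): retain classification"
    if item.superseded:
        return LEVELS[0], "useful life ended: declassify"
    idx = LEVELS.index(item.level)
    if item.downgrade_after_years is not None and idx > 0:
        age_years = (today - item.created).days / 365.25
        if age_years >= item.downgrade_after_years:
            # One level per review cycle (assumption), not straight to Public.
            return LEVELS[idx - 1], "age: lower one level"
    return item.level, "no change"


def review_all(items, today: date) -> dict:
    return {i.title: review(i, today) for i in items}


# Constructed sample inventory; titles and dates are hypothetical.
INVENTORY = [
    Item("2015 product roadmap", "Confidential", date(2015, 3, 1), downgrade_after_years=5),
    Item("customer address list", "Confidential", date(2015, 3, 1), downgrade_after_years=5,
         contains_personal_data=True),
    Item("old pricing sheet", "Internal", date(2019, 1, 10), superseded=True),
    Item("litigation strategy memo", "Restricted", date(2010, 6, 1), downgrade_after_years=10,
         legal_hold=True),
    Item("last month's memo", "Confidential", date(2023, 12, 1), downgrade_after_years=5),
]
REVIEW_DATE = date(2024, 1, 1)


def sample_review() -> dict:
    """Run the review over the constructed inventory as of REVIEW_DATE."""
    return review_all(INVENTORY, REVIEW_DATE)


if __name__ == "__main__":
    for title, (level, reason) in sample_review().items():
        print(f"{title}: {level} ({reason})")
```

The point of running the associations check first is that an age-based auto-downgrade must never quietly release personal data or material under legal hold; a real review would also record who approved each change, since the Information Owner, not the script, makes the decision.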

69 Assurance of Classification Effectiveness and Adherence
- Periodic checks for documents left in 'open view'.
- Information flow matrix review.
- Data dictionary review.
- Checks for correct disposal/shredding of documents and media.
- Review of users' access levels.
- Physical security, including access by maintenance and cleaning personnel.

70 Quick Quiz
What are some of the benefits of information classification?
What types of information should be reviewed for classification?
Explore: The instructor should use these questions to drive general discussion. Don't give the answers directly; only curb responses that are clearly incorrect. See what responses the participants can provide. The section summary on the following page answers these questions directly; use it to highlight any points not clearly drawn out during the quiz discussion.

71 Section Summary Information classifications help ensure that information assets receive the appropriate level of protection. All media containing data handled by the organization must be reviewed for classification, including paper, magnetic media, video, audio, facsimile, etc. Classifications must be done in a consistent manner.

72 Security Management Topics
- Principles and Requirements
- Policy
- Organizational Roles and Responsibilities
- Information Classification
- Risk Management and Analysis

73 Section Objectives
- Define the key risk management terms
- Describe the importance of a risk analysis
- List examples of potential threats
- Describe the two types of risk analysis – quantitative and qualitative
- Describe the safeguard selection principles

74 Risk Management Definitions
- Asset – a resource (physical or logical) that is valued by the organization.
- Threat – any potential danger to information or an information system.
- Threat agent – the source that has the potential to realize a threat.
- Exposure – an instance of being exposed to losses from a threat.
- Vulnerability – an information system weakness that could be exploited.
- Attack – an action intended to cause harm by exploiting a vulnerability.
- Countermeasures and safeguards – controls that mitigate the potential risk.
- Risk – the likelihood of an unwanted event occurring, weighed together with its impact.
- Residual risk – the portion of risk that remains after countermeasures are applied.

75 Risk Management Information Security Concept Flow
This overview was taken from the Common Criteria. It shows the relationships among the key components. Threats, Vulnerabilities, and Asset values are used to identify the overall risk of an organization’s assets.

76 Risk Management Definition
A discipline for living with the possibility that future events may cause harm. Risk management reduces risk by defining and controlling threats and vulnerabilities.
Threats × Vulnerability × Asset Value = Total Risk
Concept of mitigating controls: Total Risk – Countermeasures = Residual Risk
These are conceptual relationships rather than arithmetic: a threat with no matching vulnerability, or a vulnerability in an asset of no value, contributes no risk.

77 Risk Management Control Objectives
Chart axes (chart not reproduced): Probability of Occurrence against Consequence of Occurrence.
- Risk levels in the red area indicate immediate action should be taken to reduce the risk.
- Risk levels in the orange area indicate that actions should be planned and initiated to reduce the risk.
- Risk levels in the yellow area indicate these should be monitored, with preparation to respond if they are realized.
- Risk levels in the green area indicate no specific actions need to be taken.

78 How Much Security is Enough?
This decision is the balance between the cost to protect an asset and the level of acceptable risk. To answer the question, we must understand the:
- Adversary: means, motives, and opportunity;
- Asset value;
- Threats;
- Vulnerabilities;
- Resulting risk;
- Countermeasures; and
- Risk tolerance.
Security is a balancing act!

79 Adversaries, Means, Motives, and Opportunities
The slide's chart pairs each adversary with a typical motive and the means available to them; the row pairing below is reconstructed from the flattened chart text.
Adversary | Motive | Means
Script kiddy | Curiosity | Scripts
Hackers, crackers | Prestige and thrill | Tools, books
Insiders | Monetary gain and revenge | Infinite time, tools, social engineering
Competitors, organized crime | Industrial espionage, financial damage | Spy, expertise, resources, tools
Cyber warrior | National security (classified information and services) | Sophisticated tools, expertise and infinite resources
The chart relates adversary and motive to the financial damage each can cause.

80 Purpose of Risk Analysis
- Identify the threats to business processes and information systems.
- Justify the implementation of specific countermeasures to mitigate risk.

81 Importance of Risk Analysis
Risk analysis is important in order to ensure that the resources and policy of an organization are directed appropriately.
Focus:
- To identify the areas of risk to an organization or functional area.
- To identify special circumstances that may need better controls – regulatory and financial areas.
Risk analysis is not a cookie-cutter approach; it requires an in-depth look at the organization as a whole and at each functional area. Risk differs from one area to another, and risk analysis and management must reflect those differences. Some areas under the influence of regulation (Securities and Exchange Commission rules, HIPAA) require stronger controls, security and review than other areas. With limited personnel, budgets and tools, risk management ensures that the organization's resources are targeted at the areas of greatest risk while making sure there are no gaps in the security process.

82 Additional Benefits of Risk Analysis
May be applicable to:
- The business continuity process.
- Insurance and liability.
- Implementing countermeasures, new controls and procedures.
- Legitimizing security awareness programs.

83 Examples of Threats
Threats include, but are not limited to:
- Unauthorized access
- Hardware failure
- Utility failure
- Loss of key personnel
- Human errors
- Neighboring hazards
- Tampering
- Disgruntled employees

84 Emerging Threats Factor
Risk assessment must also include emerging threats:
- New technology
- Change in culture
- Unauthorized use of technology (e.g., wireless technologies, rogue modems, PDAs – Personal Digital Assistants, unlicensed software)
The threat from PDAs includes theft of corporate data, poor controls over wireless transmission against interception, and the risk of multiple copies of data if they are not synchronized correctly. Unlicensed software – 52 of 55 police departments in the UK were found to be using pirated copies of MC software.

85 Input Sources to Identify Threats
Includes, but is not limited to:
- Users
- System administrators
- Auditors
- Security officers
- Operations
- Facility records
- Community records
- Government records
- Watchdog alerts (CERT/CC, Bugtraq, etc.)

86 Risk Analysis Key Factors
- Obtain management support.
- Define and approve the purpose and scope of the risk assessment team.
- Select team members.
- State the official authority and responsibility of the team.
- Have management review findings and recommendations.
The next few slides examine the steps of risk analysis, beginning with obtaining management support – the most critical step for an effective risk analysis and the subsequent risk management program.

87 Suggested Team Members
- Information system security
- IT and operations management
- System and network administrators
- Internal audit
- Physical security
- Business process and information owners
- Advisors (Human Resources, Legal, Emergency Measures Coordinator, Safety Officers)

88 Preliminary Security Evaluation
Identify vulnerabilities related to:
- Natural disasters (flood, tornado, earthquake, forest fire, lightning)
- Environment – the work scene (overcrowding or poor morale)
- Facility (physical security or location of the building)
- Access controls (logical and physical)
- Data processing controls (prevention of improper modification)
Review existing security measures. Document findings. Obtain management review and approval.
Include all existing controls, and be careful not to be biased when examining them: be objective and factual, and list both strengths and vulnerabilities (potential risks). Document all findings – leave nothing to memory; the documentation records the reasons for assumptions and conclusions.

89 Risk Analysis Types
Subtopics:
- Quantitative risk analysis: primary steps, automated tools
- Qualitative risk analysis
There are two methods of performing a risk analysis, quantitative or qualitative. First, we will discuss quantitative risk analysis.

90 Quantitative Risk Analysis - Definition
Attempts to assign independently objective numeric values (e.g., monetary values) to the elements of the risk assessment and to the assessment of potential losses. When all elements (asset value, impact, threat frequency, safeguard effectiveness, safeguard costs, uncertainty and probability) are quantified, the process is considered to be fully quantitative.

91 Quantitative Risk Analysis Difficulties
Purely quantitative risk analysis can be difficult to achieve -- quantitative measures must be applied to qualitative elements. Usually requires substantial time and personnel resources to complete the quantitative process.

92 Three Steps for Quantitative
The three primary steps are:
1. Estimate potential losses
2. Conduct a threat analysis
3. Determine annual loss expectancy

93 Step One – Estimate Potential Losses (SLE – Single Loss Expectancy)
SLE = Asset Value ($) × Exposure Factor (%)
The Exposure Factor is the percentage of the asset's value lost when a threat is successful.
Types of loss to consider:
- Physical destruction/theft of assets
- Loss of data
- Theft of information
- Indirect theft of assets
- Delayed processing

94 Step Two – Conduct Threat Analysis (ARO – Annualized Rate of Occurrence)
The number of exposures or incidents that could be expected per year; the likelihood of an unwanted event happening. An ARO below 1 (for example 0.1 for an event expected once a decade) is normal.

95 Step Three – Determine Annual Loss Expectancy
Combine the potential loss and the rate per year; the magnitude of risk is the Annual Loss Expectancy, which guides the choice of security measures and the amount to spend. The formula is the amount of loss per incident multiplied by the rate per year:
Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)

96 Using Automated Tools
Objective: minimize manual effort. Once the database is created:
- Rerun the analysis with different parameters to answer the "what ifs".
- Perform calculations quickly.
- Estimate future expected losses.
- Determine the benefit of security measures.

97 Subtopics
- Quantitative Risk Analysis
- Qualitative Risk Analysis
The second method of performing a risk analysis is to use qualitative methods, which are primarily based on scenarios.

98 Qualitative Risk Analysis – Definition
- Scenario oriented.
- Does not attempt to assign absolute numeric values to components.
- Purely qualitative risk analysis is possible.

99 Qualitative Risk Analysis – Process
Rank the seriousness of threats and the sensitivity of assets using qualitative grades such as:
- Blank (no effect)
- Low
- Medium
- High
Then perform a carefully reasoned risk assessment.

100 Qualitative Risk Analysis – Scenarios
Match threats to assets via scenarios. Each scenario describes the range of threats:
- Potential act
- Assets subject to loss
Procedure:
- Write a scenario for each major threat.
- Have functional managers review each scenario for credibility and practicality.
- Evaluate the use of safeguards.

101 Qualitative Risk Analysis – Scenarios (cont.)
- Test the scenarios.
- Based on the test results, document findings: current/planned protection and remaining deficiencies.
Scalability: a limited security study may use 2 or 3 one-page scenarios; a broad study may use hundreds of scenarios.
Advantages: communication; identifying security strengths and vulnerabilities; evaluating safeguards.
Testing the scenarios encourages interaction and communication between departments; quite often this uncovers hidden relationships between departments and processes that would otherwise be missed.

102 Other Risk Analysis Methods
Failure Modes and Effects Analysis
- Examine the potential failures of each part or module.
- Examine the effects of each failure at three levels: immediate (part or module), intermediate (process or package), and system-wide.
- Collect the total impact of failure for each module.
- Determine whether the module should be strengthened or further supported.
Failure modes and effects analysis comes from the field of engineering, and is primarily used in the risk analysis of hardware failures. However, the same techniques can be used in software or system analysis. For each component or part of a system, determine the possible ways it can fail. (In hardware this is usually a result of a part burning out or failing under load. Failures of digital software can be more complex.) For each type of failure, determine the impact of the failure at three different levels of operation: at the immediate level within the module, at an intermediate level in a given business process or software package, and in the business or information system as a whole. Remember that a failure within a given module may affect processes outside the process that "owns" the module. (Assessment is usually ranked on a scale of severity, such as minimal impact, where the module can continue to operate in the face of the failure; moderate; and critical impact, where the module or system cannot continue to function as a result of the failure. These are generally given numeric values.) Having determined the failure modes and effects, a summation is made of the total impact of the failure of a given part or component. Components with a very high total impact are then re-examined. In hardware systems such parts might be "over-engineered" to strengthen them, or provision for redundant backup might be made. (In computer systems the addition of a UPS is almost automatic, since the failure of power has a critical impact on every part of the system.)
In terms of software, highly critical components might be subject to recoding, additional error trapping, additional debugging attention, or additional testing. For further reference: "Systems Reliability and Failure Prevention", Herbert Hecht, Artech House, 2004.
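The following Python carries the FMEA procedure above through on a constructed system model; it is an added example, not from the slides. The three-point severity scale (minimal, moderate, critical) follows the notes; the summation rule, the threshold for "strengthen", the list of processes a failure reaches beyond its owner, and the sample components are assumptions made for illustration.

```python
"""Failure Modes and Effects Analysis over a small constructed system model."""
from dataclasses import dataclass, field
from typing import List

# Severity at each level, as the notes describe:
# 1 = minimal (module keeps operating), 2 = moderate, 3 = critical (cannot function).
MINIMAL, MODERATE, CRITICAL = 1, 2, 3


@dataclass
class FailureMode:
    name: str
    immediate: int     # effect within the part or module itself
    intermediate: int  # effect on the owning process or package
    system: int        # effect on the business or information system as a whole

    def total(self) -> int:
        return self.immediate + self.intermediate + self.system


@dataclass
class Component:
    name: str
    owner_process: str
    modes: List[FailureMode]
    # Processes outside the owner that a failure here also reaches
    # (a failure in one module may affect processes that do not own it).
    also_affects: List[str] = field(default_factory=list)


def total_impact(component: Component) -> int:
    """Sum of severities over all failure modes and all three levels."""
    return sum(m.total() for m in component.modes)


def needs_strengthening(component: Component, threshold: int = 6) -> bool:
    """Flag a component if any failure mode is critical system-wide, or if
    its summed impact exceeds the threshold (threshold value is an assumption)."""
    if any(m.system == CRITICAL for m in component.modes):
        return True
    return total_impact(component) > threshold


def fmea_report(components: List[Component]) -> list:
    """Rank components by total impact, highest first, with the processes each reaches."""
    ranked = sorted(components, key=total_impact, reverse=True)
    return [
        (c.name, total_impact(c), needs_strengthening(c),
         sorted({c.owner_process, *c.also_affects}))
        for c in ranked
    ]


# Constructed sample: parts of a hypothetical payments service.
SAMPLE = [
    Component("power supply", "data centre ops",
              [FailureMode("mains loss", CRITICAL, CRITICAL, CRITICAL)],
              also_affects=["payments", "reporting"]),
    Component("input validator", "payments",
              [FailureMode("rejects valid input", MODERATE, MODERATE, MINIMAL),
               FailureMode("accepts malformed input", MINIMAL, CRITICAL, MODERATE)]),
    Component("report scheduler", "reporting",
              [FailureMode("missed run", MINIMAL, MODERATE, MINIMAL)]),
]


def sample_report() -> list:
    return fmea_report(SAMPLE)


if __name__ == "__main__":
    for name, impact, strengthen, reaches in sample_report():
        print(f"{name:18} impact={impact:2} strengthen={strengthen} reaches={reaches}")
```

Note that the validator ranks above the power supply on summed impact only because it has two failure modes; the system-level critical rule is what guarantees the power supply is still flagged, which is the UPS case the notes mention. Weighting the system level more heavily than the immediate level is a common refinement.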

103 Other Risk Analysis Methods
Fault Tree Analysis
- Sometimes known in information security as 'spanning tree analysis'.
- Create a "tree" of all possible threats to, or faults of, the system.
- 'Branches' are general categories such as network threats, physical threats, component failures, etc.
- Prune 'branches' that do not apply (if the system is not networked, eliminate the network branch).
- Concentrate on the remaining threats.
Fault tree analysis appears obvious when stated, but it helps to avoid both blind spots and excessive work. Generally speaking, risk analysis starts with some kind of brainstorming of possible risks and then proceeds to deal with each of the noted risks. Categorizing the risks in a fault tree, or spanning tree, will likely prompt thoughts of additional related risks, which can be added to the tree. Eliminating categories of risk that do not relate to the system under discussion also appears obvious when stated, but the relevance of certain risks may not be obvious if they have not been categorized. A "universal" fault tree can be created as a tool for all risk analysis projects, which speeds up the early part of a risk assessment. There are numerous software programs supporting fault tree or spanning tree analysis; note that many of these specialize in a particular topic, such as fire prevention. For further reference: "Systems Reliability and Failure Prevention", Herbert Hecht, Artech House, 2004.

104 The Value of Information
Determine asset costs and value:
- Cost to acquire, develop, and maintain.
- Value to owners, custodians, users, or adversaries.
Recognize cost and value in the real world:
- The price others are willing to pay (published references, mailing lists, etc.).
- The value of intellectual property (trade secrets, patents, copyrights, etc.).

105 Factors that Affect Information Valuation
Circumstances that affect value:
- Time-sensitive value of information.
- Replacement without disruption/loss.
- Any undesirable results from disclosure, modification or denial of use.
- Lost opportunity costs if value is not established.

106 Comparison
This chart (not reproduced) has two purposes:
- It lists the 6 methods of valuing information (checklists and questionnaires are different methods included together because they sit at the same point on the continuum).
- It identifies whether these methods are more qualitative or quantitative in nature.
The Delphi Method:
- Each member independently and anonymously writes down comments and suggestions about ways to deal with a problem or issue.
- Ideas are compiled, reproduced, and distributed to members for observation and reaction.
- Each member provides feedback to the entire group concerning each of the comments and proposed solutions.
- The members reach consensus on which solution is most acceptable to the group as a whole.

107 Rating Likelihood and Consequences
Likelihood rating:
E – Rare (very low)
D – Unlikely (low)
C – Moderate/Possible (medium)
B – Likely (high)
A – Almost certain (very high)
Consequence rating:
1 – Insignificant (low – no business impact)
2 – Minor (low – minor business impact, some loss of confidence)
3 – Moderate (medium – business is interrupted, loss of confidence)
4 – Major (high – business is disrupted, major loss of confidence)
5 – Catastrophic (high – business cannot continue)
This is an example of a matrix that can be used to compare likelihood and consequence for risks. Together the two ratings yield a risk level, which dictates whether to take action or not. Used in conjunction with the AS/NZS 4360 standard (next slide), this is fast becoming a world standard for managing risk.
How to qualify the likelihood rating – score each factor from 1 to 5:
- Skill required: 1 = high skill required, 5 = no skill required
- Ease of access: 1 = very difficult to do, 5 = very simple to do
- Incentive: 1 = low or no incentive, 5 = high incentive
- Resources required: 1 = rare/expensive equipment, 5 = no resources required
Total: add the four ratings and divide by 4, then map 1 = E, 2 = D, 3 = C, 4 = B, 5 = A.

108 Risk Levels (AS/NZS 4360 Standard)
The matrix (cell values not reproduced here) has likelihood as rows – A (almost certain), B (likely), C (possible), D (unlikely), E (rare) – and consequence as columns – 1 Insignificant, 2 Minor, 3 Moderate, 4 Major, 5 Catastrophic. Each cell holds one of four risk levels:
- E, Extreme risk: immediate action required to mitigate the risk, or decide not to proceed.
- H, High risk: action should be taken to compensate for the risk.
- M, Moderate risk: action should be taken to monitor the risk.
- L, Low risk: routine acceptance of the risk.
AS/NZS 4360 (the Australia/New Zealand risk management standard) is fast becoming a worldwide standard. It is a tool for government and the private sector to help manage risk, and is becoming a benchmark in many industries including financial and health. Its authors describe it as a "generic framework for establishing the context, identifying, evaluating, treating, monitoring and communicating risk."
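As an added example (not the slides' own material), the Python below runs the two preceding slides end to end: it scores the four likelihood factors, averages them into a letter as slide 107 describes, then looks the letter and consequence up in a likelihood/consequence matrix to get the risk level and required action. Two things are assumptions: the rounding of the average to the nearest whole number (the slide does not say how to round), and the matrix cell values, which follow the example matrix commonly reproduced from AS/NZS 4360:1999 because the slide's own cells did not survive extraction. The scenarios are made up.

```python
"""Qualitative risk rating: factor scores -> likelihood letter ->
likelihood/consequence matrix -> risk level and required action."""

# Slide 107 mapping of the averaged factor score to a likelihood letter.
LETTER_BY_SCORE = {1: "E", 2: "D", 3: "C", 4: "B", 5: "A"}


def likelihood_letter(skill: int, ease_of_access: int, incentive: int, resource: int) -> str:
    """Each factor is scored 1..5 (5 = easiest for the attacker); add and
    divide by 4. Rounding to the nearest whole number is an assumption."""
    factors = (skill, ease_of_access, incentive, resource)
    if any(not 1 <= f <= 5 for f in factors):
        raise ValueError("each factor must be scored 1..5")
    score = int(round(sum(factors) / 4))
    return LETTER_BY_SCORE[score]


# Rows: likelihood A (almost certain) .. E (rare); columns: consequence
# 1 (insignificant) .. 5 (catastrophic). ASSUMED cell values, taken from
# the example matrix usually reproduced from AS/NZS 4360:1999.
MATRIX = {
    "A": "HHEEE",
    "B": "MHHEE",
    "C": "LMHEE",
    "D": "LLMHE",
    "E": "LLMHH",
}

ACTION = {
    "E": "Extreme: immediate action required, or decide not to proceed",
    "H": "High: action should be taken to compensate for the risk",
    "M": "Moderate: action should be taken to monitor the risk",
    "L": "Low: routine acceptance of the risk",
}


def risk_level(likelihood: str, consequence: int) -> str:
    if likelihood not in MATRIX or not 1 <= consequence <= 5:
        raise ValueError("likelihood must be A..E and consequence 1..5")
    return MATRIX[likelihood][consequence - 1]


def rate(skill: int, ease_of_access: int, incentive: int, resource: int, consequence: int):
    """Full path from factor scores to (letter, level, action)."""
    letter = likelihood_letter(skill, ease_of_access, incentive, resource)
    level = risk_level(letter, consequence)
    return letter, level, ACTION[level]


# Constructed scenarios (hypothetical): (skill, ease, incentive, resource, consequence).
SCENARIOS = {
    # Internet-facing portal, weak passwords: no skill, easy, high incentive, no kit.
    "credential stuffing on customer portal": (5, 5, 5, 5, 4),
    # Stealing an air-gapped build signing key: high skill, hard, high incentive, rare kit.
    "build signing key theft": (1, 1, 5, 1, 5),
    # Cleaner reads a document left in open view: no skill, fairly easy, low incentive.
    "open-view document exposure": (5, 4, 1, 5, 2),
}


def sample_ratings() -> dict:
    return {name: rate(*args) for name, args in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (letter, level, action) in sample_ratings().items():
        print(f"{name}: likelihood {letter}, risk {level}; {action}")
```

The signing-key case is the one worth noticing: a rare likelihood (D) still lands in Extreme because the consequence is catastrophic, which is exactly why the matrix, not the likelihood alone, drives the action.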

109 Remedial Selection Measures
- Risk reduction: provide countermeasures to reduce the risk and strengthen the security posture.
- Risk transference: transfer the risk to another party (example: insurance).
- Risk acceptance: accept the risk and absorb the cost when and if it occurs.
- Risk avoidance: decide not to continue with the activity, or not to support the situation, that causes the risk.

110 Risk Acceptance
Security is the balance of protection measures against the acceptance of risk. Risk acceptance:
- Is a cost decision – the amount of investment required to lower the risk.
- Is a pain decision – the ability to deal with ongoing security incidents.
- Is a visibility decision – the potential impact to corporate reputation.
- Should not be a surprise decision – accepting risk without knowing it.

111 Countermeasure and Safeguard Selection Principles
Cost effectiveness – cost/benefit analysis. The total cost of a safeguard includes:
- Selection
- Acquisition (materials and mechanisms)
- Construction and placement
- Environment modification
- Nontrivial operating cost
- Maintenance and testing
When evaluating the benefit of a countermeasure, be sure to include all costs, not just the initial purchase price.

112 Countermeasure and Safeguard Cost Effectiveness
The cost must be justified by the potential loss, and must never exceed the benefit:
(ALE before safeguard) – (ALE after safeguard) – (annual cost of safeguard) = value of safeguard
Example: (ALE before safeguard, $10,000) – (ALE after safeguard, $1,000) – (annual cost of safeguard, $500) = value of safeguard, $8,500
A countermeasure's cost should be compared to the potential cost of losing the asset, and should never exceed the benefit of implementing the countermeasure; a negative value of safeguard means the control costs more per year than the loss it prevents.
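The Python below is an added example, not from the slides, that carries the three quantitative steps of slides 93 to 95 (SLE, ARO, ALE) through to the safeguard value formula on slide 112, and ranks several candidate safeguards against one threat, rejecting any whose annual cost exceeds its benefit. The slide's figures ($10,000 before, $1,000 after, $500 per year) are reproduced; the asset value, exposure factor and the other two safeguards are assumptions chosen to produce them.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and safeguard cost/benefit."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # $ value of the asset at risk
    exposure_factor: float  # fraction of the asset lost per successful event, 0..1
    aro: float              # expected events per year (may be < 1, e.g. 0.1 = once a decade)


def sle(t: Threat) -> float:
    """Step one: Single Loss Expectancy = Asset Value x Exposure Factor."""
    if not 0.0 <= t.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return t.asset_value * t.exposure_factor


def ale(t: Threat) -> float:
    """Step three: Annualized Loss Expectancy = SLE x ARO (step two supplies the ARO)."""
    return sle(t) * t.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float          # total yearly cost, not just purchase price
    new_aro: float              # ARO once the safeguard is in place
    new_exposure_factor: float  # exposure factor once the safeguard is in place


def safeguard_value(t: Threat, s: Safeguard) -> float:
    """(ALE before) - (ALE after) - (annual cost of safeguard)."""
    after = Threat(t.name, t.asset_value, s.new_exposure_factor, s.new_aro)
    return ale(t) - ale(after) - s.annual_cost


def choose(t: Threat, candidates: List[Safeguard]) -> List[Tuple[str, float]]:
    """Rank candidates by net annual value, keeping only those whose
    cost does not exceed their benefit (value > 0)."""
    scored = [(s.name, round(safeguard_value(t, s), 2)) for s in candidates]
    scored.sort(key=lambda x: x[1], reverse=True)
    return [x for x in scored if x[1] > 0]


# Constructed threat reproducing the slide's figures (asset value and EF are assumptions):
# SLE = 50,000 x 0.2 = 10,000; ARO 1.0 -> ALE 10,000 before the safeguard.
SLIDE_THREAT = Threat("ransomware on file server", asset_value=50_000, exposure_factor=0.2, aro=1.0)
# ARO drops to 0.1 -> ALE 1,000 after; cost 500/year -> value 8,500, as on the slide.
SLIDE_SAFEGUARD = Safeguard("offline backups + EDR", annual_cost=500, new_aro=0.1, new_exposure_factor=0.2)
# Two more constructed options: one eliminates the loss but costs more than it saves,
# one is cheap but barely moves the ARO.
GOLD_PLATED = Safeguard("full DR site", annual_cost=12_000, new_aro=0.0, new_exposure_factor=0.0)
CHEAP = Safeguard("awareness poster", annual_cost=200, new_aro=0.9, new_exposure_factor=0.2)


def sample_ranking() -> List[Tuple[str, float]]:
    return choose(SLIDE_THREAT, [SLIDE_SAFEGUARD, GOLD_PLATED, CHEAP])


if __name__ == "__main__":
    print("SLE", sle(SLIDE_THREAT), "ALE", ale(SLIDE_THREAT))
    for name, value in sample_ranking():
        print(f"{name}: value of safeguard {value:,.2f} per year")
    print("rejected:", GOLD_PLATED.name, safeguard_value(SLIDE_THREAT, GOLD_PLATED))
```

The "full DR site" option is dropped even though it drives the ALE to zero: the value formula is per year, so a safeguard whose annual cost exceeds the ALE it removes fails the "cost must never exceed the benefit" test regardless of how effective it is.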

113 Selection Principles (cont.)
Accountability
- At least one person responsible for each safeguard.
- Associate accountability directly with performance.
- Absence of design secrecy.
- Changeability of safeguards.
Audit capability
- Must be testable.
- Include auditors in design and implementation.

114 Selection Principles (cont.)
Vendor trustworthiness
- Review past performance.
Independence of control and subject
- Safeguards control/constrain subjects.
- Controllers administer safeguards.
- Controllers and subjects are different populations.
Universal application
- Impose safeguards uniformly.
- Minimize exceptions.
Independence of control and subject means that the countermeasure is subject to segregation of duties, so that the person maintaining the countermeasure is in a separate population from the persons or activity being controlled by it. We will discuss this in the legal area, but ensure that all safeguards are imposed uniformly on the entire population; otherwise they may not be enforceable.

115 Selection Principles (cont.)
Compartmentalization and defense in depth
- Consider each safeguard's role relative to the environment and to other safeguards.
- Compartmentalization localizes vulnerability.
- Depth establishes serial hurdles.
Isolation, economy, and least common mechanism
- Isolate from other safeguards.
- Minimize dependence on common mechanisms.
- A simple design is cost effective and reliable.
Consider the improved security that comes from layers of security.

116 Selection Principles (cont.)
Acceptance and tolerance by personnel
- Avoid unreasonable constraints.
Minimum human intervention
- Manual functions are the weakest part of a safeguard.
Sustainability
- More automatic = more sustainable.

117 Selection Principles (cont.)
Reaction and recovery – evaluate the reaction when the safeguard is activated:
- Avoids asset destruction
- Does not provide a covert channel
- Does not panic personnel
- Does stop the loss
- Does identify the suspect

118 Selection Principles (cont.)
Override and fail-safe defaults
- Safeguards must have a shutdown capability.
- Default to lack of permission.
Residuals and reset – conditions after safeguard activation:
- Assets at least as secure as before.
- Asset protection during resetting.
- Erasure of residual data.
Selection should be based on the capabilities of the primary function. If products offer the same primary function, review secondary functions to distinguish among them.

119 Quick Quiz
What is a threat? How does risk management reduce risk?
What are the two types of risk analysis?
Explore: The instructor should use these questions to drive general discussion. Don't give the answers directly; only curb responses that are clearly incorrect. See what responses the participants can provide. The section summary on the following page answers these questions directly; use it to highlight any points not clearly drawn out during the quiz discussion.

120 Section Summary A threat is any potential danger to information or an information system. Risk management reduces risk by defining and controlling threats and vulnerabilities. The two types of risk analysis are quantitative and qualitative risk analysis.

121 Questions?

122 Sections of ISO 27002
- Risk assessment
- Security policy – management direction
- Organization of information security – governance of information security
- Asset management – inventory and classification of information assets
- Human resources security – security aspects for employees joining, moving and leaving an organization
- Physical and environmental security – protection of the computer facilities
- Communications and operations management – management of technical security controls in systems and networks
- Access control – restriction of access rights to networks, systems, applications, functions and data
- Information systems acquisition, development and maintenance – building security into applications
- Information security incident management – anticipating and responding appropriately to information security breaches
- Business continuity management – protecting, maintaining and recovering business-critical processes and systems
- Compliance – ensuring conformance with information security policies, standards, laws and regulations

