Published by Marylou Lawrence. Modified over 9 years ago.
Information Assurance Professional
National Security Registration Board
Version 2.6

Course Goals
This course presents the fundamental concepts of information assurance.
It is designed to foster a mastery-level understanding of the IA process.
The intention is to prepare a trained IA professional.

Course Application
You learn how to tailor a practical information assurance architecture using this BOK,
as well as how to deploy an appropriate set of flexible countermeasures.

Three Assumptions
Three major assumptions underlie this course:
Assumption One
– Effective information security requires an integrated set of business and technological processes.

The Three Assumptions
Assumption Two
– Effective information security programs must be deliberately designed and deployed organization-wide through a strategic planning process.

The Three Assumptions
Assumption Three
– Information security programs are systematic; that is, they embody an appropriate set of persistent and interacting controls.
– These function seamlessly and as an integral element of the day-to-day operation of the business.

The Importance of Planning
All three of these requirements must be satisfied for the solution to be correct.
That condition is not arrived at by chance.
It is always derived from a valid set of common best practices.

The IBOK
The IBOK is a compendium, or body of knowledge, rather than a standard.
It is an integration of three existing models into a single unified concept.
The idea is that a harmonized set of recommendations is the most authoritative statement about best practice.
Best Practice Models
There are at least three models that are used to guide that process:
– The Generally Accepted System Security Principles (GASSP), 1999
– ISO 17799 and BS 7799:2 (2002)
– COBIT (2006)

Best Practice Models
Each of these embodies a fundamental set of principles derived from extensive “lessons learned”.
Each of these provides a useful set of high-level control objectives, which can be tailored to any organizational need.
And each has the potential to serve as the basis of an effective solution.

Best Practice Models
This model comprises the Information Security Body of Knowledge (IBOK).
It also presents a standard implementation methodology for this BOK.

Course Assumptions
Individuals who successfully complete this course can be assumed to be:
– Knowledgeable in the best practices for information assurance
– Competent to implement security systems that are capable of being accredited by the NSRB.

Text
The following are required:
Information Security Body of Knowledge – IBOK Open Standard 2.2, International Standards Institution of Governors, 2004
Training Guideline, IBOK, National Standards Registration Board, 2003
Course Description
You will learn how to:
– Create an information security architecture
– Establish detailed control procedures within this framework

Course Description
– Systematically identify and monitor areas of vulnerability
– Assess the impact of threats as they are identified
– Deploy appropriate technological and managerial countermeasures

Course Objectives
At the end of this course you will be able to:
– Deploy an appropriate managerial and technical control framework
– Establish a correct information security control set within that framework

Course Objectives
Conduct a capable threat identification.
Formulate a baseline defense-in-depth countermeasure set.

Course Objectives
Be able to valuate assets and justify the countermeasures based on that valuation.
Be able to deploy, assess and continuously maintain operational countermeasures.

Course Agenda
3:00–3:30 – Module One: Principles of Information Security
3:30–4:00 – Module Two: The Information Assurance Process
4:00–4:45 – Module Three: The Implementation Process
4:45–5:00 – Initiate Project
5:00–5:30 – Prepare Solution
5:30–5:45 – Report Solution
5:45–6:00 – Questions and Lessons Learned
Module One
The Five Basic Goals of the Information Assurance Process

The Five Basic Goals of IA
Information assurance ensures the:
– Availability
– Confidentiality
– Integrity
– Authentication
– Non-Repudiation of Origin
of information.
Definition: Confidentiality
Confidentiality is the condition that ensures that information is not disclosed to unauthorized persons, processes or devices.
This implies the requirement for such discrete functions as:
– information identification and labeling
– need-to-know procedures.

Definition: Integrity
Integrity is the condition of assuring trust.
Within the information security universe, integrity is specifically interpreted to mean:
– that a transmission will arrive at its destination in exactly the same form as it was sent.

Definition: Integrity
That requires ensuring:
– the logical correctness and reliability of the operating system
– the logical completeness of the hardware and software entities
– the consistency of the data and occurrences of the stored data.

Definition: Authentication
Authentication is a security service designed to establish the validity of a transmission, message, or originator.
It is also a means of verifying an individual’s authorizations to receive specific categories of information.

Definition: Authentication
Authentication ensures that the occurrence of false identities is eliminated.
An individual, an organization, or a computer has to be able to prove its identity to be properly secured.

Definition: Authentication
This also implies an authorization function.
Authorization describes the system’s ability to regulate access to resources once the identity is verified.
Definition: Availability
Availability implies the ability to provide authorized users with timely and reliable access to data and information services.
It is characterized by best practices such as:
– back-up power
– continuous signal
– off-site recovery

Definition: Availability
Availability also describes the overall goal of security management,
which is to ensure the requisite level of trustworthiness in day-to-day operation.

Definition: Availability
In reality, availability is a condition rather than a specific security function.
It is often traded off against purely security-related conditions, like confidentiality.

Definition: Availability
Because availability ensures functioning,
there might be a time when assuring availability outweighs procedures that are necessary to secure information.

Definition: Availability
The judgment to sacrifice any of the other security services for the sake of enhanced availability is a risk mitigation decision,
which is usually motivated by threats and vulnerabilities in the business case.

Definition: Non-Repudiation
Non-repudiation of origin provides the sender with proof of delivery
AND
it underwrites the identity of the sender to the recipient.

Definition: Non-Repudiation
As a result, neither party can later deny that the message was legitimately sent and received.
Non-repudiation has ramifications for everything from purchases on eBay to modern battlefield orders.
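The integrity and authentication definitions above say that a transmission must arrive in exactly the form it was sent and that its originator must be provable. The following Python block is an added illustration of how a receiver checks those two conditions; it is not material from the course or the IBOK, and the message and shared key in it are constructed sample values. It contrasts a plain hash, which catches accidental corruption but can be recomputed by whoever alters the message, with a keyed HMAC, which also detects deliberate alteration by anyone who lacks the key. The last check in the HMAC scenario is the point that matters for the non-repudiation slides: because both ends hold the same key, the receiver could have produced the tag itself, so a MAC gives integrity and origin authentication between the two parties but not non-repudiation of origin toward a third party; that needs a digital signature under a key only the sender holds.

```python
"""Added example, not from the course slides: verifying that a message arrived
exactly as sent (integrity) and came from the expected party (authentication),
using only the Python standard library.  Message and key are constructed."""
import hashlib
import hmac
import secrets

# Constructed sample message and constructed 32-byte shared key (not real data).
MESSAGE = b"TRANSFER 100 UNITS TO ACCOUNT 42"
SHARED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def digest_only(message: bytes) -> bytes:
    """Unkeyed hash: catches accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(message).digest()


def mac(message: bytes, key: bytes) -> bytes:
    """Keyed MAC: only a holder of the key can produce a tag that verifies."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_digest(message: bytes, tag: bytes) -> bool:
    # Constant-time comparison avoids leaking how many tag bytes matched.
    return hmac.compare_digest(digest_only(message), tag)


def verify_mac(message: bytes, tag: bytes, key: bytes) -> bool:
    return hmac.compare_digest(mac(message, key), tag)


def scenario_plain_hash() -> dict:
    """Integrity with a plain hash shipped alongside the message."""
    tag = digest_only(MESSAGE)
    corrupted = MESSAGE[:-1] + b"!"                          # transmission error
    altered = MESSAGE.replace(b"ACCOUNT 42", b"ACCOUNT 99")  # on-path alteration
    return {
        "genuine_accepted": verify_digest(MESSAGE, tag),
        "corruption_detected": not verify_digest(corrupted, tag),
        # Whoever altered the message simply recomputes the hash, so the receiver
        # sees a consistent message and tag: the plain hash does not detect it.
        "alteration_detected": not verify_digest(altered, digest_only(altered)),
    }


def scenario_hmac() -> dict:
    """Integrity plus origin authentication with a shared-key MAC."""
    tag = mac(MESSAGE, SHARED_KEY)
    altered = MESSAGE.replace(b"ACCOUNT 42", b"ACCOUNT 99")
    guessed_key = secrets.token_bytes(32)  # a party that does not hold the real key
    return {
        "genuine_accepted": verify_mac(MESSAGE, tag, SHARED_KEY),
        "alteration_with_old_tag_detected": not verify_mac(altered, tag, SHARED_KEY),
        "alteration_with_wrong_key_detected": not verify_mac(
            altered, mac(altered, guessed_key), SHARED_KEY
        ),
        # Both ends hold SHARED_KEY, so the receiver could have produced this tag
        # itself: a MAC authenticates between the two parties but gives no
        # non-repudiation of origin toward a third party.
        "receiver_could_have_produced_tag": verify_mac(
            altered, mac(altered, SHARED_KEY), SHARED_KEY
        ),
    }


if __name__ == "__main__":
    print("plain hash:", scenario_plain_hash())
    print("hmac:      ", scenario_hmac())
```

The two scenario functions return the outcome of each check, so the same code can be run as a quick self-test: every entry is True except `alteration_detected` in the plain-hash scenario, which is the gap a keyed MAC closes.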
Module One: Questions
1. What are the five elements of IA?
2. What does integrity ensure?
3. What is often traded off against availability?
4. What is the value of non-repudiation to businesses?
5. What does authentication require to work properly?
6. What is a risk mitigation decision?
7. What is non-repudiation based on?
8. What is availability characterized by?
9. What does need-to-know support?
10. What basic condition does offsite backup ensure?
Module Two
The Information Assurance Process

Information assurance is a multifaceted process composed of fifteen elements and one critical capability.
Each is a discrete function and each contributes differently to the overall purpose of securing information.
These fifteen elements comprise a lifecycle.

The Information Assurance Process
All fifteen function within that lifecycle to ensure an effective level of security.
Each element plays its proper role at a logical place within the process.

The Information Assurance Process
The outcome is adequate protection of all information assets.
Adequate protection assumes the presence of all necessary safeguards!

Building a Holistic Solution
Electronic assurance constitutes just one aspect of that protection.
Full protection has to incorporate all of the organizational functions and human factors relevant to security.

Building a Holistic Solution
The outcome must constitute a holistic response.
In essence the response must integrate:
– All of the assurance measures
– To protect all information
– At all times

The Fifteen Principles
The IBOK integrates a common body of knowledge.
That BOK itemizes fifteen aspects of security (and one critical process).

The Fifteen Principles
Each must be addressed in order for a security solution to be complete.
These are arrayed in the lifecycle model demonstrated on the next set of slides.
[Diagram] IA Lifecycle – Lifecycle Scope. Labels: The Information Resource; Asset Identification (“is described by”); Risk Assessment (“evaluated by”).

[Diagram] IA Lifecycle – Management. Labels: Security Policy (“defines”); Security Infrastructure (“which enforces”); Access Control and Security of Operations (“which is maintained by”); Security Discipline (“which is shaped by”); Ethical Conduct.

[Diagram] IA Lifecycle – Countermeasures. Labels: Continuity, Compliance, Process Assurance, Physical Security, Personnel Security, NETSEC, Software Assurance, Crypto; grouped as Technical Countermeasures, Management Countermeasures and Process Countermeasures.
Principle One: Asset Identification
The form of the information resource has to be understood in order to properly secure it.
Thus, everything that is part of that resource has to be identified, labeled and placed in a documented asset baseline.
It is also necessary to establish a system for controlling changes to that baseline.
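The slide asks for two things: a documented, labeled baseline and a system for controlling changes to it. The following Python block is an added illustration of both, not code from the course or the IBOK. It keeps a small baseline of labeled assets, computes a digest over the documented baseline so that edits to the record itself are visible, classifies what a later observation shows as unregistered, missing or changed, and folds only approved differences back into the baseline. The assets, labels and the observed inventory are constructed sample data, and the field names are assumptions rather than any IBOK schema.

```python
"""Added example, not from the course slides: a documented asset baseline
with change control.  The assets, labels and the "current scan" are
constructed sample data, and the field names are assumptions, not an
IBOK schema."""
from dataclasses import dataclass, asdict
import hashlib
import json


@dataclass(frozen=True)
class Asset:
    asset_id: str     # unique identifier in the baseline
    kind: str         # e.g. "server", "database", "document"
    label: str        # sensitivity label, e.g. "internal", "confidential"
    owner: str        # accountable manager
    fingerprint: str  # digest of the asset's configuration (constructed here)


# Constructed documented baseline and a constructed later observation.
BASELINE = [
    Asset("srv-01", "server", "internal", "ops", "fp-a1"),
    Asset("db-01", "database", "confidential", "dba", "fp-b2"),
    Asset("doc-07", "document", "confidential", "legal", "fp-c3"),
]
OBSERVED = [
    Asset("srv-01", "server", "internal", "ops", "fp-a1"),
    Asset("db-01", "database", "internal", "dba", "fp-b2"),   # label downgraded
    Asset("srv-02", "server", "internal", "ops", "fp-d4"),    # never registered
]


def baseline_digest(assets: list[Asset]) -> str:
    """Digest over the canonical baseline, so that any edit to the documented
    baseline itself is visible (the baseline record needs protecting too)."""
    ordered = sorted((asdict(a) for a in assets), key=lambda d: d["asset_id"])
    canonical = json.dumps(ordered, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff_against_baseline(baseline: list[Asset], observed: list[Asset]) -> dict[str, list[str]]:
    """Classify each difference between what is documented and what is observed."""
    base = {a.asset_id: a for a in baseline}
    seen = {a.asset_id: a for a in observed}
    return {
        "unregistered": sorted(seen.keys() - base.keys()),   # present, never documented
        "missing": sorted(base.keys() - seen.keys()),        # documented, no longer found
        "changed": sorted(i for i in base.keys() & seen.keys() if base[i] != seen[i]),
    }


def apply_approved_changes(baseline: list[Asset], observed: list[Asset], approved_ids: set[str]):
    """Change control: only differences whose asset_id carries an approval are
    folded into the baseline; everything else stays flagged for follow-up."""
    delta = diff_against_baseline(baseline, observed)
    seen = {a.asset_id: a for a in observed}
    new_baseline = []
    for a in baseline:
        if a.asset_id in approved_ids and a.asset_id in delta["missing"]:
            continue                               # approved decommissioning
        if a.asset_id in approved_ids and a.asset_id in delta["changed"]:
            new_baseline.append(seen[a.asset_id])  # approved modification
            continue
        new_baseline.append(a)
    new_baseline += [seen[i] for i in delta["unregistered"] if i in approved_ids]
    unapproved = {k: [i for i in v if i not in approved_ids] for k, v in delta.items()}
    return new_baseline, unapproved


if __name__ == "__main__":
    updated, open_items = apply_approved_changes(BASELINE, OBSERVED, {"srv-02"})
    print("baseline digest before:", baseline_digest(BASELINE))
    print("baseline digest after: ", baseline_digest(updated))
    print("still unapproved:", open_items)
```

In the sample run only the new server has an approval, so it enters the baseline and the digest changes; the relabelled database and the missing document remain open findings, which is the behaviour a change-control step should have: the baseline moves only on an explicit decision, never just because the environment did.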
Principle Two: Risk Assessment
Risk assessment defines the form of the security response.
Current operations as well as prospective ones are systematically evaluated using risk assessment.
The goal is to identify potential threats, vulnerabilities and weaknesses within the asset base.

Principle Three: Security Policy
Then the organization establishes uniform policies to guide the assurance process.
These policies are the basis for the solution.
The outcome is a rational set of guidelines for information assurance.

Principle Four: Infrastructure
The procedural infrastructure is a tangible realization of security policy.
The organization has to design and enforce a logical and consistent set of procedures.
These must be directly traceable to the policies they implement.

Principle Five: Access Control
One of the chief purposes of any security scheme is regulating access.
This principle specifies the need for an operational structure to enable that.
Its aim is to grant access to legitimate users while preventing unauthorized persons from gaining access to protected information.

Principle Six: Security of Operation
This involves continuous enforcement of routine security procedures.
At its essence this revolves around the incident response capability.
It also entails procedures to prevent vital information from being used by an adversary (called OPSEC).

Principle Seven: Continuity
This details a comprehensive strategy to ensure business continuity.
It defines explicit practices to ensure that the business continues to operate if its information is lost or harmed.
It also establishes the explicit disaster planning and recovery capability.

Principle Eight: Compliance
This principle ensures that a comprehensive mechanism is in place to ensure compliance.
It guarantees that the stipulations of all contracts and regulations are obeyed.
It ensures that due diligence is exercised in meeting all legal requirements.

Principle Nine: Physical Security
The purpose of physical security is to control tangible information and IT assets.
It establishes an asset management process and a realistic physical protection scheme.
It involves standard operating practices to ensure the integrity of all workspaces and physical resources within a secure boundary.

Principle Ten: Personnel Security
This involves comprehensive procedures to assure worker compliance with security policy.
It is based around employee screening and the assignment of roles and responsibilities.
It also monitors the security activities of all employees.

Principle Eleven: Process Security
This focuses on the development lifecycle.
It contains methods to ensure security is embedded in all development work.
It makes certain that security functionality is baked into all products during development.

Principle Twelve: Network Security
This assures network access to electronic assets.
It establishes both network access control and network monitoring.

Principle Twelve: Network Security
This is a classic purpose of information assurance.
It identifies users, authenticates, authorizes and controls access.
It also includes the elements necessary to ensure the development of secure network architectures.

Principle Thirteen: Software Assurance
This principle ensures the continuing integrity of all application and system software.
That includes installing software and also analyzing and reporting on its performance.
It ensures secure operation of all software within the operational environment and the resolution of anomalies and conflicts.

Principle Fourteen: Security Discipline
Discipline is human-centered.
It ensures that policies and procedures are understood and adhered to in a disciplined way.
Its purpose is to establish awareness and motivation and to enforce discipline.

Principle Fifteen: Ethics
This principle delineates a comprehensive code of defined ethical practices.
This code accurately reflects community norms with respect to ethical behavior.
It serves as a basis for the rules of conduct as well as personal accountability.

Critical Supporting Process: Cryptology
Cryptology is not a principle as much as it is the basis for secure message transfer.
It is not a principle because it isn’t at the same level as the others in the IBOK.
It is a necessary foundation requirement to secure electronic transmission.

Critical Supporting Process: Cryptology
It is a very large topic area because it includes so many technical aspects.
It entails the technical requirements for translating plaintext into encrypted transmissions.
It also dictates the encryption methods and key structures that underlie that process.
Application of the Principles
Each principle acts to secure the specific aspect that it is meant to assure.
The integrated set forms a mutually supporting system that provides the desired level of assurance.

Application of the Principles
All information assurance processes embody an established collection of common components,
which are designed to work together to produce an optimum solution.
The overall solution can be understood in terms of those components and their logical interactions.

Application of the Principles
Moreover, they also represent an implicit structure for the process.
This structure has a lifecycle orientation.
Institutionalization Factors
Establishment
Means
Oversight
Enforcement

Overview
Institutionalization factors can be used to determine if these 15 principles and one critical function have been properly established.
Processes must meet the following common criteria in order to be judged as effectively practiced.

Establishment
The organization must document its commitment to each principle. Criteria for judging this are:
– Explicit designation of a manager responsible for controlling ongoing operation
– The placement of the manager in a position of authority sufficient to enforce decisions
– The continuous maintenance of that position in the organizational decision-making structure

Means
Qualified employees must be provided… Criteria for judging this are:
– The necessary staff and resources are identifiably designated and deployed
– It is possible to document that staff are competent to perform their assigned roles
– The deployment of staff resources is explicitly traceable to individual principles.

Oversight
The organization must provide an objective means to monitor the fulfillment of the purposes of each principle. Criteria for judging this are:
– Development and use of formal measures of performance
– Use of analytic methods to support decision making
– The designation of, and adherence to, formal reporting lines and follow-up procedures.

Enforcement
The organization must assure that each principle is adhered to. Criteria for judging this include:
– Designation of a person accountable for enforcement
– Regularly scheduled internal audit, or review of the principle for compliance
– Defined procedures for corrective action.
Module Two Review
1. Why is cryptology included among the principles?
2. How do policy and infrastructure relate?
3. Why does information assurance have a lifecycle?
4. Why is asset identification the first step?
5. Why are there three areas of countermeasure?
6. How do security discipline and operation security relate?
7. What is the role of ethics in policy formulation?
8. How do continuity and operations security relate?
9. Why is software assurance important to security?
10. What is the role of compliance in security?
Module Three
Implementing the Security Response

Implementation Overview
Security involves identifying, prioritizing and managing a response to every plausible threat to the organization’s information assets.
This countermeasure deployment function is not a one-shot “front-end” to the establishment of a static security solution.
It is a constant and organized probing of the environment to sense the presence of, and respond appropriately to, any potential sources of harm to the organization’s information assets.

Implementation Overview
As a consequence, the first step in formulating a correct security response is threat identification.
That amounts to the identification of ANY threats in the organization’s technical or operating base that might lead to the loss of ANY information, of ANY value,
and then the deployment of an effective set of controls to alleviate each vulnerability identified.

[Diagram] Model of the Implementation Process. Boxes shown:
– Information Gathering and Chartering
– Asset Baseline Formulation
– Model Selection and Gap Analysis
– Asset Valuation and Resource Tradeoff
– Formulation and Baselining of the Control Set
– Assessment of Control Coverage and Effectiveness
– Refinement and Finalization of Control Set
79
Implementation Overview The activities above the red line are termed the “Threat Identification and Response” phaseThe activities above the red line are termed the “Threat Identification and Response” phase This part of the process drives the resource allocation decisions as well as the development and refinement of the optimum set of controls.This part of the process drives the resource allocation decisions as well as the development and refinement of the optimum set of controls.
80
Implementation Overview The activities below the red line are aimed at the definition of the tangible information security system.The activities below the red line are aimed at the definition of the tangible information security system. We are going to discuss each of these boxes in turn in detail.We are going to discuss each of these boxes in turn in detail.
81
Threat Identification Threat identification and response is composed of four elementsThreat identification and response is composed of four elements –Information Gathering and Chartering –Asset Baseline Formulation –Model Selection and Gap Analysis –Asset Valuation and Tradeoff.
82
Threat Identification The aim of these four activities is to achieve an understanding of the security response that is appropriate to the precise situationThe aim of these four activities is to achieve an understanding of the security response that is appropriate to the precise situation And which fits within the constraints of the organization.And which fits within the constraints of the organization. Properly executed it is conducted in the background of day-to-day organizational functioningProperly executed it is conducted in the background of day-to-day organizational functioning
83
Threat Identification In practice, it employs methods and tools to identify, analyze, plan for, and control any potentially harmful or undesirable event. It should be noted that while the overall aim of the threat identification and response process is to prevent or minimize the impact of security losses at the business level of the organization, technical risks are also managed, since they often constitute the root cause of business breaches or losses.
84
Threat Identification Threat identification and response approaches must establish a disciplined environment for proactive decision-making. They should regularly assess what could go wrong and then determine the approach and timing by which each potential threat will be countered. This all takes place within the constraints of practical business considerations such as the resources and time available.
85
Threat Identification The last part of this process is an important issue in the implementation of a realistic solution, since it is highly likely that more risks will be identified than can possibly be responded to. So it is important to at least address the ones that pose the most potential harm to the corporation.
86
Threat Identification Finally, we want to stress that the form of the process as well as the scope of the solution is dictated by the type of security desired. Consequently, the substance of the identification, analysis, planning and control elements and activities required is going to vary. As we progress through this guideline it is also important to keep in mind that although the form of the process is generic, the actual considerations vary with the focus and intent of the organization.
87
Information Gathering and Chartering Operationally, the right set of organizational representatives formulates the requirements of the security system into a statement of need, which is then documented and authorized by the appropriate executive decision makers and published to the business at large.
88
Information Gathering and Chartering The only purpose of this phase is to serve as a launch pad for the decision-making regarding the specific security model utilized next. So logically, this element should generally define both the scope and extent of the desired solution.
89
Information Gathering and Chartering In practice, this stage is probably the least substantive aspect of any implementation project in the sense that it does not really touch on any of the details of the actual protection scheme. Nonetheless, it might be the single likeliest point of failure. That is because everything that will happen downstream originates from this one point.
90
Information Gathering and Chartering As a consequence, it is important for everybody who will have anything to do with the system to understand and agree on the type and degree of protection at the beginning of the process. In effect this agreement should accomplish two critical purposes. From a functional system standpoint it has to ensure that the problem is properly targeted.
91
Information Gathering and Chartering More importantly, it should also support the education and buy-in of the people who are actually going to be actively involved in formulating the system. That is because it is well documented that the long-term success of any solution is directly dependent on the level of support for the process. This is not an inconsequential exercise, and it can be resource intensive.
92
Information Gathering and Chartering The execution of this process is generally based on the generic systems analysis approaches that have populated the organizational development body of knowledge for the past fifty years. There are numerous recognized ways of actually conducting this. However, there is only one absolute requirement, which is that the eventual outcome has to be sponsored at the highest levels of the company.
93
Information Gathering and Chartering There have been a number of studies to support the idea that ownership of security should be at the level of the Board of Directors or CEO (the best of these are summarized in DTI, 2002). Notwithstanding that, the literature is unanimous in stressing that effective information assurance solutions have to be thoroughly embedded in the organization, and that requires across-the-board acceptance, which can only be enforced through executive sponsorship.
94
Information Gathering and Chartering One final point also must be stressed, which is that the information gathering function should not degenerate into a detailed technical problem solving process. The only objective of this first stage is to define the general form of the problem for the purpose of determining an explicit strategic direction.
95
Information Gathering and Chartering There are many reasons why a complete framework solution may not be appropriate, ranging from a lack of resources all the way to knowledge of a specific targeted need. These must all be identified, brought forward and agreed on in order to choose a proper scope and appropriate model for the eventual response.
96
Information Gathering and Chartering Since the players are usually busy executives, they are never interested in the details, only in the assurance that the correct target will be hit. As such, the first phase has to be conducted with that single goal in mind. Once the direction is chosen, the form of the rest of the process is dependent on the model selected, and that activity constitutes the rest of this stage.
97
Information Gathering and Chartering The selection of an appropriate model is crucial, since the only way that the protection scheme will work is if the model it is based on fits the organization’s security needs. The final point that we need to make before we leave this section, however, is that there is no one model for information protection.
98
Information Gathering and Chartering The only rule is that whatever is selected should fit the exact requirements of the situation. This is both an intelligent design process as well as a political one. As such, the outcomes of the information gathering process must be rigorously adhered to in order to guide that decision-making process.
99
Information Gathering and Chartering And the eventual model selected should always meet the requirements that have been “bought into” by the whole organization through the chartering process. Since the next phase of the process starts the tactical implementation of the security solution, this initial stage is the point where the strategy is set.
100
Asset Baseline Formulation This second stage is probably the least commonly understood, in that with most protection schemes the form of the assets to be protected is known. As the user knows, in the case of information security the asset base is an abstract construct, which could legitimately have many forms. As such, before protection schemes can be devised the boundaries and material form of the asset must be characterized.
101
Asset Baseline Formulation That involves gathering all of the pertinent information necessary to define the complete form of the assets that will be protected, which means the meticulous identification and labeling of every item under control of the security system.
–This is not a trivial exercise. It is a prerequisite for subsequent assessment of risk because it establishes the "day one" state of the organization’s total set of information assets.
102
Asset Baseline Formulation In practice, the aggregate set of assets is termed a “baseline”. The individual components that constitute this baseline must be explicitly identified and labeled as part of the asset identification process. A precisely defined information asset baseline is an absolute prerequisite for the conduct of the rest of the process, since it is this explicit configuration that is maintained by the security system.
103
Asset Baseline Formulation And because it is a tangible structure, the classification and tagging of the asset elements that constitute it is usually based on their logical interrelationships with each other. This is maintained as a hierarchy of elements that ranges from a view of the information asset as a single entity down to the explicit items that constitute that resource. The baseline scheme that emerges at the lowest level of decomposition represents the concrete architecture of the target information asset.
104
Asset Baseline Formulation The decisions that determine what this asset base looks like are normally made using the input of a number of different participants. That could range from the technical staff all the way up to executive owners of a given information item. The items defined at any level in the hierarchy are given unique and appropriate labels that are explicitly associated with the overall organization of the information asset itself.
105
Asset Baseline Formulation That is, these labels designate and relate the position of any given item in the overall "family tree" of the asset base. Once established, the formal information asset baseline is kept in a “ledger”, which is fully accounted for and maintained throughout the lifecycle of the security system. Since security systems are evolutionary, formal procedures also have to be put in place to systematically manage the inevitable changes to the form of the information asset baseline.
106
Asset Baseline Formulation In the real world, most corporate information asset baselines are maintained in an electronic ledger, which is generically termed a “Baseline Management Ledger”, or BML. Changes at any level in the basic structure of the information asset baseline are maintained at all relevant levels in that ledger and must correctly and accurately reflect the changed status of the actual information item.
107
Generic Change Management (diagram). Boxes: Notification/Request for Change; Information Asset Baseline Manager; Authorization by Appropriate Decision Maker; Verification of Change; Implementation of Change; Baseline Management Ledger.
108
Asset Baseline Formulation If this is not done in a systematic and disciplined fashion, the painfully constructed understanding of the form of the information asset will move out of the organization’s grasp, leaving it securing things that don’t exist and not securing things that do. Baseline management would be a time consuming task if it were not for commercial utilities that do this record keeping automatically.
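The hierarchical labeling and the generic change-management flow described for the Baseline Management Ledger can be made concrete in a small ledger model. This is an added example, not code from the course or from any commercial BML product; the asset labels, people and the request/authorize/implement/verify method names are constructed for illustration.

```python
"""Added example: a minimal Baseline Management Ledger (BML) with 'family tree'
labels and the change-management flow request -> authorization ->
implementation -> verification, each step recorded in an audit trail.
All asset names and people below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class ChangeRequest:
    request_id: int
    label: str                  # hierarchical label, e.g. "HR/Payroll/DB01"
    attribute: str              # which recorded attribute of the asset changes
    new_value: str
    requested_by: str
    authorized_by: Optional[str] = None
    implemented: bool = False
    verified: bool = False


class BaselineLedger:
    """Assets keyed by hierarchical label; every transition is appended to an
    audit trail so the ledger stays 'fully accounted for' over its lifecycle."""

    def __init__(self) -> None:
        self.assets: Dict[str, Dict[str, str]] = {}
        self.requests: Dict[int, ChangeRequest] = {}
        self.audit: List[Tuple[str, str]] = []
        self._next_id = 1

    def _log(self, event: str) -> None:
        self.audit.append((datetime.now(timezone.utc).isoformat(), event))

    def register(self, label: str, **attrs: str) -> None:
        """Add an asset. Its parent path must already exist, so every label
        has a defined position in the family tree of the asset base."""
        parent = label.rsplit("/", 1)[0] if "/" in label else None
        if parent is not None and parent not in self.assets:
            raise KeyError(f"parent {parent!r} is not in the baseline")
        if label in self.assets:
            raise ValueError(f"duplicate label {label!r}")
        self.assets[label] = dict(attrs)
        self._log(f"register {label}")

    def children(self, label: str) -> List[str]:
        """Direct descendants of a label (one level down the hierarchy)."""
        prefix = label + "/"
        return sorted(l for l in self.assets
                      if l.startswith(prefix) and "/" not in l[len(prefix):])

    def request_change(self, label, attribute, new_value, requested_by) -> int:
        """Notification / request for change: nothing in the ledger moves yet."""
        if label not in self.assets:
            raise KeyError(f"{label!r} is not in the baseline")
        cr = ChangeRequest(self._next_id, label, attribute, new_value, requested_by)
        self.requests[cr.request_id] = cr
        self._next_id += 1
        self._log(f"request #{cr.request_id} on {label} by {requested_by}")
        return cr.request_id

    def authorize(self, request_id: int, decision_maker: str) -> None:
        """Authorization by the appropriate decision maker (never the requester)."""
        cr = self.requests[request_id]
        if decision_maker == cr.requested_by:
            raise PermissionError("requester cannot authorize their own change")
        cr.authorized_by = decision_maker
        self._log(f"authorize #{request_id} by {decision_maker}")

    def implement(self, request_id: int) -> None:
        """Implementation: the ledger is only updated for an authorized request."""
        cr = self.requests[request_id]
        if cr.authorized_by is None:
            raise PermissionError(f"request #{request_id} is not authorized")
        self.assets[cr.label][cr.attribute] = cr.new_value
        cr.implemented = True
        self._log(f"implement #{request_id}")

    def verify(self, request_id: int) -> bool:
        """Verification: confirm the ledger reflects exactly the authorized value."""
        cr = self.requests[request_id]
        if not cr.implemented:
            raise RuntimeError(f"request #{request_id} is not implemented")
        cr.verified = self.assets[cr.label].get(cr.attribute) == cr.new_value
        self._log(f"verify #{request_id}: {'ok' if cr.verified else 'MISMATCH'}")
        return cr.verified


def demo():
    """Walk one reclassification through the full flow on a constructed baseline."""
    bml = BaselineLedger()
    bml.register("HR", owner="VP Human Resources")
    bml.register("HR/Payroll", owner="Payroll Manager")
    bml.register("HR/Payroll/DB01", owner="DBA team", classification="Confidential")
    rid = bml.request_change("HR/Payroll/DB01", "classification", "Restricted", "dba.lee")
    bml.authorize(rid, "ciso.kim")
    bml.implement(rid)
    return bml, rid


def unauthorized_change_is_rejected() -> bool:
    """The control in action: an unauthorized request never reaches the ledger."""
    bml = BaselineLedger()
    bml.register("Finance", owner="CFO")
    rid = bml.request_change("Finance", "owner", "someone.else", "analyst.ray")
    try:
        bml.implement(rid)
    except PermissionError:
        return bml.assets["Finance"]["owner"] == "CFO"
    return False
```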
109
Model Selection and Risk Assessment Once the asset baseline is established, the next step is usually termed “risk assessment”. It is in reality a gap analysis conducted against a model of correct practice, and the literature is full of methodologies for carrying out that task. These can be divided into two types: those that are based on a commonly accepted standard model and those that are based on a set of unique criteria.
110
Model Selection and Risk Assessment Whatever the approach, the actual execution always starts at the model, which implies the importance of selecting an appropriate standard as the benchmark. Thus the first step in the gap analysis is to gather enough information about the situation to select the right model. By necessity this activity must be guided by and referenced to the project charter obtained in the first phase of this process.
111
Model Selection and Risk Assessment The other essential piece is the asset baseline definitions formulated in the prior phase. Using these two factors for guidance, it should be possible to find the appropriate model. Essentially the participants in the selection process decide what must be protected and what type of solution is appropriate to those implicit requirements.
112
Model Selection and Risk Assessment The requirement for a gap analysis is common across all models of information security. That is, a gap analysis is always done the same way for the same purpose no matter what. In professional settings the gap analysis is usually called a “risk assessment”. That is because the point of the activity is to identify RISKS created by gaps in operating procedures.
113
Model Selection and Risk Assessment This risk assessment activity is arguably the most important element in formulation of a proper security response because it
–identifies the potential threats
–assesses the harm that might ensue from each
–analyzes and categorizes options for response.
Operationally this process is carried out by comparing the form of the current operation to the comprehensive set of ideal best practice requirements specified in the framework model.
114
Model Selection and Risk Assessment This is done to identify the gaps that exist. These gaps represent the vulnerabilities and weaknesses that must be addressed by new procedures. Since a particular threat may not necessarily have much impact for a given situation, once the risk exposures are all identified they are assessed to distinguish only those that would create specific and undesirable vulnerabilities.
115
Model Selection and Risk Assessment Next, these vulnerabilities are carefully analyzed with respect to the particular organizational situation in order to identify the specific weaknesses that the security system needs to target directly. These weaknesses are prioritized so that the ones with the most critical impacts are dealt with first.
116
Model Selection and Risk Assessment The process can best be described by looking at it from the standpoint of the documentation that is utilized to carry it out. In fact the tangible documentation set is so important that it is generally the only thing that an auditor uses to verify that a selected model has been implemented properly.
117
Elements of the Gap Analysis (diagram). Boxes: IBOK Control Objectives; Operational Charter for Security System; Outcomes - Degree of Conformance to Control Objectives; Explicit Set of Identified Vulnerabilities and Weaknesses.
118
Model Selection and Risk Assessment The first of these are the inputs to the assessment process. These inputs represent the set of ideal best practices that are itemized in the IBOK and their concomitant controls.
–That ideal is used as the point of reference for the ensuing assessment.
The organization describes its degree of conformance with the relevant benchmark criteria selected from the IBOK model to document this.
119
Model Selection and Risk Assessment The box in the center represents the detailed assessment outcomes that the organization will obtain as a consequence of this comparison. As we said earlier, the point is to explicitly characterize the level of compliance between a particular operation and the ideal specified in the IBOK.
120
Model Selection and Risk Assessment Finally, the documentation produced is a precise statement of the vulnerabilities that the identified areas of non-compliance represent. This documentation will drive the activity in subsequent stages, where the organization will make decisions about the actions that must be taken to address each identified weakness, as well as how it will document the security system for the purposes of management oversight and audit.
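The gap analysis described above (control objectives in, degree of conformance recorded, only the gaps that matter in this situation kept, prioritized by impact) can be expressed as a short procedure. This is an added example and not the course's own method or the IBOK's content; the control objectives, conformance scale and conformance figures are constructed sample data.

```python
"""Added example: gap analysis against a set of control objectives.
Inputs: the objectives of the chosen model and the organization's stated
degree of conformance with each. Output: the prioritized set of identified
vulnerabilities. Objectives and levels below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed ordinal scale for "degree of conformance"; 'full' means no gap.
CONFORMANCE_SCALE = {"none": 0, "partial": 1, "largely": 2, "full": 3}


@dataclass(frozen=True)
class ControlObjective:
    ref: str          # constructed identifier within the framework model
    statement: str    # the ideal best-practice requirement
    impact: int       # harm if the objective is not met here: 0 = not applicable, 1 low .. 5 critical


@dataclass(frozen=True)
class Gap:
    ref: str
    vulnerability: str
    impact: int
    shortfall: int    # distance from full conformance, 1..3
    priority: int     # impact * shortfall; highest is dealt with first


def gap_analysis(objectives: List[ControlObjective],
                 conformance: Dict[str, str]) -> List[Gap]:
    """Compare current practice to the model, keep only the gaps that would
    create an undesirable vulnerability in this situation, and prioritize them.
    An objective with no recorded conformance is treated as 'none'."""
    gaps: List[Gap] = []
    for obj in objectives:
        level = conformance.get(obj.ref, "none")
        if level not in CONFORMANCE_SCALE:
            raise ValueError(f"{obj.ref}: unknown conformance level {level!r}")
        shortfall = CONFORMANCE_SCALE["full"] - CONFORMANCE_SCALE[level]
        if shortfall == 0:
            continue            # conformant: nothing to record
        if obj.impact == 0:
            continue            # a gap on paper, but it poses no harm here
        gaps.append(Gap(obj.ref,
                        f"{obj.statement} ({level} conformance)",
                        obj.impact, shortfall, obj.impact * shortfall))
    # most critical first; ties broken by reference so the report is stable
    return sorted(gaps, key=lambda g: (-g.priority, g.ref))


def conformance_summary(objectives: List[ControlObjective],
                        conformance: Dict[str, str]) -> float:
    """Overall degree of conformance across applicable objectives, 0.0 .. 1.0,
    the headline figure an auditor would expect in the documentation set."""
    applicable = [o for o in objectives if o.impact > 0]
    if not applicable:
        return 1.0
    earned = sum(CONFORMANCE_SCALE[conformance.get(o.ref, "none")] for o in applicable)
    return earned / (CONFORMANCE_SCALE["full"] * len(applicable))


# Constructed sample objectives; CO-04 is not applicable to this organization.
SAMPLE_OBJECTIVES = [
    ControlObjective("CO-01", "Asset baseline is maintained in a controlled ledger", 5),
    ControlObjective("CO-02", "Baseline changes are authorized before implementation", 4),
    ControlObjective("CO-03", "Access to payroll data is reviewed quarterly", 3),
    ControlObjective("CO-04", "Physical media at branch offices is labeled", 0),
]
SAMPLE_CONFORMANCE = {"CO-01": "full", "CO-02": "partial", "CO-03": "none", "CO-04": "none"}


def report(objectives=SAMPLE_OBJECTIVES, conformance=SAMPLE_CONFORMANCE) -> List[str]:
    """Human-readable lines for the 'identified vulnerabilities' document."""
    lines = [f"Degree of conformance: {conformance_summary(objectives, conformance):.0%}"]
    for g in gap_analysis(objectives, conformance):
        lines.append(f"P{g.priority:02d} {g.ref}: {g.vulnerability}")
    return lines
```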
121
Asset Valuation and Tradeoff The product of this phase is a concrete security strategy. The input is derived from the outcomes of the prior three stages. The boundary setting element is particularly important to this consideration, since there is a direct relationship between the resources required to establish a specified security level and the extent of the territory that must be secured.
122
Asset Valuation and Tradeoff Operational factors that enter into the development of this strategy include…
–What is the level of criticality of each particular information asset that falls into the asset baseline?
–What is the specific degree of resource commitment required to assure it?
Thus the most important aspect of this might lie in the simple valuation of the assets themselves.
123
Asset Valuation and Tradeoff This is the case because in the real world there are never enough resources to absolutely secure every element of the information asset baseline. And since that baseline is overwhelmingly composed of abstract entities, the value of that asset base is also abstract, meaning not known. Therefore it is essential for each organization to adopt a uniform methodology to systematically value and prioritize its information assets so that the most important assets are targeted first.
124
Asset Valuation and Tradeoff As a consequence, it is our assumption that the critical success factors are defined at the business level, and any form of operational asset valuation must be rooted in and reflect the vision, strategies and purposes of that part of the organization. There are numerous ways of going about asset valuation.
125
Asset Valuation and Tradeoff The training manual uses the Balanced Scorecard approach simply because it is arguably one of the easiest and most popular of these. Using a tailored scorecard the organization can assign a quantitative value for each of the identified items entered in the security baseline. And it can confidently allocate a security priority to it based on its relative value, as determined by the data obtained through one (or all) of these relevant categories.
126
Asset Valuation and Tradeoff The benefit of this approach is that the organization will know with certainty which item to secure and in what order. In addition, it will have demonstrated that due diligence was done in making that determination. The best part of this approach is that as data is collected and refined over time the organization is able to increase its valuation effectiveness, and thus sharpen its control over its asset base.
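The scorecard valuation and the resource tradeoff that follows it (more assets than the budget can cover, so the most valuable are secured first and the rest are explicitly deferred) can be worked through on a small constructed baseline. This is an added example, not the training manual's own scorecard; it uses the four standard Balanced Scorecard perspectives, and the weights, scores, costs and priority tier thresholds are constructed for illustration.

```python
"""Added example: Balanced Scorecard valuation of a constructed asset baseline,
then a budget-constrained tradeoff that funds assets in value order.
Weights, scores, costs and tier thresholds are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The four standard Balanced Scorecard perspectives.
PERSPECTIVES = ("financial", "customer", "internal_process", "learning_growth")


@dataclass(frozen=True)
class ScoredAsset:
    label: str                # hierarchical label from the asset baseline
    scores: Dict[str, int]    # 1 (negligible) .. 5 (critical) per perspective
    cost: float               # resource units needed to assure the asset


def validate_weights(weights: Dict[str, float]) -> None:
    """A tailored scorecard must weight every perspective and nothing else."""
    if set(weights) != set(PERSPECTIVES):
        raise ValueError("weights must cover exactly the scorecard perspectives")
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("weights must sum to 1.0")


def asset_value(asset: ScoredAsset, weights: Dict[str, float]) -> float:
    """Weighted scorecard value, still on the 1..5 scale."""
    validate_weights(weights)
    for p in PERSPECTIVES:
        s = asset.scores.get(p)
        if s is None or not 1 <= s <= 5:
            raise ValueError(f"{asset.label}: score for {p} must be an int 1..5")
    return round(sum(weights[p] * asset.scores[p] for p in PERSPECTIVES), 3)


def priority_tier(value: float) -> str:
    """Constructed tier thresholds; an organization would tailor these."""
    if value >= 4.0:
        return "P1"
    if value >= 3.0:
        return "P2"
    return "P3"


def rank_assets(assets: List[ScoredAsset],
                weights: Dict[str, float]) -> List[Tuple[str, float, str]]:
    """(label, value, tier) ordered most valuable first; ties broken by label."""
    ranked = []
    for a in assets:
        value = asset_value(a, weights)
        ranked.append((a.label, value, priority_tier(value)))
    return sorted(ranked, key=lambda r: (-r[1], r[0]))


def tradeoff(assets: List[ScoredAsset], weights: Dict[str, float],
             budget: float) -> Dict[str, List[str]]:
    """Fund assets in value order while the budget allows; anything that does
    not fit is listed as deferred so the decision is documented, not silent."""
    by_label = {a.label: a for a in assets}
    funded: List[str] = []
    deferred: List[str] = []
    remaining = budget
    for label, _value, _tier in rank_assets(assets, weights):
        cost = by_label[label].cost
        if cost <= remaining:
            funded.append(label)
            remaining -= cost
        else:
            deferred.append(label)
    return {"funded": funded, "deferred": deferred}


# Constructed tailored scorecard: this organization weights financial impact most.
WEIGHTS = {"financial": 0.4, "customer": 0.3, "internal_process": 0.2, "learning_growth": 0.1}

# Constructed baseline entries with their per-perspective scores and costs.
SAMPLE_ASSETS = [
    ScoredAsset("HR/Payroll/DB01",
                {"financial": 5, "customer": 2, "internal_process": 4, "learning_growth": 1}, 40),
    ScoredAsset("Sales/CRM",
                {"financial": 4, "customer": 5, "internal_process": 3, "learning_growth": 2}, 30),
    ScoredAsset("IT/Wiki",
                {"financial": 1, "customer": 1, "internal_process": 2, "learning_growth": 4}, 10),
    ScoredAsset("Finance/GL",
                {"financial": 5, "customer": 3, "internal_process": 5, "learning_growth": 2}, 50),
]
```

With a budget of 100 units the general ledger and CRM are funded first, the payroll database no longer fits and is deferred, and the leftover budget still covers the low-value wiki; that deferred line is the documented due-diligence record the slide refers to.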
127
Asset Valuation and Tradeoff
The process that ensues is a political one; however, it is necessary. It is the actual tradeoff process that is the fundamental element of strategic planning. This is not a scientific activity, although with precisely targeted information decision makers can move ahead with some assurance that they are basing their strategies on the realities of the situation.
128
Asset Valuation and Tradeoff
The assumption is that the actual deployment of the security function will meet the requirements of the organization’s security charter. That decision-making is based on:
–knowledge of the financial, equipment and personnel resources available to implement the desired level of security
–the pressing business concerns and the relative value of the asset.
129
Asset Valuation and Tradeoff
It is driven by the model that will be used to implement the actual security solution. However, the point is to have a clear fix on the asset base so that the particulars of the deployment can be planned with precision. This should be both tangibly documented and publicized to the organization at large. This also effectively concludes the threat identification and response phase of the formal information security protection process.
130
Control Selection
The next step in this process is the actual selection and validation of the control set. Since this is model specific, we are going to focus the discussion on the generic steps required.
131
Control Selection
This phase involves tailoring, deploying and validating an appropriate control set. This is almost always based on some sort of standard model of correct practice, and 99.9% of the time that is the same model employed to do the gap analysis…
–although this is not absolutely required.
132
Control Selection
The outcome is unique in the sense that the deployment is determined by the situation. However, there are elements that must be carried out no matter which model is selected:
–Assignment of controls to a security baseline
–Assessment of the effectiveness of those controls
–The formulation of the final control set into a security system.
133
Formulating the Control Set
The necessary security controls are deployed once the information asset baseline has been established and prioritized. This requires an item-by-item assessment of the information resource baseline in order to design and formalize the appropriate control set. Nonetheless, in order to devise the appropriate and correct set of control procedures, it is necessary to return to the risk analysis to better understand the nature of the threat.
134
Formulating the Control Set
Basically, threats can be characterized as physical or logical, and as coming from internal or external sources. Thus the analysis considers the safeguards or controls that are necessary to suitably address any and all anticipated threats.
135
Formulating the Control Set
That includes steps to detect a threat as close as possible to the time that it occurs (threat response), and a procedure to ensure that it will either be attended to by subsequent corrective action or that the loss that may arise from it will be effectively contained.
136
Formulating the Control Set
Since the adverse impacts of threats also inevitably fall into the financial arena, it is important to consider the applicable ROI issues. One obvious example is that it ought to be known whether the cost of the control (on an annual basis) would be less than any anticipated (dollar) losses.
137
Formulating the Control Set
Another consideration is the frequency with which the threat occurs. If the historical rate of occurrence is high, then even a low ROI (per incident) item could prove to be a good investment.
138
Formulating the Control Set
The other issue is the PROBABILITY that a threat might occur. Probability should never be confused with frequency. In essence, the question that has to be asked is what the probability is that harm will ensue if the threat DOES occur.
139
Formulating the Control Set
For instance, burglars might very infrequently visit your house, but when they DO, the likelihood is high that they will take something. Thus these two related factors have to be balanced against each other when doing a threat assessment.
140
Formulating the Control Set
In essence, the question that has to be answered for a particular control is how likely it is that a given occurrence will produce mischief. That is because, in reality, some threats may occur many times within a year’s time, especially those associated with the unintentional actions of users or employees.
141
Formulating the Control Set
Finally, it must be recognized that there is always an uncertainty in all of these cases, which dictates that baseline control formulation should always be an iterative function. Basically, uncertainty can be estimated as a level of confidence, from zero to 100 percent, on any control.
142
Formulating the Control Set
What this expresses is the necessity, or usefulness, of the associated control (e.g., this control should be considered to be 91% necessary). It should be noted that failure to integrate uncertainty factors into the risk analysis will reduce the overall level of trust in the effectiveness of the resultant control baseline.
143
Assessment of Control Coverage
It is necessary to validate the selected control set in order to assure its effectiveness as well as confirm the accuracy of the defensive scheme. This always takes place after it is operationally deployed; that is, after it is formulated into an active baseline and placed under effective baseline control.
144
Assessment of Control Coverage
From an IT management standpoint, this activity is a standard beta test function, in the sense that the essence of the process is the ongoing comparison of expected performance with the actual result of executing the process.
145
Assessment of Control Coverage
The assessment process is planned, implemented and monitored in the same fashion as any other testing activity. It normally embodies the criteria and factors considered during the threat analysis and baseline formulation process, but operational issues can be added at this point as well. The intention is to be able to say with assurance that the aggregate control set is effective given the aims of the protection scheme.
146
Assessment of Control Coverage
Operationally, this should be done within a specified time-frame and with a defined reporting and decision-making structure. Because the overall purpose of this step is to produce a finalized baseline, the organization must treat it exactly like a project, in the sense that the outcome of the process is a fully functioning security control set.
147
Assessment of Control Coverage
Once the project purposes and timelines are set, generally speaking each control must have a set of performance assessment criteria assigned. The purpose of this is to underwrite precise monitoring of the effectiveness of each component of the security baseline. Therefore these criteria must be both measurable and recordable.
148
Assessment of Control Coverage
Then, on execution of the process, the outcomes associated with each control are recorded. The organization uses the ongoing outcomes of the operational use of the control to assess its effectiveness. This assessment is based on the performance criteria set for that particular control as well as the assumptions about cost and occurrence that were part of the baseline formulation process.
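The ROI, frequency, probability and uncertainty factors from the "Formulating the Control Set" slides, and the beta-test comparison of recorded outcomes against the baseline's cost and occurrence assumptions from this slide, worked through in code. This is an added example, not material from the training manual: the formulas (occurrences per year times probability of harm times loss, discounted by the confidence level) and every dollar figure are this example's own constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed illustration of the ROI, frequency, probability and uncertainty
# factors the manual lists, followed by the beta-test comparison of recorded
# outcomes against the baseline assumptions. The formulas and all figures are
# this example's own assumptions, not a method the training manual prescribes.

@dataclass(frozen=True)
class ControlCandidate:
    name: str
    annual_frequency: float     # historical occurrences of the threat per year
    p_harm: float               # probability that harm ensues given an occurrence
    loss_per_incident: float    # anticipated dollar loss when harm does ensue
    annual_control_cost: float  # yearly cost of running the control
    confidence: float           # 0.0..1.0 confidence in the estimates above

def expected_annual_loss(c: ControlCandidate) -> float:
    """Balance frequency against probability: occurrences/year * P(harm) * loss."""
    return c.annual_frequency * c.p_harm * c.loss_per_incident

def control_roi(c: ControlCandidate) -> float:
    """Net return per dollar of control cost; positive means avoided loss exceeds cost."""
    return (expected_annual_loss(c) - c.annual_control_cost) / c.annual_control_cost

def confidence_weighted_benefit(c: ControlCandidate) -> float:
    """Discount the avoided loss by the confidence level (a 91% confident estimate counts 91%)."""
    return expected_annual_loss(c) * c.confidence - c.annual_control_cost

def rank_controls(candidates):
    """Order candidates for the baseline by confidence-weighted net benefit, best first."""
    return sorted(candidates, key=confidence_weighted_benefit, reverse=True)

def reassess(c: ControlCandidate, observed_frequency: float, observed_p_harm: float) -> dict:
    """Beta-test step: recompute with the recorded outcomes and report whether the
    occurrence assumptions made at baseline formulation still justify the control."""
    observed = replace(c, annual_frequency=observed_frequency, p_harm=observed_p_harm)
    return {
        "assumed_loss": expected_annual_loss(c),
        "observed_loss": expected_annual_loss(observed),
        "observed_roi": control_roi(observed),
        "still_justified": control_roi(observed) > 0,
    }

# Constructed sample baseline: a frequent low-impact threat, a rare high-impact
# one (the burglar case), and a control whose cost exceeds the loss it prevents.
CANDIDATES = [
    ControlCandidate("phishing_filter", 120.0, 0.02, 5_000.0, 8_000.0, 0.90),
    ControlCandidate("offsite_backup", 0.1, 0.95, 400_000.0, 15_000.0, 0.70),
    ControlCandidate("badge_reader", 2.0, 0.10, 3_000.0, 9_000.0, 0.80),
]

if __name__ == "__main__":
    for c in rank_controls(CANDIDATES):
        print(f"{c.name:16} loss/yr={expected_annual_loss(c):>9.0f} roi={control_roi(c):+.2f}")
    print(reassess(CANDIDATES[0], observed_frequency=200.0, observed_p_harm=0.01))
```

The rare-but-damaging backup case outranks the frequent-but-minor phishing case, which is the frequency/probability balance the burglar illustration makes; the badge reader fails the cost-versus-loss test and would be reconsidered in the next iteration.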
149
[Figure: Control Objective Beta Test Process. Elements shown: performance criteria; control objective performance in the operational environment; baseline formulation assumptions; recorded outcomes; assessment of control effectiveness; aggregation of control objective test results; assessment of baseline effectiveness; final implementation of the control baseline.]
150
Assessment of Control Coverage
Then, once the testing step is complete, the aggregate set of results for the control baseline is assessed for the purpose of formalizing a finalized set of security control objectives. These controls represent the operational realization of the security system, and their baseline representation is maintained under strict change control by the configuration management system.
151
Assessment of Control Coverage
The released version of this baseline is managed by that function in the same manner as a software release. That is, no changes are allowed without authorization and subsequent verification of the correctness and effectiveness of the change.
152
Module Three Review
1. Why are two baselines needed?
2. What is the reason for tradeoffs?
3. What is the reason for top-down sponsorship?
4. What are the criteria for determining feasibility?
5. What is the purpose of the beta test of controls?
6. Why are the final baselines strictly controlled?
7. Why is buy-in a success factor?
8. What is the role of risk assessment?
9. What is the purpose of asset valuation?
10. Why must system boundaries be decided?
153
End of Personal Instruction