1. security management practices

Security Management Security Management PracticesPractices

Security Management PracticesSecurity Management Practices

Information Security ManagementInformation Security Management

The Big Three - CIAThe Big Three - CIA

The Information Classification processThe Information Classification process

Security Policy implementationSecurity Policy implementation

The roles and responsibilities of Security The roles and responsibilities of Security

AdministrationAdministration

Risk Management Assessment toolsRisk Management Assessment tools

Security Awareness trainingSecurity Awareness training

Information Security ManagementInformation Security Management

To protect an organization’s valuable resources, such as information, hardware, and software

Identification of an organization’s information assets

The development, documentation, and implementation of policies, standards, procedures, and guidelines

Ensure Availability, Integrity and Confidentiality

Information Security Management Information Security Management Cont…Cont…

Through the selection and application of appropriate safeguards, Information Security helps the organization’s mission by protecting its physical and financial resources, reputation, legal position, employees, and other tangible and intangible assets

Information systems are often critical assets that support the mission of an organization

However, including Information Security considerations in the management of information systems does not completely eliminate the possibility that these assets will be harmed.

Availability, Integrity and Confidentiality

Availability Availability is the assurance that a computer system is

accessible by authorized users whenever needed.

The Threat Denial of Service & Distributed Denial of Service Natural disasters (e.g., fires, floods, storms, or

earthquakes) Human actions (e.g., bombs or strikes)

Availability Cont…Availability Cont…

The Action Contingency planning — which may involve business

resumption planning, alternative-site processing, or simply disaster recovery planning — provides an alternative means of processing, thereby ensuring availability.

Physical, Technical, and Administrative controls are important aspects of security initiatives

The Physical controls Restrict unauthorized persons from coming into contact

with computing resources and Facilities

Availability Cont…Availability Cont…

The Technical controls Fault-tolerance mechanisms (e.g., hardware redundancy,

disk mirroring, and application checkpoint restart) Electronic vaulting (i.e., automatic backup to a secure, off-

site location) Access control software to prevent unauthorized users

The Administrative controls access control policies, operating procedures, contingency

planning, and user training

IntegrityIntegrity

Integrity Protection of Information System or Processes from

intentional or accidental unauthorized changes Protect the process or program used to manipulate the

data from unauthorized modification.

The Threat Hackers, Masqueraders, Unauthorized user activity Unprotected downloaded files, networks, and unauthorized

programs (e.g., Trojan horses and viruses) Authorized users can corrupt data and programs

accidentally or intentionally

Integrity Cont…Integrity Cont…

The Action Granting access on a need-to-know (least privilege) basis Separation of duties Rotation of duties

Need-to-Know Access (Least Privilege) Grant access only to those files and programs that they

absolutely need to perform their assigned job functions Restrict through use of well-formed transactions (recording

of data/program modifications in a log)

Integrity Cont…Integrity Cont…

Separation of Duties

No single employee has control of a transaction from beginning to end

Rotation of Duties

Change Job assignments periodically Works well when used in conjunction with a separation of

duties Helps organization when losing a key employee

“The security program must employ a careful balance between ideal security and practical productivity”

ConfidentialityConfidentiality

ConfidentialityConfidentiality Protection of information within systems so that

unauthorized people, resources, and processes cannot access that information

The Threat Hackers, Masqueraders, Unauthorized user activity Unprotected downloaded files, networks, and unauthorized

programs (e.g., Trojan horses and viruses) Social Engineering

The Action Granting access on a need-to-know (least privilege) basis Well-Formed Transaction AwarenessAwareness

Risk Analysis and Assessment

Risk Management

The processes of identifying, analyzing and assessing, mitigating, or transferring risk are generally characterized as Risk Management

Risk Management Process

What could happen (threat event)? If it happened, how bad could it be (threat impact)? How often could it happen (threat frequency, annualized)? How certain are the answers to the first three questions

(recognition of uncertainty)? What can be done (risk mitigation)? How much will it cost (annualized)? Is it cost-effective (cost/benefit analysis)?

Risk Analysis and Assessment Cont…Risk Analysis and Assessment Cont…

Risk Analysis

This term represents the process of analyzing a target environment and the relationships of its risk-related attributes

Qualitative / Quantitative

Quantitative risk analysis attempts to assign independently objective numeric numbers (i.e., monetary values) to all elements of the risk analysis

Qualitative risk analysis, on the other hand, does not attempt to assign numeric values at all, but rather is scenario oriented


Risk Assessment

This term represents the assignment of value to assets, threat frequency (annualized), consequence (i.e., exposure factors), and other elements of chance

Information Asset Information is regarded as an intangible asset separate

from the media on which it resides Simple cost of replacing the information The cost of replacing supporting software Costs associated with loss of the information’s

confidentiality, availability, and integrity Supporting hardware and network


Exposure Factor (EF) A measure of the magnitude of loss or impact on the value

of an asset A percent, ranging from 0 to 100%, of asset value loss

arising from a threat event

Single Loss ExpectancySingle Loss Expectancy = Asset Value X Exposure Factor

Annualized Rate of Occurrence (ARO) The frequency with which a threat is expected to occur For example, a threat occurring once in ten years has an

ARO of 1/10 or 0.1


Annualized Loss Expectancy (ALE)

Annualized Loss Expectancy = Single Loss Expectancy X Annualized Rate of

Occurrence

Probability The chance or likelihood that an event will occur For example, the probability of getting a 6 on a single roll of

a die is 1/6, or 0.16667 The Probability can between 0 to 1

Safeguard Risk Analysis and Assessment Cont…Risk Analysis and Assessment Cont… occurrence of a

specified threat or category of threats


Safeguard Effectiveness The degree, expressed as a percent, from 0 to 100%, to

which a safeguard can be characterized as effectively mitigating a vulnerability and reducing associated loss risks

Uncertainty The degree, expressed as a percent, from 0.0% to 100%,

to which there is less than complete confidence in the value of any element of the risk assessment

Tasks of Information Risk Management

Establish Information Risk Management Policy IRM policy should begin with a high-level policy statement and

supporting objectives, scope, constraints, responsibilities, and approach

Communicate and Enforce

Establish an IRM Team Top Down Approach will work well

Establish IRM Methodology and Tools Determine current status of Information Security Plan Strategic risk assessment

Identify and Measure Risk Perform Risk Assessment based on the IRM policy and IRM Perform Risk Assessment based on the IRM policy and IRM

methodology & toolsmethodology & tools

Information Protection EnvironmentInformation Protection Environment

Threat Analysis Asset Identification and Valuation Vulnerability Analysis Risk Evaluation Risk Evaluation Interim Reports and Recommendations Establish Risk Acceptance Criteria

Example : do not accept more than a 1 in 100 chance of losing $1,000,000

Mitigate Risk Safeguard Selection and Risk Mitigation Analysis Cost/Benefit Analysis Final Report Monitor Information Risk Management Performance

Security Technology and ToolsSecurity Technology and Tools

Qualitative versus Quantitative Approach

The Qualitative Approach is much more subjective approach to the valuation of information assets and the scaling of risk

In General the risks are described as “low,” “medium,” or “high”

The Quantitative is talks about real numbers Uses Algorithms ALE=ARO X (Asset Value X Exposure Factor = SLE)

Assume the asset value is $1M, the exposure factor is 50%, and the annualized rate of occurrence is 1/10 (once in ten years)

($1M X 50% = $500K) X 1/10 = $50K

Pros an Cons of Qualitative ApproachPros an Cons of Qualitative Approach

ProsPros Calculations, if any, are simple Usually not necessary to determine the monetary value of

Information (CIA) Not necessary to determine quantitative threat frequency and

impact data Not necessary to estimate the cost of recommended risk mitigation

measures and calculate cost/benefit because the process is not quantitative.

A general indication of significant areas of risk

ConsCons The risk assessment and results are essentially subjective in both

process and metrics The perception of value may not realistically reflect actual value at

risk Only subjective indication of a problem It is not possible to track risk management performance objectively

when all measures are subjective

Pros and Cons of Quantitative ApproachPros and Cons of Quantitative Approach

Pros Meaningful statistical analysis is supported The value of information (CIA), as expressed in monetary terms

with supporting rationale, is better understood. Thus, the basis for expected loss is better understood

Information security budget decision making is supported Risk management performance can be tracked and evaluated. Risk assessment results are derived and expressed in

management’s language, monetary value, percentages, and probability annualized. Thus, risk is better understood.

Cons Calculations are complex. Not practical to execute a quantitative risk assessment without

using a recognized automated tool and associated knowledge bases,

A substantial amount of information gathering is required Standard, independent Threat population and threat frequency

knowledgebase not yet developed and maintained, so vendor dependent

Information Classification

Information Protection Requirements

Data confidentiality, integrity, and availability are improved because appropriate controls are used for all data across the enterprise

The organization gets the most for its information protection dollar because protection mechanisms are designed and implemented where they are needed most, and less costly controls can be put in place for non-critical information

The quality of decisions is improved because the data upon which the decisions are made can be trusted

The company is provided with a process to review all business functions and informational requirements on a periodic basis to determine appropriate data classifications

Data ClassificationData Classification

Classification is part of a mandatory access control Classification is part of a mandatory access control model to ensure that sensitive data is properly model to ensure that sensitive data is properly controlled and securedcontrolled and secured

DoD multi-level security policy has 4 classifications:DoD multi-level security policy has 4 classifications: Top SecretTop Secret SecretSecret ConfidentialConfidential UnclassifiedUnclassified

Other levels in use are:Other levels in use are: Eyes onlyEyes only Officers onlyOfficers only Company confidentialCompany confidential PublicPublic

Data Classification Cont…Data Classification Cont…

Top SecretTop Secret - applies to the most sensitive business - applies to the most sensitive business information which is intended strictly for use within the information which is intended strictly for use within the organization. Unauthorized disclosure could seriously and organization. Unauthorized disclosure could seriously and adversely impact the company, stockholders, business adversely impact the company, stockholders, business partners, and/or its customerspartners, and/or its customers

Secret -Secret - Applies to less sensitive business information which Applies to less sensitive business information which is intended for use within a company. Unauthorized disclosure is intended for use within a company. Unauthorized disclosure could adversely impact the company, its stockholders, its could adversely impact the company, its stockholders, its business partners, and/or its customersbusiness partners, and/or its customers

Confidential -Confidential - Applies to personal information which is Applies to personal information which is intended for use within the company. Unauthorized disclosure intended for use within the company. Unauthorized disclosure could adversely impact the company and/or its employeescould adversely impact the company and/or its employees

Unclassified -Unclassified - Applies to all other information which does Applies to all other information which does not clearly fit into any of the above three classifications. not clearly fit into any of the above three classifications. Unauthorized disclosure isn’t expected to seriously or Unauthorized disclosure isn’t expected to seriously or adversely impact the companyadversely impact the company

Information Classification Cont…

Information Protection Environment Getting started: questions to ask

• Is there an executive sponsor for this project?• What are you trying to protect, and from what?• Are there any regulatory requirements to consider?• Has the business accepted ownership responsibilities for the

data?

Policy• An essential tool in establishing a data classification scheme• Define information as an asset of the business unit• Declare local business managers as the owners of information• Establish IT as the custodians of corporate information• Clearly define roles and responsibilities of those involved in the

ownership and classification of information• Define the classifications and criteria that must be met for each• Determine the minimum range of controls to be established for

each classification


Risk Analysis Identify major functional areas of information Analyze the classification requirements Determine the risk associated Determine the effect of loss Build a table

Establishing classifications Public: information that, if disclosed outside the company,

would not harm the organization, its employees, customers, or business partners.

Internal Use Only: information that is not sensitive to disclosure within the organization, but could harm the company if disclosed externally.

Company Confidential: sensitive information that requires “need-toknow” before access is given


Defining roles and responsibilities Information owner - A business executive or business

manager who is responsible for a company business information asset

Information custodian - The information custodian, usually an information technology or operations person, is the system administrator or operator for the Information Owner, with primary responsibilities dealing with running the program for the owner and backup and recovery of the business information

Application owner - Manager of the business unit who is fully accountable for the performance of the business function served by the application

User manager - The immediate manager or supervisor of an employee


Defining roles and responsibilities Security administrator - Any company employee who

owns an “administrative” user ID that has been assigned attributes or privileges that are associated with any type of access control system

Security analyst - Person responsible for determining the data security directions (strategies, procedures, guidelines) to ensure information is controlled and secured based on its value, risk of loss or compromise, and ease of recoverability

Change control analyst - Person responsible for analyzing requested changes to the Information Technology infrastructure and determining the impact on applications

Data analyst - This person analyzes the business requirements to design the data structures and recommends data definition standards and physical platforms


► Defining roles and responsibilities Solution provider - Person who participates in the

solution (application) development and delivery processes in deploying business solutions

End user - Any employee, contractor, or vendor of the company who uses information systems resources as part of their job

Process owner - This person is responsible for the management, implementation, and continuous improvement of a process that has been defined to meet a business need

Product line manager - Person responsible for understanding business requirements and translating them into product requirements, working with the vendor/user area


Identifying owners The proper owner must be from the business Senior management support is a key success factor Information owners must be given the necessary authority

Classifying information and applications Collect the metadata about their business functions Review the definitions for the information classifications

Ongoing monitoring Ensure compliance with policy and established procedures periodically review the data to ensure they are still

appropriately classified

Policies, Procedures, Standards, Baselines

Policy - An information security policy contains senior management’s directives to create an information security program, establish its goals, measures, and target and assign responsibilities

Standards - Standards are mandatory activities, actions, rules, or regulations designed to provide policies with the support structure and specific direction they require to be meaningful and effective

Procedures - Procedures spell out the step-by-step specifics of how the policy and the supporting standards and guidelines will actually be implemented in an operating environment

Guidelines - Guidelines are more general statements designed to achieve the policy’s objectives by providing a framework within which to implement controls not covered by procedures

The Policy Chart The Policy Chart

Awareness Program

Security policies, standards, procedures, baselines, and guidelines

Threats to physical assets and stored information Threats to open network environments Laws and regulations they are required to follow Specific organization or department policies they are

required to follow How to identify and protect sensitive (or classified)

information How to store, label, and transport information Who they should report security incidents to, regardless

of whether it is just a suspected or an actual incident Email/Internet policies and procedures Social engineering

Implementation (Delivery) Options

Posters Posting motivational and catchy slogans Videotapes Classroom instruction Computer-based delivery, such as CD-ROM, DVD,

intranet access, Web-based access, etc. Brochures/flyers Pens/pencils/keychains (any type of trinket) with

motivational slogans Post-it notes with a message on protecting the

Information Technology system Stickers for doors and bulletin boards

Implementation (Delivery) Options Cont…

Cartoons/articles published monthly or quarterly in an in-house newsletter or specific department notices

Special topical bulletins (security alerts in this instance)

Monthly email notices related to security issues or email broadcasts of security advisories

Security banners or pre-logon messages that appear on the computer monitor

Distribution of items as an incentive

1. security management practices

Education