Security Management Practices · 2008-04-11 · 신수정
TRANSCRIPT
Security Management Practices
신수정
Table of Contents
1. Introduction
2. Security Management Concepts & Principles
3. Change Control
4. Data Classification
5. Data & Information
6. Employment Policy and Practice
7. Policy, Standard, Guideline and Procedure
8. Security Management
9. Risk Management
10. Security Awareness
1. Introduction
1.1 CBK Overview
The CBK domains:
(1) Access Control Systems & Methodology
(2) Telecommunications & Network Security
(3) Security Management Practices
(4) Applications & System Development Security
(5) Cryptography
(6) Security Architecture & Model
(7) Operations Security
(8) Business Continuity Planning & DRP
(9) Laws, Investigations and Ethics
(10) Physical Security
1.2 Security Management Practices
Security management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify threats, classify assets, and rate their vulnerabilities so that effective security controls can be implemented.
• Security Management Concepts & Principles
• Change Control/Management
• Data Classification
• Information/Data
• Employment Policies & Practices
• Policies, Standards, Guidelines and Procedures
• Roles & Responsibilities
• Security Awareness Training
• Security Management Planning
Reference: CISSP Study Guide, ISC2
Points to understand:
• The planning, organization, and roles of individuals in identifying and securing an organization's information assets
• The development and use of policies stating management's views and position on particular topics, and the use of guidelines, standards, and procedures to support the policies
• Security awareness training
• The importance of confidentiality, proprietary and private information
• Employment agreement, hiring, and termination practices
• Risk management practices
2. Security Management Concepts & Principles
2.1 Security Basics
(1) Confidentiality
- About preventing unauthorized users reading information to which they are not entitled.
- Ensuring that information is accessible only to those authorized to have access (BS7799)
• Privacy: protection of personal data
• Secrecy: protection of data belonging to an organization
(2) Integrity
- Making sure things are as they should be.
- Safeguarding the accuracy and completeness of information and processing methods. (BS7799)
- In the context of computing, integrity is about preventing unauthorized users writing information to which they are not entitled.
- In a general system, integrity is about ensuring that system state has not been modified by those not authorized to do so.
(3) Availability
- Ensuring that authorized users have access to information and associated assets when required (BS7799)
- About a system's services being accessible on demand by an authorized entity.
(4) Accountability
- The property that enables activities on a system to be traced to individuals who may then be held responsible for their actions.
- This is typically done by securely identifying users and keeping an audit trail of security-relevant events.
(5) Reliability
- Extent to which a computer can be expected to perform its intended function with the required precision on a consistent basis.
- The probability of a given system performing its mission adequately for a specified period of time under the expected operating conditions.
(6) Identification
- The process that enables recognition of an entity (subject or object) by a computer system, generally by use of unique machine-readable user names.
(7) Authentication
- The act of identifying or verifying the eligibility of a workstation, originator, or individual to access specific categories of information. It provides assurance regarding the identity of a subject or object, for example, ensuring that a particular user is who he claims to be.
(8) Authorization
- The privilege granted to an individual by management to access information based on the individual's clearance and the need-to-know principle.
(9) Non-repudiation
- An authentication that with high assurance can be asserted to be genuine, and that cannot subsequently be refuted. It is the security service by which the entities involved in a communication cannot deny having participated.
(10) Audit
- An independent review and examination of system records and activities to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.
3. Change Control & Management
3.1 Why change control?
(1) Why is change control & change management a security issue?
– Many businesses live or die on data integrity
– Changes can break a security model
– Modifying a system breaks warranty
(2) Needed since the change requester does not understand the security implications of their request
(3) The security administrator must analyze and assess carefully the impact to the system
* From Rothke's material
3.2 Tools & Results
• Tools
– Checksums
– Digital signatures
– Tripwire
• Effective change control can uncover:
– Cases of policy violation by staff, where programs are installed or changed without following the proper notification procedures
– Possible hardware failure leading to data corruption
– Viruses, worms, malicious code
3.3 Objects of change control
• Hardware
– Disks, peripherals
– Device drivers
– BIOS
• Application and operating system software
– Upgrades
– Service packs, patches, fixes
– Changes to the firewall rulebase/proxies
– Router software
3.4 What is needed for it to work
• For change control & management to work, you must have:
– Golden copies of the software, for comparison use or database generation
– Secure infrastructure. Software must be securely stored on physically protected media. If an intruder can get root and change the golden copies, then the change control tools will be ineffective.
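The checksum/Tripwire approach from 3.2 and the golden-copy requirement from 3.4, as an added example that is not part of the lecture material: a SHA-256 baseline is taken from a known-good tree and a later scan of the production tree is diffed against it. The sample trees and the "unauthorized" changes are constructed in a temporary directory; in practice the baseline itself must live on protected media, as the slide above warns.

```python
"""Golden-copy integrity baseline in the spirit of checksum / Tripwire tools.
Added example; the directory layout and file contents below are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every regular file under root, keyed by its path relative to root.
    Symlinks are skipped: hashing their target would let an attacker point a
    link at a legitimate file and hide a swapped binary."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between the golden baseline and a live scan.
    Each category is what the slide says change control can uncover:
    modified files (tampering, corruption), added files (unapproved installs),
    missing files."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict:
    """Build a constructed golden tree and a production tree that has drifted
    in three ways, then return the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = Path(tmp) / "golden"
        prod = Path(tmp) / "prod"
        for root in (golden, prod):
            (root / "bin").mkdir(parents=True)
            (root / "etc").mkdir()
            (root / "bin" / "login").write_bytes(b"\x7fELF constructed original binary")
            (root / "etc" / "firewall.rules").write_text("allow tcp 443\ndeny all\n")
        # The baseline is taken from the golden copies, never from production.
        baseline = build_baseline(golden)
        # Constructed unauthorized drift on the production side:
        (prod / "bin" / "login").write_bytes(b"\x7fELF constructed altered binary")  # modified
        (prod / "bin" / "unexpected").write_bytes(b"file not in the baseline")        # added
        (prod / "etc" / "firewall.rules").unlink()                                      # missing
        return compare(baseline, build_baseline(prod))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s}: {paths}")
```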
3.5 Policy
• Policies, procedures and processes
– Develop policies that will stabilize the production processing environment by controlling all changes made to it
– Formal change control processes will help to ensure that only authorized changes are made, that they are made at the approved time, and that they are made in the approved manner
– Promptly implement security patches, command scripts, and similar from vendors, CERT, CIAC, etc.
– Have procedures for roll-back to prior versions in case of problems; don't burn your software bridges
• CERT (Computer Emergency Response Team)
• CIAC (Computer Incident Advisory Capability)
• Change request form
- Name, request date, completion date, priority, requested change, impact of the change on other systems, reason for the change
- Assignment of a control number
• Change record
- Who made the change, date and time of the change, change request number, before/after details
• Changes to systems in production
- Approval procedure, automated change control software
3.6 Configuration Management
• Configuration Management
– The management of changes made to a system's HW, SW, firmware, documentation, test, and test documentation throughout the development and operational life of the system: continuous management, tracking and control of operation and change (version control, change request tracking, ...)
– Is clearly key to a product assurance program.
– Can control changes to those baselines and help to assure system integrity and traceability throughout the software life cycle by providing a foundation for product and performance measurement.
3.7 Configuration Auditing
• Configuration Auditing
– Is the process of conducting an independent review and examination of system records and activities.
– The purpose is to test for adequacy of system controls, ensure compliance with established policy, and recommend indicated changes in policy, procedures and controls.
* From Chris's material
4. Data Classification
4.1 Why Classification?
(1) Accountability for assets (BS7799)
- Objective: To maintain appropriate protection of organizational assets
- All major information assets should be accounted for and have a nominated owner
- Accountability for assets helps to ensure that appropriate protection is maintained.
- Owners should be identified for all major assets and the responsibility for the maintenance of appropriate controls should be assigned.
- Accountability should remain with the nominated owner of the assets
(2) Information Classification (BS7799)
- Objective: To ensure that information assets receive an appropriate level of protection
- Information should be classified to indicate the need, priorities and degree of protection
- Information has varying degrees of sensitivity and criticality.
- An information classification system should be used to define an appropriate set of protection levels, and communicate the need for special handling measures.
- The responsibility for defining and periodically reviewing the classification should rest with the originator or nominated owner of the data.
4.2 Classification benefits
• Data confidentiality, integrity and availability are improved since appropriate controls are used throughout the enterprise
• Protection mechanisms are maximized
• A process exists to review the values of company business data
• Decision quality is increased since the quality of the data upon which the decision is being made has been improved
* From Rothke's material
4.3 Classification Example
• Classification is part of a mandatory access control model to ensure that sensitive data is properly controlled and secured
• The DoD multi-level security policy has 4 classifications:
– Top Secret
– Secret
– Confidential
– Unclassified
• Other levels in use are:
– Eyes only
– Officers only
– Company confidential
– Public
• (4) Top Secret - Applies to the most sensitive business information which is intended strictly for use within the organization. Unauthorized disclosure could seriously and adversely impact the company, stockholders, business partners, and/or its customers
• (3) Secret - Applies to less sensitive business information which is intended for use within a company. Unauthorized disclosure could adversely impact the company, its stockholders, its business partners, and/or its customers
• (2) Confidential - Applies to personal information which is intended for use within the company. Unauthorized disclosure could adversely impact the company and/or its employees
• (1) Unclassified - Applies to all other information which does not clearly fit into any of the above three classifications. Unauthorized disclosure isn't expected to seriously or adversely impact the company
(1) Unclassified - "common sense", a minimum security level (especially if the systems are networked)
• Network sniffing software should not be installed.
• A virus scanner should be installed (DOS/Windows).
• Accounts should only exist for authorised persons and must always have a password.
• Screen locking with password protection should be activated automatically after 15 minutes idle time.
• Write access to network filesystems should be restricted to groups of users or machines.
• Communications software (NFS, LanManager, RAS, PPP, UUCP, Workgroups, ...) should be correctly installed with security options enabled.
* D: minimal, C: Discretionary, B: Mandatory, A: Mandatory & Verified – TCSEC DoD Orange Book
(2) Confidential - Orange Book C1 (Discretionary Security Protection). C1 is used for co-operating users working with data of the same sensitivity level.
• Documentation: test, security design philosophy, security features user guide (description of security mechanisms from the user's point of view), trusted facility manual (i.e. security administration guide).
• Assurance: System architecture: does the TCB run in protected mode? Functions should exist for checking hardware and firmware integrity. Have the security mechanisms been successfully tested?
• User identification and authorisation is required, along with protection of authorisation data.
• Discretionary access control: access is controlled between named users (or user groups) and named objects.
(3) Secret - Orange Book C2 + secure data transmission.
• C2 (Controlled Access Protection): As C1 plus additional requirements for: trusted facility manual (describe C2 mechanisms), identification & authorisation (no group accounts may exist), discretionary access control (control assignment of privileges) and security testing (test C2 mechanisms).
• User accountability: Users are accountable for their actions. Audit trails should be available with monitoring and alert functions. Audit logs should be protected.
• Object re-use: Objects used by a subject should be reinitialised before use by another subject, i.e. it should not be possible to compromise security by reuse of objects.
• Secure data transmission: When sending messages or when programs communicate with each other, privacy and completeness (i.e. confidentiality and integrity) must be maintained. For certain applications it may also be necessary that the receiver be absolutely sure that the information comes from the sender and not someone else. This is called non-repudiation of origin. It may also be required that the sender must be sure that the message was received by the intended receiver: non-repudiation of receipt.
(4) Top Secret - Orange Book B1 + secure data transmission.
• B1 (Labelled Security Protection): As in C2 plus additional requirements for identification & authentication (maintain security compartment information), trusted facility manual (B1 mechanisms and how to change security compartment), design manual (description of the security model and mechanisms), assurance (system architecture: process isolation, integrity checking; security testing: try penetration attacks and remove flaws) and auditing (log security levels of objects).
• Labels: Maintain sensitivity labels under control of the TCB, input/output of labelled information, label integrity (linked to objects), label human-readable output, single- and multi-level I/O.
• Verification of specification & design: Does the system behave according to the Design Manual?
• Exporting of labelled information, exporting to multilevel and single-level devices.
• Mandatory access control: access control for objects & subjects is specified by the TCB (i.e. not the user).
• Not part of B1 are covert channels and trusted path analysis. They may be necessary for some systems. Class B2 includes these and other further requirements.
• Secure data transmission: as (3).
Summary table: Orange Book requirements by class (Orange Book Reference D, C1, C2, B1; per the preceding slides the Data Sensitivity Classes map as (1) Unclassified: D/minimal, (2) Confidential: C1, (3) Secret: C2, (4) Top Secret: B1). "+" = required at that class, "=" = same requirement as the class to its left.

Title          | Detail                                                              | D | C1 | C2 | B1
Documentation  | Test documentation; Design documentation, Security features user    |   | +  | +  | +
               | manual, Trusted facility manual                                     |   |    |    |
Assurance      | System architecture verification; Hardware/firmware integrity       |   | +  | +  | +
               | checking; Security testing (test for loopholes)                     |   |    |    |
Accountability | User identification / authorisation                                 |   | +  | +  | +
               | Audit Trail (Beweissicherung)                                       |   |    | +  | +
Access control | Discretionary access control                                        |   | +  | +  |
               | Object reuse: reinitialisation of objects                           |   |    | +  | =
Labels         | Labels, integrity, human readable output                            |   |    |    | +
Verification   | Specification and design verification                               |   |    |    | +
Exporting      | Exporting of labelled information to multilevel & single level      |   |    |    | +
               | devices                                                             |   |    |    |
Requirements in addition to the Orange book:
Secure data exchange Secure data exchange Secure data exchange Secure data exchange Peer entity authentication Peer entity authentication Peer entity authentication Peer entity authentication ++++ ++++ ====
Data integrity Data integrity Data integrity Data integrity ++++ ====
Data confidentiality Data confidentiality Data confidentiality Data confidentiality ++++ ====
Data origin authentication / Non repudiation of origin Data origin authentication / Non repudiation of origin Data origin authentication / Non repudiation of origin Data origin authentication / Non repudiation of origin ++++ ++++
Non repudiation of receipt Non repudiation of receipt Non repudiation of receipt Non repudiation of receipt ++++ ++++
Access control Access control Access control Access control ++++
Legend:+ means as previous class with additional requirements.= means same requirements as previous class.
4. Data Classification
4.3 Classification Example
• In MAC systems, every subject and object in a system has a sensitivity label and a set of categories:
– classification [category]
– Top Secret [CEO, CFO, Board Members]
– Confidential [Internal employees, auditors]
• The function of categories is that even someone with the highest classification isn't automatically cleared to see all information at that level. This supports the concept of need to know.
* From Rothke's material
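Added worked example (not from the slides or from Rothke's material): a small Python model of a sensitivity label that carries a level plus a set of categories, showing how a subject at the highest level is still denied an object whose category it lacks. The level ordering, the category names and the sample labels are assumptions constructed for this example.

```python
# Added example (not from the slides): a minimal mandatory-access-control
# label check with sensitivity levels plus categories, as described above.
# The level ordering and the sample labels are constructed for this example.
from dataclasses import dataclass, field
from typing import FrozenSet

# Ordered sensitivity levels (constructed ordering; higher number = more sensitive).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a classification level and a set of categories."""
    level: str
    categories: FrozenSet[str] = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """self dominates other when its level is at least as high AND its
        categories include every category of other (the need-to-know part)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Read-down rule: the subject's clearance must dominate the object's label."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Write-up rule: the object's label must dominate the subject's clearance,
    so a subject cannot copy sensitive data into a less sensitive object."""
    return obj.dominates(subject)


def access_decisions():
    """Worked scenario (constructed): same top level, different categories."""
    board_minutes = Label("Top Secret", frozenset({"Board Members"}))
    cfo_forecast = Label("Top Secret", frozenset({"CFO"}))
    audit_file = Label("Confidential", frozenset({"auditors"}))

    ceo = Label("Top Secret", frozenset({"CEO", "Board Members"}))
    auditor = Label("Secret", frozenset({"auditors"}))

    return {
        # highest level, but lacks the CFO category -> denied (need to know)
        "ceo_reads_cfo_forecast": can_read(ceo, cfo_forecast),
        "ceo_reads_board_minutes": can_read(ceo, board_minutes),
        # higher level and matching category -> read down allowed
        "auditor_reads_audit_file": can_read(auditor, audit_file),
        # writing Secret-cleared data into a Confidential object is refused
        "auditor_writes_audit_file": can_write(auditor, audit_file),
    }


if __name__ == "__main__":
    for decision, allowed in access_decisions().items():
        print(f"{decision}: {'allow' if allowed else 'deny'}")
```

The dominance check is the whole point: a label is a pair (level, categories), and both halves must be satisfied, which is how the categories enforce need to know on top of the classification hierarchy.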
4. Data Classification
4.4 Classification Criteria
• Value
• Age/Useful life
• Authorization
• Custody
• Reproduction
• Logging
• Marking & labelling
* From Chris's material
4. Data Classification
4.5 Misc Issues
• In a commercial setting, responsibility for assigning data classification labels lies with the person who created or updated the information.
• With the exception of general business correspondence, all externally provided information which is not public in nature must have a data classification system label.
• All tape reels, floppy disks and other computer storage media containing secret, confidential or private information must be externally labelled with the appropriate sensitivity classification.
• Holders of sensitive information must take appropriate steps to ensure that these materials are not available to unauthorized persons.
* From Rothke's material
5. Data / Information
5.1 Data vs. Information
• Data are physical phenomena chosen by convention to represent certain aspects of our conceptual and real world. The meanings we assign to data are called information. Data are used to transmit and store information and to derive new information by manipulating the data according to formal rules.
• Controlling access to information can be elusive and may have to be replaced by controlling access to data.
• If there is a close link between information and the corresponding data, the two approaches may give very similar results. However, this is not always the case.
* From Sungkwon's material
5. Data / Information
5.2 Data/Information Problems
• Covert channel: response time or memory usage is used to signal information.
• Inference problem: combinations of statistical queries give information on individual entries.
• Data aggregation: occurs when smaller pieces of information are assembled together to provide the 'big picture', through data collection techniques.
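Added worked example (not from the slides): the inference problem on a statistical database, and two textbook controls a query front end can apply against it. The employee rows, the salaries and the thresholds k and r are constructed for this example.

```python
# Added example (not from the slides): the inference problem on a statistical
# database, and two textbook controls (query-set size and query-set overlap)
# that a query front end can apply. The employee rows, the salaries and the
# thresholds k and r are constructed for this example.
from typing import Callable, Dict, List, Optional

Row = Dict[str, object]
Predicate = Callable[[Row], bool]

# Constructed sample data (not real people or salaries).
EMPLOYEES: List[Row] = [
    {"name": "Ahn",  "dept": "eng", "salary": 100},
    {"name": "Baek", "dept": "eng", "salary": 120},
    {"name": "Cho",  "dept": "eng", "salary": 90},
    {"name": "Do",   "dept": "eng", "salary": 110},
    {"name": "Eom",  "dept": "eng", "salary": 200},
    {"name": "Fan",  "dept": "ops", "salary": 80},
    {"name": "Gil",  "dept": "ops", "salary": 85},
    {"name": "Han",  "dept": "ops", "salary": 95},
]


def raw_sum(rows: List[Row], where: Predicate) -> int:
    """An unrestricted aggregate query: total salary over the matching rows."""
    return sum(int(r["salary"]) for r in rows if where(r))


def inference_by_differencing(rows: List[Row]) -> int:
    """The problem the slide names: two aggregate queries that each look
    harmless, but whose query sets differ by one person, reveal that
    person's individual salary when subtracted."""
    whole_dept = raw_sum(rows, lambda r: r["dept"] == "eng")
    all_but_one = raw_sum(rows, lambda r: r["dept"] == "eng" and r["name"] != "Eom")
    return whole_dept - all_but_one


class StatQueryGuard:
    """Front end that answers aggregate queries only when two controls pass:
    1. query-set size: the matching set and its complement each hold >= k rows
       (blocks queries that isolate an individual directly or by complement);
    2. query-set overlap: the matching set shares at most r rows with any
       previously answered query set (blocks the differencing shown above).
    A refused query returns None."""

    def __init__(self, rows: List[Row], k: int = 3, r: int = 2) -> None:
        self.rows = rows
        self.k = k
        self.r = r
        self.answered: List[frozenset] = []   # query sets already released

    def total(self, where: Predicate) -> Optional[int]:
        match = frozenset(i for i, row in enumerate(self.rows) if where(row))
        if len(match) < self.k or len(self.rows) - len(match) < self.k:
            return None                       # query-set size control
        if any(len(match & prev) > self.r for prev in self.answered):
            return None                       # query-set overlap control
        self.answered.append(match)
        return sum(int(self.rows[i]["salary"]) for i in match)


if __name__ == "__main__":
    print("individual salary recoverable by differencing:", inference_by_differencing(EMPLOYEES))
    guard = StatQueryGuard(EMPLOYEES)
    print("eng total:", guard.total(lambda r: r["dept"] == "eng"))
    print("eng minus one person:", guard.total(lambda r: r["dept"] == "eng" and r["name"] != "Eom"))
```

Query-set-size control alone does not stop the differencing, because both queries match well over k rows; the overlap control does, at the cost of refusing some legitimate queries, which is the usual trade-off with these controls.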
5. Data / Information
5.3 Responsibility
• Owner
– Business manager or other person who is responsible for that information asset
– Responsible for determining the sensitivity and criticality of the information
– Periodically reviews that classification to ensure that it still meets the business needs
– Ensures that security controls are in place commensurate with the classification
– Reviews and ensures currency of the previously granted access rights
5. Data / Information
5.3 Responsibility
• Custodian
– Information systems person
– Performs backups according to requirements established by the information owner
– When necessary, restores lost or damaged files
• End user
– Any employees, contractors or other users who access the information from time to time
– Maintaining confidentiality of usernames & passwords
6. Employment policies & practices
6.1 Staffing Process
• Defining the position (job description)
– Separation of duties
– Least privilege: need to know
• Determining the sensitivity of the position
• Filling the position
– Background check
• Training
– Responsibility & duty
– Very cost-effective
* From Sungkwon's material
6. Employment policies & practices
6.2 Background Check
What can a background check potentially prevent:
– lawsuits from terminated employees
– lawsuits from 3rd parties or customers for negligent hiring
– unqualified employees
– lost business and profits
– time wasted recruiting, hiring and training
– theft, embezzlement or property damage
– money lost (to recruiters' fees, signing bonus)
– negligent hiring lawsuit
– decrease in employee morale
– workplace violence, or sexual harassment suits
* From Rothke's material
6. Employment policies & practices
6.2 Background Check
• Who should be checked? Employee background checks should be performed for all sensitive positions. Information security staff in sensitive positions include those responsible for:
– firewall administration
– e-commerce management
– Kerberos administrator
– SecurID & password usage
– PKI and certificate management
– router administrator
* From Rothke's material
6. Employment policies & practices
6.2 Background Check
• What can be checked for an applicant:
– Credit report
– SSN searches
– Workers' compensation reports
– Criminal records
– Motor vehicle report
– Education verification & credential confirmation
– Reference checks
– Prior employer verification
* From Rothke's material
6. Employment policies & practices
6.3 Employment Agreement
• Non-disclosure
• Restrictions on dissemination of corporate information, i.e., to press, analysts, law enforcement
* From Rothke's material
6. Employment policies & practices
6.4 Termination
• Policies and procedures should come down from HR
• Should address:
– how to handle an employee's departure
– shutting down accounts
– forwarding e-mail and voice-mail
– lock and combination changes
– system password changes
* From Rothke's material
6. Employment policies & practices
6.5 Separation of Duty
• The principle of separation of duties is that an organization should carefully separate duties, so that people involved in checking for inappropriate use are not also capable of making such inappropriate use.
• No person should be responsible for completing a task involving sensitive, valuable or critical information from beginning to end. Likewise, a single person must not be responsible for approving their own work.
* From Rothke's material
6. Employment policies & practices
6.5 Separation of Duty
* From CISA Review
[Figure: segregation-of-duties matrix. Rows and columns are the roles SP, SA, AP, Data Entry (DE), Operator, DBA, Security administrator, Tape Librarian and QA; an X marks a combination of duties the matrix flags as incompatible.]
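Added worked example (not from the slides or from the CISA Review material): a Python check of role assignments against a separation-of-duties conflict matrix in the spirit of the matrix above, together with the two rules stated in 6.5 (no one person owns a sensitive task end to end; no one approves their own work). Which role pairs conflict is an assumption constructed for this example; an organisation must substitute its own matrix.

```python
# Added example (not from the slides): checking role assignments against a
# separation-of-duties conflict matrix. Which role pairs conflict is an
# ASSUMPTION constructed for this example; use your organisation's own matrix.
from typing import Dict, FrozenSet, List, Set

# Constructed conflict matrix: each frozenset is a pair of roles that one
# person must not hold at the same time.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"application_programmer", "computer_operator"}),
    frozenset({"application_programmer", "dba"}),
    frozenset({"systems_programmer", "security_administrator"}),
    frozenset({"security_administrator", "dba"}),
    frozenset({"data_entry", "quality_assurance"}),
    frozenset({"tape_librarian", "computer_operator"}),
}


def conflicting_pairs(roles: Set[str]) -> Set[FrozenSet[str]]:
    """Return every conflicting role pair contained in one person's role set."""
    return {pair for pair in CONFLICTS if pair <= roles}


def check_assignments(user_roles: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Map each user to a sorted list of 'roleA+roleB' conflicts (empty = clean)."""
    report: Dict[str, List[str]] = {}
    for user, roles in user_roles.items():
        report[user] = sorted("+".join(sorted(p)) for p in conflicting_pairs(roles))
    return report


def end_to_end_violation(task_steps: Dict[str, str]) -> bool:
    """True when one person performs every step of a task from beginning to end."""
    return len(set(task_steps.values())) == 1


def self_approval(requester: str, approver: str) -> bool:
    """True when someone would be approving their own work."""
    return requester == approver


if __name__ == "__main__":
    # Constructed sample assignments.
    users = {
        "kim": {"application_programmer", "computer_operator"},   # conflict
        "lee": {"dba", "quality_assurance"},                       # clean
        "park": {"security_administrator", "dba", "data_entry"},  # conflict
    }
    for user, problems in check_assignments(users).items():
        print(user, "->", problems or "ok")
    change = {"request": "kim", "develop": "kim", "test": "kim", "deploy": "kim"}
    print("end-to-end violation:", end_to_end_violation(change))
    print("self approval:", self_approval("lee", "lee"))
```

Running the check over an access-rights export is a cheap periodic control: it turns the matrix on the slide into a list of concrete users whose combined roles would let them both perform and conceal an inappropriate action.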
7. Policy, Standard, Guideline & Procedures
7.1 Definition
• Policy: a high-level statement of beliefs, goals and objectives, and a general means for their attainment for a subject area.
• Procedure: spells out the specific steps of how the policy, supporting standards and guidelines will be implemented. A procedure is a description of tasks that must be executed in a specific order.
7. Policy, Standard, Guideline & Procedures
7.1 Definition
• Standard: a mandatory activity, action, rule or regulation designed to provide policies with the support structure and specific direction they require to be effective.
• Guideline: a more general statement of how to achieve the policies' objectives by providing a framework within which to implement procedures. Where standards are mandatory, guidelines are recommendations.
7. Policy, Standard, Guideline & Procedures
7.2 Information Security Policy
• Policy is perhaps the most crucial element in a corporate information security infrastructure.
• Marcus Ranum defines a firewall as “the implementation of your Internet security policy. If you haven’t got a security policy, you haven’t got a firewall. Instead, you’ve got a thing that’s sort of doing something, but you don’t know what it’s trying to do because no one has told you what it should do”.
• Corporate computing is a complex operation. Effective policies can rectify many of the weaknesses and faults.
* From Rothke's material
7. Policy, Standard, Guideline & Procedures
7.2 Information Security Policy
• Benefits:
– Ensure systems are utilized in the manner intended
– Ensure users understand their roles & responsibilities
– Control legal liability
* From Rothke's material
7. Policy, Standard, Guideline & Procedures
7.2 Information Security Policy
• Components of an effective policy:
– Title
– Purpose
– Authorizing individual
– Author/sponsor
– Reference to other policies
– Scope
– Measurement expectations
– Exception process
– Accountability
– Effective/expiration dates
– Definitions
* From Rothke's material
7. Policy, Standard, Guideline & Procedures
7.2 Information Security Policy
• How to ensure that policies are understood:
– Jargon-free/non-technical language
– Rather than “when creating software authentication codes, users must endeavor to use codes that do not facilitate nor submit the company to vulnerabilities in the event that external operatives break such codes”, use “passwords that are guessable should not be used”.
• Focused
• Job-position independent
• No procedures, techniques or methods
– Policy is the approach. The specific details & implementations should be in another document.
• Responsibility for adherence
– Users must understand the magnitude & significance of the policy. “I thought this policy didn’t apply to me” should never be heard.
7. Policy, Standard, Guideline & Procedures
7.2 Information Security Policy
• How should policies be disseminated?
– New hires should get hard copies at orientation
– Rehires should go through orientation
– Hard copies
– Web/corporate intranet
– Brochures
– Videos
– Posters
– e-mail/voice-mail
8. Security Management
8.1 Security Management (ISO)
• ISO/IEC TR 13335-1: Concepts and models for IT security – for IT security officers
• ISO/IEC TR 13335-2: Managing and planning IT security – for managers with IT-related responsibilities
• ISO/IEC TR 13335-3: Techniques for the management of IT security
• ISO/IEC TR 13335-4: Selection of safeguards
• ISO/IEC TR 13335-5: Application of IT security services & mechanisms: provides guidance in determining the security safeguards for external network connections
• GMIT (Guidelines for the Management of IT Security)
• ISO (the International Organization for Standardization)
• IEC (the International Electrotechnical Commission)
• JTC (Joint Technical Committee)
• Type 3: when a technical committee has collected data of a different kind from that which is normally published as an International Standard
8. Security Management
8.2 ISO/IEC TR 13335-1
• Concepts
– IT security management requires corporate security objectives, strategies, and policies
– Security awareness is an essential element for IT security
– Effective security requires accountability and explicit assignment of security responsibilities
• Elements
– Assets, threats, vulnerabilities, impact, risk and safeguards
8. Security Management
8.2 ISO/IEC TR 13335-1
• ISO/IEC TR 13335-1: IT security management processes
– Risk management
– Risk analysis
– Security awareness
– Monitoring and compliance testing
8. Security Management
8.2 ISO/IEC TR 13335-1
Relationships
[Figure: relationships between the security elements of ISO/IEC TR 13335-1. Boxes: Assets, Values, Protection Requirements, Threats, Vulnerabilities, Risk, Safeguards. Arrow labels in the figure: expose, have, indicate, exploit, increase, protect against, met by.]
8. Security Management
8.3 ISO/IEC TR 13335-2 (Managing & Planning IT Security)
ISO: Overview of the planning & management of IT security
[Figure: Corporate IT Security Policy; Organizational aspects of IT security; Corporate risk analysis strategy options (Baseline approach, Informal approach, Detailed risk analysis, Combined approach); IT security recommendations; Safeguards; IT system security policy; IT security plan; Implementation; Security awareness; Follow up; Risk management.]
8. Security Management
8.3 ISO/IEC TR 13335-2 (Managing & Planning IT Security)
Policy Relationship
[Figure: Corporate Business Policy (derived from objectives and strategy); Corporate Marketing Policy; Corporate Security Policy; Corporate IT Policy; Corporate IT Security Policy; Department IT Security Policy; System A, B, C… IT Security Policy.]
• Objective: what is to be achieved
• Strategy: how to achieve the objective
• Policy: the rules for achieving the objective
8. Security Management
8.3 ISO/IEC TR 13335-2 (Managing & Planning IT Security)
Policy Relationship (NSW Government Agency)
[Figure: Corporate business objectives & strategies; Corporate Marketing (etc.) Policy; Corporate Security Policy; Corporate IT Policy; Corporate IT Security Policy; Department IT Security Policy; Policy on specific security issue; Specific IT System Security Policy.]
8. Security Management
8.3 ISO/IEC TR 13335-2 (Managing & Planning IT Security)
• Corporate IT security policy elements
– IT security requirements (in terms of confidentiality, integrity, availability, accountability, authenticity and reliability)
– Assignment of responsibilities
– Security in development & procurement
– Directives and procedures
– Information classification
– Risk management strategies
– Contingency planning and incident handling
– Personnel issues including awareness and training
– Legal & regulatory obligations
– Outsourcing management
8. Security Management
8.3 ISO/IEC TR 13335-2 (Managing & Planning IT Security)
Policy Relationship
[Figure: organisational relationships. Corporate Management; IT steering committee; IT security forum (IT representatives, IT user representatives); Corporate Security Officer; Corporate IT Security Officer; Corporate IT Security Policy & Directives; Department IT Security Officer; Department IT Security Policy & Directives; IT project or system security officer; IT project or system security policy.]
8. Security Management
8.3 ISO/IEC TR 13335-2
• IT security forum
– Advise the IT steering committee regarding strategic security planning
– Formulate a corporate IT security policy in support of the IT strategy and obtain approval from the IT steering committee
– Translate the corporate IT security policy into an IT security program
– Monitor the implementation of the IT security program
– Review the effectiveness of the corporate IT security policy
– Promote the awareness of IT security issues
– Advise on resources needed to support the planning process and IT security program implementation
8. Security Management
8.3 ISO/IEC TR 13335-2
• Corporate IT security officer
– Act as the focus of all IT security aspects within the organization
– Oversight of the implementation of the IT security program
– Liaison with & reporting to the IT security forum & the corporate security officer
– Maintaining the corporate IT security policy & directives
– Coordinating incident investigations
– Managing the corporate-wide awareness program
– Determining the terms of reference for IT project & system security officers
• IT project and IT system security officer
– May not be a full-time role
– Liaison with & reporting to the corporate IT security manager
– Issuing & maintaining the IT project or system security policy
– Developing & implementing the security plan
– Day-to-day monitoring of implementation & use of the IT safeguards
– Initiating & assisting in incident investigations
8. Security Management
8.3 ISO/IEC TR 13335-2
• Baseline approach
– Select a set of safeguards to achieve a baseline level of protection for all systems
• Advantages
– The time & effort on safeguard selection is reduced
– The same or similar baseline safeguards can be adopted for many systems without great effort
• Disadvantages
– The baseline can be set too high or too low
– Difficulties in managing security changes
8. Security Management
8.3 ISO/IEC TR 13335-2
• Informal approach
– Is not based on structured methods, but exploits the knowledge and experience of individuals
• Advantages
– No additional skills need to be learnt to do this analysis
– Quicker than detailed analysis
• Disadvantages
– Likelihood of missing some risks
– Subjective
– Little justification for the safeguards
– Difficulties in managing security changes
8. Security Management
8.3 ISO/IEC TR 13335-2
• Detailed risk analysis
– Identification, valuation, level of threat, vulnerability
• Advantages
– Security level is identified
– Effective in managing security changes
• Disadvantage
– Considerable amount of time, effort and expertise
8. Security Management
8.3 ISO/IEC TR 13335-2
• Combined risk analysis
– Identify those systems which are at high risk or critical to business operation using a high-level risk analysis
– Based on these results, the systems are categorized: is a detailed risk analysis required, or is baseline protection sufficient?
– In most circumstances this option offers the most cost-effective approach and is a highly recommended risk analysis option
• Disadvantage
– If the high-level risk analysis leads to inaccurate results,…
8. Security Management
8.3 ISO/IEC TR 13335-2
• Safeguard selection
– Those which prevent, reduce, monitor, detect or correct unwanted incidents and recover from them
– HW (backup, keys), SW (electronic signatures, logging), communication (FW, encryption), physical (fence, badges), personnel, administration
– For new systems: include security architecture
– Ensure effective operations
– Change -> awareness program, change management and configuration management
• Risk acceptance
– Identify and assess residual risk
– Classify the residual risks into “acceptable” and “unacceptable” for the organization
– If the “unacceptable” risks cannot be tolerated, additional safeguards limiting the risk are needed
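Added worked example (not from the slides or from ISO/IEC TR 13335-2 itself): the combined approach (high-level risk analysis first, then either detailed analysis or baseline protection) and the risk acceptance step above, written as one small Python procedure. The 1..3 rating scales, the thresholds, and the sample systems and safeguards are assumptions constructed for this example.

```python
# Added example (not from the slides): the combined approach and the risk
# acceptance step as one procedure. The 1..3 rating scales, the thresholds
# and the sample systems/safeguards are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class System:
    name: str
    asset_value: int    # 1..3: business impact if compromised (3 = critical)
    threat: int         # 1..3: likelihood of a relevant threat
    vulnerability: int  # 1..3: how easily the threat can exploit the system


def risk_level(s: System) -> int:
    """High-level risk rating: asset value x threat x vulnerability (1..27)."""
    return s.asset_value * s.threat * s.vulnerability


def combined_triage(systems: List[System], detailed_threshold: int = 12) -> Dict[str, List[str]]:
    """Combined approach: systems that are critical to the business (asset
    value 3) or whose high-level risk reaches the threshold get a detailed
    risk analysis; for the rest, baseline protection is considered sufficient."""
    detailed, baseline = [], []
    for s in systems:
        if s.asset_value == 3 or risk_level(s) >= detailed_threshold:
            detailed.append(s.name)
        else:
            baseline.append(s.name)
    return {"detailed_risk_analysis": detailed, "baseline_sufficient": baseline}


def residual_risk(s: System, safeguards: Dict[str, int]) -> int:
    """Residual risk after safeguards: each safeguard lowers the vulnerability
    rating by the amount given (never below 1); value and threat are unchanged."""
    reduced = max(1, s.vulnerability - sum(safeguards.values()))
    return s.asset_value * s.threat * reduced


def risk_acceptance(residual: Dict[str, int], acceptable_max: int = 6) -> Dict[str, List[str]]:
    """Classify residual risks into acceptable / unacceptable; the unacceptable
    ones need additional safeguards (or an explicit management decision)."""
    out: Dict[str, List[str]] = {"acceptable": [], "unacceptable": []}
    for name, level in residual.items():
        out["acceptable" if level <= acceptable_max else "unacceptable"].append(name)
    return out


# Constructed sample inventory.
SYSTEMS = [
    System("payroll", asset_value=3, threat=2, vulnerability=2),
    System("public_website", asset_value=2, threat=3, vulnerability=3),
    System("intranet_wiki", asset_value=1, threat=2, vulnerability=2),
    System("print_server", asset_value=1, threat=1, vulnerability=3),
]


def worked_example() -> Dict[str, object]:
    """Runs the triage, applies a safeguard plan to the systems selected for
    detailed analysis and returns the acceptance decision."""
    triage = combined_triage(SYSTEMS)
    by_name = {s.name: s for s in SYSTEMS}
    # Constructed safeguard plan: each entry reduces the vulnerability rating by 1.
    plan = {"payroll": {"patching": 1}, "public_website": {"web_app_firewall": 1}}
    residual = {n: residual_risk(by_name[n], plan.get(n, {}))
                for n in triage["detailed_risk_analysis"]}
    return {"triage": triage, "residual": residual, "acceptance": risk_acceptance(residual)}


if __name__ == "__main__":
    print(worked_example())
```

The useful output is the "unacceptable" list: it is exactly the set of systems for which the slide's last bullet applies, i.e. further safeguards (or a documented decision to tolerate the risk) are required before the plan is signed off.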
• IT system security policy
- Should be based on the corporate and departmental security policy
- Comprises a set of principles and rules for the protection of systems and services
- The policies must be implemented by the application of appropriate safeguards to the system and services, to ensure that an adequate level of protection is achieved
- Key issues
  - definition of the considered IT system and its boundary
  - definition of the business objectives to be achieved with the system
  - potential adverse business impacts
  - level of investment in IT
  - significant threats, vulnerabilities and security safeguards
  - cost of safeguards
• IT system security plan
- A document which defines the coordinated actions to be undertaken to implement an IT system security policy
- Should contain the primary actions to be undertaken within the short, medium and long range, the associated costs, and an implementation time schedule
- Contents
  - an overall security architecture and design
  - a short review of the IT system
  - an identification of the safeguards and the confidence in the safeguards
  - identification and definition of actions to implement the safeguards
  - a detailed work plan for the implementation of the safeguards
  - project control activities
  - the security awareness and training requirements
  - requirements for the development of security operating procedures
• Implementation of safeguards
- Responsibility: IT system security officer
- Ensure: the cost of safeguards is within the approved range, and the safeguards are correctly implemented and operating as required by the IT security plan
- Needs operational and administrative procedures
- Security training and awareness
- Approval process (accreditation): the formal process of approving the implementation of the safeguards specified in the IT system security plan. Approval -> authorization for the IT system or service to be put into operation
• Security awareness
- Should be implemented at all levels of the organization
- Should pass on the knowledge of the corporate IT security policy and assure a complete understanding of the security guidelines and the appropriate actions
- Should cover the objectives of the corporate security plan
- Should be repeated periodically
- The aim of an awareness program: significant IT system risks exist, with major consequences!
Follow up: Maintenance / Security compliance / Monitoring / Incident handling
• Maintenance of safeguards
- Resource allocation for maintenance
- Periodic re-validation
- Upgrade
- Responsibility
- HW or SW change -> existing safeguards
- Advances in technology
• Security compliance (security audit, security review)
- External or internal personnel
- Use of checklists relating to the IT projects or the IT system security policy
- Spot checks
• Monitoring
- What has been achieved against the targets and deadlines set out
- Whether or not the achievements are satisfactory, and where specific initiatives did or did not work
- Logs
• Incident handling
- Provides the ability to react to accidental or deliberate disruption of normal IT system operation
- Objectives: to react to an incident in a sensible and effective manner, and to learn from the incident so that future similar adverse events may be precluded
- Documentation: who, what time…
8.4 ISO/IEC TR 13335-3
• Techniques for
- Assessing the IT security objectives, strategy, and policies
- Deciding on the corporate risk analysis options
- Carrying out the combined approach
- Implementing the IT security plan
- Carrying out the follow-up procedures
[Figure: ISO/IEC TR 13335-3, management of IT security. IT security objectives, strategy and policy (IT security objectives and strategy; IT security policy) -> corporate risk analysis strategy options (baseline approach, informal approach, detailed risk analysis, combined approach) -> combined approach (high level risk analysis; detailed risk analysis; baseline approach; risk acceptance; selection of safeguards; IT system security policy; IT security plan) -> implementation of the IT security plan (safeguards; accreditation; awareness; training) -> follow up (security compliance checking; change management; monitoring; incident handling; maintenance).]
8.5 ISO/IEC TR 13335-4 (Selection of safeguards)
• Guidance on selection of
- Safeguards according to the type and characteristics of the IT system
- Safeguards according to assessments of security concerns and threats
- Safeguards according to the results of a risk analysis review
• References to safeguard manuals
• Establishment of an organization-wide baseline
• Baseline security
- The minimum level of security defined by the organization for a set of IT systems. This level of baseline security is achieved by implementing a minimum set of safeguards known as baseline controls
- Selection of safeguards for one or more IT systems according to safeguard catalogues
- "Baseline" for the whole organization: a minimum level (always fulfilled), a medium level (deviation upwards or downwards possible)
[Figure: ISO selection of baseline safeguards for an IT system. Basic assessment (identification of the IT system; identification of environmental conditions; assessment of existing safeguards) -> what type of assessment? -> either selection of baseline safeguards according to IT system type, or assessment of security requirements followed by selection of baseline safeguards according to security requirements and concerns. Both branches distinguish the same IT system types: stand-alone workstation; workstation connected to an internal network; server connected to an internal network; workstation connected to an external network; server connected to an external network; workstation connected to an internal & an external network; server connected to an internal & an external network.]
9. Risk Management
9.1 Risk Management
• Risk Management
- Risk identification
- Risk analysis (qualitative, quantitative)
- Risk response planning
- Risk monitoring and control
• Risk Assessment
- Impact
- Likelihood/Probability
9.2 Risk Assessment Method
• Qualitative
- The process of assessing the impact and likelihood of identified risks
- Prioritizes risks according to their potential effect
- Judgement and intuition
- Delphi technique
• Qualitative Pros
- Calculations are simple and readily understood and executed
- Not necessary to determine quantitative threat frequency & impact data
- Not necessary to estimate the cost of recommended risk mitigation measures & calculate cost/benefit
- A general indication of significant areas of risk that should be addressed is provided
• Qualitative Cons
- Risk assessment & results are essentially subjective in both process & metrics. Use of independently objective metrics is eschewed
- No effort is made to develop an objective monetary basis for the value of targeted information assets
- No basis is provided for cost/benefit analysis of risk mitigation measures; only a subjective indication of a problem
- It is not possible to track risk management performance objectively when all measures are subjective
• Quantitative
- The process of analyzing numerically the probability of each risk and its consequence, as well as the extent of risk
• Methods
- ALE (Annual Loss Expectation) = Estimated impact ($) × Estimated frequency per year
- Scoring: Weighted risk score = weight factor × risk level
- NPV = PV(Benefits) − PV(Costs)
- BCR (Benefit-cost ratio) = PV(Benefits) / PV(Costs)
- IRR
- Decision tree
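The ALE, NPV and BCR formulas above carried through on one safeguard decision, as an added example that is not part of the original slides; the loss figures, incident frequencies, safeguard costs, three-year horizon and 10% discount rate are constructed assumptions.

```python
"""Quantitative risk assessment figures: ALE, NPV and BCR of a safeguard.

Added example, not from the original slides. All money figures, frequencies,
the three-year horizon and the 10% discount rate are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    name: str
    impact_per_incident: float   # estimated impact ($) of one occurrence
    frequency_per_year: float    # estimated occurrences per year


def ale(scenario: LossScenario) -> float:
    """ALE (Annual Loss Expectation) = estimated impact $ * estimated frequency per year."""
    return scenario.impact_per_incident * scenario.frequency_per_year


def present_value(cash_flows: list, rate: float) -> float:
    """PV of year-end cash flows for years 1..n, discounted at `rate`."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows, start=1))


def evaluate_safeguard(before: LossScenario, after: LossScenario,
                       initial_cost: float, annual_cost: float,
                       years: int, rate: float) -> dict:
    """Cost/benefit of a safeguard: the yearly benefit is the ALE it removes.

    Returns the ALE before and after, NPV = PV(Benefits) - PV(Costs) and
    BCR = PV(Benefits) / PV(Costs). NPV > 0 (equivalently BCR > 1) means the
    safeguard is worth more than it costs over the horizon.
    """
    annual_benefit = ale(before) - ale(after)
    pv_benefits = present_value([annual_benefit] * years, rate)
    pv_costs = initial_cost + present_value([annual_cost] * years, rate)
    return {
        "ale_before": ale(before),
        "ale_after": ale(after),
        "npv": pv_benefits - pv_costs,
        "bcr": pv_benefits / pv_costs,
        "worthwhile": pv_benefits > pv_costs,
    }


# Constructed scenario: a server compromise costing $50,000 per incident,
# expected once every two years; the safeguard cuts that to once in 20 years.
BEFORE = LossScenario("server compromise, no safeguard", 50_000, 0.5)
AFTER = LossScenario("server compromise, with safeguard", 50_000, 0.05)


def cheap_safeguard() -> dict:
    """$20,000 to deploy plus $5,000 per year, evaluated over 3 years at 10%."""
    return evaluate_safeguard(BEFORE, AFTER, 20_000, 5_000, 3, 0.10)


def expensive_safeguard() -> dict:
    """Same risk reduction but $60,000 to deploy: the numbers no longer justify it."""
    return evaluate_safeguard(BEFORE, AFTER, 60_000, 5_000, 3, 0.10)


if __name__ == "__main__":
    for case in (cheap_safeguard(), expensive_safeguard()):
        print(f"ALE {case['ale_before']:,.0f} -> {case['ale_after']:,.0f}; "
              f"NPV {case['npv']:,.0f}; BCR {case['bcr']:.2f}; "
              f"worthwhile={case['worthwhile']}")
```

The cheap safeguard removes $22,500 of ALE per year (PV about $55,954 over three years) against about $32,434 of discounted cost, so NPV is positive and BCR about 1.73; the $60,000 variant has the same benefit but BCR below 1.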
• Quantitative Pros
- Assessment & results are based substantially on independently objective processes & metrics. Thus, meaningful statistical analysis is supported
- The value of information (availability, confidentiality & integrity), as expressed in monetary terms with supporting rationale, is better understood. Thus, the basis for expected loss is better understood
- A credible basis for cost/benefit assessment of risk mitigation measures is provided. Thus, information security budget decision-making is supported
• Quantitative Cons
- Calculations are complex. If they are not understood or effectively explained, management may mistrust the results of "black-box" testing
- A substantial amount of information about the target information & its IT environment must be gathered
- There is not yet a standard, independently developed & maintained threat population & frequency knowledge base. Thus, users must rely on the credibility of the vendors who develop & support the automated tools or perform the research
9.3 Risk Assessment Elements
[Figure: relationships between the risk assessment elements. Threats (위협) exploit Vulnerabilities (취약성), which expose Assets; Assets have Values, which indicate Protection Requirements; Protection Requirements are met by Safeguards (보안대책), which protect against (방어) Threats. Threats, Vulnerabilities and asset Values each increase Risk.]
[Figure: asset, control (safeguard), threat and vulnerability. A control covers a threat; a threat may circumvent a control; an unreliable control over a threat is itself a vulnerability.]
9.4 Risk Management Process
[Figure: ISO risk management involving detailed risk analysis. Risk analysis: establishment of review boundary -> identification of assets -> valuation of assets and establishment of dependencies between assets -> threat assessment, assessment of vulnerabilities and identification of existing/planned safeguards -> identification/review of constraints -> assessment of risks. Then selection of safeguards -> risk acceptance (No: return to selection of safeguards; Yes: continue) -> IT system security policy -> IT security plan.]
9.5 Establishment of review boundary
• Boundary description
- IT assets (HW, SW, information…)
- People (staff, subcontractors…)
- Environment (buildings, facilities…)
- Activities (operations…)
9.6 Asset Identification
9.7 Asset Valuation
• Should be done for each asset (or group)
• Represents the importance of the asset
• Give a value each for confidentiality, integrity, and availability
• Qualitative or quantitative
• Methods
- Delphi method
- Scale (1–10) rank
- Logarithmic scale ($100 -> 2, $1 million -> 6)
- Negligible / low / medium / high / very high
• Questions to settle: asset value? loss period? asset age? how lost? who values?
9.8 Threat Assessment
• A threat: some action or event that can lead to a loss; a possible source of harm for the IT system
• Sources of threat and examples of threat types
(1) Nature / act of God: earthquake, flood, fire, gases…
(2) HW suppliers: unreliable, ineffective or incompatible HW, improper maintenance…
(3) SW suppliers: erroneous or ineffective SW, improper maintenance…
(4) Contractors: erroneous or ineffective SW, untimely provision of services…
(5) Competitors: sabotage, lawsuits, espionage
(6) Debt and equity holders: financial distress through foreclosure on claims
(7) Unions: strike, sabotage
(8) Governments: financial distress through regulation
(9) Environmentalists
(10) Hackers: theft, espionage
9.9 Vulnerability Assessment
• Vulnerability
- A weakness which allows a threat to occur
- A vulnerability in itself does not cause harm
• Examples
- Unprotected connections
- Untrained users
- Wrong selection of passwords
- Lack of access control
- No backup copies
• Output
- A list of vulnerabilities and an assessment of the ease of exploitation, e.g. on a scale of high, medium, low
9.10 Identifying existing safeguards (controls)
• Existing safeguards (controls)
- They can reduce threats and/or vulnerabilities
- They can be vulnerabilities themselves if they are not functioning or used correctly
- All future safeguards should be compatible with the existing ones
- This identification includes safeguards which are planned but not yet implemented
• Output
- A list of all existing & planned safeguards, and their implementation and use status
9.11 Assessment of Risk
• Risk = f(value of assets, likelihood of threats, ease of exploitation of the vulnerabilities by the threat, existing safeguards)
• Output
- A list of measured risks for each of the impacts of disclosure, modification, non-availability, and destruction, for each of the assets of the considered IT system
• The measure of risk
- Helps identify which risks should be dealt with first when selecting safeguards
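The risk function and its output carried through in code, and then the risk acceptance step from 8.3 (classifying residual risks as acceptable or unacceptable), as an added example that is not part of the original slides; the additive 0–8 scoring scheme, the asset values, the threat and vulnerability ratings, the safeguard statuses and the acceptance threshold are all constructed assumptions.

```python
"""Measuring risk per asset and impact type, then classifying residual risk.

Added example, not from the original slides. The additive scoring scheme
(asset value 0-4 plus threat likelihood 0-2 plus ease of exploitation 0-2,
giving a risk measure of 0-8), the asset values, the threat/vulnerability
ratings and the acceptance threshold are all constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass

LEVEL = {"low": 0, "medium": 1, "high": 2}
IMPACT_TYPES = ("disclosure", "modification", "non-availability", "destruction")


@dataclass(frozen=True)
class Safeguard:
    name: str
    implemented: bool   # planned but not yet implemented -> no risk reduction yet
    functioning: bool   # a control that is not working is itself a vulnerability


@dataclass(frozen=True)
class Exposure:
    """A threat exploiting a vulnerability of one asset, and the impacts it can cause."""
    asset: str
    threat: str
    threat_likelihood: str      # low / medium / high
    ease_of_exploitation: str   # low / medium / high, before existing safeguards
    impacts: tuple[str, ...]
    safeguards: tuple[Safeguard, ...] = ()


def effective_ease(exposure: Exposure) -> int:
    """Each existing, working safeguard lowers ease of exploitation by one step (floor 0)."""
    ease = LEVEL[exposure.ease_of_exploitation]
    for sg in exposure.safeguards:
        if sg.implemented and sg.functioning:
            ease -= 1
    return max(ease, 0)


def measure_risk(asset_value: int, exposure: Exposure) -> int:
    """Risk = f(asset value, threat likelihood, ease of exploitation, existing safeguards)."""
    if not 0 <= asset_value <= 4:
        raise ValueError("asset value must be on the 0-4 scale")
    return asset_value + LEVEL[exposure.threat_likelihood] + effective_ease(exposure)


def assess(asset_values: dict[str, dict[str, int]], exposures: list[Exposure]) -> list[dict]:
    """Output of 9.11: measured risks for each asset and impact type, highest first."""
    rows = []
    for ex in exposures:
        for impact in ex.impacts:
            if impact not in IMPACT_TYPES:
                raise ValueError(f"unknown impact type: {impact}")
            rows.append({"asset": ex.asset, "impact": impact, "threat": ex.threat,
                         "risk": measure_risk(asset_values[ex.asset][impact], ex)})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


def classify_residual(rows: list[dict], threshold: int) -> tuple[list[dict], list[dict]]:
    """Risk acceptance: risks above the threshold are unacceptable and need more safeguards."""
    acceptable = [r for r in rows if r["risk"] <= threshold]
    unacceptable = [r for r in rows if r["risk"] > threshold]
    return acceptable, unacceptable


# Constructed inputs: asset values per impact type on the 0-4 scale.
ASSET_VALUES = {
    "customer database": {"disclosure": 4, "modification": 3, "non-availability": 2, "destruction": 4},
    "public web server": {"disclosure": 1, "modification": 3, "non-availability": 3, "destruction": 2},
}
EXPOSURES = [
    Exposure("customer database", "hackers: theft, espionage", "high", "high",
             ("disclosure", "modification"), (Safeguard("access control", True, True),)),
    Exposure("customer database", "unreliable HW", "medium", "medium",
             ("non-availability", "destruction"), (Safeguard("backup", True, False),)),
    Exposure("public web server", "fire, flood", "low", "high",
             ("non-availability", "destruction"), (Safeguard("fire suppression", False, True),)),
]
ACCEPTANCE_THRESHOLD = 5   # constructed: anything scored 6 or more must be treated


def run() -> tuple[list[dict], list[dict]]:
    """Measure, rank and classify the constructed exposures."""
    return classify_residual(assess(ASSET_VALUES, EXPOSURES), ACCEPTANCE_THRESHOLD)


if __name__ == "__main__":
    acceptable, unacceptable = run()
    for r in unacceptable:
        print(f"UNACCEPTABLE risk {r['risk']}: {r['asset']} / {r['impact']} via {r['threat']}")
    for r in acceptable:
        print(f"acceptable   risk {r['risk']}: {r['asset']} / {r['impact']} via {r['threat']}")
```

Note how the non-functioning backup and the planned-only fire suppression earn no credit, which is the point made in 9.10 about existing and planned safeguards.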
9.12 Selection of safeguards
• Identification of safeguards
- Avoid risk, transfer risk, reduce threat, reduce vulnerability, reduce the possible impact, detect unwanted events, react to and recover from them
- The cost factor
- A balance of operational (physical, personnel, administrative) and technical (HW, SW, communication) safeguards
9.13 Risk Acceptance
9.14 IT system security policy & plan
10. Security Awareness
10.1 Security Awareness
• Must be driven from the top down
• Must be comprehensive, all the way down to floppy disks & hard copies
• Education
- Hard copies
- Web-based
- Training & education
10.2 Security Awareness Program
• A security awareness program is intended to
- Indoctrinate system users and support personnel
- Tell them what they are expected to do, why, and the possible repercussions to the company
- Specify the security requirements, including: mode of operation, access requirements, information handling, reporting procedures, unauthorized actions
- Conduct periodic reviews of the information
• The program must effectively communicate the organization's information security requirements and motivate employees and other users to comply with the requirements
10.3 Security Awareness Training
• Appropriate topics for security awareness training
- Policy, procedure and standard
- Error, accident and omission
- Physical and environmental hazards
- Information warfare
- Malicious code/logic
- Intrusion