Security Management Practices · 2008-04-11 · 신수정


Page 1

Security Management Practices

신수정

Page 2

Table of Contents

1. Introduction
2. Security Management concept & principle
3. Change Control
4. Data Classification
5. Data & Information
6. Employment Policy and Practice
7. Policy, Standard, Guideline and procedure
8. Security Management
9. Risk Management
10. Security Awareness

Page 3

1. Introduction

1.1 CBK Overview

The ten domains of the CISSP Common Body of Knowledge (CBK):

(1) Access Control Systems & Methodology
(2) Telecommunications & Network Security
(3) Security Management Practices
(4) Applications & System Development Security
(5) Cryptography
(6) Security Architecture & Model
(7) Operations Security
(8) Business Continuity Planning & DRP
(9) Laws, Investigations and Ethics
(10) Physical Security

Page 4

1. Introduction

1.2 Security Management Practices

Security management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify the threats, classify assets, and rate their vulnerabilities so that effective security controls can be implemented.

• Security Management Concepts & Principles
• Change Control/Management
• Data Classification
• Information/Data
• Employment Policies & Practices
• Policies, Standards, Guidelines and Procedures
• Roles & Responsibilities
• Security Awareness Training
• Security Management Planning

Reference: CISSP Study Guide, ISC2

Page 5

1. Introduction

1.2 Security Management Practices

What you need to understand:

• The planning, organization, and roles of individuals in identifying and securing an organization's information assets
• The development and use of policies stating management's views and position on particular topics, and the use of guidelines, standards, and procedures to support the policies
• Security awareness training
• The importance of confidentiality, proprietary and private information
• Employment agreement, hiring, and termination practices
• Risk management practices

Reference: CISSP Study Guide, ISC2

Page 6

2. Security Management Concepts & Principles

2.1 Security Basics

(1) Confidentiality
- About preventing unauthorized users from reading information to which they are not entitled.
- Ensuring that information is accessible only to those authorized to have access (BS7799).
• Privacy: protection of personal data
• Secrecy: protection of data belonging to an organization

Page 7

2. Security Management Concepts & Principles

2.1 Security Basics

(2) Integrity
- Making sure things are as they should be.
- Safeguarding the accuracy and completeness of information and processing methods (BS7799).
- In the context of computing, integrity is about preventing unauthorized users from writing information to which they are not entitled.
- In a general system, integrity is about ensuring that system state has not been modified by those not authorized to do so.

(3) Availability
- Ensuring that authorized users have access to information and associated assets when required (BS7799).
- About a system's services being accessible on demand by an authorized entity.

Page 8

2. Security Management Concepts & Principles

2.1 Security Basics

(4) Accountability
- The property that enables activities on a system to be traced to individuals, who may then be held responsible for their actions.
- This is typically done by securely identifying users and keeping an audit trail of security-relevant events.

(5) Reliability
- Extent to which a computer can be expected to perform its intended function with the required precision on a consistent basis.
- The probability of a given system performing its mission adequately for a specified period of time under the expected operating conditions.

Page 9

2. Security Management Concepts & Principles

2.1 Security Basics

(6) Identification
- The process that enables recognition of an entity (subject or object) by a computer system, generally by use of unique machine-readable user names.

(7) Authentication
- The act of identifying or verifying the eligibility of a workstation, originator, or individual to access specific categories of information. It provides assurance regarding the identity of a subject or object, for example ensuring that a particular user is who he claims to be.

(8) Authorization
- The privilege granted to an individual by management to access information, based on the individual's clearance and the need-to-know principle.

Page 10

2. Security Management Concepts & Principles

2.1 Security Basics

(9) Non-repudiation
- An authentication that with high assurance can be asserted to be genuine, and that cannot subsequently be refuted. It is the security service by which the entities involved in a communication cannot deny having participated.

(10) Audit
- An independent review and examination of system records and activities to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.

Page 11

3. Change Control & Management

3.1 Why change control?

(1) Why is change control & change management a security issue?
- Many businesses live or die on data integrity
- Changes can break a security model
- Modifying a system can break its warranty

(2) Needed because the change requester often does not understand the security implications of the request

(3) The security administrator must carefully analyze and assess the impact on the system

* From Rothke's material

Page 12

3. Change Control & Management

3.2 Tools & Results

• Tools
- Checksums
- Digital signatures
- Tripwire

• Effective change control can uncover:
- Cases of policy violation by staff, where programs are installed or changed without following the proper notification procedures
- Possible hardware failure leading to data corruption
- Viruses, worms, malicious code

* From Rothke's material

Page 13

3. Change Control & Management

3.3 Objects of change control

• Hardware
- Disks, peripherals
- Device drivers
- BIOS

• Application and operating system software
- Upgrades
- Service packs, patches, fixes
- Changes to the firewall rulebase/proxies
- Router software

* From Rothke's material

Page 14

3. Change Control & Management

3.4 What it takes to work

• For change control & management to work, you must have:
- Golden copies of the software, for comparison use or database generation
- A secure infrastructure. Software must be securely stored on physically protected media. If an intruder can get root and change the golden copies, then the change control tools will be ineffective.

* From Rothke's material
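The checksum/Tripwire approach of 3.2 and the "golden copy" requirement of 3.4 together, as an added example that is not part of the slides or of Tripwire itself: a baseline of file digests is taken from a clean tree, then the live tree is compared against it to list added, removed and modified files. Because the slides' point is that a root intruder who can rewrite the golden copies defeats the tool, the baseline is authenticated with an HMAC whose key is assumed to live off the monitored host; HMAC stands in for the digital signature the slides list, since the standard library has no asymmetric signing. The directory contents, file names and the "intruder" actions are constructed for the demo.

```python
"""File-integrity baseline and verification (added example, Tripwire-style)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its digest and size."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            entries[p.relative_to(root).as_posix()] = {
                "sha256": file_digest(p), "size": p.stat().st_size}
    return entries


def build_baseline(root: Path, key: bytes) -> bytes:
    """Serialise the snapshot and authenticate it with HMAC-SHA256 (the 'golden copy')."""
    body = json.dumps(snapshot(root), sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"entries": body, "hmac": tag}).encode()


def verify(root: Path, baseline: bytes, key: bytes) -> dict:
    """Compare the live tree with the baseline.

    If the baseline's HMAC does not verify, no comparison is attempted: a
    forged baseline could hide every change, which is exactly the failure
    mode the slides warn about.
    """
    doc = json.loads(baseline)
    body = doc["entries"]
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        return {"baseline_ok": False, "added": [], "removed": [], "modified": []}
    old, new = json.loads(body), snapshot(root)
    return {
        "baseline_ok": True,
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new)
                           if old[p]["sha256"] != new[p]["sha256"]),
    }


def demo() -> dict:
    """Constructed scenario: clean baseline, intruder changes, then two verifications."""
    key = b"baseline-signing-key-kept-offline"   # assumption: stored off the monitored host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"original login binary")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_baseline(root, key)

        # Intruder trojans a binary, drops a backdoor and deletes a config file.
        (root / "bin" / "login").write_bytes(b"trojaned login binary")
        (root / "bin" / "backdoor").write_bytes(b"nc -l -p 31337 -e /bin/sh")
        (root / "etc" / "passwd").unlink()
        honest = verify(root, baseline, key)

        # Intruder also rewrites the baseline to match the tampered tree, but
        # cannot recompute the HMAC without the key, so verification refuses it.
        forged_doc = json.loads(baseline)
        forged_doc["entries"] = json.dumps(snapshot(root), sort_keys=True)
        forged = verify(root, json.dumps(forged_doc).encode(), key)
    return {"honest": honest, "forged": forged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The honest verification reports bin/login as modified, bin/backdoor as added and etc/passwd as removed; the forged baseline is rejected before any comparison. In practice the baseline and key would be kept on read-only or remote media, as the slide's "physically protected media" requires.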

Page 15

3. Change Control & Management

3.5 Policy

• Policies, procedures and processes
- Develop policies that will stabilize the production processing environment by controlling all changes made to it
- Formal change control processes will help to ensure that only authorized changes are made, that they are made at the approved time, and that they are made in the approved manner
- Promptly implement security patches, command scripts, and similar items from vendors, CERT, CIAC, etc.
- Have procedures for roll-back to prior versions in case of problems; don't burn your software bridges

• CERT (Computer Emergency Response Team)
• CIAC (Computer Incident Advisory Capability)

* From Rothke's material

Page 16

3. Change Control & Management

3.5 Policy

• Change request form
- Requester name, request date, completion date, priority, requested change, impact of the change on other systems, reason for the change
- A control (tracking) number is assigned to each request

• Change record
- Who made the change, date and time of the change, change request number, details before and after the change

• Changes to production systems
- Approval procedure, automated change control software

* From Rothke's material

Page 17

3. Change Control & Management

3.6 Configuration Management

• Configuration Management
- The management of changes made to a system's hardware, software, firmware, documentation, test, and test documentation throughout the development and operational life of the system: continuous management, tracking and control of the system's operation and of changes to it (version control, change request tracking, ...)
- Is clearly key to a product assurance program
- Can control changes to the established baselines and help to assure system integrity and traceability throughout the software life cycle by providing a foundation for product and performance measurement

* From Rothke's material

Page 18

3. Change Control & Management

3.7 Configuration Auditing

• Configuration Auditing
- Is the process of conducting an independent review and examination of system records and activities
- The purpose is to test for adequacy of system controls, ensure compliance with established policy, and recommend indicated changes in policy, procedures and controls

* From Chris's material

Page 19

4. Data Classification

4.1 Why Classification?

(1) Accountability for assets (BS7799)
- Objective: to maintain appropriate protection of organizational assets
- All major information assets should be accounted for and have a nominated owner
- Accountability for assets helps to ensure that appropriate protection is maintained
- Owners should be identified for all major assets, and the responsibility for the maintenance of appropriate controls should be assigned
- Accountability should remain with the nominated owner of the assets

Page 20

4. Data Classification

4.1 Why Classification?

(2) Information Classification (BS7799)
- Objective: to ensure that information assets receive an appropriate level of protection
- Information should be classified to indicate the need, priorities and degree of protection
- Information has varying degrees of sensitivity and criticality
- An information classification system should be used to define an appropriate set of protection levels and communicate the need for special handling measures
- The responsibility for defining and periodically reviewing the classification should rest with the originator or nominated owner of the data

Page 21

4. Data Classification

4.2 Classification benefits

• Data confidentiality, integrity and availability are improved, since appropriate controls are used throughout the enterprise
• Protection mechanisms are maximized
• A process exists to review the value of company business data
• Decision quality is increased, since the quality of the data upon which the decision is being made has been improved

* From Rothke's material

Page 22

4. Data Classification

4.3 Classification Example

• Classification is part of a mandatory access control model that ensures sensitive data is properly controlled and secured
• The DoD multi-level security policy has 4 classifications:
- Top Secret
- Secret
- Confidential
- Unclassified
• Other levels in use are:
- Eyes only
- Officers only
- Company confidential
- Public

* From Rothke's material

Page 23

4. Data Classification

4.3 Classification Example

• (4) Top Secret - applies to the most sensitive business information, which is intended strictly for use within the organization. Unauthorized disclosure could seriously and adversely impact the company, its stockholders, its business partners, and/or its customers.
• (3) Secret - applies to less sensitive business information which is intended for use within the company. Unauthorized disclosure could adversely impact the company, its stockholders, its business partners, and/or its customers.
• (2) Confidential - applies to personal information which is intended for use within the company. Unauthorized disclosure could adversely impact the company and/or its employees.
• (1) Unclassified - applies to all other information which does not clearly fit into any of the above three classifications. Unauthorized disclosure isn't expected to seriously or adversely impact the company.

* From Rothke's material
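How the four DoD levels above are used inside a mandatory access control model (Page 22), combined with the "clearance and need-to-know" basis for authorization from Page 9, as an added example that is not from the slides: a label is a level plus a set of need-to-know compartments, a clearance "dominates" a label when its level is at least as high and it holds every compartment, reads require the clearance to dominate the object, and writes require the object's label to dominate the clearance so data cannot flow downward. The no-write-down rule is the Bell-LaPadula *-property, which the slides do not name; the compartment name, subjects and objects are constructed.

```python
"""Multi-level MAC decision over classification labels (added example)."""
from dataclasses import dataclass, field

# Hierarchical levels from the slide, lowest to highest.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: hierarchical level plus need-to-know compartments."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """Partial order: level at least as high and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(clearance: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return clearance.dominates(obj)


def can_write(clearance: Label, obj: Label) -> bool:
    """*-property: no write down (the object must dominate the subject)."""
    return obj.dominates(clearance)


def decide(clearance: Label, obj: Label, op: str) -> bool:
    """Reference-monitor entry point; anything not explicitly allowed is denied."""
    if op == "read":
        return can_read(clearance, obj)
    if op == "write":
        return can_write(clearance, obj)
    return False


def demo() -> dict:
    """Constructed subjects and objects exercising both rules."""
    analyst = Label("Secret", frozenset({"FINANCE"}))   # cleared Secret, FINANCE need-to-know
    officer = Label("Top Secret")                        # higher level, no compartments
    quarterly = Label("Secret", frozenset({"FINANCE"}))  # Secret financial report
    memo = Label("Confidential")
    intranet = Label("Unclassified")
    return {
        "analyst_reads_quarterly": decide(analyst, quarterly, "read"),   # True
        "analyst_reads_memo": decide(analyst, memo, "read"),             # True (read down)
        "analyst_writes_intranet": decide(analyst, intranet, "write"),   # False (write down)
        "analyst_writes_quarterly": decide(analyst, quarterly, "write"), # True (same label)
        "officer_reads_quarterly": decide(officer, quarterly, "read"),   # False (no need-to-know)
        "officer_writes_quarterly": decide(officer, quarterly, "write"), # False (write down)
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The officer case is the one worth noticing: a Top Secret clearance does not by itself grant access to Secret material, because the FINANCE compartment encodes need-to-know and the dominance check requires it.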

Page 24

4. Data Classification

4.3 Classification Example

(1) Unclassified - "common sense": a minimum security level (especially if the systems are networked)
• Network sniffing software should not be installed.
• A virus scanner should be installed (DOS/Windows).
• Accounts should only exist for authorised persons and must always have a password.
• Screen locking with password protection should be activated automatically after 15 minutes of idle time.
• Write access to network filesystems should be restricted to groups of users or machines.
• Communications software (NFS, LanManager, RAS, PPP, UUCP, Workgroups, ...) should be correctly installed with security options enabled.

* TCSEC (DoD Orange Book) divisions: D: minimal, C: discretionary, B: mandatory, A: mandatory & verified

Page 25

4. Data Classification

4.3 Classification Example

(2) Confidential - Orange Book C1 (Discretionary Security Protection). C1 is used for co-operating users working with data of the same sensitivity level.
• Documentation: test documentation, security design philosophy, security features user's guide (description of the security mechanisms from the user's point of view), trusted facility manual (i.e. security administration guide).
• Assurance: system architecture (does the TCB run in protected mode?). Functions should exist for checking hardware and firmware integrity. Have the security mechanisms been successfully tested?
• User identification and authentication are required, along with protection of the authentication data.
• Discretionary access control: access is controlled between named users (or user groups) and named objects.

* TCSEC (DoD Orange Book) divisions: D: minimal, C: discretionary, B: mandatory, A: mandatory & verified


4. Data Classification
4.3 Classification Example

(3) Secret: Orange book C2 + secure data transmission.

• C2 (Controlled Access Protection): as C1 plus additional requirements for: trusted facility manual (describe C2 mechanisms), identification & authorisation (no group accounts may exist), discretionary access control (control assignment of privileges) and security testing (test C2 mechanisms).
• User accountability: users are accountable for their actions. Audit trails should be available with monitoring and alert functions. Audit logs should be protected.
• Object re-use: objects used by a subject should be reinitialised before use by another subject, i.e. it should not be possible to compromise security by reuse of objects.
• Secure data transmission: when sending messages or when programs communicate with each other, privacy and completeness (i.e. confidentiality and integrity) must be maintained. For certain applications it may also be necessary that the receiver be absolutely sure that the information comes from the sender and not someone else. This is called non-repudiation of origin. It may also be required that the sender must be sure that the message was received by the intended receiver: non-repudiation of receipt.

* D: minimal, C: Discretionary, B: Mandatory, A: Mandatory & Verified – TCSEC DOD Orange book


4. Data Classification
4.3 Classification Example

(4) Top Secret: Orange book B1 + secure data transmission.

• B1 (Labelled Security Protection): as in C2 plus additional requirements for identification & authentication (maintain security compartment information), trusted facility manual (B1 mechanisms & how to change security compartment), design manual (description of the security model & mechanisms), assurance (system architecture: process isolation, integrity checking; security testing: try penetration attacks & remove flaws) and auditing (log security levels of objects).
• Labels: maintain sensitivity labels under control of the TCB, input/output of labelled information, label integrity (linked to objects), label human-readable output, single & multi-level I/O.
• Verification of specification & design: does the system behave according to the Design Manual?
• Exporting of labelled information, exporting to multilevel and single-level devices.
• Mandatory access control: access control for objects & subjects is specified by the TCB (i.e. not the user).
• Not part of B1 are covert channels and trusted path analysis. They may be necessary for some systems. Class B2 includes these and other further requirements.
• Secure data transmission: as (3).

* D: minimal, C: Discretionary, B: Mandatory, A: Mandatory & Verified – TCSEC DOD Orange book


4. Data Classification
4.3 Classification Example

Title | Detail | Orange Book Reference / Data Sensitivity Class (D, C1, C2, B1)
Documentation | Test documentation; design documentation, security features user manual, trusted facility manual | + + +
Assurance | System architecture verification; hardware/firmware integrity checking; security testing (test for loopholes) | + + +
Accountability | User identification / authorisation | + + +
 | Audit trail (Beweissicherung) | + +
Access control | Discretionary access control | + +
 | Object reuse: reinitialisation of objects | + =
Labels | Labels, integrity, human-readable output | +
Verification | Specification and design verification | +
Exporting | Exporting of labelled information to multilevel & single-level devices | +

Requirements in addition to the Orange book:
Secure data exchange | Peer entity authentication | + + =
 | Data integrity | + =
 | Data confidentiality | + =
 | Data origin authentication / non-repudiation of origin | + +
 | Non-repudiation of receipt | + +
 | Access control | +

Legend: + means as previous class with additional requirements; = means same requirements as previous class.


4. Data Classification
4.3 Classification Example

• In MAC systems, every subject and object in a system has a sensitivity label and a set of categories: classification [category]
  – Top Secret [CEO, CFO, Board Members]
  – Confidential [Internal employees, auditors]
• The function of categories is that even someone with the highest classification isn't automatically cleared to see all information at that level. This supports the concept of need to know.

* From Rothke's material
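The label-plus-category rule above can be checked mechanically. The following is an added example (not code from the slides or from Rothke's material): the level ordering, the `Label` type and the `dominates`, `can_read`, `can_write` and `explain` functions are all constructed here for illustration. A clearance dominates an object's label only when its level is at least as high and it carries every category on the object, which is exactly why the highest level alone does not grant access.

```python
"""Mandatory access control check: sensitivity level plus categories.

Added example, not from the lecture slides or Rothke's material. The level
ordering and the labels below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Sensitivity levels in ascending order (constructed; the slides name only
# Top Secret and Confidential).
LEVELS = {"Public": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """A sensitivity label: classification level plus a set of categories."""
    level: str
    categories: FrozenSet[str] = frozenset()


def dominates(a: Label, b: Label) -> bool:
    """True when label a dominates label b: a's level is at least b's level
    AND a's categories include all of b's categories (need to know)."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.categories >= b.categories


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): the subject's clearance must
    dominate the object's label."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object's label must dominate the
    subject's clearance, so data cannot flow to a lower or narrower label."""
    return dominates(obj, subject)


def explain(subject: Label, obj: Label) -> str:
    """Human-readable reason for a read decision, suitable for an audit log."""
    if LEVELS[subject.level] < LEVELS[obj.level]:
        return "denied: clearance level below object level"
    missing = obj.categories - subject.categories
    if missing:
        return "denied: missing categories " + ", ".join(sorted(missing))
    return "allowed"


if __name__ == "__main__":
    # Constructed subjects and objects using the slide's category names.
    board_member = Label("Top Secret", frozenset({"Board Members"}))
    cfo_report = Label("Top Secret", frozenset({"CFO"}))
    audit_memo = Label("Confidential", frozenset({"Internal employees", "auditors"}))
    print(explain(board_member, cfo_report))  # Top Secret clearance, but wrong category
    print(explain(board_member, audit_memo))  # higher level, still lacks the categories
```

The second call in the demonstration is the slide's point: a Top Secret clearance without the `auditors` category is refused a Confidential document, because category dominance, not level, carries need to know.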


4. Data Classification
4.4 Classification Criteria

• Value
• Age/Useful Life
• Authorization
• Custody
• Reproduction
• Logging
• Marking & Labelling

* From Chris's material


4. Data Classification
4.5 Misc Issues

• In a commercial setting, responsibility for assigning data classification labels is on the person who created or updated the information.
• With the exception of general business correspondence, all externally-provided information which is not public in nature must have a data classification system label.
• All tape reels, floppy disks and other computer storage media containing secret, confidential, or private information must be externally labelled with the appropriate sensitivity classification.
• Holders of sensitive information must take appropriate steps to ensure that these materials are not available to unauthorized persons.

* From Rothke's material


5. Data / Information
5.1 Data vs. Information

• Data are physical phenomena chosen by convention to represent certain aspects of our conceptual and real world. The meanings we assign to data are called information. Data are used to transmit and store information and to derive new information by manipulating the data according to formal rules.
• Controlling access to information can be elusive and may have to be replaced by controlling access to data.
• If there is a close link between information and the corresponding data, the two approaches may give very similar results. However, this is not always the case.

* From Sungkwon's material


5. Data / Information
5.2 Data/Information Problems

• Covert channel: response time or memory usage is used to signal information.
• Inference problem: combinations of statistical queries give information on individual entries.
• Data aggregation: occurs when smaller pieces of information are assembled together to provide the 'big picture', through data collection techniques.
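The inference problem is easiest to see on a concrete statistics table, and the usual first defence, a minimum query-set size, is a one-line check. The block below is an added example (not from the slides): the `staff` table, its rows and the `MIN_QUERY_SET` threshold are constructed for illustration, and the function names are mine. Two aggregates that are each permitted on their own differ by exactly one person's salary; the guarded version refuses any aggregate to which fewer than `MIN_QUERY_SET` rows contribute.

```python
"""Inference via combined statistical queries, and a query-set-size control.

Added example, not from the lecture slides. The staff table is constructed
sample data; MIN_QUERY_SET is an assumed policy value.
"""
import sqlite3

# Constructed sample rows: (name, department, salary).
STAFF = [
    ("alice", "eng", 100),
    ("bob", "eng", 120),
    ("carol", "eng", 90),
    ("dave", "ops", 80),
]

# Assumed policy: answer an aggregate only if it covers at least this many rows.
MIN_QUERY_SET = 3


def build_db() -> sqlite3.Connection:
    """In-memory database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)", STAFF)
    return conn


def dept_sum(conn, dept, exclude_name=None):
    """Unguarded aggregate: SUM(salary) over a department, optionally
    excluding one named person. Each query alone looks harmless."""
    if exclude_name is None:
        row = conn.execute("SELECT SUM(salary) FROM staff WHERE dept = ?", (dept,)).fetchone()
    else:
        row = conn.execute(
            "SELECT SUM(salary) FROM staff WHERE dept = ? AND name <> ?",
            (dept, exclude_name),
        ).fetchone()
    return row[0]


def infer_salary(conn, dept, name):
    """The inference problem: the difference of two permitted aggregates is
    exactly one individual's value."""
    return dept_sum(conn, dept) - dept_sum(conn, dept, exclude_name=name)


def guarded_dept_sum(conn, dept, exclude_name=None):
    """Same aggregate with a query-set-size control: refuse to answer when
    fewer than MIN_QUERY_SET rows contribute, so the subtraction above has
    nothing to work with. Returns None when the query is refused."""
    if exclude_name is None:
        count = conn.execute("SELECT COUNT(*) FROM staff WHERE dept = ?", (dept,)).fetchone()[0]
    else:
        count = conn.execute(
            "SELECT COUNT(*) FROM staff WHERE dept = ? AND name <> ?", (dept, exclude_name)
        ).fetchone()[0]
    if count < MIN_QUERY_SET:
        return None
    return dept_sum(conn, dept, exclude_name)


if __name__ == "__main__":
    db = build_db()
    print("inferred:", infer_salary(db, "eng", "bob"))      # 120, one person's salary
    print("guarded :", guarded_dept_sum(db, "eng", "bob"))  # None: only 2 rows would contribute
```

A query-set-size threshold on its own is a weak control, since overlapping query sets can be combined to the same effect; in practice it is paired with limits on the overlap between answered queries, random-sample or noise-adding answers, and logging of who asked what.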


5. Data / Information
5.3 Responsibility

• Owner
  – Business manager or other person who is responsible for that information asset
  – Responsible for determining the sensitivity and criticality of the information
  – Periodically reviews that classification to ensure that it still meets the business needs
  – Ensures that security controls are in place commensurate with the classification
  – Reviews and ensures currency of the previously granted access rights


5. Data / Information
5.3 Responsibility

• Custodian
  – Information Systems person
  – Performs backups according to requirements established by the information owner
  – When necessary, restores lost or damaged files
• End User
  – Any employees, contractors or other users who access the information from time to time
  – Maintaining confidentiality of usernames & passwords


6. Employment policies & practices
6.1 Staffing Process

• Defining the position (job description)
  – Separation of duties
  – Least privilege: need to know
• Determining the sensitivity of the position
• Filling the position
  – Background check
• Training
  – Responsibility & duty
  – Very cost-effective

* From Sungkwon's material


6. Employment policies & practices
6.2 Background check

What a background check can potentially prevent:
– lawsuits from terminated employees
– lawsuits from 3rd parties or customers for negligent hiring
– unqualified employees
– lost business and profits
– time wasted recruiting, hiring and training
– theft, embezzlement or property damage
– money lost (to recruiters' fees, signing bonus)
– negligent hiring lawsuit
– decrease in employee morale
– workplace violence, or sexual harassment suits

* From Rothke's material


6. Employment policies & practices
6.2 Background check

• Who should be checked? Employee background checks should be performed for all sensitive positions. Information security staff in sensitive positions include those responsible for:
  – firewall administration
  – e-commerce management
  – Kerberos administrator
  – SecurID & password usage
  – PKI and certificate management
  – router administrator

* From Rothke's material


6. Employment policies & practices
6.2 Background check

• What can be checked for an applicant:
  – Credit Report
  – SSN searches
  – Workers Compensation Reports
  – Criminal Records
  – Motor Vehicle Report
  – Education Verification & Credential Confirmation
  – Reference Checks
  – Prior Employer Verification

* From Rothke's material


6. Employment policies & practices
6.3 Employment Agreement

• Non-disclosure
• Restrictions on dissemination of corporate information, i.e., to press, analysts, law enforcement

* From Rothke's material


6. Employment policies & practices
6.4 Termination

• Policies and procedures should come down from HR
• Should address:
  – how to handle the employee's departure
  – shutting down accounts
  – forwarding e-mail and voice-mail
  – lock and combination changes
  – system password changes

* From Rothke's material


6. Employment policies & practices
6.5 Separation of duty

• The principle of separation of duties is that an organization should carefully separate duties, so that people involved in checking for inappropriate use are not also capable of making such inappropriate use.
• No person should be responsible for completing a task involving sensitive, valuable or critical information from beginning to end. Likewise, a single person must not be responsible for approving their own work.

* From Rothke's material


6. Employment policies & practices
6.5 Separation of duty

* From CISA Review

[Figure: separation-of-duties matrix over the roles SP, SA, AP, Data Entry, Operator, DBA, Security administrator, Tape Librarian and QA; the cell marks (X, *) did not survive extraction.]
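The two rules on the previous slide (no one both performs and checks a sensitive task; no one approves their own work) are what a role-assignment review automates. The following is an added example, not code from the slides or the CISA Review: the role names follow the slide, but the `INCOMPATIBLE` pairs are constructed for illustration and are not the CISA matrix's entries, and the function names are mine.

```python
"""Separation-of-duties checks: incompatible role pairs and self-approval.

Added example, not from the lecture slides or the CISA Review matrix. The
incompatible pairs below are constructed for illustration only.
"""
from itertools import combinations

# Roles named on the slide (SP, SA, AP abbreviations kept as given).
ROLES = ["SP", "SA", "AP", "Data Entry", "Operator", "DBA", "Security", "Tape Librarian", "QA"]

# Constructed example of role pairs one person should not hold together: each
# pair puts "doing" and "checking" (or "building" and "running") in one hand.
INCOMPATIBLE = {
    frozenset({"AP", "Operator"}),
    frozenset({"AP", "DBA"}),
    frozenset({"AP", "QA"}),
    frozenset({"SA", "QA"}),
    frozenset({"Security", "DBA"}),
    frozenset({"Security", "Operator"}),
    frozenset({"Data Entry", "QA"}),
}


def conflicts(roles):
    """Sorted list of incompatible pairs present in one person's role set.
    Unknown role names are rejected rather than silently ignored."""
    held = set(roles)
    unknown = held - set(ROLES)
    if unknown:
        raise ValueError(f"unknown roles: {sorted(unknown)}")
    return sorted(tuple(sorted(p)) for p in combinations(held, 2) if frozenset(p) in INCOMPATIBLE)


def review_assignments(assignments):
    """Map user -> conflicts, listing only users whose roles violate the matrix."""
    return {user: c for user, roles in assignments.items() if (c := conflicts(roles))}


def approval_allowed(change):
    """No self-approval: a change's approver must differ from its submitter."""
    return change["approver"] != change["submitter"]


if __name__ == "__main__":
    # Constructed assignments to review.
    staff = {
        "kim": ["AP", "Operator"],   # developer who also runs production: conflict
        "lee": ["Security"],
        "park": ["DBA", "Security"],  # administers the data and its controls: conflict
        "choi": ["Tape Librarian"],
    }
    for user, found in review_assignments(staff).items():
        print(user, found)
    print(approval_allowed({"id": "CHG-1", "submitter": "kim", "approver": "kim"}))  # False
```

Running the review periodically (for example from the identity system's role export) catches conflicts that accumulate through transfers and temporary grants, which is where separation of duties usually erodes in practice.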


7. Policy, Standard, Guideline & procedures
7.1 Definition

• Policy: a high-level statement of beliefs, goals, and objectives and a general means for their attainment for a subject area.
• Procedure: spells out the specific steps of how the policy & supporting standards and how guidelines will be implemented. A procedure is a description of tasks that must be executed in a specific order.


7. Policy, Standard, Guideline & procedures
7.1 Definition

• Standard: a mandatory activity, action, rule or regulation designed to provide policies with the support structure and specific direction they require to be effective.
• Guideline: a more general statement of how to achieve the policies' objectives by providing a framework within which to implement procedures. Where standards are mandatory, guidelines are recommendations.


7. Policy, Standard, Guideline & procedures
7.2 Information Security Policy

• Policy is perhaps the most crucial element in a corporate information security infrastructure.
• Marcus Ranum defines a firewall as “the implementation of your Internet security policy. If you haven’t got a security policy, you haven’t got a firewall. Instead, you’ve got a thing that’s sort of doing something, but you don’t know what it’s trying to do because no one has told you what it should do”.
• Corporate computing is a complex operation. Effective policies can rectify many of the weaknesses and faults.

* From Rothke's material


7. Policy, Standard, Guideline & procedures
7.2 Information Security Policy

• Benefits:
  – Ensure systems are utilized in the manner intended
  – Ensure users understand their roles & responsibilities
  – Control legal liability

* From Rothke's material


7. Policy, Standard, Guideline & procedures
7.2 Information Security Policy

• Components of an effective policy:
  – Title
  – Purpose
  – Authorizing individual
  – Author/sponsor
  – Reference to other policies
  – Scope
  – Measurement expectations
  – Exception process
  – Accountability
  – Effective/expiration dates
  – Definitions

* From Rothke's material


7. Policy, Standard, Guideline & procedures
7.2 Information Security Policy

• How to ensure that policies are understood:
  – Jargon-free/non-technical language
  – Rather than “when creating software authentication codes, users must endeavor to use codes that do not facilitate nor submit the company to vulnerabilities in the event that external operatives break such codes”, use “passwords that are guessable should not be used”.
• Focused
• Job position independent
• No procedures, techniques or methods
  – Policy is the approach. The specific details & implementations should be in another document.
• Responsibility for adherence
  – Users must understand the magnitude & significance of the policy. “I thought this policy didn’t apply to me” should never be heard.


7. Policy, Standard, Guideline & procedures
7.2 Information Security Policy

• How should policies be disseminated?
  – New hires should get hard copies at orientation
  – Rehires should go through orientation
  – Hard copies
  – Web/corporate intranet
  – Brochures
  – Videos
  – Posters
  – e-mail/voice-mail


8. Security Management
8.1 Security Management (ISO)

• ISO/IEC TR 13335-1: Concepts and models for IT security – for IT security officers
• ISO/IEC TR 13335-2: Managing and planning IT security – for managers with IT-related responsibilities
• ISO/IEC TR 13335-3: Techniques for the management of IT security
• ISO/IEC TR 13335-4: Selection of safeguards
• ISO/IEC TR 13335-5: Application of IT security services & mechanisms: provides guidance in determining the security safeguards for external network connections

• GMIT (Guidelines for the Management of IT Security)
• ISO (the International Organization for Standardization)
• IEC (the International Electrotechnical Commission)
• JTC (Joint Technical Committee)
• Type 3: when a technical committee has collected data of a different kind from that which is normally published as an International Standard


8. Security Management
8.2 ISO/IEC TR 13335-1

• Concepts
  – IT security management requires corporate security objectives, strategies, and policies
  – Security awareness is an essential element for IT security
  – Effective security requires accountability and explicit assignment of security responsibilities
• Elements
  – Assets, threats, vulnerabilities, impact, risk and safeguards


8. Security Management
8.2 ISO/IEC TR 13335-1

• ISO/IEC TR 13335-1: IT security management processes
  – Risk management
  – Risk analysis
  – Security awareness
  – Monitoring and compliance testing


8. Security Management
8.2 ISO/IEC TR 13335-1

Relationships (figure; node and edge labels recovered from the diagram):
  – Threats exploit Vulnerabilities
  – Vulnerabilities expose Assets
  – Assets have Values
  – Threats, Vulnerabilities and Values increase Risk
  – Risk indicates Protection Requirements
  – Protection Requirements are met by Safeguards
  – Safeguards protect against Threats


8. Security Management
8.3 ISO/IEC TR 13335-2 (Managing & Planning IT Security)

ISO: Overview of the planning & management of IT security (figure; stage labels recovered from the diagram):
  – Corporate IT Security Policy
  – Organizational aspects of IT security
  – Risk Management: Corporate Risk Analysis strategy options (Baseline Approach, Informal Approach, Detailed Risk Analysis, Combined approach)
  – IT security recommendations
  – IT system security policy
  – IT security plan
  – Implementation: Safeguards, Security Awareness
  – Follow up



Policy Relationship

[Figure: policy hierarchy. Corporate Business Policy (derived from corporate objectives and strategy) at the top; beneath it the Corporate Marketing Policy, Corporate Security Policy and Corporate IT Policy; the Corporate IT Security Policy sits under the Corporate Security Policy and Corporate IT Policy; below it the Department IT Security Policy, then the IT Security Policies of Systems A, B, C…]

- Objective: what is to be achieved
- Strategy: how to achieve the objective
- Policy: the rules for achieving the objective


Policy Relationship (NSW Government Agency)

[Figure: Corporate Business Objectives & Strategies at the top; beneath them the Corporate Marketing (and other functional) Policies, Corporate Security Policy and Corporate IT Policy; then the Corporate IT Security Policy; then the Department IT Security Policy and Policies on specific security issues; finally the Specific IT System Security Policy.]


• Corporate IT security policy elements
- IT security requirements (in terms of confidentiality, integrity, availability, accountability, authenticity and reliability)
- Assignment of responsibilities
- Security in development & procurement
- Directives and procedures
- Information classification
- Risk management strategies
- Contingency planning and incident handling
- Personnel issues, including awareness and training
- Legal & regulatory obligations
- Outsourcing management


Policy Relationship (organizational roles)

[Figure: the roles and the policies they own. Corporate level: Corporate Management, IT steering Committee, IT security Forum (with IT representatives and IT user representatives), Corporate Security Officer, Corporate IT Security Officer, and the Corporate IT Security Policy & Directives. Department level: Department IT Security Officer and the Department IT Security Policy & Directives. System level: IT project or System Security Officer and the IT Project or System Security Policy.]


• IT security forum
- Advise the IT steering committee regarding strategic security planning
- Formulate a corporate IT security policy in support of the IT strategy and obtain approval from the IT steering committee
- Translate the corporate IT security policy into an IT security program
- Monitor the implementation of the IT security program
- Review the effectiveness of the corporate IT security policy
- Promote awareness of IT security issues
- Advise on the resources needed to support the planning process and the implementation of the IT security program


• Corporate IT security officer
- Acts as the focus of all IT security aspects within the organization
- Oversight of the implementation of the IT security program
- Liaison with & reporting to the IT security forum & the corporate security officer
- Maintaining the corporate IT security policy & directives
- Coordinating incident investigations
- Managing the corporate-wide awareness program
- Determining the terms of reference for IT project & system security officers

• IT project and IT system security officer
- May not be a full-time role
- Liaison with & reporting to the corporate IT security officer
- Issuing & maintaining the IT project or system security policy
- Developing & implementing the security plan
- Day-to-day monitoring of the implementation & use of IT safeguards
- Initiating & assisting in incident investigations


• Baseline approach
- Select a set of safeguards to achieve a baseline level of protection for all systems
• Advantages
- The time & effort spent on safeguard selection is reduced
- The same or similar baseline safeguards can be adopted for many systems without great effort
• Disadvantages
- The baseline can be set too high or too low
- Difficulties in managing security changes


• Informal approach
- Not based on structured methods; exploits the knowledge and experience of individuals
• Advantages
- No additional skills need to be learnt to do this analysis
- Quicker than a detailed analysis
• Disadvantages
- Likelihood of missing some risks
- Subjective
- Little justification for the safeguards
- Difficulties in managing security changes


• Detailed risk analysis
- Identification and valuation of assets, assessment of the level of threat, assessment of vulnerabilities
• Advantages
- The appropriate security level for each system is identified
- Effective in managing security changes
• Disadvantage
- Requires a considerable amount of time, effort and expertise


• Combined risk analysis
- Identify those systems which are at high risk or critical to business operation using a high-level risk analysis
- Based on these results, the systems are categorized: does the system require a detailed risk analysis, or is baseline protection sufficient?
- In most circumstances this option offers the most cost-effective approach and is a highly recommended risk analysis option
• Disadvantage
- If the high-level risk analysis leads to inaccurate results, …

[Figure (overview repeated): the Safeguards stage expanded into Safeguard selection and Risk Acceptance.]


• Safeguard selection
- Safeguards are those which prevent, reduce, monitor, detect or correct unwanted incidents and recover from them
- Types: hardware (backup, keys), software (electronic signatures, logging), communications (firewalls, encryption), physical (fences, badges), personnel, administrative
- For new systems, include a security architecture
- Ensure effective operation
- Changes require an awareness program, change management and configuration management

• Risk acceptance
- Identify and assess the residual risk
- Classify the residual risks into "acceptable" and "unacceptable" for the organization
- If an "unacceptable" risk cannot be tolerated, select additional safeguards limiting the risk


• IT system security policy
- Should be based on the corporate and departmental security policies
- Comprises a set of principles and rules for the protection of systems and services
- The policy must be implemented by applying appropriate safeguards to the system and services, to ensure that an adequate level of protection is achieved
- Key issues:
  - definition of the IT system under consideration and its boundary
  - definition of the business objectives to be achieved with the system
  - potential adverse business impacts
  - level of investment in IT
  - significant threats, vulnerabilities and security safeguards
  - cost of safeguards


• IT system security plan
- A document which defines the coordinated actions to be undertaken to implement an IT system security policy
- Should contain the primary actions to be undertaken in the short, medium and long range, the associated costs, and an implementation time schedule
- Contents:
  - an overall security architecture and design
  - a short review of the IT system
  - an identification of the safeguards and the confidence in them
  - identification and definition of the actions to implement the safeguards
  - a detailed work plan for the implementation of the safeguards
  - project control activities
  - the security awareness and training requirements
  - requirements for the development of security operating procedures


• Implementation of safeguards
- Responsibility: IT system security officer
- Ensure that the cost of the safeguards stays within the approved range, that they are correctly implemented, and that they operate as required by the IT security plan
- Requires operational and administrative procedures
- Security training and awareness
- Approval process (accreditation): the formal process of approving the implementation of the safeguards specified in the IT system security plan. Approval gives the authorization for the IT system or service to be put into operation.


• Security awareness
- Should be implemented at all levels of the organization
- Should pass on knowledge of the corporate IT security policy and ensure a complete understanding of the security guidelines and the appropriate actions
- Should cover the objectives of the corporate security plan
- Should be repeated periodically
- The aim of an awareness program: make people understand that significant IT system risks exist and that their consequences can be major

[Figure (overview repeated): the Follow up stage expanded into Maintenance, Security Compliance, Monitoring and Incident Handling.]


• Maintenance of safeguards
- Resource allocation for maintenance
- Periodic re-validation
- Upgrades
- Responsibility
- Hardware and software changes affect existing safeguards
- Advances in technology

• Security compliance (security audit, security review)
- Carried out by external or internal personnel
- Use of checklists relating to the IT project or system security policy
- Spot checks


• Monitoring
- What has been achieved against the targets and deadlines set out
- Whether or not the achievements are satisfactory, and where specific initiatives did or did not work
- Logs

• Incident handling
- Provides the ability to react to accidental or deliberate disruption of normal IT system operation
- Objectives: to react to an incident in a sensible and effective manner, and to learn from the incident so that similar adverse events may be precluded in future
- Documentation: who, what time, …


8.4 ISO/IEC TR 13335-3 (Techniques for the Management of IT Security)

• Techniques for
- Assessing the IT security objectives, strategy and policies
- Deciding on the corporate risk analysis options
- Carrying out the combined approach
- Implementing the IT security plan
- Carrying out the follow-up procedures


[Figure: Management of IT security (ISO/IEC TR 13335-3). IT Security Objectives and Strategy → IT Security Policy → Corporate Risk Analysis Strategy Options (Baseline Approach, Informal Approach, Detailed Risk Analysis, Combined Approach) → Combined Approach: High Level Risk Analysis, then Detailed Risk Analysis or Baseline Approach → Selection of Safeguards, Risk Acceptance → IT System Security Policy → IT Security Plan → Implementation of the IT Security Plan (Safeguards, Accreditation, Awareness, Training) → Follow up (Maintenance, Security Compliance Checking, Change Management, Monitoring, Incident Handling).]


8.5 ISO/IEC TR 13335-4 (Selection of safeguards)

• Guidance on the selection of
- Safeguards according to the type and characteristics of the IT system
- Safeguards according to assessments of security concerns and threats
- Safeguards according to the results of a risk analysis review
• References to safeguard manuals
• Establishment of an organization-wide baseline


• Baseline security
- The minimum level of security defined by the organization for a set of IT systems. This level of baseline security is achieved by implementing a minimum set of safeguards known as baseline controls
- Selection of safeguards for one or more IT systems according to safeguard catalogues
- A "baseline" for the whole organization can be set at a minimum level (always fulfilled) or at a medium level (deviation upwards or downwards possible)


[Figure: ISO selection of baseline safeguards for an IT system. Basic assessment: identification of the IT system, identification of environmental conditions, assessment of existing safeguards. Then, depending on the type of assessment chosen, either (a) selection of baseline safeguards according to the IT system type, or (b) selection of baseline safeguards according to security requirements and concerns, preceded by an assessment of the security requirements. In both branches the system types distinguished are: stand-alone workstation; workstation connected to an internal network; server connected to an internal network; workstation connected to an external network; server connected to an external network; workstation connected to an internal & an external network; server connected to an internal & an external network.]


9. Risk Management
9.1 Risk Management

• Risk management
- Risk identification
- Risk analysis (qualitative, quantitative)
- Risk response planning
- Risk monitoring and control
• Risk assessment
- Impact
- Likelihood / probability


9.2 Risk Assessment Method

• Qualitative
- The process of assessing the impact and likelihood of identified risks
- Prioritizes risks according to their potential effect
- Judgment and intuition
- Delphi technique


• Qualitative: pros
- Calculations are simple and readily understood and executed
- Not necessary to determine quantitative threat frequency & impact data
- Not necessary to estimate the cost of recommended risk mitigation measures & calculate cost/benefit
- A general indication of the significant areas of risk that should be addressed is provided

• Qualitative: cons
- Risk assessment & results are essentially subjective in both process & metrics; the use of independently objective metrics is eschewed
- No effort is made to develop an objective monetary basis for the value of the targeted information assets
- No basis is provided for cost/benefit analysis of risk mitigation measures, only a subjective indication of a problem
- It is not possible to track risk management performance objectively when all measures are subjective


• Quantitative
- The process of numerically analyzing the probability of each risk and its consequences, as well as the extent of the overall risk
• Methods
- ALE (Annual Loss Expectancy) = estimated impact ($) × estimated frequency per year
- Scoring: weighted risk score = weight factor × risk level
- NPV = PV(Benefits) − PV(Costs)
- BCR (benefit-cost ratio) = PV(Benefits) / PV(Costs)
- IRR
- Decision tree


• Quantitative: pros
- Assessment & results are based substantially on independently objective processes & metrics; thus meaningful statistical analysis is supported
- The value of information (availability, confidentiality & integrity), as expressed in monetary terms with supporting rationale, is better understood; thus the basis for expected loss is better understood
- A credible basis for cost/benefit assessment of risk mitigation measures is provided; thus information security budget decision-making is supported

• Quantitative: cons
- Calculations are complex; if they are not understood or effectively explained, management may mistrust the results of "black box" calculations
- A substantial amount of information about the target information & its IT environment must be gathered
- There is not yet a standard, independently developed & maintained threat population & frequency knowledge base; thus users must rely on the credibility of the vendors who develop & support the automated tools, or perform the research themselves
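An added worked example, not part of the slides, putting the quantitative formulas of 9.2 into code: ALE as estimated impact × estimated frequency per year, the yearly benefit of a safeguard as the ALE it removes, and the NPV, BCR and IRR of that safeguard over a planning horizon. The scenario figures (a $200,000 single-loss impact at 0.25 incidents per year, a safeguard costing $30,000 up front plus $12,000 per year, an 8% discount rate and a three-year horizon) are constructed for illustration.

```python
"""Quantitative risk assessment helpers: ALE, safeguard cost/benefit, NPV, BCR and IRR.

Added illustration; the scenario numbers are constructed, not taken from the slides.
"""
from dataclasses import dataclass
from typing import Dict, Sequence


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float  # single loss expectancy: estimated impact of one incident, in $
    aro: float  # annualized rate of occurrence: estimated incidents per year


def ale(t: Threat) -> float:
    """Annual Loss Expectancy = estimated impact ($) x estimated frequency per year."""
    return t.sle * t.aro


def annual_safeguard_benefit(before: Threat, after: Threat) -> float:
    """Yearly value of a safeguard: the ALE it removes (ALE before minus ALE after)."""
    return ale(before) - ale(after)


def present_value(flows: Sequence[float], rate: float) -> float:
    """PV of yearly cash flows; flows[0] falls at t=0 and is not discounted."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(flows))


def npv(benefits: Sequence[float], costs: Sequence[float], rate: float) -> float:
    """NPV = PV(benefits) - PV(costs)."""
    return present_value(benefits, rate) - present_value(costs, rate)


def bcr(benefits: Sequence[float], costs: Sequence[float], rate: float) -> float:
    """Benefit-cost ratio = PV(benefits) / PV(costs)."""
    return present_value(benefits, rate) / present_value(costs, rate)


def irr(benefits: Sequence[float], costs: Sequence[float],
        lo: float = -0.99, hi: float = 10.0, tol: float = 1e-9) -> float:
    """Internal rate of return: the discount rate at which the NPV of (benefits - costs) is zero.

    Found by bisection, so the net flows must change sign exactly once in [lo, hi]
    (true for the usual 'pay now, benefit later' safeguard profile).
    """
    net = [b - c for b, c in zip(benefits, costs)]
    f_lo, f_hi = present_value(net, lo), present_value(net, hi)
    if f_lo * f_hi > 0:
        raise ValueError("NPV does not change sign in the bracket; IRR undefined here")
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = present_value(net, mid)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def worked_example(rate: float = 0.08, horizon_years: int = 3) -> Dict[str, float]:
    """Constructed scenario: data loss on a file server, before and after backups + EDR."""
    before = Threat("file server data loss", sle=200_000.0, aro=0.25)
    # the safeguard both shrinks the impact (restore from backup) and the frequency
    after = Threat("file server data loss (with safeguard)", sle=40_000.0, aro=0.20)
    yearly_benefit = annual_safeguard_benefit(before, after)
    benefits = [0.0] + [yearly_benefit] * horizon_years  # no benefit in the purchase year
    costs = [30_000.0] + [12_000.0] * horizon_years      # capex at t=0, then yearly opex
    return {
        "ale_before": ale(before),
        "ale_after": ale(after),
        "annual_benefit": yearly_benefit,
        "npv": npv(benefits, costs, rate),
        "bcr": bcr(benefits, costs, rate),
        "irr": irr(benefits, costs),
    }


if __name__ == "__main__":
    for k, v in worked_example().items():
        print(f"{k:>15}: {v:,.4f}")
```

With these numbers the safeguard removes $42,000 of ALE per year against $30,000 up front and $12,000 a year; over three years at 8% its NPV is about $47,313 and its BCR about 1.78, so the spend is justified on the deck's own cost/benefit criterion. The IRR routine is bisection, which is enough for a single safeguard decision but only valid when the net flows change sign once.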

9.3 Risk Assessment Elements

[Figure: relationships among the risk assessment elements Assets, Values, Protection Requirements, Threats, Vulnerabilities, Safeguards and Risk. Edge labels on the diagram: Assets "have" Values; Values "indicate" Protection Requirements; Protection Requirements are "met by" Safeguards; Safeguards "protect against" Threats; Threats "exploit" Vulnerabilities; Vulnerabilities "expose" Assets; Threats, Vulnerabilities and Values each "increase" Risk.]

[Figure: Asset, Control (safeguard), Threat and Vulnerability. Annotations: a control covers a threat; a threat circumvents a control; an unreliable control over a threat is itself a vulnerability.]

9.4 Risk Management Process

[Figure: ISO risk management process involving detailed risk analysis. Steps: Establishment of Review Boundary; Identification/Review of constraints; Identification of Assets; Valuation of assets and establishment of dependencies between assets; Threat Assessment, Assessment of Vulnerabilities and Identification of existing/planned safeguards; Assessment of Risks (the Risk Analysis stage); Selection of safeguards; Risk Acceptance (Yes / No); IT System security policy; IT security plan.]

9.5 Establishment of Review Boundary

• Boundary description
  - IT assets (HW, SW, information…)
  - People (staff, subcontractors…)
  - Environment (buildings, facilities…)
  - Activities (operations…)

9.6 Asset Identification

9.7 Asset Valuation


• Should be done for each asset (or group of assets)
• Represents the importance of the asset
• Give a separate value each for confidentiality, integrity, and availability
• Qualitative or quantitative
• Methods
  - Delphi method
  - Scale (1–10) rank
  - Logarithmic scale ($100 → 2, $1 million → 6)
  - negligible / low / medium / high / very high

[Figure: questions surrounding "Asset Value?": Loss period? Asset age? How lost? Who values?]

9.8 Threat Assessment


• A threat: some action or event that can lead to a loss; a possible source of harm for the IT system.

Source of threat: examples of threat types
(1) Nature / Act of God: earthquake, flood, fire, gases…
(2) HW suppliers: unreliable, ineffective, incompatible HW; improper maintenance…
(3) SW suppliers: erroneous, ineffective SW; improper maintenance…
(4) Contractors: erroneous, ineffective SW; untimely provision of services…
(5) Competitors: sabotage, lawsuits, espionage
(6) Debt and equity holders: financial distress through foreclosure on claims
(7) Unions: strike, sabotage
(8) Governments: financial distress through regulation
(9) Environmentalists
(10) Hackers: theft, espionage


9.9 Vulnerability Assessment


• Vulnerability
  – A weakness which allows a threat to occur
  – A vulnerability in itself does not cause harm
• Examples
  – Unprotected connections
  – Untrained users
  – Wrong selection of passwords
  – Lack of access control
  – No backup copies
• Output
  – A list of vulnerabilities and an assessment of the ease of exploitation, e.g. on a scale of high, medium, low.


9.10 Identifying Existing Safeguards (Controls)


• Existing safeguards (controls)
  – They can reduce threats and/or vulnerabilities
  – They can be vulnerabilities themselves if they are not functioning or not used correctly
  – All future safeguards should be compatible with the existing ones
  – This identification includes safeguards which are planned but not yet implemented
• Output
  – A list of all existing & planned safeguards, and their implementation and use status.


9.11 Assessment of Risk


• Risk = f(value of assets, likelihood of threats, ease of exploitation of the vulnerabilities by the threat, existing safeguards)
• Output
  – A list of measured risks for each of the impacts of disclosure, modification, non-availability, and destruction, for each of the assets of the considered IT system.
• The measure of risk
  – Helps identify which risks should be dealt with first when selecting safeguards.
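As an added example, not from the original slides, one way to turn the risk function above into the ranked list of measured risks per asset and impact type that the Output bullet describes. It folds in the logarithmic asset value scale from 9.7 and the point from 9.10 that a non-functioning safeguard gives no protection; the additive score, the 0..2 likelihood and ease scales, and all sample assets, threats and safeguards are constructed assumptions (the slides prescribe no particular scale):

```python
"""Measuring and ranking risk per asset and impact type (section 9.11).
Added example, not from the original slides: the additive score and the 0..2
likelihood/ease scales are assumptions for illustration; data are constructed."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Each impact type draws on one of the C/I/A values given per asset (9.7).
IMPACT_TO_VALUE = {"disclosure": "C", "modification": "I",
                   "non-availability": "A", "destruction": "A"}

def log_value_level(dollars: float) -> int:
    """Logarithmic asset value scale from 9.7: $100 -> 2, $1,000,000 -> 6."""
    return 0 if dollars < 1 else int(round(math.log10(dollars)))

@dataclass
class Asset:
    name: str
    cia_dollars: Dict[str, float]        # loss value in $ for "C", "I", "A"

@dataclass
class Safeguard:
    name: str
    reduces_ease_by: int                 # levels of ease of exploitation removed
    functioning: bool = True             # 9.10: a broken safeguard earns no credit

@dataclass
class Threat:
    name: str
    likelihood: int                      # 0 rare .. 2 likely (assumed scale)
    ease: int                            # 0 hard .. 2 easy to exploit (assumed scale)
    impacts: Tuple[str, ...]             # subset of IMPACT_TO_VALUE keys
    safeguards: List[Safeguard] = field(default_factory=list)

def residual_ease(threat: Threat) -> int:
    """Ease of exploitation after credit for the safeguards that actually work."""
    credit = sum(s.reduces_ease_by for s in threat.safeguards if s.functioning)
    return max(0, threat.ease - credit)

def measure_risk(asset: Asset, threat: Threat, impact: str) -> int:
    """Risk = f(asset value, threat likelihood, ease of exploitation, safeguards)."""
    value_level = log_value_level(asset.cia_dollars[IMPACT_TO_VALUE[impact]])
    return value_level + threat.likelihood + residual_ease(threat)

def assess(pairs: List[Tuple[Asset, Threat]]) -> List[Tuple[int, str, str, str]]:
    """(risk, asset, threat, impact) rows, highest first: the order in which
    safeguards should be selected."""
    rows = [(measure_risk(a, t, imp), a.name, t.name, imp)
            for a, t in pairs for imp in t.impacts]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2], r[3]))

def sample_assessment() -> List[Tuple[int, str, str, str]]:
    """Constructed IT system: a customer database and a public web site."""
    db = Asset("customer DB", {"C": 1_000_000, "I": 100_000, "A": 10_000})
    web = Asset("public web site", {"C": 100, "I": 10_000, "A": 10_000})
    firewall = Safeguard("firewall", reduces_ease_by=1)
    backups = Safeguard("backup copies", reduces_ease_by=2, functioning=False)
    theft = Threat("hacker theft", 2, 2, ("disclosure",), [firewall])
    fire = Threat("fire", 0, 2, ("destruction",), [backups])     # backups broken
    deface = Threat("hacker defacement", 2, 1, ("modification",))
    return assess([(db, theft), (db, fire), (web, deface)])
```

The non-functioning backup earns no credit, so the fire risk to the database keeps its full ease-of-exploitation level; marking it functioning drops that row by two levels, which is the kind of change the safeguard identification step in 9.10 is meant to surface.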

9.12 Selection of Safeguards


• Identification of safeguards
  - Avoid risk, transfer risk, reduce the threat, reduce the vulnerability, reduce the possible impact, detect unwanted events, react to and recover from them
  - The cost factor
  - A balance of operational (physical, personnel, administrative) and technical (HW, SW, communication) safeguards

9.13 Risk Acceptance

9.14 IT System Security Policy & Plan

10. Security Awareness

10.1 Security Awareness

• Must be driven from the top down
• Must be comprehensive, all the way down to the floppy disks & hard copies
• Education
  – Hard copies
  – Web-based
  – Training & education

10.2 Security Awareness Program

• The security awareness program is intended to
  – Indoctrinate system users and support personnel
  – Tell them what they are expected to do, why, and the possible repercussions to the company
  – Specify the security requirements, including: mode of operation, access requirements, information handling, reporting procedures, unauthorized actions
  – Conduct periodic reviews of the information
• The program must effectively communicate the organization's information security requirements and motivate employees and other users to comply with the requirements

10.3 Security Awareness Training

• Appropriate topics for security awareness training
  – Policy, procedure and standard
  – Error, accident and omission
  – Physical and environmental hazards
  – Information warfare
  – Malicious code/logic
  – Intrusion