Look inside the attached file
Task
Write between 600 and 800 words for each of the short-essay questions, no more than two (2) pages per question. All questions are of equal value. You should provide credible references for each question according to the Faculty of Business guidelines.
However, it is expected that answers to questions be succinct (i.e. precise and concise) with all sources of information fully referenced as per APA referencing style. See the CSU guide to APA at http://www.csu.edu.au/division/studserv/learning/referencing/index.htm
Question 1 – (5 marks)
The extended characteristics of the principles of information security management are known as the six Ps – planning, policy, programs, protection, people, and project management. Discuss each and provide an example of how these principles could possibly apply in today's fast-changing organisations.
Question 2 – (5 marks)
Describe top-down strategic planning. How does it differ from bottom-up strategic planning? Which is usually more effective in implementing security in a large, diverse organisation?
Question 3 – (5 marks)
Discuss the purposes of unified continuity plan in information security management. Which types of organisation might use the various contingency planning components as separate plans? Why?
Question 4 – (5 marks)
List and describe the three approaches to policy development presented in chapter 5. In your opinion, which is best suited for use by a smaller organisation, and why? If the target organisation is very much larger, which approach would be superior, and why?
Question 5 – (5 marks)
a) How does training differ from education? Which is provided to the broader audience with regard to information security?
b) Establish a list of priorities when developing a security awareness program.
Question 6 – (5 marks)
Search the Internet for the term security best practices. Compare your findings to the recommended practices outlined in the NIST documents.
Question 7 – (5 marks)
a) Describe the types of measures used in information security management measurement programs.
b) Describe the recommended process for developing and implementing an information security measurement program.
Question 8 – (5 marks)
Using the data classification scheme presented in chapter 8, identify and classify the information contained on your personal computer or personal digital assistant. Based on the potential for misuse or embarrassment, what information is confidential, sensitive but unclassified, or suitable for public release?
Question 9 – (5 marks)
Using the Web, research the costs associated with the following items when implemented by a firm with 1000 employees and 50 servers (including virtual servers).
• Managed antivirus software (not open source) licenses for 500 workstations
• Cisco firewall (PIX and ASA or similar firewall devices)
• Tripwire host-based IDS for 10 servers
• Java programming continuing education training program for 10 employees
• Checkpoint Firewall solutions.
Question 10 – (5 marks)
Explain the key differences between symmetric and asymmetric encryption. Provide one software utility used in each encryption method. Which encryption method can a computer process faster? Which lowers the cost associated with key management?
Rationale for questions 1 to 5
The rationale for this assignment is for you to demonstrate your understanding of:
• planning, policy, programs, protection, people, and project management in information security context;
• the difference between top-down and bottom-up security planning in diverse organisations;
• unified continuity plan and usage in information security management;
• information security policy development steps and procedures;
• training and education programs and their purposes in information security;
• how to develop a security awareness program.
Rationale for questions 6 to 10
This assessment item is designed to test your knowledge and understanding of some of the key ICT management and information security topics and issues.
Marking criteria
Marks will be awarded on the basis of the following:
• how well you can describe technical terms in a formal way;
• including relevant diagrams;
• completeness of your descriptions;
• providing appropriate references;
• logical flow of discussion;
• spelling, grammar and English expression;
• the degree to which you demonstrate your understanding of facts, principles and concepts (Value: 70%);
• grammar and presentation (Value: 20%);
• referencing (Value: 10%).
ITC358
ICT Management and Information Security
Chapter 1
Introduction to the Management of Information Security
If this is the information superhighway, it’s going through a lot of bad, bad neighborhoods. – Dorian Berger
1
Objectives
Upon completion of this material, you should be able to:
Describe the importance of the manager’s role in securing an organisation’s use of information technology, and understand who is responsible for protecting an organisation’s information assets
Enumerate and discuss the key characteristics of information security
Enumerate and define the key characteristics of leadership and management
Differentiate information security management from general management
2
Introduction
Information technology
The vehicle that stores and transports information from one business unit to another
The vehicle can break down
The concept of computer security has been replaced by the concept of information security
Covers a broad range of issues
From protection of data to protection of human resources
Information security is no longer the sole responsibility of a discrete group of people in the company
It is the responsibility of every employee, especially managers
3
Introduction (cont’d.)
Information security decisions should involve three distinct groups of decision makers (communities of interest)
Information security managers and professionals
Information technology managers and professionals
Non-technical business managers and professionals
4
Introduction (cont’d.)
InfoSec community
Protects the organisation’s information assets from the threats they face.
IT community
Supports the business objectives of the organisation by supplying and supporting information technology appropriate to the business needs
Non-technical general business community
Articulates and communicates organisational policy and objectives and allocates resources to the other groups
5
What Is Security?
Definitions
Security is defined as “the quality or state of being secure – to be free from danger”
Security is often achieved by means of several strategies undertaken simultaneously or used in combination with one another
Specialised areas of security
Physical security, operations security, communications security, and network security
6
What Is Security? (cont’d.)
Information security
The protection of information and its critical elements (confidentiality, integrity and availability), including the systems and hardware that use, store, and transmit that information
Through the application of policy, technology, and training and awareness programs
Policy, training and awareness programs and technology are vital concepts
7
CNSS Security Model
Figure 1-1 Components of Information security
Source: Course Technology/Cengage Learning
8
CNSS Security Model (cont’d.)
C.I.A. triangle
Confidentiality, integrity, and availability
Has expanded into a more comprehensive list of critical characteristics of information
NSTISSC (CNSS) Security Model
Also known as the McCumber Cube
Provides a more detailed perspective on security
Covers the three dimensions of information security
9
CNSS Security Model (cont’d.)
NSTISSC Security Model (cont’d.)
Omits discussion of detailed guidelines and policies that direct the implementation of controls
Weakness of this model emerges if viewed from a single perspective
Need to include all three communities of interest
10
CNSS Security Model (cont’d.)
Figure 1-2 CNSS security Model
Source: Course Technology/Cengage Learning (adapted from NSTISSI No. 4011)
11
Key Concepts of Information Security
Confidentiality
The characteristic of information whereby only those with sufficient privileges may access certain information
Measures used to protect confidentiality
Information classification
Secure document storage
Application of general security policies
Education of information custodians and end users
12
Key Concepts of Information Security (cont’d.)
Integrity
The quality or state of being whole, complete, and uncorrupted
Information integrity is threatened
If exposed to corruption, damage, destruction, or other disruption of its authentic state
Corruption can occur while information is being compiled, stored, or transmitted
13
Key Concepts of Information Security (cont’d.)
Availability
The characteristic of information that enables user access to information in a required format, without interference or obstruction
A user in this definition may be either a person or another computer system
Availability does not imply that the information is accessible to any user
Implies availability to authorised users
14
Key Concepts of Information Security (cont’d.)
Privacy
Information collected, used, and stored by an organisation is to be used only for the purposes stated to the data owner at the time it was collected
Privacy as a characteristic of information does not signify freedom from observation
Means that information will be used only in ways known to the person providing it
15
Key Concepts of Information Security (cont’d.)
Identification
An information system possesses the characteristic of identification when it is able to recognise individual users
Identification and authentication are essential to establishing the level of access or authorisation that an individual is granted
Authentication
Occurs when a control proves that a user possesses the identity that he or she claims
16
Key Concepts of Information Security (cont’d.)
Authorisation
Assures that the user has been specifically and explicitly authorised by the proper authority to access, update, or delete the contents of an information asset
User may be a person or a computer
Authorisation occurs after authentication
17
Key Concepts of Information Security (cont’d.)
Accountability
Exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process
18
What Is Management?
The process of achieving objectives using a given set of resources
Manager
Someone who works with and through other people by coordinating their work activities in order to accomplish organisational goals
19
What is Management? (cont’d.)
Managerial roles
Informational role
Collecting, processing, and using information that can affect the completion of the objective
Interpersonal role
Interacting with superiors, subordinates, outside stakeholders, and other parties that influence or are influenced by the completion of the task
Decisional role
Selecting from among alternative approaches, and resolving conflicts, dilemmas, or challenges
20
What is Management? (cont’d.)
Leaders
Influence employees to accomplish objectives
Lead by example, demonstrating personal traits that instil a desire in others to follow
Provide purpose, direction, and motivation to those that follow
Managers
Administer the resources of the organisation
Create budgets, authorise expenditures and hire employees
21
Behavioural Types of Leaders
Three basic behavioural types of leaders
Autocratic
Democratic
Laissez-faire
22
Management Characteristics
Two basic approaches to management
Traditional management theory
Uses the core principles of planning, organising, staffing, directing, and controlling (POSDC)
Popular management theory
Categorises the principles of management into planning, organising, leading, and controlling (POLC)
23
Management Characteristics (cont’d.)
Source: Course Technology/Cengage Learning (adapted from Jourdan, 2003)
Figure 1-3 The planning-controlling link
24
Management Characteristics (cont’d.)
Planning
The process that develops, creates, and implements strategies for the accomplishment of objectives
Three levels of planning
Strategic, tactical, and operational
Planning process begins with the creation of strategic plans for the entire organisation
25
Management Characteristics (cont’d.)
An organisation must thoroughly define its goals and objectives
Goals are the end results of the planning process
Objectives are intermediate points that allow you to measure progress toward the goal
26
Management Characteristics (cont’d.)
Organising
The management function dedicated to the structuring of resources to support the accomplishment of objectives
Requires determining what is to be done, in what order, by whom, by which methods, and according to what timeline
27
Management Characteristics (cont’d.)
Leading
Leadership encourages the implementation of the planning and organising functions
Includes supervising employee behavior, performance, attendance, and attitude
Leadership generally addresses the direction and motivation of the human resource
28
Management Characteristics (cont’d.)
Controlling
Monitoring progress toward completion
Making necessary adjustments to achieve the desired objectives
The control function serves to assure the organisation of the validity of the plan
Determines what must be monitored as well as applies specific control tools to gather and evaluate information
29
Management Characteristics (cont’d.)
Figure 1-4 The control process
Source: Course Technology/Cengage Learning
30
Solving Problems
Step 1: Recognise and define the problem
Step 2: Gather facts and make assumptions
Step 3: Develop possible solutions
Step 4: Analyse and compare possible solutions
Step 5: Select, implement, and evaluate a solution
31
Principles of Information Security Management
The extended characteristics of information security are known as the six P’s
Planning
Policy
Programs
Protection
People
Project Management
32
Planning
Planning as part of InfoSec management
An extension of the basic planning model discussed earlier in this chapter
Included in the InfoSec planning model
Activities necessary to support the design, creation, and implementation of information security strategies
33
Planning (cont’d.)
Types of InfoSec plans
Incident response planning
Business continuity planning
Disaster recovery planning
Policy planning
Personnel planning
Technology rollout planning
Risk management planning
Security program planning
includes education, training and awareness
34
Policy
Policy
The set of organisational guidelines that dictates certain behavior within the organisation
Three general categories of policy
Enterprise information security policy (EISP)
Issue-specific security policy (ISSP)
System-specific policies (SysSPs)
35
Programs
Programs
InfoSec operations that are specifically managed as separate entities
Example: a security education training and awareness (SETA) program
Other types of programs
Physical security program
complete with fire, physical access, gates, guards, etc.
36
Protection
Executed through risk management activities
Including risk assessment and control, protection mechanisms, technologies, and tools
Each of these mechanisms represents some aspect of the management of specific controls in the overall information security plan
37
People
People
The most critical link in the information security program
Managers must recognise the crucial role that people play in the information security program
This area of InfoSec includes security personnel and the security of personnel, as well as aspects of a SETA program
38
Project Management
Project management
Identifying and controlling the resources applied to the project
Measuring progress
Adjusting the process as progress is made
39
Project Management (cont’d.)
Information security is a process, not a project
Each element of an information security program must be managed as a project
A continuous series, or chain, of projects
Some aspects of information security are not project based
They are managed processes (operations)
40
Project Management (cont’d.)
Figure 1-4 The information security program chain
Source: Course Technology/Cengage Learning
41
Project Management (cont’d.)
Project Management
The application of knowledge, skills, tools, and techniques to project activities to meet project requirements
Accomplished through the use of processes
Such as initiating, planning, executing, controlling, and closing
Involves the temporary assemblage of resources to complete a project
Some projects are iterative, occurring regularly
42
Applying Project Management to Security
First identify an established project management methodology
PMBoK is considered the industry best practice
Other project management practices exist
43
Project Management Body of Knowledge
Table 1-1 Project management knowledge areas
Source: Course Technology/Cengage Learning
44
PMBoK Knowledge Areas
Project integration management
Includes the processes required to coordinate what occurs between the components of a project
Elements of a project management effort that require integration
The development of the initial project plan
Monitoring of progress during plan execution
Control of plan revisions
Control of the changes made to resource allocations
As measured performance causes adjustments to the project plan
45
PMBoK Knowledge Areas (cont’d.)
Project plan development
The process of integrating all of the project elements into a cohesive plan
Goal is to complete the project within the allotted work time using no more than the allotted project resources
Core components of project plan
Work time, resources, and project deliverables
Changing one element affects the other two
Likely requires revision of the plan
46
PMBoK Knowledge Areas (cont’d.)
Figure 1-7 Project plan inputs
Source: Course Technology/Cengage Learning
47
PMBoK Knowledge Areas (cont’d.)
When integrating the disparate elements of a complex information security project, complications are likely to arise
Conflicts among communities of interest
Far-reaching impact
Resistance to new technology
48
PMBoK Knowledge Areas (cont’d.)
Project scope management
Ensures that the project plan includes only those activities necessary to complete it
Scope
The quantity or quality of project deliverables
Major processes
Initiation, scope planning, definition, verification and change control
49
PMBoK Knowledge Areas (cont’d.)
Project time management
Ensures that project is finished by identified completion date while meeting objectives
Failure to meet project deadlines is among the most frequently cited failures in project management
Many missed deadlines are caused by poor planning
50
PMBoK Knowledge Areas (cont’d.)
Project time management includes the following processes
Activity definition
Activity sequencing
Activity duration estimating
Schedule development
Schedule control
51
PMBoK Knowledge Areas (cont’d.)
Project cost management
Ensures that a project is completed within the resource constraints
Some projects are planned using only a financial budget
From which all resources must be procured
Includes resource planning, cost estimating, cost budgeting, and cost control
52
PMBoK Knowledge Areas (cont’d.)
Project quality management
Ensures project meets project specifications
Quality objective met
When deliverables meet requirements specified in project plan
A good plan defines project deliverables in unambiguous terms
For easy comparison against actual results
Includes quality planning, quality assurance and quality control
53
PMBoK Knowledge Areas (cont’d.)
Project human resource management
Ensures personnel assigned to project are effectively employed
Staffing a project requires careful estimates of effort required
Unique complexities
Extended clearances
Deploying technology new to the organisation
Includes organisational planning, staff acquisition and team development
54
PMBoK Knowledge Areas (cont’d.)
Project communications management
Conveys details of project activities to all involved
Includes the creation, distribution, classification, storage, and destruction of documents, messages, and other associated project information
Includes communications planning, information distribution, performance reporting and administrative closure
55
PMBoK Knowledge Areas (cont’d.)
Project risk management
Assesses, mitigates, manages, and reduces the impact of adverse occurrences on the project
Information security projects have unique risks
Includes risk identification, risk quantification, risk response development and risk response control
56
PMBoK Knowledge Areas (cont’d.)
Project procurement
Acquiring needed project resources
Project managers may simply requisition resources from the organisation, or may have to purchase them
Includes procurement planning, solicitation planning, solicitation, source selection, contract administration and contract closeout
57
Project Management Tools
Many tools exist
Most project managers combine software tools that implement one or more of the dominant modeling approaches
Project management certification
The Project Management Institute (PMI)
Leading global professional association
Sponsors two certificate programs: The Project Management Professional (PMP) and Certified Associate in Project Management (CAPM)
58
Project Management Tools (cont’d.)
Projectitis
Occurs when the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than accomplishing meaningful project work
Precursor to projectitis
Developing an overly elegant, microscopically detailed plan before gaining consensus for the work required
59
Work Breakdown Structure
Work breakdown structure (WBS)
Simple planning tool for creating a project plan
The project plan is first broken down into a few major tasks
Each task is placed on the WBS task list
60
Work Breakdown Structure (cont’d.)
Determine minimum attributes for each task
The work to be accomplished (activities and deliverables)
Estimated amount of effort required for completion in hours or workdays
The common or specialty skills needed to perform the task
Task interdependencies
61
Work Breakdown Structure (cont’d.)
As the project plan develops, additional attributes can be added
Estimated capital and noncapital expenses for the task
Task assignment according to specific skills
Start and end dates
Work to be accomplished
Amount of effort
Task dependencies
62
Work Breakdown Structure (cont’d.)
Work phase
Phase in which the project deliverables are prepared
Occurs after the project manager has completed the WBS
63
Work Breakdown Structure (cont’d.)
Table 1-2 Early draft work breakdown structure
Source: Course Technology/Cengage Learning
64
Table 1-3 Later draft work breakdown structure
Source: Course Technology/Cengage Learning
65
Task-Sequencing Approaches
Many possibilities for task assignment and scheduling
For modest and large size projects
A number of approaches can assist the project manager in this sequencing effort
Network scheduling
Refers to the web of possible pathways to project completion
66
Task Sequencing Approaches (cont’d.)
Figure 1-8 Simple network dependency
Source: Course Technology/Cengage Learning
67
Task Sequencing Approaches (cont’d.)
Figure 1-9 Complex network dependency
Source: Course Technology/Cengage Learning
68
Task Sequencing Approaches (cont’d.)
Program Evaluation and Review Technique (PERT)
Most popular technique
Originally developed in the late 1950s for government-driven engineering projects
69
Task Sequencing Approaches (cont’d.)
Three key questions
How long will this activity take?
What activity occurs immediately before this activity can take place?
What activity occurs immediately after this activity?
Determine the critical path
By identifying the slowest path through the various activities
70
Task Sequencing Approaches (cont’d.)
Slack time
How much time is available for starting a noncritical task without delaying the project as a whole
Tasks which have slack time are logical candidates for accepting a delay
71
Task Sequencing Approaches (cont’d.)
PERT advantages
Makes planning large projects easier
By facilitating the identification of pre- and post-activities
Determines the probability of meeting requirements
Anticipates the impact of system changes
Presents information in a straightforward format understood by managers
Requires no formal training
72
Task Sequencing Approaches (cont’d.)
PERT disadvantages
Diagrams can be awkward and cumbersome, especially in very large projects
Diagrams can become expensive to develop and maintain
Due to the complexities of some project development processes
Difficulty in estimating task durations
Inaccurate estimates invalidate any close critical path calculations
73
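The critical-path and slack calculation described on the PERT slides above (the slowest path through the activities, and how much a non-critical task can slip), together with the estimate-sensitivity caveat under PERT disadvantages, as an added Python example that is not from the textbook or the course. The task network is a constructed, hypothetical InfoSec rollout laid out as a WBS task list (duration, predecessors), and the function names are assumptions of this example.

```python
"""PERT-style critical path and slack over a constructed task network.

Forward pass gives earliest start/finish (ES/EF), backward pass gives latest
start/finish (LS/LF); slack = LS - ES, and the tasks with zero slack form the
critical (slowest) path through the network.
"""
from collections import deque

# Constructed, hypothetical InfoSec rollout: task -> (duration in workdays,
# list of immediate predecessors). Not taken from the textbook.
TASKS = {
    "define_scope":       (2, []),
    "asset_inventory":    (5, ["define_scope"]),
    "risk_assessment":    (4, ["asset_inventory"]),
    "draft_policy":       (3, ["define_scope"]),
    "select_controls":    (3, ["risk_assessment", "draft_policy"]),
    "awareness_training": (2, ["draft_policy"]),
    "deploy_controls":    (6, ["select_controls"]),
    "closeout":           (1, ["deploy_controls", "awareness_training"]),
}


def topological_order(tasks):
    """Kahn's algorithm. Returns (order, successors); raises on a cycle or
    on a predecessor that is not itself a task."""
    indegree = {name: len(deps) for name, (_, deps) in tasks.items()}
    successors = {name: [] for name in tasks}
    for name, (_, deps) in tasks.items():
        for dep in deps:
            if dep not in tasks:
                raise KeyError(f"{name!r} depends on unknown task {dep!r}")
            successors[dep].append(name)
    queue = deque(name for name, n in indegree.items() if n == 0)
    order = []
    while queue:
        name = queue.popleft()
        order.append(name)
        for nxt in successors[name]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                queue.append(nxt)
    if len(order) != len(tasks):
        raise ValueError("task dependencies contain a cycle")
    return order, successors


def pert(tasks):
    """Return project length, ES/EF/LS/LF per task, slack, and critical path."""
    order, successors = topological_order(tasks)
    es, ef = {}, {}
    for name in order:                      # forward pass
        duration, deps = tasks[name]
        es[name] = max((ef[d] for d in deps), default=0)
        ef[name] = es[name] + duration
    length = max(ef.values())
    ls, lf = {}, {}
    for name in reversed(order):            # backward pass
        lf[name] = min((ls[s] for s in successors[name]), default=length)
        ls[name] = lf[name] - tasks[name][0]
    slack = {name: ls[name] - es[name] for name in tasks}
    critical = [name for name in order if slack[name] == 0]
    return {"length": length, "es": es, "ef": ef, "ls": ls, "lf": lf,
            "slack": slack, "critical_path": critical}


def reestimate(tasks, name, new_duration):
    """Copy of the network with one task's duration changed; used to show
    how a mis-estimate can move the critical path."""
    updated = dict(tasks)
    updated[name] = (new_duration, list(tasks[name][1]))
    return updated


if __name__ == "__main__":
    for label, network in (("original estimates", TASKS),
                           ("draft_policy re-estimated at 10 days",
                            reestimate(TASKS, "draft_policy", 10))):
        result = pert(network)
        print(f"\n{label}: project length {result['length']} days")
        print(f"{'task':20} {'ES':>3} {'EF':>3} {'LS':>3} {'LF':>3} {'slack':>5}")
        for t in network:
            print(f"{t:20} {result['es'][t]:3} {result['ef'][t]:3} "
                  f"{result['ls'][t]:3} {result['lf'][t]:3} {result['slack'][t]:5}")
        print("critical path:", " -> ".join(result["critical_path"]))
```

With the original estimates the critical path runs through asset_inventory and risk_assessment while draft_policy carries 6 days of slack; raising the draft_policy estimate from 3 to 10 days moves the critical path through draft_policy instead, which is the sensitivity to inaccurate estimates that the PERT disadvantages slide warns about.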
Task Sequencing Approaches (cont’d.)
Figure 1-10 PERT example
Source: Course Technology/Cengage Learning
74
Task Sequencing Approaches (cont’d.)
Gantt chart
Easy to read and understand; easy to present to management
Easier to design and implement than the PERT diagrams, yielding much of the same information
Lists activities on the vertical axis of a bar chart, and provides a simple time line on the horizontal axis
75
Task Sequencing Approaches (cont’d.)
Figure 1-11 Project Gantt chart
Source: Course Technology/Cengage Learning
76
Automated Project Tools
Microsoft Project
A widely used project management tool
Keep in mind:
A software program is no substitute for a skilled and experienced project manager
Manager must understand how to define tasks, allocate scarce resources, and manage assigned resources
A software tool can get in the way of the work
Choose a tool that you can use effectively
77
Summary
What is security?
What is management?
Principles of information security management
Planning
Policy
Programs
Protection
People
Project management
Project management
Applying project management to security
Project management tools
78
ITC358
ICT Management and Information Security
Chapter 2
Planning for Security
You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra
1
Objectives
Upon completion of this material, you should be able to:
Identify the roles in organisations that are active in the planning process
Explain the principal components of information security system implementation planning in the organisational planning scheme
Differentiate between strategic organisational InfoSec and specialised contingency planning
Describe the unique considerations and relationships between strategic and contingency plans
2
Introduction
Figure 2-1 Information Security and Planning
Source: Course Technology/Cengage Learning
3
The Role of Planning
Successful organisations utilise planning
Planning involves
Employees
Management
Stockholders
Other outside stakeholders
The physical and technological environment
The political and legal environment
The competitive environment
4
The Role of Planning (cont’d.)
Strategic planning includes:
Vision statement
Mission statement
Strategy
Coordinated plans for sub units
Knowing how the general organisational planning process works helps in the information security planning process
5
The Role of Planning (cont’d.)
Planning is creating action steps toward goals, and then controlling them
Planning provides direction for the organisation’s future
In the top-down method, an organisation’s leaders choose the direction
Planning begins with the general and ends with the specific
6
Values Statement
Establishes organisational principles
Makes organisation’s conduct standards clear
RWW values commitment, honesty, integrity and social responsibility among its employees, and is committed to providing its services in harmony with its corporate, social, legal and natural environments
The values, vision, and mission statements together provide the foundation for planning
7
Vision Statement
The vision statement expresses what the organisation wants to become
Vision statements should be ambitious
Random Widget Works will be the preferred manufacturer of choice for every business’s widget equipment needs, with an RWW widget in every machine they use
8
Mission Statement
Mission statement
Declares the business of the organisation and its intended areas of operations
Explains what the organisation does and for whom
Random Widget Works, Inc. designs and manufactures quality widgets and associated equipment and supplies for use in modern business environments
9
Figure 2-2 Microsoft’s Mission and Values Statement
Strategic Planning
Strategy is the basis for long-term direction
Strategic planning guides organisational efforts
Focuses resources on clearly defined goals
“… strategic planning is a disciplined effort to produce fundamental decisions and actions that shape and guide what an organisation is, what it does, and why it does it, with a focus on the future.”
11
Creating a Strategic Plan
Figure 2-3 Top-down Strategic Planning
Source: Course Technology/Cengage Learning
12
Creating a Strategic Plan (cont’d.)
An organisation develops a general strategy
Then creates specific strategic plans for major divisions
Each level or division translates those objectives into more specific objectives for the level below
In order to execute this broad strategy, executives must define individual managerial responsibilities
13
Planning Levels
Strategic goals are translated into tasks
Objectives should be specific, measurable, achievable, reasonably high and time-bound (SMART)
Strategic planning then begins a transformation from general to specific objectives
14
Planning Levels (cont’d.)
Figure 2-4 Planning Levels
Source: Course Technology/Cengage Learning
15
Planning Levels (cont’d.)
Tactical Planning
Has a shorter focus than strategic planning
Usually one to three years
Breaks applicable strategic goals into a series of incremental objectives
16
Planning Levels (cont’d.)
Operational Planning
Used by managers and employees to organise the ongoing, day-to-day performance of tasks
Includes clearly identified coordination activities across department boundaries such as:
Communications requirements
Weekly meetings
Summaries
Progress reports
17
Planning and the CISO
Elements of a strategic plan
Executive summary
Mission statement and vision statement
Organisational profile and history
Strategic issues and core values
Program goals and objectives
Management/operations goals and objectives
Appendices (optional)
18
Planning and the CISO (cont’d.)
Tips for creating a strategic plan
Create a compelling vision statement that frames the evolving plan, and acts as a magnet for people who want to make a difference
Embrace the use of the balanced scorecard approach
Deploy a draft high level plan early, and ask for input from stakeholders in the organisation
19
Planning and the CISO (cont’d.)
Tips for creating a strategic plan (cont’d.)
Make the evolving plan visible
Make the process invigorating for everyone
Be persistent
Make the process continuous
Provide meaning
Be yourself
Lighten up and have some fun
20
Information Security Governance
Governance of information security is a strategic planning responsibility
Importance has grown in recent years
Information security objectives must be addressed at the highest levels of an organisation’s management team
To be effective and offer a sustainable approach
21
Information Security Governance (cont’d.)
Information security governance includes
Providing strategic direction
Establishing objectives
Measuring progress toward those objectives
Verifying that risk management practices are appropriate
Validating that the organisation’s assets are used properly
22
Information Security Governance (cont’d.)
Actions of the Board of Directors
Inculcating a culture that recognises the importance of information security
Aligning management’s investment in information security with organisational strategies and risk environment
Assuring comprehensive development and implementation of an information security program
Demanding reports from the various layers of management on the information security program’s effectiveness and adequacy
Desired Outcomes
Outcomes of information security governance
Strategic alignment of information security with business strategy to support organisational objectives
Risk management to reduce potential impacts on information resources
Resource management with efficient use of information security knowledge and infrastructure
Desired Outcomes (cont’d.)
Outcomes of information security governance (cont’d.)
Performance measurement to ensure that organisational objectives are achieved
Value delivery by optimising information security investments in support of organisational objectives
Desired Outcomes (cont’d.)
Recommended Board of Director practices
Place information security on the board’s agenda
Identify information security leaders, hold them accountable and ensure support for them
Ensure the effectiveness of the corporation’s information security policy through review and approval
Assign information security to a key committee and ensure adequate support for that committee
Implementing Information Security Governance
Figure 2-6 General Governance Framework
Source: IDEAL is a service mark of Carnegie Mellon University
Implementing Information Security Governance (cont’d.)
Figure 2-7 The IDEAL model governance framework
Source: IDEAL is a service mark of Carnegie Mellon University
Planning for Information Security Implementation
Figure 2-8 Information security governance responsibilities
Source: Information Security Governance: A Call to Action
Planning For Information Security Implementation (cont’d.)
Roles of the CIO and CISO
Translating overall strategic plan into tactical and operational information security plans
The CISO plays a more active role in the development of the planning details than does the CIO
Planning For Information Security Implementation (cont’d.)
CISO Job Description
Creates a strategic information security plan with a vision for the future of information security
Understands the fundamental business activities and suggests appropriate information security solutions to protect these activities
Develops action plans, schedules, budgets, and status reports
Planning For Information Security Implementation (cont’d.)
Implementation can begin
After plan has been translated into IT and information security objectives and tactical and operational plans
Methods of implementation
Bottom-up
Top-down
Planning For Information Security Implementation (cont’d.)
Figure 2-9 Approaches to security implementation
Source: Course Technology/Cengage learning
Introduction to the Security Systems Development Life Cycle
An SDLC is a methodology for the design and implementation of an information system
SDLC-based projects may be initiated by events or planned
At the end of each phase, a review occurs to determine if the project should be continued, discontinued, outsourced, or postponed
SecSDLC methodology is similar to SDLC
Identification of specific threats and the risks they represent
Design and implementation of specific controls to counter those threats and manage risks posed to the organisation
Introduction to the Security Systems Development Life Cycle (cont’d.)
Figure 2-10 Phases of the SecSDLC
Source: Course Technology/Cengage learning
Investigation in the SecSDLC
Phase begins with directive from management specifying the process, outcomes, and goals of the project and its budget
Frequently begins with the affirmation or creation of security policies (anz example)
Teams assembled to analyse problems, define scope, specify goals and identify constraints
Investigation in the SecSDLC (cont’d.)
Feasibility analysis
Determines whether the organisation has the resources and commitment to conduct a successful security analysis and design
Analysis in the SecSDLC
Prepare analysis of existing security policies and programs, along with known threats and current controls
Analysis in the SecSDLC (cont’d.)
Analyse relevant legal issues that could affect the design of the security solution
Risk management begins in this stage
The process of identifying, assessing, and evaluating the levels of risk facing the organisation, specifically the threats to the information stored and processed by the organisation
A threat is an object, person, or other entity that represents a constant danger to an asset
An attack
A deliberate act that exploits a vulnerability to achieve the compromise of a controlled system
Accomplished by a threat agent that damages or steals an organisation’s information or physical assets
An exploit
A technique or mechanism used to compromise a system
A vulnerability
An identified weakness of a controlled system in which necessary controls are not present or are no longer effective
Table 2-1 Threats to Information Security
Source: Course Technology/Cengage Learning (adapted from Whitman, 2003)
Some common attacks
Malicious code
Hoaxes
Back doors
Password crack
Brute force
Dictionary
Denial-of-service (DoS) and distributed denial-of-service (DDoS)
Some common attacks (cont’d.)
Spoofing
Man-in-the-middle
Spam
Mail bombing
Sniffer
Social engineering
Buffer overflow
Timing
Prioritise the risk posed by each category of threat
Identify and assess the value of your information assets
Assign a comparative risk rating or score to each specific information asset
Design in the SecSDLC
Create and develop a blueprint for security
Examine and implement key policies
Evaluate the technology needed to support the security blueprint
Generate alternative solutions
Agree upon a final design
Security models may be used to guide the design process
Models provide frameworks for ensuring that all areas of security are addressed
Organisations can adapt or adopt a framework to meet their own information security needs
A critical design element of the information security program is the information security policy
Management must define three types of security policy
Enterprise information security policies
Issue-specific security policies
Systems-specific security policies
SETA program consists of three elements
Security education, security training, and security awareness
The purpose of SETA is to enhance security by
Improving awareness
Developing skills and knowledge
Building in-depth knowledge
SETA
Another integral part of the InfoSec program is the security education and training program.
The SETA program consists of three elements: security education, security training, and security awareness.
The purpose of SETA is to enhance security by:
Improving awareness of the need to protect system resources
Developing skills and knowledge so computer users can perform their jobs more securely
Building in-depth knowledge, as needed, to design, implement, or operate security programs for organisations and systems
Design controls and safeguards
Used to protect information from attacks by threats
Three categories of controls: managerial, operational and technical
Managerial controls
Address the design and implementation of the security planning process, security program management, risk management, and security control reviews
Operational controls cover management functions and lower level planning
Disaster recovery
Incident response planning
Personnel security
Physical security
Protection of production inputs and outputs
Technical controls
Address tactical and technical issues related to designing and implementing security in the organisation
Technologies necessary to protect information are examined and selected
Contingency planning
Prepare, react and recover from circumstances that threaten the organisation
Types of contingency planning
Incident response planning (IRP)
Disaster recovery planning (DRP)
Business continuity planning (BCP)
Records destroyed in Liverpool council fire
Physical security
Design, implementation, and maintenance of countermeasures that protect the physical resources of an organisation
Physical resources include
People
Hardware
Supporting information system elements
Implementation in the SecSDLC
Security solutions are acquired, tested, implemented, and tested again
Personnel issues are evaluated and specific training and education programs conducted
Management of the project plan
Planning the project
Supervising the tasks and action steps within the project
Wrapping up the project
Members of the development team
Champion
Team leader
Security policy developers
Risk assessment specialists
Security professionals
Systems administrators
End users
Staffing the information security function
Decide how to position and name the security function
Plan for the proper staffing of the information security function
Understand the impact of information security across every role in IT
Integrate solid information security concepts into the personnel management practices of the organisation
Information security professionals
Chief information officer (CIO)
Chief information security officer (CISO)
Security managers
Security technicians
Data owners
Data custodians
Data users
Professional certifications
CISSP
SSCP
GIAC
Security +
CISM
Maintenance and change in the SecSDLC
Once the information security program is implemented, it must be operated, properly managed, and kept up to date by means of established procedures
If the program is not adjusting adequately to the changes in the internal or external environment, it may be necessary to begin the cycle again
Aspects of a maintenance model
External monitoring
Internal monitoring
Planning and risk assessment
Vulnerability assessment and remediation
Readiness and review
Introduction to the Security Systems Development Life Cycle (cont’d.)
Figure 2-11 Maintenance model
Source: Course Technology/Cengage learning
Security program management
A formal management standard can provide some insight into the processes and procedures needed
Examples include the BS7799 / ISO17799 / ISO27xxx model or the NIST models described earlier
Summary
Introduction
Components of organisational planning
Information security governance
Planning for information security implementation
Introduction to the security systems development life cycle
ITC358
ICT Management and Information Security
Chapter 3
Planning for Contingencies
Objectives
Upon completion of this material, you should be able to:
Recognise the need for contingency planning
Describe the major components of contingency planning
Create a simple set of contingency plans, using business impact analysis (BIA)
Prepare and execute a test of contingency plans
Explain the combined contingency plan approach
Introduction
Planning for the unexpected event is the focus of this chapter
When the use of technology is disrupted and business operations come close to a standstill
Procedures are required to permit the organisation to continue essential functions if information technology support is interrupted
Over 40% of businesses that don’t have a disaster plan go out of business after a major loss **
Fundamentals of Contingency Planning
Contingency planning (CP)
The overall planning for unexpected events
Involves preparing for, detecting, reacting to, and recovering from events that threaten the security of information resources and assets
Main goal
The restoration to normal modes of operation with minimum cost and disruption to normal business activities after an unexpected event
Incident response planning (IRP)
Focuses on immediate response
Disaster recovery planning (DRP)
Focuses on restoring operations at the primary site after disasters occur
Business continuity planning (BCP)
Facilitates establishment of operations at an alternate site
To ensure continuity across all of the CP processes, contingency planners should
Identify the mission- or business-critical functions and the resources that support them
Anticipate potential contingencies or disasters
Select contingency planning strategies
Implement the selected strategy
Test and revise contingency plans
Fundamentals of Contingency Planning (cont’d.)
Develop the contingency planning policy statement
Provides the authority and guidance necessary to develop an effective contingency plan
Conduct the BIA
Helps to identify and prioritise critical IT systems and components
Fundamentals of Contingency Planning (cont’d.)
Identify preventive controls
Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs
Develop recovery strategies
Ensure that the system may be recovered quickly and effectively following a disruption
Fundamentals of Contingency Planning (cont.)
Develop an IT contingency plan
Contains detailed guidance and procedures for restoring a damaged system
Plan testing, training, and exercises
Testing the plan identifies planning gaps
Training prepares recovery personnel for plan activation
Both activities improve plan effectiveness and overall agency preparedness
Plan maintenance
The plan should be updated regularly to remain current with system enhancements
Fundamentals of Contingency Planning (cont’d.)
Elements of a contingency planning policy statement
An introductory statement of philosophical perspective by senior management
A statement of the scope and purpose of the CP operations
A call for periodic risk assessment and business impact analysis by the CP Team
Fundamentals of Contingency Planning (cont’d.)
Elements of a contingency planning policy statement (cont’d.)
A specification of the major components of the CP
A call for, and guidance in, the selection of recovery options and business continuity strategies
A requirement to test the various plans on a regular basis
Fundamentals of Contingency Planning (cont’d.)
Elements of a contingency planning policy statement (cont’d.)
Identification of key regulations and standards that impact CP planning and a brief overview of their relevancy
Identification of key individuals responsible for CP operations
A challenge to the individual members of the organisation
Additional administrative information
Four teams are involved in contingency planning and contingency operations
The CP team
The incident recovery (IR) team
The disaster recovery (DR) team
The business continuity plan (BC) team
The CP team should include
Champion
Project Manager
Team Members
Business managers
Information technology managers
Information security managers
Fundamentals of Contingency Planning (cont’d.)
NIST describes the need for this type of planning as:
“These procedures (contingency plans, business interruption plans, and continuity of operations plans) should be coordinated with the backup, contingency, and recovery plans of any general support systems, including networks used by the application. The contingency plans should ensure that interfacing systems are identified and contingency/disaster planning coordinated.”
Components of Contingency Planning
Figure 3-1 Contingency planning hierarchies
Source: Course Technology/Cengage Learning
Business Impact Analysis (BIA)
Provides the CP team with information about systems and the threats they face
Second phase in the CP process
A crucial component of the initial planning stages
Provides detailed scenarios of each potential attack’s impact
Business Impact Analysis (BIA)
BIA is not risk management (which focuses on identifying threats, vulnerabilities, and attacks to determine controls)
BIA assumes controls have been bypassed or are ineffective, and attack was successful
Business Impact Analysis (cont’d.)
Figure 3-2 Major tasks in contingency planning
Source: Course Technology/Cengage Learning
Business Impact Analysis (cont’d.)
The CP team conducts the BIA in the following stages:
Threat attack identification
Business unit analysis
Attack success scenarios
Potential damage assessment
Subordinate plan classification
Business Impact Analysis (cont’d.)
An organisation that uses a risk management process will have identified and prioritised threats
Update threat list and add one additional piece of information – the attack profile
An attack profile is a detailed description of activities that occur during an attack
The second major BIA task is the analysis and prioritisation of business functions within the organisation
Table 3-1 Example attack profile
Source: Course Technology/Cengage Learning
Management of Information Security, 3rd ed.
Business Impact Analysis (cont’d.)
Create a series of scenarios depicting impact of successful attack on each functional area
Attack profiles should include scenarios depicting typical attack including:
Methodology
Indicators
Broad consequences
Add alternate outcomes
Best case, worst case, and most likely
Business Impact Analysis (cont’d.)
Estimate the cost of the best, worst, and most likely outcomes
By preparing an attack scenario end case
Allows identification of what must be done to recover from each possible case
Business Impact Analysis (cont’d.)
A related plan must be developed or identified from among existing plans already in place
Each attack scenario end case is categorised as disastrous or not
Attack end cases that are disastrous find members of the organisation waiting out the attack, and planning to recover after it is over
Incident Response Plan
A detailed set of processes and procedures that anticipate, detect, and mitigate the impact of an unexpected event that might compromise information resources and assets
Procedures commence when an incident is detected
Incident Response Plan (cont’d.)
When a threat becomes a valid attack, it is classified as an information security incident if:
It is directed against information assets
It has a realistic chance of success
It threatens the confidentiality, integrity, or availability of information assets
Incident response is a reactive measure, not a preventative one
Incident Response Plan (cont’d.)
Planners develop and document the procedures that must be performed during the incident
These procedures are grouped and assigned to various roles
The planning committee drafts a set of function-specific procedures
Planners develop and document the procedures that must be performed immediately after the incident has ceased
Separate functional areas may develop different procedures
Develop procedures for tasks that must be performed in advance of the incident
Details of data backup schedules
Disaster recovery preparation
Training schedules
Testing plans
Copies of service agreements
Business continuity plans
Incident Response Plan (cont’d.)
Figure 3-3 Incident response planning
Source: Course Technology/Cengage Learning
Incident Response Plan (cont’d.)
Planning requires a detailed understanding of the information systems and the threats they face
The IR planning team seeks to develop pre-defined responses that guide users through the steps needed to respond to an incident
Enables rapid reaction without confusion or wasted time and effort
Incident Response Plan (cont’d.)
The IR team consists of professionals capable of handling the information systems and functional areas affected by an incident
Each member of the IR team must know his or her specific role, work in concert with each other, and execute the objectives of the IRP
Incident classification
Determine whether an event is an actual incident
May be challenging
Uses initial reports from end users, intrusion detection systems, host- and network-based virus detection software, and systems administrators
Careful training allows everyone to relay vital information to the IR team
Incident Response Plan (cont’d.)
Possible indicators
Presence of unfamiliar files
Presence or execution of unknown programs or processes
Unusual consumption of computing resources
Unusual system crashes
Incident Response Plan (cont’d.)
Probable indicators
Activities at unexpected times
Presence of new accounts
Reported attacks
Notification from IDS
Incident Response Plan (cont’d.)
Definite indicators
Use of dormant accounts
Changes to logs
Presence of hacker tools
Notifications by partner or peer
Notification by hacker
Incident Response Plan (cont’d.)
Occurrences of actual incidents
When these occur, the corresponding IR must be immediately activated
Loss of availability
Loss of integrity
Loss of confidentiality
Violation of policy
Violation of law
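The three indicator tiers and the list of actual incident occurrences above can be turned into a first-pass classifier that decides when a host's reports justify moving to the reaction phase. This is an added example, not code from the slides or the textbook; the event kinds, sample reports and corroboration thresholds are constructed assumptions.

```python
"""Incident classification helper (added example, not from the slides or textbook).

Maps constructed event reports to the indicator tiers on the slides (possible,
probable, definite) and to occurrences that are incidents outright, then decides
per host whether the IR team moves from detection to reaction.
"""
from dataclasses import dataclass
from enum import IntEnum

class Tier(IntEnum):
    NONE = 0      # event kind not in the taxonomy; hold for manual triage
    POSSIBLE = 1
    PROBABLE = 2
    DEFINITE = 3
    ACTUAL = 4    # an occurrence that is an incident by definition

# Event kind -> tier, following the three indicator groups and the list of
# actual incident occurrences on the slides. Kind names are constructed.
INDICATOR_TIERS = {
    "unfamiliar_file": Tier.POSSIBLE,
    "unknown_process": Tier.POSSIBLE,
    "resource_spike": Tier.POSSIBLE,
    "unusual_crash": Tier.POSSIBLE,
    "off_hours_activity": Tier.PROBABLE,
    "new_account": Tier.PROBABLE,
    "reported_attack": Tier.PROBABLE,
    "ids_alert": Tier.PROBABLE,
    "dormant_account_used": Tier.DEFINITE,
    "log_modified": Tier.DEFINITE,
    "attack_tools_found": Tier.DEFINITE,
    "partner_notification": Tier.DEFINITE,
    "attacker_notification": Tier.DEFINITE,
    "availability_loss": Tier.ACTUAL,
    "integrity_loss": Tier.ACTUAL,
    "confidentiality_loss": Tier.ACTUAL,
    "policy_violation": Tier.ACTUAL,
    "law_violation": Tier.ACTUAL,
}

# Corroboration policy (an assumption for this example, not from the slides):
# one definite indicator or actual occurrence confirms an incident; weaker
# indicators must pile up on the same host before the reaction phase starts.
PROBABLE_THRESHOLD = 2
POSSIBLE_THRESHOLD = 3

@dataclass(frozen=True)
class Event:
    host: str
    kind: str
    source: str   # who reported it: end user, IDS, anti-virus, sysadmin

@dataclass
class Classification:
    host: str
    highest: Tier
    counts: dict
    incident: bool
    rationale: str

def classify_host(host, events):
    """Classify one host from every event reported against it."""
    counts = {tier: 0 for tier in Tier}
    for ev in events:
        if ev.host == host:
            counts[INDICATOR_TIERS.get(ev.kind, Tier.NONE)] += 1
    present = [t for t in Tier if t != Tier.NONE and counts[t] > 0]
    highest = max(present, default=Tier.NONE)
    # Rules in priority order: (condition, is_incident, rationale)
    rules = [
        (counts[Tier.ACTUAL] > 0, True, "actual incident occurrence reported; activate the IRP"),
        (counts[Tier.DEFINITE] > 0, True, "definite indicator present; confirm and react"),
        (counts[Tier.PROBABLE] >= PROBABLE_THRESHOLD, True, "probable indicators corroborate each other"),
        (counts[Tier.POSSIBLE] >= POSSIBLE_THRESHOLD, True, "several possible indicators on one host"),
        (not present and counts[Tier.NONE] > 0, False, "unrecognised event kinds only; triage manually"),
    ]
    for condition, is_incident, rationale in rules:
        if condition:
            return Classification(host, highest, counts, is_incident, rationale)
    return Classification(host, highest, counts, False, "indicators too few or too weak; keep monitoring")

def classify_all(events):
    """Group events by host and classify each; returns {host: Classification}."""
    return {host: classify_host(host, events) for host in sorted({ev.host for ev in events})}

# Constructed sample reports, not real telemetry.
SAMPLE_EVENTS = [
    Event("ws-17", "unfamiliar_file", "end user"),
    Event("ws-17", "unknown_process", "anti-virus"),
    Event("db-02", "ids_alert", "IDS"),
    Event("db-02", "new_account", "sysadmin"),
    Event("fs-01", "log_modified", "sysadmin"),
    Event("web-03", "defacement", "end user"),   # kind not in the taxonomy
]

if __name__ == "__main__":
    for host, result in classify_all(SAMPLE_EVENTS).items():
        status = "INCIDENT" if result.incident else "monitor"
        print(f"{host:7} {result.highest.name:9} {status:9} {result.rationale}")
```

Two possible indicators on ws-17 stay in the monitoring state, while the two probable indicators on db-02 corroborate each other and the single definite indicator on fs-01 confirms an incident on its own.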
Incident Response Plan (cont’d.)
Once an actual incident has been confirmed and properly classified
IR team moves from the detection phase to the reaction phase
A number of action steps must occur quickly and may occur concurrently
These steps include notification of key personnel, the assignment of tasks, and documentation of the incident
Incident Response Plan (cont’d.)
Alert roster
A document containing contact information on the individuals to be notified in the event of an actual incident either sequentially or hierarchically
The alert message is a scripted description of the incident
Other key personnel must be notified of the incident after the incident has been confirmed, but before media or other external sources learn of it
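An added example (not from the slides or the textbook) that simulates working an alert roster sequentially and hierarchically with a scripted alert message, and checks that the call tree actually reaches everyone on the roster; names, roles, call duration and the message text are constructed.

```python
"""Alert roster simulation (added example, not from the slides or textbook).

The slides say a roster may be worked sequentially (one caller notifies
everyone) or hierarchically (each person notified calls their own contacts).
This runs both on a constructed roster with a scripted message and flags any
roster member a call tree never reaches. Names, roles, call duration and the
message text are constructed assumptions.
"""
from collections import deque
from dataclasses import dataclass

CALL_MINUTES = 3  # assumed duration of one notification call

# Scripted alert message (constructed) so every call carries the same facts.
ALERT_MESSAGE = ("IR activation: suspected integrity loss on file server fs-01, "
                 "confirmed 14:20. Join the IR bridge; do not touch fs-01.")


@dataclass(frozen=True)
class Contact:
    name: str
    role: str


# Constructed roster; the first entry is the IR lead who starts the calls.
ROSTER = [
    Contact("A. Lee", "IR lead"),
    Contact("B. Ortiz", "CISO"),
    Contact("C. Singh", "Systems administration lead"),
    Contact("D. Novak", "Legal counsel"),
    Contact("E. Adeyemi", "Public relations"),
    Contact("F. Kim", "Database administrator"),
    Contact("G. Rossi", "Network operations"),
    Contact("H. Walsh", "Facilities"),
]

# Hierarchical call tree (constructed): caller -> the people that caller phones.
CALL_TREE = {
    "A. Lee": ["B. Ortiz", "C. Singh", "D. Novak"],
    "B. Ortiz": ["E. Adeyemi"],
    "C. Singh": ["F. Kim", "G. Rossi", "H. Walsh"],
}


def sequential_notify(roster, message):
    """The first contact phones everyone else in list order.
    Returns (log, total_minutes); a log entry is (minute, caller, callee, message)."""
    caller = roster[0].name
    log, elapsed = [], 0
    for contact in roster[1:]:
        elapsed += CALL_MINUTES
        log.append((elapsed, caller, contact.name, message))
    return log, elapsed


def hierarchical_notify(tree, root, message):
    """Each person, once notified, works down their own list; different callers
    phone in parallel. Returns (log, total_minutes) in the same shape as above."""
    log = []
    queue = deque([(root, 0)])  # (person, minute at which they can start calling)
    while queue:
        caller, start = queue.popleft()
        clock = start
        for callee in tree.get(caller, []):
            clock += CALL_MINUTES
            log.append((clock, caller, callee, message))
            queue.append((callee, clock))
    return log, max((minute for minute, _, _, _ in log), default=0)


def roster_gaps(roster, log, root):
    """Roster members (other than the root caller) that no call ever reached."""
    reached = {callee for _, _, callee, _ in log}
    return [c.name for c in roster if c.name != root and c.name not in reached]


def compare(roster, tree, message):
    """Run both patterns and report elapsed minutes plus any roster gaps."""
    root = roster[0].name
    seq_log, seq_minutes = sequential_notify(roster, message)
    hier_log, hier_minutes = hierarchical_notify(tree, root, message)
    return {
        "sequential_minutes": seq_minutes,
        "hierarchical_minutes": hier_minutes,
        "sequential_gaps": roster_gaps(roster, seq_log, root),
        "hierarchical_gaps": roster_gaps(roster, hier_log, root),
    }


if __name__ == "__main__":
    for key, value in compare(ROSTER, CALL_TREE, ALERT_MESSAGE).items():
        print(f"{key}: {value}")
```

The hierarchical roster finishes faster because callers work in parallel, but it depends on every branch of the tree being maintained; roster_gaps is the check that a stale tree would otherwise fail silently.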
Incident Response Plan (cont’d.)
Documentation
Begins once an incident has been confirmed and the notification process is underway
Record the who, what, when, where, why and how of each action taken during the incident
Serves as a case study after the fact to determine if the right actions were taken, and if they were effective
Can also prove the organisation did everything possible to deter the spread of the incident
The essential task of IR is to stop the incident or contain its impact
Incident containment strategies focus on two tasks
Stopping the incident
Recovering control of the systems
Incident Response Plan (cont’d.)
Containment strategies
Disconnect the affected communication circuits
Dynamically apply filtering rules to limit certain types of network access
Disabling compromised user accounts
Reconfiguring firewalls to block the problem traffic
Temporarily disabling the compromised process or service
Incident Response Plan (cont’d.)
Containment strategies (cont’d.)
Taking down the conduit application or server
Stopping all computers and network devices
Incident Response Plan (cont’d.)
An incident may increase in scope or severity to the point that the IRP cannot adequately contain the incident
Each organisation will have to determine, during the business impact analysis, the point at which the incident becomes a disaster
The organisation must also document when to involve outside response
Incident Response Plan (cont’d.)
Once contained and system control regained, incident recovery can begin
The IR team must assess the full extent of the damage in order to determine what must be done to restore the systems
Incident damage assessment
Determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets
Incident Response Plan (cont’d.)
Those who document the damage must be trained to collect and preserve evidence, in case the incident is part of a crime or results in a civil action
Incident Response Plan (cont’d.)
Recovery process
Identify the vulnerabilities that allowed the incident to occur and spread and resolve them
Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place and install, replace or upgrade them
Evaluate monitoring capabilities (if present) to improve detection and reporting methods, or install new monitoring capabilities
Incident Response Plan (cont’d.)
Recovery process (cont’d.)
Restore the data from backups as needed
Restore the services and processes in use where compromised (and interrupted) services and processes must be examined, cleaned, and then restored
Continuously monitor the system
Restore the confidence of the members of the organisation’s communities of interest
Incident Response Plan (cont’d.)
Before returning to routine duties, the IR team must conduct an after-action review (AAR)
A detailed examination of the events that occurred
All team members review their actions during the incident and identify areas where the IR plan worked, didn’t work, or should improve
Incident Response Plan (cont’d.)
When an incident violates civil or criminal law, it is the organisation’s responsibility to notify the proper authorities
Selecting the appropriate law enforcement agency depends on the type of crime committed: Federal, State, or local
Incident Response Plan (cont’d.)
Involving law enforcement has both advantages and disadvantages
They are usually much better equipped at processing evidence, obtaining statements from witnesses, and building legal cases
However, involvement can result in loss of control of the chain of events following an incident
Disaster Recovery Plan
The preparation for and recovery from a disaster, whether natural or man-made
In general, an incident is a disaster when:
The organisation is unable to contain or control the impact of an incident, or
The level of damage or destruction from an incident is so severe the organisation is unable to quickly recover
The key role of a DRP is defining how to reestablish operations at the location where the organisation is usually located
Disaster Recovery Plan (cont’d.)
A DRP can classify disasters in a number of ways
The most common method is to separate natural disasters from man-made disasters
Another way of classifying disasters is by speed of development
Rapid onset disasters
Slow onset disasters
Disaster Recovery Plan (cont’d.)
Scenario development and impact analysis
Used to categorise the level of threat of each potential disaster
DRP must be tested regularly
Key points in the DRP
Clear delegation of roles and responsibilities
Execution of the alert roster and notification of key personnel
Disaster Recovery Plan (cont’d.)
Key points in the DRP (cont’d.)
Clear establishment of priorities
Documentation of the disaster
Action steps to mitigate the impact
Alternative implementations for the various systems components
Disaster Recovery Plan (cont’d.)
Actual events often outstrip even the best of plans
To be prepared, DRP should be flexible
If physical facilities are intact, begin restoration
If organisation’s facilities are unusable, take alternative actions
When disaster threatens the organisation at the primary site, DRP becomes BCP
Business Continuity Plan
Ensures critical business functions can continue in a disaster
Managed by the CEO of the organisation
Activated and executed concurrently with the DRP when needed
While BCP reestablishes critical functions at alternate site, DRP focuses on reestablishment at the primary site
Business Continuity Plan (cont’d.)
Relies on identification of critical business functions and the resources to support them
Continuity strategies
Exclusive-use options: hot, warm and cold sites
Shared-use options: timeshare, service bureaus, mutual agreements
Determining factor is usually cost
Business Continuity Plan (cont’d.)
Hot Sites
Fully configured computer facility with all services
Warm Sites
Like hot site, but software applications not kept fully prepared
Cold Sites
Only rudimentary services and facilities kept in readiness
Business Continuity Plan (cont’d.)
Timeshares
Like an exclusive-use site, but leased
Service bureaus
Agency that provides physical facilities
Mutual agreements
Contract between two organisations to assist
Specialised alternatives
Rolling mobile site
Externally stored resources
Business Continuity Plan (cont’d.)
To get any BCP site running quickly, the organisation must be able to recover data
Options include:
Electronic vaulting
Bulk batch-transfer of data to an off-site facility
Remote journaling
Transfer of live transactions to an off-site facility
Database shadowing
Storage of duplicate online transaction data
Timing and Sequence of CP Elements
Figure 3-4 Incident response and disaster recovery
Source: Course Technology/Cengage Learning
Timing and Sequence of CP Elements (cont’d.)
Figure 3-5 Disaster recovery and business continuity planning
Source: Course Technology/Cengage Learning
Timing and Sequence of CP Elements (cont’d.)
Figure 3-6 Contingency planning implementation timeline
Source: Course Technology/Cengage Learning
Crisis Management
Crisis management
A set of focused steps that deal primarily with the people involved during and after a disaster
Crisis management team actions
Supporting personnel and their loved ones during the crisis
Determining the event’s impact on normal business operations
Making a disaster declaration
Crisis Management (cont’d.)
Crisis management team actions (cont’d.)
Keeping the public informed about the event
Communicating with outside parties
Key tasks of the crisis management team
Verifying personnel status
Activating the alert roster
Business Resumption Planning
Because the DRP and BCP are closely related, most organisations prepare them concurrently
May combine them into a single document, the business resumption plan (BRP)
Although a single planning team can develop the BRP, execution requires separate teams
Table 3-3 Contingency plan template
Source: http://csrc.nist.gov/fasp/FASPDocs/contingency-plan/contingencyplan-template
Business Resumption Planning (cont’d.)
Components of a simple disaster recovery plan
Name of agency
Date of completion or update of the plan and test date
Agency staff to be called in the event of a disaster
Emergency services to be called (if needed) in event of a disaster
Business Resumption Planning (cont’d.)
Components of a simple disaster recovery plan (cont’d.)
Locations of in-house emergency equipment and supplies
Sources of off-site equipment and supplies
Salvage priority list
Agency disaster recovery procedures
Follow-up assessment
71
Testing Contingency Plans
Problems are identified during testing
Improvements can be made, resulting in a reliable plan
Contingency plan testing strategies
Desk check
Structured walkthrough
Simulation
Parallel testing
Full interruption testing
72
Contingency Planning: Final Thoughts
Iteration results in improvement
A formal implementation of this methodology is a process known as continuous process improvement (CPI)
Each time the plan is rehearsed it should be improved
Constant evaluation and improvement lead to an improved outcome
73
Summary
Introduction
What Is Contingency Planning?
Components of Contingency Planning
Putting a Contingency Plan Together
Testing Contingency Plans
A Single Continuity Plan
74
1
ITC358
ICT Management and Information Security
Chapter 4
Information Security Policy
Each problem that I solved became a rule which served
afterwards to solve other problems – René Descartes
1
Objectives
Upon completion of this material you should be able to:
Define information security policy and understand its central role in a successful information security program
Describe the three major types of information security policy and explain what goes into each type
Develop, implement, and maintain various types of information security policies
Management of Information Security, 3rd ed.
2
Introduction
Policy is the essential foundation of an effective information security program
“The success of an information resources protection program depends on the policy generated, and on the attitude of management toward securing information on automated systems”
Policy maker sets the tone and emphasis on the importance of information security
Policy objectives
Reduced risk
Compliance with laws and regulations
Assurance of operational continuity, information integrity, and confidentiality
3
Why Policy?
A quality information security program begins and ends with policy
Policies are the least expensive means of control and often the most difficult to implement
Basic rules for shaping a policy
Policy should never conflict with law
Policy must be able to stand up in court if challenged
Policy must be properly supported and administered
4
Why Policy? (cont’d.)
Figure 4-1 The bull’s eye model
Source: Course Technology/Cengage Learning
5
Why Policy? (cont’d.)
Bull’s-eye model layers
Policies: first layer of defense
Networks: threats first meet the organisation’s network
Systems: computers and manufacturing systems
Applications: all applications systems
6
Why Policy? (cont’d.)
Policies are important reference documents
For internal audits
For the resolution of legal disputes about management’s due diligence
Policy documents can act as a clear statement of management’s intent
7
Policy, Standards, and Practices
Policy
A plan or course of action that influences decisions
For policies to be effective they must be properly disseminated, read, understood, agreed-to, and uniformly enforced
Policies require constant modification and maintenance
8
Policy, Standards, and Practices (cont’d.)
Types of information security policy
Enterprise information security program policy
Issue-specific information security policies
Systems-specific policies
Standards
A more detailed statement of what must be done to comply with policy
Practices
Procedures and guidelines explain how employees will comply with policy
9
Policies, Standards, & Practices
Figure 4-2 Policies, standards and practices
Source: Course Technology/Cengage Learning
10
Enterprise Information Security Policy (EISP)
Sets strategic direction, scope, and tone for organisation’s security efforts
Assigns responsibilities for various areas of information security
Guides development, implementation, and management requirements of information security program
11
EISP Elements
EISP documents should provide:
An overview of the corporate philosophy on security
Information about information security organisation and information security roles
Responsibilities for security that are shared by all members of the organisation
Responsibilities for security that are unique to each role within the organisation
12
Example EISP Components
Statement of purpose
What the policy is for
Information technology security elements
Defines information security
Need for information technology security
Justifies importance of information security in the organisation
Information technology security responsibilities and roles
Defines organisational structure
Reference to other information technology standards and guidelines
13
Issue-Specific Security Policy (ISSP)
Provides detailed, targeted guidance
Instructs the organisation in the secure use of a technology system
Begins with introduction to fundamental technological philosophy of the organisation
Protects organisation from inefficiency and ambiguity
Documents how the technology-based system is controlled
14
Issue-Specific Security Policy (cont’d.)
Protects organisation from inefficiency and ambiguity (cont’d.)
Identifies the processes and authorities that provide this control
Indemnifies the organisation against liability for an employee’s inappropriate or illegal system use
15
Issue-Specific Security Policy (cont’d.)
Every organisation’s ISSP should:
Address specific technology-based systems
Require frequent updates
Contain an issue statement on the organisation’s position on an issue
16
Issue-Specific Security Policy (cont’d.)
ISSP topics
Email and internet use (AUP)
Minimum system configurations (GPO)
Prohibitions against hacking (Firewall)
Home use of company-owned computer equipment (Remote VPN)
Use of personal equipment on company networks (Virus spread)
Use of telecommunications technologies (well train)
Use of photocopy equipment
17
Components of the ISSP
Statement of Purpose
Scope and applicability
Definition of technology addressed
Responsibilities
Authorised Access and Usage of Equipment
User access
Fair and responsible use
Protection of privacy
18
Components of the ISSP (cont’d.)
Prohibited Usage of Equipment
Disruptive use or misuse
Criminal use
Offensive or harassing materials
Copyrighted, licensed or other intellectual property
Other restrictions
19
Components of the ISSP (cont’d.)
Systems management
Management of stored materials
Employer monitoring
Virus protection
Physical security
Encryption
Violations of policy
Procedures for reporting violations
Penalties for violations
20
Components of the ISSP (cont’d.)
Policy review and modification
Scheduled review of policy and procedures for modification
Limitations of liability
Statements of liability or disclaimers (working?)
21
Implementing the ISSP
Common approaches
Several independent ISSP documents
A single comprehensive ISSP document
A modular ISSP document that unifies policy creation and administration
The recommended approach is the modular policy
Provides a balance between issue orientation and policy management
22
System-Specific Security Policy
System-specific security policies (SysSPs) frequently do not look like other types of policy
They may function as standards or procedures to be used when configuring or maintaining systems (services configuration)
SysSPs can be separated into
Management guidance
Technical specifications
Or combined in a single policy document
23
Managerial Guidance SysSPs
Created by management to guide the implementation and configuration of technology
Applies to any technology that affects the confidentiality, integrity or availability of information
Informs technologists of management intent
24
Technical Specifications SysSPs
System administrators’ directions on implementing managerial policy
Each type of equipment has its own type of policies
General methods of implementing technical controls
Access control lists
Configuration rules
25
Technical Specifications SysSPs (cont’d.)
Access control lists
Include the user access lists, matrices, and capability tables that govern the rights and privileges
A similar method that specifies which subjects and objects users or groups can access is called a capability table
These specifications are frequently complex matrices, rather than simple lists or tables
26
Technical Specifications SysSPs (cont’d.)
Access control lists (cont’d.)
Enable administrators to restrict access according to user, computer, time, duration, or even a particular file
Access control lists regulate
Who can use the system
What authorised users can access
When authorised users can access the system
27
Technical Specifications SysSPs (cont’d.)
Access control lists regulate (cont’d.)
Where authorised users can access the system from
How authorised users can access the system
Restricting what users can access, e.g. printers, files, communications, and applications
Administrators set user privileges
Read, write, create, modify, delete, compare, copy
28
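The who/what/when/where/how dimensions of an ACL described on the preceding slides, worked through as an added example (written for this page; it is not code from the course text or any real operating system ACL). Each entry names a subject, an object, the privileges allowed, a permitted hour window and a permitted source network; a request is allowed only if some entry matches on every dimension, and anything else is denied. The group names, file paths, printer name and network ranges are constructed sample values.

```python
"""Added example: a small ACL evaluator covering who, what, when, where and how.

Each entry says which subject may exercise which privilege on which object,
during which hours and from which source network. Anything not explicitly
permitted is denied (default deny). All entries and requests are constructed
sample data, not from any real system.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AclEntry:
    subject: str                 # who: a user name or a group name
    obj: str                     # what: file, printer, application, ...
    privileges: frozenset        # how: read, write, create, modify, delete, ...
    hours: tuple = (0, 24)       # when: permitted hour-of-day window [start, end)
    from_net: str = "0.0.0.0/0"  # where: permitted source network (any by default)


# Constructed ACL for a hypothetical finance share and a lobby printer.
ACL = [
    AclEntry("payroll-staff", "/finance/payroll.xlsx", frozenset({"read", "modify"}),
             hours=(8, 18), from_net="10.20.0.0/16"),
    AclEntry("auditors", "/finance/payroll.xlsx", frozenset({"read"})),
    AclEntry("all-staff", "printer-lobby", frozenset({"write"}), hours=(7, 20)),
]


def is_permitted(acl, user, groups, obj, privilege, at, source_ip):
    """Return (allowed, reason). The first entry matching every dimension grants;
    if no entry matches, the request is denied (default deny)."""
    for entry in acl:
        if entry.subject != user and entry.subject not in groups:
            continue                                  # who
        if entry.obj != obj:
            continue                                  # what
        if privilege not in entry.privileges:
            continue                                  # how
        start, end = entry.hours
        if not start <= at.hour < end:
            continue                                  # when
        if ip_address(source_ip) not in ip_network(entry.from_net):
            continue                                  # where
        return True, f"allowed: {entry.subject} may {privilege} {entry.obj}"
    return False, "denied: no matching ACL entry (default deny)"


def check(user, groups, obj, privilege, hour, source_ip):
    """Convenience wrapper: evaluate a request at the given hour on a fixed sample date."""
    at = datetime(2024, 3, 4, hour, 0)               # constructed timestamp
    allowed, _reason = is_permitted(ACL, user, frozenset(groups), obj, privilege, at, source_ip)
    return allowed


if __name__ == "__main__":
    for args in [
        ("alice", {"payroll-staff"}, "/finance/payroll.xlsx", "modify", 10, "10.20.5.4"),
        ("alice", {"payroll-staff"}, "/finance/payroll.xlsx", "modify", 22, "10.20.5.4"),
        ("alice", {"payroll-staff"}, "/finance/payroll.xlsx", "modify", 10, "192.168.1.5"),
        ("bob", {"auditors"}, "/finance/payroll.xlsx", "modify", 10, "10.20.5.4"),
    ]:
        print(args[0], args[3], args[2], "->", check(*args))
```

The point to notice is the default-deny fall-through at the end of is_permitted: a time-of-day or source-network restriction only works because a request outside the window matches nothing and is therefore refused, not because there is a separate deny rule for it.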
Technical Specifications SysSPs (cont’d.)
Figure 4-5 Windows XP ACL
Source: Course Technology/Cengage Learning
29
Technical Specifications SysSPs (cont’d.)
Configuration rules
Specific configuration codes entered into security systems
Guide the execution of the system when information is passing through it
Rule policies are more specific to system operation than ACLs
May or may not deal with users directly
30
Technical Specifications SysSPs (cont’d.)
Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process
31
Technical Specifications SysSPs (cont’d.)
Figure 4-6 Firewall configuration rules
Source: Course Technology/Cengage Learning
32
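The configuration-rule idea on the preceding slides (rules that tell a security system what to do with each unit of information passing through it) as an added example: a first-match evaluator for a firewall rule base, plus a check for rules that can never fire because an earlier, broader rule already covers them. This is example code written for this page, not the configuration of the device shown in Figure 4-6; the rule base uses constructed documentation-range addresses, and the rule layout (action, protocol, source, destination, destination port) is an assumed simplification.

```python
"""Added example: first-match evaluation of a firewall rule base, plus a check for
rules shadowed by an earlier, broader rule. Rule base and packets are constructed
sample data (documentation-range addresses), not taken from any real device.
"""
from ipaddress import ip_address, ip_network

# Each rule: (action, protocol, source network, destination network, destination port or None = any).
# Rules are read top-down and the first match decides; a trailing deny-all makes the default explicit.
RULES = [
    ("allow", "tcp", "0.0.0.0/0",  "203.0.113.10/32", 443),   # public web server
    ("allow", "tcp", "10.0.0.0/8", "10.0.5.20/32",    22),    # admin SSH from inside only
    ("deny",  "tcp", "0.0.0.0/0",  "10.0.0.0/8",      22),    # SSH to anything else internal
    ("deny",  "any", "0.0.0.0/0",  "0.0.0.0/0",       None),  # explicit default deny
]

# The same rules with the broad SSH deny moved ahead of the specific allow (a common misordering).
MISORDERED = [RULES[2], RULES[0], RULES[1], RULES[3]]


def _matches(rule, proto, src, dst, dport):
    """True if one packet header matches one rule."""
    _action, r_proto, r_src, r_dst, r_port = rule
    return (r_proto in ("any", proto)
            and ip_address(src) in ip_network(r_src)
            and ip_address(dst) in ip_network(r_dst)
            and (r_port is None or r_port == dport))


def evaluate(rules, proto, src, dst, dport):
    """Return (action, index of the rule that decided) for one packet header."""
    for idx, rule in enumerate(rules):
        if _matches(rule, proto, src, dst, dport):
            return rule[0], idx
    return "deny", None   # nothing matched: implicit default deny


def _covers(broad, narrow):
    """True if every packet matching `narrow` would already have matched `broad`."""
    _b_act, b_proto, b_src, b_dst, b_port = broad
    _n_act, n_proto, n_src, n_dst, n_port = narrow
    return (b_proto in ("any", n_proto)
            and ip_network(n_src).subnet_of(ip_network(b_src))
            and ip_network(n_dst).subnet_of(ip_network(b_dst))
            and (b_port is None or b_port == n_port))


def shadowed_rules(rules):
    """Indices of rules that can never match because an earlier rule fully covers them."""
    return [j for j in range(len(rules))
            if any(_covers(rules[i], rules[j]) for i in range(j))]


if __name__ == "__main__":
    print(evaluate(RULES, "tcp", "10.1.2.3", "10.0.5.20", 22))       # admin SSH: allow, rule 1
    print(evaluate(MISORDERED, "tcp", "10.1.2.3", "10.0.5.20", 22))  # same packet: deny, rule 0
    print("shadowed in MISORDERED:", shadowed_rules(MISORDERED))
```

Because evaluation stops at the first match, rule order is part of the policy: in MISORDERED the admin SSH allow is unreachable, which shadowed_rules reports, and the same packet that RULES permits is silently dropped. Reviewing a rule base for shadowed rules is a cheap check to run whenever the configuration script changes.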
Technical Specifications SysSPs (cont’d.)
Often organisations create a single document combining elements of both management guidance and technical specifications SysSPs
This can be confusing, but practical
Care should be taken to articulate the required actions carefully as the procedures are presented
33
Figure 4-7 IDPS configuration rules
Source: Course Technology/Cengage Learning
34
Guidelines for Effective Policy
For policies to be effective, they must be properly:
Developed using industry-accepted practices
Distributed or disseminated using all appropriate methods
Reviewed or read by all employees
Understood by all employees
Formally agreed to by act or assertion
Uniformly applied and enforced
35
Developing Information Security Policy
It is often useful to view policy development as a two-part project
First, design and develop the policy (or redesign and rewrite an outdated policy)
Second, establish management processes to perpetuate the policy within the organisation
The former is an exercise in project management, while the latter requires adherence to good business practices
36
Developing Information Security Policy (cont’d.)
Policy development projects should be
Well planned
Properly funded
Aggressively managed to ensure that it is completed on time and within budget
The policy development project can be guided by the SecSDLC process
37
Developing Information Security Policy (cont’d.)
Investigation phase
Obtain support from senior management, and active involvement of IT management, specifically the CIO
Clearly articulate the goals of the policy project
Gain participation of correct individuals affected by the recommended policies
38
Developing Information Security Policy (cont’d.)
Investigation phase (cont’d.)
Involve legal, human resources and end-users
Assign a project champion with sufficient stature and prestige
Acquire a capable project manager
Develop a detailed outline of and sound estimates for project cost and scheduling
39
Developing Information Security Policy (cont’d.)
Analysis phase should produce
New or recent risk assessment or IT audit documenting the current information security needs of the organisation
Key reference materials
Including any existing policies
40
Developing Information Security Policy (cont’d.)
Figure 4-8 End user license agreement for Microsoft Windows XP
41
Developing Information Security Policy (cont’d.)
Design phase includes
How the policies will be distributed
How verification of the distribution will be accomplished
Specifications for any automated tools
Revisions to feasibility analysis reports based on improved costs and benefits as the design is clarified
42
Developing Information Security Policy (cont’d.)
Implementation phase includes
Writing the policies
Making certain the policies are enforceable as written
Policy distribution is not always straightforward
Effective policy is written at a reasonable reading level, and attempts to minimise technical jargon and management terminology
43
Developing Information Security Policy (cont’d.)
Maintenance Phase
Maintain and modify the policy as needed to ensure that it remains effective as a tool to meet changing threats
The policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously
Periodic review should be built in to the process
44
Policy Comprehension
Figure 4-9 Readability statistics
Source: Course Technology/Cengage Learning
45
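The readability statistics in Figure 4-9 are the kind of check the implementation-phase advice above ("written at a reasonable reading level") calls for. As an added example (written for this page, not taken from the course text or from any word processor), the code below computes the Flesch Reading Ease and Flesch-Kincaid Grade Level scores for a piece of policy text using a simple vowel-group syllable heuristic, and compares a plainly worded rule with the same rule in heavy policy jargon. The two sample sentences and the grade-8 target are constructed assumptions.

```python
"""Added example: a reading-level check for policy text, using the Flesch Reading
Ease and Flesch-Kincaid Grade Level formulas with a simple vowel-group syllable
heuristic. The heuristic is an approximation (word processors use dictionaries and
more rules), so treat the scores as indicative. Sample sentences are constructed.
"""
import re


def count_syllables(word):
    """Approximate syllables as runs of vowels, dropping a silent trailing 'e'."""
    word = re.sub(r"[^a-z]", "", word.lower())
    if not word:
        return 0
    if len(word) > 2 and word.endswith("e") and not word.endswith(("le", "ee")):
        word = word[:-1]
    return max(1, len(re.findall(r"[aeiouy]+", word)))


def readability(text):
    """Return sentence/word/syllable counts and the two Flesch scores for `text`."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z']+", text)
    syllables = sum(count_syllables(w) for w in words)
    n_s, n_w = max(1, len(sentences)), max(1, len(words))
    wps, spw = n_w / n_s, syllables / n_w        # words per sentence, syllables per word
    return {
        "sentences": n_s,
        "words": n_w,
        "syllables": syllables,
        "flesch_reading_ease": round(206.835 - 1.015 * wps - 84.6 * spw, 1),
        "fk_grade": round(0.39 * wps + 11.8 * spw - 15.59, 1),
    }


def meets_reading_level(text, max_grade=8.0):
    """True if the text's Flesch-Kincaid grade is at or below `max_grade`.
    8.0 is an assumed target for general-audience policy; choose your own."""
    return readability(text)["fk_grade"] <= max_grade


# Constructed sample: the same rule written plainly and in heavy policy jargon.
PLAIN = "Lock your screen when you leave your desk. Do not share your password with anyone."
JARGON = ("Authorised personnel shall ensure the confidentiality, integrity, and availability "
          "of organisational information assets in accordance with applicable regulatory requirements.")


if __name__ == "__main__":
    for label, text in (("plain", PLAIN), ("jargon", JARGON)):
        print(label, readability(text), "ok" if meets_reading_level(text) else "too hard")
```

Long sentences and multi-syllable words drive the grade up, which is exactly what technical jargon and management terminology do to a policy; running every policy draft through a check like this before distribution is a low-cost way to act on the "reasonable reading level" requirement.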
Automated Tools
Figure 4-10 The VigilEnt policy center
46
The Information Security Policy Made Easy Approach
Gathering key reference materials
Defining a framework for policies
Preparing a coverage matrix
Making critical systems design decisions
Structuring review, approval, and enforcement processes
47
The Information Security Policy Made Easy Approach (cont’d.)
Figure 4-11 A sample coverage matrix
Source: Course Technology/Cengage Learning
48
The Information Security Policy Made Easy Approach (cont’d.)
ISPME checklist (to slide 60)
Perform a risk assessment or information technology audit
To determine your organisation’s unique information security needs
Clarify the meaning of “policy” within your organisation
Ensure clear roles and responsibilities related to information security
Including responsibility for issuing and maintaining policies
49
The Information Security Policy Made Easy Approach (cont’d.)
ISPME checklist (cont’d.)
Convince management that it is advisable to have documented information security policies
Identify the top management staff who will be approving the final information security document and all influential reviewers
Collect, read and summarise all existing internal information security awareness material
50
The Information Security Policy Made Easy Approach (cont’d.)
ISPME checklist (cont’d.)
Gather ideas that stakeholders believe should be included in a new or updated information security policy
Examine other policies issued by your organisation
to identify prevailing format, style, tone, length, and cross-references
Identify the audience and distribution method of information security policy materials
51
The Information Security Policy Made Easy Approach (cont’d.)
ISPME checklist (cont’d.)
Determine the extent to which the audience is literate, computer knowledgeable, and receptive to security messages
Decide whether some other awareness efforts must take place before information security policies are issued
Using ideas from the risk assessment, prepare a list of absolutely essential policy messages that must be communicated
52
The Information Security Policy Made Easy Approach (cont’d.)
ISPME checklist (cont’d.)
If there is more than one audience, match the audiences with the bottom-line messages to be communicated through a coverage matrix
Determine how the policy material will be disseminated, noting the constraints and implications of each medium of communication
53
The Information Security Policy Made Easy Approach (cont’d.)
ISPME checklist (cont’d.)
Review the compliance checking process, disciplinary process, and enforcement process to ensure that they all can work smoothly with the new policy document
Determine whether the number of messages is too large to be handled all at one time
If so, identify different categories of material to be issued at different times
54
The Information Security Policy Made Easy Approach (cont’d.)
ISPME checklist (cont’d.)
Outline the topics to be included in the first document reviewed by several stakeholders
Based on comments from the stakeholders, revise the initial outline and prepare a first draft
Have the first draft reviewed by stakeholders for initial reactions, suggestions, and implementation ideas
Revise the draft in response to comments from stakeholders
55
The Information Security Policy Made Easy Approach (cont’d.)
ISPME checklist (cont’d.)
Request top management approval on the policy
Prepare extracts of the policy document for selected purposes
Develop an awareness plan that uses the policy document as a source of ideas and requirements
56
The Information Security Policy Made Easy Approach (cont’d.)
ISPME checklist (cont’d.)
Create a working papers memo indicating the disposition of all comments received from reviewers, even if no changes were made
Write a lessons-learned memo about the project so that the next version can be prepared more efficiently, better received, and more responsive
Prepare a list of next steps to implement the requirements specified in the policy document
57
The Information Security Policy Made Easy Approach (cont’d.)
ISPME next steps
Post policies to intranet or equivalent
Develop a self-assessment questionnaire
Develop revised user ID issuance form
Develop agreement to comply with information security policies form
Develop tests to determine if workers understand policies
Assign information security coordinators
Train information security coordinators
58
The Information Security Policy Made Easy Approach (cont’d.)
ISPME next steps (cont’d.)
Prepare and deliver a basic information security training course
Develop application specific information security policies
Develop a conceptual hierarchy of information security requirements
Assign information ownership and custodianship
59
The Information Security Policy Made Easy Approach (cont’d.)
ISPME next steps (cont’d.)
Establish an information security management committee
Develop an information security architecture document
60
SP 800-18 Rev.1: Guide for Developing Security Plans for Federal Information Systems
NIST Special Publication 800-18, Rev. 1 reinforces a business process-centered approach to policy management
Policies are living documents
These documents must be properly disseminated (distributed, read, understood and agreed to), and managed
61
SP 800-18 Rev.1: Guide for Developing Security Plans for Federal Information Systems (cont’d.)
Good management practices for policy development and maintenance make for a more resilient organisation
Policy requirements
An individual responsible for reviews
A schedule of reviews
Policy requirements (cont’d.)
A method for making recommendations for reviews
An indication of policy and revision date
62
A Final Note on Policy
Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasise the preventative nature of policy
Policies exist, first and foremost, to inform employees of what is and is not acceptable behaviour in the organisation
Policy seeks to improve employee productivity, and prevent potentially embarrassing situations
63
Summary
Introduction
Why Policy?
Enterprise Information Security Policy
Issue-Specific Security Policy
System-Specific Policy
Guidelines for Policy Development
64
1
ITC358
ICT Management and Information Security
Chapter 5
Developing the Security Program
We trained hard… but every time we formed up teams we would be reorganised. I was to learn
that we meet any new situation by reorganising. And a wonderful method it can be for creating the
illusion of progress while producing confusion, inefficiency, and demoralisation.
– Petronius Arbiter, Roman Writer and Satirist, 210 B.C.
1
Objectives
Upon completion of this material you should be able to:
Explain the organisational approaches to information security
List and describe the functional components of an information security program
Determine how to plan and staff an organisation’s information security program based on its size
2
Objectives (cont’d.)
Upon completion of this material you should be able to: (cont’d.)
Evaluate the internal and external factors that influence the activities and organisation of an information security program
List and describe the typical job titles and functions performed in the information security program
3
Objectives (cont’d.)
Upon completion of this material you should be able to: (cont’d.)
Describe the components of a security education, training, and awareness program and explain how organisations create and manage these programs
4
Introduction
Some organisations use the term security program to describe the entire set of personnel, plans, policies, and initiatives related to information security
The term “information security program” is used here to describe the structure and organisation of the effort that contains risks to the information assets of the organisation
5
Organising for Security
Variables involved in structuring an information security program
Organisational culture
Size
Security personnel budget
Security capital budget
As organisations increase in size:
Their security departments are not keeping up with increasingly complex organisational infrastructures
6
Organising for Security (cont’d.)
Information security departments tend to form internal groups
To meet long-term challenges and handle day-to-day security operations
Functions are likely to be split into groups
Smaller organisations typically create fewer groups
Perhaps having only one general group of specialists
7
Organising for Security (cont’d.)
Very large organisations
More than 10,000 computers
Security budgets often grow faster than IT budgets
Even with large budgets, the average amount spent on security per user is still smaller than in any other type of organisation
Small organisations spend more than $5,000 per user on security; very large organisations spend about 1/18th of that, roughly $300 per user
8
Organising for Security (cont’d.)
Very large organisations (cont’d.)
Do a better job in the policy and resource management areas
Only 1/3 of organisations handled incidents according to an IR plan
Large organisations
Have 1,000 to 10,000 computers
Security approach has often matured, integrating planning and policy into the organisation’s culture
9
Organising for Security (cont’d.)
Large organisations (cont’d.)
Do not always put large amounts of resources into security
Considering the vast numbers of computers and users often involved
They tend to spend proportionally less on security
10
Security in Large Organisations
One approach separates functions into four areas:
Functions performed by non-technology business units outside of IT
Functions performed by IT groups outside of information security area
Functions performed within information security department as customer service
Functions performed within the information security department as compliance
11
Security in Large Organisations (cont’d.)
The CISO has responsibility for information security functions
Should be adequately performed somewhere within the organisation
The deployment of full-time security personnel depends on:
Sensitivity of the information to be protected
Industry regulations
General profitability
12
Security in Large Organisations (cont’d.)
The more money the company can dedicate to its personnel budget
The more likely it is to maintain a large information security staff
13
Security in Large Organisations (cont’d.)
Figure 5-1 Example of information security staffing in a large organisation
14
Security in Large Organisations (cont’d.)
Figure 5-2 Example of information security staffing in a very large organisation
15
Security in Medium-Sized Organisations
Medium-sized organisations
Have between 100 and 1000 computers
Have a smaller total budget
Have the same-sized security staff as a small organisation, but a larger need
Must rely on help from IT staff for plans and practices
Ability to set policy, handle incidents, and effectively allocate resources is worse than any other size
16
Security in Medium-Sized Organisations (cont’d.)
Medium-sized organisations (cont’d.)
May be large enough to implement a multi-tiered approach to security
With fewer dedicated groups and more functions assigned to each group
Tend to ignore some security functions
17
Security in Medium-Sized Organisations (cont’d.)
Figure 5-3 Example of information security staffing in a medium-sized organisation
18
Security in Small Organisations
Small organisations
Have between 10 and 100 computers
Have a simple, centralised IT organisational model
Spend disproportionately more on security
Information security is often the responsibility of a single security administrator
Have little in the way of formal policy, planning, or security measures
19
Security in Small Organisations (cont’d.)
Small organisations (cont’d.)
Commonly outsource their Web presence or electronic commerce operations
Security training and awareness are commonly conducted on a 1-on-1 basis
Policies (when they exist) are often issue-specific
Formal planning is often part of IT planning
Threats from insiders are less likely
Every employee knows every other employee
20
Security in Small Organisations (cont’d.)
Figure 5-4 Example of information security staffing in a smaller organisation
Source: Course Technology/Cengage Learning
21
Placing Information Security Within An Organisation
In large organisations
InfoSec is often located within the information technology department
Headed by the CISO who reports directly to the top computing executive, or CIO
An InfoSec program is sometimes at odds with the goals and objectives of the IT department as a whole
22
Placing Information Security Within An Organisation (cont’d.)
Because the goals and objectives of the CIO and the CISO may come in conflict
It is not difficult to understand the current movement to separate information security from the IT division
The challenge is to design a reporting structure for the InfoSec program that balances the needs of each of the communities of interest
23
Placing Information Security Within an Organisation (cont’d.)
Figure 5-5 Wood’s Option 1: Information security reports to information technology department
Source: From Information Security Roles and Responsibilities Made Easy, used with permission.
24
Placing Information Security Within an Organisation (cont’d.)
Figure 5-6 Wood’s Option 2: Information security reports to broadly defined security department
Source: From Information Security Roles and Responsibilities Made Easy, used with permission.
25
Placing Information Security Within an Organisation (cont’d.)
Figure 5-7 Wood’s Option 3: Information security reports to administrative services department
Source: From Information Security Roles and Responsibilities Made Easy, used with permission.
26
Placing Information Security Within an Organisation (cont’d.)
Figure 5-8 Wood’s Option 4: Information security reports to insurance and risk management department
Source: From Information Security Roles and Responsibilities Made Easy, used with permission.
27
Placing Information Security Within an Organisation (cont’d.)
Figure 5-9 Wood’s Option 5: Information security reports to strategy and planning department
Source: From Information Security Roles and Responsibilities Made Easy, used with permission.
28
Placing Information Security Within an Organisation (cont’d.)
Other options
Option 6: Legal
Option 7: Internal audit
Option 8: Help desk
Option 9: Accounting and finance through IT
Option 10: Human resources
Option 11: Facilities management
Option 12: Operations
29
Components of the Security Program
Organisation’s information security needs
Unique to the culture, size, and budget of the organisation
Determining what level the information security program operates on depends on the organisation’s strategic plan
Also the plan’s vision and mission statements
The CIO and CISO should use these two documents to formulate the mission statement for the information security program
30
Information Security Roles and Titles
Types of information security positions
Those that define
Provide the policies, guidelines, and standards
Do the consulting and the risk assessment
Develop the product and technical architectures
Senior people with a lot of broad knowledge, but often not a lot of depth
Those that build
The real “techies” who create and install security solutions
31
Information Security Roles and Titles (cont’d.)
Types of information security positions (cont’d.)
Those that administer
Operate and administer the security tools and the security monitoring function
Continuously improve the processes
A typical organisation has a number of individuals with information security responsibilities
32
Information Security Roles and Titles (cont’d.)
While the titles used may be different, most of the job functions fit into one of the following:
Chief Information Security Officer (CISO) or Chief Security Officer (CSO)
Security managers
Security administrators and analysts
Security technicians
Security staff
33
Information Security Roles and Titles (cont’d.)
Figure 5-10 Information security roles
Source: Course Technology/Cengage Learning
34
Help Desk Personnel
Help desk
An important part of the information security team
Enhances the security team’s ability to identify potential problems
When a user calls the help desk with a complaint, the user’s problem may turn out to be related to a bigger problem, such as a hacker, a denial-of-service attack, or a virus
35
Help Desk Personnel (cont’d.)
Help desk (cont’d.)
Because help desk technicians perform a specialised role in information security, they have a need for specialised training
36
Implementing Security Education, Training, and Awareness Programs
SETA program
Designed to reduce accidental security breaches
Consists of three elements: security education, security training, and security awareness
Awareness, training, and education programs offer two major benefits:
Improving employee behavior
Enabling the organisation to hold employees accountable for their actions
37
Implementing SETA Programs (cont’d.)
Purpose of SETA is to enhance security:
By building in-depth knowledge, to design, implement, or operate security programs for organisations and systems
By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely
By improving awareness of the need to protect system resources
38
Implementing SETA Programs (cont’d.)
Table 5-3 Framework of security education, training and awareness
Source: National Institute of Standards and Technology. An Introduction to Computer Security: The NIST Handbook. SP 800-12. http://csrc.nist.gov/publications/nistpubs/800-12/.
39
Security Education
Employees within information security may be encouraged to seek a formal education
If not prepared by their background or experience
A number of institutions of higher learning, including colleges and universities, provide formal coursework in information security
40
Security Education (cont’d.)
A knowledge map
Can help potential students assess information security programs
Identifies the skills and knowledge clusters obtained by the program’s graduates
Creating the map can be difficult because many academics are unaware of the numerous subdisciplines within the field of information security
Each of which may have different knowledge requirements
41
Security Education (cont’d.)
Figure 5-11 Information security knowledge map
Source: Course Technology/Cengage Learning
42
Security Education (cont’d.)
Depth of knowledge
Indicated by a level of mastery using an established taxonomy of learning objectives or a simple scale such as “understanding → accomplishment → proficiency → mastery.”
Because many institutions have no frame of reference for which skills and knowledge are required for a particular job area
They may refer to the certifications offered in that field
43
Once the knowledge areas are identified, common knowledge areas are aggregated into teaching domains
From which individual courses can be created
Course design
Should enable a student to obtain the required knowledge and skills upon completion of the program
Identify the prerequisite knowledge for each class
Security Education (cont’d.)
44
Source: Course Technology/Cengage Learning
Figure 5-12 Technical course progression
Security Education (cont’d.)
45
Security Training
Involves providing detailed information and hands-on instruction
To develop user skills to perform their duties securely
Management can either develop customised training or outsource
46
Security Training (cont’d.)
Customising training for users
By functional background
General user
Managerial user
Technical user
By skill level
Novice
Intermediate
Advanced
47
Training Techniques
Using the wrong method
Can hinder the transfer of knowledge
Leading to unnecessary expense and frustrated, poorly trained employees
Good training programs
Take advantage of the latest learning technologies and best practices
48
Training Techniques (cont’d.)
Recent developments
Less use of centralised public courses and more on-site training
Training is often for one or a few individuals
Waiting until there is a large-enough group for a class can cost companies lost productivity
Other best practices
Increased use of short, task-oriented modules
Available during the normal work week
49
Training Techniques (cont’d.)
Selection of the training delivery method
Not always based on the best outcome for the trainee
Often overridden by budget, scheduling, and the needs of the organisation
Types of delivery methods
One-on-one
Formal class
Computer-based training (CBT)
50
Training Techniques (cont’d.)
Types of delivery methods (cont’d.)
Distance learning/web seminars
User support group
On-the-job training
Self-study (non-computerised)
51
Training methods
Use a local training program
Use a continuing education department
Use another external training agency
Hire a professional trainer, a consultant, or someone from an accredited institution to conduct on-site training
Organise and conduct training in-house using organisation’s own employees
Training Techniques (cont’d.)
52
Implementing Training
Seven-step methodology generally applies:
Step 1: Identify program scope, goals, and objectives
Step 2: Identify training staff
Step 3: Identify target audiences
Step 4: Motivate management and employees
Step 5: Administer the program
Step 6: Maintain the program
Step 7: Evaluate the program
53
Security Awareness
One of the least frequently implemented, but most effective security methods is the security awareness program
Security awareness programs:
Set the stage for training by changing organisational attitudes to realise the importance of security and the adverse consequences of its failure
Remind users of the procedures to be followed
54
Security Awareness (cont’d.)
Best practices
Focus on people
Refrain from using technical jargon
Use every available venue
Define learning objectives, state them clearly, and provide sufficient detail and coverage
Keep things light
Don’t overload the users
Help users understand their roles in InfoSec
55
Security Awareness (cont’d.)
Best practices (cont’d.)
Take advantage of in-house communications media
Make the awareness program formal
Plan and document all actions
Provide good information early, rather than perfect information late
56
The ten commandments of information security awareness training
Information security is a people, rather than a technical, issue
If you want them to understand, speak their language
If they cannot see it, they will not learn it
Make your point so that you can identify it and so can they.
Never lose your sense of humor
Security Awareness (cont’d.)
57
The ten commandments of information security awareness training (cont’d.)
Make your point, support it, and conclude it
Always let the recipients know how the behaviour that you request will affect them
Ride the tame horses
Formalise your training methodology
Always be timely, even if it means slipping schedules to include urgent information
Security Awareness (cont’d.)
58
Security awareness and security training are designed to modify any employee behaviour that endangers the security of the organisation’s information
Security training and awareness activities can be undermined if management does not set a good example
Security Awareness (cont’d.)
59
Effective training and awareness programs make employees accountable for their actions
Dissemination and enforcement of policy become easier when training and awareness programs are in place
Demonstrating due care and due diligence can help indemnify the institution against lawsuits
Security Awareness (cont’d.)
60
Awareness can take on different forms for particular audiences
A security awareness program can use many methods to deliver its message
Recognise that people tend to practice a tuning out process (acclimation)
Awareness techniques should be creative and frequently changed
Security Awareness (cont’d.)
61
Security Awareness (cont’d.)
Many security awareness components are available at little or no cost
Others can be very expensive
Examples of security awareness components
Videos
Posters and banners
Lectures and conferences
Computer-based training
62
Security Awareness (cont’d.)
Examples of security awareness components (cont’d.)
Newsletters
Brochures and flyers
Trinkets (coffee cups, pens, pencils, T-shirts)
Bulletin boards
63
Security newsletter
A cost-effective way to disseminate security information
Newsletters can be in the form of hard copy, e-mail, or intranet
Topics can include threats to the organisation’s information assets, schedules for upcoming security classes, and the addition of new security personnel
Security Awareness (cont’d.)
64
Security newsletter (cont’d.)
The goal is to keep the idea of information security uppermost in users’ minds and to stimulate them to care about security
Newsletters might include:
Summaries of key policies
Summaries of key news articles
A calendar of security events, including training sessions, presentations, and other activities
Announcements relevant to information security
How-to’s
Security Awareness (cont’d.)
65
Security Awareness (cont’d.)
Figure 5-13 SETA awareness components: Newsletters
66
Security poster series
A simple and inexpensive way to keep security on people’s minds
Professional posters can be quite expensive, so in-house development may be the best solution
Keys to a good poster series:
Varying the content and keeping posters updated
Keeping them simple, but visually interesting
Making the message clear
Providing information on reporting violations
Security Awareness (cont’d.)
67
Security Awareness (cont’d.)
Figure 5-14 SETA awareness components: Posters
Source: Course Technology/Cengage Learning
68
Security Awareness (cont’d.)
Trinket programs
Inexpensive on a per-unit basis
They can be expensive to distribute
Types of trinkets
Pens and pencils, mouse pads
Coffee mugs, plastic cups
Hats, T-shirts
The messages trinket programs impart will be lost unless reinforced by other means
69
Security Awareness (cont’d.)
Figure 5-15 SETA awareness components: Trinkets
Source: Course Technology/Cengage Learning
70
Security Awareness (cont’d.)
Organisations can establish Web pages or sites dedicated to promoting information security awareness
The challenge lies in updating the messages frequently enough to keep them fresh
Tips on creating and maintaining an educational Web site
See what’s already out there
Plan ahead
71
Security Awareness (cont’d.)
Tips on creating and maintaining an educational Web site (cont’d.)
Keep page loading time to a minimum
Seek feedback
Assume nothing and check everything
Spend time promoting your site
72
Security awareness conference
Have a guest speaker or even a mini-conference dedicated to the topic
Perhaps in association with the semi-annual National Computer Security Days: October 31 and April 4
Security Awareness (cont’d.)
73
Summary
Introduction
Organising for security
Placing information security within an organisation
Components of the security program
Information security roles and titles
Implementing security education, training, and awareness programs
74
1
ITC358
ICT Management and Information Security
Chapter 6
Security Management Models
Security can only be achieved through constant change, through discarding old
ideas that have outlived their usefulness and adapting others to current facts.
– William O. Douglas, U.S. Supreme Court Justice
1
Objectives
Upon completion of this material, you should be able to:
Describe the dominant information security blueprints, frameworks and information security management models, including U.S. government-sanctioned models
Explain why access control is an essential element of information security management
Select an information security management model, and customise it to meet the needs of a particular organisation
Implement the fundamental elements of key information security management practices
Discuss emerging trends in the certification and accreditation of U.S. federal IT systems
2
Blueprints, Frameworks, and Security Models
To create or maintain a secure environment
Design a working security plan
Implement a management model to execute and maintain the plan
Begin by creating or validating a security framework
Create an information security blueprint to describe existing controls and identify other necessary security controls
3
Framework
The outline of the more thorough blueprint
Which is the basis for the design, selection, and implementation of all subsequent security controls
Most organisations draw from established security models and practices to develop a blueprint or methodology
A security model is a generic blueprint offered by a service organisation
Blueprints, Frameworks, and Security Models (cont’d.)
4
Access Control Models
Access controls
Regulate the admission of users into trusted areas of the organisation
Both the logical access to the information systems and the physical access to the organisation’s facilities
Maintained by means of a collection of policies, programs to carry out those policies, and technologies that enforce policies
5
Access Control Models (cont’d.)
Key principles of access control
Least privilege
The principle by which members of the organisation can access the minimum amount of information for the minimum amount of time necessary to perform their required duties
Need to Know
Limits a user’s access to the specific information required to perform the currently assigned task, and not merely to the category of data required for a general work function
Separation of Duties
A control requiring that significant tasks be split up in such a way that more than one individual is responsible for their completion
6
Categories of Access Control
Preventative
Deterrent
Detective
Corrective
Recovery
Compensating
NIST access control categories are based on operational impact to the organisation
Management
Operational (or administrative)
Technical
7
Categories of Access Control (cont’d.)
Table 6-1 Examples of controls by operational level and inherent characteristics
Source: Official (ISC)2 Guide to the CISSP CBK
8
Categories of Access Control (cont’d.)
Mandatory Access Controls (MACs)
Structured and coordinated within a data classification scheme that rates each collection of information as well as each user
These ratings are often referred to as sensitivity levels
When MACs are implemented, users and data owners have limited control over access to information resources
9
Data classification model
Data owners must classify the information assets for which they are responsible and review the classifications periodically
Example of classification types:
Public
For official use only
Sensitive
Classified
Categories of Access Control (cont’d.)
10
Data classification model (cont’d.)
The U.S. military classification scheme relies on a more complex five-level classification scheme as defined in Executive Order 12958:
Unclassified data
Sensitive but unclassified (SBU) data
Confidential data
Secret data
Top secret data
Categories of Access Control (cont’d.)
11
Categories of Access Control (cont’d.)
Security clearance structure
Each user of an information asset is assigned an authorisation level
Indicates the level of information classification they may access
Most organisations have developed roles and corresponding security clearances
Individuals are assigned to groups that correlate with the classifications of the information assets they need for their work
12
Categories of Access Control (cont’d.)
Security clearance structure (cont’d.)
In the need-to-know principle, regardless of one’s security clearance, an individual is not allowed to view data simply because it falls within that individual’s level of clearance
Must need to know the information
13
Categories of Access Control (cont’d.)
Managing an information asset
Considering its storage, distribution, portability, and destruction
An information asset that has a classification designation other than unclassified or public must be clearly marked as such
Must be available only to authorised individuals
To maintain the confidentiality of classified documents, managers can implement a clean desk policy
14
Categories of Access Control (cont’d.)
Managing an information asset (cont’d.)
When copies of classified information are no longer valuable or too many copies exist, care should be taken to destroy them properly to discourage dumpster diving
15
Categories of Access Control (cont’d.)
Figure 6-1 Military data classification cover sheets
Source: Course Technology/Cengage Learning
16
Lattice-Based Access Controls
A variation on the MAC form of access control
Assigns users a matrix of authorisations for particular areas of access
The level of authorisation can vary
Depending on the individual’s classification authorisation for each group of information assets
Lattice structure contains subjects and objects
Boundaries associated with each subject/object pair are clearly demarcated
Categories of Access Control (cont’d.)
17
Categories of Access Control (cont’d.)
Nondiscretionary controls
Determined by a central authority in the organisation
Can be role-based or task-based
Role-based controls are tied to a particular user’s role in an organisation
Task-based controls are tied to a particular assignment or responsibility
18
Categories of Access Control (cont’d.)
Discretionary Access Controls (DACs)
Implemented at the option of the data user
Users can allow general, unrestricted access, or they can allow specific individuals or sets of individuals to access the resources
Most personal computer operating systems are designed based on the DAC model
One discretionary model is rule-based access controls where access is granted based on a set of rules specified by the central authority
19
Categories of Access Control (cont’d.)
Other forms of access control
Content-dependent access controls
Constrained user interfaces
Temporal (time-based) isolation
20
Security Architecture Models
Illustrate InfoSec implementations
Can help organisations quickly make improvements through adaptation
Some models are implemented into computer hardware and software
Some are policies and practices
Some are implemented in both
Some models focus on the confidentiality of information, while others focus on the integrity of the information as it is being processed
21
Trusted Computing Base
Trusted Computer System Evaluation Criteria (TCSEC)
U.S. Government Department of Defense standard that defines criteria for assessing access controls in a computer system
Part of a larger series of standards collectively referred to as the Rainbow Series, due to the color-coding used to uniquely identify each document
Also known as the “Orange Book” and is considered the cornerstone of the series
22
Trusted Computing Base (cont’d.)
Trusted computing base (TCB)
The combination of all hardware, firmware, and software responsible for enforcing the security policy (MAC for VPN access)
In this context, security policy refers to the rules of configuration for a system, rather than a managerial guidance document
Made up of the hardware and software that has been implemented to provide security for a particular information system
23
Trusted Computing Base (cont’d.)
Reference monitor
A conceptual object
The piece of the system that manages access controls
It mediates all access to objects by subjects
Systems administrators must be able to audit or periodically review the reference monitor to ensure it is functioning effectively, without unauthorised modification
24
Trusted Computing Base (cont’d.)
Covert channels
Unauthorised or unintended methods of communications hidden inside a computer system
Types of covert channels
Storage channels, which communicate by modifying a stored object
Timing channels, which transmit information by managing the relative timing of events
25
Bell-LaPadula Confidentiality Model
A state machine model that helps ensure the confidentiality of an information system
Using mandatory access controls (MACs), data classification, and security clearances
A state machine model follows a conceptual approach in which the state of the content of the system being modeled is always in a known secure condition
This kind of model is provably secure
26
Bell-LaPadula Confidentiality Model (cont’d.)
A system that serves as a reference monitor compares the level of classification of the data with the clearance of the entity requesting access
It allows access only if the clearance is equal to or higher than the classification
BLP security rules prevent information from being moved from a higher security level to a lower one
27
Bell-LaPadula Confidentiality Model (cont’d.)
Access modes can be one of two types
Simple security
Prohibits a subject of lower clearance from reading an object of higher classification, but allows a subject with a higher clearance level to read an object at a lower level (read down)
The * (star) property
The * property (the write property) prohibits a high-level subject from sending messages to a lower-level object
Subjects can read down and objects can write or append up
28
Biba Integrity Model
Similar to Bell-LaPadula
Provides access controls to ensure that objects or subjects cannot have less integrity as a result of read/write operations
Ensures no information from a subject can be passed on to an object in a higher security level
This prevents contaminating data of higher integrity with data of lower integrity
29
Biba Integrity Model (cont’d.)
Assigns integrity levels to subjects and objects using two properties
The simple integrity (read) property
Permits a subject to have read access to an object only if the security level of the subject is equal to or lower than the level of the object
The integrity * (write) property
Permits a subject to have write access to an object only if the security level of the subject is equal to or higher than that of the object
30
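The lattice, reference monitor, Bell-LaPadula and Biba slides above describe the same machinery from different angles; the following added example (not code from the textbook or the course) puts them together as one reference monitor whose policy function can be swapped between the BLP and Biba rules. The level names, compartments, subjects and objects are constructed for illustration.

```python
from dataclasses import dataclass

# Hierarchical levels, lowest to highest (assumed ordering for this example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    """One element of the lattice: a level plus a set of compartments
    (the need-to-know categories attached to a subject or object)."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when self >= other in the lattice: level at least as high AND
        compartments a superset. Labels with disjoint compartments are
        incomparable, which is why this is a lattice rather than a line."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def blp_permits(subject: Label, obj: Label, mode: str) -> bool:
    """Bell-LaPadula (confidentiality).
    read : simple security property, no read up   -> subject dominates object
    write: * property, no write down               -> object dominates subject
    """
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown access mode {mode!r}")


def biba_permits(subject: Label, obj: Label, mode: str) -> bool:
    """Biba (integrity); the same labels are now read as integrity levels.
    read : simple integrity property, no read down -> object dominates subject
    write: integrity * property, no write up       -> subject dominates object
    """
    if mode == "read":
        return obj.dominates(subject)
    if mode == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown access mode {mode!r}")


class ReferenceMonitor:
    """Mediates every access and keeps an audit trail, so an administrator
    can review its decisions as the reference monitor slide requires."""

    def __init__(self, policy):
        self.policy = policy          # blp_permits or biba_permits
        self.subjects: dict = {}
        self.objects: dict = {}
        self.audit: list = []

    def add_subject(self, name: str, label: Label) -> None:
        self.subjects[name] = label

    def add_object(self, name: str, label: Label) -> None:
        self.objects[name] = label

    def access(self, subject: str, obj: str, mode: str) -> bool:
        """Complete mediation: unknown subjects or objects are denied."""
        s, o = self.subjects.get(subject), self.objects.get(obj)
        allowed = s is not None and o is not None and self.policy(s, o, mode)
        self.audit.append((subject, obj, mode, "ALLOW" if allowed else "DENY"))
        return allowed


def run_demo(policy) -> dict:
    """Run the same constructed requests under one policy and return
    {(subject, object, mode): decision} for inspection."""
    rm = ReferenceMonitor(policy)
    rm.add_subject("alice", Label("secret", frozenset({"nuclear"})))
    rm.add_subject("bob", Label("confidential"))
    rm.add_object("plan", Label("secret", frozenset({"nuclear"})))
    rm.add_object("memo", Label("confidential"))
    rm.add_object("crypto_doc", Label("secret", frozenset({"crypto"})))  # incomparable with alice
    requests = [("alice", "memo", "read"), ("alice", "memo", "write"),
                ("bob", "plan", "read"), ("bob", "plan", "write"),
                ("alice", "crypto_doc", "read"), ("alice", "crypto_doc", "write"),
                ("eve", "plan", "read")]                                   # unknown subject
    return {r: rm.access(*r) for r in requests}


if __name__ == "__main__":
    for name, policy in (("BLP", blp_permits), ("Biba", biba_permits)):
        print(name)
        for request, decision in run_demo(policy).items():
            print("  ", request, "->", "ALLOW" if decision else "DENY")
```

Under BLP alice reads down to the memo but cannot write down to it, bob cannot read up to the plan but can write up; under Biba every one of those four decisions flips, and the incomparable crypto document is denied to alice under both.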
Clark-Wilson Integrity Model
Built upon principles of change control rather than integrity levels
Designed for the commercial environment
Its change control principles
No changes by unauthorised subjects
No unauthorised changes by authorised subjects
The maintenance of internal and external consistency
31
Clark-Wilson Integrity Model (cont’d.)
Establishes a system of subject-program-object relationships
Such that the subject has no direct access to the object
The subject is required to access the object using a well-formed transaction using a validated program
Provides an environment where security can be proven through separated activities, each of which is provably secure
32
Clark-Wilson Integrity Model (cont’d.)
CWI model controls
Subject authentication and identification
Access to objects by means of well-formed transactions
Execution by subjects on a restricted set of programs
Elements of the CWI model
Constrained data item (CDI)
The integrity of this data item is protected
33
Clark-Wilson Integrity Model (cont’d.)
Elements of the CWI model (cont’d.)
Unconstrained data item
Data not controlled by Clark-Wilson
Non-validated input or any output
Integrity verification procedure (IVP)
Procedure that scans data and confirms its integrity
Transformation procedures (TPs)
Procedures that only allow changes to a constrained data item
34
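The Clark-Wilson elements listed above (CDIs, UDIs, TPs, IVP, certified subject-program-object relations) can be shown in a few dozen lines; the following is an added example, not code from the textbook or the course, using a constructed ledger whose internal-consistency rule is that balances sum to the recorded total and never go negative.

```python
import copy


class IntegrityViolation(Exception):
    """Raised when a TP leaves the constrained data items inconsistent."""


def tp_deposit(cdi: dict, account: str, raw_amount: str) -> None:
    """Turns a UDI (untrusted text, e.g. from a web form) into a change to a
    CDI; the validation is the only path by which unconstrained input may
    reach protected data. Constructed example TP."""
    if not (isinstance(raw_amount, str) and raw_amount.isdigit()):
        raise ValueError("UDI rejected: amount must be a non-negative digit string")
    amount = int(raw_amount)
    cdi["accounts"][account] += amount      # KeyError for an unknown account
    cdi["total"] += amount


def tp_transfer(cdi: dict, src: str, dst: str, amount: int) -> None:
    """A well-formed transaction: moves value and leaves the total untouched."""
    cdi["accounts"][src] -= amount
    cdi["accounts"][dst] += amount


def tp_lossy_transfer(cdi: dict, src: str, dst: str, amount: int) -> None:
    """A defective TP (debits without crediting), constructed to show the IVP
    catching the inconsistency and the change being rolled back."""
    cdi["accounts"][src] -= amount


class ClarkWilsonLedger:
    def __init__(self) -> None:
        # CDIs: reachable only through run(). Internal consistency invariant:
        # sum of balances == total and no balance is negative.
        self._cdi = {"accounts": {"alice": 100, "bob": 50}, "total": 150}
        self._tps = {}             # certified TPs by name
        self._relations = set()    # certified (user, tp) access relations
        self._authenticated = set()
        self.audit = []            # append-only record of every attempt

    # Certification is done by a security officer, never by the users themselves.
    def register_tp(self, name: str, fn) -> None:
        self._tps[name] = fn

    def certify(self, user: str, tp: str) -> None:
        self._relations.add((user, tp))

    def authenticate(self, user: str) -> None:
        self._authenticated.add(user)

    def ivp(self, cdi: dict = None) -> bool:
        """Integrity verification procedure over the live CDIs or a candidate copy."""
        cdi = self._cdi if cdi is None else cdi
        balances = list(cdi["accounts"].values())
        return sum(balances) == cdi["total"] and all(b >= 0 for b in balances)

    def run(self, user: str, tp: str, **args) -> bool:
        """Run a TP on a copy of the CDIs and commit only if the IVP still holds."""
        if user not in self._authenticated or (user, tp) not in self._relations:
            self.audit.append((user, tp, "DENIED: no certified relation"))
            return False
        work = copy.deepcopy(self._cdi)
        try:
            self._tps[tp](work, **args)
            if not self.ivp(work):
                raise IntegrityViolation("IVP failed after TP")
        except (IntegrityViolation, ValueError, KeyError) as exc:
            self.audit.append((user, tp, f"REJECTED: {exc!r}"))
            return False
        self._cdi = work
        self.audit.append((user, tp, "COMMITTED"))
        return True

    def balance(self, account: str) -> int:
        return self._cdi["accounts"][account]

    def total(self) -> int:
        return self._cdi["total"]


def build_demo_ledger() -> ClarkWilsonLedger:
    """Constructed setup: alice is authenticated and certified for three TPs."""
    ledger = ClarkWilsonLedger()
    for name, fn in (("deposit", tp_deposit), ("transfer", tp_transfer),
                     ("lossy_transfer", tp_lossy_transfer)):
        ledger.register_tp(name, fn)
        ledger.certify("alice", name)
    ledger.authenticate("alice")
    return ledger


if __name__ == "__main__":
    ledger = build_demo_ledger()
    ledger.run("alice", "transfer", src="alice", dst="bob", amount=30)
    ledger.run("alice", "lossy_transfer", src="alice", dst="bob", amount=10)
    ledger.run("mallory", "transfer", src="alice", dst="bob", amount=1)
    for entry in ledger.audit:
        print(entry)
```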
Graham-Denning Access Control Model
Composed of three parts
A set of objects
A set of subjects (a process and a domain)
The domain is the set of constraints controlling how subjects may access objects
A set of rights
Primitive protection rights
Create or delete object, create or delete subject
Read, grant, transfer and delete access rights
35
Harrison-Ruzzo-Ullman Model
Defines a method to allow changes to access rights and the addition and removal of subjects and objects
A process that the Bell-LaPadula model does not have
Since systems change over time, their protective states need to change
Built on an access control matrix
Includes a set of generic rights and a specific set of commands
36
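Graham-Denning and Harrison-Ruzzo-Ullman both sit on an access control matrix: HRU supplies the primitive operations, and each Graham-Denning command is a condition over the matrix followed by some of those primitives. The following added example (not code from the textbook or the course) implements both layers; the subjects, the object name and the use of a trailing `*` as the transfer flag are constructed for this illustration.

```python
class AccessMatrix:
    """Access control matrix with HRU primitive operations and Graham-Denning
    style commands built on them. A right ending in '*' carries the transfer
    flag; 'owner' is held on objects and 'control' on subjects."""

    def __init__(self) -> None:
        self.subjects: set = set()
        self.objects: set = set()
        self._m: dict = {}     # (subject, object) -> set of rights

    # ---- HRU primitive operations: unchecked, used only from commands ----
    def _enter(self, right, s, o):
        self._m.setdefault((s, o), set()).add(right)

    def _delete(self, right, s, o):
        self._m.get((s, o), set()).discard(right)

    def _create_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)            # in HRU every subject is also an object

    def _create_object(self, o):
        self.objects.add(o)

    def _destroy_object(self, o):
        self.objects.discard(o)
        self.subjects.discard(o)
        self._m = {k: v for k, v in self._m.items() if o not in k}

    def rights(self, s, o) -> frozenset:
        return frozenset(self._m.get((s, o), ()))

    def bootstrap(self, s) -> None:
        """Creates the first subject; there is no creator yet."""
        self._create_subject(s)

    # ---- commands: condition on the current matrix, then primitives ----
    def create_subject(self, creator, s) -> bool:
        if creator not in self.subjects or s in self.objects:
            return False
        self._create_subject(s)
        self._enter("control", creator, s)     # creator controls the new subject
        return True

    def create_object(self, creator, o) -> bool:
        if creator not in self.subjects or o in self.objects:
            return False
        self._create_object(o)
        self._enter("owner", creator, o)       # creator owns the new object
        return True

    def grant(self, grantor, right, grantee, o) -> bool:
        """Only the owner of an object may confer a right on it."""
        if "owner" not in self.rights(grantor, o) or grantee not in self.subjects:
            return False
        self._enter(right, grantee, o)
        return True

    def transfer(self, giver, right, receiver, o) -> bool:
        """The giver must hold the right with its transfer flag (right*)."""
        flagged = right.rstrip("*") + "*"
        if flagged not in self.rights(giver, o) or receiver not in self.subjects:
            return False
        self._enter(right, receiver, o)        # pass 'read' or 'read*' as requested
        return True

    def _may_administer(self, actor, target, o) -> bool:
        return "owner" in self.rights(actor, o) or "control" in self.rights(actor, target)

    def delete_right(self, actor, right, target, o) -> bool:
        """The object's owner or the target's controller may revoke a right."""
        if not self._may_administer(actor, target, o):
            return False
        self._delete(right, target, o)
        return True

    def read_rights(self, actor, target, o):
        """Inspect another subject's rights; same authority as delete_right."""
        return self.rights(target, o) if self._may_administer(actor, target, o) else None

    def destroy_object(self, actor, o) -> bool:
        if "owner" not in self.rights(actor, o):
            return False
        self._destroy_object(o)
        return True

    def can(self, s, right, o) -> bool:
        """The question a reference monitor asks at access time."""
        held = self.rights(s, o)
        return right in held or right + "*" in held


def build_demo() -> AccessMatrix:
    """Constructed state: admin creates the users, alice owns a document,
    bob gets transferable read, carol gets plain read from bob."""
    m = AccessMatrix()
    m.bootstrap("admin")
    for s in ("alice", "bob", "carol", "dave"):
        m.create_subject("admin", s)
    m.create_object("alice", "plans.doc")
    m.grant("alice", "read*", "bob", "plans.doc")
    m.transfer("bob", "read", "carol", "plans.doc")
    return m
```

The matrix only changes through the commands, so the protection state at any moment is exactly the set of rights the commands have been able to enter, which is what the HRU model reasons about.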
Brewer-Nash Model (Chinese Wall)
Also known as a Chinese Wall
Designed to prevent a conflict of interest between two parties
Requires users to select one of two conflicting sets of data, after which they cannot access the conflicting data
37
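The Brewer-Nash rule is history-based: the wall is built by a user's first access, not by a fixed label. The following added example (not code from the textbook or the course) implements the read rule and the write rule over constructed conflict-of-interest classes and company datasets.

```python
class ChineseWall:
    """Brewer-Nash policy. Each object belongs to a company dataset, and
    datasets are grouped into conflict-of-interest (COI) classes."""

    def __init__(self, coi_classes: dict) -> None:
        # e.g. {"banks": {"bank_a", "bank_b"}, "oil": {"oil_x", "oil_y"}}
        self.coi_of = {ds: cls for cls, dss in coi_classes.items() for ds in dss}
        self.history: dict = {}      # user -> set of datasets already accessed

    def can_read(self, user: str, dataset: str) -> bool:
        """Read rule: allowed if the user has already accessed this dataset, or
        has accessed nothing in the same COI class. Unknown datasets are denied."""
        if dataset not in self.coi_of:
            return False
        seen = self.history.get(user, set())
        if dataset in seen:
            return True
        return not any(self.coi_of[d] == self.coi_of[dataset] for d in seen)

    def read(self, user: str, dataset: str) -> bool:
        """A permitted first access is recorded: that is what raises the wall
        between the user and the competing datasets."""
        if not self.can_read(user, dataset):
            return False
        self.history.setdefault(user, set()).add(dataset)
        return True

    def can_write(self, user: str, dataset: str) -> bool:
        """Write rule: only if the user may read the dataset and every dataset
        the user can read is this same one, so nothing flows between companies
        through the user (sanitised information is not modelled here)."""
        if not self.can_read(user, dataset):
            return False
        return self.history.get(user, set()) <= {dataset}


def build_demo_wall() -> ChineseWall:
    """Constructed classes: two competing banks and two competing oil companies."""
    return ChineseWall({"banks": {"bank_a", "bank_b"}, "oil": {"oil_x", "oil_y"}})


if __name__ == "__main__":
    wall = build_demo_wall()
    for ds in ("bank_a", "bank_b", "oil_x", "bank_a"):
        print("alice read", ds, "->", wall.read("alice", ds))
    print("alice write bank_a ->", wall.can_write("alice", "bank_a"))
```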
The ISO 27000 Series
Information Technology – Code of Practice for Information Security Management
One of the most widely referenced and discussed security models
Originally published as British Standard 7799 and then later as ISO/IEC 17799
Since been renamed ISO/IEC 27002
Establishes guidelines for initiating, implementing, maintaining, and improving information security management
38
The ISO 27000 Series (cont’d.)
ISO/IEC 27002 has 133 possible controls
Not all of which must be used
Need to identify which are relevant
Each section includes four categories of information:
One or more objectives
Controls relevant to the achievement of the objectives
Implementation guidance
Other information
39
The ISO 27000 Series (cont’d.)
Many countries did not originally adopt the model
Including the US, Germany, and Japan
Claims of fundamental flaws
Global InfoSec community has not defined any justification for the code of practice identified
Model lacks the necessary measurement precision of a technical standard
No reason to believe the model is more useful than any other approach
40
The ISO 27000 Series (cont’d.)
Claims of fundamental flaws (cont’d.)
Not as complete as other frameworks
Perceived as being hurriedly prepared, given the tremendous impact that its adoption could have on industry information security controls
41
The ISO 27000 Series (cont’d.)
ISO/IEC 27002 Sections
Security policy
Organisation of information security
Asset management
Human resources security
Physical and environmental security
Communications and operations management
Access control
Information systems acquisition, development and maintenance
42
The ISO 27000 Series (cont’d.)
ISO/IEC 27002 Sections (cont’d.)
Information security incident management
Business continuity management
Compliance
43
Figure 6-3 ISO/IEC 27001 Plan-Do-Check-Act
Source: Course Technology/Cengage Learning
The ISO 27000 Series (cont’d.)
44
ISO/IEC 27001:2005 – The InfoSec Management System – Plan
Define the scope of the ISMS
Define an ISMS policy
Define the approach to risk assessment
Identify the risks
Assess the risks
Identify and evaluate options for the treatment of risk
Select control objectives and controls
Prepare a statement of applicability (SOA)
The ISO 27000 Series (cont’d.)
45
ISO/IEC 27001:2005 – The InfoSec Management System – Do
Formulate a risk treatment plan
Implement the risk treatment plan
Implement controls
Implement training and awareness programs
Manage operations
Manage resources
Implement procedures to detect and respond to security incidents
The ISO 27000 Series (cont’d.)
46
ISO/IEC 27001:2005 – The InfoSec Management System – Check
Execute monitoring procedures
Undertake regular reviews of ISMS effectiveness
Review the level of residual and acceptable risk
Conduct internal ISMS audits
Undertake regular management review of the ISMS
Record actions and events that impact an ISMS
The ISO 27000 Series (cont’d.)
47
ISO/IEC 27001:2005 – The InfoSec Management System – Act
Implement identified improvements
Take corrective or preventive action
Apply lessons learned
Communicate results to interested parties
Ensure improvements achieve objectives
The ISO 27000 Series (cont’d.)
48
Table 6-4 ISO 27000 Series current and planned standards
The ISO 27000 Series (cont’d.)
49
NIST Security Models (to slide 74)
Notable advantages of NIST documents
Publicly available at no charge
Have been available for some time
Have been broadly reviewed by government and industry professionals
Examples
SP 800-12, Computer Security Handbook
SP 800-14, Generally Accepted Security Principles & Practices
SP 800-18, Rev. 1, Guide for Developing Security Plans for Federal Information Systems
SP 800-30, Risk Management for Information Technology Systems
50
NIST Security Models (cont’d.)
NIST SP 800-12: Computer Security Handbook
Excellent reference and guide for the routine management of information security
Little guidance provided on design and implementation of new security systems
Use as supplement to gain a deeper understanding of background and terminology
51
NIST Security Models (cont’d.)
NIST SP 800-12: Computer Security Handbook (cont’d.)
Lays out the NIST philosophy on security management by identifying 17 controls organised into three categories
Management controls: address security topics that can be characterised as managerial
Operational controls: address security controls that are implemented and executed by people (as opposed to systems)
Technical controls: focus on security controls that the computer system executes
52
NIST Security Models (cont’d.)
NIST Special Publication 800-14:
Generally Accepted Principles and Practices for Securing Information Technology Systems
Describes best practices useful in the development of a security blueprint
Describes principles that should be integrated into information security processes
Documents 8 points and 33 principles
53
NIST Security Models (cont’d.)
Key points
Security supports organisation’s mission
Security is integral to sound management
Security should be cost-effective
Systems owners have security responsibilities outside their own organisations
Security responsibilities and accountability should be explicit
Security requires a comprehensive and integrated approach
Security should be periodically reassessed
Security is constrained by societal factors
54
NIST Security Models (cont’d.)
Principles of NIST SP 800-14
1. Establish a sound security policy as the foundation for design
2. Treat security as an integral part of the overall system design
3. Clearly delineate the physical and logical security boundaries governed by associated security policies
4. Reduce risk to an acceptable level
5. Assume that external systems are insecure
55
NIST Security Models (cont’d.)
Principles of NIST SP 800-14 (cont’d.)
6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness
7. Implement layered security (ensure no single point of vulnerability)
8. Implement tailored system security measures to meet organisational security goals
9. Strive for simplicity
56
NIST Security Models (cont’d.)
Principles of NIST SP 800-14 (cont’d.)
10. Design and operate an IT system to limit vulnerability and to be resilient in response
11. Minimise the system elements to be trusted
12. Implement security through a combination of measures distributed physically and logically
13. Provide assurance that the system is, and continues to be, resilient in the face of expected threats
14. Limit or contain vulnerabilities
57
NIST Security Models (cont’d.)
Principles of NIST SP 800-14 (cont’d.)
15. Formulate security measures to address multiple overlapping information domains
16. Isolate public access systems from mission critical resources
17. Use boundary mechanisms to separate computing systems and network infrastructures
18. Where possible, base security on open standards for portability and interoperability
58
NIST Security Models (cont’d.)
Principles of NIST SP 800-14 (cont’d.)
19. Use common language in developing security requirements
20. Design and implement audit mechanisms to detect unauthorised use and to support incident investigations
21. Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process
59
NIST Security Models (cont’d.)
Principles of NIST SP 800-14 (cont’d.)
22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains
23. Use unique identities to ensure accountability
24. Implement least privilege
25. Do not implement unnecessary security mechanisms
60
NIST Security Models (cont’d.)
Principles of NIST SP 800-14 (cont’d.)
26. Protect information while being processed, in transit, and in storage
27. Strive for operational ease of use
28. Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability
29. Consider custom products to achieve adequate security
61
NIST Security Models (cont’d.)
Principles of NIST SP 800-14 (cont’d.)
30. Ensure proper security in the shutdown or disposal of a system
31. Protect against all likely classes of attacks
32. Identify and prevent common errors and vulnerabilities
33. Ensure that developers are trained in how to develop secure software
62
NIST Security Models (cont’d.)
NIST Special Publication 800-18, Rev. 1: A Guide for Developing Security Plans for Federal Information Systems
Provides detailed methods for assessing, designing, and implementing controls and plans for various sized applications
Serves as a guide for the activities described in this chapter, and for the overall information security planning process
Includes templates for major application security plans
63
Management controls
Risk management
Review of security controls
Life cycle maintenance
Authorisation of processing (certification and accreditation)
System security plan
NIST Security Models (cont’d.)
64
Operational controls
Personnel security
Physical security
Production, input/output controls
Contingency planning
Hardware and systems software
Data integrity
Documentation
Security awareness, training, and education
Incident response capability
NIST Security Models (cont’d.)
65
NIST Security Models (cont’d.)
Technical controls
Identification and authentication
Logical access controls
Audit trails
66
NIST Security Models (cont’d.)
NIST Special Publication 800-30:
Risk Management Guide for Information Technology Systems
Provides a foundation for the development of an effective risk management program
Contains the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems
Strives to enable organisations to better manage IT-related risks
67
NIST Security Models (cont’d.)
RFC 2196 Site Security Handbook
Provides a functional discussion of important security issues along with development and implementation details
Covers security policies, security technical architecture, security services, and security incident handling
Includes discussion of the importance of security policies, and an examination of services, access controls, and other relevant areas
68
NIST Security Models (cont’d.)
Control Objectives for Information and Related Technology (COBIT)
Provides advice about the implementation of sound controls and control objectives for InfoSec
Created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992
69
NIST Security Models (cont’d.)
COBIT presents 34 high-level objectives that cover 215 control objectives
Objectives categorised into four domains:
Plan and organise
Acquire and implement
Deliver and support
Monitor and evaluate
NIST Security Models (cont’d.)
Plan and organise
Makes recommendations for achieving organisational goals and objectives through the use of IT
10 controlling objectives (PO1 – PO10)
Acquire and implement
Focuses on specification of requirements
Acquisition of needed components
Component integration
NIST Security Models (cont’d.)
Acquire and implement (cont’d.)
Examines ongoing maintenance and change requirements
7 controlling objectives (AI1 – AI7)
Deliver and support
Focuses on the functionality of the system and its use to the end user
Examines systems applications, including input, processing, and output components
NIST Security Models (cont’d.)
Deliver and support (cont’d.)
Examines processes for efficiency and effectiveness of operations
13 high-level controlling objectives (DS1 – DS13)
Monitor and evaluate
Seeks to examine the alignment between IT systems usage and organisational strategy
NIST Security Models (cont’d.)
Monitor and evaluate (cont’d.)
Identifies the regulatory requirements for which controls are needed
Monitors the effectiveness and efficiency of IT systems against the organisational control processes in the deliver and support domain
4 high-level controlling objectives (ME1 – ME4)
COSO
A U.S. private-sector initiative
Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence
Has established a common definition of internal controls, standards and criteria
Helps organisations comply with critical regulations like Sarbanes-Oxley
COSO (cont’d.)
Built on five interrelated components:
Control environment
Risk assessment
Control activities
Information and communication
Monitoring
Information Technology Infrastructure Library
A collection of methods and practices useful for managing the development and operation of information technology infrastructures
Has been produced as a series of books
Each of which covers an IT management topic
Includes a detailed description of many significant IT-related practices
Can be tailored to many IT organisations
Information Security Governance Framework
A managerial model
Provides guidance in the development and implementation of an organisational information security governance structure
Includes recommendations for the responsibilities of members of an organisation
Information Security Governance Framework (cont’d.)
Recommendations for responsibilities of members of an organisation
Board of directors/trustees
Provide strategic oversight for information security
Senior executives
Provide oversight of a comprehensive information security program for the entire organisation
Executive team members
Oversee the organisation’s security policies and practices
Information Security Governance Framework (cont’d.)
Recommendations for responsibilities of members of an organisation (cont’d.)
Senior managers
Provide information security for the information and information systems that support the operations and assets under their control
All employees and users
Maintain security of information and information systems accessible to them
Summary
Introduction
Security Management Models
System Models (BLP, Biba, CWI, HRU, BN, etc).
ISO 27000 Series
NIST Models
Others (COBIT, COSO, ITIL, Corporate Governance)
ITC358
ICT Management and Information Security
Chapter 7
Security Management Practices
In theory there is no difference between theory and practice, but in practice there is…
(Attributed to multiple sources, including Yogi Berra and Jan L.A. Van de Snepscheut)
Objectives
Upon completion of this chapter you should be able to:
List the elements of key information security management practices
Describe the key components of a security metrics program
Identify suitable strategies for the implementation of a security metric program
Discuss emerging trends in the certification and accreditation of U.S. federal IT systems
Introduction
Value Proposition
Organisations strive to deliver the most value with a given level of investment
Developing and using sound and repeatable information security management practices makes accomplishing this more likely
Benchmarking
To generate a security blueprint
Organisations usually draw from established security models and practices
Another way is to look at the paths taken by organisations similar to the one for which you are developing the plan
Benchmarking
Following the existing practices of a similar organisation, or industry-developed standards
Can help to determine which controls should be considered
Cannot determine how those controls should be implemented in your organisation
Standards of Due Care/Due Diligence
Categories of benchmarks
Standards of due care/due diligence
Best practices
Best practices include a sub-category of practices, called the gold standard, that are generally regarded as “the best of the best”
Standards of Due Care/Due Diligence (cont’d.)
Standard of due care
When organisations adopt minimum levels of security for legal defense, they may need to show that they have done what any prudent organisation would do in similar circumstances
Due diligence
Implementing controls at this minimum standard
Requires that an organisation ensure that the implemented standards continue to provide the required level of protection
Failure to demonstrate due care or due diligence can expose an organisation to legal liability
If it can be shown that the organisation was negligent in its information protection methods
Recommended Security Practices
Best Practices
Security efforts that seek to provide a superior level of performance in the protection of information
Considered among the best in the industry
Balance the need for information access with the need for adequate protection
Demonstrate fiscal responsibility
Companies with best practices may not be the best in every area
The Gold Standard
Some organisations prefer to implement the most protective, supportive, and yet fiscally responsible standards they can
Gold standard
A model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information
Implementation requires a great deal of financial and personnel support
Selecting Recommended Practices
Choosing which recommended practices to implement can pose a challenge for some organisations
In industries that are regulated by governmental agencies, government guidelines are often requirements
For other organisations, government guidelines are excellent sources of information and can inform their selection of best practices
Selecting Recommended Practices (cont’d.)
Considerations for selecting best practices
Does your organisation resemble the identified target organisation of the best practice?
Are you in a similar industry as the target?
Do you face similar challenges as the target?
Is your organisational structure similar to the target?
Are the resources you can expend similar to those called for by the best practice?
Are you in a similar threat environment as the one assumed by the best practice?
Limitations to Benchmarking and Recommended Practices
The biggest barrier to benchmarking
Organisations don’t talk to each other
A successful attack is viewed as an organisational failure, and is kept secret, insofar as possible
More and more security administrators are joining professional associations and societies like ISSA and sharing their stories and lessons learned
An alternative to this direct dialogue is the publication of lessons learned
Baselining
A value or profile of a performance metric against which changes in the performance metric can be usefully compared
Process of measuring against established standards
Baseline measurements of security activities and events are used to evaluate the organisation’s future security performance
Can provide the foundation for internal benchmarking
Information gathered for an organisation’s first risk assessment becomes the baseline for future comparisons
Support for Baselining and Recommended Practices
Self-assessment for best security practices
People:
Do you perform background checks on all employees with access to sensitive data, areas, or access points?
Would the average employee recognise a security issue?
Would they choose to report it?
Would they know how to report it to the right people?
Support for Baselining and Recommended Practices (cont’d.)
Self-assessment for best security practices (cont’d.)
Processes
Are enterprise security policies updated on at least an annual basis, employees educated on changes, and consistently enforced?
Does your enterprise follow a patch/update management and evaluation process to prioritise and remediate new security vulnerabilities?
Are the user accounts of former employees immediately removed on termination?
Are security group representatives involved in all stages of the project life cycle for new projects?
Support for Baselining and Recommended Practices (cont’d.)
Self-assessment for best security practices (cont’d.)
Technology
Is every possible route to the Internet protected by a properly configured firewall?
Is sensitive data on laptops and remote systems encrypted?
Do you regularly scan your systems and networks, using a vulnerability analysis tool, for security exposures?
Are malicious software scanning tools deployed on all workstations and servers?
Performance Measures in Information Security Management
Costs, benefits and performance of InfoSec
Are measurable, despite the claim of some CISOs that they are not
Measurement requires the design and ongoing use of an InfoSec performance management program based on effective performance metrics
InfoSec Performance Management
Information security performance management
The process of designing, implementing and managing the use of collected data elements called measures
To determine the effectiveness of the overall security program
Measures are data points or computed trends that indicate the effectiveness of security countermeasures or controls
InfoSec Performance Management (cont’d.)
Organisations use three types of measures
Those that determine the effectiveness of the execution of information security policy (ISSPs)
Those that determine the effectiveness and/or efficiency of the delivery of information security services
Those that assess the impact of an incident or other security event on the organisation or its mission
InfoSec Performance Management (cont’d.)
NIST SP 800-55 R1, Performance Measures in Information Security suggests
Consider the following factors
Measures must yield quantifiable information (percentages, averages, and numbers)
Data that supports the measures needs to be readily obtainable
Only repeatable information security processes should be considered for measurement
Measures must be useful for tracking performance and directing resources
InfoSec Performance Management (cont’d.)
Critical factors for the success of an information security performance program
Strong upper level management support
Practical information security policies and procedures
Quantifiable performance measures
Results oriented measures analysis
InfoSec Metrics
InfoSec metrics
Applying statistical and quantitative approaches of mathematical analysis to the process of measuring the activities and outcomes of the InfoSec program
Metrics means detailed measurements
Measures refers to aggregate, higher-level results
The two terms are used interchangeably in some organisations
InfoSec Metrics (cont’d.)
Questions to answer before collecting, designing, and using measures
Why should these statistics be collected?
What specific statistics will be collected?
How will these statistics be collected?
When will these statistics be collected?
Who will collect these statistics?
Where (at what point in the function’s process) will these statistics be collected?
Building the Performance Measures Program
An information security measures program
Must be able to demonstrate value to the organisation
Necessary even with strong management support
Capability Maturity Model Integrated (CMMI)
One of the most popular references that support the development of process improvement and performance measures
Developed by The Software Engineering Institute at Carnegie Mellon
Building the Performance Measures Program (cont’d.)
Another popular approach
NIST SP 800 – 55 R1: Performance Measurement for Information Security
Major activities
The identification and definition of the current information security program
Development and selection of specific measures to gauge the implementation, effectiveness, efficiency, and impact of the security controls
Building the Performance Measures Program (cont’d.)
Figure 7-1 Information security measures development process
Source: Course Technology/Cengage Learning (Based on NIST SP 800-55 Rev. 1)
Specifying InfoSec Measures
Assess and quantify what will be measured
One of the critical tasks
While InfoSec planning and organising activities may only require time estimates
You must obtain more detailed measurements when assessing the effort spent to complete production tasks and the time spent completing project tasks
Collecting InfoSec Measures
Some thought must go into the processes used for data collection and record keeping
Once the question of what to measure is answered
The how, when, where, and who questions of metrics collection must be addressed
Designing the collection process requires consideration of the metric’s intent
Along with a thorough knowledge of how production services are delivered
Collecting InfoSec Measures (cont’d.)
Determine whether the measures used will be macro-focus or micro-focus
Macro-focus measures examine the performance of the overall security program
Micro-focus measures examine the performance of an individual control or group of controls within the information security program
Or use both macro- and micro-focus measures in a limited assessment
Collecting InfoSec Measures (cont’d.)
Organisations manage what they measure
It is important to prioritise individual metrics in the same manner as the performance they measure
Use a simple low-, medium-, or high-priority ranking system
Or a weighted scale approach
Involves assigning values to each measure based on its importance in the overall information security program, and on the overall risk mitigation goals and the criticality of the systems
Collecting InfoSec Measures (cont’d.)
Performance targets
Make it possible to define success in the security program
Many measures have a 100% target goal
Other types of performance measures
Those that determine relative effectiveness, efficiency, or impact of information security on the organisation’s goals
Are more subjective and require solid native and subjective reasoning
Collecting InfoSec Measures (cont’d.)
Table 7-2a Example performance measures documentation
Source: NIST SP 800-55, Rev 1
Collecting InfoSec Measures (cont’d.)
Table 7-2b Example performance measures documentation
Source: NIST SP 800-55, Rev 1
Collecting InfoSec Measures (cont’d.)
Table 7-3a Measures template and instructions
Source: NIST SP 800-55, Rev 1
Table 7-3b Measures template and instructions
Source: NIST SP 800-55, Rev 1
Collecting InfoSec Measures (cont’d.)
Candidate Measures
Percentage of the organisation’s information systems budget devoted to information security
Percentage of high vulnerabilities mitigated within organisationally defined time periods after discovery
Percentage of remote access points used to gain unauthorised access
Percentage of information systems personnel that have received security training
Collecting InfoSec Measures (cont’d.)
Candidate Measures (cont’d.)
Average frequency of audit records review and analysis for inappropriate activity
Percentage of new systems that have completed certification and accreditation (C&A) prior to their implementation
Percentage approved and implemented configuration changes identified in the latest automated baseline configuration
Collecting InfoSec Measures (cont’d.)
Candidate Measures (cont’d.)
Percentage of information systems that have conducted annual contingency plan testing
Percentage of users with access to shared accounts
Percentage of incidents reported within required time frame per applicable incident category
Percentage of system components that undergo maintenance in accordance with formal maintenance schedules
Collecting InfoSec Measures (cont’d.)
Candidate Measures (cont’d.)
Percentage of media that passes sanitisation procedures testing
Percentage of physical security incidents allowing unauthorised entry into facilities containing information assets
Percentage of employees who are authorised access to information systems only after they sign an acknowledgment that they have read and understood the appropriate policies
Collecting InfoSec Measures (cont’d.)
Candidate Measures (cont’d.)
Percentage of individuals screened before being granted access to organisational information and information systems
Percentage of vulnerabilities remediated within organisation-specified time frames
Percentage of system and service acquisition contracts that include security requirements and/or specifications
Collecting InfoSec Measures (cont’d.)
Candidate Measures (cont’d.)
Percentage of mobile computers and devices that perform all cryptographic operations using organisationally specified cryptographic modules operating in approved modes of operations
Percentage of operating system vulnerabilities for which patches have been applied or that have been otherwise mitigated
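The candidate measures above are percentages computed from records the organisation already keeps. The following Python block is an added example, not part of the slides or of NIST SP 800-55: it computes three of the candidate measures from constructed sample records (vulnerability findings, incident reports and personnel records, all invented for the example), compares each with a 100% performance target and with a baseline value from an earlier assessment, and orders the results by the low/medium/high priority ranking the earlier slides describe. The remediation windows, reporting time frames, baselines and priorities are assumed values.

```python
from datetime import datetime

# Constructed sample data (not real findings): vulnerability findings with severity,
# discovery date and, when fixed, remediation date.
VULN_FINDINGS = [
    {"id": "V-1", "severity": "high", "discovered": "2024-03-01", "remediated": "2024-03-10"},
    {"id": "V-2", "severity": "high", "discovered": "2024-03-05", "remediated": "2024-04-20"},
    {"id": "V-3", "severity": "high", "discovered": "2024-03-15", "remediated": None},
    {"id": "V-4", "severity": "medium", "discovered": "2024-03-02", "remediated": "2024-04-01"},
    {"id": "V-5", "severity": "high", "discovered": "2024-04-01", "remediated": "2024-04-15"},
]
# Organisationally defined remediation windows in days (assumed values).
REMEDIATION_WINDOW_DAYS = {"high": 30, "medium": 90, "low": 180}

# Constructed incident records: when each incident was detected and when it was reported.
INCIDENTS = [
    {"id": "I-1", "category": "malware", "detected": "2024-04-02T09:00", "reported": "2024-04-02T15:00"},
    {"id": "I-2", "category": "malware", "detected": "2024-04-05T10:00", "reported": "2024-04-07T10:00"},
    {"id": "I-3", "category": "unauthorised_access", "detected": "2024-04-08T08:00", "reported": "2024-04-08T08:30"},
    {"id": "I-4", "category": "unauthorised_access", "detected": "2024-04-10T22:00", "reported": "2024-04-11T01:00"},
    {"id": "I-5", "category": "unauthorised_access", "detected": "2024-04-12T12:00", "reported": "2024-04-12T12:45"},
]
# Required reporting time frame per incident category in hours (assumed values).
REPORTING_WINDOW_HOURS = {"malware": 24, "unauthorised_access": 1}

# Constructed personnel records; only information systems personnel count for this measure.
STAFF = [
    {"name": "alice", "is_it": True, "trained": True},
    {"name": "bob", "is_it": True, "trained": True},
    {"name": "carol", "is_it": True, "trained": False},
    {"name": "dave", "is_it": True, "trained": True},
    {"name": "erin", "is_it": True, "trained": True},
    {"name": "frank", "is_it": False, "trained": False},
]

PRIORITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def pct_high_vulns_mitigated_in_window(findings, windows):
    """Percentage of high vulnerabilities remediated within the defined window.
    A finding that is still open counts against the measure, not as 'not yet due'."""
    high = [f for f in findings if f["severity"] == "high"]
    on_time = 0
    for f in high:
        if f["remediated"] is None:
            continue
        age = datetime.fromisoformat(f["remediated"]) - datetime.fromisoformat(f["discovered"])
        if age.days <= windows["high"]:
            on_time += 1
    return pct(on_time, len(high))


def pct_incidents_reported_in_time(incidents, windows):
    """Per-category percentage of incidents reported within the required time frame."""
    totals, on_time = {}, {}
    for inc in incidents:
        cat = inc["category"]
        delay = datetime.fromisoformat(inc["reported"]) - datetime.fromisoformat(inc["detected"])
        totals[cat] = totals.get(cat, 0) + 1
        if delay.total_seconds() / 3600 <= windows[cat]:
            on_time[cat] = on_time.get(cat, 0) + 1
    return {cat: pct(on_time.get(cat, 0), totals[cat]) for cat in totals}


def pct_it_staff_trained(staff):
    """Percentage of information systems personnel who have received security training."""
    it_staff = [s for s in staff if s["is_it"]]
    return pct(sum(1 for s in it_staff if s["trained"]), len(it_staff))


def evaluate(name, value, target, baseline, priority):
    """Compare one measure with its performance target and with the baseline recorded
    at the first assessment, and attach its priority weight."""
    return {
        "measure": name,
        "value": value,
        "target": target,
        "meets_target": value >= target,
        "change_from_baseline": round(value - baseline, 1),
        "priority": priority,
        "weight": PRIORITY_WEIGHT[priority],
    }


def measurement_report():
    """All measures, highest priority first, so management attention follows importance."""
    reported = pct_incidents_reported_in_time(INCIDENTS, REPORTING_WINDOW_HOURS)
    rows = [
        evaluate("high vulns mitigated in window",
                 pct_high_vulns_mitigated_in_window(VULN_FINDINGS, REMEDIATION_WINDOW_DAYS),
                 100.0, 40.0, "high"),
        evaluate("unauthorised access incidents reported in time",
                 reported["unauthorised_access"], 100.0, 50.0, "high"),
        evaluate("malware incidents reported in time",
                 reported["malware"], 100.0, 60.0, "medium"),
        evaluate("IT personnel security trained",
                 pct_it_staff_trained(STAFF), 100.0, 80.0, "medium"),
    ]
    return sorted(rows, key=lambda r: (-r["weight"], r["measure"]))


if __name__ == "__main__":
    for row in measurement_report():
        print(row)
```

One design point worth noting: a high vulnerability that is still open counts against the measure rather than being excluded, otherwise the percentage improves simply by never closing a finding. Each measure is its own function so the same data can be re-measured at the next collection point, with this run's values becoming the new baseline.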
InfoSec Performance Measurement Implementation
Information security performance measures must be implemented and integrated into ongoing information security management operations
It is insufficient to simply collect these measures once
Performance measurement is an ongoing, continuous improvement operation
Collecting InfoSec Measures (cont’d.)
Figure 7-2 Information security measurement program implementation process
Source: Course Technology/Cengage Learning
Reporting InfoSec Performance Measures
Listing the measurements collected does not adequately convey their meaning
Decisions must be made about how to present correlated metrics
Consider to whom the results of the performance measures program should be disseminated, and how they should be delivered
Emerging Trends In Certification And Accreditation
Accreditation
The authorisation of an IT system to process, store, or transmit information.
It is issued by a management official and serves as a means of assuring that systems are of adequate quality
Challenges managers and technical staff to find the best methods to assure security, given technical constraints, operational constraints, and mission requirements
Emerging Trends In Certification And Accreditation (cont’d.)
Certification
The comprehensive evaluation of the technical and nontechnical security controls of an IT system
Supports the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements
Organisations pursue accreditation or certification to gain a competitive advantage
Also provides assurance to customers
SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems
Develops standard guidelines and procedures for certifying and accrediting Federal IT systems
Including the critical infrastructure of the U.S.
Defines essential minimum security controls for Federal IT systems
SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)
Promotes the development of public and private sector assessment organisations
And certification of individuals capable of providing cost effective, high quality, security certifications based on standard guidelines and procedures
SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)
Benefits of the security certification and accreditation (C&A) initiative
More consistent, comparable, and repeatable certifications of IT systems
SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)
Benefits of the security certification and accreditation (C&A) initiative (cont’d.)
More complete, reliable, information for authorising officials
Leads to better understanding of complex IT systems and associated risks and vulnerabilities, and informed decisions by management officials
SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)
Benefits of the security certification and accreditation (C&A) initiative (cont’d.)
Greater availability of competent security evaluation and assessment services
More secure IT systems within the Federal government
Figure 7-3 Special publications supporting SP 800-37
Source: Course Technology/Cengage Learning (Based on NIST SP 800-37)
SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)
Three-step security controls selection process
Step 1: Characterise the system
Step 2: Select the appropriate minimum security controls for the system
Step 3: Adjust security controls based on system exposure and risk decision
SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)
Systems certified to one of three levels
Security Certification Level 1
The entry-level certification appropriate for low priority (concern) systems
Security Certification Level 2
The mid-level certification appropriate for moderate priority (concern) systems
SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)
Systems certified to one of three levels (cont’d.)
Security Certification Level 3
The top-level certification appropriate for high priority (concern) systems
SP 800-53 Rev 3: Recommended Security Controls for Federal Information Systems and Organisations
SP 800-53 is part two of the C&A project
Its purpose is to establish a set of standardised, minimum security controls for IT systems addressing low, moderate, and high levels of concern for confidentiality, integrity, and availability
SP 800-53 Rev 3: Recommended Security Controls for Federal Information Systems and Organisations (cont’d.)
SP 800-53 (cont’d.)
Controls are broken into the three familiar general classes of security controls: management, operational, and technical
Critical elements represent important security-related focus areas for the system
Each critical element addressed by one or more security controls
SP 800-53 Rev 3: Recommended Security Controls for Federal Information Systems and Organisations (cont’d.)
SP 800-53 (cont’d.)
As technology evolves, so will the set of security controls, requiring additional control mechanisms
Figure 7-4 Participants in the certification and accreditation process
The Future of Certification and Accreditation
Newer NIST documents focus less upon certification and accreditation strategy
And more on a holistic risk management strategy incorporating an authorisation strategy rather than accreditation
Certification is being replaced by the term “security control assessment”
Figure 7-5 Risk management framework
Source: Course Technology/Cengage Learning (Based on content from NIST Risk Management Framework, SP 800-53 Rev. 1)
Summary
Introduction
Security management practices
Emerging trends in certification and accreditation
ITC358
ICT Management and Information Security
Chapter 8
Risk Management: Identifying and Assessing Risk
Once we know our weaknesses, they cease to do us any harm.
G.C. Lichtenberg, German physicist, philosopher
Objectives
Upon completion of this chapter you should be able to:
Define risk management and its role in the organisation
Use risk management techniques to identify and prioritise risk factors for information assets
Assess risk based on the likelihood of adverse events and the effects on information assets when events occur
Document the results of risk identification
Introduction
Information security departments are created primarily to manage IT risk
Managing risk is one of the key responsibilities of every manager within the organisation
In any well-developed risk management program, two formal processes are at work
Risk identification and assessment
Risk control
Risk Management
“If you know the enemy and know yourself, you need not fear the result of a hundred battles
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat
If you know neither the enemy nor yourself, you will succumb in every battle”
— Sun Tzu
Knowing Yourself
Identifying, examining and understanding the information and how it is processed, stored, and transmitted
Armed with this knowledge, one can initiate an in-depth risk management program
Risk management is a process
Safeguards and controls that are devised and implemented are not install-and-forget devices
Knowing the Enemy
Identifying, examining, and understanding the threats facing the organisation’s information assets
Must fully identify those threats that pose risks to the organisation and the security of its information assets
Risk management
The process of assessing the risks to an organisation’s information and determining how those risks can be controlled or mitigated
Accountability for Risk Management
Communities of interest must work together
Evaluating the risk controls
Determining which control options are cost-effective
Acquiring or installing the appropriate controls
Overseeing processes to ensure that the controls remain effective
Identifying risks
Assessing risks
Summarising the findings
Risk Identification
Figure 8-1 Risk identification process
Source: Course Technology/Cengage Learning
Risk Identification (cont’d.)
Risk identification begins with the process of self-examination
Managers identify the organisation’s information assets
Classify them into useful groups
Prioritise them by their overall importance
Creating an Inventory of Information Assets
Identify information assets
Includes people, procedures, data and information, software, hardware, and networking elements
This step should be done without pre-judging the value of each asset
Values will be assigned later in the process
Creating an Inventory of Information Assets (cont’d.)
Table 8-1 Organisational assets used in systems
Source: Course Technology/Cengage Learning
Creating an Inventory of Information Assets (cont’d.)
Inventory process requires a certain amount of planning
Whether automated or manual (laptop borrowing/remote usage logbook)
Determine which attributes of each information asset should be tracked
Depends on the needs of the organisation and its risk management efforts
Creating an Inventory of Information Assets (cont’d.)
Potential asset attributes (remote VPN)
Name, IP address
MAC address, asset type
Serial number, manufacturer name
Manufacturer’s model or part number
Software version, update revision, or FCO number
Physical location, logical location
Controlling entity
Creating an Inventory of Information Assets (cont’d.)
Identifying people, procedures and data assets
Responsibility for identifying, describing, and evaluating these information assets should be assigned to managers who possess the needed knowledge, experience, and judgment
As these assets are identified, they should be recorded using a reliable data-handling process like the one used for hardware and software
Creating an Inventory of Information Assets (cont’d.)
Sample attributes for people, procedures, and data assets
People
Position name/number/ID
Supervisor name/number/ID
Security clearance level
Special skills
Procedures
Description
Intended purpose
Creating an Inventory of Information Assets (cont’d.)
Sample attributes for people, procedures, and data assets (cont’d.)
Procedures (cont’d.)
Software/hardware/networking elements to which it is tied
Location where it is stored for reference
Location where it is stored for update purposes
Data
Classification
Owner/creator/manager
Size of data structure
Data structure used
Online or offline
Location
Backup procedures
Classifying and Categorising Assets
Determine whether the asset categories are meaningful
Inventory should also reflect each asset’s sensitivity and security priority
A classification scheme categorises information assets based on their sensitivity and security needs
Each of these categories designates the level of protection needed for a particular information asset
Classifying and Categorising Assets (cont’d.)
Some asset types, such as personnel, may require an alternative classification scheme that would identify the clearance needed to use the asset type
Classification categories must be comprehensive and mutually exclusive
Assessing Values for Information Assets
Assign a relative value:
As each information asset is identified, categorised, and classified
Comparative judgments made to ensure that the most valuable information assets are given the highest priority
Relevant questions
Which asset is the most critical to the success of the organisation?
Assessing Values for Information Assets
Relevant questions (cont’d.)
Which asset generates the most revenue?
Which asset generates the highest profitability?
Which asset is the most expensive to replace?
Which asset is the most expensive to protect?
Which asset’s loss or compromise would be the most embarrassing or cause the greatest liability?
Figure 8-2 Sample asset classification worksheet
Source: Course Technology/Cengage Learning
Listing Assets in Order of Importance
The final step in the risk identification process is to list the assets in order of importance
This goal can be achieved by using a weighted factor analysis worksheet
Listing Assets in Order of Importance (cont’d.)
Table 8-2 Example weighted factor analysis worksheet
Source: Course Technology/Cengage Learning
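As an added example (not from the textbook or these slides), the Python block below carries the inventory, classification and valuation steps through in code: it records a small inventory with the attributes listed on the preceding slides, checks each asset's classification against a scheme so that gaps in comprehensiveness show up, and ranks the assets with a weighted factor analysis over criteria drawn from the "relevant questions" slide. The classification labels, the criteria weights and the five sample assets with their scores are constructed for illustration.

```python
from dataclasses import dataclass, field

# Classification scheme (assumed labels). The scheme must be comprehensive and
# mutually exclusive: every asset fits exactly one category.
CLASSIFICATION_SCHEME = ("public", "internal", "confidential", "restricted")

# Weighted factor analysis criteria, taken from the questions on the slide above.
# The weights are assumed values; they must sum to 100.
CRITERIA_WEIGHTS = {
    "critical_to_success": 25,
    "revenue": 20,
    "profitability": 15,
    "replacement_cost": 15,
    "liability_or_embarrassment": 25,
}


@dataclass
class InformationAsset:
    """One inventory entry; attributes follow the slides' sample attribute lists."""
    name: str
    asset_type: str          # people, procedures, data, software, hardware, networking
    classification: str
    owner: str
    location: str
    scores: dict = field(default_factory=dict)   # criterion -> score from 0.1 to 1.0


# Constructed sample inventory (not a real organisation's assets).
SAMPLE_ASSETS = [
    InformationAsset("Customer order database", "data", "restricted", "sales director", "DC-1",
                     {"critical_to_success": 1.0, "revenue": 1.0, "profitability": 0.9,
                      "replacement_cost": 0.8, "liability_or_embarrassment": 1.0}),
    InformationAsset("Public web site", "software", "public", "marketing manager", "hosted",
                     {"critical_to_success": 0.6, "revenue": 0.8, "profitability": 0.6,
                      "replacement_cost": 0.4, "liability_or_embarrassment": 0.7}),
    InformationAsset("Core router", "networking", "internal", "network manager", "DC-1",
                     {"critical_to_success": 0.9, "revenue": 0.7, "profitability": 0.6,
                      "replacement_cost": 0.5, "liability_or_embarrassment": 0.5}),
    InformationAsset("Payroll procedure", "procedures", "confidential", "HR manager", "HR share",
                     {"critical_to_success": 0.5, "revenue": 0.2, "profitability": 0.4,
                      "replacement_cost": 0.3, "liability_or_embarrassment": 0.8}),
    # Deliberately labelled outside the scheme so the validation step has something to find.
    InformationAsset("Marketing brochure", "data", "unclassified", "marketing manager", "file server",
                     {"critical_to_success": 0.2, "revenue": 0.3, "profitability": 0.2,
                      "replacement_cost": 0.1, "liability_or_embarrassment": 0.2}),
]


def validate_classification(assets, scheme=CLASSIFICATION_SCHEME):
    """Names of assets whose label is outside the scheme (a gap in comprehensiveness)."""
    return [a.name for a in assets if a.classification not in scheme]


def weighted_score(asset, weights=CRITERIA_WEIGHTS):
    """Weighted factor analysis score: the sum of weight x score over all criteria."""
    if sum(weights.values()) != 100:
        raise ValueError("criteria weights must sum to 100")
    missing = set(weights) - set(asset.scores)
    if missing:
        raise ValueError(f"{asset.name}: no score for {sorted(missing)}")
    for criterion, score in asset.scores.items():
        if criterion not in weights or not 0.1 <= score <= 1.0:
            raise ValueError(f"{asset.name}: bad score {score} for {criterion}")
    return round(sum(weights[c] * asset.scores[c] for c in weights), 1)


def rank_assets(assets, weights=CRITERIA_WEIGHTS):
    """(name, score) pairs in descending order of importance."""
    scored = [(a.name, weighted_score(a, weights)) for a in assets]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    print("assets outside the classification scheme:", validate_classification(SAMPLE_ASSETS))
    for name, score in rank_assets(SAMPLE_ASSETS):
        print(f"{score:5.1f}  {name}")
```

The scores are assigned without pre-judging value, as the inventory slide requires; the comparative judgment happens only in the weights, which is why the weights are checked to sum to 100 so that scores from different assets stay comparable on the same 0.1 to 100 scale.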
Threat Identification
Any organisation typically faces a wide variety of threats
If you assume that every threat can and will attack every information asset
The project scope becomes too complex
To make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated at the end
Threat Identification (cont’d.)
Each threat presents a unique challenge to information security
Must be handled with specific controls that directly address the particular threat and the threat agent’s attack strategy
Before threats can be assessed in the risk identification process
Each must be further examined to determine its potential to affect the targeted information asset
This process is a threat assessment
Threat Identification (cont’d.)
Table 8-3 Threats to information security
Source: Adapted from M. E. Whitman. Enemy at the gates: Threats to information security. Communications of the ACM, August 2003. Reprinted with permission
Threat Identification (cont’d.)
Weighted ranks of threats to information security
Threat Identification (cont’d.)
Vulnerability Assessment
Begin to review every information asset for each threat
This review leads to the creation of a list of vulnerabilities that remain potential risks to the organisation
Vulnerabilities are specific avenues that threat agents can exploit to attack an information asset
At the end of the risk identification process, a list of assets and their vulnerabilities has been developed
Threat Identification (cont’d.)
Vulnerability Assessment (cont’d.)
This list serves as the starting point for the next step in the risk management process – risk assessment
Table 8-4 Vulnerability assessment of a DMZ router
Threat Identification (cont’d.)
The TVA Worksheet
At the end of the risk identification process, a list of assets and their vulnerabilities has been developed
Another list prioritises threats facing the organisation based on the weighted table discussed earlier
These lists can be combined into a single worksheet
The Threats-Vulnerabilities-Assets (TVA) worksheet
Table 8-5 Sample TVA spreadsheet
The TVA Worksheet (cont’d.)
Figure 8-3 Risk identification estimate factors
Introduction to Risk Assessment
The goal is to create a method to evaluate the relative risk of each listed vulnerability
Likelihood
The overall rating of the probability that a specific vulnerability will be exploited
Often expressed as a numerical value on a defined scale (such as 0.1 – 1.0)
Using the information documented during the risk identification process, you can also assign each information asset a weighted value (e.g. 1–100, or low/medium/high)
Assessing Potential Loss
Questions to ask when assigning likelihood values
Which threats present a danger to this organisation’s assets in the given environment?
Which threats represent the most danger to the organisation’s information?
How much would it cost to recover from a successful attack?
Which threats would require the greatest expenditure to prevent?
Which of the aforementioned questions is the most important to the protection of information from threats within this organisation?
Percentage of Risk Mitigated by Current Controls
If a vulnerability is fully managed by an existing control, it can be set aside
If it is partially controlled, estimate what percentage of the vulnerability has been controlled
Uncertainty
It is not possible to know everything about every vulnerability
The degree to which a current control can reduce risk is also subject to estimation error
Uncertainty is an estimate made by the manager using judgment and experience
Risk Determination
Example
Asset A has a value of 50 and has one vulnerability, which has a likelihood of 1.0 with no current controls. Your assumptions and data are 90% accurate
Asset B has a value of 100 and has two vulnerabilities: vulnerability #2 has a likelihood of 0.5 with a current control that addresses 50% of its risk; vulnerability #3 has a likelihood of 0.1 with no current controls. Your assumptions and data are 80% accurate
Risk Determination (cont’d.)
Example (cont’d.)
The resulting ranked list of risk ratings for the three vulnerabilities is as follows:
Asset A: Vulnerability 1 rated as 55 = (50 × 1.0) – 0% of 50 + 10% of 50 = 50 – 0 + 5
Asset B: Vulnerability 2 rated as 35 = (100 × 0.5) – 50% of 50 + 20% of 50 = 50 – 25 + 10
Asset B: Vulnerability 3 rated as 12 = (100 × 0.1) – 0% of 10 + 20% of 10 = 10 – 0 + 2
(Both the mitigation percentage and the uncertainty percentage are taken of the base product value × likelihood; uncertainty is 100% minus the stated accuracy of the data)
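The same calculation carried through in code, as an added example that is not part of the course slides. The rating is value × likelihood, less the fraction already mitigated by current controls, plus the uncertainty fraction, with both fractions taken of the base product, which is the reading that reproduces the slide's 55, 35 and 12. The records are constructed from the slide's example; the class and function names are this example's own.

```python
"""Risk rating = (value x likelihood) - mitigated share + uncertainty share.

Added example (not from the course slides). Both shares are taken of the base
product value x likelihood, and uncertainty is 100% minus the stated accuracy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    asset: str
    vuln_id: int
    asset_value: float     # weighted asset value, e.g. on a 1-100 scale
    likelihood: float      # probability of exploitation, 0.0-1.0
    mitigated: float       # fraction of the risk already controlled, 0.0-1.0
    accuracy: float        # how accurate the assumptions and data are, 0.0-1.0


def risk_rating(v: VulnRecord) -> float:
    """Risk = base - base*mitigated + base*(1 - accuracy), base = value x likelihood."""
    if not 0.0 <= v.likelihood <= 1.0:
        raise ValueError("likelihood must be in [0, 1]")
    if not (0.0 <= v.mitigated <= 1.0 and 0.0 <= v.accuracy <= 1.0):
        raise ValueError("mitigated and accuracy must be fractions in [0, 1]")
    base = v.asset_value * v.likelihood
    uncertainty = 1.0 - v.accuracy
    return base - base * v.mitigated + base * uncertainty


def rank_vulnerabilities(records):
    """Return (asset, vuln_id, rating) tuples, highest rating first."""
    rated = [(r.asset, r.vuln_id, round(risk_rating(r), 2)) for r in records]
    return sorted(rated, key=lambda row: row[2], reverse=True)


# Constructed from the slide's worked example
EXAMPLE = [
    VulnRecord("A", 1, asset_value=50, likelihood=1.0, mitigated=0.0, accuracy=0.9),
    VulnRecord("B", 2, asset_value=100, likelihood=0.5, mitigated=0.5, accuracy=0.8),
    VulnRecord("B", 3, asset_value=100, likelihood=0.1, mitigated=0.0, accuracy=0.8),
]

if __name__ == "__main__":
    for asset, vuln_id, rating in rank_vulnerabilities(EXAMPLE):
        print(f"Asset {asset} vulnerability {vuln_id}: {rating}")
```

The ranked output is the starting point for the ranked vulnerability risk worksheet later in the chapter; a vulnerability fully covered by an existing control (mitigated = 1.0) rates at only its uncertainty share, which is the quantitative form of "set it aside".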
Likelihood and Consequences
Likelihood and consequence rating
Another approach
From the Australian and New Zealand risk management standard AS/NZS 4360 (since superseded by AS/NZS ISO 31000)
Uses qualitative methods of determining risk based on a threat’s probability of occurrence and expected results of a successful attack
Consequences (or impact assessment) are evaluated on 5 levels ranging from insignificant (level 1) to catastrophic (level 5), as assessed by the organisation
Qualitative likelihood assessments levels are represented by values ranging from A (almost certain) to E (rare), as determined by the organisation
Identify Possible Controls
For each threat and its associated vulnerabilities that have residual risk, create a preliminary list of control ideas
Three general categories of controls exist:
Policies
Programs
Technical controls
Likelihood and Consequences (cont’d.)
Table 8-6 Consequence levels for organisational threats
Source: Risk management plan templates and forms from www.treasury.act.gov.au/actia/Risk.htm
Likelihood and Consequences (cont’d.)
Table 8-7 Likelihood levels for organisational threats
Source: Risk management plan templates and forms from www.treasury.act.gov.au/actia/Risk.htm
Likelihood and Consequences (cont’d.)
Consequences and likelihoods are combined
Enabling the organisation to determine which threats represent the greatest danger to the organisation’s information assets
The resulting rankings can then be inserted into the TVA tables for use in risk assessment
Likelihood and Consequences (cont’d.)
Table 8-8 Qualitative risk analysis matrix
Source: Risk management plan templates and forms from www.treasury.act.gov.au/actia/Risk.htm
Documenting the Results of Risk Assessment
Goals of the risk management process
To identify information assets and their vulnerabilities
To rank them according to the need for protection
In preparing this list, a wealth of factual information about the assets and the threats they face is collected
Information about the controls that are already in place is also collected
The final summarised document is the ranked vulnerability risk worksheet
Table 8-9 Ranked vulnerability risk worksheet
Source: Course Technology/Cengage Learning
Documenting the Results of Risk Assessment (cont’d.)
What should the documentation package look like?
What are the deliverables from this stage of the risk management project?
The risk identification process should designate what function the reports serve, who is responsible for preparing them, and who reviews them
Table 8-10 Risk identification and assessment deliverables
Documenting the Results of Risk Assessment (cont’d.)
Source: Course Technology/Cengage Learning
Summary
Introduction
Risk management
Risk identification
Risk assessment
Documenting the results of risk assessment
ITC358
ICT Management and Information Security
Chapter 9
Risk Management: Controlling Risk
Weakness is a better teacher than strength. Weakness must be learned to understand the obstacles that strength brushes aside. – Mason Cooley, U.S. aphorist
Objectives
Upon completion of this chapter, you should be able to:
Recognise and select from the risk mitigation strategy options to control risk
Evaluate risk controls and formulate a cost-benefit analysis using existing conceptual frameworks
Explain how to maintain and perpetuate risk controls
Describe the OCTAVE Method and other approaches to managing risk
Introduction
To keep up with the competition, organisations must design and create a safe environment in which business processes and procedures can function
This environment must maintain confidentiality and privacy and assure the integrity and availability of organisational data
These objectives are met via the application of the principles of risk management
Risk Control Strategies
An organisation must choose one of four basic strategies to control risks
Avoidance
Applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability
Transference (insurance)
Shifting the risk to other areas or to outside entities
Mitigation
Reducing the impact if the vulnerability is exploited
Acceptance
Understanding the consequences and accepting the risk without control or mitigation
Avoidance
The risk control strategy that attempts to prevent the exploitation of the vulnerability
Avoidance is accomplished through:
Application of policy
Application of training and education
Countering threats
Implementation of technical security controls and safeguards
Transference
The control approach that attempts to shift the risk to other assets, other processes, or other organisations
May be accomplished by rethinking how services are offered
Revising deployment models
Outsourcing to other organisations
Purchasing insurance
Implementing service contracts with providers
Mitigation
The control approach that attempts to reduce the damage caused by the exploitation of vulnerability
Using planning and preparation
Depends upon the ability to detect and respond to an attack as quickly as possible
Types of mitigation plans
Disaster recovery plan (DRP)
Incident response plan (IRP)
Business continuity plan (BCP)
Mitigation (cont’d.)
Table 9-1 Summaries of mitigation plans
Source: Course Technology/Cengage Learning
Acceptance
The choice to do nothing to protect an information asset
To accept the loss when it occurs
This control, or lack of control, assumes that it may be a prudent business decision to examine the alternatives and conclude that the cost of protecting an asset does not justify the security expenditure
Acceptance (cont.)
Before using the acceptance strategy, the organisation must:
Determine the level of risk to the information asset
Assess the probability of attack and the likelihood of a successful exploitation of a vulnerability
Approximate the annualised rate of occurrence (ARO) of the exploit
Estimate the potential loss from attacks
Perform a thorough cost benefit analysis
Acceptance (cont.)
Before using the acceptance strategy, the organisation must: (cont’d.)
Evaluate controls using each appropriate type of feasibility
Decide that the particular asset did not justify the cost of protection
Managing Risk
Risk appetite (also known as risk tolerance)
The quantity and nature of risk that organisations are willing to accept
As they evaluate the trade-offs between perfect security and unlimited accessibility
The reasoned approach to risk is one that balances the expense (in terms of finance and the usability of information assets) against the possible losses if exploited
Managing Risk (cont’d.)
Residual risk
When vulnerabilities have been controlled as much as possible, there is often remaining risk that has not been completely removed, shifted, or planned for
Residual Risk is a combined function of:
Threats, vulnerabilities and assets, less the effects of the safeguards in place
Managing Risk (cont’d.)
The goal of information security is not to bring residual risk to zero
Bring it in line with an organisation’s risk appetite
If decision makers have been informed of uncontrolled risks and the proper authority groups within the communities of interest decide to leave residual risk in place, then the information security program has accomplished its primary goal
Once a control strategy has been selected and implemented:
The effectiveness of controls should be monitored and measured on an ongoing basis
To determine its effectiveness and the accuracy of the estimate of the residual risk
Managing Risk (cont’d.)
Managing Risk (cont’d.)
Source: Course Technology/Cengage Learning
Figure 9-1 Residual risk
Risk control involves selecting one of the four risk control strategies
For the vulnerabilities present
If the loss is within the range of losses the organisation can absorb, or if the attacker’s gain is less than expected costs of the attack, the organisation may choose to accept the risk
Otherwise, one of the other control strategies will have to be selected
Managing Risk (cont’d.)
Managing Risk (cont’d.)
Source: Course Technology/Cengage Learning
Figure 9-2 Risk-handling action points
Guidelines for risk control strategy selection
When a vulnerability exists
Implement security controls to reduce the likelihood of a vulnerability being exercised
When a vulnerability can be exploited
Apply layered controls to minimise the risk or prevent occurrence
When the attacker’s potential gain is greater than the costs of attack
Apply technical or managerial controls to increase the attacker’s cost, or reduce his gain
When potential loss is substantial
Apply design controls to limit the extent of the attack, thereby reducing the potential for loss
Managing Risk (cont’d.)
Managing Risk (cont’d.)
Source: Course Technology/Cengage Learning
Figure 9-3 Risk control cycle
Feasibility and Cost-Benefit Analysis
Before deciding on the strategy for a specific vulnerability
All readily accessible information about the consequences of the vulnerability must be explored
Ask: what are the advantages of implementing this control, and what are the disadvantages?
There are a number of ways to determine the advantage or disadvantage of a specific control
The primary means are based on the value of the information assets that it is designed to protect
Cost-Benefit Analysis
Economic feasibility
The criterion most commonly used when evaluating a project that implements information security controls and safeguards
Begin a cost-benefit analysis by:
Evaluating the worth of the information assets to be protected and the loss in value if those information assets are compromised
This decision-making process is called
Cost-benefit analysis or economic feasibility study
Cost-Benefit Analysis (cont’d.)
It is difficult to determine the value of information
It is also difficult to determine the cost of safeguarding it
Factors that affect the cost of a safeguard
Cost of development or acquisition of hardware, software, and services
Training fees
Cost of implementation
Service and maintenance costs
Cost-Benefit Analysis (cont’d.)
Benefit
The value to the organisation of using controls to prevent losses associated with a specific vulnerability
Usually determined by valuing the information assets exposed by the vulnerability and then determining how much of that value is at risk and how much risk there is for the asset
This is expressed as the annualised loss expectancy (ALE)
Cost-Benefit Analysis (cont’d.)
Asset valuation
The process of assigning financial value or worth to each information asset
The value of information differs within and between organisations
Based on the characteristics of information and the perceived value of that information
Involves estimation of real and perceived costs associated with the design, development, installation, maintenance, protection, recovery, and defense against loss and litigation
Cost-Benefit Analysis (cont’d.)
Asset valuation components
Value retained from the cost of creating the information asset
Value retained from past maintenance of the information asset
Value implied by the cost of replacing the information
Value from providing the information
Value acquired from the cost of protecting the information
Cost-Benefit Analysis (cont’d.)
Asset valuation components (cont’d.)
Value to owners
Value of intellectual property
Value to adversaries
Loss of productivity while the information assets are unavailable
Loss of revenue while information assets are unavailable
Cost-Benefit Analysis (cont’d.)
An organisation must be able to place a dollar value on each information asset it owns, based on:
How much did it cost to create or acquire?
How much would it cost to recreate or recover?
How much does it cost to maintain?
How much is it worth to the organisation?
How much is it worth to the competition?
Cost-Benefit Analysis (cont’d.)
Potential loss is that which could occur from the exploitation of vulnerability or a threat occurrence
Ask these questions:
What loss could occur, and what financial impact would it have?
What would it cost to recover from the attack, in addition to the financial impact of damage?
What is the single loss expectancy for each risk?
A single loss expectancy (SLE)
The calculation of the value associated with the most likely loss from an attack
SLE is based on the value of the asset and the expected percentage of loss that would occur from a particular attack
SLE = asset value (AV) x exposure factor (EF)
Where EF is the percentage loss that would occur from a given vulnerability being exploited
This information is usually estimated
Cost-Benefit Analysis (cont’d.)
In most cases, the probability of a threat occurring is the probability of loss from an attack within a given time frame
This value is commonly referred to as the annualised rate of occurrence (ARO)
ALE = SLE × ARO
Cost-Benefit Analysis (cont’d.)
Cost-Benefit Analysis (cont’d.)
CBA determines whether or not a control alternative is worth its associated cost
CBAs may be calculated before a control or safeguard is implemented
To determine if the control is worth implementing
Or calculated after controls have been implemented and have been functioning for a time
Cost-Benefit Analysis (cont’d.)
Cost-benefit analysis formula
CBA = ALE(prior) – ALE(post) – ACS
ALE (prior to control) is the annualised loss expectancy of the risk before the implementation of the control
ALE (post-control) is the ALE examined after the control has been in place for a period of time
ACS is the annual cost of the safeguard
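The SLE, ALE and CBA formulas from the preceding slides, carried through for one control decision. This is an added example and not part of the course slides: the asset value, exposure factors, rates of occurrence and safeguard cost are constructed figures, and the control they describe (assumed here to be a web application firewall plus a patching programme) is only illustrative.

```python
"""Cost-benefit analysis of a safeguard using SLE, ARO, ALE and ACS.

Added example (not from the course slides). Constructed scenario: a web
application asset valued at $400,000 with a 25% exposure factor, compromised
about twice a year before controls. The assumed control (a WAF plus patching,
$30,000 a year) is expected to cut the ARO to 0.25 and the exposure factor to 10%.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    asset_value: float       # AV, in dollars
    exposure_factor: float   # EF, fraction of AV lost per incident, 0.0-1.0
    aro: float               # annualised rate of occurrence, incidents per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be a fraction in [0, 1]")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualised loss expectancy: ALE = SLE x ARO."""
        return self.sle() * self.aro


def cba(prior: LossScenario, post: LossScenario, annual_cost_of_safeguard: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays for itself."""
    return prior.ale() - post.ale() - annual_cost_of_safeguard


def break_even_acs(prior: LossScenario, post: LossScenario) -> float:
    """Largest annual safeguard cost at which the control still breaks even."""
    return prior.ale() - post.ale()


# Constructed figures for the scenario described in the module docstring
PRIOR = LossScenario(asset_value=400_000, exposure_factor=0.25, aro=2.0)
POST = LossScenario(asset_value=400_000, exposure_factor=0.10, aro=0.25)
ACS = 30_000

if __name__ == "__main__":
    print(f"SLE prior {PRIOR.sle():,.0f}   ALE prior {PRIOR.ale():,.0f}")
    print(f"SLE post  {POST.sle():,.0f}   ALE post  {POST.ale():,.0f}")
    print(f"CBA {cba(PRIOR, POST, ACS):,.0f}  (break-even ACS {break_even_acs(PRIOR, POST):,.0f})")
```

Running the same `cba` with an ACS above the break-even figure returns a negative number, which is the quantitative signal to pick a cheaper control or to accept the risk.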
Other Methods of Establishing Feasibility
Organisational feasibility analysis
Examines how well the proposed information security alternatives will contribute to the operation of an organisation
Operational feasibility
Addresses user and management acceptance and support
Addresses the overall requirements of the organisation’s stakeholders
Technical feasibility
Examines whether or not the organisation has or can acquire the technology to implement and support the alternatives
Political feasibility
Defines what can and cannot occur based on the consensus and relationships between the communities of interest
Alternatives to Feasibility Analysis
Benchmarking
Due care and due diligence
Best business practices
Gold standard
Government recommendations
Baseline
Recommended Risk Control Practices
Organisations typically look for a more straightforward method of implementing controls
This preference has prompted an ongoing search for ways to design security architectures that go beyond the direct application of specific controls for specific information asset vulnerability
Qualitative and Hybrid Measures
Quantitative assessment
Performs asset valuation with actual values or estimates
May be difficult to assign specific values
Qualitative assessment
Use scales instead of specific estimates
Hybrid assessment
Tries to improve upon the ambiguity of qualitative measures without resorting to the unsubstantiated numerical estimates that quantitative measures require
A Single Source Approach to Risk Management
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method
Defines the essential components of a comprehensive, systematic, context-driven, self-directed information security risk evaluation
Allows an organisation to make information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information technology assets
The operational or business units and the IT department work together to address the information security needs of the organisation
The OCTAVE Methods
Three variations of the OCTAVE method
The original OCTAVE method, (forms the basis for the OCTAVE body of knowledge)
Was designed for larger organisations with 300 or more users
OCTAVE-S
For smaller organisations of about 100 users
OCTAVE-Allegro
A streamlined approach for information security assessment and assurance
For more information: www.cert.org/octave/
Microsoft Risk Management Approach
Microsoft Corporation also promotes a risk management approach
Four phases in the Microsoft InfoSec risk management process:
Assessing risk
Conducting decision support
Implementing controls
Measuring program effectiveness
Microsoft Risk Management Approach (cont’d.)
Assessing Risk: Identification and prioritisation of risks facing the organisation
Plan data gathering – discuss keys to success and preparation guidance
Gather risk data – outline the data collection process and analysis
Prioritise risks – outline prescriptive steps to qualify and quantify risks
Microsoft Risk Management Approach (cont’d.)
Conducting Decision Support: Identify and evaluate available controls
Define functional requirements – create the necessary requirements to mitigate risks
Select possible control solutions – outline approach to identify mitigation solutions
Review solution – evaluate proposed controls against functional requirements
Microsoft Risk Management Approach (cont’d.)
Identify and evaluate available controls (cont’d.)
Estimate risk reduction – endeavor to understand reduced exposure or probability of risks
Estimate solution cost – evaluate direct and indirect costs associated with mitigation solutions
Select mitigation strategy – complete cost-benefit analysis to identify the most cost-effective mitigation solution
Implementing controls: deployment and operation of the controls selected from the cost-benefit analyses and other mitigating factors from the previous step
Seek holistic approach – incorporate people, process, and technology in mitigation solution
Organise by defense-in-depth – arrange mitigation solutions across the business
Microsoft Risk Management Approach (cont’d.)
Microsoft Risk Management Approach (cont’d.)
Measuring program effectiveness: ongoing assessment of the effectiveness of the risk management program
Develop risk scorecard – understand risk posture and progress
Measure program effectiveness – evaluate the risk management program for opportunities to improve
Figure A-1 Security Risk Management Guide
Microsoft Risk Management Approach (cont’d.)
Source: Course Technology/Cengage Learning
Microsoft Risk Management Approach (cont’d.)
Additional information is available at:
www.microsoft.com/technet/security/topics/complianceandpolicies/secrisk/default.mspx
FAIR
The Factor Analysis of Information Risk (FAIR) framework includes:
A taxonomy for information risk
Standard nomenclature for information risk terms
A framework for establishing data collection criteria
Measurement scales for risk factors
A computational engine for calculating risk
FAIR (cont’d.)
The Factor Analysis of Information Risk (FAIR) framework includes: (cont’d.)
A modeling construct for analysing complex risk scenarios
See http://fairwiki.riskmanagementinsight.com
FAIR (cont’d.)
Basic FAIR analysis consists of ten steps in four stages
Stage 1 – Identify scenario components
1. Identify the asset at risk
2. Identify the threat community under consideration
Stage 2 – Evaluate loss event frequency
3. Estimate the probable threat event frequency
4. Estimate the threat capability (TCap)
FAIR (cont’d.)
Stage 2 – Evaluate loss event frequency (cont’d.)
5. Estimate Control strength (CS)
6. Derive Vulnerability (Vuln)
7. Derive Loss Event Frequency (LEF)
Stage 3 – Evaluate probable loss magnitude (PLM)
8. Estimate worst-case loss
9. Estimate probable loss
FAIR (cont’d.)
Stage 4 – Derive and articulate Risk
10. Derive and articulate Risk
Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges, for example very high to very low
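Steps 4 to 10 above are derivations, and they can be followed numerically. This is an added example, not from the course slides and not FAIR's own tooling. Its modelling assumptions: threat capability (TCap) and control strength (CS) are given as inclusive percentile ranges and treated as uniform over whole percentiles; Vuln is taken as the probability that the threat agent's capability exceeds the control strength, which is how FAIR relates those two factors; loss magnitudes are given directly in dollars rather than on FAIR's qualitative scales.

```python
"""FAIR-style derivation: Vuln from TCap vs CS, LEF = TEF x Vuln, risk = LEF x loss.

Added example, not from the course slides or from FAIR's own tooling.
Assumptions: TCap and CS are inclusive percentile ranges treated as uniform over
whole percentiles; Vuln = P(TCap > CS); losses are dollar figures.
"""
from itertools import product


def derive_vulnerability(tcap_range, cs_range) -> float:
    """Step 6: P(TCap > CS) over every pair of percentiles in the two ranges."""
    t_lo, t_hi = tcap_range
    c_lo, c_hi = cs_range
    if not (0 <= t_lo <= t_hi <= 100 and 0 <= c_lo <= c_hi <= 100):
        raise ValueError("ranges must be percentiles with lo <= hi")
    pairs = list(product(range(t_lo, t_hi + 1), range(c_lo, c_hi + 1)))
    exceed = sum(1 for tcap, cs in pairs if tcap > cs)
    return exceed / len(pairs)


def derive_lef(tef: float, vuln: float) -> float:
    """Step 7: loss event frequency, the threat events per year that succeed."""
    return tef * vuln


def fair_risk(tcap_range, cs_range, tef, probable_loss, worst_case_loss):
    """Steps 4-10: derive Vuln and LEF, then annualise probable and worst-case loss."""
    vuln = derive_vulnerability(tcap_range, cs_range)
    lef = derive_lef(tef, vuln)
    return {
        "vuln": vuln,
        "lef": lef,
        "annual_probable_loss": lef * probable_loss,
        "annual_worst_case_loss": lef * worst_case_loss,
    }


# Constructed scenario: a threat community in the 60th-80th percentile of capability
# against controls rated in the 70th-75th percentile, about four threat events a year
SCENARIO = fair_risk((60, 80), (70, 75), tef=4.0,
                     probable_loss=50_000, worst_case_loss=500_000)

if __name__ == "__main__":
    for name, value in SCENARIO.items():
        print(f"{name}: {value:,.3f}")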
FAIR (cont’d.)
Figure 9-4 Factor analysis of information risk (FAIR)
Source: Course Technology/Cengage Learning (Based on concepts from Jack A. Jones)
ISO 27005 Standard for Information Security Risk Management
The ISO 27000 series includes a standard for the performance of Risk Management
ISO 27005
See http://www.27000.org/iso-27005.htm
ISO 27005 Standard for Information Security Risk Management (cont’d.)
The 27005 document includes a five-stage risk management methodology
Information security risk assessment (ISRA)
Information security risk treatment
Information security risk acceptance
Information security risk communication
Information security risk monitoring and review
Other Methods
Figure 9-5 ENISA ranking of risk management methods
Source: Course Technology/Cengage Learning
Summary
Introduction
Risk control strategies
Risk control strategy selection
Categories of controls
Feasibility studies and cost-benefit analysis
Risk management discussion points
Recommended risk control practices
The OCTAVE method
Summary (cont’d.)
The Microsoft risk management approach
FAIR
ISO 27005 Standard for Information Security Risk Management
ITC358
ICT Management and Information Security
Chapter 10
Protection Mechanisms
People are the missing link to improving Information Security. Technology alone can’t solve the challenges of Information Security. – The Human Firewall Council
Objectives
Upon completion of this chapter, you should be able to:
Describe the various access control approaches, including authentication, authorisation, and biometric access controls
Identify the various types of firewalls and the common approaches to firewall implementation
Enumerate and discuss the current issues in dial-up access and protection
Identify and describe the types of intrusion detection systems and the two strategies on which they are based
Explain cryptography and the encryption process, and compare and contrast symmetric and asymmetric encryption
Introduction
Technical controls
Usually an essential part of information security programs
Insufficient if used alone
Must be combined with sound policy and education, training, and awareness efforts
Examples of technical security mechanisms
Access controls, firewalls, dial-up protection, intrusion detection systems, scanning and analysis tools, and encryption systems
Introduction (cont’d.)
Figure 10-1 Sphere of security
Source: Course Technology/Cengage Learning
Access Controls
The four processes of access control
Identification
Obtaining the identity of the person requesting access to a logical or physical area
Authentication
Confirming the identity of the person seeking access to a logical or physical area
Authorisation
Determining which actions that a person can perform in that physical or logical area
Accountability
Documenting the activities of the authorised individual and systems
A successful access control approach always incorporates all four of these elements
Identification
A mechanism that provides information about a supplicant that requests access
Identifier (ID)
The label applied to the supplicant
Must be a unique value that can be mapped to one and only one entity within the security domain
Examples: name, first initial and surname
Authentication
Authentication mechanism types
Something you know
Something you have
Something you are
Something you produce
Strong authentication
Uses at least two different authentication mechanism types
Authentication (cont’d.)
Something you know
A password, passphrase, or other unique code
A password is a private word or combination of characters that only the user should know
A passphrase is a plain-language phrase, typically longer than a password, from which a virtual password is derived
Passwords should be at least eight characters long and contain at least one number and one special character (the textbook's rule; current NIST SP 800-63B guidance instead favours length, and screening against lists of known-compromised passwords, over mandatory composition rules)
Table 10-1 Password power
Source: Course Technology/Cengage Learning
Authentication (cont’d.)
Something you have
Something that the user or system possesses
Examples:
A card, key, or token
A dumb card (such as an ATM card) with magnetic stripes
A smart card containing a processor
A cryptographic token (a processor in a card that has a display)
Tokens may be either synchronous or asynchronous
Authentication (cont’d.)
Figure 10-3 Access control tokens
Source: Course Technology/Cengage Learning
Authentication (cont’d.)
Something you are
Something inherent in the user that is evaluated using biometrics
Most technologies that scan human characteristics convert the images to obtain minutiae (unique points of reference that are digitised and stored in an encrypted format)
Something you produce
Something the user performs or produces
Includes technology related to signature recognition and voice recognition
Authentication (cont’d.)
Figure 10-4 Recognition characteristics
Source: Course Technology/Cengage Learning
Authorisation
Types of authorisation
Each authenticated user
The system performs an authentication process to verify the specific entity and then grants access to resources for only that entity
Members of a group
The system matches authenticated entities to a list of group memberships, and then grants access to resources based on the group’s access rights
Across multiple systems
A central system verifies identity and grants a set of credentials to the verified entity
Evaluating Biometrics
Biometric evaluation criteria
False reject rate (Type I error)
Percentage of authorised users who are denied access
False accept rate (Type II error)
Percentage of unauthorised users who are allowed access
Crossover error rate (CER)
Point at which the number of false rejections equals the number of false acceptances
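How the three rates are measured in practice: a matcher produces a similarity score for each attempt, and the system accepts when the score is at or above a threshold. Raising the threshold lowers the false accept rate and raises the false reject rate, and the CER is the threshold at which the two meet. This is an added example, not from the course slides; the score samples come from a fictional matcher and are constructed for illustration.

```python
"""FRR, FAR and crossover error rate from matcher scores at varying thresholds.

Added example, not from the course slides. Scores are constructed: a 'genuine'
attempt is the enrolled user, an 'impostor' attempt is anyone else, and the
system accepts when the match score is at or above the threshold.
"""
from typing import Sequence


def false_reject_rate(genuine: Sequence[float], threshold: float) -> float:
    """Type I error: fraction of authorised users rejected at this threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor: Sequence[float], threshold: float) -> float:
    """Type II error: fraction of unauthorised users accepted at this threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine, impostor):
    """(threshold, FRR, FAR) at every distinct observed score, lowest threshold first."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, false_reject_rate(genuine, t), false_accept_rate(impostor, t))
            for t in thresholds]


def crossover_error_rate(genuine, impostor):
    """Threshold where FRR and FAR are closest, and the error rate there (the CER)."""
    t, frr, far = min(error_curve(genuine, impostor),
                      key=lambda row: abs(row[1] - row[2]))
    return t, (frr + far) / 2


# Constructed sample scores (0.0-1.0) from a fictional fingerprint matcher
GENUINE = [0.92, 0.88, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60]
IMPOSTOR = [0.72, 0.68, 0.62, 0.55, 0.50, 0.45, 0.40, 0.35]

if __name__ == "__main__":
    for t, frr, far in error_curve(GENUINE, IMPOSTOR):
        print(f"threshold {t:.2f}  FRR {frr:.3f}  FAR {far:.3f}")
    t, cer = crossover_error_rate(GENUINE, IMPOSTOR)
    print(f"CER {cer:.3f} at threshold {t:.2f}")
```

Whether to operate at the CER is a policy choice: a data-centre door would be tuned above it (fewer false accepts, more re-tries), a low-value convenience login below it.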
Acceptability of Biometrics
Note: iris scanning has grown rapidly in popularity because of its acceptability, low cost, and effective security
Figure 10-4 Recognition characteristics
Source: Harold F. Tipton and Micki Krause. Handbook of Information Security Management. Boca Raton, FL: CRC Press, 1998: 39–41.
Managing Access Controls
A formal access control policy
Determines how access rights are granted to entities and groups
Includes provisions for periodically reviewing all access rights, granting access rights to new employees, changing access rights when job roles change, and revoking access rights as appropriate
Firewalls
Any device that prevents a specific type of information from moving between two networks
Between the outside (untrusted network: e.g., the Internet), and the inside (trusted network)
May be a separate computer system
Or a service running on an existing router or server
Or a separate network with a number of supporting devices
The Development of Firewalls
Packet filtering firewalls
First generation firewalls
Simple networking devices that filter packets by examining every incoming and outgoing packet header
Selectively filter packets based on values in the packet header
Can be configured to filter based on IP address, type of packet, port request, and/or other elements present in the packet
The Development of Firewalls (cont’d.)
Table 10-4 Packet filtering example rules
Source: Course Technology/Cengage Learning
The Development of Firewalls (cont’d.)
Application-level firewalls
Second generation firewalls
Consists of dedicated computers kept separate from the first filtering router (edge router)
Commonly used in conjunction with a second or internal filtering router – or proxy server
The proxy server, rather than the Web server, is exposed to the outside world from within a network segment called the demilitarised zone (DMZ), an intermediate area between a trusted network and an untrusted network
The Development of Firewalls (cont’d.)
Application-level firewalls (cont’d.)
Implemented for specific protocols
Stateful inspection firewalls
Third generation firewalls
Keeps track of each network connection established between internal and external systems using a state table
State tables track the state and context of each packet exchanged by recording which station sent which packet and when
The Development of Firewalls (cont’d.)
Stateful inspection firewalls (cont’d.)
Can restrict incoming packets by allowing access only to packets that constitute responses to requests from internal hosts
If the stateful inspection firewall receives an incoming packet that it cannot match to its state table
It falls back to its access control list (ACL) rules to determine whether to allow the packet to pass
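The difference between the first and third generations described above is easiest to see side by side: a packet filter judges each header against an ordered rule list on its own, so a legitimate reply to an internal host's request is only admitted if some rule happens to allow it, whereas a stateful filter recognises the reply from its state table and consults the rules only for packets it cannot match. This is an added example, not from the course slides; the addresses and rule table are constructed, 10.0.0.0/8 stands for the trusted network and 192.0.2.10 for a web server in the DMZ.

```python
"""Ordered packet-filter rules plus a state table that admits return traffic.

Added example, not from the course slides. A first-generation filter applies an
ordered rule list to each header (first match wins, default deny). A
third-generation stateful filter first admits packets belonging to a connection
an internal host already opened and only otherwise falls back to the rules.
All addresses and rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # CIDR block, or "any"
    dst: str                # CIDR block, or "any"
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # destination port, or None for any port

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, cidr: str) -> bool:
            return cidr == "any" or ip_address(addr) in ip_network(cidr)
        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


def packet_filter(rules, p: Packet) -> str:
    """First-generation behaviour: the first matching rule decides; no match means deny."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


class StatefulFilter:
    """Third-generation behaviour: track connections opened from inside, admit their replies."""

    def __init__(self, rules, internal: str = "10.0.0.0/8"):
        self.rules = rules
        self.internal = ip_network(internal)
        # state table entries: (internal ip, internal port, external ip, external port, proto)
        self.state = set()

    def decide(self, p: Packet) -> str:
        # A reply to a connection we saw leave: allowed without consulting the rule list
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.state:
            return "allow"
        action = packet_filter(self.rules, p)
        # Remember outbound connections so that their responses can come back in
        if action == "allow" and ip_address(p.src) in self.internal:
            self.state.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return action


# Constructed rule table in the spirit of Table 10-4; order matters
RULES = [
    Rule("allow", "10.0.0.0/8", "any", "tcp", None),     # internal hosts may open TCP connections anywhere
    Rule("allow", "any", "192.0.2.10/32", "tcp", 80),    # anyone may reach the DMZ web server on port 80
    Rule("deny", "any", "192.0.2.10/32", "tcp", 22),     # nobody else reaches its SSH port
    Rule("deny", "any", "any", "any", None),             # explicit default deny
]

if __name__ == "__main__":
    fw = StatefulFilter(RULES)
    request = Packet("10.1.2.3", "203.0.113.5", "tcp", 51000, 443)
    reply = Packet("203.0.113.5", "10.1.2.3", "tcp", 443, 51000)
    print("outbound request:", fw.decide(request))
    print("reply, stateless:", packet_filter(RULES, reply), "| stateful:", fw.decide(reply))
```

Note the ordering effect in the rule table: an internal host may still reach the DMZ server's SSH port because the first rule matches before the third, which is exactly the kind of interaction that makes long ACLs hard to audit.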
The Development of Firewalls (cont’d.)
Dynamic packet filtering firewall
Fourth generation firewall
Allows only a particular packet with a specific source, destination, and port address to pass through the firewall
Understands how the protocol functions, and opens and closes firewall pathways
An intermediate form between traditional static packet filters and application proxies
Firewall Architectures
Each firewall generation can be implemented in several architectural configurations
Common architectural implementations
Packet filtering routers
Screened-host firewalls
Dual-homed host firewalls
Screened-subnet firewalls
Firewall Architectures (cont’d.)
Packet filtering routers
Most organisations with an Internet connection use some form of router between their internal networks and the external service provider
Many can be configured to block packets that the organisation does not allow into the network
Such an architecture lacks auditing and strong authentication
The complexity of the access control lists used to filter the packets can grow to a point that degrades network performance
Firewall Architectures (cont’d.)
Figure 10-5 Packet filtering firewall
Source: Course Technology/Cengage Learning
Firewall Architectures (cont’d.)
Screened-host firewall systems
Combine the packet filtering router with a separate, dedicated firewall such as an application proxy server
Allows the router to screen packets
Minimises network traffic and load on the internal proxy
The application proxy examines an application layer protocol, such as HTTP, and performs the proxy services
Bastion host
A single, rich target for external attacks
Should be very thoroughly secured
Firewall Architectures (cont’d.)
Figure 10-6 Screened-host firewall
Source: Course Technology/Cengage Learning
Firewall Architectures (cont’d.)
Dual-homed host firewalls
The bastion host contains two network interfaces
One is connected to the external network
One is connected to the internal network
Requires all traffic to travel through the firewall to move between the internal and external networks
Network-address translation (NAT) is often implemented with this architecture, which converts external IP addresses to special ranges of internal IP addresses
These special, nonroutable addresses consist of three different ranges:
10.x.x.x: greater than 16.5 million usable addresses
192.168.x.x: greater than 65,500 addresses
172.16.0.x – 172.16.15.x: greater than 4000 usable addresses
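A practitioner's check on the nonroutable ranges above, as an added example (not textbook code). RFC 1918 defines the three private blocks as 10.0.0.0/8, 172.16.0.0/12 (172.16.0.0 through 172.31.255.255) and 192.168.0.0/16; the sub-range listed above is a slice of the third block. The helper also shows the filtering rule a packet filtering router applies at the perimeter: a packet arriving from the untrusted side must never carry a private source address. Sample addresses are constructed.

```python
"""RFC 1918 private-address checks, as an added example (not textbook code).
Sample addresses used in the tests are constructed."""
import ipaddress

RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),     # 172.16.0.0 through 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),
]


def private_block(addr: str):
    """Return the RFC 1918 block containing addr, or None if it is publicly routable."""
    ip = ipaddress.ip_address(addr)
    for block in RFC1918_BLOCKS:
        if ip in block:
            return str(block)
    return None


def usable_hosts(cidr: str) -> int:
    """Addresses in the block minus the network and broadcast addresses."""
    return ipaddress.ip_network(cidr).num_addresses - 2


def drop_as_bogon(src: str) -> bool:
    """Perimeter rule for a packet filtering router: nothing legitimate is routed
    across the Internet from a private source address, so an inbound packet
    claiming one is dropped (it is spoofed or the result of a misconfiguration)."""
    return private_block(src) is not None


def summary() -> dict:
    """Usable host count per private block, for comparison with the figures above."""
    return {str(b): usable_hosts(str(b)) for b in RFC1918_BLOCKS}


if __name__ == "__main__":
    print(summary())
    print(private_block("172.31.255.254"), private_block("172.32.0.1"))
```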
Firewall Architectures (cont.)
Figure 10-7 Dual-homed host firewall
Source: Course Technology/Cengage Learning
Screened-Subnet Firewalls
Consist of one or more internal bastion hosts located behind a packet filtering router, with each host protecting the trusted network
The first general model uses two filtering routers, with one or more dual-homed bastion hosts between them
The second general model routes connections as follows:
Connections from the untrusted network are routed through an external filtering router
Connections from the untrusted network are routed into—and then out of—a routing firewall to the separate network segment known as the DMZ
Connections into the trusted internal network are allowed only from the DMZ bastion host servers
Firewall Architectures (cont.)
Figure 10-8 Screened subnet (DMZ)
Source: Course Technology/Cengage Learning
Selecting the Right Firewall
Questions to ask when evaluating a firewall:
Firewall technology:
What type offers the right balance between protection and cost for the organisation’s needs?
Cost:
What features are included in the base price? At extra cost? Are all cost factors known?
Maintenance:
How easy is it to set up and configure the firewall?
How accessible are the staff technicians who can competently configure the firewall?
Future growth:
Can the candidate firewall adapt to the growing network in the target organisation?
Managing Firewalls
Any firewall device must have its own configuration
Regulates its actions
Regardless of firewall implementation
Policy regarding firewall use
Should be articulated before the firewall is made operable
Configuring firewall rule sets can be difficult
Each firewall rule must be carefully crafted, placed into the list in the proper sequence, debugged, and tested
Managing Firewalls (cont’d.)
Configuring firewall rule sets (cont’d.)
Proper sequence: perform most resource-intensive actions after the most restrictive ones
Reduces the number of packets that undergo intense scrutiny
Firewalls deal strictly with defined patterns of measured observation
Are prone to programming errors, flaws in rule sets, and other inherent vulnerabilities
Firewalls are designed to function within limits of hardware capacity
Can only respond to patterns of events that happen in an expected and reasonably simultaneous sequence
Managing Firewalls (cont’d.)
Firewall best practices
All traffic from the trusted network allowed out
The firewall is never accessible directly from the public network
Simple Mail Transfer Protocol (SMTP) data is allowed to pass through the firewall
Should be routed to an SMTP gateway
All Internet Control Message Protocol (ICMP) data should be denied
Managing Firewalls (cont’d.)
Firewall best practices (cont’d.)
Telnet (terminal emulation) access to all internal servers from the public networks should be blocked
When Web services are offered outside the firewall
HTTP traffic should be handled by some form of proxy access or DMZ architecture
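The rule-sequencing advice and the best practices above, as an added example (not the textbook's code): a first-match rule set in which the cheap, restrictive denies come before the allows, plus a shadowing check that finds rules which can never fire because an earlier rule already covers them, which is part of the "debugged, and tested" step. Zones ('public', 'trusted', 'internal', 'smtp_gw', 'dmz_proxy', 'firewall') stand in for real addresses; all rules and packets are constructed.

```python
"""First-match firewall rule set with a shadowing check. Added example, not
textbook code; zones, rules and packets are constructed for the illustration."""
from dataclasses import dataclass
from typing import Union

ANY = "*"


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str               # 'in' (arriving from the public side) or 'out' (leaving the trusted side)
    proto: str                   # 'tcp', 'udp', 'icmp' or '*'
    src: str                     # zone name or '*'
    dst: str                     # zone name or '*'
    dport: Union[int, str]       # port number or '*'
    action: str                  # 'allow' or 'deny'


def _covers(field, value) -> bool:
    return field == ANY or field == value


def matches(rule: Rule, pkt: dict) -> bool:
    return (rule.direction == pkt["direction"]
            and _covers(rule.proto, pkt["proto"])
            and _covers(rule.src, pkt["src"])
            and _covers(rule.dst, pkt["dst"])
            and _covers(rule.dport, pkt["dport"]))


def first_match(rules, pkt):
    """Walk the list in order; the first matching rule decides. Restrictive, cheap
    rules go first so most packets never reach the more expensive ones."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def shadowed(rules):
    """Names of rules that can never fire because an earlier rule in the same
    direction already matches everything they would match."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.direction == later.direction
                    and _covers(earlier.proto, later.proto)
                    and _covers(earlier.src, later.src)
                    and _covers(earlier.dst, later.dst)
                    and _covers(earlier.dport, later.dport)):
                out.append(later.name)
                break
    return out


# The best practices listed above, written as an ordered rule set.
BEST_PRACTICE_RULES = [
    Rule("deny-direct-to-firewall", "in", ANY, "public", "firewall", ANY, "deny"),
    Rule("deny-icmp", "in", "icmp", ANY, ANY, ANY, "deny"),
    Rule("deny-telnet-from-public", "in", "tcp", "public", "internal", 23, "deny"),
    Rule("smtp-to-gateway-only", "in", "tcp", "public", "smtp_gw", 25, "allow"),
    Rule("http-via-proxy", "in", "tcp", "public", "dmz_proxy", 80, "allow"),
    Rule("trusted-out", "out", ANY, "trusted", ANY, ANY, "allow"),
]

# A misordered set: the broad allow precedes the specific deny, so the deny is shadowed.
MISORDERED_RULES = [
    Rule("allow-public-tcp", "in", "tcp", "public", ANY, ANY, "allow"),
    Rule("deny-telnet-from-public", "in", "tcp", "public", "internal", 23, "deny"),
]


def packet(direction, proto, src, dst, dport) -> dict:
    return {"direction": direction, "proto": proto, "src": src, "dst": dst, "dport": dport}


if __name__ == "__main__":
    telnet = packet("in", "tcp", "public", "internal", 23)
    print(first_match(BEST_PRACTICE_RULES, telnet))   # ('deny', 'deny-telnet-from-public')
    print(first_match(MISORDERED_RULES, telnet))      # ('allow', 'allow-public-tcp')
    print(shadowed(MISORDERED_RULES))                 # ['deny-telnet-from-public']
```

SMTP addressed to an ordinary internal host falls through to the implicit deny: only the SMTP gateway is reachable on port 25, which is what "should be routed to an SMTP gateway" means in rule form.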
Intrusion Detection and Prevention Systems
The term intrusion detection/prevention system (IDPS) can be used to describe current anti-intrusion technologies
Can detect an intrusion
Can also prevent that intrusion from successfully attacking the organisation by means of an active response
Intrusion Detection and Prevention Systems (cont’d.)
IDPSs work like burglar alarms
Administrators can choose the alarm level
Can be configured to notify administrators via e-mail and numerical or text paging
Like firewall systems, IDPSs require complex configurations to provide the level of detection and response desired
Intrusion Detection and Prevention Systems (cont’d.)
The newer IDPS technologies
Different from older IDS technologies
IDPS technologies can respond to a detected threat by attempting to prevent it from succeeding
Types of response techniques:
The IDPS stops the attack itself
The IDPS changes the security environment
The IDPS changes the attack’s content
Intrusion Detection and Prevention Systems (cont’d.)
IDPSs are either network based to protect network information assets
Or host based to protect server or host information assets
IDPS detection methods
Signature based
Statistical anomaly based
Intrusion Detection and Prevention Systems (cont’d.)
Figure 10-9 Intrusion detection and prevention systems
Source: Course Technology/Cengage Learning
Host-Based IDPS
Configures and classifies various categories of systems and data files
IDPSs provide only a few general levels of alert notification
Unless the IDPS is very precisely configured, benign actions can generate a large volume of false alarms
Host-based IDPSs can monitor multiple computers simultaneously
Network-Based IDPS
Monitor network traffic
When a predefined condition occurs, notifies the appropriate administrator
Looks for patterns of network traffic
Match known and unknown attack strategies against their knowledge base to determine whether an attack has occurred
Yield many more false-positive readings than host-based IDPSs
Signature-Based IDPS
Examines data traffic for something that matches the preconfigured, predetermined attack pattern signatures
Also called knowledge-based IDPS
The signatures must be continually updated as new attack strategies emerge
A weakness of this method:
If attacks are slow and methodical, they may slip undetected through the IDPS, as their actions may not match a signature that includes factors based on duration of the events
Statistical Anomaly-Based IDPS
Also called behavior-based IDPS
First collects data from normal traffic and establishes a baseline
Then periodically samples network activity, based on statistical methods, and compares the samples to the baseline
When activity falls outside the baseline parameters (clipping level)
The IDPS notifies the administrator
Advantage: Able to detect new types of attacks, because it looks for abnormal activity of any type
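The two detection methods described in the last two slides, run over constructed sample data as an added example (not the textbook's code): a small knowledge base of signatures matched against request lines, and a statistical clipping level (mean plus k standard deviations) derived from a baseline of normal request rates. The request lines, signatures and baseline figures are all constructed.

```python
"""Signature-based and statistical anomaly-based detection over constructed samples.
Added example, not textbook code."""
import re
import statistics

# Constructed web-server request lines: "source-ip method path status".
SAMPLE_REQUESTS = [
    "203.0.113.5 GET /index.html 200",
    "203.0.113.5 GET /login.php?user=admin%27%20OR%201=1 200",
    "198.51.100.7 GET /../../etc/passwd 404",
    "203.0.113.5 GET /about.html 200",
]

# Knowledge base of attack signatures (deliberately tiny; real sets are large and
# must be kept current as new attack strategies emerge).
SIGNATURES = {
    "sqli-tautology": re.compile(r"(?:%27|')(?:%20|\s)*OR(?:%20|\s)+1=1", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def signature_alerts(lines):
    """Return (signature name, source ip) for every line that matches a signature."""
    alerts = []
    for line in lines:
        src = line.split()[0]
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append((name, src))
    return alerts


# Constructed baseline: requests per minute from one source during normal use.
BASELINE_RPM = [12, 15, 11, 14, 13, 12, 16, 14]


def clipping_level(baseline, k=3.0) -> float:
    """Alert threshold: mean plus k sample standard deviations of the baseline."""
    return statistics.mean(baseline) + k * statistics.stdev(baseline)


def anomaly_alerts(samples, baseline, k=3.0):
    """samples: list of (source ip, requests per minute) from a later sampling period.
    Anything above the clipping level is reported whether or not a signature exists,
    which is how this method catches activity no signature yet describes."""
    level = clipping_level(baseline, k)
    return [(src, rpm) for src, rpm in samples if rpm > level]


# Constructed current sampling period.
CURRENT_SAMPLES = [("203.0.113.5", 14), ("198.51.100.7", 90), ("192.0.2.20", 17)]


if __name__ == "__main__":
    print(signature_alerts(SAMPLE_REQUESTS))
    print(round(clipping_level(BASELINE_RPM), 2))
    print(anomaly_alerts(CURRENT_SAMPLES, BASELINE_RPM))
```

The source at 17 requests per minute sits below the clipping level and is not reported; lowering k would report it at the cost of more false alarms, which is the tuning trade-off the management slides that follow describe.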
Managing Intrusion Detection and Prevention Systems
If there is no response to an alert, then an alarm does no good
IDPSs must be configured to differentiate between routine circumstances and low, moderate, or severe threats
A properly configured IDPS can translate a security alert into different types of notifications
A poorly configured IDPS may yield only noise
Managing Intrusion Detection and Prevention Systems (cont’d.)
Most IDPSs monitor systems using agents
Software that resides on a system and reports back to a management server
Consolidated enterprise manager
Software that allows the security professional to collect data from multiple host- and network-based IDPSs and look for patterns across systems and subnetworks
Collecting responses from all IDPSs
Used to identify cross-system probes and intrusions
Remote Access Protection
War-dialer
A device used by an attacker to locate an organisation’s dial-up connection points
Network connectivity using dial-up connections
Usually much simpler and less sophisticated than Internet connections
Simple user name and password schemes are usually the only means of authentication
RADIUS and TACACS
Systems that authenticate the credentials of dial-up access users
Typical dial-up systems place the authentication of users on the system connected to the modems
A Remote Authentication Dial-In User Service (RADIUS) system
Centralises the management of user authentication
Placing the responsibility for authenticating each user in the central RADIUS server
RADIUS and TACACS (cont’d.)
A remote access server receives a request for a network connection from a dial-up client
It passes the request along with the user’s credentials to the RADIUS server, which validates the credentials
The Terminal Access Controller Access Control System (TACACS) works similarly
Based on a client/server configuration
RADIUS and TACACS (cont’d.)
Figure 10-10 RADIUS configuration
Source: Course Technology/Cengage Learning
Managing Dial-Up Connections
Organisations that continue to offer dial-up (VPN to be concerned) remote access must:
Determine how many dial-up connections the organisation has
Control access to authorised modem numbers
Use call-back whenever possible
Use token-based authentication if at all possible
Wireless Networking Protection
Most organisations that make use of wireless networks use an implementation based on the IEEE 802.11 protocol
The size of a wireless network’s footprint
Depends on the amount of power the transmitter/receiver wireless access points (WAP) emit
Sufficient power must exist to ensure quality connections within the intended area
But not allow those outside the footprint to connect
Wireless Networking Protection (cont’d.)
War driving
Moving through a geographic area or building, actively scanning for open or unsecured WAPs
Common encryption protocols used to secure wireless networks
Wired Equivalent Privacy (WEP)
Wi-Fi Protected Access (WPA)
Wired Equivalent Privacy (WEP)
Provides a basic level of security to prevent unauthorised access or eavesdropping
Does not protect users from observing each others’ data
Has several fundamental cryptological flaws
Resulting in vulnerabilities that can be exploited, which led to replacement by WPA
Wi-Fi Protected Access (WPA)
WPA is an industry standard
Created by the Wi-Fi Alliance
Some compatibility issues with older WAPs
IEEE 802.11i
Has been implemented in products such as WPA2
WPA2 has newer, more robust security protocols based on the Advanced Encryption Standard
WPA/WPA2 provide increased capabilities for authentication, encryption, and throughput
Wi-Max
Wi-Max (WirelessMAN)
An improvement on the technology developed for cellular telephones and modems
Developed as part of the IEEE 802.16 standard
A certification mark that stands for Worldwide Interoperability for Microwave Access
Bluetooth
A de-facto industry standard for short range (approx 30 ft) wireless communications between devices
The Bluetooth wireless communications link can be exploited by anyone within range
Unless suitable security controls are implemented
In discoverable mode devices can easily be accessed
Even in nondiscoverable mode, the device is susceptible to access by other devices that have connected with it in the past
Bluetooth (cont’d.)
Does not authenticate connections
It does implement some degree of security when devices access certain services like dial-up accounts and local-area file transfers
To secure Bluetooth enabled devices:
Turn off Bluetooth when you do not intend to use it
Do not accept an incoming communications pairing request unless you know who the requestor is
Managing Wireless Connections
One of the first management requirements is to regulate the size of the wireless network footprint
By adjusting the placement and strength of the WAPs
Select WPA or WPA2 over WEP
Protect preshared keys
Scanning and Analysis Tools
Used to find vulnerabilities in systems
Holes in security components, and other unsecured aspects of the network
Conscientious administrators frequently browse for new vulnerabilities, recent conquests, and favorite assault techniques
Security administrators may use attacker’s tools to examine their own defenses and search out areas of vulnerability
Scanning and Analysis Tools (cont’d.)
Scanning tools
Collect the information that an attacker needs to succeed
Footprinting
The organised research of the Internet addresses owned by a target organisation
Fingerprinting (nmap -sV des_host)
The systematic examination of all of the organisation’s network addresses
Yields useful information about attack targets
Port Scanners
A port is a network channel or connection point in a data communications system
Port scanning utilities (port scanners)
Identify computers that are active on a network, as well as their active ports and services, the functions and roles fulfilled by the machines, and other useful information
Port Scanners (cont’d.)
Well-known ports
Those from 0 through 1023
Registered ports are those from 1024 through 49151
Dynamic and private ports are those from 49152 through 65535
Open ports must be secured
Can be used to send commands to a computer, gain access to a server, and exert control over a networking device
Port Scanners (cont’d.)
Table 10-5 Commonly used port numbers
Source: Course Technology/Cengage Learning
Vulnerability Scanners
Capable of scanning networks for very detailed information
Variants of port scanners
Identify exposed user names and groups, show open network shares, and expose configuration problems and other server vulnerabilities
Packet Sniffers
A network tool that collects and analyses packets on a network
It can be used to eavesdrop on network traffic
Connects directly to a local network from an internal location
To use a packet sniffer legally, you must:
Be on a network that the organisation owns
Be directly authorised by the network’s owners
Have the knowledge and consent of the users
Have a justifiable business reason for doing so
Content Filters
Protect the organisation’s systems from misuse
And unintentional denial-of-service conditions
A software program or a hardware/software appliance that allows administrators to restrict content that comes into a network
Common application of a content filter
Restriction of access to Web sites with non-business-related material, such as pornography, or restriction of spam e-mail
Content filters ensure that employees are using network resources appropriately
Trap and Trace
Growing in popularity
Trap function
Describes software designed to entice individuals who are illegally perusing the internal areas of a network
Trace
A process by which the organisation attempts to determine the identity of someone discovered in unauthorised areas of the network or systems
If the identified individual is outside the security perimeter
Policy will guide the process of escalation to law enforcement or civil authorities
Managing Scanning and Analysis Tools
The security manager must be able to see the organisation’s systems and networks from the viewpoint of potential attackers
The security manager should develop a program to periodically scan his or her own systems and networks for vulnerabilities with the same tools that a typical hacker might use
Using in-house resources, contractors, or an outsourced service provider
Managing Scanning and Analysis Tools (cont’d.)
Drawbacks:
Tools do not have human-level capabilities
Most tools function by pattern recognition, so they only handle known issues
Most tools are computer-based, so they are prone to errors, flaws, and vulnerabilities of their own
Tools are designed, configured, and operated by humans and are subject to human errors
Some governments, agencies, institutions, and universities have established policies or laws that protect the individual user’s right to access content
Tool usage and configuration must comply with an explicitly articulated policy, and the policy must provide for valid exceptions
Cryptography
Encryption
The process of converting an original message into a form that cannot be understood by unauthorised individuals
Cryptology
The science of encryption
Composed of two disciplines: cryptography and cryptanalysis
Cryptography (cont’d.)
Cryptology (cont’d.)
Cryptography
Describes the processes involved in encoding and decoding messages so that others cannot understand them
Cryptanalysis
The process of deciphering the original message (or plaintext) from an encrypted message (or ciphertext), without knowing the algorithms and keys used to perform the encryption
Cryptography (cont’d.)
Algorithm
A mathematical formula or method used to convert an unencrypted message into an encrypted message
Cipher
The transformation of the individual components of an unencrypted message into encrypted components
Ciphertext or cryptogram
The unintelligible encrypted or encoded message resulting from an encryption
Cryptography (cont’d.)
Cryptosystem
The set of transformations that convert an unencrypted message into an encrypted message
Decipher
To decrypt or convert ciphertext to plaintext
Encipher
To encrypt or convert plaintext to ciphertext
Cryptography (cont’d.)
Key
The information used in conjunction with the algorithm to create the ciphertext from the plaintext
Can be a series of bits used in a mathematical algorithm, or the knowledge of how to manipulate the plaintext
Cryptography (cont’d.)
Keyspace
The entire range of values that can possibly be used to construct an individual key
Plaintext (also called cleartext)
The original unencrypted message that is encrypted and results from successful decryption
Steganography
The process of hiding messages, usually within graphic images
Work factor
The amount of effort (usually expressed in hours) required to perform cryptanalysis on an encoded message
Encryption Operations
Common ciphers
Most commonly used algorithms include three functions: substitution, transposition, and XOR
In a substitution cipher, you substitute one value for another
A monoalphabetic substitution uses only one alphabet
A polyalphabetic substitution uses two or more alphabets
Encryption Operations (cont’d.)
Transposition cipher (or permutation cipher)
Simply rearranges the values within a block to create the ciphertext
Can be done at the bit level or at the byte (character) level
XOR cipher conversion
The bit stream is subjected to a Boolean XOR function against some other data stream, typically a key stream
Encryption Operations (cont’d.)
XOR works as follows:
‘0’ XOR’ed with ‘0’ results in a ‘0’ (0 ⊕ 0 = 0)
‘0’ XOR’ed with ‘1’ results in a ‘1’ (0 ⊕ 1 = 1)
‘1’ XOR’ed with ‘0’ results in a ‘1’ (1 ⊕ 0 = 1)
‘1’ XOR’ed with ‘1’ results in a ‘0’ (1 ⊕ 1 = 0)
If the two values are the same, you get “0”; if not, you get “1”
Process is reversible; if you XOR the ciphertext with the key stream, you get the plaintext
Encryption Operations (cont’d.)
Vernam cipher
Also known as the one-time pad
Was developed at AT&T
Uses a set of characters that are used for encryption operations only one time and then discarded
Values from this one-time pad are added to the block of text, and the resulting sum is converted to text
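The three cipher functions from the Encryption Operations slides (substitution, transposition, XOR) and the one-time pad built on XOR, as an added example that is not the textbook's code. The messages, the shift value and the permutation key are constructed. The last helper shows why the pad is "one-time": XOR-ing two ciphertexts made with the same pad cancels the pad, which is the property a defender cites when forbidding pad or keystream reuse.

```python
"""Substitution, transposition and XOR ciphers plus a one-time pad.
Added example, not textbook code; messages and keys are constructed."""
import secrets
import string

ALPHABET = string.ascii_uppercase


def substitute(text: str, shift: int) -> str:
    """Monoalphabetic substitution: each letter is replaced by the letter `shift`
    positions along a single alphabet; non-letters pass through unchanged."""
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def transpose(text: str, perm: tuple, pad: str = "X") -> str:
    """Transposition: rearrange the characters inside each block according to
    `perm`, a permutation of range(len(perm)). Values are moved, never changed."""
    n = len(perm)
    text += pad * (-len(text) % n)           # pad the final block to a full block
    blocks = [text[i:i + n] for i in range(0, len(text), n)]
    return "".join("".join(b[p] for p in perm) for b in blocks)


def untranspose(text: str, perm: tuple) -> str:
    """Undo transpose() by applying the inverse permutation."""
    inverse = [0] * len(perm)
    for i, p in enumerate(perm):
        inverse[p] = i
    return transpose(text, tuple(inverse))


def xor_bytes(data: bytes, keystream: bytes) -> bytes:
    """XOR the data against a keystream at least as long as the data.
    Applying the same keystream again recovers the original bytes."""
    if len(keystream) < len(data):
        raise ValueError("keystream shorter than data")
    return bytes(d ^ k for d, k in zip(data, keystream))


def one_time_pad_encrypt(message: bytes):
    """Vernam cipher: a fresh random pad as long as the message, used exactly once."""
    pad = secrets.token_bytes(len(message))
    return pad, xor_bytes(message, pad)


def pad_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """XOR of two ciphertexts under the same pad equals plaintext1 XOR plaintext2:
    the pad cancels out, which is why a pad must never be reused."""
    return xor_bytes(ct1, ct2)


if __name__ == "__main__":
    print(substitute("ATTACK AT DAWN", 3))                  # DWWDFN DW GDZQ
    print(transpose("ATTACKATDAWN", (2, 0, 3, 1)))          # TAATACTKWDNA
    pad, ct = one_time_pad_encrypt(b"attack at dawn")
    print(xor_bytes(ct, pad))                               # b'attack at dawn'
```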
Encryption Operations (cont’d.)
Book or running key cipher
Used in the occasional spy movie
Uses text in a book as the algorithm to decrypt a message
The key relies on two components:
Knowing which book to use
A list of codes representing the page number, line number, and word number of the plaintext word
Encryption Operations (cont’d.)
Symmetric encryption
Known as private key encryption, or symmetric encryption
The same key (a secret key) is used to encrypt and decrypt the message
Methods are usually extremely efficient
Requiring easily accomplished processing to encrypt or decrypt the message
Challenge in symmetric key encryption is getting a copy of the key to the receiver
Encryption Operations (cont’d.)
Figure 10-11 Symmetric encryption
Source: Course Technology/Cengage Learning
Encryption Operations (cont’d.)
Data Encryption Standard (DES)
Developed in 1977 by IBM
Based on the Data Encryption Algorithm which uses a 64-bit block size and a 56-bit key
A Federally approved standard for non-classified data
Was cracked in 1997 when the developers of a new algorithm, Rivest-Shamir-Adleman, offered a $10,000 reward for the first person or team to crack the algorithm
Encryption Operations (cont’d.)
Data Encryption Standard (cont’d.)
Fourteen thousand users collaborated over the Internet to finally break the encryption
Triple DES (3DES) was developed as an improvement to DES and uses as many as three keys in succession
Encryption Operations (cont’d.)
Advanced Encryption Standard (AES)
The successor to 3DES
Based on the Rijndael Block Cipher
Features a variable block length and a key length of either 128, 192, or 256 bits
In 1998, it took a computer designed by the Electronic Frontier Foundation more than 56 hours to crack DES
The same computer would take approximately 4,698,864 quintillion years to crack AES
Encryption Operations (cont’d.)
Asymmetric encryption
Also known as public key encryption
Uses two different, but related keys
Either key can be used to encrypt or decrypt the message
However, if Key A is used to encrypt the message, then only Key B can decrypt it; conversely, if Key B is used to encrypt a message, then only Key A can decrypt it
This technique is most valuable when one of the keys is private and the other is public
Problem: it requires four keys to hold a single conversation between two parties, and the number of keys grows geometrically as parties are added
Encryption Operations (cont’d.)
Figure 10-12 Public key encryption
Source: Course Technology/Cengage Learning
Encryption Operations (cont’d.)
Digital signatures
Encrypted messages that are independently verified by a central facility (registry) as authentic
When the asymmetric process is reversed, the private key encrypts a message, and the public key decrypts it
The fact that the message was sent by the organisation that owns the private key cannot be refuted
This nonrepudiation is the foundation of digital signatures
Encryption Operations (cont’d.)
Digital certificate
An electronic document, similar to a digital signature, attached to a file certifying that the file is from the organisation it claims to be from and has not been modified from the original format
A certificate authority (CA)
An agency that manages the issuance of certificates and serves as the electronic notary public to verify their origin and integrity
Encryption Operations (cont’d.)
Public key infrastructure (PKI)
The entire set of hardware, software, and cryptosystems necessary to implement public key encryption
PKI systems are based on public key cryptosystems and include digital certificates and certificate authorities
Encryption Operations (cont’d.)
PKI provides the following services
Authentication
Digital certificates in a PKI system permit individuals, organisations, and Web servers to authenticate the identity of each of the parties in an Internet transaction
Integrity
A digital certificate demonstrates that the content signed by the certificate has not been altered while in transit
Confidentiality
PKI keeps information confidential by ensuring that it is not intercepted during transmission over the Internet
Encryption Operations (cont’d.)
PKI provides the following services (cont’d.)
Authorisation
Digital certificates issued in a PKI environment can replace user IDs and passwords, enhance security, and reduce overhead required for authorisation processes and controlling access privileges for specific transactions
Nonrepudiation (contrast to steganography)
Digital certificates can validate actions, making it less likely that customers or partners can later repudiate a digitally signed transaction, such as an online purchase
Encryption Operations (cont’d.)
Figure 10-13 Digital signature
Source: Course Technology/Cengage Learning
Encryption Operations (cont’d.)
Hybrid systems
Pure asymmetric key encryption is not widely used except in the area of certificates
It is typically employed in conjunction with symmetric key encryption, creating a hybrid system
The hybrid process in current use is based on the Diffie-Hellman key exchange method, which provides a way to exchange private keys using public key encryption without exposure to any third parties
Encryption Operations (cont’d.)
Hybrid systems (cont’d.)
In this method, asymmetric encryption is used to exchange symmetric keys so that two organisations can conduct quick, efficient, secure communications based on symmetric encryption
Diffie-Hellman provided the foundation for subsequent developments in public key encryption
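The hybrid flow described in the two Hybrid systems slides, as an added example that is not the textbook's code: a Diffie-Hellman exchange establishes a shared secret, separate encryption and integrity keys are derived from it, and the bulk message is protected symmetrically. Only the Python standard library is used, so the symmetric cipher is a constructed HMAC-SHA256 keystream with an encrypt-then-MAC tag rather than AES, and the group modulus and generator are toy values chosen for readability; production systems use standardised large groups. A bare exchange like this authenticates neither party, which is why the IPSec slides later pair Diffie-Hellman with public key signatures on the exchange.

```python
"""Hybrid encryption: Diffie-Hellman agreement, key derivation, symmetric bulk
protection. Added example, not textbook code; group parameters are toy values
and the symmetric cipher is a constructed HMAC keystream, not AES."""
import hashlib
import hmac
import secrets

# Toy group (constructed): a Mersenne prime modulus and a small generator.
P = 2 ** 127 - 1
G = 7


def dh_keypair():
    """Return (private exponent, public value g^a mod p)."""
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)


def dh_shared_secret(priv: int, peer_pub: int) -> int:
    """Both sides compute g^(ab) mod p; only public values cross the wire."""
    return pow(peer_pub, priv, P)


def derive_keys(shared: int):
    """Separate encryption and MAC keys from the shared secret (never use it raw)."""
    raw = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    enc = hashlib.sha256(b"enc|" + raw).digest()
    mac = hashlib.sha256(b"mac|" + raw).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed counter-mode keystream: HMAC(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)              # fresh per message so the keystream never repeats
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")   # tampered ciphertext or wrong key
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def hybrid_session(message: bytes) -> bytes:
    """Full flow between two parties; returns what the receiver recovers."""
    a_priv, a_pub = dh_keypair()                  # party A
    b_priv, b_pub = dh_keypair()                  # party B
    a_keys = derive_keys(dh_shared_secret(a_priv, b_pub))   # A uses B's public value
    b_keys = derive_keys(dh_shared_secret(b_priv, a_pub))   # B uses A's public value
    assert a_keys == b_keys                       # both sides hold the same symmetric keys
    blob = encrypt(*a_keys, message)              # asymmetric step done; bulk data goes symmetric
    return decrypt(*b_keys, blob)


if __name__ == "__main__":
    print(hybrid_session(b"quarterly report"))    # b'quarterly report'
```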
Encryption Operations (cont’d.)
Figure 10-14 Hybrid encryption
Source: Course Technology/Cengage Learning
Using Cryptographic Controls
Modern cryptosystems can generate unbreakable ciphertext
Possible only when the proper key management infrastructure has been constructed and when the cryptosystems are operated and managed correctly
Cryptographic controls can be used to support several aspects of the business:
Confidentiality and integrity of e-mail and its attachments
Using Cryptographic Controls (cont’d.)
Cryptographic controls can be used to support several aspects of the business: (cont’d.)
Authentication, confidentiality, integrity, and nonrepudiation of e-commerce transactions
Authentication and confidentiality of remote access through VPN connections
A higher standard of authentication when used to supplement access control systems
Using Cryptographic Controls (cont’d.)
Secure Multipurpose Internet Mail Extensions (S/MIME)
Builds on Multipurpose Internet Mail Extensions (MIME) encoding format
Adds encryption and authentication via digital signatures based on public key cryptosystems
Privacy Enhanced Mail (PEM, for instance *.CRT format)
Proposed by the Internet Engineering Task Force (IETF) as a standard that will function with public key cryptosystems
Uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures
Using Cryptographic Controls (cont’d.)
Pretty Good Privacy (PGP)
Developed by Phil Zimmermann
Uses the IDEA Cipher
A 128-bit symmetric key block encryption algorithm with 64-bit blocks for message encoding
Like PEM, it uses RSA for symmetric key exchange and to support digital signatures
Using Cryptographic Controls (cont’d.)
IP Security (IPSec)
The primary and dominant cryptographic authentication and encryption product of the IETF’s IP Protocol Security Working Group
Combines several different cryptosystems:
Diffie-Hellman key exchange for deriving key material between peers on a public network
Public key cryptography for signing the Diffie-Hellman exchanges to guarantee the identity of the two parties
Bulk encryption algorithms, such as DES, for encrypting the data
Digital certificates signed by a certificate authority to act as digital ID cards
Using Cryptographic Controls (cont’d.)
IPSec has two components:
The IP Security protocol
Specifies the information to be added to an IP packet and indicates how to encrypt packet data
The Internet Key Exchange, which uses asymmetric key exchange and negotiates the security associations
Using Cryptographic Controls (cont’d.)
IPSec works in two modes of operation:
Transport (http over SSL = remote VPN)
Only the IP data is encrypted, not the IP headers themselves
Allows intermediate nodes to read the source and destination addresses
Tunnel (site-to-site VPN)
The entire IP packet is encrypted and inserted as the payload in another IP packet
Often used to support a virtual private network
Using Cryptographic Controls (cont’d.)
Secure Electronic Transactions (SET)
Developed by MasterCard and VISA to provide protection from electronic payment fraud
Encrypts credit card transfers using DES, with RSA for key exchange
Secure Sockets Layer (SSL)
Developed by Netscape in 1994 to provide security for e-commerce transactions
Uses RSA for key transfer
And IDEA, DES, or 3DES for the encrypted, symmetric key-based data transfer
Using Cryptographic Controls (cont’d.)
Secure Hypertext Transfer Protocol
Provides secure e-commerce transactions and encrypted Web pages for secure data transfer over the Web, using different algorithms
Secure Shell (SSH)
Provides security for remote access connections over public networks by using tunneling and authentication services between a client and a server
Used to secure replacement tools for terminal emulation, remote management, and file transfer applications
Using Cryptographic Controls (cont’d.)
Cryptosystems provide enhanced and secure authentication
One approach is provided by Kerberos (V5 currently), which uses symmetric key encryption to validate an individual user’s access to various network resources
Keeps a database containing the private keys of clients and servers that are in the authentication domain that it supervises
Kerberos system knows these private keys and can authenticate one network node (client or server) to another
Kerberos also generates temporary session keys—that is, private keys given to the two parties in a conversation
Managing Cryptographic Controls
Don’t lose your keys
Know who you are communicating with
It may be illegal to use a specific encryption technique when communicating to some nations
Every cryptosystem has weaknesses
Give access only to those with a business need
When placing trust into a certificate authority, ask “Who watches the watchers?”
There is no security in obscurity
Security protocols and the cryptosystems they use are installed and configured by humans
They are only as good as their installers
Make sure that your organisation’s use of cryptography is based on well-constructed policy and supported with sound management procedures
Summary
Introduction
Access controls
Firewalls
Intrusion detection and prevention systems
Dial-up protection
Wireless network protection
Scanning and analysis tools
Cryptography
ITC358
ICT Management and Information Security
Chapter 11
Personnel and Security
I’ll take fifty percent efficiency to get one hundred percent loyalty.
– Samuel Goldwyn, U.S. film producer
Objectives
Upon completion of this chapter, you should be able to:
Identify the skills and requirements for information security positions
List the various information security professional certifications, and identify which skills are encompassed by each
Discuss and implement information security constraints on the general hiring processes
Explain the role of information security in employee terminations
Describe the security practices used to control employee behavior and prevent misuse of information
Introduction
Maintaining a secure environment
Requires that the InfoSec department be carefully structured and staffed with appropriately credentialed personnel
Proper procedures must be integrated into all human resources activities
Including hiring, training, promotion, and termination practices
Staffing the Security Function
Selecting an effective mix of information security personnel
Requires consideration of several criteria
Some are within the control of the organisation
Others are not
Supply and demand for personnel with critical information security skills
When demand rises quickly, initial supply often fails to meet it
As demand becomes known, professionals enter the job market or refocus their job skills to gain the required skills, experience, and credentials
Staffing the Security Function (cont’d.)
To move the InfoSec discipline forward, managers should:
Learn more about the requirements and qualifications for information security positions and relevant IT positions
Learn more about information security budgetary and personnel needs
Grant the information security function (and CISO) an appropriate level of influence and prestige
Qualifications and Requirements
Desired abilities for information security professionals
Understanding of how organisations are structured and operated
Recognising that InfoSec is a management task that cannot be handled with technology alone
Working well with people and communicating effectively, both in writing and verbally
Acknowledging the role of policy in guiding security efforts
Qualifications and Requirements (cont’d.)
Desired abilities for information security professionals (cont’d.)
Understanding of the essential role of information security education and training
Helps make users part of the solution, rather than part of the problem
Perceiving the threats facing an organisation
Understanding how these threats can become attacks, and safeguarding the organisation
Understanding how to apply technical controls
Qualifications and Requirements (cont.)
Desired abilities for information security professionals (cont’d.)
Demonstrated familiarity with the mainstream information technologies
Including Disk Operating System (DOS), Windows, Linux, and UNIX
Understanding of IT and InfoSec terminology and concepts
Entering the Information Security Profession
Many InfoSec professionals enter the field
After careers in law enforcement or the military
Or careers in other IT areas, such as networking, programming, database administration, or systems administration
Organisations can foster greater professionalism
By clearly defining their expectations and establishing explicit position descriptions
Entering the Information Security Profession (cont’d.)
Figure 11-1 Information security career paths
Source: Course Technology/Cengage Learning
Information Security Positions
Types of Information security positions
Definers provide the policies, guidelines, and standards
People who consult, do risk assessment and develop the product and technical architectures
Senior people with a broad knowledge, but not a lot of depth
Builders are the real techies, who create and install security solutions
Those that administer the security tools, the security monitoring function, and the people who continuously improve the processes
Where all the day-to-day, hard work is done
Information Security Positions (cont’d.)
Figure 11-2 Possible information security positions and reporting relationships
Source: Course Technology/Cengage Learning
Information Security Positions (cont’d.)
Chief Information Security Officer (CISO)
Typically considered the top information security officer in the organisation
Usually not an executive-level position
Frequently reports to the CIO
Business managers first and technologists second
They must be conversant in all areas of information security
Including technology, planning, and policy
Information Security Positions (cont’d.)
Certified Information Systems Security Professional (CISSP)
Most common qualification for the CISO
A graduate degree in criminal justice, business, technology, or another related field is usually required for the CISO
CISO candidates should have experience in security management, planning, policy, and budgets
Information Security Positions (cont’d.)
Security Manager
It is not uncommon for a security manager to have a CISSP
Should have experience in traditional business activities, including budgeting, project management, personnel management, hiring and firing
Must be able to draft middle- and lower-level policies, as well as standards and guidelines
Several types exist, and the people tend to be much more specialised than CISOs
Information Security Positions (cont’d.)
Security technicians
Technically qualified individuals who configure firewalls and IDSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that security technology is properly implemented
Typical information security entry-level position, albeit a technical one
Information Security Positions (cont’d.)
Technical qualifications and position requirements for a security technician vary
Organisations typically prefer expert, certified, proficient technicians
Job requirements usually include some level of experience with a particular hardware and software package
Experience using the technology is usually required
Information Security Professional Credentials
Many organisations rely on professional certifications
To ascertain the level of proficiency possessed by any given candidate
Many certification programs are relatively new
Their precise value is not fully understood by most hiring organisations
Certifying bodies work to educate their constituent communities on the value and qualifications of their certificate recipients
Information Security Professional Credentials (cont’d.)
Employers struggle to match certifications to position requirements
Potential information security workers try to determine which certification programs will help them in the job market
(ISC)2 Certifications
Certified Information Systems Security Professional
One of the most prestigious certifications
Recognises mastery of domains of an internationally recognised InfoSec common body of knowledge
Access Control
Application Security
Business Continuity and Disaster Recovery Planning
Cryptography
(ISC)2 Certifications (cont’d.)
Certified Information Systems Security Professional (cont’d.)
Recognises mastery of domains of an internationally recognised InfoSec common body of knowledge (cont’d.)
Information Security and Risk Management
Legal, Regulations, Compliance and Investigations
Operations Security
Physical (Environmental) Security
Security Architecture and Design
Telecommunications and Network Security
(ISC)2 Certifications (cont’d.)
Systems Security Certified Practitioner
More applicable to an entry-level security manager than a technician
Most questions focus on operational InfoSec
Focuses on practices, roles, and responsibilities covering seven domains:
Access controls
Analysis and monitoring
Cryptography
Malicious code
Networks and Telecommunications
Risk, Response and Recovery
Security Operations and Administration
(ISC)2 Certifications (cont’d.)
ISSAP®: Information Systems Security Architecture Professional
Access control systems and methodology
Telecommunications and network security
Cryptography
Requirements analysis and security standards, guidelines, criteria
Technology-related business continuity planning and disaster recovery planning
Physical security integration
(ISC)2 Certifications (cont’d.)
ISSEP®: Information Systems Security Engineering Professional
Systems security engineering
Certification and accreditation
Technical management
U.S. government information assurance regulations
(ISC)2 Certifications (cont’d.)
ISSMP®: Information Systems Security Management Professional
Business continuity planning (BCP), disaster recovery planning (DRP), and continuity of operations planning (COOP)
Enterprise security management practices
Enterprise-wide system development security
Law, investigations, forensics, and ethics
Overseeing compliance of operations security
ISACA Certifications
Certified Information Systems Auditor
A certification of the Information Systems Audit and Control Association and Foundation
Appropriate for auditing, networking, and security professionals
Exam covers:
IS audit process (10 percent)
IT governance (15 percent)
Systems and infrastructure life cycle (16 percent)
IT service delivery and support (14 percent)
Protection of information assets (31 percent)
Business continuity and disaster recovery (14 percent)
ISACA Certifications (cont’d.)
Certified Information Security Manager (CISM)
Geared toward experienced information security managers
Assures executive management that a candidate has the required background knowledge needed for effective security management and consulting
Exam covers:
Information security governance (23 percent)
Information risk management (22 percent)
Information security program development (17 percent)
Information security program management (24 percent)
Incident management and response (14 percent)
Global Information Assurance Certification (GIAC)
System Administration, Networking and Security Organisation (SANS)
Developed a series of technical security certifications known as the GIAC
GIAC family of certifications can be pursued independently
Or combined to earn a comprehensive certification called GIAC Security Engineer (GSE), at a silver, gold or platinum level
Other SANS certifications:
Security Professional (GISP)
GIAC Security Leadership Certification (GSLC)
Global Information Assurance Certification (cont’d.)
GIAC Certifications
Information security fundamentals (GISF)
Security essentials certification (GSEC)
Certified firewall analyst (GCFW)
Certified intrusion analyst (GCIA)
Certified incident handler (GCIH)
Certified Windows security administrator (GCWN)
Certified UNIX security administrator (GCUX)
Certified forensics analyst (GCFA)
Securing Oracle Certification (GSOC)
Intrusion Prevention (GIPS)
Cutting Edge Hacking Techniques (GHTQ)
Web Application Security (GWAS)
Reverse Engineering Malware (GREM)
Assessing Wireless Networks (GAWN)
Security+
The CompTIA Security+ certification
Tests for security knowledge mastery
Must have two years of on-the-job networking experience with emphasis on security
Exam covers industry-wide topics including:
Systems security (21%)
Network infrastructure (20%)
Access control (17%)
Assessments & audits (15%)
Cryptography (15%)
Organisational Security (12%)
Certified Computer Examiner (CCE)
A computer forensics certification
Provided by the International Society of Forensic Computer Examiners
Topics include
Acquisition, marking, handling, and storage of evidence procedures
Chain of custody
Essential “core” forensic computer examination procedures
“Rules of evidence” for computer examinations
Certified Computer Examiner (cont’d.)
A computer forensics certification (cont’d.)
Topics include: (cont’d.)
Basic PC hardware construction and theory
Very basic networking theory
Basic data recovery techniques
Authenticating MS Word documents and accessing and interpreting metadata
Basic optical recording processes and accessing data on optical media
Basic password recovery techniques
Basic Internet issues
Certification Costs
Preferred certifications can be expensive
Most experienced professionals find it difficult to do well on the exams without at least some review
Certifications recognise experts in their respective fields
The cost of certification deters those who might otherwise take the exam just to see if they can pass
Certification Costs (cont’d.)
Most examinations:
Require between two and three years of work experience
They are often structured to reward candidates who have significant hands-on experience
Certification Costs (cont’d.)
Figure 11-3 Preparing for security certification
Source: Course Technology/Cengage Learning
Employment Policies and Practices
Management should integrate solid information security concepts
Across all of the organisation’s employment policies and practices
Including information security responsibilities into every employee’s job description and subsequent performance reviews
Can make an entire organisation take information security more seriously
Hiring
From an information security perspective, hiring employees is laden with potential security pitfalls
Information security considerations should become part of the hiring process
Job descriptions
Provide complete job descriptions when advertising open positions
Omit the elements of the job description that describe access privileges
Hiring (cont’d.)
Interviews
Information security should advise human resources
Limit the information provided to the candidates on the access rights of the position
When an interview includes a site visit
Tour should avoid secure and restricted sites, because the visitor could observe enough information about the operations or information security functions to represent a potential threat to the organisation
Hiring (cont’d.)
New hire orientation
New employees should receive an extensive information security briefing
As part of their orientation
On-the-job security training
Conduct periodic SETA activities
Keeps security at the forefront of employees’ minds and minimises employee mistakes
Security checks
Conduct a background check before extending an offer
Hiring (cont’d.)
Common background checks
Identity checks: personal identity validation
Education and credential checks: institutions attended, degrees and certifications earned, and certification status
Previous employment verification: where candidates worked, why they left, what they did, and for how long
Reference checks: validity of references and integrity of reference sources
Hiring (cont’d.)
Common background checks (cont’d.)
Worker’s compensation history: claims
Motor vehicle records: driving records, suspensions, and other items noted in the applicant’s public record
Drug history: drug screening and drug usage, past and present
Medical history: current and previous medical conditions, usually associated with physical capability to perform the work in the specified position
Hiring (cont’d.)
Common background checks (cont’d.)
Credit history: credit problems, financial problems, and bankruptcy
Civil court history: involvement as the plaintiff or defendant in civil suits
Criminal court history: criminal background, arrests, convictions, and time served
Contracts and Employment
Once a candidate has accepted a job offer
The employment contract becomes an important security instrument
It is important to have these contracts and agreements in place at the time of the hire
Security as Part of Performance Evaluation
Organisations should incorporate information security components into employee performance evaluations
To heighten information security awareness and change workplace behaviour
Employees pay close attention to job performance evaluations
Including information security tasks in them will motivate employees to take more care when performing these tasks
Termination Issues
When an employee leaves an organisation, the following tasks must be performed:
Disable access to the organisation’s systems
Return all removable media
Secure hard drives
Change file cabinet and door locks
Revoke keycard access
Remove personal effects
Escort the former employee from the premises
Termination Issues (cont’d.)
Many organisations conduct an exit interview
To remind the employee of any contractual obligations
Such as nondisclosure agreements
To obtain feedback on the employee’s tenure in the organisation
Methods for handling employee outprocessing: hostile and friendly
Termination Issues (cont’d.)
Hostile departure
Security cuts off all logical and keycard access before the employee is terminated
The employee reports for work, and is escorted into the supervisor’s office to receive the bad news
The individual is then escorted from the workplace and informed that his or her personal property will be forwarded, or is escorted to his or her office, cubicle, or personal area to collect personal effects
Termination Issues (cont’d.)
Hostile departure (cont’d.)
Once personal property has been gathered, the employee is asked to surrender all keys, keycards, and other organisational identification and access devices, PDAs, pagers, cell phones, and all remaining company property
Then escorted from the building
Termination Issues (cont’d.)
Friendly departure
The employee may have tendered notice well in advance of the actual departure date
Difficult for security to maintain positive control over the employee’s access and information usage
Employee accounts are usually allowed to continue, with a new expiration date
The employee can come and go at will
Usually collects any belongings and leaves without escort, dropping off all organisational property before departing
Termination Issues (cont’d.)
In either circumstance:
Offices and information used by departing employees must be inventoried, their files stored or destroyed, and all property returned to organisational stores
Departing employees may have collected and taken home information or assets that could be valuable in their future jobs
Scrutinising system logs may allow an organisation to determine whether a breach of policy or a loss of information has occurred
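The post-departure log review the slides recommend, as an added example that is not from the course or its textbook: it models the hostile cutoff (access ends when the employee is told) and the friendly departure (account runs to a new expiration date), then scans constructed log lines for activity after each user's cutoff and lists accounts still enabled. The log format, user names and timestamps are assumptions.

```python
"""Post-departure access review (added example, not from the course slides).

A hostile departure cuts off logical and keycard access before the employee
is told; a friendly departure lets the account continue to a new expiration
date. In either case the slides advise scrutinising system logs afterwards.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set


@dataclass
class Departure:
    user: str
    kind: str                            # "hostile" or "friendly"
    notified: datetime                   # moment the employee is told (or gives notice)
    expires: Optional[datetime] = None   # new account expiration, friendly departures only


def access_cutoff(d: Departure) -> datetime:
    """Instant after which any access by this user is a policy finding."""
    if d.kind == "hostile":
        # Security disables access before the meeting, so anything after
        # the notification time should have been impossible.
        return d.notified
    if d.kind == "friendly":
        if d.expires is None:
            raise ValueError("friendly departure requires an expiration date")
        return d.expires
    raise ValueError(f"unknown departure kind: {d.kind!r}")


def parse_log_line(line: str):
    """Constructed format: '<ISO timestamp> <user> <action> <resource>'."""
    ts, user, action, resource = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, resource


def review_logs(departures: List[Departure], log_lines: List[str]) -> List[dict]:
    """Flag every log entry by a departed user that falls after their cutoff."""
    cutoffs = {d.user: access_cutoff(d) for d in departures}
    findings = []
    for line in log_lines:
        ts, user, action, resource = parse_log_line(line)
        cutoff = cutoffs.get(user)
        if cutoff is not None and ts > cutoff:
            findings.append({"user": user, "when": ts, "action": action,
                             "resource": resource, "cutoff": cutoff})
    return findings


def accounts_not_disabled(departures: List[Departure], enabled: Set[str],
                          now: datetime) -> List[str]:
    """Departed users whose cutoff has passed but whose account is still enabled."""
    return sorted(d.user for d in departures
                  if access_cutoff(d) <= now and d.user in enabled)


# Constructed sample data: one hostile and one friendly departure.
DEPARTURES = [
    Departure("jsmith", "hostile", datetime(2024, 3, 4, 9, 0)),
    Departure("alee", "friendly", datetime(2024, 2, 20, 10, 0),
              expires=datetime(2024, 3, 8, 17, 0)),
]
SAMPLE_LOG = [
    "2024-03-04T08:30:00 jsmith login vpn",                       # before cutoff
    "2024-03-04T09:15:00 jsmith download hr-share/salaries.xlsx",  # after cutoff
    "2024-03-05T11:00:00 alee login fileserver",                   # within notice period
    "2024-03-09T08:05:00 alee badge-in building-A",                # after expiration
    "2024-03-09T08:10:00 bwong login fileserver",                  # current employee
]
ENABLED = {"jsmith", "bwong"}          # constructed account-status snapshot
SNAPSHOT = datetime(2024, 3, 10)       # when the snapshot was taken

if __name__ == "__main__":
    for f in review_logs(DEPARTURES, SAMPLE_LOG):
        print(f"{f['user']} {f['action']} {f['resource']} at {f['when']} "
              f"(cutoff was {f['cutoff']})")
    print("still enabled after cutoff:",
          accounts_not_disabled(DEPARTURES, ENABLED, SNAPSHOT))
```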
Personnel Security Practices
Methods of monitoring and controlling employees
To minimise their opportunities to misuse information
Separation of duties is used to make it difficult for an individual to violate information security and breach the confidentiality, integrity, or availability of information
Two-man control requires that two individuals review and approve each other’s work before the task is considered complete
Personnel Security Practices (cont’d.)
Figure 11-5 Personnel security controls
Source: Course Technology/Cengage Learning
Personnel Security Practices (cont’d.)
Methods of monitoring and controlling employees (cont’d.)
Job rotation is another control used to prevent personnel from misusing information assets
Requires that every employee be able to perform the work of at least one other employee
Task rotation
All critical tasks can be performed by multiple individuals
Personnel Security Practices (cont’d.)
Job rotation and task rotation ensure
No one employee is performing actions that cannot be knowledgeably reviewed by another employee
Each employee should be required to take mandatory vacation
This policy gives the organisation a chance to perform a detailed review of everyone’s work
Personnel Security Practices (cont’d.)
Limiting access to information
Minimises opportunities for employee misuse
Employees should be able to access only the information they need, and only for the period required to perform their tasks
This idea is referred to as the principle of least privilege
Ensures that no unnecessary access to data occurs
If all employees can access all the organisation’s data all the time, it is almost certain that abuses will occur
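Separation of duties, two-man control and time-bound least privilege from the preceding slides, as an added example that is not from the course or its textbook: a requester cannot approve their own critical task, two distinct approvers are required, and access is granted per resource with a stated need and an end date. The task names, the seven-day grant ceiling and the sample data are assumptions.

```python
"""Two-person control and time-bound least privilege (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set


class PolicyViolation(Exception):
    """Raised when an action would breach a personnel security control."""


@dataclass
class CriticalTask:
    name: str
    requester: str
    approvals: Set[str] = field(default_factory=set)

    def approve(self, approver: str) -> None:
        # Separation of duties: whoever did the work cannot sign it off.
        if approver == self.requester:
            raise PolicyViolation(f"{approver} cannot approve own task {self.name!r}")
        self.approvals.add(approver)          # a set, so one person cannot count twice

    def is_complete(self) -> bool:
        # Two-man control: two different individuals must have approved.
        return len(self.approvals) >= 2


MAX_GRANT = timedelta(days=7)   # assumed policy ceiling on any single grant


@dataclass
class Grant:
    user: str
    resource: str
    start: datetime
    end: datetime
    reason: str


class AccessRegistry:
    """Least privilege: per-resource grants with a documented need and an end date."""

    def __init__(self) -> None:
        self.grants: List[Grant] = []

    def grant(self, user: str, resource: str, start: datetime,
              duration: timedelta, reason: str) -> Grant:
        if not reason.strip():
            raise PolicyViolation("grant needs a documented business need")
        if duration > MAX_GRANT:
            raise PolicyViolation(f"grant exceeds policy maximum of {MAX_GRANT}")
        g = Grant(user, resource, start, start + duration, reason)
        self.grants.append(g)
        return g

    def allowed(self, user: str, resource: str, at: datetime) -> bool:
        """Default deny: true only inside the window of a matching grant."""
        return any(g.user == user and g.resource == resource and g.start <= at < g.end
                   for g in self.grants)


def demo():
    """Walk through both controls on constructed data; returns the outcomes."""
    task = CriticalTask("rotate payroll signing key", requester="alee")
    try:
        task.approve("alee")                       # blocked: own work
    except PolicyViolation:
        pass
    task.approve("bwong")
    one_approval = task.is_complete()              # False
    task.approve("cdiaz")
    two_approvals = task.is_complete()             # True

    reg = AccessRegistry()
    start = datetime(2024, 3, 4, 9, 0)
    reg.grant("alee", "payroll-db", start, timedelta(days=2), "key rotation ticket")
    during = reg.allowed("alee", "payroll-db", datetime(2024, 3, 5, 12, 0))   # True
    after = reg.allowed("alee", "payroll-db", datetime(2024, 3, 7, 9, 0))     # False
    other = reg.allowed("alee", "hr-share", datetime(2024, 3, 5, 12, 0))      # False
    try:
        reg.grant("alee", "payroll-db", start, timedelta(days=30), "standing access")
        too_long_blocked = False
    except PolicyViolation:
        too_long_blocked = True                    # True
    return one_approval, two_approvals, during, after, other, too_long_blocked


if __name__ == "__main__":
    print(demo())
```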
Security of Personnel and Personal Data
Organisations are required by law to protect sensitive or personal employee information
Examples: employee addresses, phone numbers, Social Security numbers, medical conditions, and names and addresses of family members
Responsibility extends to customers, patients, and anyone with whom the organisation has business relationships
Security of Personnel and Personal Data (cont’d.)
Personnel data is no different than other data that information security is expected to protect
But more regulations cover its protection
Information security procedures should ensure that this data receives at least the same level of protection as the other important data in the organisation
Security Considerations for Nonemployees
Many individuals who are not employees often have access to sensitive organisational information
Relationships with individuals in this category should be carefully managed to prevent threats to information assets from materialising
Temporary workers
Not employed by the organisation for which they’re working
Security Considerations for Nonemployees (cont’d.)
Temporary workers (cont’d.)
May not be subject to the contractual obligations or policies that govern employees
Unless specified in its contract with the organisation, the temporary agency may not be liable for losses caused by its workers
Access to information should be limited to what is necessary to perform their duties
Security Considerations for Nonemployees (cont’d.)
Contract employees
Professional contractors may require access to all areas of the organisation to do their jobs
Service contractors usually need access only to specific facilities
Should not be allowed to wander freely
In a secure facility, all service contractors are escorted from room to room, and into and out of the facility
Security Considerations for Nonemployees (cont’d.)
Regulations for service agreements or contracts:
Require 24 to 48 hours’ notice of a maintenance visit
Require all on-site personnel to undergo background checks
Require advance notice for cancellation or rescheduling of a maintenance visit
Security Considerations for Nonemployees (cont’d.)
Consultants
Have their own security requirements and contractual obligations
Should be handled like contract employees
Special requirements, such as information or facility access requirements, should be integrated into the contract before facility access is granted
Protecting your information may not be their number one priority
Apply the principle of least privilege
Security Considerations for Nonemployees (cont’d.)
Business partners
Strategic alliances with other organisations to exchange information, integrate systems, or enjoy some other mutual advantage
A prior agreement must specify the levels of exposure that both organisations are willing to tolerate
Security and technology consultants must be prescreened, escorted, and subjected to nondisclosure agreements
Security Considerations for Nonemployees (cont’d.)
Business partners (cont’d.)
If the strategic partnership evolves into an integration of the systems of both companies
Competing groups may be provided with information that neither parent organisation expected
Nondisclosure agreements are an important part of any such collaborative effort
Security level of both systems must be examined before any physical integration takes place
A vulnerability on one system becomes a vulnerability for all linked systems
Summary
Introduction
Staffing the security function
Information security professional credentials
Employment policies and practices
ITC358
ICT Management and Information Security
Chapter 12
Law and Ethics
In law a man is guilty when he violates the rights of others.
In ethics he is guilty if he only thinks of doing so. – Immanuel Kant
Objectives
Upon completion of this chapter, you should be able to:
Differentiate between law and ethics
Describe the ethical foundations and approaches that underlie modern codes of ethics
Identify major national and international laws that relate to the practice of information security
Describe the role of culture as it applies to ethics in information security
Identify current information on laws, regulations, and relevant professional organisations
Introduction
All information security professionals must understand the scope of an organisation’s legal and ethical responsibilities
Understand the current legal environment
Keep apprised of new laws, regulations, and ethical issues as they emerge
To minimise the organisation’s liabilities
Educate employees and management about their legal and ethical obligations
And proper use of information technology
Law and Ethics in Information Security
Laws
Rules adopted and enforced by governments to codify expected behaviour in modern society
The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not
Ethics are based on cultural mores
Relatively fixed moral attitudes or customs of a societal group
Information Security and the Law
InfoSec professionals and managers must understand the legal framework within which their organisations operate
Can influence the organisation to a greater or lesser extent, depending on the nature of the organisation and the scale on which it operates
Types of Law
Civil law
Pertains to relationships between and among individuals and organisations
Criminal law
Addresses violations harmful to society
Actively enforced and prosecuted by the state
Tort law (search Tort law in Australia)
A subset of civil law that allows individuals to seek redress in the event of personal, physical, or financial injury
Types of Law (cont’d.)
Private law
Regulates the relationships among individuals and among individuals and organisations
Family law, commercial law, and labour law
Public law
Regulates the structure and administration of government agencies and their relationships with citizens, employees, and other governments
Criminal, administrative, and constitutional law
Table 12-1a: Key U.S. laws of interest to information security professionals
Table 12-1b: Key U.S. laws of interest to information security professionals
Relevant U.S. Laws
The Computer Fraud and Abuse Act of 1986 (CFA Act)
The cornerstone of many computer-related federal laws and enforcement efforts
Amended in October 1996 by the National Information Infrastructure Protection Act
Modified several sections of the previous act, and increased the penalties for select crimes
Further modified by the USA Patriot Act of 2001
Provides law enforcement agencies with broader latitude to combat terrorism-related activities
The USA Patriot Act was updated and extended, in many cases permanently
Through the USA Patriot Improvement and Reauthorisation Act of 2005
Relevant U.S. Laws (cont’d.)
The Computer Security Act of 1987
One of the first attempts to protect federal computer systems
Established minimum acceptable security practices
Established a Computer System Security and Privacy Advisory Board within the Department of Commerce
Requires mandatory periodic training in computer security awareness and accepted computer security practice for all users of Federal computer systems
Relevant U.S. Laws (cont’d.)
The Computer Security Act of 1987 (cont’d.)
Charged the National Bureau of Standards (now NIST) and the NSA with the development of:
Standards, guidelines, and associated methods and techniques for computer systems
Uniform standards and guidelines for most federal computer systems
Technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in federal computer systems
Guidelines for operators of federal computer systems containing sensitive information in training their employees in security awareness
Validation procedures for, and evaluation of the effectiveness of, standards and guidelines
Through research and liaison with other government and private agencies
Relevant U.S. Laws (cont’d.)
Privacy Laws
Many organisations collect, trade, and sell personal information as a commodity
Individuals are becoming aware of these practices and looking to governments to protect their privacy
Aggregation of data from multiple sources permits unethical organisations to build databases with alarming quantities of personal information
Relevant U.S. Laws (cont’d.)
Privacy Laws (cont’d.)
The Privacy of Customer Information Section of the regulations covering common carriers
Specifies that any proprietary information shall be used explicitly for providing services, and not for any marketing purposes
The Federal Privacy Act of 1974 regulates the government’s use of private information
Ensures that government agencies protect the privacy of individuals’ and businesses’ information
Relevant U.S. Laws (cont’d.)
Privacy Laws (cont’d.)
The Electronic Communications Privacy Act of 1986
A collection of statutes that regulates the interception of wire, electronic, and oral communications
These statutes work in cooperation with the Fourth Amendment of the U.S. Constitution
Prohibits search and seizure without a warrant
Relevant U.S. Laws (cont’d.)
Health Insurance Portability & Accountability Act Of 1996 (HIPAA)
An attempt to protect the confidentiality and security of health care data
Establishes and enforces standards
Standardises electronic data interchange
Requires organisations that retain health care information to use information security mechanisms to protect this information
Also requires an assessment of the organisation’s InfoSec systems, policies, and procedures
Relevant U.S. Laws (cont’d.)
HIPAA (cont’d.)
Provides guidelines for the use of electronic signatures
Based on security standards ensuring message integrity, user authentication, and nonrepudiation
Fundamental privacy principles:
Consumer control of medical information
Boundaries on the use of medical information
Accountability for the privacy of private information
Balance of public responsibility for the use of medical information for the greater good measured against impact to the individual
Security of health information
Relevant U.S. Laws (cont’d.)
The Financial Services Modernisation Act
Also called Gramm-Leach-Bliley Act of 1999
Applies to banks, securities firms, and insurance companies
Requires all financial institutions to disclose their privacy policies
Describing how they share nonpublic personal information
Describing how customers can request that their information not be shared with third parties
Ensures that the privacy policies in effect in an organisation are fully disclosed when a customer initiates a business relationship
Distributed at least annually for the duration of the professional association
Relevant U.S. Laws (cont’d.)
Export and Espionage Laws
Economic Espionage Act (EEA) of 1996
An attempt to protect intellectual property and competitive advantage
Attempts to protect trade secrets from the foreign government that uses its classic espionage apparatus to spy on a company
Also between two companies
Or a disgruntled former employee
Relevant U.S. Laws (cont’d.)
Export and Espionage Laws
The Security and Freedom through Encryption Act of 1997
Provides guidance on the use of encryption
Institutes measures of public protection from government intervention
Reinforces an individual’s right to use or sell encryption algorithms
Prohibits the federal government from requiring the use of encryption for contracts, grants, and other official documents, and correspondence
Relevant U.S. Laws (cont’d.)
Figure 12-1: Export restrictions
Source: Course Technology/Cengage Learning
Relevant U.S. Laws (cont’d.)
U.S. Copyright Law
Extends protection to intellectual property, including words published in electronic formats
‘Fair use’ allows material to be quoted so long as the purpose is educational and not for profit, and the usage is not excessive
Proper acknowledgement must be provided to the author and/or copyright holder of such works
Including a description of the location of source materials, using a recognised form of citation
Relevant U.S. Laws (cont’d.)
Freedom of Information Act of 1966
All Federal agencies are required to disclose records requested in writing by any person
Applies only to Federal agencies and does not create a right of access to records held by Congress, the courts, or by state or local government agencies
Sarbanes-Oxley Act of 2002
Enforces accountability for the financial record keeping and reporting at publicly traded corporations
Relevant U.S. Laws (cont’d.)
Sarbanes-Oxley Act of 2002 (cont’d.)
Requires that the CEO and chief financial officer (CFO) assume direct and personal accountability for the completeness and accuracy of a publicly traded organisation’s financial reporting and record-keeping systems
As these executives attempt to ensure that the systems used to record and report are sound, the related areas of availability and confidentiality are also emphasised
International Laws and Legal Bodies
International trade is governed by international treaties and trade agreements
Many domestic laws and customs do not apply
There are currently few international laws relating to privacy and information security
Because of cultural differences and political complexities of the relationships among nations
International Laws and Legal Bodies (cont’d.)
European Council Cyber-Crime Convention
Empowers an international task force to oversee a range of Internet security functions
Standardises technology laws internationally
Attempts to improve the effectiveness of international investigations into breaches of technology law
Goal is to simplify the acquisition of information for law enforcement agents in certain types of international crimes, as well as the extradition process
International Laws and Legal Bodies (cont’d.)
The Digital Millennium Copyright Act
A U.S.-based international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures
European Union Directive 95/46/EC
Increases individual rights to process and freely move personal data
Database Right
U.K. version of this directive
State and Local Regulations
Information security professionals must understand state laws and regulations
Ensure that their organisation’s security policies and procedures comply
Georgia Computer Systems Protection Act
Has various computer security provisions
Establishes specific penalties for use of information technology to attack or exploit information systems in organisations
Requires that a business may not discard a record containing personal information unless it shreds, erases, modifies, or otherwise makes the information irretrievable
Policy Versus Law
Difference between policy and law
Ignorance of policy is an acceptable defense
Policies must be:
Distributed to all individuals who are expected to comply with them
Readily available for employee reference
Easily understood, with versions available for non-English speakers, visually impaired employees, and low-literacy readers
Acknowledged by employee with consent form
Uniformly enforced for all employees
Ethics in Information Security
The student of information security is not expected to study the topic of ethics in a vacuum, but within a larger ethical framework
Information security professionals may be expected to be more articulate about the topic than others in the organisation
Often must withstand a higher degree of scrutiny
Ethics in Information Security (cont’d.)
The Ten Commandments of Computer Ethics
From the Computer Ethics Institute
Thou shalt not:
Use a computer to harm other people
Interfere with other people’s computer work
Snoop around in other people’s computer files
Use a computer to steal
Use a computer to bear false witness
Copy or use proprietary software for which you have not paid
Ethics in Information Security (cont’d.)
The Ten Commandments of Computer Ethics (cont’d.)
Thou shalt not: (cont’d.)
Use other people’s computer resources without authorisation or proper compensation
Appropriate other people’s intellectual output
Think about the social consequences of the program you are writing or the system you are designing
Always use a computer in ways that ensure consideration and respect for fellow humans
Ethics and Education
Differences in computer use ethics
Not exclusively cultural
Found among individuals within the same country, within the same social class, and within the same company
Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is education
Employees must be trained on the expected behaviours of an ethical employee
Deterring Unethical and Illegal Behaviour
InfoSec personnel should do everything in their power to deter unethical and illegal acts
Using policy, education and training, and technology as controls to protect information
Categories of unethical behaviour
Ignorance
Accident
Intent
Deterring Unethical and Illegal Behaviour (cont’d.)
Deterrence
Best method for preventing an illegal or unethical activity
Examples: laws, policies, and technical controls
Laws and policies and their associated penalties only deter if three conditions are present:
Fear of penalty
Probability of being caught
Probability of penalty being administered
Professional Organisations and their Codes of Ethics
Some professional organisations have established codes of conduct and/or codes of ethics
Members are expected to follow
Codes of ethics can have a positive effect on an individual’s judgment regarding computer use
Security professionals must act ethically
According to the policies and procedures of their employers, their professional organisations, and the laws of society
Association of Computing Machinery
A respected professional society
Originally established in 1947 as “the world’s first educational and scientific computing society”
One of the few organisations that strongly promotes education and provides discounted membership for students
Code of ethics requires members to perform their duties in a manner befitting an ethical computing professional
International Information Systems Security Certification Consortium, Inc. (ISC)²
Code of ethics applies to information security professionals who have earned one of their certifications
Includes four mandatory canons:
Protect society, the commonwealth, and the infrastructure
Act honorably, honestly, justly, responsibly, and legally
Provide diligent and competent service to principals
Advance and protect the profession
System Administration, Networking, and Security Institute (SANS)
Professional research and education cooperative organisation
Over 156,000 security professionals, auditors, system and network administrators
SANS GIAC code of ethics requires:
Respect for the public
Respect for the certification
Respect for my employer
Respect for myself
Information Systems Audit and Control Association (ISACA)
A professional association with a focus on auditing, control, and security
Membership comprises both technical and managerial professionals
Has a code of ethics for its professionals
Requires many of the same high standards for ethical performance as the other organisations and certifications
Information Systems Audit and Control Association (cont’d.)
Code of ethics tenets
Support the implementation of, and encourage compliance with, appropriate standards, procedures, and information systems controls
Perform duties with objectivity, due diligence and professional care, using professional standards and best practices
Serve in the interest of stakeholders in a lawful and honest manner, maintain high standards of conduct and character, and not engage in acts discreditable to the profession
Information Systems Audit and Control Association (cont’d.)
Code of ethics tenets (cont’d.)
Maintain the privacy and confidentiality of information obtained in the course of their duties
Unless disclosure is required by legal authority
Such information shall not be used for personal benefit or released to inappropriate parties
Maintain competency in their respective fields, and agree to undertake only those activities that they can reasonably expect to complete with professional competence
Information Systems Audit and Control Association (cont’d.)
Code of ethics tenets (cont’d.)
Inform appropriate parties of the results of work performed, revealing all significant facts known to them
Support the professional education of stakeholders in enhancing their understanding of information systems security and control
Information Systems Security Association
Nonprofit society of information security professionals
Mission is to bring together qualified practitioners of information security for information exchange and educational development
Provides conferences, meetings, publications, and information resources to promote information security awareness and education
Promotes a code of ethics
Similar to that of other organisations
“Promoting management practices that will ensure the confidentiality, integrity, and availability of organisational information resources.”
Organisational Liability and the Need for Counsel
What if an organisation does not support or encourage strong ethical conduct by its employees?
What if an organisation does not behave ethically?
If an employee, acting with or without authorisation, performs an illegal or unethical act that causes some degree of harm, the organisation can be held financially liable for that action
Organisational Liability and the Need for Counsel (cont’d.)
An organisation increases its liability if it refuses to take measures (due care) to make sure that every employee knows what is acceptable and what is not, and the consequences of illegal or unethical actions
Due diligence requires that an organisation make a valid and ongoing effort to protect others
Key Law Enforcement Agencies
Federal Bureau of Investigation’s InfraGard Program
Promotes efforts to educate, train, inform, and involve the business and public sector in information security
Every FBI field office has established an InfraGard chapter and collaborates with public and private organisations and the academic community to share information about attacks, vulnerabilities, and threats
InfraGard’s dominant contribution is the free exchange of information to and from the private sector in the subject areas of threats and attacks on information resources
Key Law Enforcement Agencies (cont’d.)
National Security Agency (NSA)
The nation’s cryptologic organisation
Coordinates, directs, and performs highly-specialised activities to protect U.S. information systems and produce foreign intelligence information
Responsible for signal intelligence and information system security
Key Law Enforcement Agencies (cont’d.)
National Security Agency (cont’d.)
Information Assurance Directorate (IAD) provides information security “solutions including the technologies, specifications and criteria, products, product configurations, tools, standards, operational doctrine, and support activities needed to implement the protect, detect and report, and respond elements of cyber defense.”
Key Law Enforcement Agencies (cont’d.)
U.S. Secret Service is a department within the Department of the Treasury
In addition to its well-known mission to protect key members of the U.S. government
Also charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes
Department of Homeland Security
Formed when U.S. Secret Service was transferred to it from the Department of the Treasury
Managing Investigations in the Organisation
When (not if) an organisation finds itself dealing with a suspected policy or law violation
Must appoint an individual to investigate it
How the internal investigation proceeds
Dictates whether or not the organisation has the ability to take action against the perpetrator if in fact evidence is found that substantiates the charge
In order to protect the organisation, and to possibly assist law enforcement in the conduct of an investigation
The investigator (CISO, InfoSec Manager or other appointed individual) must document what happened and how
Managing Investigations in the Organisation (cont’d.)
Forensics
The coherent application of methodical investigatory techniques to present evidence of crimes in a court or court-like setting
Digital forensics
The investigation of what happened and how
Involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root cause analysis
Managing Investigations in the Organisation (cont’d.)
Digital forensics (cont’d.)
Like traditional forensics, it follows clear, well-defined methodologies, but still tends to be as much art as science
Evidentiary material (EM)
Also called item of potential evidentiary value
Any information that could potentially support the organisation’s legal- or policy-based case against a suspect
An item does not become evidence until it is formally admitted to evidence by a judge or other ruling official
Managing Investigations in the Organisation (cont’d.)
Digital forensics can be used for two key purposes:
Investigate allegations of digital malfeasance
A crime against or using digital media, computer technology or related components
Perform root cause analysis
If an incident occurs and the organisation suspects an attack was successful, digital forensics can be used to examine the path and methodology used to gain unauthorised access, as well as to determine how pervasive and successful the attack was
Managing Investigations in the Organisation (cont’d.)
Digital forensics approaches
Protect and forget (a.k.a. patch and proceed)
Focuses on the defense of the data and the systems that house, use, and transmit it
Apprehend and prosecute (a.k.a. pursue and prosecute)
Focuses on the identification and apprehension of responsible individuals, with additional attention on the collection and preservation of potential EM that might support administrative or criminal prosecution
Affidavits and Search Warrants
Investigations begin with an allegation or an indication of an incident
Forensics team requests permission to examine digital media for potential EM
An affidavit is sworn testimony
That the investigating officer has certain facts they feel warrant the examination of specific items located at a specific place
Search warrant
Permission to search for EM at the specified location and/or to seize items to return to the investigator’s lab for examination
Created when an approving authority signs the affidavit or creates a synopsis form based on it
Digital Forensics Methodology
Steps in the digital forensics methodology
Identify relevant items of evidentiary value
Acquire (seize) the evidence without alteration or damage
Take steps to assure that the evidence is at every step verifiably authentic and is unchanged from the time it was seized
Analyse the data without risking modification or unauthorised access
Report the findings to the proper authority
Digital Forensics Methodology
Figure 12-2: Digital forensics process
Source: Course Technology/Cengage Learning
Evidentiary Procedures
Organisations should develop specific procedures and guidance for their use
Who may conduct an investigation
Who may authorise an investigation
What affidavit-related documents are required
What search warrant-related documents are required
What digital media may be seized or taken offline
What methodology should be followed
What methods are required for chain of custody or chain of evidence
What format the final report should take, and to whom it should be given
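The methodology steps above (acquire without alteration, keep the evidence verifiably unchanged at every step, analyse without risking modification, report to the proper authority) and the chain-of-custody requirement in the evidentiary procedures can be illustrated with a small hashing and custody-log routine. This is an added example, not code from the textbook; the seized image bytes, item id and custodian names are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample standing in for a seized disk image. In practice the
# hash would be taken of the image file produced by a write-blocked imager.
SEIZED_IMAGE = b"\x00" * 512 + b"constructed sample sector data" + b"\xff" * 512

def acquisition_hash(data: bytes) -> str:
    """SHA-256 fingerprint recorded at seizure; every later step re-checks it."""
    return hashlib.sha256(data).hexdigest()

class ChainOfCustody:
    """Append-only log of who handled the EM, when, and what its hash was."""
    def __init__(self, item_id: str, data: bytes, custodian: str):
        self.item_id = item_id
        self.expected = acquisition_hash(data)   # hash fixed at acquisition
        self.entries = []
        self.record("acquired", custodian, data)

    def record(self, action: str, custodian: str, data: bytes) -> bool:
        """Log an event; return whether the EM still matches the seizure hash."""
        observed = acquisition_hash(data)
        intact = observed == self.expected
        self.entries.append({
            "item": self.item_id,
            "action": action,
            "custodian": custodian,
            "time": datetime.now(timezone.utc).isoformat(),
            "sha256": observed,
            "matches_seizure_hash": intact,
        })
        return intact

    def report(self) -> str:
        """Final report for the proper authority: the full custody log as JSON."""
        return json.dumps(self.entries, indent=2)

def run_procedure() -> tuple:
    """Walk the steps: acquire, hand over to the lab, detect an altered copy."""
    coc = ChainOfCustody("EM-0001", SEIZED_IMAGE, "investigator-A")  # placeholders
    working_copy = bytes(SEIZED_IMAGE)      # analysis works on a copy, never the original
    ok_transfer = coc.record("transferred to lab", "examiner-B", working_copy)
    # Constructed tampering: one byte changed, so the seizure hash no longer matches
    altered = working_copy[:600] + b"X" + working_copy[601:]
    ok_tamper = coc.record("analysis started", "examiner-B", altered)
    return ok_transfer, ok_tamper, len(coc.entries)
```

Any mismatch flagged in the log means the item can no longer be shown to be unchanged since seizure, which is exactly what an opposing party would challenge.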
Summary
Introduction
Law and ethics in information security
The legal environment
Ethical concepts in information security
Professional organisations’ codes of ethics
Organisational liability and the need for counsel
Key U.S. Federal agencies
Managing investigations in the organisation
Management of Information Security, 3rd ed.