McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved. Information Assurance for the Enterprise: A Roadmap to Information.


McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved. Information Assurance for the Enterprise: A Roadmap to Information Security, by Schou and Shoemaker
Chapter 4 Building and Documenting an Information Assurance Framework

4-2 Objectives
- Difference between policies and procedures
- What is an information assurance structure
- How to tailor an information assurance structure
- How to document an information assurance infrastructure

4-3 Control Process
- The control process is implemented through a framework of standard procedures
- They need to be coherent, rational, and understandable
- They are tailored for efficiency and effectiveness

4-4 Difference Between Policy and Procedure
- Level of focus
  - The focus of policies is long-term and strategic
  - The focus of procedures is short-term and day-to-day

4-5 Procedure
- A specification of the sequence and timing of the steps of a response
- A description of the action to be taken to achieve a goal
- A definition of actions performed as part of routine operation
- A method rather than the outcome
- A tangible mechanism for evaluating whether the system has met its intended goals
- In the case of information assurance, procedures:
  - Specify the set of assurance activities that must be executed to ensure security
  - Define all information assurance and security actions

4-6 Infrastructure
- An information assurance infrastructure is an essential part of security as it:
  - Specifies the steps the organization will take to ensure security
  - Makes the process tangible so that it is understood and executed properly
  - Describes how all information assurance and security practices will be established and enforced
  - Ensures that the information within the infrastructure is overseen and managed

4-7 Five Pillars of Assurance
- Confidentiality – ensures that information is not disclosed to unauthorized persons, processes, or devices
- Integrity – reflects the logical correctness of essential components
- Availability – provides authorized users with timely, reliable access to data and information services
- Authentication – confirms authorization to acquire specific items of information
- Non-repudiation – provides proof of delivery and provides identification

4-8 Instituting a Sustainable Security Operation
- Two conditions have to be satisfied:
  - A concrete reference point has to be adopted and documented to guide the process
  - The organization has to follow all specified security practices rigorously

4-9 Role of Policy in Creating an Infrastructure
- Policies state the approach that will be followed to enforce the five pillars of security
- They should be both comprehensive and coherent
- They constitute the framework that dictates the scope and application of the information assurance process
- They must have the right set of procedures to enact them
- Procedures are progressively refined until the desired level of control is established
- The eventual product of this logical decomposition process is the finalized information assurance infrastructure

4-10 Role of Policy in Creating an Infrastructure
- The information assurance infrastructure is an array of control behaviors
  - Designed to ensure security and applicable to all levels
- Characteristics of the standard approach:
  - Concrete, and can be tailored to the specifics of the tasks to be performed
  - Outcomes can be used to judge whether the information assurance process is operating properly
  - Outcomes of these tasks can be assessed and specific responsibility can be assigned
  - Establishes tangible accountability for information assurance and security performance

4-11 Ensuring a Disciplined Process: Establishing the Culture
- The only way to assure security is by demanding disciplined performance of assigned duties
- Requires a high degree of disciplined practice by the people responsible for carrying out the tasks
  - The managers
  - The workers
- Requires the right level of information assurance and security practice

4-12 Ensuring a Disciplined Process: Establishing the Culture
- An effective information assurance process has to ensure that the people within the system are operating in a secure manner

4-13 Ensuring a Disciplined Process: Establishing the Culture
- Information assurance safeguards are aimed at:
  - Identifying suspicious or undesirable behavior
  - Building a baseline of acceptable, or normal, practices against which to judge performance
  - Embedding a comprehensive understanding of information assurance
    - Policies
    - Procedures
    - Work practices

4-14 Developing An Information Assurance Infrastructure
- Nine essential qualities of a correctly functioning system:
  - Suitability
  - Accuracy
  - Interoperability
  - Compliance
  - Integrity
  - Maturity
  - Fault tolerance
  - Recoverability
  - Replaceability

4-15 Developing An Information Assurance Infrastructure
- Refinement process

4-16 Ensuring Common Understanding: Metrics and Security
- Tailoring specifics will require derivation from:
  - Policies expressed as a formal specification
  - Perspectives of stakeholders
- The outcome should be a substantive set of documented practices
  - Should characterize the information assurance functions
- Requirements must be communicated unambiguously
  - The terms and measures used should be integrated into a single document
- Need for a deliberate program to develop an appropriate set of common metrics

4-17 Ensuring Common Understanding: Metrics and Security
- The organizational environment determines the metrics
  - Nature, rigor, and application will vary based on the demands of the security situation
- The basis for decision is the level of control required to establish an assurable system
  - Achieved by continuing to break down each measure into sub-factors
  - Sub-factors should also be traceable through the hierarchy of measures
- The measurement set must be refined and updated continuously

4-18 Accommodating Human Factors in the Infrastructure
- Disciplined performance determines how correctly each procedure will be followed
- The behavior of humans within the infrastructure is:
  - Ensured by monitoring and enforcing compliance with documented procedures
  - Harder to assure, since it is governed by perceptions and emotions rather than logical rules
  - Challenging, as motivating people to comply requires continuous oversight and strict enforcement
  - Feasible with a coherent and explicit definition of acceptable behavior

4-19 Documentation: Conveying the Form of the Infrastructure
- Every information assurance infrastructure has to be documented completely
- Documentation should communicate the three vital elements of the process:
  - Policies
  - Procedures
  - Work instructions
- The mechanism employed to document these is the Information Assurance Manual

4-20 Information Assurance Manual
- Communicates the organization's specific approach to information assurance and security
- Serves as a reference point for developing standard operating procedures
- Integrates all required procedures and work practices for each policy into a statement of purpose

4-21 Information Assurance Manual
- Advantages:
  - Implements and ensures continuous performance of processes
  - Valuable tool for communicating with stakeholders
  - Advertises new initiatives and accomplishments
  - Itemizes every procedure the organization will follow to comply with each stated policy
  - Facilitates the day-to-day assignment of specific employee responsibility
  - Key mechanism for demonstrating due diligence in the performance of information assurance

4-22 Ensuring Sustainability: Documentation Set
- Documentation set – procedures, work practices, and the information assurance manual
- A complete set of operating procedures is written to implement each policy
  - An operating procedure defines what will be done on a day-to-day basis
- Work practices are developed for each procedure
  - They itemize the behaviors designated to accomplish each procedure

4-23 Implementation: Achieving the Right Level of Detail
- At the minimum, every documented procedure states:
  - Steps to be taken, their measurement, and their evaluation criteria
  - Expected output, its measurement, and its evaluation criteria
  - Interrelationships with other procedures
  - Qualifications and skills of the people performing the procedure
  - Tools, rules, practices, methodologies, and conventions employed

4-24 Implementation: Achieving the Right Level of Detail
- Ten areas of information assurance should be itemized using this policy/procedure/work instruction model:
  - Physical security practices
  - Personnel security practices
  - Operational security practices
  - Network security practices
  - Software security practices
  - Development process security practices
  - Transmission security/encryption practices
  - Business continuity practices
  - Legal and regulatory compliance practices
  - Ethical practices

4-25 Walking the Talk – the Role of Detailed Work Practices
- Specifications communicate the steps chosen to ensure an end-to-end information assurance process
- Specification of management practices
  - Lays out the details of the management oversight and control function
- Specification of operations practices
  - Roadmap for the execution and maintenance of the specific process
- Specification of assurance and accountability practices
  - Verification and validation of the execution of assurance functions

4-26 Tailoring a Concrete Information Assurance System
- Effective information assurance and security depends on establishing the right set of policies, procedures, and work practices, tailored into a concrete infrastructure
- It is necessary to satisfy at least five generic requirements:
  - Understand the resource
  - Maintain the resource
  - Develop the resource
  - Use the resource
  - Manage the resource

4-27 Tailoring a Concrete Information Assurance System
- The tailoring process:
  - Ensures that the system is correctly aligned with the environmental, sensitivity, and information assurance requirements of the situation
  - Involves the preparation of a relevant response to six areas, discussed further below:
    - Context
    - Scope
    - System operation
    - General purpose
    - Environment
    - Sensitivity

4-28 Tailoring a Concrete Information Assurance System
- Context – understand the context in which the system operates
  - Determines the assurance approach
- Scope – must be defined
  - Unique and meaningful boundaries have to be established
  - Logical interrelationships have to be made explicit

4-29 Tailoring a Concrete Information Assurance System
- System operation – components should be categorized in terms of their role
  - Designate the specific purpose of each asset
  - Protection has to be aligned with purpose
  - Analyze, understand, and address threats
- General purpose – the function of each component
  - A simple description that satisfies two goals:
    - Allows users to make informed assignments of priorities for the protected components
    - Allows users to coordinate the implementation and management of the functions assigned to them

4-30 Tailoring a Concrete Information Assurance System
- Environmental considerations – technical and environmental factors that might impact the assurance process
- Sensitivity requirements – specify the sensitivity of each item
  - Characterized based on risk category:
    - High risk – comprises information characterized as critical, whose compromise would result in significant losses
    - Medium risk – would be an important concern but not necessarily critical
    - Low risk – some minimal level of risk; not vital

4-31 Types of Controls
- Information assurance control procedures fall into four categories:
  - Management controls
  - Development and implementation process controls
  - Operational controls
  - Technical controls

4-32 Types of Controls
- In addition to application, it is important:
  - To understand the operational status of the control
    - In the design process
    - Some controls will already exist while others will need to be established
  - To have a complete understanding of:
    - Where procedures have been implemented already
    - Where they must still be developed

4-33 Types of Controls
- Classification is based on a decision about whether each necessary control item is:
  - In place – a measure must be both operational and judged to be effective
  - Planned – includes specific control functions that are planned but not actually operational
  - In place and planned – part of the control is in place while other parts are still missing
  - Not feasible – control measures would be desirable but are not cost effective or feasible
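The policy/procedure/work-practice model gives an auditor concrete completeness rules: every procedure carries the five minimum elements of slide 4-23, the ten areas of slide 4-24 are each itemized, and every control item carries one of the four statuses above. The following script is an added example, not code from the Schou and Shoemaker text; it encodes those rules as a gap check over a constructed documentation set, and it assumes (labelled in the code) that a control reported as in place must have at least one work practice behind it.

```python
from dataclasses import dataclass, field

# Five minimum elements every documented procedure must state (slide 4-23).
REQUIRED_ELEMENTS = ("steps", "output", "interrelationships", "qualifications", "tools")
# Ten areas the policy/procedure/work-instruction model must itemize (slide 4-24).
TEN_AREAS = ("physical", "personnel", "operational", "network", "software",
             "development", "transmission", "continuity", "compliance", "ethical")
# Operational status of each necessary control item (slide 4-33).
STATUSES = ("in place", "planned", "in place and planned", "not feasible")


@dataclass
class Procedure:
    name: str
    area: str
    status: str
    elements: dict = field(default_factory=dict)     # element name -> documented text
    work_practices: list = field(default_factory=list)


@dataclass
class Policy:
    name: str
    procedures: list = field(default_factory=list)


def check_manual(policies):
    """Return a list of gap descriptions; an empty list means the set is complete."""
    gaps, covered = [], set()
    for pol in policies:
        if not pol.procedures:
            gaps.append(f"policy '{pol.name}' has no operating procedure")
        for p in pol.procedures:
            covered.add(p.area)
            if p.area not in TEN_AREAS:
                gaps.append(f"procedure '{p.name}': unknown area '{p.area}'")
            if p.status not in STATUSES:
                gaps.append(f"procedure '{p.name}': unknown status '{p.status}'")
            missing = [e for e in REQUIRED_ELEMENTS if not p.elements.get(e)]
            if missing:
                gaps.append(f"procedure '{p.name}': missing {', '.join(missing)}")
            # Assumption: a control only counts as 'in place' when the work practices
            # (the designated behaviors of slide 4-22) that operate it exist.
            if p.status.startswith("in place") and not p.work_practices:
                gaps.append(f"procedure '{p.name}': '{p.status}' but no work practice")
    for area in TEN_AREAS:
        if area not in covered:
            gaps.append(f"area '{area}' has no procedure")
    return gaps


def demo_manual():
    """Constructed sample documentation set with deliberate gaps."""
    full = {e: "documented" for e in REQUIRED_ELEMENTS}
    access = Policy("Access control", [
        Procedure("Account provisioning", "personnel", "in place", full, ["HR ticket review"]),
        Procedure("Remote access", "network", "planned", {**full, "tools": ""}),
    ])
    incident = Policy("Incident response")          # no procedure written yet
    return check_manual([access, incident])


if __name__ == "__main__":
    for gap in demo_manual():
        print("GAP:", gap)
```

The sample reports the policy with no procedure, the procedure missing its tools element, and the eight areas that no procedure covers yet.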

4-34 Management Controls
- These controls are behavioral
- Implement information assurance policies and procedures
- Regulate access to protected information through procedures
- Deployed based on the assessed impact of the threats they are designed to address

4-35 Development and Implementation Process Controls
- These controls ensure that information assurance protection is designed into the system from inception
- Used primarily during the system development phase
- Ensure that appropriate technical, physical, administrative, and personnel security requirements are satisfied
- Based on the verification and validation review process

4-36 Operational Controls
- The day-to-day procedures that protect the operation from a wide variety of threats
- Operational controls fall into six categories:
  - Physical and environmental protection
  - Production and input/output control
  - Contingency planning
  - Installation and update controls
  - Configuration management control
  - Documentation control

4-37 Technical Controls
- Technical controls include:
  - Automated access controls – control access
  - Authorization controls – provide the appropriate level of access to each entity
  - Detect unauthorized activities
  - Integrity control procedures – protect data from accidental or malicious alteration or destruction