McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved. Information Assurance for the Enterprise: A Roadmap to Information.
McGraw-Hill/Irwin Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved. Information Assurance for the Enterprise: A Roadmap to Information Security, by Schou and Shoemaker. Permission required for reproduction or display.
PowerPoint to Accompany Information Assurance for the Enterprise, Schou - Shoemaker
Chapter 1: Discovering What To Secure

1-2 Objectives
In this chapter, you will learn:
- Why “knowing what to secure” is the first step in ensuring security
- Why information has to be controlled like any other organizational asset
- Why the process of change has to be rigorously controlled

1-3 Information
Unlike other assets:
- Information is intangible
- Information represents value
- It is hard to develop an effective security response if you are unsure what it is you are securing

1-4 Assurance Process
- First step is to inventory assets
- Process is called baselining
- Outcome is called a baseline
- Baseline: precise specification of content and interrelationship of the organization’s information items
- Contains only items that the organization considers valuable

1-5 Baselining
- Documents the asset base, or resource base, of the organization
- That documentation is the only tangible record of the form of the asset base
- Has to be maintained throughout the lifecycle of the information assurance process

1-6 Asset Base
The Asset Base:
- Is dynamic
- Information it contains is constantly changing
- Information of value is directly related to the business case
- Evolves with the business case
- Must be aligned with changes to the business case
- Only concrete representation of the information that supports mission and purpose

1-7 Changes to the Asset Base
Changing the Asset Base:
- Must have a process to evaluate and control any changes to the baseline
- Organization’s understanding of contents of asset base can be lost
- Additions to the business case will produce new kinds of information
- New information is extremely valuable to the success of a product or organization

1-8 Ensuring Continuous Knowledge
Asset management:
- Ensures contents of information base are always known and documented
- Establishes and maintains precise description of:
  - Information asset base
  - Constituent elements
  - Inter-relationships
- Ensures permanent accounting that enables asset status to be known at all times

1-9 Asset Management
- Complex organizational process
- Assures documentation is accurate
- Assures all security policies are implemented correctly

1-10 Asset Management
Comprised of six interdependent activities:
- Process implementation
- Asset identification
- Control of change
- Status accounting
- Asset evaluation
- Version management

1-11 Process Implementation
Requires an asset management plan:
- Enumerates activities that make up the asset management process
  - Procedures
  - Timetable
- Defines and assigns organizational roles
  - Responsibilities
  - Personal inter-relationships
- Specifies interactions between activities

1-12 Process Implementation
The Process Implementation Plan:
- Establishes overall approach to accounting for and maintaining status of all information of value
- Provides complete lifecycle strategy
- Assures up-to-date status of information assets
- Maintains baselines and versions
- Provides up-to-date list of decision makers authorized to approve alterations
- Organization must make commitment to maintain plan throughout lifecycle

1-13 Process Implementation
Risk management:
- Organization’s authorized response to risk
- Based on assessment of risk each hazard represents
- Aided by well-defined baselines
- Ensures that only relevant threats are dealt with
Disaster recovery plan:
- Ensures ability to recover assets after a disaster
- Is the critical outcome of good baseline management

1-14 Asset Identification
Goal of asset identification: to establish an accurate record of the precise form of the items in the information asset base
- Based on formal identification scheme
- Items must be identified and labeled
- Labels designate and relate position within the family tree of the asset base
- Establishes “day one” form of the asset
- Always associated with the business case

1-15 Two Pass Approach
Two pass process:
- First pass describes baseline components at a high level of functioning
- Second pass provides more detailed descriptions

1-16 Increasing Levels of Control Information can be described at one or all of these levels:

1-17 Hierarchy of Components General approach to the design process:

1-18 Control of Change
- Change control is a continuous process
- Information is always evolving
- Items are continuously added to baselines
- Form and content of baselines change
- Effective change management is dependent on asset identification

1-19 Status Accounting
Good status accounting:
- Maintains a running account of all asset baselines
- Performs routine reporting activities needed to convey knowledge to managers
- Usually maintained in electronic repository or ledger
- Used by change control to perform impact analysis
- Updated when change has been approved and implemented

1-20 Asset Evaluation
Good asset evaluation:
- Ensures continuing integrity of the asset base
- Is done on a routine, scheduled basis
- Assesses the degree of correctness of the baseline
- Tests:
  - accuracy of the description
  - placement of the item
  - labeling of information resources
- Evaluates the appropriateness and effectiveness of established safeguards

1-21 Asset Evaluation
- Results are communicated to designated executives
- Anomalies are resolved by managerial actions
- By definition, anomalies are latent vulnerabilities
- Reporting process is in the asset management plan

1-22 Version Management
Version management is required for:
- Multiple, simultaneous versions of the same asset baseline
- Previous, or superseded, versions must be kept in separate archives
- Studying the data yields useful information about long-term behavior and evolution of the resource

1-23 Maintaining Integrity
Components necessary for maintaining integrity in the organization:
- Establishing the Checkpoint
- Documenting the Decision
- Assigning Authority
- Implementing the Change
- Accounting for Information
- Other Considerations

1-24 Establishing the Checkpoint
- Assures continuous integrity by controlling all changes to all formally established baselines
- Checkpoint for receiving and processing requests must be located at a single point in the organization

1-25 Documenting the Decision
- Document decisions so that change protocols are understood
- Method for requesting changes must be:
  - clearly understood
  - consistently applied
  - standardized in format
- No single format is applicable to all situations

1-26 Documenting the Decision
Documentation, at a minimum, needs to include:
- Organizational requirements that necessitate the change
- The operational timeframe and proposed schedule
- Information items impacted
- Controls impacted
- Costs and resource commitments
- Staff capabilities required
- Any software or tool requirements
- Any anticipated changes in procedure caused by the change
- Any anticipated change in the way the baseline is kept (for example, libraries)
- Any audit considerations
- Any disaster recovery considerations
- If they exist, the impacts on the various versions

1-27 Assigning Authority
- Decisions have to be made by an assigned authority to assure accountability
- First step is to identify and designate the proper decision maker
- Typically assigned based on operational responsibilities
- Person who should be held accountable for approving changes to an information asset should also be the one responsible for managing its generation and use

1-28 Assigning Authority
- The decision to change a baseline can be approved only by the authorized decision maker
- The decision maker must have the authority to enforce the decisions that they make
- To assure the integrity of the change, the decision maker should be able to:
  - allocate the resources
  - oversee the activities

1-29 Implementing the Change
- All changes have to be initiated and approved through a formal implementation process
- Request is submitted to the person responsible for maintaining the accuracy of the baseline
- That individual assures that the change is authorized and will not affect integrity of the item or the asset baseline
- Change is made once authorization is received
- Changes at any level in the representation must:
  - Be maintained at each relevant level
  - Reflect correctly and accurately the changed status of the actual asset base

1-30 Accounting for Information
- Formal accounting functions assure the contents of the asset base are always accurate and known
- Each baseline is treated as if it were a separate account in a ledger
- Individual transactions are entered as they occur
- The aim is to document and record all transactions for that baseline
- Gathering the following helps assure that this function operates as intended:
  - Label and description of the information item
  - How formally the item is controlled
  - Description of the controls
  - Measures to support monitoring integrity of the item

1-31 Other Considerations
- Escalation policies must always be considered
- Once systems and their data are moved up to operational status, a greater change authority is needed
- In complex situations, asset baselines must evolve through a single integrated and coordinated function
- If third parties could change baselines without authority, the integrity of the entire asset could be destroyed without anyone in the organization knowing it
- There is no greater threat to the integrity of information than uncontrolled change
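The slides from 1-14 through 1-31 describe asset identification, change control, status accounting, asset evaluation and version management as a single discipline. The following is an added example, not code from the textbook or its authors, that puts those activities into one small baseline ledger: hierarchical labels place each item in the asset "family tree", a single designated decision maker is the only approver of changes, superseded versions go to a separate archive, every transaction is recorded in the ledger, and a scheduled evaluation compares the documented baseline against the live items and reports each mismatch as an anomaly. The data model, the use of a SHA-256 digest as the recorded "form" of an item, and the sample assets are assumptions made here for illustration.

```python
"""Baseline ledger with change control (added illustration; not the textbook's code).

Assumptions: an item's recorded form is a SHA-256 digest of its content, labels
are dotted paths (parent.child), and one named decision maker approves changes.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib


@dataclass
class Asset:
    """One item in the information asset base."""
    label: str          # position in the asset family tree, e.g. FIN.GL
    description: str
    digest: str         # recorded fingerprint of the item's content
    version: int = 1
    controls: tuple = ()  # names of the safeguards applied to the item


def fingerprint(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


class Baseline:
    """A baseline treated as a separate ledger account: every change is a transaction."""

    def __init__(self, name: str, decision_maker: str):
        self.name = name
        self.decision_maker = decision_maker  # the single authorized approver
        self.items: dict[str, Asset] = {}
        self.archive: list[Asset] = []        # superseded versions, kept separately
        self.ledger: list[dict] = []          # status accounting record

    def _record(self, action: str, label: str, **detail) -> dict:
        entry = {"ts": datetime.now(timezone.utc).isoformat(),
                 "action": action, "label": label, **detail}
        self.ledger.append(entry)
        return entry

    def identify(self, label: str, description: str, content: bytes, controls=()) -> None:
        """Asset identification: establish the 'day one' form of an item.
        A child may only be added under a parent that is already baselined."""
        parent = label.rsplit(".", 1)[0] if "." in label else None
        if parent is not None and parent not in self.items:
            raise ValueError(f"parent {parent} must be baselined before {label}")
        self.items[label] = Asset(label, description, fingerprint(content),
                                  controls=tuple(controls))
        self._record("identify", label, version=1)

    def request_change(self, label: str, new_content: bytes, approver: str, reason: str) -> None:
        """Control of change: only the designated decision maker may approve."""
        if approver != self.decision_maker:
            self._record("rejected", label, approver=approver, reason="not authorized")
            raise PermissionError(f"{approver} is not the decision maker for {self.name}")
        current = self.items[label]
        self.archive.append(current)  # version management: keep the superseded version
        self.items[label] = Asset(label, current.description, fingerprint(new_content),
                                  version=current.version + 1, controls=current.controls)
        self._record("change", label, version=current.version + 1,
                     approver=approver, reason=reason)

    def evaluate(self, actual: dict[str, bytes]) -> list[str]:
        """Asset evaluation: compare the documented baseline with the live items.
        Every mismatch is an anomaly, i.e. a latent vulnerability to report."""
        anomalies = []
        for label, asset in self.items.items():
            if label not in actual:
                anomalies.append(f"{label}: documented but missing from the live environment")
            elif fingerprint(actual[label]) != asset.digest:
                anomalies.append(f"{label}: content differs from baseline v{asset.version} "
                                 "(uncontrolled change?)")
        for label in sorted(actual.keys() - self.items.keys()):
            anomalies.append(f"{label}: exists but is not in the baseline")
        return anomalies


if __name__ == "__main__":
    # Constructed sample: a finance baseline with one controlled child item.
    b = Baseline("FIN", decision_maker="gl_owner")
    b.identify("FIN", "finance asset base", b"root")
    b.identify("FIN.GL", "general ledger export", b"v1", controls=("access-control",))
    b.request_change("FIN.GL", b"v2", approver="gl_owner", reason="month-end close")
    for anomaly in b.evaluate({"FIN": b"root", "FIN.GL": b"tampered"}):
        print("ANOMALY:", anomaly)
    for entry in b.ledger:
        print(entry["action"], entry["label"], entry.get("version", ""))
```

The evaluation step is where the slides' point about uncontrolled change becomes concrete: an item whose live content no longer matches its recorded form, or an item that exists without ever having been baselined, is exactly the kind of anomaly the reporting process in the asset management plan has to surface to the designated executives.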

1-32 Establishing the Assurance Function
The details of establishing the assurance function:
- Basing the Response on the Risks
- Timing Requirements
- Corrective Action Requirements
- Financial Factors
- Likelihood

1-33 Basing the Response on the Risks
- With the baseline established, information assurance maintains the integrity of the information asset base
- To deploy assurance functions, the risks must be understood fully
- A control that has been set to counter an identified threat is a countermeasure
- To identify needed countermeasures, the organization must identify the threats
- The outcome is an inventory of risks and the associated countermeasures

1-34 Timing Requirements
- Every threat has different timing requirements
- The old axiom about “closing the barn door after the horse has escaped” is an example of how timing is an important security issue
- The feasibility of the countermeasure is based on its ability to react quickly enough to overcome the threat
- Electronic penetrations move at the speed of the computer itself
- A thief breaking into the computer room allows a little more time to respond

1-35 Corrective Action Requirements
- A corrective action is the specific response that an organization deploys for a given situation
- A range of possible corrective actions exists for a given threat
- The most effective actions may not be feasible because of technical, physical, or resource limitations
- Corrective actions factor feasibility and cost into the equation, resulting in selection of the countermeasure that is the most practical, rather than the one that is the best for all cases

1-36 Financial Factors
- Finance is the most important element
- Most easily understood and accepted by the people in the organization
- Typically describes the return on investment (ROI) for a given countermeasure
- If the cost of implementing is greater than the conceivable loss, it is pointless to consider it
- In the case of low-value assets, the expense of maintaining a given level of security may outweigh the financial loss

1-37 Likelihood
- Likelihood is composed of two factors:
  - frequency of occurrence (of the threat)
  - extent of the harm that might result
- Uncertainty describes the priority of the threat
- Expressed as a level of confidence, from 0 to 100%
- Once the analysis of the risks is complete, the organization will know:
  - precisely what information assets it holds
  - the type and priority of the threats to the items in the baseline and the countermeasures to mitigate them
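Slides 1-33 through 1-37 describe how the risk inventory is built: each threat has a likelihood made of frequency and extent of harm, an uncertainty expressed as a confidence level, and a set of candidate countermeasures that are filtered by feasibility and by whether their cost exceeds the loss they avoid. The following is an added example, not code from the textbook or its authors, that carries that reasoning through as a small risk register. The scoring formula (expected annual loss = frequency x harm, weighted by confidence for ranking), the notion of a countermeasure's loss-reduction fraction, and all threat names and cost figures are assumptions constructed here; the slides only give the qualitative rules.

```python
"""Risk inventory and countermeasure selection (added illustration; not the textbook's code).

Assumptions: frequency is events per year, harm is the loss per event in one
currency, confidence is 0.0-1.0, and each countermeasure removes a fixed
fraction of the expected loss. Sample threats and figures are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str                 # the baseline item the threat applies to
    frequency_per_year: float  # how often the threat is expected to occur
    harm_per_event: float      # extent of harm if it occurs
    confidence: float          # 0.0-1.0: how sure the analysts are of the estimates

    def expected_annual_loss(self) -> float:
        # Likelihood is the product of the slides' two factors: frequency and harm.
        return self.frequency_per_year * self.harm_per_event


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    loss_reduction: float  # fraction of the expected loss it removes, 0.0-1.0
    feasible: bool         # technical, physical and resource limits permit it


def prioritize(threats: Iterable[Threat]) -> list[Threat]:
    """Order threats by expected loss, discounted by confidence.

    Multiplying by confidence is an assumption made here; the slides only say
    uncertainty is expressed as 0-100% confidence and sets the priority.
    """
    return sorted(threats,
                  key=lambda t: t.expected_annual_loss() * t.confidence,
                  reverse=True)


def select_countermeasure(threat: Threat,
                          options: Iterable[Countermeasure]) -> Optional[Countermeasure]:
    """Pick the most practical countermeasure rather than the strongest one.

    Infeasible options are skipped, and an option whose cost exceeds the loss
    it avoids has no positive return and is also skipped. Returns None when
    nothing pays off, which is the slides' low-value-asset case.
    """
    eal = threat.expected_annual_loss()
    best: Optional[Countermeasure] = None
    best_roi = 0.0
    for cm in options:
        if not cm.feasible:
            continue
        roi = eal * cm.loss_reduction - cm.annual_cost  # loss avoided minus cost
        if roi > best_roi:
            best, best_roi = cm, roi
    return best


def build_inventory(threats: Iterable[Threat],
                    options_by_threat: dict[str, list[Countermeasure]]) -> list[tuple[str, Optional[str]]]:
    """The slides' outcome: each threat, in priority order, paired with its
    chosen countermeasure (or None where protection costs more than the loss)."""
    inventory = []
    for t in prioritize(threats):
        chosen = select_countermeasure(t, options_by_threat.get(t.name, []))
        inventory.append((t.name, chosen.name if chosen else None))
    return inventory


if __name__ == "__main__":
    # Constructed sample register.
    threats = [
        Threat("printer misuse", "lobby printer", 10.0, 50.0, 1.0),
        Threat("laptop theft", "field laptops", 2.0, 5_000.0, 0.9),
        Threat("ransomware", "customer DB", 0.5, 400_000.0, 0.6),
    ]
    options = {
        "ransomware": [Countermeasure("offline backups", 30_000.0, 0.7, True),
                       Countermeasure("air-gap everything", 20_000.0, 0.95, False),
                       Countermeasure("endpoint detection", 60_000.0, 0.5, True)],
        "laptop theft": [Countermeasure("full-disk encryption", 3_000.0, 0.8, True)],
        "printer misuse": [Countermeasure("lock printer room", 2_000.0, 0.9, True)],
    }
    for name, choice in build_inventory(threats, options):
        print(f"{name:15s} -> {choice}")
```

Note how "air-gap everything" is dropped despite removing the most loss: the slides' point is that the most effective action is often not the feasible one, and the selection has to reflect that rather than the ideal.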

1-38 Documenting the Countermeasures The relationship of information items to assurance controls

1-39 Documenting the Assurance Solution
- Preparing and documenting a set of work practices establishes the link between each item of information and the countermeasures to protect it
- To be certain work practices are designed and documented correctly, the following have to be considered:
  - Sequence and Timing
  - Monitoring
  - Accountabilities
  - Documentation and Reporting
  - Problem Resolution

1-40 Sequence and Timing
Sequencing and timing countermeasures:
- Countermeasures can’t be applied at the same time
- Must be sequenced properly
- It is important that personnel understand what task to do first
- Not a good practice to assume that everybody knows the sequence

1-41 Sequence and Timing
These might be the countermeasures specified for the personnel function. Consider the importance of the sequence.
1. Background checks will be performed for all new hires
2. An initial employee orientation will be held to obtain confidentiality agreements
3. Employees will receive regularly scheduled security training
4. Employee violations of policy and procedure will be disciplined
5. Employees will be given periodic random background checks
6. Employees will report all security incidents they see
7. Employee-reported security incidents will be recorded and quantified
8. Employees leaving the organization will be processed using secure personnel practice
9. Unfriendly terminations will be processed as security incidents

1-42 Monitoring
Monitoring has two purposes:
- It assures that the relationship between the information and its countermeasures will be supervised
- It allows the organization to evolve the countermeasures as threats arise
A focused monitoring process assures both of these functions

1-43 Accountabilities
- Explicit accountability for oversight and problem resolution should be assigned as part of the description of the countermeasures
- Requires supervisory roles and responsibilities be defined for each countermeasure
- Performance of duties needs to be overseen using the monitoring process just discussed
- Consequences of a failure to meet assigned obligations must be spelled out

1-44 Documentation and Reporting
- Established and maintained through a statement of the steps required to assure recording and reporting of incidents
- Statement defines:
  - what information will be captured
  - specifically how it will be recorded and reported
- The statement identifies all management reports to be produced

1-45 Problem Resolution
Problem resolution process: a statement about how problems will be resolved
- Defines how typical problems with operations will be handled as they are identified
- Defines who is responsible for their resolution
- Defines the criteria that will be used to determine if the problem has been resolved properly
- Closes the loop in ensuring consistent application of the process
- Guarantees that problems that arise during operation will be dealt with systematically

1-46 Keeping the System Aligned
- The baseline must be properly aligned with the evolution of the operating infrastructure of the organization
- It is inappropriate to develop a static representation and to fail to maintain it
- Effectiveness implies a commitment to continuous monitoring, adjustment, and updating of the baseline
- This process should include continual and regular feedback from the operational environment
- A well-executed feedback system generates a high degree of organizational buy-in, or universal acceptance