Information Security: Model, Process and Outputs Presentation to PRIA WG November 10, 2006

2 Agenda Information Security Method Example

3 Information Security Method The problem…simply stated? The solution: –Model –Process –Outputs

4 Problem: Managing Information Risk Severity: Low Likelihood: Low Severity: Moderate Likelihood: Low Severity: Low Likelihood: Moderate Severity: High Likelihood: Low Severity: Moderate Likelihood: Moderate Severity: Low Likelihood: High Severity: Moderate Likelihood: High Severity: High Likelihood: Moderate Severity: High Likelihood: High * In some cases, consequence severity may not change. The goal then is to drive “likelihood of occurrence” to zero. (increasing ) Severity of Consequence* Likelihood of Occurrence (increasing )

5 Security Solution: Model / Process / Outputs Five component security model Step-by-step security solution development process Ten “must have” outputs for understanding, managing and monitoring your security solution

6 Information Security Model Information Security Model 1. Business & Risk Description (Foundation) 2. Policy and Architecture (Framework) 3. Solution Specification (People, Processes & Technology) 4. Support (Testing, Maintenance & Sustainability) 5. Education (Initial and Continual)

7 Information Security Model (cont.) Business & Risk Description –Overall description of business scenario(s) –Understanding of information assets, users, and operational environment –Identification and summarization of business risks associated with information assets Framework –Definition of an information security policy Major statements (requirements) regarding information security Can be considered the “what is allowed / not allowed” document –Definition of an information security architecture The “big picture” that ties together information resources and how they should be protected Identifies the major information systems and the interconnectivity between those systems

8 Information Security Model (cont.) Solution –Detailed specifications Technology Procedures Personnel –Implementation planning –Implementation and test –Certification & accreditation Support Program –Follow-on Testing, Re-certification & Reporting –Maintenance & Monitoring –Insurance & Contingency Planning Awareness Program –General security literature –Specific “How to…” guides –Periodic “refresher” courses

9 Information Security Process Expands on the Model A step-by-step, manageable approach to defining, deploying, operating and maintaining an information security solution Generates the ten “must have” outputs Security Solution Information Security Model

10 Information Security Process (cont.) 1A Define Business Functions 1A Define Business Functions 1B Define Assets 1B Define Assets 1C Define Operational Environ. 1C Define Operational Environ. 1D Summarize Risks 1D Summarize Risks Business & Risk Description 2A Develop Policy 2A Develop Policy 2B Develop Solution Arch. 2B Develop Solution Arch. Framework 4C Develop Contingency Plans 4C Develop Contingency Plans 4B Monitor Solution 4B Monitor Solution 4A Maintain Solution 4A Maintain Solution Support Program 5 Educate Personnel 5 Educate Personnel Awareness Program 3A Specify Solution 3A Specify Solution 3B Implement Solution 3B Implement Solution Solution Assess and Re-assess Risk Throughout Process Major Executive Review

11 The Results A security solution: –Derived from business requirements –Derived from defined business risks –Results in appropriate protection of business assets Risk management capability –Each step after the risk summarization step forces a risk mitigation review for each identified risk –What one step cannot address, another step will address –The monitoring step ensures that risk management and monitoring always exists

12 The Results (cont.) Documented solution to support: –Change control –Awareness training –Audits and accreditation A review process: –Two major reviews Risk Summary Review Solution Specification Review –Major reviews intended for trade-off analyses –Risk mitigation reviews after each step following Risk Summarization Step –Other reviews can be performed as needed and in-line with already established corporate review procedures

13 The Results: Ten “Must Have” Outputs Business Description (Use Cases) Risk Summary Security Policy Security Architecture Security Solution Spec

14 The Results: Ten “Must Have” Outputs Solution Implement. Plan Solution Maint. Plan Solution Monit. Plan Contingency Plans Education Program Plan

15 Ongoing Process… There is no “one-time” solution to managing information security risks Conditions change  Risks change Each output is a living document that needs to be reviewed for accuracy and relevancy –Periodically (i.e., time-driven events) –Ad hoc (i.e., event-driven events) Reapply process (or portions of process) as needed based on changing risks

16 Example: eRecording (Business Analysis) County Recorder (eRecording System) eRec Docs Settlement Agent Assets:eRecording Documents Participants:Settlement Agent and County Recorder Workflow:Electronic Recording of a Closed eMortgage Communications:Internet based Applications:Web Browser / eRecording System

17 Example: eRecording (Risk Analysis) Potential vulnerabilities: –Unprotected eRecording documents –Unprotected communications –Insecure eRecording System Potential threats: –Untrustworthy settlement agent –Man-in-the-Middle (phishing, pharming, etc.) –Internet based attacks (worms, viruses, etc.) Potential risks (i.e., threats exploiting vulnerabilities) –Corrupted eRecording documents –Exposure of settlement agent’s eRecording account information –eRecording System is down and unavailable All potential risks can be bubbled up to be financial, reputation or safety risks.

18 Example: eRecording (Policy & Architecture) Secure the eRecording documents (integrity, authentication) Secure the communications (authentication, confidentiality) Secure the eRecording System (integrity, authentication, availability) County Recorder (eRecording System) eMtg Settlement Agent

19 Example: eRecording (Technology & Procedures) Secure the eRecording Documents: –Technology:XML Digital Signature –Procedure:Trusted Personnel Program for Settlement Agents Secure the Communications: –Technology:SSL/VPN –Procedure:Trusted Procedure for Issuing and Managing Accounts at the eRecording System Secure the eRecording System: –Technology:Crypto, Redundancy –Procedure:Secure Configuration, Ensure Security Patches are Installed and Up to Date, Trusted Personnel Program for eRecording Operators

20 Example: eRecording (Maintenance) Maintenance: –eRecording System maintenance Performance testing Security patches –eRecording Documents maintenance Standards updates Updates to data in eRecording documents (e.g., privacy issues?)

21 Example: eRecording (Monitoring) Monitoring –Identify security incidents of concern: Multiple failed attempts to authenticate to eRecording System eRecording System downtime Integrity check failures within eRecording System Integrity check failures within eRecording Documents –Determine reporting procedures for security incidents Audit and review lower level security incidents Alerts and notifications for higher level security incidents –Internal notifications –External notifications

22 Example: eRecording (Business Continuity) Disaster recovery procedures for eRecording System –Temporary operations –Fully restored operations Failover operations for non-disaster events at eRecording System –Smooth switch over to temporary operations –Process for converting back to original operations

23 Example: eRecording (Education) Educate settlement agents: –Importance of secured eRecording Documents –Importance of acting as a trustworthy settlement agent –Accessing and using the eRecording System –Identifying and reporting security incidents Educate eRecording System operators: –Importance of a secured and available eRecording System –Operating, maintaining and monitoring the eRecording System –Security incident response procedures –Business continuity and disaster recovery procedures

Thank you! Questions? Yuriy Dzambasow A&N Associates, Inc x107