1. Information Security Principles and Practices
by Mark Merkow and Jim Breithaupt
Chapter 4: Security Management

2. © Pearson Education Information Security: Principles and Practices
Chapter 4: Security Management
© Pearson Education Information Security: Principles and Practices

3. © Pearson Education Information Security: Principles and Practices
Objectives
Choose the appropriate type of policies (Security Policy)
Distinguish between the roles of standards, regulations, baselines خطوط الأساس , procedures, and guidelines
Organize a typical standards and policies library
Classify assets according to standard principles
© Pearson Education Information Security: Principles and Practices

4. © Pearson Education Information Security: Principles and Practices
Objectives cont.
Incorporate the separation of duties principle
Outline the minimum preemployment hiring practices
Analyze and manage risk
Outline the elements of employee security education, awareness, and training
List the eight types of people responsible for security
© Pearson Education Information Security: Principles and Practices

5. © Pearson Education Information Security: Principles and Practices
Introduction
Security policy is a definition of what it means to be secure for a system, organization
For an organization, it addresses the constraints on behavior of its members as well as constraints imposed on adversaries by mechanisms such as doors, locks, keys
بالنسبة للمنظمة ، فإنه يتناول القيود المفروضة على سلوك أعضائها فضلا عن القيود المفروضة على خصومه
© Pearson Education Information Security: Principles and Practices

6. © Pearson Education Information Security: Principles and Practices
For systems or computer system, the security policy addresses constraints on functions and flow among them, constraints on access by external systems and adversaries.
Note that: security policy is a high level definition of secure behavior
© Pearson Education Information Security: Principles and Practices

7. © Pearson Education Information Security: Principles and Practices
The effective policy contains the following information:
© Pearson Education Information Security: Principles and Practices

8. © Pearson Education Information Security: Principles and Practices
Title
Purpose
Authorizing individual
Author/sponsor
Reference to other policies
Scope
Measurement expectations
Exception process عملية استثناء
Accountability المساءلة
Compliance management and measurements description الامتثال لإدارة ووصف القياسات
Effective/expiration dates
Definition
© Pearson Education Information Security: Principles and Practices

9. © Pearson Education Information Security: Principles and Practices
Four Types of Policies
System-level policy
System-framework policy
Issue-specific policy
System-specific policy
This classification was defined by National Institute of Standards and Technology (NIST) Computer Systems Laboratory
© Pearson Education Information Security: Principles and Practices

10. © Pearson Education Information Security: Principles and Practices
Policy Level: is used for creating a management-sponsored computer security program.
Think of this as the mission statement for the IT security program.
The component of the level policy are:
Purpose: This include defining the the goals of the computer security as well as its management structure.
Scope: Scope specifies which resources (including facilities, hardware, and software), information, and personnel the programme covers.
© Pearson Education Information Security: Principles and Practices

11. © Pearson Education Information Security: Principles and Practices
Responsibilities addresses responsibilities of officials and offices throughout the organization, including the role of line managers, applications owners, users, and information processing or IT organization.
© Pearson Education Information Security: Principles and Practices

12. © Pearson Education Information Security: Principles and Practices
Normally issued by the manager or owner of the system but may originate from a high-level executive or official
Examples
Who is allowed to read or modify data in the system?
Under what conditions can data be read or modified?
Are users allowed to dial into the computer system from home or while on travel?
© Pearson Education Information Security: Principles and Practices

13. System-Framework Policies
Define the organization’s security programme elements that form the foundation for the computer security programme
Reflect information technology management’s decisions about priorities for protection, and assignment of responsibilities
© Pearson Education Information Security: Principles and Practices

14. Examples of possible system-framework policies
Business continuity planning (BCP) framework (Chapter 6).
Physical security requirements framework for data centers (Chapter 7).
Application development security framework (Chapter 13).
© Pearson Education Information Security: Principles and Practices

15. System-specific policy
States security objectives of a specific system. Define how the system should be operated to achieve objectives. Specify how the protections and features of the technology used to support or enforce the security objectives
© Pearson Education Information Security: Principles and Practices

16. Who Is Responsible for Security?
Everyone who uses information technology is responsible for maintaining the security and confidentiality of information resources and must comply with security policies and procedures
© Pearson Education Information Security: Principles and Practices

17. © Pearson Education Information Security: Principles and Practices
Chief information security officer (CISO), information resources manager, information resources security officer, owners of information resources, custodians of information resources, technical managers (network and system administrators, internal auditors, and users
© Pearson Education Information Security: Principles and Practices

18. Issue-Specific Policies cont.
May come from the head of the organization, the top management official, the chief information officer (CIO), or the computer security programme manager (e.g., CISO)
Examples
acceptable use
Internet acceptable use
Laptop security policy
© Pearson Education Information Security: Principles and Practices

19. System-Specific Policies
State security objectives of a specific system
Define how the system should be operated to achieve objectives
Specify how the protections and features of the technology used to support or enforce the security objectives
© Pearson Education Information Security: Principles and Practices

20. System-Specific Policies cont.
Normally issued by the manager or owner of the system but may originate from a high-level executive or official
Examples
Who is allowed to read or modify data in the system?
Under what conditions can data be read or modified?
Are users allowed to dial into the computer system from home or while on travel?
© Pearson Education Information Security: Principles and Practices

21. Development and Management of Security Policies
Three-level model for system security policy
Security objectives
consist of a series of statements to describe meaningful actions about specific resources
Operational security
list the rules for operating a system.
Policy implementation
the organization must determine the role technology plays in enforcing or supporting the policy
Security objectives should be based on system functionality or mission requirements but should also state the security actions to support the requirements.
© Pearson Education Information Security: Principles and Practices

22. Policy Support Documents
Provide levels of detail supporting the policy and explaining the system development, management, and operational requirements, including
Regulations: laws passed by regulators and lawmakers
Standards and baselines: topic-specific (standards) and system specific (baselines) documents that describe overall requirements for security
Guidelines: documentation that aids in compliance with standard considerations, hints, tips, and best practices in implementation
Procedures: step-by-step instructions on how to perform a specific security activity
© Pearson Education Information Security: Principles and Practices

23. Suggested Standards Taxonomy
Standards are formal written documents that describe several security concepts that are fundamental to all successful programmes
The highest level includes
Asset and data classification
Separation of duties
Pre-employment hiring practices
Education, awareness, and training
Risk analysis and management
© Pearson Education Information Security: Principles and Practices

24. Suggested Standards Taxonomy cont.
Asset Classification
Asset and data classification is needed by businesses and agencies to help determine how much security is needed for appropriate protection
Separation of Duties
Separating duties within a business or organization helps limit any individual’s ability to cause harm or perpetrate theft
© Pearson Education Information Security: Principles and Practices

25. Suggested Standards Taxonomy cont.
Preemployment Hiring Practices
Policies, standards, and procedures issued by human resources should address internal information security processes and functions
Education, Training, and Awareness
Because people are the weakest link in any security-related process, it’s crucial that a security programme address user education, awareness, and training on policies and procedures
Education must be driven top-down and must be comprehensive
Training must be ongoing (at least annually) and also take place whenever policies change
© Pearson Education Information Security: Principles and Practices

26. Suggested Standards Taxonomy cont.
Risk Analysis and Management
A risk analysis answers three fundamental questions:
What am I trying to protect?
What is threatening my system?
How much time, effort, and money am I willing to spend?
Two basic types of risk analysis
Quantitative Risk Analysis
Qualitative Risk Analysis
© Pearson Education Information Security: Principles and Practices

27. Quantitative Risk Analysis
Attempts to establish and maintain an independent set of risk metrics and statistics
Some of the calculations used for quantitative risk analysis
Annualized loss expectancy (ALE): single loss expectancy multiplied by annualized rate of occurrence
Probability: chance or likelihood that an event will occur
Threat: an event, the occurrence of which could have an undesired impact
Control: risk-reducing measure that acts to detect, prevent, or minimize loss associated with the occurrence of a specified threat
Vulnerability: the absence or weakness of a risk-reducing safeguard
© Pearson Education Information Security: Principles and Practices

28. Qualitative Risk Analysis
The most widely used approach to risk analysis
Makes use of a number of interrelated elements:
Threats: things that can go wrong or that can “attack” the system
Vulnerabilities: make a system more prone to attack or make an attack more likely to have some success or impact
Controls: the countermeasures for vulnerabilities
A risk is real when there is a presence of threat, a vulnerability that the attacker can exploit, and a high likelihood that the attacker will carry out the threat
© Pearson Education Information Security: Principles and Practices

29. A Model of The Risk Analysis Process
© Pearson Education Information Security: Principles and Practices

30. Who Is Responsible for Security?
Everyone who uses information technology is responsible for maintaining the security and confidentiality of information resources and must comply with security policies and procedures
Chief information security officer (CISO), information resources manager, information resources security officer, owners of information resources, custodians of information resources, technical managers (network and system administrators, internal auditors, and users
Chief information security officer (CISO): establishes and maintains
security and risk management programmes for information
resources.
■ Information resources manager: maintains policies and procedures
that provide for security and risk management.
■ Information resources security officer: directs policies and procedures
designed to protect information resources (e.g., identifies vulnerabilities,
develops security awareness programme, and so forth).
■ Owners of information resources: responsible for carrying out
the programme that uses the resources. This does not imply personal
ownership. These individuals may be regarded as programme
managers or delegates for the owner.
■ Custodians of information resources: provide technical facilities,
data processing, and other support services to owners and users of
information resources.
■ Technical managers (network and system administrators): provide
technical support for security of information resources.
■ Internal auditors: conduct periodic risk-based reviews of information
resources security policies and procedures.
■ Users: people who have access to information resources in accordance
with the owner-defined controls and access rules.
© Pearson Education Information Security: Principles and Practices

31. © Pearson Education Information Security: Principles and Practices
Summary
Security Management Practices domain is most concerned with the establishment and ongoing operation of the organization’s security programme.
This programme includes policies, standards, baselines, procedures, and guidance for compliance.
© Pearson Education Information Security: Principles and Practices