ISA 562 Internet Security Theory & Practice


1 ISA 562 Internet Security Theory & Practice
Information Security Management CISSP Topic 1 ISA 562

2 Objectives
- Roles and responsibilities of individuals in a security program
- Security planning in an organization
- Security awareness in the organization
- Differences between policies, standards, guidelines and procedures as related to security
- Risk management practices and tools

3 Introduction
- The purpose of information security is to protect an organization's valuable resources, such as information, hardware and software.
- It should be designed to increase organizational success.
- Information systems are often critical assets that support the mission of an organization.

4 Information Security TRIAD
The overarching goals of information security are addressed through the AIC TRIAD.

5 IT Security Requirements - I
Security solutions should be designed with two main focus areas:
1. Functional Requirements: define the security behavior of the control measures.
   - Selected based on risk assessment
   - Properties: they should not depend on another control (why?), and they should fail safe by maintaining the security of the system in the event of a failure.

6 IT Security Requirements -II
2. Assurance Requirements: provide confidence that the security functions are performing as expected.
   - Examples: internal/external audit, threat risk assessments, third party reviews, compliance to best practices
3. Example of functional vs. assurance:
   - Functional requirement: a network firewall permits or denies traffic.
   - Assurance requirement: logs are generated and monitored.

7 Organizational & Business Requirements
- Focus on the organizational mission: business driven
- Depends upon organizational type. Examples: military, government and commercial
- Must be sensible and cost effective
- Solutions must be developed with due consideration of the mission and environment of the business

8 IT Security Governance
- Integral part of overall corporate governance: must be fully integrated into the overall risk-based threat analysis.
- Ensures that the IT infrastructure of the company:
  - Meets the AIC requirements
  - Supports the strategies and objectives of the company
  - Includes service level agreements when outsourced

9 Security Governance: Major parts
- Leadership: security leaders must be fully integrated into the company leadership, where they can be heard.
- Structure: governance occurs at many different levels of the organization, in a layered approach.
- Processes: follow internationally accepted "best practices": job rotation, separation of duties, least privilege, mandatory vacations, etc.
- Some examples of standards: ISO & ISO 27001:2005

10 Security Blueprints
- Provide a structure for organizing requirements and solutions.
- They are used to ensure that security is considered from a holistic view.
- Used to identify and design security requirements
- Infrastructure security blueprints

11 Policy overview
- The operational environment is a complex web of laws, regulations, requirements, competitors and partners that change frequently and interact with each other.
- Within this environment, management must develop and publish overall security statements addressing security policies and their supporting elements such as standards, baselines and guidelines.

12 Policy overview

13 Functions of Security policy - I
- Provides management's goals and objectives in writing
- Documents compliance
- Creates the security culture
- Anticipates and protects others from surprises
- Establishes the security activity/function
- Holds individuals personally responsible/accountable

14 Functions of Security policy-II
- Addresses foreseeable conflicts
- Ensures employees and contractors are aware of organizational policy and changes
- Mandates an incident response plan
- Establishes processes for exception handling, rewards, discipline

15 Policy Infrastructure
- High level policies are interpreted into a number of functional policies.
- Functional policies are derived from the overarching policy of the organization and create the foundation for the procedures, standards, and baselines needed to accomplish the security objectives.
- Functional policies gain their credibility from senior management's buy-in.

16 Example Functional Policies
- Data classification
- Certification and accreditation
- Access control
- Outsourcing
- Remote access
- Acceptable Internet usage
- Privacy
- Dissemination control
- Sharing control

17 Policy Implementation
Standards, procedures, baselines, and guidelines turn the objectives and goals established by management in the overarching and functional policies into actionable and enforceable actions for the employees.

18 Standards, procedures and guidelines
- Standards: adoption of common hardware and software mechanisms and products throughout the enterprise. Examples: desktop, anti-virus, firewall
- Procedures: required step-by-step actions which must be followed to accomplish a task.
- Guidelines: recommendations for security product implementations, procurement and planning, etc. Examples: ISO 17799, Common Criteria, ITIL

19 Baselines
- Benchmarks used to ensure that a minimum level of security configuration is provided across multiple implementations and systems.
- They establish consistent implementation of security mechanisms.
- Platform unique. Examples: VPN setup, IDS configuration, password rules

20 Three Levels of security planning
- Strategic planning: long term. Focuses on the high-level, long-range organizational requirements. Example: overarching security policy
- Tactical level planning: medium term. Focuses on events that will affect the entire organization. Examples: functional plans
- Operational planning: short term. Fighting fires at the keyboard level; this directly affects the ability of the organization to accomplish its objectives.

21 Organizational roles and responsibilities
- Every actor has a role, and a role entails responsibility: it must be clearly communicated and understood by all actors.
- Specific duties associated with the role must be assigned. Examples: securing; reviewing violation reports; attending awareness training

22 Specific Roles and Responsibilities (duties)- 1
- Executive management: publish and endorse the security policy establishing goals and objectives; overall responsibility for asset protection.
- Information systems security professionals: security design, implementation, management, and review of the organization's security policies.

23 Specific Roles and responsibilities - 2
- Owners: information classification; set user access conditions; decide on business continuity priorities
- Custodians: security of the information entrusted to them
- Information system auditor: auditing assurance guarantees
- Users: compliance with procedures (AIC) and policies

24 Personnel Security: Hiring staff
- Background checks/security clearances
- Check references/educational records
- Sign employment agreement. Examples: non-disclosure agreements, non-compete agreements
- Low level checks
- Consult the Human Resources (H.R.) department
- Termination procedures

25 Third party considerations
Establish procedures to address these groups on an individual basis. Examples of third parties are:
- Vendors/suppliers
- Contractors
- Temporary employees
- Customers

26 Personnel good practices
- Job descriptions and defined roles and responsibilities
- Least privilege/need to know
- Compliance with need to share
- Separation of duties
- Job rotation
- Mandatory vacations

27 Security Awareness
Awareness training:
- Provides employees with a reminder of their security responsibilities.
- Motivates personnel to comply with requirements
- Examples: videos, newsletters, posters, key-chains, etc.

28 Training and Education
- Job training: provides the skills needed to perform the security functions in their jobs.
  - Focus on security-related job skills
  - Specifically address security requirements of the organization, etc.
- Professional education: provides decision-making and security management skills that are important for the success of an organization's security program.

29 Good training practices
Address the audience:
- Management
- Data owner and custodian
- Operations personnel
- User support personnel

30 Risk from NIST SP
Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization (SP800-30).

31 Definitions Related to Risk
- Threat: the potential for a mal-actor to exercise a specific vulnerability.
- Vulnerability: a flaw or weakness in system security procedures, design, implementation or internal controls that could be exercised and could result in a security breach or a violation of the system's security policy.
- Likelihood: the probability that a potential vulnerability may be exercised within the threat environment.
- Countermeasures: a risk reduction control; may be technical, operational or management controls, or a combination of these types.

32 Risk Management concept flow

33 Risk Management Definitions
- Asset: something that is valued by the organization to accomplish its goals and objectives
- Threat: any potential danger to information or an information system. Examples: unauthorized access, hardware failure, loss of key personnel
- Threat agent: anything that has the potential of causing a threat
- Exposure: an opportunity for a threat to cause loss
- Vulnerability: a weakness that could be exploited
- Attack: an intentional action trying to cause harm
- Countermeasures and safeguards: the measures and actions that are taken to protect systems
- Risk: the probability that some unwanted event could occur
- Residual risk: the amount of risk remaining after countermeasures and safeguards are applied

34 Risk Management
The purpose of risk management is to identify potential problems before they occur, so that risk-handling activities may be planned and invoked as needed across the life of the product or project.

35 The Risk Equation

36 Risk Factors
- Risk arises when threat agents attack assets and vulnerabilities are present.
- Residual risk remains when threat agents attack assets and countermeasures are in place but are not sufficient.

37 Risk Management
- Risk management identifies and reduces total risks (threats, vulnerabilities, and asset value)
- Mitigating controls: safeguards and countermeasures reduce risk
- Residual risk should be set to an acceptable level

38 Purpose of risk Analysis
- Identifies and justifies risk mitigation efforts
- Identifies the threats to business processes and information systems
- Justifies the implementation of specific countermeasures to mitigate risk
- Describes the current security posture
- Conducted based on risk to the organization's objectives/mission

39 Benefits of Risk Analysis
- Focuses policy and resources
- Identifies areas with specific risk requirements
- Part of good IT governance
- Supports the business continuity process
- Informs insurance and liability decisions
- Legitimizes security awareness programs

40 Emerging threats factors
Risk assessment must also address emerging threats:
- New technology
- Change in the culture of the organization or environment
- Unauthorized use of technology, etc.
- Can come from many different areas
- May be discovered by periodic risk assessments

41 Sources to identify threats
- Users
- Systems administrators
- Security officers
- Auditors
- Operations
- Facility records
- Community and government records
- Vendor/security provider alerts
- Other types of threats:
  - Natural disasters: flood, tornado, etc.
  - Environment: overcrowding or poor morale
  - Facility: physical security or location of the building

42 Risk analysis key factors
- Obtain senior management support
- Establish the risk assessment team
  - Define and approve the purpose and scope of the risk assessment team
  - Select team members
  - State the official authority and responsibility of the team
- Have management review findings and recommendations
- Risk team members: some of the areas which should be included are information system security, IT and operations management, internal audit, physical security, etc.

43 Use of automated tools for risk management
- Objective is to minimize manual effort
- Can be time consuming to set up
- Perform calculations quickly
- Estimate future expected losses
- Determine the benefit of security measures

44 Preliminary security evaluation
- Identify vulnerabilities
- Review existing security measures
- Document findings
- Obtain management review and approval

45 Risk analysis types
Two types of risk analysis:
- Quantitative risk analysis
- Qualitative risk analysis
Both provide valuable metrics, and both are often required to get a full picture.

46 Quantitative risk analysis
- Assigns independently objective numeric monetary values
- Fully quantitative if all elements of the risk analysis are quantified; this is difficult to achieve
- Requires substantial time and personnel resources

47 Determining asset value
- Cost to acquire, develop, and maintain
- Value to owners, custodians, or users
- Liability for protection
- Recognize cost and value in the real world
- Price others are willing to pay
- Value of intellectual property
- Convertibility/negotiability

48 Quantitative analysis steps
- Estimate potential losses: SLE (Single Loss Expectancy)
  - SLE = Asset Value ($) x Exposure Factor (%)
  - Exposure Factor = % of the asset lost when the threat is successful
  - Types of loss to consider: physical destruction/theft, lost data, etc.
- Conduct threat analysis: ARO (Annual Rate of Occurrence)
  - Expected number of exposures/incidents per year
  - Likelihood of an unwanted event happening
- Determine Annual Loss Expectancy (ALE): combine potential loss and rate per year
  - Magnitude of risk = Annual Loss Expectancy
  - Purpose of ALE: justify security countermeasures
  - ALE = SLE x ARO

49 Qualitative Risk analysis
- Scenario oriented
- Does not attempt to assign absolute numeric values to risk components
- Purely qualitative risk analysis is possible
- Qualitative risk analysis factors: rank the seriousness of the threats and the sensitivity of assets; perform a carefully reasoned risk assessment

50 Other risk analysis methods
- Failure modes and effects analysis
  - Potential failures of each part or module
  - Examine effects of failure at three levels: immediate level (part or module), intermediate level (process or package), system-wide
- Fault tree analysis (sometimes called "spanning tree analysis")
  - Create a "tree" of all possible threats to, or faults of, the system
  - "Branches" are general categories such as network threats, physical threats, component failures, etc.
  - Prune "branches" that do not apply
  - Concentrate on the remaining threats
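The fault tree method on this slide, worked through in code as an added example (not part of the course material): branches are the general threat categories, gates combine the probabilities of the basic events underneath them, and a branch that does not apply is pruned before the top event is evaluated. All event names and probabilities are constructed for illustration.

```python
"""Fault tree analysis as an added example (not from the slides): gates
combine the probabilities of basic events into the probability of the top
undesired event, and branches that do not apply are pruned away."""
import math
from dataclasses import dataclass, field
from typing import List, Union


@dataclass
class Event:
    """Leaf of the tree: a basic fault or threat with its own probability."""
    name: str
    probability: float    # probability over the assessment period (constructed)
    applies: bool = True  # False prunes this leaf from the analysis


@dataclass
class Gate:
    """Internal node: OR fires if any input occurs, AND only if all inputs do."""
    name: str
    kind: str             # "OR" or "AND"
    inputs: List[Union[Event, "Gate"]] = field(default_factory=list)
    applies: bool = True  # False prunes the whole branch


def probability(node) -> float:
    """Probability that a node occurs, assuming independent inputs;
    pruned nodes and empty gates contribute nothing (probability 0)."""
    if not node.applies:
        return 0.0
    if isinstance(node, Event):
        return node.probability
    live = [probability(child) for child in node.inputs if child.applies]
    if not live:
        return 0.0
    if node.kind == "AND":
        return math.prod(live)
    if node.kind == "OR":
        # P(at least one) = 1 - P(none occur)
        return 1.0 - math.prod(1.0 - p for p in live)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def example_tree(component_failure_applies: bool) -> Gate:
    """Constructed tree for the top event 'customer data disclosed'."""
    network = Gate("network threats", "OR", [
        Event("phishing credential theft", 0.20),
        Event("unpatched remote access gateway", 0.10)])
    physical = Gate("physical threats", "AND", [
        Event("tailgating into office", 0.05),
        Event("unencrypted laptop left at desk", 0.50)])
    components = Gate("component failures", "OR", [
        Event("failed disk discarded without sanitization", 0.30)],
        applies=component_failure_applies)  # pruned when the branch does not apply
    return Gate("customer data disclosed", "OR", [network, physical, components])
```

With the component-failure branch pruned, the top event probability drops from about 0.51 to about 0.30, which is the effect of the "prune branches that do not apply" step on the remaining analysis.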

51 Risk mitigation options
- Risk acceptance
- Risk reduction
- Risk transference
- Risk avoidance

52 The right amount of security
- Cost/benefit analysis: balance between the cost to protect and the asset value
- To estimate, need to know:
  - Asset value
  - Threats: adversary, means, motives, and opportunity
  - Vulnerabilities and resulting risk
  - Countermeasures
  - Risk tolerance
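The SLE/ARO/ALE steps from slide 48 and the cost/benefit balance from this slide, carried through in code as an added example (not part of the course material). The asset value, exposure factors, occurrence rates and safeguard costs are constructed figures; the rule applied is the one the slides state, that a safeguard's cost must be justified by the potential loss it removes.

```python
"""Quantitative risk analysis carried through: SLE, ARO and ALE for one
threat/asset pair, then the cost/benefit test for candidate safeguards."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One threat against one asset, in the terms of the quantitative steps."""
    asset: str
    asset_value: float      # replacement/business value in dollars
    exposure_factor: float  # fraction of the asset lost when the threat succeeds
    aro: float              # Annual Rate of Occurrence: expected incidents/year

    def sle(self) -> float:
        """Single Loss Expectancy = Asset Value x Exposure Factor."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annual Loss Expectancy = SLE x ARO: the magnitude of the risk."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure, the residual exposure once it is in place, and its
    total annual cost (acquisition, operation, maintenance, testing)."""
    name: str
    residual: Exposure
    annual_cost: float


def net_value(before: Exposure, option: Safeguard) -> float:
    """ALE removed by the safeguard minus its annual cost; negative means the
    control costs more than the risk it reduces (accepting the risk is cheaper)."""
    return before.ale() - option.residual.ale() - option.annual_cost


def rank_safeguards(before: Exposure, options: list) -> list:
    """(name, net value) pairs, best option first."""
    scored = [(o.name, net_value(before, o)) for o in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a $500,000 customer database; a successful ransomware
# incident destroys 40% of its value, once every two years on average.
CURRENT = Exposure("customer DB", 500_000, 0.40, 0.5)
OPTIONS = [
    Safeguard("offline backups + segmentation",
              Exposure("customer DB", 500_000, 0.10, 0.5), annual_cost=30_000),
    Safeguard("managed SOC contract",
              Exposure("customer DB", 500_000, 0.05, 0.5), annual_cost=90_000),
]

print(rank_safeguards(CURRENT, OPTIONS))  # best option first
```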

53 Countermeasures selection principles
- Based on cost/benefit analysis: total cost of the safeguard
  - Selection and acquisition
  - Construction and placement
  - Environment modification
  - Nontrivial operating cost
  - Maintenance, testing
  - Potential side effects
  - Cost must be justified by the potential loss
- Accountability
  - At least one person for each safeguard
  - Associate directly with performance reviews
- Absence of design secrecy

54 Countermeasures selection principles (Continued)
- Audit capability
  - Must be testable
  - Include auditors in design and implementation
- Vendor trustworthiness: review past performance
- Independence of control and subject
  - Safeguards control/constrain subjects
  - Controllers administer the safeguards
  - Controllers and subjects are from different populations
- Universal application
  - Impose safeguards uniformly
  - Minimize exceptions

55 Countermeasures selection principles (Continued)
- Compartmentalization and defense in depth: the safeguard's role; consider improving security through layers of security
- Isolation, economy and least common mechanism: isolate from other safeguards; a simple design is more cost effective and reliable, etc.
- Acceptance and tolerance by personnel: care must be taken to avoid implementing controls that pose unreasonable constraints; less intrusive controls are more acceptable
- Minimize human intervention: reduces the possibility of errors and "exceptions" by reducing the reliance on administrative staff to maintain the control

56 Countermeasures selection principles (Continued)
- Sustainability
- Reaction and recovery: countermeasures should do the following when activated:
  - Avoid asset destruction and stop further damage
  - Prevent disclosure of sensitive information through a covert channel
  - Maintain confidence in system security
  - Capture information related to the attack and attacker
- Override and fail-safe defaults
- Residual and reset

57 Basis and origin of ethics
- Religion, law, tradition, culture
- National interest
- Individual rights
- Enlightened self interest
- Common good/interest
- Professional ethics/practices
- Standards of good practice

58 Ethics
- Formal ethical theories
  - Teleology: ethics in terms of goals, purposes, or ends
  - Deontology: ethical behavior is duty
- Common ethical fallacies
  - Computers are a game
  - Law-abiding citizen
  - Free information
  - Shatterproof
  - Candy-from-a-baby
  - Hackers
- Difficult to define; start with senior management

59 Codes of ethics - examples
Relevant professional codes of ethics include:
- Internet Activities Board (IAB): any activity is unethical and unacceptable that purposely:
  - Seeks to gain unauthorized access to Internet resources
  - Disrupts the intended use of the Internet
  - Wastes resources through such actions
  - Destroys the integrity of computer-based information
  - Compromises the privacy of users
  - Involves negligence in the conduct of Internet-wide experiments

60 Codes of ethics - examples
Relevant professional codes of ethics include:
- (ISC)2 and other professional codes. ISC2 Code of Ethics preamble:
  - Protect society, the commonwealth, and the infrastructure
  - Provide diligent and competent services to principals, etc.
- Auditors
- Professional codes may have legal importance

61 References
- ISC2 CBK Material
- ISC2 Official Guide
- CISSP All-in-One

