Presentation is loading. Please wait.

Presentation is loading. Please wait.

MANAGEMENT of INFORMATION SECURITY Second Edition.

Published byLynette Burke Modified over 9 years ago

Similar presentations

Presentation on theme: "MANAGEMENT of INFORMATION SECURITY Second Edition."— Presentation transcript:

1 MANAGEMENT of INFORMATION SECURITY Second Edition

2 Learning Objectives Upon completion of this chapter, you should be able to: Select from the dominant information security management models, including U.S. government sanctioned models, and customize them for your organization’s needs Implement the fundamental elements of key information security management practices Follow emerging trends in the certification and accreditation of U. S. Federal IT systems Learning Objectives Upon completion of this chapter you should be able to: Recognize the importance of information technology and understand who is responsible for protecting an organization’s information assets Know and understand the definition and key characteristics of information security Know and understand the definition and key characteristics of leadership and management Recognize the characteristics that differentiate information security management from general management Management of Information Security - Chapter 6

3 Introduction To create or maintain a secure environment, one must design a working security plan and then implement a management model to execute and maintain the plan This may begin with the creation or validation of a security framework, followed by an information security blueprint that describes existing controls and identifies other necessary security controls A framework is the outline of the more thorough blueprint, which is the basis for the design, selection, and implementation of all subsequent security controls Most organizations draw from established security models and practices to develop a blueprint or methodology Introduction To create or maintain a secure environment, one must design a working security plan and then implement a management model to execute and maintain the plan. This may begin with the creation or validation of a security framework, followed by an information security blueprint that describes existing controls and identifies other necessary security controls. A framework is the outline of the more thorough blueprint, which is the basis for the design, selection, and implementation of all subsequent security controls. To design a security blueprint, most organizations draw from established security models and practices. A security model is a generic blueprint offered by a service organization. One way to create the blueprint is to look at what other organizations have done (benchmarking). One way to select a methodology is to adapt or adopt an existing security management model or set of practices. Management of Information Security - Chapter 6

4 INFORMATION SECURITY MANAGEMENT STANDARDS / MODELS
ISO/IEC 27001 ISO/IEC 27002 NIST COBIT COSO

5 ISO/IEC 17799:2005 One of the most widely referenced and often discussed security models is Information Technology – Code of Practice for Information Security Management, which was originally published as British Standard BS 7799 The purpose is to establish “guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization” Management of Information Security, 2nd Edition

6 ISO/IEC 17799:2005 (continued) “ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities” ISO/IEC 17799:2005 replaced BS7799:1 Management of Information Security, 2nd Edition

7 Brief History of ISO/IEC 17799:2005 (MG)
2007 BS 7799 – 1 Controls ISO/IEC 17799 ISO/IEC 27002 BS 7799 – 2 Specifications / Requirements ISO/IEC 27001 Management of Information Security - Chapter 6

8 Management of Information Security - Chapter 6

9 Management of Information Security - Chapter 6

10 ISO/IEC 17799:2005 (continued) ISO/IEC 17799:2005 has 133 possible controls, not all of which must be used; part of the process is to identify which are relevant Each section includes four categories of information: One or more objectives Controls relevant to the achievement of the objectives Implementation guidance Other information Management of Information Security, 2nd Edition

11 ISO/IEC 17799:2005 (continued) Many countries, including the U.S., Germany, and Japan, have not adopted the model, claiming it is fundamentally flawed: The global InfoSec community has not defined any justification for the code of practice identified The model lacks “the necessary measurement precision of a technical standard” There is no reason to believe the model is more useful than any other approach It is not as complete as other frameworks It is perceived as being hurriedly prepared, given the tremendous impact that its adoption could have on industry information security controls Management of Information Security, 2nd Edition

12 Figure :2005 Usability Management of Information Security, 2nd Edition

13 SANS SCORE and ISO/IEC 17799 One way to determine how closely an organization is complying with ISO is to use the SANS SCORE Audit Checklist The checklist provides insight into eleven sections of ISO/IEC 17799 Management of Information Security, 2nd Edition

14 The Eleven Sections Of ISO/IEC 17799
Security Policy – focusing mainly on InfoSec policy Organization of InfoSec – for both the internal organization and external parties Asset Management – including responsibility for assets and information classification Human Resources Security – ranging from controls prior to employment, during employment, to termination or change of employment Physical and Environmental Security – including secure areas and equipment security Management of Information Security, 2nd Edition

15 The Eleven Sections Of ISO/IEC 17799 (continued)
6. Communications and Operations Management Incorporating operational procedures and responsibilities Third-party service delivery management System planning and acceptance Protection against malicious and mobile code Backup Network security management Media handling Exchange of information Electronic commerce services and monitoring Management of Information Security, 2nd Edition

16 The Eleven Sections Of ISO/IEC 17799 (continued)
7. Access Control Business requirement for access control User access management User responsibilities Network access control Operating system access control Application and information access control Mobile computing and teleworking Management of Information Security, 2nd Edition

17 The Eleven Sections Of ISO/IEC 17799 (continued)
8. Information Systems Acquisition, Development, and Maintenance Security requirements of information systems Correct processing in applications Cryptographic controls Security of system files Security in development and support processes and technical vulnerability management Management of Information Security, 2nd Edition

18 The Eleven Sections Of ISO/IEC 17799 (continued)
9. Information Security Incident Management addressing reporting InfoSec events and weaknesses and management of InfoSec incidents and improvements Business Continuity Management – InfoSec aspects of BCM Compliance With legal standards With security policies and standards Technical compliance with information systems audit considerations Management of Information Security, 2nd Edition

19 ISO/IEC 27001:2005 – The InfoSec Management System
BS7799:2 is the companion to BS7799:1, and provides implementation details using a Plan-Do-Check-Act cycle Management of Information Security, 2nd Edition

20 Management of Information Security - Chapter 6

21 Figure 6-3 BS7799:2 – Plan-Do-Check-Act
Management of Information Security - Chapter 6

22 ISO/IEC 27001:2005 – The InfoSec Management System (continued)
Plan Define the scope of the ISMS Define an ISMS policy Define the approach to risk assessment Identify the risks Assess the risks Identify and evaluate options for the treatment of risk Select control objectives and controls Prepare a Statement of Applicability(SOA) Management of Information Security, 2nd Edition

23 ISO/IEC 27001:2005 – The InfoSec Management System (continued)
Do Formulate a Risk Treatment Plan Implement the Risk Treatment Plan Implement controls Implement training and awareness programs Manage operations Manage resources Implement procedures to detect and respond to security incidents Management of Information Security, 2nd Edition

24 ISO/IEC 27001:2005 – The InfoSec Management System (continued)
Check Execute monitoring procedures Undertake regular reviews of ISMS effectiveness Review the level of residual and acceptable risk Conduct internal ISMS audits Undertake regular management review of the ISMS Record actions and events that impact an ISMS Management of Information Security, 2nd Edition

25 ISO/IEC 27001:2005 – The InfoSec Management System (continued)
Act Implement identified improvements Take corrective or preventive action Apply lessons learned Communicate results to interested parties Ensure improvements achieve objectives Management of Information Security, 2nd Edition

26 ISO/IEC 27001:2005 – The InfoSec Management System (continued)
In 2005, BS 7799:2 was updated and codified as ISO/IEC 27001:2005, and is the foundation for third-party certification Its major sections include: Introduction Scope Terms and definitions ISMS Management responsibility Management review ISMS improvement Management of Information Security, 2nd Edition

27 ISO/IEC 27001:2005 – The InfoSec Management System (continued)
Proposed use of 27001:2005 Use within organizations to formulate security requirements and objectives Use within organizations as a way to ensure that security risks are cost-effectively managed Use within organizations to ensure compliance with laws and regulations Use within organizations as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met Management of Information Security, 2nd Edition

28 ISO/IEC 27001:2005 – The InfoSec Management System (continued)
Proposed use of 27001:2005 (continued) Definition of new InfoSec management processes Identification and clarification of existing InfoSec management processes Used by the management of organizations to determine the status of InfoSec management activities Used by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives, and standards adopted by an organization Management of Information Security, 2nd Edition

29 ISO/IEC 27001:2005 – The InfoSec Management System (continued)
Proposed use of 27001:2005 (continued) Used by organizations to provide relevant information about InfoSec policies, directives, standards, and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons Implementation of business-enabling InfoSec Used by organizations to provide relevant information about InfoSec to customers Management of Information Security, 2nd Edition

30 NIST Security Models NIST documents have two notable advantages:
They are publicly available at no charge They have been available for some time and thus have been broadly reviewed by government and industry professionals SP , Computer Security Handbook SP , Generally Accepted Security Principles & Practices SP , Guide for Developing Security Plans SP , Security Self-Assessment Guide-IT Systems SP , Risk Management for Information Technology Systems NIST Security Models NIST documents have two notable advantages: 1) they are publicly available at no charge; and 2) they have been available for some time and thus have been broadly reviewed by government and industry professionals. SP , Computer Security Handbook SP , Generally Accepted Security Principles & Practices SP , Guide for Developing Security Plans SP , Security Self-Assessment Guide-IT Systems SP , Risk Management for Information Technology Systems Management of Information Security - Chapter 6

31 NIST SP 800-12 The Computer Security Handbook
Excellent reference and guide for the routine management of information security Little provided on design and implementation of new security systems; use as supplement to gain a deeper understanding of background and terminology NIST SP SP is entitled The Computer Security Handbook, and is an excellent reference and guide for the routine management of information security. It provides little guidance, however, on design and implementation of new security systems; use it as a supplement to gain a deeper understanding in the background and terminology. also lays out the NIST philosophy on security management by identifying 17 controls organized into three categories: The Management Controls section addresses security topics that can be characterized as managerial. The Operational Controls section addresses security controls that focus on controls that are, broadly speaking, implemented and executed by people (as opposed to systems). The Technical Controls section focuses on security controls that the computer system executes. Management of Information Security - Chapter 6

32 HOMEWORK: (MG) Find information on the following topics: Enron Scandal
Sarbanes Oxley (SOX) Basel Accord Management of Information Security - Chapter 6

33 Management of Information Security - Chapter 6

34 NIST SP 800-12 The Computer Security Handbook (continued)
Lays out the NIST philosophy on security management by identifying 17 controls organized into three categories: The Management Controls section addresses security topics that can be characterized as managerial The Operational Controls section addresses security controls that focus on controls that are, broadly speaking, implemented and executed by people (as opposed to systems) The Technical Controls section focuses on security controls that the computer system executes Management of Information Security - Chapter 6

35 NIST Special Publication Generally Accepted Principles and Practices for Securing Information Technology Systems Describes best practices useful in the development of a security blueprint Describes principles that should be integrated into information security processes Documents 8 points and 33 principles NIST Special Publication NIST SP800-14, subtitled Generally Accepted Principles and Practices for Securing Information Technology Systems, describes best practices and provides information on commonly accepted information security principles that can direct the security team in the development of a security blueprint. It also describes the philosophical principles that the security team should integrate into the entire information security process, expanding upon the components of SP The more significant points made in NIST SP are as follows: 1) Security Supports the Mission of the Organization. 2) Security is an Integral Element of Sound Management. 3) Security Should Be Cost-Effective 4) Systems Owners Have Security Responsibilities Outside Their Own Organizations. 5) Security Responsibilities and Accountability Should Be Made Explicit. 6) Security Requires a Comprehensive and Integrated Approach. 7) Security Should Be Periodically Reassessed. 8) Security is Constrained by Societal Factors. Principle 1. Establish a sound security policy as the “foundation” for design. Principle 2. Treat security as an integral part of the overall system design. Principle 3. Clearly delineate the physical and logical security boundaries governed by associated security policies. Principle 4. Reduce risk to an acceptable level. Principle 5. Assume that external systems are insecure. Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness. Principle 7. Implement layered security (Ensure no single point of vulnerability). Principle 8. Implement tailored system security measures to meet organizational security goals. Principle 9. Strive for simplicity. Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in response. Principle 11. Minimize the system elements to be trusted. Principle 12. Implement security through a combination of measures distributed physically and logically. Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of expected threats. Principle 14. Limit or contain vulnerabilities. Principle 15. Formulate security measures to address multiple overlapping information domains. Principle 16. Isolate public access systems from mission critical resources. Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures. Principle 18. Where possible, base security on open standards for portability and interoperability. Principle 19. Use common language in developing security requirements. Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support incident investigations. Principle 21. Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process. Principle 22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains. Principle 23. Use unique identities to ensure accountability. Principle 24. Implement least privilege. Principle 25. Do not implement unnecessary security mechanisms. Principle 26. Protect information while being processed, in transit, and in storage. Principle 27. Strive for operational ease of use. Principle 28. Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability. Principle 29. Consider custom products to achieve adequate security. Principle 30. Ensure proper security in the shutdown or disposal of a system. Principle 31. Protect against all likely classes of “attacks.” Principle 32. Identify and prevent common errors and vulnerabilities. Principle 33. Ensure that developers are trained in how to develop secure software. Management of Information Security - Chapter 6

36 Management of Information Security - Chapter 6

37 NIST Special Publication 800-14 Key Points
The more significant points made in NIST SP are: Security supports the mission of the organization Security is an integral element of sound management Security should be cost-effective Systems owners have security responsibilities outside their own organizations Security responsibilities and accountability should be made explicit Security requires a comprehensive and integrated approach Security should be periodically reassessed Security is constrained by societal factors Management of Information Security - Chapter 6

38 NIST Special Publication 800-14 Principles
Principle 1. Establish a sound security policy as the “foundation” for design Principle 2. Treat security as an integral part of the overall system design Principle 3. Clearly delineate the physical and logical security boundaries governed by associated security policies Principle 4. Reduce risk to an acceptable level Principle 5. Assume that external systems are insecure Management of Information Security, 2nd Edition

39 NIST Special Publication 800-14 Principles (continued)
Principle 6. Identify potential trade-offs between reducing risk and increased costs and decreases in other aspects of operational effectiveness Principle 7. Implement layered security (Ensure no single point of vulnerability) Principle 8. Implement tailored system security measures to meet organizational security goals Principle 9. Strive for simplicity Management of Information Security - Chapter 6

40 NIST Special Publication 800-14 Principles (continued)
Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in response Principle 11. Minimize the system elements to be trusted Principle 12. Implement security through a combination of measures distributed physically and logically Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of expected threats Principle 14. Limit or contain vulnerabilities Management of Information Security, 2nd Edition

41 NIST Special Publication 800-14 Principles (continued)
Principle 15. Formulate security measures to address multiple overlapping information domains Principle 16. Isolate public access systems from mission critical resources Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures Principle 18. Where possible, base security on open standards for portability and interoperability Principle 19. Use common language in developing security requirements Management of Information Security - Chapter 6

42 NIST Special Publication 800-14 Principles (continued)
Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support incident investigations Principle 21. Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process Principle 22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains Management of Information Security - Chapter 6

43 NIST Special Publication 800-14 Principles (continued)
Principle 23. Use unique identities to ensure accountability Principle 24. Implement least privilege Principle 25. Do not implement unnecessary security mechanisms Principle 26. Protect information while being processed, in transit, and in storage Principle 27. Strive for operational ease of use Principle 28. Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability Management of Information Security, 2nd Edition

44 NIST Special Publication 800-14 Principles (continued)
Principle 29. Consider custom products to achieve adequate security Principle 30. Ensure proper security in the shutdown or disposal of a system Principle 31. Protect against all likely classes of “attacks” Principle 32. Identify and prevent common errors and vulnerabilities Principle 33. Ensure that developers are trained in how to develop secure software Management of Information Security, 2nd Edition

45 NIST Special Publication A Guide for Developing Security Plans for Information Technology Systems Provides detailed methods for assessing, designing, and implementing controls and plans for various-sized applications Serves as a guide for the activities described in this chapter, and for the overall information security planning process It includes templates for major application security plans NIST Special Publication NIST SP A Guide for Developing Security Plans for Information Technology Systems, provides detailed methods for assessing, designing, and implementing controls and plans for various sized applications. SP serves as a guide for the activities described in this chapter, and for the overall information security planning process. It includes templates for major application security plans. Management of Information Security - Chapter 6

46 Management of Information Security - Chapter 6

47 NIST Special Publication 800-26 17 Areas Defining the core of the NIST Security Management Structure
Management Controls Risk Management Review of Security Controls Life Cycle Maintenance Authorization of Processing (Certification and Accreditation) System Security Plan Operational Controls Personnel Security Physical Security Production, Input/Output Controls Contingency Planning Hardware and Systems Software Data Integrity Documentation Security Awareness, Training, and Education Incident Response Capability Technical Controls Identification and Authentication Logical Access Controls Audit Trails NIST Special Publication Management Controls 1. Risk Management 2. Review of Security Controls 3. Life Cycle Maintenance 4. Authorization of Processing (Certification and Accreditation) 5. System Security Plan Operational Controls 6. Personnel Security 7. Physical Security 8. Production, Input/Output Controls 9. Contingency Planning 10. Hardware and Systems Software 11. Data Integrity 12. Documentation 13. Security Awareness, Training, and Education 14. Incident Response Capability Technical Controls 15. Identification and Authentication 16. Logical Access Controls 17. Audit Trails These 17 areas are the core of the NIST security management structure. Management of Information Security - Chapter 6

48 NIST Special Publication 800-30 Risk Management Guide for Information Technology Systems
Provides a foundation for the development of an effective risk management program Contains both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems Strives to enable organizations to better manage IT-related risks NIST Special Publication NIST SP Risk Management Guide for Information Technology Systems provides a foundation for the development of an effective risk management program, containing both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations to better manage IT-related mission risks. Management of Information Security - Chapter 6

49 Management of Information Security - Chapter 6

50 RFC 2196 Site Security Handbook
The Security Area Working Group within the IETF has created RFC 2196, the Site Security Handbook that provides a functional discussion of important security issues along with development and implementation details Covers security policies, security technical architecture, security services, and security incident handling Also includes discussion of the importance of security policies, and expands into an examination of services, access controls, and other relevant areas RFC 2196 Site Security Handbook The Security Area Working Group within the IETF has created RFC 2196. The Security Area Working Group acts as an advisory board for the protocols and areas developed and promoted through the Internet Society. RFC 2196: Site Security Handbook does provide a good functional discussion of important security issues and provides an overview of five basic areas of security, along with development and implementation details. There are chapters on such important topics as security policies, security technical architecture, security services, and security incident handling. The architecture chapter begins with a discussion of the importance of security policies, and expands into an examination of services, access controls, and other relevant areas. Management of Information Security - Chapter 6

51 Control Objectives for Information and related Technology (COBIT)
Control Objectives for Information and related Technology (COBIT) also provides advice about the implementation of sound controls and control objectives for InfoSec COBIT was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992 Management of Information Security, 2nd Edition

52 Control Objectives for Information and related Technology (COBIT) (continued)
COBIT presents 34 high-level objectives that cover 215 control objectives; these objectives are categorized into four domains: Plan and organize Acquire and implement Deliver and support Monitor and evaluate Management of Information Security, 2nd Edition

53 These COBIT characteristics emphasise the basic principle of the COBIT framework which is that IT resources are managed by IT processes to achieve IT goals that respond to business requirements. (IT Governance Institute, 2007) Management of Information Security - Chapter 6

54 (IT Governance Institute, 2007)
Management of Information Security - Chapter 6

55 Control Objectives for Information and related Technology (COBIT) (continued)
Plan and organize Makes recommendations for achieving organizational goals and objectives through the use of IT Ten controlling objectives (PO1 – PO10) Acquire and implement Focuses on specification of requirements Acquisition of needed components Integration of these components into the organization’s systems Examines ongoing maintenance and change requirements Seven controlling objectives (AI1 – AI7) Management of Information Security, 2nd Edition

56 Control Objectives for Information and related Technology (COBIT) (continued)
Delivery and support Focuses on the functionality of the system and its use to the end user Examines systems applications, including input, processing, and output components Examines processes for efficiency and effectiveness of operations 13 high-level controlling objectives (DS1 – DS13) Management of Information Security, 2nd Edition

57 Control Objectives for Information and related Technology (COBIT) (continued)
Monitor and evaluate Seeks to examine the alignment between IT systems usage and organizational strategy Identifies the regulatory requirements for which controls are needed Monitors the effectiveness and efficiency of IT systems against the organizational control processes in the delivery and support domain Four high-level controlling objectives (ME1 – ME4) Management of Information Security, 2nd Edition

58 Committee of Sponsoring Organizations of the Treadway Commission (COSO)
COSO is a U.S. private-sector initiative formed in 1985 Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence COSO has established a common definition of internal controls, standards and criteria, and helps organizations comply with critical regulations like Sarbanes-Oxley Management of Information Security, 2nd Edition

59 Committee of Sponsoring Organizations of the Treadway Commission (COSO) (continued)
COSO is built on five interrelated components: Control environment Risk assessment Control activities Information and communication Monitoring Management of Information Security, 2nd Edition

60 SECURITY MANAGEMENT PRACTICES

61 Security Management Practices
In information security, two categories of benchmarks are used Standards of due care/due diligence Best practices Best practices include a subcategory of practices—called the gold standard—that are general regarded as “the best of the best” Security Management Practices In information security, two categories of benchmarks are used: standards of due care/due diligence, and best practices. Best practices include a sub-category of practices—called the gold standard—that are general regarded as “the best of the best.” Management of Information Security - Chapter 6

62 Standards of Due Care/Due Diligence
When organizations adopt minimum levels of security for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances; this is known as a standard of due care Implementing controls at this minimum standard, and maintaining them, demonstrates that an organization has performed due diligence Standards of Due Care/Due Diligence When organizations adopt minimum levels of security for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances; this is known as a standard of due care. Implementing controls at this minimum standard, and maintaining them, demonstrates that an organization has performed due diligence. Due diligence requires that an organization ensure that the implemented standards continue to provide the required level of protection. Failure to support a standard of due care or due diligence can expose an organization to legal liability, provided it can be shown that the organization was negligent in its application or lack of application of information protection. Management of Information Security - Chapter 6

63 Standards of Due Care/Due Diligence (continued)
Due diligence requires that an organization ensure that the implemented standards continue to provide the required level of protection Failure to support a standard of due care or due diligence can expose an organization to legal liability, provided it can be shown that the organization was negligent in its application or lack of application of information protection Management of Information Security - Chapter 6

64 Best Security Practices
Security efforts that seek to provide a superior level of performance in the protection of information are referred to as best business practices or simply best practices Some organizations refer to these as recommended practices Security efforts that are among the best in the industry are referred to as best security practices Best Security Practices Security efforts that seek to provide a superior level of performance in the protection of information are referred to as best business practices or simply best practices. Some organizations refer to these as recommended practices. Security efforts that are among the best in the industry are referred to as best security practices These practices balance the need for information access with the need for adequate protection. Best practices seek to provide as much security as possible for information and information systems while demonstrating fiscal responsibility and ensuring information access. Companies with best practices may not be the best in every area; they may only have established an extremely high quality or successful security effort in one area. Management of Information Security - Chapter 6

65 Best Security Practices (continued)
These practices balance the need for information access with the need for adequate protection; best practices seek to provide as much security as possible for information and information systems, while demonstrating fiscal responsibility and ensuring information access Companies with best practices may not be the best in every area; they may only have established an extremely high quality or successful security effort in one area Management of Information Security - Chapter 6

66 The Gold Standard Best business practices are not sufficient for organizations that prefer to set the standard by implementing the most protective, supportive, and yet fiscally responsible standards they can They strive toward the gold standard, a model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information The implementation of gold standard security requires a great deal of support, both in financial and personnel resources The Gold Standard Best business practices are not sufficient for organizations that prefer to set the standard by implementing the most protective, supportive, and yet fiscally responsible standards they can. They strive toward the gold standard, a model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information. The implementation of gold standard security requires a great deal of support, both in financial and personnel resources. Management of Information Security - Chapter 6

67 Selecting Best Practices
Choosing which recommended practices to implement can pose a challenge for some organizations In industries that are regulated by governmental agencies, government guidelines are often requirements For other organizations, government guidelines are excellent sources of information and can inform their selection of best practices Selecting Best Practices Choosing which recommended practices to implement can pose a challenge for some organizations. In industries that are regulated by governmental agencies, government guidelines are often requirements. For other organizations, government guidelines are excellent sources of information about what other organizations are required to do to control information security risks, and can inform their selection of best practices. When considering best practices for your organization, consider the following: Does your organization resemble the identified target organization of the best practice? Are you in a similar industry as the target? Do you face similar challenges as the target? Is your organizational structure similar to the target? Are the resources you can expend similar to those called for by the best practice? Are you in a similar threat environment as the one assumed by the best practice? Management of Information Security - Chapter 6

68 Selecting Best Practices (continued)
When considering best practices for your organization, consider the following: Does your organization resemble the identified target organization of the best practice? Are you in a similar industry as the target? Do you face similar challenges as the target? Is your organizational structure similar to the target? Are the resources you can expend similar to those called for by the best practice? Are you in a similar threat environment as the one assumed by the best practice? Management of Information Security - Chapter 6

69 Best Practices Microsoft has published a set of best practices in security at its Web site: Use antivirus software Use strong passwords Verify your software security settings Update product security Build personal firewalls Back up early and often Protect against power surges and loss Best Practices Microsoft has published a set of best practices in security at its Web site: Use antivirus software Use strong passwords Verify your software security settings Update product security Build personal firewalls Back up early and often Protect against power surges and loss Management of Information Security - Chapter 6

70 Benchmarking and Best Practices Limitations
The biggest problem with benchmarking in information security is that organizations don’t talk to each other; a successful attack is viewed as an organizational failure, and is kept secret, insofar as possible However, more and more security administrators are joining professional associations and societies like ISSA and sharing their stories and lessons learned An alternative to this direct dialogue is the publication of lessons learned Benchmarking and Best Practices Limitations The biggest problem with benchmarking in information security is that organizations don’t talk to each other; a successful attack is viewed as an organizational failure, and is kept secret, insofar as possible. However, more and more security administrators are joining professional associations and societies like ISSA and sharing their stories and lessons learned. An alternative to this direct dialogue is the publication of lessons learned. Management of Information Security - Chapter 6

71 Baselining A baseline is a “value or profile of a performance metric against which changes in the performance metric can be usefully compared” Baselining is the process of measuring against established standards In InfoSec, baselining is the comparison of security activities and events against the organization’s future performance Baselining can provide the foundation for internal benchmarking, as information gathered for an organization’s first risk assessment becomes the baseline for future comparisons Baselining A baseline is a “value or profile of a performance metric against which changes in the performance metric can be usefully compared.” Baselining is the process of measuring against established standards. In InfoSec, baselining is the comparison of security activities and events against the organization’s future performance. Baselining can provide the foundation for internal benchmarking, as information gathered for an organization’s first risk assessment becomes the baseline for future comparisons. The Gartner group offers twelve questions as a self assessment for best security practices. People: 1) “Do you perform background checks on all employees with access to sensitive data, areas, or access points? 2) “Would the average employee recognize a security issue? 3) “Would they choose to report it? 4) “Would they know how to report it to the right people? Processes: 5) “Are enterprise security policies updated on at least an annual basis, employees educated on changes, and consistently enforced? 6) “Does your enterprise follow a patch/update management and evaluation process to prioritize and mediate new security vulnerabilities? 7) “Are the user accounts of former employees immediately removed on termination? 8) “Are security group representatives involved in all stages of the project life cycle for new projects? Technology: 9) “Is every possible route to the Internet protected by a properly configured firewall? 10) “Is sensitive data on laptops and remote systems encrypted? 11) “Do you regularly scan your systems and networks, using a vulnerability analysis tool, for security exposures? 12) “Are malicious software scanning tools deployed on all workstations and servers?” Management of Information Security - Chapter 6

72 Baselining Example The Gartner group offers twelve questions as a self assessment for best security practices People: Do you perform background checks on all employees with access to sensitive data, areas, or access points? Would the average employee recognize a security issue? Would they choose to report it? Would they know how to report it to the right people? Baselining A baseline is a “value or profile of a performance metric against which changes in the performance metric can be usefully compared.” Baselining is the process of measuring against established standards. In InfoSec, baselining is the comparison of security activities and events against the organization’s future performance. Baselining can provide the foundation for internal benchmarking, as information gathered for an organization’s first risk assessment becomes the baseline for future comparisons. The Gartner group offers twelve questions as a self assessment for best security practices. People: 1) “Do you perform background checks on all employees with access to sensitive data, areas, or access points? 2) “Would the average employee recognize a security issue? 3) “Would they choose to report it? 4) “Would they know how to report it to the right people? Processes: 5) “Are enterprise security policies updated on at least an annual basis, employees educated on changes, and consistently enforced? 6) “Does your enterprise follow a patch/update management and evaluation process to prioritize and mediate new security vulnerabilities? 7) “Are the user accounts of former employees immediately removed on termination? 8) “Are security group representatives involved in all stages of the project life cycle for new projects? Technology: 9) “Is every possible route to the Internet protected by a properly configured firewall? 10) “Is sensitive data on laptops and remote systems encrypted? 11) “Do you regularly scan your systems and networks, using a vulnerability analysis tool, for security exposures? 12) “Are malicious software scanning tools deployed on all workstations and servers?” Management of Information Security - Chapter 6

73 Baselining Example (continued)
Processes Are enterprise security policies updated on at least an annual basis, employees educated on changes, and policies consistently enforced? Does your enterprise follow a patch/update management and evaluation process to prioritize and mediate new security vulnerabilities? Are the user accounts of former employees immediately removed on termination? Are security group representatives involved in all stages of the project life cycle for new projects? Management of Information Security - Chapter 6

74 Baselining Example (continued)
Technology Is every possible route to the Internet protected by a properly configured firewall? Is sensitive data on laptops and remote systems encrypted? Do you regularly scan your systems and networks, using a vulnerability analysis tool, for security exposures? Are malicious software scanning tools deployed on all workstations and servers? Management of Information Security - Chapter 6

75 Metrics in InfoSec Management
When an organization applies statistical and quantitative approaches of mathematical analysis to the process of measuring the activities and outcomes of the InfoSec program, it is using InfoSec metrics InfoSec metrics enable organizations to measure the level of effort required to meet the stated objectives of the InfoSec program Management of Information Security, 2nd Edition

76 Metrics in InfoSec Management (continued)
Specifying InfoSec metrics requires the assessment and quantification of what will be measured Collecting InfoSec metrics is daunting to some organizations, and requires thoughtful consideration of the intent of the metric, along with a thorough knowledge of how production services are delivered Management of Information Security, 2nd Edition

77 Metrics in InfoSec Management (continued)
Interpreting InfoSec metrics requires both raw data as well as the context Decisions also need to be made regarding presentation of correlated metrics, as well as color use to denote specific results Disseminating InfoSec metrics requires the CISO to consider who gets them, as well as method of delivery Management of Information Security, 2nd Edition

78 CERTIFICATION & ACCREDITATION

79 Emerging Trends In Certification and Accreditation
In security management, accreditation is the authorization of an IT system to process, store, or transmit information It is issued by a management official and serves as a means of assuring that systems are of adequate quality It also challenges managers and technical staff to find the best methods to assure security, given technical constraints, operational constraints, and mission requirements Management of Information Security, 2nd Edition

80 Emerging Trends In Certification and Accreditation (continued)
Certification is “the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements” Organizations pursue accreditation or certification to gain a competitive advantage, or to provide assurance or confidence to customers Management of Information Security, 2nd Edition

81 SP 800-37 Guidelines for Security C & A of Federal IT Systems
Develops standard guidelines and procedures for certifying and accrediting federal IT systems including the critical infrastructure of the United States Defines essential minimum security controls for federal IT systems Promotes the development of public and private sector assessment organizations and certification of individuals capable of providing cost effective, high-quality security certifications based on standard guidelines and procedures SP Guidelines for the Security Certification and Accreditation of Federal IT systems. NIST promotes a new System Certification and Accreditation Project designed to: Develop standard guidelines and procedures for certifying and accrediting federal IT systems including the critical infrastructure of the United States Define essential minimum security controls for federal IT systems Promote the development of public and private sector assessment organizations and certification of individuals capable of providing cost effective, high quality, security certifications based on standard guidelines and procedures The specific benefits of the security certification and accreditation (C&A) initiative include: More consistent, comparable, and repeatable certifications of IT systems More complete, reliable, information for authorizing officials—leading to better understanding of complex IT systems and associated risks and vulnerabilities—and therefore, more informed decisions by management officials Greater availability of competent security evaluation and assessment services More secure IT systems within the federal government” This project is also designed to promote development of: A standardized process for certifying and accrediting Federal information systems including the critical infrastructure of the United States Minimum security controls for Federal information and IS supporting confidentiality, integrity, and availability Techniques and procedures for verifying the effectiveness of security controls for Federal IS Robust, automated tools supporting the certification and accreditation process Public and private sector assessment organizations capable of providing cost effective, high quality, certification services focuses on a three-step security controls selection process: Step 1: Characterize The System Step 2: Select The Appropriate Minimum Security Controls For The System Step 3: Adjust Security Controls Based On System Exposure And Risk Decision Management of Information Security - Chapter 6

82 SP 800-37 Guidelines for Security C & A of Federal IT Systems (continued)
The specific benefits of the security certification and accreditation (C&A) initiative include: More consistent, comparable, and repeatable certifications of IT systems More complete, reliable, information for authorizing officials—leading to better understanding of complex IT systems and associated risks and vulnerabilities—and therefore, more informed decisions by management officials Greater availability of competent security evaluation and assessment services More secure IT systems within the federal government Management of Information Security - Chapter 6

83 Figure 6-4 Special Publications Supporting SP 800-37
Management of Information Security - Chapter 6

84 SP 800-37 Guidelines for Security C & A of Federal IT Systems (continued)
focuses on a three-step security controls selection process Step 1: Characterize the system Step 2: Select the appropriate minimum security controls for the system Step 3: Adjust security controls based on system exposure and risk decision SP Guidelines for the Security Certification and Accreditation of Federal IT systems. NIST promotes a new System Certification and Accreditation Project designed to: Develop standard guidelines and procedures for certifying and accrediting federal IT systems including the critical infrastructure of the United States Define essential minimum security controls for federal IT systems Promote the development of public and private sector assessment organizations and certification of individuals capable of providing cost effective, high quality, security certifications based on standard guidelines and procedures The specific benefits of the security certification and accreditation (C&A) initiative include: More consistent, comparable, and repeatable certifications of IT systems More complete, reliable, information for authorizing officials—leading to better understanding of complex IT systems and associated risks and vulnerabilities—and therefore, more informed decisions by management officials Greater availability of competent security evaluation and assessment services More secure IT systems within the federal government” This project is also designed to promote development of: A standardized process for certifying and accrediting Federal information systems including the critical infrastructure of the United States Minimum security controls for Federal information and IS supporting confidentiality, integrity, and availability Techniques and procedures for verifying the effectiveness of security controls for Federal IS Robust, automated tools supporting the certification and accreditation process Public and private sector assessment organizations capable of providing cost effective, high quality, certification services focuses on a three-step security controls selection process: Step 1: Characterize The System Step 2: Select The Appropriate Minimum Security Controls For The System Step 3: Adjust Security Controls Based On System Exposure And Risk Decision Management of Information Security - Chapter 6

85 Planned Federal System Certifications
Systems are to be certified to one of three levels Security Certification Level 1 - The entry-level certification appropriate for low priority (concern) systems Security Certification Level 2 - The mid-level certification appropriate for moderate priority (concern) systems Security Certification Level 3 - The top-level certification appropriate for high priority (concern) systems Management of Information Security - Chapter 6

86 SP 800-53: Minimum Security Controls for Federal IT Systems
SP is part two of the Certification and Accreditation project Its purpose is to establish a set of standardized, minimum security controls for IT systems addressing low, moderate, and high levels of concern for confidentiality, integrity, and availability Controls are broken into the three familiar general classes of security controls: management, operational, and technical SP Minimum Security Controls for Federal IT Systems SP is part two of the Certification and Accreditation project. Its purpose is to “establish a set of standardized, minimum security controls for IT systems addressing low, moderate, and high levels of concern for confidentiality, integrity, and availability.” As in earlier NIST documents, especially SP , security controls are broken into the three familiar general classes of security controls - management, operational, and technical. New to the certification and accreditation criteria is the concept of critical elements, initially defined in SP Critical elements represent “important security-related focus areas for the system with each critical element addressed by one or more security controls.” As technology evolves so will the set of security controls, requiring additional control mechanisms. Management of Information Security - Chapter 6

87 SP 800-53: Minimum Security Controls for Federal IT Systems (continued)
Critical elements represent important security-related focus areas for the system, with each critical element addressed by one or more security controls As technology evolves, so will the set of security controls, requiring additional control mechanisms Management of Information Security - Chapter 6

88 Figure 6-5 Participants in the C&A Process
Management of Information Security - Chapter 6

89 Summary Introduction Security Management Models
Security Management Practices Emerging Trends in Certification and Accreditation Management of Information Security - Chapter 6

Download ppt "MANAGEMENT of INFORMATION SECURITY Second Edition."

Similar presentations

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.

Information Privacy and Data Protection Lexpert Seminar David YoungDecember 9, 2013 Breach Prevention – Due Diligence and Risk Reduction.
Software Quality Assurance Plan

Software Quality Assurance Plan
Chapter 10 Accounting Information Systems and Internal Controls

Chapter 10 Accounting Information Systems and Internal Controls
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.

ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
TEL2813/IS2820 Security Management

TEL2813/IS2820 Security Management
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.

© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
Management of Information Security Chapter 06 Security Management Models And Practices Security can only be achieved through constant change, through.

Management of Information Security Chapter 06 Security Management Models And Practices Security can only be achieved through constant change, through.
Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.

Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.
Security Management Practices

Security Management Practices
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.
Risk Assessment Frameworks

Risk Assessment Frameworks
Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice.

Chapter 8 Information Systems Controls for System Reliability— Part 1: Information Security Copyright © 2012 Pearson Education, Inc. publishing as Prentice.
Purpose of the Standards

Purpose of the Standards
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Information Systems Controls for System Reliability -Information Security-

Information Systems Controls for System Reliability -Information Security-

Similar presentations

Ads by Google