Information Assurance for the Enterprise: A Roadmap to Information Security, by Schou and Shoemaker
Chapter 3: Security Policy
McGraw-Hill/Irwin. Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved.
3-2 Objectives
- Define information assets, risks, and countermeasures
- Structure a synergistic information assurance solution
- Identify the role of policy in the information assurance process
- Design a functional information assurance and security management system
3-3 Protection of Information
- Ensuring protection of information is difficult
- Weak points are in the areas of policy and process, rather than technology
- Breakdowns in security are likely to occur because of failure to:
  - Understand the problem
  - Set proper goals
  - Follow correct procedure
3-4 Protection of Information
- Findings of the Government Accountability Office (GAO) reveal the lack of:
  - Risk-based information assurance plans
  - Documentation of information assurance policies
  - Programs for evaluating the effectiveness of controls
  - Application development and change controls
  - Implementation and software product usage controls
  - Adequate knowledge of information assurance controls
3-5 Definitions
- Assets – anything a person or organization owns that is valuable
  - Tangible assets
  - Intangible assets
- Risk – likelihood that a particular threat will produce a harmful effect
  - Assessed in terms of impact and probability of occurrence
  - Increases or decreases based on the number of vulnerabilities present
3-6 Definitions
- Countermeasures – set of actions to prevent or slow an impending attack from threats
- Information assurance process – thinking through and responding with the right set of countermeasures
- Other definitions include:
  - Threats – any event that can have an undesirable effect on the condition of an asset
  - Vulnerabilities – flaws or weak points in a protection scheme
  - When a threat can exploit a vulnerability, the vulnerability becomes a weakness
3-7 Characteristics: Information Assurance Process
- Supports three common characteristics:
  - Availability – ensures that information is provided to users when it is required
  - Integrity – centers on the qualities of authenticity, accuracy, and completeness
  - Confidentiality – need to restrict access to information or data
- From a system point of view, confidentiality is the assurance that access controls are enforced
3-8 Establishing Information Assurance Process
- Organizing an appropriate set of countermeasures into a seamless and effective response profile
- Requires integrating a range of elements into a working solution
- Ensuring coordination: integrating functions
  - Solutions encompass measures from a diverse range of disciplines
  - Each discipline contributes elements that will be part of the eventual response
3-9 Establishing Information Assurance Process
- Creating the assurance process – role of design
  - Effective programs demand integrated business and technological processes
  - Must be designed deliberately and deployed through a strategic planning activity
  - Solutions must be composed of an integrated set of responses, embedded in day-to-day operation and invisible to end users
- Security infrastructure – making the process systematic
  - Combined set of policies, roles and responsibilities, and accountabilities for a given organization
- Planning – formalizing the assurance process
  - Turns abstract policies into concrete actions
3-10 Policy and Information Assurance
- Integration of diverse components is guided by information assurance policies
- Policies are a shared understanding of the process to be followed
  - They must be uniform to ensure seamlessness
  - They coordinate work across the organization
  - They establish the critical path to assurance
  - They are defined based on a standard
3-11 Policy and Information Assurance
- In information assurance, policies support five common aims:
  - Prevention – security from internal and external penetration, and prevention of undesirable occurrences
  - Detection – reaction to the nature, existence, presence, or fact of a penetration
  - Containment – protection of sensitive data
  - Deterrence – policies, procedures, and actions designed to discourage penetration
  - Recovery – restoration after a failure or penetration
3-12 Policy and Information Assurance
- Three different types of policies are associated with specific types of decision making
3-13 Policy and Information Assurance
- To create awareness, the definition process should include:
  - Definition of information as an organizational asset
  - Identification and evaluation of the sensitivity of systems and data
  - Creation of plans to ensure security and control of each identified system
  - Development and implementation of training programs, to enable and enforce the understanding and use of proper information assurance measures
3-14 Relationship: Policy and Assurance Process
- A formal information assurance planning exercise is essential to the development of a tailored, organization-wide assurance scheme
3-15 General Requirements for the Information Assurance Process
- Information integrity, confidentiality, availability, authentication, and nonrepudiation
- Relevant needs represented in the solution
- Responsibility for performing functions assigned and understood explicitly
- Accountability and enforcement
- Regular and systematic assessments
- Participants should understand the importance
- Continuity of operation
- Conformity to legal requirements
- Proportionate expense
- Ethical use of information
3-16 General Requirements for the Information Assurance Process
- Functional elements of the comprehensive long-range information assurance planning process
3-17 Developing an Assurance Plan
- A formal representation of how the organization intends to address its policy requirements
- Characteristics of a strategic plan:
  - Complete
  - Correct
  - Understandable
  - Unambiguous
  - Traceable
- The strategic plan should provide a description of the evaluation of the system
  - Ensures that the operation of the system meets the goals defined by the plan
3-18 Designing a Functional Information Security System
- The outcome of the planning process is a formal Information Security Management System
- “ISMS” describes a comprehensive set of discrete management controls arrayed into an operational solution
3-19 Designing a Functional Information Security System
- Development of an ISMS must originate with senior management
3-20 Defining the Information Assurance Boundaries
- Information assurance boundaries – based on the concept of perimeters
- Information assurance perimeter – the outer boundary of the space to be secured
- First step: establish the perimeter of the ISMS
  - Complicated by the feasibility factor
    - The likelihood that a task or purpose can be accomplished
    - Based on whether the perimeter selected assures all priority assets and fits within the available resources and capabilities of the organization
3-21 Defining the Information Assurance Boundaries
- Assess the effects of threats against the financial and staff resources
- Factors include answers to questions such as:
  - What is the level of criticality for each of the information assets that falls within the scope of the system?
  - What is the degree of assurance required for each?
  - What are the effects of identifiable threats?
  - How accessible is the data?
  - How complex and critical is the system?
3-22 Defining the Information Assurance Boundaries
- Decision process that underlies setting the boundaries for the ISMS based on the value of the asset
3-23 Building the Information Assurance Boundaries
- Specifies rules for the behaviors needed to counteract threats to the information assets
- Fundamental activities that should be recognizable include:
  - Top-down understanding and refinement
  - Progressive (or iterative) enhancement
  - Optimization based on feasibility
  - Continuous control
  - Measurement and assessment
3-24 Building the Information Assurance Boundaries
- Identification of realistic threats
3-25 Building the Information Assurance Boundaries
- Optimum set of controls
- Step 1: Organizational setup
  - Launches the process; an awareness exercise
  - Requires total up-front commitment from all involved
- Step 2: Asset identification and baselining
  - The form of the asset must be known and categorized
  - The aggregate set of secured assets is termed a baseline
- Step 3: Risk analysis
  - Evaluates the damage that might occur and analyzes and categorizes the acceptable options
3-26 Building the Information Assurance Boundaries
- Step 4: Asset valuation
  - What is the level of criticality of each particular information asset in the asset baseline?
  - What is the specific degree of resource commitment required to assure it?
- Step 5: Selection of a control set
  - Involves the specification, design, scheduling, and installation of a working control set
  - Information and associated controls must be directly traceable to each other
3-27 Building the Information Assurance Boundaries
- Step 6: Operational testing
  - Validation takes place after the deployment of the system
  - Employs the assumptions developed in the risk analysis
3-28 Building the Information Assurance Boundaries
- Step 7: Finalization of the baseline
  - Aggregate controls are finalized into the released version of the security system
  - The baseline that represents the operational form of the information assurance system is maintained under strict configuration management
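As an added illustration (not from the textbook or these slides), a small Python model of Steps 2 through 7: a constructed asset baseline, a risk score per asset built from criticality, threat probability and vulnerability count, a traceability check between assets and controls, and a hash of the finalized baseline so configuration management can detect drift. The scoring formula, the 1-to-5 criticality scale and the sample assets and controls are assumptions made for the example.

```python
import hashlib
import json
from dataclasses import asdict, dataclass, field

@dataclass
class Asset:
    name: str
    criticality: int  # Step 4 valuation: assumed scale 1 (low) .. 5 (high)
    vulnerabilities: int  # known, unmitigated weak points in the protection scheme
    threats: dict = field(default_factory=dict)  # threat name -> probability 0..1

def risk_score(asset: Asset) -> float:
    """Step 3: impact x probability of the worst threat, scaled up by the
    number of vulnerabilities present (assumed scoring formula)."""
    worst = max(asset.threats.values(), default=0.0)
    return round(asset.criticality * worst * (1 + asset.vulnerabilities), 2)

def check_traceability(assets, controls):
    """Step 5: every asset needs a control and every control must point at a
    baseline asset. Returns (uncovered asset names, dangling control refs)."""
    names = {a.name for a in assets}
    covered = {n for c in controls for n in c["assets"]}
    return sorted(names - covered), sorted(covered - names)

def finalize_baseline(assets, controls) -> str:
    """Step 7: SHA-256 of the canonical baseline so configuration management
    can detect drift from the released version (independent of list order)."""
    doc = {"assets": sorted((asdict(a) for a in assets), key=lambda d: d["name"]),
           "controls": sorted(controls, key=lambda c: c["id"])}
    blob = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

# Constructed sample baseline (Step 2) and control set (Step 5).
ASSETS = [
    Asset("customer-db", 5, 2, {"sql-injection": 0.3, "insider": 0.1}),
    Asset("public-web", 3, 1, {"defacement": 0.5}),
    Asset("hr-files", 4, 0, {"insider": 0.2}),
]
CONTROLS = [
    {"id": "C1", "name": "input validation", "assets": ["customer-db", "public-web"]},
    {"id": "C2", "name": "offline backup", "assets": ["customer-db", "archive"]},
]

if __name__ == "__main__":
    for a in sorted(ASSETS, key=risk_score, reverse=True):
        print(f"{a.name:12} risk={risk_score(a)}")
    print("uncovered, dangling:", check_traceability(ASSETS, CONTROLS))
    print("baseline sha256:", finalize_baseline(ASSETS, CONTROLS))
```

On the sample data the traceability check reports hr-files as an asset with no control and archive as a control reference to an asset outside the baseline, which is exactly the kind of gap Step 5's traceability requirement is meant to surface before the baseline is finalized.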
3-29 Maintaining Information Assurance Over Time
- Ensures that the information assurance system continues to be appropriate to the environment
- A disciplined and systematic process is used to guarantee that the protection will be maintained
- A continuous process based on continuous feedback from operations
3-30 Handling Expectations
- Information assurance operates under process entropy, which causes well-defined processes to eventually fall apart
- Exception processes – rapid response agents who respond to new or unexpected incidents
- Attributes of countermeasures:
  - Timely – ensure effective remediation
  - Responsive – evolved directly from the threat
  - Disciplined – structured and followed systematically
  - Usable – involves all types of users in the solution
3-31 Essential Role of Accountability in Maintaining Assurance
- Accountability – mechanism that enables the internal control function
- Tasks to be executed to ensure accountability:
  - Establish a direct link between identified risks and accountable parties
  - Ensure that accountable parties understand their duties
  - Ensure that accountable parties have accepted their responsibilities
  - Ensure that accountable parties are capable of responding to incidents
- Enforcement should be tailored to the information assurance policies
3-32 Communicating Organization and Technical Direction
- Success of the information assurance process rests on effective communication
- Participants must understand the rules of behavior
- Information assurance schemes are complex and subject to change
- Behavior must be attuned to the situation
3-33 Ensuring Organizational Awareness
- To ensure organizational awareness:
  - All applicable policy, procedure goals, and nuances of operation must be communicated
  - The communication process must be formally structured and carefully managed
- Participants should understand the reasons for adequate protection
  - Ensured by an awareness or “buy-in” program prior to establishing the system
3-34 Enforcing Discipline
- Activities need to be performed on a disciplined basis and in a repeatable way
- Consistent performance – essential to success
- Effective control relies on the ability to:
  - Supervise and enforce individual and group behavior
  - Monitor employee performance
  - Invoke the willingness and ability of individuals to follow procedure continuously on a daily basis
3-35 Review Process
- Management review
  - Evaluates the performance of individuals and the execution of the process
  - Supports decisions about boundary settings, corrective actions, and allocation of resources
  - Identifies and reports variations from the plan and/or the defined procedures and presents evidence
  - Informs supervisory personnel and staff about a failure to perform properly
  - Involves the participation of the individual who has been assigned accountability for the process
3-36 Review Process
- Technical reviews
  - Focus on items related to the performance of technology against requirements
  - Technical components include hardware, software, and documentation
  - Entail questions such as:
    - Proper implementation
    - Performance conformity to specifications
    - Purpose achievement
  - Support technical and management personnel with direct responsibility
  - Discover and report vulnerabilities that affect performance
3-37 Formal versus Informal Review
- Inspections – considerable analysis is conducted prior to the generation of findings
- Walkthroughs – findings are reported with the action items as general recommendations
- Audits ensure trust in the process of walkthroughs
  - Identify emerging problems
  - Offer independent certification of conformance
  - List applicable standards, criteria, and evidence that support audit conclusions
- Audits usually require:
  - A common model, or standard, as the reference point
  - Sound documentary evidence of processes, procedures, and other deliverables to support findings
3-38 Measuring Performance
- The ability to base management decisions on data is an important aspect of an ongoing information assurance maintenance process
- Measurement programs:
  - Allow decision making based on evidence
  - Allow assessment of performance
  - Bring deviations to the right person’s attention
- This is ensured by regularized reviews of each operational element
3-39 Measuring Performance
- Attributes of an effective assessment program:
  - Factual – values are directly observable
  - Adaptable – measures are used that appropriately fit the circumstance
  - Meaningful – outcomes are understandable to all
- Rule: whatever measures are selected must be applied consistently and uniformly