Slide 1: Information Assurance for the Enterprise: A Roadmap to Information Security, by Schou and Shoemaker
PowerPoint to accompany Information Assurance for the Enterprise (Schou, Shoemaker). McGraw-Hill/Irwin, Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved. Permission required for reproduction or display.
Chapter 1: Discovering What To Secure

Slide 2: Objectives
In this chapter, you will learn:
- Why "knowing what to secure" is the first step in ensuring security
- Why information has to be controlled like any other organizational asset
- Why the process of change has to be rigorously controlled

Slide 3: Information
- Unlike other assets, information is intangible
- Information represents value
- It is hard to develop an effective security response if you are unsure what it is you are securing

Slide 4: Assurance Process
- The first step is to inventory assets
- The process is called baselining; the outcome is called a baseline
- Baseline: a precise specification of the content and interrelationships of the organization's information items
- Contains only items that the organization considers valuable

Slide 5: Baselining
- Documents the asset base (or resource base) of the organization
- That documentation is the only tangible record of the form of the asset base
- Has to be maintained throughout the lifecycle of the information assurance process

Slide 6: Asset Base
The asset base:
- Is dynamic; the information it contains is constantly changing
- Information of value is directly related to the business case
- Evolves with the business case and must be aligned with changes to it
- Is the only concrete representation of the information that supports mission and purpose

Slide 7: Changes to the Asset Base
- There must be a process to evaluate and control any change to the baseline; otherwise the organization's understanding of the contents of the asset base can be lost
- Additions to the business case will produce new kinds of information
- New information is extremely valuable to the success of a product or organization

Slide 8: Ensuring Continuous Knowledge
Asset management:
- Ensures the contents of the information base are always known and documented
- Establishes and maintains a precise description of the information asset base, its constituent elements and their inter-relationships
- Ensures a permanent accounting that enables asset status to be known at all times

Slide 9: Asset Management
- A complex organizational process
- Assures that documentation is accurate
- Assures that all security policies are implemented correctly

Slide 10: Asset Management
Comprised of six interdependent activities:
1. Process implementation
2. Asset identification
3. Control of change
4. Status accounting
5. Asset evaluation
6. Version management

Slide 11: Process Implementation
Requires an asset management plan that:
- Enumerates the activities that make up the asset management process (procedures, timetable)
- Defines and assigns organizational roles (responsibilities, personal inter-relationships)
- Specifies the interactions between activities

Slide 12: Process Implementation
The process implementation plan:
- Establishes the overall approach to accounting for and maintaining the status of all information of value
- Provides a complete lifecycle strategy
- Assures an up-to-date status of information assets
- Maintains baselines and versions
- Provides an up-to-date list of the decision makers authorized to approve alterations
The organization must commit to maintaining the plan throughout the lifecycle.

Slide 13: Process Implementation
Risk management:
- The organization's authorized response to risk
- Based on an assessment of the risk each hazard represents
- Aided by well-defined baselines
- Ensures that only relevant threats are dealt with
Disaster recovery plan:
- Ensures the ability to recover assets after a disaster
- Is the critical outcome of good baseline management

Slide 14: Asset Identification
Goal of asset identification: to establish an accurate record of the precise form of the items in the information asset base
- Based on a formal identification scheme
- Items must be identified and labeled; labels designate and relate each item's position within the family tree of the asset base
- Establishes the "day one" form of the asset
- Always associated with the business case

Slide 15: Two Pass Approach
Two pass process:
- The first pass describes baseline components at a high level of functioning
- The second pass provides more detailed descriptions

Slide 16: Increasing Levels of Control
Information can be described at one or all of these levels:

Slide 17: Hierarchy of Components
General approach to the design process:

Slide 18: Control of Change
- Change control is a continuous process: information is always evolving, items are continuously added to baselines, and the form and content of baselines change
- Effective change management is dependent on asset identification

Slide 19: Status Accounting
Good status accounting:
- Maintains a running account of all asset baselines
- Performs the routine reporting needed to convey knowledge to managers
- Is usually maintained in an electronic repository or ledger
- Is used by change control to perform impact analysis
- Is updated when a change has been approved and implemented

Slide 20: Asset Evaluation
Good asset evaluation:
- Ensures the continuing integrity of the asset base
- Is done on a routine, scheduled basis
- Assesses the degree of correctness of the baseline, testing the accuracy of each description, the placement of each item and the labeling of information resources
- Evaluates the appropriateness and effectiveness of established safeguards

Slide 21: Asset Evaluation
- Results are communicated to designated executives
- Anomalies are resolved by managerial action
- By definition, anomalies are latent vulnerabilities
- The reporting process is defined in the asset management plan

Slide 22: Version Management
Version management is required when multiple versions of the same asset baseline exist simultaneously:
- Previous (superseded) versions must be kept in separate archives
- Studying that data yields useful information about the long-term behavior and evolution of the resource

Slide 23: Maintaining Integrity
Components necessary for maintaining integrity in the organization:
- Establishing the checkpoint
- Documenting the decision
- Assigning authority
- Implementing the change
- Accounting for information
- Other considerations

Slide 24: Establishing the Checkpoint
- Assures continuous integrity by controlling all changes to all formally established baselines
- The checkpoint for receiving and processing requests must be located at a single point in the organization

Slide 25: Documenting the Decision
- Document decisions so that change protocols are understood
- The method for requesting changes must be clearly understood, consistently applied and standardized in format
- No single format is applicable to all situations

Slide 26: Documenting the Decision
Documentation, at a minimum, needs to include:
- The organizational requirements that necessitate the change
- The operational timeframe and proposed schedule
- Information items impacted
- Controls impacted
- Costs and resource commitments
- Staff capabilities required
- Any software or tool requirements
- Any anticipated changes in procedure caused by the change
- Any anticipated change in the way the baseline is kept (for example, libraries)
- Any audit considerations
- Any disaster recovery considerations
- If they exist, the impacts on the various versions

Slide 27: Assigning Authority
- Decisions have to be made by an assigned authority to assure accountability
- The first step is to identify and designate the proper decision maker, typically assigned on the basis of operational responsibilities
- The person held accountable for approving changes to an information asset should also be the one responsible for managing its generation and use

Slide 28: Assigning Authority
- The decision to change a baseline can be approved only by the authorized decision maker
- The decision maker must have the authority to enforce the decisions that they make
- To assure the integrity of the change, the decision maker should be able to allocate the resources and oversee the activities

Slide 29: Implementing the Change
- All changes have to be initiated and approved through a formal implementation process
- The request is submitted to the person responsible for maintaining the accuracy of the baseline
- That individual assures that the change is authorized and will not affect the integrity of the item or of the asset baseline
- The change is made once authorization is received
- Changes at any level of the representation must be maintained at each relevant level and must correctly and accurately reflect the changed status of the actual asset base

Slide 30: Accounting for Information
- Formal accounting functions assure that the contents of the asset base are always accurate and known
- Each baseline is treated as if it were a separate account in a ledger; individual transactions are entered as they occur
- The aim is to document and record all transactions for that baseline
Gathering the following helps assure that this function operates as intended:
- Label and description of the information item
- How formally the item is controlled
- Description of the controls
- Measures to support monitoring the integrity of the item
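The activities on slides 14 and 18 through 30 (hierarchical identification, the single change checkpoint, the designated decision maker, a ledger of transactions per baseline, scheduled evaluation against the real environment and retention of superseded versions) can be exercised as one small program. The following is an added example written for this page; it is not code from Schou and Shoemaker. Every label, owner name and item content in it is constructed, and the choice of a SHA-256 hash chain for the ledger and of a SHA-256 fingerprint for an item's "form" are the example's own assumptions about how the book's ledger would be kept tamper-evident.

```python
# Added example (not code from Schou & Shoemaker): labels, owners and content are constructed.
from __future__ import annotations
import dataclasses
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64


def fingerprint(content: bytes) -> str:
    """Fingerprint of an item's current form; any edit to the content changes it."""
    return hashlib.sha256(content).hexdigest()


@dataclass(frozen=True)
class Item:
    label: str          # position in the asset base's family tree, e.g. FIN/PAYROLL/RATES
    description: str
    owner: str          # decision maker accountable for approving changes to this item
    control: str        # how formally the item is controlled
    digest: str | None  # fingerprint of the item's form; None for pure containers


@dataclass
class Ledger:
    # One account per baseline; every entry commits to the hash of the entry before it.
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def post(self, kind: str, **detail) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "kind": kind, "prev": prev, **detail}
        entry = {**body, "hash": self._digest(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        # True only if no entry was altered, dropped or reordered after it was posted.
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class Baseline:
    def __init__(self, name: str):
        self.name = name
        self.version = 1
        self.items: dict[str, Item] = {}
        self.archive: dict[int, dict[str, Item]] = {}  # superseded versions, kept apart
        self.ledger = Ledger()

    def identify(self, item: Item) -> None:
        # Asset identification: the label is unique and its parent is already on record.
        if item.label in self.items:
            raise ValueError(f"duplicate label {item.label}")
        parent = item.label.rsplit("/", 1)[0] if "/" in item.label else None
        if parent is not None and parent not in self.items:
            raise ValueError(f"parent {parent} of {item.label} has not been identified")
        self.items[item.label] = item
        self.ledger.post("identify", label=item.label, owner=item.owner,
                         control=item.control, digest=item.digest)

    def request_change(self, label: str, new_content: bytes, approved_by: str) -> bool:
        # The single checkpoint: only the item's designated decision maker can approve.
        item = self.items[label]
        if approved_by != item.owner:
            self.ledger.post("rejected", label=label, approved_by=approved_by)
            return False
        self.archive[self.version] = dict(self.items)  # archive before altering the record
        self.version += 1
        new_digest = fingerprint(new_content)
        self.items[label] = dataclasses.replace(item, digest=new_digest)
        self.ledger.post("change", label=label, old=item.digest, new=new_digest,
                         approved_by=approved_by, version=self.version)
        return True

    def evaluate(self, observed: dict[str, bytes]) -> list[str]:
        # Asset evaluation: compare the record with what is actually in the environment.
        anomalies = []
        for label, item in self.items.items():
            if item.digest is None:
                continue  # containers carry no content of their own
            if label not in observed:
                anomalies.append(f"{label}: in baseline but missing from environment")
            elif fingerprint(observed[label]) != item.digest:
                anomalies.append(f"{label}: content differs from approved baseline")
        anomalies += [f"{label}: present but never identified in baseline"
                      for label in observed if label not in self.items]
        return sorted(anomalies)


def demo() -> dict:
    bl = Baseline("finance")
    bl.identify(Item("FIN", "Finance function", "cfo", "container", None))
    bl.identify(Item("FIN/PAYROLL", "Payroll subsystem", "payroll_mgr", "container", None))
    bl.identify(Item("FIN/PAYROLL/RATES", "Withholding rate table", "payroll_mgr",
                     "formal", fingerprint(b"rates-v1")))
    rejected = bl.request_change("FIN/PAYROLL/RATES", b"rates-v2", approved_by="contractor")
    approved = bl.request_change("FIN/PAYROLL/RATES", b"rates-v2", approved_by="payroll_mgr")
    anomalies = bl.evaluate({"FIN/PAYROLL/RATES": b"rates-v2", "FIN/PAYROLL/SCRATCH": b"?"})
    intact_before = bl.ledger.verify()
    bl.ledger.entries[2]["owner"] = "contractor"  # after-the-fact tampering with the record
    return {"rejected": rejected, "approved": approved, "version": bl.version,
            "archived_versions": sorted(bl.archive), "anomalies": anomalies,
            "ledger_intact_before": intact_before, "ledger_intact_after": bl.ledger.verify()}
```

Running demo() shows the three behaviours the chapter asks for: the contractor's request is refused at the checkpoint and the refusal itself is posted to the ledger; the payroll manager's identical request is applied, version 1 is archived and version 2 becomes current; evaluation of the environment reports the undocumented FIN/PAYROLL/SCRATCH item as an anomaly (a latent vulnerability in the chapter's terms) while the approved change does not trip it; and editing a ledger entry after the fact is detected because the hash chain no longer verifies.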

Slide 31: Other Considerations
- Escalation policies must always be considered: once systems and their data are moved up to operational status, a greater change authority is needed
- In complex situations, asset baselines must evolve through a single integrated and coordinated function
- If third parties could change baselines without authority, the integrity of the entire asset could be destroyed without anyone in the organization knowing it
- There is no greater threat to the integrity of information than uncontrolled change

Slide 32: Establishing the Assurance Function
The details of establishing the assurance function:
- Basing the response on the risks
- Timing requirements
- Corrective action requirements
- Financial factors
- Likelihood

Slide 33: Basing the Response on the Risks
- With the baseline established, information assurance maintains the integrity of the information asset base
- To deploy assurance functions, the risks must be understood fully
- A control that has been set to counter an identified threat is a countermeasure
- To identify the needed countermeasures, the organization must first identify the threats
- The outcome is an inventory of risks and their associated countermeasures

Slide 34: Timing Requirements
- Every threat has different timing requirements
- The old axiom about "closing the barn door after the horse has escaped" illustrates why timing is an important security issue
- The feasibility of a countermeasure is based on its ability to react quickly enough to overcome the threat
- Electronic penetrations move at the speed of the computer itself; a thief breaking into the computer room allows a little more time to respond

Slide 35: Corrective Action Requirements
- A corrective action is the specific response that an organization deploys for a given situation
- A range of possible corrective actions exists for a given threat
- The most effective actions may not be feasible because of technical, physical or resource limitations
- Corrective actions factor feasibility and cost into the equation, so the countermeasure selected is the most practical one rather than the one that is best in all cases

Slide 36: Financial Factors
- Finance is the most important element; it is the one most easily understood and accepted by the people in the organization
- Typically expressed as the return on investment (ROI) for a given countermeasure
- If the cost of implementing a countermeasure is greater than the conceivable loss, it is pointless to consider it
- For low-value assets, the expense of maintaining a given level of security may outweigh the financial loss

Slide 37: Likelihood
- Likelihood is composed of two factors: the frequency of occurrence of the threat, and the extent of the harm that might result
- Uncertainty in those estimates qualifies the priority assigned to the threat; it is expressed as a level of confidence, from 0 to 100%
Once the analysis of the risks is complete, the organization will know:
- Precisely what information assets it holds
- The type and priority of the threats to the items in the baseline
- The countermeasures to mitigate them
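Slides 33 through 37 describe a selection procedure: rank threats by likelihood (frequency times extent of harm), discard countermeasures that are infeasible or that cannot react within the threat's time window, discard those whose cost exceeds the loss they would avoid, and choose the most practical of what remains, tracking how confident the estimates are. The program below is an added example written for this page, not code from Schou and Shoemaker. The threats, figures and countermeasures are constructed for illustration, and the 0.5 confidence floor below which an estimate is flagged for re-assessment is the example's own assumption; the book gives no such threshold.

```python
# Added example (not code from Schou & Shoemaker); all threats, figures and
# countermeasures below are constructed, and the 0.5 confidence floor is an assumption.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    frequency: float   # expected occurrences per year
    harm: float        # loss per occurrence, in currency units
    confidence: float  # 0.0 .. 1.0 confidence in the two estimates above
    window_s: float    # seconds from onset until the harm is done (the "barn door")


@dataclass(frozen=True)
class Countermeasure:
    name: str
    threat: str
    yearly_cost: float
    reduction: float       # fraction of the exposure it removes, 0.0 .. 1.0
    reaction_s: float      # seconds it needs to take effect once the threat begins
    feasible: bool = True  # technical / physical / resource limits already weighed


def exposure(t: Threat) -> float:
    """Likelihood factor one (frequency) times factor two (extent of harm)."""
    return t.frequency * t.harm


def net_benefit(c: Countermeasure, t: Threat) -> float:
    return exposure(t) * c.reduction - c.yearly_cost


def roi(c: Countermeasure, t: Threat) -> float:
    return net_benefit(c, t) / c.yearly_cost if c.yearly_cost > 0 else float("inf")


def assess(c: Countermeasure, t: Threat) -> str:
    """Why a countermeasure is, or is not, a practical corrective action for this threat."""
    if not c.feasible:
        return "infeasible"
    if c.reaction_s > t.window_s:
        return f"too slow ({c.reaction_s:g}s > {t.window_s:g}s window)"
    if net_benefit(c, t) <= 0:
        return "cost exceeds avoided loss"
    return "ok"


def plan(threats, measures, min_confidence: float = 0.5) -> list[dict]:
    """Rank threats by exposure and pick the most practical countermeasure for each."""
    out = []
    for t in sorted(threats, key=exposure, reverse=True):
        verdicts = {c.name: assess(c, t) for c in measures if c.threat == t.name}
        usable = [c for c in measures if c.threat == t.name and verdicts[c.name] == "ok"]
        chosen = max(usable, key=lambda c: roi(c, t), default=None)
        out.append({
            "threat": t.name, "asset": t.asset, "exposure": round(exposure(t), 2),
            "countermeasure": chosen.name if chosen else "accept risk",
            "roi": round(roi(chosen, t), 2) if chosen else None,
            "candidates": verdicts,
            "reassess": t.confidence < min_confidence,  # weak estimate: revisit before relying on it
        })
    return out


# Constructed inventory: one fast electronic threat, one slower physical one, one low-value asset.
THREATS = [
    Threat("ransomware", "file server", frequency=0.5, harm=200_000, confidence=0.7, window_s=60),
    Threat("computer room burglary", "server room", frequency=0.2, harm=100_000, confidence=0.8, window_s=600),
    Threat("laptop theft", "loaner laptop (low value)", frequency=2.0, harm=500, confidence=0.3, window_s=3600),
]
MEASURES = [
    Countermeasure("EDR with automated isolation", "ransomware", 30_000, reduction=0.8, reaction_s=1),
    Countermeasure("manual SOC triage", "ransomware", 40_000, reduction=0.9, reaction_s=3600),
    Countermeasure("24x7 on-site guard", "computer room burglary", 80_000, reduction=0.9, reaction_s=120),
    Countermeasure("alarm and hardened door", "computer room burglary", 5_000, reduction=0.7, reaction_s=300),
    Countermeasure("full-disk encryption rollout", "laptop theft", 2_000, reduction=0.9, reaction_s=0),
    Countermeasure("armed escort for laptops", "laptop theft", 50_000, reduction=1.0, reaction_s=0, feasible=False),
]

if __name__ == "__main__":
    for row in plan(THREATS, MEASURES):
        print(row)
```

With the constructed inventory, ransomware tops the list (exposure 100,000 per year); manual triage is rejected on timing alone, so EDR is chosen even though triage would remove more of the exposure. For the burglary the guard is the more effective control but its cost exceeds the loss it avoids, so the alarm is the practical choice. The laptop line ends as "accept risk": the cheapest feasible control costs more than the exposure, which is the low-value-asset case from slide 36, and its low confidence marks it for re-assessment rather than silent acceptance.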

Slide 38: Documenting the Countermeasures
The relationship of information items to assurance controls:

Slide 39: Documenting the Assurance Solution
- Preparing and documenting a set of work practices establishes the link between each item of information and the countermeasures that protect it
- To be certain that work practices are designed and documented correctly, the following have to be considered:
  - Sequence and timing
  - Monitoring
  - Accountabilities
  - Documentation and reporting
  - Problem resolution

Slide 40: Sequence and Timing
Sequencing and timing countermeasures:
- Countermeasures can't all be applied at the same time; they must be sequenced properly
- It is important that personnel understand which task to do first
- It is not good practice to assume that everybody knows the sequence

Slide 41: Sequence and Timing
These might be the countermeasures specified for the personnel function. Consider the importance of the sequence.
1. Background checks will be performed for all new hires
2. An initial employee orientation will be held to obtain confidentiality agreements
3. Employees will receive regularly scheduled security training
4. Employee violations of policy and procedure will be disciplined
5. Employees will be given periodic random background checks
6. Employees will report all security incidents they see
7. Employee-reported security incidents will be recorded and quantified
8. Employees leaving the organization will be processed using secure personnel practice
9. Unfriendly terminations will be processed as security incidents
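Slides 40 and 41 say the sequence matters and must be written down rather than assumed. The added example below (not code from Schou and Shoemaker) shows one way to make the sequence explicit and checkable: each countermeasure records which others must already be in place, a topological sort derives an order that honours every such statement and rejects a contradictory specification, and a second function checks a proposed order against the same statements. The nine measures are the slide's; the prerequisite relationships in PREREQS are the example's own assumptions, chosen to illustrate the technique.

```python
# Added example (not code from Schou & Shoemaker). The nine measures are from the
# slide; the PREREQS relationships are assumptions made to illustrate sequencing.
from __future__ import annotations
import heapq

MEASURES = {
    1: "Background checks for all new hires",
    2: "Initial orientation to obtain confidentiality agreements",
    3: "Regularly scheduled security training",
    4: "Discipline for policy and procedure violations",
    5: "Periodic random background checks",
    6: "Employees report all security incidents they see",
    7: "Reported security incidents recorded and quantified",
    8: "Secure personnel practice for employees leaving",
    9: "Unfriendly terminations processed as security incidents",
}

# Assumed prerequisites: each key may start only after every measure in its set is in place.
PREREQS = {2: {1}, 3: {2}, 4: {3}, 5: {1}, 6: {3}, 7: {6}, 8: {2}, 9: {7, 8}}


def sequence(measures: dict[int, str], prereqs: dict[int, set[int]]) -> list[int]:
    """Kahn's topological sort; among measures that are ready, the lowest number goes first."""
    indegree = {m: 0 for m in measures}
    dependents: dict[int, set[int]] = {m: set() for m in measures}
    for m, reqs in prereqs.items():
        for r in reqs:
            if m not in measures or r not in measures:
                raise KeyError(f"prerequisite {r} -> {m} names an unknown measure")
            indegree[m] += 1
            dependents[r].add(m)
    ready = [m for m in measures if indegree[m] == 0]
    heapq.heapify(ready)
    order = []
    while ready:
        m = heapq.heappop(ready)
        order.append(m)
        for d in dependents[m]:
            indegree[d] -= 1
            if indegree[d] == 0:
                heapq.heappush(ready, d)
    if len(order) != len(measures):
        # Whatever never became ready sits on a cycle: the specification contradicts itself.
        cycle = sorted(m for m in measures if indegree[m] > 0)
        raise ValueError(f"prerequisites are circular among {cycle}")
    return order


def is_consistent(measures: dict[int, str], prereqs: dict[int, set[int]]) -> bool:
    """True when some order satisfies every prerequisite statement."""
    try:
        sequence(measures, prereqs)
        return True
    except ValueError:
        return False


def violations(order: list[int], prereqs: dict[int, set[int]]) -> list[tuple[int, int]]:
    """(measure, prerequisite) pairs where a proposed order runs the measure before its prerequisite."""
    position = {m: i for i, m in enumerate(order)}
    return sorted((m, r) for m, reqs in prereqs.items() for r in reqs
                  if position[r] > position[m])


if __name__ == "__main__":
    for step, m in enumerate(sequence(MEASURES, PREREQS), 1):
        print(f"{step}. {MEASURES[m]}")
    print("violations in swapped order:", violations([2, 1, 3, 4, 5, 6, 7, 8, 9], PREREQS))
```

Under the assumed prerequisites the slide's own numbering is a valid order, which is the check worth having in writing; swapping the first two steps (orientation before the background check) is reported as a violation, and adding a statement such as "background checks require random re-checks to exist first" makes the specification circular and is rejected before anyone tries to act on it.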

Slide 42: Monitoring
Monitoring has two purposes:
- It assures that the relationship between the information and its countermeasures will be supervised
- It allows the organization to evolve the countermeasures as threats arise
A focused monitoring process assures both of these functions.

Slide 43: Accountabilities
- Explicit accountability for oversight and problem resolution should be assigned as part of the description of the countermeasures
- This requires that supervisory roles and responsibilities be defined for each countermeasure
- Performance of duties needs to be overseen using the monitoring process just discussed
- The consequences of a failure to meet assigned obligations must be spelled out

Slide 44: Documentation and Reporting
- Established and maintained through a statement of the steps required to assure the recording and reporting of incidents
- The statement defines what information will be captured and specifically how it will be recorded and reported
- The statement identifies all management reports to be produced

Slide 45: Problem Resolution
The problem resolution process is a statement about how problems will be resolved. It:
- Defines how typical problems with operations will be handled as they are identified
- Defines who is responsible for their resolution
- Defines the criteria that will be used to determine whether a problem has been resolved properly
- Closes the loop in ensuring consistent application of the process
- Guarantees that problems that arise during operation will be dealt with systematically

Slide 46: Keeping the System Aligned
- The baseline must be properly aligned with the evolution of the organization's operating infrastructure
- It is inappropriate to develop a static representation and then fail to maintain it
- Effectiveness implies a commitment to continuous monitoring, adjustment and updating of the baseline
- This process should include continual and regular feedback from the operational environment
- A well-executed feedback system generates a high degree of organizational buy-in, or universal acceptance

