CISA Review Manual 2009
Information Security
Principles of Data Security
Data Inventory
Authentication
Audit Trail
Additional Audit Functions
Acknowledgments
Material is sourced from:
CISA® Review Manual 2011, ©2010, ISACA. All rights reserved. Used by permission.
CISM® Review Manual 2012, ©2011, ISACA. All rights reserved. Used by permission.
CISA® Certified Information Systems Auditor All-in-One Exam Guide, Peter H Gregory, McGraw-Hill
Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside
Reviewers/Contributors: Megan Reid, Kahili Cheng
Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning.
Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.
Objectives
Student should know:
Define information security principles: need-to-know, least privilege, segregation of duties, privacy
Define information security management positions: data owner, data custodians, security administrator
Define access control techniques: mandatory, discretionary, role-based, physical, single sign-on
Define authentication combinations: single factor, two factor, three factor, multifactor
Define biometric terms: FRR, FAR, FER, EER
Define elements of BLP: read down, write up, tranquility principle, declassification
Define military security policy: level of trust, confidentiality principle
Define backup rotation, incremental backup, differential backup, degauss, audit trail, audit reduction, criticality classification, sensitivity classification
Develop an information security classification scheme that addresses confidentiality and availability
Information Security Goals
CIA Triad: Confidentiality, Integrity, Availability
Conformity to Law & Privacy Requirements
Information Security Principles
Need-to-know: Persons should have the ability to access data sufficient to perform their primary job and no more
Least Privilege: Persons should have the ability to do tasks sufficient to perform their primary job and no more
Segregation of Duties: Ensure that no person can assume two of these roles: Origination, Authorization, Distribution, Verification
Privacy: Personal/private info is retained only when a true business need exists; privacy is a liability, so retain records for a short time
Personnel office should change permissions as jobs change
Information Security Mgmt
Senior Mgmt Commitment
Policies & Procedures
To achieve CIA, Privacy, Legal Conformity
Allocation of Responsibility
Data Owner Responsibility
Security Awareness & Education
Audit & Compliance
Incident Handling & Response
President
Business Executive
Chief Privacy Officer: Protects customer & employee rights
Chief InfoSecurity Officer: Articulates & enforces policies
Data Owner: Responsible for security of data
Chief Security Officer: Physical security
Security Specialist: Designs/implements/reviews policies & procedures
Security Administrator: Administrates computer & network security
Process Owner: Responsible for security of process
IS Auditor: Independent assurance of security objectives & controls
Some positions may be merged
Information Owner or Data Owner
Is responsible for the data within business (mgr/director, not IS staff)
Determines who can have access to data and may grant permissions directly OR gives written permission for access directly to security administrator, to prevent mishandling or alteration
Periodically reviews authorization to restrict authorization creep
Other Positions
Data Custodian: IS employee who safeguards the data; may be Systems Analyst or System Administrator
Security Administrator: Allocates access to employees based on written documentation; monitors access to terminals and applications; monitors invalid login attempts; prepares security reports
Criticality Classification
Critical $$$$: Cannot be performed manually. Tolerance to interruption is very low
Vital $$: Can be performed manually for very short time
Sensitive $: Can be performed manually for a period of time, but may cost more in staff
Nonsensitive ¢: Can be performed manually for an extended period of time with little additional cost and minimal recovery effort
Sensitivity Classification (Example)
Confidential: Strategic Plan
Private: Salary & Health Info
Internal: Product Plans near Release
Public: Product Users Manual
Sensitivity Classification Workbook
Sensitivity Classification | Description | Information Covered
Proprietary | Protects competitive edge. Material is of critical strategic importance to the company. Dissemination could result in serious financial impact. |
Confidential | Information protected by FERPA and breach notification law. Shall be available on a need-to-know basis only. Dissemination could result in financial liability or reputation loss. | Student information & grades; Employee information
Internal | Should be accessible to management or affected parties only. Could cause internal strife. | Budgets
Public | Disclosure is not welcome, but would not adversely impact the organization | Teaching lectures
Wisconsin Statute 134.98
Restricted data includes:
Social Security Number
Driver's license # or state ID #
Financial account number (credit/debit) and access code/password
DNA profile (Statute 939.74)
Biometric data
National: HIPAA protects health status, treatment, or payment
Data Classification
How do we mark classified information?
How do we determine which data should be classified to which class?
How do we store, transport, handle, archive classified information?
How do we dispose of classified data?
What does the law say about handling this information?
Who has authority to determine who gets access, and what approvals are needed for access?
Handling of Sensitive Data
Aspect | Confidential | Private | Privileged
Access | Need to know | Need to know | Need to know
Paper Storage | Locked cabinet, locked room if unattended | Locked cabinet, locked room if unattended | Locked cabinet or locked room if unattended
Disk Storage | Password-protected, encrypted | Password-protected, encrypted | Password-protected
Labeling & Handling | Clean desk, low voice, no SSNs, ID required | Clean desk, low voice | Clean desk, low voice
Transmission | Encrypted | Limited email or email security notice | Encrypted
Archive | Encrypted | Encrypted |
Disposal | Degauss & damage disks; shred paper | Secure wipe; shred paper | Reformat disks
Storage & Destruction of Confidential Information
Storage:
Encrypt sensitive data
Avoid touching media surface
Keep out of direct sunlight
Keep free of dust & liquids; a firm container is best
Avoid magnetic, radio, or vibrating fields
Use anti-static bags for disks
Avoid spikes in temperature for disks; bring to room temperature before use
Write protect floppies/magnetic media
Store tapes vertically
Disposing of Media:
Meet record-retention schedules
Reformat disk
Use "Secure wipe" tool
If highly secure: Degauss (= demagnetize) or physical destruction
Repair: Remove memory before sending out for repair
Permission types
Read, inquiry, copy
Create, write, update, append, delete
Execute, check
Access Matrix Model (HRU)
Subject | File A | File B | File C | Jack
Jack | rwx | rx | - |
Jill | rwx | r | d |
Jeff | r | rx | rwx | -
Information Asset Inventory
Asset Name: Course Registration
Value to Organization: Records which students are taking which classes
Location: IS Main Center
Security Risk Classification: Sensitive, Vital
Asset Group (IS Server): Peoplesoft
Data Owner: Registrar: Monica Jones
Designated Custodian: IS Operations: John Lewinsky
Granted Permissions: Read: Department Staff, Advising; Read/Write: Students, Registration
Access is permitted at any time/any terminal
Workbook
Question
The person responsible for deciding who should have access to a data file is:
1. Data custodian
2. Data owner
3. Security administrator
4. Security manager
Question
Least Privilege dictates that:
1. Persons should have the ability to do tasks sufficient to perform their primary job and no more
2. Access rights and permissions shall be commensurate with a person's position in the corporation: i.e., lower layers have fewer rights
3. Computer users should never have administrator passwords
4. Persons should have access permissions only for their security level: Confidential, Private or Sensitive
Question
A concern with personal or private information is that:
1. Data is not kept longer than absolutely necessary
2. Data encryption makes the retention of personal information safe
3. Private information on disk should never be taken off-site
4. Personal data is always labeled and handled as critical or vital to the organization
Question
The person responsible for restricting and monitoring permissions is the:
1. Data custodian
2. Data owner
3. Security administrator
4. Security manager
Security: Defense in Depth
Border Router
Perimeter firewall
Internal firewall
Intrusion Detection System
Policies & Procedures & Audits
Authentication
Access Controls
Four Layers of Logical Security
(Diagram: Database; App1, App2; System 1, System 2)
Two layers of general access to Networks and Systems
Two layers of granularity of control to Applications and Databases
Access Control Techniques
Mandatory Access Control / Discretionary Access Control (diagram)
Login | User | Group | Permi…
John | John | Mgmt | rwx r x
June | June | Billing | r
May | May | Factory | r x r x
Al | Al | Billing |
Don | Don | Billing |
Role-Based Access Control
Login | Role | Permission
John | Mgr | A, B, C, D, E, F
June | Acct. | A, B, C
Al | Acct. | A, B, C
May | Factory | D, E, F
Pat | Factory | D, E, F
Per-user permissions shown in the diagram:
John: A, B, C, D, E, F
June: A, B, C
May: D, E, F
Al: A, B
Don: B, C
Pat: D, F
Tom: E, F
Tim: E
Access Control Techniques
Mandatory Access Control: General (system-determined) access control
Discretionary Access Control: Person with permissions controls access
Role-Based Access Control: Access control determined by role in organization
Physical Access Control: Locks, fences, biometrics, badges, keys
Workbook: Role-Based Access Control
Role Name | Information Access (e.g., Record or Form) and Permissions (e.g., RWX)
Instructor | Grading Form: RW; Student Transcript (current students): R; Transfer credit form: R
Advising | Student Transcript (current students): R; Fee Payment: R; Transfer credit form: R
Registration | Fee Payment: RW; Transfer credit form: RW
Military Security Policy
Person has an Authorization Level or Level of Trust (S,D) = (sensitivity, domain) for Subject
Object has a Security Class
Confidentiality Property: Subject can access object if it dominates the object's classification level
Class | Finance | Engineering | Personnel
Top Secret | Customer list | New plans |
Secret | Dept. Budgets | Code | Personnel review
Confidential | Expenses | Emails | Salary
Non-Classified | Balance sheet | Users Manuals | Position Descriptions
Example subject clearances: (Secret, Eng), (Confid., Finance)
Bell and La Padula Model (BLP)
Property of Confinement:
Read Down: if Subject's class is >= Object's class
Write Up: if Subject's class is <= Object's class
Tranquility Principle: Object's class cannot change
Declassification: Subject can lower his/her own class
(Diagram) Joe => (Secret):
Top Secret: write
Secret: read & write
Confidential: read
Non-Classified: read
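Joe's read/write rights from the diagram above, extended to the (sensitivity, domain) labels of the Military Security Policy slide, as an added Python example (not code from the CISA manual or this course). The object labels are constructed from that slide's table; treating the domain as a compartment the subject must cover is an assumption.

```python
from dataclasses import dataclass

# Sensitivity ordering from the slide's lattice (a higher number dominates a lower one).
LEVELS = {"Non-Classified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
ALL_DOMAINS = frozenset({"Finance", "Engineering", "Personnel"})

@dataclass(frozen=True)   # frozen: a label cannot be altered once assigned (tranquility)
class Label:
    sensitivity: str
    domains: frozenset     # assumption: domains act as compartments that must be covered

    def dominates(self, other):
        return (LEVELS[self.sensitivity] >= LEVELS[other.sensitivity]
                and other.domains <= self.domains)

def can_read(subject, obj):
    """Read down: the subject's class must dominate the object's class."""
    return subject.dominates(obj)

def can_write(subject, obj):
    """Write up: the object's class must dominate the subject's class."""
    return obj.dominates(subject)

# Objects and their classes, constructed from the Military Security Policy table on the page.
OBJECTS = {
    "Customer list": Label("Top Secret", frozenset({"Finance"})),
    "New plans": Label("Top Secret", frozenset({"Engineering"})),
    "Dept. Budgets": Label("Secret", frozenset({"Finance"})),
    "Code": Label("Secret", frozenset({"Engineering"})),
    "Personnel review": Label("Secret", frozenset({"Personnel"})),
    "Expenses": Label("Confidential", frozenset({"Finance"})),
    "Emails": Label("Confidential", frozenset({"Engineering"})),
    "Salary": Label("Confidential", frozenset({"Personnel"})),
    "Balance sheet": Label("Non-Classified", frozenset({"Finance"})),
    "Users Manuals": Label("Non-Classified", frozenset({"Engineering"})),
    "Position Descriptions": Label("Non-Classified", frozenset({"Personnel"})),
}

def allowed(subject, mode):
    """Sorted names of the objects the subject may read or write under BLP."""
    check = {"read": can_read, "write": can_write}[mode]
    return sorted(name for name, label in OBJECTS.items() if check(subject, label))

def blp_rights(subject_level):
    """Read/write per class for a level-only subject, i.e. the Joe => (Secret) diagram."""
    s = Label(subject_level, ALL_DOMAINS)
    return {level: {m for m, f in (("read", can_read), ("write", can_write))
                    if f(s, Label(level, ALL_DOMAINS))} for level in LEVELS}

def declassify(subject, new_sensitivity):
    """Declassification: a subject may lower its own class, never raise it."""
    if LEVELS[new_sensitivity] > LEVELS[subject.sensitivity]:
        raise ValueError("a subject cannot raise its own class")
    return Label(new_sensitivity, subject.domains)

SECRET_ENG = Label("Secret", frozenset({"Engineering"}))      # (Secret, Eng) on the policy slide
CONFID_FIN = Label("Confidential", frozenset({"Finance"}))   # (Confid., Finance) on the policy slide
```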
System Access Control
Establish rules for access to information resources
Create/maintain user profiles
Allocate user IDs requiring authentication (per person, not group)
Notify users of valid use and access before and upon login
Ensure accountability and auditability by logging user activities
Log events
Report access control configuration & logs
Application-Level Access Control
Create/change file or database structure
Authorize actions at the: application level, file level, transaction level, field level
Log network & data access activities to monitor access violations
Recommended Password Allocation
(Activity diagram with two lanes: User, Security Admin)
Security admin verifies user ID (e.g., call back)
User is allocated a randomly generated password, informed in a controlled manner
First-time login: change password
[Forgot password]: notify security admin (the flow returns to verifying the user ID)
[Invalid password attempts]: enter 3 invalid passwords and the account becomes [locked]
Account becomes [unlocked] again either by [auto] timeout (system automatically unlocks) or by [manual] unlock
Password Rules
One-way encrypted using a strong algorithm
Never displayed (except ***)
Never written down and retained near terminal or in desk
Passwords should be changed every 30 days, by notifying user in advance
A history of passwords should prevent user from using same password in 1 year
Passwords should be >= 8 (better 12) characters, including 3 of: alpha, numeric, upper/lower case, and special characters
Passwords should not be identifiable with user, e.g., family member or pet name
Creating a Good Password
Bad password: Merry Christmas
Techniques labeled on the slide: Abbreviate; Lengthen; Convert vowels to numeric; Keypad shift (right … up); Intertwine letters; Synonym
Good password variants derived from it on the slide: Merry Xmas, mErcHr2yOu, MerryChrisToYou, MerChr2You, MerryJul, MaryJul, Mary*Jul, rttuc,sd, J3446sjqw, M5rryXm1s, MXemrarsy, GladJesBirth
Admin & Login ID Rules
Restrict number of admin accounts
Admin password should only be known by one user
Admin accounts should never be locked out, whereas others are
Admin password can be kept in locked cabinet in sealed envelope, where top manager has key
Login IDs should follow a confidential internal naming rule
Common accounts: Guest, Administrator, Admin should be renamed
Session time out should require password re-entry
Single Sign On
Advantages:
One good password replaces lots of passwords
IDs consistent throughout system(s)
Reduced admin work in setup & forgotten passwords
Quick access to systems
Disadvantages:
Single point of failure -> total compromise
Complex software development due to diverse OS
Expensive implementation
(Diagram: the user enters a password once at the Primary Domain (System); Secondary Domains App1, DB2, App3 are then reached without re-authenticating)
Authentication Combinations
Single Factor: Something you know: Login & Password
Multifactor Authentication: Using two or more authentication methods
Two Factor: Add one of: Something you have: Card or ID; Something you are or do: Biometric
Three Factor: Uses all three: e.g., badge, thumb, pass code
Biometrics
Biometrics: Who you are or what you do; susceptible to error
False Rejection Rate (FRR): Rate of users rejected in error
False Acceptance Rate (FAR): Rate of users accepted in error
Failure to Enroll Rate (FER): Rate of users who failed to successfully register
Equal Error Rate (EER): the point where FRR = FAR (chart: FAR and FRR plotted against each other; EER is the crossover)
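The FRR/FAR trade-off and the EER crossover computed on constructed matcher scores, as an added Python example (not from the CISA manual). The score values and the 0-100 score scale are assumptions made for the illustration.

```python
# Constructed matcher scores on a 0-100 scale (higher = better match); not real biometric data.
GENUINE = [88, 91, 75, 82, 95, 70, 85, 90, 78, 93]    # enrolled users matched against themselves
IMPOSTOR = [40, 55, 62, 48, 71, 35, 58, 66, 50, 45]   # other people matched against that template

def frr(threshold, genuine=GENUINE):
    """False Rejection Rate: share of genuine users scoring below the threshold (rejected in error)."""
    return sum(s < threshold for s in genuine) / len(genuine)

def far(threshold, impostor=IMPOSTOR):
    """False Acceptance Rate: share of impostors scoring at or above the threshold (accepted in error)."""
    return sum(s >= threshold for s in impostor) / len(impostor)

def error_curve(step=1):
    """(threshold, FRR, FAR) for each threshold: raising it lowers FAR and raises FRR."""
    return [(t, frr(t), far(t)) for t in range(0, 101, step)]

def equal_error_rate():
    """Threshold where FRR and FAR are closest, and the error rate there (FRR = FAR at the EER)."""
    t, fr, fa = min(error_curve(), key=lambda row: abs(row[1] - row[2]))
    return t, (fr + fa) / 2

def threshold_for_max_far(max_far):
    """Lowest threshold keeping FAR at or below max_far (what a 'low FAR' system such as retina
    needs), returned with the FRR that must be accepted in exchange."""
    for t, fr, fa in error_curve():
        if fa <= max_far:
            return t, fr
```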
Biometrics with Best Response & Lowest EER
Type (top = best) | Advantages | Disadvantages
Palm | Social acceptance | Physical contact
Hand (3D) | Social acceptance, low storage | Not unique, injury affects
Iris | No direct contact | High cost, high storage
Retina | Low FAR | High cost, 1-2 cm away: invasive
Fingerprint | Low cost; more storage = lower EER | Physical contact -> grime -> poor quality image
Voice | Phone use, social acceptance | High storage, playback, voice change, background noise
Signature | Easy to use, low cost | Uniqueness, writing onto tablet differs from paper
Face | Social acceptance | Not unique, overcome with high storage
Biometric Info Mgmt & Security (BIMS) Policy
Identification & authentication procedures
Backup authentication
Safe transmission/storage of biometric data
Security of physical hardware
Validation testing
Auditors should ensure documentation & use is professional
IS Auditor Verifies…
Written Policies & Procedures are professional & implemented
Access follows need-to-know
Security awareness & training implemented
Data owners & data custodians meet responsibility for safeguarding data
Security Administrator provides physical and logical security for IS program, data, and equipment
Authorization is documented and consistent with reality
See Chapter 5.5 CISA Review Manual for specific details
Question
A form of biometrics that is considered invasive by users is:
1. Retina
2. Iris
3. 3D hand
4. Signature
Question
A form of biometrics that is not prone to error is
1. Retina
2. Voice
3. Finger
4. Signature
Question
Julie is a Data Owner. She configures permissions in the database to enable users to access the forms she thinks they should be able to access. This technique is known as
1. Bell and La Padula Model
2. Mandatory Access Control
3. Role-Based Access Control
4. Discretionary Access Control
Question
John has a security clearance of (Engineering, Confidential). Using Bell and La Padula Model, John can write to:
1. Confidential
2. Top Secret, Secret, and Confidential
3. Confidential and Unclassified
4. Unclassified
Backup & Offsite Library
Backups are kept off-site (1 or more)
Off-site is sufficiently far away (disaster-redundant)
Library is equally secure as main site; unlabelled
Library has constant environmental control (humidity-, temperature-controlled, UPS, smoke/water detectors, fire extinguishers)
Detailed inventory of storage media & files is maintained
Backup Rotation: Grandfather/Father/Son
(Diagram)
Grandfather (monthly): Dec '09, Jan '10, Feb '10, Mar '10, Apr '10
Father (weekly): May 1, May 7, May 14, May 21
Son (daily): May 22, May 23, May 24, May 25, May 26, May 27, May 28
Son "graduates" to Father, and Father to Grandfather, as each cycle rolls over
Frequency of backup = daily, 3 generations
Incremental & Differential Backups
Daily Events | Full | Differential | Incremental
Monday: Full Backup | Monday | Monday | Monday
Tuesday: A Changes | Tuesday | Saves A | Saves A
Wednesday: B Changes | Wednesday | Saves A + B | Saves B
Thursday: C Changes | Thursday | Saves A + B + C | Saves C
Friday: Full Backup | Friday | Friday | Friday
If a failure occurs on Thursday, what needs to be reloaded for Full, Differential, Incremental?
Which methods take longer to backup? To reload?
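The slide's Monday-to-Friday schedule simulated for the three strategies, as an added Python example (not from the CISA manual); the data sizes (full set 100 units, each change set 5 units) are constructed so the backup and reload questions get concrete numbers.

```python
FULL_SIZE = 100     # constructed: size of a full backup, in arbitrary units
CHANGE_SIZE = 5     # constructed: size of one day's change set (A, B or C)

# Mon-Fri schedule from the slide: full backups Monday and Friday, change sets A, B, C between.
SCHEDULE = [("Monday", None), ("Tuesday", "A"), ("Wednesday", "B"),
            ("Thursday", "C"), ("Friday", None)]
DAYS = [day for day, _ in SCHEDULE]

def backup_sets(strategy):
    """{day: 'FULL' or the set of change sets written that day} for 'full', 'differential' or 'incremental'."""
    if strategy not in ("full", "differential", "incremental"):
        raise ValueError(strategy)
    plan, since_full = {}, set()
    for day, change in SCHEDULE:
        if change is None or strategy == "full":
            plan[day], since_full = "FULL", set()      # a full backup resets the baseline
        else:
            since_full.add(change)
            # differential: everything changed since the last full; incremental: only today's change
            plan[day] = set(since_full) if strategy == "differential" else {change}
    return plan

def restore_plan(strategy, fail_day):
    """Backups to reload, in order, to recover to the last backup taken on or before fail_day."""
    plan = backup_sets(strategy)
    upto = DAYS[:DAYS.index(fail_day) + 1]
    last_full = max(i for i, d in enumerate(upto) if plan[d] == "FULL")
    if strategy == "full":
        return [upto[last_full]]                      # one tape: the latest full
    if strategy == "differential":                    # the full plus only the latest differential
        return [upto[last_full]] + ([upto[-1]] if len(upto) - 1 > last_full else [])
    return upto[last_full:]                           # the full plus every incremental after it

def size_of(contents):
    return FULL_SIZE if contents == "FULL" else CHANGE_SIZE * len(contents)

def weekly_backup_volume(strategy):
    """Total written Mon-Fri: which method takes longer to back up."""
    return sum(size_of(c) for c in backup_sets(strategy).values())

def restore_volume(strategy, fail_day):
    """Total read back on restore: which method takes longer to reload."""
    plan = backup_sets(strategy)
    return sum(size_of(plan[d]) for d in restore_plan(strategy, fail_day))
```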
Backup Labeling
Data Set Name = Master Inventory
Volume Serial # = 12.1.24.10
Date Created = Jan 24, 2010
Accounting Period = 3W-1Q-2010
Offsite Storage Bin # = Jan 2010
Backup could be disk…
Audit Trail
Audit trail tracks responsibility: who did what, when?
Periodic review will help to find excess-authority access, login successes & failures, and track fraud
Attackers often want to change the audit trail (to hide tracks); audit trail must be hard to change: write-once devices, digital signatures
Security & systems admins and managers may have READ-only access to log
Audit trail must be sensitive to privacy: personal information may be encrypted
Audit Trail Tools
Audit Reduction: Emphasize important logs - eliminate unimportant logs
Trend/ Variance-Detection: Notices changes from normal user or system behavior (e.g., login during night)
Attack/Signature Detection: A sequence of log events may signal an attack (e.g., 1000 login attempts)
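The three audit trail tools above run over a constructed audit trail, as an added Python example (not from the CISA manual). The log line format, event names, business-hours window and the lockout threshold of 3 invalid attempts (taken from the password allocation slide) are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed audit-trail sample (not real log data): "date time user event source".
LOG = """\
2010-05-24 09:02:11 june LOGIN_OK 10.0.0.12
2010-05-24 09:05:40 june FILE_READ 10.0.0.12
2010-05-24 09:06:02 june HEARTBEAT 10.0.0.12
2010-05-24 13:15:09 al LOGIN_FAIL 10.0.0.40
2010-05-24 13:15:12 al LOGIN_FAIL 10.0.0.40
2010-05-24 13:15:15 al LOGIN_FAIL 10.0.0.40
2010-05-24 13:15:18 al LOGIN_FAIL 10.0.0.40
2010-05-24 23:48:30 john LOGIN_OK 10.0.0.77
2010-05-24 23:49:01 john PERM_CHANGE 10.0.0.77
2010-05-25 02:10:00 may HEARTBEAT 10.0.0.51
"""

UNIMPORTANT = {"HEARTBEAT"}      # assumption: routine events that audit reduction drops
BUSINESS_HOURS = range(7, 19)    # assumption: 07:00-18:59 is the normal login window
FAIL_THRESHOLD = 3               # slide: account locks after 3 invalid passwords

def parse(log=LOG):
    """Turn each log line into a dict with a datetime timestamp."""
    events = []
    for line in log.splitlines():
        date, time, user, event, src = line.split()
        events.append({"ts": datetime.fromisoformat(f"{date} {time}"),
                       "user": user, "event": event, "src": src})
    return events

def audit_reduction(events):
    """Keep the events a reviewer needs to see; drop the routine noise."""
    return [e for e in events if e["event"] not in UNIMPORTANT]

def variance_detection(events):
    """Flag successful logins outside normal hours (the slide's 'login during night' case)."""
    return [(e["user"], e["ts"].strftime("%H:%M")) for e in events
            if e["event"] == "LOGIN_OK" and e["ts"].hour not in BUSINESS_HOURS]

def signature_detection(events, threshold=FAIL_THRESHOLD):
    """Flag (user, source) pairs whose failed-login count reaches the lockout threshold."""
    fails = Counter((e["user"], e["src"]) for e in events if e["event"] == "LOGIN_FAIL")
    return [(user, src, n) for (user, src), n in fails.items() if n >= threshold]

def review(log=LOG):
    """Run all three tools, as a periodic audit-trail review would."""
    events = audit_reduction(parse(log))
    return {"kept": len(events),
            "off_hours_logins": variance_detection(events),
            "failed_login_bursts": signature_detection(events)}
```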
Question
Audit trails:
1. Should be modifiable only by security administrators
2. Should be difficult to change (e.g., write-once)
3. Should only save important logs, using log reduction
4. Should avoid encryption to ensure no loss and quick access
Definitions extracted from: All-In-One CISA Exam Guide
HEALTH FIRST CASE STUDY
Designing Information Security
Jamie Ramon MD, Doctor
Chris Ramon RD, Dietician
Terry, Licensed Practicing Nurse
Pat, Software Consultant
Define Sensitivity Classification
Sensitivity Classification | Description | Information Covered
Proprietary | Protects competitive edge. Material is of critical strategic importance to the company and its dissemination could result in serious financial impact. |
Confidential | Information protected by law. Shall be made available or visible on a need-to-know basis only. Dissemination could result in financial liability or reputation loss. |
Privileged | Should be accessible to management or affected parties only. Could cause internal strife or external embarrassment if released: for use with particular parties within the organization. |
Public | Disclosure is not welcome, but would not adversely impact the organization, OR information is public record |
Define Sensitivity Classification
Items to classify:
Medical appointments
Credit card information
Budget
Personnel records
Patient treatment
Contracts & Licenses
Business Statistics
How should classes be treated?
Table 4.1.2: Handling of Sensitive Data
Aspect | Proprietary | Confidential | Privileged
Access | Need to know | Need to know | Need to know
Paper Storage | Locked cabinet, locked room if unattended | Locked cabinet, locked room if unattended | Locked cabinet or locked room if unattended
Disk Storage | Password-protected, encrypted | Password-protected, encrypted | Password-protected
Labeling and Handling | 'Confidential' label; clean desk, low voice, shut door policy | Clean desk, low voice, shut door policy | Clean desk, low voice, shut door policy
Transmission | Encrypted | Encrypted |
Archive | Encrypted | Encrypted |
Disposal | Degauss & damage disks; shred paper | Secure wipe, damage disks; shred paper | Reformat disks
Special | | |
Define Roles & Role-Based Access Control
Role Name | Information Access (e.g., Record or Form) and Permissions (e.g., RWX)
Records to consider:
Health Plan Eligibility: Health Plan; Eligibility: Active; Maximum Benefit; Co-Pay; Deductible; Exclusions; In-Plan Benefits; Out-of-Plan Benefits; Coordination of Benefits
Specific Procedure Request: Procedure; Coverage; Max. Coverage; Co-pay / Non-covered; Dates; Patient Resp Amounts
Information Asset Inventory
Asset Name: Course Registration
Value to Organization: Records which students are taking which classes
Location: IS Main Center
Security Risk Classification: Sensitive, Vital
IS Server: Peoplesoft
Data Owner (Who decides who should have access?):
Designated Custodian (Who takes care of backups and sys admin functions?):
Granted Permissions: Read: Department Staff, Advising; Read/Write: Students, Registration
Access is permitted at any time/any terminal
Workbook
Reference
Slide # | Slide Title | Source of Information
5 | Information Security Principles | CISA: page 117 – 119 & CISM: page 187
6 | Information Security Mgmt | CISM: page 94, 95
10 | Criticality Classification | CISA: page 127 Exhibit 2.18
16 | Storage & Destruction Confidential Information | CISA: page 346, 347
27 | Access Control Techniques | CISA: page 323, 385
31 | System Access Control | CISA: page 337
32 | Application-Level Access Control | CISA: page 337
34 | Password Rules | CISA: page 338, 339
36 | Admin & Login ID Rules | CISA: page 338, 339
37 | Single Sign On | CISA: page 341
39 | Biometrics | CISA: page 339
40 | Biometrics with Best Response & Lowest EER | CISA: page 339, 340
41 | Biometric Info Mgmt & Security (BIMS) Policy | CISA: page 341
48 | Backup & Offsite Library | CISA: page 301, 302
49 | Backup Rotation: Grandfather/Father/Son | CISA: page 303
50 | Incremental & Differential Backups | CISA: page 304
53 | Audit Trail Tools | CISA: page 345