Business Information Security Requirements
Fort Hays State University, Fort Hays, KS
Presented by Joshua Morrison
Information Security is…
Tolerating low levels of understood risk
Not just a function of the IT department
Focus of Research
Security strategy
Security objective
Security policy and its supporting documents: procedures, standards, guidelines, baselines
Business Information Security Requirements guide how high-level security policy is written
The CIA Triad
Confidentiality
Integrity
Availability
Confidentiality
Prevent unauthorized disclosure of information
Accomplished with access controls
▪ Login / identity verification
▪ File permissions
▪ Encryption
Integrity
Authenticity and accuracy of information; protection against unauthorized or accidental modification
Guaranteeing accuracy includes recovering from error or disaster to a recent stable state
▪ Data backup
▪ Version control
Availability
Information should be accessible to authorized entities whenever they need it
Requires failure recovery planning for hardware, software, and human failures; minimize downtime of critical systems
Information is meaningful data
Binary data (1/0) → interpretation → information
Principle of Least Privilege
"A particular abstraction layer must be able to access only the information and resources that are necessary for its legitimate purpose"
Greatly reduces the potential impact of a security breach, whether malicious or unintentional in nature
Provenance Principle
Preserving the original order and context of information
Applies to the underlying data structure
Ensures that information retains the properties of being functional and meaningful in multiple contexts
Critical vs non-critical data
Some data, such as Personally Identifiable Information (PII), can be categorized as generally critical; this is mandated by legal and regulatory concerns
Some data become critical within a given context. Example: data that has yet to be backed up, in the context of disaster recovery planning
Categorization is used to prioritize security planning
Risk Assessment
“the process of understanding and responding to factors that may lead to a failure in the confidentiality, integrity, or availability of an information system”
Measures the likelihood and impact of a particular information security failure
Can be qualitative, quantitative, or both
Some level of risk is assumed by any business
Risk Assessment pitfalls
Often perfunctory: counter by modeling real-world attack scenarios
Often based on speculation: use ongoing investigation and evidence instead
Often not assessed historically and continuously: develop a cycle for conducting risk assessment and analyze long-term trends
Security Requirements Analysis
Intensive technical vulnerability analysis; should be done by a highly competent IT security professional
Concerned with protecting internal resources from malicious attacks
Holistic approach to security requirements analysis, achieved by taking the perspective of the threat agent (attacker):
▪ Begin with the malicious desires (anti-goals) of the threat agent
▪ Develop a comprehensive attack pattern repository, or use an existing one such as MITRE's Common Attack Pattern Enumeration and Classification (CAPEC)
▪ Select security controls that address the vulnerabilities those attack patterns would exploit
Examples of widely exploited vulnerabilities, taken from Symantec's 2015 Internet Security Threat Report, that the attack pattern repository should cover:
▪ Heartbleed (CVE-2014-0160): memory disclosure in the OpenSSL cryptography library
▪ Shellshock (CVE-2014-6271): command injection in the Unix Bash shell
▪ POODLE (CVE-2014-3566): padding-oracle attack on SSL 3.0
Network Security
Humans represent significant network security challenges: attacks attempt to get the victim to give up sensitive data or perform unintended actions on behalf of the attacker
Confidence tricks, such as spoofed email authorship, are used to gain the trust of the victim
▪ Phishing
▪ Social engineering
Information security awareness training is the primary counter to these attacks, since technical controls cannot reliably distinguish a deceived user's actions from legitimate ones
Network Security
Passwords
Weak passwords are vulnerable to brute-force attacks and, when stored as unsalted hashes, to precomputed rainbow-table lookups
Very strong passwords are hard to remember, so some users resort to writing them down
Multi-factor authentication is best: pair the known password with another piece of authenticating evidence, such as a fingerprint
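The two password weaknesses above have a concrete mechanism behind them. The following is an added example, not material from the presentation: it shows why an unsalted hash falls to a precomputed table with a single lookup, and why a per-user random salt plus a deliberately slow hash (PBKDF2-HMAC-SHA256 from the Python standard library) makes that table useless and forces the attacker to pay the full work factor for every guess against every user. The password list and the lookup table are constructed for the demonstration; the table is a stand-in for a rainbow table (a real one stores hash chains to save space, but the outcome against unsalted hashes is the same).

```python
"""Added example (not from the original presentation): unsalted hashes versus
salted, slow hashes. Standard library only.

The lookup table below is a constructed stand-in for a rainbow table: real
rainbow tables store hash chains rather than every digest, but against
unsalted hashes the attacker's result is identical, an instant reversal.
"""
import hashlib
import hmac
import os

# Constructed list of weak passwords the attacker has precomputed.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2015"]

# Work factor for PBKDF2-HMAC-SHA256. Raise it until one verification costs
# tens of milliseconds on the hardware that will actually run it.
ITERATIONS = 100_000


def build_lookup_table(candidates):
    """Attacker side: map unsalted SHA-1 digest -> password, computed once."""
    return {hashlib.sha1(p.encode()).hexdigest(): p for p in candidates}


def legacy_store(password):
    """Weak scheme: unsalted SHA-1 of the password (common in breached sites)."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted(stored_hex, table):
    """One dictionary lookup reverses any password present in the table."""
    return table.get(stored_hex)


def hash_password(password, salt=None):
    """Defender side: 16 random salt bytes plus PBKDF2; self-describing output."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_salted(stored, candidates):
    """Attacker against the salted scheme. The precomputed table is useless
    because the salt was unknown when it was built, so every guess costs
    ITERATIONS hash rounds, for this one user only.
    Returns (recovered_password_or_None, guesses_made)."""
    for n, p in enumerate(candidates, start=1):
        if verify_password(p, stored):
            return p, n
    return None, len(candidates)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted SHA-1 reversed:", crack_unsalted(legacy_store("letmein"), table))
    h1, h2 = hash_password("letmein"), hash_password("letmein")
    print("same password, different stored values:", h1 != h2)
    print("salted scheme needs per-user guessing:", crack_salted(h1, COMMON_PASSWORDS))
```

Two users who choose the same weak password get different stored values, so a match in one record tells the attacker nothing about the other, and the iteration count is the knob that converts the "weak password" problem from a lookup into a per-guess cost. Salting and stretching do not rescue a password that is itself in the attacker's short list, which is why the slide's recommendation of a second factor still stands.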
Don't rely too heavily on network (perimeter) security
Protect data services within the network inside virtualized environments: virtual data centers (VDC) and committed application implementations, virtual application data centers (VADC)
These provide encapsulation for data services, making them more portable, flexible, and secure
Human-based IS vulnerabilities
People present a variety of challenges to information security planning
Stolen or lost laptops and mobile devices account for many data leaks
▪ Encrypt these devices or ensure that they remain in secure locations
Humans are targets for sophisticated social engineering attacks
▪ Workers must remain vigilant and informed about specific, current attacks
Information Security Training
Should be continuous: new threats are constantly being generated
Should be targeted
Should be measurable: necessary to gauge the effectiveness of training
Should promote positive attitudes about information security
Information security positive culture
The culture of a company is (Edgar Schein's definition) "a pattern of shared basic assumptions learned by a group as it solves problems of external adaptation and internal integration, which has worked well enough to be considered valid and, therefore, to be taught to new members as the correct way to perceive, think, and feel in relation to those problems"
Information security positive culture
Understanding policy alone will not ensure consistent compliance with policy; perceived cultural norms influence outcomes
Example: how consistently are security violations being reported?
▪ Influenced by social networking and peer relationships
▪ Consistency of reporting increases as this behavior is perceived as the cultural norm
Information Security Training and Awareness Approach (ISTAAP)
Information Security Culture Assessment (ISCA): a survey used to benchmark the level of information security culture in an organization
Empirical evidence supports the value of using ISTAAP to instill an information security-positive culture
Information Security Training and Awareness Approach (ISTAAP)
ISTAAP is cyclical with 4 main phases:
1. Planning and Objectives (PO)
2. Develop Training and Awareness (DTA)
3. Targeted Implementation (TI)
4. Evaluate Effectiveness (EE)
ISTAAP phases PO and DTA
PO: the Planning and Objectives phase derives training objectives from the company's security strategy, security policy, and regulatory requirements
DTA: Develop Training and Awareness; techniques include everything from hands-on training sessions to web-based training and email
ISTAAP phases TI and EE
TI: groups of stakeholders receive training on key concepts via their preferred method of delivery
EE: administer the ISCA again to determine the effect of the training on security culture as well as the effectiveness of the specific training actions; identify future training opportunities
Standards Based Information Security Models
Benefits of adopting an IS standard:
▪ Comprehensive and systematic approach
▪ Battle tested
▪ Can employ certified professionals to implement it
▪ Can effectively report the level of compliance with the standard
▪ Can purchase software to facilitate standard implementation
ISO/IEC 27001
Joint publication by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)
Controls-oriented information security standard: specifies requirements for an information security management system (ISMS), with a catalogue of controls in Annex A
Uses the plan-do-check-act cycle
International standard used in business and government
Has high-level support for policy
Defines a risk assessment procedure
ISO/IEC 27002
Separate document used with ISO/IEC 27001
Repository of security-related best practices (a code of practice for controls)
Comprehensive, covering non-IS topics (e.g., fire safety) as well as IS topics (e.g., removable media policy guidelines)
Compatible with other high-level standards besides ISO/IEC 27001
Recommended as a reference even with an in-house security strategy
Information security auditing
Evaluate the effectiveness of controls:
▪ Gather information about how a unit operates
▪ Identify points at which errors are possible
▪ Identify system controls designed to prevent or detect such occurrences (countermeasures)
Auditing concludes with testing and evaluating how well IS controls function
Regulatory / Legal concerns in IS
Business should seek to exceed the minimum standards set by state and federal regulations (HIPAA, OSHA, etc.)
The legal field of information security regulation is relatively young; case law is constantly being established
As information crosses state and national boundaries, more restrictive regulation may apply
Ethical concerns in IS
Obligations to stakeholders should be considered when writing IS policy
Communicate to stakeholders how their personal information is used by the company
Combine ethical concerns with regulatory concerns when considering changes to IS policy
Disaster recovery planning
Ensure the continued operation of critical workflow functions despite the loss of support systems
Disasters come from many sources: natural disaster, inadvertent action, deliberate action
A Six-Stage Business Continuity and Disaster Recovery Planning Cycle (Cook):
1. Emergency Operations
2. Insurance plan
3. Communication Plan
4. IT/SCM Infrastructure
5. Employee Relations
6. Legal and Regulatory
Data Breach Planning
1. Investigation of the incident
2. Identify and execute corrective measures
3. Identify applicable law
4. Determine if notifications are required
5. Notification and communication plan
Cloud Service Providers (CSP)
Offer low cost and high performance; ideal for big data
CSP security practices are often not transparent, and CSP security is typically not directly auditable by the client
Care must be taken to analyze the contracts and policies of CSP partners, since the business must trust them with sensitive information
Economic Factors
Business goals, and in turn IS goals, are prioritized by budgetary concerns, so accurate valuation of threats in risk assessment is very important
Human motivation aspects of economic theory should be considered in IS policy: incentives and liability
Writing IS Policy
Policies are high level
Documents that support policies are more granular: procedures, standards, guidelines, baselines
Conclusion
As predicted, it was possible to create a list of best practices regarding Business Information Security Requirements
Further research may yield more requirements or add additional scope to existing requirements
Business Information Security Requirements (1)
All 3 aspects of the Confidentiality, Integrity, and Availability (CIA) triad should be upheld
The Principle of Least privilege and the Provenance Principle should be upheld
It should be an easily understood document that is used as a reference point
It should be reviewed and modified as a company changes
Business Information Security Requirements (2)
Each iteration of the policy should be dated and archived
All persons who are subject to the policy must have easy access to it
It should support proper management of liability and incentives as they relate to IS
Determine if the proposed policy would require changes to the risk assessment or auditing cycles
Business Information Security Requirements (3)
Determine if the proposed policy would require changes to security requirements analysis, e.g. adding a new attack pattern to the attack pattern repository (CAPEC)
Determine if the proposed policy would comply with existing legal and regulatory restrictions
Determine if the proposed policy could negatively affect stakeholders
Business Information Security Requirements (4)
Determine if the proposed policy would circumvent the current network security posture
Determine if the policy is in compliance with all adopted security standards
Determine if the policy affects disaster recovery or data breach response planning
Determine if the policy requires any new security awareness training
Determine how the policy will impact information security culture
Determine if extraordinary security measures are required, e.g. assessing the security practices of a new cloud data provider