Security Management Practices
Lisa M. True, CISSP
November 17, 2003
Domain 3
Objectives for this Domain
- Concepts of Information Security Management
- Roles & Responsibilities
- Risk Management
- Security Policy Implementation
- The Information Classification Process
- Personnel Security Issues
- Security Awareness Training
Security Management Practices: Concepts of Information Security Management
The C.I.A. Triad: Confidentiality, Integrity, Availability
D.A.D.: Disclosure, Alteration, and Destruction
Security Definitions
Vulnerability: The absence or weakness of a risk-reducing safeguard
Threat: An event, the occurrence of which could have an undesired impact
Risk: Likelihood of a threat agent taking advantage of a vulnerability
Exposure: Being exposed to losses from a threat agent
Safeguard: Risk-reducing measure that acts to detect, prevent or minimize loss associated with the occurrence of a specific threat or category of threats
Relationships Between Different Security Components
(the relationship diagram, read as a cycle)
Threat Agent -- gives rise to --> Threat
Threat -- exploits --> Vulnerability
Vulnerability -- leads to --> Risk
Risk -- can damage --> Asset
Asset -- and causes an --> Exposure
Exposure -- can be countered by a --> Safeguard
Safeguard -- directly affects --> Threat Agent
Security Definitions
Identification: The means by which users claim their identities to a system. Most commonly used for access control, identification is necessary for authentication and authorization
Authentication: The testing or reconciliation of evidence of a user’s identity. It establishes the user’s identity and ensures the users are who they say they are
Accountability: A system’s ability to determine the actions and behavior of a single individual within a system, and to identify that particular individual
Authorization: The rights and permissions granted to an individual (or process), which enable access to a computer resource
Privacy: The level of confidentiality and privacy protection that a user is given in a system
Security Management Practices: Roles & Responsibilities
Roles and Responsibilities (clearly communicated and understood)

Role                 Description
Senior Management    Has the ultimate responsibility for security
InfoSec Officer      Has the functional responsibility for security
Owner                Determines the data classification
Custodian            Preserves the information's C.I.A.
User/Operator        Performs in accordance with (IAW) the stated policies
Auditor              Examines security
Security Management Practices: Risk Management
Risk Management
- Security risks start as soon as the power is turned on; the only way to deal with them is risk management
- Risks can be identified & reduced, but never eliminated
- No matter how secure you make a system, it can always be broken into given sufficient resources, time, motivation and money
- People are usually cheaper & easier to compromise than advanced technological safeguards
Risk Management
Risk management’s main function is to mitigate risk.
Mitigating risk means to reduce the risk until it reaches a level that is acceptable to an organization.
To identify risk, we categorize it into four basic elements:
- The actual threat
- The possible consequences of the realized threat
- The probable frequency of the occurrence of a threat
- The extent of how confident we are that the threat will happen
Qualitative and Quantitative
There are two different risk management metrics: qualitative and quantitative
- Quantitative risk management attempts to assign real numbers to the costs of countermeasures and the amount of damage
- Qualitative risk management is about assessing risk possibilities and ranking the seriousness of the threats and the sensitivity of assets
Risk Assessment
Since you can’t protect yourself if you do not know what you are protecting against, a risk assessment must be performed. A risk assessment answers 3 fundamental questions:
- Identify assets - What am I trying to protect?
- Identify threats - What do I need to protect against?
- Calculate risks - How much time, effort & money am I willing to expend to obtain adequate protection?
After risks are determined, you can then develop the policies & procedures needed to reduce the risks
Risk Analysis Formulas

Concept                               Derivation / Formula
Exposure Factor (EF)                  % of asset loss caused by threat
Single Loss Expectancy (SLE)          Asset Value x Exposure Factor (EF)
Annualized Rate of Occurrence (ARO)   Frequency of threat occurrence per year
Annualized Loss Expectancy (ALE)      Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO)
Identifying Assets
Tangibles: computers, communications equipment, wiring; data; software; audit records, books, documents
Intangibles: privacy; employee safety & health; passwords; image & reputation; availability; employee morale
Identifying Threats
- Earthquake, flood, hurricane, lightning
- Structural failure, asbestos
- Utility loss, i.e., water, power, telecommunications
- Theft of hardware, software, data
- Terrorists, both political and information
- Software bugs, malicious code, SPAM, mail bombs
- Strikes, labor & union problems
- Hackers, internal/external
- Inflammatory Usenet, Internet & web postings
- Employee illness, death
- Outbreak, epidemic
Calculating (Quantifying) Risks
This is the hard part. Insurance & historical records may help, but your actuary is your best friend.
How much damage did Kevin Mitnick do? Estimates range from $500,000 to $120,000,000
Review the risks
- Lists should be regularly updated
- Small changes in operations or corporate structure can have significant risk implications
- Changes such as location, vendor, etc., must be factored into the risk analysis
Risk Analysis Steps
1. Assign value to information and assets.
   a. What is the value of the asset to the company?
   b. How much does it cost to maintain it?
   c. How much does it make in profits for the company?
   d. How much would it be worth to the competition?
   e. How much would it cost to recreate or recover?
   f. How much did it cost to acquire or develop?
2. Estimate potential loss per risk.
   a. What physical damage can take place and how much would that cost?
   b. How much productivity can be lost and how much would that cost?
   c. What’s the value lost if confidential information is disclosed?
   d. What is the cost of recovering from a virus attack?
   e. What is the cost of recovering from a hacker attack?
   f. How much would it cost if critical devices failed?
   g. Calculate the single loss expectancy (SLE) for each risk and scenario.
3. Perform a threat analysis.
   a. Gather information about the likelihood of each risk taking place from people in each department, past records, and official security resources that provide this type of data.
   b. Calculate the probability of occurrence for each risk identified.
   c. Calculate the annualized rate of occurrence (ARO), which is how many times each risk could happen in a year.
4. Derive the overall loss potential per risk.
   a. Combine potential loss and probability.
   b. Calculate the annualized loss expectancy (ALE) per risk by using the information calculated in the first three steps.
5. Choose remedial measures to counteract each risk.
6. Reduce, assign, or accept the risk.
   a. Risk reduction methods.
      i. Install security controls and components.
      ii. Improve procedures.
      iii. Alter the environment.
      iv. Provide early detection methods to catch the risk as it’s happening and reduce the possible damage it can cause.
      v. Produce a contingency plan of how business can continue if a specific risk takes place, reducing the extent of the damage.
      vi. Erect barriers to the risk.
   b. Risk assignment.
      i. Buy insurance to transfer some or all of the risk.
   c. Risk acceptance or rejection.
      i. Live with the risks and spend no money towards protection.
Qualitative Scenario Procedures
- A scenario is written that addresses each major threat.
- The scenario is reviewed by business unit managers for a reality check.
- The RA team recommends and evaluates the various safeguards for each threat.
- The RA team works through each finalized scenario using a threat, asset, and safeguard.
- The team prepares their findings and submits them to management.
Qualitative Risk Analysis
Rating Level    Exposure Percentage
Blank or 0      No measurable loss
1               20% loss
2               40% loss
3               60% loss
4               80% loss
5               100% loss
Quantitative vs. Qualitative RA
Property                          Quantitative    Qualitative
Cost/benefit analysis             Yes             No
Financial hard costs              Yes             No
Can be automated                  Yes             No
Guesswork involved                Low             High
Complex calculations              Yes             No
Volume of information required    High            Low
Time/work involved                High            Low
Ease of communication             High            Low
Cost/Benefit Analysis
- Cost of a loss: often hard to determine accurately
- Cost of prevention: long term/short term
- Adding up the numbers: output of an Excel spreadsheet listing assets, risks & possible losses. For each loss, know its probability, predicted loss & the amount of money needed to defend against the loss
Safeguard Selection Criteria
- Cost/Benefit Analysis: (ALE before safeguard) - (ALE after safeguard) - (annual safeguard cost) = value of safeguard to organization
- Level of Manual Operations: amount of manual intervention required to operate the safeguard; automation increases reliability
- Auditability and Accountability Features
- Recovery Ability:
  - No asset destruction during activation or reset
  - No covert channel access to or through the control during reset
  - No security loss or increase in exposure after activation or reset
  - Defaults to a state that does not enable any operator access or rights until the controls are fully operational
- Vendor Relations: open source, no back doors, past performance
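As an added worked example (not from the slides), the risk analysis formulas, the 0-5 qualitative exposure rating table and the cost/benefit safeguard formula applied together to a hypothetical file server; the asset value, rating levels, ARO figures and safeguard cost are all constructed assumptions.

```python
"""Quantitative risk analysis: SLE, ALE and safeguard value.
Added worked example, not from the original slides. Asset value,
rating levels, ARO figures and safeguard cost below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One threat/asset pairing with the inputs the slide formulas need."""
    name: str
    asset_value: float   # AV, in dollars
    exposure_pct: int    # EF, percentage of the asset lost (0-100)
    aro: float           # Annualized Rate of Occurrence, events per year

def ef_from_rating(level: int) -> int:
    """Map the qualitative 0-5 rating level to its exposure percentage (1 -> 20% ... 5 -> 100%)."""
    if not 0 <= level <= 5:
        raise ValueError("rating level must be between 0 and 5")
    return level * 20

def sle(s: Scenario) -> float:
    """Single Loss Expectancy = Asset Value x Exposure Factor."""
    return s.asset_value * s.exposure_pct / 100

def ale(s: Scenario) -> float:
    """Annualized Loss Expectancy = SLE x ARO."""
    return sle(s) * s.aro

def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """(ALE before safeguard) - (ALE after safeguard) - (annual safeguard cost)."""
    return ale_before - ale_after - annual_cost

def decide(value: float) -> str:
    """A positive value means the safeguard pays for itself (reduce); otherwise accept or assign the risk."""
    return "reduce (implement safeguard)" if value > 0 else "accept or assign (insure)"

# Constructed scenario: a $200,000 file server exposed to a virus outbreak.
# Without anti-virus: rating level 3 (60% loss), expected twice a year.
BEFORE = Scenario("virus outbreak, no AV", 200_000, ef_from_rating(3), 2.0)
# With anti-virus: rating level 1 (20% loss), expected once every two years.
AFTER = Scenario("virus outbreak, with AV", 200_000, ef_from_rating(1), 0.5)
AV_ANNUAL_COST = 15_000  # hypothetical yearly licence and administration cost

def worked_example() -> dict:
    """Run the before/after comparison and return every intermediate figure."""
    before, after = ale(BEFORE), ale(AFTER)
    value = safeguard_value(before, after, AV_ANNUAL_COST)
    return {"sle_before": sle(BEFORE), "ale_before": before, "sle_after": sle(AFTER),
            "ale_after": after, "safeguard_value": value, "decision": decide(value)}

if __name__ == "__main__":
    for key, figure in worked_example().items():
        print(f"{key:16} {figure}")
```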
Security Management Practices: Security Policy Implementation
Information Security Policies
- Policy is perhaps the most crucial element in a corporate information security infrastructure
- Marcus Ranum defines a firewall as “the implementation of your Internet security policy. If you haven’t got a security policy, you haven’t got a firewall. Instead, you’ve got a thing that’s sort of doing something, but you don’t know what it’s trying to do because no one has told you what it should do”
- Corporate computing is a complex operation. Effective policies can rectify many of the weaknesses and faults
Senior Management Commitment
Fundamentally important to any security program’s success is senior management’s high-level statement of commitment to the information security policy process, and senior management’s understanding of how important security controls and protections are to the enterprise’s continuity. Senior management must be aware of the importance of security implementation to preserve the organization’s viability (and for their own “Due Care” protection), and must publicly support that process throughout the enterprise.
Policy Types
- Regulatory: ensures standards set by a specific industry, regulated by law
- Advisory: written to strongly suggest certain types of behaviors which should take place
- Informative: non-enforceable, written to inform of certain topics
Information Security Policies
Benefits:
- Ensure systems are utilized in the manner intended
- Ensure users understand their roles & responsibilities
- Control legal liability
Information Security Policies
Components of an effective policy:
- Title
- Purpose
- Authorizing individual
- Author/sponsor
- Reference to other policies
- Scope
- Measurement expectations
- Exception process
- Accountability
- Effective/expiration dates
- Definitions
Information Security Policies
How to ensure that policies are understood:
- Jargon free/non-technical language. Rather than “when creating software authentication codes, users must endeavor to use codes that do not facilitate nor submit the company to vulnerabilities in the event that external operatives break such codes”, use “passwords that are guessable should not be used”.
- Focused
- Job position independent
- No procedures, techniques or methods. Policy is the approach; the specific details & implementations should be in another document
- Responsibility for adherence. Users must understand the magnitude & significance of the policy. “I thought this policy didn’t apply to me” should never be heard.
Information Security Policies
How should policies be disseminated?
- New hires should get hard copies at orientation
- Rehires should go through orientation
- Periodic awareness training
- Hard copies
- Web/corporate intranet
- Brochures
- Videos
- Posters
- E-mail/voice-mail
Policy Hierarchy (strategic at the top, tactical at the bottom)
Senior Management Statement of Policy
  General Organizational Policies (general overviews)
    Functional Policies
      Mandatory Standards (specs. of hardware and software)
      Recommended Guidelines (recommended actions and operational guides)
      Detailed Procedures (step-by-step actions)
      Baselines
Security Management Practices: The Information Classification Process
Information Classification Benefits
- Demonstrates an organization's commitment to security protections
- Helps identify which information is the most sensitive or vital to an organization
- Supports the tenets of confidentiality, integrity, and availability as it pertains to data
- Helps identify which protections apply to which information
- May be required for regulatory, compliance, or legal reasons
Information Classification Procedures
1. Identify the administrator/custodian.
2. Specify the criteria of how the information will be classified and labeled.
3. Classify the data by its owner, who is subject to review by a supervisor.
4. Specify and document any exceptions to the classification policy.
5. Specify the controls that will be applied to each classification level.
6. Specify the termination procedures for declassifying the information or for transferring custody of the information to another entity.
7. Create an enterprise awareness program about the classification controls.
Classification Criteria
- Value: the most commonly used criterion in the private sector
- Age: classification may be lowered if value decreases over time
- Useful Life: information made obsolete by new information
- Personal Association: if information is personally associated with specific individuals or is addressed by a privacy law, it may need to be classified
Military Data Classification
Classification      Definition                                   Example
Top Secret          Cause grave damage                           Espionage data, weapon blueprints
Secret              Cause serious damage                         Troop plans, nuclear facilities
Confidential        Serious effects                              Secrets
Sensitive (BU)      Minor secret, may not cause serious effect   Medical data, test scores
Unclassified        Not sensitive or classified                  Recruiting info
Private Sector Data Classification
Classification   Definition                      Example
Sensitive        Protect from modification       Financial, project
Confidential     Company only                    Trade secrets, health care, code
Private          Personal info                   Work history, HR info, medical info
Proprietary      Could reduce competitive edge   Technical specs
Public           Everything else                 Upcoming projects
Other Data Classification Points
- With the exception of general business correspondence, all externally-provided information which is not public in nature must have a data classification system label
- All tape reels, floppy disks and other computer storage media containing secret, confidential, or private information must be externally labeled with the appropriate sensitivity classification
- Holders of sensitive information must take appropriate steps to ensure that these materials are not available to unauthorized persons (“open view”)
- “Need-to-know”
Distribution of Classified Information
- Court order
- Government contracts
- Senior-level approval (may need confidentiality agreement)
Security Management Practices: Personnel Security Issues
Personnel Security Terms
- Separation of duties: security is enhanced through the division of responsibilities
- Collusion: more than one person is needed to cause some type of fraud
- Job rotation: do not keep people in one position forever
Employment Policies & Practices
Background checks/security clearances: checking public records provides critical information needed to make the best hiring decision. Conducting these often simple checks verifies that the information provided on the application is current and true, and gives the employer an immediate measurement of an applicant’s integrity.
Background Checks
What a background check can potentially prevent:
- lawsuits from terminated employees
- lawsuits from 3rd parties or customers for negligent hiring
- unqualified employees
- lost business and profits
- time wasted recruiting, hiring and training
- theft, embezzlement or property damage
- money lost (to recruiters’ fees, signing bonus)
- negligent hiring lawsuit
- decrease in employee morale
- workplace violence, or sexual harassment suits
Background Checks
Who should be checked? Employee background checks should be performed for all sensitive positions. Information security staff in sensitive positions include those responsible for:
- firewall administration
- e-commerce management
- Kerberos administration
- SecurID & password usage
- PKI and certificate management
- router administration
Background Checks
What can be checked for an applicant:
- Credit report
- SSN searches
- Workers’ compensation reports
- Criminal records
- Motor vehicle report
- Education verification & credential confirmation
- Reference checks
- Prior employer verification
Military Security Clearance
Among the most meticulous background checks are those requiring a DoD security clearance. A defense security clearance is generally only requested for individuals in the following categories whose employment involves access to sensitive government assets:
- Members of the military
- Civilian employees working for the Department of Defense or other government agencies
- Employees of government contractors
Military Security Clearance
A DoD review, more correctly known as a personnel security investigation, is comprised of the following:
- a search of investigative files and other records held by federal agencies, including the FBI and, if appropriate, overseas countries
- a financial check
- field interviews of references (in writing, by telephone, or in person), to include coworkers, employers, personal friends, educators, neighbors, and other individuals, as appropriate
- a personal interview with the applicant conducted by an investigator
Employment Agreement
- Non-compete
- Non-disclosure
- Restrictions on dissemination of corporate information, i.e., to press, analysts, law enforcement
Hiring & Termination
- Policies and procedures should come down from HR
- Drug screening, personality tests
- Should address:
  - how to handle an employee’s departure
  - shutting down accounts
  - forwarding e-mail and voice-mail
  - lock and combination changes
  - system password changes
  - collecting keys, badges, …
Security Management Practices: Security Awareness Training
Security Awareness
Awareness:
- Live/interactive presentations
- Publishing/distribution
- Incentives
- Reminders
Training and Education:
- Security-related job training for operators and specific users
- Awareness training for specific departments or personnel groups with security-sensitive positions
- Technical security training for IT support personnel and system administrators
- Advanced InfoSec training for security practitioners and information systems auditors
- Security training for senior managers, functional managers, and business unit managers.
Thanks!
Any questions?