ISR Kranthi Final

Upload: kranthi-kumar

Post on 05-Apr-2018

8/2/2019 ISR Kranthi Final 1/18

Information Security Plan at ABCL
Kranthi Kumar 10BM60001

I. Introduction 3
   a. Importance given to IT in ABCL
   b. What is the concern
II. Information Security Plan 3
III. Framework 4
   a. Steps for Framework
   b. Fitting the security components into a framework
   c. Extension of the McCumber model with risk assessments
IV. Plan and Organize 7
   a. Risk Management
V. Implementation 14
   b. Security Policy
   c. Asset management
   d. Human resources management
   e. Physical and Environmental Management
   f. Communication and Operations Management
   g. Access Control
   h. Incident Management
   i. Disaster Recovery Management
   j. Compliance


    Introduction

ABCL is a progressive downstream oil company that has operated in India for over 70 years. It was nationalized as per the government policy of India.

    Importance given to IT in ABCL

- It has networked all of its over 400 locations and deployed all possible applications to reap benefits from IT.
- It has transformed into an IT-savvy ABCL.
- It has implemented state-of-the-art systems such as SAP, SCM, B2B and B2C.
- It has a rich intranet apart from specialized applications.

What is the concern

With increasing reliance on IT, top management became concerned with information security.

With the growth of the company to 6 SBUs, 3000 dealers and distributors, 5000 vendors and 5000 retail outlets, complexity is increasing and information is crossing organizational boundaries.

So there is a need for a comprehensive security plan for the company ABCL.

    Information Security Plan

An Information Security Plan (ISP) is designed to protect information and critical resources from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. Information Technology (IT) security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures, and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security.

This plan governs the privacy, security, and confidentiality of ABCL data, especially highly sensitive data, and the responsibilities of departments and individuals for such data. IT security measures are intended to protect information assets and preserve the privacy of ABCL employees, sponsors, suppliers, and other associated entities. Inappropriate use exposes ABCL to risks including virus attacks, compromise of network systems and services, and legal issues.

To effectively assess and implement a security plan in information technology (IT) systems, it is vital that a structured, information-centric process is followed.


    Framework:

This security plan is needed:

- to protect the confidentiality, integrity and availability of data and safeguard information assets and resources;
- to identify processes and techniques that promote secure communications and the appropriate protection of information;
- to establish a common information security program framework that is consistent with business needs.

This framework identifies the twelve key components that should be considered when implementing, reviewing, or seeking to improve the value of the information security plan. There are different ways of describing the life cycle of any process.

    Steps for Framework:

We will use the following steps:

- Plan and organize
  - Risk Management
- Implement
  - Security policies
  - Asset management
  - Human resource management
  - Physical and Environmental Management
  - Communication and Operations Management
  - Access Control
  - Incident Management
  - Disaster Recovery Management
  - Compliance


    Fitting the security components into a framework:

The McCumber Cube gives a framework to implement the information security plan. It gives the multi-dimensional view required to implement an information assurance program. The three dimensions are:

- Security services
- Information states
- Countermeasures

Viewing the cube from different angles provides a way to consider risk from different perspectives. The three primary aspects of the cube involve:

Information states: These represent the various forms in which information can be found within a system. Information is the fundamental aspect of what it is that must be protected.

- Processing: information held in volatile memory or currently manipulated through the processor
- Storage: this generally refers to non-volatile storage such as files on hard drives or backup media
- Transmission: information transiting network media

Countermeasures: These are elements which can be used to defend a system from attack and to protect information in its various states.

- People: all individuals associated with a system, including administrators and users
- Policies and practices: documented policies and procedures used to guide people interacting with the system; workflows, separation of duties, and least privilege
- Technology: hardware and software which comprise the system, such as operating systems, applications, networking devices, and security tools


Security services: These are the ultimate security goals of a system. They are not concrete but intangible.

- Confidentiality: protecting information from unauthorized or unintended disclosure
- Integrity: a quality which prevents the unauthorized alteration or destruction of information
- Availability: the ability to retrieve requisite information in a timely manner for an authorized user

The McCumber Cube can be used by selecting a desired security service and considering what countermeasures must be implemented to protect the affected information states. This can be viewed as follows.

Example:

Let us view the model for the service of availability, which is one of the security services in the model.

Network Availability:

Attack -> Information state -> Countermeasures -> Security goal

Attack: Denial of Service
Information state: Transmission
Countermeasures:
  Technology: intrusion detection
  Policy: monitoring
  People: incident response
Security goal: Availability
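As an added illustration of working through the cube this way (this code is not part of the original plan), the following Python builds the 3x3x3 grid of security services, information states and countermeasure types, tags a constructed set of controls with the cells they cover, and reports which cells a chosen service leaves without a people, policy or technology countermeasure. The control names are made-up sample data; the availability-over-transmission row reproduces the denial-of-service example above.

```python
"""Added example (not from the original plan): coverage check over the
McCumber Cube of security services x information states x countermeasures."""
from itertools import product

SERVICES = ("confidentiality", "integrity", "availability")
STATES = ("processing", "storage", "transmission")
COUNTERMEASURES = ("people", "policy", "technology")

# Constructed sample control set, each tagged with the cube cell it covers:
# (control name, security service, information state, countermeasure type).
SAMPLE_CONTROLS = [
    ("intrusion detection", "availability", "transmission", "technology"),
    ("network monitoring procedure", "availability", "transmission", "policy"),
    ("incident response team", "availability", "transmission", "people"),
    ("disk encryption", "confidentiality", "storage", "technology"),
    ("TLS on all links", "confidentiality", "transmission", "technology"),
    ("backup integrity checks", "integrity", "storage", "technology"),
    ("least-privilege policy", "confidentiality", "processing", "policy"),
]


def build_cube(controls):
    """Map every (service, state, countermeasure) cell to the controls covering it."""
    cube = {cell: [] for cell in product(SERVICES, STATES, COUNTERMEASURES)}
    for name, service, state, kind in controls:
        cell = (service, state, kind)
        if cell not in cube:
            raise ValueError(f"control {name!r} is tagged with an unknown cell {cell}")
        cube[cell].append(name)
    return cube


def view_service(cube, service):
    """Slice the cube for one security service (the 'select a desired security
    service' step): information state -> countermeasure type -> control names."""
    return {
        state: {kind: list(cube[(service, state, kind)]) for kind in COUNTERMEASURES}
        for state in STATES
    }


def uncovered_cells(cube, service=None):
    """Cells with no control at all, optionally restricted to one service."""
    return sorted(
        cell for cell, names in cube.items()
        if not names and (service is None or cell[0] == service)
    )


def states_with_gaps(cube, service):
    """Information states of a service that lack at least one countermeasure type."""
    return sorted({cell[1] for cell in uncovered_cells(cube, service)})


if __name__ == "__main__":
    cube = build_cube(SAMPLE_CONTROLS)
    for state, kinds in view_service(cube, "availability").items():
        print(state, kinds)
    print("availability gaps:", states_with_gaps(cube, "availability"))
```

With the sample set, availability is fully covered for information in transmission but has no countermeasure of any kind for information being processed or stored, which is exactly the question the "view the cube from a chosen service" step is meant to surface.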


Extension of the McCumber model with risk assessments

This model could also be used in a risk framework to ascertain the level of risk present for any given situation in a network environment. The perceived risks, coupled with their likelihood, could be used with this McCumber Cube extension to evaluate system risk.

    Plan and Organize

Risk management:

Risk Management refers to the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level. A risk management program is an essential management function and is critical to successfully implementing and maintaining an acceptable level of security.

Detailed Outline of the Risk Assessment Process

1. Identify business processes:

a. The risk methodology determines risk for a particular business process. It is the business processes that are the foundation of the company's business, and therefore risk should be defined in regard to these processes.

b. This methodology will tie the business processes to the assets they rely on, to the architecture that supports the assets, and to the vulnerabilities of the architecture. Together this will lead to a determination of the risks of the business process.

2. Determine operational concerns:

a. There are three operational concerns to be considered:

i. Confidentiality: the privacy and protection of data from unauthorized access or exposure.

ii. Integrity: the accuracy of the data or systems used by your organization.

iii. Availability: the accessibility of an asset for its intended use at a given point in time.

b. These operational concerns apply to the business process, not to each individual asset. The operational concerns are defined with regard to the output of the business process.

Threat -> Likelihood -> Countermeasures -> Risk


The output after these two steps follows this template:

Business Process                 | Operational concern
---------------------------------|--------------------
Marketing planning and execution | Availability
Refinery operations              | Confidentiality

3. Identify or define assets:

a. Each business process relies on multiple assets. Identify the assets and data items that are part of this business process.

b. Although the majority of assets that will be identified will be informational, an asset can be of the following types:

i. Informational: most assets that are defined will be informational; they will be data objects.

ii. Functional: for example, an Internet connection can be a functional asset.

iii. Physical: any physical component or equipment can be an asset.

4. For each asset determine:

- Business role.
- Logical data flow.
- User population.
- Access rights and controls:
  i. Physical access.
  ii. Logical access.
- Supporting architecture:
  i. System and network hardware.
  ii. System and network operating systems.
  iii. System and network applications.
  iv. Network protocols.
  v. System connectivity.
  vi. Physical environment.

5. Assign asset measurements:

a. Each asset will be rated for sensitivity and criticality with regard to the critical process in question.


b. The two asset measurements will be rated on a scale of 1 to 5 (1 not important, 5 extremely important):

i. Sensitivity: the relative measurement of damage to the business process if the asset were disclosed to unauthorized users, such as competitors.

ii. Criticality: the relative measurement of how crucial the asset is to the accomplishment of the business process.

6. Determine importance:

a. Importance is a subjective rating of high, medium, low, or none assigned to each asset.

b. This rating determines the importance of the asset to the business process.

c. The importance rating is determined from the asset measurements assigned in the previous step and a subjective analysis of those values.

i. Although the value assigned to each asset measurement will be independent of the operational concerns of the business process, the importance rating will have to consider the operational concerns.

A. For example, an asset with a sensitivity value of 4 and a criticality value of 1 may have an importance rating of high, if sensitivity is more of a concern to the process than criticality. On the other hand, if sensitivity is of low concern and criticality is of higher concern, then the importance rating will be low.

B. There is no mathematical way to determine the importance rating; the factors above have to be combined with an awareness of the organization's business and operations to determine the rating that makes the most sense.

Template for Asset classification (one row per asset, with these columns):

Asset | Type (informational/physical/logical) | Business role | Access controls | Supporting architecture | Sensitivity (1 to 5) | Criticality (1 to 5) | Importance (high, medium, low)


Identify Threats and Vulnerabilities

First, identify threats that could exploit system vulnerabilities. Identify all possible environmental, physical, human, natural, and technical threats. Consider the system's connections, dependencies on other systems, inherited risks and controls, risks from software faults, staff errors and malicious intent, and such factors as proximity to the Internet, incorrect file permissions, and risks from maintenance procedures and personnel changes.

Next, consider the potential vulnerabilities associated with each threat, to produce a threat/vulnerability pair. A vulnerability can be associated with one or more threats. Collect input from previous risk assessments, audits, system deficiency reports, security advisories, scanning tools, security test results, system development testing, and industry and government listings.

Describe Risks

Describe how each vulnerability creates a risk to the system in terms of the confidentiality, integrity, availability and accountability elements that may result in a compromise of the system.

Identify Existing Controls

Identify existing controls that reduce the likelihood or probability of a threat exploiting a system vulnerability, and/or reduce the magnitude of impact of the exploited vulnerability on the system. Existing controls may be management, operational or technical controls depending on the threat/vulnerability and the risk to the system.

Determine Likelihood of Occurrence

Estimate the likelihood that a threat will exploit a vulnerability. Likelihood of occurrence is based on a number of factors that include system architecture, system environment, information system access and existing controls; the presence, motivation, tenacity, strength and nature of the threat; the presence of vulnerabilities; and the effectiveness of existing controls.

Refer to this table when estimating the likelihood that the threat will be realized and exploit the vulnerability on the system.

Likelihood of Occurrence Levels

Likelihood | Description
-----------|-------------------------------------------------
Negligible | Unlikely ever to occur
Very Low   | Likely to occur two/three times every five years
Low        | Likely to occur once every year or less
Medium     | Likely to occur once every six months or less
High       | Likely to occur once per month or less
Very High  | Likely to occur multiple times per month
Extreme    | Likely to occur multiple times per day

Determine Severity of Impact

Determine the magnitude or severity of impact on the system's operational capabilities and the information it handles, if the threat is realized and exploits the associated vulnerability. Determine the severity of impact for each threat/vulnerability pair by evaluating the potential loss in each security category (confidentiality, integrity, availability, auditability, accountability).

Impact Severity Levels

Severity      | Description
--------------|------------------------------------------------------------------------------------------
Insignificant | Little or no impact
Minor         | Minimal effort to repair, restore or reconfigure
Significant   | Small but tangible harm, maybe noticeable by a limited audience, some embarrassment, some effort to repair
Damaging      | Damage to reputation, loss of confidence, significant effort to repair
Serious       | Considerable system outage, loss of connected customers, business confidence, compromise of a large amount of information
Critical      | Extended outage, permanent loss of resource, triggering business continuity procedures, complete compromise of information

Determine Risk Levels

Risk level is the likelihood of occurrence multiplied by the severity of impact. The final value is subject to the system's business and technical owners' discretion.

Risk determination

For each threat/vulnerability pair, assess the following:

- Likelihood of the threat attempting to exercise the vulnerability;
- Magnitude of impact if the threat/vulnerability exploit is successful;
- Adequacy of planned or existing security controls for reducing or eliminating risk;

  Note: The project team must decide whether to use only currently implemented controls for this analysis, or to include controls that are budgeted and scheduled for installation, and document that decision in the Report.

- Resulting risk to the information on the system from the threat and vulnerability.


Recommend Controls and Safeguards

Identify controls and safeguards to reduce the risk presented by each threat/vulnerability pair with a moderate or high risk level as identified in the Risk Determination phase. When identifying a control or safeguard, consider:

1. Security area where it belongs, such as management, operational, technical.
2. Method it employs to reduce the opportunity for the threat to exploit the vulnerability.
3. Its effectiveness in mitigating the risk to information.
4. Policy and architectural parameters required for its implementation in the environment.
5. Information security category (confidentiality, integrity, availability, access control, audit, etc.) to which the safeguard applies.
6. Whether the cost of the safeguard is commensurate with its reduction in risk.

If more than one safeguard is identified for the same threat/vulnerability pair, list them in this column in separate rows and continue with the analysis steps. The residual risk level must be evaluated during this phase of the assessment and may be further evaluated in risk management activities outside the scope of this project.

If the recommended safeguard cannot be completely implemented in the environment due to cost, management, operational or technical constraints, document the circumstances and continue with the analysis.

Consider control elements implemented as policies and procedures, training, and improved policy enforcement.

Determine Residual Likelihood of Occurrence

Follow the directions in section 2.4 of the Risk Determination phase, while assuming the selected safeguard has been implemented.

Determine Residual Severity of Impact

Follow the directions of the Risk Determination phase while assuming the selected safeguard has been implemented.

Determine Residual Risk Levels

Determine the residual risk level for the threat/vulnerability pair and its associated risk once the recommended safeguard is implemented. The residual risk level is determined by examining the likelihood of occurrence of the threat exploiting the vulnerability and the impact severity factors in the categories of Confidentiality, Integrity and Availability.

Follow the directions of the Risk Determination phase to determine the residual risk level once the recommended safeguard is implemented.

Depending on the nature and circumstances of threats and vulnerabilities, a recommended safeguard may reduce the risk level to Low.


For new systems, the next steps would include creating a sensitivity assessment, system security requirements, a risk assessment report, and a system security plan in the SDLC.

The following risk register template shows all the threats and vulnerabilities, their risk levels and the corresponding strategies.
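The following Python is an added example, not the plan's own register, of carrying the risk determination and residual-risk steps above through in code: each threat/vulnerability pair gets a likelihood level and an impact level per security category, inherent risk is likelihood multiplied by severity, and residual risk is the same calculation re-done with the levels re-estimated on the assumption that the recommended safeguard is in place. Because the plan only states that risk is likelihood multiplied by severity and leaves the final value to the owners' discretion, the numeric ranks (1 to 7 for the likelihood table, 1 to 6 for the impact table) and the Low/Moderate/High bands are assumptions made for this example; the register entries are constructed sample data, the first of which mirrors the network-availability example earlier in the plan.

```python
"""Added example (not the plan's own register): inherent and residual risk for
threat/vulnerability pairs, using the likelihood and impact level tables above.
Numeric ranks and risk bands are assumptions made for this example."""
from dataclasses import dataclass, field

# Assumed ordinal ranks for the plan's seven likelihood and six impact levels.
LIKELIHOOD = {
    "Negligible": 1, "Very Low": 2, "Low": 3, "Medium": 4,
    "High": 5, "Very High": 6, "Extreme": 7,
}
IMPACT = {
    "Insignificant": 1, "Minor": 2, "Significant": 3,
    "Damaging": 4, "Serious": 5, "Critical": 6,
}
SECURITY_CATEGORIES = ("confidentiality", "integrity", "availability",
                       "auditability", "accountability")


def risk_score(likelihood, impacts):
    """Risk = likelihood x severity, with severity taken as the worst loss
    across the security categories rated for the pair."""
    if likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown likelihood level {likelihood!r}")
    if not impacts:
        raise ValueError("at least one security category must be rated")
    for category, level in impacts.items():
        if category not in SECURITY_CATEGORIES or level not in IMPACT:
            raise ValueError(f"bad impact rating {category!r}: {level!r}")
    severity = max(IMPACT[level] for level in impacts.values())
    return LIKELIHOOD[likelihood] * severity


def risk_level(score):
    """Assumed banding of the 1..42 product into the Low/Moderate/High levels
    the plan refers to; the plan leaves the final value to the owners' discretion."""
    if score >= 20:
        return "High"
    if score >= 8:
        return "Moderate"
    return "Low"


@dataclass
class RegisterEntry:
    business_process: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impacts: dict                      # security category -> impact level
    existing_controls: list = field(default_factory=list)
    # Recommended safeguard, with likelihood and impacts re-estimated on the
    # assumption that the safeguard has been implemented.
    safeguard: str = ""
    residual_likelihood: str = ""
    residual_impacts: dict = field(default_factory=dict)

    def inherent(self):
        score = risk_score(self.likelihood, self.impacts)
        return score, risk_level(score)

    def residual(self):
        if not self.safeguard:
            return self.inherent()
        score = risk_score(self.residual_likelihood, self.residual_impacts)
        return score, risk_level(score)


def pairs_needing_safeguards(entries):
    """Pairs at Moderate or High inherent risk, which the plan says must get a
    recommended control or safeguard."""
    return [e for e in entries if e.inherent()[1] in ("Moderate", "High")]


def register_rows(entries):
    """Flatten the register into (asset, threat, inherent level, residual level)."""
    return [(e.asset, e.threat, e.inherent()[1], e.residual()[1]) for e in entries]


# Constructed sample register; the first entry mirrors the network-availability
# example (denial of service against information in transmission).
SAMPLE_REGISTER = [
    RegisterEntry("Marketing planning and execution", "B2B order portal",
                  "Denial of service", "internet-facing link has no rate limiting",
                  "High", {"availability": "Serious"},
                  existing_controls=["perimeter firewall"],
                  safeguard="intrusion detection, monitoring policy, incident response team",
                  residual_likelihood="Low", residual_impacts={"availability": "Minor"}),
    RegisterEntry("Refinery operations", "Process data historian",
                  "Insider disclosure", "shared service account",
                  "Medium", {"confidentiality": "Damaging", "accountability": "Significant"},
                  safeguard="individual accounts with least privilege",
                  residual_likelihood="Very Low",
                  residual_impacts={"confidentiality": "Damaging", "accountability": "Minor"}),
    RegisterEntry("Marketing planning and execution", "Office file share",
                  "Accidental deletion", "no file versioning",
                  "Low", {"integrity": "Minor"}),
]

if __name__ == "__main__":
    for row in register_rows(SAMPLE_REGISTER):
        print(row)
```

Two points the numbers bring out: a safeguard that lowers likelihood but not impact (the historian entry, where disclosure of the data would still be Damaging) can leave a pair at Moderate residual risk, which is why the plan says the residual level "may" rather than "will" drop to Low; and the bands themselves are the part a system owner would want to sign off on, since the same product of 8 sits at the Low/Moderate boundary.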

Implementation:

Security Policy

The objective of the information security policy is to provide management direction and support for information security in accordance with business requirements and governing laws and regulations. Information security policies will be approved by management, and published and communicated to all employees and relevant external parties. These policies will set out the approach to managing information security and will align with relevant statewide policies.

Information security policies will be reviewed at planned intervals or if significant changes occur, to ensure their continuing suitability, adequacy, and effectiveness. Each policy will have an owner who has approved management responsibility for the development, review, and evaluation of the policy. Reviews will include assessing opportunities for improvement of information security policies and the approach to managing information security in response to changes to the company's environment, new threats and risks, business circumstances, legal and policy implications, and the technical environment.

The following are some of the security policies implemented to control information security:

- Information Security Compliance Policy
- Acceptable Use of Information Technology Resources
- Confidentiality Agreement
- Information Security Roles & Responsibilities
- Data Classification & Handling Policy
- Identity and Access Management Policy
- Password Standards
- Backup & Recovery Guidelines
- Data Sanitization Guidelines
- Media Destruction Procedure

Asset management

Information assets:

It is a requirement of Information Standard 44, Information asset custodianship (IS44), that the company identify its information assets and establish and maintain an information asset register. The company may wish to use this register, or establish a separate one, to record the information security classification of its information assets. For information assets that are public records, their retention and disposal must be managed in accordance with a retention and disposal schedule approved by the state archivist.

Control of technology devices

It is a requirement of the Information Security Policy Mandatory Clauses that the company identify its ICT assets, document them and assign owners for the maintenance of information security controls. ICT assets must be assigned information security controls commensurate with the highest level of security classification applied to the information assets contained within or transmitted via the ICT asset.

Human resources management

Pre-employment

Depending on the nature of the business, consideration should be given as to whether:

- specific information security clauses should be included in terms and conditions of employment (e.g. responsibilities and disciplinary processes);
- additional scrutiny is required during the recruitment and selection phase for positions involving exposure to classified or sensitive information or where relevant legislation is in place (e.g. security assessments and criminal history checks).

During employment

Induction, training and awareness programs

The information security induction, training and awareness program should:

- address all levels of staff and all areas of the agency;
- cover the following:
  - general employee responsibilities
  - information security responsibilities concerned with particular
  - the correct operation of information systems and ICT facilities and devices
  - reporting of information security events, weaknesses and incidents
  - information security related responsibilities within the agency code of conduct and the disciplinary penalties for breaches.

Post-employment

It is recommended that the company also ensure that procedures are in place for termination of employment.

To meet this requirement, it is suggested that agencies implement:

- exit interviews that ensure the employee understands their continuing responsibilities for maintaining information confidentiality; and
- separation checklists that confirm:
  - the exit interview has been conducted;
  - all company property has been returned (e.g. access cards/keys, credit cards, mobile phones);
  - the employee's user ID has been disabled and access rights revoked.

Physical and Environmental Management

Building controls and secure areas

The level of building and secure area controls to be implemented would depend on the classification of the information assets stored.

Equipment security

The level of controls to be applied to agency equipment would depend on the classification of the information assets the equipment stores. The company should provide some guidance with regard to the following controls:

- preparation and handling
- removal from the workplace and monitoring
- discussing classified information (including telephone and video conference)
- copying and storage
- electronic transmission
- archive and disposal

Communication and Operations Management

Responsibilities and procedures for the management and operation of all information processing facilities will be established. As a matter of policy, segregation of duties will be implemented, where appropriate, to reduce the risk of negligent or deliberate system or information misuse. Precautions will be used to prevent and detect the introduction of malicious code and unauthorized mobile code, to protect the integrity of software and information. To prevent unauthorized disclosure, modification, removal or destruction of information assets, and interruption to business activities, media will be controlled and physically protected. Procedures for handling and storing information will be established and communicated to protect information from unauthorized disclosure or misuse. Exchange of sensitive information and software with other agencies and organizations will be based on a formal exchange policy. Media containing information will be protected against unauthorized access, misuse or corruption during transportation beyond the company's physical boundaries.

The company should manage:

- Application integrity
- Backup procedures
- Network security
- Media handling
- Information exchange
- eCommerce

Access Control

Access to information, information systems, information processing facilities, and business processes will be controlled on the basis of business and security requirements. Formal procedures will be developed and implemented to control access rights to information, information systems, and services to prevent unauthorized access. Users will be made aware of their responsibilities for maintaining effective access controls, particularly regarding the use of passwords. Users will be made aware of their responsibilities to ensure unattended equipment has appropriate protection. A clear desk policy for papers and removable storage devices and a clear screen policy will be implemented, especially in work areas accessible by the public. Steps will be taken to restrict access to operating systems to authorized users. Protection will be required commensurate with the risks when using mobile computing and teleworking facilities.

The company should incorporate some of the following to manage access control:

- Access control policy
- Authentication
- User access
- User responsibilities
- Network access
- Operating system access
- Application and information access

Incident Management

Information security incidents will be communicated in a manner allowing timely corrective action to be taken. Formal incident reporting and escalation procedures will be established and communicated to all users. Responsibilities and procedures will be established to handle information security incidents once they have been reported.

Event/weakness reporting

Companies should develop their policies and/or procedures for information security event and weakness reporting.

Incident procedures

Companies should develop their procedures to manage information security incidents.

Disaster Recovery Management

The objective of business continuity management is to counteract interruptions to business activities, to protect critical business processes from the effects of major failures of information systems or disasters, and to ensure their timely resumption. A business continuity management process will be established to minimize the impact on the company and recover from loss of information assets to an acceptable level through a combination of preventive and recovery controls. A managed process will be developed and maintained for business continuity throughout the agency that addresses the information security requirements needed for company business continuity.

Compliance

Legal requirements

The company should manage its information security related legal requirements. However, this is no replacement for agencies seeking legal advice from their internal legal section on the specific legal requirements that apply to them.

Policy requirements

Information security policies, procedures and compliance should be reviewed and reported on to appropriate management at least annually, to ensure the reliability and overall effectiveness of the security controls for all information systems, network infrastructures and applications.

Audit requirements

The company should ensure that appropriately qualified personnel are assigned to audit the compliance of the information environment against the company's policies, processes and industry technical standards, to ensure appropriate security levels are maintained. These personnel should, where practical, not be involved in the operational information or systems environment of the company.