
Page 1: Safeguards Frameworks and Controls - J. Mack … Frameworks and Controls ... • Common Criteria ISO/IEC 27000 Library of Standards ... Management System (ISMS) ISO 27001

Safeguards Frameworks and Controls

Richard Baskerville

Theory of Secure Information Systems

Features: Safeguards and Controls

[Figure: Theory of Secure Information Systems. Three indexed sets, T (T1 … Tn), F (F1 … Fl) and O (O1 … Om), combined as T, F, O.]

Security Functions

• Loss avoidance

• Deterrence

• Loss prevention

• Loss detection

• Recovery

• Vulnerability correction

Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5), 46-49.

Basic Attributes of Security

Baskerville, R., & Sainsbury, R. (2005, 11-12 July). Securing Against the Possibility of an Improbable Event: Concepts for Managing Predictable Threats and Normal Compromises. Paper presented at the European Conference on Information Warfare and Security, Glamorgan University, UK.

PREVENTATIVE: Eliminate serious threats, prevent attacks, limit intrusion scope, e.g. anti-virus, encryption, firewalls, passwords and biometric ID systems.

RESTORATIVE: Respond quickly or actively to unprotected security problems, restoration of the system after attack, e.g. data backups, drive images, mirrored servers, extra staff.
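The slide's T/F/O model and its preventative/restorative split can be operationalised as a coverage check over a control register: each safeguard (F) is recorded with the Parker function it performs, the threats (T) it addresses and the objects (O) it protects, and the check reports every threat/object pair that lacks a preventative or a restorative safeguard. The block below is an added example, not code from the slides or from Baskerville; it assumes T denotes threats and O denotes protected objects, groups Parker's six functions under the slide's two classes (an assumption of this example), and uses a constructed register for input.

```python
"""Safeguard coverage check over a T x F x O control register.

Added example, not from the original slides. Assumes the slide's T/F/O
diagram means Threats (T), security Features/safeguards (F) and protected
Objects (O), and that each safeguard is classed PREVENTATIVE or
RESTORATIVE as on the slide. All register data below is constructed.
"""
from dataclasses import dataclass
from itertools import product

# Parker (1984) security functions, grouped under the slide's two classes.
# The grouping itself is this example's assumption, not Parker's or the slide's.
PREVENTATIVE = {"loss avoidance", "deterrence", "loss prevention"}
RESTORATIVE = {"loss detection", "recovery", "vulnerability correction"}
FUNCTIONS = PREVENTATIVE | RESTORATIVE
BOTH = {"PREVENTATIVE", "RESTORATIVE"}


@dataclass(frozen=True)
class Safeguard:
    name: str
    function: str          # one of Parker's six functions
    threats: frozenset     # T values the safeguard addresses
    objects: frozenset     # O values it protects

    def __post_init__(self):
        if self.function not in FUNCTIONS:
            raise ValueError(f"{self.name}: unknown function {self.function!r}")

    @property
    def klass(self) -> str:
        return "PREVENTATIVE" if self.function in PREVENTATIVE else "RESTORATIVE"


def coverage_gaps(threats, objects, safeguards):
    """Return {(threat, object): missing_classes} for every T x O pair that
    lacks at least one preventative or one restorative safeguard."""
    covered = {pair: set() for pair in product(threats, objects)}
    for s in safeguards:
        # Only count the pairs this safeguard actually spans.
        for t in s.threats & frozenset(threats):
            for o in s.objects & frozenset(objects):
                covered[(t, o)].add(s.klass)
    return {pair: BOTH - have for pair, have in covered.items() if have != BOTH}


# Constructed register (hypothetical threats, objects and safeguards).
THREATS = ["malware", "disk failure", "unauthorised access"]
OBJECTS = ["file server", "workstation"]
REGISTER = [
    Safeguard("anti-virus", "loss prevention",
              frozenset({"malware"}), frozenset(OBJECTS)),
    Safeguard("nightly backups", "recovery",
              frozenset({"malware", "disk failure"}), frozenset({"file server"})),
    Safeguard("passwords", "loss prevention",
              frozenset({"unauthorised access"}), frozenset(OBJECTS)),
    Safeguard("mirrored server", "recovery",
              frozenset({"disk failure"}), frozenset({"file server"})),
]

if __name__ == "__main__":
    for (t, o), missing in sorted(coverage_gaps(THREATS, OBJECTS, REGISTER).items()):
        print(f"{t:>20} / {o:<12} missing: {', '.join(sorted(missing))}")
```

On the constructed register the check reports that workstations have no restorative safeguard against malware, that disk failure on the file server has only restorative cover, that disk failure on workstations has none at all, and that unauthorised access has no restorative cover anywhere; a register with the same safeguards listed only by name would hide all four gaps.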


Information Security Standards

• ISO/IEC 27001

• ISO/IEC 27002 (17799)

• COBIT

• ITIL

• PCI

• NIST

• Common Criteria

[Figure: ISO/IEC 27000 library of standards]

Guidance and Standards: Examples

• Quality Standards

– ISO/IEC 27001

• Technical Standards

– ISO/IEC 27002

• Professional Standards

– COBIT (Control Objectives for IT), a generally applicable and accepted standard for good information technology security and control practices in organizations.

• Industry Practices and Standards

– ITIL (IT Infrastructure Library)

– Payment Card Industry (PCI) Standard

– NIST 800-12 Computer Security Handbook

• Qualification Criteria

– ITSEC, TCSEC, Common Criteria

Quality Standards

Example: ISO/IEC 27001


ISO/IEC 27001

This standard has evolved toward the development of management systems for information security and provides a stronger basis for third-party audit and certification. It offers a managerially-oriented complement to the technologically-oriented ISO/IEC 27002.

Structure of the Information Security Management System (ISMS), ISO 27001

• Leadership - top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities.

• Planning - outlines the process to identify, analyze and plan to treat information security risks, and clarifies the objectives of information security.

• Support - adequate, competent resources must be assigned, awareness raised, and documentation prepared and controlled.

• Operation - assessing and treating information security risks, managing changes, and documenting activities (partly so that they can be audited by the certification auditors).

• Performance evaluation - monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate.

• Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective actions), and make continual refinements to the ISMS.

Technical Standards

ISO/IEC 27002:2013

ISO/IEC 27002

• Security Policy

• Organization of Information Security

• Human Resources Security

• Asset Management

• Access Control

• Cryptography

• Physical And Environmental Security

• Operations security

• Communications Security

• Information Systems Acquisition, Development, Maintenance

• Supplier Relationships

• Information Security Incident management

• Information Security Aspects of Business Continuity

• Compliance

Overview of Controls


Specimen control from ISO/IEC 27002:2013, Information Security Policies: Provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

ISO 27002

Organization of Information Security

• Establishes a management framework to initiate and control the implementation and operation of information security within the organization

• Ensure the security of teleworking and use of mobile devices.

ISO 27002

Human Resource Security

• Ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.

• Ensure that employees and contractors are aware of and fulfil their information security responsibilities.

• Protect the organization’s interests as part of the process of changing or terminating employment.

ISO 27002


Asset Management

• Identify organizational assets and define appropriate protection responsibilities.

• Ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

• Prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

ISO 27002

Access Control

• Limit access to information and information processing facilities.

• Ensure authorized user access and prevent unauthorized access to systems and services.

• Make users accountable for safeguarding their authentication information.

• Prevent unauthorized access to systems and applications.

ISO 27002

Cryptography

• Ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

ISO 27002

Physical and Environmental Security

• Prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.

• Prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations.

ISO 27002


Operations Security

• Ensure correct and secure operations of information processing facilities.

• Ensure that information and information processing facilities are protected against malware.

• Protect against loss of data.

• Record events and generate evidence.

• Ensure the integrity of operational systems.

• Prevent exploitation of technical vulnerabilities.

• Minimise the impact of audit activities on operational systems.

ISO 27002

Communications Security

• Ensure the protection of information in networks and its supporting information processing facilities.

• Maintain the security of information transferred within an organization and with any external entity.

ISO 27002

System Acquisition, Development and Maintenance

• Ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.

• Ensure that information security is designed and implemented within the development lifecycle of information systems.

• Ensure the protection of data used for testing.

ISO 27002

Supplier Relationships

• Ensure protection of the organization’s assets that are accessible by suppliers.

• Maintain an agreed level of information security and service delivery in line with supplier agreements.

ISO 27002


Information Security Incident Management

• Ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.

ISO 27002

Information Security Aspects of Business Continuity Management

• Information security continuity should be embedded in the organization’s business continuity management systems.

• Ensure availability of information processing facilities.

ISO 27002

Compliance

• Avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.

• Ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

ISO 27002

Essential Safeguards


Industry Practices & Standards

Examples:

ITIL

PCI

NIST 800

ITIL (IT Infrastructure Library)

• Best practices and guidelines for managing information technology services

• Integrated, process-based approach

• Originated as a 1980s UK government drive

• Focus on quality, efficient, cost-effective delivery of IT services


Major ITIL Volumes

• Software asset management

• Service support

• Service delivery

• Planning to implement service management

• ICT infrastructure management

• Application management

• Security management

• The business perspective

[Figure: ITIL structure]

ITIL Security

[Figure: ITIL security management process. Stages shown: initial security effort (risk analysis), security requirements, minimum security baseline, requirements feasibility analysis, negotiate and define SLA (with the customer), negotiate and define OLA (with the IT service organization), implement, monitor, report, modify. Security management products: policies, processes, procedures, work instructions. Adapted from Weil, Steven (2004) "How ITIL Can Improve Information Security", SecurityFocus, http://www.securityfocus.com/infocus/1815]

Payment Card Industry Data Security Standard

• Build and Maintain a Secure Network
– Install and maintain a firewall configuration to protect data
– Do not use vendor-supplied defaults for system passwords and other security parameters

• Protect Cardholder Data
– Protect stored data
– Encrypt transmission of cardholder data and sensitive information across public networks

• Maintain a Vulnerability Management Program
– Use and regularly update anti-virus software
– Develop and maintain secure systems and applications

• Implement Strong Access Control Measures
– Restrict access to data by business need-to-know
– Assign a unique ID to each person with computer access
– Restrict physical access to cardholder data

• Regularly Monitor and Test Networks
– Track and monitor all access to network resources and cardholder data
– Regularly test security systems and processes

• Maintain an Information Security Policy
– Maintain a policy that addresses information security


NIST Computer Security Handbook

Special Publication 800-12

NIST Computer Security Division

• SP 800-12 An Introduction to Computer Security: The NIST Handbook, October 1995

• SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996

• SP 800-18 Guide for Developing Security Plans for Information Technology Systems, December 1998

• SP 800-26 Security Self-Assessment Guide for Information Technology Systems, November 2001

• SP 800-30 Risk Management Guide for Information Technology Systems, July 2002

• SP 800-33 Underlying Technical Models for Information Technology Security, December 2001

• SP 800-34 Contingency Planning Guide for Information Technology Systems, June 2002

• SP 800-55 Security Metrics Guide for Information Technology Systems, July 2003

• SP 800-65 Integrating Security into the Capital Planning and Investment Control Process, January 2005

http://csrc.nist.gov/publications/nistpubs/

NIST SP 800-14 Reference Model

• Accountability - The responsibilities and accountability of owners, providers and users of information systems and other parties...should be explicit.

• Awareness - Owners, providers, users and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures...for the security of information systems.

• Ethics - The information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interests of others are respected.

• Multidisciplinary - Measures, practices and procedures for the security of information systems should take account of and address all relevant considerations and viewpoints....

• Proportionality - Security levels, costs, measures, practices and procedures should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability and extent of potential harm....

• Integration - Measures, practices and procedures for the security of information systems should be coordinated and integrated with each other and other measures, practices and procedures of the organization so as to create a coherent system of security.

• Timeliness - Public and private parties, at both national and international levels, should act in a timely coordinated manner to prevent and to respond to breaches of security of information systems.

• Reassessment - The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time.

• Democracy - The security of information systems should be compatible with the legitimate use and flow of data and information in a democratic society.

Source: OECD's Guidelines for the Security of Information Systems, as reproduced in NIST SP 800-14.

Qualification Criteria

Example: Common Criteria


Common Criteria

The CC philosophy is to provide assurance based upon an evaluation (active investigation) of the IT product or system that is to be trusted. Evaluation has been the traditional means of providing assurance and is the basis for prior evaluation criteria documents. In aligning the existing approaches, the CC adopts the same philosophy. The CC proposes measuring the validity of the documentation and of the resulting IT product or system by expert evaluators with increasing emphasis on scope, depth, and rigor.

(Common Criteria v 2.1, Part 3 p. 2)

ISO/IEC 15408

Participants

• Canada: Communications Security Establishment

• France: Service Central de la Sécurité des Systèmes d'Information

• Germany: Bundesamt für Sicherheit in der Informationstechnik

• Netherlands: Netherlands National Communications Security Agency

• United Kingdom: Communications-Electronics Security Group

• United States: National Institute of Standards and Technology

• United States: National Security Agency

[Figure: Common Criteria context model]

[Figure: Common Criteria goal model]


[Figure: Common Criteria structure]