MANAGEMENT of INFORMATION SECURITY, Second Edition

Learning Objectives
- Upon completion of this chapter, you should be able to:
  - Select from the dominant information security management models, including U.S. government-sanctioned models, and customize them for your organization's needs
  - Implement the fundamental elements of key information security management practices
  - Follow emerging trends in the certification and accreditation of U.S. Federal IT systems

Introduction
- To create or maintain a secure environment, one must design a working security plan and then implement a management model to execute and maintain the plan
- This may begin with the creation or validation of a security framework, followed by an information security blueprint that describes existing controls and identifies other necessary security controls
- A framework is the outline of the more thorough blueprint, which is the basis for the design, selection, and implementation of all subsequent security controls
- Most organizations draw from established security models and practices to develop a blueprint or methodology
ISO/IEC 17799:2005
- One of the most widely referenced and often discussed security models is Information Technology Code of Practice for Information Security Management, which was originally published as British Standard BS 7799
- The purpose is to establish guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization

ISO/IEC 17799:2005 (continued)
- ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities
- ISO/IEC 17799:2005 replaced BS 7799:1

ISO/IEC 17799:2005 (continued)
- ISO/IEC 17799:2005 has 133 possible controls, not all of which must be used; part of the process is to identify which are relevant
- Each section includes four categories of information:
  - One or more objectives
  - Controls relevant to the achievement of the objectives
  - Implementation guidance
  - Other information

ISO/IEC 17799:2005 (continued)
- Many countries, including the U.S., Germany, and Japan, have not adopted the model, claiming it is fundamentally flawed:
  - The global InfoSec community has not defined any justification for the code of practice identified
  - The model lacks the necessary measurement precision of a technical standard
  - There is no reason to believe the model is more useful than any other approach
  - It is not as complete as other frameworks
  - It is perceived as being hurriedly prepared, given the tremendous impact that its adoption could have on industry information security controls

Figure 6-1 17799:2005 Usability
SANS SCORE and ISO/IEC 17799
- One way to determine how closely an organization is complying with ISO 17799 is to use the SANS SCORE Audit Checklist
- The checklist provides insight into the eleven sections of ISO/IEC 17799

The Eleven Sections of ISO/IEC 17799
- 1. Security Policy: focusing mainly on InfoSec policy
- 2. Organization of InfoSec: for both the internal organization and external parties
- 3. Asset Management: including responsibility for assets and information classification
- 4. Human Resources Security: ranging from controls prior to employment, during employment, to termination or change of employment
- 5. Physical and Environmental Security: including secure areas and equipment security

The Eleven Sections of ISO/IEC 17799 (continued)
- 6. Communications and Operations Management
  - Incorporating operational procedures and responsibilities
  - Third-party service delivery management
  - System planning and acceptance
  - Protection against malicious and mobile code
  - Backup
  - Network security management
  - Media handling
  - Exchange of information
  - Electronic commerce services and monitoring

The Eleven Sections of ISO/IEC 17799 (continued)
- 7. Access Control
  - Business requirement for access control
  - User access management
  - User responsibilities
  - Network access control
  - Operating system access control
  - Application and information access control
  - Mobile computing and teleworking

The Eleven Sections of ISO/IEC 17799 (continued)
- 8. Information Systems Acquisition, Development, and Maintenance
  - Security requirements of information systems
  - Correct processing in applications
  - Cryptographic controls
  - Security of system files
  - Security in development and support processes and technical vulnerability management

The Eleven Sections of ISO/IEC 17799 (continued)
- 9. Information Security Incident Management: addressing reporting InfoSec events and weaknesses and management of InfoSec incidents and improvements
- 10. Business Continuity Management: InfoSec aspects of BCM
- 11. Compliance
  - With legal standards
  - With security policies and standards
  - Technical compliance with information systems audit considerations
ISO/IEC 27001:2005: The InfoSec Management System
- BS 7799:2 is the companion to BS 7799:1, and provides implementation details using a Plan-Do-Check-Act cycle

Figure 6-3 BS 7799:2 Plan-Do-Check-Act

ISO/IEC 27001:2005: The InfoSec Management System (continued)
- Plan
  - Define the scope of the ISMS
  - Define an ISMS policy
  - Define the approach to risk assessment
  - Identify the risks
  - Assess the risks
  - Identify and evaluate options for the treatment of risk
  - Select control objectives and controls
  - Prepare a Statement of Applicability (SOA)

ISO/IEC 27001:2005: The InfoSec Management System (continued)
- Do
  - Formulate a Risk Treatment Plan
  - Implement the Risk Treatment Plan
  - Implement controls
  - Implement training and awareness programs
  - Manage operations
  - Manage resources
  - Implement procedures to detect and respond to security incidents

ISO/IEC 27001:2005: The InfoSec Management System (continued)
- Check
  - Execute monitoring procedures
  - Undertake regular reviews of ISMS effectiveness
  - Review the level of residual and acceptable risk
  - Conduct internal ISMS audits
  - Undertake regular management review of the ISMS
  - Record actions and events that impact an ISMS

ISO/IEC 27001:2005: The InfoSec Management System (continued)
- Act
  - Implement identified improvements
  - Take corrective or preventive action
  - Apply lessons learned
  - Communicate results to interested parties
  - Ensure improvements achieve objectives

ISO/IEC 27001:2005: The InfoSec Management System (continued)
- In 2005, BS 7799:2 was updated and codified as ISO/IEC 27001:2005, and is the foundation for third-party certification
- Its major sections include:
  - Introduction
  - Scope
  - Terms and definitions
  - ISMS
  - Management responsibility
  - Management review
  - ISMS improvement

ISO/IEC 27001:2005: The InfoSec Management System (continued)
- Proposed use of 27001:2005
  - Use within organizations to formulate security requirements and objectives
  - Use within organizations as a way to ensure that security risks are cost-effectively managed
  - Use within organizations to ensure compliance with laws and regulations
  - Use within organizations as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met

ISO/IEC 27001:2005: The InfoSec Management System (continued)
- Proposed use of 27001:2005 (continued)
  - Definition of new InfoSec management processes
  - Identification and clarification of existing InfoSec management processes
  - Used by the management of organizations to determine the status of InfoSec management activities
  - Used by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives, and standards adopted by an organization

ISO/IEC 27001:2005: The InfoSec Management System (continued)
- Proposed use of 27001:2005 (continued)
  - Used by organizations to provide relevant information about InfoSec policies, directives, standards, and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons
  - Implementation of business-enabling InfoSec
  - Used by organizations to provide relevant information about InfoSec to customers
NIST Security Models
- NIST documents have two notable advantages:
  - They are publicly available at no charge
  - They have been available for some time and thus have been broadly reviewed by government and industry professionals
- SP 800-12, Computer Security Handbook
- SP 800-14, Generally Accepted Security Principles and Practices
- SP 800-18, Guide for Developing Security Plans
- SP 800-26, Security Self-Assessment Guide for IT Systems
- SP 800-30, Risk Management for Information Technology Systems

NIST SP 800-12: The Computer Security Handbook
- Excellent reference and guide for the routine management of information security
- Little is provided on the design and implementation of new security systems; use it as a supplement to gain a deeper understanding of background and terminology

NIST SP 800-12: The Computer Security Handbook (continued)
- Lays out the NIST philosophy on security management by identifying 17 controls organized into three categories:
  - The Management Controls section addresses security topics that can be characterized as managerial
  - The Operational Controls section addresses security controls that focus on controls that are, broadly speaking, implemented and executed by people (as opposed to systems)
  - The Technical Controls section focuses on security controls that the computer system executes

NIST Special Publication 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems
- Describes best practices useful in the development of a security blueprint
- Describes principles that should be integrated into information security processes
- Documents 8 points and 33 principles

NIST Special Publication 800-14: Key Points
- The more significant points made in NIST SP 800-14 are:
  - Security supports the mission of the organization
  - Security is an integral element of sound management
  - Security should be cost-effective
  - Systems owners have security responsibilities outside their own organizations
  - Security responsibilities and accountability should be made explicit
  - Security requires a comprehensive and integrated approach
  - Security should be periodically reassessed
  - Security is constrained by societal factors

NIST Special Publication 800-14: Principles
- Principle 1. Establish a sound security policy as the foundation for design
- Principle 2. Treat security as an integral part of the overall system design
- Principle 3. Clearly delineate the physical and logical security boundaries governed by associated security policies
- Principle 4. Reduce risk to an acceptable level
- Principle 5. Assume that external systems are insecure

NIST Special Publication 800-14: Principles (continued)
- Principle 6. Identify potential trade-offs between reducing risk and increased costs and decreases in other aspects of operational effectiveness
- Principle 7. Implement layered security (ensure no single point of vulnerability)
- Principle 8. Implement tailored system security measures to meet organizational security goals
- Principle 9. Strive for simplicity

NIST Special Publication 800-14: Principles (continued)
- Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in response
- Principle 11. Minimize the system elements to be trusted
- Principle 12. Implement security through a combination of measures distributed physically and logically
- Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of expected threats
- Principle 14. Limit or contain vulnerabilities

NIST Special Publication 800-14: Principles (continued)
- Principle 15. Formulate security measures to address multiple overlapping information domains
- Principle 16. Isolate public access systems from mission critical resources
- Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures
- Principle 18. Where possible, base security on open standards for portability and interoperability
- Principle 19. Use common language in developing security requirements

NIST Special Publication 800-14: Principles (continued)
- Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support incident investigations
- Principle 21. Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process
- Principle 22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains

NIST Special Publication 800-14: Principles (continued)
- Principle 23. Use unique identities to ensure accountability
- Principle 24. Implement least privilege
- Principle 25. Do not implement unnecessary security mechanisms
- Principle 26. Protect information while being processed, in transit, and in storage
- Principle 27. Strive for operational ease of use
- Principle 28. Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability

NIST Special Publication 800-14: Principles (continued)
- Principle 29. Consider custom products to achieve adequate security
- Principle 30. Ensure proper security in the shutdown or disposal of a system
- Principle 31. Protect against all likely classes of attacks
- Principle 32. Identify and prevent common errors and vulnerabilities
- Principle 33. Ensure that developers are trained in how to develop secure software

NIST Special Publication 800-18: A Guide for Developing Security Plans for Information Technology Systems
- Provides detailed methods for assessing, designing, and implementing controls and plans for various-sized applications
- Serves as a guide for the activities described in this chapter, and for the overall information security planning process
- It includes templates for major application security plans

NIST Special Publication 800-26: 17 Areas Defining the Core of the NIST Security Management Structure
- Management Controls
  - Risk Management
  - Review of Security Controls
  - Life Cycle Maintenance
  - Authorization of Processing (Certification and Accreditation)
  - System Security Plan
- Operational Controls
  - Personnel Security
  - Physical Security
  - Production, Input/Output Controls
  - Contingency Planning
  - Hardware and Systems Software
  - Data Integrity
  - Documentation
  - Security Awareness, Training, and Education
  - Incident Response Capability
- Technical Controls
  - Identification and Authentication
  - Logical Access Controls
  - Audit Trails

NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems
- Provides a foundation for the development of an effective risk management program
- Contains both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems
- Strives to enable organizations to better manage IT-related risks
RFC 2196 Site Security Handbook
- The Security Area Working Group within the IETF has created RFC 2196, the Site Security Handbook, which provides a functional discussion of important security issues along with development and implementation details
- Covers security policies, security technical architecture, security services, and security incident handling
- Also includes discussion of the importance of security policies, and expands into an examination of services, access controls, and other relevant areas

Control Objectives for Information and related Technology (COBIT)
- Control Objectives for Information and related Technology (COBIT) also provides advice about the implementation of sound controls and control objectives for InfoSec
- COBIT was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992

Control Objectives for Information and related Technology (COBIT) (continued)
- COBIT presents 34 high-level objectives that cover 215 control objectives; these objectives are categorized into four domains:
  - Plan and organize
  - Acquire and implement
  - Deliver and support
  - Monitor and evaluate

Control Objectives for Information and related Technology (COBIT) (continued)
- Plan and organize
  - Makes recommendations for achieving organizational goals and objectives through the use of IT
  - Ten controlling objectives (PO1 to PO10)
- Acquire and implement
  - Focuses on specification of requirements
  - Acquisition of needed components
  - Integration of these components into the organization's systems
  - Examines ongoing maintenance and change requirements
  - Seven controlling objectives (AI1 to AI7)

Control Objectives for Information and related Technology (COBIT) (continued)
- Delivery and support
  - Focuses on the functionality of the system and its use to the end user
  - Examines systems applications, including input, processing, and output components
  - Examines processes for efficiency and effectiveness of operations
  - 13 high-level controlling objectives (DS1 to DS13)

Control Objectives for Information and related Technology (COBIT) (continued)
- Monitor and evaluate
  - Seeks to examine the alignment between IT systems usage and organizational strategy
  - Identifies the regulatory requirements for which controls are needed
  - Monitors the effectiveness and efficiency of IT systems against the organizational control processes in the delivery and support domain
  - Four high-level controlling objectives (ME1 to ME4)

Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- COSO is a U.S. private-sector initiative formed in 1985
- Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence
- COSO has established a common definition of internal controls, standards and criteria, and helps organizations comply with critical regulations like Sarbanes-Oxley

Committee of Sponsoring Organizations of the Treadway Commission (COSO) (continued)
- COSO is built on five interrelated components:
  - Control environment
  - Risk assessment
  - Control activities
  - Information and communication
  - Monitoring
Security Management Practices
- In information security, two categories of benchmarks are used:
  - Standards of due care/due diligence
  - Best practices
- Best practices include a subcategory of practices, called the gold standard, that are generally regarded as the best of the best

Standards of Due Care/Due Diligence
- When organizations adopt minimum levels of security for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances; this is known as a standard of due care
- Implementing controls at this minimum standard, and maintaining them, demonstrates that an organization has performed due diligence

Standards of Due Care/Due Diligence (continued)
- Due diligence requires that an organization ensure that the implemented standards continue to provide the required level of protection
- Failure to support a standard of due care or due diligence can expose an organization to legal liability, provided it can be shown that the organization was negligent in its application or lack of application of information protection

Best Security Practices
- Security efforts that seek to provide a superior level of performance in the protection of information are referred to as best business practices or simply best practices
- Some organizations refer to these as recommended practices
- Security efforts that are among the best in the industry are referred to as best security practices

Best Security Practices (continued)
- These practices balance the need for information access with the need for adequate protection; best practices seek to provide as much security as possible for information and information systems, while demonstrating fiscal responsibility and ensuring information access
- Companies with best practices may not be the best in every area; they may only have established an extremely high quality or successful security effort in one area

The Gold Standard
- Best business practices are not sufficient for organizations that prefer to set the standard by implementing the most protective, supportive, and yet fiscally responsible standards they can
- They strive toward the gold standard, a model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information
- The implementation of gold standard security requires a great deal of support, both in financial and personnel resources

Selecting Best Practices
- Choosing which recommended practices to implement can pose a challenge for some organizations
- In industries that are regulated by governmental agencies, government guidelines are often requirements
- For other organizations, government guidelines are excellent sources of information and can inform their selection of best practices

Selecting Best Practices (continued)
- When considering best practices for your organization, consider the following:
  - Does your organization resemble the identified target organization of the best practice?
  - Are you in a similar industry as the target?
  - Do you face similar challenges as the target?
  - Is your organizational structure similar to the target?
  - Are the resources you can expend similar to those called for by the best practice?
  - Are you in a similar threat environment as the one assumed by the best practice?

Best Practices
- Microsoft has published a set of best practices in security at its Web site:
  - Use antivirus software
  - Use strong passwords
  - Verify your software security settings
  - Update product security
  - Build personal firewalls
  - Back up early and often
  - Protect against power surges and loss

Benchmarking and Best Practices Limitations
- The biggest problem with benchmarking in information security is that organizations don't talk to each other; a successful attack is viewed as an organizational failure, and is kept secret, insofar as possible
- However, more and more security administrators are joining professional associations and societies like ISSA and sharing their stories and lessons learned
- An alternative to this direct dialogue is the publication of lessons learned
Baselining
- A baseline is a value or profile of a performance metric against which changes in the performance metric can be usefully compared
- Baselining is the process of measuring against established standards
- In InfoSec, baselining is the comparison of security activities and events against the organization's future performance
- Baselining can provide the foundation for internal benchmarking, as information gathered for an organization's first risk assessment becomes the baseline for future comparisons

Baselining Example
- The Gartner Group offers twelve questions as a self-assessment for best security practices:
- People
  - Do you perform background checks on all employees with access to sensitive data, areas, or access points?
  - Would the average employee recognize a security issue?
  - Would they choose to report it?
  - Would they know how to report it to the right people?

Baselining Example (continued)
- Processes
  - Are enterprise security policies updated on at least an annual basis, employees educated on changes, and policies consistently enforced?
  - Does your enterprise follow a patch/update management and evaluation process to prioritize and remediate new security vulnerabilities?
  - Are the user accounts of former employees immediately removed on termination?
  - Are security group representatives involved in all stages of the project life cycle for new projects?

Baselining Example (continued)
- Technology
  - Is every possible route to the Internet protected by a properly configured firewall?
  - Is sensitive data on laptops and remote systems encrypted?
  - Do you regularly scan your systems and networks, using a vulnerability analysis tool, for security exposures?
  - Are malicious software scanning tools deployed on all workstations and servers?

Metrics in InfoSec Management
- When an organization applies statistical and quantitative approaches of mathematical analysis to the process of measuring the activities and outcomes of the InfoSec program, it is using InfoSec metrics
- InfoSec metrics enable organizations to measure the level of effort required to meet the stated objectives of the InfoSec program

Metrics in InfoSec Management (continued)
- Specifying InfoSec metrics requires the assessment and quantification of what will be measured
- Collecting InfoSec metrics is daunting to some organizations, and requires thoughtful consideration of the intent of the metric, along with a thorough knowledge of how production services are delivered

Metrics in InfoSec Management (continued)
- Interpreting InfoSec metrics requires both the raw data and its context
- Decisions also need to be made regarding the presentation of correlated metrics, as well as color use to denote specific results
- Disseminating InfoSec metrics requires the CISO to consider who gets them, as well as the method of delivery
Emerging Trends in Certification and Accreditation
- In security management, accreditation is the authorization of an IT system to process, store, or transmit information
- It is issued by a management official and serves as a means of assuring that systems are of adequate quality
- It also challenges managers and technical staff to find the best methods to assure security, given technical constraints, operational constraints, and mission requirements

Emerging Trends in Certification and Accreditation (continued)
- Certification is the comprehensive evaluation of the technical and nontechnical security controls of an IT system to support the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements
- Organizations pursue accreditation or certification to gain a competitive advantage, or to provide assurance or confidence to customers

SP 800-37: Guidelines for Security C&A of Federal IT Systems
- Develops standard guidelines and procedures for certifying and accrediting federal IT systems, including the critical infrastructure of the United States
- Defines essential minimum security controls for federal IT systems
- Promotes the development of public and private sector assessment organizations and certification of individuals capable of providing cost-effective, high-quality security certifications based on standard guidelines and procedures

SP 800-37: Guidelines for Security C&A of Federal IT Systems (continued)
- The specific benefits of the security certification and accreditation (C&A) initiative include:
  - More consistent, comparable, and repeatable certifications of IT systems
  - More complete, reliable information for authorizing officials, leading to better understanding of complex IT systems and associated risks and vulnerabilities and, therefore, more informed decisions by management officials
  - Greater availability of competent security evaluation and assessment services
  - More secure IT systems within the federal government

Figure 6-4 Special Publications Supporting SP 800-37

SP 800-37: Guidelines for Security C&A of Federal IT Systems (continued)
- 800-37 focuses on a three-step security controls selection process:
  - Step 1: Characterize the system
  - Step 2: Select the appropriate minimum security controls for the system
  - Step 3: Adjust security controls based on system exposure and risk decision

Planned Federal System Certifications
- Systems are to be certified to one of three levels:
  - Security Certification Level 1: the entry-level certification appropriate for low priority (concern) systems
  - Security Certification Level 2: the mid-level certification appropriate for moderate priority (concern) systems
  - Security Certification Level 3: the top-level certification appropriate for high priority (concern) systems

SP 800-53: Minimum Security Controls for Federal IT Systems
- SP 800-53 is part two of the Certification and Accreditation project
- Its purpose is to establish a set of standardized, minimum security controls for IT systems addressing low, moderate, and high levels of concern for confidentiality, integrity, and availability
- Controls are broken into the three familiar general classes of security controls: management, operational, and technical
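The three-step selection process described above (characterize the system, select the minimum controls for its level of concern, adjust for exposure and risk decisions), carried through as an added Python example that is not part of the slides or of any NIST publication. The control catalog is constructed from the SP 800-26 control areas listed earlier; the high-water-mark rule for the overall level, the exposure-to-control mapping and the mapping to certification levels 1 to 3 are assumptions made here.

```python
from dataclasses import dataclass

LEVELS = ("low", "moderate", "high")  # levels of concern for C, I and A, in rank order

def rank(level: str) -> int:
    """Position of a level of concern in LEVELS; anything else is rejected."""
    if level not in LEVELS:
        raise ValueError(f"unknown level of concern: {level!r}")
    return LEVELS.index(level)

@dataclass(frozen=True)
class Control:
    ident: str          # constructed identifier, not an SP 800-53 control number
    name: str           # control area names taken from the SP 800-26 list on this page
    cls: str            # "management", "operational" or "technical"
    minimum_level: str  # lowest level of concern at which the control is required

# Constructed mini-catalog for the example; the real SP 800-53 catalog is far larger.
CATALOG = (
    Control("MGT-1", "Risk Management", "management", "low"),
    Control("MGT-2", "System Security Plan", "management", "low"),
    Control("MGT-3", "Review of Security Controls", "management", "moderate"),
    Control("OPS-1", "Security Awareness, Training, and Education", "operational", "low"),
    Control("OPS-2", "Contingency Planning", "operational", "moderate"),
    Control("OPS-3", "Incident Response Capability", "operational", "moderate"),
    Control("OPS-4", "Personnel Security", "operational", "high"),
    Control("TEC-1", "Identification and Authentication", "technical", "low"),
    Control("TEC-2", "Logical Access Controls", "technical", "low"),
    Control("TEC-3", "Audit Trails", "technical", "moderate"),
)
BY_ID = {c.ident: c for c in CATALOG}

# Constructed step-3 input: exposure conditions that pull in controls regardless of level.
EXPOSURE_CONTROLS = {
    "public_access": ("TEC-3", "OPS-3"),  # internet-facing: audit trails, incident response
}

@dataclass(frozen=True)
class Characterization:
    """Step 1: the system and its level of concern for each security objective."""
    system: str
    confidentiality: str
    integrity: str
    availability: str

    def overall_level(self) -> str:
        # High-water mark (assumption): the system takes its most demanding level.
        return max((self.confidentiality, self.integrity, self.availability), key=rank)

def certification_level(overall: str) -> int:
    """Assumed mapping of low/moderate/high to the planned certification levels 1 to 3."""
    return rank(overall) + 1

def select_minimum_controls(overall: str) -> dict:
    """Step 2: every catalog control whose minimum level is at or below the system's."""
    return {c.ident: c for c in CATALOG if rank(c.minimum_level) <= rank(overall)}

@dataclass(frozen=True)
class RiskDecision:
    control_id: str
    action: str     # "add" or "remove"
    rationale: str  # mandatory: an undocumented adjustment is rejected

def adjust_controls(selected: dict, exposures=(), decisions=()) -> tuple:
    """Step 3: add controls demanded by exposure, then apply documented risk decisions.
    Returns the final control set and a change log for the accreditation package."""
    final, log = dict(selected), []
    for tag in exposures:
        for cid in EXPOSURE_CONTROLS[tag]:  # KeyError on an exposure nobody has defined
            if cid not in final:
                final[cid] = BY_ID[cid]
                log.append(f"add {cid}: required by exposure '{tag}'")
    for d in decisions:
        ctl = BY_ID[d.control_id]  # KeyError for a control that is not in the catalog
        if not d.rationale.strip():
            raise ValueError(f"{ctl.ident}: risk decision without rationale")
        if d.action == "add":
            final[ctl.ident] = ctl
        elif d.action == "remove":
            final.pop(ctl.ident, None)
        else:
            raise ValueError(f"{ctl.ident}: unknown action {d.action!r}")
        log.append(f"{d.action} {ctl.ident}: {d.rationale}")
    return final, log

def run_selection(char: Characterization, exposures=(), decisions=()) -> dict:
    overall = char.overall_level()
    final, log = adjust_controls(select_minimum_controls(overall), exposures, decisions)
    return {"system": char.system, "overall": overall, "controls": sorted(final),
            "certification_level": certification_level(overall), "log": log}
```

The log returned by adjust_controls is the part an auditor cares about: every departure from the selected minimum carries the rationale that justified it.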
SP 800-53: Minimum Security Controls for Federal IT Systems (continued)
- Critical elements represent important security-related focus areas for the system, with each critical element addressed by one or more security controls
- As technology evolves, so will the set of security controls, requiring additional control mechanisms

Figure 6-5 Participants in the C&A Process

Summary
- Introduction
- Security Management Models
- Security Management Practices
- Emerging Trends in Certification and Accreditation