Information Assurance Professional

About This Presentation

Title:

Information Assurance Professional

Description:

Critical Supporting Process: Cryptology. Cryptology is not a ... Why is cryptology included among the principles? How do policy and infrastructure relate? ... – PowerPoint PPT presentation

Number of Views:156

Avg rating:3.0/5.0

Slides: 154

Provided by: dans158

Category:

more less

Transcript and Presenter's Notes

Title: Information Assurance Professional

1
Information Assurance Professional

National Security Registration Board
Version 2.6

2
Course Goals

This presents the fundamental concepts of
information assurance.
It is designed to foster a mastery level
understanding of the IA process.
The intention is to prepare a trained IA
professional

3
Course Application

You learn how to tailor a practical information
assurance architecture using this BOK.
As well as how to deploy an appropriate set of
flexible countermeasures.

4
Three Assumptions

Three major assumptions underlie this course
Assumption One
Effective Information security requires an
integrated set of business and technological
processes.

5
The Three Assumption

Assumption Two
Effective information security programs must be
deliberately designed and deployed
organization-wide through a strategic planning
process

6
The Three Assumption

Assumption Three
Information security programs are systematic,
That is, they embody an appropriate set of
persistent and interacting controls
These function seamlessly and as an integral
element of day-to-day operation of the business

7
The Importance of Planning

All three of these requirements must be satisfied
for the solution to be correct.
That condition is not arrived at by chance.
It is always derived from a valid set of common
best practices.

8
The IBOK

The IBOK is a compendium, or body-of-knowledge
rather than a standard
It is an integration of three existing models
into a single unified concept
The idea is that, a harmonized set of
recommendations is the most authoritative
statement about best practice.

9
Best Practice Models

There are at least three models that are used to
guide that process,
The Generally Accepted System Security Principles
(GASSP), 1999
ISO 17799 and BS 77992 (2002)
COBIT (2006)

10
Best Practice Models

Each of these embodies a fundamental set of
principles derived from extensive lessons
learned
Each of these provides a useful set of high level
control objectives, which can be tailored, to any
organizational need.
And each has the potential to serve as the basis
of an effective solution.

11
Best Practice Models

This model comprises the Information Security
Body of Knowledge (IBOK).
It also presents a standard implementation
methodology for this BOK.

12
Course Assumptions

Individuals who successfully complete this course
can be assumed to be
Knowledgeable in the best practices for
information assurance
Competent to implement security systems that are
capable of being accredited by the NSRB.

13
Text

The following are required
Information Security Body of Knowledge IBOK
Open Standard 2.2, International Standards
Institution of Governors, 2004
Training Guideline, IBOK, National Standards
Registration Board, 2003

14
Course Description

You will learn how to
Create an information security architecture
Establish detailed control procedures within this
framework

15
Course Description

Systematically identify and monitor areas of
vulnerability
Assess the impact of threats as they are
identified
Deploy appropriate technological and managerial
countermeasures

16
Course Objectives

At the end of this course you will be able to
Deploy an appropriate managerial and technical
control framework
Establish a correct information security control
set within that framework

17
Course Objectives

Conduct a capable threat identification
Formulate a baseline defense in depth
countermeasure set

18
Course Objectives

Be able to valuate assets and justify the
countermeasures based on that valuation
Be able to deploy, assess and continuously
maintain operational countermeasures

19
Course Agenda

300330 Module One Principles of Information
Security
330400 Module Two The Information Assurance
Process
400445 Module Three The Implementation
Process 445-500 Initiate Project
500-530- Prepare Solution
530-545- Report Solution
545-600- Questions and Lessons Learned

20
Module One
The Five Basic Goals of the Information Assurance
Process
21
The Five Basic Goals of IA

Information assurance ensures the
Availability
Confidentiality
Integrity
Authentication
Non-Repudiation of Origin

- Of information
22
Definition Confidentiality

Confidentiality is the condition that insures
that information is not disclosed to unauthorized
persons, processes or devices.
This implies the requirement for such discrete
functions as
information identification and labeling
Need-to-know procedures.

23
Definition Integrity

Integrity is the condition of assuring trust.
Within the information security universe,
integrity is specifically interpreted to mean
that a transmission will arrive at its
destination in exactly the same form as it was
sent..

24
Definition Integrity

That requires ensuring
the logical correctness and reliability of the
operating system
the logical completeness of the hardware and
software entities
the consistency of the data and occurrences of
the stored data.

25
Definition Authentication

Authentication is a security service designed to
establish the validity of a transmission,
message, or originator
It is also a means of verifying an individuals
authorizations to receive specific categories of
information

26
Definition Authentication

Authentication ensures that the occurrence of
false identities is eliminated.
An individual, an organization, or a computer has
to be able to prove its identity to be properly
secured.

27
Definition Authentication

This also implies an authorization function.
Authorization describes the systems ability to
regulate access to resources once the identity is
verified.

28
Definition Availability

Availability implies the ability to provide
authorized users with timely and reliable access
to data and information services.
It is characterized by best practices such as
back-up power
continuous signal
off-site recovery

29
Definition Availability

Availability also describes the overall goal of
security management.
Which is to ensure the requisite level of
trustworthiness in day-to-day operation

30
Definition Availability

In reality, availability is a condition, rather
than a specific security function.
It is often traded off against purely security
related conditions, like confidentiality.

31
Definition Availability

Because availability ensures functioning
There might be a time when assuring availability
outweighs procedures that are necessary to secure
information.

32
Definition Availability

The judgment to sacrifice any of the other
security services for the sake of enhanced
availability is a risk mitigation decision
Which is usually motivated by threats and
vulnerabilities in the business case.

33
Definition Non-Repudiation

Non-repudiation of origin provides the sender
with proof of delivery
AND
It underwrites the identity of the sender to the
recipient.

34
Definition Non-Repudiation

As a result, neither party can later deny that
the message was legitimately sent and received.
Non-repudiation has ramifications for everything
from purchases on e-bay, to modern battlefield
orders.

35
Module One Questions

What are the Five Elements of IA?
What does integrity ensure?
What is often traded off against availability?
What is the value of non-repudiation to
businesses?
What does authentication require to work
properly?
What is a risk mitigation decision?
What is non-repudiation based on?
What is availability characterized by?
What does need-to-know support?
What basic condition does offsite backup ensure?

36
Module Two
The Information Assurance Process
37
The Information Assurance Process

Information assurance is a multifaceted process
composed of fifteen elements and one critical
capability
Each is a discrete function and each contributes
differently to the overall purposes of securing
information.
These fifteen elements comprise a lifecycle.

38
The Information Assurance Process

All fifteen function within that lifecycle to
ensure an effective level of security.
Each element plays its proper role at a logical
place within the process.

39
The Information Assurance Process

The outcome is adequate protection of all
information assets

Adequate protection assumes the presence of all
necessary safeguards !
40
Building a Holistic Solution

Electronic assurance constitutes just one aspect
of that protection.
Full protection has to incorporate all of the
organizational functions and human factors
relevant to security.

41
Building a Holistic Solution

The outcome must constitute a holistic response.
In essence the response must integrate
All of the assurance measures
To protect all information
At all times

42
The Fifteen Principles

The IBOK integrates a common body of knowledge.
That BOK itemizes fifteen aspects of security
(and one critical process).

43
The Fifteen Principles

Each must be addressed in order for a security
solution to be complete.
These are arrayed in the lifecycle model
demonstrated on the next set of slides

44
IA Lifecycle Lifecycle Scope
The Information Resource
Is described by
Asset Identification
AND
Evaluated by a
Risk Assessment
45
IA Lifecycle Management
Security Policy
Which is Shaped by
Defines
Security Discipline
Security Infrastructure
Which Enforces
And
Access Control
Ethical Conduct
Which is Maintained by
Security of Operations
46
IA Lifecycle Countermeasures
Technical Countermeasures
Management Countermeasures
Process Countermeasures
Physical Security
Software Assurance
Continuity
Compliance
Personnel Security
NETSEC
Process Assurance
Crypto
47
Principle One Asset Identification

The form of the information resource has to be
understood in order to properly secure it.
Thus, everything that is part of that resource
has to be identified, labeled and placed in a
documented asset baseline.
It is also necessary to establish a system for
controlling changes to that baseline.

48
Principle Two Risk Assessment

Risk assessment defines the form of the security
response.
Current operations as well as prospective ones
are systematically evaluated using risk
assessment
The goal is to identify potential threats,
vulnerabilities and weaknesses within the asset
base

49
Principle Three Security Policy

Then the organization establishes uniform
policies to guide the assurance process.
These policies are the basis for the solution.
The outcome is a rational set of guidelines for
information assurance.

50
Principle Four Infrastructure

The procedural infrastructure is a tangible
realization of security policy
The organization has to design and enforce a
logical and consistent set of procedures
These must be directly traceable to the policies
they implement.

51
Principle Five Access Control

One of the chief purposes of any security scheme
is regulating access.
This principle specifies the need for an
operational structure to enable that.
Its aim is to grant access to legitimate users
while preventing unauthorized persons from
gaining access to protected information.

52
Principle Six Security of Operation

This involves continuous enforcement of routine
security procedures.
At its essence this revolves around the incident
response capability.
It also entails procedures to prevent vital
information from being used by an adversary
(called OPSEC).

53
Principle Seven Continuity

This details a comprehensive strategy to ensure
business continuity
It defines explicit practices to ensure that the
business continues to operate if its information
is lost or harmed
It also establishes the explicit disaster
planning and recovery capability

54
Principle Eight Compliance

This principle ensures that a comprehensive
mechanism is in place to ensure compliance
It guarantees that the stipulations of all
contracts and regulations are obeyed.
It ensures that due diligence is exercised in
meeting all legal requirements.

55
Principle Nine Physical Security

The purpose of physical security is to control
tangible information and IT assets.
It establishes an asset management process and a
realistic physical protection scheme.
It involves standard operating practices to
ensure the integrity of all workspaces and
physical resources within a secure boundary.

56
Principle Ten Personnel Security

This involves comprehensive procedures to assure
worker compliance with security policy.
It is based around employee screening and the
assignment of roles and responsibilities
It also monitors the security activities of all
employees.

57
Principle Eleven Process Security

This focuses on the development lifecycle.
It contains methods to ensure security is
embedded in all development work
It makes certain that security functionality is
baked into all products during development

58
Principle Twelve Network Security

This assures network access to electronic assets.
It establishes both network access control as
well as network monitoring.

59
Principle Twelve Network Security

This is a classic purpose of information
assurance
It identifies users, authenticates, authorizes
and controls access.
It also includes elements necessary to ensure the
development of secure network architectures.

60
Principle Thirteen Software Assurance

This principle ensures continuing integrity of
all application and system software.
That includes installing software and also
analyzing and reporting on its performance.
It ensures secure operation of all software
within the operational environment and resolution
of anomalies and conflicts.

61
Principle Fourteen Security Discipline

Discipline is human centered.
It ensures that policies and procedures are
understood and adhered to in a disciplined way.
Its purpose is to establish awareness and
motivation and enforce discipline.

62
Principle Fifteen Ethics

This principle delineates a comprehensive code of
defined ethical practices.
This code accurately reflects community norms
with respect to ethical behavior
It serves as a basis for the rules of conduct as
well as personal accountability.

63
Critical Supporting Process Cryptology

Cryptology is not a principle as much as it is
the basis for secure message transfer
It is not a principle because it isnt at the
same level as the others in the IBOK
It is a necessary foundation requirement to
secure electronic transmission.

64
Critical Supporting Process Cryptology

It is a very large topic area because it includes
so many technical aspects
It entails the technical requirements for
translating plaintext into encrypted
transmissions.
It also dictates the encryption methods and key
structures that underlie that process.

65
Application of the Principles

Each principle acts to secure the specific aspect
that it is meant to assure
The integrated set forms a mutually supporting
system that provides the desired level of
assurance.

66
Application of the Principles

All information assurance processes embody an
established collection of common components,
Which are designed to work together to produce an
optimum solution.
The overall solution can be understood in terms
of those components and their logical
interactions.

67
Application of the Principles

Moreover, they also represent an implicit
structure for the process.
This structure has a lifecycle orientation.

Institutionalization Factors

Establishment
Means
Oversight
Enforcement
69
Overview

Institutionalization factors can be used to
determine if these 15 principles and one critical
function have been properly established.
Processes must meet the following common criteria
in order to be judged as effectively practiced

70
Establishment

The organization must document its commitment to
each principle. Criteria for judging this are
Explicit designation of a manager responsible for
controlling ongoing operation
The placement of the manager in a position of
authority sufficient to enforce decisions
The continuous maintenance of that position in
the organizational decision making structure

71
Means

Qualified employees must be provided Criteria
for judging this are
The necessary staff and resources are
identifiably designated and deployed
It is possible to document, that staff are
competent to perform their assigned roles
The deployment of staff resources is explicitly
traceable to individual principles.

72
Oversight

The organization must provide an objective means
to monitor the fulfillment of the purposes of
each principle. Criteria for doing this are
Development and use of formal measures of
performance
Use of analytic methods to support decision
making
The designation and adherence to formal reporting
lines and follow-up procedures.

73
Enforcement

The organization must assure that each principle
is adhered to. Criteria for judging this
include
Designation of a person accountable for
enforcement
Regularly scheduled internal audit, or review of
the principle for compliance
Defined procedures for corrective action.

74
Module Two Review

Why is cryptology included among the principles?
How do policy and infrastructure relate?
Why does information assurance have a lifecycle?
Why is asset identification the first step?
Why are there three areas of countermeasure?
How do security discipline and operation security
relate?
What is the role of ethics in policy formulation?
How do continuity and operations security relate?
Why is software assurance important to security?
What is the role of compliance in security?

75
Module Three
Implementing the Security Response
76
Implementation Overview

Security involves identifying, prioritizing and
managing a response to every plausible threat to
the organizations information assets.
This countermeasure deployment function is not a
one-shot front-end to the establishment of a
static security solution.
It is a constant and organized probing of the
environment to sense the presence of and respond
appropriately to any potential sources of harm to
the organizations information assets.

77
Implementation Overview

As a consequence, the first step in formulating a
correct security response is threat
identification
That amounts to the identification of ANY threats
in the organizations technical or operating base
that might lead to the loss of ANY information,
of ANY value
And then the deployment of an effective set of
controls to alleviate each vulnerability
identified.

78
Model of the Implementation Process
Model Selection and Gap Analysis
Asset Baseline Formulation and Control
Asset Valuation and Resource Tradeoff
Information Gathering and Chartering
Assessment of Control Coverage and Effectiveness
Formulation and Baselining of the Control Set
Refinement and Finalization of Control Set
79
Implementation Overview

The activities above the red line are termed the
Threat Identification and Response phase
This part of the process drives the resource
allocation decisions as well as the development
and refinement of the optimum set of controls.

80
Implementation Overview

The activities below the red line are aimed at
the definition of the tangible information
security system.
We are going to discuss each of these boxes in
turn in detail.

81
Threat Identification

Threat identification and response is composed of
four elements
Information Gathering and Chartering
Asset Baseline Formulation
Model Selection and Gap Analysis
Asset Valuation and Tradeoff.

82
Threat Identification

The aim of these four activities is to achieve an
understanding of the security response that is
appropriate to the precise situation
And which fits within the constraints of the
organization.
Properly executed it is conducted in the
background of day-to-day organizational
functioning

83
Threat Identification

In practice, it employs methods and tools to
identify, analyze, plan for, and control any
potentially harmful or undesirable event.
It should be noted that while the overall aim of
the threat identification and response process is
to prevent or minimize the impact of security
losses at the business level of the organization
Technical risks are also managed since they often
constitute the root cause for business breaches,
or losses.

84
Threat Identification

Threat identification and response approaches
must establish a disciplined environment for
proactive decision-making.
They should regularly assesses what could go
wrong and then determine the approach and timing
by which each potential threat will be countered
This all takes place within the constraints of
practical business considerations such as
resources available and time.

85
Threat Identification

The last part of this process is an important
issue in the implementation of a realistic
solution since it is highly likely that more
risks will be identified than can possibly be
responded to.
So it is important to at least address the ones
that pose the most potential harm to the
corporation.

86
Threat Identification

Finally, we want to stress that the form of the
process as well as the scope of the solution is
dictated by the type of security desired.
Consequently the substance of the identification,
analysis, planning and control elements and
activities required is going to vary.
As we progress through this guideline it is also
important to keep in mind that although the form
of the process is generic, the actual
considerations vary with the focus and intent of
the organization.

87
Information Gathering and Chartering

Operationally, the right set of organizational
representatives formulates the requirements of
the security system into a statement of need,
Which is then documented and authorized by the
appropriate executive decision makers and
published to the business at-large.

88
Information Gathering and Chartering

The only purpose of this phase is to serve as a
launch pad for the decision-making regarding the
specific security model utilized next.
So logically, this element should generally
define both the scope and extent of the desired
solution.

89
Information Gathering and Chartering

In practice, this stage is probably the least
substantive aspect of any implementation project
in the sense that it does not really touch on any
of the details of the actual protection scheme.
Nonetheless, it might be the single likeliest
point of failure.
That is because everything that will happen
downstream originates from this one point.

90
Information Gathering and Chartering

As a consequence, it is important for everybody
who will have anything to do with the system to
understand and agree on the type and degree of
protection at the beginning of the process.
In effect this agreement should accomplish two
critical purposes.
From a functional system standpoint it has to
ensure that the problem is properly targeted.

91
Information Gathering and Chartering

More importantly, it should also support the
education and buy-in of the people who are
actually going to be actively involved in
formulating the system.
That is because it is well documented that the
long-term success of any solution is directly
dependent on the level of support for the
process.
This not an inconsequential exercise and it can
be resources intensive.

92
Information Gathering and Chartering

The execution of this process is generally based
on the generic systems analysis approaches that
have populated the organizational development
body of knowledge for the past fifty years.
There are numerous recognized ways of actually
conducting this.
However there is only one absolute requirement,
which is that the eventual outcome has to be
sponsored at the highest levels of the company

93
Information Gathering and Chartering

There have been a number of studies to support
the idea that the ownership security should be at
the level of the Board of Directors or CEO (the
best of these are summarized in DTI, 2002).
Notwithstanding that, the literature is unanimous
in stressing that effective information assurance
solutions have to be thoroughly embedded in the
organization and that requires across-the-board
acceptance,
which can only be enforced through executive
sponsorship.

94
Information Gathering and Chartering

One final point also must be stressed, which is
that the information gathering function should
not degenerate into a detailed technical problem
solving process.
The only objective of this first stage is to
define the general form of the problem for the
purpose of determining an explicit strategic
direction.

95
Information Gathering and Chartering

There are many reasons why a complete framework
solution may not be appropriate, ranging from a
lack of resources all the way to knowledge of a
specific targeted need.
These must all be identified, brought forward and
agreed on in order to choose a proper scope and
appropriate model for the eventual response.

96
Information Gathering and Chartering

Since the players are usually busy executives,
they are never interested in the details only in
the assurance that the correct target will be
hit.
As such the first phase has to be conducted with
that single goal in mind.
Once the direction is chosen the form of the rest
of the process is dependent on the model selected
and that activity constitutes the rest of this
stage.

97
Information Gathering and Chartering

The selection of an appropriate model is crucial.
Since the only way that the protection scheme
will work is if the model it is based on fits the
organizations security needs
The final point that we need to make before we
leave this section however, is that there is no
one model for information protection.

98
Information Gathering and Chartering

The only rule is that whatever is selected should
fit the exact requirements of the situation.
This is both an intelligent design process as
well as a political one.
As such the outcomes of the, information
gathering process, must be rigorously adhered to
in order to guide that decision-making process

99
Information Gathering and Chartering

And the eventual model selected should always
meet the requirements that have been bought
into by the whole organization through the
chartering process.
Since the next phase of the process starts the
tactical implementation of the security solution
this initial stage is the point where the
strategy is set.

100
Asset Baseline Formulation

This second stage is probably the least commonly
understood in that with most protection schemes
the form of the assets to be protected is known.
As the user knows, in the case of information
security the asset base is an abstract construct,
which could legitimately have many forms.
As such, before protection schemes can be devised
the boundaries and material form of the asset
must be characterized.

101
Asset Baseline Formulation

That involves gathering all of the pertinent
information necessary to define the complete form
of the assets that will be protected.
Which involves the meticulous identification and
labeling of every item under control of the
security system.
This is not a trivial exercise.
It is a prerequisite for subsequent assessment of
risk because it establishes the "day one" state
of the organizations total set of information
assets.

102
Asset Baseline Formulation

In practice, the aggregate set of assets is
termed a baseline.
The individual components that constitute this
baseline must be explicitly identified and
labeled as part of the asset identification
process.
A precisely defined information asset baseline is
an absolute prerequisite for the conduct of the
rest of the process, since it is this explicit
configuration that is maintained by the security
system.

103
Asset Baseline Formulation

And because it is a tangible structure, the
classification and tagging of the asset elements
that constitute it is usually based on their
logical interrelationships with each other.
This is maintained as a hierarchy of elements
that ranges from a view of the information asset
as a single entity down to the explicit items
that constitute that resource.
The baseline scheme that emerges at the lowest
level of decomposition represents the concrete
architecture of the target information asset.

104
Asset Baseline Formulation

The decisions that determine what this asset base
looks like are normally made using the input of a
number of different participants.
That could range from the technical staff all the
way up to executive owners of a given information
item.
The items defined at any level in the hierarchy
are given unique and appropriate labels that are
explicitly associated with the overall
organization of the information asset itself.

105
Asset Baseline Formulation

That is, these labels designate and relate the
position of any given item in the overall "family
tree" of the asset base.
Once established, the formal information asset
baseline is kept in a ledger, which is fully
accounted for and maintained throughout the
lifecycle of the security system.
Since, security systems are evolutionary formal
procedures also have to be put in place to
systematically manage the inevitable changes to
the form of the information asset baseline.

106
Asset Baseline Formulation

In the real-world most corporate information
asset baselines are maintained in an electronic
ledger, which is generically termed a Baseline
Management Ledger, or BML.
Changes at any level in the basic structure of
the information asset baseline are maintained at
all relevant levels in that ledger and must
correctly and accurately reflect the changed
status of the actual information item.

107
Generic Change Management
Notification/ Request for Change
Information Asset Baseline Manager
Authorization by Appropriate Decision Maker
Implementation of Change
Verification of Change
Baseline Management Ledger
108
Asset Baseline Formulation

If this is not done in a systematic and
disciplined fashion the painfully constructed
understanding of the form of the information
asset will move out of the organizations grasp
Leaving it securing things that dont exist and
not securing things that do.
Baseline management would be a time consuming
task if it were not for commercial utilities that
do this record keeping automatically.

109
Model Selection and Risk Assessment

Once the asset baseline is established the next
step is usually termed risk assessment.
It is in reality a gap analysis conducted against
a model of correct practice and the literature is
full of methodologies for carrying out that task.
These can be divided into two types, those that
are based on a commonly accepted standard model
and those that are based on a set of unique
criteria.

110
Model Selection and Risk Assessment

Whatever the approach the actual execution always
starts at the model, which implies the importance
of selecting an appropriate standard as the
benchmark.
Thus the first step in the gap analysis is to
gather enough information about the situation to
select the right model.
By necessity this activity must be guided by and
referenced to the project charter obtained in the
first phase of this process.

111
Model Selection and Risk Assessment

The other essential piece is the asset baseline
definitions formulated in the prior phase.
Using these two factors for guidance, it should
be possible to find the appropriate model.
Essentially the participants in the selection
process decide what must be protected and what
type of solution is appropriate to those implicit
requirements.

112
Model Selection and Risk Assessment

The requirement for a gap analysis is common
across all models of information security.
That is, a gap analysis is always done the same
way for the same purpose no matter what .
In professional settings the gap analysis is
usually called a risk assessment.
That is because the point of the activity is to
identify RISKS created by gaps in operating
procedures.

113
Model Selection and Risk Assessment

This risk assessment activity is arguably the
most important element in formulation of a proper
security response because it
identifies the potential threats
assesses the harm that might ensue from each
analyzes and categorizes options for response.
Operationally this process is carried out by
comparing the form of the current operation to
the comprehensive set of ideal best practice
requirements specified in the framework model.

114
Model Selection and Risk Assessment

This is done to identify the gaps that exist.
These gaps represent the vulnerabilities and
weaknesses that must be addressed by new
procedures.
Since a particular threat may not necessarily
have much impact for a given situation, once the
risk exposures are all identified they are
assessed to distinguish only those that would
create specific and undesirable vulnerabilities.

115
Model Selection and Risk Assessment

Next, these vulnerabilities are carefully
analyzed with respect to the particular
organizational situation in order to identify the
specific weaknesses that the security system
needs to target directly.
These weaknesses are prioritized so that the ones
with the most critical impacts are dealt with
first.

116
Model Selection and Risk Assessment

The process can best be described by looking at
it from the standpoint of the documentation that
is utilized to carry it out.
In fact the tangible documentation set is so
important that it is generally the only thing
that an auditor uses to verify that a selected
model has been implemented properly.

117
Elements of the Gap Analysis
IBOK Control Objectives
Explicit Set of Identified Vulnerabilities and
Weaknesses
Outcomes - Degree of Conformance to Control
Objectives
Operational Charter for Security System
118
Model Selection and Risk Assessment

The first of these are the inputs to the
assessment process.
These inputs represent the set of ideal best
practices that are itemized in the IBOK and their
concomitant controls.
That ideal is used as the point of reference for
the ensuing assessment.
The organization describes its degree of
conformance with the relevant benchmark criteria
selected from the IBOK model to document this.

119
Model Selection and Risk Assessment

The box in the center represents the detailed
assessment outcomes that the organization will
obtain as a consequence of this comparison.
As we said earlier the point is to explicitly
characterize the level of compliance between a
particular operation and the ideal specified in
the IBOK.

120
Model Selection and Risk Assessment

Finally, the documentation produced is a precise
statement of the vulnerabilities that the
identified areas of non-compliance represent.
This documentation will drive the activity in
subsequent stages where the organization will
make decisions about the actions that must be
taken to address each identified weakness
As well as how it will document the security
system for the purposes of management oversight
and audit.

121
Asset Valuation and Tradeoff

The product of this phase is a concrete security
strategy.
The input is derived from the outcomes of the
prior three stages.
The boundary setting element is particularly
important to this consideration since there is a
direct relationship between resources required to
establish a security level specified and the
extent of the territory that must be secured.

122
Asset Valuation and Tradeoff

Operational factors that enter into the
development of this strategy include
What is the level of criticality of each
particular information asset that falls into the
asset baseline
What is the specific degree of resource
commitment required to assure it?
Thus the most important aspect of this might lie
in the simple valuation of the assets themselves.

123
Asset Valuation and Tradeoff

This is the case because in the real world there
are never enough resources to absolutely secure
every element of the information asset baseline.
And since that baseline is overwhelmingly
composed of abstract entities, the value of that
asset base is also abstract, meaning not known.
Therefore it is essential for each organization
to adopt a uniform methodology to systematically
value and prioritize its information assets so
that the most important assets are targeted
first.

124
Asset Valuation and Tradeoff

As a consequence it is our assumption that the
critical success factors are defined at the
business level
And any form of operational asset valuation must
be rooted in and reflect the vision, strategies
and purposes of that part of the organization.
There are numerous ways of going about asset
valuation.

125
Asset Valuation and Tradeoff

The training manual uses the Balanced Scorecard
approach simply because it is arguably one of the
easiest and most popular of these.
Using a tailored scorecard the organization can
assign a quantitative value for each of the
identified items entered in the security
baseline.
And it can confidently allocate a security
priority to it based on its relative value, as
determined by the data obtained through one (or
all) of these relevant categories.

126
Asset Valuation and Tradeoff

The benefit of this approach is that the
organization will know with certainty which item
to secure and in what order
In addition it will have demonstrates that due
diligence was done in making that determination.
The best part of this approach is that as data is
collected and refined over time the organization
is able to increase its valuation effectiveness,
and thus sharpen its control over its asset base.

127
Asset Valuation and Tradeoff

The process that ensues is a political one,
however it is necessary.
That is the actual tradeoff process that is the
fundamental element of strategic planning.
This is not a scientific activity although with
precisely targeted information decision makers
can move ahead with some assurance that they are
basing their strategies on the realities of the
situation.

128
Asset Valuation and Tradeoff

The assumption is that the actual deployment of
the security function will meet the requirements
of the organizations security charter.
That decision-making is based on
knowledge of the financial, equipment and
personnel resources available to implement the
desired level of security
the pressing business concerns and the relative
value of the asset.

129
Asset Valuation and Tradeoff

It is driven by the model that will be used to
implement the actual security solution
However the point is to have a clear fix on the
asset base so that the particulars of the
deployment can be planned with precision.
This should be both tangibly documented and
publicized to the organization at large.
This also effectively concludes the threat
identification and response phase of the formal
information security protection process.

130
Control Selection

The next step in this process is the actual
selection and validation of the control set.
Since this is model specific we are going to
focus the discussion in terms of the generic
steps required.

131
Control Selection

This phase involves tailoring, deploying and
validating an appropriate control set.
This is almost always based on some sort of
standard model of correct practice.
And that is 99.9 of the time the same model
employed to do the gap analysis
Although not absolutely the required

132
Control Selection

The outcome is unique in the sense that the
deployment is determined by the situation.
However there are elements that must be carried
out no matter which model is selected
Assignment of controls to a security baseline
Assessment of the effectiveness of those controls
The formulation of the final control set into a
security system.

133
Formulating the Control Set

The necessary security controls are deployed once
the information asset baseline has been
established and prioritized.
This requires an item-by-item assessment of the
information resource baseline in order to design
and formalize the appropriate control set.
Nonetheless in order to devise the appropriate
and correct set of control procedures it is
necessary to return to the risk analysis to
better understand the nature of the threat.

134
Formulating the Control Set

Basically threats can be characterized as
physical, or logical, from internal, or external
sources.
Thus the analysis considers the safeguards or
controls that are necessary to suitably address
any and all anticipated threats.

135
Formulating the Control Set

That includes steps to detect a threat as close
to the time that it occurs (threat response)
And a procedure to ensure that it will be either
attended to by subsequent corrective action, or
that the loss that may arise from it will be
effectively contained.

136
Formulating the Control Set

Since adverse impacts of threats also inevitably
fall into the financial arena it is important to
consider the applicable ROI issues.
One obvious example, is that it ought to be known
whether the cost of the control (on an annual
basis) would be less than any anticipated
(dollar) losses.

137
Formulating the Control Set

Another consideration is the frequency with which
the threat occurs.
If the historical rate of occurrence is high than
even a low ROI (per incident) item could prove to
be a good investment.

138
Formulating the Control Set

The other issue is the PROBABILITY that a threat
might occur.
Probability should never be confused with
frequency.
In essence the question has to be asked what the
probabilities are that harm might ensue if it
DOES occur.

139
Formulating the Control Set

For instance, burglars might very infrequently
visit your house but when they DO the likelihood
is high that they will take something.
Thus these two related factors have to be
balanced with each other when doing a threat
assessment.

140
Formulating the Control Set

In essence the question that has to be answered
for a particular control is how likely is it that
a given occurrence will produce mischief.
That is because in reality, some threats may
occur many times within the period of a years
time, especially those associated with
unintentional actions of users or employees.

141
Formulating the Control Set

Finally, it must be recognized that there is
always an uncertainty in all of these cases that
dictates that baseline control formulation should
always be an iterative function.
Basically uncertainty can be estimated as a level
of confidence, from zero to 100 percent on any
control.

142
Formulating the Control Set

What this expresses is the necessity, or
usefulness of the associated control (e.g., this
should be considered to be 91 necessary).
It should be noted that the failure to integrate
uncertainty factors into the risk analysis will
reduce the overall level of trust in the
effectiveness of the resultant control baseline.

143
Assessment of Control Coverage

It is necessary to validate the selected control
set in order to assure the effectiveness as well
as confirm the accuracy of the defensive scheme.
This always takes place after it is operationally
deployed.
That is, it is formulated into an active baseline
and placed under effective baseline control.

144
Assessment of Control Coverage

From an IT management standpoint this activity is
a standard beta test function
in the sense that the essence of the process is
the ongoing comparison of expected performance
with the actual result of executing the process.

145
Assessment of Control Coverage

The assessment process is planned, implemented
and monitored in the same fashion as any other
testing activity.
It normally embodies the criteria and factors
considered during the threat analysis and
baseline formulation process, but operational
issues can be added at this point as well.
The intention is to be able to say with assurance
that the aggregate control set is effective given
the aims of the protection scheme.

146
Assessment of Control Coverage

Operationally, this should be done within a
specified time-frame as well as a defined
reporting and decision making structure.
Because the overall purpose of this step is to
produce a finalized baseline the organization
must treat it exactly like a project
In the sense that the outcome of the process is a
fully functioning security control set.

147
Assessment of Control Coverage

Once the project purposes and timelines are set,
generally speaking each control must have a set
of performance assessment criteria assigned.
The purpose of this is to underwrite precise
monitoring of the effectiveness of each component
of the security baseline.
Therefore these criteria must be both measurable
and able to be recorded.

148
Assessment of Control Coverage

Then on execution of the process the outcomes
associated with each control are recorded.
The organization uses the ongoing outcomes of the
operational use of the control, to assess its
effectiveness.
This assessment is based on the performance
criteria set for that particular control as well
as the assumptions about cost and occurrence that
were part of the baseline formulation process.

149
Control Objective Beta Test Process
Performance Criteria
Control Objective Performance in Operational
Environment
Assessment of Control Effectiveness
Recorded Outcomes
Baseline Formulation Assumptions
Aggregation of control objective test results
Assessment of Baseline Effectiveness
Final Implementation of Control Baseline
150
Assessment of Control Coverage

Then, once the testing step is complete the
aggregate set of results for the control baseline
is assessed for the purposes of formalizing a
finalized set of security control objectives.
These controls represent the operational
realization of the security system and their
baseline representation is maintained under
strict change control by the configuration
management system.

151
Assessment of Control Coverage

The released version of this baseline is managed
by that function in the same manner as a software
release
That is, no changes are allowed without
authorization and subsequent verification of the
correctness and effectiveness of the change.

152
Module Three Review