Information Assurance Professional - PowerPoint PPT Presentation

Slides: 154
Provided by: dans158

Transcript and Presenter's Notes

1
Information Assurance Professional
  • National Security Registration Board
  • Version 2.6

2
Course Goals
  • This course presents the fundamental concepts of
    information assurance.
  • It is designed to foster a mastery-level
    understanding of the IA process.
  • The intention is to prepare a trained IA
    professional.

3
Course Application
  • You learn how to tailor a practical information
    assurance architecture using this BOK,
  • As well as how to deploy an appropriate set of
    flexible countermeasures.

4
Three Assumptions
  • Three major assumptions underlie this course
  • Assumption One
  • Effective Information security requires an
    integrated set of business and technological
    processes.

5
The Three Assumptions
  • Assumption Two
  • Effective information security programs must be
    deliberately designed and deployed
    organization-wide through a strategic planning
    process

6
The Three Assumptions
  • Assumption Three
  • Information security programs are systematic.
  • That is, they embody an appropriate set of
    persistent and interacting controls.
  • These function seamlessly and as an integral
    element of the day-to-day operation of the business.

7
The Importance of Planning
  • All three of these requirements must be satisfied
    for the solution to be correct.
  • That condition is not arrived at by chance.
  • It is always derived from a valid set of common
    best practices.

8
The IBOK
  • The IBOK is a compendium, or body-of-knowledge
    rather than a standard
  • It is an integration of three existing models
    into a single unified concept
  • The idea is that a harmonized set of
    recommendations is the most authoritative
    statement about best practice.

9
Best Practice Models
  • There are at least three models that are used to
    guide that process:
  • The Generally Accepted System Security Principles
    (GASSP), 1999
  • ISO 17799 and BS 7799-2 (2002)
  • COBIT (2006)

10
Best Practice Models
  • Each of these embodies a fundamental set of
    principles derived from extensive lessons
    learned
  • Each of these provides a useful set of high-level
    control objectives, which can be tailored to any
    organizational need.
  • And each has the potential to serve as the basis
    of an effective solution.

11
Best Practice Models
  • This model comprises the Information Security
    Body of Knowledge (IBOK).
  • It also presents a standard implementation
    methodology for this BOK.

12
Course Assumptions
  • Individuals who successfully complete this course
    can be assumed to be
  • Knowledgeable in the best practices for
    information assurance
  • Competent to implement security systems that are
    capable of being accredited by the NSRB.

13
Text
  • The following are required
  • Information Security Body of Knowledge IBOK
    Open Standard 2.2, International Standards
    Institution of Governors, 2004
  • Training Guideline, IBOK, National Standards
    Registration Board, 2003

14
Course Description
  • You will learn how to
  • Create an information security architecture
  • Establish detailed control procedures within this
    framework

15
Course Description
  • Systematically identify and monitor areas of
    vulnerability
  • Assess the impact of threats as they are
    identified
  • Deploy appropriate technological and managerial
    countermeasures

16
Course Objectives
  • At the end of this course you will be able to
  • Deploy an appropriate managerial and technical
    control framework
  • Establish a correct information security control
    set within that framework

17
Course Objectives
  • Conduct a capable threat identification
  • Formulate a baseline defense in depth
    countermeasure set

18
Course Objectives
  • Be able to valuate assets and justify the
    countermeasures based on that valuation
  • Be able to deploy, assess and continuously
    maintain operational countermeasures

19
Course Agenda
  • 3:00-3:30 Module One: Principles of Information
    Security
  • 3:30-4:00 Module Two: The Information Assurance
    Process
  • 4:00-4:45 Module Three: The Implementation
    Process
  • 4:45-5:00 Initiate Project
  • 5:00-5:30 Prepare Solution
  • 5:30-5:45 Report Solution
  • 5:45-6:00 Questions and Lessons Learned

20
Module One
The Five Basic Goals of the Information Assurance
Process
21
The Five Basic Goals of IA
  • Information assurance ensures the
  • Availability
  • Confidentiality
  • Integrity
  • Authentication
  • Non-Repudiation of Origin
  • of information.

22
Definition Confidentiality
  • Confidentiality is the condition that ensures
    that information is not disclosed to unauthorized
    persons, processes or devices.
  • This implies the requirement for such discrete
    functions as
  • information identification and labeling
  • Need-to-know procedures.

23
Definition Integrity
  • Integrity is the condition of assuring trust.
  • Within the information security universe,
    integrity is specifically interpreted to mean
  • that a transmission will arrive at its
    destination in exactly the same form as it was
    sent.

24
Definition Integrity
  • That requires ensuring
  • the logical correctness and reliability of the
    operating system
  • the logical completeness of the hardware and
    software entities
  • the consistency of the data and occurrences of
    the stored data.

25
Definition Authentication
  • Authentication is a security service designed to
    establish the validity of a transmission,
    message, or originator
  • It is also a means of verifying an individual's
    authorizations to receive specific categories of
    information.

26
Definition Authentication
  • Authentication ensures that the occurrence of
    false identities is eliminated.
  • An individual, an organization, or a computer has
    to be able to prove its identity to be properly
    secured.

27
Definition Authentication
  • This also implies an authorization function.
  • Authorization describes the system's ability to
    regulate access to resources once the identity is
    verified.

28
Definition Availability
  • Availability implies the ability to provide
    authorized users with timely and reliable access
    to data and information services.
  • It is characterized by best practices such as
  • back-up power
  • continuous signal
  • off-site recovery

29
Definition Availability
  • Availability also describes the overall goal of
    security management,
  • Which is to ensure the requisite level of
    trustworthiness in day-to-day operation.

30
Definition Availability
  • In reality, availability is a condition, rather
    than a specific security function.
  • It is often traded off against purely security
    related conditions, like confidentiality.

31
Definition Availability
  • Because availability ensures that the business
    keeps functioning,
  • There might be a time when assuring availability
    outweighs the procedures that are necessary to
    secure information.

32
Definition Availability
  • The judgment to sacrifice any of the other
    security services for the sake of enhanced
    availability is a risk mitigation decision,
  • Which is usually motivated by threats and
    vulnerabilities in the business case.

33
Definition Non-Repudiation
  • Non-repudiation of origin provides the sender
    with proof of delivery
  • AND
  • It underwrites the identity of the sender to the
    recipient.

34
Definition Non-Repudiation
  • As a result, neither party can later deny that
    the message was legitimately sent and received.
  • Non-repudiation has ramifications for everything
    from purchases on eBay to modern battlefield
    orders.

35
Module One Questions
  • What are the Five Elements of IA?
  • What does integrity ensure?
  • What is often traded off against availability?
  • What is the value of non-repudiation to
    businesses?
  • What does authentication require to work
    properly?
  • What is a risk mitigation decision?
  • What is non-repudiation based on?
  • What is availability characterized by?
  • What does need-to-know support?
  • What basic condition does offsite backup ensure?

36
Module Two
The Information Assurance Process
37
The Information Assurance Process
  • Information assurance is a multifaceted process
    composed of fifteen elements and one critical
    capability
  • Each is a discrete function and each contributes
    differently to the overall purposes of securing
    information.
  • These fifteen elements comprise a lifecycle.

38
The Information Assurance Process
  • All fifteen function within that lifecycle to
    ensure an effective level of security.
  • Each element plays its proper role at a logical
    place within the process.

39
The Information Assurance Process
  • The outcome is adequate protection of all
    information assets

Adequate protection assumes the presence of all
necessary safeguards!
40
Building a Holistic Solution
  • Electronic assurance constitutes just one aspect
    of that protection.
  • Full protection has to incorporate all of the
    organizational functions and human factors
    relevant to security.

41
Building a Holistic Solution
  • The outcome must constitute a holistic response.
  • In essence the response must integrate
  • All of the assurance measures
  • To protect all information
  • At all times

42
The Fifteen Principles
  • The IBOK integrates a common body of knowledge.
  • That BOK itemizes fifteen aspects of security
    (and one critical process).

43
The Fifteen Principles
  • Each must be addressed in order for a security
    solution to be complete.
  • These are arrayed in the lifecycle model
    demonstrated on the next set of slides

44
IA Lifecycle: Lifecycle Scope
  • (Diagram) The information resource is described by
    asset identification and evaluated by a risk
    assessment.
45
IA Lifecycle: Management
  • (Diagram; node labels as extracted) Security Policy,
    Security Infrastructure, Access Control, Security
    Discipline, Ethical Conduct, Security of Operations.
  • Connectors shown: "which is shaped by", "defines",
    "which enforces", "and", "which is maintained by".
46
IA Lifecycle: Countermeasures
  • (Diagram) Three groups: Technical Countermeasures,
    Management Countermeasures and Process
    Countermeasures.
  • Elements shown: Physical Security, Software
    Assurance, Continuity, Compliance, Personnel
    Security, NETSEC, Process Assurance, Crypto.
47
Principle One Asset Identification
  • The form of the information resource has to be
    understood in order to properly secure it.
  • Thus, everything that is part of that resource
    has to be identified, labeled and placed in a
    documented asset baseline.
  • It is also necessary to establish a system for
    controlling changes to that baseline.

48
Principle Two Risk Assessment
  • Risk assessment defines the form of the security
    response.
  • Current operations as well as prospective ones
    are systematically evaluated using risk
    assessment
  • The goal is to identify potential threats,
    vulnerabilities and weaknesses within the asset
    base

49
Principle Three Security Policy
  • Then the organization establishes uniform
    policies to guide the assurance process.
  • These policies are the basis for the solution.
  • The outcome is a rational set of guidelines for
    information assurance.

50
Principle Four Infrastructure
  • The procedural infrastructure is a tangible
    realization of security policy
  • The organization has to design and enforce a
    logical and consistent set of procedures
  • These must be directly traceable to the policies
    they implement.

51
Principle Five Access Control
  • One of the chief purposes of any security scheme
    is regulating access.
  • This principle specifies the need for an
    operational structure to enable that.
  • Its aim is to grant access to legitimate users
    while preventing unauthorized persons from
    gaining access to protected information.

52
Principle Six Security of Operation
  • This involves continuous enforcement of routine
    security procedures.
  • At its essence this revolves around the incident
    response capability.
  • It also entails procedures to prevent vital
    information from being used by an adversary
    (called OPSEC).

53
Principle Seven Continuity
  • This details a comprehensive strategy to ensure
    business continuity
  • It defines explicit practices to ensure that the
    business continues to operate if its information
    is lost or harmed
  • It also establishes the explicit disaster
    planning and recovery capability

54
Principle Eight Compliance
  • This principle ensures that a comprehensive
    mechanism is in place to ensure compliance
  • It guarantees that the stipulations of all
    contracts and regulations are obeyed.
  • It ensures that due diligence is exercised in
    meeting all legal requirements.

55
Principle Nine Physical Security
  • The purpose of physical security is to control
    tangible information and IT assets.
  • It establishes an asset management process and a
    realistic physical protection scheme.
  • It involves standard operating practices to
    ensure the integrity of all workspaces and
    physical resources within a secure boundary.

56
Principle Ten Personnel Security
  • This involves comprehensive procedures to assure
    worker compliance with security policy.
  • It is based around employee screening and the
    assignment of roles and responsibilities
  • It also monitors the security activities of all
    employees.

57
Principle Eleven Process Security
  • This focuses on the development lifecycle.
  • It contains methods to ensure security is
    embedded in all development work
  • It makes certain that security functionality is
    baked into all products during development

58
Principle Twelve Network Security
  • This assures network access to electronic assets.
  • It establishes both network access control as
    well as network monitoring.

59
Principle Twelve Network Security
  • This is a classic purpose of information
    assurance
  • It identifies users, authenticates, authorizes
    and controls access.
  • It also includes elements necessary to ensure the
    development of secure network architectures.

60
Principle Thirteen Software Assurance
  • This principle ensures continuing integrity of
    all application and system software.
  • That includes installing software and also
    analyzing and reporting on its performance.
  • It ensures secure operation of all software
    within the operational environment and resolution
    of anomalies and conflicts.

61
Principle Fourteen Security Discipline
  • Discipline is human centered.
  • It ensures that policies and procedures are
    understood and adhered to in a disciplined way.
  • Its purpose is to establish awareness and
    motivation and enforce discipline.

62
Principle Fifteen Ethics
  • This principle delineates a comprehensive code of
    defined ethical practices.
  • This code accurately reflects community norms
    with respect to ethical behavior
  • It serves as a basis for the rules of conduct as
    well as personal accountability.

63
Critical Supporting Process Cryptology
  • Cryptology is not a principle as much as it is
    the basis for secure message transfer
  • It is not a principle because it isn't at the
    same level as the others in the IBOK.
  • It is a necessary foundation requirement to
    secure electronic transmission.

64
Critical Supporting Process Cryptology
  • It is a very large topic area because it includes
    so many technical aspects
  • It entails the technical requirements for
    translating plaintext into encrypted
    transmissions.
  • It also dictates the encryption methods and key
    structures that underlie that process.

65
Application of the Principles
  • Each principle acts to secure the specific aspect
    that it is meant to assure
  • The integrated set forms a mutually supporting
    system that provides the desired level of
    assurance.

66
Application of the Principles
  • All information assurance processes embody an
    established collection of common components,
  • Which are designed to work together to produce an
    optimum solution.
  • The overall solution can be understood in terms
    of those components and their logical
    interactions.

67
Application of the Principles
  • Moreover, they also represent an implicit
    structure for the process.
  • This structure has a lifecycle orientation.

68
Institutionalization Factors
  • Establishment
  • Means
  • Oversight
  • Enforcement
69
Overview
  • Institutionalization factors can be used to
    determine if these 15 principles and one critical
    function have been properly established.
  • Processes must meet the following common criteria
    in order to be judged as effectively practiced

70
Establishment
  • The organization must document its commitment to
    each principle. Criteria for judging this are
  • Explicit designation of a manager responsible for
    controlling ongoing operation
  • The placement of the manager in a position of
    authority sufficient to enforce decisions
  • The continuous maintenance of that position in
    the organizational decision making structure

71
Means
  • Qualified employees must be provided. Criteria
    for judging this are
  • The necessary staff and resources are
    identifiably designated and deployed
  • It is possible to document, that staff are
    competent to perform their assigned roles
  • The deployment of staff resources is explicitly
    traceable to individual principles.

72
Oversight
  • The organization must provide an objective means
    to monitor the fulfillment of the purposes of
    each principle. Criteria for doing this are
  • Development and use of formal measures of
    performance
  • Use of analytic methods to support decision
    making
  • The designation of, and adherence to, formal
    reporting lines and follow-up procedures.

73
Enforcement
  • The organization must assure that each principle
    is adhered to. Criteria for judging this
    include
  • Designation of a person accountable for
    enforcement
  • Regularly scheduled internal audit, or review of
    the principle for compliance
  • Defined procedures for corrective action.

74
Module Two Review
  1. Why is cryptology included among the principles?
  2. How do policy and infrastructure relate?
  3. Why does information assurance have a lifecycle?
  4. Why is asset identification the first step?
  5. Why are there three areas of countermeasure?
  6. How do security discipline and operation security
    relate?
  7. What is the role of ethics in policy formulation?
  8. How do continuity and operations security relate?
  9. Why is software assurance important to security?
  10. What is the role of compliance in security?

75
Module Three
Implementing the Security Response
76
Implementation Overview
  • Security involves identifying, prioritizing and
    managing a response to every plausible threat to
    the organization's information assets.
  • This countermeasure deployment function is not a
    one-shot front-end to the establishment of a
    static security solution.
  • It is a constant and organized probing of the
    environment to sense the presence of, and respond
    appropriately to, any potential sources of harm to
    the organization's information assets.

77
Implementation Overview
  • As a consequence, the first step in formulating a
    correct security response is threat
    identification
  • That amounts to the identification of ANY threats
    in the organization's technical or operating base
    that might lead to the loss of ANY information,
    of ANY value,
  • And then the deployment of an effective set of
    controls to alleviate each vulnerability
    identified.

78
Model of the Implementation Process
  • (Diagram; boxes as extracted, arranged above and
    below a red line)
  • Model Selection and Gap Analysis
  • Asset Baseline Formulation and Control
  • Asset Valuation and Resource Tradeoff
  • Information Gathering and Chartering
  • Assessment of Control Coverage and Effectiveness
  • Formulation and Baselining of the Control Set
  • Refinement and Finalization of Control Set
79
Implementation Overview
  • The activities above the red line are termed the
    Threat Identification and Response phase
  • This part of the process drives the resource
    allocation decisions as well as the development
    and refinement of the optimum set of controls.

80
Implementation Overview
  • The activities below the red line are aimed at
    the definition of the tangible information
    security system.
  • We are going to discuss each of these boxes in
    turn in detail.

81
Threat Identification
  • Threat identification and response is composed of
    four elements
  • Information Gathering and Chartering
  • Asset Baseline Formulation
  • Model Selection and Gap Analysis
  • Asset Valuation and Tradeoff.

82
Threat Identification
  • The aim of these four activities is to achieve an
    understanding of the security response that is
    appropriate to the precise situation
  • And which fits within the constraints of the
    organization.
  • Properly executed, it is conducted in the
    background of day-to-day organizational
    functioning.

83
Threat Identification
  • In practice, it employs methods and tools to
    identify, analyze, plan for, and control any
    potentially harmful or undesirable event.
  • It should be noted that, while the overall aim of
    the threat identification and response process is
    to prevent or minimize the impact of security
    losses at the business level of the organization,
  • Technical risks are also managed, since they often
    constitute the root cause of business breaches
    or losses.

84
Threat Identification
  • Threat identification and response approaches
    must establish a disciplined environment for
    proactive decision-making.
  • They should regularly assess what could go
    wrong and then determine the approach and timing
    by which each potential threat will be countered.
  • This all takes place within the constraints of
    practical business considerations such as
    resources available and time.

85
Threat Identification
  • The last part of this process is an important
    issue in the implementation of a realistic
    solution since it is highly likely that more
    risks will be identified than can possibly be
    responded to.
  • So it is important to at least address the ones
    that pose the most potential harm to the
    corporation.

86
Threat Identification
  • Finally, we want to stress that the form of the
    process as well as the scope of the solution is
    dictated by the type of security desired.
  • Consequently the substance of the identification,
    analysis, planning and control elements and
    activities required is going to vary.
  • As we progress through this guideline it is also
    important to keep in mind that although the form
    of the process is generic, the actual
    considerations vary with the focus and intent of
    the organization.

87
Information Gathering and Chartering
  • Operationally, the right set of organizational
    representatives formulates the requirements of
    the security system into a statement of need,
  • Which is then documented and authorized by the
    appropriate executive decision makers and
    published to the business at-large.

88
Information Gathering and Chartering
  • The only purpose of this phase is to serve as a
    launch pad for the decision-making regarding the
    specific security model utilized next.
  • So logically, this element should generally
    define both the scope and extent of the desired
    solution.

89
Information Gathering and Chartering
  • In practice, this stage is probably the least
    substantive aspect of any implementation project
    in the sense that it does not really touch on any
    of the details of the actual protection scheme.
  • Nonetheless, it might be the single likeliest
    point of failure.
  • That is because everything that will happen
    downstream originates from this one point.

90
Information Gathering and Chartering
  • As a consequence, it is important for everybody
    who will have anything to do with the system to
    understand and agree on the type and degree of
    protection at the beginning of the process.
  • In effect this agreement should accomplish two
    critical purposes.
  • From a functional system standpoint it has to
    ensure that the problem is properly targeted.

91
Information Gathering and Chartering
  • More importantly, it should also support the
    education and buy-in of the people who are
    actually going to be actively involved in
    formulating the system.
  • That is because it is well documented that the
    long-term success of any solution is directly
    dependent on the level of support for the
    process.
  • This is not an inconsequential exercise, and it
    can be resource intensive.

92
Information Gathering and Chartering
  • The execution of this process is generally based
    on the generic systems analysis approaches that
    have populated the organizational development
    body of knowledge for the past fifty years.
  • There are numerous recognized ways of actually
    conducting this.
  • However there is only one absolute requirement,
    which is that the eventual outcome has to be
    sponsored at the highest levels of the company

93
Information Gathering and Chartering
  • There have been a number of studies to support
    the idea that ownership of security should be at
    the level of the Board of Directors or CEO (the
    best of these are summarized in DTI, 2002).
  • Notwithstanding that, the literature is unanimous
    in stressing that effective information assurance
    solutions have to be thoroughly embedded in the
    organization, and that requires across-the-board
    acceptance,
  • Which can only be enforced through executive
    sponsorship.

94
Information Gathering and Chartering
  • One final point also must be stressed, which is
    that the information gathering function should
    not degenerate into a detailed technical problem
    solving process.
  • The only objective of this first stage is to
    define the general form of the problem for the
    purpose of determining an explicit strategic
    direction.

95
Information Gathering and Chartering
  • There are many reasons why a complete framework
    solution may not be appropriate, ranging from a
    lack of resources all the way to knowledge of a
    specific targeted need.
  • These must all be identified, brought forward and
    agreed on in order to choose a proper scope and
    appropriate model for the eventual response.

96
Information Gathering and Chartering
  • Since the players are usually busy executives,
    they are never interested in the details, only in
    the assurance that the correct target will be
    hit.
  • As such, the first phase has to be conducted with
    that single goal in mind.
  • Once the direction is chosen the form of the rest
    of the process is dependent on the model selected
    and that activity constitutes the rest of this
    stage.

97
Information Gathering and Chartering
  • The selection of an appropriate model is crucial,
  • Since the only way that the protection scheme
    will work is if the model it is based on fits the
    organization's security needs.
  • The final point that we need to make before we
    leave this section, however, is that there is no
    one model for information protection.

98
Information Gathering and Chartering
  • The only rule is that whatever is selected should
    fit the exact requirements of the situation.
  • This is both an intelligent design process as
    well as a political one.
  • As such, the outcomes of the information
    gathering process must be rigorously adhered to
    in order to guide that decision-making process.

99
Information Gathering and Chartering
  • And the eventual model selected should always
    meet the requirements that have been bought
    into by the whole organization through the
    chartering process.
  • Since the next phase of the process starts the
    tactical implementation of the security solution
    this initial stage is the point where the
    strategy is set.

100
Asset Baseline Formulation
  • This second stage is probably the least commonly
    understood in that with most protection schemes
    the form of the assets to be protected is known.
  • As the user knows, in the case of information
    security the asset base is an abstract construct,
    which could legitimately have many forms.
  • As such, before protection schemes can be devised
    the boundaries and material form of the asset
    must be characterized.

101
Asset Baseline Formulation
  • That involves gathering all of the pertinent
    information necessary to define the complete form
    of the assets that will be protected,
  • Which involves the meticulous identification and
    labeling of every item under control of the
    security system.
  • This is not a trivial exercise.
  • It is a prerequisite for subsequent assessment of
    risk because it establishes the "day one" state
    of the organization's total set of information
    assets.

102
Asset Baseline Formulation
  • In practice, the aggregate set of assets is
    termed a baseline.
  • The individual components that constitute this
    baseline must be explicitly identified and
    labeled as part of the asset identification
    process.
  • A precisely defined information asset baseline is
    an absolute prerequisite for the conduct of the
    rest of the process, since it is this explicit
    configuration that is maintained by the security
    system.

103
Asset Baseline Formulation
  • And because it is a tangible structure, the
    classification and tagging of the asset elements
    that constitute it is usually based on their
    logical interrelationships with each other.
  • This is maintained as a hierarchy of elements
    that ranges from a view of the information asset
    as a single entity down to the explicit items
    that constitute that resource.
  • The baseline scheme that emerges at the lowest
    level of decomposition represents the concrete
    architecture of the target information asset.

104
Asset Baseline Formulation
  • The decisions that determine what this asset base
    looks like are normally made using the input of a
    number of different participants.
  • That could range from the technical staff all the
    way up to executive owners of a given information
    item.
  • The items defined at any level in the hierarchy
    are given unique and appropriate labels that are
    explicitly associated with the overall
    organization of the information asset itself.

105
Asset Baseline Formulation
  • That is, these labels designate and relate the
    position of any given item in the overall "family
    tree" of the asset base.
  • Once established, the formal information asset
    baseline is kept in a ledger, which is fully
    accounted for and maintained throughout the
    lifecycle of the security system.
  • Since security systems are evolutionary, formal
    procedures also have to be put in place to
    systematically manage the inevitable changes to
    the form of the information asset baseline.

106
Asset Baseline Formulation
  • In the real-world most corporate information
    asset baselines are maintained in an electronic
    ledger, which is generically termed a Baseline
    Management Ledger, or BML.
  • Changes at any level in the basic structure of
    the information asset baseline are maintained at
    all relevant levels in that ledger and must
    correctly and accurately reflect the changed
    status of the actual information item.

107
Generic Change Management
  (Flow diagram; its elements, in order, are:)
  • Notification / Request for Change
  • Information Asset Baseline Manager
  • Authorization by Appropriate Decision Maker
  • Implementation of Change
  • Verification of Change
  • Baseline Management Ledger
108
Asset Baseline Formulation
  • If this is not done in a systematic and
    disciplined fashion, the painfully constructed
    understanding of the form of the information
    asset will move out of the organization's grasp,
    leaving it securing things that don't exist and
    not securing things that do.
  • Baseline management would be a time consuming
    task if it were not for commercial utilities that
    do this record keeping automatically.
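The hierarchy of labelled items and the change workflow of the preceding slides, as an added example in Python (not part of the course, and not any commercial BML product). It assumes dotted labels such as "CRM.DB.CUSTOMERS" to encode an item's place in the family tree, and the "CRM" asset, owners and change request are constructed; a change is refused unless it has been requested, authorized by someone other than the requester, implemented and then verified, and implementing it bumps the version at every level from the changed item up to the root so the ledger reflects the change at all relevant levels.

```python
"""Added example (not the course's own material): a minimal Baseline
Management Ledger.  Dotted labels such as "CRM.DB.CUSTOMERS" encode each
item's place in the asset family tree; that label scheme is an assumption."""
from dataclasses import dataclass, field


@dataclass
class AssetNode:
    label: str                  # hierarchical label, e.g. "CRM.DB.CUSTOMERS"
    description: str
    owner: str
    version: int = 1            # bumped when this node or any descendant changes
    children: dict = field(default_factory=dict)


class ChangeRejected(Exception):
    """A workflow step attempted out of order or by the wrong party."""


class BaselineLedger:
    def __init__(self, root_label, description, owner):
        self.root = AssetNode(root_label, description, owner)
        self.entries = []       # append-only ledger of every baseline event
        self.pending = {}       # change id -> request still in the workflow
        self._next_id = 1

    def _chain(self, label):
        # Nodes from the root down to `label`; KeyError if not in the baseline.
        parts = label.split(".")
        if parts[0] != self.root.label:
            raise KeyError(label)
        node, chain = self.root, [self.root]
        for part in parts[1:]:
            node = node.children[part]
            chain.append(node)
        return chain

    def _log(self, event, label, actor, change_id=None, note=""):
        self.entries.append({"seq": len(self.entries) + 1, "event": event, "label": label,
                             "actor": actor, "change_id": change_id, "note": note})

    def identify(self, parent_label, name, description, owner):
        """Asset identification: register an item under its parent."""
        parent = self._chain(parent_label)[-1]
        node = AssetNode(f"{parent_label}.{name}", description, owner)
        parent.children[name] = node
        self._log("identify", node.label, owner)
        return node.label

    # Generic change management: request -> authorize -> implement -> verify.
    def request_change(self, label, requester, new_description):
        self._chain(label)      # requests against unknown items are refused
        change_id = f"RFC-{self._next_id:04d}"
        self._next_id += 1
        self.pending[change_id] = {"label": label, "requester": requester,
                                   "new_description": new_description,
                                   "authorized_by": None, "implemented": False}
        self._log("request", label, requester, change_id)
        return change_id

    def authorize(self, change_id, decision_maker):
        req = self.pending[change_id]
        if decision_maker == req["requester"]:
            raise ChangeRejected("requester may not authorize their own change")
        req["authorized_by"] = decision_maker
        self._log("authorize", req["label"], decision_maker, change_id)

    def implement(self, change_id, implementer):
        req = self.pending[change_id]
        if req["authorized_by"] is None:
            raise ChangeRejected(f"{change_id} has not been authorized")
        chain = self._chain(req["label"])
        chain[-1].description = req["new_description"]
        for node in chain:      # reflect the change at every level up to the root
            node.version += 1
        req["implemented"] = True
        self._log("implement", req["label"], implementer, change_id)

    def verify(self, change_id, verifier):
        req = self.pending[change_id]
        if not req["implemented"]:
            raise ChangeRejected(f"{change_id} has not been implemented")
        ok = self._chain(req["label"])[-1].description == req["new_description"]
        self._log("verify", req["label"], verifier, change_id, "verified" if ok else "MISMATCH")
        if ok:
            del self.pending[change_id]   # complete; the ledger keeps the history
        return ok

    def snapshot(self, node=None):
        # Current version of every item at every level of the hierarchy.
        node = node or self.root
        out = {node.label: node.version}
        for child in node.children.values():
            out.update(self.snapshot(child))
        return out


def demo():
    """Constructed scenario: a CRM asset with database and application tiers."""
    bml = BaselineLedger("CRM", "Customer relationship management system", "cio")
    bml.identify("CRM", "DB", "Customer database tier", "dba-lead")
    bml.identify("CRM.DB", "CUSTOMERS", "Customer master table", "dba-lead")
    bml.identify("CRM", "APP", "Application tier", "app-lead")
    rfc = bml.request_change("CRM.DB.CUSTOMERS", "dba-lead",
                             "Customer master table, PII columns encrypted at rest")
    bml.authorize(rfc, "cio")
    bml.implement(rfc, "dba-lead")
    return bml, rfc, bml.verify(rfc, "internal-audit")
```

After `demo()` the snapshot shows "CRM.DB.CUSTOMERS", "CRM.DB" and "CRM" at version 2 while the untouched "CRM.APP" stays at version 1, and the ledger entries record who requested, authorized, implemented and verified the change; that ledger, not the current description, is what an auditor would read.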

109
Model Selection and Risk Assessment
  • Once the asset baseline is established, the next
    step is usually termed risk assessment.
  • It is in reality a gap analysis conducted against
    a model of correct practice and the literature is
    full of methodologies for carrying out that task.
  • These can be divided into two types, those that
    are based on a commonly accepted standard model
    and those that are based on a set of unique
    criteria.

110
Model Selection and Risk Assessment
  • Whatever the approach, the actual execution always
    starts from the model, which implies the importance
    of selecting an appropriate standard as the
    benchmark.
  • Thus the first step in the gap analysis is to
    gather enough information about the situation to
    select the right model.
  • By necessity this activity must be guided by and
    referenced to the project charter obtained in the
    first phase of this process.

111
Model Selection and Risk Assessment
  • The other essential piece is the asset baseline
    definitions formulated in the prior phase.
  • Using these two factors for guidance, it should
    be possible to find the appropriate model.
  • Essentially the participants in the selection
    process decide what must be protected and what
    type of solution is appropriate to those implicit
    requirements.

112
Model Selection and Risk Assessment
  • The requirement for a gap analysis is common
    across all models of information security.
  • That is, a gap analysis is always done the same
    way for the same purpose, no matter which model is
    used.
  • In professional settings the gap analysis is
    usually called a risk assessment.
  • That is because the point of the activity is to
    identify RISKS created by gaps in operating
    procedures.

113
Model Selection and Risk Assessment
  • This risk assessment activity is arguably the
    most important element in formulation of a proper
    security response because it
  • identifies the potential threats
  • assesses the harm that might ensue from each
  • analyzes and categorizes options for response.
  • Operationally this process is carried out by
    comparing the form of the current operation to
    the comprehensive set of ideal best practice
    requirements specified in the framework model.

114
Model Selection and Risk Assessment
  • This is done to identify the gaps that exist.
  • These gaps represent the vulnerabilities and
    weaknesses that must be addressed by new
    procedures.
  • Since a particular threat may not necessarily
    have much impact for a given situation, once the
    risk exposures are all identified they are
    assessed to distinguish only those that would
    create specific and undesirable vulnerabilities.

115
Model Selection and Risk Assessment
  • Next, these vulnerabilities are carefully
    analyzed with respect to the particular
    organizational situation in order to identify the
    specific weaknesses that the security system
    needs to target directly.
  • These weaknesses are prioritized so that the ones
    with the most critical impacts are dealt with
    first.

116
Model Selection and Risk Assessment
  • The process can best be described by looking at
    it from the standpoint of the documentation that
    is utilized to carry it out.
  • In fact the tangible documentation set is so
    important that it is generally the only thing
    that an auditor uses to verify that a selected
    model has been implemented properly.

117
Elements of the Gap Analysis
  (Diagram; its labelled elements are:)
  • IBOK Control Objectives
  • Explicit Set of Identified Vulnerabilities and
    Weaknesses
  • Outcomes - Degree of Conformance to Control
    Objectives
  • Operational Charter for Security System
118
Model Selection and Risk Assessment
  • The first of these are the inputs to the
    assessment process.
  • These inputs represent the set of ideal best
    practices that are itemized in the IBOK and their
    concomitant controls.
  • That ideal is used as the point of reference for
    the ensuing assessment.
  • The organization describes its degree of
    conformance with the relevant benchmark criteria
    selected from the IBOK model to document this.

119
Model Selection and Risk Assessment
  • The box in the center represents the detailed
    assessment outcomes that the organization will
    obtain as a consequence of this comparison.
  • As we said earlier the point is to explicitly
    characterize the level of compliance between a
    particular operation and the ideal specified in
    the IBOK.  

120
Model Selection and Risk Assessment
  • Finally, the documentation produced is a precise
    statement of the vulnerabilities that the
    identified areas of non-compliance represent.
  • This documentation will drive the activity in
    subsequent stages, where the organization will
    make decisions about the actions that must be
    taken to address each identified weakness, as
    well as how it will document the security
    system for the purposes of management oversight
    and audit.
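The three documentation elements of the gap analysis (inputs, outcomes, vulnerabilities), carried through in Python as an added example that is not part of the course. The control objectives, the 0-4 maturity scale, the impact ratings and the organization's conformance levels are all constructed stand-ins, not IBOK content; the `min_risk` screen is this example's way of expressing the slide's point that not every gap creates an undesirable vulnerability in a given situation, and the weaknesses are prioritized by gap times impact so the most critical are dealt with first.

```python
"""Added example, not from the course: a gap analysis carried through the
documentation set on the "Elements of the Gap Analysis" slide.  Objectives,
scales, impacts and conformance levels are constructed stand-ins for IBOK
content."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlObjective:
    ident: str
    statement: str
    required: int     # maturity level the model expects, 0-4 (constructed scale)
    impact: int       # harm if the objective is unmet, 1-5, taken from the charter


@dataclass(frozen=True)
class Weakness:
    objective: str
    gap: int
    risk: int         # gap x impact: the prioritization key
    statement: str


# Input 1: the ideal best practice, itemized as control objectives (constructed).
MODEL = [
    ControlObjective("AC-1", "Access to information assets is authorized and reviewed", 4, 5),
    ControlObjective("CM-1", "The asset baseline is under formal change control", 4, 4),
    ControlObjective("IR-1", "Incidents are detected and handled within defined times", 3, 5),
    ControlObjective("AT-1", "Personnel receive security awareness training", 3, 2),
    ControlObjective("BC-1", "Critical assets are recoverable within agreed times", 3, 4),
]
# Input 2: the organization's self-described degree of conformance (constructed).
CONFORMANCE = {"AC-1": 2, "CM-1": 4, "IR-1": 1, "AT-1": 3, "BC-1": 2}


def gap_analysis(model, conformance, min_risk=4):
    """Compare operation to the model.  Returns (outcomes, prioritized weaknesses).

    Every objective gets an outcome record; only gaps whose gap x impact reaches
    min_risk are carried forward as weaknesses (the screening step: a gap on a
    low-impact objective may not matter in this situation)."""
    outcomes, weaknesses = {}, []
    for obj in model:
        actual = conformance.get(obj.ident, 0)    # undocumented = no conformance shown
        gap = max(obj.required - actual, 0)
        outcomes[obj.ident] = {"required": obj.required, "actual": actual, "gap": gap}
        if gap and gap * obj.impact >= min_risk:
            weaknesses.append(Weakness(
                obj.ident, gap, gap * obj.impact,
                f"{obj.statement}: level {actual} of {obj.required} required"))
    weaknesses.sort(key=lambda w: (-w.risk, w.objective))   # most critical first
    return outcomes, weaknesses


def report(outcomes, weaknesses):
    """The documentation set an auditor would read, as plain text lines."""
    lines = ["OUTCOMES (degree of conformance)"]
    for ident, o in outcomes.items():
        lines.append(f"  {ident}: {o['actual']}/{o['required']} gap={o['gap']}")
    lines.append("VULNERABILITIES AND WEAKNESSES (prioritized)")
    for rank, w in enumerate(weaknesses, 1):
        lines.append(f"  {rank}. [{w.objective}] risk={w.risk} {w.statement}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(*gap_analysis(MODEL, CONFORMANCE))))
```

With the constructed inputs, AC-1 and IR-1 (each two levels short on impact-5 objectives) head the list, BC-1 follows, and CM-1 and AT-1 produce outcome records but no weakness; an objective the organization never documented is treated as level 0, which is the safe default for an assessment.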

121
Asset Valuation and Tradeoff
  • The product of this phase is a concrete security
    strategy.
  • The input is derived from the outcomes of the
    prior three stages.
  • The boundary setting element is particularly
    important to this consideration, since there is a
    direct relationship between the resources required
    to establish a specified security level and the
    extent of the territory that must be secured.

122
Asset Valuation and Tradeoff
  • Operational factors that enter into the
    development of this strategy include:
  • What is the level of criticality of each
    particular information asset that falls into the
    asset baseline?
  • What is the specific degree of resource
    commitment required to assure it?
  • Thus the most important aspect of this might lie
    in the simple valuation of the assets themselves.

123
Asset Valuation and Tradeoff
  • This is the case because in the real world there
    are never enough resources to absolutely secure
    every element of the information asset baseline.
  • And since that baseline is overwhelmingly
    composed of abstract entities, the value of that
    asset base is also abstract, meaning not known.
  • Therefore it is essential for each organization
    to adopt a uniform methodology to systematically
    value and prioritize its information assets so
    that the most important assets are targeted
    first.

124
Asset Valuation and Tradeoff
  • As a consequence it is our assumption that the
    critical success factors are defined at the
    business level,
  • And any form of operational asset valuation must
    be rooted in and reflect the vision, strategies
    and purposes of that part of the organization.
  • There are numerous ways of going about asset
    valuation.

125
Asset Valuation and Tradeoff
  • The training manual uses the Balanced Scorecard
    approach simply because it is arguably one of the
    easiest and most popular of these.
  • Using a tailored scorecard the organization can
    assign a quantitative value for each of the
    identified items entered in the security
    baseline.
  • And it can confidently allocate a security
    priority to it based on its relative value, as
    determined by the data obtained through one (or
    all) of these relevant categories.

126
Asset Valuation and Tradeoff
  • The benefit of this approach is that the
    organization will know with certainty which items
    to secure and in what order.
  • In addition it will have demonstrated that due
    diligence was done in making that determination.
  • The best part of this approach is that as data is
    collected and refined over time the organization
    is able to increase its valuation effectiveness,
    and thus sharpen its control over its asset base.
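A tailored scorecard of the kind the two preceding slides describe, as an added example in Python that is not part of the training manual. The four perspectives are the classic Balanced Scorecard ones; the weights, the 1-5 scores per item, the asset labels and the P1/P2/P3 tier thresholds are all constructed for the example, and a scorecard with missing perspectives, out-of-range scores or weights that do not sum to one is refused rather than silently valued.

```python
"""Added example, not from the course: a tailored Balanced Scorecard used to
value baseline items and assign them a security priority.  Weights, scores,
asset labels and tier thresholds are constructed."""

# Tailored weights: what this (hypothetical) organization values most; must sum to 1.
WEIGHTS = {"financial": 0.4, "customer": 0.3, "internal_process": 0.2, "learning_growth": 0.1}

# Scores 1-5 per perspective, as collected from each asset's owner (constructed).
SCORES = {
    "CRM.DB.CUSTOMERS":   {"financial": 5, "customer": 5, "internal_process": 3, "learning_growth": 2},
    "CRM.APP":            {"financial": 4, "customer": 4, "internal_process": 4, "learning_growth": 2},
    "HR.TRAINING_PORTAL": {"financial": 1, "customer": 2, "internal_process": 2, "learning_growth": 5},
    "DEV.WIKI":           {"financial": 2, "customer": 1, "internal_process": 3, "learning_growth": 4},
}

# Priority tiers by relative value (constructed thresholds, highest first).
TIERS = ((4.0, "P1"), (3.0, "P2"), (0.0, "P3"))


def scorecard_value(scores, weights=WEIGHTS):
    """Weighted value of one item; refuses incomplete or badly weighted scorecards."""
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("perspective weights must sum to 1")
    missing = [p for p in weights if p not in scores]
    if missing:
        raise ValueError(f"no score recorded for {missing}")
    for perspective, score in scores.items():
        if not 1 <= score <= 5:
            raise ValueError(f"{perspective} score {score} is outside 1-5")
    return round(sum(scores[p] * weights[p] for p in weights), 2)


def prioritize(all_scores, weights=WEIGHTS, tiers=TIERS):
    """Rank every baseline item by value and assign a tier: the order to secure them in."""
    valued = {label: scorecard_value(s, weights) for label, s in all_scores.items()}
    ranked = sorted(valued.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(label, value, next(name for floor, name in tiers if value >= floor))
            for label, value in ranked]


if __name__ == "__main__":
    for label, value, tier in prioritize(SCORES):
        print(f"{tier} {value:4.1f} {label}")
```

The ranking is only as good as the weights, which is why the slides say the scorecard must be tailored: shifting weight from "financial" to "learning_growth" would move the training portal up the list, and re-running `prioritize` after the scores are refined is how valuation effectiveness improves over time.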

127
Asset Valuation and Tradeoff
  • The process that ensues is a political one;
    however, it is necessary.
  • That is the actual tradeoff process that is the
    fundamental element of strategic planning.
  • This is not a scientific activity although with
    precisely targeted information decision makers
    can move ahead with some assurance that they are
    basing their strategies on the realities of the
    situation.

128
Asset Valuation and Tradeoff
  • The assumption is that the actual deployment of
    the security function will meet the requirements
    of the organization's security charter.
  • That decision-making is based on
  • knowledge of the financial, equipment and
    personnel resources available to implement the
    desired level of security
  • the pressing business concerns and the relative
    value of the asset.

129
Asset Valuation and Tradeoff
  • It is driven by the model that will be used to
    implement the actual security solution.
  • However, the point is to have a clear fix on the
    asset base so that the particulars of the
    deployment can be planned with precision.
  • This should be both tangibly documented and
    publicized to the organization at large.
  • This also effectively concludes the threat
    identification and response phase of the formal
    information security protection process.

130
Control Selection
  • The next step in this process is the actual
    selection and validation of the control set.
  • Since this is model specific, we are going to
    focus the discussion on the generic steps
    required.

131
Control Selection
  • This phase involves tailoring, deploying and
    validating an appropriate control set.
  • This is almost always based on some sort of
    standard model of correct practice.
  • And that is 99.9% of the time the same model
    employed to do the gap analysis,
  • Although that is not absolutely required.

132
Control Selection
  • The outcome is unique in the sense that the
    deployment is determined by the situation.
  • However there are elements that must be carried
    out no matter which model is selected
  • Assignment of controls to a security baseline
  • Assessment of the effectiveness of those controls
  • The formulation of the final control set into a
    security system.

133
Formulating the Control Set
  • The necessary security controls are deployed once
    the information asset baseline has been
    established and prioritized.
  • This requires an item-by-item assessment of the
    information resource baseline in order to design
    and formalize the appropriate control set.
  • Nonetheless in order to devise the appropriate
    and correct set of control procedures it is
    necessary to return to the risk analysis to
    better understand the nature of the threat.

134
Formulating the Control Set
  • Basically, threats can be characterized as
    physical or logical, and as coming from internal
    or external sources.
  • Thus the analysis considers the safeguards or
    controls that are necessary to suitably address
    any and all anticipated threats.

135
Formulating the Control Set
  • That includes steps to detect a threat as close
    as possible to the time that it occurs (threat
    response),
  • And a procedure to ensure that it will be either
    attended to by subsequent corrective action, or
    that the loss that may arise from it will be
    effectively contained.

136
Formulating the Control Set
  • Since adverse impacts of threats also inevitably
    fall into the financial arena it is important to
    consider the applicable ROI issues.
  • One obvious example is that it ought to be known
    whether the cost of the control (on an annual
    basis) would be less than any anticipated
    (dollar) losses.

137
Formulating the Control Set
  • Another consideration is the frequency with which
    the threat occurs.
  • If the historical rate of occurrence is high, then
    even a low ROI (per incident) item could prove to
    be a good investment.

138
Formulating the Control Set
  • The other issue is the PROBABILITY that a threat
    might occur.
  • Probability should never be confused with
    frequency.
  • In essence the question has to be asked what the
    probabilities are that harm might ensue if it
    DOES occur.

139
Formulating the Control Set
  • For instance, burglars might very infrequently
    visit your house but when they DO the likelihood
    is high that they will take something.
  • Thus these two related factors have to be
    balanced with each other when doing a threat
    assessment.

140
Formulating the Control Set
  • In essence the question that has to be answered
    for a particular control is how likely is it that
    a given occurrence will produce mischief.
  • That is because in reality some threats may
    occur many times within a year's time,
    especially those associated with unintentional
    actions of users or employees.

141
Formulating the Control Set
  • Finally, it must be recognized that there is
    always an uncertainty in all of these cases that
    dictates that baseline control formulation should
    always be an iterative function.
  • Basically uncertainty can be estimated as a level
    of confidence, from zero to 100 percent on any
    control.

142
Formulating the Control Set
  • What this expresses is the necessity, or
    usefulness, of the associated control (e.g., this
    should be considered to be 91% necessary).
  • It should be noted that the failure to integrate
    uncertainty factors into the risk analysis will
    reduce the overall level of trust in the
    effectiveness of the resultant control baseline.
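The control-selection factors of slides 136 through 142 (annual cost against anticipated loss, frequency kept distinct from the probability of harm, and a confidence level that captures uncertainty) worked through in Python as an added example; it is not part of the course. The burglary and misaddressed-email threats, the three candidate controls and every dollar figure, rate and probability are constructed. A control whose discounted (confidence-weighted) benefit still covers its cost is adopted; one that pays off only on the point estimate is sent back for re-estimation, which is the iteration the last slide calls for; one that never pays off is rejected.

```python
"""Added example, not from the course: weighing a candidate control against
the threat it addresses with the factors these slides name: historical
frequency, probability that harm ensues when the threat DOES occur, dollar
loss, annual cost of the control, and a 0-100% confidence level standing in
for uncertainty.  Every figure below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    frequency: float          # historical occurrences per year
    p_harm: float             # probability harm ensues given one occurrence
    loss_per_incident: float  # dollar loss when harm does ensue


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float        # cost of the control on an annual basis
    reduction: float          # share of the expected loss it removes, 0-1
    confidence: float         # confidence in that estimate, 0-1 (uncertainty)


def expected_annual_loss(t):
    """Frequency and probability enter separately, as the slides insist."""
    return t.frequency * t.p_harm * t.loss_per_incident


def evaluate(control, threat):
    """ROI check for one control/threat pair, with the uncertainty discount applied."""
    ale = expected_annual_loss(threat)
    avoided = ale * control.reduction
    net = avoided - control.annual_cost                                # point estimate
    conservative = avoided * control.confidence - control.annual_cost  # discounted by confidence
    if conservative > 0:
        decision = "adopt"
    elif net > 0:
        decision = "re-estimate"  # pays only if the shaky estimate holds: iterate the analysis
    else:
        decision = "reject"
    return {"threat": threat.name, "control": control.name, "ale": round(ale, 2),
            "avoided": round(avoided, 2), "net": round(net, 2),
            "conservative_net": round(conservative, 2),
            "necessity_pct": round(control.confidence * 100), "decision": decision}


# Constructed scenario mirroring the slides: a rare threat that almost always
# causes harm, and a very frequent one (user error) that rarely does.
BURGLARY = Threat("burglary of the office", frequency=0.1, p_harm=0.9, loss_per_incident=20_000)
MISSENT = Threat("email sent to wrong recipient", frequency=50, p_harm=0.05, loss_per_incident=2_000)

CANDIDATES = [
    (Control("monitored alarm", annual_cost=600, reduction=0.7, confidence=0.9), BURGLARY),
    (Control("outbound DLP filter", annual_cost=2_500, reduction=0.6, confidence=0.5), MISSENT),
    (Control("mandatory email encryption", annual_cost=6_000, reduction=0.9, confidence=0.8), MISSENT),
]


def evaluate_all(candidates=CANDIDATES):
    return [evaluate(c, t) for c, t in candidates]


if __name__ == "__main__":
    for r in evaluate_all():
        print(f"{r['decision']:<12} {r['control']:<28} ALE={r['ale']:>8} "
              f"net={r['net']:>8} conservative={r['conservative_net']:>8} "
              f"({r['necessity_pct']}% confidence)")
```

Note that the frequent, low-harm threat has the larger expected annual loss (5000 against 1800), which is the slide's point about high frequency making even a low per-incident ROI worthwhile, and that the DLP filter flips from "worth it" to "not yet" solely because its benefit estimate is held at 50% confidence.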

143
Assessment of Control Coverage
  • It is necessary to validate the selected control
    set in order to assure the effectiveness as well
    as confirm the accuracy of the defensive scheme.
  • This always takes place after it is operationally
    deployed.
  • That is, it is formulated into an active baseline
    and placed under effective baseline control.

144
Assessment of Control Coverage
  • From an IT management standpoint this activity is
    a standard beta test function,
  • In the sense that the essence of the process is
    the ongoing comparison of expected performance
    with the actual result of executing the process.

145
Assessment of Control Coverage
  • The assessment process is planned, implemented
    and monitored in the same fashion as any other
    testing activity.
  • It normally embodies the criteria and factors
    considered during the threat analysis and
    baseline formulation process, but operational
    issues can be added at this point as well.
  • The intention is to be able to say with assurance
    that the aggregate control set is effective given
    the aims of the protection scheme.

146
Assessment of Control Coverage
  • Operationally, this should be done within a
    specified time-frame as well as a defined
    reporting and decision-making structure.
  • Because the overall purpose of this step is to
    produce a finalized baseline, the organization
    must treat it exactly like a project,
  • In the sense that the outcome of the process is a
    fully functioning security control set.

147
Assessment of Control Coverage
  • Once the project purposes and timelines are set,
    generally speaking each control must have a set
    of performance assessment criteria assigned.
  • The purpose of this is to underwrite precise
    monitoring of the effectiveness of each component
    of the security baseline.
  • Therefore these criteria must be both measurable
    and able to be recorded.

148
Assessment of Control Coverage
  • Then on execution of the process the outcomes
    associated with each control are recorded.
  • The organization uses the ongoing outcomes of the
    operational use of the control, to assess its
    effectiveness.
  • This assessment is based on the performance
    criteria set for that particular control as well
    as the assumptions about cost and occurrence that
    were part of the baseline formulation process.

149
Control Objective Beta Test Process
  (Diagram; its labelled elements are:)
  • Performance Criteria
  • Control Objective Performance in Operational
    Environment
  • Assessment of Control Effectiveness
  • Recorded Outcomes
  • Baseline Formulation Assumptions
  • Aggregation of control objective test results
  • Assessment of Baseline Effectiveness
  • Final Implementation of Control Baseline
150
Assessment of Control Coverage
  • Then, once the testing step is complete, the
    aggregate set of results for the control baseline
    is assessed for the purposes of formalizing a
    finalized set of security control objectives.
  • These controls represent the operational
    realization of the security system and their
    baseline representation is maintained under
    strict change control by the configuration
    management system.

151
Assessment of Control Coverage
  • The released version of this baseline is managed
    by that function in the same manner as a software
    release
  • That is, no changes are allowed without
    authorization and subsequent verification of the
    correctness and effectiveness of the change.

152
Module Three Review
  • Why are two baselines needed?
  • What is the reason for tradeoffs?
  • What is the reason for top-down sponsorship?
  • What are the criteria for determining
    feasibility?
  • What is the purpose of the beta test of controls?
  • Why are the final baselines strictly controlled?
  • Why is buy-in a success factor?
  • What is the role of risk assessment?
  • What is the purpose of asset valuation?
  • Why must system boundaries be decided?

153
End of Personal Instruction