Title: Information Assurance Professional
1 Information Assurance Professional
- National Security Registration Board
- Version 2.6

2 Course Goals
- This course presents the fundamental concepts of information assurance.
- It is designed to foster a mastery-level understanding of the IA process.
- The intention is to prepare a trained IA professional.

3 Course Application
- You learn how to tailor a practical information assurance architecture using this BOK.
- You also learn how to deploy an appropriate set of flexible countermeasures.
4 Three Assumptions
- Three major assumptions underlie this course.
- Assumption One
  - Effective information security requires an integrated set of business and technological processes.

5 The Three Assumptions
- Assumption Two
  - Effective information security programs must be deliberately designed and deployed organization-wide through a strategic planning process.

6 The Three Assumptions
- Assumption Three
  - Information security programs are systematic.
  - That is, they embody an appropriate set of persistent and interacting controls.
  - These function seamlessly and as an integral element of the day-to-day operation of the business.

7 The Importance of Planning
- All three of these requirements must be satisfied for the solution to be correct.
- That condition is not arrived at by chance.
- It is always derived from a valid set of common best practices.
8 The IBOK
- The IBOK is a compendium, or body of knowledge, rather than a standard.
- It is an integration of three existing models into a single unified concept.
- The idea is that a harmonized set of recommendations is the most authoritative statement about best practice.

9 Best Practice Models
- There are at least three models that are used to guide that process:
  - The Generally Accepted System Security Principles (GASSP), 1999
  - ISO 17799 and BS 7799-2 (2002)
  - COBIT (2006)

10 Best Practice Models
- Each of these embodies a fundamental set of principles derived from extensive lessons learned.
- Each of these provides a useful set of high-level control objectives, which can be tailored to any organizational need.
- And each has the potential to serve as the basis of an effective solution.

11 Best Practice Models
- This model comprises the Information Security Body of Knowledge (IBOK).
- It also presents a standard implementation methodology for this BOK.
12 Course Assumptions
- Individuals who successfully complete this course can be assumed to be
  - Knowledgeable in the best practices for information assurance
  - Competent to implement security systems that are capable of being accredited by the NSRB.

13 Text
- The following are required:
  - Information Security Body of Knowledge (IBOK) Open Standard 2.2, International Standards Institution of Governors, 2004
  - Training Guideline, IBOK, National Standards Registration Board, 2003
14 Course Description
- You will learn how to
  - Create an information security architecture
  - Establish detailed control procedures within this framework

15 Course Description
  - Systematically identify and monitor areas of vulnerability
  - Assess the impact of threats as they are identified
  - Deploy appropriate technological and managerial countermeasures

16 Course Objectives
- At the end of this course you will be able to
  - Deploy an appropriate managerial and technical control framework
  - Establish a correct information security control set within that framework

17 Course Objectives
  - Conduct a capable threat identification
  - Formulate a baseline defense-in-depth countermeasure set

18 Course Objectives
  - Valuate assets and justify the countermeasures based on that valuation
  - Deploy, assess and continuously maintain operational countermeasures

19 Course Agenda
- 3:00-3:30 Module One: Principles of Information Security
- 3:30-4:00 Module Two: The Information Assurance Process
- 4:00-4:45 Module Three: The Implementation Process
- 4:45-5:00 Initiate Project
- 5:00-5:30 Prepare Solution
- 5:30-5:45 Report Solution
- 5:45-6:00 Questions and Lessons Learned
20 Module One
The Five Basic Goals of the Information Assurance Process

21 The Five Basic Goals of IA
- Information assurance ensures the
  - Availability
  - Confidentiality
  - Integrity
  - Authentication
  - Non-Repudiation of Origin
- of information.

22 Definition: Confidentiality
- Confidentiality is the condition that ensures that information is not disclosed to unauthorized persons, processes or devices.
- This implies the requirement for such discrete functions as
  - information identification and labeling
  - need-to-know procedures.

23 Definition: Integrity
- Integrity is the condition of assuring trust.
- Within the information security universe, integrity is specifically interpreted to mean that a transmission will arrive at its destination in exactly the same form as it was sent.

24 Definition: Integrity
- That requires ensuring
  - the logical correctness and reliability of the operating system
  - the logical completeness of the hardware and software entities
  - the consistency of the data and occurrences of the stored data.
25 Definition: Authentication
- Authentication is a security service designed to establish the validity of a transmission, message, or originator.
- It is also a means of verifying an individual's authorizations to receive specific categories of information.

26 Definition: Authentication
- Authentication ensures that the occurrence of false identities is eliminated.
- An individual, an organization, or a computer has to be able to prove its identity to be properly secured.

27 Definition: Authentication
- This also implies an authorization function.
- Authorization describes the system's ability to regulate access to resources once the identity is verified.

28 Definition: Availability
- Availability implies the ability to provide authorized users with timely and reliable access to data and information services.
- It is characterized by best practices such as
  - back-up power
  - continuous signal
  - off-site recovery

29 Definition: Availability
- Availability also describes the overall goal of security management,
- which is to ensure the requisite level of trustworthiness in day-to-day operation.
30 Definition: Availability
- In reality, availability is a condition rather than a specific security function.
- It is often traded off against purely security-related conditions, like confidentiality.

31 Definition: Availability
- Because availability ensures functioning,
- there might be a time when assuring availability outweighs procedures that are necessary to secure information.

32 Definition: Availability
- The judgment to sacrifice any of the other security services for the sake of enhanced availability is a risk mitigation decision,
- which is usually motivated by threats and vulnerabilities in the business case.

33 Definition: Non-Repudiation
- Non-repudiation of origin provides the sender with proof of delivery
- AND
- it underwrites the identity of the sender to the recipient.

34 Definition: Non-Repudiation
- As a result, neither party can later deny that the message was legitimately sent and received.
- Non-repudiation has ramifications for everything from purchases on eBay to modern battlefield orders.

35 Module One Questions
- What are the Five Elements of IA?
- What does integrity ensure?
- What is often traded off against availability?
- What is the value of non-repudiation to businesses?
- What does authentication require to work properly?
- What is a risk mitigation decision?
- What is non-repudiation based on?
- What is availability characterized by?
- What does need-to-know support?
- What basic condition does offsite backup ensure?
36 Module Two
The Information Assurance Process

37 The Information Assurance Process
- Information assurance is a multifaceted process composed of fifteen elements and one critical capability.
- Each is a discrete function and each contributes differently to the overall purposes of securing information.
- These fifteen elements comprise a lifecycle.

38 The Information Assurance Process
- All fifteen function within that lifecycle to ensure an effective level of security.
- Each element plays its proper role at a logical place within the process.

39 The Information Assurance Process
- The outcome is adequate protection of all information assets.
- Adequate protection assumes the presence of all necessary safeguards!

40 Building a Holistic Solution
- Electronic assurance constitutes just one aspect of that protection.
- Full protection has to incorporate all of the organizational functions and human factors relevant to security.

41 Building a Holistic Solution
- The outcome must constitute a holistic response.
- In essence the response must integrate
  - all of the assurance measures
  - to protect all information
  - at all times.

42 The Fifteen Principles
- The IBOK integrates a common body of knowledge.
- That BOK itemizes fifteen aspects of security (and one critical process).

43 The Fifteen Principles
- Each must be addressed in order for a security solution to be complete.
- These are arrayed in the lifecycle model demonstrated on the next set of slides.
44 IA Lifecycle: Lifecycle Scope
(Diagram) The Information Resource is described by Asset Identification AND evaluated by a Risk Assessment.

45 IA Lifecycle: Management
(Diagram) Nodes: Security Policy, Security Discipline, Security Infrastructure, Access Control, Ethical Conduct, Security of Operations. Connector labels as extracted: "which is shaped by", "defines", "which enforces", "and", "which is maintained by".

46 IA Lifecycle: Countermeasures
(Diagram) Three groups: Technical Countermeasures, Management Countermeasures, Process Countermeasures. Items shown: Physical Security, Software Assurance, Continuity, Compliance, Personnel Security, NETSEC, Process Assurance, Crypto.
47 Principle One: Asset Identification
- The form of the information resource has to be understood in order to properly secure it.
- Thus, everything that is part of that resource has to be identified, labeled and placed in a documented asset baseline.
- It is also necessary to establish a system for controlling changes to that baseline.

48 Principle Two: Risk Assessment
- Risk assessment defines the form of the security response.
- Current operations as well as prospective ones are systematically evaluated using risk assessment.
- The goal is to identify potential threats, vulnerabilities and weaknesses within the asset base.

49 Principle Three: Security Policy
- Then the organization establishes uniform policies to guide the assurance process.
- These policies are the basis for the solution.
- The outcome is a rational set of guidelines for information assurance.

50 Principle Four: Infrastructure
- The procedural infrastructure is a tangible realization of security policy.
- The organization has to design and enforce a logical and consistent set of procedures.
- These must be directly traceable to the policies they implement.

51 Principle Five: Access Control
- One of the chief purposes of any security scheme is regulating access.
- This principle specifies the need for an operational structure to enable that.
- Its aim is to grant access to legitimate users while preventing unauthorized persons from gaining access to protected information.

52 Principle Six: Security of Operation
- This involves continuous enforcement of routine security procedures.
- At its essence this revolves around the incident response capability.
- It also entails procedures to prevent vital information from being used by an adversary (called OPSEC).

53 Principle Seven: Continuity
- This details a comprehensive strategy to ensure business continuity.
- It defines explicit practices to ensure that the business continues to operate if its information is lost or harmed.
- It also establishes the explicit disaster planning and recovery capability.
54 Principle Eight: Compliance
- This principle ensures that a comprehensive mechanism is in place to ensure compliance.
- It guarantees that the stipulations of all contracts and regulations are obeyed.
- It ensures that due diligence is exercised in meeting all legal requirements.

55 Principle Nine: Physical Security
- The purpose of physical security is to control tangible information and IT assets.
- It establishes an asset management process and a realistic physical protection scheme.
- It involves standard operating practices to ensure the integrity of all workspaces and physical resources within a secure boundary.

56 Principle Ten: Personnel Security
- This involves comprehensive procedures to assure worker compliance with security policy.
- It is based around employee screening and the assignment of roles and responsibilities.
- It also monitors the security activities of all employees.

57 Principle Eleven: Process Security
- This focuses on the development lifecycle.
- It contains methods to ensure security is embedded in all development work.
- It makes certain that security functionality is baked into all products during development.

58 Principle Twelve: Network Security
- This assures network access to electronic assets.
- It establishes both network access control and network monitoring.

59 Principle Twelve: Network Security
- This is a classic purpose of information assurance.
- It identifies users, authenticates, authorizes and controls access.
- It also includes elements necessary to ensure the development of secure network architectures.

60 Principle Thirteen: Software Assurance
- This principle ensures continuing integrity of all application and system software.
- That includes installing software and also analyzing and reporting on its performance.
- It ensures secure operation of all software within the operational environment and resolution of anomalies and conflicts.

61 Principle Fourteen: Security Discipline
- Discipline is human-centered.
- It ensures that policies and procedures are understood and adhered to in a disciplined way.
- Its purpose is to establish awareness and motivation and enforce discipline.

62 Principle Fifteen: Ethics
- This principle delineates a comprehensive code of defined ethical practices.
- This code accurately reflects community norms with respect to ethical behavior.
- It serves as a basis for the rules of conduct as well as personal accountability.
63 Critical Supporting Process: Cryptology
- Cryptology is not a principle as much as it is the basis for secure message transfer.
- It is not a principle because it isn't at the same level as the others in the IBOK.
- It is a necessary foundation requirement to secure electronic transmission.

64 Critical Supporting Process: Cryptology
- It is a very large topic area because it includes so many technical aspects.
- It entails the technical requirements for translating plaintext into encrypted transmissions.
- It also dictates the encryption methods and key structures that underlie that process.

65 Application of the Principles
- Each principle acts to secure the specific aspect that it is meant to assure.
- The integrated set forms a mutually supporting system that provides the desired level of assurance.

66 Application of the Principles
- All information assurance processes embody an established collection of common components,
- which are designed to work together to produce an optimum solution.
- The overall solution can be understood in terms of those components and their logical interactions.

67 Application of the Principles
- Moreover, they also represent an implicit structure for the process.
- This structure has a lifecycle orientation.
68 Institutionalization Factors
- Establishment
- Means
- Oversight
- Enforcement

69 Overview
- Institutionalization factors can be used to determine if these 15 principles and one critical function have been properly established.
- Processes must meet the following common criteria in order to be judged as effectively practiced.

70 Establishment
- The organization must document its commitment to each principle. Criteria for judging this are:
  - Explicit designation of a manager responsible for controlling ongoing operation
  - The placement of the manager in a position of authority sufficient to enforce decisions
  - The continuous maintenance of that position in the organizational decision-making structure

71 Means
- Qualified employees must be provided. Criteria for judging this are:
  - The necessary staff and resources are identifiably designated and deployed
  - It is possible to document that staff are competent to perform their assigned roles
  - The deployment of staff resources is explicitly traceable to individual principles.

72 Oversight
- The organization must provide an objective means to monitor the fulfillment of the purposes of each principle. Criteria for doing this are:
  - Development and use of formal measures of performance
  - Use of analytic methods to support decision making
  - The designation of, and adherence to, formal reporting lines and follow-up procedures.

73 Enforcement
- The organization must assure that each principle is adhered to. Criteria for judging this include:
  - Designation of a person accountable for enforcement
  - Regularly scheduled internal audit, or review of the principle for compliance
  - Defined procedures for corrective action.

74 Module Two Review
- Why is cryptology included among the principles?
- How do policy and infrastructure relate?
- Why does information assurance have a lifecycle?
- Why is asset identification the first step?
- Why are there three areas of countermeasure?
- How do security discipline and operation security relate?
- What is the role of ethics in policy formulation?
- How do continuity and operations security relate?
- Why is software assurance important to security?
- What is the role of compliance in security?
75 Module Three
Implementing the Security Response

76 Implementation Overview
- Security involves identifying, prioritizing and managing a response to every plausible threat to the organization's information assets.
- This countermeasure deployment function is not a one-shot front-end to the establishment of a static security solution.
- It is a constant and organized probing of the environment to sense the presence of, and respond appropriately to, any potential sources of harm to the organization's information assets.

77 Implementation Overview
- As a consequence, the first step in formulating a correct security response is threat identification.
- That amounts to the identification of ANY threats in the organization's technical or operating base that might lead to the loss of ANY information, of ANY value,
- and then the deployment of an effective set of controls to alleviate each vulnerability identified.

78 Model of the Implementation Process
(Diagram; boxes as extracted. The following two slides refer to a red line separating the threat identification activities from those that define the tangible security system.)
- Model Selection and Gap Analysis
- Asset Baseline Formulation and Control
- Asset Valuation and Resource Tradeoff
- Information Gathering and Chartering
- Assessment of Control Coverage and Effectiveness
- Formulation and Baselining of the Control Set
- Refinement and Finalization of Control Set

79 Implementation Overview
- The activities above the red line are termed the Threat Identification and Response phase.
- This part of the process drives the resource allocation decisions as well as the development and refinement of the optimum set of controls.

80 Implementation Overview
- The activities below the red line are aimed at the definition of the tangible information security system.
- We are going to discuss each of these boxes in turn in detail.
81 Threat Identification
- Threat identification and response is composed of four elements:
  - Information Gathering and Chartering
  - Asset Baseline Formulation
  - Model Selection and Gap Analysis
  - Asset Valuation and Tradeoff.

82 Threat Identification
- The aim of these four activities is to achieve an understanding of the security response that is appropriate to the precise situation
- and which fits within the constraints of the organization.
- Properly executed, it is conducted in the background of day-to-day organizational functioning.

83 Threat Identification
- In practice, it employs methods and tools to identify, analyze, plan for, and control any potentially harmful or undesirable event.
- It should be noted that while the overall aim of the threat identification and response process is to prevent or minimize the impact of security losses at the business level of the organization,
- technical risks are also managed, since they often constitute the root cause for business breaches or losses.

84 Threat Identification
- Threat identification and response approaches must establish a disciplined environment for proactive decision-making.
- They should regularly assess what could go wrong and then determine the approach and timing by which each potential threat will be countered.
- This all takes place within the constraints of practical business considerations such as resources available and time.

85 Threat Identification
- The last part of this process is an important issue in the implementation of a realistic solution, since it is highly likely that more risks will be identified than can possibly be responded to.
- So it is important to at least address the ones that pose the most potential harm to the corporation.

86 Threat Identification
- Finally, we want to stress that the form of the process as well as the scope of the solution is dictated by the type of security desired.
- Consequently, the substance of the identification, analysis, planning and control elements and activities required is going to vary.
- As we progress through this guideline it is also important to keep in mind that although the form of the process is generic, the actual considerations vary with the focus and intent of the organization.
87 Information Gathering and Chartering
- Operationally, the right set of organizational representatives formulates the requirements of the security system into a statement of need,
- which is then documented and authorized by the appropriate executive decision makers and published to the business at large.

88 Information Gathering and Chartering
- The only purpose of this phase is to serve as a launch pad for the decision-making regarding the specific security model utilized next.
- So logically, this element should generally define both the scope and extent of the desired solution.

89 Information Gathering and Chartering
- In practice, this stage is probably the least substantive aspect of any implementation project, in the sense that it does not really touch on any of the details of the actual protection scheme.
- Nonetheless, it might be the single likeliest point of failure.
- That is because everything that will happen downstream originates from this one point.

90 Information Gathering and Chartering
- As a consequence, it is important for everybody who will have anything to do with the system to understand and agree on the type and degree of protection at the beginning of the process.
- In effect this agreement should accomplish two critical purposes.
- From a functional system standpoint it has to ensure that the problem is properly targeted.

91 Information Gathering and Chartering
- More importantly, it should also support the education and buy-in of the people who are actually going to be actively involved in formulating the system.
- That is because it is well documented that the long-term success of any solution is directly dependent on the level of support for the process.
- This is not an inconsequential exercise and it can be resource intensive.

92 Information Gathering and Chartering
- The execution of this process is generally based on the generic systems analysis approaches that have populated the organizational development body of knowledge for the past fifty years.
- There are numerous recognized ways of actually conducting this.
- However, there is only one absolute requirement, which is that the eventual outcome has to be sponsored at the highest levels of the company.

93 Information Gathering and Chartering
- There have been a number of studies to support the idea that the ownership of security should be at the level of the Board of Directors or CEO (the best of these are summarized in DTI, 2002).
- Notwithstanding that, the literature is unanimous in stressing that effective information assurance solutions have to be thoroughly embedded in the organization, and that requires across-the-board acceptance,
- which can only be enforced through executive sponsorship.
94 Information Gathering and Chartering
- One final point also must be stressed, which is that the information gathering function should not degenerate into a detailed technical problem-solving process.
- The only objective of this first stage is to define the general form of the problem for the purpose of determining an explicit strategic direction.

95 Information Gathering and Chartering
- There are many reasons why a complete framework solution may not be appropriate, ranging from a lack of resources all the way to knowledge of a specific targeted need.
- These must all be identified, brought forward and agreed on in order to choose a proper scope and appropriate model for the eventual response.

96 Information Gathering and Chartering
- Since the players are usually busy executives, they are never interested in the details, only in the assurance that the correct target will be hit.
- As such, the first phase has to be conducted with that single goal in mind.
- Once the direction is chosen, the form of the rest of the process is dependent on the model selected, and that activity constitutes the rest of this stage.

97 Information Gathering and Chartering
- The selection of an appropriate model is crucial,
- since the only way that the protection scheme will work is if the model it is based on fits the organization's security needs.
- The final point that we need to make before we leave this section, however, is that there is no one model for information protection.

98 Information Gathering and Chartering
- The only rule is that whatever is selected should fit the exact requirements of the situation.
- This is both an intelligent design process as well as a political one.
- As such, the outcomes of the information gathering process must be rigorously adhered to in order to guide that decision-making process,

99 Information Gathering and Chartering
- and the eventual model selected should always meet the requirements that have been bought into by the whole organization through the chartering process.
- Since the next phase of the process starts the tactical implementation of the security solution, this initial stage is the point where the strategy is set.
100 Asset Baseline Formulation
- This second stage is probably the least commonly understood, in that with most protection schemes the form of the assets to be protected is known.
- As the user knows, in the case of information security the asset base is an abstract construct, which could legitimately have many forms.
- As such, before protection schemes can be devised the boundaries and material form of the asset must be characterized.

101 Asset Baseline Formulation
- That involves gathering all of the pertinent information necessary to define the complete form of the assets that will be protected,
- which involves the meticulous identification and labeling of every item under control of the security system.
- This is not a trivial exercise.
- It is a prerequisite for subsequent assessment of risk because it establishes the "day one" state of the organization's total set of information assets.

102 Asset Baseline Formulation
- In practice, the aggregate set of assets is termed a baseline.
- The individual components that constitute this baseline must be explicitly identified and labeled as part of the asset identification process.
- A precisely defined information asset baseline is an absolute prerequisite for the conduct of the rest of the process, since it is this explicit configuration that is maintained by the security system.

103 Asset Baseline Formulation
- And because it is a tangible structure, the classification and tagging of the asset elements that constitute it is usually based on their logical interrelationships with each other.
- This is maintained as a hierarchy of elements that ranges from a view of the information asset as a single entity down to the explicit items that constitute that resource.
- The baseline scheme that emerges at the lowest level of decomposition represents the concrete architecture of the target information asset.

104 Asset Baseline Formulation
- The decisions that determine what this asset base looks like are normally made using the input of a number of different participants.
- That could range from the technical staff all the way up to executive owners of a given information item.
- The items defined at any level in the hierarchy are given unique and appropriate labels that are explicitly associated with the overall organization of the information asset itself.
105 Asset Baseline Formulation
- That is, these labels designate and relate the position of any given item in the overall "family tree" of the asset base.
- Once established, the formal information asset baseline is kept in a ledger, which is fully accounted for and maintained throughout the lifecycle of the security system.
- Since security systems are evolutionary, formal procedures also have to be put in place to systematically manage the inevitable changes to the form of the information asset baseline.

106 Asset Baseline Formulation
- In the real world most corporate information asset baselines are maintained in an electronic ledger, which is generically termed a Baseline Management Ledger, or BML.
- Changes at any level in the basic structure of the information asset baseline are maintained at all relevant levels in that ledger and must correctly and accurately reflect the changed status of the actual information item.

107 Generic Change Management
(Diagram; steps as extracted)
- Notification / Request for Change
- Information Asset Baseline Manager
- Authorization by Appropriate Decision Maker
- Implementation of Change
- Verification of Change
- Baseline Management Ledger

108 Asset Baseline Formulation
- If this is not done in a systematic and disciplined fashion, the painfully constructed understanding of the form of the information asset will move out of the organization's grasp,
- leaving it securing things that don't exist and not securing things that do.
- Baseline management would be a time-consuming task if it were not for commercial utilities that do this record keeping automatically.
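The hierarchical, labeled asset baseline of slides 103 to 106 and the change-management cycle of slide 107 (request, authorization by a designated decision maker, implementation, verification, all recorded in the ledger), as an added example that is not part of the course material or the IBOK. The dotted label format, the role names and the sample payroll assets are constructed assumptions for illustration.

```python
# Asset baseline kept in a Baseline Management Ledger (BML) and walked through
# request -> authorization -> implementation -> verification. Labels, roles and
# sample assets are constructed for illustration; they are not IBOK artifacts.
from __future__ import annotations

from dataclasses import dataclass, field


class ChangeError(Exception):
    """Raised when a change would violate the baseline discipline."""


@dataclass(frozen=True)
class Asset:
    label: str   # dotted path encoding the item's place in the asset "family tree"
    description: str
    owner: str   # executive or technical owner consulted for this item


@dataclass
class ChangeRequest:
    req_id: int
    action: str  # "add" or "remove"
    asset: Asset
    requested_by: str
    authorized_by: str | None = None
    implemented: bool = False


@dataclass
class BaselineLedger:
    decision_makers: frozenset[str]
    assets: dict[str, Asset] = field(default_factory=dict)
    history: list[str] = field(default_factory=list)  # audit trail of the ledger
    _next_id: int = 1

    def request_change(self, action: str, asset: Asset, requested_by: str) -> ChangeRequest:
        """Step 1: the notification/request is recorded; nothing is applied yet."""
        req = ChangeRequest(self._next_id, action, asset, requested_by)
        self._next_id += 1
        self.history.append(f"REQ {req.req_id}: {action} {asset.label} by {requested_by}")
        return req

    def authorize(self, req: ChangeRequest, decision_maker: str) -> None:
        """Step 2: only a designated decision maker may authorize."""
        if decision_maker not in self.decision_makers:
            raise ChangeError(f"{decision_maker} is not a designated decision maker")
        req.authorized_by = decision_maker
        self.history.append(f"AUTH {req.req_id} by {decision_maker}")

    def implement(self, req: ChangeRequest) -> None:
        """Step 3: apply the change; unauthorized or inconsistent changes are refused."""
        if req.authorized_by is None:
            raise ChangeError(f"change {req.req_id} has not been authorized")
        label = req.asset.label
        if req.action == "add":
            if label in self.assets:
                raise ChangeError(f"{label} is already in the baseline")
            parent = label.rpartition(".")[0]  # "" for the root item
            if parent and parent not in self.assets:
                raise ChangeError(f"parent {parent} of {label} is not in the baseline")
            self.assets[label] = req.asset
        elif req.action == "remove":
            if label not in self.assets or self.subtree(label)[1:]:
                raise ChangeError(f"{label} is absent or still has children")
            del self.assets[label]
        else:
            raise ChangeError(f"unknown action {req.action!r}")
        req.implemented = True
        self.history.append(f"IMPL {req.req_id}: {req.action} {label}")

    def verify(self, req: ChangeRequest) -> bool:
        """Step 4: confirm the ledger reflects the state the change claims to have produced."""
        expected = req.asset if req.action == "add" else None
        ok = req.implemented and self.assets.get(req.asset.label) == expected
        self.history.append(f"VERIFY {req.req_id}: {'ok' if ok else 'MISMATCH'}")
        return ok

    def subtree(self, label: str) -> list[str]:
        """All labels at or below `label` in the family tree, sorted."""
        return sorted(l for l in self.assets if l == label or l.startswith(label + "."))


def build_sample_baseline() -> BaselineLedger:
    """Constructed sample: a small payroll asset tree entered through the full cycle."""
    ledger = BaselineLedger(decision_makers=frozenset({"ciso"}))
    for item in (
        Asset("ORG", "The information resource viewed as a single entity", "ceo"),
        Asset("ORG.FIN", "Finance information", "cfo"),
        Asset("ORG.FIN.PAYROLL", "Payroll system", "payroll-manager"),
        Asset("ORG.FIN.PAYROLL.DB01", "Payroll database server", "dba-team"),
    ):
        req = ledger.request_change("add", item, requested_by="baseline-manager")
        ledger.authorize(req, "ciso")
        ledger.implement(req)
        ledger.verify(req)  # records "VERIFY n: ok" in the history
    return ledger


def unauthorized_change_is_refused(ledger: BaselineLedger) -> bool:
    """Skipping the authorization step must leave the baseline untouched."""
    req = ledger.request_change("add", Asset("ORG.HR", "HR information", "hr-dir"), "analyst")
    try:
        ledger.implement(req)
    except ChangeError:
        return "ORG.HR" not in ledger.assets
    return False
```

The ledger's `history` is the audit trail an assessor would read to confirm that every baseline change went through all four steps.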
109 Model Selection and Risk Assessment
- Once the asset baseline is established the next step is usually termed risk assessment.
- It is in reality a gap analysis conducted against a model of correct practice, and the literature is full of methodologies for carrying out that task.
- These can be divided into two types: those that are based on a commonly accepted standard model and those that are based on a set of unique criteria.

110 Model Selection and Risk Assessment
- Whatever the approach, the actual execution always starts at the model, which implies the importance of selecting an appropriate standard as the benchmark.
- Thus the first step in the gap analysis is to gather enough information about the situation to select the right model.
- By necessity this activity must be guided by and referenced to the project charter obtained in the first phase of this process.

111 Model Selection and Risk Assessment
- The other essential piece is the asset baseline definitions formulated in the prior phase.
- Using these two factors for guidance, it should be possible to find the appropriate model.
- Essentially the participants in the selection process decide what must be protected and what type of solution is appropriate to those implicit requirements.

112 Model Selection and Risk Assessment
- The requirement for a gap analysis is common across all models of information security.
- That is, a gap analysis is always done the same way for the same purpose, no matter what.
- In professional settings the gap analysis is usually called a risk assessment.
- That is because the point of the activity is to identify RISKS created by gaps in operating procedures.
113Model Selection and Risk Assessment
- This risk assessment activity is arguably the
most important element in formulation of a proper
security response because it - identifies the potential threats
- assesses the harm that might ensue from each
- analyzes and categorizes options for response.
- Operationally this process is carried out by
comparing the form of the current operation to
the comprehensive set of ideal best practice
requirements specified in the framework model.
114Model Selection and Risk Assessment
- This is done to identify the gaps that exist.
- These gaps represent the vulnerabilities and
weaknesses that must be addressed by new
procedures. -
- Since a particular threat may not necessarily
have much impact for a given situation, once the
risk exposures are all identified they are
assessed to distinguish only those that would
create specific and undesirable vulnerabilities.
115Model Selection and Risk Assessment
- Next, these vulnerabilities are carefully
analyzed with respect to the particular
organizational situation in order to identify the
specific weaknesses that the security system
needs to target directly. - These weaknesses are prioritized so that the ones
with the most critical impacts are dealt with
first.
116Model Selection and Risk Assessment
- The process can best be described by looking at
it from the standpoint of the documentation that
is utilized to carry it out. - In fact the tangible documentation set is so
important that it is generally the only thing
that an auditor uses to verify that a selected
model has been implemented properly.
117 Elements of the Gap Analysis
[Figure, flattened in extraction. Labels: IBOK Control Objectives; Explicit Set of Identified Vulnerabilities and Weaknesses; Outcomes (Degree of Conformance to Control Objectives); Operational Charter for Security System.]
118 Model Selection and Risk Assessment
- The first of these are the inputs to the assessment process.
- These inputs represent the set of ideal best practices itemized in the IBOK and their concomitant controls.
- That ideal is used as the point of reference for the ensuing assessment.
- To document this, the organization describes its degree of conformance with the relevant benchmark criteria selected from the IBOK model.
119 Model Selection and Risk Assessment
- The box in the center represents the detailed assessment outcomes that the organization obtains as a consequence of this comparison.
- As we said earlier, the point is to explicitly characterize the level of compliance between a particular operation and the ideal specified in the IBOK.
120 Model Selection and Risk Assessment
- Finally, the documentation produced is a precise statement of the vulnerabilities that the identified areas of non-compliance represent.
- This documentation drives the activity in subsequent stages, where the organization decides what actions must be taken to address each identified weakness,
- as well as how it will document the security system for the purposes of management oversight and audit.
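The gap analysis of slides 113 through 120, worked through in code as an added example; this is not part of the course material or of the IBOK. The control objectives, their impact ratings and the observed conformance levels are constructed for illustration: a real assessment takes the objectives from the selected model and the impact ratings from the asset baseline. The four-step conformance scale and the impact-weighted gap score are assumptions of this example, not a scoring method the IBOK defines.

```python
"""Gap analysis against a model's control objectives (slides 113-120).

Added example, not part of the course material. The objectives, impact
ratings and conformance levels below are constructed for illustration;
a real assessment takes the objectives from the selected model and the
impact ratings from the asset baseline.
"""
from dataclasses import dataclass

# Assumed four-step conformance scale an assessor records per objective
# (an assumption of this example, not a scale defined by the IBOK).
CONFORMANCE = {"none": 0.0, "partial": 0.5, "largely": 0.8, "full": 1.0}


@dataclass(frozen=True)
class ControlObjective:
    ident: str       # identifier in the chosen model (constructed here)
    domain: str
    statement: str
    impact: int      # 1 (low) .. 5 (critical), taken from the asset baseline


@dataclass(frozen=True)
class Finding:
    objective: ControlObjective
    conformance: float   # degree of conformance, 0..1
    gap: float           # 1 - conformance
    score: float         # impact-weighted gap used for prioritisation


def assess(objectives, observed):
    """Compare observed practice with the model; one Finding per objective.

    `observed` maps objective id -> conformance level name.  An objective
    the organisation never assessed is scored 'none': an unknown control
    cannot be relied on, so silence is a gap, not a pass.
    """
    findings = []
    for obj in objectives:
        level = observed.get(obj.ident, "none")
        if level not in CONFORMANCE:
            raise ValueError(f"unknown conformance level {level!r} for {obj.ident}")
        conf = CONFORMANCE[level]
        gap = 1.0 - conf
        findings.append(Finding(obj, conf, gap, round(gap * obj.impact, 2)))
    return findings


def vulnerabilities(findings):
    """Slides 114-115: keep only objectives with a gap, ordered so the
    most critical impacts are dealt with first (ties broken by id)."""
    gaps = [f for f in findings if f.gap > 0]
    return sorted(gaps, key=lambda f: (-f.score, f.objective.ident))


def conformance_by_domain(findings):
    """Slides 118-119: degree of conformance per domain, the figure an
    auditor reads off the documentation set."""
    totals = {}
    for f in findings:
        n, s = totals.get(f.objective.domain, (0, 0.0))
        totals[f.objective.domain] = (n + 1, s + f.conformance)
    return {d: round(s / n, 2) for d, (n, s) in totals.items()}


# Constructed sample model and constructed assessment results.
MODEL = [
    ControlObjective("AC-1", "Access control", "Privileged access is reviewed quarterly", 5),
    ControlObjective("AC-2", "Access control", "Accounts are disabled on termination", 4),
    ControlObjective("CM-1", "Change management", "Baseline changes are authorised", 4),
    ControlObjective("CM-2", "Change management", "Changes are verified after deployment", 3),
    ControlObjective("IR-1", "Incident response", "Incidents are logged and triaged", 3),
]
OBSERVED = {"AC-1": "partial", "AC-2": "full", "CM-1": "largely", "IR-1": "none"}
# CM-2 is deliberately missing from OBSERVED: it was never assessed.

if __name__ == "__main__":
    findings = assess(MODEL, OBSERVED)
    for f in vulnerabilities(findings):
        print(f"{f.objective.ident:5} gap={f.gap:.1f} impact={f.objective.impact} "
              f"score={f.score:.1f}  {f.objective.statement}")
    print(conformance_by_domain(findings))
```

Two design points match the slides: an objective the organization never assessed is treated as fully non-conformant rather than skipped, so it lands at the top of the vulnerability list with the other "none" finding, and the per-domain conformance figures are the part of the documentation set that an auditor reads, while the ordered vulnerability list is what drives the later phases.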
121 Asset Valuation and Tradeoff
- The product of this phase is a concrete security strategy.
- The input is derived from the outcomes of the prior three stages.
- The boundary-setting element is particularly important here, since there is a direct relationship between the resources required to establish the specified security level and the extent of the territory that must be secured.
122 Asset Valuation and Tradeoff
- Operational factors that enter into the development of this strategy include
  - the level of criticality of each information asset in the asset baseline
  - the specific degree of resource commitment required to assure it.
- Thus the most important aspect of this may lie in the simple valuation of the assets themselves.
123 Asset Valuation and Tradeoff
- This is the case because in the real world there are never enough resources to absolutely secure every element of the information asset baseline.
- And since that baseline is overwhelmingly composed of abstract entities, the value of the asset base is also abstract, meaning not known.
- Therefore it is essential for each organization to adopt a uniform methodology to systematically value and prioritize its information assets, so that the most important assets are targeted first.
124 Asset Valuation and Tradeoff
- As a consequence, it is our assumption that the critical success factors are defined at the business level,
- and that any form of operational asset valuation must be rooted in, and reflect, the vision, strategies and purposes of that part of the organization.
- There are numerous ways of going about asset valuation.
125 Asset Valuation and Tradeoff
- The training manual uses the Balanced Scorecard approach, simply because it is arguably one of the easiest and most popular of these.
- Using a tailored scorecard, the organization can assign a quantitative value to each of the items entered in the security baseline.
- And it can confidently allocate a security priority to each item based on its relative value, as determined by the data obtained through one (or all) of the scorecard's categories.
126 Asset Valuation and Tradeoff
- The benefit of this approach is that the organization will know which items to secure and in what order.
- In addition, it will have demonstrated that due diligence was done in making that determination.
- The best part of this approach is that as data is collected and refined over time, the organization can increase its valuation effectiveness and thus sharpen its control over its asset base.
127 Asset Valuation and Tradeoff
- The process that ensues is a political one, but it is necessary.
- That is, the actual tradeoff process is the fundamental element of strategic planning.
- This is not a scientific activity, although with precisely targeted information decision makers can move ahead with some assurance that they are basing their strategies on the realities of the situation.
128 Asset Valuation and Tradeoff
- The assumption is that the actual deployment of the security function will meet the requirements of the organization's security charter.
- That decision-making is based on
  - knowledge of the financial, equipment and personnel resources available to implement the desired level of security
  - the pressing business concerns and the relative value of the asset.
129 Asset Valuation and Tradeoff
- It is driven by the model that will be used to implement the actual security solution.
- However, the point is to have a clear fix on the asset base so that the particulars of the deployment can be planned with precision.
- This should be both tangibly documented and publicized to the organization at large.
- This also effectively concludes the threat identification and response phase of the formal information security protection process.
130 Control Selection
- The next step in this process is the actual selection and validation of the control set.
- Since this is model-specific, we are going to focus the discussion on the generic steps required.
131 Control Selection
- This phase involves tailoring, deploying and validating an appropriate control set.
- This is almost always based on some standard model of correct practice.
- 99.9% of the time that is the same model employed to do the gap analysis, although this is not absolutely required.
132 Control Selection
- The outcome is unique in the sense that the deployment is determined by the situation.
- However, there are elements that must be carried out no matter which model is selected:
  - assignment of controls to a security baseline
  - assessment of the effectiveness of those controls
  - formulation of the final control set into a security system.
133 Formulating the Control Set
- The necessary security controls are deployed once the information asset baseline has been established and prioritized.
- This requires an item-by-item assessment of the information resource baseline in order to design and formalize the appropriate control set.
- Nonetheless, in order to devise the appropriate and correct set of control procedures it is necessary to return to the risk analysis to better understand the nature of the threat.
134 Formulating the Control Set
- Basically, threats can be characterized as physical or logical, and as coming from internal or external sources.
- Thus the analysis considers the safeguards or controls necessary to suitably address any and all anticipated threats.
135 Formulating the Control Set
- That includes steps to detect a threat as close as possible to the time it occurs (threat response),
- and a procedure to ensure that it will either be attended to by subsequent corrective action, or that the loss that may arise from it will be effectively contained.
136 Formulating the Control Set
- Since the adverse impacts of threats also inevitably fall into the financial arena, it is important to consider the applicable ROI issues.
- One obvious example: it ought to be known whether the cost of the control (on an annual basis) would be less than the anticipated (dollar) losses it prevents.
137 Formulating the Control Set
- Another consideration is the frequency with which the threat occurs.
- If the historical rate of occurrence is high, then even a low-ROI (per incident) item could prove to be a good investment.
138 Formulating the Control Set
- The other issue is the PROBABILITY that a threat, when it occurs, will actually produce harm.
- Probability should never be confused with frequency.
- In essence, the question to ask is what the probability is that harm will ensue if the threat DOES occur.
139 Formulating the Control Set
- For instance, burglars might visit your house very infrequently, but when they DO, the likelihood is high that they will take something.
- Thus these two related factors have to be balanced against each other when doing a threat assessment.
140 Formulating the Control Set
- In essence, the question that has to be answered for a particular control is how likely it is that a given occurrence will produce mischief.
- That matters because, in reality, some threats may occur many times within a year's time, especially those associated with the unintentional actions of users or employees.
141 Formulating the Control Set
- Finally, it must be recognized that there is always uncertainty in all of these estimates, which dictates that baseline control formulation should always be an iterative function.
- Basically, uncertainty can be expressed as a level of confidence, from zero to 100 percent, in any control.
142 Formulating the Control Set
- What this expresses is the necessity, or usefulness, of the associated control (e.g., this control should be considered 91% necessary).
- It should be noted that failure to integrate uncertainty factors into the risk analysis will reduce the overall level of trust in the effectiveness of the resultant control baseline.
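The cost, frequency, probability and uncertainty considerations of slides 136 through 142, carried through as one worked calculation. This is an added example, not course material: the threats, the dollar figures, the `reduction` fraction each control is credited with and the `confidence` factor are all constructed assumptions, and the decision rule (deploy when the confidence-discounted benefit exceeds annual cost) is this example's, not a rule the IBOK states. The point it makes that the slides only assert is that a rare threat with a high probability of harm and a frequent one with a low probability can carry the same expected loss, and that a low confidence figure can by itself turn a control from "worth it" to "rejected".

```python
"""Control cost-benefit arithmetic for slides 136-142.

Added example, not from the course. Frequency (how often the threat
event occurs) and probability of harm given an occurrence are kept as
separate factors, as slides 138-139 insist, and the assessor's
confidence in a control's effect is applied as an uncertainty factor
(slide 141). All figures are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Threat:
    name: str
    frequency_per_year: float      # historical rate of occurrence (slide 137)
    p_harm: float                  # P(harm | occurrence), slides 138-139
    loss_per_harmful_event: float  # dollar loss when harm does ensue


@dataclass(frozen=True)
class Control:
    name: str
    threat: Threat
    annual_cost: float
    reduction: float    # fraction of expected loss the control removes, 0..1 (assumed)
    confidence: float   # assessor's confidence in `reduction`, 0..1 (slide 141)


def expected_annual_loss(t: Threat) -> float:
    """frequency x P(harm | occurrence) x loss.  The rare burglar and the
    frequent careless user can come out equal, which is the point."""
    return t.frequency_per_year * t.p_harm * t.loss_per_harmful_event


def control_benefit(c: Control) -> float:
    """Expected loss avoided per year, discounted by confidence so an
    uncertain control is not credited with its full claimed effect."""
    return expected_annual_loss(c.threat) * c.reduction * c.confidence


def roi(c: Control) -> float:
    """(benefit - cost) / cost; positive means the control pays for itself
    (slide 136's test: annual control cost below anticipated loss)."""
    return (control_benefit(c) - c.annual_cost) / c.annual_cost


def rank_controls(controls):
    """Split into controls worth deploying (highest ROI first) and rejected."""
    worthwhile = sorted((c for c in controls if roi(c) > 0), key=roi, reverse=True)
    rejected = [c for c in controls if roi(c) <= 0]
    return worthwhile, rejected


def needs_better_evidence(c: Control) -> bool:
    """Slide 141: if the verdict would flip at 100% confidence, it is the
    uncertainty, not the economics, deciding; go back and re-estimate."""
    return roi(c) <= 0 and roi(replace(c, confidence=1.0)) > 0


# Constructed threats and candidate controls.
BURGLAR = Threat("break-in at branch office", 0.2, 0.9, 50_000)
USER_ERROR = Threat("file e-mailed to wrong recipient", 120, 0.05, 1_500)
PHISH = Threat("credential phishing", 40, 0.1, 20_000)

CONTROLS = [
    Control("monitored alarm", BURGLAR, 2_400, 0.7, 0.9),
    Control("outbound DLP", USER_ERROR, 12_000, 0.6, 0.5),
    Control("MFA on mail and VPN", PHISH, 15_000, 0.9, 0.95),
    Control("phishing awareness training", PHISH, 9_000, 0.3, 0.3),
]

if __name__ == "__main__":
    for t in (BURGLAR, USER_ERROR, PHISH):
        print(f"{t.name:35} expected annual loss ${expected_annual_loss(t):,.0f}")
    keep, drop = rank_controls(CONTROLS)
    for c in keep:
        print(f"deploy  {c.name:30} ROI {roi(c):+.2f}")
    for c in drop:
        flag = " (re-estimate: decision hinges on confidence)" if needs_better_evidence(c) else ""
        print(f"reject  {c.name:30} ROI {roi(c):+.2f}{flag}")
```

With these figures the break-in (0.2 per year, 90% chance of loss) and the mis-addressed e-mail (120 per year, 5% chance of loss) both come to $9,000 of expected annual loss, which is slide 139's burglar point in numbers. The awareness-training control is rejected only because its confidence is 0.3; at full confidence it would clear its cost comfortably, so `needs_better_evidence` flags it for another pass, which is the iteration slide 141 calls for. The DLP control stays rejected at any confidence, so there the economics, not the uncertainty, made the decision.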
143 Assessment of Control Coverage
- It is necessary to validate the selected control set in order to assure its effectiveness as well as to confirm the accuracy of the defensive scheme.
- This always takes place after it is operationally deployed.
- That is, it is formulated into an active baseline and placed under effective baseline control.
144 Assessment of Control Coverage
- From an IT management standpoint this activity is a standard beta test function,
- in the sense that the essence of the process is the ongoing comparison of expected performance with the actual result of executing the process.
145 Assessment of Control Coverage
- The assessment process is planned, implemented and monitored in the same fashion as any other testing activity.
- It normally embodies the criteria and factors considered during the threat analysis and baseline formulation process, but operational issues can be added at this point as well.
- The intention is to be able to say with assurance that the aggregate control set is effective given the aims of the protection scheme.
146 Assessment of Control Coverage
- Operationally, this should be done within a specified time frame and within a defined reporting and decision-making structure.
- Because the overall purpose of this step is to produce a finalized baseline, the organization must treat it exactly like a project,
- in the sense that the outcome of the process is a fully functioning security control set.
147 Assessment of Control Coverage
- Once the project purposes and timelines are set, each control must, generally speaking, have a set of performance assessment criteria assigned.
- The purpose of this is to underwrite precise monitoring of the effectiveness of each component of the security baseline.
- Therefore these criteria must be both measurable and recordable.
148 Assessment of Control Coverage
- Then, on execution of the process, the outcomes associated with each control are recorded.
- The organization uses the ongoing outcomes of the operational use of the control to assess its effectiveness.
- This assessment is based on the performance criteria set for that particular control, as well as the assumptions about cost and occurrence that were part of the baseline formulation process.
149 Control Objective Beta Test Process
[Figure, flattened in extraction. Labels, in the order they appear: Performance Criteria; Control Objective Performance in Operational Environment; Assessment of Control Effectiveness; Recorded Outcomes; Baseline Formulation Assumptions; Aggregation of control objective test results; Assessment of Baseline Effectiveness; Final Implementation of Control Baseline.]
150 Assessment of Control Coverage
- Then, once the testing step is complete, the aggregate set of results for the control baseline is assessed for the purpose of formalizing a finalized set of security control objectives.
- These controls represent the operational realization of the security system, and their baseline representation is maintained under strict change control by the configuration management system.
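The beta test of slides 145 through 150 as runnable code: an added example, not course material. Each control is given measurable performance criteria (slide 147), the recorded outcomes of a test window are scored against them and against the occurrence assumption made when the baseline was formulated (slide 148), and the per-control results are aggregated into a verdict on the baseline (slide 150). The three controls, the detection-latency and detection-rate thresholds, the 30-day window and every recorded outcome are constructed for the example; in practice the outcomes come from the ticketing or SIEM records of the test period. The treatment of a control that saw no events during the window (untested, therefore not passed) is this example's choice, reflecting the slides' demand that effectiveness be demonstrated rather than assumed.

```python
"""Beta test of a deployed control set (slides 145-150).

Added example, not from the course.  Criteria, thresholds and recorded
outcomes are constructed; a real run reads outcomes from ticketing or
SIEM records for the test window.
"""
from dataclasses import dataclass, field
from datetime import datetime
from statistics import median
from typing import List, Optional


@dataclass(frozen=True)
class Criteria:
    control: str
    max_detect_minutes: float  # slide 135: detect as close to the event as possible
    min_detect_rate: float     # fraction of occurrences that must be detected
    assumed_per_year: float    # occurrence assumption from baseline formulation


@dataclass(frozen=True)
class Outcome:
    control: str
    occurred: datetime
    detected: Optional[datetime]   # None: the control missed the event


@dataclass
class Result:
    control: str
    occurrences: int
    detect_rate: float
    median_minutes: Optional[float]
    observed_per_year: float
    passed: bool
    notes: List[str] = field(default_factory=list)


def assess_control(crit: Criteria, outcomes, test_days: int) -> Result:
    """Slides 147-148: score one control's recorded outcomes against its criteria."""
    mine = [o for o in outcomes if o.control == crit.control]
    if not mine:
        # Nothing happened in the window: the control is untested, not proven.
        return Result(crit.control, 0, 0.0, None, 0.0, False,
                      ["no occurrences in test window; extend the test or inject one"])
    hits = [o for o in mine if o.detected is not None]
    rate = len(hits) / len(mine)
    latencies = [(o.detected - o.occurred).total_seconds() / 60 for o in hits]
    med = median(latencies) if latencies else None
    per_year = len(mine) * 365 / test_days
    notes = []
    if rate < crit.min_detect_rate:
        notes.append(f"detect rate {rate:.2f} below required {crit.min_detect_rate:.2f}")
    if med is None or med > crit.max_detect_minutes:
        notes.append(f"median detection {med} min exceeds {crit.max_detect_minutes} min")
    if per_year > 2 * crit.assumed_per_year:   # slide 148: test the occurrence assumption too
        notes.append(f"observed {per_year:.0f}/yr vs assumed {crit.assumed_per_year}/yr; revisit cost-benefit")
    passed = rate >= crit.min_detect_rate and med is not None and med <= crit.max_detect_minutes
    return Result(crit.control, len(mine), rate, med, per_year, passed, notes)


def assess_baseline(criteria, outcomes, test_days):
    """Slide 150: aggregate per-control results into a baseline verdict.
    The baseline is only finalised when every control passed; one unproven
    control leaves an open gap."""
    results = [assess_control(c, outcomes, test_days) for c in criteria]
    return all(r.passed for r in results), results


def _t(day, hour, minute):   # constructed timestamps, all in March 2024
    return datetime(2024, 3, day, hour, minute)


CRITERIA = [
    Criteria("failed-login lockout alerting", 15, 0.95, 50),
    Criteria("removable-media blocking", 5, 0.99, 200),
    Criteria("backup restore test", 60, 1.0, 12),
]
# Constructed recorded outcomes for a 30-day test window.
OUTCOMES = [
    Outcome("failed-login lockout alerting", _t(2, 9, 0), _t(2, 9, 3)),
    Outcome("failed-login lockout alerting", _t(5, 14, 10), _t(5, 14, 14)),
    Outcome("failed-login lockout alerting", _t(11, 22, 5), _t(11, 22, 15)),
    Outcome("failed-login lockout alerting", _t(17, 8, 30), _t(17, 8, 32)),
    Outcome("failed-login lockout alerting", _t(26, 19, 45), _t(26, 19, 52)),
    Outcome("removable-media blocking", _t(3, 10, 0), _t(3, 10, 1)),
    Outcome("removable-media blocking", _t(9, 11, 20), _t(9, 11, 21)),
    Outcome("removable-media blocking", _t(14, 16, 0), None),
    Outcome("removable-media blocking", _t(21, 13, 5), _t(21, 13, 7)),
]
TEST_DAYS = 30

if __name__ == "__main__":
    accepted, results = assess_baseline(CRITERIA, OUTCOMES, TEST_DAYS)
    for r in results:
        print(f"{'PASS' if r.passed else 'FAIL'} {r.control}: n={r.occurrences} "
              f"rate={r.detect_rate:.2f} median={r.median_minutes} {'; '.join(r.notes)}")
    print("baseline accepted" if accepted else "baseline not finalised")
```

On this data the lockout alerting passes (every event detected, median four minutes), the media-blocking control fails on detection rate because one event was missed, and the backup restore control fails because nothing exercised it during the window. The aggregate verdict is therefore "not finalised", which is what slide 150 requires before the baseline is placed under configuration management.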
151 Assessment of Control Coverage
- The released version of this baseline is managed by that function in the same manner as a software release.
- That is, no changes are allowed without authorization and subsequent verification of the correctness and effectiveness of the change.
152 Module Three Review
- Why are two baselines needed?
- What is the reason for tradeoffs?
- What is the reason for top-down sponsorship?
- What are the criteria for determining feasibility?
- What is the purpose of the beta test of controls?
- Why are the final baselines strictly controlled?
- Why is buy-in a success factor?
- What is the role of risk assessment?
- What is the purpose of asset valuation?
- Why must system boundaries be decided?
153 End of Personal Instruction