Chief Information Officers (CIO) - PowerPoint PPT Presentation

About This Presentation
Title:

Chief Information Officers (CIO)

Description:

Chief Information Officers (CIO) Execute Plan Implement according to design Operate according to procedures Continually improve Appraise Appraise the plan: Does it ... – PowerPoint PPT presentation

Slides: 47
Provided by: nimita

Transcript and Presenter's Notes

Title: Chief Information Officers (CIO)


1
Chief Information Officers (CIO)
2
Module 9
  • Information Security

3
Objectives of Module 9
  • To present and discuss the basic concepts and
    tools for security of information, data and IT
    infrastructure in the context of the E-Government
    Program of Iraq

4
Information Security Concept
  • Protecting information resources and systems from
    • Unauthorized use and access
    • Unauthorized disclosure and modification
    • Damage and destruction

5
Sources of Likely Threat for Information Systems and Resources of the Government
  • Insiders, for fun or revenge
  • Enemies of the nation
  • Faults and malfunction
  • Insiders and outsiders, for profit
  • Acts of God

6
Possible Impact
  • System not available
  • Privacy of data violated
  • Information modified or misused, with consequential public and private loss
  • Systems or information damaged and destroyed, with consequential private and public loss

7
ISO 27001 Code of Practice on Information Security Management
  • Information Security Policy
  • Organization of Information Security
  • Asset Management
  • Human Resources Security
  • Physical and Environmental Security
  • Communications and Operations Management
  • Access Control
  • Information Systems Acquisition, Development and Maintenance
  • Incident Management
  • Business Continuity Management
  • Compliance

8
Information Security Standards
  • ISO 27001
  • PCI DSS
  • BS 25999 (Business Continuity Management System)
  • Other standards
9
OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)
  • A suite of tools, techniques, and methods for risk-based information security strategic assessment and planning

10
Identify Your Adversaries
  • Internet hacker
  • Insider
  • Thief
  • Terrorist
  • Industrial spy

11
Which are the likely targets?
  • Information systems
  • Networks and IT infrastructure
  • Servers, computers and devices
  • Databases and information repositories
  • Information applications
  • Websites

12
Risk Assessment
  • The risk equation
    • Likelihood
    • Impact
  • Addressing risk
    • Establish policy
    • Implement countermeasures
    • Maintain vigilance

13
Vulnerability Driven Analysis
  • Search for known vulnerabilities
  • Tabulate and estimate severity
  • Determine what assets are affected
  • Assign impact value
  • Consider adversaries and their motivations
  • Assign likelihood
  • Tabulate and report

14
Risk Assessment and Management

15
The Risk Equation
  • Risk = Impact x Likelihood
  • Universal: applies to all types of risk
  • Uniform: enables comparison
  • Objective: can be tracked over time

16
Impact measures the level of pain to the organization
  • Examples
    • Financial: loss, or cost to repair
    • Operational: lost time, production or delivery
    • Reputation: loss of customer or consumer confidence
    • Competitive: reduction of market advantage
    • Regulatory: legal liability
    • Fiduciary: fiduciary liability

17
Vulnerability Driven Analysis
  1. Search for known vulnerabilities
  2. Tabulate and estimate severity
  3. Determine what assets are likely to be affected
  4. Assign impact value
  5. Consider adversaries and their motivations
  6. Assign likelihood
  7. Tabulate and report
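The seven steps above, together with the deck's risk equation (Risk = Impact x Likelihood) and the roadmap's Pareto-principle prioritization, as an added worked example that is not part of the original deck. The finding table, the 1-to-5 scales and the rule that impact follows the most valuable affected asset and likelihood the most motivated adversary are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One row of the vulnerability table (steps 1-2)."""
    vulnerability: str
    severity: int                  # estimated severity, 1 (low) to 5 (high)
    asset_impacts: dict[str, int]  # affected asset -> impact value 1..5 (steps 3-4)
    adversaries: dict[str, int]    # motivated adversary -> likelihood 1..5 (steps 5-6)


def impact(f: Finding) -> int:
    # Assumption: impact is driven by the most valuable affected asset.
    return max(f.asset_impacts.values(), default=0)


def likelihood(f: Finding) -> int:
    # Assumption: likelihood is driven by the most motivated adversary.
    return max(f.adversaries.values(), default=0)


def risk(f: Finding) -> int:
    # The deck's risk equation: Risk = Impact x Likelihood.
    return impact(f) * likelihood(f)


def tabulate(findings: list[Finding]) -> list[dict]:
    # Step 7: tabulate, highest risk first; severity breaks ties.
    rows = [{"vulnerability": f.vulnerability, "impact": impact(f),
             "likelihood": likelihood(f), "risk": risk(f), "severity": f.severity}
            for f in findings]
    return sorted(rows, key=lambda r: (-r["risk"], -r["severity"]))


def pareto_priority(rows: list[dict], share: float = 0.8) -> list[str]:
    # Roadmap slide: prioritize by the Pareto principle, i.e. the smallest
    # top-ranked set of findings that carries `share` of the total risk score.
    total = sum(r["risk"] for r in rows)
    picked, running = [], 0
    for r in rows:
        if running >= share * total:
            break
        picked.append(r["vulnerability"])
        running += r["risk"]
    return picked


# Constructed sample table (not data from the deck); names follow slide 18.
SAMPLE = [
    Finding("Unprotected administrator logon", 5,
            {"Citizen registry DB": 5, "Web portal": 3}, {"Internet hacker": 4, "Insider": 3}),
    Finding("Exposed management interface", 4, {"Core router": 4}, {"Internet hacker": 4}),
    Finding("Unsecured data stream (clear-text backup)", 3,
            {"Off-site backup": 4}, {"Insider": 2, "Thief": 2}),
    Finding("Unnecessary network pathway to test LAN", 2, {"Test servers": 1}, {"Insider": 2}),
]
```

Running `tabulate(SAMPLE)` ranks the findings 20, 16, 8, 2; `pareto_priority` then returns the first three, which together carry 80% of the total score.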
18
Network and System Vulnerabilities
  • Network
    • Unnecessary pathways
    • Unsecured data streams
  • System
    • Unhardened systems
    • Unprotected administrator logon
    • Exposed management interfaces

19
Asset Driven Analysis
  1. Inventory information assets
  2. Estimate impact
  3. Trace information back to technology
  4. Analyze for vulnerabilities
  5. Consider adversaries and their motivations
  6. Assign likelihoods
  7. Tabulate and report
21
Information Security Roadmap
  • Initiate Risk Assessment
  • Prioritize Security Areas Needing Attention (Pareto Principle)
  • Seek Input in Developing and Implementing a
    Campus Unit Security Plan
  • Implement Security Plan
  • Annually Review Security Plan
  • Keep Up to Date with Security News

22
Security Provisions for BFB IS-3
  • Authentication and Authorization
  • Background Checks
  • Control of Administrative Accounts
  • Data Backup, Retention, Storage, and Encryption in Transit
  • Disaster Recovery Plan
  • Incident Response and Notification Plan
  • Physical Security Controls
  • Media Controls

23
Policy Statements
  • Most corporate policies must be translated into concrete statements
  • Major elements
    • Information classification
    • System criticality
    • Operational context

24
Information Classification
  • Information classification streamlines policy statements and their enforcement.
  • CAVEAT: over-classification leads to excessive cost and added overhead.
  • CAVEAT: some collections of unclassified data become sensitive when aggregated.

26
Criticality
Criticality is a quality of operational systems. It depends upon the importance of a network, system or application. Criticality motivates reliability measures.
28
Policy
  • Policy defines classification and the rules for access and exchange.
  • Policy defines criticality.
  • The policy hierarchy defines security services and the quality of mechanisms.

29
Implement Countermeasures
30
Cost vs Risk
31
Level of Vigilance Vs Frequency of Attacks
32
Balance Security Activities
33
Security Plan
  • Consider
    • Future business needs
    • The changing threat landscape
    • Tolerance to residual risk
  • Establish policy
  • Design security infrastructure
  • Develop security procedures

34
Execute Plan
  • Implement according to design
  • Operate according to procedures
  • Continually improve

35
Appraise
  • Appraise the plan
    • Does it meet the expected threats?
    • Will it protect business interests?
    • Are there flaws in the design?
    • Is policy adequate or overly burdensome?
  • Appraise the execution
    • Is the design implemented correctly?
    • Has the configuration changed?
    • Do procedures cover all events?
    • Are operators alert?

36
Disaster Management and Business Continuity
37
What is a Disaster?
Any unplanned event that requires immediate redeployment of limited resources.
Sample Disasters
  • Natural Forces
  • Fire
  • Environmental Hazards
  • Flood / Water Damage
  • Extreme Weather
  • Technical Failure
  • Power Outage
  • Equipment Failure
  • Network Failure
  • Software Failure
  • Human Interference
  • Criminal Act
  • Human Error
  • Loss of Users
  • Explosions

38
What is a Disaster Recovery Plan?
A management document for how and when to utilize the resources needed to maintain selected functions when they are disrupted by agreed-upon incidents.
Other names commonly used
  • Business Continuity Plan
  • Contingency Plans
  • Continuity Plans
  • Emergency Response Plans
  • Business Recovery Plans
  • Recovery Plans

39
Disaster Recovery Response
When an incident occurs, the Disaster Recovery response activities are likely to be the following (at a high level; recovered from the slide's flow diagram):
  • Incident
  • Assess damage
  • Confirm response strategy
  • Execute required functions
  • Transfer to alternate location
  • Prepare new site
  • Transfer and execute at new site
  • Restore primary site
  • Transfer and execute at primary site
  • Return to normal operations
  • Generate change requests
  • Assess DRP effectiveness
40
What is the magnitude of an incident?
  • Regional Area
  • Local Area
  • Within 3 Blocks
  • To The Building
  • Within 3 Floors
  • On The Floor
  • Within The Room

Depending upon the magnitude of an incident, possible alternative sites include:
  • Within The Room
  • Within the Building
  • Within the Region
  • Outside the Region

41
Types of Strategies
  • Avoidance strategy
    • Redundant configuration to avoid incidents
    • Site-hardened facilities to resist incidents
    • Redundant utilities and hardware
    • Automated operation recovery plan
  • Mitigation strategy
    • Early warning detection
    • Contractual agreements with vendors
    • Mirrored data and documents
    • Detailed migration recovery plan
  • Recovery strategy
    • High-level recovery plan
    • Off-site data storage
    • Very responsive vendor relationships
    • Very knowledgeable employees
  • Types of strategy options
    • Hot site
    • Cold site
    • Self backup
    • Service bureau
    • Reciprocal agreement

42
What is a Critical Business Function?
A specific entity that management has decided is so significant to the business mission that, without it, the organization cannot successfully operate after an identified time period.
Types of Impact
  • Extra expense
    • Labor cost
    • Recreate lost business
    • Recreate lost data
    • Use manual process
  • Equipment cost
    • Hardware and software
    • Telephones
  • Money cost
    • Delayed receivables
    • Delayed orders
    • New interest
    • New investments
  • Financial loss
    • Lost revenue
    • Lost sales
    • Lost market share
    • Lost opportunity
  • Human interference
    • Management control
    • Employee relations
    • Stockholder relations
    • Public image
  • Legal exposure
    • Contractual liability
  • Competitive advantage

43
Criteria for a Critical Business Function
  • Timing requirements
    • Minutes
    • Hours
    • Days
    • Weeks
    • Quarters
    • Special situations

Cost of Control vs. Impact (chart: cost of control plotted against cost of impact)
  • Interdependencies
    • Inputs and outputs
44
Disaster Recovery Approach
  • Planning
    • The primary objective of the Planning Phase is to gain management consensus on the focus areas and scope of a Disaster Recovery Plan that will address major business risks.
  • Implementation
    • The primary objective of the Implementation Phase is to develop, test, and roll out a Disaster Recovery Plan. The implementation phase could be longer or shorter, depending upon the scope, approach, and staffing defined during the Scoping and Risk Assessment phase.

45
DR Team Organization
An example Disaster Recovery Team (org chart; roles recovered from the slide):
  • DRP Management Team
    • Disaster Recovery Director
    • Disaster Recovery Coordinator
  • Customer Liaison
  • Production Application Support
  • Site Restoration
  • System Software, Security and Database Administration
  • Computer Services Operation and Off-site Storage Delivery
  • Network Delivery
  • Application Support
46
Example Disaster Recovery Services
  • Education classes: creating a base of common knowledge for the business continuity/disaster recovery planning industry through education, assistance, and the promotion of international standards.
  • On-site recovery facilities: manage the mobilization of an on-call response team, prepare the pre-designated site, erect temporary pre-engineered structures, install mechanical and electrical systems, and coordinate move-in activities.