Information Assurance for the Enterprise
Instructor's Manual

Chapter 1: Knowing What to Secure
Learning Objectives

In this chapter, you begin by understanding what information to secure, as information is intangible and it is difficult to put a dollar value on that asset. At the end of this chapter, the student will know:
- Why knowing what to secure is the first step in the security process
- Why information has to be controlled like any other organizational chart
- Why change has to be rigorously planned for and managed
Preparing for Class

Instructors should have a good understanding and knowledge of Information Assurance and Security in general. Because this is an introductory chapter, it is beneficial to be able to discuss not just the basics of information assurance, but also how it applies to the real world. The quicker the instructor can help the students understand how this chapter applies to them personally or professionally, the more likely the students will be to actively participate.
Prerequisites for Class

Ensure that the students are:
- In a computer lab, if possible, for access to the Internet
- Arranged in the classroom advantageously to ensure maximum participation
- Fundamentally sound with information security basics
Class Preparation Notes

For this class the students will need:
- Access to a working computer with Internet access
- A highlighter (it's not mandatory if they can take good notes)
General Teaching Tips

This course has a lot of information that is lecture oriented. The instructor must be creative in bringing in the current events that are relevant to the chapters and make it an interactive process of learning.

By engaging the students in the learning process, the class discussions will be lively and make the lecture interesting for this very important topic in today's digital world.

Discussion Points and Teaching Tips will be provided as necessary for every chapter. Also, web links will be added as necessary for instructors to include them in the classroom.
Key Terms

Asset Base - It is a repository of items identified and labeled for information assurance.
Asset Identification - It establishes an accurate record of the precise form of the items in the information asset base.
Asset Management - It assures that the documentation is accurate and that all security policies are correctly implemented.
Asset Management Plan - It enumerates the activities that make up the entire asset management process.
Authorized Decision Makers - They approve the decision to change the baseline.
Baseline - It is a catalogue of recorded information items.
Baselining - It is a process of recording an information item.
Change Control - It assures that the documentation of the items that exist within the baseline is accurate and that their precise status is known at all times.
Change Management - It assures continuous integrity by controlling all changes to all formally established baselines.
Concrete Architecture - It is the lowest level of the baseline and represents the only tangible depiction of the asset.
Controlled Repository - This means only authorized people can modify the repository of the baseline.
Corrective Action - It is the specific response that an organization deploys for a given situation.
Countermeasure - It is a control that has been deliberately set to counter an identified threat.
Decision Maker - They are persons who are authorized to approve alterations to the form of the asset base.
Disaster Recovery - It assures the ability to recover assets after a disaster.
Family Tree - It is a hierarchical structure of the asset base.
Financial Factors - It describes the return on investment (ROI) for a given countermeasure.
Risk Management - It maintains the organization's planned response to all identified threats.
Status Accounting - It maintains a running documentation of all asset baselines and performs the routine reporting activities necessary to transmit that knowledge to the appropriate managers.
Timing - It is part of the asset management plan that requires users to back up and preserve each baseline.
Uncertainty - It describes the priority of the threat.
Version Management - It keeps each authorized version of the asset baselines secure, each in its own repository.
Work Practice - It establishes a concrete link between each specific item of information and the countermeasures that are set to protect it.
Lecture Outline

I. Assurance Process
   A. Inventory
      1. Identify and label every useful bit of information
      2. Every information item is catalogued
      3. A value is assigned to each information item
      4. The recording process is known as baselining
      5. Baseline
         i. Catalogue of information items
         ii. Starting point for the security response
         iii. It contains items that are valuable
         iv. It documents the information resource base
         v. It should be maintained as a living entity throughout the information assurance process
         vi. It assures an accurate picture of the information base
         vii. A disciplined process is necessary for control and changes to the baseline
   B. Ensuring Continuous Knowledge
      1. Asset Management
         i. It establishes and maintains a precise description of the asset base
         ii. It assures a permanent, accurate accounting
         iii. It enables the status of the asset base to be known
      2. Process Implementation
         i. A plan must be established for a persistent organizational process
         ii. The plan should precisely specify the process for inventory control
         iii. The plan must state the status of the information asset
         iv. The plan must have a valid baseline
         v. The plan must have a list of authorized decision makers
         vi. The plan must identify the risk management function
         vii. The Disaster Recovery Plan assures the ability to recover assets after a disaster
         viii. The plan must define the timing and the execution steps required to back up and preserve each baseline
         ix. The steps to recover assets must be sequenced and scheduled
      3. Asset Identification
         i. It establishes an accurate record of the precise form of the items in the information asset base
         ii. It is based on a formal identification scheme
         iii. Everything worth protecting should be identified and labeled properly
         iv. The identification scheme is guided by the business case
         v. In the labeling process, the first pass should be all encompassing
         vi. The second pass details each of the large components
         vii. Refer to Figure 1-1 (Page 5) for Hierarchy of documentation baselines
         viii. Hierarchical is the most common model for representing the components of a baseline
         ix. Refer to Figure 1-2 (Page 6) for Increasing levels of assurance controls
         x. Concrete Architecture represents the only tangible depiction of the asset
      4. Control of Change
         i. Change is a continuous process
         ii. Control of change means managing the natural evolution of an entity while preserving its overall integrity
         iii. Changes to the baseline change the protection requirements
      5. Status Accounting
         i. It maintains running documentation of all asset baselines
         ii. It performs routine reporting activities
         iii. Normally, the information resource manager is responsible for status accounting
         iv. The manager is also referred to as the baseline manager
      6. Asset Evaluation
         i. It assures the operational integrity of the asset base itself
         ii. It involves a formal inspection of a designated baseline
         iii. Evaluations are conducted routinely, on a scheduled basis
         iv. Evaluations assess the degree of correctness of the baseline
         v. Results of the evaluations are communicated appropriately
      7. Version Management
         i. It maintains records of all current versions
         ii. All previous versions are archived separately
         iii. Archives provide a rollback capability in case of disaster
   C. Maintaining Integrity
      1. Establishing the Checkpoint
         i. Integrity of information is a critical quality for assurance
         ii. Refer to Figure 1-4 (Page 10) for Generic Asset baseline change management process
         iii. A single identified checkpoint in the organization must be established for change coordination
         iv. A single checkpoint assures that the responsible party approves the required changes to a secured baseline
      2. Documenting the Decision
         i. The documentation format must be standardized
         ii. Any change request must be clearly applied throughout the organization
      3. Assigning Authority
         i. The responsible party makes the decision
         ii. It assures accountability
         iii. Decision making authority has to be assigned formally
         iv. Baseline changes can only be approved by the authorized decision maker
         v. To assure integrity, the decision maker empowered to approve changes must also be authorized to enforce the decisions
      4. Implementing the Change
         i. High impact change approval might come from an executive decision
         ii. The change is made once authorization is received
         iii. To assure integrity, the change is inspected and verified
         iv. For a major change, the entire baseline should be audited to verify that integrity has been maintained
         v. The labeling is modified to reflect the form of the new baseline
      5. Accounting for Information
         i. A formal organizational accounting function assures the asset base contents are accurate and known
         ii. It allows users to document and record all transactions for the affected baseline
      6. Other Considerations
         i. Keep track of the individual requesting changes
         ii. It allows security managers to validate sensitivity
         iii. For complex situations, asset baselines must evolve through a single integrated and coordinated function
         iv. Uncontrolled changes are threats to information integrity
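The following is an added example, not code from the manual or the textbook: a small Python model of the baseline controls described in sections I.B and I.C above (a controlled repository, unique family-tree labels, a single change checkpoint limited to authorized decision makers, a version archive with rollback, and a status accounting report). The class names, the dotted label scheme and the sample labels are constructed for illustration.

```python
"""Added example (not from the manual): toy model of the asset baseline
controls described in the outline. Class and label names are constructed."""
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass
class Baseline:
    """Catalogue of information items keyed by a unique family-tree label."""
    version: int = 1
    items: dict = field(default_factory=dict)   # label -> description


class ControlledRepository:
    """Holds the current baseline and its archived versions. Only the listed
    decision makers may approve a change: this is the single checkpoint."""

    def __init__(self, authorized_decision_makers):
        self.authorized = set(authorized_decision_makers)
        self.current = Baseline()
        self.archive = []   # earlier versions, kept for rollback
        self.log = []       # status accounting: every transaction, approved or not

    def _check_parents(self, label):
        """Hierarchical labels: 'TADS.1.2' needs 'TADS' and 'TADS.1' first."""
        parts = label.split(".")
        for depth in range(1, len(parts)):
            parent = ".".join(parts[:depth])
            if parent not in self.current.items:
                raise ValueError(f"{label!r} has no parent {parent!r} in the baseline")

    def request_change(self, requester, approver, label, description):
        """Return True if the change was approved and applied, False if rejected."""
        if approver not in self.authorized:
            self.log.append(("rejected", requester, approver, label))
            return False
        self._check_parents(label)                    # keeps the family tree coherent
        self.archive.append(deepcopy(self.current))   # version management
        self.current.version += 1
        self.current.items[label] = description
        self.log.append(("approved", requester, approver, label))
        return True

    def rollback(self):
        """Restore the most recent archived version (disaster recovery)."""
        if not self.archive:
            return False
        self.current = self.archive.pop()
        self.log.append(("rollback", None, None, f"v{self.current.version}"))
        return True

    def status_report(self):
        """Status accounting summary for the baseline manager."""
        return {
            "version": self.current.version,
            "items": sorted(self.current.items),
            "approved": sum(1 for e in self.log if e[0] == "approved"),
            "rejected": sum(1 for e in self.log if e[0] == "rejected"),
        }
```

A rejected request and a label without a catalogued parent both leave the baseline version untouched, which is the property the checkpoint exists to guarantee.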
II. Establishing the Assurance Function
   A. Basing the Response on the Risks
      1. A control set to counter an identified threat is a countermeasure
      2. The inventory of risks and associated countermeasures must be identified
      3. Risk assessment requires an accurate understanding of the precise threat-countermeasure relationship factors, as follows:
         i. Timing Requirements - Corrective action depends on the ability to deliver in sufficient time
         ii. Corrective Action Requirements - It is a specific response that an organization deploys for a given situation
         iii. Financial Factors - It describes the Return on Investment (ROI) for a given countermeasure
         iv. Likelihood - The frequency of the threat occurrence and the extent of the harm that might result
   B. Hoping for the Best and Planning for the Worst
      1. The uncertainty factor must be considered in a threat assessment
      2. Uncertainty is expressed as a level of confidence
      3. Threat assessment is not an exact science, thus it must be understood to build the response
   C. Documenting the Countermeasures
      1. Risk analysis identifies what information assets an organization holds
      2. The organization also knows the threat levels to every item in the baseline
      3. Refer to Figure 1-5 (Page 16) for the relationship between the asset baseline and the control baseline
III. Documenting the Assurance Solution
   A. Sequence and Timing
      1. Countermeasures are not applied at the same time
      2. Countermeasures must be sequenced properly
      3. The sequence must be determined in the design process for countermeasures
   B. Monitoring
      1. It assures that the relationship between the information and its countermeasures will be supervised
      2. It allows the organization to continuously evolve the countermeasures it needs as threats rise
   C. Accountabilities
      1. Individual supervisory roles and responsibilities must be defined for each countermeasure
   D. Documentation and Reporting
      1. The information to be captured and recorded must be identified
      2. The management reports to be produced must be identified
   E. Problem Resolution
      1. Problem resolution must be stated
      2. The problem resolution process must be identified
IV. Keeping the System Aligned
   A. The baseline must be properly aligned with the evolution of the operating infrastructure of the organization
   B. Continuous monitoring, adjustment, and updating of the baseline is important
   C. A feedback system is important as it generates a high degree of organizational buy-in
Teaching Tip

This chapter gives an overview of the information items that need to be secured. Instructors can bring in current events such as how information was lost when Hurricane Katrina hit the Gulf Coast Region. Companies that did not have any Disaster Recovery plan were struggling after the floods in New Orleans. You can ask students to give examples of what needs to be secured in a house and what does not, as a risk management plan. The instructor can group students and ask them to identify items that need to be secured and prioritize them.

Discussion Point

There are many discussion questions for the class under the Cross Check section in this chapter. Instructors can utilize these questions to provide some critical thinking discussions in the classroom.
Key Terms Quiz

Use the terms from the Key Terms list to complete the sentences that follow. Don't use the same term more than once. Not all terms will be used.

1. Testing to refine the control set in its operational environment is called ______.
2. Each information item is identified by a unique and appropriate ______.
3. Essentially, ______ types of baselines are involved in asset management.
4. The baseline that provides the specific assurance function is called the ______.
5. The goal of authorization is to assure that the designated ______ authorizes all changes to information and control ______.
6. Implementing work practices involves consideration of their ______.
7. Threats to information are identified by means of a ______.
8. ______ is necessary because an organization's information can legitimately be in more than one form, tax records for instance.
9. Measures to resolve problems are called ______.
10. ______ maintains an up-to-date record of the form of the asset.
Answers

1. Testing to refine the control set in its operational environment is called change control.
2. Each information item is identified by a unique and appropriate asset identification.
3. Essentially, family tree types of baselines are involved in asset management.
4. The baseline that provides the specific assurance function is called the change management.
5. The goal of authorization is to assure that the designated decision maker authorizes all changes to information and control baseline.
6. Implementing work practices involves consideration of their countermeasures.
7. Threats to information are identified by means of a risk management.
8. Version management is necessary because an organization's information can legitimately be in more than one form, tax records for instance.
9. Measures to resolve problems are called corrective action.
10. Status Accounting maintains an up-to-date record of the form of the asset.
Multiple Choice Quiz

1. Information asset management:
   A. is irrelevant to information assurance
   B. implements policy
   C. involves AT&E
   D. is unnecessary
2. Baselines:
   A. are abstract
   B. are intangible
   C. are hierarchical
   D. must be programmed
3. The process of formulating the control set should be based on:
   A. best guess
   B. confidence
   C. iteration
   D. a sense of humor
4. To do its work properly, the status accounting function relies on the use of:
   A. code reviews
   B. repositories
   C. controls
   D. verifications
5. Information asset management is always based on:
   A. a plan
   B. an analysis
   C. best guess
   D. best practice
6. Version management is necessary because:
   A. there are often multiple examples of the same information
   B. software comes in multiple versions
   C. there might be two organizations involved
   D. versions are difficult to identify
7. A disciplined change process is necessary because:
   A. discipline is important
   B. the protection scheme must be continuously aligned to the business case
   C. items that are left out of the protection scheme will still be protected
   D. change never happens
8. Documented baselines serve as:
   A. a warning against threats
   B. the model for good security practice
   C. the basis for access control
   D. a proxy for the information asset itself
Answers
1. B
2. C
3. B
4. B
5. A
6. A
7. B
8. B
Essay Quiz

1. Why is it important to control changes to asset baselines?
2. Why is the labeling process approached hierarchically?
3. Differentiate asset baselines from control baselines.
4. How do the asset management procedures relate to overall information assurance policy?
5. What is the role of risk assessment when it comes to baseline formulation?
6. Why is organizational buy-in so important to good asset management?
7. What is the purpose of version management, why is it necessary, and what are the outcomes if it is not practiced?
8. Why is it logical to begin the information assurance process with an information identification step?
9. Why must labels be unique, and what purpose does unique labeling serve in the real world?
10. Why is assignment of accountability important? What would be the consequence of not having it?

Answers

1. Why is it important to control changes to asset baselines?
It assures the integrity and correctness of a baseline. Also, it allows for the maintenance of continuous knowledge about status.
2. Why is the labeling process approached hierarchically?
The most common model for representing the components of a baseline is hierarchical. The labeling employed to characterize the relationship of each individual component to all other components is based on and reflects the hierarchical structure. The labels must be unique and should designate and describe the position of the item in the overall family tree of the asset base.
3. Differentiate asset baselines from control baselines.
The asset baseline describes the components of the baseline at a high level of functioning. It focuses on communicating the general form of the asset base to managers and users. On the other hand, control baselines are at the lower level of hierarchical components and are detailed in nature.
4. How do the asset management procedures relate to overall information assurance policy?
Asset management establishes and maintains a precise description of the information asset base, its constituent elements, and their interrelationship. It assures that the documentation is accurate and that all security policies are correctly implemented. The asset management process is composed of six interdependent activities: Process Implementation, Asset Identification, Control of Change, Status Accounting, Asset Evaluation and Version Management.
5. What is the role of risk assessment when it comes to baseline formulation?
The risk assessment produces an initial characterization of the type and origin of all reasonable threats to a particular information item. For every identified threat, a potential countermeasure is determined. Countermeasures are based on the four factors: Timing requirements, Corrective action requirements, Financial factors and Likelihood.
6. Why is organizational buy-in so important to good asset management?
Since generating a baseline for all information assets to be secured is the first step in having a good security policy, the buy-in from all levels of the organization is very important.
7. What is the purpose of version management, why is it necessary, and what are the outcomes if it is not practiced?
Version Management is necessary as there are usually simultaneous representations of the same asset baseline. All versions are archived separately and thus can provide a rollback capability in the case of disaster, as well as serve as a source of time series data for root cause analysis. If version management is not practiced then it will be difficult to recover after a disaster.
8. Why is it logical to begin the information assurance process with an information identification step?
Information identification is a critical step: if the organization does not know what to secure, then how can an assurance process be developed? So, all critical information assets that need to be protected should be identified.
9. Why must labels be unique, and what purpose does unique labeling serve in the real world?
Labels must be unique as they identify the item, the name of the baseline and the version designation. Labels provide a logical framework based on their interrelationships and interdependencies. Thus, the structure of the hierarchical process can be identified clearly.
10. Why is assignment of accountability important? What would be the consequence of not having it?
It is important that a person is identified for the responsibilities and accountability for the specific baseline items. If there is no accountability then there will be no integrity of the process.

Case Exercise

Complete the following case exercise as directed by your instructor:

Refer to the Heavy Metal Technology Case in Appendix A. You have been assigned the baseline management responsibility for the project to upgrade the target acquisition and display (TADS) for the AH-64D Apache Longbow attack helicopter. To start the process, you know you must first identify and array a complete and coherent baseline of high-level documentation items. Using the project materials outlined in the case (and others you want to add because you feel they are appropriate), perform the following tasks:
- Identify all distinct types of documentation.
- Relate these documentation items to each other. If there are implied relationships, what are they?
- Provide unique labels for each item that reflect their relationship to each other and through which another reader could easily see that relationship.
- Formulate these items into a coherent baseline.
- Define a change control system to assure that the integrity of each of these items will be preserved over time.
- Justify the effectiveness of that control scheme.