All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law. For permission requests, write to the publisher, addressed “Attention: Permissions Coordinator,” at the address below.
FOREWORD
MODULE 1
Information Security Management
“The supreme art of war is to subdue the enemy without fighting.”
– Sun Tzu
Introduction to the Management of Information Security
Chapter Overview
Know and understand the definition and key characteristics of information security
Know and understand the definition and key characteristics of leadership and management
Recognize the characteristics that differentiate information security management from general management
INTRODUCTION
Because this new concept covers a broader range of issues, from the protection of data to the protection of human resources, information security is no longer the sole responsibility of a discrete group of people in the company; rather, it is the responsibility of every employee, and especially managers.
The information technology community supports the business objectives of the organization by supplying and supporting information technology appropriate to the business’ needs.
The nontechnical general business community articulates and communicates organizational policy and objectives and allocates resources to the other groups.
Security is often achieved by means of several strategies usually undertaken simultaneously or used in combination with one another.
Information security includes the broad areas of information security management, computer and data security, and network security.
At the heart of the study of information security is the concept of policy. Policy, awareness, training, education, and technology are vital concepts for the protection of information and for keeping information systems from danger.
NSTISSC Security Model
Another weakness of using this model with too limited an approach is to view it from a single perspective.
Confidentiality
Confidentiality of information ensures that only those with sufficient privileges may access certain information. When unauthorized individuals or systems can access information, confidentiality is breached. To protect the confidentiality of information, a number of measures are used:
Information classification
Secure document storage
Education of information custodians and end users
Integrity
Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state. Corruption can occur while information is being compiled, stored, or transmitted.
Availability
Availability is the characteristic of information that enables user access to information without interference or obstruction and in a required format. A user in this definition may be either a person or another computer system. Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.
Identification
An information system possesses the characteristic of identification when it is able to recognize individual users. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted.
Authentication
Authentication occurs when a control provides proof that a user possesses the identity that he or she claims.
After the identity of a user is authenticated, a process called authorization provides assurance that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset.
Accountability
The characteristic of accountability exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process. For example, audit logs that track user activity on an information system provide accountability.
WHAT IS MANAGEMENT?
Management is the process of achieving objectives using a given set of resources.
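To show how identification, authentication, authorization and accountability fit together in one control, here is an added Python example (not from the text or any particular product): a minimal reference monitor with constructed users, a salted password hash as the assumed authentication method, an access list over the read, update and delete rights named above, and an audit log that records every request, permitted or not, against the name that made it.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# The three rights the chapter names for an information asset.
ACTIONS = {"read", "update", "delete"}


def hash_password(password: str, salt: bytes) -> bytes:
    # Assumption: passwords are the credential; stored salted and stretched so a
    # stolen credential store does not directly reveal them.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class ReferenceMonitor:
    credentials: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)
    acl: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def enroll(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.credentials[user] = (salt, hash_password(password, salt))

    def grant(self, asset: str, user: str, rights: Set[str]) -> None:
        # Authorization must be explicit: only the named rights, nothing implied.
        if not rights <= ACTIONS:
            raise ValueError(f"unknown rights: {rights - ACTIONS}")
        self.acl.setdefault(asset, {})[user] = set(rights)

    def identify(self, user: str) -> bool:
        # Identification: the system recognizes this user at all.
        return user in self.credentials

    def authenticate(self, user: str, password: str) -> bool:
        # Authentication: proof that the caller possesses the claimed identity.
        salt, expected = self.credentials[user]
        return hmac.compare_digest(hash_password(password, salt), expected)

    def authorize(self, user: str, action: str, asset: str) -> bool:
        # Authorization: the proper authority granted this action on this asset.
        return action in self.acl.get(asset, {}).get(user, set())

    def request(self, user: str, password: str, action: str, asset: str) -> str:
        if not self.identify(user):
            outcome = "unknown identity"
        elif not self.authenticate(user, password):
            outcome = "authentication failed"
        elif not self.authorize(user, action, asset):
            outcome = "denied"
        else:
            outcome = "permitted"
        # Accountability: every attempt, including failures, is attributed to the
        # (claimed) named principal so it can be reviewed afterwards.
        self.audit_log.append(
            {"user": user, "action": action, "asset": asset, "outcome": outcome})
        return outcome


def build_sample_monitor() -> ReferenceMonitor:
    # Constructed users, passwords and asset; not from the text.
    rm = ReferenceMonitor()
    rm.enroll("alice", "correct horse battery staple")
    rm.enroll("bob", "hunter2")
    rm.grant("payroll.db", "alice", {"read", "update"})
    rm.grant("payroll.db", "bob", {"read"})
    return rm


def run_demo() -> ReferenceMonitor:
    rm = build_sample_monitor()
    rm.request("alice", "correct horse battery staple", "read", "payroll.db")
    rm.request("bob", "hunter2", "update", "payroll.db")       # integrity guarded
    rm.request("alice", "wrong password", "delete", "payroll.db")
    rm.request("mallory", "anything", "read", "payroll.db")    # confidentiality guarded
    return rm


if __name__ == "__main__":
    for entry in run_demo().audit_log:
        print(entry)
```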
Interpersonal role: Interacting with superiors, subordinates, outside stakeholders, and other parties that influence or are influenced by the completion of the task
Decisional role: Selecting from among alternative approaches, and resolving conflicts, dilemmas, or challenges.
The Difference between Leadership and Management
The distinction between a leader and a manager arises in the execution of organizational tasks. The leader influences employees so that they are willing to accomplish objectives. He or she is expected to lead by example and demonstrate personal traits that instill a desire in others to follow. In other words, leadership provides purpose, direction, and motivation to those that follow.
By comparison, a manager administers the resources of the organization.
Dependability – performing and completing tasks in a reliable and predictable manner
Endurance – withstanding mental, physical, and emotional hardship
Enthusiasm – displaying sincere interest in and exuberance for the accomplishment of tasks
Integrity – being of sound moral fiber and good ethical worth
Judgment – using sound personal decision making to determine effective and appropriate solutions
Justice – being impartial and fair in exercising authority
Knowledge – possessing a base of information gained through experience or education
Loyalty – expressing open support and faithfulness to one’s organization and fellow employees
Tact – dealing with a situation without undue personal bias or creating offense
Unselfishness – performing duties by placing the welfare of others and the accomplishment of the mission first
Action plan for improvement of leadership abilities:
Develop a sense of responsibility in your subordinates.
Ensure the task is understood, supervised, and accomplished.
Build the team.
Employ your [team] in accordance with its capabilities.
As a leader you must BE a person of strong and honorable character; committed to professional ethics; an example of individual values; and able to resolve complex ethical dilemmas. You must KNOW the details of your situation, the standards to which you work, yourself, human nature, and your team. You must DO by providing purpose, direction, and motivation to your teams.
Planning
The general approach to planning begins with the creation of strategic plans for the entire organization.
To better understand the planning process, an organization must thoroughly define its goals and objectives.
Organization
Leadership
Control
Control Tools
There are four categories of control tools:
Information control tools.
Financial control tools.
Feasibility Analyses:
To review economic feasibility, you compare the costs and benefits of possible solutions.
To review technological feasibility, you address the organization’s ability to acquire the technology needed to implement a candidate solution.
To review behavioral feasibility, you assess a candidate solution according to the likelihood that subordinates will adopt and support a solution, rather than resisting it.
To review operational feasibility, you assess the organization’s ability to integrate a candidate solution into its current business processes.
Principles of Information Security Management
Because information security management is charged with taking responsibility for a specialized program, certain characteristics of its management are unique to this community of interest.
The extended characteristics of information security are known as the six Ps.
Planning
Policy
Programs
Protection
People
Project Management
…sary to support the design, creation, and implementation of information security strategies, as they exist within the IT planning environment
Several types of InfoSec plans exist:
incident response planning,
business continuity planning,
disaster recovery planning,
policy planning,
personnel planning,
technology rollout planning,
risk management planning, and
security program planning including education, training and awareness.
Policy
The set of organizational guidelines that dictates certain behavior within the organization is called policy.
In InfoSec, there are three general categories of policy:
General program policy (Enterprise Security Policy)
An issue-specific security policy (ISSP)
System-specific policies (SSSPs)
Programs
Specific entities managed in the information security domain.
Protection
The protection function is executed via a set of risk management activities, including risk assessment and control, as well as protection mechanisms, technologies, and tools.
People
People are the most critical link in the information security program. As discussed in the Viewpoint section, it is imperative that managers continuously recognize the crucial role that people play in the information security program.
This aspect of InfoSec includes security personnel and the security of personnel, as well as aspects of the SETA program mentioned earlier.
Project Management
Discussion Topics
What is the defining difference between computer security and information security?
Why can we argue that information security is really an application of social science?
ANSWER: It relies on altering human behavior and making members of the organization aware of the new expected behaviors.
Key Terms
Authentication
Availability
Confidentiality
Control
Decisional role
File hashing
Goal
Hash value
Identification
Informational role
Integrity
Interpersonal role
Leadership
Management
Manager
Objective
Organization
Planning
Policy
MODULE 2
Security Planning
“Appear weak when you are strong, and strong when you are weak.”
– Sun Tzu
Planning for Security
Chapter Overview
Chapter Objectives
Random Widget Works will be the preferred manufacturer of choice for every business’s widget equipment needs, with an RWW widget in every machine they use.
Components of Organizational Planning
Values
Mission
Vision
Strategy
Planning Levels
Planning and the CISO
The first priority of the CISO and information security manager should be the structure of a strategic plan.
While each organization may have its own format for the design and distribution of a strategic plan, the fundamental elements of planning are the same.
Executive Summary
Deploy a draft high level plan early, and ask for input from stakeholders in the organization.
Be persistent.
Make the process continuous.
Provide meaning.
Be yourself.
Lighten up and have some fun.
Planning for Information Security Implementation
Such an initiative must have a champion—ideally, an executive with sufficient influence to move the project forward, ensure that it is properly managed, and push for acceptance throughout the organization.
Involvement and support of the end users are also critical to the success of this type of effort.
Introduction to the Systems Development Life Cycle
The general systems development life cycle (SDLC) is a methodology for the design and implementation of an information system in an organization, widely used in IT organizations.
It identifies the problem that the system being developed is to solve.
Beginning with an examination of the event or plan that initiates the process, the objectives, constraints, and scope of the project are specified.
A preliminary cost/benefit analysis is developed to evaluate the perceived benefits and the appropriate costs for those benefits.
Physical Design
Implementation
Maintenance
This phase consists of the tasks necessary to support and modify the system for the remainder of its useful life cycle.
Frequently, this phase begins with the affirmation or creation of security policies on which the security program of the organization is or will be founded.
This phase also includes an analysis of relevant legal issues that could affect the design of the security solution.
The risk management task also begins in this stage.
Risk Management
Risk management is the process of identifying, assessing, and evaluating the levels of risk facing the organization, specifically the threats to the organization’s security and to the information stored and processed by the organization.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
To better understand the analysis phase of the SecSDLC, you should know something about the kinds of threats facing organizations in the modern, connected world of information technology (or IT).
It is accomplished by a threat agent that damages or steals an organization’s information or physical asset.
An exploit is a technique or mechanism used to compromise a system.
A vulnerability is an identified weakness of a controlled system in which necessary controls are not present or are no longer effective.
An attack is the use of an exploit to achieve the compromise of a controlled system.
Common attacks include:
Malicious code.
Hoaxes.
Back doors.
Password crack.
Spoofing.
Man-in-the-middle.
Spam.
Mail bombing.
Sniffer.
Social engineering.
Buffer overflow.
The last step in knowing the enemy is to find some method of prioritizing the risk posed by each category of threat and its related methods of attack.
This can be done by adopting threat levels from an existing study of threats, or by creating your own categorization of threats for your environment based on scenario analyses.
To manage risk, you must identify and assess the value of your information assets.
This iterative process must include a classification and categorization of all of the elements of an organization’s systems: people, procedures, data and information, software, hardware and networking elements.
The next challenge in the analysis phase is to review each information asset for each threat it faces and create a list of the vulnerabilities.
Design in the SecSDLC
The design phase actually consists of two distinct phases, the logical design and the physical design.
In the logical design phase, team members create and develop the blueprint for security, and examine and implement key policies that influence later decisions.
In the physical design phase, team members evaluate the technology needed to support the security blueprint, generate alternative solutions, and agree upon a final design.
Between the logical and physical design phases, a security manager may seek to use established security models to guide the design process.
Security models provide frameworks for ensuring that all areas of security are addressed; organizations can adapt or adopt a framework to meet their own information security needs.
One of the design elements of the information security program is the information security policy of the organization.
Management must define three types of security policy:
…developing skills and knowledge so computer users can perform their jobs more securely and building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems.”
As the design phase continues, attention turns to the design of the controls and safeguards used to protect information from attacks by threats.
There are three categories of controls:
Managerial controls address the design and implementation of the security planning process and security program management. Management controls also address risk management and security controls reviews.
Operational Controls cover management functions and lower level planning, such as disaster recovery and incident response planning. Operational controls also address personnel security, physical security and the protection of production inputs and outputs.
Technical Controls address those tactical and technical issues related to designing and implementing security in the organization. Here the technologies necessary to protect information are examined and selected.
Another element of the design phase is the creation of essential preparedness documents.
Contingency planning (CP) is the entire planning conducted by the organization to prepare for, react to and recover from events that threaten the security of information and information assets in the organization, and the subsequent restoration to normal business operations.
Incident response planning (IRP) is the planning process associated with the identification, classification, response, and recovery from an incident.
Disaster recovery planning (DRP) is the planning process associated with the preparation for and recovery from a disaster, whether natural or man-made.
Business continuity planning (BCP) is the planning process associated with ensuring that critical business functions continue if a catastrophic incident or disaster occurs.
As the design phase progresses, attention now focuses on physical security, which addresses the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization.
Physical resources include people, hardware, and the supporting system elements and resources associated with the management of information in all its states, transmission, storage, and processing.
Implementation in the SecSDLC
The security solutions are acquired, tested, implemented, and tested again.
Personnel issues are evaluated and specific training and education programs conducted.
Perhaps the most important element of the implementation phase is the management of the project plan.
The major steps in executing the project plan are
planning the project,
supervising the tasks and action steps within the project plan, and
wrapping up the project plan.
Information security is a field with a vast array of technical and non-technical requirements.
The project team should consist of a number of individuals who are experienced in one or multiple requirements of both the technical and non-technical areas.
The champion
The team leader
Security policy developers
Risk assessment specialists
Security professionals
Systems administrators
End users.
Just as each potential employee and potential employer looks for the best fit, each organization should examine the options possible for staffing of the information security function.
First, the entire organization must decide how to position and name the security function within the organization.
Many organizations seek professional certification so that they can more easily identify the proficiency of job applicants:
CISSP
GIAC
SCP
ICSA
Security+
One of the maintenance issues that must be planned in the SecSDLC is the systems management model that will be used. The ISO management model is a five-area approach that provides structure to the administration and management of networks and systems. These five areas are:
Configuration and name management
Accounting management
Performance management
Security management
…used but difficult to determine who is using them, at which point, accounting management begins to overlap with performance management, which is addressed in the next section. With accounting management you begin to determine optimal points of systems use as indicators for upgrade and improvement. Auditing is the process of reviewing the use of a system, not to determine its performance, but to determine if misuse or malfeasance has occurred.
Comparing the SDLC and the SecSDLC
Table 2-2:
Key Terms
Analysis phase
Attack
Bottom-up approach
Business continuity planning (BCP)
Champion
Chief Information Officer (CIO)
Contingency planning (CP)
Control
Data custodians
Data owners
Data users
Disaster recovery planning (DRP)
Ethical hackers
Exploit
Implementation phase
Incident response planning (IRP)
Information security policy
Joint Application Development (JAD)
Maintenance phase
Managerial controls
Methodology
Mission statement
Operational controls
Penetration testing
Physical security
Plan-driven
Red teams
Risk analysis
Risk assessment
Risk management
Safeguard
Security Managers
Security technicians
Strategy
Structured review
Technical controls
Threat
Threat agent
Tiger teams
Top-down approach
Values statement
Vision statement
Vulnerability
White-hat hackers
MODULE 3
Contingency Planning
“Supreme excellence consists of breaking the enemy's resistance without fighting.”
– Sun Tzu
Planning for Contingencies
Chapter Objectives
When you complete this chapter, you will be able to:
Introduction
This chapter focuses on planning for the unexpected event, when the use of technology is disrupted and business operations come close to a standstill.
“Procedures are required that will permit the organization to continue essential functions if information technology support is interrupted.”
On average, over 40% of businesses that don't have a disaster plan go out of business after a major loss.
What Is Contingency Planning?
CP Components
Incident response plan (IRP) focuses on immediate response to an incident.
Identify the mission- or business-critical functions.
Identify the resources that support the critical functions.
Anticipate potential contingencies or disasters.
Select contingency planning strategies.
Implement selected strategy.
Test and revise contingency plans.
…ganization—with little or no disruption to business operations.
The CP team
It is directed against information assets
Planning for an incident and the responses to it requires a detailed understanding of the information systems and the threats they face.
The IR planning team seeks to develop a series of pre-defined responses which will guide the team and information security staff through the steps needed for responding to an incident.
Pre-defining incident responses enables the organization to react quickly and effectively to the detected incident without confusion or wasted time and effort.
The IR team consists of professionals capable of handling the information systems and functional areas affected by an incident.
Each member of the IR team must know his or her specific role, work in concert with each other, and execute the objectives of the IRP.
Incident Detection
The challenge for every IR team is determining whether an event is the product of routine systems use or an actual incident.
Incident classification is the process of examining a possible incident, or incident candidate, and determining whether or not it constitutes an actual incident.
Initial reports from end users, intrusion detection systems, host- and network-based virus detection software, and systems administrators are all ways to track and detect incident candidates.
Possible indicators:
Unusual system crashes.
Probable indicators:
Activities at unexpected times.
Presence of new accounts.
Reported attacks.
Notification from IDS.
Definite indicators:
Use of dormant accounts.
Changes to logs.
Presence of hacker tools.
Notifications by partner or peer.
Notification by hacker.
Occurrences of Actual Incidents:
Loss of availability.
Loss of integrity.
Loss of confidentiality.
Violation of policy.
Violation of law.
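As an added example (not from the chapter), the following Python code applies the indicator classes above to a few constructed log lines: pattern rules map log events to the chapter's possible, probable and definite indicators, and the classification step treats any definite indicator or confirmed occurrence as an actual incident. The working hours, the dormant-account list and the log formats are assumptions.

```python
import re
from datetime import datetime, time
from typing import Iterable, List, Tuple

# Indicator classes exactly as the chapter lists them (only those on this page).
POSSIBLE = {"unusual system crash"}
PROBABLE = {"activity at unexpected time", "new account", "reported attack",
            "IDS notification"}
DEFINITE = {"dormant account use", "log change", "hacker tools",
            "partner notification", "hacker notification"}
# Occurrences of actual incidents: loss of C/I/A, violation of policy or law.
ACTUAL = {"loss of availability", "loss of integrity", "loss of confidentiality",
          "policy violation", "law violation"}

# Assumptions, not from the chapter: normal working hours, and accounts that
# have not been used for a long time (the "dormant accounts" of the text).
BUSINESS_HOURS = (time(8, 0), time(18, 0))
DORMANT_ACCOUNTS = {"jsmith"}

# Constructed log patterns mapped to the chapter's indicator names.
RULES = [
    (re.compile(r"Kernel panic"), "unusual system crash"),
    (re.compile(r"useradd\S*: new user"), "new account"),
    (re.compile(r"helpdesk\S*: user reports"), "reported attack"),
    (re.compile(r"snort\S*: \[\d+:\d+:\d+\]"), "IDS notification"),
    (re.compile(r"audit\.log truncated"), "log change"),
]
LOGIN_RE = re.compile(r"sshd\S*: Accepted \w+ for (\w+) from")

# Constructed sample log (ISO timestamp, host, daemon: message); not real data.
SAMPLE_LOG = [
    "2024-05-03T03:12:41 host1 sshd[1234]: Accepted password for jsmith from 10.0.0.5",
    "2024-05-03T03:13:02 host1 useradd[2210]: new user: name=svc_backup2, UID=1007",
    "2024-05-03T09:40:10 host1 kernel: Kernel panic - not syncing: Fatal exception",
    "2024-05-03T10:05:00 ids1 snort[900]: [1:2003:1] ET SCAN Suspicious inbound",
    "2024-05-03T10:06:30 host1 auditd[411]: audit log /var/log/audit/audit.log truncated",
    "2024-05-03T11:20:00 svc helpdesk[7]: user reports email asking for her password",
]


def extract_indicators(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (indicator name, offending line) pairs found in the log."""
    found = []
    for line in log_lines:
        ts_str, _, rest = line.partition(" ")
        ts = datetime.fromisoformat(ts_str)
        for rx, name in RULES:
            if rx.search(rest):
                found.append((name, line))
        m = LOGIN_RE.search(rest)
        if m:
            # A login outside working hours is "activity at an unexpected time".
            if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
                found.append(("activity at unexpected time", line))
            # A login by an account nobody should be using is a definite indicator.
            if m.group(1) in DORMANT_ACCOUNTS:
                found.append(("dormant account use", line))
    return found


def classify(indicators: Iterable[Tuple[str, str]],
             confirmed_occurrences: Iterable[str] = ()) -> str:
    """Incident classification: is the candidate an actual incident?
    A definite indicator or a confirmed occurrence means an incident is under
    way; otherwise the strongest indicator class present sets the verdict."""
    names = {n for n, _ in indicators} | set(confirmed_occurrences)
    if names & (DEFINITE | ACTUAL):
        return "actual incident"
    if names & PROBABLE:
        return "probable incident"
    if names & POSSIBLE:
        return "possible incident"
    return "routine use"


def triage(log_lines: Iterable[str],
           confirmed_occurrences: Iterable[str] = ()) -> Tuple[str, List[str]]:
    """Classify a batch of log lines and list the indicators that drove it."""
    inds = extract_indicators(log_lines)
    return classify(inds, confirmed_occurrences), sorted({n for n, _ in inds})


if __name__ == "__main__":
    verdict, names = triage(SAMPLE_LOG)
    print(verdict, names)
```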
Once an actual incident has been confirmed and properly classified, the IR team moves from the detection phase to the reaction phase.
In the incident response phase, a number of action steps taken by the IR team and others must occur quickly and may occur concurrently.
These steps include notification of key personnel, the assignment of tasks, and documentation of the incident.
Notification of Key Personnel
As soon as the IR team determines that an incident is in progress, the right people must be immediately notified in the right order.
During this phase, other key personnel not on the alert roster, such as general management, must be notified of the incident.
This notification should occur only after the incident has been confirmed, but before media or other external sources learn of it.
It is up to the IR planners to determine in advance whom to notify and when, and to offer guidance about additional notification steps to take.
Documenting an Incident
As soon as an incident has been confirmed and the notification process is underway, the team should begin to document it.
The documentation should record the who, what, when, where, why and how of each action taken while the incident is occurring.
This documentation serves as a case study after the fact to determine if the right actions were taken, and if they were effective.
It can also prove the organization did everything possible to deter the spread of the incident.
Dynamically apply filtering rules to limit certain types of network access.
Disabling compromised user accounts
Reconfiguring firewalls to block the problem traffic
Temporarily disabling the compromised process or service
Taking down the conduit application or server
Stopping all computers and network devices
Incident Escalation
At some point in time the incident may increase in scope or severity to the point that the IRP cannot adequately handle the event.
Each organization will have to determine, during the business impact analysis, the point at which the incident becomes a disaster.
The organization must also document when to involve outside response, as discussed in other sections.
Incident Recovery
Once the incident has been contained, and system control regained, incident recovery can begin.
The IR team must assess the full extent of the damage in order to determine what must be done to restore the systems.
The immediate determination of the scope of the breach of confidentiality, integrity, and availability of information and information assets is called incident damage assessment.
Those who document the damage must be trained to collect and preserve evidence, in case the incident is part of a crime or results in a civil action.
Once the extent of the damage has been determined, the recovery process begins:
Identify the vulnerabilities that allowed the incident to occur and spread. Resolve them.
Address the safeguards that failed to stop or limit the incident, or were missing from the system in the first place. Install, replace or upgrade them.
Evaluate monitoring capabilities (if present). Improve detection and reporting methods, or install new monitoring capabilities.
Restore the data from backups.
Restore the services and processes in use. Compromised (and interrupted) services and processes must be examined, cleaned, and then restored.
Continuously monitor the system.
Restore the confidence of the members of the organization’s communities of interest.
After Action Review
Before returning to routine duties, the IR team must conduct an after-action review, or AAR.
The after-action review is a detailed examination of the events that occurred from first detection to final recovery.
All team members review their actions during the incident and identify areas where the IR plan worked, didn’t work, or should improve.
Law Enforcement Involvement
When an incident violates civil or criminal law, it is the organization’s responsibility to notify the proper authorities.
Selecting the appropriate law enforcement agency depends on the type of crime committed.
Federal
State
Local
Involving law enforcement agencies has both advantages and disadvantages.
Law enforcement agencies are usually much better equipped at processing evidence, obtaining statements from witnesses, and building legal cases.
However, involving law enforcement can result in loss of control of the chain of events following an incident, including the collection of information and evidence, and the prosecution of suspects.
Disaster Recovery
Disaster recovery planning (DRP) is the preparation for and recovery from a disaster, whether natural or man made.
the organization is unable to contain or control the impact of an incident, or
the level of damage or destruction from an incident is so severe the organization is unable to quickly recover.
The key role of a DRP is defining how to reestablish operations at the location where the organization is usually located.
Disaster Classifications
A DRP can classify disasters in a number of ways.
The most common method is to separate natural disasters from man-made disasters.
Another way of classifying disasters is by speed of development.
Rapid onset disasters
Slow onset disasters
Planning for Disaster
To plan for disaster, the CP team engages in scenario development and impact analysis, and thus categorizes the level of threat each potential disaster poses.
When generating a disaster recovery scenario, start first with the most important asset – people.
Do you have the human resources with the appropriate organizational knowledge to restore business operations?
The DRP must be tested regularly so that the DR team can lead the recovery effort efficiently.
The key points the CP team must build into the DRP include:
Clear delegation of roles and responsibilities.
Execution of the alert roster and notification of key personnel.
Documentation of the disaster.
Inclusion of action steps to mitigate the impact of the disaster on the operations of the organization.
Inclusion of alternative implementations for the various systems components, should primary versions be unavailable.
Crisis Management
Crisis management is a set of focused steps that deal primarily with the people involved, taken during and after a disaster.
The DR team works closely with the crisis management team to assure complete and timely communication during a disaster.
The crisis management team “is responsible for managing the event from an enterprise perspective and covers the following major activities:
Supporting personnel and their loved ones during the crisis
Determining the event's impact on normal business operations and, if necessary, making a disaster declaration
Keeping the public informed about the event and the actions being taken to ensure the recovery of personnel and the enterprise
Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties.”
Two key tasks of the crisis management team are:
Verifying personnel status.
Activating the alert roster.
Responding to the Disaster
When a disaster strikes and the DRP is activated, actual events can at times outstrip even the best of plans.
To be prepared, the CP team should incorporate a degree of flexibility into the DRP.
If the physical facilities are intact, the DR team should begin the restoration of systems and data to work toward full operational capability.
Continuity Strategies
The determining factor is usually cost.
In general there are three exclusive-use options:
hot sites,
warm sites, and
cold sites,
and three shared-use options:
Shared Use Options
Timeshares: Operates like an exclusive use site, but is leased with a business partner or other organization.
Service Bureaus: A service agency that, for a fee, provides physical facilities during a disaster.
Off-Site Disaster Data Storage
To get any of these sites up and running quickly, the organization must be able to move data into the new site’s systems.
Options include:
Electronic vaulting - The bulk batch-transfer of data to an off-site facility.
Remote Journaling - The transfer of live transactions to an off-site facility.
Database shadowing - The storage of duplicate online transaction data, along with the duplication of the databases at the remote site to a redundant server.
Putting a Contingency Plan Together
The CP team should include:
Champion.
Project manager.
The Business impact analysis (BIA) provides the CP team with information about systems and the threats they face, and is the first phase in the CP process.
The BIA is a crucial component of the initial planning stages, as it provides detailed scenarios of the impact each potential attack can have on the organization.
One of the fundamental differences between a BIA and the risk management process is that risk management focuses on identifying the threats, vulnerabilities, and attacks to determine what controls can protect the information.
The BIA assumes that these controls have been bypassed, have failed, or are otherwise ineffective, and that the attack was successful.
Threat Attack Identification and Prioritization
An organization that has followed the risk management process will have already identified and prioritized threats facing it.
For the BIA, these organizations need only update the threat list and add one additional piece of information, the attack profile.
An attack profile is a detailed description of the activities that occur during an attack.
Business Unit Analysis
The second major BIA task is the analysis and prioritization of business functions within the organization.
Attack Success Scenario Development
Next the BIA team must create a series of scenarios depicting the impact of an occurrence of each threat on each functional area.
Attack profiles should include scenarios depicting a typical attack, including its methodology, the indicators of attack, and the broad consequences.
Then attack success scenarios with more detail are added to the attack profile, including alternate outcomes—best, worst, and most likely.
Potential Damage Assessment
From these detailed scenarios, the BIA planning team must estimate the cost of the best, worst, and most likely outcomes by preparing an attack scenario end case.
This will allow you to identify what must be done to recover from each possible case.
Once the potential damage has been assessed, and each scenario and attack scenario end case has been evaluated, a related plan must be developed or identified from among existing plans already in place.
Each attack scenario end case is categorized as disastrous or not.
Attack end cases that are disastrous find members of the organization waiting out the attack, and planning to recover after it is over.
Combining the DRP and the BCP
Because the DRP and BCP are closely related, most organizations prepare them concurrently, and may combine them into a single document.
Such a comprehensive plan must be able to support the reestablishment of operations at two different locations; one immediately at an alternate site, and one eventually back at the primary site.
Therefore, although a single planning team can develop the combined DRP/BCP, execution requires separate teams.
A Sample Disaster Recovery Plan
Name of agency.
Date of completion or update of the plan and test date.
Agency staff to be called in the event of a disaster:
Emergency services to be called (if needed) in event of a disaster
Locations of in-house emergency equipment and supplies.
Sources of off-site equipment and supplies.
Salvage Priority List.
Follow-up Assessment
Testing Contingency Plans
There are five testing strategies that can be used to test con-
tingency plans:
Desk Check
Structured walkthrough
Simulation
Parallel testing
Full interruption
Continuous Improvement
Key Terms
After-action review
Alert message
Alert roster
Attack profile
Attack scenario end case
Business continuity planning (BCP)
Business Impact Analysis (BIA)
Champion
Cold site
Contingency planning (CP)
Crisis management
Database shadowing
Desk check
Electronic vaulting
Full-interruption
Hierarchical roster
Hot site
Incident candidate
Incident classification
Mutual agreement
Parallel testing
Project manager
Rapid-onset disasters
Remote journaling
Scenarios
Sequential roster
Service bureau
Simulation
Slow-onset disaster
Structured walk-through
Team members
Timeshare
Warm site
MODULE 4
Security Policy
“Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win”
– Tsun Zu
Chapter Overview
In this chapter, readers will learn to define information security policy and understand its central role in a successful information security program. Research has shown that there are three major types of information security policy and the chapter will explain what goes into each type as the reader learns how to develop, implement, and maintain various types of information security policies.
Chapter Objectives
When you complete this chapter, you will be able to:
how to write it,
how to implement it, and
how to maintain it.
Your primary responsibility is to set the information resource security policy for the organization with the objectives of reduced risk, compliance with laws and regulations and assurance of operational continuity, information integrity, and confidentiality.”
Why Policy?
A quality information security program begins and ends with policy.
Properly developed and implemented policies enable the information security program to function almost seamlessly within the workplace.
Management must ensure the adequate sharing of responsibility for proper use of information systems.
End users of information systems should be involved in the steps of policy formulation.”
Systems—includes computers used as servers, desktop
computers, and systems used for process control and manu-
facturing systems
Enterprise Information Security Policy
…sets the strategic direction, scope, and tone for all of an organization’s security efforts.
… assigns responsibilities for the various areas of information security.
… guides the development, implementation, and management requirements of the information security program.
EISP Elements
Most EISP documents should provide:
An overview of the corporate philosophy on security
Information on the structure of the information security organization and individuals that fulfill the information security role
Fully articulated responsibilities for security that are shared by all members of the organization
Fully articulated responsibilities for security that are unique to each role within the organization
Components of the EISP
Statement of Purpose - Answers the question “What is this policy for?” Provides a framework that helps the reader to understand the intent of the document.
Information Technology Security Elements - Defines information security.
Need for Information Technology Security - Provides information on the importance of information security in the organization and the obligation (legal and ethical) to protect critical information whether regarding customers, employees, or markets.
Information Technology Security Responsibilities and Roles - Defines the organizational structure designed to support information security within the organization.
Reference to Other Information Technology Standards and Guidelines - Outlines lists of other standards that influence and are influenced by this policy document.
Example EISP - CCW
Protection of Information: Information must be protected in a manner commensurate with its sensitivity, value, and criticality.
Use of Information: Company X information must be used only for the business purposes expressly authorized by management.
Information Handling, Access, and Usage: Information is a vital asset and all accesses to, uses of, and processing of, Company X information must be consistent with policies and standards.
Data and Program Damage Disclaimers: Company X disclaims any responsibility for loss or damage to data or software that results from its efforts to protect the confidentiality, integrity, and availability of the information handled by computers and communications systems.
Legal Conflicts: Company X information security policies were drafted to meet or exceed the protections found in existing laws and regulations, and any Company X information security policy believed to be in conflict with existing laws or regulations must be promptly reported to Information Security management.
Exceptions to Policies: Exceptions to information security policies exist in rare instances where a risk assessment examining the implications of being out of compliance has been performed, where a standard risk acceptance form has been prepared by the data Owner or management, and where this form has been approved by both Information Security management and Internal Audit management.
Policy Non-Enforcement: Management's non-enforcement of any policy requirement does not constitute its consent.
Violation of Law: Company X management must seriously consider prosecution for all known violations of the law.
Revocation of Access Privileges: Company X reserves the right to revoke a user's information technology privileges at any time.
Industry-Specific Information Security Standards: Company X information systems must employ industry-specific information security standards.
Use of Information Security Policies and Procedures: All Company X information security documentation including, but not limited to, policies, standards, and procedures, must be classified as “Internal Use Only,” unless expressly created for external business processes or partners.
Security Controls Enforceability: All information systems security controls must be enforceable prior to being adopted as a part of standard operating procedure.
A sound issue-specific security policy provides detailed, targeted guidance to instruct all members of the organization in the use of technology based systems.
The ISSP should begin with an introduction of the fundamental technological philosophy of the organization.
This serves to protect both the employee and the organization from inefficiency and ambiguity.
Address specific technology-based systems
Require frequent updates
Contain an issue statement on the organization’s position on an issue.
ISSP topics could include:
Electronic mail
Use of the Internet and the World Wide Web
Specific minimum configurations of computers to defend against worms and viruses
Prohibitions against hacking or testing organization security controls
Use of telecommunications technologies
Use of photocopy equipment
Components of the ISSP
Statement of Purpose
Scope and Applicability
Prohibited Usage of Equipment
Criminal Use
Other Restrictions
Systems Management
Employer Monitoring
Virus Protection
Physical Security
Encryption
Policy Review and Modification
Scheduled Review of Policy
Limitations of Liability
Statements of Liability
Other Disclaimers
Implementing ISSP
Common approaches for creating and managing ISSPs include:
Create a modular ISSP document that unifies policy creation and administration, while maintaining each specific issue’s requirements.
of people in the organization in ways that support the security of information.
Access control lists (ACLs) include the user access lists, matrices, and capability tables that govern the rights and privileges of users.
The level of detail and specificity (often called granularity) may vary from system to system, but in general ACLs enable administrators to restrict access according to user, computer, time, duration, or even a particular file.
Restricting what users can access, e.g. printers, files, communications, and applications.
In some systems, capability tables are called user profiles or user policies.
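The access lists, matrices and capability tables described above, as an added example that is not part of the original text: one access matrix is rendered both as a per-object ACL and as a per-subject capability table (user profile), and a deny-by-default check applies the user, computer, time-of-day and per-file granularity the text mentions. All users, host names and file names are constructed for the example.

```python
"""Access matrix with ACL and capability-table views plus host/time limits.

Added example (not from the text). Users, hosts and files are constructed.
"""
from dataclasses import dataclass
from datetime import time
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Entry:
    """One cell of the access matrix: subject holds `rights` on `obj`,
    optionally only from certain computers and only inside a time window."""
    subject: str
    obj: str
    rights: FrozenSet[str]
    hosts: Optional[FrozenSet[str]] = None       # None = any computer
    window: Optional[Tuple[time, time]] = None   # None = any time of day


# Constructed sample matrix (hypothetical users, hosts and files).
MATRIX: List[Entry] = [
    Entry("alice", "/payroll/q3.xlsx", frozenset({"read", "write"}),
          hosts=frozenset({"hr-ws01"}), window=(time(8, 0), time(18, 0))),
    Entry("alice", "printer:hr", frozenset({"print"})),
    Entry("bob", "/payroll/q3.xlsx", frozenset({"read"})),
    Entry("bob", "printer:hr", frozenset({"print"}),
          window=(time(9, 0), time(17, 0))),
]


def acl_for(obj: str, matrix: List[Entry] = MATRIX) -> Dict[str, Set[str]]:
    """ACL view: for one object, which subjects hold which rights."""
    acl: Dict[str, Set[str]] = {}
    for e in matrix:
        if e.obj == obj:
            acl.setdefault(e.subject, set()).update(e.rights)
    return acl


def capabilities_for(subject: str,
                     matrix: List[Entry] = MATRIX) -> Dict[str, Set[str]]:
    """Capability-table (user profile) view: for one subject, which objects
    it may touch and with which rights."""
    caps: Dict[str, Set[str]] = {}
    for e in matrix:
        if e.subject == subject:
            caps.setdefault(e.obj, set()).update(e.rights)
    return caps


def in_window(now: time, window: Tuple[time, time]) -> bool:
    """True if `now` falls inside the window; handles windows that cross
    midnight (e.g. 22:00 to 06:00)."""
    start, end = window
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end


def is_allowed(subject: str, obj: str, right: str, host: str, now: time,
               matrix: List[Entry] = MATRIX) -> bool:
    """Deny by default: allow only if some entry grants `right` on `obj` to
    `subject` and any host and time constraints on that entry are met."""
    for e in matrix:
        if e.subject != subject or e.obj != obj or right not in e.rights:
            continue
        if e.hosts is not None and host not in e.hosts:
            continue
        if e.window is not None and not in_window(now, e.window):
            continue
        return True
    return False


if __name__ == "__main__":
    print("ACL for /payroll/q3.xlsx:", acl_for("/payroll/q3.xlsx"))
    print("Capabilities of alice:", capabilities_for("alice"))
    # Same user, same file, same right: allowed from the HR workstation in
    # office hours, denied from another computer or after hours.
    print(is_allowed("alice", "/payroll/q3.xlsx", "write", "hr-ws01", time(10, 0)))
    print(is_allowed("alice", "/payroll/q3.xlsx", "write", "laptop-7", time(10, 0)))
    print(is_allowed("alice", "/payroll/q3.xlsx", "write", "hr-ws01", time(20, 0)))
```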
Guidelines for Policy Development
The first project designs and develops the policy (or redesigns and rewrites an outdated policy), and the second establishes management processes to perpetuate the policy within the organization.
It is not uncommon for an organization to create a single document that combines elements of both the Management Guidance and the Technical Specifications SysSPs.
While this can be somewhat confusing to those who will use the policies, it is very practical to have the guidance from both perspectives in a single place.
Care should be taken to articulate the required actions carefully as the procedures are presented.
Investigation Phase
Support and active involvement of IT management, specifically the CIO.
The clear articulation of goals
The participation of the correct individuals from the communities of interest affected by the recommended policies.
The team must include representatives from Legal, Human Resources and end-users of the various IT systems covered by the policies.
The team will also need a capable project manager to see the project through to completion.
A detailed outline of the scope of the policy development project, and sound estimates for the cost and scheduling of the project.
Design Phase
A design and plan for how the policies will be distributed and how verification of the distribution to members of the organization will be accomplished.
The Web
Government sites
Professional literature.
Peer networks.
Professional consultants.
Implementation Phase
Make certain the policies are enforceable.
Policy distribution is not always as straightforward as you might think.
Maintenance Phase
ensure that it remains effective as a tool to meet changing threats.
The policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously.
The Information Security Policy Made Easy Approach (ISPME)
Gathering Key Reference Materials
Defining A Framework For Policies
Preparing A Coverage Matrix
Making Critical Systems Design Decisions
Structuring Review, Approval, And Enforcement Processes
ISPME Checklist
Perform a risk assessment or information technology audit to determine your organization's unique information security needs.
Clarify what the word “policy” means within your organization so that you are not preparing a “standard,” “procedure,” or some other related material.
Ensure that roles and responsibilities related to information security are clarified, including responsibility for issuing and maintaining policies.
Convince management that it is advisable to have documented information security policies.
Identify the top management staff who will be approving the final information security document and all influential reviewers.
Collect and read all existing internal information security awareness material and make a list of the included bottom-line messages.
Conduct a brief internal survey to gather ideas that stakeholders believe should be included in a new or updated information security policy.
Using ideas from the risk assessment, prepare a list of absolutely essential policy messages that must be communicated.
If there is more than one audience, match the audiences with the bottom-line messages to be communicated through a coverage matrix. […]
Determine how the policy material will be disseminated, noting the constraints and implications of each medium of communication.
Review the compliance checking process, disciplinary process, and enforcement process to ensure that they all can work smoothly with the new policy document.
Determine whether the number of messages is too large to be handled all at one time, and if so, identify different categories of material that will be issued at different times.
Have an outline of topics to be included in the first document reviewed by several stakeholders.
Based on comments from the stakeholders, revise the initial outline and prepare a first draft […]
Have the first draft document reviewed by the stakeholders for initial reactions, presentation suggestions, and implementation ideas.
Revise the draft in response to comments from stakeholders.
Request top management approval on the policy.
Prepare extracts of the policy document for selected purposes.
Develop an awareness plan that uses the policy document as a source of ideas and requirements.
Create a working papers memo indicating the disposition of all comments received from reviewers, even if no changes were made.
Write a memo about the project, what you learned, and what needs to be fixed so that the next version of the policy document can be prepared more efficiently, better received by the readers, and more responsive to the unique circumstances facing your organization.
Prepare a list of next steps that will be required to implement the requirements specified in the policy document.
ISPME Next Steps
Post Policies To Intranet Or Equivalent
Develop A Self-Assessment Questionnaire
Develop Revised User ID Issuance Form
Develop Agreement To Comply With Information Security Policies Form
Develop Tests To Determine If Workers Understand Policies
Assign Information Security Coordinators
Train Information Security Coordinators
Prepare And Deliver A Basic Information Security Training Course
Develop Application Specific Information Security Policies
Develop A Conceptual Hierarchy Of Information Security Requirements
Assign Information Ownership And Custodianship
Establish An Information Security Management Committee
Develop An Information Security Architecture Document
SP 800-18: Guide for Developing Security Plans
The NIST Special Publication 800-18 offers another approach to policy management.
Because policies are living documents that constantly change and grow, they must be properly disseminated (distributed, read, understood and agreed to), and managed.
Good management practices for policy development and maintenance make for a more resilient organization.
In order to remain current and viable, policies must have:
an individual responsible for reviews,
a schedule of reviews,
a method for making recommendations for reviews, and
an indication of policy and revision date.
A Final Note on Policy
Lest you believe that the only reason to have policies is to avoid litigation, it is important to emphasize the preventative nature of policy.
Policies exist first, and foremost, to inform employees of what is and is not acceptable behavior in the organization.
This is an effort to improve employee productivity, and prevent potentially embarrassing situations.
If the organization could not verify that the employee was in fact properly educated on the policy, as described earlier in the chapter, the employee could sue the organization for wrongful termination.
Discussion Topics
Have students perform research on the Internet about Charles Cresson Wood. How many books are available from him and what are their titles? Are they current (when were they published) and do other experts agree that he is an authority on information security policy?
Find the EISP for the state government in which you reside. How is it the same or different from the EISP recommended by this textbook?
Key Terms
Practice
Procedure
Guideline
Standard
Policy
Due diligence
MODULE 5
Developing Security Programs
“All warfare is based on deception”
– Tsun Zu
Chapter Overview
Chapter 5 will explore the various organizational approaches to information security and provide an explanation of the functional components of the information security program. Readers will learn how to plan and staff an organization’s information security program based on its size and other factors as well as how to evaluate the internal and external factors that influence the activities and organization of an information security program. As the topic of organizing the information security function is expanded upon, the reader will learn how to identify and describe the typical job titles and functions performed in the information security program. The chapter concludes with an exploration of the components of a security education, training, and awareness program and describes how organizations create and manage these programs.
Chapter Objectives
List and describe the typical job titles and functions performed in the information security program
Set-up Notes
dents have not had the opportunity to read the material in advance (in some settings, the textbooks are not made available until the first class meeting), it may be prudent to have a general discussion of the topic, with detailed lecture to follow at the next class meeting. The subject matter can be covered in 1.25 to 2.5 hours.
Lecture Notes and Teaching Tips with Quick Quizzes
Introduction
Functions performed by IT groups outside of the information security area of management control, such as:
Centralized authentication
Risk assessment
Systems testing
Incident response
Planning
Measurement
Compliance
Risk management
“Where small orgs spend more than $5,000 per user on security, very large organizations spend about 1/18th of that, roughly $300 per user” originating from 6 percent of the total IT budget.
Does a better job in the policy and resource mgmt areas, although “only 1/3 of organizations handled incidents according to an IR plan.”
The medium sized organization - 100-1,000 computers -
Has a smaller budget (about 11% of the IT budget)
Has about the same sized security staff as the small org, but a larger need.
“Considering their size, the number of incidents they recognize is skyrocketing.
“Some 70 percent of them had damages from security breaches, a 48 percent increase over small organizations.”
These organizations may still be large enough to implement the multi-tiered approach to security described previously for large organizations, though perhaps with fewer dedicated groups and more functions assigned to each group.
Medium-sized organizations tend to ignore some security functions—in particular, when the information security department cannot staff a certain function and the IT or other department is not encouraged or required to perform that function in its stead.
Security in Small Organizations
The small organization - 10-100 computers
Has a simple, centralized IT organizational model.
Spends disproportionately more on security, almost 20 percent of the total IT budget.
The typical security staff in this organization is usually only one person.
Such organizations frequently have little in the way of formal policy, planning, or security measures, and they commonly outsource their Web presence or electronic commerce operations.
Because resources in smaller organizations are often limited, the security admin may use freeware or ‘hackerware’ to lower the costs of assessing and implementing security.
Security training and awareness is commonly conducted on a 1-on-1 basis, with the security admin providing advice to users as needed.
Any policies are likely to be issue-specific policies.
Formal planning is usually part of the IT planning conducted by the CIO.
To their advantage, small organizations avoid some threats precisely because of their size.
Threats from insiders are also less likely in an environment where every employee knows every other employee.
Quick Quiz
What are the variables that determine how to structure an information security program? ANSWER: organizational culture, size, security personnel budget, security capital budget.
“The manager’s organizational unit will also need a credible day-to-day relationship with, or a strategic tie-in with, the information security function.”
Because the goals and objectives of the CIO and the CISO may come in conflict, it is not difficult to understand the current movement to separate information security from the IT division.
Wood’s
Other Options:
Quick Quiz
Quick Quiz
What two documents should be used by the CIO and CISO to formulate the mission statement for an InfoSec program? ANSWER: They should use the vision and mission statements of the org’s strategic plans.
Teaching Tip: If you have access to the …Made Easy series of books from Charles Cresson Wood, they make excellent classroom examples both here and in the chapter that follows on policy. If available, bring them to class and hand them around as an example.
Information Security Roles and Titles
“Then you have the builders. They’re the real techies, who create and install security solutions.
“Finally, you have the people who operate and administrate the security tools, the security monitoring function, and the people who continuously improve the processes.”
A typical organization has a number of individuals with information security responsibilities.
While the titles used may be different, most of the job functions fit into one of the following:
Security staffer
An important part of the information security team is the help desk, which enhances the security team’s ability to identify potential problems.
When a user calls the help desk with a complaint about his or her computer, the network, or an Internet connection, the user’s problem may turn out to be related to a bigger problem, such as a hacker, denial-of-service attack, or a virus.
Because help desk technicians perform a specialized role in information security, they have a need for specialized training.
Quick Quiz
Implementing Security Education, Training, and Awareness Programs
Once the InfoSec program’s place in the organization is established, planning for security education, training, and awareness (SETA) programs begins.
found that the majority of those granting degrees (bachelor’s or master’s) were in reality, providing computer science or information systems degrees that included a course or two in information security.
Developing Information Security Curricula
Because many institutions have no frame of reference for which skills and knowledge are required for a particular job area, frequently they refer to the certifications offered in that field.
Once the knowledge areas are identified, common knowledge areas are aggregated into teaching domains, from which individual courses can be created.
Courses should be designed so that the student can obtain the required knowledge and skills upon completion of the program.
The final step is to identify the prerequisite knowledge for each class.
There are two methods for customizing training for users. The first is by functional background:
General user
Managerial user
Technical user who can be further divided by
Job category
Job function
Technology product
The second is by skill level:
Novice
Intermediate
Advanced
Training Techniques
Delivery Methods
Selection of the training delivery method is not always based on the best outcome for the trainee. Often other factors — budget, scheduling, and needs of the organization — come first.
One-on-One
Formal Class
Computer-Based Training (CBT)
Distance Learning/Web Seminars
User Support Group
On-the-Job Training
Self-Study (Noncomputerized)
Selecting the Training Staff
To provide employee training, an organization can use a local training program, a continuing education department, or another external training agency.
Alternatively, it can hire a professional trainer, a consultant, or someone from an accredited institution to conduct on-site training.
It can also organize and conduct training in-house using its own employees.
Implementing Training
While each organization develops its own strategy based on the techniques discussed above, the following seven-step methodology generally applies:
Step 1: Identify program scope, goals, and objectives.
Step 2: Identify training staff.
Step 3: Identify target audiences.
Step 4: Motivate management and employees.
Step 5: Administer the program.
Step 6: Maintain the program.
Step 7: Evaluate the program.
Security Awareness
One of the least frequently implemented, but most effective security methods is the security awareness program.
Security awareness programs: (1) set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure; and (2) remind users of the procedures to be followed.
When developing an awareness program, there are certain important ideas to keep in mind:
Focus on people both as part of the problem and as part of the solution.
Refrain from using technical jargon; speak the language the users understand.
Use every available venue to access all users.
Define at least one key learning objective, state it clearly, and provide sufficient detail and coverage to reinforce the learning of it.
Keep things light; refrain from “preaching” to users.
Don’t overload the users with too much detail or too great a volume of information.
Help users understand their roles in InfoSec and how a breach in security can affect their jobs.
Take advantage of in-house communications media to deliver messages.
Make the awareness program formal; plan and document all actions.
Provide good information early, rather than perfect information late.
The Ten Commandments of InfoSec Awareness Training
Information security is a people, rather than a technical, issue.
If you want them to understand, speak their language.
If they cannot see it, they will not learn it.
Make your point so that you can identify it and so can they.
Never lose your sense of humor.
Make your point, support it, and conclude it.
Always let the recipients know how the behavior that you request will affect them.
Ride the tame horses.
Formalize your training methodology.
Always be timely, even if it means slipping schedules to include urgent information.
Security training and awareness activities can be undermined, however, if management does not set a good example.
Awareness Techniques
Awareness can take on different forms for particular audiences.
A security awareness program can use many methods to deliver its message.
Effective security awareness programs need to be designed with the recognition that people tend to practice a tuning out process (acclimation).
For this reason, awareness techniques should be creative and frequently changed.
Developing Security Awareness Components
Many security awareness components are available at little or no cost. Others can be very expensive if purchased externally.
Security awareness components include the following items:
Videos
Posters and banners
Brochures and flyers
Trinkets (coffee cups, pens, pencils, T-shirts)
The Security Newsletter
A security newsletter is the most cost-effective way to disseminate security information.
Newsletters can be in the form of hard copy, e-mail, or intranet-based.
A security poster series can be a simple and inexpensive way to keep security on people’s minds.
Professional posters can be quite expensive, so in-house development may be the best solution.
How-To’s
Mouse pads
Plastic cups
Spend time promoting your site.
Plan ahead.
Seek feedback.
Quick Quiz
Discussion Topics
Collectively write job descriptions for one or a few of the roles on an information security program for your institution.
Key Terms
Security newsletter
Security poster
Trinket program
MODULE 6
Security Management Models & Practices
“Let your plans be dark and impenetrable as night, and when you move, fall like a thunderbolt”
– Tsun Zu
Chapter Overview
Chapter Objectives
Set-up Notes
Lecture Notes and Teaching Tips with Quick Quizzes
Introduction
To create or maintain a secure environment, one must design a working security plan and then implement a management model to execute and maintain the plan.
It is intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings.”
Volume 2 provides information on how to implement Volume 1 (17799) and how to set up an Information Security Management Structure (ISMS).
Introduction
ISO/IEC 17799 is perceived to have been hurriedly prepared, given the tremendous impact its adoption could have on industry information security controls.
The Ten Sections of ISO/IEC 17799/27001
Organizational Security Policy is needed to provide management direction and support for information security.
Organizational Security Infrastructure objectives include:
Manage information security within the company
Maintain the security of organizational information processing facilities and information assets accessed by third parties
Maintain the security of information when the responsibility for information processing has been outsourced to another organization
Asset Classification and Control is needed to maintain appropriate protection of corporate assets and to ensure that information assets receive an appropriate level of protection.
Personnel Security objectives are:
Reduce risks of human error, theft, fraud or misuse of facilities
Ensure that users are aware of information security threats and concerns, and are equipped to support the corporate security policy in the course of their normal work
Minimize the damage from security incidents and malfunctions and learn from such incidents
Physical and Environmental Security objectives include:
Prevent unauthorized access, damage and interference to business premises and information
Prevent loss, damage or compromise of assets and interruption to business activities
Prevent compromise or theft of information and information processing facilities
Communications and Operations Management objectives are:
Ensure the correct and secure operation of information processing facilities
Minimize the risk of systems failures
Protect the integrity of software and information
Maintain the integrity and availability of information processing and communication
Ensure the safeguarding of information in networks and the protection of the supporting infrastructure
Prevent damage to assets and interruptions to business activities
Prevent loss, modification or misuse of information exchanged between organizations
System Access Control objectives in this area include:
Control access to information
Prevent unauthorized access to information systems
Ensure the protection of networked services
Prevent unauthorized computer access
Detect unauthorized activities
Ensure information security when using mobile computing and telecommunication networks
System Development and Maintenance objectives include:
Ensure security is built into operational systems
Prevent loss, modification or misuse of user data in application systems
Protect the confidentiality, authenticity and integrity of information
Part 2 of BS 7799 provides implementation details using a Plan-Do-Check-Act cycle.
The SMI asks 35 questions over the 10 domains of the ISO standard.
The Human Firewall Council recommends:
Familiarize yourself with the 10 categories of security management.
Benchmark your organization's security management practices by taking the survey.
Evaluate your results in each category to identify strengths and weaknesses.
Examine the suggestions for improvement in each category in this report.
Use your SMI results to gain support for improving security.
SP 800-14, Generally Accepted Security Principles & Practices
SP 800-18, Guide for Developing Security Plans
SP 800-26, Security Self-Assessment Guide for IT Systems
SP 800-30, Risk Management for Information Technology Systems
NIST SP 800-12
SP 800-12 is entitled The Computer Security Handbook, and is an excellent reference and guide for the routine management of information security.
It also describes the philosophical principles that the security team should integrate into the entire information security process, expanding upon the components of SP 800-12.
The more significant points made in NIST SP 800-14 are as follows:
Security Supports the Mission of the Organization.
Security is an Integral Element of Sound Management.
Security Should Be Cost-Effective.
Systems Owners Have Security Responsibilities Outside Their Own Organizations.
Security Responsibilities and Accountability Should Be Made Explicit.
Security Requires a Comprehensive and Integrated Approach.
Security Should Be Periodically Reassessed.
Security is Constrained by Societal Factors.
It enumerates 33 principles for Securing Information Technology Systems:
Principle 1. Establish a sound security policy as the "foundation" for design.
Principle 2. Treat security as an integral part of the overall system design.
Principle 3. Clearly delineate the physical and logical security boundaries governed by associated security policies.
Principle 4. Reduce risk to an acceptable level.
Principle 5. Assume that external systems are insecure.
Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease in other aspects of operational effectiveness.
Principle 7. Implement layered security (ensure no single point of vulnerability).
Principle 8. Implement tailored system security measures to meet organizational security goals.
Principle 9. Strive for simplicity.
Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in response.
Principle 11. Minimize the system elements to be trusted.
Principle 12. Implement security through a combination of measures distributed physically and logically.
Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of expected threats.
Principle 14. Limit or contain vulnerabilities.
Principle 15. Formulate security measures to address multiple overlapping information domains.
Principle 16. Isolate public access systems from mission critical resources.
Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures.
Principle 18. Where possible, base security on open standards for portability and interoperability.
Principle 19. Use common language in developing security requirements.
Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support incident investigations.
Principle 21. Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process.
Principle 22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains.
Principle 23. Use unique identities to ensure accountability.
Principle 27. Strive for operational ease of use.
Principle 28. Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability.
Principle 31. Protect against all likely classes of "attacks."
Principle 32. Identify and prevent common errors and vulnerabilities.
Principle 33. Ensure that developers are trained in how to develop secure software.
NIST SP 800-18, A Guide for Developing Security Plans for Information Technology Systems, provides detailed methods for assessing, designing, and implementing controls and plans for applications of various sizes.
SP 800-18 serves as a guide for the activities described in this chapter, and for the overall information security planning process.
It includes templates for major application security plans.
NIST Special Publication 800-26
4. Authorization of Processing (Certification and Accreditation)
5. System Security Plan
8. Production, Input/Output Controls
9. Contingency Planning
10. Hardware and Systems Software
11. Data Integrity
13. Security Awareness, Training, and Education
14. Incident Response Capability
Technical Controls
15. Identification and Authentication
16. Logical Access Controls
17. Audit Trails
NIST SP 800-26, Security Self-Assessment Guide for Information Technology Systems, describes seventeen areas that span managerial, operational and technical controls.
The 17 areas listed are the core of the NIST security management structure.
Quick Quiz
Security Management Practices
In information security, two categories of benchmarks are used: standards of due care/due diligence, and best practices.
Best practices include a sub-category of practices, called the gold standard, that are generally regarded as "the best of the best."
Standards of Due Care/Due Diligence
When organizations adopt minimum levels of security for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances; this is known as a standard of due care.
Implementing controls at this minimum standard, and maintaining them, demonstrates that an organization has performed due diligence.
Due diligence requires that an organization ensure that the implemented standards continue to provide the required level of protection.
Failure to support a standard of due care or due diligence can expose an organization to legal liability, provided it can be shown that the organization was negligent in its application or lack of application of information protection.
Best Security Practices
Security efforts that seek to provide a superior level of performance in the protection of information are referred to as best business practices or simply best practices.
Some organizations refer to these as recommended practices.
Security efforts that are among the best in the industry are referred to as best security practices.
These practices balance the need for information access with the need for adequate protection. Best practices seek to provide as much security as possible for information and information systems while demonstrating fiscal responsibility and ensuring information access.
Companies with best practices may not be the best in every area; they may only have established an extremely high quality or successful security effort in one area.
VISA International Security Model
Another example of best practices is the VISA International Security Model.
VISA has developed two important documents that improve and regulate its information systems:
The "Security Assessment Process" document contains a series of recommendations for the detailed examination of an organization's systems with the eventual goal of integration into the VISA systems.
The "Agreed Upon Procedures" document outlines the policies and technologies used to safeguard security systems that carry the sensitive cardholder information to and from VISA systems.
The Gold Standard
Best business practices are not sufficient for organizations that prefer to set the standard by implementing the most protective, supportive, and yet fiscally responsible standards they can. They strive toward the gold standard, a model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information.
The implementation of gold standard security requires a great deal of support, both in financial and personnel resources.
Selecting Best Practices
Choosing which recommended practices to implement can pose a challenge for some organizations.
In industries that are regulated by governmental agencies, government guidelines are often requirements.
For other organizations, government guidelines are excellent sources of information about what other organizations are required to do to control information security risks, and can inform their selection of best practices.
Selecting Best Practices
When considering best practices for your organization, consider the following:
Microsoft has published a set of best practices in security at its Web site:
Use strong passwords
Verify your software security settings
Update product security
Back up early and often
Benchmarking and Best Practices Limitations
The biggest problem with benchmarking in information security is that organizations don't talk to each other; a successful attack is viewed as an organizational failure, and is kept secret, insofar as possible.
However, more and more security administrators are joining professional associations and societies like ISSA and sharing their stories and lessons learned.
An alternative to this direct dialogue is the publication of lessons learned.
The Gartner group offers twelve questions as a self-assessment for best security practices.
1) "Do you perform background checks on all employees with access to sensitive data, areas, or access points?
2) "Would the average employee recognize a security issue?
4) "Would they know how to report it to the right people?
5) "Are enterprise security policies updated on at least an annual basis, employees educated on changes, and consistently enforced?
6) "Does your enterprise follow a patch/update management and evaluation process to prioritize and mediate new security vulnerabilities?
7) "Are the user accounts of former employees immediately removed on termination?
Technology:
Quick Quiz
What are the two important documents VISA developed that improve and regulate its information systems? ANSWER: The "Security Assessment Process" and the "Agreed Upon Procedures."
Emerging Trends in Certification and Accreditation
In security management, accreditation is the authorization of an IT system to process, store, or transmit information.
It is issued by a management official and serves as a means of assuring that systems are of adequate quality.
More complete, reliable information for authorizing officials, leading to better understanding of complex IT systems and associated risks and vulnerabilities, and therefore more informed decisions by management officials
Greater availability of competent security evaluation and assessment services
More secure IT systems within the federal government"
800-37 focuses on a three-step security controls selection process:
Step 1: Characterize the System
Step 2: Select the Appropriate Minimum Security Controls for the System
Step 3: Adjust Security Controls Based On System Exposure and Risk Decision
Systems Are Certified To One of Three Levels
"Security Certification Level 1 - The Entry-Level Certification Appropriate For Low Priority (Concern) Systems.
As in earlier NIST documents, especially SP 800-18, security controls are broken into the three familiar general classes of security controls: management, operational, and technical.
New to the certification and accreditation criteria is the concept of critical elements, initially defined in SP 800-26.
Critical elements represent "important security-related focus areas for the system with each critical element addressed by one or more security controls."
As technology evolves so will the set of security controls, requiring additional control mechanisms.
Key Terms
Accreditation
Baseline
Benchmark
Blueprint
Certification
Due diligence
Framework
Gold standard
Management controls
Operational controls
Recommended practice
Security model
Technical controls
MODULE 7
Risk Management
"Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat."
– Sun Tzu
Chapter Overview
Chapter Objectives
Set-up Notes
Lecture Notes and Teaching Tips with Quick Quizzes
Introduction
Information security departments are created primarily to manage IT risk.
Managing risk is one of the key responsibilities of every manager within the organization.
In any well-developed risk management program, two formal processes are at work:
"If you know the enemy and know yourself, you need not fear the result of a hundred battles.
"If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
"If you know neither the enemy nor yourself, you will succumb in every battle."
This means identifying, examining and understanding the information and how it is processed, stored, and transmitted.
Armed with this knowledge, they can then initiate an in-depth risk management program.
Risk management is a process, which means the safeguards and controls that are devised and implemented are not install-and-forget devices.
Knowing the Enemy
This means identifying, examining, and understanding the threats facing the organization's information assets.
Managers must be prepared to fully identify those threats that pose risks to the organization and the security of its information assets.
Risk management is the process of assessing the risks to an organization's information and determining how those risks can be controlled or mitigated.
Accountability for Risk Management
All communities of interest must work together to:
Overseeing processes to ensure that the controls remain effective
Identifying risks, which includes:
Inventory information assets
Classifying/organizing assets
Pinpointing vulnerable assets by tying specific threats to specific assets
Assessing risks, which includes:
Determining likelihood of attacks on vulnerable systems by specific threats
Assessing relative risk facing information assets, so risk management and control activities can prioritize
Calculating the risks to which assets are exposed in their current setting
Reviewing controls for identified vulnerabilities and ways to control the risks that the assets face
Quick Quiz
Risk Identification
Risk identification begins with the process of self-examination.
At this stage, managers identify the organization's information assets, classify them into useful groups, and prioritize them by their overall importance.
Creating an Inventory of Information Assets
The risk identification process begins with the identification of information assets, including people, procedures, data and information, software, hardware, and networking elements.
Identifying Hardware, Software, and Network Assets
Whether automated or manual, the inventory process requires a certain amount of planning.
Most importantly, you must determine which attributes of each of these information assets should be tracked.
That determination will depend on the needs of the organization and its risk management efforts, as well as the preferences and needs of the information security and information technology communities.
When deciding which attributes to track for each information asset, consider the following list of potential attributes:
MAC address
Asset type
Serial number
Manufacturer name
Physical location
Logical location
Controlling entity
As these assets are identified, they should be recorded via a reliable data-handling process like the one used for hardware and software.
People
Position name/number/ID
Supervisor name/number/ID
Security clearance level
Special skills
Procedures
Software/hardware/networking elements to which it is tied
Location where it is stored for reference
Location where it is stored for update purposes
Data
Size of data structure
Data structure used
Online or offline
Location
Backup procedures
Classifying and Categorizing Assets
Once the initial inventory is assembled, you must determine whether its asset categories are meaningful to the organization's risk management program.
The inventory should also reflect the sensitivity and security priority assigned to each information asset.
A classification scheme should be developed that categorizes these information assets based on their sensitivity and security needs, i.e. confidential, internal, and public.
Each of these classification categories designates the level of protection needed for a particular information asset.
Classification categories must be comprehensive and mutually exclusive.
Assessing Values for Information Assets
As each information asset is identified, categorized, and classified, a relative value must also be assigned to it.
Which information asset is the most critical to the success of the organization?
Which information asset generates the most revenue?
Which information asset generates the highest profitability?
Which information asset is the most expensive to replace?
Which information asset is the most expensive to protect?
As you might expect, the U.S. military classification scheme relies on a more complex categorization system than the schemes of most corporations.
Unclassified Data:
Confidential Data:
Secret Data:
For Example:
Public
For official use only
Sensitive
Classified
Security Clearances
The other part of the data classification scheme is the personnel security clearance structure, in which each user of an information asset is assigned an authorization level that indicates the level of information classification he or she can access.
Most organizations have developed a set of roles and corresponding security clearances, so that individuals are assigned authorization levels that correlate with the classifications of information assets.
Beyond a simple reliance on the security clearance of the individual is the need-to-know principle.
Regardless of one's security clearance, an individual is not allowed to view data simply because it falls within that individual's level of clearance.
That is, after an individual is granted a security clearance but before he or she is allowed access to a specific set of data, that person must also meet the need-to-know requirement.
Management of the Classified Information Asset
Military Data Classification Cover Sheets
If you assume that every threat can and will attack every information asset, then the project scope becomes too complex.
To make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated at the end.
Identify and Prioritize Threats and Threat Agents
Each of these threats presents a unique challenge to information security and must be handled with specific controls that directly address the particular threat and the threat agent's attack strategy.
Before threats can be assessed in the risk identification process, however, each threat must be further examined to determine its potential to affect the targeted information asset.
In general, this process is referred to as a threat assessment.
Vulnerability Assessment
This review leads to the creation of a list of vulnerabilities that remain potential risks to the organization.
This list serves as the starting point for the next step in the risk management process: risk assessment.
Quick Quiz
Risk Assessment
Risk is the likelihood of the occurrence of a vulnerability
Multiplied by
The value of the information asset
Minus
The percentage of risk mitigated by current controls
Plus
Uncertainty
Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset, i.e. 1-100, low-med-high, etc.
Assessing Potential Loss
To be effective, the values must be assigned by asking:
Which threats present a danger to this organization's assets in the given environment?
Which threats represent the most danger to the organization's information?
How much would it cost to recover from a successful attack?
Which threats would require the greatest expenditure to prevent?
Which of the aforementioned questions is the most important to the protection of information from threats within this organization?
Percentage of Risk Mitigated by Current Controls
For the purpose of relative risk assessment, risk equals likelihood of vulnerability occurrence times value (or impact) minus percentage risk already controlled plus an element of uncertainty.
Asset A has a value of 50 and has one vulnerability, which has a likelihood of 1.0 with no current controls. Your assumptions/data are 90% accurate.
Asset B has a value of 100 and has two vulnerabilities: Vulnerability #2 has a likelihood of 0.5 with a current control that addresses 50% of its risk; Vulnerability #3 has a likelihood of 0.1 with no current controls. Your assumptions and data are 80% accurate.
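The arithmetic for the Asset A and Asset B scenario above, as an added example that is not part of the original text. The asset values, likelihoods, control coverage and accuracy figures are the ones stated above; the Vulnerability class, the ranked() helper and the convention of taking both the mitigated percentage and the uncertainty percentage of the likelihood-times-value product are my own framing.

```python
"""Relative risk rating: risk = likelihood x value - % mitigated + % uncertainty.
Added example; the Asset A / Asset B figures come from the text, the code does not."""
from dataclasses import dataclass


@dataclass
class Vulnerability:
    asset: str
    name: str
    asset_value: float  # relative value of the asset (e.g. on a 1-100 scale)
    likelihood: float   # likelihood of the vulnerability occurring, 0.0-1.0
    mitigated: float    # fraction of the risk already addressed by current controls
    accuracy: float     # how accurate the assumptions/data are, 0.0-1.0

    @property
    def uncertainty(self) -> float:
        # 90% accurate data leaves 10% uncertainty (assumed reading of the text)
        return round(1.0 - self.accuracy, 6)

    def rating(self) -> float:
        # Both percentages are taken of the likelihood x value product; this
        # reproduces the text's ratings of 55, 35 and 12.
        base = self.asset_value * self.likelihood
        return round(base - base * self.mitigated + base * self.uncertainty, 2)


# Constructed from the scenario given in the text
VULNERABILITIES = [
    Vulnerability("Asset A", "Vulnerability 1", 50, 1.0, 0.0, 0.90),
    Vulnerability("Asset B", "Vulnerability 2", 100, 0.5, 0.5, 0.80),
    Vulnerability("Asset B", "Vulnerability 3", 100, 0.1, 0.0, 0.80),
]


def ranked(vulns):
    """Return (asset, name, rating) tuples, highest risk first."""
    return sorted(((v.asset, v.name, v.rating()) for v in vulns),
                  key=lambda t: t[2], reverse=True)


if __name__ == "__main__":
    for asset, name, score in ranked(VULNERABILITIES):
        print(f"{asset}: {name} rated as {score:g}")
```

Keeping accuracy rather than uncertainty as the stored field mirrors how the scenario is phrased ("90% accurate"); the rating() method is where the percentages are applied, so changing the weighting convention is a one-line change.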
The resulting ranked list of risk ratings for the three vulnerabilities is as follows:
Asset A: Vulnerability 1 rated as 55 = (50 × 1.0) – 0% + 10%.
Asset B: Vulnerability 2 rated as 35 = (100 × 0.5) – 50% + 20%.
Asset B: Vulnerability 3 rated as 12 = (100 × 0.1) – 0% + 20%.
Identify Possible Controls
For each threat and its associated vulnerabilities that have residual risk, create a preliminary list of control ideas.
Three general categories of controls exist: policies, programs, and technical controls.
Access Controls
Access controls specifically address admission of a user into a trusted area of the organization.
These areas can include information systems, physically restricted areas such as computer rooms, and even the organization in its entirety.
Access controls usually consist of a combination of policies, programs, and technologies.
Types of Access Controls
Mandatory Access Controls (MACs) are required and are structured and coordinated with a data classification scheme.
When MACs are implemented, users and data owners have limited control over their access to information resources.
In lattice-based access controls, users are assigned a matrix of authorizations for particular areas of access.
The matrix contains subjects and objects, and the boundaries associated with each subject/object pair are clearly demarcated.
With this type of control, the column of attributes associated with a particular object is called an access control list (ACL).
The row of attributes associated with a particular subject is a capabilities table.
Nondiscretionary controls are determined by a central authority in the organization and can be based on roles (called role-based controls) or on a specified set of tasks (called task-based controls).
Task-based controls can, in turn, be based on lists maintained on subjects or objects.
Role-based controls are tied to the role that a particular user performs in an organization, whereas task-based controls are tied to a particular assignment or responsibility.
Discretionary Access Controls (DACs) are implemented at the discretion or option of the data user.
The ability to share resources in a peer-to-peer configuration allows users to control and possibly provide access to information or resources at their disposal.
The users can allow general, unrestricted access, or they can allow specific individuals or sets of individuals to access these resources.
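The lattice-based matrix, ACL and capabilities table described above, together with the clearance-plus-need-to-know check from the security clearance discussion, as an added example that is not part of the original text. The subjects, objects, rights, classification levels and compartment names are constructed sample data; acl(), capabilities(), dac_allows(), mac_allows() and access_decision() are my own names.

```python
"""Access matrix -> ACL (a column) and capabilities table (a row), plus a
mandatory check that combines clearance level with need-to-know compartments.
Added example; subjects, objects, rights and labels are constructed."""
from dataclasses import dataclass, field

# Lattice-based access matrix: subject -> object -> set of rights (constructed)
ACCESS_MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "hr-policy.doc": {"read"}},
    "bob":   {"hr-policy.doc": {"read", "write"}},
    "carol": {"payroll.db": {"read"}},
}


def acl(obj: str) -> dict:
    """Column of the matrix for one object: which subjects hold which rights on it."""
    return {subj: set(row[obj]) for subj, row in ACCESS_MATRIX.items() if obj in row}


def capabilities(subj: str) -> dict:
    """Row of the matrix for one subject: what it may do to each object."""
    return {obj: set(rights) for obj, rights in ACCESS_MATRIX.get(subj, {}).items()}


def dac_allows(subj: str, obj: str, right: str) -> bool:
    """Discretionary decision: the right must appear in the subject/object cell."""
    return right in ACCESS_MATRIX.get(subj, {}).get(obj, set())


# Mandatory access control: an ordered classification scheme plus need-to-know
# compartments. The level names follow the military scheme named in the text;
# the compartment names are constructed.
LEVELS = ["Unclassified", "Confidential", "Secret"]


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)


def mac_allows(clearance: Label, data: Label) -> bool:
    """Clearance must dominate the data label: the level is high enough AND
    every compartment the data requires is one the person has a need to know."""
    if LEVELS.index(clearance.level) < LEVELS.index(data.level):
        return False
    return data.compartments <= clearance.compartments


def access_decision(subj: str, clearance: Label, obj: str, data: Label, right: str) -> bool:
    """Both checks must pass: the mandatory label check and the discretionary cell."""
    return mac_allows(clearance, data) and dac_allows(subj, obj, right)


if __name__ == "__main__":
    print("ACL for payroll.db:", acl("payroll.db"))
    print("Capabilities of bob:", capabilities("bob"))
    secret_payroll = Label("Secret", frozenset({"PAYROLL"}))
    conf_payroll = Label("Confidential", frozenset({"PAYROLL"}))
    print("alice writes payroll.db:", access_decision("alice", secret_payroll, "payroll.db", conf_payroll, "write"))
```

The need-to-know rule is the subset test in mac_allows(): a Secret clearance with no PAYROLL compartment is refused Confidential payroll data even though its level dominates, which is exactly the point the text makes about clearance alone not being sufficient.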
Quick Quiz
Documenting the Results of Risk Assessment
What are the deliverables from this stage of the risk manage-
ment project?
Quick Quiz
Key Terms
capabilities table
dumpster diving
need-to-know
Programs
Risk management
role-based controls
task-based controls
threat identification
MODULE 8
Risk Mitigation
"When the enemy is relaxed, make them toil. When full, starve them. When settled, make them move."
– Sun Tzu
Chapter Overview
Chapter Objectives
Set-up Notes
Lecture Notes and Teaching Tips with
Quick Quizzes
Introduction
Quick Quiz
Risk Control Strategies
An organization must choose one of four basic strategies to control risks:
Avoidance: applying safeguards that eliminate or reduce the remaining uncontrolled risks for the vulnerability
Transference: shifting the risk to other areas or to outside entities
Avoidance
Application of policy
Countering threats
Transference
Transference is the control approach that attempts to shift the risk to other assets, other processes, or other organizations.
This may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or by implementing service contracts with providers.
Mitigation
Mitigation is the control approach that attempts to reduce, by means of planning and preparation, the damage caused by the exploitation of a vulnerability.
This approach includes three types of plans:
disaster recovery plan (DRP),
incident response plan (IRP), and
Acceptance
As described above, mitigation is a control approach that attempts to reduce the impact of an exploited vulnerability.
In contrast, acceptance of risk is the choice to do nothing to protect an information asset and to accept the outcome from any resulting exploitation.
This control, or lack of control, assumes that it may be a prudent business decision to examine the alternatives and conclude that the cost of protecting an asset does not justify the security expenditure.
The only valid use of the acceptance strategy occurs when the organization has:
Determined the level of risk to the information asset
Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability
Approximated the ARO of the exploit
Estimated the potential loss from attacks
Performed a thorough cost benefit analysis
Decided that the particular asset did not justify the cost of protection
Risk Control Strategy Selection
Risk control involves selecting one of the four risk control strategies for the vulnerabilities present within the organization.
If the loss is within the range of losses the organization can absorb, or if the attacker's gain is less than the expected costs of the attack, the organization may choose to accept the risk.
Otherwise, one of the other control strategies will have to be selected.
Quick Quiz
Evaluation, Assessment, and Maintenance of Risk Controls
Once a control strategy has been selected and implemented, the effectiveness of controls should be monitored and measured on an ongoing basis to determine its effectiveness and the accuracy of the estimate of the risk that will remain after all planned controls are in place.
Categories of Controls
Controlling risk by means of avoidance, mitigation, or transference may be accomplished by implementing controls or safeguards. Controls can be placed into one of four categories:
Control function
Architectural layer
Strategy layer
Quick Quiz
Control Function
Controls designed to defend a vulnerable system are either preventive or detective.
Organizational policy
External networks
Extranets
Demilitarized zones
Intranets
Systems
Applications
Strategy Layer
Risk controls operate within one or more of the commonly accepted information security principles:
Confidentiality
Quick Quiz
What are the names of the categories in which controls can be placed? ANSWER: Control function, Architectural layer, Strategy layer, Information security principle.
Feasibility Studies and Cost Benefit Analysis
The primary means is to determine the value of the information assets that it is designed to protect.
Cost Benefit Analysis (CBA)
The criterion most commonly used when evaluating a project that implements information security controls and safeguards is economic feasibility.
Organizations are urged to begin a cost benefit analysis by evaluating the worth of the information assets to be protected and the loss in value if those information assets are compromised by the exploitation of a specific vulnerability.
This decision-making process is called a cost benefit analysis or an economic feasibility study.
Cost
Just as it is difficult to determine the value of information, it is difficult to determine the cost of safeguarding it.
Some of the items that affect the cost of a control or safeguard include:
Cost of development or acquisition of hardware, software, and services
Training fees
Cost of implementation
Service costs
Cost of maintenance
This is expressed as the annualized loss expectancy (ALE).
Asset Valuation
Asset valuation is the process of assigning financial value or worth to each information asset.
The value of information differs within organizations and between organizations, based on the characteristics of information and the perceived value of that information.
The valuation of assets involves estimation of real and perceived costs associated with the design, development, installation, maintenance, protection, recovery, and defense against loss and litigation.
Some of the components of asset valuation include:
Value retained from the cost of creating the information asset
Value retained from past maintenance of the information asset
Value implied by the cost of replacing the information
Value from providing the information
Value acquired from the cost of protecting the information
Value to owners
Value of intellectual property
Value to adversaries
Loss of productivity while the information assets are unavailable
Loss of revenue while information assets are unavailable
An organization must be able to place a dollar value on each collection of information and the information assets it owns, based on:
How much did it cost to create or acquire this information?
How much would it cost to recreate or recover this information?
How much does it cost to maintain this information?
How much is this information worth to the organization?
How much is this information worth to the competition?
Next the organization examines the potential loss that could occur from the exploitation of a vulnerability or a threat occurrence.
This process results in the estimate of potential loss per risk.
The questions that must be asked here include:
What damage could occur, and what financial impact would it have?
What would it cost to recover from the attack, in addition to the financial impact of damage?
What is the single loss expectancy for each risk?
A single loss expectancy, or SLE, is the calculation of the value associated with the most likely loss from an attack.
It is a calculation based on the value of the asset and the expected percentage of loss that would occur from a particular attack:
SLE = asset value (AV) x exposure factor (EF)
Where EF = the percentage loss that would occur from a given vulnerability being exploited.
This information is usually estimated.
In most cases, the probability of a threat occurring is usually a loosely derived table indicating the probability of an attack from each threat type within a given time frame.
This value is commonly referred to as the ARO, or annualized rate of occurrence.
In order to standardize calculations, you convert the rate to a yearly (annualized) value.
This is expressed as the probability of a threat occurrence.
Once each asset's worth is known, the next step is to ascertain how much loss is expected from a single attack, and how often these attacks occur.
Once those values are determined, the equation can be completed to determine the overall loss potential per risk.
This is usually determined via an annualized loss expectancy, or ALE, using the values for the ARO and SLE from previous sections.
ALE = SLE x ARO
The Cost Benefit Analysis (CBA) Formula
CBA determines whether or not a control alternative is worth its associated cost.
CBAs may be calculated before a control or safeguard is implemented, to determine if the control is worth implementing, or calculated after controls have been implemented and have been functioning for a time.
CBA = ALE(prior) – ALE(post) – ACS
ALE(prior to control) is the annualized loss expectancy of the risk before the implementation of the control.
ALE(post control) is the ALE examined after the control has been in place for a period of time.
ACS is the annual cost of the safeguard.
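The SLE, ARO, ALE and CBA formulas above, carried through for one asset and several candidate safeguards in an added Python example that is not part of the original text. The asset value, exposure factors, rates and control names are constructed figures for illustration, and the ranking and "no control is worth it" handling are this example's own additions to the formulas.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def annualize(occurrences: float, years: float) -> float:
    """Convert an observed count over a period into an annualized rate of
    occurrence (ARO): one incident every four years gives 0.25."""
    if years <= 0:
        raise ValueError("period must be positive")
    return occurrences / years


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction of the asset's value lost in one
    successful attack, so it must lie between 0 and 1 inclusive."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Risk:
    """One asset/threat pair with the values the text asks for."""
    asset: str
    threat: str
    asset_value: float      # AV, in dollars
    exposure_factor: float  # EF, fraction of AV lost per attack
    aro: float              # annualized rate of occurrence

    def ale(self) -> float:
        sle = single_loss_expectancy(self.asset_value, self.exposure_factor)
        return annualized_loss_expectancy(sle, self.aro)


@dataclass(frozen=True)
class Control:
    """A candidate safeguard: its annual cost (ACS) and the EF and ARO
    that remain once it is in place."""
    name: str
    annual_cost: float          # ACS
    post_exposure_factor: float
    post_aro: float


def cost_benefit(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS. Positive means the control
    saves more per year than it costs."""
    return ale_prior - ale_post - acs


def evaluate_control(risk: Risk, control: Control) -> float:
    """CBA of applying one control to one risk."""
    sle_post = single_loss_expectancy(risk.asset_value, control.post_exposure_factor)
    ale_post = annualized_loss_expectancy(sle_post, control.post_aro)
    return cost_benefit(risk.ale(), ale_post, control.annual_cost)


def rank_controls(risk: Risk, controls: List[Control]) -> List[Tuple[str, float]]:
    """All candidates as (name, CBA) pairs, best first."""
    scored = [(c.name, evaluate_control(risk, c)) for c in controls]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def best_control(risk: Risk, controls: List[Control]) -> Optional[str]:
    """Name of the control with the highest CBA, or None when no candidate
    has a positive CBA (every option costs more than the loss it avoids)."""
    ranked = rank_controls(risk, controls)
    if not ranked or ranked[0][1] <= 0:
        return None
    return ranked[0][0]


# Constructed sample figures (illustrative, not from the text).
WEB_RISK = Risk(asset="customer web server", threat="web defacement",
                asset_value=100_000.0, exposure_factor=0.5,
                aro=annualize(occurrences=1, years=4))  # one event per 4 years

CANDIDATES = [
    Control("web application firewall", annual_cost=4_000.0,
            post_exposure_factor=0.1, post_aro=0.25),
    Control("patch management program", annual_cost=1_500.0,
            post_exposure_factor=0.5, post_aro=0.05),
    Control("full site rebuild with hot standby", annual_cost=15_000.0,
            post_exposure_factor=0.0, post_aro=0.25),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(WEB_RISK.asset_value, WEB_RISK.exposure_factor)
    print(f"SLE = {sle:,.2f}   ALE(prior) = {WEB_RISK.ale():,.2f}")
    for name, cba in rank_controls(WEB_RISK, CANDIDATES):
        print(f"{name:36s} CBA = {cba:>10,.2f}")
    print("best control:", best_control(WEB_RISK, CANDIDATES))
```

Note that the rebuild option drives the post-control ALE to zero yet has a negative CBA, which is the point of the formula: a safeguard is judged against its annual cost, not against how much residual loss it leaves.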
Other Feasibility Studies
In the previous sections the concepts of economic feasibility or using baselines or benchmarks were used to justify proposals for information security controls.
The next step in measuring how ready an organization is for these controls is determining the proposal's organizational, operational, technical, and political feasibility.
Organizational feasibility analysis examines how well the proposed information security alternatives will contribute to the operation of an organization.
Operational feasibility addresses user acceptance and support, management acceptance and support, and the overall requirements of the organization's stakeholders.
Technical feasibility examines whether or not the organization has or can acquire the technology to implement and support the alternatives.
Political feasibility defines what can and cannot occur based on the consensus and relationships between the communities of interest.
The organization then measures the difference in the way it conducts business and the way the other organizations conduct business.
When benchmarking, an organization typically uses one of two measures to compare practices: metrics-based measures or process-based measures.
Metrics-based measures are comparisons based on numerical standards, such as:
Numbers of successful attacks
Staff hours spent on systems protection
Dollars spent on protection
Numbers of security personnel
Estimated value in dollars of the information lost in successful attacks
Loss in productivity hours associated with successful attacks
Process-based measures are generally less focused on numbers and are more strategic.
For each of the areas the organization is interested in benchmarking, process-based measures enable the companies to examine the activities an individual company performs in pursuit of its goal, rather than the specifics of how goals are attained.
The primary focus is the method the organization uses to accomplish a particular process, rather than the outcome.
Due Care and Due Diligence
For legal reasons, an organization may be forced to adopt a certain minimum level of security.
When organizations adopt levels of security for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances. This is referred to as a standard of due care.
Due diligence is the demonstration that the organization is persistent in ensuring that the implemented standards continue to provide the required level of protection.
Best Business Practices
Security efforts that seek to provide a superior level of performance are referred to as best business practices.
Best security practices are those that are among the best in the industry, balancing access to information with adequate protection, while maintaining a solid degree of fiscal responsibility.
Companies with best practices may not be the best in every area, but may simply have established an extremely high quality or successful security effort in one or more areas.
The Gold Standard
Even the best business practices are not sufficient for some organizations. These organizations aspire to set the standard by implementing the most protective, supportive, and yet fiscally responsible standards they can.
The gold standard is a defining level of performance that demonstrates a company's industrial leadership, quality, and concern for the protection of information.
Seeking the gold standard is a method of striving for excellence.
Applying Best Practices
When considering best practices for adoption, address the following questions:
Can your organization expend resources that are in line with the requirements of the best practice?
Is your organization in a similar threat environment as the one cited in the best practice?
Problems with Benchmarking and Best Practices
Organizations don't talk to each other.
No two organizations are identical.
Best practices are a moving target.
Simply knowing what was going on a few years ago doesn't necessarily indicate what to do next.
Baselining
Baselining is the analysis of measures against established standards.
In information security, baselining is the comparison of security activities and events against the organization's future performance.
The information gathered for an organization's first risk assessment becomes the baseline for future comparisons.
Quick Quiz
What is cost benefit analysis? ANSWER: The criterion most commonly used when evaluating a project that implements information security controls and safeguards is economic feasibility.
Risk Management Discussion Points
Risk Appetite
Risk appetite defines the quantity and nature of risk that organizations are willing to accept, as they evaluate the trade-offs between perfect security and unlimited accessibility.
The reasoned approach to risk is one that balances the expense against the possible losses if exploited.
The goal of information security is not to bring residual risk to zero, but to bring it in line with an organization's risk appetite.
If decision makers have been informed of uncontrolled risks and the proper authority groups within the communities of interest decide to leave residual risk in place, then the information security program has accomplished its primary goal.
Documenting Results
Qualitative Measures
Quick Quiz
The OCTAVE Method
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method defines the essential components of a comprehensive, systematic, context-driven, self-directed information security risk evaluation.
The OCTAVE Method is self-directed.
The OCTAVE Method requires an analysis team to conduct the evaluation and to analyze the information. The basic tasks of the team are:
to facilitate the knowledge elicitation workshops of Phase 1
Process 4: Create Threat Profiles
Phase 2: Identify Infrastructure Vulnerabilities
Process 5: Identify Key Components
Process 6: Evaluate Selected Components
Select participants.
Coordinate logistics.
Quick Quiz
What are the three phases of the OCTAVE method? ANSWER: Phase 1: Build Asset-Based Threat Profiles, Phase 2: Identify Infrastructure Vulnerabilities, Phase 3: Develop Security Strategy and Plans.
Key Terms
Benefit
Competitive disadvantage
Cost avoidance
Cyberactivism
Delphi technique
Detective controls
Hacktivism
Mitigation
OCTAVE method
Operational feasibility
Organizational feasibility
Political feasibility
Preventive controls
Qualitative assessment
Transference
MODULE 9
Laws & Ethics
"Move swift as the Wind and closely-formed as the Wood. Attack like the Fire and be still as the Mountain"
– Tsun Zu
Chapter Overview
Chapter Objectives
Set-up Notes
Lecture Notes and Teaching Tips
Quick Quizzes
Introduction
The key difference between law and ethics is that law carries the sanction of a governing authority and ethics do not.
Quick Quiz
What are the major differences between law and ethics? ANSWER: The law carries the sanction of a governing authority and ethics do not. Ethics are also based on cultural mores: relatively fixed moral attitudes or customs of a societal group.
The Legal Environment
Types of Law
The Computer Fraud and Abuse Act of 1986 (CFA Act) is the
cornerstone of many computer-related federal laws and en-
forcement efforts.
The CFA Act was further modified by the USA Patriot Act of 2001—the abbreviated name for "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001," which provides law enforcement agencies with broader latitude to combat terrorism-related activities. Some of the laws modified by the Patriot Act date from the earliest laws created to deal with electronic technology.
The Communications Act of 1934 was revised by the Telecommunications Deregulation and Competition Act of 1996, which attempts to modernize the archaic terminology of the older act.
The Computer Security Act of 1987 was one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices.
The Computer Security Act of 1987 charged the National Bureau of Standards, in cooperation with the National Security Agency, with the following tasks:
Developing standards, guidelines, and associated methods and techniques for computer systems
Developing uniform standards and guidelines for most federal computer systems
Developing technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in federal computer systems
Developing guidelines for use by operators of federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice
Developing validation procedures for, and evaluating the effectiveness of, standards and guidelines through research and liaison with other government and private agencies
The Computer Security Act also established a Computer System Security and Privacy Advisory Board within the Department of Commerce.
The Computer Security Act of 1987 also amended the Federal Property and Administrative Services Act of 1949, requiring the National Bureau of Standards to distribute standards and guidelines pertaining to federal computer systems, making such standards compulsory and binding to the extent to which the secretary determines necessary to improve the efficiency of operation or security and privacy of federal computer systems.
Another provision of the Computer Security Act requires mandatory periodic training in computer security awareness and accepted computer security practice for all employees who are involved with the management, use, or operation of each federal computer system.
Privacy Laws
Many organizations collect, trade, and sell personal information as a commodity, and many individuals are becoming aware of these practices and looking to the governments to protect their privacy.
In the past it was not possible to create databases that contained personal information collected from multiple sources. Today, the aggregation of data from multiple sources permits unethical organizations to build databases with alarming quantities of personal information.
The Privacy of Customer Information Section of the section of regulations covering common carriers specifies that any proprietary information shall be used explicitly for providing services, and not for any marketing purposes.
The Federal Privacy Act of 1974 regulates the government's use of private information. The Federal Privacy Act was created to ensure that government agencies protect the privacy of individuals' and businesses' information, and holds those agencies responsible if any portion of this information is released without permission.
The Electronic Communications Privacy Act of 1986 is a collection of statutes that regulates the interception of wire, electronic, and oral communications.
These statutes work in cooperation with the Fourth Amendment of the U.S. Constitution, which prohibits search and seizure without a warrant.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as the Kennedy-Kassebaum Act, is an attempt to protect the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange.
HIPAA requires organizations that retain health care information to use information security mechanisms to protect this information, as well as policies and procedures to maintain them, and also requires a comprehensive assessment of the organization's information security systems, policies, and procedures. HIPAA provides guidelines for the use of electronic signatures based on security standards ensuring message integrity, user authentication, and nonrepudiation.
Security of health information
The Financial Services Modernization Act or Gramm-Leach-Bliley Act of 1999 contains a number of provisions that affect banks, securities firms, and insurance companies.
This act requires all financial institutions to disclose their privacy policies, describing how they share nonpublic personal information, and describing how customers can request that their information not be shared with third parties.
The act also ensures that the privacy policies in effect in an organization are fully disclosed when a customer initiates a business relationship, and distributed at least annually for the duration of the professional association.
Export and Espionage Laws
In an attempt to protect intellectual property and competitive advantage, Congress passed the Economic Espionage Act (EEA) in 1996.
This law attempts to protect trade secrets "from the foreign government that uses its classic espionage apparatus to spy on a company, to the two American companies that are attempting to uncover each other's bid proposals, or to the disgruntled former employee who walks out of his former company with a computer diskette full of engineering schematics."
The Security and Freedom through Encryption Act of 1997 provides guidance on the use of encryption, and institutes measures of public protection from government intervention. Specifically, the Act reinforces an individual's right to use or sell encryption algorithms, without concern for the impact of other regulations requiring some form of key registration, and prohibits the federal government from requiring the use of encryption for contracts, grants, and other official documents and correspondence.
U.S. Copyright Law
U.S. copyright law extends protection to intellectual property, which includes words published in electronic formats.
The doctrine of fair use allows material to be quoted for the purpose of news reporting, teaching, scholarship, and a number of other related activities, so long as the purpose is educational and not for profit, and the usage is not excessive.
Proper acknowledgement must be provided to the author and/or copyright holder of such works, including a description of the location of source materials by using a recognized form of citation.
Freedom of Information Act of 1966 (FOIA)
All federal agencies are required under the Freedom of Information Act (FOIA) to disclose records requested in writing by any person.
The FOIA applies only to federal agencies and does not create a right of access to records held by Congress, the courts, or by state or local government agencies.
Sarbanes-Oxley Act of 2002
The U.S. Congress enacted the Sarbanes-Oxley Act of 2002 to enforce accountability for the financial record keeping and reporting at publicly traded corporations.
The law requires that the CEO and chief financial officer (CFO) assume direct and personal accountability for the completeness and accuracy of a publicly traded organization's financial reporting and record-keeping systems.
As these executives attempt to ensure that the systems used to record and report are sound—often relying upon the expertise of CIOs and CISOs to do so—the related areas of availability and confidentiality are also emphasized.
INTERNATIONAL LAWS AND LEGAL BODIES
Many domestic laws and customs do not apply to international trade, which is governed by international treaties and trade agreements.
Because of the political complexities of the relationships among nations and cultural differences, there are currently few international laws relating to privacy and information security.
European Council Cyber-Crime Convention
Recently the Council of Europe drafted the European Council Cyber-Crime Convention, which empowers an international task force to oversee a range of Internet security functions, and to standardize technology laws across international borders.
It also attempts to improve the effectiveness of international investigations into breaches of technology law.
The overall goal of the convention is to simplify the acquisition of information for law enforcement agents in certain types of international crimes, as well as the extradition process.
Digital Millennium Copyright Act (DMCA)
The Digital Millennium Copyright Act (DMCA) is a U.S.-based international effort to reduce the impact of copyright, trademark, and privacy infringement, especially via the removal of technological copyright protection measures.
The European Union also put forward Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, which increases individual rights to process and freely move personal data.
The United Kingdom has already implemented a version of this directive called the Database Right.
State and Local Regulations
It is the responsibility of information security professionals to understand state laws and regulations and ensure that their organization's security policies and procedures comply with the laws and regulations.
For example, the State of Georgia recently passed the Georgia Computer Systems Protection Act, which has various computer security provisions, and establishes specific penalties for use of information technology to attack or exploit information systems in organizations.
The Georgia legislature also passed the Georgia Identity Theft Law in 1998, which requires that a business may not
discard a record containing personal information unless it shreds, erases, modifies, or otherwise makes the information irretrievable.
Quick Quiz
What is the Federal Privacy Act? ANSWER: The Federal Privacy Act of 1974 regulates the government's use of private information. The Federal Privacy Act was created to ensure that government agencies protect the privacy of individuals' and businesses' information, and holds those agencies responsible if any portion of this information is released without permission.
Ethical Concepts in Information Security
The student of information security is not expected to study the topic of ethics in a vacuum, but within a larger ethical framework.
However, those employed in the area of information security may be expected to be more articulate about the topic than others in the organization, and often must withstand a higher degree of scrutiny.
The Ten Commandments of Computer Ethics
—from The Computer Ethics Institute
Thou shalt not use a computer to harm other people.
Thou shalt not interfere with other people's computer work.
Thou shalt not snoop around in other people's computer files.
Thou shalt not use a computer to steal.
Thou shalt not use a computer to bear false witness.
Thou shalt not copy or use proprietary software for which you have not paid.
Thou shalt not use other people's computer resources without authorization or proper compensation.
Thou shalt not appropriate other people's intellectual output.
Thou shalt think about the social consequences of the program you are writing or the system you are designing.
Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
Differences in Ethical Concepts
Studies reveal that individuals of different nationalities have different perspectives on the ethics of computer use.
Difficulties arise when one nationality's ethical behavior does not correspond to that of another national group.
Ethics and Education
Differences in computer use ethics are not exclusively cultural.
Differences are found among individuals within the same country, within the same social class, and within the same company.
Key studies reveal that the overriding factor in leveling the ethical perceptions within a small population is education.
Employees must be trained and kept up to date on information security topics, including the expected behaviors of an ethical employee.
Deterring Unethical and Illegal Behavior
It is the responsibility of information security personnel to do everything in their power to deter unethical and illegal acts, using policy, education and training, and technology as controls or safeguards to protect the information and systems.
Many security professionals understand technological means of protection, but many underestimate the value of policy.
There are three general categories of unethical behavior that organizations and society should seek to eliminate:
Ignorance
Accident
Intent
examples of deterrents. However, it is generally agreed that laws and policies and their associated penalties only deter if three conditions are present:
Fear of penalty
Probability of being caught
Probability of penalty being administered
How can the information security professional deter unethical and illegal behavior of an employee? ANSWER: Information security personnel should do everything in their power to deter unethical and illegal acts, using policy, education and training, and technology as controls or safeguards to protect the information and systems.
Certifications and Professional Organizations
A number of professional organizations have established codes of conduct and/or codes of ethics that members are expected to follow.
Codes of ethics can have a positive effect on an individual's judgment regarding computer use.
Unfortunately, many employers do not encourage their employees to join these professional organizations.
dures of their employers, their professional organizations, and the laws of society.
Association of Computing Machinery (ACM)
The ACM (www.acm.org) is a respected professional society, originally established in 1947, as "the world's first educational and scientific computing society." It is one of the few organizations that strongly promotes education, and provides discounted membership for students.
Protect society, the commonwealth, and the infrastructure
Act honorably, honestly, justly, responsibly, and legally
Provide diligent and competent service to principals
Advance and protect the profession.
System Administration, Networking, and Security Institute (SANS)
Founded in 1989, SANS is a professional research and education cooperative organization with currently over 156,000 security professionals, auditors, system administrators, and network administrators.
SANS certifications can be pursued independently or combined to earn the comprehensive certification called the GIAC Security Engineer (GSE). The newest GIAC certification, the Information Security Officer (GISO), is an overview certification that combines basic technical knowledge with understanding of threats, risks, and best practices.
Information Systems Audit and Control Association (ISACA)
The Information Systems Audit and Control Association, or ISACA (www.isaca.org), is a professional association with a focus on auditing, control, and security.
The membership comprises both technical and managerial professionals.
The ISACA also has a code of ethics for its professionals.
It requires many of the same high standards for ethical performance as the other organizations and certifications.
Computer Security Institute (CSI)
The Computer Security Institute (www.gocsi.com) provides information and certification to support the computer, networking, and information security professional.
CSI also publishes a newsletter and threat advisory, and is well known for its annual computer crime survey of threats developed in cooperation with the FBI.
Information Systems Security Association
The Information Systems Security Association (ISSA) (www.issa.org) is a nonprofit society of information security professionals.
As a professional association, its primary mission is to bring together qualified practitioners of information security for information exchange and educational development. ISSA provides conferences, meetings, publications, and information resources to promote information security awareness and education.
ISSA also promotes a code of ethics, similar to those of (ISC)2, ISACA, and the ACM, "promoting management practices that will ensure the confidentiality, integrity, and availability of organizational information resources."
Other Security Organizations
The Internet Society or ISOC (www.isoc.org) is a nonprofit, nongovernmental, international professional organization. It promotes the development and implementation of education, standards, policy, and education and training to promote the Internet.
The Internet Engineering Task Force (IETF) consists of individuals from the computing, networking, and telecommunications industries, and is responsible for developing the Internet's technical foundations.
Standards developed by the IETF are then reviewed by the Internet Engineering Steering Group (IESG), with appeal to the Internet Architecture Board, and promulgated by the Internet Society as international standards.
The Computer Security Division (CSD) of the National Institute for Standards and Technology (NIST) runs the Computer Security Resource Center (CSRC)—an essential resource for any current or aspiring information security professional.
This Web site (csrc.nist.gov) houses one of the most comprehensive sets of publicly available information on the entire suite of information security topics.
The CSD is involved in five major research areas related to information security:
Cryptographic standards and applications
Quick Quiz
Key U.S. Federal Agencies
There are a number of key U.S. federal agencies charged with the protection of U.S. information resources, and the investigation of threats to, or attacks on, these resources.
The Federal Bureau of Investigation's National Infrastructure Protection Center (NIPC) (www.nipc.gov) was established in 1998 and serves as the U.S. government's focal point for threat assessment and the warning, investigation, and response to threats or attacks against critical U.S. infrastructures.
A key part of the NIPC's efforts to educate, train, inform, and involve the business and public sector in information security is the National InfraGard Program.
Every FBI field office has established an InfraGard chapter and collaborates with public and private organizations and the academic community to share information about attacks, vulnerabilities, and threats.
InfraGard's dominant contribution is the free exchange of information to and from the private sector in the subject areas of threats and attacks on information resources.
protect key members of the U.S. government, the Secret Service is also charged with the detection and arrest of any person committing a U.S. federal offense relating to computer fraud, as well as false identification crimes.
The Patriot Act (Public Law 107-56) increased the Secret Service's role in investigating fraud and related activity in connection with computers.
The Department of Homeland Security was established with the passage of Public Law 107-296, which, in part, transfers the United States Secret Service from the Department of the Treasury to the new department, effective March 1, 2003.
Quick Quiz
What important information does the NSA's Information Assurance Directorate provide? ANSWER: It provides the information security professional with "solutions including the technologies, specifications and criteria, products, product configurations, tools, standards, operational doctrine and support activities needed to implement the protect, detect and report, and respond elements of cyber defense."
Organizational Liability and the Need for Counsel
Quick Quiz
Key Terms
CERT Coordination Center (CERT/CC)
Civil law
Computer Professional for Social Responsibility (CPSR)
Criminal law
Cultural mores
Deterrence
Due Care
Due Diligence
Ethics
Jurisdiction
Laws
Liability
Long-arm jurisdiction
Privacy
Private law
Public law
Restitution
Tort law