UNIT-II

Secure System Planning and administration:


What is security planning?
Security planning is designing, implementing, monitoring, reviewing and continually improving
practices for security risk management. A security plan (see Security plan) specifies the
approach, responsibilities and resources applied to managing protective security risks.
A system security plan is primarily implemented in organizational IT environments. It can be a
proposed plan to protect and control an information system, or a plan that is already in
implementation. It is usually created using the organization/IT environment security policy as
the benchmark.

Security planning approach

Successfully managing entity security risks and protecting people, information and
assets requires an understanding of what needs protecting, what the threat is and how
assets will be protected. Security planning is designing, implementing, monitoring,
reviewing and continually improving practices for security risk management.

A security plan specifies the approach, responsibilities and resources applied to
managing protective security risks. The security plan allows entities to review the degree
of security risk that exists in different areas of operations and take action to mitigate
identified risks.

A security risk management process (see Annex A) manages risks across all areas of
security (governance, information, personnel and physical) to determine sources of
threat and risk (and potential events) that could affect government or entity business.
Security risk management includes:

i. security risk assessments, which are structured and comprehensive processes to
identify, analyse and evaluate security risks and determine practical steps to
minimise the risks
ii. security risk treatments, which are the considered, coordinated and efficient
actions and resources required to mitigate or lessen the likelihood or negative
consequences of risks.

Regardless of an entity's functions or security concerns, the central messages for
managing security risks are:

a. security is everyone's responsibility and risk management is the business of all
personnel (including contractors) in the entity, supported by security awareness
training
b. security is a business enabler that informs decision-making, is part of day-to-day
business and is embedded into an entity's business processes
c. security management is logical, systematic and transparent and is part of the
enterprise risk management process
d. security processes identify changes in the threat environment and allow for
adjustments to maintain acceptable levels of risk, balancing operational and
security needs.

Security plan – threats, risks and vulnerabilities

When implementing the core requirement to detail threats, risks and vulnerabilities that affect
the protection of people, information and assets, entities:

a. identify the people, information (including ICT) and assets to be safeguarded
b. determine specific risks (including shared risks) to their people, information and
assets in Australia and abroad (risk identification)
c. identify and assess criticality of people, information and assets (criticality
assessment)
d. identify the threats to people, information and assets (threat assessment)
e. assess the degree of susceptibility and resilience to hazards (vulnerability
assessment)
f. assess the likelihood and consequence of each risk occurring (risk analysis)
g. determine adequacy of existing safeguards and whether current risks (or residual
vulnerabilities) are acceptable or not (evaluate risks)
h. implement protective security measures to mitigate or reduce identified risks to
an acceptable level (risk treatments)
i. manage residual risks (treatable and untreatable) and vulnerabilities
j. identify and accept responsibility for risks.

What is a security risk?

A security risk is something that could result in the compromise, loss, unavailability or
damage to information or assets, or cause harm to people. Security risk is the effect of
uncertainty on objectives and is often measured in terms of its likelihood and
consequences. The causes are generally people, systems, processes, procedures, crime,
attacks or natural events. An:

a. effect is a deviation from the expected and may be positive or negative
b. objective has different aspects such as financial, health and safety and
environmental goals, and can apply at multiple levels such as strategic,
organization-wide, project, product and process levels.

Entities are encouraged to consider where security risks intersect with other risks
including fraud, privacy and business continuity. Entities are encouraged to treat risk
holistically across their operations. For example, there may be opportunities to treat
multiple risks with one mitigation control.

Risk is defined as the effect of uncertainty on objectives. An effect is a deviation from the
expected–positive or negative.

Communicate and consult

To ensure that risk management remains relevant and current, it is important to
communicate and consult with stakeholders, contracted service providers and decision-
makers throughout all stages of the process. This approach ensures stakeholders are
properly represented, have their views taken into account in determining risk criteria
and confirms that all participants understand their roles and responsibilities.

It is recommended that the following is documented:

a. audience and stakeholders
b. communication objectives and activities (what are you trying to achieve, how it
will be achieved, delivery method, expectations)
c. monitoring and review processes (noting that communication and consultation
occurs at all stages of the security risk management process).

Establish the context

The security risk management process addresses the strategic, operational and security
risk management contexts. Defining the frame of reference provides the scope for risk
management activities. The security risk management process is used to determine all
applicable sources of risk and potential events that could impact government or entity
business.

Organizational context includes:

a. scope and parameters of activities where risk management is applied
b. resources (or limitations) available or required for risk treatments and activities
c. reputational expectations or objectives
d. logistical or locational challenges
e. outcomes of related internal or external audit reports
f. security risk management processes adopted
g. processes for documenting results of risk assessments and risk treatments.

External context includes:

a. regulatory environment, including legislative or policy obligations and responsibilities,
foreign laws or potential jurisdictional access to information
b. political or economic climate
c. community sensitivities or expectations.

Security context

Security context includes:

a. purpose and scope of security in supporting or achieving the entity's business objectives
b. criteria for evaluating the significance of security risks
c. risk appetite and tolerance criteria and threshold levels for the entity (see
section Security plan – tolerance to security risks for information on risk tolerances)
d. threat and risk environment (areas of concern, specific threats identified, known
vulnerabilities)
e. decision-makers (when and by whom)
f. critical asset statement (what are you looking to protect)
g. interdependencies and links to other plans or security procedures
h. details of any shared risk
i. constraints and assumptions.

Security risk assessment

Security risk assessment is the process of risk identification, analysis and evaluation to
understand the risks, their causes, consequences and probabilities. The aim is to
generate a comprehensive list of threats and risks that affect the protection of the
entity's people, information and assets and identify the sources, exposure and potential
consequences of these threats and risks. Consideration is also given to the entity's
prevailing and emerging risk environment.

Each risk is described as comprehensively as possible, so that decision-makers can fully
understand the position. This may be in the style of a formal assessment undertaken by
competent personnel, or a contracted service provider.

Identify security risks

Identifying security risks generates a clear, comprehensive and concise list of potential
sources of risk and threats (referred to as a risk register, see example below) that could
impact government, entity operations or continuous delivery of services. This is achieved
by mapping the sources of risk (threat assessment), determining the importance of
organisational assets (criticality of assets) and the manner in which these elements may
facilitate or inhibit this interaction (vulnerability).
In preparing a list of security risks, consider questions like:

a. What could happen? (potential event or incident and resulting outcomes or
consequences)
b. What is the likely outcome and impact of the risk eventuating?
c. When could it happen? (how frequently)
d. Where could it happen? (physical location and assets affected)
e. How could it happen? (sources, potential threats, catalysts, triggers)
f. How reliable is the information that the risk assessment is based upon?
g. Why could it happen? (causes, underlying factors, vulnerabilities or inadequacies
in protective security controls or mitigations)
h. Who could be involved or affected? (individuals or groups, stakeholders or
service providers)
i. Do entity mitigation measures or activities create risk to clients or the public?

Annex A Table 1 Risk register example

Item                       Description
Description                describe the risk (consider the questions above)
Category                   people, information, property, reputation, financial,
                           business operations
Event                      occurrence or change of a particular set of circumstances
Source                     threat or hazard that is the source of the risk
Cause                      why the threat or hazard is a risk
Consequences               level of impact the risk will have on the entity
Risk criteria              determined tolerability against consequence and likelihood
                           tables
Priority                   comparing the level of risk (magnitude of risk = consequence +
                           likelihood) with the risk criteria
Controls                   adequacy of existing controls in place, or the known controls for
                           the risk
Current risk rating        what is the current risk rating status
Risk decision              does the risk need treatment
Treatments                 what action needs to be taken, by whom, with what resources
                           and by when
Residual risk rating       once treatments have been implemented, what will be the
                           residual risk rating
Stakeholders               who else is impacted by the risk (other entities, contractors,
                           service providers etc)
Previous risk information  information on any previous risk, threat or vulnerability
                           assessments

Criticality assessment

Criticality assessment identifies and assigns importance to all resources (something that
has value to the entity including personnel, information and physical assets or processes
that support them) that are critical to the ongoing operation of the entity or to the
national interest. Asset identification and security risk management documents can form
part of the security plan or be standalone and inform the security plan.

The criticality assessment will be different depending on the entity's purpose, business
objectives and risk environment. Criticality assessments include:

a. criticality ratings – the scale of the resources' importance to the entity (eg a
numerical scale 1-5 or importance value scale such as catastrophic, significant,
moderate, low, insignificant). Alternatively, a business impact level can be applied
by assessing the impact on the entity if the integrity or availability of the resource
was compromised (applying a business impact level to the confidentiality of a
resource means applying a security classification. See the PSPF policy: Sensitive
and classified information)
b. consequence of loss, compromise or harm – a description of what the
consequence is
c. category – consequences can also be expressed across categories such as
people, information, property, reputation, financial, business operations or
services.

Threat assessment

A threat assessment identifies the source of harm and is used to inform the entity's risk
assessment. Threats are assessed by determining the intent to cause harm, damage or
disruption and the capability (the potential that exists to actually cause harm or carry
out intentions) of the threat source.

Vulnerability assessment

Vulnerability assessment identifies the degree of susceptibility and resilience of an entity
to hazards. To understand the potential of risks, it is recommended that entities assess
the possible vulnerabilities to each risk to gauge the consequence and likelihood of
these risks. This process of understanding possible vulnerabilities helps entities to
prioritise the risks and guides the allocation of resources in mitigating their effects.

Analyse security risks

Risk analysis involves assessing the likelihood and potential consequence of each
identified risk, determining the level of risk rating and assessing whether additional
controls are required.

Aims of risk analysis:

Determine control effectiveness – whether the existing control measures are adequate
or effective in managing identified risks.

Define the likelihood and consequence of the event. This is achieved by considering the:

a. likelihood – the chance, probability or frequency of the event (an occurrence or change
in a particular set of circumstances; it can be one or more occurrences and can have
several causes) occurring
b. consequence – the outcome affecting objectives if the event occurs (consequences can
be expressed qualitatively or quantitatively and can be certain or uncertain and have
positive or negative effects on objectives). There may be a number of possible outcomes
associated with an event.

Assign the level of risk rating based on the likelihood and consequence risk matrix. The
overall risk rating is determined by combining the likelihood and consequence
estimations. Risk rating allows the security risk to be prioritised in order of decreasing
risk levels. This helps with deciding the tolerability of risk in the evaluation step. The
Attorney-General's Department recommends adopting a risk-rating-matrix approach for
determining the levels of risk.

Prioritise risks for subsequent evaluation of tolerance or the need for further treatment.
Provide an improved understanding of the vulnerability of critical assets to identified
risks.

Evaluate security risks

Risk evaluation involves making decisions based on the outcomes of risk analysis about
whether risks are:

a. acceptable (tolerable) with existing controls or further treatment (risks identified
as acceptable or tolerable with no further treatment still need to be documented,
monitored and periodically reviewed to ensure they remain acceptable)
b. unacceptable (intolerable) and need treatments (consideration is given to the
criteria for determining tolerability).
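The risk register columns in Annex A Table 1, the magnitude formula (magnitude of risk = consequence + likelihood) and the rating-matrix prioritisation and evaluation steps described above can be exercised end to end in code. The following Python is an added example written for these notes; it is not part of the original material or of any PSPF tool. The 1-5 likelihood and consequence scales, the rating bands, the tolerance threshold and the three register entries are all constructed for illustration, and an entity would substitute its own risk criteria.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Likelihood(IntEnum):
    """Constructed 1-5 likelihood scale (chance of the event occurring)."""
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Consequence(IntEnum):
    """Constructed 1-5 consequence scale, mirroring the importance values
    used in the notes (insignificant .. catastrophic)."""
    INSIGNIFICANT = 1
    LOW = 2
    MODERATE = 3
    SIGNIFICANT = 4
    CATASTROPHIC = 5


# Risk criteria: the lowest magnitude that falls into each rating band.
# These thresholds are constructed for the example; an entity sets its own.
RATING_BANDS = ((9, "extreme"), (7, "high"), (5, "medium"), (2, "low"))
RATING_ORDER = ("low", "medium", "high", "extreme")


def magnitude(likelihood: Likelihood, consequence: Consequence) -> int:
    """Magnitude of risk = consequence + likelihood (the formula in the register table)."""
    return int(likelihood) + int(consequence)


def rating(likelihood: Likelihood, consequence: Consequence) -> str:
    """Look up the rating band for a likelihood/consequence pair (the risk matrix)."""
    m = magnitude(likelihood, consequence)
    for floor, label in RATING_BANDS:
        if m >= floor:
            return label
    raise ValueError(f"magnitude {m} is below the lowest rating band")


def exceeds_tolerance(label: str, tolerance: str) -> bool:
    """True when a rating sits above the entity's tolerance threshold, i.e. the
    risk is intolerable with existing controls and needs treatment."""
    return RATING_ORDER.index(label) > RATING_ORDER.index(tolerance)


@dataclass
class Risk:
    """One row of the risk register (a subset of the columns in the notes' table)."""
    description: str
    category: str
    source: str
    likelihood: Likelihood
    consequence: Consequence
    controls: str = "none"
    treatments: list = field(default_factory=list)
    # Estimated position once treatments are implemented; None until planned.
    residual_likelihood: Optional[Likelihood] = None
    residual_consequence: Optional[Consequence] = None

    def current_rating(self) -> str:
        return rating(self.likelihood, self.consequence)

    def residual_rating(self) -> Optional[str]:
        if self.residual_likelihood is None or self.residual_consequence is None:
            return None
        return rating(self.residual_likelihood, self.residual_consequence)


def evaluate_register(register: list, tolerance: str = "medium") -> list:
    """Risk evaluation: order the register by magnitude (highest first) and decide,
    per risk, whether it is tolerable with existing controls or needs treatment.
    Risks accepted as tolerable stay in the output so they remain documented
    and monitored rather than disappearing from view."""
    ordered = sorted(register,
                     key=lambda r: magnitude(r.likelihood, r.consequence), reverse=True)
    rows = []
    for r in ordered:
        current = r.current_rating()
        decision = "treat" if exceeds_tolerance(current, tolerance) else "accept and monitor"
        rows.append((r.description, current, decision, r.residual_rating()))
    return rows


def sample_register() -> list:
    """Constructed sample entries; not drawn from any real assessment."""
    return [
        Risk("Loss of unencrypted laptop holding client records", "information",
             "theft or loss in transit", Likelihood.POSSIBLE, Consequence.SIGNIFICANT,
             controls="asset register only",
             treatments=["full-disk encryption", "remote wipe"],
             residual_likelihood=Likelihood.POSSIBLE, residual_consequence=Consequence.LOW),
        Risk("Tailgating into the server room", "property", "unauthorised visitor",
             Likelihood.UNLIKELY, Consequence.MODERATE, controls="swipe card access"),
        Risk("Phishing of finance staff leading to fraudulent payment", "financial",
             "external criminal actor", Likelihood.LIKELY, Consequence.CATASTROPHIC,
             treatments=["dual authorisation for payments", "awareness training"],
             residual_likelihood=Likelihood.POSSIBLE, residual_consequence=Consequence.MODERATE),
    ]


if __name__ == "__main__":
    for row in evaluate_register(sample_register()):
        print(row)
```

Running the file prints the register in priority order. The residual rating stays `None` for the risk accepted with existing controls, which keeps the "documented and monitored" case visible in the output; the two risks above tolerance show their expected residual rating after treatment, which is the value the register's "Residual risk rating" column records.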

Treat security risks

strategies for risk treatment. This includes a six-step process where entities:

a. prioritise intolerable risks
b. establish treatment options
c. identify and develop treatment options
d. evaluate treatment options
e. detail design and review of chosen options, including the management of
residual risks
f. communicate and implement.

Treatment plans:

a. prioritise the risks to be treated
b. assess current risk; the actual risk once all treatments have been implemented
c. identify gaps and residual risks that remain or require further treatment
d. capture decisions about treatments and actions to be taken to address or treat identified
security risks
e. determine appropriate timeframes to implement treatment, or for when mitigations
need further consideration
f. identify resources, budget allocations, timeframes (defined and measurable) and
responsibilities to achieve required treatment outcomes
g. establish monitoring and reviewing processes.

Risk treatment strategies (examples):

Accept the risk, where:

a. based on judgment or informed decision, the risk is considered to be tolerable (either
before or after treatment)
b. the only option is to retain the risk and continue to monitor it until the circumstances
change and action can be taken
c. taking on increased risk in order to pursue an opportunity where the benefit outweighs
the risk
d. the risk may be considered intolerable but due to capability, resources or exceptional
circumstances may be accepted.

Avoid the risk, by:

i. deciding not to start an activity that gives rise to the risk
ii. removing or reducing the activities or personnel, including contractors, that
create the exposure.

Exploit the risk, by taking or increasing the risk in order to realise the benefit that an
opportunity affords by ensuring the event occurs.

Reduce the risk, by changing the likelihood or consequence (or both) by:
i. implementing new treatments or controls to reduce, deter, delay or detect the
threat or event
ii. improving business processes, training or practices
iii. establishing or improving audit and compliance arrangements, contractual
arrangements, communication channels etc.

Share the risk, where:

i. the risk has no single owner but is shared with another party or parties (eg
through shared services, entities co-located in the same building, inter-entity
taskforce, partnership or joint venture)
ii. the risk may have no apparent owner.

Implementation

Implementation involves deciding on the resources required and who is responsible for
implementing the risk treatments. In addition, implementation details the ongoing
resources needed to maintain the required level of protective security and identifies
resources that may be needed to take additional precautions if the threat level
increases.

Monitoring and review performance

Security risk management requires monitoring to ensure the entity is able to adapt or
respond to incidents and changes in their threat or risk environment, prevent further
exposure to hazards, maintain a positive risk culture and deliver against the PSPF.

Making decisions and implementing risk treatments is not the end of risk management.
The security planning cycle is continuous. Reviewing the external and internal
environments and reconsidering the context allows the entity to determine how
effectively their protective security controls and measures are performing and how they
are achieving the objectives.

Monitoring and reviewing security performance

Key questions to ask when monitoring and reviewing risk may include:

a. Are the controls (and respective implementation strategies) effective in
minimising the risks; how might improvements be made?
b. Are the controls comparatively efficient and cost-effective?
c. Are the assumptions made about the context/environment still valid?
d. Do controls comply with policy requirements, legal obligations and entity
procedures?
e. Is the entity's security planning approach effective in managing security risks and
achieving objectives?

Introduction to the Orange Book

What is the Orange Book in cyber security?

The Trusted Computer System Evaluation Criteria (TCSEC) was used to evaluate, classify,
and select computer systems being considered for the processing, storage, and retrieval
of sensitive or classified information. The TCSEC, frequently referred to as the Orange
Book, is the centerpiece of the DoD Rainbow Series publications.

Management of Risk – Principles and Concepts

In successful organizations, risk management enhances strategic planning and prioritization,
assists in achieving objectives and strengthens the ability to be agile to respond to the
challenges faced. If we are serious about meeting objectives successfully, improving service
delivery and achieving value for money, risk management must be an essential and integral part
of planning and decision-making. While risk practices have improved over time across
government, the volatility, complexity and ambiguity of our operating environment has
increased, as have demands for greater transparency and accountability for managing the
impact of risks.

Risk Management Principles

Risk Management Framework

For the risk management framework to be considered effective, the following principles shall be
applied:

A. Risk management shall be an essential part of governance and leadership, and fundamental
to how the organisation is directed, managed and controlled at all levels.

B. Risk management shall be an integral part of all organisational activities to support decision-
making in achieving objectives.

C. Risk management shall be collaborative and informed by the best available information and
expertise.

D. Risk management processes shall be structured to include:

a. risk identification and assessment to determine and prioritise how the risks should be
managed;
b. the selection, design and implementation of risk treatment options that support achievement
of intended outcomes and manage risks to an acceptable level;

c. the design and operation of integrated, insightful and informative risk monitoring; and
d. timely, accurate and useful risk reporting to enhance the quality of decision-making and to
support management and oversight bodies in meeting their responsibilities.

E. Risk management shall be continually improved through learning and experience.

Governance and Leadership

Risk management shall be an essential part of governance and leadership, and fundamental to
how the organization is directed, managed and controlled at all levels.
Supporting Principles for Governance and Leadership

1. Each public sector organization should establish governance arrangements appropriate to its
business, scale and culture. Human behavior and culture significantly influence all aspects of risk
management at each level and stage. To support the appropriate risk culture, the accounting
officer should ensure that expected values and behaviors are communicated and embedded at
all levels.

2. The accounting officer, supported by the board, should periodically assess whether the
leadership style, opportunities for debate and human resource policies support the desired risk
culture, incentivize expected behaviors and sanction inappropriate behaviors. Where they are
not satisfied, they should direct and manage corrective actions and seek assurances that the
desired risk culture and behaviors are promoted.

3. The board should make a strategic choice about the style, shape and quality of risk
management and should lead the assessment and management of opportunity and risk. The
board should determine and continuously assess the nature and extent of the principal risks
that the organization is exposed to and is willing to take to achieve its objectives - its risk
appetite – and ensure that planning and decision-making reflects this assessment. Effective risk
management should support informed decision-making in line with this risk appetite, ensure
confidence in the response to risks and ensure transparency over the principal risks faced and
how these are managed.

4. The board should ensure that roles and responsibilities for risk management are clear, to
support effective governance and decision-making at each level with appropriate escalation,
aggregation and delegation.

5. The board should agree the frequency and scope of its discussions to review how
management is responding to the principal risks and how this is integrated with other matters,
including planning and performance management processes.

6. Regular reports to the board should provide a balanced assessment of the principal risks and
the effectiveness of risk management. The accounting officer, supported by the Audit and Risk
Assurance Committee, should monitor the quality of the information they receive and ensure
that it is sufficient to allow effective decision-making.

7. The accounting officer, supported by the Audit and Risk Assurance Committee, should
establish the organization’s overall approach to risk management.

8. The accounting officer should designate an individual to be responsible for leading the
organization’s overall approach to risk management, who should be of sufficient seniority and
should report to a level within the organization that allows them to influence effective decision-
making.
9. The accounting officer should ensure the allocation of appropriate resources for risk
management, which can include, but is not limited to, people, skills, experience and
competence.

10. The accounting officer, supported by senior management, must demonstrate leadership and
articulate their continual commitment to, and the value of, risk management through
developing and communicating a policy or statement to the organization and other
stakeholders, which should be periodically reviewed.

Integration
Risk management shall be an integral part of all organisational activities to support decision-
making in achieving objectives.

Supporting Principles

1. The assessment and management of opportunity and risk should be an embedded part of, and
not separate from:

• setting strategy and plans;

• evaluating options and delivering programmes, projects or policy initiatives;

• prioritizing resources;

• supporting efficient and effective operations;

• managing performance;

• managing tangible and intangible assets; and

• delivering improved outcomes.

The accounting officer, supported by senior management, should ensure that risks are
transparent and considered as an integral part of appraising options, evaluating alternatives
and making informed decisions.

2. Effective appraisal supports the assessment of the costs, benefits and risks of alternative ways
to meet objectives.

3. Delivery confidence should be supported through the transparent identification of the
principal risks faced and how those risks will be managed within business and financial plans.

4. The board, and those setting strategy and policy, should use horizon scanning and scenario
planning collectively and collaboratively to identify and consider the nature of emerging risks,
threats and trends. The Government Office for Science ensures that government policies and
decisions are informed by the best scientific evidence and strategic long-term thinking.[7] Some
other common horizon scanning issues are informed by the Civil Contingencies Secretariat
through the National Risk Assessment (NRA).

5. Government has an inherent role in protecting and assuring the public, which includes taking
cost-effective action to reduce risk to a tolerable level and providing accurate and timely
information about risks to the public.[9] Policy leads should take explicit steps to involve the
public, understand what they are concerned about and why and communicate good information
about risk that is targeted to the needs of the audiences involved. Government will:

• be open and transparent about its understanding of the nature of risks to the public and about
the process it is following in handling them;

• seek wide involvement of those concerned in decision-making processes;

• act proportionately and consistently in dealing with risks to the public;

• base decisions for intervention on relevant evidence, including expert risk assessment; and

• place responsibility for managing risks to those best able to control them.

Collaboration and Best Information

Risk management shall be collaborative and informed by the best available information and
expertise.

Supporting Principles

1. The accounting officer, supported by the Audit and Risk Assurance Committee, should
establish risk management activities that cover all types and sources of risk. There may be many
different, but aligned, risk management processes that are applied at different levels within an
organization and across those involved in the end to end delivery of public services.

2. Informative and transparent management information should enable departments and arm’s
length bodies to promote transparency and understanding in achieving the effective
management of risks, including the timely escalation of risks, as necessary, based on agreed
criteria.

3. Risk management processes should be conducted systematically, iteratively and
collaboratively, drawing on the knowledge and views of experts and stakeholders. Information
and perspectives should be supplemented by further enquiry as necessary, should reflect
changes over time and should be appropriately evidenced. Expert risk assessment
methodologies may be highly specialized and may vary depending on the context.

4. Those assessing and managing risks should consult with appropriate external and internal
stakeholders to facilitate the factual, timely, relevant, accurate and understandable exchange of
information and evidence, while considering the confidentiality and integrity of this information.

5. Communication and consultation should also assist relevant stakeholders in understanding the
risks faced, the basis on which decisions are made and the reasons why particular actions are
required and taken.
Communication and consultation should:

• bring together different functions and areas of professional expertise in the management of
risks;

• ensure that different views are appropriately considered when defining risk criteria and when
analyzing risks (see Section D);

• provide sufficient information and evidence to facilitate risk oversight and decision making;
and

• build a sense of inclusiveness and ownership among those affected by risk.

6. Functions within and across organizations should play an integral part in identifying, assessing
and managing the range of risks that can arise and threaten successful delivery against
objectives.

Function leads should provide expert judgement to advise the accounting officer to:

• set feasible and affordable strategies and plans;

• evaluate and develop realistic programs, projects and policy initiatives;

• prioritize and direct resources and the development of capabilities;

• identify and assess risks that can arise and impact the successful achievement of objectives;

• determine the nature and extent of the risks that the organization is willing to take to achieve
its objectives;

• design and operate internal controls in line with good practice; and

• drive innovation and incremental improvements.

Risk Management Processes


Risk management processes shall be structured to include:

a. risk identification and assessment to determine and prioritize how the risks should be
managed;

b. the selection, design and implementation of risk treatment options that support achievement
of intended outcomes and manage risks to an acceptable level;

c. the design and operation of integrated, insightful and informative risk monitoring; and
d. timely, accurate and useful risk reporting to enhance the quality of decision-making and to
support management and oversight bodies in meeting their responsibilities.

Supporting Principles
1. The accounting officer, supported by their nominated individual responsible for leading the
organization’s overall approach to risk management, should ensure the adequate design and
systematic implementation of policies, procedures and practices for risk identification and
assessment, treatment, monitoring and reporting.

2. Risk identification and assessment

Risk identification activities should produce an integrated and holistic view of risks, often
organized by taxonomies or categories of risk.

• tangible and intangible sources of risk;

• changes in the external and internal context;

• uncertainties and assumptions within options, strategies, plans, etc;

• indicators of emerging risks;

• limitations of knowledge and reliability of information; and

• any potential biases and beliefs of those involved.


3. While each risk identified may be important, some form of measurement is necessary to
evaluate their significance to support decision-making. Without a standard for comparison, it is
not possible to compare and aggregate risks across the organization and its extended enterprise.
This prioritization is supported by risk assessment, which incorporates risk analysis and risk
evaluation.

4.The purpose of risk analysis is to support a detailed consideration of the nature and level of
risk. The risk analysis process should use a common set of risk criteria to foster consistent
interpretation and application in defining the level of risk, based on the assessment of the
likelihood of the risk occurring and the consequences should the event happen.

5.Risk analysis can be undertaken with varying degrees of detail and complexity, depending on
the purpose of the analysis, the availability and reliability of evidence and the resources
available.

6.Risk evaluation should involve comparing the results of the risk analysis with the nature and
extent of risks that the organization is willing to take - its risk appetite - to determine where and
what additional action is required.

Options may involve one or more of the following:

• avoiding the risk, if feasible, by deciding not to start or continue with the activity that gives rise
to the risk;

• taking or increasing the risk in order to pursue an opportunity;

• retaining the risk by informed decision;

• changing the likelihood, where possible;

• changing the consequences, including planning contingency activities;

• sharing the risk (e.g. through commercial contracts).

Risk treatment

1. Selecting the most appropriate risk treatment option(s) involves balancing the potential
benefits derived in enhancing the achievement of objectives against the costs, efforts or
disadvantages of proposed actions. Justification for the design of risk treatments and the
operation of internal control is broader than solely economic considerations and should take
into account all of the organisation’s obligations, commitments and stakeholder views.

As part of the selection and development of risk treatments, the organisation should specify
how the chosen option(s) will be implemented, so that arrangements are understood by those
involved and effectiveness can be monitored. This should include:

• the rationale for selection of the option(s), including the expected benefits to be gained;

• the proposed actions;

• those accountable and responsible for approving and implementing the option(s);

• the resources required, including contingencies;

• the key performance measures and control indicators, including early warning indicators;

• the constraints;

• when action(s) are expected to be undertaken and completed; and

• the basis for routine reporting and monitoring.

9. Where appropriate, contingency, containment, crisis, incident and continuity management
arrangements should be developed and communicated to support resilience and recovery if
risks crystallize.

Risk monitoring

10. Monitoring should play a role before, during and after implementation of risk treatment.
Ongoing and continuous monitoring should support understanding of whether and how the risk
profile is changing and the extent to which internal controls are operating as intended to
provide reasonable assurance over the management of risks to an acceptable level in the
achievement of organizational objectives.

11. The results of monitoring and review should be incorporated throughout the organisation’s
wider performance management, measurement and reporting activities. Recording and
reporting aims to:

• transparently communicate risk management activities and outcomes across the organisation;

• provide information for decision-making;

• improve risk management activities; and

• assist interaction with stakeholders, including those with responsibility and accountability for
risk management activities.

12. The “three lines of defence” model sets out how these aspects should operate in an
integrated way to manage risks, design and implement internal control and provide assurance
through ongoing, regular, periodic and ad-hoc monitoring and review.

Risk reporting

13. The board, supported by the Audit and Risk Assurance Committee, should specify the nature,
source, format and frequency of the information that it requires. It should ensure that the
assumptions and models underlying this information are clear so that they can be understood
and, if necessary, challenged. Factors to consider for reporting include, but are not limited to:

• differing stakeholders and their specific information needs and requirements;

• cost, frequency and timeliness of reporting;

• method of reporting; and

• relevance of information to organisational objectives and decision-making.

14. The information should support the board to assess whether decisions are being made within
its risk appetite to successfully achieve objectives, to review the adequacy and effectiveness of
internal controls, and to decide whether any changes are required to re-assess strategy and
objectives, revisit or change policies, reprioritise resources, improve controls, and/or alter their
risk appetite.

15. Clear, informative and useful reports or dashboards should promote key information for each
principal risk to provide visibility over the risk, compare results against key performance/risk
indicators, indicate whether these are within risk appetite, assess the effectiveness of key
management actions and summarize the assurance information available.

16. Principal risks should be subject to “deep dive” reviews by the board and Audit and Risk
Assurance Committee, with those responsible for the management of risks and with appropriate
expertise present, at an appropriate frequency depending on the nature of the risk and the
performance reported.

Continual Improvement

Risk management shall be continually improved through learning and experience.

Supporting Principles

1. The organisation should continually monitor and adapt the risk management framework to
address external and internal changes. The organisation should also continually improve the
suitability, adequacy and effectiveness of the risk management framework. This should be
supported by the consideration of lessons based on experience and, at least annually, review of
the risk management framework and the performance outcomes achieved. Annex 3 contains
questions that may assist in assessing the efficient and effective operation of the risk
management framework.

2. All strategies, policies, programmes and projects should be subject to comprehensive but
proportionate evaluation where practicable to do so. Learning from experience helps to avoid
repeating the same mistakes and helps spread improved practices to benefit current and future
work, outputs and outcomes.

3. Process/capability maturity models or continuums may be used to support a structured
assessment of how well the behaviors, practices and processes of an organization can reliably
and sustainably produce required outcomes. These models may be used as a benchmark for
comparison and to inform improvement opportunities and priorities.

4. As relevant gaps or improvement opportunities are identified, the organisation should develop
plans and tasks and assign them to those accountable for implementation.

Security policy requirements

What are security policy requirements?

A security policy comprises a set of objectives for the company, rules of behavior for users and
administrators, and requirements for system and management that collectively ensure
the security of network and computer systems in an organization. ... It should specify the
mechanisms that you need to meet these requirements.

What is information security policy?

An information security policy (ISP) is a set of rules, policies and procedures designed to
ensure all users and networks within an organization meet minimum IT security and data
protection security requirements.

Security Policies

Security policies are a formal set of rules issued by an organization to ensure that users who
are authorized to access company technology and information assets comply with rules and
guidelines related to the security of information. It is a written document in the organization
that sets out how to protect the organization from threats and how to handle them when they
occur. A security policy is also considered to be a "living document", which means that the
document is never finished but is continuously updated as the requirements of the technology
and the employees change.

Need for Security policies

1) It increases efficiency.

The best thing about having a policy is being able to increase the level of consistency,
which saves time, money and resources. The policy should inform the employees about
their individual duties, telling them what they can and cannot do with the organization's
sensitive information.

2) It upholds discipline and accountability.

When a human mistake occurs and system security is compromised, the security policy of
the organization will back up any disciplinary action and also support a case in a court of
law. The organization's policies act as a contract which proves that the organization has
taken steps to protect its intellectual property, as well as its customers and clients.

3) It can make or break a business deal.

It is not necessary for companies to provide a copy of their information security policy
to other vendors during a business deal that involves the transference of their sensitive
information. This is especially true for bigger businesses, which ensure their own security
interests are protected when dealing with smaller businesses that have less high-end
security systems in place.

4) It helps to educate employees on security literacy.

A well-written security policy can also be seen as an educational document which
informs readers of the importance of their responsibility in protecting the organization's
sensitive data. It covers everything from choosing the right passwords to providing
guidelines for file transfers and data storage, which increases employees' overall
awareness of security and how it can be strengthened.

We use security policies to manage our network security. Most types of security policies
are automatically created during installation. We can also customize policies to suit our
specific environment. Some important cybersecurity policy recommendations are described
below.

1. Virus and Spyware Protection policy

This policy provides the following protection:

o It helps to detect, remove, and repair the side effects of viruses and security
risks by using signatures.

o It helps to detect threats in the files which users try to download by
using reputation data from Download Insight.

o It helps to detect applications that exhibit suspicious behaviour by using
SONAR heuristics and reputation data.

2. Firewall Policy

This policy provides the following protection:

o It blocks unauthorized users from accessing the systems and networks that
connect to the Internet.

o It detects attacks by cybercriminals.

o It removes unwanted sources of network traffic.

3. Intrusion Prevention policy

This policy automatically detects and blocks network attacks and browser attacks. It
also protects applications from vulnerabilities. It checks the contents of one or more
data packets and detects malware that arrives through legitimate channels.

4. LiveUpdate policy

This policy can be categorized into two types: the LiveUpdate Content policy and the
LiveUpdate Settings policy. The LiveUpdate policy contains the settings that determine when
and how client computers download content updates from LiveUpdate. We can define the
computer that clients contact to check for updates and schedule when and how often client
computers check for updates.

5. Application and Device Control

This policy protects a system's resources from applications and manages the peripheral
devices that can attach to a system. The device control policy applies to both Windows
and Mac computers, whereas the application control policy can be applied only to Windows
clients.

6. Exceptions policy

This policy provides the ability to exclude applications and processes from detection by
the virus and spyware scans.

7. Host Integrity policy

This policy provides the ability to define, enforce, and restore the security of client
computers to keep enterprise networks and data secure. We use this policy to ensure
that the client computers which access our network are protected and compliant with the
company's security policies. This policy requires that the client system has antivirus
installed.

ACCOUNTABILITY

Accountability means that it should be possible to trace the actions of an entity uniquely to
that entity. For example, as discussed in the Integrity section, not every employee should be
allowed to make changes to other employees' data. For this there is a separate department in
an organization that is responsible for making such changes; when it receives a request for a
change, that letter must be signed by a higher authority (for example the Director of the
college), and the person allotted that change can make it only after verifying their
biometrics, so a timestamp together with the details of the user making the change gets
recorded. If a change goes through like this, it is possible to trace the actions uniquely to
an entity.

At the core of Information Security is Information Assurance, which means the act of
maintaining the CIA of information, ensuring that information is not compromised in any way
when critical issues arise. These issues are not limited to natural disasters, computer/server
malfunctions etc. The field of information security has grown and evolved significantly in
recent years. It offers many areas for specialization, including securing networks and allied
infrastructure, securing applications and databases, security testing, information systems
auditing, business continuity planning etc.

THE NEED FOR ACCOUNTABILITY:

Even though we have allowed a party to access a resource, we need to ensure that they behave in
accordance with the rules set.

DATA SECURITY
ACCOUNTABILITY:

Provides the means to trace activities in our environment back to their source.

• Depends on identification, authentication, and access control being present so that one can know
who a given transaction is associated with and what permissions were used to allow them to carry it
out.

• Provides sufficient controls to deter or prevent those who would break the rules and abuse
the resources they have access to.

SECURITY BENEFITS OF ACCOUNTABILITY

• NONREPUDIATION

Refers to a situation in which sufficient evidence exists to prevent an individual from successfully
denying that he or she has made a statement, or taken an action.

• Example : system or network logs.

DETERRENCE

If those monitored are aware that they are monitored, and it has been communicated to them that
there will be penalties for acting against the rules, these individuals may think twice before
straying outside the lines.

INTRUSION DETECTION AND PREVENTION

Example: implement alerts based on unusual activities in our environment and check the
information we have logged on a regular basis.

ADMISSIBILITY OF RECORDS:

It is often much easier to prove admissibility when records are produced from a regulated and
consistent tracking system. This means the organization can provide a solid and documented chain of
custody for said evidence such as showing where evidence was at all times, how exactly it passed from
one person to another, how it was protected while it was stored and so on.

AUDITING:

• A methodical examination and review of resources.

• Provides data which can be used for accountability.


WHAT DO WE AUDIT

Password

• Policies must be implemented to dictate how passwords are constructed and used.

Software Licensing

• Ensure that all software used on systems owned by the organization is appropriately licensed.

Internet Usage

• Use of instant messaging, e-mail, file transfers, or other transactions.

LOGGING:

Gives history of the activities that have taken place in the environment being logged.

• Logging mechanisms can be set up to log anything from solely critical events to every action
carried out by the system or software, such as:

• Software error logs

• Hardware failures

• Users logging in and out

• Resource access

• Tasks requiring increased privileges (recorded in most logs)

Logs are available to administrators for review and are usually not modifiable by the users of
the system.

• Logs must be regularly reviewed in order to catch anything unusual in their contents.

• Logs may need to be analyzed in relation to a particular incident or situation.

MONITORING:

A subset of auditing that focuses on observing the environment being monitored in order to
discover undesirable conditions such as failures, resource shortages, security issues, and trends
that might signal the arrival of such conditions.
Typically watching specific items of data collected, such as:

• Resource usage on computers

• Network latency

• Attacks occurring repeatedly against servers with network interfaces exposed to the Internet

• Traffic passing through physical access controls at unusual times of day

• CLIPPING LEVEL – activities occurring at levels above what is normally expected
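As an added example (not part of the original notes), the following Python code applies the clipping-level idea to a handful of constructed sshd log lines: it parses each line, counts failed logins per source address within a sliding window, and reports the sources whose count rises above the clipping level. The syslog-style line format, the one-minute window and the threshold of five are assumptions made for the illustration.

```python
"""Clipping-level monitoring over authentication log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): one source hammers the host
# with six failures in eleven seconds; another user mistypes once, then logs in.
SAMPLE_LOG = """\
Mar 10 09:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:00:03 host1 sshd[2002]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 09:00:04 host1 sshd[2003]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 09:00:06 host1 sshd[2004]: Failed password for alice from 203.0.113.7 port 51025 ssh2
Mar 10 09:00:09 host1 sshd[2005]: Failed password for bob from 203.0.113.7 port 51026 ssh2
Mar 10 09:00:12 host1 sshd[2006]: Failed password for alice from 203.0.113.7 port 51027 ssh2
Mar 10 09:01:30 host1 sshd[2010]: Accepted password for alice from 198.51.100.5 port 40001 ssh2
Mar 10 09:05:00 host1 sshd[2011]: Failed password for alice from 198.51.100.5 port 40002 ssh2
Mar 10 09:05:40 host1 sshd[2012]: Accepted password for alice from 198.51.100.5 port 40003 ssh2
"""

# Assumed line layout: syslog timestamp, host, sshd[pid], then the auth result.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line, year=2024):
    """Return a dict with timestamp, result, user and source IP, or None if the
    line is not an sshd password event (syslog lines carry no year, so one is assumed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def failures_over_clipping_level(log_text, clipping_level=5, window_seconds=60):
    """Return {source_ip: peak_count} for every source whose failed logins within
    any sliding window of window_seconds exceed the clipping level."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["result"] == "Failed":
            by_src[ev["src"]].append(ev["ts"])

    alerts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0                      # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1             # drop events that fell out of the window
            count = end - start + 1
            if count > clipping_level:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


if __name__ == "__main__":
    for src, peak in failures_over_clipping_level(SAMPLE_LOG).items():
        print(f"ALERT {src}: {peak} failed logins within one minute")
```

Only the count within the window is compared against the clipping level; the single failure from 198.51.100.5 is the kind of normal activity the level is meant to ignore, while the burst from 203.0.113.7 is what a reviewer would want surfaced.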

ASSESSMENTS:

A more active route to determining whether everything is as it should be and compliant with relevant
laws, regulations and policies, by examining the environment for vulnerabilities.

• APPROACHES

• Vulnerability Assessment

• Penetration Testing

VULNERABILITY ASSESSMENT:

Involves the use of vulnerability scanning tools in order to locate vulnerabilities.

• NESSUS

• Vulnerability scanning tool that checks target systems to discover which ports are open and then
interrogates each open port to find out exactly which service is listening on the port in question.

• With the information collected, it checks its database of vulnerability information to determine
whether any vulnerability may be present.

PENETRATION TESTING:

Mimicking the techniques an actual attacker may use to penetrate a system.


ASSURANCE AND DOCUMENTATION REQUIREMENTS:

5 ATTRIBUTES OF INFORMATION ASSURANCE REQUIREMENTS

Confidentiality, integrity and availability, also known as the CIA triad, is a
model designed to guide policies for information security within an
organization. The model is also sometimes referred to as the AIC triad
(availability, integrity and confidentiality) to avoid confusion with the Central
Intelligence Agency. Although elements of the triad are three of the most
foundational and crucial cybersecurity needs, experts believe the CIA
triad needs an upgrade to stay effective.

Confidentiality, integrity, availability

The following is a breakdown of the three key concepts that form the CIA
triad:

 Confidentiality measures are designed to prevent sensitive information from
unauthorized access attempts. It is common for data to be categorized according to
the amount and type of damage that could be done if it fell into the wrong hands.
More or less stringent measures can then be implemented according to those
categories.

 Integrity involves maintaining the consistency, accuracy and
trustworthiness of data over its entire lifecycle. Data must not be changed
in transit, and steps must be taken to ensure data cannot be altered by
unauthorized people (for example, in a breach of confidentiality).

 Availability means information should be consistently and readily
accessible for authorized parties. This involves properly maintaining
hardware and technical infrastructure and systems that hold and display
the information.

DOCUMENTATION REQUIREMENTS

Document security, defined in literal terms, is the maintenance of all of the essential documents
stored, filed, backed up, processed, delivered, and eventually disposed of when no longer
needed. ... If the documents are lost, your document storage platform should have the ability to
retrieve them quickly.

Introduction to document Security

Document Security: The protection of documents against the deliberate or accidental access of
unauthorized persons.

Main reasons why organizations need to address the security of electronically shared documents:

◦ Regulatory requirements

◦ Return on investment (ROI)

◦ Information security

Regulatory requirements

Many companies are directly or indirectly affected by government mandates and regulations
for providing consumer privacy.
Return on investment (ROI):

 Significant ROI can be achieved by migrating to electronic business processes

◦ Automated workflows allow prospects, customers, partners, and suppliers to participate,
enabling organizations to reap significant cost savings while improving customer satisfaction and
loyalty.

Information security

Thefts of proprietary information are increasing, which can jeopardize revenue, competitive advantage,
and customer relationships; generate negative publicity; and result in significant penalties and fines for
failure to comply with privacy laws.

How to provide document security:

The following criteria define persistent document security:

• Confidentiality: Who should have access to the document?

• Authorization: What permissions does the user have for working with the document?

• Accountability: What has the recipient done with the document?

• Integrity: How do you know if the document has been altered?

• Non-repudiation: Can the signatory deny signing the document?

• Authenticity: How do you know where the document came from?


Security Techniques

• Document control

• Digital signatures

Document Control

1. Encryption is the process of transforming information (plaintext) into an incomprehensible form
(ciphertext). Encryption is an effective technique for managing document access.

2. Decryption is the reverse process that transforms ciphertext back to the original plaintext.

3. Cryptography refers to the two processes of encryption and decryption, and its implementation is
referred to as a cryptosystem.

Digital signatures:

When enterprises distribute documents electronically, it is often important that recipients can verify:

◦ That the content has not been altered (integrity)

◦ That the document is coming from the actual person who sent it (authenticity)

◦ That an individual who has signed the document cannot deny the signature (non-repudiation).

SIGNATURE PROCESS:

• Data is converted to a PDF document

• A unique hash is computed for the PDF document

• The user-supplied key is used to encrypt the hash

• The encrypted hash is attached to the PDF document

• The document is digitally signed.
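The signature process above carried through in Python, as an added example that is not code from the notes or from any vendor. It assumes SHA-256 as the hash, a textbook RSA key pair built from two fixed and deliberately small primes so that the whole flow runs with the standard library alone (no padding, not a secure key size), a constructed byte string standing in for the PDF, and an invented trailer marker `%%SIG:` for attaching the signature. Beyond the bullet list it also shows the recipient's check rejecting a tampered document and a signature made under a different key.

```python
"""Hash, sign with the signer's key, attach, verify (added example, toy RSA)."""
import hashlib

# Toy key: two known primes (2^61-1 and 2^31-1), chosen only so the example is
# self-contained and fast. A real deployment uses a library and a padded
# scheme such as RSA-PSS or ECDSA with properly generated keys.
P = (1 << 61) - 1
Q = (1 << 31) - 1
N = P * Q
E = 65537                                   # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (signer's key)
SIG_LEN = (N.bit_length() + 7) // 8         # bytes needed to carry a signature
MARKER = b"\n%%SIG:"                        # invented trailer marker for the example


def document_hash(doc: bytes) -> int:
    """Step 2: a unique hash of the document bytes, reduced mod N so it fits the toy key."""
    return int.from_bytes(hashlib.sha256(doc).digest(), "big") % N


def sign(doc: bytes, private_exponent: int = D) -> int:
    """Step 3: 'encrypt' the hash with the signer's private key (RSA signing)."""
    return pow(document_hash(doc), private_exponent, N)


def attach_signature(doc: bytes, signature: int) -> bytes:
    """Step 4: attach the encrypted hash to the document as a trailer."""
    return doc + MARKER + signature.to_bytes(SIG_LEN, "big")


def verify(signed_doc: bytes, public_exponent: int = E) -> bool:
    """Recipient's check: split off the trailer, recover the hash with the signer's
    public key, and compare it against a fresh hash of the content. A match gives
    integrity (content unchanged) and authenticity (made with the matching key)."""
    content, sep, sig_bytes = signed_doc.rpartition(MARKER)
    if not sep or len(sig_bytes) != SIG_LEN:
        return False
    recovered = pow(int.from_bytes(sig_bytes, "big"), public_exponent, N)
    return recovered == document_hash(content)


# Constructed sample content standing in for the PDF (step 1).
DOC = b"%PDF-1.7 constructed sample: pay 100 to alice"
SIGNED = attach_signature(DOC, sign(DOC))              # step 5: a signed document
TAMPERED = SIGNED.replace(b"100", b"900")              # content altered after signing

if __name__ == "__main__":
    print("original verifies:", verify(SIGNED))         # True
    print("tampered verifies:", verify(TAMPERED))       # False
```

Non-repudiation follows from the same check: only the holder of the private exponent could have produced a trailer that verifies under the public exponent, which is why the signing key must stay with the signer.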

Network Security:

Define Network:

A network is a series of points or nodes interconnected by communication paths. A network can
interconnect with other networks and contain sub-networks.

Define Security:

Security is “freedom from risk or danger”: the ability of a system to protect information and system
resources with respect to confidentiality and integrity.

Network security:

Any activities designed to protect your network.

Target: a variety of threats; network security stops them from entering or spreading on your network.

Handled by a network administrator.


Why do we need security?

 Protect vital information while still allowing access to those who need it
– Trade secrets, medical records, etc.
 Provide authentication and access control for resources
– Ex: AFS
 Guarantee availability of resources
– Ex: 5 9’s (99.999% reliability)



Who is vulnerable?
 Financial institutions and banks
 Internet service providers
 Pharmaceutical companies
 Government and defense agencies
 Contractors to various government agencies
 Multinational corporations
 ANYONE ON THE NETWORK


Common security attacks and their countermeasures:

 Finding a way into the network
– Firewalls
 Exploiting software bugs, buffer overflows
– Intrusion Detection Systems
 Denial of Service
– Ingress filtering, IDS
 TCP hijacking
– IPSec
 Packet sniffing
– Encryption (SSH, SSL, HTTPS)
 Social problems
– Education

Firewalls:

 Basic problem – many network applications and protocols have security problems
that are fixed over time
– Difficult for users to keep up with changes and keep host secure
– Solution
• Administrators limit access to end hosts by using a firewall
• Firewall is kept up-to-date by administrators
 A firewall is like a castle with a drawbridge
– Only one point of access into the network
– This can be good or bad
 Can be hardware or software
– Ex. Some routers come with firewall functionality
– ipfw, ipchains, pf on Unix systems; Windows XP and Mac OS X have built-in
firewalls
 Used to filter packets based on a combination of features
– These are called packet filtering firewalls
• There are other types too, but they will not be discussed
– Ex. Drop packets with destination port of 23 (Telnet)
– Can use any combination of IP/UDP/TCP header information
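A packet-filtering firewall of the kind the slides describe, as an added Python example that is not from the lecture: each rule matches on any combination of protocol, source or destination network and destination port, the first matching rule decides, and anything unmatched falls to a default-drop policy (the default is a design choice assumed here, not something the slides specify). The rule set, the addresses (IPv4 documentation ranges) and the packet records are all constructed for the example; a real filter such as pf or ipfw applies the same first-match idea to headers in the kernel.

```python
"""First-match packet filter over constructed packet headers (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """The header fields a stateless filter looks at."""
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None      # destination port; None for protocols without one


@dataclass(frozen=True)
class Rule:
    """A field left as None matches anything, so rules can be as broad or narrow as needed."""
    action: str                      # "allow" or "drop"
    proto: Optional[str] = None
    src: Optional[str] = None        # CIDR notation
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.proto is None or self.proto == pkt.proto)
            and (self.src is None or ip_address(pkt.src) in ip_network(self.src))
            and (self.dst is None or ip_address(pkt.dst) in ip_network(self.dst))
            and (self.dport is None or self.dport == pkt.dport)
        )


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """Walk the rule list top to bottom; the first match wins. Packets that match
    nothing get the default policy, which here is to drop (deny by default)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed rule set for a small site. 192.0.2.0/24 is assumed to be the LAN,
# 192.0.2.10 a public web server and 192.0.2.53 the resolver.
RULES = [
    Rule("drop", proto="tcp", dport=23),                          # the slides' example: no Telnet
    Rule("allow", proto="tcp", dst="192.0.2.10/32", dport=443),   # HTTPS to the web server from anywhere
    Rule("allow", proto="tcp", src="192.0.2.0/24", dport=22),     # SSH only from the LAN
    Rule("allow", proto="udp", dst="192.0.2.53/32", dport=53),    # DNS to the resolver
]

if __name__ == "__main__":
    for pkt in [
        Packet("203.0.113.5", "192.0.2.10", "tcp", 23),    # Telnet from outside -> drop
        Packet("203.0.113.5", "192.0.2.10", "tcp", 443),   # HTTPS from outside -> allow
        Packet("203.0.113.5", "192.0.2.10", "tcp", 22),    # SSH from outside -> drop (default)
        Packet("192.0.2.20", "192.0.2.10", "tcp", 22),     # SSH from the LAN -> allow
    ]:
        print(pkt, "->", filter_packet(RULES, pkt))
```

Because the Telnet rule comes first, it wins even for LAN sources; ordering is part of the policy, which is why rule lists are reviewed top to bottom when auditing a firewall.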

Intrusion Detection:

 Used to monitor for “suspicious activity” on a network
 Can protect against known software exploits, like buffer overflows
 Open Source IDS: Snort, www.snort.org.
 Uses “intrusion signatures”
– Well known patterns of behavior
– Ping sweeps, port scanning, web server indexing, OS fingerprinting, DoS
attempts, etc.

Dictionary Attack:

 We can run a dictionary attack on the passwords
– The passwords in /etc/passwd are encrypted with the crypt(3) function
(one-way hash)
– Can take a dictionary of words, crypt() them all, and compare with the
hashed passwords
 This is why your passwords should be meaningless random junk!
– For example, “sdfo839f” is a good password
• That is not my andrew password
• Please don’t try it either

Denial of Service:

 Purpose: Make a network service unusable, usually by overloading the server or
network
 Many different kinds of DoS attacks
– SYN flooding
– SMURF
– Distributed attacks

Mini Case Study: Code-Red.

 SYN flooding attack
 Send SYN packets with bogus source address
– Why?
 Server responds with SYN ACK and keeps state about TCP half-open connection
– Eventually, server memory is exhausted with this state
 Solution: use “SYN cookies”
– In response to a SYN, create a special “cookie” for the connection, and
forget everything else
– Then, can recreate the forgotten information when the ACK comes in from
a legitimate connection
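SYN cookies as described on the slides, worked through in Python as an added example (not code from the lecture or from any operating system's TCP stack). The cookie layout follows the classic scheme: a 5-bit time counter, a 3-bit index into a table of MSS values, and a 24-bit keyed hash over the connection 4-tuple, the client's initial sequence number and the counter. The secret, the MSS table and the addresses are constructed; the "time" is an integer counter supplied by the caller rather than a real clock.

```python
"""SYN-cookie generation and validation: state lives in the sequence number (added example)."""
import hashlib
import hmac
import struct
from ipaddress import ip_address

SECRET = b"constructed-server-secret"   # assumed per-server secret; rotated in practice
MSS_TABLE = [536, 1220, 1440, 1460]     # constructed subset of MSS values the 3-bit field can encode


def _mac24(src, dst, sport, dport, client_isn, t):
    """24-bit keyed hash binding a cookie to one connection attempt in one time slot."""
    data = struct.pack("!4s4sHHII", ip_address(src).packed, ip_address(dst).packed,
                       sport, dport, client_isn, t)
    return int.from_bytes(hmac.new(SECRET, data, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, dst, sport, dport, client_isn, t, mss_index):
    """Server ISN placed in the SYN-ACK. Nothing about the half-open connection is
    stored: the cookie is the state. Bits 31-27 time counter, 26-24 MSS index, 23-0 MAC."""
    if not 0 <= mss_index < len(MSS_TABLE):
        raise ValueError("unencodable MSS index")
    return ((t & 0x1F) << 27) | (mss_index << 24) | _mac24(src, dst, sport, dport, client_isn, t)


def check_syn_cookie(src, dst, sport, dport, client_isn, ack, now, max_age=4):
    """Validate the handshake's final ACK and recreate the forgotten information.
    client_isn is the client's sequence number minus one (what the server acknowledged).
    Returns the MSS to rebuild the connection with, or None if the cookie is stale,
    forged, or issued for a different 4-tuple."""
    cookie = (ack - 1) & 0xFFFFFFFF         # client acknowledges our ISN + 1
    t = cookie >> 27
    if ((now & 0x1F) - t) & 0x1F > max_age:
        return None                          # counter moved on: cookie too old
    expected = _mac24(src, dst, sport, dport, client_isn, t).to_bytes(3, "big")
    if not hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"), expected):
        return None                          # MAC mismatch: not a cookie this server issued
    idx = (cookie >> 24) & 0x7
    return MSS_TABLE[idx] if idx < len(MSS_TABLE) else None


def handshake_demo():
    """A legitimate client completes the handshake one time slot after its SYN.
    A flood of spoofed SYNs would each get a SYN-ACK but cost the server no memory,
    since no ACK ever arrives and nothing was stored."""
    client, server = "203.0.113.9", "192.0.2.10"    # constructed documentation addresses
    cookie = make_syn_cookie(client, server, 40000, 80, client_isn=1000, t=7, mss_index=3)
    return check_syn_cookie(client, server, 40000, 80, 1000, cookie + 1, now=8)


if __name__ == "__main__":
    print("recovered MSS:", handshake_demo())      # 1460
```

The cost of the scheme is visible in the code: only what fits in 32 bits survives (here the MSS), so TCP options that were in the original SYN are lost, which is why real stacks enable cookies only when the SYN queue is under pressure.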

TCP Attacks:

 Recall how IP works…
– End hosts create IP packets and routers process them purely based on
destination address alone
 Problem: End hosts may lie about other fields which do not affect delivery
– Source address – host may trick destination into believing that the packet
is from a trusted source
• Especially applications which use IP addresses as a simple
authentication method
• Solution – use better authentication methods
 TCP connections have associated state
– Starting sequence numbers, port numbers
 Problem – what if an attacker learns these values?
– Port numbers are sometimes well known to begin with (ex. HTTP uses port
80)
– Sequence numbers are sometimes chosen in very predictable ways

Packet Sniffing:

 Recall how Ethernet works …
 When someone wants to send a packet to someone else …
 They put the bits on the wire with the destination MAC address …
 And remember that other hosts are listening on the wire to detect collisions …
 It couldn’t get any easier to figure out what data is being transmitted over the
network!
 This works for wireless too!
 In fact, it works for any broadcast-based medium

Social Problems:

 People can be just as dangerous as unprotected computer systems
– People can be lied to, manipulated, bribed, threatened, harmed, tortured,
etc. to give up valuable information
– Most humans will break down once they are at the “harmed” stage, unless
they have been specially trained
• Think government here…
