
Information Security Governance & Risk Management
Fundamentals of Information Security
Information Security Management System (ISMS)
Life Cycle (SDLC) Management
(Feasibility) – May not apply
Project initiation – Senior Management Direction
Functional Requirements – Business Unit Needs (assurance requirements)
System Design – Architect a solution
Develop/Acquire – SMEs, “Verification”
Installation/Implementation – Testing, UAT, “Validation”, C&A
Operation/Maintenance – Monitoring, Audits
Retirement/Disposal – Data Retention / Leakage
ISC2 Code of Ethics
• Code of Ethics Preamble:
– Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
• Code of Ethics Canons:
– Protect society, the commonwealth, and the infrastructure
– Act honorably, honestly, justly, responsibly, and legally
– Provide diligent and competent service to principals
– Advance and protect the profession
Ethics & The Internet (RFC-1087)
• Characterized as unethical and unacceptable any activity which purposely:
– (a) seeks to gain unauthorized access to the resources of the Internet
– (b) disrupts the intended use of the Internet
– (c) wastes resources (people, capacity, computer) through such actions
– (d) destroys the integrity of computer-based information and/or
– (e) compromises the privacy of users
http://tools.ietf.org/html/rfc1087
Joe Lewis Fighting Systems Code of Ethics
“To Advantage All Without Disadvantaging Any”
Buckminster Fuller (1895-1983)
IT Governance Objectives

• Understanding the Enterprise
• Organizational Governance Roles
• Security Fundamentals
• Risk Management
• Compliance
• HR Security
• Training, Awareness & Education
Gap Analysis

• Determine desired position
– Business objectives
– Laws and regulations
• Determine current position
– Internal audits
• Close the gap
– Prioritize based on business and risk
Types of Laws

• Civil law
– Tort
– Contract
– Property
• Criminal law
• Administrative (regulatory or business) law

Intellectual Property Laws

• Trade Secret
• Trademark
• Copyright
• Patent

WIPO
WTO
OECD
ISO/IEC 27001:2005 (updated 27001:2013)

• Two kinds of information security requirements:
– Methodological (Sections 4-8): how to develop and manage an ISMS
• 4 Establish ISMS
• 5 Management responsibility
• 6 Internal ISMS audits
• 7 Management review of the ISMS
• 8 ISMS improvement
– Security Controls (Annex A): pinpoint controls that ought to make up an ISMS
Time Management
• What is Time?
– Part of the fundamental structure of the universe, a dimension in which events occur in sequence
– Part of the fundamental intellectual structure (together with space and number) within which we sequence events
• What is Time Management?
– Commonly defined as the management of time in order to make the most out of it.

http://en.wikipedia.org/wiki
Managing the Fourth Dimension

• Time Management Processes
• Planning Horizons
– Operational
• Day to day
– Tactical
• Mid term
– Strategic
• Long term
Process Management

• Main Entry: pro·cess
• Etymology: Middle English proces, from Anglo-French procés, from Latin processus, from procedere
– 1 a : PROGRESS, ADVANCE <in the process of time> b : something going on : PROCEEDING

http://www.m-w.com/dictionary/process
Quality Management

• Walter Andrew Shewhart
– Western Electric Company
– Improve reliability of transmission systems
– Reducing frequency of failures and repairs
– Reducing variation in a process
• William Edwards Deming
– US Department of Agriculture
– Japanese Union of Scientists and Engineers
– Collaborated with Shewhart to create PDSA
Models

• Plan Do Check Act (PDCA)
• Observe, Orient, Decide and Act (OODA)
• Capability Maturity Model Integration (CMMI)
• Six Sigma
• CobiT and COSO

Plan Do Check Act
W. Edwards Deming
The OODA Loop
• Originated by military strategist Col. John Boyd of the United States Air Force.
• Defines four overlapping and interacting processes
• Adopted by business and public for continuity planning.
Capability Maturity Model Integration ®
• Carnegie-Mellon Software Engineering Institute (SEI)
• A process improvement maturity model for development of products and services
• Maturity Levels
– 0 - Incomplete
– 1 - Initial
– 2 - Repeatable
– 3 - Defined
– 4 - Quantitatively Managed
– 5 - Optimized
Plan Do Check Act

• Define ISMS Requirements
• Describe present state
• Inventory alternatives
• Design preferred state
• Develop evaluation criteria
• Develop strategies
• Document process
Governance “Steering”

• Provide “Top Down” management:
– Direction and Policy
– Resources
– Strategic representation “oversight”
• Identify
– Assets
– Risks
– Countermeasures
Directive Documentation

• Generally What:
– Policies
• Goals
• Specifically How:
– Standards – Specifications for techniques and technologies “Shall”
– Procedures – Step by step instructions
– Baselines – Reference points of unacceptable risk
– Guidelines – Suggestions “Should”
Threats
• Malicious attacks
• Accidents
• Natural Disasters
• Fatigue
• Legal liabilities
• Cost to quality

Fundamental Security Goals

• Security Objectives:
– Availability
– Integrity
– Confidentiality

Roles and Responsibilities

• Senior Management
• Functional Management
• CIO
• CSSO
• Users
• Independent Auditors
– Internal
– External
RACI Charts

• Responsible
– "The Doer"
• Accountable
– "The Buck Stops Here"
• Consult
– "Prior to making a decision"
• Inform
– "After decision is made"

NIST SDLC
• Initiation
– Sensitivity assessment
• Development / acquisition
– Determine security requirements & risk assessment
– Incorporate requirements into specifications
– Obtain the system (build/buy) & related activities
• Implementation
– Install and turn on
– Testing / certification / accreditation
NIST SDLC

• Operation / maintenance
– Security operations & administration
– Operational assurance (monitor/audit)
– Change management
– Periodic re-accreditation
• Disposal

NIST SDLC (SP800-100)

Certification

• Document providing official evidence: an official document that gives proof and details of something, for example, personal status, educational achievements, ownership, or authenticity
• [15th century. From, ultimately, medieval Latin certificatum, from the past participle of late Latin certificare “to certify” (see certify). The underlying idea is of a document that makes something certain.]
• Microsoft® Encarta® Reference Library 2004. © 1993-2003 Microsoft Corporation. All rights reserved.
Accreditation

• Give authority: to give somebody the authority to perform a function (usually passive)
• [Early 17th century. From French accréditer “to believe (firmly),” from crédit (see credit).]
• Microsoft® Encarta® Reference Library 2004. © 1993-2003 Microsoft Corporation. All rights reserved.
SP800-12 Accreditation

SP800-12 SDLC

ISO/IEC 27001 Section 4.2

• Establishing and managing the ISMS
– 4.2.1 Establish the ISMS
– 4.2.2 Implement and operate the ISMS
– 4.2.3 Monitor and review the ISMS
– 4.2.4 Maintain and improve the ISMS
Risk* Management
Preventing, Detecting & Responding to unforeseen dangers
*From the Greek “Rhiza” = cliffs under water.

• Due Diligence (think before you act)
– Risk Assessment/Analysis
– Identifying and assessing methods of reducing risks
• Due Care (take actions)
– Risk Mitigation / Handling (also Treatment)
– Selection & management of cost-effective security controls
Quantitative Analysis
• “You can only speak matter of factually about what you can measure”*
• Objective numeric metrics:
– Real numbers
– Concrete percentages
– Monetary values
• Certification
• Insufficient data

*Robert Anton Wilson
Qualitative Analysis

• Subjective rankings
– Experience
– Intuition
– Feelings
• Accreditation
• Brainstorming
• The Delphi technique

Important Terminologies!!!
• Assets – Anything of Value
– Ownership, valuation, classification, entitlements
• Threats – Things that can cause Loss of Value
– Threat Agent – Source of a threat
• Vulnerability – Weakness/limitation of the asset
• Exposure – Vulnerability is accessible to threat source
Important Terminologies!!!
• Impact – Amount of loss
• Likelihood – Frequency of threat
• Exploit – An incident of an actual loss event
• Controls – Safeguards/Measures/Countermeasures
– Control Failure Policies

Value versus Cost

• Value – Assets
– Subjective
– Qualitative
• Cost – Controls
– Objective
– Quantitative (TCO)
• Cost Benefit Analysis
Asset Valuation Factors

• Price others are willing to pay
– Example – real estate
• “Replacement Costs”
Loss Criteria
• Life
• Branding / Reputation
• Initial loss versus delayed loss
• Aggregate Losses:
– Asset
– Productivity
– Opportunity (how to quantify?)

Threat Analysis
• Threat Taxonomy:
– Man made
• Accidental (most common!!!)
• Intentional
– Natural
– (Technical)

SP800-100 Risk Assessment

Control Analysis

• Development / Acquisition costs
• Design/planning costs
• Implementation costs
• Environment modifications
• Compatibility with other countermeasures
• Maintenance / Testing
• Operating support costs
• Effects on productivity
Control Categories

• Preventive
• Detective
• Responsive
– Correct
– Recover
Control Gap
• A “gap” in coverage
• Percentage of asset not protected by control. For example, if insurance covers 80% of loss, then the Control Gap = 20%
Residual Risk (SP800-30)

Cost Benefit Analysis

• Single Loss Expectancy (SLE)
– Asset Value (AV) x Exposure Factor (EF)
• Annualized Loss Expectancy (ALE)
– SLE x Annualized Rate of Occurrence (ARO)
• Risk x Control Gap = Residual Risk
Example
Over the last 10 years a company had 4 outages. The quantifiable impact for each event is the following:
Cost of recovery: $50,000
Loss of productivity: $30,000
TOTAL IMPACT: $80,000

What’s the ALE for the company’s losses?

a) $3,200
b) $32,000
c) $160,000
d) $1,600
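As an added illustration (not code from the slide deck), the SLE, ALE and Control Gap formulas from the preceding slides applied to the outage scenario above, with the Control Gap slide's 80% insurance figure combined with the ALE as a constructed extension to show residual risk in dollars:

```python
def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor (EF is the fraction of value lost, 0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def annualized_rate_of_occurrence(events: int, years: float) -> float:
    """ARO estimated from history: events observed divided by the observation window."""
    if years <= 0:
        raise ValueError("observation window must be positive")
    return events / years


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO."""
    return sle * aro


def control_gap(coverage: float) -> float:
    """Fraction of the loss a control does NOT absorb, e.g. 80% insured -> 0.20 gap."""
    if not 0.0 <= coverage <= 1.0:
        raise ValueError("coverage must be a fraction between 0 and 1")
    return 1.0 - coverage


def residual_risk(risk: float, gap: float) -> float:
    """Residual Risk = Risk x Control Gap (risk expressed here as an ALE in dollars)."""
    return risk * gap


def outage_example() -> dict:
    """The slide's scenario: 4 outages in 10 years, $80,000 impact per event.
    Each outage loses the full $80,000 impact, so EF = 1.0 against that figure."""
    impact_per_event = 50_000 + 30_000          # recovery cost + lost productivity
    sle = single_loss_expectancy(impact_per_event, 1.0)
    aro = annualized_rate_of_occurrence(events=4, years=10)
    ale = annualized_loss_expectancy(sle, aro)
    # Constructed extension (assumption, not on the slide): if insurance reimbursed
    # 80% of each outage, the 20% control gap leaves this residual annualized exposure.
    resid = residual_risk(ale, control_gap(0.80))
    return {"SLE": sle, "ARO": aro, "ALE": ale, "residual_ALE": resid}


if __name__ == "__main__":
    for name, value in outage_example().items():
        print(f"{name}: {value:,.2f}")
```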
Risk Handling / Treatment

• Avoid / Termination
• Reduce
– Planning
– Technologies
– Training
• Transfer
• Accept “risk appetite”
• Reject – Negligence!
Accepted Risk Business Continuity

• Risk Appetite
– Qualitative risk culture of an organization
– How much is one willing to eat?
• Risk Tolerance
– Quantitative metrics to monitor compliance
– Allows organization to detect and respond
appropriately to changes in risk
• Business Continuity Management
– Policies, plans and procedures to respond to
accepted risk
SP800-100 Risk Mitigation

Plan Do Check Act (SP800-50)

• Implement / Operate ISMS
• Awareness
– Everyone
• Training
– Administrators
• Education
– Management
ISO/IEC 27001 Section 5

• Management responsibilities
– Commitment
– Provision of resources
• People
• Funding
• Time
• Location

Plan Do Check Act

• Reviewing the ISMS
• Audits and Auditing
• Monitoring
ISO/IEC 27001 Section 6

• Internal Audit of control objectives, controls, processes and procedures of its ISMS:
– A) Conform to the requirements of this International Standard and relevant legislation or regulations
– B) Conform to the identified information security requirements
– C) Are effectively implemented and maintained
– D) Perform as expected.
ISO/IEC 27001 Section 7

• Management Review
• General
– Defining review policy
– Schedule
• At least once a year
• Inputs
– Audits
– Other stakeholder feedback
• Outputs
– Improvement plans
– Other remediation

Plan Do Check Act

• ISO/IEC 27001 Section 8
• Maintain & improve ISMS
• Make adjustments
• Promote change
• Publicize successes
Summary

• ISMS
• Security Mindset
• IT Governance
• Risk management
• Knowledge Transfer
• Continual improvement
