
Lecture 3 (10-02-2020)
Information Security Management
Dr. Muhammad Nadeem Sial
muhammad.sial@kcl.ac.uk, nadeem_606@yahoo.com
Course Outline
• Information Security Governance & Risk Management
• Cryptography
• Access Control
• Telecommunication and Network Security
• Software Development Security
• Security Architecture & Design
• Operations Security
• Business Continuity & Disaster Recovery Planning
• Legal, Regulations, Investigations and Compliance
• Physical (Environment) Security
Course Outline (CISSP Official Study Guide, 7th Edition, by James Michael Stewart et al.)
• Info Security Governance & Risk Mgt
  • Chapter 1: Security Governance Through Principles and Policies
  • Chapter 2: Personnel Security and Risk Mgt Concepts
  • Chapter 5: Protecting Security of Assets
• Cryptography
  • Chapter 6: Cryptography and Symmetric Key Algorithms
  • Chapter 7: PKI and Cryptographic Applications
• Access Control
  • Chapter 13: Managing Identity and Authentication
  • Chapter 14: Controlling and Monitoring Access
• Telecommunication and NW Security
  • Chapter 11: Secure Network Architecture and Securing Network Components
  • Chapter 12: Secure Comm and Network Attacks
• Software Dev Security
  • Chapter 20: Software Dev Security
  • Chapter 21: Malicious Code and Application Attacks
• Security Architecture & Design
  • Chapter 8: Principles of Security Models, Design & Capabilities
  • Chapter 9: Security Vulnerabilities, Threats and Countermeasures
  • Chapter 15: Security Assessment and Testing
• Operations Security
  • Chapter 16: Managing Security Operations
• Business Continuity & Disaster Recovery Planning
  • Chapter 3: Business Continuity Planning
  • Chapter 17: Preventing and Responding to Incidents
  • Chapter 18: Disaster Recovery Planning
• Legal, Regulations, Investigations and Compliance
  • Chapter 4: Laws, Regulations, and Compliance
  • Chapter 19: Investigations and Ethics
• Physical (Environment) Security
  • Chapter 10: Physical Security Requirements
Course Outline (ISM Standards)
• FIPS 140-2 (Radio Encryptors, Crypto Modules, IP Encryptor, Encryption Boards, Secure USB / Token, Secure Gateway)
• Common Criteria (IDS, IPS, OS, Firewall, Router, Trusted Computing, Enterprise Security Mgmt Access Control, VoIP, IPE, Mobile Devices, Biometric Verification Mechanisms)
• Security Models
  • ISO 27001:2013 & 2005
• Security & Audit Frameworks, Methodologies and Architecture
  • ISO 27001
  • CoBIT
  • COSO
  • NIST SP 800-53, Minimum Security Controls for Federal IT Systems
  • SABSA (Zachman Framework)
  • ToGAF
• Risk Assessment Methodologies / Risk Analysis & Management
  • SP 800-30: Risk Management Guide for Information Technology Systems
  • ISO 27005
  • ISO 31000 Risk Management
  • CCTA Risk Analysis & Management Method (CRAMM)
  • Operationally Critical Threat Asset Vulnerability Evaluation (OCTAVE)
• Other standards and guidance
  • Information Technology Infrastructure Library (ITIL) - Best practices for IT Service Management by UK government
  • Special Publication 800-27, Engineering Principles for Information Technology Security (EP-ITS), NIST 33 Security Principles
  • ISO/IEC 17799 or BS 7799: Information Technology – Code of Practice for Information Security Management
  • RFC 2196, Site Security Handbook
  • SP 800-12, Computer Security Handbook
  • SP 800-14, Generally Accepted Security Principles & Practices
  • SP 800-18, Guide for Developing Security Plans
  • SP 800-26, Security Self-Assessment Guide - IT Systems
  • VISA International Security Model
  • Gold Standard
  • SP 800-37, Guidelines for the Security Certification and Accreditation of Federal IT Systems
  • NIST SP 800-160 Volume 1 (NIST 800-64), Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
[Diagram: the ISM standards above grouped by area - Common Criteria (IDS, IPS, OS, Firewall, Router, Trusted Computing, Enterprise Security Management Access Control, VoIP, IP Encryptor, Mobile Devices, Biometric Verification Mechanisms); FIPS 140-2 (Radio Encryptors, Crypto Modules, IP Encryptor, Encryption Boards, Secure USB / Token, Secure Gateway); Phases of System Development Life Cycle (SDLC) (NIST SP 800-160 Volume 1 / NIST 800-64, ITIL, OCTAVE); Risk Assessment Methodologies / Risk Analysis & Management (SP 800-30, ISO 27005, ISO 31000, CRAMM); Security & Audit Frameworks, Methodologies and Architecture (ISO 27001, CoBIT, COSO, NIST 800-53, SABSA / Zachman Framework, ToGAF)]
Projects & Case Studies

Topic Proposal & Approval
• Submit your proposed topic with objectives / scope / selected organization / system for case study
• Select an organization / system to apply the selected topic for the case study
• Deadline: 17 Feb, 2020

Case Study
• Study relevant documents / standards
• Study overall organizational IS architecture / system security architecture
• Apply the selected standard for organization / system assessment
• Weaknesses? Suggestions? Improvements?

Project Report
• Prepare results, vulnerabilities, suggestions and assessment along with recommendations
• Deadline: 2 weeks after Mid Term Exam

Presentation
• Presentation will be for 15-20 minutes
• After the presentation there will be a 5 minute question & answer session

Information Security Governance & Risk Management
Information Security Governance & Risk Management
• Understand the organization's security program, with a focus on protecting information technology (IT) assets
• Understand the organization's goals, mission, and objectives in order to develop security policies, standards, and procedures that support the mission of the organization
• Risk management is an ongoing process that identifies asset values and then attempts to identify and prioritize risks to these assets
• Develop a risk management program that addresses the security triad principles (confidentiality, integrity, availability) either directly or indirectly
Info Sec Governance & Risk Mgmt: Definition
• Security governance is the collection of practices related to supporting, defining, and directing the security efforts of an organization
• Security governance is closely related to corporate and IT governance
• The common goal of organizational governance is to
  • Ensure that the organization will continue to exist and will grow or expand over time
  • Maintain business processes while striving toward growth and resiliency
Info Sec Governance & Risk Mgmt: Aspects of Governance
• Legislative and regulatory compliance needs
• Auditing and validation (government regulations or industry best practices)
• Industry guidelines or license requirements
Info Sec Governance & Risk Mgmt: Summary
• Security governance is the implementation of a security solution and a management method that are tightly interconnected
• Security needs to be managed and governed throughout the organization, not just in the IT department
• Security is an organizational process, not just IT administration
• Security is a business operational issue
Info Sec Governance & Risk Mgmt: Objectives
• Align Security Function to Goals, Mission & Objectives
• Security Governance
• Concepts of confidentiality, integrity and availability
• Develop & Implement Security Policy
• Manage the Information Lifecycle
• Manage Third-party Governance
• Manage Personnel Security
• Risk Management
• Develop and manage security education, training & awareness
• Manage Security Function

Align Security Function to Goals, Mission & Objectives of Organization
Information Security Governance & Risk Management
Align Security Function to Goals, Mission & Objectives of Organization
• Alignment with the organization's goals, mission and objectives is necessary
• Security controls are implemented to protect the organization's assets in line with the vision of executive management
• The primary consideration when evaluating threats and vulnerabilities against an organization is to safeguard its assets
• Different organizations view risks differently
• Assets owned and valued by one organization might not be valued by another organization
Align Security Function to Goals, Mission & Objectives of Organization
• A primary goal of any information security program is to protect the confidentiality, integrity and availability of an organization's assets
• Preventing the loss of confidentiality, integrity and availability is to be reflected in an organization's security policy
• Technology alone cannot provide security by itself
• People within the organization implement security through effective processes and supporting technology
Align Security Function: Methods to Protect CIA
• People
• Processes
• Technology
Align Security Function: Documents
• Security Program
  • Security Policy
    • Standards, Procedures & Guidelines
Align Security Function: Summary
• A security program's primary goal is to reduce risk to an organization's assets
• A security policy (or policies) is approved by management and should include their vision related to the goals, mission and objectives of the organization
• Members of the organization then use the security policy to develop standards, procedures and guidelines
• National Institute of Standards and Technology (NIST) Special Publication 800-30, "Risk Management Guide for IT Systems," provides excellent coverage of many risk management topics
Security Governance
Information Security Governance & Risk Management
Understand & Apply Security Governance
• Security governance refers to the different elements used to control and manage overall security within an organization through processes, personnel and tools
• Ensure compliance with all applicable laws & regulations
• Exercise due diligence to discover risks and due care to protect against known risks
• Formal control frameworks
Understand & Apply Security Governance: Organizational Processes

Core set of principles for an effective ISG program
• The CEO should conduct an annual information security evaluation, review the results with staff and report on performance to the board of directors
• Organizations should conduct periodic risk assessments of information assets as part of the risk management program
• Organizations should implement policies & procedures based on risk assessments to secure information assets
• The organization should establish a security management structure to assign explicit individual roles, responsibilities, authority and accountability
• Organizations should develop plans and initiate actions to provide adequate information security for networks
• Treat information security as an integral part of the system life cycle
• Provide awareness, training and education to all personnel
• Periodically test and evaluate the effectiveness of policies and procedures
• Create and execute a plan for remedial actions to counter any deficiency
• Develop and maintain a cyber response mechanism
• Ensure continuity of operations
• Follow good security practice guidelines, e.g. ISO/IEC 27002
Understand & Apply Security Governance: Objectives
• Organizational Processes (acquisitions, governance committees)
  • Security steering committee?
• Security roles and responsibilities
  • Role of senior management?
  • Responsibilities of data owners?
• Due Diligence
  • What is the relationship of due diligence with due care?
• Due Care
  • How is negligence related to due care?
• Legislative and regulatory compliance
  • Relation between a security policy and local laws & regulations?
• Control Frameworks
  • What is COBIT?
  • What is COSO?
• Privacy Requirements compliance
  • What is personally identifiable information (PII) and what is the organization's responsibility related to it?
Understand & Apply Security Governance: Organizational Processes

Effective Security Governance Program
• Ensures that security concerns are addressed in all organizational processes
• It is better to make a system or product secure before it is implemented than to try to secure it afterwards
• The security governance program developed by the organization shall balance risk & cost
• The goal is to purchase & implement security controls that limit risk and support the organization's overall mission

Steering Committee
• Makes decisions on strategic and tactical issues for an organization
• A security steering committee makes security-based decisions to help define acceptable levels of risk for the organization
• A security-based steering committee includes input from multiple individuals throughout the organization
• They meet regularly to review changes to the security policies and programs
Understand & Apply Security Governance: Organizational Processes

An organization might have multiple governance committees
• A steering committee includes several executives and provides overall direction for the organization
• An oversight or audit committee provides oversight for internal functions
• These committees will typically report to the board of directors

An audit committee is used to validate an organization's internal controls
• An audit committee can gather data from either internal or external entities
• The goal is to evaluate the integrity of financial data, security controls, auditor performance and compliance with applicable laws & regulations
• Provides input to top-level management, including the chief executive officer (CEO) and board of directors
Understand & Apply Security Governance: Security Roles & Responsibilities
• Security responsibilities are shared among multiple roles within an organization
• Senior Management
  • Senior personnel typically have broad overall responsibility for assets
  • Provides definitions for data and data owners, then ensures that data is managed based on the sensitivity or value of the data
  • Senior management has multiple roles well beyond assigning a security manager
  • Roles that report to senior personnel are assigned more specific responsibilities based on assets
• Data Owners
  • Responsible for properly labeling, marking, and protecting their data
  • Labels and marks (such as secret or confidential) are based on the definitions used by senior management
Understand & Apply Security Governance: Security Roles & Responsibilities

Senior Management Roles
• Providing public support for the security policy
• Identifying / approving definitions for data classifications
• Identifying data owners
• Ensuring the security policy accurately reflects the organization's goals, mission and objectives
Understand & Apply Security Governance: Security Roles & Responsibilities
• Users
  • Access data during day-to-day tasks
  • Responsible for following procedures for accessing and using data
• Data Custodians
  • IT personnel who are responsible for maintaining and protecting the data
• Data Owners
  • Management personnel having overall responsibility for protecting their data, including proper labeling and marking
  • Overall responsibility for all data under their purview
• Senior Management
  • Overall responsibility and accountability for all security
  • Can delegate their authority to lower roles to manage responsibility, but cannot delegate responsibility
Information Security Governance: Typical Organization Chart
• President (Board of Directors / Trustees)
  • CIO
    • Security Director
      • Security Analyst
      • Project Security Architect
      • Enterprise Security Architect
      • System Auditor
Understand & Apply Security Governance: Security Roles & Responsibilities

Roles & Responsibilities of Senior Management: Board of Directors / Senior Management
• Approving policy and appropriate monitoring and metrics coupled with reporting and trend analysis
• Knowledge of the organization's information assets and their criticality to ongoing business operations
• Validate / ratify the key assets they want to protect and their protection levels and priorities
• Endorse essential security requirements so that a security culture prevails at all levels of the enterprise
• Provide a level of oversight of the activities of information security
Understand & Apply Security Governance: Security Roles & Responsibilities

Roles & Responsibilities of Senior Management: Executive Management
• Support security governance by pursuing the security objectives of the organization
• Alignment of information security activities in support of business objectives, with a balance between performance, cost and security
• Integration and cooperation between business process owners
• Ensure that needed organizational functions, resources and supporting infrastructure are available and properly utilized to fulfill the information-security-related directives of the board, regulatory compliance and other demands
Understand & Apply Security Governance: Security Roles & Responsibilities

Roles & Responsibilities of Senior Management: Steering Committee
• Comprised of senior representatives of relevant groups / departments
• Achieve consensus on priorities and tradeoffs among stakeholders
• Serve as an effective communication channel to ensure alignment of the security program with business objectives
• Modification of behaviors to be more security conscious
Understand & Apply Security Governance: Security Roles & Responsibilities

Roles & Responsibilities of the CISO
• The role may be held by the CIO, CEO, CFO or CSO
• Designating a senior information security officer
• Developing and maintaining an agency-wide information security program
• Developing and maintaining information security policies, procedures, and control techniques to address all applicable requirements
• Ensuring compliance with applicable information security requirements
• Reporting periodically, in coordination with the other senior agency officials, to the agency head on the effectiveness of the agency information security program, including progress of remedial actions
• Obtaining senior-level management commitment and establishing reporting and communication channels
Understand & Apply Security Governance: Security Roles & Responsibilities

Obtaining Senior Management Commitment
• Aligning security objectives with business objectives, enabling senior management to understand and apply the security policies and procedures
• Identifying potential consequences of failing to achieve certain security-related objectives and regulatory compliance
• Identifying budget items so that senior management can quantify the costs of the security program
• Utilizing commonly accepted project risk / benefit financial models, such as total cost of ownership (TCO) or return on investment (ROI), to quantify the benefits and costs of the program
• Defining the monitoring and auditing measures that will be included in the security program
Understand & Apply Security Governance: Security Roles & Responsibilities

An adequate level of support for IS by senior management is evident from:
• Clear approval and support for formal security strategies and policies
• Monitoring and measuring organizational performance in implementing security policies
• Supporting security awareness and training for all staff throughout the organization
• Adequate resources and sufficient authority to implement and maintain security activities
• Treating IS as a critical business issue and creating a security-positive environment
• Demonstrating to third parties that the organization deals with IS in a professional manner
• Providing high-level insight and control
• Periodically reviewing IS effectiveness
• Setting an example by adhering to the organization's security policies and procedures
Understand & Apply Security Governance: Security Roles & Responsibilities

Establishing Communication
• Senior Management
  • Attend business strategy meetings to become more aware of and understand the updated business strategies and objectives
  • Periodic one-to-one meetings held with senior management to understand the business objectives from their perspective
• Business Process Owners
  • Join operations review meetings to understand the challenges and requirements of daily operations and their dependencies
  • Initiate monthly one-to-one meetings with different process owners to gain continued support in the implementation of information security governance and address current individual security-related issues
Understand & Apply Security Governance: Security Roles & Responsibilities

Establishing Communication
• Other Management
  • Line managers, supervisors and department heads charged with various security and risk management-related functions, including ensuring adequate security requirement awareness and policy compliance, must be informed of their responsibilities
• Employees
  • Timely training and education programs
  • Centralized on-boarding training program for new hires
  • Organizational education material on updated strategies and policies
  • Personnel instructed to access the intranet or e-mail-based notifications for periodic reminders or ad hoc adaptations
  • Support senior management and business process owners by assigning an information security governance coordinator within each functional unit to obtain accurate feedback on daily practices in a timely manner
Information Security Governance: Security Oriented Organization
• President (Board of Directors / Trustees)
  • CIO
    • IT Audit Manager
      • System Auditor
    • Security Director
      • Enterprise Security Architect
      • Project Security Architect
      • Security Analyst
Information Security Governance: Security Oriented Organization (with independent audit)
• President (Board of Directors / Trustees)
  • Audit Committee
    • Internal Audit
      • IT Audit Manager
        • System Auditor
  • CIO
    • Security Director
      • Enterprise Security Architect
      • Project Security Architect
      • Security Analyst
Q&A