
Security Models

What to Learn
The types of security models available to IT security managers

Standards in use by certain industries

A range of established security models

Some academic security models that can be used to verify aspects of security

A closer look at some data classification models


“Everything that can be invented, has been invented”

(Punch Magazine, 1899) (Crouch, n.d.)


Don’t reinvent the wheel
Yep, we’re saying it again!

Formal models provide a standard or accepted way of doing things.
– Developed or ratified by governing bodies, professional groups, standards bodies and government agencies.

If you use a good model, all you need to do is justify WHY you chose that model
– No need to justify every minor decision
Image: CC0 via pixabay.com
A broad range of models
Models, standards and practices can cover a wide variety of industries,
technologies, scenarios and situations.
Security models can be used to guide business practices, for example:
‒ Australian Cyber Security Centre’s Information Security Manual
‒ ISO 27000
Some models may be very specific to certain security requirements:
‒ access control model
‒ document classification model
‒ secure computing architecture
‒ “secure boot” model
Some industry groups also use standards to check compliance.
– The Payment Card Industry Data Security Standard (PCI DSS)
Formal security management models
InfoSec models are standards that are used for reference or comparison and often serve as the stepping-off point for emulation and adoption

One way to select a methodology is to adapt or adopt an existing security management model or set of practices

Because each InfoSec environment is unique, you may need to modify or adapt portions of several frameworks; what works well for one organization may not precisely fit another
Source: Management of Information Security, 5th Edition - © Cengage Learning
Blueprints, frameworks and security models
The communities of interest accountable for the security of an organization’s
information assets must design a working security plan and then implement a
management model to execute and maintain that plan
This may begin with the creation or validation of a security framework, followed by an
InfoSec blueprint that describes existing controls and identifies other necessary
security controls
A framework or security model is the outline of the more thorough and organization-specific blueprint
These documents form the basis for the design, selection, and initial and ongoing
implementation of all subsequent security controls, including policy, SETA and
technologies
Adapted from: Management of Information Security, 5th Edition - © Cengage Learning
Blueprints, frameworks and security models
To generate a usable security blueprint, most organizations draw on
established security frameworks, models, and practices
Another way to create a blueprint is to look at the paths taken by other
organizations
In this kind of benchmarking, you follow the recommended practices or
industry standards
Benchmarking can help to determine which controls should be
considered, but it cannot determine how those controls should be
implemented in your organization
Adapted from: Management of Information Security, 5th Edition - © Cengage Learning
Established models help support your decisions
From models to practice
Remember:
‒ models are standards or ideals for imitation.
‒ practices are the customs and procedures of your organisation.

If you decide to develop your own models, you need to also prove your
models are secure and your decisions reasonable. (How?)

Building your practices on well established, well tested and trusted models means you can focus on the job of implementing models.
Benchmarking
Benchmarking can be used as an internal tool to compare
current performance against past performance and to
look for trends of improvement or areas that need
additional work
In information security, two categories of benchmarks are
used
‒ Standards of due care and due diligence
‒ Recommended practices or best security practices
Best practices include a sub-category of practices—called the gold standard—that are generally regarded as “the best of the best”
Source: Management of Information Security, 5th Edition - © Cengage Learning
Standards of due care/due diligence
For legal reasons, certain organizations may be compelled to adopt a stipulated minimum level of security; to establish a future legal defense they may need to verify that they have done what any prudent organization would do in similar circumstances. This is known as a standard of due care
Due diligence requires that an organization ensure that the implemented
standards continue to provide the required level of protection
Organizations must make sure that they have met a reasonable level of security
in all areas and that they have adequately protected all information assets
before making efforts to improve individual areas to meet the highest
standards
Source: Management of Information Security, 5th Edition - © Cengage Learning
Selecting recommended practices
Industries that are regulated by laws and standards and are
subject to government or industry oversight are required
to meet the regulatory or industry guidelines in their
security practices

For other organizations, government and industry guidelines can serve as excellent sources of information about what is required to control InfoSec risks
Source: Management of Information Security, 5th Edition - © Cengage Learning
Selecting recommended practices
When choosing from among recommended practices for your
organization, consider the following:
Does your organization resemble the identified target organization of the
recommended practice?
Are you in a similar industry as the target?
Do you face similar challenges as the target?
Is your organizational structure similar to the target?
Are the resources you can expend similar to those called for by the
recommended practice?
Are you in a similar threat environment as the one assumed by the
recommended practice?
Source: Management of Information Security, 5th Edition - © Cengage Learning
Limitations to benchmarking and
recommended practices
A barrier to benchmarking in information security is secrecy (a successful attack is viewed as an organizational failure, and is kept secret)
Another barrier to benchmarking is that no two organizations are identical
Organizations that offer products or services in the same market may differ
dramatically in size, composition, management philosophy, organizational
culture, technological infrastructure, and planned expenditures for security
A third problem with benchmarking is that recommended practices are a
moving target
Knowing what happened a few years ago, which is typical in benchmarking,
does not necessarily tell you what to do next

Adapted from: Management of Information Security, 5th Edition - © Cengage Learning


Let’s get this party started

Waahooo!

Up next: some existing security management models and frameworks


Existing security models and frameworks
Many security models and frameworks have been freely
published by government departments, standards groups,
and private organisations.
Some organisations may choose an existing framework based
on their clients, for example:
– a company that develops products for the Australian Department of Defence may try to be compliant with the Australian Information Security Manual (ISM)
– a point-of-sale system manufacturer may need to demonstrate compliance
with the PCI DSS (Payment Card Industry Data Security Standard).
Australian Government
Information Security Manual (ISM)

Published by the Australian Cyber Security Centre

Dozens of guidelines for
– physical security
– communications systems
– software development
– ICT equipment management
– personnel security
(and much more)
Australian Government
Information Security Manual (ISM)

“...assist organisations in using their risk management framework to protect their information and systems from cyber threats”

“...based on the experience of the Australian Cyber Security Centre (ACSC) and the Australian Signals Directorate (ASD)”

“discusses both governance and technical concepts in order to support the protection of organisations’ information and systems”
NIST security models and frameworks
NIST documents have two notable advantages:
they are publicly available at no charge
they have been available for some time and thus have been broadly reviewed
(and updated) by government and industry professionals
– SP 800-12, Computer Security Handbook
– SP 800-14, Generally Accepted Security Principles & Practices
– SP 800-18, Rev. 1, Guide for Developing Security Plans for Federal Information Systems
– SP 800-30, Rev. 1, Guide for Conducting Risk Assessments
– SP 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and
Organizations
– SP 800-53A, Rev. 4, Assessing Security and Privacy Controls in Federal Information
Systems and Organizations: Building Effective Assessment Plans

Adapted from: Management of Information Security, 5th Edition - © Cengage Learning


PCI DSS
(Payment Card Industry Data Security Standard)

A set of practices defined and administered by the Payment Card Industry Security Standards Council (PCI SSC)

PCI SSC established by the major credit card companies: Visa, MasterCard, American Express, JCB International and Discover.
PCI DSS
(Payment Card Industry Data Security Standard)

The PCI SSC:
...maintains, evolves, and promotes the Payment Card Industry Security Standards. It also provides critical tools needed for implementation of the standards such as assessment and scanning qualifications, self-assessment questionnaires, training and education, and product certification programs. (PCI Security Standards Council, n.d.)
PCI DSS
(Payment Card Industry Data Security Standard)
Area 1: Build and maintain a secure network and systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Area 2: Protect cardholder data


3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks

Area 3: Maintain a vulnerability management program


5. Protect all systems against malware and regularly update antivirus software or programs
6. Develop and maintain secure systems and applications

Adapted from: Management of Information Security, 5th Edition - © Cengage Learning


PCI DSS
(Payment Card Industry Data Security Standard)
Area 4: Implement strong access control measures
7. Restrict access to cardholder data by a business’s need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data

Area 5: Regularly monitor and test networks


10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Area 6: Maintain an information security policy


12. Maintain a policy that addresses information security for all personnel

Adapted from: Management of Information Security, 5th Edition - © Cengage Learning


The ISO 27000 series

ISO/IEC 27002:2013 provides information on 14 security control clauses and addresses 35 control objectives and more than 110 individual controls

Its companion document, ISO/IEC 27001:2013, provides information for how to implement ISO/IEC 27002 and set up an Information Security Management System (ISMS)

Adapted from: Management of Information Security, 5th Edition - © Cengage Learning


ISO/IEC 27001 - major process steps

Adapted from: Management of Information Security, 5th Edition - © Cengage Learning


Control Objectives for Information and related
Technology (COBIT)
Control Objectives for Information and related Technology (COBIT) also provides advice about the implementation of sound controls and control objectives for InfoSec
COBIT was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992
COBIT 5 provides five principles focused on the governance and management of IT in an
organization:
– Principle 1: Meeting Stakeholder Needs
– Principle 2: Covering the Enterprise End-to-End
– Principle 3: Applying a Single, Integrated Framework
– Principle 4: Enabling a Holistic Approach
– Principle 5: Separating Governance From Management

Adapted from: Management of Information Security, 5th Edition - © Cengage Learning


Information Technology Infrastructure Library (ITIL)
The Information Technology Infrastructure Library (ITIL) is a collection
of methods and practices useful for managing the development and
operation of information technology infrastructures

The ITIL has been produced as a series of books, each of which covers
an IT management topic

Since it includes a detailed description of many significant IT-related practices, it can be tailored to many IT organizations

Adapted from: Management of Information Security, 5th Edition - © Cengage Learning


Information Security Governance Framework

The Information Security Governance Framework is a managerial model which provides guidance in the development and implementation of an organizational information security governance structure

The core of the Information Security Governance Framework includes recommendations for the responsibilities of members of an organization

Adapted from: Management of Information Security, 5th Edition - © Cengage Learning


ZZzzzzzzz.....______

Wake up, I think they’re talking about us!

Up next... Using technical models to manage security


Function specific security models

Similar to organisational security models, function specific security models exist to formalise and analyse security components such as:
Access control
Data classification schemes
Security architecture

Image: CC0 via pixabay.com


Access control models
Access controls regulate the admission of users into trusted areas of the organization—both the logical access to the information systems and the physical access to the organization’s facilities

Access control is maintained by means of a collection of policies, programs to carry out those policies, and technologies that enforce policies
Source: Management of Information Security, 5th Edition - © Cengage Learning
Access control models
The general application of access control comprises four
processes:
obtaining the identity of the entity requesting access to a logical or
physical area (identification)
confirming the identity of the entity seeking access to a logical or
physical area (authentication)
determining which actions an authenticated entity can perform in
that physical or logical area (authorization)
and finally, documenting the activities of the authorized individual
and systems (accountability)
Source: Management of Information Security, 5th Edition - © Cengage Learning
Access control models
Access control is built on several key principles:
Least privilege: The principle by which members of the organization
can access the minimum amount of information for the minimum
amount of time necessary to perform their required duties
Need to Know: Limits a user’s access to the specific information
required to perform the currently assigned task, and not merely to
the category of data required for a general work function
Separation of Duties: A control requiring that significant tasks be split
up in such a way that more than one individual is responsible for
their completion
Source: Management of Information Security, 5th Edition - © Cengage Learning
Categories of access controls and examples

Source: Management of Information Security, 5th Edition - © Cengage Learning


NIST control categories
Management — Controls that cover security processes that are designed by
strategic planners, integrated into the organization’s management practices,
and routinely used by security administrators to design, implement, and
monitor other control systems
Operational (or Administrative) — Controls that deal with the operational
functions of security that have been integrated into the repeatable
processes of the organization
Technical — Controls that support the tactical portion of a security program and
that have been implemented as reactive mechanisms to deal with the
immediate needs of the organization as it responds to the realities of the
technical environment

Source: Management of Information Security, 5th Edition - © Cengage Learning


Mandatory Access Controls (MACs)
A Mandatory Access Control (MAC) is required and is structured and coordinated within a data classification scheme that rates each collection of information as well as each user

These ratings are often referred to as sensitivity levels or classification levels

When MACs are implemented, users and data owners have limited control over access to information resources

Source: Management of Information Security, 5th Edition - © Cengage Learning


Shhh.. It’s a secret!

“... shut up!”

Up next... Models for classifying data


Data classification models
Data owners must classify the information assets for which they are responsible and
review the classifications periodically
Australian Government Attorney-General’s Department defines a multi-purpose, multi-level classification scheme
‒ Divides information into official and unofficial categories.
‒ Official information can be classified as sensitive, protected, secret or top-secret.
The U.S. military uses a four-level classification scheme, as defined in Executive Order 13526 (2009), which is similar to the Australian scheme.
Simple scheme for other organizations:
‒ Public
‒ For official (or internal) use only
‒ Confidential (or Sensitive)

Adapted from: Management of Information Security, 5th Edition - © Cengage Learning


The AGD Protective Security Policy Framework

Published by the Australian Government Attorney-General’s Department (AGD).

“details how entities correctly classify their information and adopt handling arrangements that guard against information compromise”

Framework to identify information assets, in order to develop protective security controls.
Security clearance to access classified information
In a security clearance structure, each user of an information asset is assigned an authorization level that indicates the highest level of information classification they may access

Most organizations have developed roles and corresponding security clearances so individuals are assigned into authorization levels correlating with the classifications of the information assets

In the need-to-know principle, regardless of one’s security clearance, an individual is not allowed to view data simply because it falls within that individual’s level of clearance
Source: Management of Information Security, 5th Edition - © Cengage Learning
AGD - Protective Security Policy Framework

Source: Australian Government Attorney-General’s Department, 2018




Marking classified documents with cover sheets

But... who on earth prints documents these days?


Consider: how do you mark digital documents?
Summary
“Everything that can be invented, has been invented”

Security models, standards and practices exist because organisations have developed them to address their security risks

Standards provide a “reference or comparison and often serve as the stepping-off point for emulation and adoption”

A framework or security model is the outline of the more thorough and organization-specific blueprint
Summary (cont.)

Benchmarking can be used as an internal tool to compare current performance against past performance.

InfoSec uses two types of standards and benchmarks:
– Standards of due care and due diligence
– Recommended practices or best security practices
Summary (cont.)
Security models and frameworks provide a reference list of
security items that must be addressed.
Some models include prescriptive information about how to
address particular concerns.
Security models and standards have been published by many organisations, for example: the Australian Cyber Security Centre (ACSC); the Australian Attorney-General’s Department (AGD); the US-based National Institute of Standards and Technology (NIST); the International Standards Organisation (ISO).
Summary (cont.)

Security models can be organisational, or function specific.

Organisational security models can advise on industry best practice for an organisation’s operations.

Function specific security models focus on particular requirements such as access controls, information classification or hardware security.
References
Australian Cyber Security Centre. (2019, January). Australian Government Information Security Manual. Retrieved from https://cyber.gov.au/business/publications/australian-government-information-security-manual-ism/pdf/Australian_Government_Information_Security_Manual.pdf
Australian Government Attorney-General’s Department. (2018). Protective Security Policy Framework. Retrieved from https://www.protectivesecurity.gov.au/information/sensitive-classified-information/Documents/pspf-infosec-08-sensitive-classified-information.pdf
Crouch, D. (2011). Tracing the Quote: Everything that can be Invented has been Invented. Retrieved 10 February
2019, from
https://patentlyo.com/patent/2011/01/tracing-the-quote-everything-that-can-be-invented-has-been-invented.html
Hubbard, D. W., & Seiersen, R. (2016). How to Measure Anything in Cybersecurity Risk. Hoboken, NJ, USA: John
Wiley & Sons, Inc. https://doi.org/10.1002/9781119162315
Macquarie dictionary : Australia’s national dictionary online. (2003). [North Ryde, N.S.W.]: Macquarie Library.
PCI Security Standards Council. (n.d.). Official PCI Security Standards Council Site - Verify PCI Compliance,
Download Data Security and Credit Card Security Standards. Retrieved 10 February 2019, from
https://www.pcisecuritystandards.org/about_us/
Punch Magazine. (1899). Joke: The Coming Century.
Whitman, M. E., & Mattord, H. J. (2016). Management of Information Security. Mason, OH, United States: Cengage Learning. Retrieved from http://ebookcentral.proquest.com/lib/ecu/detail.action?docID=5231253
