
BCS2014

Cyber Security

Lecture 3:
Cyber Security Management Concepts
Learning Objectives
• Discuss the importance, benefits, and desired outcomes of
information security governance and how such a program would be
implemented
• Describe the dominant InfoSec management models, including
international standards-based models
• Explain why access control is an essential element of InfoSec
management

Information Security Governance
• Governance is
- “The set of responsibilities and practices exercised by the board and
executive management with the goal of providing strategic direction,
ensuring that objectives are achieved, ascertaining that risks are
managed appropriately, and verifying that the enterprise’s resources
are used responsibly”.

• Information Security Governance is
- a framework of policies, practices, and strategies that align
organizational resources toward protecting information through
cybersecurity measures
Information Security Governance (Cont.)
• The governance of InfoSec is a strategic planning responsibility whose
importance has grown in recent years.

• InfoSec objectives must be addressed at the highest levels of an
organization's management team in order to be effective and offer a
sustainable approach.
The ITGI Approach to Information Security Governance
(ITGI is a recognized authority on governance in IT and eventually in
information security.)

• According to the Information Technology Governance Institute (ITGI), InfoSec
governance includes all the accountabilities and methods undertaken by the
board of directors and executive management to provide:
- strategic direction,
- establishment of objectives,
- measurement of progress toward those objectives,
- verification that risk management practices are appropriate, and
- validation that the organization’s assets are used properly.
The ITGI Approach to Information
Security Governance (Cont.)
• ITGI recommends that boards of directors supervise strategic InfoSec
objectives by:
1. Creating and promoting a culture that recognizes the criticality of
information and InfoSec to the organization.
2. Verifying that management’s investment in InfoSec is properly aligned
with organizational strategies and the organization’s risk environment.
3. Mandating and assuring that a comprehensive InfoSec program is
developed and implemented.
4. Requiring reports from the various layers of management on the InfoSec
program’s effectiveness and adequacy.
Desired Outcomes
Five basic outcomes of InfoSec governance:
• Strategic alignment of InfoSec with business strategy
• Risk management
• Resource management
• Performance measurement
• Value delivery
Benefits of InfoSec Governance
• An increase in share value for organizations.
• Increased predictability and reduced uncertainty of business operations by lowering
information-security-related risks to definable and acceptable levels.
• Protection from the increasing potential for civil or legal liability as a result of
information inaccuracy or the absence of due care.
• Optimization of the allocation of limited security resources.
• Assurance of effective InfoSec policy and policy compliance.
• A firm foundation for efficient and effective risk management, process
improvement, and rapid incident response.
• A level of assurance that critical decisions are not based on faulty information.
• Accountability for safeguarding information during critical business activities.
NCSP Framework for InfoSec Governance
• According to the Corporate Governance Task Force (CGTF), an advisory group
from the National Cyber Security Partnership (NCSP), the organization should
engage in a core set of activities suited to its needs to guide the development and
implementation of the InfoSec governance program:
- Conduct an annual InfoSec evaluation, the results of which the CEO should
review with staff and then report to the board of directors.
- Conduct periodic risk assessments of information assets as part of a risk
management program.
- Implement policies and procedures based on risk assessments to secure
information assets.
- Establish a security management structure to assign explicit individual roles,
responsibilities, authority, and accountability.
NCSP Framework for InfoSec Governance (Cont.)
- Develop plans and initiate actions to provide adequate InfoSec for networks,
facilities, systems, and information.
- Treat InfoSec as an integral part of the system life cycle.
- Provide InfoSec awareness, training, and education to personnel.
- Conduct periodic testing and evaluation of the effectiveness of InfoSec policies
and procedures.
- Create and execute a plan for remedial action to address any InfoSec
deficiencies.
- Develop and implement incident response procedures.
- Establish plans, procedures, and tests to provide continuity of operations.
- Use security best practices guidance, such as the ISO 27000 series, to measure
InfoSec performance.
CGTF General Governance Framework
• CGTF framework applies the IDEAL model to InfoSec governance, which has
incredible flexibility and has been adapted to a wide variety of process
improvement methodologies.
- I – Initiating: Lay the groundwork for a successful improvement effort.
- D – Diagnosing: Determine where you are relative to where you want to be.
- E – Establishing: Plan the specifics of how you will reach your destination.
- A – Acting: Do the work according to the plan.
- L – Learning: Learn from the experience and improve your ability to
adopt new improvements in the future.
InfoSec Governance Responsibilities

[Figure: Security Governance Roles and Responsibilities Example]
ISO/IEC 27014: Governance of Information Security
• ISO 27014:2013 is the ISO 27000 series standard for Governance of Information Security.
• The standard specifies six high-level “action-oriented” information security governance
principles:
1. Establish organization-wide information security
2. Adopt a risk-based approach
3. Set the direction of investment decisions
4. Ensure conformance with internal and external requirements
5. Foster a security-positive environment
6. Review performance in relation to business outcomes
ISO/IEC 27014: Governance of Information Security (Cont.)
• Provides brief recommendations for the assessment of an InfoSec governance
program.
• Promotes five governance processes, which would be adopted by the organization’s
executive management and its governing board:
- Evaluate – review the status of current and projected progress toward
organizational objectives.
- Direct – provide instruction for developing or implementing changes to the
security program.
- Monitor – the review and assessment of organizational InfoSec performance.
- Communicate – the interaction between the governing body and external
stakeholders.
- Assure – the assessment of organizational efforts by external entities such as
certification or accreditation groups.
ISO/IEC 27014: Governance of Information Security (Cont.)

[Figure] Source: Rachel J. Mahncke (2013), The Applicability of ISO/IEC27014:2013 For Use Within
General Medical Practice, Australian eHealth Informatics and Security Conference.
Cybersecurity Governance
• The process of managing, directing, controlling, and influencing
organizational decisions, actions, and behaviors
• The Board of Directors is usually responsible for overseeing the policy
development
• Effective security requires a distributed governance model with the
active involvement of stakeholders, decision makers, and users

Copyright 2019 Pearson Education, Inc.
Distributed Governance Model
• Chief information security officer (CISO)
• Cybersecurity steering committee
• Compliance officer
• Privacy officer
• Internal audit
• Incident response team
• Data owners
• Data custodians
• Data users
Characteristics of a Good Governance
Program
• Examines the organization’s environment, operations, culture, and
threat landscape against industry standard frameworks
• Aligns compliance to organization risk
• Incorporates business processes
• Enables companies to measure progress against mandates and
achieve compliance standards

Introduction to Blueprints, Frameworks
and Security Models
• In information security, a blueprint is a framework or security model
customized to an organization, including the implementation details
• A framework is a specification of a model to be followed during the
design, selection and initial and ongoing implementation of all
subsequent security controls.
• These include InfoSec policies, security education and training programs, and
technological controls
• A security model is also known as a framework
Introduction to Blueprints, Frameworks
and Security Models
• A framework / security model is a generic outline of the more
thorough and organization-specific blueprint.
• The framework / model describes what the end product should look
like
• The blueprint includes information on how to get there and is
customized to a specific organization
Security Management Models
• There are as many security management models as there are
consultants who offer them
• Organizations may therefore seek existing management models to use within their
InfoSec processes
• Among the most accessible places to find a quality security
management model are U.S. federal agencies and international
standard-setting organizations
Security Management Models
• The ISO 27000 series: One of the most widely referenced InfoSec
management models is Information Technology – Code of Practice for
Information Security Management
• It was originally published as British Standard BS7799
• In 2000, the Code of Practice was adopted as an international standard
framework for InfoSec by the International Organization for Standardization
(ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC
17799
• The original purpose of ISO/IEC 17799: to offer guidance for the management
of InfoSec to individuals responsible for their organization’s security programs
Security Management Models
• The document was revised in 2005 (ISO 17799:2005) and in 2007 it
was renamed as ISO 27002 to align it with the document ISO 27001.
• ISO/IEC 27002 is focused on a broad overview of the various areas of
security, providing information on 127 controls over 10 areas
• ISO/IEC 27001 provides information on how to implement ISO/IEC
27002 and how to set up an information security management system
(ISMS)

Security Management Models
• ISO/IEC 27002:2013 is a broad overview of the various areas of
security
• It provides information on 14 security control clauses
• Also addresses 35 control objectives and more than 110 individual
controls
• The details of ISO/IEC 27002:2013 (the most recent version) are only
available to those who purchase the standard. Its structure and
general organization are well known
Security Management Models

[Figure] Source: Whitman, M. E., & Mattord, H. J. (2019). Management
of Information Security (6th ed.). Cengage Learning. ISBN: 9781337671545
ISO 27000 series current and planned standards

[Figure] Source: Whitman, M. E., & Mattord, H. J. (2019). Management
of Information Security (6th ed.). Cengage Learning. ISBN: 9781337671545
Security Architecture Models
• Security architecture models illustrate InfoSec implementations and
help organizations quickly make improvements through adaptation
• Formal models form the basic approach that an implementation uses;
they do not usually find their way directly into usable implementations.
• Models may be implemented in, or focus on:
• Computer hardware and software
• Policies and practices
• Both of the above
• The integrity of the information
Security Architecture Models:
TCSEC and the trusted computing base (TCB)

• The Trusted Computer System Evaluation Criteria (TCSEC) was an older
DoD standard that defined the criteria for assessing the access controls
in a computer system
• This standard was part of a larger series of standards collectively
referred to as the “Rainbow Series”
• TCSEC is also known as the “Orange Book”
• TCSEC defined a trusted computing base (TCB) as the combination of all
hardware, firmware and software responsible for enforcing the security
policy
• Security policy – the rules of configuration for a system, rather than a managerial
guidance document
Access Control Models
• Access control is the selective method by which systems specify who
may use a particular resource and how they may use it.
• It regulates the admission of users into trusted areas of the
organization – both logical access to information systems and physical
access to the organization’s facilities
• It is maintained by means of a collection of policies, programs to carry
out those policies, and technologies that enforce policies

Access Control Models

[Figure: Types of access control process – identification, authentication,
authorization, accountability]
Access Control Models
• The general application of access control comprises 4
processes:
• Identification – obtaining the identity of the entity requesting
access to a logical or physical area
• Authentication – confirming the identity of the entity seeking
access to a logical or physical area
• Authorization – determining which actions an authenticated entity
can perform in that physical or logical area
• Accountability – documenting the activities of the authorized
individual and system
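The four processes above are easiest to see as one request passing through four checkpoints. The following is an added example, not code from the lecture or its source textbook: a small access control object that identifies the requester, authenticates the claim with a salted PBKDF2 hash compared in constant time, authorizes the (resource, action) pair, and writes every decision to an audit log for accountability. The user names, passwords, resource names and permission tuples are constructed for the demonstration.

```python
"""Added example, not part of the lecture slides: the four access control
processes (identification, authentication, authorization, accountability)
applied to one request. All user names, passwords, resource names and
permissions below are constructed for the demonstration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so a leaked credential store does not yield
    # reusable secrets; PBKDF2-HMAC-SHA256 is in the standard library.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    permissions: set          # (resource, action) pairs granted to this identity


@dataclass
class AccessControl:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # the accountability record

    def enroll(self, user_id: str, password: str, permissions) -> None:
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt,
                                         hash_password(password, salt),
                                         set(permissions))

    def request(self, claimed_id: str, password: str, resource: str, action: str) -> str:
        # 1. Identification: the requester presents a claimed identity.
        account = self.accounts.get(claimed_id)
        if account is None:
            return self._record(claimed_id, resource, action, "DENY", "unknown identity")
        # 2. Authentication: the claim is verified against the stored credential,
        #    compared in constant time so the comparison leaks nothing about the match.
        if not hmac.compare_digest(hash_password(password, account.salt), account.pw_hash):
            return self._record(claimed_id, resource, action, "DENY", "authentication failed")
        # 3. Authorization: is this action on this resource permitted for this identity?
        if (resource, action) not in account.permissions:
            return self._record(claimed_id, resource, action, "DENY", "not authorized")
        return self._record(claimed_id, resource, action, "ALLOW", "permitted")

    def _record(self, user: str, resource: str, action: str, decision: str, reason: str) -> str:
        # 4. Accountability: every decision, allowed or denied, is written to the log
        #    so activity can later be attributed to an individual or system.
        self.audit_log.append({"user": user, "resource": resource,
                               "action": action, "decision": decision, "reason": reason})
        return decision


if __name__ == "__main__":
    ac = AccessControl()
    ac.enroll("alice", "correct horse battery staple", {("payroll", "read")})
    print(ac.request("alice", "correct horse battery staple", "payroll", "read"))   # ALLOW
    print(ac.request("alice", "wrong password", "payroll", "read"))                  # DENY
    print(ac.request("alice", "correct horse battery staple", "payroll", "write"))  # DENY
    for entry in ac.audit_log:
        print(entry)
```

Note that denials are logged with the same care as successes: a run of "authentication failed" entries for one identity is exactly the signal a detective control later looks for.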
Access Control Models
• Access control is built on the following principles:
• Least privilege – a principle by which members of the organization can access
the minimum amount of information for the minimum amount of time
necessary to perform their required duties

• Need-to-know – a principle that limits a user’s access to only the specific
information required to perform the currently assigned task, and not only to
the category of data required for a general work function
• This principle is most frequently associated with data classification
Access Control Models
• Access control is built on the following principles:
• Separation of duties – a principle that requires that significant tasks be split
up in such a way that more than one individual is responsible for their
completion.
• Separation of duties reduces the chance of an individual violating InfoSec policy and
breaching the confidentiality, integrity and availability of the information

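Least privilege, need-to-know and separation of duties are usually stated as policy, but all three can be checked mechanically. The following added example (not from the lecture or its sources) models a funds-transfer approval: rights are granted per task and expire (least privilege and need-to-know), one person may never hold both the "initiate" and "approve" rights for the same task (static separation of duties), and whoever initiated a request may not approve it (dynamic separation of duties). The task names, user names and epoch-second timestamps are constructed.

```python
"""Added example, not from the lecture slides: least privilege, need-to-know and
separation of duties enforced in a small funds-transfer approval workflow.
Users, task names, rights and timestamps are constructed for the demonstration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    user: str
    task: str            # need-to-know: rights are tied to one assigned task
    rights: frozenset    # least privilege: only the rights that task needs
    expires_at: int      # ...and only for as long as it needs them (epoch seconds)


# Right combinations that must never be held by one person for one task
# (static separation of duties).
CONFLICTING_RIGHTS = {frozenset({"initiate", "approve"})}


class TransferWorkflow:
    def __init__(self):
        self.grants = []
        self.requests = {}

    def grant(self, user: str, task: str, rights, expires_at: int) -> str:
        rights = frozenset(rights)
        held = set().union(*(g.rights for g in self.grants
                             if g.user == user and g.task == task))
        for pair in CONFLICTING_RIGHTS:
            if pair <= held | rights:
                return "REFUSED: conflicting rights for one person"
        self.grants.append(Grant(user, task, rights, expires_at))
        return "GRANTED"

    def has_right(self, user: str, task: str, right: str, now: int) -> bool:
        # An expired grant confers nothing: privilege is bounded in time too.
        return any(g.user == user and g.task == task and right in g.rights
                   and now < g.expires_at for g in self.grants)

    def initiate(self, req_id: str, user: str, task: str, now: int) -> str:
        if not self.has_right(user, task, "initiate", now):
            return "DENY: no initiate right"
        self.requests[req_id] = {"task": task, "initiator": user, "state": "pending"}
        return "PENDING"

    def approve(self, req_id: str, user: str, now: int) -> str:
        req = self.requests[req_id]
        # Dynamic separation of duties: whoever initiated may not approve.
        if user == req["initiator"]:
            return "DENY: initiator may not approve own request"
        if not self.has_right(user, req["task"], "approve", now):
            return "DENY: no valid approve right"
        req["state"] = "approved"
        return "APPROVED"


if __name__ == "__main__":
    wf = TransferWorkflow()
    print(wf.grant("alice", "vendor-payment", {"initiate"}, expires_at=1000))
    print(wf.grant("bob", "vendor-payment", {"approve"}, expires_at=1000))
    print(wf.grant("alice", "vendor-payment", {"approve"}, expires_at=1000))  # refused
    print(wf.initiate("req-1", "alice", "vendor-payment", now=100))
    print(wf.approve("req-1", "alice", now=100))   # denied: separation of duties
    print(wf.approve("req-1", "bob", now=2000))    # denied: grant expired
    print(wf.approve("req-1", "bob", now=900))     # approved
```

The static check at grant time is the cheaper of the two controls; the dynamic check at approval time is what still holds when role assignments change after a request is already in flight.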
Access Control Models
• Based on their inherent characteristics, one approach
classifies access controls as:
1. Directive – employs administrative controls such as policy and
training designed to proscribe certain user behavior in the
organization
• E.g.: personal use of company assets?
2. Deterrent – discourages or deters an incipient incident
• E.g.: signs that indicate video monitoring
3. Preventative – helps an organization avoid an incident
• E.g.: requirement for strong authentication in access controls
Access Control Models
• Categories of access controls:
4. Detective – detects or identifies an incident or threat when it occurs
• E.g.: anti-malware software
5. Corrective – remedies a circumstance or mitigates damage done during an
incident
• E.g.: changes to a firewall to block the recurrence of a diagnosed attack
6. Recovery – restores operating conditions back to normal
7. Compensating – resolves shortcomings, such as requiring the use of
encryption for transmission of classified data over unsecured networks
• E.g.: FTP versus SFTP / FTPS
Access Control Models
• Based on the operational impact on the organization, the NIST Special
Publication series categorizes access controls as:
1. Managerial – controls that cover security processes designed by strategic
planners, integrated into the organization's management practices, and
routinely used by security administrators to design, implement and monitor
other control systems
• E.g.: having periodic violation report reviews to detect any possible threats
2. Operational (or administrative) – controls that deal with the operational
functions of security that have been integrated into the repeatable
processes of the organization
• E.g.: having CCTV for surveillance purposes
Access Control Models
• Based on the operational impact on the organization, the NIST Special
Publication series categorizes access controls as:
3. Technical – controls that support the tactical portion of a security program
• Also include those controls that have been implemented as reactive mechanisms to deal
with the immediate needs of the organization as it responds to the realities of the
technical environment
• E.g.: login systems / Kerberos to prevent unauthorized access
Access Control Models
• Another approach describes the degree of authority under which the
controls are applied. They can be
1. Mandatory
2. Nondiscretionary
3. Discretionary
• Each of these categories of controls regulates access to a particular
type or collection of information.
Access Control Models
1. Mandatory access controls (MAC)
• A MAC is required and is structured and coordinated within a data classification
scheme that rates each collection of information as well as each user
• These ratings are often referred to as sensitivity or classification levels
• When MACs are implemented, users and data owners have limited control
over access to information resources
• Applied in the data classification model of national governments and the military:
- Top secret – expected to cause exceptionally grave damage
- Secret – expected to cause serious damage
- Confidential – expected to cause damage
- Another component: security clearance structure – each user of an information asset is
assigned an authorization level that identifies the level of classified information he or she can
access
Access Control Models
1. Mandatory access controls (MAC)
2. Nondiscretionary controls
• Are determined by a central authority in the organization and can be based
on the roles (called role-based access controls); or on a specified set of tasks
(called task-based controls)
• These two controls make it easier to maintain controls and restrictions,
especially if the person performing the role or task changes often
• The administrator can easily remove the person’s associations with roles and tasks,
thereby revoking their access
Access Control Models
1. Mandatory access controls (MAC)
2. Nondiscretionary controls
3. Discretionary access controls (DAC)
• Are implemented at the discretion (choice) or option of the data user
• The ability to share resources in a peer-to-peer configuration allows:
- Users to control access and possibly provide access to information or resources at their
disposal
- Users to allow general, unrestricted access, or to allow only specific individuals or
groups to access the resources
Access Control Models
• In summary:
• Mandatory access controls (MACs) are usually applied to a system that
operates within a data classification and personnel clearance scheme
• Nondiscretionary controls are determined by a central authority and can be
based on roles or tasks
• Discretionary access controls (DACs) are implemented at the option of the
data user
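The difference between the three degrees of authority is who is allowed to change the decision. The following added example (not code from the lecture or its sources) puts each one into a small policy object: MAC compares a fixed clearance against a fixed classification, with "no read up" and "no write down" rules that neither user nor owner can override; the nondiscretionary policy keeps a central role-to-permission table, so revoking one role removes every permission it carried; the discretionary policy lets only an object's owner extend its access list. The level names, roles, users and resource names are constructed.

```python
"""Added example, not from the lecture slides: the three degrees of authority
under which access controls are applied, each as a small policy decision
function. Levels, roles, users and resource names are constructed."""
from enum import IntEnum


class Level(IntEnum):
    # Classification / clearance levels ordered from least to most sensitive.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# --- Mandatory: the rule is fixed by the classification scheme; neither the
#     subject nor the object's owner can grant an exception.
def mac_can_read(clearance: Level, classification: Level) -> bool:
    return clearance >= classification        # "no read up"


def mac_can_write(clearance: Level, classification: Level) -> bool:
    # "No write down": a SECRET-cleared subject may not write into a
    # CONFIDENTIAL object, which could carry higher-classified content downward.
    return clearance <= classification


# --- Nondiscretionary (role-based): a central authority maintains the
#     role-to-permission table; users gain and lose access by role assignment.
class RoleBasedPolicy:
    def __init__(self, role_permissions: dict):
        self.role_permissions = role_permissions   # role -> {(resource, action)}
        self.user_roles = {}                       # user -> {role}

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        # Leaving a role is one operation, however many permissions it carried.
        self.user_roles.get(user, set()).discard(role)

    def allowed(self, user: str, resource: str, action: str) -> bool:
        return any((resource, action) in self.role_permissions.get(role, set())
                   for role in self.user_roles.get(user, set()))


# --- Discretionary: the owner of each object decides who else may use it.
class DiscretionaryPolicy:
    def __init__(self):
        self.objects = {}   # resource -> {"owner": user, "acl": {user: {action}}}

    def create(self, resource: str, owner: str) -> None:
        self.objects[resource] = {"owner": owner, "acl": {}}

    def share(self, resource: str, granter: str, grantee: str, actions) -> bool:
        obj = self.objects[resource]
        if granter != obj["owner"]:               # only the owner may extend access
            return False
        obj["acl"].setdefault(grantee, set()).update(actions)
        return True

    def allowed(self, user: str, resource: str, action: str) -> bool:
        obj = self.objects[resource]
        return user == obj["owner"] or action in obj["acl"].get(user, set())


if __name__ == "__main__":
    print(mac_can_read(Level.SECRET, Level.CONFIDENTIAL))    # True
    print(mac_can_read(Level.SECRET, Level.TOP_SECRET))      # False
    rbac = RoleBasedPolicy({"payroll_clerk": {("payroll", "read")}})
    rbac.assign("alice", "payroll_clerk")
    print(rbac.allowed("alice", "payroll", "read"))          # True
    rbac.revoke("alice", "payroll_clerk")
    print(rbac.allowed("alice", "payroll", "read"))          # False
    dac = DiscretionaryPolicy()
    dac.create("report.docx", "bob")
    print(dac.share("report.docx", "carol", "dave", {"read"}))  # False: carol is not the owner
```

In the MAC functions there is deliberately no way to pass an "owner" or "grantee": the absence of that parameter is the control. In the DAC class the same decision lives with the user, which is why DAC is the model where accidental over-sharing is most common.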
Other forms of Access Control
• Access control is an area that is developing rapidly in both its
principles and technologies
• Other models of access control include:
1. Content-dependent access controls
- Access to a specific set of information may depend on its content
- E.g.: the marketing department needs access to marketing data; the accounting
department needs access to accounting data
2. Constrained user interfaces
- Some systems are designed specifically to restrict what information an individual user
can access
- Example: an ATM restricts authorized users (customers) to simple account queries,
transfers, deposits and withdrawals.
Other forms of Access Control
• Other models of access control include:
1. Content-dependent access controls
2. Constrained user interfaces

3. Temporal isolation
- It is also known as time-based isolation
- Access to information is limited by a time-of-day constraint.
- Example: a time-release safe in a convenience store -> the safe can only be opened
during a specific time frame, even by the store manager
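Content-dependent control and temporal isolation both decide on something other than who the requester is. The following added example (not from the lecture or its sources) shows both: a filter that releases only the records whose department tag matches the requester's department, and a time-window policy that refuses the time-release safe outside its daily window even to the manager, including a window that crosses midnight. The records, department names, window times and roles are constructed.

```python
"""Added example, not from the lecture slides: content-dependent access control
and temporal (time-based) isolation. The records, departments, time windows
and roles are constructed for the demonstration."""
from datetime import datetime, time

# Constructed records; the department tag is part of the content that
# determines who may see each one.
RECORDS = [
    {"id": 1, "dept": "marketing", "body": "Q3 campaign plan"},
    {"id": 2, "dept": "accounting", "body": "Q3 ledger summary"},
    {"id": 3, "dept": "marketing", "body": "brand guidelines"},
    {"id": 4, "dept": "hr", "body": "salary bands"},
]


def content_dependent_filter(user_dept: str, records: list) -> list:
    """Return only the ids of records whose content (department tag) matches
    the requester's department; every other record is withheld."""
    return [r["id"] for r in records if r["dept"] == user_dept]


class TimeWindowPolicy:
    """Temporal isolation: a resource is usable only inside a daily window."""

    def __init__(self, opens: time, closes: time):
        self.opens = opens
        self.closes = closes

    def allowed(self, now: datetime) -> bool:
        t = now.time()
        if self.opens <= self.closes:
            return self.opens <= t < self.closes
        # Window that crosses midnight, e.g. 22:00 to 06:00.
        return t >= self.opens or t < self.closes


# Constructed windows: store hours, and an overnight window for contrast.
BUSINESS_HOURS = TimeWindowPolicy(time(9, 0), time(17, 0))
OVERNIGHT = TimeWindowPolicy(time(22, 0), time(6, 0))


def at(hour: int, minute: int = 0) -> datetime:
    # Fixed constructed date so the examples depend only on the time of day.
    return datetime(2024, 1, 15, hour, minute)


def open_safe(policy: TimeWindowPolicy, role: str, now: datetime) -> str:
    # The time check comes first and applies to everyone, so even the
    # manager is refused outside the window.
    if not policy.allowed(now):
        return "DENY: outside release window"
    if role != "manager":
        return "DENY: role not permitted"
    return "OPEN"


if __name__ == "__main__":
    print(content_dependent_filter("marketing", RECORDS))      # [1, 3]
    print(open_safe(BUSINESS_HOURS, "manager", at(10, 30)))    # OPEN
    print(open_safe(BUSINESS_HOURS, "manager", at(20, 0)))     # DENY: outside release window
    print(OVERNIGHT.allowed(at(23, 30)), OVERNIGHT.allowed(at(12, 0)))  # True False
```

The ordering in open_safe matters: evaluating the time window before the role is what makes the constraint hold "even for the store manager", as the slide puts it.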
• InfoSec governance is the process of creating and maintaining the
organizational structures that manage the InfoSec function within an
enterprise.
