Cyber Security
Lecture 3:
Cyber Security Management Concepts
Learning Objectives
• Discuss the importance, benefits, and desired outcomes of
information security governance and how such a program would be
implemented
• Describe the dominant InfoSec management models, including
international standards-based models
• Explain why access control is an essential element of InfoSec
management
Information Security Governance
• Governance is:
- “The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately, and verifying that the enterprise’s resources are used responsibly.”
The ITGI Approach to Information Security Governance
• The IT Governance Institute (ITGI) is a recognized authority on governance in IT and, eventually, in information security.
The ITGI Approach to Information Security Governance (Cont.)
• ITGI recommends that boards of directors supervise strategic InfoSec objectives by:
1. Creating and promoting a culture that recognizes the criticality of information and InfoSec to the organization.
2. Verifying that management’s investment in InfoSec is properly aligned with organizational strategies and the organization’s risk environment.
3. Mandating and assuring that a comprehensive InfoSec program is developed and implemented.
4. Requiring reports from the various layers of management on the InfoSec program’s effectiveness and adequacy.
Desired Outcomes
Five basic outcomes of InfoSec governance:
Benefits of InfoSec Governance
• An increase in share value for organizations.
• Increased predictability and reduced uncertainty of business operations by lowering information-security-related risks to definable and acceptable levels.
• Protection from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care.
• Optimization of the allocation of limited security resources.
• Assurance of effective InfoSec policy and policy compliance.
• A firm foundation for efficient and effective risk management, process improvement, and rapid incident response.
• A level of assurance that critical decisions are not based on faulty information.
• Accountability for safeguarding information during critical business activities.
NCSP Framework for InfoSec Governance
• According to the Corporate Governance Task Force (CGTF), an advisory group from the National Cyber Security Partnership (NCSP), the organization should engage in a core set of activities suited to its needs to guide the development and implementation of the InfoSec governance program:
- Conduct an annual InfoSec evaluation, the results of which the CEO should review with staff and then report to the board of directors.
- Conduct periodic risk assessments of information assets as part of a risk management program.
- Implement policies and procedures based on risk assessments to secure information assets.
- Establish a security management structure to assign explicit individual roles, responsibilities, authority, and accountability.
NCSP Framework for InfoSec Governance (Cont.)
- Develop plans and initiate actions to provide adequate InfoSec for networks, facilities, systems, and information.
- Treat InfoSec as an integral part of the system life cycle.
- Provide InfoSec awareness, training, and education to personnel.
- Conduct periodic testing and evaluation of the effectiveness of InfoSec policies and procedures.
- Create and execute a plan for remedial action to address any InfoSec deficiencies.
- Develop and implement incident response procedures.
- Establish plans, procedures, and tests to provide continuity of operations.
- Use security best practices guidance, such as the ISO 27000 series, to measure InfoSec performance.
CGTF General Governance Framework
• The CGTF framework applies the IDEAL model to InfoSec governance; the model is highly flexible and has been adapted to a wide variety of process improvement methodologies.
- I (Initiating): lay the groundwork for a successful improvement effort.
- D (Diagnosing): determine where you are relative to where you want to be.
- E (Establishing): plan the specifics of how you will reach your destination.
- A (Acting): do the work according to the plan.
- L (Learning): learn from the experience and improve your ability to adopt new improvements in the future.
Info. Sec Governance Responsibilities
ISO/IEC 27014: Governance of Information Security
• Provides brief recommendations for the assessment of an InfoSec governance program.
• Promotes five governance processes, to be adopted by the organization’s executive management and its governing board:
- Evaluate – review the current status and projected progress toward organizational objectives.
- Direct – provide instruction for developing or implementing changes to the security program.
- Monitor – review and assess organizational InfoSec performance.
- Communicate – interaction between the governing body and external stakeholders.
- Assure – assessment of organizational efforts by external entities such as certification or accreditation groups.
ISO/IEC 27014: Governance of Information Security (Cont.)
Source: Rachel J. Mahncke (2013), The Applicability of ISO/IEC27014:2013 For Use Within General Medical Practice, Australia eHealth Informatics and Security Conference.
Cybersecurity Governance
• The process of managing, directing, controlling, and influencing
organizational decisions, actions, and behaviors
• The Board of Directors is usually responsible for overseeing the policy
development
• Effective security requires a distributed governance model with the
active involvement of stakeholders, decision makers, and users
Introduction to Blueprints, Frameworks and Security Models
• A framework or security model is a generic outline of the more thorough and organization-specific blueprint.
• The framework or model describes what the end product should look like.
• The blueprint includes information on how to get there and is customized to a specific organization.
Security Management Models
• There are as many security management models as there are consultants who offer them.
• So, organizations may seek management models to use within their InfoSec processes.
• Among the most accessible places to find a quality security management model are U.S. federal agencies and international standard-setting organizations.
Security Management Models
• The ISO 27000 series: one of the most widely referenced InfoSec management models is Information Technology – Code of Practice for Information Security Management.
• It was originally published as British Standard BS7799.
• In 2000, the Code of Practice was adopted as an international standard framework for InfoSec by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799.
• The original purpose of ISO/IEC 17799: to offer guidance for the management of InfoSec to individuals responsible for their organization’s security programs.
Security Management Models
• The document was revised in 2005 (ISO 17799:2005) and in 2007 it
was renamed as ISO 27002 to align it with the document ISO 27001.
• ISO/IEC 27002 is focused on a broad overview of the various areas of
security, providing information on 127 controls over 10 areas
• ISO/IEC 27001 provides information on how to implement ISO/IEC
27002 and how to set up an information security management system
(ISMS)
Security Management Models
• ISO/IEC 27002:2013 is a broad overview of the various areas of security.
• It provides information on 14 security control clauses.
• It also addresses 35 control objectives and more than 110 individual controls.
• The details of ISO/IEC 27002:2013 (the most recent version) are only available to those who purchase the standard; its structure and general organization are well known.
Security Management Models
ISO 27000 series current and planned standards
Security Architecture Models
• Security architecture models illustrate InfoSec implementations and help organizations quickly make improvements through adaptation.
• Formal models form the basic approach that an implementation uses; they do not usually find their way directly into usable implementations.
• Models are implemented in, or focus on:
- Computer hardware and software
- Policies and practices
- Both
- The integrity of the information
Security Architecture Models: TCSEC and the trusted computing base (TCB)
Access Control Models
Figure: Types of access control process – identification, authentication, authorization, accountability.
Access Control Models
• The general application of access control comprises four processes:
- Identification – obtaining the identity of the entity requesting access to a logical or physical area
- Authentication – confirming the identity of the entity seeking access to a logical or physical area
- Authorization – determining which actions an authenticated entity can perform in that physical or logical area
- Accountability – documenting the activities of the authorized individual and system
Access Control Models
• Access control is built on the following principles:
- Least privilege – a principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties
Access Control Models
• Access control is built on the following principles:
- Separation of duties – a principle that requires that significant tasks be split up in such a way that more than one individual is responsible for their completion.
- Separation of duties reduces the chance of an individual violating InfoSec policy and breaching the confidentiality, integrity and availability of the information.
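The four access control processes (identification, authentication, authorization, accountability) and the two principles above (least privilege, separation of duties) on one request path, as an added Python example that is not part of the lecture. The user directory, the passwords and the "create a payment / approve a payment" workflow are constructed for illustration; the permission names and the audit log format are assumptions of this example.

```python
"""Added example: identification, authentication, authorization and
accountability on one request path, with least privilege and separation of
duties enforced during authorization. Users, passwords and the payment
workflow are constructed for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored credential is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass(frozen=True)
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    permissions: frozenset  # least privilege: only what the duty requires


def make_user(name: str, password: str, permissions) -> User:
    salt = os.urandom(16)
    return User(name, salt, _hash_password(password, salt), frozenset(permissions))


# Constructed directory: alice only creates payments, bob only approves them,
# carol (a manager) may do both.
USERS = {u.name: u for u in (
    make_user("alice", "correct horse", {"payment:create"}),
    make_user("bob", "battery staple", {"payment:approve"}),
    make_user("carol", "staple horse", {"payment:create", "payment:approve"}),
)}


@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)   # accountability record
    initiators: dict = field(default_factory=dict)  # payment id -> creator

    def _record(self, who, action, target, outcome):
        self.audit_log.append((who, action, target, outcome))

    def identify(self, claimed_name):
        # Identification: map the claimed identity to a known entity.
        return USERS.get(claimed_name)

    def authenticate(self, user, password):
        # Authentication: constant-time comparison of the derived hash.
        return hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash)

    def authorize(self, user, action, target):
        # Authorization: least privilege first, then separation of duties.
        if action not in user.permissions:
            return False, "least privilege: permission not granted"
        if action == "payment:approve" and self.initiators.get(target) == user.name:
            return False, "separation of duties: initiator cannot approve"
        return True, "ok"

    def request(self, claimed_name, password, action, target):
        user = self.identify(claimed_name)
        if user is None:
            self._record(claimed_name, action, target, "denied: unknown identity")
            return False
        if not self.authenticate(user, password):
            self._record(user.name, action, target, "denied: authentication failed")
            return False
        allowed, reason = self.authorize(user, action, target)
        self._record(user.name, action, target, "allowed" if allowed else f"denied: {reason}")
        if allowed and action == "payment:create":
            self.initiators[target] = user.name
        return allowed


def demo():
    """Run a constructed scenario; returns the per-request decisions and the audit log."""
    ac = AccessControl()
    decisions = [
        ac.request("alice", "correct horse", "payment:create", "pay-1"),   # True
        ac.request("alice", "correct horse", "payment:approve", "pay-1"),  # False: least privilege
        ac.request("bob", "wrong password", "payment:approve", "pay-1"),   # False: authentication
        ac.request("bob", "battery staple", "payment:approve", "pay-1"),   # True
        ac.request("carol", "staple horse", "payment:create", "pay-2"),    # True
        ac.request("carol", "staple horse", "payment:approve", "pay-2"),   # False: separation of duties
        ac.request("bob", "battery staple", "payment:approve", "pay-2"),   # True
        ac.request("mallory", "anything", "payment:create", "pay-3"),      # False: unknown identity
    ]
    return decisions, ac.audit_log


if __name__ == "__main__":
    for entry in demo()[1]:
        print(entry)
```

Every request, allowed or denied, leaves an audit entry: that is the accountability process, and it is what an investigator reads afterwards. Note that carol holds the approve permission, so least privilege alone would let her approve her own payment; only the separation-of-duties check stops it.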
Access Control Models
• Based on their inherent characteristics, one approach categorizes access controls as:
1. Directive – employs administrative controls such as policy and training designed to proscribe certain user behavior in the organization
- E.g.: a policy on personal use of company assets
2. Deterrent – discourages or deters an incipient incident
- E.g.: signs that indicate video monitoring
3. Preventative – helps an organization avoid an incident
- E.g.: requirement for strong authentication in access controls
Access Control Models
• Categories of access controls (cont.):
4. Detective – detects or identifies an incident or threat when it occurs
- E.g.: anti-malware software
5. Corrective – remedies a circumstance or mitigates damage done during an incident
- E.g.: changes to a firewall to block the recurrence of a diagnosed attack
6. Recovery – restores operating conditions back to normal
7. Compensating – resolves shortcomings, such as requiring the use of encryption for transmission of classified data over unsecured networks
- E.g.: FTP versus SFTP/FTPS
Access Control Models
• Based on the operational impact on the organization, the NIST Special Publication series categorizes access controls as:
Access Control Models
• Another approach describes the degree of authority under which the controls are applied. They can be:
1. Mandatory
2. Nondiscretionary
3. Discretionary
Access Control Models
1. Mandatory access controls (MAC)
• A MAC is required and is structured and coordinated within a data classification scheme that rates each collection of information as well as each user.
• These ratings are often referred to as sensitivity or classification levels.
• When MACs are implemented, users and data owners have limited control over access to information resources.
• Applied in the data classification model of national governments and the military:
- Top secret – expected to cause exceptionally grave damage
- Secret – expected to cause serious damage
- Confidential – expected to cause damage
• Another component is the security clearance structure: each user of an information asset is assigned an authorization level that identifies the level of classified information he or she can access.
Access Control Models
2. Nondiscretionary controls
• Are determined by a central authority in the organization and can be based on roles (called role-based access controls) or on a specified set of tasks (called task-based controls).
• These two kinds of control make it easier to maintain controls and restrictions, especially if the person performing the role or task changes often.
- The administrator can easily remove the person’s associations with roles and tasks, thereby revoking their access.
Access Control Models
3. Discretionary access controls (DAC)
• Are implemented at the discretion (choice) or option of the data user.
• The ability to share resources in a peer-to-peer configuration allows:
- Users to control access and possibly provide access to information or resources at their disposal
- Users to allow general, unrestricted access, or to allow specific individuals or groups to access the resources
Access Control Models
• In summary:
• Mandatory access controls (MACs) are usually applied to a system that
operates within a data classification and personnel clearance scheme
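The three degrees of authority (mandatory, nondiscretionary, discretionary) side by side, as an added Python example that is not part of the lecture. The MAC check implements only what the slides state, a clearance level that must cover the classification of the data being read; the role names, user names, groups and documents are constructed, and the ACL principal syntax (`user:`, `group:`, `everyone`) is an assumption of this example.

```python
"""Added example: the three degrees of authority as small models. MAC compares
a subject's clearance against the object's classification, RBAC maps users to
roles and roles to permissions, DAC lets the owner of a resource decide who
else may use it. Names and data are constructed."""
from enum import IntEnum


class Level(IntEnum):
    # Data classification scheme in the order the slides describe it.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def mac_can_read(clearance: Level, classification: Level) -> bool:
    """MAC: a user reads an object only if the clearance level covers the
    object's classification level; neither the user nor the data owner can
    change that outcome."""
    return clearance >= classification


class RBAC:
    """Nondiscretionary control: a central administrator maintains the
    role-to-permission and user-to-role mappings."""

    def __init__(self):
        self.role_perms = {}  # role -> set of permissions
        self.user_roles = {}  # user -> set of roles

    def grant(self, role, perm):
        self.role_perms.setdefault(role, set()).add(perm)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        # Removing the role association revokes every permission it carried.
        self.user_roles.get(user, set()).discard(role)

    def allowed(self, user, perm) -> bool:
        return any(perm in self.role_perms.get(r, ()) for r in self.user_roles.get(user, ()))


class DacResource:
    """Discretionary control: the resource owner grants access to individual
    users, groups or everyone; non-owners cannot change the ACL."""

    def __init__(self, owner):
        self.owner = owner
        self.acl = {}  # principal ("user:bob", "group:finance", "everyone") -> perms

    def grant(self, actor, principal, perm):
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner of this resource")
        self.acl.setdefault(principal, set()).add(perm)

    def allowed(self, user, groups, perm) -> bool:
        if user == self.owner:
            return True
        principals = {f"user:{user}", "everyone", *(f"group:{g}" for g in groups)}
        return any(perm in self.acl.get(p, ()) for p in principals)


def demo():
    """Constructed scenario; returns the decisions each model produces."""
    mac = (
        mac_can_read(Level.SECRET, Level.CONFIDENTIAL),   # True
        mac_can_read(Level.CONFIDENTIAL, Level.SECRET),    # False
    )
    rbac = RBAC()
    rbac.grant("payroll-clerk", "payroll:read")
    rbac.assign("dana", "payroll-clerk")
    before = rbac.allowed("dana", "payroll:read")  # True
    rbac.revoke("dana", "payroll-clerk")           # dana changes job
    after = rbac.allowed("dana", "payroll:read")   # False
    doc = DacResource(owner="erin")
    doc.grant("erin", "group:finance", "read")
    try:
        doc.grant("frank", "everyone", "read")     # frank is not the owner
        tampered = True
    except PermissionError:
        tampered = False
    dac = (
        doc.allowed("frank", ["finance"], "read"),  # True, via the finance group
        doc.allowed("gail", [], "read"),            # False
        tampered,                                   # False
    )
    return mac, (before, after), dac
```

The contrast the summary slide draws is visible in the code: in `mac_can_read` the decision depends only on two labels set by the classification and clearance scheme, in `RBAC` one `revoke` call by the administrator strips every permission the departing person held, and in `DacResource` the owner alone decides who else gets in.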
Other forms of Access Control
• Access control is an area that is developing rapidly in both its principles and technologies.
• Other models of access control include:
1. Content-dependent access controls
- Access to a specific set of information may depend on its content.
- E.g.: the marketing department needs access to marketing data; the accounting department needs access to accounting data.
2. Constrained user interfaces
- Some systems are designed specifically to restrict what information an individual user can access.
- Example: an ATM restricts authorized users (customers) to simple account queries, transfers, deposits and withdrawals.
Other forms of Access Control
• Other models of access control include:
3. Temporal isolation
- Also known as time-based isolation.
- Access to information is limited by a time-of-day constraint.
- Example: a time-release safe in a convenience store; the safe can only be opened during a specific time frame, even by the store manager.
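The three "other forms" above (content-dependent control, constrained user interface, temporal isolation) in one added Python example; it is not code from the lecture. The department records, the ATM menu and the safe's opening hours are constructed, and the example goes one step beyond the slide by handling an opening window that crosses midnight.

```python
"""Added example: three other forms of access control. Content-dependent
control filters records by an attribute of the data, a constrained interface
exposes only a fixed menu of operations, and temporal isolation opens a
resource only inside a time window. Records, accounts and times are constructed."""
from datetime import time

# Constructed records: access depends on the department the data belongs to.
RECORDS = [
    {"id": 1, "dept": "marketing", "title": "Q3 campaign plan"},
    {"id": 2, "dept": "accounting", "title": "Q3 ledger"},
    {"id": 3, "dept": "marketing", "title": "brand guidelines"},
]


def content_dependent_view(user_dept, records=RECORDS):
    """Content-dependent control: return only the ids of records whose
    content (here, the owning department) matches the requesting user."""
    return [r["id"] for r in records if r["dept"] == user_dept]


# Constrained user interface: the ATM menu is the whole set of operations a
# customer can invoke; anything not on the menu never reaches the account.
def _balance(acct):
    return acct["balance"]


def _deposit(acct, amount):
    acct["balance"] += amount
    return acct["balance"]


def _withdraw(acct, amount):
    if amount > acct["balance"]:
        raise ValueError("insufficient funds")
    acct["balance"] -= amount
    return acct["balance"]


ATM_MENU = {"balance": _balance, "deposit": _deposit, "withdraw": _withdraw}


def atm_is_permitted(op) -> bool:
    return op in ATM_MENU


def atm_request(acct, op, *args):
    if not atm_is_permitted(op):
        raise PermissionError(f"operation {op!r} is not offered by this interface")
    return ATM_MENU[op](acct, *args)


class TimeReleaseSafe:
    """Temporal isolation: the safe opens only between `opens` and `closes`,
    for every user including the manager. Windows that cross midnight
    (e.g. 22:00 to 02:00) are handled as a wrap-around."""

    def __init__(self, opens: time, closes: time):
        self.opens, self.closes = opens, closes

    def can_open(self, now: time) -> bool:
        if self.opens <= self.closes:
            return self.opens <= now < self.closes
        return now >= self.opens or now < self.closes


def demo():
    """Constructed scenario; returns the decisions of the three controls."""
    acct = {"balance": 100}
    atm = (
        atm_request(acct, "deposit", 50),    # 150
        atm_request(acct, "withdraw", 30),   # 120
        atm_is_permitted("balance"),         # True
        atm_is_permitted("set_overdraft"),   # False: not on the menu
    )
    day_safe = TimeReleaseSafe(time(9), time(11))
    night_safe = TimeReleaseSafe(time(22), time(2))
    safe = (
        day_safe.can_open(time(10)),         # True
        day_safe.can_open(time(12)),         # False
        night_safe.can_open(time(23, 30)),   # True, inside the wrap-around window
        night_safe.can_open(time(3)),        # False
    )
    return content_dependent_view("marketing"), atm, safe
```

`atm_request` never consults who the caller is: the restriction lies entirely in what the interface offers, which is the point of a constrained user interface. The safe likewise ignores identity and consults only the clock.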
• InfoSec governance is the process of creating and maintaining the
organizational structures that manage the InfoSec function within an
enterprise.