Stephen S. Yau, CSE 465-591, Fall 2006
IA Management
Why Need IA Management?
- IA is an integral part of sound management
- Many managers tend to overlook or ignore IA since it is not directly related to their revenue in terms of selling products (services)
- Two basic factors matter when you compete with your competitors:
  - Value of your products (services) to customers
  - Cost of making them
Why Need IA Management (cont.)
- IA is not an end in itself, but it does provide a critical service and support function for the organization
- Try to minimize the cost due to information lost/misused; this is as important as coming up with some brilliant ideas in product design
- IA management staff needs to persuade senior managers that IA "magic" comes with a price tag, but if handled properly, there is certainly a return
- Outsourcing is more and more popular, but needs to be carried out carefully since it may bring in more threats and vulnerabilities
IA Management Personnel
- Information Systems Security Officer (ISSO): Responsible to the designated approving authority; ensures that the security of an information system is implemented through its design, development, operation, maintenance, and disposal stages.
- Operations Security (OPSEC) Manager: Responsible to the ISSO; prevents information about the organization's capabilities and/or intentions from becoming available to potential adversaries.
- System Manager: Responsible for the proper operation and management of classified and unclassified Automated Information Systems (AIS). Supervises system staff in implementing AIS security policies, and provides advice and support to the ISSO on AIS security issues.
IA Management Personnel (cont.)
- Program or Functional Manager: Responsible for determining, in a coordinated effort with the system manager, which users have a verified need to access their applications. Responsible for informing the ISSO of any security incidents related to the application or to the users of the application.
- Communications Security (COMSEC) Custodian: Responsible for the receipt, transfer, accounting, safeguarding and destruction of COMSEC material assigned to a COMSEC account.
- Telecommunications Officer: Responsible for the receipt, transfer, accounting and safeguarding of telecommunication processes in the organization
Challenges for IA Management
- Increasing complexity of systems, networks, and interconnectivity
- Profound reliance on information and information systems
- Ever-changing internal and external threats
- Competing demands
- Unavailable resources
- Decreasing assets
- Lack of experience
- Lack of available training
- Lukewarm support from management
IA Management Tasks
IA managers and staff are responsible for:
- Managing resources: The security business is dynamic; the IA manager must use time and manpower effectively
- Coordination: Communication is critical for the IA manager to successfully manage an IA program. The IA manager must be an effective communicator to facilitate coordination among the various offices, departments and personnel within the organization
- Budgeting: Ideally, the IA manager will have a line item within the organization's annual budget in order to plan and execute the IA program. Outsourcing is more and more popular, but needs to be evaluated carefully before making any decision.
IA Management Tasks (cont.)
- Selling the need: Senior management often views IA as an overhead expense. The IA manager needs to convey the idea that "security comes with a price tag" and sell senior managers on the merits of any resources invested in IA
- Dispensing technical guidance: A written regulation, directive or policy can ensure consistency between a process and the standard operating procedure it implements
- Dealing with legal issues: The IA manager should be familiar with applicable legal issues in order to know when it is appropriate and necessary to contact a law enforcement agency in the event of a security incident.
Life-cycle Management
IA is involved in each stage of the system's life-cycle:
- Initiation: Determine how a required operational function can be accomplished in a secure manner
- Definition: The function of the system will determine the security requirements
- Design: Security requirements, including risk, cost, and operations, must be integrated into the system design
- Acquisition: The IA manager must ensure only reliable sources are used for software procurement
- Development: Security controls are built into the system
Life-cycle Management (cont.)
- Implementation: The following tasks need to be done:
  - Risk management
  - C&A process: Certification and Accreditation
  - Approval to operate (ATO): Upon successful security evaluation of the system, the IA manager recommends to the appropriate designated accreditation authority (DAA) that an ATO or an Interim approval to operate (IATO) be granted. An IATO is a temporary approval pending an accreditation decision.
- Operation and Maintenance: Once the system has been turned on for operation, the security of the system must be scrutinized to verify that it continues to meet requirements
- Destruction and Disposal: The IA manager must ensure that information processed and stored in the system is not inadvertently compromised because of improper destruction and disposal.
Security Review and Testing
Security review and testing should be conducted throughout the system life-cycle:
- Incident, threat, and vulnerability data collection and review
- Testing of infrastructure, externally and internally
- Baseline establishment for future review
Security Review and Testing (cont.)
Common steps:
- Review policies
- Develop a security matrix summarizing threats and protected assets
- Review security documentation
- Review audit capability and use
- Review security patches and updates
- Run analysis tools
- Correlate all information
- Develop a report
- Make recommendations to correct problems
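The "security matrix", "run analysis tools", "correlate" and "make recommendations" steps above fit together as one small data pipeline. The following Python is an added example, not part of the lecture: the matrix, the tab-separated tool output and the finding-to-threat and threat-to-control mappings are all constructed here, and the ticket-like identifiers are placeholders. It shows the distinction the correlation step is really after: a finding against an asset whose documentation claims a control (the control is not working) versus a finding against an asset with no control at all (a gap), plus findings the matrix never modelled.

```python
from collections import defaultdict

# Security matrix (constructed): protected asset -> threats that apply and the
# controls the reviewed policies/documentation claim are in place.
SECURITY_MATRIX = {
    "payroll-db": {"threats": {"unpatched-service", "unauthorized-access"},
                   "controls": {"patch-management", "access-control", "audit-logging"}},
    "web-frontend": {"threats": {"unpatched-service", "unauthorized-software"},
                     "controls": {"patch-management", "software-whitelist"}},
    "hr-fileshare": {"threats": {"unauthorized-access"},
                     "controls": set()},  # threat modelled, but no control documented
}

# Which threat a tool finding type evidences, and which control should mitigate
# each threat (both assumed mappings, chosen for this example).
FINDING_TO_THREAT = {
    "missing-patch": "unpatched-service",
    "unauthorized-software": "unauthorized-software",
    "world-readable": "unauthorized-access",
}
THREAT_TO_CONTROL = {
    "unpatched-service": "patch-management",
    "unauthorized-software": "software-whitelist",
    "unauthorized-access": "access-control",
}

# Constructed output of the "run analysis tools" step. The format
# (asset TAB finding-type TAB detail) is assumed, not any real tool's.
ANALYSIS_OUTPUT = """\
payroll-db\tmissing-patch\tvendor patch PATCH-PLACEHOLDER not applied
web-frontend\tunauthorized-software\tunlisted package found under /opt
hr-fileshare\tworld-readable\tshare ACL grants read to all users
payroll-db\tunauthorized-software\tunsigned binary found in a user home directory
lab-printer\tmissing-patch\tfirmware behind vendor current version
"""


def parse_findings(text):
    """Split tool output into (asset, finding_type, detail) tuples."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        asset, ftype, detail = line.split("\t", 2)
        findings.append((asset, ftype, detail))
    return findings


def correlate(matrix, findings):
    """Correlate findings with the matrix.

    Returns asset -> list of (category, threat, detail), where category is one of
    control-failure (control documented but finding shows it is not effective),
    control-gap (threat modelled, no control), unmodelled-threat, unknown-asset.
    """
    report = defaultdict(list)
    for asset, ftype, detail in findings:
        threat = FINDING_TO_THREAT.get(ftype, ftype)
        entry = matrix.get(asset)
        if entry is None:
            report[asset].append(("unknown-asset", threat, detail))
        elif threat not in entry["threats"]:
            report[asset].append(("unmodelled-threat", threat, detail))
        elif THREAT_TO_CONTROL.get(threat) in entry["controls"]:
            report[asset].append(("control-failure", threat, detail))
        else:
            report[asset].append(("control-gap", threat, detail))
    return dict(report)


RECOMMENDATION = {
    "control-failure": "verify and repair the documented control",
    "control-gap": "select and implement a control for this threat",
    "unmodelled-threat": "update the security matrix to model this threat",
    "unknown-asset": "add the asset to the inventory and security matrix",
}


def recommendations(report):
    """Flatten the correlated report into report lines, control failures first,
    because they contradict what the security documentation claims."""
    order = ["control-failure", "control-gap", "unmodelled-threat", "unknown-asset"]
    lines = []
    for cat in order:
        for asset in sorted(report):
            for c, threat, detail in report[asset]:
                if c == cat:
                    lines.append(f"{asset}: {RECOMMENDATION[cat]} ({threat}): {detail}")
    return lines


if __name__ == "__main__":
    for line in recommendations(correlate(SECURITY_MATRIX, parse_findings(ANALYSIS_OUTPUT))):
        print(line)
```

Ordering control failures first is a deliberate choice: a documented control that a scan shows to be ineffective is a documentation and assurance problem as much as a technical one, which is exactly what the "review security documentation" step is meant to catch.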
Identify Weaknesses in a System
- Vulnerability scanning: Scan for unused ports and for uncontrolled or unauthorized software
- Discovery scanning: Inventory and classify information about the OS and available ports; identify running applications to determine device function
- Workstation scanning: Make sure the standard software configuration is current with the latest security patches; locate uncontrolled or unauthorized software
- Server scanning: Make sure the software stored on servers is updated with the latest security patches; locate uncontrolled or unauthorized software
- Port scanning: Scan the various active ports used for communication (TCP/UDP)
  - Stealth scans: also called spoofed scans
Identify Weaknesses in a System (cont.)
Issues with vulnerability testing:
- False positives: legitimate software using ports registered to other software
- Heavy traffic: adverse effect on WAN links; may even disable slow links
- False negatives: exhausting resources on the scanning machine, so that vulnerabilities are not properly identified
- System crash
- Unregistered port numbers: port numbers in use are not registered, so the software using them cannot be identified
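The discovery-scanning slide and the two issues above (false positives from software on someone else's registered port, and unregistered ports that identify nothing) are the inventory side of scanning, and they are easiest to see on already-collected scan data. The Python below is an added example, not from the lecture: the scan records, banners, baseline and the crude banner patterns are constructed; the port-to-service table is a small subset of real IANA assignments. It classifies device function from what each port actually serves rather than from the port number, flags the two failure modes explicitly, and reports services that the host's approved baseline does not list as uncontrolled or unauthorized software.

```python
import re

# Subset of real IANA registered ports, used for port-number identification.
REGISTERED_PORTS = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https",
                    445: "microsoft-ds", 3306: "mysql", 3389: "ms-wbt-server"}

# Crude banner fingerprints (constructed for this example), checked in order.
BANNER_PATTERNS = [
    ("ssh", re.compile(r"^SSH-\d")),
    ("smtp", re.compile(r"^220 .*SMTP")),
    ("http", re.compile(r"^HTTP/1\.[01] \d{3}")),
    ("mysql", re.compile(r"mysql|mariadb", re.I)),
]

# Constructed discovery-scan records: host -> [(port, proto, banner)].
SCAN = {
    "10.0.0.5": [(22, "tcp", "SSH-2.0-constructed-banner"),
                 (80, "tcp", "HTTP/1.1 200 OK"),
                 (3306, "tcp", "HTTP/1.0 200 OK")],     # HTTP on the MySQL port
    "10.0.0.9": [(25, "tcp", "220 mail.example.test ESMTP ready"),
                 (8765, "tcp", "")],                    # unregistered, silent
}
# Approved service baseline per host (constructed).
BASELINE = {"10.0.0.5": {"ssh", "http"}, "10.0.0.9": {"smtp"}}

# Device-function rules: first matching marker set wins.
DEVICE_RULES = [("database server", {"mysql"}), ("mail server", {"smtp"}),
                ("web server", {"http", "https"}),
                ("windows host", {"microsoft-ds", "ms-wbt-server"})]


def identify_service(port, banner):
    """Return (service, basis, note); basis is 'banner', 'port' or 'none'."""
    by_banner = next((s for s, rx in BANNER_PATTERNS if banner and rx.search(banner)), None)
    by_port = REGISTERED_PORTS.get(port)
    if by_banner:
        if by_port and by_port != by_banner:
            return by_banner, "banner", (f"port {port} is registered to {by_port} but serves "
                                         f"{by_banner}; a port-only scan would report a false positive")
        return by_banner, "banner", ""
    if by_port:
        return by_port, "port", "identified by port number only; confirm with banner or process inventory"
    return "unknown", "none", (f"port {port} is unregistered; the software cannot be identified "
                               "from the port number alone")


def classify_device(services):
    """Map the set of identified services to a device function."""
    for function, markers in DEVICE_RULES:
        if services & markers:
            return function
    return "unknown function"


def inventory(scan):
    """Per-host inventory: identified services, device function, analyst notes."""
    result = {}
    for host, ports in scan.items():
        services, notes = set(), []
        for port, proto, banner in ports:
            svc, _basis, note = identify_service(port, banner)
            services.add(svc)
            if note:
                notes.append(f"{proto}/{port}: {note}")
        result[host] = {"services": services, "function": classify_device(services), "notes": notes}
    return result


def unauthorized_software(inv, baseline):
    """Services observed on a host that its approved baseline does not list."""
    out = {}
    for host, data in inv.items():
        extra = data["services"] - baseline.get(host, set())
        if extra:
            out[host] = sorted(extra)
    return out


if __name__ == "__main__":
    inv = inventory(SCAN)
    for host, data in inv.items():
        print(host, data["function"], sorted(data["services"]))
        for note in data["notes"]:
            print("   ", note)
    print("unauthorized:", unauthorized_software(inv, BASELINE))
```

Note that 10.0.0.5 would be classified as a database server by port number alone; the banner shows it is a web server with something unexpected listening on 3306, which is the false-positive case the slide describes. The silent unregistered port on 10.0.0.9 is carried through as "unknown" rather than dropped, so it still surfaces in the baseline comparison as software to be investigated.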
Security Awareness and Education
- Understand how actions can greatly affect the overall security position of the organization
- Computer security awareness and education enhance security through the following:
  - Making users aware of their security responsibilities and teaching them correct practices, which helps change behaviour
  - Developing skills and knowledge
  - Building in-depth knowledge to design, implement, or operate security programs
Security Awareness & Education (cont.)
- Often overlooked by proactive or reactive administration of security practices
- An effective program requires proper planning, implementation, maintenance, and periodic evaluation:
  - Identify program scope, goals, and objectives
  - Identify training staff
  - Identify target audience
  - Motivate management and employees
  - Administer the program
  - Maintain the program
  - Evaluate the program
Methods to Promote Awareness
- Management commitment is necessary
- Integrating awareness
- Periodic awareness sessions, direct, simple and clear, to orient new employees and refresh senior employees
- Live/interactive presentations through lectures and videos
- Publishing/distribution: posters, company newsletters
- Incentives: awards and recognition for security-related achievement
- Reminders
Training
Training is different from awareness: it is often held in a specific classroom or delivered through one-on-one training
InfoSec examples:
- Security-related job training for operators and specific users
- Awareness training for specific departments or personnel groups with security-sensitive positions
- Technical security training for IT support personnel and system administrators
- Advanced InfoSec training for security practitioners and AIS auditors
- Security training for senior managers and functional managers
Summary
IA Management within an organization should:
- Ensure that security is planned and developed into any prospective new system
- Certify that security features are performing properly before allowing the system to operate
- Approve and track configuration changes to the IA baseline, verifying that changes do not affect the terms of the system's accreditation.
- Assess the status of security features and system vulnerabilities through manual and automated reviews
- Destroy and dispose of hardcopy printouts and nonvolatile storage media in a way that eliminates possible compromise of sensitive or classified data
Summary (cont.)
- Keep system documentation current, reflecting patches, version upgrades, and other baseline changes
- Track hardware and software changes through a process that ensures changes are approved and tested before installation and operation; ensure that the IA manager or a representative is part of the approval process
- Control privileges and authority for modifying software.
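The three baseline points in the summary (approve and track configuration changes, keep the documented baseline current, and make sure every change was tested and IA-reviewed before it lands) can be enforced mechanically with a hashed manifest and a change-record check. The Python below is an added example, not from the lecture or the referenced book: the configuration files, their contents, the change records and the ticket identifiers are all constructed placeholders. It fingerprints a baseline, detects drift, reconciles each drifted path against the change records, and rolls only approved changes into the new baseline so that unapproved drift keeps being reported until it is either approved or reverted.

```python
import hashlib

# Constructed snapshots of configuration files (path -> contents). A real run
# would read these from disk; in-memory bytes keep the example self-contained.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/opt/app/app.conf": b"debug=false\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nMaxAuthTries 3\n",  # changed, has a record
    "/etc/sudoers": b"root ALL=(ALL) ALL\ndeploy ALL=(ALL) ALL\n",     # changed, no record
    "/opt/app/app.conf": b"debug=false\n",                              # unchanged
    "/etc/cron.d/cleanup": b"0 3 * * * root /opt/app/cleanup\n",        # new, record not IA-reviewed
}


def fingerprint(files):
    """Manifest of path -> SHA-256 of contents; this is the tracked IA baseline."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


# Constructed change records. Ticket ids are placeholders. A record only counts
# if the change was tested and the IA manager (or representative) reviewed it,
# and it must approve exactly the content now on the system.
APPROVED_CHANGES = [
    {"ticket": "CR-PLACEHOLDER-1", "path": "/etc/ssh/sshd_config",
     "approved_sha256": hashlib.sha256(CURRENT_FILES["/etc/ssh/sshd_config"]).hexdigest(),
     "tested": True, "ia_reviewed": True},
    {"ticket": "CR-PLACEHOLDER-2", "path": "/etc/cron.d/cleanup",
     "approved_sha256": hashlib.sha256(CURRENT_FILES["/etc/cron.d/cleanup"]).hexdigest(),
     "tested": True, "ia_reviewed": False},
]


def detect_drift(baseline, current):
    """Compare two manifests; return {'added': [...], 'removed': [...], 'modified': [...]}."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def reconcile(drift, current, approvals):
    """Map each drifted path to ('approved' | 'unapproved', reason)."""
    index = {rec["path"]: rec for rec in approvals}
    verdicts = {}
    for kind, paths in drift.items():
        for path in paths:
            rec = index.get(path)
            if rec is None:
                verdicts[path] = ("unapproved", f"{kind}: no change record")
            elif not (rec["tested"] and rec["ia_reviewed"]):
                verdicts[path] = ("unapproved", f"{kind}: {rec['ticket']} not tested or not IA-reviewed")
            elif kind != "removed" and rec["approved_sha256"] != current[path]:
                verdicts[path] = ("unapproved", f"{kind}: content differs from what {rec['ticket']} approved")
            else:
                verdicts[path] = ("approved", f"{kind}: {rec['ticket']}")
    return verdicts


def accept_approved(baseline, current, verdicts):
    """Return a new baseline with approved changes folded in. Unapproved paths keep
    their old entry (or stay absent), so the next drift check reports them again."""
    new = dict(baseline)
    for path, (verdict, _reason) in verdicts.items():
        if verdict != "approved":
            continue
        if path in current:
            new[path] = current[path]
        else:
            new.pop(path, None)
    return new


if __name__ == "__main__":
    base, cur = fingerprint(BASELINE_FILES), fingerprint(CURRENT_FILES)
    verdicts = reconcile(detect_drift(base, cur), cur, APPROVED_CHANGES)
    for path, (verdict, reason) in sorted(verdicts.items()):
        print(f"{verdict:10} {path}  ({reason})")
    print("remaining drift:", detect_drift(accept_approved(base, cur, verdicts), cur))
```

The hash comparison against the change record is what ties "approved" to "tested": a change that was approved in one form and deployed in another is treated as unapproved, which is the situation the summary's accreditation-terms point is guarding against.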