chapter 1 security management practices_1


Upload: vruddhi

Post on 02-Oct-2015


DESCRIPTION

Chapter 1 Security Management Practices

TRANSCRIPT

  • Introduction to

    Cyber/Information Security

    Module 2: Security Management

  • Module 2: Security Management

    Chapter I: Security Management Practices

    1. Overview of Security Management

    2. Information Classification Process

    3. Security Policy

    4. Risk Management

    5. Security Procedures and Guidelines

    6. Business Continuity and Disaster Recovery

    7. Ethics and Best Practices

  • Module 2: Security Management

    Chapter 2: Security Laws and Standards

    1. Security Assurance

    2. Security Laws

    3. IPR

    4. International Standards

    5. Security Audit

    6. SSE-CMM / COBIT etc

  • Security Principles

    Identification:

    To have proper identification of a user.

    Authentication:

    To authenticate identity of the user

    Authorization:

    To authorize authenticated user.

    Privacy:

    Data is used only for the purpose for which access was authorized.

    Non-Repudiation:

    A user cannot later deny having performed a particular action.

  • Information Security

    Information is an integral part of any

    business and managing it correctly rests on

    three basic pillars (the CIA triad):

    Confidentiality: the information must only

    be accessible to its predefined recipients.

    Integrity: the information must be correct

    and complete.

    Availability: the information must be

    accessible when it is needed.

  • Information Security

    Security Management must ensure that

    the information is correct and complete,

    that it is always available for business

    purposes and that it is only used by the

    people who are authorized to do so.

  • Information Security

    Information Security (InfoSec) includes

    three components:

    Management of Information Security

    Network Security

    Computer and Data Security

  • Security Management

    The main benefits of proper Security Management are:

    Interruptions to service caused by viruses, computers being hacked into, etc. are avoided.

    The number of incidents is minimized.

    Information is accessible when it is needed and data integrity is preserved.

    Data confidentiality, and the privacy of customers and users, is preserved.

    Regulations on data protection are complied with.

    The quality of service delivered to customers and users, and their confidence in it, is improved.

  • Security Management

    The main difficulties when implementing Security Management may be summarised as:

    There is insufficient commitment to the process from all the members of the IT organisation.

    Excessively restrictive security policies are established, with a negative effect on the business.

    The tools needed to monitor and guarantee the security of the service (firewalls, antivirus software, etc.) are not available.

    Staff are not given adequate training to be able to apply security protocols.

    There is a lack of coordination between the different processes, making it impossible to evaluate the risks properly.

  • Information Security Management

    Principles of Information Security

    Management

    Planning

    Policy

    Programs

    Protection

    People

    Project Management

  • Principles of Information Security

    Management

    Planning

    The InfoSec planning model includes the activities

    essential to support the design, creation and

    implementation of InfoSec strategies within the

    IT environment.

    Various plans-incident response plan,

    business continuity plan, disaster recovery

    plan, policy plan, personnel plan, risk

    management plan, education training

    awareness plan.

  • Principles of Information Security

    Management

    Policy

    It is a set of organizational guidelines that lists

    out certain rules of organizational behavior.

    Three general categories:

    General Program Policy(Enterprise security policy)

    Issue specific security policy

    System specific policies

  • Principles of Information Security

    Management

    Programs

    It includes specific entities managed in the

    InfoSec domain such as

    SETA(security education training & Awareness),

    physical security program and

    guards program.

  • Principles of Information Security

    Management

    Protection

    It includes risk management activities such as

    risk assessment and control ,

    protection mechanisms ,

    technologies and tools.

  • Principles of Information Security

    Management

    People

    People play key role in the organisation and it

    is important that managers recognise the key

    role that people play.

    Includes the information security personnel ,

    security of personnel as well as aspects of

    SETA program.

  • Principles of Information Security

    Management

    Project Management

    This is present through out all the phases of

    InfoSec program .

    It involves identifying and controlling project

    resources, measuring success and making

    required changes.

  • Need of ISMS

    InfoSec achieved through technical means

    alone is limited.

    InfoSec also depends on people, policies,

    processes and procedures.

    Limited resources

    It is an ongoing activity.

  • Benefits of ISMS

    Manages risk to suit the business activity

    Manages incident handling activities

    Builds a security culture-increases trust

    and customer confidence and business

    opportunity

    Conforms to the requirements of the

    standard.

  • Applications of ISMS

    Banks

    Insurance companies

    Manufacturing companies

    Hospitals

    Software developments

  • Information Classification

  • Information Classification

    for suitable treatment.

    All organizations government, public, private,

    defense need to classify their information.

    Reason for classification: not all

    data/information have the same level of

    importance or same level of relevance/criticality

    to an organization.

    Eg: trade secrets ,formulae, new product

    information loss can create significant loss to the

    organization

  • Information Classification

    Benefits of information classification

    Information classification demonstrates an organization's commitment to security protection.

    It helps identify which information is most sensitive or vital to an organization.

    It supports the tenets of CIA as they pertain to data.

    It helps identify which protections apply to which information.

    It fulfils statutory requirements arising from regulatory, compliance or legal mandates.

  • Information Classification

    The information produced or processed by

    an organization must be classified

    according to the organization's sensitivity to its

    loss or disclosure.

    The data owners are responsible for

    defining the sensitivity level of data.

    Enables security controls to be properly

    implemented as per the classification.

  • Terms for information

    Classification

    The following definitions describe several

    schemes used for levels of

    data/information classification

    Unclassified

    Sensitive but unclassified(SBU)

    Confidential

    Secret

    Top Secret

  • Unclassified: information that is neither sensitive nor classified. The public release of this information does not violate confidentiality.

    Sensitive but unclassified (SBU): information designated as a minor secret, whose disclosure would not create serious damage. Eg: health care records, answers to tests.

    Confidential: information designated to be of a confidential nature. Unauthorised disclosure of this information could cause some damage to security. Eg: teacher feedback

  • Secret: Information that is designated to

    be of a secret nature. The unauthorized

    disclosure of this nature could cause

    serious damage to the security. Eg:

    contract

    Top Secret: this the highest level of

    information classification. (eg: normally in

    defense organisations) any unauthorised

    disclosure of top secret information will

    cause exceptionally grave damage to

    security


  • Information Classification

    It is not a good practice to deal with too much data or to provide employees or other business entities with all the data.

    Organizations make data available on a need-to-know basis.

    The following classification is also prevalent in most private organizations.

    Public

    Sensitive

    Private

  • Information Classification

    Public: information similar to the unclassified level; this covers all of the organization's information that is considered public. It probably should not be discussed freely, but even if it is disclosed it is not expected to seriously or adversely affect the organization.

    Sensitive: information that requires a higher level of classification than normal data. This information is protected against loss of confidentiality as well as loss of integrity owing to unauthorized alteration.

  • Information Classification

    Private: this information is considered as

    personal nature and is intended for

    company use only. Its disclosure can

    adversely affect the company or its

    employees. Eg: salary levels, medical

    information.

  • Criteria for classification of data

    and information

    Criteria for classification of an information object:

    Value: the most common criterion for classifying data in the private sector. If information is valuable to the organization or to its competitors, it needs to be classified.

    Age: the classification of information may be lowered if its value decreases over time.

    Useful Life: if the information has become obsolete owing to new information or substantial changes in the company, it can be declassified.

    Personal Association: if information is personally associated with specific individuals or addressed by privacy law, it may be classified.

  • How do organizations classify

    data and information

    Primary procedural steps

    Identify the owner/administrator/custodian for

    the data and information considered to be

    important.

    Specify criteria for information to be classified

    and labeled.

    Classify data by owner

    Specify and document any exceptions to the

    classification policy.

  • How do organizations classify

    data and information

    Primary procedural steps

    Depending on its classification specify who is

    authorized to access the data/information.

    Specify the termination procedures for

    declassifying the information.

    Create an enterprise awareness program about

    the data/information classification controls.

  • Information classification: Roles

    The roles and responsibilities of all the

    participants in the information

    classification program must be clearly

    defined.

    Owner

    Custodian

    User

  • Information classification: Roles

    Owner:

    responsible for information asset that must be protected

    Making original decision about the level of classification of information based on the business need.

    Reviewing the classification assignment periodically and making alterations if required.

    Delegating the responsibility of protection.

  • Information classification: Roles

    Custodian

    Running regular backups and

    routinely testing for validity.

    Performing data restoration from

    backups

    Maintaining the retained records in

    accordance with legal requirements.

  • Information classification: Roles

    User:

    It is mandatory for users to follow

    the operating procedures that are defined in the

    policy.

    Take necessary care to maintain

  • Data Obfuscation

    It is one mitigation against data theft.

    Data obfuscation renders data unusable by

    some means but is not considered a serious

    form of encryption.

    It is not very difficult to decipher an

    obfuscation scheme given enough data.

    A more effective method involves chopping text

    into segments, re-arranging them as well as

    obfuscating them, but this is still not a

    substitute for encryption.
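    The caveat above, as an added example (not code from the original slides): a repeating-key XOR obfuscation scheme, and a known-plaintext (crib) attack that recovers the whole key once an attacker can guess a fragment such as a field label. The sample records, the key `k3y!`, the crib and the function names are all constructed for this illustration.

```python
"""Added example: repeating-key XOR obfuscation broken with a crib.
Illustrative code written for this page; records, key and crib are constructed."""
from typing import Optional, Tuple

# Constructed sample data: two records that share a predictable prefix.
PLAINTEXT = (b"Account number: 1234-5678-9012\n"
             b"Account number: 4321-8765-2109\n")
KEY = b"k3y!"                  # assumed short repeating key
CRIB = b"Account number: "     # fragment an attacker can guess (a field label)


def xor_obfuscate(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the repeating key. The same call reverses it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _looks_like_text(data: bytes) -> bool:
    """Sanity filter: candidate plaintext should be printable ASCII or newline."""
    return all(32 <= b < 127 or b == 10 for b in data)


def break_repeating_xor(obfuscated: bytes, crib: bytes,
                        max_key_len: int = 8) -> Optional[Tuple[int, bytes]]:
    """Recover (key_len, key) by sliding the crib across the obfuscated data.

    At the right offset, obfuscated XOR crib yields key bytes; with a crib
    longer than the key, the bytes that wrap around must agree with each
    other, which rules out almost every wrong offset and wrong key length.
    """
    for key_len in range(1, max_key_len + 1):
        for off in range(len(obfuscated) - len(crib) + 1):
            key = [None] * key_len
            consistent = True
            for i, c in enumerate(crib):
                k = obfuscated[off + i] ^ c
                slot = (off + i) % key_len
                if key[slot] is None:
                    key[slot] = k
                elif key[slot] != k:
                    consistent = False
                    break
            if not consistent or any(k is None for k in key):
                continue  # crib too short to fix every key byte at this length
            candidate = bytes(key)
            if _looks_like_text(xor_obfuscate(obfuscated, candidate)):
                return key_len, candidate
    return None


if __name__ == "__main__":
    blob = xor_obfuscate(PLAINTEXT, KEY)
    print("obfuscated:", blob.hex())
    found = break_repeating_xor(blob, CRIB)
    print("recovered key:", found)
    if found:
        print(xor_obfuscate(blob, found[1]).decode())
```

    With two records sharing a predictable prefix, the crib alone pins down the whole key, and everything obfuscated under it falls at once; the segmenting and re-arranging mentioned above does not change the picture, because a fixed rearrangement is itself just one more small key to recover. A real cipher with a random, properly sized key does not leak this way, which is why obfuscation must not stand in for encryption where confidentiality matters.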

  • Business Classification Systems

    Critical : functions supported by systems

    cannot be performed unless replaced by

    identical capabilities. Tolerance to

    interruption is low. Cost of interruption is

    high.

    E.g. Entry to a high security vault using a fingerprint

    reader. If the reader gets damaged,

    functionality halts.

  • Business Classification Systems

    Vital : functions can be performed

    manually but only for a brief period of

    time. Higher tolerance to interruption than

    critical systems. Cost of interruption is

    low. (if restoration is within time limit)

    E.g. In case of failure of the lift in a 30-storey

    building, one can use the staircase for the time being.

  • Business Classification Systems

    Sensitive : functions can be performed

    manually at a tolerable cost for an

    extended period of time.

    E.g. Due to non-functioning of in-house

    printing machine, Paper printing is

    outsourced.

    Non -critical : functions may be

    interrupted for an extended period of time,

    at little or no cost to the company.

    E.g. non-functioning of Coffee machine

  • Event Classification

    Events that can result in damage to Information Systems are typically classified as:

    Disaster: an event that causes permanent and substantial damage or destruction to the property, equipment, information, staff or services of the business. E.g. natural disasters

    Crisis: an abnormal situation that presents some extraordinary risks to a business and that may develop into a disaster. E.g. server getting hacked

    Catastrophe: major disruptions resulting from the destruction of critical equipment in processing. E.g. Hard disk crash

  • Security Policy

  • Policy (in general)

    A policy is a principle or protocol to guide

    decisions and achieve rational outcomes.

    It is a statement of intent, and is

    implemented as a procedure or protocol.

    Policies are generally adopted by senior

    management.

    Policies can assist in both subjective and

    objective decision making.

  • Policy (in general)

    During subjective decision making, policy

    assists management in considering the relative

    merits of a number of factors before

    making a decision. E.g. work-life balance

    policy

    Objective decision making are usually

    operational in nature and can be

    objectively tested. e.g. password policy

  • Types of Policies (in general)

    In general, Policy can be following types

    Regulatory Policy

    Advisory Policy

    Informative Policy

  • Regulatory Policy

    These kinds of policies are mandatory for an

    organization owing to compliance,

    regulatory or other legal requirements of its

    environment.

    E.g. Staff teaching a PG course must hold a

    certain qualification

    These are very detailed and specific to

    the industry in which the business

    organization operates.

  • Regulatory Policy

    Purposes of the regulatory policy are

    Ensuring that an organization follows the

    standard procedure or base practices of an

    operation in its specific industry

    Giving an organization the confidence that it is

    following the standard and accepted industry

    policy.

  • Advisory Policy (good to follow)

    These are not mandatory but are

    strongly recommended.

    Normally the consequences of not following

    them are defined.

    E.g. a Business Conduct guidelines policy, which if not

    followed may result in job termination

    Organizations expect employees to treat

    these as mandatory policies.

    Many policies fall under this broad

    category.

  • Informative policy

    These are simply to inform reader.

    There are no implied or specified

    requirements.

    Audience can be internal entity or external

    party

  • Information Security Policy

  • Need of the Policy

    A quality information security program, is

    all about having good policies in place i.e.

    from start to end.

    Policies contribute to the success of

    organization.

    Policies form an important reference

    documents for

    Conducting internal audits

    Resolving legal disputes about the

    management

  • Information Security Policy

    A security policy is a preventative mechanism for protecting important company data and processes .

    It communicates a coherent (logical) security standard to users, management and technical staff.

    A policy can be used to measure the relative security of current systems.

    A policy is important for defining interfaces to external partners.

    There are mandatory legal requirements as regards protection of customer and employee data .

    A policy is a prerequisite to quality control (ISO 900x).

  • Information Security Policy

    ISP sets the strategic direction and scope

    for all the organization's security efforts.

    It assigns responsibilities for information

    security such as

    maintenance of information security policies

    practices and

    responsibilities of other users.

    ISP states the importance of InfoSec to

    objectives.

  • Information Security Policy

    A good ISP must include

    Statement of purpose:

    Outlines scope and applicability

    i.e. what is the purpose of this Policy and who is

    responsible for implementation.

    Security elements

    Need for information Security

    Roles and Responsibilities

    Reference to Other Standards and Guidelines

  • Information Security Policy

    Success of Information Security program

    lies in policy development.

    i.e. depending on how policies are defined and

    how they are implemented.

    What is Policy??

    Policies are statements of managements

    intentions and their goals.

    Policy is a plan or course of action intended to

    influence and determine decisions, actions and

    other matters.

  • Information Security Policy

    1. Email-Policy coverage: Confidentiality of information disclosed through e-mail communication.


    Disclosure of sensitive information such as password, PIN and credit card.

    2. Appropriate use of e-mails: Employees working for the organization should use the email facility for business purposes only

    No Obscene or profane message should be sent through emails.

    Size of the attachment should be restricted within approved limit

  • Information Security Policy

    The management reserves the right to

    monitor the use of email.

    The management may store email for

    retrieval at a later date for legal purposes.

  • Password policy

    The policy on password can define multiple

    attributes like

    1. Whether user ID and password can match

    2. Maximum occurrences of consecutive

    characters

    3. Maximum Lifetime of the password

    4. Minimum length of password

    5.

    used.
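    A checker for the attributes listed above, as an added example (not from the original slides): it reports every rule a candidate password violates instead of stopping at the first one. The thresholds (12 characters, runs of at most 2 identical characters, 90-day lifetime), the decision to read "user ID and password can match" as "password contains the user ID", and the function names are assumptions made for the illustration; only the four attributes stated in full above are implemented.

```python
"""Added example: password-policy checks for the attributes listed on the slide.
Thresholds and the record layout are assumptions, not values from the page."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12          # assumed minimum length
    max_consecutive: int = 2      # assumed longest allowed run of one character
    max_lifetime_days: int = 90   # assumed maximum password age
    allow_userid_in_password: bool = False


def longest_run(s: str) -> int:
    """Length of the longest run of a single repeated character ('aaab' -> 3)."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(user_id: str, password: str, age_days: int,
                   policy: PasswordPolicy = PasswordPolicy()) -> List[str]:
    """Return every violated rule; an empty list means the password complies.

    'User ID and password can match' is interpreted strictly here (an
    assumption): the password may not contain the user ID at all, compared
    case-insensitively.
    """
    violations: List[str] = []
    if not policy.allow_userid_in_password and user_id.lower() in password.lower():
        violations.append("password contains the user ID")
    if longest_run(password) > policy.max_consecutive:
        violations.append(
            f"more than {policy.max_consecutive} consecutive identical characters")
    if age_days > policy.max_lifetime_days:
        violations.append(f"password older than {policy.max_lifetime_days} days")
    if len(password) < policy.min_length:
        violations.append(f"shorter than {policy.min_length} characters")
    return violations


if __name__ == "__main__":
    # Constructed sample accounts: one non-compliant, one compliant.
    for uid, pw, age in [("alice", "aliceeee1", 100),
                         ("alice", "Tr0ub4dor&3-horse", 10)]:
        print(uid, pw, check_password(uid, pw, age) or "OK")
```

    Two of these attributes deserve a caveat when a policy is written today: forced periodic expiry and character-composition rules are discouraged by NIST SP 800-63B, which favours length, screening against known-breached passwords and rate limiting of guesses, so the lifetime and consecutive-character checks are best treated as tunable rather than mandatory.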

  • Policy Mapping

    Laws, Regulations, Requirements, Organizational goals, Objectives

    Functional Policies

    General Organizational Policies

    Procedures Standards Guidelines Baselines

    Policies include procedures, standards, guidelines, baselines

  • Policy Mapping

    Procedures are the detailed steps required to perform a specific task.

    Standards describe the uniform use of specific technologies throughout the organization.

    E.g. choice of OS, router configuration, approved applications

    Guidelines are recommended methods (not compulsory) to perform a specific task.

    E.g. Using anti-malware/antivirus software on all machines

    Baselines are similar to standards but give a detailed description of the required configuration for particular OS platforms and versions.

    E.g. Windows 7, Windows Server 2008, Red Hat Enterprise Linux 5.

  • Security Policy Life Cycle

    Investigate

    Analyze

    Implement

    Maintain

    Design blueprint for security

    Design planning for continuity

  • Security Policy Life Cycle

    Investigation Phase

    It has the support from senior management

    Has Support and active involvement of IT

    management

    Defines clear articulation of goals

    Includes the participation of the affected

    communities of interest.

    Defines detailed outline of the scope of the

    policy development project

  • Security Policy Life Cycle

    Analysis phase produces the following:

    A new risk assessment or IT audit document specifying the information security needs

    Key reference materials, including existing policies

    Design Phase: it contains the initial design framework, which after refinement turns into the blueprint.

    Users or organization members acknowledge the policy they have received by signing and dating a form.

  • Security Policy Life Cycle

    Implementation Phase

    Policy development team writes policies by using various resources:

    The Web

    Government sites such as NIST

    Professional literature

    Peer networks

    Professional consultants

    Maintenance phase

    Policy development team is responsible for monitoring, maintaining and modifying the policy.

  • Types of Information Security

    Policies

    Management defines three types of policies

    1. General or Security program policies

    2. Issue-specific security policies

    3. System-specific security policies

  • Types of Information Security

    Policies

    General or Security Program policy (SPP)

    SPP is used to set the strategic direction, scope

    and tone for all security tasks within

    organization.

    The Chief Information Officer (CIO) has the

    responsibility of drafting the executive-level

    document.

    Normally 2 to 10 pages long

  • Types of Information Security

    Policies

    Issue-specific security policies (ISSP)

    This contains the issue statement on the

    It addresses specific areas of technology and

    requires frequent updates.

    ISSP ensures a common understanding about

    the purposes for which an employee can and

    cannot use a technology.

  • Types of Information Security

    Policies

    Issue-specific security policies (ISSP)

    Protects both employee and organization from

    facing the inefficiency and ambiguity.

    It motivates the use of technology- based

    systems.

    It protects the organization against liability for

    E.g. Non Disclosure Agreement

  • Types of Information Security

    Policies

    Three approaches for creating/managing

    ISSP are:

    Create number of independent issue specific

    documents tailored for specific issues.

    Create single comprehensive document

    covering all issues.

    Create a modular document unifying overall

    policy creation/ management while addressing

    specific details with respect to individual

    issues.

  • Components of ISSP

    Policy Statement: this outlines the scope and applicability, i.e. what is the purpose and who is responsible for implementation.

    It also defines the technologies covered.

    Authorized access and usage of Equipment: it states that the user has no particular rights of use apart from those specified in the policy.

    Specifies who can use the technology mentioned in the policy and for what purpose it can be used, e.g. whether

    personal usage is permitted.

    Users have no general rights to use the equipment other than for the organization's purposes.

  • Components of ISSP

    Prohibited usage of Equipment

    Specifies common prohibitions such as

    criminal use, personal use, disruptive use of

    the computer, or use of copyrighted or licensed material

    Systems Management

    Defines the responsibilities of users and

    administrators

    This includes management of stored material,

    managing employees, virus protection,

    encryption of data, physical security

  • Components of ISSP

    Policy violations

    Specifies penalties for each kind of policy

    violation

    Also mentions procedures for reporting policy

    violation

    Policy Review and Modification

    Specifies procedures and timetable for policy

    review i.e. how frequently it should be

    modified.

  • Components of ISSP

    Limitations of Liability

    It includes statement of liability or disclaimers

    E.g. employee is caught doing illegal activities

    with organizations data or any other assets, he

    will not be protected by the organization for

    violating the company policy.

  • System-specific security policies

    While enterprise and issue-specific policies are

    written documents that users are made

    aware of, SysSPs specify the standards and

    procedures used for configuring and

    maintaining systems.

    SysSPs are mostly technical.

    They provide guidance and state procedures

    for configuring specific systems,

    technologies and applications.

  • System-specific security policies

    System configuration includes

    Intrusion detection systems configuration

    Firewall configuration

    Workstation configuration

  • System-specific security policies

    SysSPs can be categorized into two groups:

    1. Access Control Lists (ACLs)

    This consists of access control lists, matrices

    and capability tables controlling the rights and

    privileges of a particular user to a particular

    system
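    The representations named above, as an added example (not code from the original slides): one access control matrix rendered as per-object ACLs and as per-subject capability tables, with a default-deny permission check and a user revocation that shows why the two views differ in cost. Subjects, objects, rights and function names are constructed sample data for this illustration.

```python
"""Added example: access control matrix -> ACL view and capability view.
Subjects, objects and rights below are constructed, not from the page."""
from typing import Dict, Set

Rights = Set[str]
Matrix = Dict[str, Dict[str, Rights]]   # subject -> object -> rights

# Constructed sample access control matrix (rows: subjects, columns: objects).
MATRIX: Matrix = {
    "alice":      {"payroll.db": {"read", "write"}, "hr_policy.doc": {"read"}},
    "bob":        {"hr_policy.doc": {"read", "write"}},
    "svc_backup": {"payroll.db": {"read"}, "hr_policy.doc": {"read"}},
}


def acl_view(matrix: Matrix) -> Dict[str, Dict[str, Rights]]:
    """Column view: object -> subject -> rights, what an ACL stores per resource."""
    acls: Dict[str, Dict[str, Rights]] = {}
    for subject, objs in matrix.items():
        for obj, rights in objs.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def capability_view(matrix: Matrix) -> Dict[str, Dict[str, Rights]]:
    """Row view: subject -> object -> rights, a capability table per user."""
    return {s: {o: set(r) for o, r in objs.items()} for s, objs in matrix.items()}


def is_permitted(acls: Dict[str, Dict[str, Rights]],
                 subject: str, obj: str, right: str) -> bool:
    """Default deny: unknown object, unknown subject or missing right all fail."""
    return right in acls.get(obj, {}).get(subject, set())


def revoke_subject(acls: Dict[str, Dict[str, Rights]], subject: str) -> int:
    """Remove a subject everywhere. In an ACL system this touches every
    object's list; in a capability table it is a single row deletion.
    Returns the number of ACL entries removed."""
    removed = 0
    for entries in acls.values():
        if entries.pop(subject, None) is not None:
            removed += 1
    return removed


if __name__ == "__main__":
    acls = acl_view(MATRIX)
    print("alice may write payroll.db:", is_permitted(acls, "alice", "payroll.db", "write"))
    print("bob may read payroll.db:  ", is_permitted(acls, "bob", "payroll.db", "read"))
    print("entries removed for svc_backup:", revoke_subject(acls, "svc_backup"))
    print("capabilities of alice:", capability_view(MATRIX)["alice"])
```

    The same matrix answers "who can touch this file?" cheaply in the ACL view and "what can this account reach?" cheaply in the capability view; a SysSP that mandates prompt de-provisioning should say which view the system actually keeps, because that decides how expensive and error-prone revocation is.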

  • Access Control List


  • System-specific security policies

    2. Configuration Rules:

    This consists of specific configuration codes

    entered into security systems, which govern

    how the system executes.

    Configuration rules are more specific to the

    system operation than ACLs.

    These rules define specific configuration

    scripts, which guide the operating system or

    security device in what action to take on each

    set of information it processes.
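    Configuration rules of the kind described above, as an added example (not code from the original slides): a minimal evaluator for ordered firewall-style rules, where the first matching rule decides and anything unmatched is dropped. The rule syntax, the ruleset, the sample packets and the function names are constructed for this illustration and do not correspond to any particular product.

```python
"""Added example: first-match evaluation of ordered firewall configuration rules.
Rule syntax, ruleset and packets are constructed for this illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "deny"
    proto: str                                # "tcp", "udp" or "any"
    src: Optional[ipaddress.IPv4Network]      # None means any source
    dst: Optional[ipaddress.IPv4Network]      # None means any destination
    port: Optional[int]                       # destination port, None means any


def parse_rule(line: str) -> Rule:
    """Parse one line: '<allow|deny> <proto> <src-net> <dst-net> <port>'.
    'any' is the wildcard in every field (constructed syntax)."""
    action, proto, src, dst, port = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action: {action}")

    def net(s: str) -> Optional[ipaddress.IPv4Network]:
        return None if s == "any" else ipaddress.IPv4Network(s, strict=False)

    return Rule(action, proto, net(src), net(dst), None if port == "any" else int(port))


def parse_rules(text: str) -> List[Rule]:
    """Parse a ruleset, skipping blank lines and '#' comments. Order is kept."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str,
             dport: int) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the rule that decided); unmatched traffic
    is denied and reported with index None."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for i, r in enumerate(rules):
        if r.proto != "any" and r.proto != proto:
            continue
        if r.src is not None and src not in r.src:
            continue
        if r.dst is not None and dst not in r.dst:
            continue
        if r.port is not None and r.port != dport:
            continue
        return r.action, i
    return "deny", None


# Constructed ruleset: block one known-bad host, let the management network
# SSH to a bastion, let everyone reach the web tier on 443, deny the rest.
RULES = parse_rules("""
deny  tcp 192.0.2.99/32 any           any
allow tcp 10.0.0.0/8    192.0.2.10/32 22
allow tcp any           192.0.2.0/24  443
deny  any any           any           any
""")

if __name__ == "__main__":
    for pkt in [("tcp", "10.1.2.3", "192.0.2.10", 22),
                ("tcp", "203.0.113.5", "192.0.2.10", 22),
                ("tcp", "192.0.2.99", "192.0.2.10", 443)]:
        print(pkt, "->", evaluate(RULES, *pkt))
```

    Rule order is the configuration: moving the deny for 192.0.2.99 below the allow lines would let that host through on 443, which is exactly the kind of edit a SysSP should subject to review before it reaches the device. The trailing deny-all makes the default explicit; the evaluator denies anyway when nothing matches, so the two agree.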

  • Policy Infrastructure

    Foundations for information Security is

    The major information security functions

    are:

    1. Information protection

    2. Control the access to information

    3. Administer (monitor) the users

  • Policy Infrastructure

    Information Security Policies and Standards

    Manage Security

    Control access

    Information Protection

    Administer Users

  • Policy Design Life Cycle

    First, identify the information security

    goals and Cabinet goals. Then form the

    policy.

    Policy should include standards,

    procedures and guidelines.

    Make users aware of all these so that they

    can do their job securely.

    Only then can complete Information Security be

    achieved.

  • Policy Design Life Cycle

    IS Goal

    Policy

    Cabinet Goal

    Standards Guidelines Procedures

    Awareness

    Action

    InfoSec


  • Policy Design Processes

    Policy life cycle can be designed by using 10 -step approach, each step allows the designing of policy.

    1. Collect Background Information

    2. Perform Risk Assessment

    3. Create a Policy Review Board

    4. Develop the Information Security Plan

    5. Develop IS Policies, Standards and guidelines

    6. Implement Policies and Standards

    7. Awareness and Training

    8. Monitor for Compliance

    9. Evaluate policy Effectiveness

    10. Modify the Policy

  • Policy Design 10 step approach

    1. Collect Background Information

    Based on existing policy, Identify what

    procedures and guidelines to be included in

    the new policy.

    Determine different levels of control which

    will need access to the confidential

    information.

    Decide who should design the policy e.g.

    top management or anyone related to law.

  • Policy Design 10 step approach

    2. Perform Risk Assessment

    Validate the policy against any possible risks.

    Identify the risky and complex functions

    Identify the difficult processes

    Identify the confidential data and possible

    risks associated with it.

    Analyze the possible vulnerabilities .

  • Policy Design - 10 step approach

    3. Create a Policy Review Board

    Determine the policy Development Process

    Write the

    Comments and Suggestions

    Resolve the issues (if any) face to face.

    Submit the

    Cabinet for approval

  • Policy Design - 10 step approach

    4. Develop Information Security Plan

    Determine the organizational goals

    Define the various Roles and

    Responsibilities

    Notify users of Information about the

    directions specified in the policy.

    Establish a foundation for compliance, risk

    assessment and audit of information security.

  • Policy Design - 10 step approach

    5. Develop IS policies , Standard and Guidelines

    Policies

    These are high-level statements written by the Board of Directors that notify workers about who is responsible for making each type of decision.

    Standards

    These are requirement statements that set out specific technical specifications.

    Guidelines

    These are recommendations which can be included in the policy.

  • Policy Design - 10 step approach

    6. Implement Policies and Standards

    Notify and distribute the policy amongst users

    Have users agree to the policy before accessing the confidential system.

    Enforce the controls needed to meet the policy.

    7. Awareness and Training

    Make system users aware of their expected behavior

    Train users about how and when

    Training will help to minimize information loss and theft

    It also reduces the need for strict controls

  • Policy Design - 10 step approach

    8. Monitor for compliance

    Security management is required for

    establishing controls on information

    Security management must review the status

    of control regularly

    Implement the user contracts (i.e. code of

    conduct)

    Establish effective authorization approval

    Conduct internal review process

    Conduct internal audit reviews

  • Policy Design - 10 step approach

    9. Evaluate Policy Effectiveness

    Evaluate the policy for any problems

    Document the policy regularly

    Report it to management

    10. Modify the Policy

    Modifications are necessary to incorporate changes like

    Upcoming technology

    New threats

    New goals or modified existing goals

    Changes in the standard

    Changes in law

    Failure of the existing policy

  • Sample Policy


    Sample Antivirus Policy.pdf