Chapter 1: Security Management Practices
-
Introduction to
Cyber/Information Security
Module 2: Security Management
-
Module 2: Security Management
Chapter I: Security Management Practices
1. Overview of Security Management
2. Information Classification Process
3. Security Policy
4. Risk Management
5. Security Procedures and Guidelines
6. Business Continuity and Disaster Recovery
7. Ethics and Best Practices
-
Module 2: Security Management
Chapter 2: Security Laws and Standards
1. Security Assurance
2. Security Laws
3. IPR
4. International Standards
5. Security Audit
6. SSE-CMM / COBIT etc
-
Security Principles
Identification:
To have proper identification of a user.
Authentication:
To authenticate the identity of the user.
Authorization:
To authorize the authenticated user.
Privacy:
The user will use the data only for the authorized purpose.
Non-Repudiation:
The user cannot deny having done a particular thing.
-
Information Security
Information is an integral part of any
business and managing it correctly rests on
three basic pillars (the CIA Triangle):
Confidentiality: the information must only
be accessible to its predefined recipients.
Integrity: the information must be correct
and complete.
Availability: the information must be
accessible when it is needed.
-
Information Security
Security Management must ensure that
the information is correct and complete,
that it is always available for business
purposes and that it is only used by the
people who are authorized to do so.
-
Information Security
Information Security (InfoSec) includes
three components:
Management of Information Security
Network Security
Computer and Data Security
-
Security Management
The main benefits of proper Security Management are:
Interruptions to service caused by viruses, computers being hacked into, etc. are avoided.
The number of incidents is minimized.
Information is accessible when it is needed and data integrity is preserved.
Data confidentiality, and the privacy of customers and users, is preserved.
Regulations on data protection are complied with.
The quality of service for customers and users, and their confidence in it, is improved.
-
Security Management
The main difficulties when implementing Security Management may be summarised as:
There is insufficient commitment to the process from all the members of the IT organisation.
Excessively restrictive security policies are established, with a negative effect on the business.
The tools needed to monitor and guarantee the security of the service (firewalls, antivirus software, etc.) are not available.
Staff are not given adequate training to be able to apply security protocols.
There is a lack of coordination between the different processes, making it impossible to evaluate the risks properly.
-
Information Security Management
Principles of Information Security
Management
Planning
Policy
Programs
Protection
People
Project Management
-
Principles of Information Security
Management
Planning
The InfoSec planning model includes the activities
essential to support the design, creation and
implementation of InfoSec strategies within the
IT environment.
Various plans: incident response plan,
business continuity plan, disaster recovery
plan, policy plan, personnel plan, risk
management plan, and education, training and
awareness plan.
-
Principles of Information Security
Management
Policy
It is a set of organizational guidelines that lists
out certain rules of organizational behavior.
Three general categories:
General program policy (enterprise security policy)
Issue-specific security policy
System-specific policies
-
Principles of Information Security
Management
Programs
It includes specific entities managed in the
InfoSec domain such as
SETA (security education, training and awareness),
the physical security program and
the guards program.
-
Principles of Information Security
Management
Protection
It includes risk management activities such as
risk assessment and control,
protection mechanisms,
technologies and tools.
-
Principles of Information Security
Management
People
People play a key role in the organisation and it
is important that managers recognise the key
role that people play.
This includes the information security personnel,
the security of personnel, as well as aspects of
the SETA program.
-
Principles of Information Security
Management
Project Management
This is present throughout all the phases of
the InfoSec program.
It involves identifying and controlling project
resources, measuring success and making
the required changes.
-
Need of ISMS
InfoSec achieved through technical means
alone is limited.
InfoSec also depends on people, policies,
processes and procedures.
Resources are limited.
It is an ongoing activity.
-
Benefits of ISMS
Manages risk to suit the business activity.
Manages incident handling activities.
Builds a security culture, which increases trust,
customer confidence and business
opportunity.
Conforms to the requirements of the
standard.
-
Applications of ISMS
Banks
Insurance companies
Manufacturing companies
Hospitals
Software developments
-
Information Classification
-
Information Classification
for suitable treatment.
All organizations, whether government, public, private
or defense, need to classify their information.
Reason for classification: not all
data/information has the same level of
importance or the same level of relevance/criticality
to an organization.
E.g. loss of trade secrets, formulae or new product
information can cause significant loss to the
organization.
-
Information Classification
Benefits of information classification
Information classification is a demonstration of an organization's commitment to security protection.
It helps identify which information is most sensitive or vital to an organization.
It supports the tenets of CIA as they pertain to data.
It helps identify which protections apply to which information.
It fulfils statutory requirements towards regulatory, compliance or legal mandates.
-
Information Classification
The information produced or processed by
an organization must be classified
according to the organization's sensitivity to its
loss or disclosure.
The data owners are responsible for
defining the sensitivity level of data.
This enables security controls to be properly
implemented as per the classification.
-
Terms for information
Classification
The following definitions describe several
schemes used for levels of
data/information classification
Unclassified
Sensitive but unclassified (SBU)
Confidential
Secret
Top Secret
-
Information Classification
Unclassified: information that is neither sensitive nor classified. The public release of this information does not violate confidentiality.
Sensitive but unclassified (SBU): information designated as a minor secret, whose disclosure may not create serious damage. E.g. health care, answers to tests.
Confidential: information designated to be of a confidential nature. The unauthorised disclosure of this information could cause some damage to security. E.g. teacher feedback.
-
Information Classification
Secret: information that is designated to
be of a secret nature. The unauthorized
disclosure of information of this nature could cause
serious damage to security. E.g.
contracts
Top Secret: this is the highest level of
information classification (e.g. normally in
defense organisations). Any unauthorised
disclosure of top secret information will
cause exceptionally grave damage to
security.
-
Information Classification
It is not good practice to deal with too much data or to provide employees/other business entities with all the data.
Organizations make data available to
basis.
The following classification is also prevalent in most private organizations.
Public
Sensitive
Private
-
Information Classification
Public: information similar to unclassified information, i.e. all of the organization's information that is
considered to be public. This information probably should not be discussed, but even if it is disclosed it is not expected to seriously or adversely impact the organization.
Sensitive: information that requires a higher level of classification than normal data. This information is protected from loss of confidentiality as well as from loss of integrity owing to unauthorized alteration.
-
Information Classification
Private: this information is considered to be of a
personal nature and is intended for
company use only. Its disclosure can
adversely affect the company or its
employees. E.g. salary levels, medical
information.
-
Criteria for classification of data
and information
Classification of an Information Object
Value: the most common criterion for classifying data in the private sector. If information is valuable to the organization or its competitors, then it needs to be classified.
Age: the classification of information may be lowered if the value of the information decreases over time.
Useful Life: if the information has become obsolete owing to new information or substantial changes in the company, the information can be declassified.
Personal Association: if information is personally associated with specific individuals or is addressed by privacy law, it may be classified.
-
How do organizations classify
data and information
Primary procedural steps
Identify the owner/administrator/custodian for
data/information which is considered to be
important.
Specify the criteria for information to be classified
and labeled.
Classify the data (done by its owner).
Specify and document any exceptions to the
classification policy.
-
How do organizations classify
data and information
Primary procedural steps
Depending on its classification, specify who is
authorized to access the data/information.
Specify the termination procedures for
declassifying the information.
Create an enterprise awareness program about
the data/information classification controls.
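The criteria slides (value, age, useful life, personal association) and the step "specify who is authorized to access the data depending on its classification" can be expressed as one small decision function. The following is an added example written for this transcript, not code from the course: the five level names are the ones the slides use, but the `InfoObject` fields, the 0..3 value scale, the half-of-useful-life decay rule and the clearance dominance rule in `may_access` are assumptions made for illustration, since the slides give criteria but no numbers.

```python
"""Added example, not from the slides: apply the classification criteria
(value, age, useful life, personal association) to get one of the five
levels, then decide who may access the object from that level. Field names,
scales and the clearance rule are assumptions for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Levels from the slides, least to most sensitive.
LEVELS = ["Unclassified", "SBU", "Confidential", "Secret", "Top Secret"]


@dataclass
class InfoObject:
    name: str
    owner: str                          # the data owner decides the level
    value_to_org: int                   # assumed scale 0 (none) .. 3 (trade secret)
    created: date
    useful_life_days: Optional[int]     # None = never becomes obsolete by age
    personal_data: bool                 # "personal association" criterion
    superseded: bool = False            # newer information has replaced it
    owner_level: Optional[str] = None   # an explicit owner decision wins


def classify(obj: InfoObject, today: date) -> str:
    """Apply the criteria in order: owner decision, useful life, value, age,
    personal association. Returns a level name from LEVELS."""
    if obj.owner_level is not None:
        if obj.owner_level not in LEVELS:
            raise ValueError(f"unknown level {obj.owner_level!r}")
        return obj.owner_level
    # Useful life: obsolete information is declassified.
    if obj.superseded:
        return "Unclassified"
    age_days = (today - obj.created).days
    if obj.useful_life_days is not None and age_days > obj.useful_life_days:
        return "Unclassified"
    # Value: the most common private-sector criterion.
    if not 0 <= obj.value_to_org <= 3:
        raise ValueError("value_to_org must be in 0..3")
    level_index = obj.value_to_org
    # Age: value decays; past half its useful life the item drops one level
    # (assumed rule).
    if obj.useful_life_days is not None and age_days > obj.useful_life_days // 2:
        level_index = max(0, level_index - 1)
    # Personal association: privacy-law data is at least Confidential.
    if obj.personal_data:
        level_index = max(level_index, LEVELS.index("Confidential"))
    return LEVELS[level_index]


def may_access(clearance: str, level: str) -> bool:
    """Dominance rule assumed for the example: a subject may access an object
    whose level is no higher than the subject's clearance."""
    return LEVELS.index(clearance) >= LEVELS.index(level)


def level_for(value: int, age_days: int, useful_life_days: Optional[int],
              personal: bool, superseded: bool = False) -> str:
    """Convenience wrapper: classify a constructed object of the given age."""
    today = date(2024, 6, 1)                        # constructed reference date
    obj = InfoObject("sample", "owner", value, today - timedelta(days=age_days),
                     useful_life_days, personal, superseded)
    return classify(obj, today)


if __name__ == "__main__":
    # Constructed sample objects: (label, value, age in days, useful life, personal)
    samples = [("formula-X", 3, 0, None, False), ("payroll-2024", 1, 0, None, True),
               ("press-release-2023", 2, 400, 365, False), ("roadmap", 2, 200, 365, False)]
    for label, *args in samples:
        lvl = level_for(*args)
        print(f"{label:20} -> {lvl:12} readable with Confidential clearance: {may_access('Confidential', lvl)}")
```

The explicit `owner_level` reflects the slide's rule that the data owner makes the original classification decision; the computed path only applies when the owner has not decided, and declassification by age or obsolescence happens before the value and personal-data checks so that stale items are never over-protected.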
-
Information classification: Roles
The roles and responsibilities of all the
participants in the information
classification program must be clearly
defined.
Owner
Custodian
User
-
Information classification: Roles
Owner:
Responsible for the information asset that must be protected.
Makes the original decision about the level of classification of information based on the business need.
Reviews the classification assignment periodically and makes alterations if required.
Delegates the responsibility of protection.
-
Information classification: Roles
Custodian
Running regular backups and
routinely testing for validity.
Performing data restoration from
backups
Maintaining the retained records in
accordance with legal requirements.
-
Information classification: Roles
User:
It is mandatory for users to follow
the operating procedures that are
policy.
Take necessary care to maintain
-
Data Obfuscation
It is one solution to data theft.
Data obfuscation means data that has been
rendered unusable by some means, but it is
not considered a serious form of
encryption.
It is not very difficult to decipher an
obfuscation scheme given enough data.
An effective method involves chopping text
into segments, re-arranging them as well as
obfuscating them.
-
Business Classification Systems
Critical: functions supported by the systems
cannot be performed unless replaced by
identical capabilities. Tolerance to
interruption is low. Cost of interruption is
high.
E.g. entry to a high-security vault using a fingerprint
reader: if the reader gets damaged,
functionality halts.
-
Business Classification Systems
Vital: functions can be performed
manually, but only for a brief period of
time. Higher tolerance to interruption than
critical systems. Cost of interruption is
low (if restoration is within the time limit).
E.g. if the lift in a 30-floor
building fails, one can use the staircase for the time being.
-
Business Classification Systems
Sensitive: functions can be performed
manually at a tolerable cost for an
extended period of time.
E.g. if the in-house
printing machine is not functioning, paper printing is
outsourced.
Non-critical: functions may be
interrupted for an extended period of time,
at little or no cost to the company.
E.g. the coffee machine not functioning.
-
Event Classification
Events that can result in damage to information systems are typically classified as:
Disaster: an event that causes permanent and substantial damage or destruction to the property, equipment, information, staff or services of the business. E.g. natural disasters.
Crisis: an abnormal situation that presents some extraordinary risks to a business and that will develop into a disaster. E.g. a server getting hacked.
Catastrophe: a major disruption resulting from the destruction of critical processing equipment. E.g. a hard disk crash.
-
Security Policy
-
Policy (in general)
A policy is a principle or protocol to guide
decisions and achieve rational outcomes.
It is a statement of intent, and is
implemented as a procedure or protocol.
Policies are generally adopted by senior
management.
Policies can assist in both subjective and
objective decision making.
-
Policy (in general)
In subjective decision making, policy
assists management in considering the relative
merits of a number of factors before
making a decision. E.g. a work-life balance
policy.
Objective decisions are usually
operational in nature and can be
objectively tested. E.g. a password policy.
-
Types of Policies (in general)
In general, a policy can be of the following types:
Regulatory Policy
Advisory Policy
Informative Policy
-
Regulatory Policy
These kinds of policies are a must for an
organization owing to compliance,
regulation or other legal requirements in its
environment.
E.g. staff teaching a PG course must have
certain qualifications.
These are very detailed and specific to
the industry in which the business
organization operates.
-
Regulatory Policy
Purposes of the regulatory policy are
Ensuring that an organization follows the
standard procedures or base practices of an
operation in its specific industry.
Giving an organization the confidence that it is
following the standard and accepted industry
policy.
-
Advisory Policy (good to follow)
These are not mandatory but are
strongly recommended.
Normally the consequences of not following
them are defined.
E.g. a business conduct guidelines policy; if not
followed, it may result in job termination.
Organizations expect employees to treat
these as mandatory policies.
Many policies fall under this broad
category.
-
Informative policy
These are simply to inform the reader.
There are no implied or specified
requirements.
The audience can be an internal entity or an external
party.
-
Information Security Policy
-
Need of the Policy
A quality information security program is
all about having good policies in place, i.e.
from start to end.
Policies contribute to the success of the
organization.
Policies form important reference
documents for
conducting internal audits and
resolving legal disputes about the
management.
-
Information Security Policy
A security policy is a preventative mechanism for protecting important company data and processes.
It communicates a coherent (logical) security standard to users, management and technical staff.
A policy can be used to measure the relative security of current systems.
A policy is important for defining interfaces to external partners.
There are mandatory legal requirements as regards protection of customer and employee data.
A policy is a prerequisite to quality control (ISO 900x).
-
Information Security Policy
The ISP sets the strategic direction and scope
for all the organization's security efforts.
It assigns responsibilities for information
security, such as
maintenance of information security policies and
practices, and
the responsibilities of other users.
The ISP states the importance of InfoSec to
objectives.
-
Information Security Policy
A good ISP must include
Statement of purpose:
outlines scope and applicability,
i.e. what the purpose of this policy is and who is
responsible for implementation.
Security elements
Need for information security
Roles and responsibilities
Reference to other standards and guidelines
-
Information Security Policy
The success of an information security program
lies in policy development,
i.e. it depends on how policies are defined and
how they are implemented.
What is a policy?
Policies are statements of management's
intentions and goals.
A policy is a plan or course of action intended to
influence and determine decisions, actions and
other matters.
-
Information Security Policy
1. Email policy coverage: confidentiality of information disclosed through e-mail communication.
-mails
Disclosure of sensitive information such as passwords, PINs and credit card numbers.
2. Appropriate use of e-mail: employees working for the organization should use the email facility for business purposes only.
No obscene or profane messages should be sent through email.
The size of attachments should be restricted to within the approved limit.
-
Information Security Policy
1.
The management reserves the right to
monitor the use of email.
The management may store email for
retrieval at a later date for legal purposes.
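The e-mail policy points above (attachment size limit, no disclosure of passwords, PINs or card numbers, no profane content) are the kind of rules a mail gateway can check on outbound messages. The following is an added example written for this transcript, not code from the course or from any mail product: the `Email` structure, the 10 MiB limit, the tiny profanity list, the regular expressions and the two sample messages are all constructed for illustration.

```python
"""Added example, not from the slides: an outbound e-mail policy check for the
points listed above. The message structure, the size limit, the word list,
the patterns and the sample messages are constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024          # assumed approved limit
PROFANE_WORDS = {"damn", "crap"}                 # tiny constructed word list
# "password: ..." / "PIN = ..." style disclosures inside the body.
SECRET_DISCLOSURE = re.compile(r"\b(password|passwd|pin)\b\s*[:=]", re.IGNORECASE)
# 13..19 digits optionally separated by spaces or hyphens; Luhn filters false hits.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


@dataclass
class Email:
    sender: str
    recipient: str
    body: str
    attachments: Dict[str, int] = field(default_factory=dict)   # name -> size in bytes


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; rejects most random digit
    runs (phone numbers, ticket ids) that the regex alone would flag."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def check_email(msg: Email) -> List[str]:
    """Return the list of policy violations for one outbound message
    (an empty list means the message complies)."""
    violations = []
    for name, size in msg.attachments.items():
        if size > MAX_ATTACHMENT_BYTES:
            violations.append(f"attachment {name!r} exceeds the approved size limit")
    if SECRET_DISCLOSURE.search(msg.body):
        violations.append("body appears to disclose a password or PIN")
    for m in CARD_CANDIDATE.finditer(msg.body):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            violations.append("body appears to contain a credit card number")
            break
    if set(re.findall(r"[a-z']+", msg.body.casefold())) & PROFANE_WORDS:
        violations.append("body contains profane language")
    return violations


# Constructed sample messages. 4111 1111 1111 1111 is a widely published
# test card number, not a real account.
SAMPLE_LEAKY = Email(
    "asha@example.com", "vendor@example.net",
    "Hi, my password: changeme and the card is 4111 1111 1111 1111. Damn printer again.",
    {"report.pdf": 12 * 1024 * 1024})
SAMPLE_CLEAN = Email(
    "asha@example.com", "team@example.com",
    "Please find the quarterly figures attached.", {"q1.xlsx": 200 * 1024})

if __name__ == "__main__":
    for label, msg in (("leaky", SAMPLE_LEAKY), ("clean", SAMPLE_CLEAN)):
        print(label, check_email(msg) or "no violations")
```

The check returns every violation rather than stopping at the first one, so the report sent back to the user (or logged for the monitoring the slide mentions) shows everything that needs fixing; a real gateway would also decode attachments and use a maintained word list rather than the two-word one constructed here.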
-
Password policy
The policy on passwords can define multiple
attributes such as:
1. Whether the user ID and password can match
2. Maximum occurrences of consecutive
characters
3. Maximum lifetime of the password
4. Minimum length of the password
5.
used.
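A password policy with the attributes listed on this slide can be enforced at account creation or password change with a checker like the one below. It is an added example written for this transcript, not code from the course: the threshold values (12 characters, runs of at most 3 identical or 4 sequential characters, 90-day lifetime), the reading of "consecutive characters" as both identical runs and sequential runs, and the message strings are assumptions, since the slide names the attributes but gives no values.

```python
"""Added example, not from the slides: a password-policy checker for the
attributes the slide lists. Thresholds, the interpretation of "consecutive
characters" and the message strings are assumptions for illustration."""
from dataclasses import dataclass
from itertools import groupby
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    max_identical_run: int = 3      # "aaaa" is rejected
    max_sequential_run: int = 4     # "12345" and "abcde" are rejected
    max_lifetime_days: int = 90
    allow_match_user_id: bool = False


DEFAULT_POLICY = PasswordPolicy()


def longest_identical_run(s: str) -> int:
    """Length of the longest run of one repeated character."""
    return max((sum(1 for _ in g) for _, g in groupby(s)), default=0)


def longest_sequential_run(s: str) -> int:
    """Length of the longest run in which each character is the next
    codepoint of the previous one, e.g. 'abcd' or '1234'."""
    best = cur = 1 if s else 0
    for prev, ch in zip(s, s[1:]):
        cur = cur + 1 if ord(ch) == ord(prev) + 1 else 1
        best = max(best, cur)
    return best


def check_password(policy: PasswordPolicy, user_id: str, password: str,
                   age_days: Optional[int] = None) -> List[str]:
    """Return every policy violation found (empty list means compliant).
    age_days is the time since the password was last changed, if known."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if not policy.allow_match_user_id and password.casefold() == user_id.casefold():
        problems.append("password matches user ID")
    run = longest_identical_run(password)
    if run > policy.max_identical_run:
        problems.append(f"{run} identical characters in a row (max {policy.max_identical_run})")
    seq = longest_sequential_run(password)
    if seq > policy.max_sequential_run:
        problems.append(f"{seq} sequential characters in a row (max {policy.max_sequential_run})")
    if age_days is not None and age_days > policy.max_lifetime_days:
        problems.append(f"password is {age_days} days old (max {policy.max_lifetime_days})")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for uid, pw, age in (("asha", "asha", None), ("asha", "correct-horse-battery", None),
                         ("asha", "aaaa12345xyz", None), ("asha", "correct-horse-battery", 100)):
        print(f"{pw!r:25} -> {check_password(DEFAULT_POLICY, uid, pw, age) or 'ok'}")
```

Returning the full list of problems, rather than a single boolean, lets the same function drive both an interactive prompt and a periodic audit of password age; the lifetime check is only applied when an age is supplied, so the function can be used before any change date exists.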
-
Policy Mapping
Laws, Regulations, Requirements, Organizational goals, Objectives
Functional Policies
General Organizational Policies
Procedures Standards Guidelines Baselines
Policies include procedures, standards, guidelines, baselines
-
Policy Mapping
Procedures are the detailed steps required to perform a specific task.
Standards describe the uniform use of specific technologies throughout the organization.
E.g. Use of OS, router configuration, application
Guidelines are recommended methods (not compulsory) to perform a specific task.
E.g. using anti-malware/antivirus software on all machines
Baselines are similar to standards but give a detailed description of different OS and versions.
E.g. Windows 2007, Windows 2008, Red Hat Enterprise Linux 5.
-
Security Policy Life Cycle
Investigate
Analyze
Implement
Maintain
Design blueprint for security
Design planning for continuity
-
Security Policy Life Cycle
Investigation Phase
It has the support of senior management.
It has the support and active involvement of IT
management.
It defines a clear articulation of goals.
It includes the participation of the affected
communities of interest.
It defines a detailed outline of the scope of the
policy development project.
-
Security Policy Life Cycle
The analysis phase produces the following: a new risk assessment or
IT audit document specifying the information security needs, and
key reference materials, including existing policies.
Design phase: this contains the initial design framework, which after refinement turns into the blueprint.
Users or organization members acknowledge what they have received by signing and dating a form.
-
Security Policy Life Cycle
Implementation Phase
Policy development team writes policies by using various resources:
The Web
Government sites such as NIST
Professional literature
Peer networks
Professional consultants
Maintenance phase
Policy development team is responsible for monitoring, maintaining and modifying the policy.
-
Types of Information Security
Policies
Management defines three types of policies
1. General or Security program policies
2. Issue-specific security policies
3. System-specific security policies
-
Types of Information Security
Policies
General or Security Program policy (SPP)
The SPP is used to set the strategic direction, scope
and tone for all security tasks within the
organization.
The Chief Inspection Officer (CIO) has the
responsibility of drafting the executive-level
document.
It is normally 2 to 10 pages long.
-
Types of Information Security
Policies
Issue-specific security policies (ISSP)
This contains the issue statement on the
It addresses specific areas of technology and
requires frequent updates.
The ISSP ensures a common understanding about
the purposes for which an employee can and
cannot use a technology.
-
Types of Information Security
Policies
Issue-specific security policies (ISSP)
It protects both the employee and the organization from
inefficiency and ambiguity.
It motivates the use of technology-based
systems.
It protects the organization against liability for
E.g. Non Disclosure Agreement
-
Types of Information Security
Policies
Three approaches for creating/managing
ISSP are:
Create a number of independent issue-specific
documents tailored to specific issues.
Create a single comprehensive document
covering all issues.
Create a modular document unifying overall
policy creation/management while addressing
specific details with respect to individual
issues.
-
Components of ISSP
Policy statement: this outlines the scope and applicability, i.e. what the purpose is and who is responsible for implementation.
It also defines the technologies used.
Authorized access and usage of equipment: it states that the user has no particular rights of use apart from those specified in the policy.
It specifies who can use the technology mentioned in the policy and for what purpose it can be used, e.g.
personal usage.
Users have no general rights to use it other than for the organization's purposes.
-
Components of ISSP
Prohibited usage of equipment
Specifies common prohibitions such as
criminal use, personal use, disruptive use of
computers, and use of copyrighted or licensed data.
Systems management
Defines the responsibilities of users and
administrators.
This includes management of stored material,
managing employees, virus protection,
encryption of data and physical security.
-
Components of ISSP
Policy violations
Specifies penalties for each kind of policy
violation
Also mentions procedures for reporting policy
violation
Policy Review and Modification
Specifies procedures and timetable for policy
review i.e. how frequently it should be
modified.
-
Components of ISSP
Limitations of Liability
It includes statement of liability or disclaimers
E.g. employee is caught doing illegal activities
with organizations data or any other assets, he
will not be protected by the organization for
violating the company policy.
-
System-specific security policies
While ISPs are known for written
documents and for making users aware of
them, SysSPs specify the standards and
procedures used for configuring and
maintaining systems.
SysSPs are mostly technical.
They provide guidance and state procedures
for configuring specific systems,
technologies and applications.
-
System-specific security policies
System configuration includes
Intrusion detection systems configuration
Firewall configuration
Workstation configuration
-
System-specific security policies
SysSPs can be categorized into two groups:
1. Access Control Lists (ACLs)
These consist of access control lists, matrices
and capability tables controlling the rights and
privileges of a particular user to a particular
system.
-
Access Control List (diagram slide; image not included in the transcript)
-
System-specific security policies
2. Configuration Rules:
These consist of specific configuration codes
entered into security systems, which govern
the system's execution.
Configuration rules are more specific to the
system's operation than ACLs.
These rules define specific configuration
scripts, which guide the operating system on
what actions to perform on each set of
information it processes.
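The two SysSP groups above, access control lists/matrices/capability tables and configuration rules, can be shown together on one small access-control matrix: the same set of rights viewed per object (an ACL), per subject (a capability table), and loaded from text rules of the kind a configuration script would carry. The following is an added example written for this transcript, not code from the course or from any operating system: the `AccessMatrix` class, the `allow|deny subject object rights` rule syntax and the sample subjects, objects and rights are all constructed for illustration.

```python
"""Added example, not from the slides: one access-control matrix presented
as a matrix, as per-object ACLs and as per-subject capability tables, plus a
loader for constructed configuration-rule lines. All names are sample values."""
from collections import defaultdict
from typing import Dict, Set

RIGHTS = {"read", "write", "execute", "admin"}   # assumed right names


class AccessMatrix:
    """subject -> object -> set of rights; absent entries grant nothing."""

    def __init__(self) -> None:
        self._m: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        bad = set(rights) - RIGHTS
        if bad:
            raise ValueError(f"unknown rights {sorted(bad)}")
        self._m[subject][obj].update(rights)

    def revoke(self, subject: str, obj: str, *rights: str) -> None:
        self._m[subject][obj].difference_update(rights)

    def allowed(self, subject: str, obj: str, right: str) -> bool:
        """Default deny: .get() does not create entries for unknown names."""
        return right in self._m.get(subject, {}).get(obj, set())

    def acl(self, obj: str) -> Dict[str, Set[str]]:
        """Object-centric view: which subjects hold which rights on obj."""
        return {s: set(objs[obj]) for s, objs in self._m.items() if objs.get(obj)}

    def capabilities(self, subject: str) -> Dict[str, Set[str]]:
        """Subject-centric view: which objects the subject may use and how."""
        return {o: set(r) for o, r in self._m.get(subject, {}).items() if r}


def load_rules(text: str) -> AccessMatrix:
    """Parse constructed configuration-rule lines of the form
    'allow|deny <subject> <object> <right>[,<right>...]' into a matrix.
    Later lines override earlier ones, so a deny after an allow removes the right."""
    m = AccessMatrix()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        action, subject, obj, rights = parts
        (m.grant if action == "allow" else m.revoke)(subject, obj, *rights.split(","))
    return m


# Constructed sample rules for a firewall configuration file and an IDS rule set.
SAMPLE_RULES = """\
# allow|deny <subject> <object> <rights>
allow alice firewall.conf read,write
allow bob   firewall.conf read
allow alice ids.rules     read
deny  bob   ids.rules     read
"""

if __name__ == "__main__":
    m = load_rules(SAMPLE_RULES)
    print("ACL for firewall.conf:", m.acl("firewall.conf"))
    print("capabilities of alice:", m.capabilities("alice"))
    print("bob may write firewall.conf:", m.allowed("bob", "firewall.conf", "write"))
```

Both views are derived from the same matrix, which is the point of the slide's grouping: an ACL answers "who may touch this system?" and a capability table answers "what may this user touch?", and keeping one source of truth prevents the two from drifting apart when rights are revoked.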
-
Policy Infrastructure
Foundations for information Security is
The major information security functions
are:
1. Information protection
2. Controlling access to information
3. Administering (monitoring) the users
-
Policy Infrastructure
Information Security Policies and Standards
Manage Security
Control access
Information Protection
Administer Users
-
Policy Design Life Cycle
First, identify the information security
goals and the Cabinet goals. Then form the
policy.
The policy should include standards,
procedures and guidelines.
Make users aware of all these so that they
can do their jobs securely.
only complete Information Security can be
achieved.
-
Policy Design Life Cycle
Diagram elements: IS goal, Cabinet goal, policy, standards, guidelines, procedures, awareness, action, InfoSec.
-
Design Processes
The policy life cycle can be designed using a
10-step approach; each step contributes to
the design of the policy.
-
Policy Design Processes
1. Collect Background Information
2. Perform Risk Assessment
3. Create a Policy Review Board
4. Develop the Information Security Plan
5. Develop IS Policies, Standards and guidelines
6. Implement Policies and Standards
7. Awareness and Training
8. Monitor for Compliance
9. Evaluate policy Effectiveness
10. Modify the Policy
-
Policy Design 10 step approach
1. Collect Background Information
Based on the existing policy, identify what
procedures and guidelines are to be included in
the new policy.
Determine the different levels of control which
will need access to the confidential
information.
Decide who should design the policy, e.g.
top management or anyone related to law.
-
Policy Design 10 step approach
2. Perform Risk Assessment
Validate the policy against any possible risks.
Identify the risky and complex functions.
Identify the difficult processes.
Identify the confidential data and the possible
risks associated with it.
Analyze the possible vulnerabilities.
-
Policy Design - 10 step approach
3. Create a Policy Review Board
Determine the policy Development Process
Write the
Comments and Suggestions
Resolve the issues (if any) face to face.
Submit the
Cabinet for approval
-
Policy Design - 10 step approach
4. Develop Information Security Plan
Determine the organizational goals
Define the various Roles and
Responsibilities
Notify users of the directions specified in
the policy.
Establish a foundation for compliance, risk
assessment and audit of information security.
-
Policy Design - 10 step approach
5. Develop IS Policies, Standards and Guidelines
Policies
These are high-level statements written by the Board of Directors that notify workers about who is responsible for making any type of decision.
Standards
These are requirement statements that depict specific technical specifications.
Guidelines
These are recommendations which can be included in the policy.
-
Policy Design - 10 step approach
6. Implement Policies and Standards: notify and distribute the policy amongst users.
Make users agree to the policy before they access the confidential system.
Enforce the controls needed to meet the policy.
7. Awareness and Training: make system users aware of their expected behaviour.
Train users about how and when
Training will help to minimize information loss and theft.
It also reduces the need for strict controls.
-
Policy Design - 10 step approach
8. Monitor for compliance
Security management is required for
establishing controls on information.
Security management must review the status
of controls regularly.
Implement user contracts (i.e. a code of
conduct).
Establish effective authorization approval.
Conduct an internal review process.
Conduct internal audit reviews.
-
Policy Design - 10 step approach
9. Evaluate Policy Effectiveness: evaluate the policy for any problems.
Document the policy regularly.
Report it to management.
10. Modify the Policy: modifications are necessary to incorporate changes such as
upcoming technology,
new threats,
new goals or modified existing goals,
changes in the standard,
changes in law,
lack of success of the existing policy.
-
Sample Policy
Sample Antivirus Policy.pdf (attached file)