Information Assurance for the Enterprise: A Roadmap to Information Security, by Schou and Shoemaker
McGraw-Hill/Irwin. Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved.
Chapter 4
Building and Documenting an Information Assurance Framework
Objectives
• Difference between policies and procedures
• What is an information assurance structure
• How to tailor an information assurance structure
• How to document an information assurance infrastructure
Control Process
• The control process is implemented through a framework of standard procedures
• They need to be coherent, rational, and understandable
• They are tailored for efficiency and effectiveness
Difference Between Policy and Procedure
• Level of focus
  • The focus of policies is long-term and strategic
  • The focus of procedures is short-term and day-to-day
Procedure
• A specification of the sequence and timing of the steps of a response
• A description of the action to be taken to achieve a goal
• A definition of the actions performed as part of routine operation
• A method rather than an outcome
• A tangible mechanism for evaluating whether the system has met its intended goals
• In the case of information assurance, procedures:
  • Specify the set of assurance activities that must be executed to ensure security
  • Define all information assurance and security actions
Infrastructure
• An information assurance infrastructure is an essential part of security because it:
  • Specifies the steps the organization will take to ensure security
  • Makes the process tangible so that it is understood and executed properly
  • Describes how all information assurance and security practices will be established and enforced
  • Ensures that the information within the infrastructure is overseen and managed
Five Pillars of Assurance
• Confidentiality – ensures that information is not disclosed to unauthorized persons, processes, or devices
• Integrity – reflects the logical correctness of essential components
• Availability – provides authorized users with timely, reliable access to data and information services
• Authentication – confirms authorization to acquire specific items of information
• Non-repudiation – provides proof of delivery and provides identification
Instituting a Sustainable Security Operation
• Two conditions have to be satisfied:
  • A concrete reference point has to be adopted and documented to guide the process
  • The organization has to follow all specified security practices rigorously
Role of Policy in Creating an Infrastructure
• Policies state the approach that will be followed to enforce the five pillars of security
• They should be both comprehensive and coherent
  • They constitute the framework that dictates the scope and application of the information assurance process
  • They must have the right set of procedures to enact them
  • Procedures are progressively refined until the desired level of control is established
• The eventual product of this logical decomposition process is the finalized information assurance infrastructure
Role of Policy in Creating an Infrastructure
• An information assurance infrastructure is an array of control behaviors designed to ensure security and applicable at all levels
• Characteristics of the standard approach:
  • Concrete, and can be tailored to the specifics of the tasks to be performed
  • Outcomes can be used to judge whether the information assurance process is operating properly
  • Outcomes of these tasks can be assessed and specific responsibility can be assigned
  • Establishes tangible accountability for information assurance and security performance
Ensuring a Disciplined Process: Establishing the Culture
• The only way to assure security is by demanding disciplined performance of assigned duties
• Requires a high degree of disciplined practice by the people responsible for carrying out the tasks
  • The managers
  • The workers
• Requires the right level of information assurance and security practice
Ensuring a Disciplined Process: Establishing the Culture
• An effective information assurance process has to ensure that the people within the system are operating in a secure manner
Ensuring a Disciplined Process: Establishing the Culture
• Information assurance safeguards are aimed at:
  • Identifying suspicious or undesirable behavior
    • Build a baseline of acceptable, or normal, practices against which to judge performance
  • Embedding a comprehensive understanding of information assurance
    • Policies
    • Procedures
    • Work practices
Developing An Information Assurance Infrastructure
• Nine essential qualities of a correctly functioning system:
  • Suitability
  • Accuracy
  • Interoperability
  • Compliance
  • Integrity
  • Maturity
  • Fault tolerance
  • Recoverability
  • Replaceability
Developing An Information Assurance Infrastructure
Refinement process
Ensuring Common Understanding: Metrics and Security
• Tailoring specifics will require derivation from:
  • Policies expressed as a formal specification
  • Perspectives of stakeholders
• The outcome should be a substantive set of documented practices
  • Should characterize the information assurance functions
• Requirements must be communicated unambiguously
  • The terms and measures used should be integrated into a single document
  • A deliberate program is needed to develop an appropriate set of common metrics
Ensuring Common Understanding: Metrics and Security
• The organizational environment determines the metrics
  • Their nature, rigor, and application will vary based on the demands of the security situation
  • The basis for decision is the level of control required to establish an assurable system
    • Achieved by continuing to break down each measure into sub-factors
    • Sub-factors should also be traceable through the hierarchy of measures
• The measurement set must be refined and updated continuously
Accommodating Human Factors in the Infrastructure
• Disciplined performance determines how correctly each procedure will be followed
• The behavior of humans within the infrastructure is:
  • Ensured by monitoring and enforcing compliance with documented procedures
  • Harder to assure, since it is governed by perceptions and emotions rather than logical rules
  • Challenging, as motivating people to comply requires continuous oversight and strict enforcement
  • Feasible with a coherent and explicit definition of acceptable behavior
Documentation: Conveying the Form of the Infrastructure
• Every information assurance infrastructure has to be documented completely
• Documentation should communicate the three vital elements of the process:
  • Policies
  • Procedures
  • Work instructions
• The mechanism employed to document these is the Information Assurance Manual
Information Assurance Manual
• Communicates the organization's specific approach to information assurance and security
• Serves as a reference point for developing standard operating procedures
• Integrates all required procedures and work practices for each policy into a statement of purpose
Information Assurance Manual
• Advantages:
  • Implements and ensures continuous performance of processes
  • Valuable tool for communicating to stakeholders
  • Advertises new initiatives and accomplishments
  • Itemizes every procedure the organization will follow to comply with each stated policy
  • Facilitates the day-to-day assignment of specific employee responsibility
  • Key mechanism for demonstrating due diligence in the performance of information assurance
Ensuring Sustainability: Documentation Set
• Documentation set – procedures, work practices, and the information assurance manual
• A complete set of operating procedures is written to implement each policy
• An operating procedure defines what will be done on a day-to-day basis
• Work practices are developed for each procedure
  • Itemize the behaviors designated to accomplish each procedure
Implementation: Achieving the Right Level of Detail
• At a minimum, every documented procedure states:
  • The steps to be taken, their measurement, and their evaluation criteria
  • The expected output, its measurement, and its evaluation criteria
  • Interrelationships with other procedures
  • Qualifications and skills of the people performing the procedure
  • Tools, rules, practices, methodologies, and conventions employed
Implementation: Achieving the Right Level of Detail
• Ten areas of information assurance should be itemized using this policy/procedure/work instruction model:
  • Physical security practices
  • Personnel security practices
  • Operational security practices
  • Network security practices
  • Software security practices
  • Development process security practices
  • Transmission security/encryption practices
  • Business continuity practices
  • Legal and regulatory compliance practices
  • Ethical practices
Walking the Talk – the Role of Detailed Work Practices
• Specifications communicate the steps chosen to ensure an end-to-end information assurance process
• Specification of management practices
  • Lays out the details of the management oversight and control function
• Specification of operations practices
  • Roadmap for the execution and maintenance of the specific process
• Specification of assurance and accountability practices
  • Verification and validation of the execution of assurance functions
Tailoring a Concrete Information Assurance System
• Effective information assurance and security depends on establishing the right set of policies, procedures, and work practices, tailored into a concrete infrastructure
• It is necessary to satisfy at least five generic requirements:
  • Understand the resource
  • Maintain the resource
  • Develop the resource
  • Use the resource
  • Manage the resource
Tailoring a Concrete Information Assurance System
• Tailoring process
  • Ensures that the system is correctly aligned with the environmental, sensitivity, and information assurance requirements of the situation
  • Involves the preparation of a relevant response to six areas, discussed further below:
    • Context
    • Scope
    • System operation
    • General purpose
    • Environment
    • Sensitivity
Tailoring a Concrete Information Assurance System
• Context – understand the context in which the system operates
  • Determines the assurance approach
• Scope – must be defined
  • Unique and meaningful boundaries have to be established
  • Logical interrelationships have to be made explicit
Tailoring a Concrete Information Assurance System
• System operation – components should be categorized in terms of their role
  • Designate the specific purpose of each asset
  • Protection has to be aligned with purpose
  • Analyze, understand, and address threats
• General purpose – the function of each component
  • A simple description that satisfies two goals:
    • Allows users to make informed assignments of priorities for the protected components
    • Allows users to coordinate the implementation and management of the functions assigned to them
Tailoring a Concrete Information Assurance System
• Environmental considerations – technical and environmental factors that might impact the assurance process
• Sensitivity requirements – specify the sensitivity of each item
  • Characterized based on risk category:
    • High risk – comprises information characterized as critical; loss would result in significant losses
    • Medium risk – would be an important concern but not necessarily critical
    • Low risk – some minimal level of risk; not vital
Types of Controls
• Information assurance control procedures fall into four categories, each discussed on the slides that follow:
  • Management controls
  • Development and implementation process controls
  • Operational controls
  • Technical controls
Types of Controls
• In addition to application, it is important:
  • To understand the operational status of the control
  • In the design process
    • Some controls will already exist while others will need to be established
  • To have a complete understanding of:
    • Where procedures have been implemented already
    • Where they must still be developed
Types of Controls
• Classification is based on a decision about whether each necessary control item is:
  • In place – the measure must be both operational and judged to be effective
  • Planned – includes specific control functions that are planned but not actually operational
  • In place and planned – part of the control is in place while other parts are still missing
  • Not feasible – control measures would be desirable but are neither cost effective nor feasible
Management Controls
• These controls are behavioral
• Implement information assurance policies and procedures
• Regulate access to protected information through procedures
• Deployed based on the assessed impact of the threats they are designed to address
Development and Implementation Process Controls
• These controls ensure that information assurance protection is designed into the system from inception
• Used primarily during the system development phase
• Ensure that appropriate technical, physical, administrative, and personnel security requirements are satisfied
• Based on the verification and validation review process
Operational Controls
• The day-to-day procedures that protect the operation from a wide variety of threats
• Operational controls fall into six categories:
  • Physical and environmental protection
  • Production and input/output control
  • Contingency planning
  • Installation and update controls
  • Configuration management control
  • Documentation control
Technical Controls
• Technical controls include:
  • Automated access controls – control access
  • Authorization controls – provide the appropriate level of access to each entity
    • Detect unauthorized activities
  • Integrity control procedures – protect data from accidental or malicious alteration or destruction