chapter004

Information Assurance for the Enterprise: A Roadmap to Information Security, by Schou and Shoemaker. Chapter 4: Building and Documenting an Information Assurance Framework. McGraw-Hill/Irwin. Copyright © 2007 by The McGraw-Hill Companies, Inc. All rights reserved.


Page 1: Chapter004


Chapter 4

Building and Documenting an Information Assurance Framework

Page 2: Chapter004

4-2

Objectives

Difference between policies and procedures
What an information assurance structure is
How to tailor an information assurance structure
How to document an information assurance infrastructure

Page 3: Chapter004

Control Process

The control process is implemented through a framework of standard procedures
They need to be coherent, rational, and understandable
They are tailored for efficiency and effectiveness

Page 4: Chapter004

Difference Between Policy and Procedure

Level of focus
• The focus of policies is long-term and strategic
• The focus of procedures is short-term and day-to-day

Page 5: Chapter004

Procedure

A specification of the sequence and timing of the steps of a response
A description of the action to be taken to achieve a goal
A definition of the actions performed as part of routine operation
A method rather than the outcome
A tangible mechanism for evaluating whether the system has met its intended goals
In the case of information, procedures:
• Specify the set of assurance activities that must be executed to ensure security
• Define all information assurance and security actions

Page 6: Chapter004

Infrastructure

An information assurance infrastructure is an essential part of security as it:
• Specifies the steps the organization will take to ensure security
• Makes the process tangible so that it is understood and executed properly
• Describes how all information assurance and security practices will be established and enforced
• Ensures that the information within the infrastructure is overseen and managed

Page 7: Chapter004

Five Pillars of Assurance

Confidentiality – ensures that information is not disclosed to unauthorized persons, processes, or devices
Integrity – reflects the logical correctness of essential components
Availability – provides authorized users with timely, reliable access to data and information services
Authentication – confirms authorization to acquire specific items of information
Non-repudiation – provides proof of delivery and proof of identity

Page 8: Chapter004

Instituting a Sustainable Security Operation

Two conditions have to be satisfied:
• A concrete reference point has to be adopted and documented to guide the process
• The organization has to follow all specified security practices rigorously

Page 9: Chapter004

Role of Policy in Creating an Infrastructure

Policies state the approach that will be followed to enforce the five pillars of security
They should be both comprehensive and coherent
• They constitute the framework that dictates the scope and application of the information assurance process
• They must have the right set of procedures to enact them
• Procedures are progressively refined until the desired level of control is established
The eventual product of this logical decomposition process is the finalized information assurance infrastructure

Page 10: Chapter004

Role of Policy in Creating an Infrastructure

An information assurance infrastructure is an array of control behaviors
• Designed to ensure security and applicable to all levels
Standard approach characteristics:
• Concrete, and can be tailored to the specifics of the tasks to be performed
• Outcomes can be used to judge whether the information assurance process is operating properly
• Outcomes of these tasks can be assessed and specific responsibility can be assigned
• Establishes tangible accountability for information assurance and security performance

Page 11: Chapter004

Ensuring a Disciplined Process: Establishing the Culture

The only way to assure security is by demanding disciplined performance of assigned duties
Requires a high degree of disciplined practice by the people responsible for carrying out the tasks
• The managers
• The workers
Requires the right level of information assurance and security practice

Page 12: Chapter004


Ensuring a Disciplined Process: Establishing the Culture

Effective information assurance process has to ensure that the people within the system are operating in a secure manner

Page 13: Chapter004

Ensuring a Disciplined Process: Establishing the Culture

Information assurance safeguards are aimed at:
Identifying suspicious or undesirable behavior
• Build a baseline of acceptable, or normal, practices against which to judge performance
Embedding a comprehensive understanding of information assurance
• Policies
• Procedures
• Work practices

Page 14: Chapter004

Developing An Information Assurance Infrastructure

Nine essential qualities of a correctly functioning system:
• Suitability
• Accuracy
• Interoperability
• Compliance
• Integrity
• Maturity
• Fault tolerance
• Recoverability
• Replaceability

Page 15: Chapter004


Developing An Information Assurance Infrastructure

Refinement process

Page 16: Chapter004

Ensuring Common Understanding: Metrics and Security

Tailoring specifics will require derivation from:
• Policies expressed as a formal specification
• Perspectives of stakeholders
The outcome should be a substantive set of documented practices
• Should characterize the information assurance functions
Requirements must be communicated unambiguously
• Terms and measures used should be integrated into a single document
• Need for a deliberate program to develop an appropriate set of common metrics

Page 17: Chapter004

Ensuring Common Understanding: Metrics and Security

The organizational environment determines the metrics
• Nature, rigor, and application will vary based on the demands of the security situation
The basis for decision is the level of control required to establish an assurable system
• Achieved by continuing to break down each measure into sub-factors
• Sub-factors should also be traceable through the hierarchy of measures
The measurement set must be refined and updated continuously

Page 18: Chapter004

Accommodating Human Factors in the Infrastructure

Disciplined performance determines how correctly each procedure will be followed
The behavior of humans within the infrastructure is:
• Ensured by monitoring and enforcing compliance with documented procedures
• Harder to assure, since it is governed by perceptions and emotions rather than logical rules
• Challenging, as motivating people to comply requires continuous oversight and strict enforcement
• Feasible with a coherent and explicit definition of acceptable behavior

Page 19: Chapter004

Documentation: Conveying the Form of the Infrastructure

Every information assurance infrastructure has to be documented completely
Documentation should communicate the three vital elements of the process:
• Policies
• Procedures
• Work instructions
The mechanism employed to document these is the Information Assurance Manual

Page 20: Chapter004


Information Assurance Manual

Communicates the organization’s specific approach to information assurance and security

Serves as a reference point for developing standard operating procedures

Integrates all required procedures and work practices for each policy into a statement of purpose

Page 21: Chapter004

Information Assurance Manual

Advantages:
• Implements and ensures continuous performance of processes
• Valuable tool for communicating to stakeholders
• Advertises new initiatives and accomplishments
• Itemizes every procedure the organization will follow to comply with each stated policy
• Facilitates the day-to-day assignment of specific employee responsibility
• Key mechanism for demonstrating due diligence in the performance of information assurance

Page 22: Chapter004

Ensuring Sustainability: Documentation Set

Documentation set – procedures, work practices, and the information assurance manual
A complete set of operating procedures is written to implement each policy
An operating procedure defines what will be done on a day-to-day basis
Work practices are developed for each procedure
• Itemize the behaviors designated to accomplish each procedure

Page 23: Chapter004

Implementation: Achieving the Right Level of Detail

At a minimum, every documented procedure states:
• Steps to be taken, their measurement, and their evaluation criteria
• Expected output, its measurement, and evaluation criteria
• Interrelationships with other procedures
• Qualifications and skills of the people performing the procedure
• Tools, rules, practices, methodologies, and conventions employed

Page 24: Chapter004

Implementation: Achieving the Right Level of Detail

Ten areas of information assurance should be itemized using this policy/procedure/work instruction model:
• Physical security practices
• Personnel security practices
• Operational security practices
• Network security practices
• Software security practices
• Development process security practices
• Transmission security/encryption practices
• Business continuity practices
• Legal and regulatory compliance practices
• Ethical practices

Page 25: Chapter004

Walking the Talk – the Role of Detailed Work Practices

Specifications communicate the steps chosen to ensure an end-to-end information assurance process
Specification of management practices
• Lays out the details of the management oversight and control function
Specification of operations practices
• Roadmap for the execution and maintenance of the specific process
Specification of assurance and accountability practices
• Verification and validation of the execution of assurance functions

Page 26: Chapter004

Tailoring a Concrete Information Assurance System

Effective information assurance and security depends on establishing the right set of policies, procedures, and work practices, tailored into a concrete infrastructure
It is necessary to satisfy at least five generic requirements:
• Understand the resource
• Maintain the resource
• Develop the resource
• Use the resource
• Manage the resource

Page 27: Chapter004

Tailoring a Concrete Information Assurance System

Tailoring process
• Ensures that the system is correctly aligned with the environmental, sensitivity, and information assurance requirements of the situation
• Involves the preparation of a relevant response to six areas, discussed further below:
• Context
• Scope
• System operation
• General purpose
• Environment
• Sensitivity

Page 28: Chapter004

Tailoring a Concrete Information Assurance System

Context - understand the context in which the system operates
• Determines the assurance approach
Scope - must be defined
• Unique and meaningful boundaries have to be established
• Logical interrelationships have to be made explicit

Page 29: Chapter004

Tailoring a Concrete Information Assurance System

System operation - components should be categorized in terms of their role
• Designate the specific purpose of each asset
• Protection has to be aligned with purpose
• Analyze, understand, and address threats
General purpose - the function of each component
A simple description that satisfies two goals:
• Allows users to make informed assignments of priorities for the protected components
• Allows users to coordinate the implementation and management of the functions assigned to them

Page 30: Chapter004

Tailoring a Concrete Information Assurance System

Environmental considerations – technical and environmental factors that might impact the assurance process
Sensitivity requirements - specify the sensitivity of each item
Characterized based on risk category:
• High risk – comprises information characterized as critical, where loss would result in significant losses
• Medium risk – would be an important concern but not necessarily critical
• Low risk – some minimal level of risk; not vital

Page 31: Chapter004

Types of Controls

Information assurance control procedures fall into four categories: management controls, development and implementation process controls, operational controls, and technical controls

Page 32: Chapter004

Types of Controls

In addition to application, it is important:
• To understand the operational status of the control
• In the design process, some controls will already exist while others will need to be established
• To have a complete understanding of:
  • Where procedures have been implemented already
  • Where they must still be developed

Page 33: Chapter004

Types of Controls

Classification is based on a decision about whether each necessary control item is:
• In place – a measure must be both operational and judged to be effective
• Planned – includes specific control functions that are planned, but not actually operational
• In place and planned – part of the control is in place while other parts are still missing
• Not feasible – control measures would be desirable but are neither cost effective nor feasible
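A gap report over the policy/procedure/work-practice documentation set (Page 22), the ten areas of Page 24 and the four control statuses of this slide, as an added Python illustration that is not from the book: the `Procedure` class, `gap_report` function, shortened area names and the sample set are this example's own assumptions.

```python
from dataclasses import dataclass, field

# Page 33's four statuses. Work practices carry one of the three elementary
# ones; "in place and planned" is derived for a partly operational procedure.
IN_PLACE, PLANNED, PARTIAL, NOT_FEASIBLE = (
    "in place", "planned", "in place and planned", "not feasible")
# Page 24's ten areas (names shortened for this example).
TEN_AREAS = ("Physical security", "Personnel security", "Operational security",
             "Network security", "Software security", "Development process security",
             "Transmission security/encryption", "Business continuity",
             "Legal and regulatory compliance", "Ethical")

@dataclass
class Procedure:
    """An operating procedure and the work practices itemized for it."""
    name: str
    work_practices: dict[str, str] = field(default_factory=dict)  # practice -> status

    def status(self) -> str:
        """Derive the procedure's control status from its work practices."""
        seen = set(self.work_practices.values())
        if not seen:
            return PLANNED           # nothing itemized yet
        if seen == {IN_PLACE}:
            return IN_PLACE          # every part operational
        if IN_PLACE in seen:
            return PARTIAL           # some parts in place, others still missing
        return NOT_FEASIBLE if seen == {NOT_FEASIBLE} else PLANNED

def gap_report(policies: dict[str, list[Procedure]]) -> dict[str, list[str]]:
    """Areas not itemized, policies with no procedure, procedures not in place."""
    return {
        "area_not_itemized": [a for a in TEN_AREAS if a not in policies],
        "no_procedure": [pol for pol, procs in policies.items() if not procs],
        "not_in_place": [f"{pol}/{p.name}: {p.status()}"
                         for pol, procs in policies.items()
                         for p in procs if p.status() != IN_PLACE],
    }

# Constructed sample documentation set, keyed by policy area.
SAMPLE = {
    "Physical security": [Procedure("Visitor escort",
                                    {"sign-in log": IN_PLACE, "badge issue": IN_PLACE})],
    "Network security": [Procedure("Firewall rule review",
                                   {"quarterly review": IN_PLACE, "change ticket": PLANNED})],
    "Business continuity": [],   # policy stated, but no procedure written yet
}
```

Running `gap_report(SAMPLE)` lists the seven areas not yet itemized, the business continuity policy with no procedure, and the firewall review as "in place and planned".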

Page 34: Chapter004

Management Controls

These controls are behavioral
• Implement information assurance policies and procedures
• Regulate access to protected information through procedures
• Deployed based on the assessed impact of the threats they are designed to address

Page 35: Chapter004

Development and Implementation Process Controls

These controls ensure that information assurance protection is designed into the system from inception
• Used primarily during the system development phase
• Ensure that appropriate technical, physical, administrative, and personnel security requirements are satisfied
• Based on the verification and validation review process

Page 36: Chapter004

Operational Controls

The day-to-day procedures that protect the operation from a wide variety of threats
Operational controls fall into six categories:
• Physical and environmental protection
• Production and input/output control
• Contingency planning
• Installation and update controls
• Configuration management control
• Documentation control

Page 37: Chapter004

Technical Controls

Technical controls include:
• Automated access controls – control access
• Authorization controls – provide the appropriate level of access to each entity
  • Detect unauthorized activities
• Integrity control procedures – protect data from accidental or malicious alteration or destruction