1 / 61

Information Security Management CISSP Topic 1

ISA 562 Internet Security Theory & Practice. Information Security Management CISSP Topic 1. Objectives. Roles of and responsibilities of individuals in a security program Security planning in an organization Security awareness in the organization

jbenn
Download Presentation

Information Security Management CISSP Topic 1

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. ISA 562Internet Security Theory & Practice Information Security Management CISSP Topic 1

  2. Objectives Roles of and responsibilities of individuals in a security program Security planning in an organization Security awareness in the organization Differences between policies, standards, guidelines and procedures as related to security Risk Management practices and tools

  3. Introduction Purpose of information security is to protect an organization's valuable resources, such as information, hardware and software. Should be designed to increase organizational success. Information systems are often critical assets that support the mission of an organization

  4. Information Security TRIAD The Overhanging goals of information security are addressed through the AIC TRIAD.

  5. IT Security Requirements - I Security Solutions should be designed with two main focus areas: Functional Requirements: Defines security behavior of the control measures Selected based on risk Assessment Properties: They should not depend on another control: Why? They should fail safe by marinating security of the system in an event of a failure: Why?

  6. IT Security Requirements -II 2. Assurance Requirements: Provides confidence that security functions is performing as expected. Examples : Internal/External Audit. Threat Risk Assessments Third Party reviews Compliance to best practices 3. Example for Functional vs. Assurance: Functional Requirement: a network Firewall Permits or denies traffic. Assurance requirement: logs are generated and monitored 6

  7. Organizational & Business Requirements Focus on organizational mission: Business driven Depends upon organizational type: Example: Military , government and commercial. Must be sensible and cost effective Solutions must be developed with due consideration of the mission and environment of business

  8. IT Security Governance Integral part of overall corporate governance: Must be fully integrated into the overall risk-based threat analysis, it also Ensures that the IT infrastructure of the company: Meets the AIC requirements. Supports the strategies and objectives of the company. Includes service level agreements when outsourced. 8

  9. Security Governance Major parts Leadership: Security leaders must be fully integrated into the company leadership where they can be heard. Structure: it occurs at many different levels of the organization and is in a layered approach. Processes: by following internationally accepted “best practices”: Job rotation , Separation of duties, least privilege, mandatory vacations …etc. Some Examples for standards : ISO 17799 & ISO 27001:2005

  10. Security Blueprints Provide a structure for organizing requirements and solutions. they are used to ensure that security is considered from a holistic view. Used to identify and design security requirements Infrastructure Security Blueprints

  11. Policy overview Operational environment is a complex web of laws, regulations, requirements, competitors and partners Change frequently and interact with each other , within this environment Management must develop and publish overall security statements addressing Security policies and their supporting elements such as standards , baselines and guidelines.

  12. Policy overview 12

  13. Functions of Security policy - I Provides Management’s Goals and objectives in writing Documents compliance Creates the security culture Anticipates and protects others from surprises Establishes the security activity/function Holds individuals personally responsible/accountable 13

  14. Functions of Security policy-II Address foreseeable conflicts Ensures employees and contractors are aware of organizational policy and changes Mandates an incident response plan Establishes process for exception handling , rewards, discipline 14

  15. Policy Infrastructure High level policies are interpreted into a number of functional policies. Functional polices are derived from overarching policy of the organizations and create the foundation for the procedures, standards, and baselines to accomplish the security objectives Functional polices gain their credibility from senior management’s buy-in. 15

  16. Example Functional Policies Data classification Certification and accreditation Access control Outsourcing Remote access Acceptable Internet usage Privacy Dissemination control Sharing control

  17. Policy Implementation Standards, procedures, baselines, and guidelines turn the objectives and goals established by management in the overarching and functional policies into actionable and enforceable actions for the employees.

  18. Standards and procedure Standards: Adoption of common hardware and software mechanism and products throughout the enterprise. Examples: Desktop, Anti-Virus, Firewall Procedures: required step by step actions which must be followed to accomplish a task. Guidelines: recommendations for security product implementations, procurement and planning, etc. Examples: ISO17799, Common Criteria, ITIL

  19. Baselines Benchmarks used to ensure that a minimum level of security configuration is provided across multiple implementations and systems. They establish consistent implementation of security mechanisms. Platform unique Examples: VPN Setup, IDS Configuration, Password rules 19

  20. Three Levels of security planning Strategic Planning: long term Focuses on the high-level, long-range organizational requirements Examples: overarching security policy Tactical Level Planning: medium-term Focus on events that will affect the entire organization. Examples: functional plans Operational planning: short-term Fighting fires at the keyboard level, this Directly affects the ability of the organization to accomplish its objectives.

  21. Organizational roles and responsibilities Every actor has a role: Entails responsibility: must be clearly communicated and understood by all actors. Duties associated with the role Specific must be assigned Examples: Securing email Reviewing violation reports Attending awareness training

  22. Specific Roles and Responsibilities (duties)- 1 Executive Management: Publish and endorse security policy establishing goals, objectives overall responsibility for asset protection. Information systems security professionals: Security design, implementation, management, Review of the organization security policies. 22

  23. Specific Roles and responsibilities - 2 Owners: information classification set user access conditions decide on business continuality priorities Custodians: Security of the information entrusted to them Information System Auditor Auditing assurance guarantees. Users Compliance with procedures (AIC) and policies

  24. Personal Security: Hiring staff Background checks/Security clearances Check references/ educational records Sign Employment agreement Examples: Non-disclosure agreements Non-compete agreements Low level Checks Consult the Human Resources (H.R.) department Termination procedures

  25. Third party considerations Established procedures to address these groups on an individual basis. Examples of third party are: Vendors/Suppliers Contractors Temporary Employees Customers

  26. Personnel good practices Job description and defended roles and responsibilities Least privilege/Need to know Compliance with need to share Separation of duties Job rotation Mandatory vacations

  27. Security Awareness Awareness training Provides employees with a reminder of their security responsibilities. Motivate personnel to comply with requirements Examples: Videos Newsletters Posters Key-chains, etc. 27

  28. Training and Education Job training Provides skills needed to perform the security functions in their jobs. Focus on security-related job skills Specifically address security requirements of the organization, etc. Professional Education Provides decision-making, and security management skills that are important for the success of an organizations security program.

  29. Good training practices Address the audience Management Data Owner and custodian Operations personnel User Support personnel

  30. Risk from NIST SP 800-30 Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization (SP800-30) 30

  31. Definitions Related to Risk Threat: the Potential for a mal-actor to exercise a specific vulnerability. Vulnerability: A Flaw or weakness in system security procedures, design, implementation or internal controls that could be exercised and could result in a security breach or violation of systems security policy. Likelihood: the probability that a potential vulnerability may be exercised within the threat environment. Countermeasures: A risk reduction control maybe technical, operational or management controls or a combination of these type

  32. Risk Management concept flow

  33. Risk Management Definitions Asset: Something that is valued by the organization to accomplish its goals and objectives Threat: Any potential danger to information or an information systems. Examples: Unauthorized access, Hardware failure, Loss of key personnel Threat Agent: Anything that has the potential of causing a threat. Exposure: An opportunity for a threat to cause loss. Vulnerability: Is a weakness that could be exploited. Attack: An Intentional action trying to cause harm. Countermeasures and safeguards: Are those measures and actions that are taken to protect systems. Risk: The probability that some unwanted event could occur Residual Risk: The amount of risk remaining after countermeasures and safeguards are applied

  34. Risk Management The purpose of risk management is to identify potential problems Before they occur So that risk-handling activities may be planned and invoked as needed Across the life of the product or project

  35. The Risk Equation

  36. Risk Factors The Risk arises when threat-agent attack assets and vulnerabilities are present Residual Risk happens when threat-agent attack assets and countermeasuresare in place but are not sufficient

  37. Risk Management Risk Management identifies and reduces total risks ( threats, vulnerabilities, & asset value) Mitigating controls: Safeguards & Countermeasures reduce risk Residual Risk should be set to an acceptable level

  38. Purpose of risk Analysis Identifies and justifies risk mitigation efforts Identifies the threats to business processes and information systems Justifies the implementation of specific countermeasures to mitigate risk Describes current security posture Conducted based on risk to the organization's objectives/mission

  39. Benefits of Risk Analysis Focuses policy and resources Identifies areas with specific risk requirements Part of good IT Governance Supports Business continuity process Insurance and liability decisions Legitimizes security awareness programs

  40. Emerging threats factors Risk Assessment must also address emerging threats New technology Change in culture of the organization or environment Unauthorized use of technology, etc. Can come from many different areas May be discovered by periodic risk assessments

  41. Sources to identity threats Users Systems administrators Security officers Auditors Operations Facility records Community and government records Vendor/security provider alerts Other types of threats : Natural disasters – flood, tornado, etc. Environment-overcrowding or poor moral Facility -physical security or location of building

  42. Risk analysis key factors Obtain senior management support Establish the risk assessment team Define and approve the purpose and scope of the risk assessment team Select team members State the official authority and responsibility of the team Have management review findings and recommendations Risk team members Some of the areas which should be included: Information System Security, IT & Operations Management, Internal Audit, Physical security, etc

  43. Use of automated tools for risk management Objectives is to minimize manual effort Can be time consuming to setup Perform calculations quickly Estimate future expected losses Determine the benefit of security measures

  44. Preliminary security evaluation Identify vulnerabilities Review existing security measures Document findings Obtain management review and approval

  45. Risk analysis types Two types of Risk analysis Quantitative Risk analysis Qualitative Risk analysis Both provide valuable metrics Both are often required to get a full picture

  46. Quantitative risk analysis Assign independently objective numeric monetary values Fully quantitative if all elements of the risk analysis are quantified difficult to achieve Requires substantial time and personnel resources

  47. Determining asset value Cost to acquire, develop, and maintain Value to owners, custodians, or users Liability for protection Recognize cost and value in the real world Price others are willing to pay Value of intellectual property Convertibility/negotiability

  48. Quantitative analysis steps Estimate potential losses SLE – Single Loss Expectancy SLE = Asset Value ($) X Exposure Factor (%) Exposure Factor=% of asset loss when threat is successful Types of loss to consider Physical destruction/theft, Loss data, etc Conduct threat analysis ARO-Annual Rate of Occurrence Expected number of exposures/incidents per year Likelihood of an unwanted event happening Determine Annual Loss Expectancy (ALE) Combine potential loss and rate/year Magnitude of risk = Annual Loss Expectancy Purpose of ALE Justify security countermeasures ALE=SLE * ARO

  49. Qualitative Risk analysis Scenario oriented Does not attempt to assign absolute numeric values to risk components Purely qualitative risk analysis is possible Qualitative risk analysis factors Rank seriousness of the threats and sensitivity of assets Perform a carefully reasoned risk assessment

  50. Other risk analysis methods Failure modes and effects analysis Potential failures of each part or module Examine effects of failure at three levels Immediate level (part or module) Intermediate level (process or package) System-wide Fault tree analysis Sometimes called “spanning tree analysis” Create a “tree” of all possible threats to, or faults of the system “Branches” are general categories such as network threats, physical threats, component failures, etc. Prune “branches” that do not apply Concentrate on remaining threats.

More Related