
Writing an Operational Security Plan






Presentation Transcript


  1. Writing an Operational Security Plan E. Jane Powanda FISSEA 2005 Conference March 22, 2005 jpowanda@itsc.org 301 513-0143

  2. The Operational Security Plan Roadmap for Management and Operations

  3. Why Have a Security Plan
  • Documents implemented security measures
  • Documents planned security measures
  • Documents security goals based on threats and risk
  • Documents security roles and responsibilities for staff
  • Identifies security requirements for inclusion in formal agreements with partners and other organizations that may provide application services
  • Documents security decisions made by management

  4. Security Plan in the Security Framework (diagram; only the labels survived extraction): Security Guiding Principles (Philosophy); Security goals; Data sensitivity; Management commitment; Personal accountability; Authority; Responsibility; Policy update and review; Plans; Special Features; Security Implementation Procedures; Standards/Guidelines

  5. Writing the Security Plan (diagram; only the callout labels survived extraction): Based on policy; Based on our recent risk assessment; Directives for staff action; Will justify our security budget; Changes with technology; Demonstrates due diligence!; Dessert?

  6. Resources
  • NIST SP 800-18 - Guide for Developing Security Plans for Information Technology Systems, December 1998
  • Other resources at http://csrc.nist.gov
  • ISO 17799 - Information Technology - Code of practice for information security management
  • CIO Council – experience of other agencies

  7. Writing the Security Plan
  • Introduction
  • The Application and its Environment
  • Roles and Responsibilities
  • Operational Security Controls
  • Other Optional Topics
  • Glossary

  8. Introduction
  • Scope
  • Purpose
  • Intended audience
  • Plan maintenance
  • Points of contact
  • Relevant policies and guidelines
  • Document organization
  The introduction provides the basis for both the plan and the document, and addresses some management aspects of the planning process.

  9. Scope
  • Sets the bounds for the plan
  • Is this a new system or an addition to the current system?
  • Is this for a single application or a general use system?
  • What is not included in the plan?

  10. Purpose
  • Why the Plan exists
  • Provides a compendium of security measures currently implemented
  • Documents measures taken by management to demonstrate due diligence with respect to security

  11. Intended Audience
  • Who might be reading this document?
    • Program management
    • IT management
    • Program operational staff
    • IT staff
    • Program partners
    • Auditors

  12. Plan Maintenance
  • Who updates this plan?
  • How often is it updated?
  • Who reviews and authorizes updates to the plan?

  13. Point of Contact
  • Name or position of person who can provide more information about the plan
  • Phone number or e-mail address

  14. Relevant Policies and Guidelines
  • Federal legislation or guidelines on which plan is based
  • State legislation or guidelines on which plan is based
  • Internal policies or guidelines

  15. Document Organization
  • Description of each of the sections of the plan

  16. The System and its Environment
  • Functional description of the application or system
  • Program organization
  • Hardware
  • Software
  • Operational environment
  • Data sensitivity
  • Threats to the system
  • Security goals
  This section provides information about the system and the environment in which it operates. It sets the stage for the plan.

  17. System Functional Description
  • Hours of operation
  • End user interfaces
    • Paper
    • Web
    • E-mail
    • IVR
  • The services provided to users
    • Internal staff
    • External clients
  Identify what the system does from a layman's point of view.

  18. Hardware
  • List the hardware elements that belong to this system
    • Mainframe
    • Servers
    • Storage devices
    • Workstations
    • Firewalls

  19. Software
  • List software elements
    • Operating system
    • Network software if applicable
    • Application software
    • Language written in
    • Size and complexity of software
    • Architecture or how organized
      • Mainframe
      • Client / server
      • Web based

  20. IT Operational Environment
  • Describe the infrastructure
    • Firewalls
    • Subnets
    • Connecting networks
    • External interfaces
    • Dial in access
  • Provide a drawing that shows the different parts of the system on a network diagram

  21. Data Sensitivity
  • Business need for sharing or restricting information
  • Business impact of failure to protect sensitive data
  • What kind of information is considered sensitive?
  • Are privacy laws and regulations applicable?
  • Describe the different categories or types of sensitive data
  • Describe implications of sensitivity with respect to
    • Confidentiality
    • Integrity
    • Availability

  22. Threats
  • Major threats and security concerns
  • Examples
    • Hacker attacks
    • Insider fraud
    • External fraud
    • Physical attack
    • Employee discontent

  23. Security Goals
  • Discuss security objectives with respect to each of the following
    • Availability of service
    • Confidentiality of client information
    • Accountability of actions
    • Integrity of data operations
  • Rate the goals in order of importance

  24. Security Operational Controls
  • Assignment of roles and responsibilities
  • Management controls
  • Operational controls
  • Technical controls

  25. Roles and Responsibilities
  • Program organization
    • Business staff
    • Technical staff
    • Management staff
    • Operational staff
  • The IT organization
  • Other agency organizations that provide services
  • Data sharing partners
  • Internet application system users
  • Examples of security functional responsibilities
    • Who does the backups
    • Who does security training
    • Who authorizes system access
    • Who sets policy
    • Who maintains this plan

  26. Management Controls
  • Risk management
  • Incident handling
  • Contingency plans

  27. Risk Management
  • Has there ever been a security assessment performed on the system?
  • When was it done, by whom, how extensive?
  • Generally describe the methods used for resolving security problems identified
  • What management procedures are in place to periodically review and contain security risk?
  • Update the plan when new controls are implemented or planned
  Never document security vulnerabilities in the plan.

  28. Incident Handling
  • What is considered to be a "security incident"?
  • Identify procedures in place to deal with a security incident
    • Detection
    • Reporting
    • Resolution
  • What actions are taken to ensure that staff can recognize and respond to a security incident?

  29. Contingency Plans
  • Business continuity plan
    • How will the business continue to operate in spite of disaster?
    • Who is responsible for the plan and its execution?
    • When was the last time it was updated and tested?
    • When will it be tested again?
  • Disaster recovery plan
    • How will IT operations be brought back to normal?
    • Who is responsible for the plan?
    • When was the last time it was updated and tested?
    • When will it be tested again?

  30. Operational Controls
  • Application maintenance
  • Access to system and privileges
  • Authentication of users
  • Audits
  • Backup and recovery
  • Disposal of information and equipment
  • Security training
  • Integrity controls
  • Physical security
  • Personnel security

  31. Application Maintenance
  • Software maintenance
    • Describe the change management process
    • Who writes code, tests it, approves it, installs it on the production system?
    • Is security testing performed?
    • How is configuration control maintained?
      • Source code
      • Executable code
  • Hardware maintenance
    • How much downtime can be tolerated?
    • What measures are taken to ensure hardware availability?

  32. Access to System and Privileges
  • Identify who authorizes access to systems and software
  • Describe how new access authorizations get implemented
  • Identify who makes the changes on the system
  • What procedures are in place to terminate access for those that no longer need it?

  33. Audit Data
  • What activities will be audited?
    • Selected staff actions
    • All administrator actions
    • Partner access and/or modification of data
    • Customer actions
  • How long is audit data kept? Is it stored in a safe place?
  • How is it protected from viewing and modification?
  • Is enough buffer space allocated for audit data to prevent overwrite?
  • Is someone assigned to review audit data on a regular basis?
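The slide asks how audit data is protected from modification. One technical control a plan can point to is a hash-chained (tamper-evident) audit log: each entry carries the SHA-256 of the entry before it, so changing or deleting any record breaks every later link and a periodic review detects it. The following is an added illustration, not code from the presentation; the field names and the sample records are constructed for the example.

```python
import hashlib
import json

# Added example: a tamper-evident audit log built as a hash chain.
# Every entry stores the hash of the previous entry, so an edit or a
# deletion anywhere in the chain is detected by verify_chain().
# Record fields (ts, actor, action, target) are constructed for this
# example and are not taken from any real system.

GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(prev_hash, record):
    # Canonical JSON (sorted keys, fixed separators) so the same record
    # always produces the same digest regardless of dict ordering.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_entry(chain, record):
    """Append a record to the chain (a list of dicts) and return the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({
        "record": record,
        "prev": prev_hash,
        "hash": _entry_hash(prev_hash, record),
    })
    return chain


def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev_hash:
            return False, i            # link to the previous entry broken
        if entry["hash"] != _entry_hash(prev_hash, entry["record"]):
            return False, i            # the record itself was altered
        prev_hash = entry["hash"]
    return True, None


def build_sample_chain():
    # Constructed sample audit records covering administrator and
    # partner actions, two of the activity classes the slide lists.
    records = [
        {"ts": "2005-03-22T09:00:00Z", "actor": "admin1",
         "action": "login"},
        {"ts": "2005-03-22T09:05:12Z", "actor": "partnerA",
         "action": "modify_record", "target": "client/1042"},
        {"ts": "2005-03-22T09:07:30Z", "actor": "admin1",
         "action": "grant_access", "target": "user/jdoe"},
    ]
    chain = []
    for record in records:
        append_entry(chain, record)
    return chain


def demo_modification():
    """Someone rewrites the partner's action to hide it; the chain breaks at index 1."""
    chain = build_sample_chain()
    ok_before, _ = verify_chain(chain)
    chain[1]["record"]["action"] = "read_record"
    ok_after, bad_index = verify_chain(chain)
    return ok_before, ok_after, bad_index


def demo_deletion():
    """Someone deletes the partner's entry; the next entry's 'prev' no longer matches."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)


if __name__ == "__main__":
    print("modification:", demo_modification())   # (True, False, 1)
    print("deletion:", demo_deletion())           # (False, 1)
```

A chain by itself only proves that the log is consistent with its own last hash; an attacker who can rewrite the whole file can recompute every link. To make it useful, the current head hash has to be anchored somewhere the attacker cannot reach, for example appended to write-once media or sent to a separate log host, which is also what "stored in a safe place" on the slide should mean in practice.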

  34. Backup and Recovery
  • Enterprise data backup
    • Identify what data is backed up by the system and considered recoverable
    • Identify how often data is backed up
    • Discuss existence of offsite backup and how long it would take to retrieve it in the event of an emergency
    • What is the tape rotation schedule – how many tapes or other media are used?
  • Personal backup
    • What backup responsibilities do users have?
  • Restoration
    • How will data be restored and how long will it take?
    • When was the last time a successful recovery from a backup was demonstrated?

  35. Handling of Information & Equipment
  • Security markings on information and equipment
  • Equipment disposal
    • Computers
    • Workstations
    • Storage media
  • Equipment maintenance
    • Outside repair
    • In-house repair
  • Information disposal
    • What information must be disposed of securely?
    • Procedures for destroying paper containing sensitive information
    • Procedures for destroying floppy disks or CDs containing sensitive information

  36. Security Training
  • How is security awareness conveyed to staff?
    • Annual security awareness training
    • Monthly security bulletins
    • Security posters
  • How is security training provided for IT staff and programmers?
    • Preventing web coding flaws
    • Firewalls and network architecture
  • How is security training provided to administrators?
    • Locking down servers
    • Reviewing audit information
    • Performing vulnerability scans, including wireless
    • Patch management
  • Other specific role or job based security training

  37. Integrity Controls
  • Identify features implemented to ensure that the system has not been modified without authorization
    • Software checksums or signatures
    • Other security software
  • Identify the virus software and vulnerability scans used on the system, how often they run, and how often they are updated
  • Patch management documented plan
    • Who monitors for new patch releases and installs them?
    • How often are patches installed?
    • Number of vendors to monitor

  38. Physical Security
  • Facility security
    • Describe the personnel entry system and how access rules are enforced for building access, building protections
  • Computer room security
    • Describe the personnel entry system and possible contingency entry in event of emergency
  • Communications room security
    • Describe the personnel entry system and possible contingency entry in event of emergency
  • Other locked areas (storage of software, blank checks, etc.)
    • Describe the personnel entry system and possible contingency entry in event of emergency
  • Workstation security
    • Use of UPS to prevent damage during power interruption
    • Preventing laptop theft
  • Computer room environmental controls

  39. Personnel Security
  • Staff background checks
  • Staff security requirements
    • Badges
    • Reporting suspicious activity
  • Visitor control
    • Sign in log
    • Escort requirements
    • Maintenance staff
  • After hours activity – preventing theft and disclosure of sensitive information
  • Confidentiality agreements
  • Expected behavior agreements

  40. Technical Controls
  • Identification and Authentication
  • Access Control
  • Audit
  • Encryption
  Addresses the technology used to implement these controls.

  41. Identification & Authentication
  • User IDs
  • Describe how staff are authenticated
    • Biometrics – fingerprint
    • Password
    • Tokens
  • Describe how authorized non-staff are authenticated for both web access and direct system access
  • Describe how customers/clients are authenticated when accessing the system over the web

  42. Logical Access Controls
  • Mainframe access controls
  • Client server access controls
  • Web transaction access controls

  43. Audit
  • What automated audit features are provided?
    • Operating system based
    • Application based
    • Other
  • What automated analysis tools are used?

  44. Encryption
  • Usage
    • Network transmissions
    • Web transactions
    • Database
    • Passwords
  • Algorithms used
  • Products used within the organization

  45. Other Optional Topics
  • Personnel Safety
  • Rules of Behavior
  • Others?

  46. Personnel Safety
  • Evacuation plan in event of emergency
    • Evacuating and accounting for personnel in building
  • After hours activity
    • Identify special measures for after hours activity in work areas, including escorts to parking lot
  • Protection of personal property
    • Who to notify for suspected theft
  • Fire extinguishers
    • Location and plan to ensure readiness
  • Emergency phone numbers
    • Both during and after work hours
  • Medical emergency
    • Phone numbers and identification of trained medical professionals in building

  47. Security Plan Closing Thoughts
  • It is not necessary, or even desirable, to actually have all the topics fully covered in the plan (300 pound books are difficult to carry around). A reference to the information documented elsewhere is sufficient.
  • The list of topics presented here is not all-inclusive, definitive or mandatory.
    • If a topic not covered here is important – add it
    • If a topic covered here is irrelevant – drop it
  • Build a plan to fit YOUR needs.
  • Keep it brief.

  48. Contact Information: Jane Powanda jpowanda@mitretek.org jpowanda@itsc.org 301 513-0143
