1 / 153

Information Assurance Professional

Information Assurance Professional. National Security Registration Board Version 2.6. Course Goals. This presents the fundamental concepts of information assurance . It is designed to foster a mastery level understanding of the IA process .

alpha
Download Presentation

Information Assurance Professional

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Information Assurance Professional National Security Registration Board Version 2.6

  2. Course Goals • This presents the fundamental concepts of information assurance. • It is designed to foster a mastery level understanding of the IA process. • The intention is to prepare a trained IA professional

  3. Course Application • You learn how to tailor a practical information assurance architecture using this BOK. • As well as how to deploy an appropriate set of flexible countermeasures.

  4. Three Assumptions • Three major assumptions underlie this course: • Assumption One • Effective Information security requires an integrated set of business and technological processes.

  5. The Three Assumption • Assumption Two • Effective information security programs must be deliberately designed and deployed organization-wide through a strategic planning process

  6. The Three Assumption • Assumption Three • Information security programs are systematic, • That is, they embody anappropriate set of persistent and interacting controls • These function seamlessly and as an integral element of day-to-day operation of the business

  7. The Importance of Planning • All three of these requirements must be satisfied for the solution to be correct. • That condition is not arrived at by chance. • It is always derived from a valid set of common best practices.

  8. The IBOK • The IBOK is a compendium, or body-of-knowledge rather than a standard • It is an integration of three existing models into a single unified concept • The idea is that, a harmonized set of recommendations is the most authoritative statement about best practice.

  9. Best Practice Models • There are at least threemodelsthat are used to guide that process, • The Generally Accepted System Security Principles (GASSP), 1999 • ISO 17799 and BS 7799:2 (2002) • COBIT (2006)

  10. Best Practice Models • Each of these embodies a fundamental set of principles derived from extensive “lessons learned” • Each of these provides a useful set of high level control objectives, which can be tailored, to any organizational need. • And each has the potential to serve as the basis of an effective solution.

  11. Best Practice Models • This model comprises the Information Security Body of Knowledge (IBOK). • It also presents a standard implementation methodology for this BOK.

  12. Course Assumptions • Individuals who successfully complete this course can be assumed to be: • Knowledgeable in the best practices for information assurance • Competent to implement security systems that are capable of being accredited by the NSRB.

  13. Text • The following are required • Information Security Body of Knowledge – IBOK Open Standard 2.2, International Standards Institution of Governors, 2004 • Training Guideline, IBOK, National Standards Registration Board, 2003

  14. Course Description • You will learn how to • Create an information security architecture • Establish detailed control procedures within this framework

  15. Course Description • Systematically identify and monitor areas of vulnerability • Assess the impact of threats as they are identified • Deploy appropriate technological and managerial countermeasures

  16. Course Objectives • At the end of this course you will be able to • Deploy an appropriate managerial and technical control framework • Establish a correct information security control set within that framework

  17. Course Objectives • Conduct a capable threat identification • Formulate a baseline defense in depth countermeasure set

  18. Course Objectives • Be able to valuate assets and justify the countermeasures based on that valuation • Be able to deploy, assess and continuously maintain operational countermeasures

  19. Course Agenda 3:00–3:30– Module One: Principles of Information Security 3:30–4:00– Module Two: The Information Assurance Process 4:00–4:45– Module Three: The Implementation Process 4:45-5:00– Initiate Project 5:00-5:30- Prepare Solution 5:30-5:45- Report Solution 5:45-6:00- Questions and Lessons Learned

  20. Module One The Five Basic Goals of the Information Assurance Process

  21. The Five Basic Goals of IA • Information assurance ensures the • Availability • Confidentiality • Integrity • Authentication • Non-Repudiation of Origin - Of information

  22. Definition: Confidentiality • Confidentiality is the condition that insures that information is not disclosed to unauthorized persons, processes or devices. • This implies the requirement for such discrete functions as • information identification and labeling • Need-to-know procedures.

  23. Definition: Integrity • Integrity is the condition of assuring trust. • Within the information security universe, integrity is specifically interpreted to mean: • that a transmission will arrive at its destination in exactly the same form as it was sent..

  24. Definition: Integrity • That requires ensuring: • the logical correctness and reliability of the operating system • the logical completeness of the hardware and software entities • the consistency of the data and occurrences of the stored data.

  25. Definition: Authentication • Authentication is a security service designed to establish the validity of a transmission, message, or originator • It is also a means of verifying an individual’s authorizations to receive specific categories of information

  26. Definition: Authentication • Authentication ensures that the occurrence of false identities is eliminated. • An individual, an organization, or a computer has to be able to prove its identity to be properly secured.

  27. Definition: Authentication • This also implies an authorization function. • Authorization describes the system’s ability to regulate access to resources once the identity is verified.

  28. Definition: Availability • Availability implies the ability to provide authorized users with timely and reliable access to data and information services. • It is characterized by best practices such as: • back-up power • continuous signal • off-site recovery

  29. Definition: Availability • Availability also describes the overall goal of security management. • Which is to ensure the requisite level of trustworthiness in day-to-day operation

  30. Definition: Availability • In reality, availability is a condition, rather than a specific security function. • It is often traded off against purely security related conditions, like confidentiality.

  31. Definition: Availability • Because availability ensures functioning… • There might be a time when assuring availability outweighs procedures that are necessary to secure information.

  32. Definition: Availability • The judgment to sacrifice any of the other security services for the sake of enhanced availability is a risk mitigation decision • Which is usually motivated by threats and vulnerabilities in the business case.

  33. Definition: Non-Repudiation • Non-repudiation of origin provides the sender with proof of delivery • AND • It underwrites the identity of the sender to the recipient.

  34. Definition: Non-Repudiation • As a result, neither party can later deny that the message was legitimately sent and received. • Non-repudiation has ramifications for everything from purchases on e-bay, to modern battlefield orders.

  35. Module One: Questions • What are the Five Elements of IA? • What does integrity ensure? • What is often traded off against availability? • What is the value of non-repudiation to businesses? • What does authentication require to work properly? • What is a risk mitigation decision? • What is non-repudiation based on? • What is availability characterized by? • What does need-to-know support? • What basic condition does offsite backup ensure?

  36. Module Two The Information Assurance Process

  37. The Information Assurance Process • Information assurance is a multifaceted process composed of fifteen elements and one critical capability • Each is a discrete function and each contributes differently to the overall purposes of securing information. • These fifteen elements comprise a lifecycle.

  38. The Information Assurance Process • All fifteen function within that lifecycle to ensure an effective level of security. • Each element plays its proper role at a logical place within the process.

  39. The Information Assurance Process • The outcome is adequate protection of all information assets Adequate protection assumes the presence of all necessary safeguards !

  40. Building a Holistic Solution • Electronic assurance constitutes just one aspect of that protection. • Full protection has to incorporate all of the organizational functions and human factors relevant to security.

  41. Building a Holistic Solution • The outcome must constitute a holistic response. • In essence the response must integrate: • All of the assurance measures • To protect all information • At all times

  42. The Fifteen Principles • The IBOK integrates a common body of knowledge. • That BOK itemizes fifteen aspectsof security (and one critical process).

  43. The Fifteen Principles • Each must be addressed in order for a security solution to be complete. • These are arrayed in the lifecycle model demonstrated on the next set of slides

  44. IA Lifecycle – Lifecycle Scope The Information Resource Is described by Asset Identification AND Evaluated by a Risk Assessment

  45. IA Lifecycle – Management Security Policy Which is Shaped by Defines Security Discipline Security Infrastructure Which Enforces And Access Control Ethical Conduct Which is Maintained by Security of Operations

  46. IA Lifecycle – Countermeasures Process Countermeasures Management Countermeasures Technical Countermeasures Physical Security Software Assurance Continuity Compliance Personnel Security NETSEC Process Assurance Crypto

  47. Principle One: Asset Identification • The form of the information resource has to be understood in order to properly secure it. • Thus, everything that is part of that resource has to be identified, labeled and placed in a documented asset baseline. • It is also necessary to establish a system for controlling changes to that baseline.

  48. Principle Two: Risk Assessment • Risk assessment defines the form of the security response. • Current operations as well as prospective ones are systematically evaluated using risk assessment • The goal is to identify potential threats, vulnerabilities and weaknesses within the asset base

  49. Principle Three: Security Policy • Then the organization establishes uniform policies to guide the assurance process. • These policies are the basis for the solution. • The outcome is a rational set of guidelines for information assurance.

  50. Principle Four: Infrastructure • The procedural infrastructure is a tangible realization of security policy • The organization has to design and enforce a logical and consistent set of procedures • These must be directly traceable to the policies they implement.

More Related