Security Management
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
chu@ist.psu.edu
Theory. Practice. Learning by Doing.
IST 515
Security Management Framework (layers run from organizational at the top to operational at the bottom)
• Security Policy
• Organizational Design
• Security Management
• Asset Classification and Control
• Access Control
• Compliance
• Personnel Security
• Awareness Education
• Physical and Environmental Security
• System Development and Maintenance
• Communications & Operations Mgmt.
• Business Continuity Management
Objectives This module will familiarize you with the following: • Why security? • Essential security terminology. • Core information security principles. • The security management framework. • Information security management governance. • Security policies, procedures, standards, guidelines and baselines. • Auditing frameworks for compliance.
Readings
• NIST, "An Introduction to Computer Security," SP 800-12 (Oct. 1995). Chapters 2 & 4 (Required).
• Tipton, H. and Henry, K. (Eds.), Official (ISC)2 Guide to the CISSP CBK, Auerbach, 2007. Domain 1 (Required).
• Bowen, P., Hash, J. and Wilson, M., "Information Security Handbook: A Guide for Managers," NIST, SP 800-100 (Oct. 2006). Chapter 2.
• von Solms, B. and von Solms, R., "The 10 Deadly Sins of Information Security Management," Computers & Security (2004) 23, 371-376.
• Wikipedia, Information Technology Infrastructure Library. http://en.wikipedia.org/wiki/Information_Technology_Infrastructure_Library
• Wikipedia, COSO Enterprise risk management. http://en.wikipedia.org/wiki/Enterprise_risk_management#COSO_ERM_framework
• Wikipedia, ISO/IEC 27000. http://en.wikipedia.org/wiki/Iso27000
Scenario Stephen used to be the most bullied guy in his circle of friends. Johnson, the neighborhood guy, was part of the peer group and foremost in bullying Stephen. Stephen started developing hatred for Johnson. Johnson owned and hosted a personal website where he showcased his website development skills. He passed the IP address of his website to his peer group so that they could comment on it after viewing the pages. Stephen comes across an article on hacking on the Internet. Amazed by the potential of the tools showcased in that article, he decides to try them hands on. With the downloaded scanning tools, Stephen started scanning the IP of Johnson's website.
• What kind of information will Stephen be exposed to?
• Will the scan performed by Stephen affect Johnson's website?
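The two scenario questions can be answered concretely. The following is an added example, not part of the original slides: it stands up a constructed local listener on 127.0.0.1 that plays the role of Johnson's web server, runs a plain TCP connect scan against it (the unprivileged kind of scan a downloaded beginner's tool performs) and reports both what the scanner learns (which ports accept connections and what banner they return) and what the target records (a log entry for every connection attempt). The banner, ports and log format are all made up for the demonstration; nothing is sent off the local machine.

```python
"""Added example: what a TCP connect scan reveals, and what the target sees.

Everything here is constructed: the "target site" is a local listener on
127.0.0.1 that returns a made-up HTTP banner, so the script runs offline.
"""
import socket
import threading

# Constructed banner; a real web server would leak its product and version here.
BANNER = b"HTTP/1.0 200 OK\r\nServer: ExampleSite/0.1 (constructed)\r\n\r\n"


class BannerListener:
    """Stand-in for Johnson's web server: answers with a banner and logs every
    connection, which is the trace the scan leaves behind on the target side."""

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
        self.port = self.sock.getsockname()[1]
        self.sock.listen(16)
        self.sock.settimeout(0.2)  # lets the serving thread notice shutdown
        self.log = []  # target-side connection log
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self.sock.accept()
            except socket.timeout:
                continue
            self.log.append("connection from %s:%d" % addr)
            try:
                conn.sendall(BANNER)
            finally:
                conn.close()

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def tcp_connect_scan(host, ports, timeout=0.5):
    """Full TCP connect scan: returns {port: first banner line} for every port
    that completes the handshake. No raw sockets or privileges are needed."""
    open_ports = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:  # refused, timed out, unreachable: treat as closed
            s.close()
            continue
        try:
            banner = s.recv(256)
        except OSError:
            banner = b""
        finally:
            s.close()
        text = banner.decode("latin-1", "replace")
        open_ports[port] = text.splitlines()[0] if text else ""
    return open_ports


def free_closed_port():
    """Pick a port that is currently closed by binding to 0 and releasing it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_scenario():
    """Scan the constructed target and report both sides of the exchange."""
    target = BannerListener()
    try:
        closed = free_closed_port()
        result = tcp_connect_scan("127.0.0.1", [closed, target.port])
        return {
            "target_port": target.port,
            "closed_port": closed,
            "open": result,                   # what the scanner learns
            "server_log": list(target.log),   # what the target records
        }
    finally:
        target.close()


if __name__ == "__main__":
    r = run_scenario()
    print("scanner sees:", r["open"])
    print("target logged:", r["server_log"])
```

The scanner learns which ports accept connections and whatever the service volunteers in its banner (product and version strings are what an attacker then looks up for known weaknesses). The target is affected in the sense that every probe is a real connection: it appears in the server log, consumes a connection slot while open, and, if an intrusion detection system is watching, trips a port-scan alert. A connect scan on its own does not take the site down, but it is visible and attributable to the scanner's IP address.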
Why Security? • Evolution of technology focused on ease of use. • Decreasing skill level needed for exploits. • Increased network environment and network-based applications.
Why Security? • Direct impact of security breach on corporate asset base and goodwill. • Increasing complexity of computer infrastructure administration and management.
Information Security Principles - CIA • Security rests on confidentiality, integrity, availability, and authenticity: • Confidentiality. Only authorized individuals, processes, or systems have access to information, on a need-to-know basis. • Integrity. Information is protected from intentional, unauthorized, or accidental changes. • Availability. Information and resources are accessible when needed (threatened by DoS and DDoS attacks). • Authenticity. The identification and assurance of the origin of information. A bare hash such as MD5 only detects that data changed; anyone who alters the data can recompute it, and MD5 is collision-broken in any case. Origin assurance needs a key the attacker does not hold: a keyed MAC such as HMAC, or a digital signature.
Confidentiality, Integrity and Availability (diagram: Security at the centre of the three properties Confidentiality, Integrity and Availability)
Reverse CIA Confidentiality: • Preventing unauthorized subjects from accessing information Integrity: • Preventing unauthorized subjects from modifying information Availability: • Preventing information and resources from being inaccessible when needed.
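To make the integrity-versus-authenticity distinction from the CIA slide concrete, here is an added example (not from the original slides) using only the Python standard library. A sender publishes a message with either an unkeyed SHA-256 digest or an HMAC-SHA256 tag; an attacker who can intercept the message substitutes a forged one. The key, messages and the "attacker" model are constructed for the demonstration.

```python
"""Added example: a bare hash gives integrity only; a keyed MAC gives authenticity.

Keys and messages below are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets


def digest_tag(message: bytes, algorithm: str = "sha256") -> str:
    """Unkeyed hash. Detects accidental corruption, but anyone who can change
    the message can recompute this, so it proves nothing about the sender.
    (Passing "md5" here works, but MD5 is collision-broken and should not be
    relied on even for integrity.)"""
    return hashlib.new(algorithm, message).hexdigest()


def mac_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256. Only a holder of `key` can produce a tag that verifies,
    which is what ties the message to its origin."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def mac_verify(key: bytes, message: bytes, tag: str) -> bool:
    """Constant-time comparison so a verifier does not leak the tag byte by byte."""
    return hmac.compare_digest(mac_tag(key, message), tag)


def demo(key: bytes, original: bytes, forged: bytes) -> dict:
    """Model one sender, one receiver and an attacker who swaps the message.

    Case 1: sender ships (message, sha256). The attacker replaces the message
    and recomputes the digest; the receiver's check passes, so the hash gave
    integrity against accidents only, not authenticity.
    Case 2: sender ships (message, hmac). The attacker has no key, so the best
    it can do is reuse the old tag or tag the forgery with a guessed key.
    Both fail at the receiver.
    """
    # Case 1: unkeyed hash
    tag_hash = digest_tag(original)                       # what the sender sent
    attacker_tag_hash = digest_tag(forged)                # attacker recomputes
    hash_accepts_forgery = digest_tag(forged) == attacker_tag_hash

    # Case 2: keyed MAC
    tag_mac = mac_tag(key, original)
    guessed_key = secrets.token_bytes(32)                 # attacker's guess
    return {
        "hash_accepts_original": digest_tag(original) == tag_hash,
        "hash_accepts_forgery": hash_accepts_forgery,
        "mac_accepts_original": mac_verify(key, original, tag_mac),
        "mac_accepts_forgery_old_tag": mac_verify(key, forged, tag_mac),
        "mac_accepts_forgery_guessed_key": mac_verify(
            key, forged, mac_tag(guessed_key, forged)),
    }


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)  # agreed out of band by sender and receiver
    for name, ok in demo(shared_key,
                         b"transfer 100 to account 42",
                         b"transfer 100 to account 99").items():
        print(f"{name:34s} {ok}")
```

The receiver in case 2 must hold the same key as the sender, which is exactly the management problem the rest of this module deals with: key distribution and custody are policy and personnel questions, not just algorithm choices. Where no shared secret is possible, a digital signature plays the same role with a public key.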
Trade-off (diagram: a ball on a line between Functionality/Usability and Security). Moving the ball towards security means moving away from functionality and ease of use.
Security/Risk Management Relationships (cycle, with Central Management at the centre): Determine Needs & Assess Risks → Implement Policies & Controls → Promote Awareness → Monitor & Evaluate → back to Determine Needs & Assess Risks.
10 Deadly Sins of Security Management • Not realizing that information security is a corporate governance responsibility (the buck stops right at the top) • Not realizing that information security is a business issue and not a technical issue • Not realizing the fact that information security governance is a multi-dimensional discipline • Not realizing that an information security plan must be based on identified risks • Not realizing the important role of international best practices for information security management
10 Deadly Sins of Security Management • Not realizing that a corporate information security policy is absolutely essential • Not realizing that information security compliance enforcement and monitoring is absolutely essential • Not realizing that a proper information security governance structure is absolutely essential • Not realizing the core importance of information security awareness amongst users • Not empowering information security managers with the infrastructure, tools and supporting mechanisms to properly perform their responsibilities Lessons Learned
Multi-Dimension of Information Security • The Corporate Governance Dimension • The Organizational Dimension • The Policy Dimension • The Best Practice Dimension • The Ethical Dimension • The Certification Dimension • The Legal dimension • The Insurance Dimension • The Personnel/Human Dimension • The Awareness Dimension • The Technical Dimension • The Measurement/Metrics (Compliance monitoring/Real time IT audit) Dimension • The Audit Dimension
Security Management Practice • Security Governance. • Security Policies, Procedures, Standards, Guidelines, and Baselines. • Security Planning. • Security Organization. • Personnel Security. • Security Audit and Control. • Security Awareness, Training and Education. • Risk Assessment and Management. • Professional Ethics.
Security Management Governance Security governance consists of the organizational processes and relationships that ensure the appropriate information security activities are performed, so that risks are reduced to an acceptable level, information security investments are appropriately directed, and executive management has visibility into the program and asks the questions needed to judge its effectiveness. • Policies, Procedures, Standards, Guidelines, Baselines • Organizational Structures • Roles and Responsibilities
Policies, Standards, Procedures, Baselines, & Guidelines (hierarchy, top to bottom)
• Inputs: Laws, Regulations, Requirements, Organizational Goals & Objectives
• General Organizational Policies: Management's Security Statement
• Functional Implementing Policies: Management's Security Directives
• Standards: Specific Hardware & Software
• Procedures: Step-by-Step Instructions
• Baselines: Consistent Level of Security
• Guidelines: Recommendations
Procedures, standards, and guidelines are used to describe how these policies will be implemented within an organization.
Audit Frameworks for Compliance • COSO – The Committee of Sponsoring Organizations of the Treadway Commission (1985). • ITIL – The IT Infrastructure Library (1989-1992). • ISO 17799/BS 7799 (1995). • ISO/IEC 27000 (2005). • COBIT – Control Objectives for Information and Related Technology.
COSO Integrated Framework (Enterprise Risk Management): its eight components are Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, and Monitoring.
ITIL Service Management Processes (http://www.securityfocus.com/print/infocus/1815)
ITIL Framework (http://iwi.uibk.ac.at/wikiwi/index.php?title=Image:Itil.jpg)
ITIL V3 Processes and Functions (F marks a function rather than a process)
• Service Strategy: Strategy Generation; Financial Mgmt.; Demand Mgmt.; Service Portfolio Mgmt.
• Service Design: Service Level Mgmt.; Capacity Mgmt.; Availability Mgmt.; IT Service Continuity Mgmt.; Information Security Mgmt.; Supplier Mgmt.; Service Catalogue Mgmt.
• Service Transition: Knowledge Mgmt.; Change Mgmt.; Asset and Configuration Mgmt.; Release and Deployment Mgmt.; Transition Planning and Support; Service Validation and Testing; Evaluation.
• Service Operation: Service Desk (F); Event Mgmt.; Incident Mgmt.; Request Fulfillment; Problem Mgmt.; Access Mgmt.; IT Operations Mgmt. (F); Applications Mgmt. (F); Technical Mgmt. (F).
• Continual Service Improvement: Service Measurement; Service Reporting; Service Improvement; Return on Investment; Business Questions.
(http://krpm.wordpress.com/reports/)
ISO 17799 Standards (ISO/IEC 17799:2005, renumbered ISO/IEC 27002 in 2007; its eleven control clauses) • Information security policy. • Organizing information security. • Asset management. • Human resources security. • Physical and environmental security. • Communications and operations management. • Access control. • Information systems acquisition, development and maintenance. • Information security incident management. • Business continuity management. • Compliance.
COBIT (diagram: Business Objectives drive Governance Objectives, which COBIT serves)
• Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability.
• Process domains (cycle): Plan & Organize → Acquire & Implement → Deliver & Support → Monitor & Evaluate.
• IT Resources: Applications, Information, Infrastructure, People.
Summary of Audit Frameworks • COSO – The Committee of Sponsoring Organizations of the Treadway Commission (1985). • ITIL – The IT Infrastructure Library (1989-1992). • ISO 17799/BS 7799 (1995). • ISO/IEC 27000 (2005). • COBIT – Control Objectives for Information and Related Technology.
Possible Projects • Develop a security audit plan. • Compliance testing according to a standard (e.g., HIPAA, ISO 27000, COBIT, etc.). • Awareness education for HIPAA, ISO 27000, COBIT compliance. • A comparative analysis of different security compliance frameworks.