790 likes | 1.31k Views
MANAGEMENT of INFORMATION SECURITY Second Edition. Learning Objectives. Upon completion of this chapter, you should be able to: Select from the dominant information security management models, including U.S. government sanctioned models, and customize them for your organization’s needs
E N D
MANAGEMENT of INFORMATION SECURITY Second Edition
Learning Objectives • Upon completion of this chapter, you should be able to: • Select from the dominant information security management models, including U.S. government sanctioned models, and customize them for your organization’s needs • Implement the fundamental elements of key information security management practices • Follow emerging trends in the certification and accreditation of U. S. Federal IT systems Management of Information Security - Chapter 6
Introduction • To create or maintain a secure environment, one must design a working security plan and then implement a management model to execute and maintain the plan • This may begin with the creation or validation of a security framework, followed by an information security blueprint that describes existing controls and identifies other necessary security controls • A framework is the outline of the more thorough blueprint, which is the basis for the design, selection, and implementation of all subsequent security controls • Most organizations draw from established security models and practices to develop a blueprint or methodology Management of Information Security - Chapter 6
ISO/IEC 17799:2005 • One of the most widely referenced and often discussed security models is Information Technology – Code of Practice for Information Security Management, which was originally published as British Standard BS 7799 • The purpose is to establish “guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization” Management of Information Security, 2nd Edition
ISO/IEC 17799:2005 (continued) • “ISO/IEC 17799:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities” • ISO/IEC 17799:2005 replaced BS7799:1 Management of Information Security, 2nd Edition
ISO/IEC 17799:2005 (continued) • ISO/IEC 17799:2005 has 133 possible controls, not all of which must be used; part of the process is to identify which are relevant • Each section includes four categories of information: • One or more objectives • Controls relevant to the achievement of the objectives • Implementation guidance • Other information Management of Information Security, 2nd Edition
ISO/IEC 17799:2005 (continued) • Many countries, including the U.S., Germany, and Japan, have not adopted the model, claiming it is fundamentally flawed: • The global InfoSec community has not defined any justification for the code of practice identified • The model lacks “the necessary measurement precision of a technical standard” • There is no reason to believe the model is more useful than any other approach • It is not as complete as other frameworks • It is perceived as being hurriedly prepared, given the tremendous impact that its adoption could have on industry information security controls Management of Information Security, 2nd Edition
Figure 6-1 17799:2005 Usability Management of Information Security, 2nd Edition
SANS SCORE and ISO/IEC 17799 • One way to determine how closely an organization is complying with ISO 17799 is to use the SANS SCORE Audit Checklist • The checklist provides insight into eleven sections of ISO/IEC 17799 Management of Information Security, 2nd Edition
The Eleven Sections Of ISO/IEC 17799 • Security Policy – focusing mainly on InfoSec policy • Organization of InfoSec – for both the internal organization and external parties • Asset Management – including responsibility for assets and information classification • Human Resources Security – ranging from controls prior to employment, during employment, to termination or change of employment • Physical and Environmental Security – including secure areas and equipment security Management of Information Security, 2nd Edition
The Eleven Sections Of ISO/IEC 17799 (continued) 6. Communications and Operations Management • Incorporating operational procedures and responsibilities • Third-party service delivery management • System planning and acceptance • Protection against malicious and mobile code • Backup • Network security management • Media handling • Exchange of information • Electronic commerce services and monitoring Management of Information Security, 2nd Edition
The Eleven Sections Of ISO/IEC 17799 (continued) 7. Access Control • Business requirement for access control • User access management • User responsibilities • Network access control • Operating system access control • Application and information access control • Mobile computing and teleworking Management of Information Security, 2nd Edition
The Eleven Sections Of ISO/IEC 17799 (continued) 8. Information Systems Acquisition, Development, and Maintenance • Security requirements of information systems • Correct processing in applications • Cryptographic controls • Security of system files • Security in development and support processes and technical vulnerability management Management of Information Security, 2nd Edition
The Eleven Sections Of ISO/IEC 17799 (continued) 9. Information Security Incident Management addressing reporting InfoSec events and weaknesses and management of InfoSec incidents and improvements • Business Continuity Management – InfoSec aspects of BCM • Compliance • With legal standards • With security policies and standards • Technical compliance with information systems audit considerations Management of Information Security, 2nd Edition
ISO/IEC 27001:2005 – The InfoSec Management System • BS7799:2 is the companion to BS7799:1, and provides implementation details using a Plan-Do-Check-Act cycle Management of Information Security, 2nd Edition
Figure 6-3BS7799:2 – Plan-Do-Check-Act Management of Information Security - Chapter 6
ISO/IEC 27001:2005 – The InfoSec Management System (continued) • Plan • Define the scope of the ISMS • Define an ISMS policy • Define the approach to risk assessment • Identify the risks • Assess the risks • Identify and evaluate options for the treatment of risk • Select control objectives and controls • Prepare a Statement of Applicability(SOA) Management of Information Security, 2nd Edition
ISO/IEC 27001:2005 – The InfoSec Management System (continued) • Do • Formulate a Risk Treatment Plan • Implement the Risk Treatment Plan • Implement controls • Implement training and awareness programs • Manage operations • Manage resources • Implement procedures to detect and respond to security incidents Management of Information Security, 2nd Edition
ISO/IEC 27001:2005 – The InfoSec Management System (continued) • Check • Execute monitoring procedures • Undertake regular reviews of ISMS effectiveness • Review the level of residual and acceptable risk • Conduct internal ISMS audits • Undertake regular management review of the ISMS • Record actions and events that impact an ISMS Management of Information Security, 2nd Edition
ISO/IEC 27001:2005 – The InfoSec Management System (continued) • Act • Implement identified improvements • Take corrective or preventive action • Apply lessons learned • Communicate results to interested parties • Ensure improvements achieve objectives Management of Information Security, 2nd Edition
ISO/IEC 27001:2005 – The InfoSec Management System (continued) • In 2005, BS 7799:2 was updated and codified as ISO/IEC 27001:2005, and is the foundation for third-party certification • Its major sections include: • Introduction • Scope • Terms and definitions • ISMS • Management responsibility • Management review • ISMS improvement Management of Information Security, 2nd Edition
ISO/IEC 27001:2005 – The InfoSec Management System (continued) • Proposed use of 27001:2005 • Use within organizations to formulate security requirements and objectives • Use within organizations as a way to ensure that security risks are cost-effectively managed • Use within organizations to ensure compliance with laws and regulations • Use within organizations as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met Management of Information Security, 2nd Edition
ISO/IEC 27001:2005 – The InfoSec Management System (continued) • Proposed use of 27001:2005 (continued) • Definition of new InfoSec management processes • Identification and clarification of existing InfoSec management processes • Used by the management of organizations to determine the status of InfoSec management activities • Used by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives, and standards adopted by an organization Management of Information Security, 2nd Edition
ISO/IEC 27001:2005 – The InfoSec Management System (continued) • Proposed use of 27001:2005 (continued) • Used by organizations to provide relevant information about InfoSec policies, directives, standards, and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons • Implementation of business-enabling InfoSec • Used by organizations to provide relevant information about InfoSec to customers Management of Information Security, 2nd Edition
NIST Security Models • NIST documents have two notable advantages: • They are publicly available at no charge • They have been available for some time and thus have been broadly reviewed by government and industry professionals • SP 800-12, Computer Security Handbook • SP 800-14, Generally Accepted Security Principles & Practices • SP 800-18, Guide for Developing Security Plans • SP 800-26, Security Self-Assessment Guide-IT Systems • SP 800-30, Risk Management for Information Technology Systems Management of Information Security - Chapter 6
NIST SP 800-12 The Computer Security Handbook • Excellent reference and guide for the routine management of information security • Little provided on design and implementation of new security systems; use as supplement to gain a deeper understanding of background and terminology Management of Information Security - Chapter 6
NIST SP 800-12 The Computer Security Handbook (continued) • Lays out the NIST philosophy on security management by identifying 17 controls organized into three categories: • The Management Controls section addresses security topics that can be characterized as managerial • The Operational Controls section addresses security controls that focus on controls that are, broadly speaking, implemented and executed by people (as opposed to systems) • The Technical Controls section focuses on security controls that the computer system executes Management of Information Security - Chapter 6
NIST Special Publication 800-14Generally Accepted Principles and Practices for Securing Information Technology Systems • Describes best practices useful in the development of a security blueprint • Describes principles that should be integrated into information security processes • Documents 8 points and 33 principles Management of Information Security - Chapter 6
NIST Special Publication 800-14Key Points • The more significant points made in NIST SP 800-14 are: • Security supports the mission of the organization • Security is an integral element of sound management • Security should be cost-effective • Systems owners have security responsibilities outside their own organizations • Security responsibilities and accountability should be made explicit • Security requires a comprehensive and integrated approach • Security should be periodically reassessed • Security is constrained by societal factors Management of Information Security - Chapter 6
NIST Special Publication 800-14Principles Principle 1. Establish a sound security policy as the “foundation” for design Principle 2. Treat security as an integral part of the overall system design Principle 3. Clearly delineate the physical and logical security boundaries governed by associated security policies Principle 4. Reduce risk to an acceptable level Principle 5. Assume that external systems are insecure Management of Information Security, 2nd Edition
NIST Special Publication 800-14Principles (continued) Principle 6. Identify potential trade-offs between reducing risk and increased costs and decreases in other aspects of operational effectiveness Principle 7. Implement layered security (Ensure no single point of vulnerability) Principle 8. Implement tailored system security measures to meet organizational security goals Principle 9. Strive for simplicity Management of Information Security - Chapter 6
NIST Special Publication 800-14Principles (continued) Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in response Principle 11. Minimize the system elements to be trusted Principle 12. Implement security through a combination of measures distributed physically and logically Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of expected threats Principle 14. Limit or contain vulnerabilities Management of Information Security, 2nd Edition
NIST Special Publication 800-14Principles (continued) Principle 15. Formulate security measures to address multiple overlapping information domains Principle 16. Isolate public access systems from mission critical resources Principle 17. Use boundary mechanisms to separate computing systems and network infrastructures Principle 18. Where possible, base security on open standards for portability and interoperability Principle 19. Use common language in developing security requirements Management of Information Security - Chapter 6
NIST Special Publication 800-14Principles (continued) Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support incident investigations Principle 21. Design security to allow for regular adoption of new technology, including a secure and logical technology upgrade process Principle 22. Authenticate users and processes to ensure appropriate access control decisions both within and across domains Management of Information Security - Chapter 6
NIST Special Publication 800-14Principles (continued) Principle 23. Use unique identities to ensure accountability Principle 24. Implement least privilege Principle 25. Do not implement unnecessary security mechanisms Principle 26. Protect information while being processed, in transit, and in storage Principle 27. Strive for operational ease of use Principle 28. Develop and exercise contingency or disaster recovery procedures to ensure appropriate availability Management of Information Security, 2nd Edition
NIST Special Publication 800-14Principles (continued) Principle 29. Consider custom products to achieve adequate security Principle 30. Ensure proper security in the shutdown or disposal of a system Principle 31. Protect against all likely classes of “attacks” Principle 32. Identify and prevent common errors and vulnerabilities Principle 33. Ensure that developers are trained in how to develop secure software Management of Information Security, 2nd Edition
NIST Special Publication 800-18A Guide for Developing Security Plans for Information Technology Systems • Provides detailed methods for assessing, designing, and implementing controls and plans for various-sized applications • Serves as a guide for the activities described in this chapter, and for the overall information security planning process • It includes templates for major application security plans Management of Information Security - Chapter 6
NIST Special Publication 800-2617 Areas Defining the core of the NIST Security Management Structure • Management Controls • Risk Management • Review of Security Controls • Life Cycle Maintenance • Authorization of Processing (Certification and Accreditation) • System Security Plan • Operational Controls • Personnel Security • Physical Security • Production, Input/Output Controls • Contingency Planning • Hardware and Systems Software • Data Integrity • Documentation • Security Awareness, Training, and Education • Incident Response Capability • Technical Controls • Identification and Authentication • Logical Access Controls • Audit Trails Management of Information Security - Chapter 6
NIST Special Publication 800-30Risk Management Guide for Information Technology Systems • Provides a foundation for the development of an effective risk management program • Contains both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems • Strives to enable organizations to better manage IT-related risks Management of Information Security - Chapter 6
RFC 2196 Site Security Handbook • The Security Area Working Group within the IETF has created RFC 2196, the Site Security Handbook that provides a functional discussion of important security issues along with development and implementation details • Covers security policies, security technical architecture, security services, and security incident handling • Also includes discussion of the importance of security policies, and expands into an examination of services, access controls, and other relevant areas Management of Information Security - Chapter 6
Control Objectives for Information and related Technology (COBIT) • Control Objectives for Information and related Technology (COBIT) also provides advice about the implementation of sound controls and control objectives for InfoSec • COBIT was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992 Management of Information Security, 2nd Edition
Control Objectives for Information and related Technology (COBIT) (continued) • COBIT presents 34 high-level objectives that cover 215 control objectives; these objectives are categorized into four domains: • Plan and organize • Acquire and implement • Deliver and support • Monitor and evaluate Management of Information Security, 2nd Edition
Control Objectives for Information and related Technology (COBIT) (continued) • Plan and organize • Makes recommendations for achieving organizational goals and objectives through the use of IT • Ten controlling objectives (PO1 – PO10) • Acquire and implement • Focuses on specification of requirements • Acquisition of needed components • Integration of these components into the organization’s systems • Examines ongoing maintenance and change requirements • Seven controlling objectives (AI1 – AI7) Management of Information Security, 2nd Edition
Control Objectives for Information and related Technology (COBIT) (continued) • Delivery and support • Focuses on the functionality of the system and its use to the end user • Examines systems applications, including input, processing, and output components • Examines processes for efficiency and effectiveness of operations • 13 high-level controlling objectives (DS1 – DS13) Management of Information Security, 2nd Edition
Control Objectives for Information and related Technology (COBIT) (continued) • Monitor and evaluate • Seeks to examine the alignment between IT systems usage and organizational strategy • Identifies the regulatory requirements for which controls are needed • Monitors the effectiveness and efficiency of IT systems against the organizational control processes in the delivery and support domain • Four high-level controlling objectives (ME1 – ME4) Management of Information Security, 2nd Edition
Committee of Sponsoring Organizations of the Treadway Commission (COSO) • COSO is a U.S. private-sector initiative formed in 1985 • Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence • COSO has established a common definition of internal controls, standards and criteria, and helps organizations comply with critical regulations like Sarbanes-Oxley Management of Information Security, 2nd Edition
Committee of Sponsoring Organizations of the Treadway Commission (COSO) (continued) • COSO is built on five interrelated components: • Control environment • Risk assessment • Control activities • Information and communication • Monitoring Management of Information Security, 2nd Edition
Security Management Practices • In information security, two categories of benchmarks are used • Standards of due care/due diligence • Best practices • Best practices include a subcategory of practices—called the gold standard—that are general regarded as “the best of the best” Management of Information Security - Chapter 6
Standards of Due Care/Due Diligence • When organizations adopt minimum levels of security for a legal defense, they may need to show that they have done what any prudent organization would do in similar circumstances; this is known as a standard of due care • Implementing controls at this minimum standard, and maintaining them, demonstrates that an organization has performed due diligence Management of Information Security - Chapter 6
Standards of Due Care/Due Diligence (continued) • Due diligence requires that an organization ensure that the implemented standards continue to provide the required level of protection • Failure to support a standard of due care or due diligence can expose an organization to legal liability, provided it can be shown that the organization was negligent in its application or lack of application of information protection Management of Information Security - Chapter 6