Future Standardization Topics of InfoSec Management
Prof. Jungduk Kim
Department of Information Systems
Chung-Ang University
Agenda
• Paradigm Shift of InfoSec
• InfoSec Mgmt Functions and CSF
  • Functions/Processes
  • Critical Success Factors
• Standardization Topics on InfoSec Mgmt
  • ISO
  • NIST and Others
• InfoSec Mgmt Issues to be addressed
  • Phased Approach to InfoSec Certification
  • InfoSec Metric Mgmt
  • Incident Cost Analysis & Modeling
  • Return on Security Investment
ITU-T Workshop on Security - Seoul (Korea), 13-14 May 2002
Information Security Paradigm
• First Wave – Technical
  • Early 80's
  • Focused on technical solutions
  • Access control list, user-id & password, etc.
• Second Wave – Managerial
  • Middle 90's
  • Distributed computing, Internet, WWW, e-business
  • Top Mgmt involved, ISO, organizational structure
Third Wave – Institutionalization
• InfoSec Standardization
  • "How do I know I am not missing something?" syndrome
• Int'l InfoSec Certification
  • "How can I prove my infosec preparedness to an E-commerce partner?" syndrome
• Cultivating an InfoSec Culture right throughout a Company
  • "My own users may be my biggest enemy?" syndrome
• Implementing Metrics to Continuously and Dynamically Measure InfoSec Aspects in a Company
  • "How do I know how well our infosec policies, procedures, etc. are complied with?" syndrome
Institutionalization
• A procedural and technical infosec infrastructure, and
• a corporate infosec culture,
• established in such a way that infosec becomes a natural aspect of the day-to-day activities of all employees of the company
• Macro level
  • An internationally accepted reference framework is used
• Micro level
  • Physical measurements can be made
InfoSec Mgmt Functions
• Determining organizational IT security objectives, strategies and policies
• Determining organizational IT security requirements
• Development of an IT security policy
• Identifying roles and responsibilities in the organization
• Risk management
• Reviewing and monitoring the implementation and operation of safeguards
• Developing and implementing a security awareness program
• Configuration management & Change management
• Business continuity management
• Security audit and Incident handling
InfoSec Mgmt Processes
[Process flow diagram; labels recovered from the slide: IT Security Policy, Requirements; Requirements Analysis; Combined Approach; High Level Risk Analysis; Baseline Approach; Detailed Risk Analysis; Assessment of Risks; Cost benefits analysis, Selection of safeguards; IT System Security Policy; Security Architecture; IT Security Plan; Implementation of IT security policy; Implementation of IT security plan; Implementation of Safeguards; HW, SW, management; Education, Training; Follow-up; Maintenance; Compliance Checking; Monitoring; Change Management; Incident Handling]
InfoSec Mgmt: CSF
• Appropriate Organizational Structure
  • Roles and responsibilities
  • Reporting relationships
• Source and level of financial support
  • Budgeting
• Raising the Level of Mgmt Awareness
  • Providing proper feedback
  • Highlighting the incomplete or exposed
  • Evaluating the organization's InfoSec level
• Senior Managers' Commitment
• Return on Security Investment
Standardization Topics on InfoSec Management
• ISO
  • GMITS
  • ISO 17799
  • Intrusion Detection Framework
  • Incident Management
• NIST 800 Series
  • Risk Management Guide
  • Security Self-Assessment Guide
  • Security Assurance and Acquisition/Use of Tested/Evaluated Products
  • Guide for Developing Security Plans
  • IT Security Training Requirements
Standardization Issues
• Int'l InfoSec Certification
  • Phased InfoSec Certification
• InfoSec Culture throughout a Company
• Incident Cost and Modeling
• Return on Security Investment
• InfoSec Management thru Measurement
  • Metric Management
BS 7799 Part 1, 2
• BS 7799 Part 1
  • Code of Practice for infosec Mgmt
  • Published in 1995, revised in 1999
  • Int'l Standard in 2000 as ISO/IEC 17799
  • 10 sections, 127 high-level controls
  • Best practice guidance
• BS 7799 Part 2
  • Specification for ISMS
  • Certification standard
  • Under revision in 2002
  • Statement of Applicability
Pros & Cons of 7799
• Strengths
  • Adopted as a mgmt std by ISO
  • Widely recognized frame of reference
  • Scalability and technological neutrality
• Implementation Issues
  • Subjectivity
  • Target and scope of audit determined by client
  • Lack of uniform requirements
  • Lack of standardized validation methods
  • Costs
  • Obsolescence
  • Length of certification cycle
Incremental InfoSec Certification
• BS 7799's Certification Scheme
  • 'All-or-nothing' design
  • Comprehensive and time-intensive effort
  • One of the major reasons why uptake has been slow
• Phased Approach to Certification
  • ISIZA (InfoSec Institute of S. Africa, 2000)
  • 5 Levels
InfoSec Incident Cost Analysis and Modeling
• Rationale for standardization
  • The impact of InfoSec incidents is increasing
  • No standardized method to estimate the magnitude of InfoSec incidents
  • Inconsistent InfoSec incident loss reporting among countries
Issues to be addressed
• InfoSec incident categories
  • Granularity
  • Universality
• Framework for incident costing
  • Factors influencing incident occurrence
  • Factors influencing costs of incidents
• Methods to compute incident costs
  • Quantitative
  • Qualitative
• Templates to gather incident data
  • Investigation template
  • Cost data template
Return on Security Investment
• Rationale for standardization
  • "If you wish to justify it, you must be able to value it."
  • CEOs & CFOs want quantifiable proof of an ROI before investment
  • Soft ROSI and FUD (fear, uncertainty, doubt) tactics are not enough
Some examples
• University of Idaho's Research
  • (R – E) + T = ALE
    • R: cost per yr to recover
    • E: dollar savings by stopping intrusions
    • T: cost of the intrusion detection tool
    • ALE: annual loss expectancy
  • R – ALE = ROSI
• CMU's "Survivability of Network Systems"
• MIT, Stanford, @Stake's Research
  • Design: 21%
  • Implementation: 15%
  • Testing: 12%
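Substituting the first Idaho formula into the second makes the meaning of ROSI explicit (an added derivation using the slide's own symbols, not part of the original deck):

  ROSI = R – ALE
       = R – ((R – E) + T)
       = E – T

The return is the dollar savings from stopped intrusions net of the tool's cost, so the investment is justified only when E exceeds T; a tool whose annual cost matches the savings it produces yields ROSI = 0.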
InfoSec Metrics Management
• Rationale for standardization
  • Traditional periodic security audit is not acceptable any more – too high risk
  • InfoSec Mgmt is moving toward the model of NW (network) Mgmt
    • Dynamic measurement of the situation
    • Management Security Information Base
Issues to be addressed
• Identify InfoSec functions
• Determine what drives that function
• Identify procedural and technical factors
• Establish a metrics collection process
  • 5 W (Why, What, When, Who, Where)
  • 1 H (How)
Dynamic InfoSec Management thru Measurement (DISMM) methodology
• Developed by ESKOM in S. Africa
[Architecture diagram; labels recovered from the slide: ISO/IEC 17799 (BS7799); InfoSec SLA; InfoSec Awareness; InfoSec Policies/Procedures; InfoSec HR; InfoSec Competency; InfoSec Org. Structure; InfoSec Job responsibility; InfoSec Incident Handling; Incoming Measurement; DISMM Measurement Engine]
[Architecture diagram; labels recovered from the slide: Incoming Measurement; DISMM Processing Engine; DISMM DB; DISMM Website]
Any Questions or Comments?