Need of Enterprise-Wide Information Assurance Planning
COEN 250, Fall 2007, T. Schwarz, S.J.
First Perspective: Reactive / Intruder Based
• Long term attack trends:
  • Amount of time for new attacks to emerge is declining
    • Melissa (1999) took days to spread
    • Love Letter (2000), Code Red (2001), Nimda (2001): hours
    • Slammer (2003), Blaster (2003): minutes

First Perspective: Reactive / Intruder Based
[Chart: CERT Cataloged Vulnerabilities]

First Perspective: Reactive / Intruder Based
• Long term attack trends:
  • Increase in the number of detected vulnerabilities
  • Increased sophistication of attackers

First Perspective: Reactive / Intruder Based
• Reactive Security
  • Patch systems after vulnerability arises
  • Only feasible if
    • attacks would be rare
    • ample warning be given
    • patches can be simply installed
Second Perspective: Holistic Security
• Security is hard to measure
  • Absence of incidents can be
    • result of good security
    • inability to see incidents
  • No accepted metrics for characterizing security

Second Perspective: Holistic Security
• Security is expensive
  • Added costs
  • Diminished performance
  • Inconvenience
• Benefits of security are cost avoidance
  • Question: Was Y2K just hype or did the effort pay off?

Second Perspective: Holistic Security
• Security incidents are not the main cause of system unavailability
  • “Who Needs Hackers?” NY Times, 9/12/07
  • Complex systems break, causing spectacular failures
    • Customs computer failure, LAX, August 2007
    • Skype restart login deluge on MS patch day, August 16, 2007
  • IDC 2001 Downtime Analysis
    • Malicious events: 3%
    • Environmental issues: 19%
    • Operator and application errors: 78%
Second Perspective: Holistic Security
• Organizations need
  • framework, model, yardstick, roadmap …
    • to place and measure themselves (current state)
    • compare with others (future state)
    • to decide their desired security state or condition
  • improvement approaches and a path to reach their desired state
  • coherent, organized community of practitioners and artifacts to help guide their work

Second Perspective: Holistic Security
• Current / pending legislation affecting organizational infrastructure management and protection of information
  • Family Educational Rights Privacy Amendment
  • Federal Information Systems Management Act
  • Health Insurance Portability and Accountability Act
  • Gramm-Leach-Bliley Act (financial institutions)
  • Sarbanes-Oxley (publicly traded institutions)
  • Child Online Privacy Protection Act
  • Basel II Capital Accord (financial institutions)
  • California’s Database Security Breach Notification Act

Second Perspective: Holistic Security
Desired State Security
• Vulnerability Management
  • Reactive
  • Tool driven
  • Focused on technology
  • Localized decision making, unconnected to business drivers
  • Vulnerabilities change daily
• Risk Management
  • A link to business drivers
  • Focus on critical assets and threats to assets
  • Risk identification and prioritization based on threats to assets, vulnerabilities, and impacts
• Enterprise Security Management
  • Select, execute, improve activities to reliably achieve and sustain a desired security state
  • Focused on root causes, NOT on symptoms
  • Encompasses all organizational practices relevant to security
[Figure: Vulnerability Management → Risk Management → ESM, plotted against Time / Complexity]
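The contrast between vulnerability management and risk management on this slide can be shown concretely by ranking one set of findings both ways. The following is an added example, not code from the lecture; the assets, findings, severity scores and the ordinal impact/likelihood scales are constructed sample values, and "risk = likelihood × business impact" is the simple model assumed here.

```python
"""Added example: the same findings ranked tool-first and asset-first.

Vulnerability management orders work by the scanner's technical severity
alone. Risk management ties each finding to the asset it sits on, the
business impact of that asset being compromised, and how exposed the
asset is to threats. All data below is constructed sample data.
"""
from dataclasses import dataclass

IMPACT = {"low": 1, "moderate": 2, "high": 3}              # assumed ordinal scale
LIKELIHOOD = {"isolated": 1, "internal": 2, "internet": 3}  # assumed threat reachability


@dataclass(frozen=True)
class Asset:
    name: str
    business_impact: str   # consequence to the mission if compromised


@dataclass(frozen=True)
class Finding:
    id: str
    asset: Asset
    severity: float        # tool-reported technical severity, 0-10
    exposure: str          # "isolated", "internal" or "internet"


def vulnerability_ranking(findings):
    """Tool-driven view: highest severity first, regardless of the asset."""
    return [f.id for f in sorted(findings, key=lambda f: -f.severity)]


def risk_score(f):
    # Risk = likelihood a threat reaches the asset * impact if it succeeds.
    return LIKELIHOOD[f.exposure] * IMPACT[f.asset.business_impact]


def risk_ranking(findings):
    """Risk-driven view: business risk first, severity only as a tie-breaker."""
    return [f.id for f in sorted(findings, key=lambda f: (-risk_score(f), -f.severity))]


# Constructed sample data (hypothetical assets and findings).
LAB_PC = Asset("test lab workstation", "low")
PAYROLL = Asset("payroll database", "high")
WEB = Asset("public web server", "moderate")
KIOSK = Asset("lobby kiosk", "low")

SAMPLE_FINDINGS = [
    Finding("F1", LAB_PC, 9.8, "isolated"),   # critical CVSS, but nobody can reach it
    Finding("F2", PAYROLL, 6.5, "internal"),  # medium severity on the crown jewels
    Finding("F3", WEB, 7.5, "internet"),      # high severity, internet facing
    Finding("F4", KIOSK, 8.0, "internal"),    # high severity, little business impact
]

if __name__ == "__main__":
    print("by severity:", vulnerability_ranking(SAMPLE_FINDINGS))
    print("by risk:    ", risk_ranking(SAMPLE_FINDINGS))
```

Ranked by severity alone the isolated lab machine comes first; ranked by risk it drops to last, and the payroll database, which the scanner rated lowest, moves into second place. That reordering is the "link to business drivers" the slide refers to.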
Second Perspective: Holistic Security
• www.cert.org/octave
  • Operationally Critical Threat, Asset, and Vulnerability Evaluation
  • focuses on organizational risks and strategy
• Federal Agencies

Information Security Governance
• Federal information security practices are governed by laws, regulations, and directives
  • U.S. Congress
  • Office of Management and Budget (OMB)
• Standards and implementation guidelines through
  • National Institute of Standards and Technology
  • Government Accountability Office (GAO)

Information Security Governance
• Federal Agency Governance Requirements
  • Government Performance and Results Act (GPRA), 1993
  • Paperwork Reduction Act (PRA) of 1995
  • Federal Financial Management Improvement Act (FFMIA) of 1996
  • Federal Managers Financial Integrity Act (FMFIA) of 1982
  • Clinger-Cohen Act of 1996
    • Disciplined capital planning and investment control to acquire, use, maintain, and dispose of IT resources
    • Establishes role of Chief Information Officer (CIO)
  • E-Government Act of 2002
  • Federal Information Security Management Act (FISMA)
  • OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources
  • Homeland Security Presidential Directive 12 (HSPD-12)

Information Security Governance
[Figure: Key Legislative, Regulatory, and Oversight Roles]

Information Security Governance Components
• Agencies need to integrate INFOSEC with overall agency structure and activities
  • Strategic planning
  • organization design and development
  • establishment of roles and responsibilities
  • integration with enterprise architecture
  • documentation of security objectives in policies and guidance
INFO SEC Strategic Planning
• GPRA (Government Performance and Results Act) requires federal agencies to
  • develop a strategic plan for program activities
  • prepare an annual performance plan covering each program activity set forth in the budget of such agency
• INFO SEC strategy should be integrated and provide
  • Clear and comprehensive mission, vision, goals, and objectives and how they relate to agency mission;
  • High-level plan for achieving information security goals and objectives
    • short- and mid-term objectives and performance targets
    • specific for each goal and objective
    • used throughout the life of this plan to manage progress toward successfully fulfilling the identified objectives; and
  • Performance measures to continuously monitor accomplishment of identified goals and objectives and their progress toward stated targets.

Information Security Governance Structures
• Centralized
• Decentralized

Security Activities within the Systems Design Life Cycle
• Initiation Phase
  • Needs Determination
  • Security Categorization
    • NIST SP 800-60, FIPS 199
    • Initial description of basic security needs of the system
  • Threat environment determination
Security Activities within the Systems Design Life Cycle
• Development / Acquisition Phase
  • In-depth study of need
  • Develop / incorporate security requirements into specifications
  • Analyze functional requirements, including security functional requirements
  • Conduct formal risk assessment

Security Activities within the Systems Design Life Cycle
• Development / Acquisition Phase
  • Determine costs of information security over life cycle of the system
  • Security Planning
    • Document agreed-upon security controls
    • Develop system security plan
    • Develop necessary documentation
    • Develop awareness and training requirements
  • Security Control Development
  • Security Tests and Evaluation

Security Activities within the Systems Design Life Cycle
• Implementation Phase
  • Security Test and Evaluation
    • Develop test data
    • Test unit, subsystem, and entire system
    • Ensure system undergoes technical evaluation
  • Inspection and Acceptance
  • System Integration / Installation
  • Security Certification

Security Activities within the Systems Design Life Cycle
• System Implementation
  • Security Accreditation
    • Authorization granted by senior organization official
    • Based on verified effectiveness of security controls

Security Activities within the Systems Design Life Cycle
• Operations / Maintenance Phase
  • Configuration Management and Control
    • Adequate consideration of potential security impacts due to changes to system or environment
    • Develop Configuration Management Plan
      • Establish baselines
      • Identify configuration
      • Describe configuration control process
      • Identify schedule for configuration audits
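The configuration management items on this slide (establish a baseline, control changes, audit the configuration on a schedule) can be tied together in a small audit routine. The following is an added example and not code from the lecture: it fingerprints each controlled item, records the baseline, and on audit classifies every difference as an approved change (one recorded by the change control process) or an unauthorized one. The file paths, contents and change records are constructed in-memory samples; a real audit would read the items from the managed hosts.

```python
"""Added example: configuration baseline and configuration audit.

Baseline = {item: SHA-256 of approved content}. The change control
process records approved changes as {item: expected hash}, with None
meaning the item was approved for removal. All contents below are
constructed sample data.
"""
import hashlib


def fingerprint(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def establish_baseline(items: dict) -> dict:
    """Record the approved state of every controlled item."""
    return {path: fingerprint(data) for path, data in items.items()}


def audit(baseline: dict, current: dict, approved_changes: dict) -> list:
    """Compare the live configuration with the baseline.

    Returns a sorted list of (status, path). Unchanged items are not reported.
    """
    findings = []
    for path in sorted(set(baseline) | set(current)):
        in_base, in_cur = path in baseline, path in current
        if in_base and not in_cur:
            approved = path in approved_changes and approved_changes[path] is None
            findings.append(("approved_removal" if approved else "unauthorized_removal", path))
        elif in_cur and not in_base:
            approved = approved_changes.get(path) == fingerprint(current[path])
            findings.append(("approved_add" if approved else "unauthorized_add", path))
        else:
            h = fingerprint(current[path])
            if h == baseline[path]:
                continue
            approved = approved_changes.get(path) == h
            findings.append(("approved_change" if approved else "unauthorized_change", path))
    return findings


def rebaseline(baseline: dict, current: dict, approved_changes: dict) -> dict:
    """New baseline after an audit: approved changes are absorbed, nothing else."""
    new = dict(baseline)
    for status, path in audit(baseline, current, approved_changes):
        if status == "approved_removal":
            del new[path]
        elif status in ("approved_add", "approved_change"):
            new[path] = fingerprint(current[path])
    return new


# Constructed sample: approved state of three controlled files on a hypothetical host.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/motd": b"Authorized use only\n",
}
# Live state at audit time: sshd weakened, motd gone, a backup cron job added.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication yes\n",
    "/etc/sudoers": b"root ALL=(ALL) ALL\n",
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
}
# Only the cron job went through change control.
APPROVED_CHANGES = {"/etc/cron.d/backup": fingerprint(CURRENT_FILES["/etc/cron.d/backup"])}

if __name__ == "__main__":
    base = establish_baseline(BASELINE_FILES)
    for status, path in audit(base, CURRENT_FILES, APPROVED_CHANGES):
        print(f"{status:22} {path}")
```

The audit reports the sshd change and the missing motd as unauthorized and the cron job as approved; `rebaseline` then absorbs only the approved add, so the two unauthorized findings keep showing up at every scheduled audit until they are either reverted or formally approved.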
Security Activities within the Systems Design Life Cycle
• Continuous Monitoring
  • Monitor security controls
    • Perform security audits or other assessments
      • automated tools
      • internal control audits
      • security checklists
      • penetration testing
  • Monitor system and/or users
    • review system logs
    • review change management
    • monitor external sources
    • perform periodic reaccreditation

Security Activities within the Systems Design Life Cycle
• Disposal Phase
  • Information Preservation
    • Determine whether to archive, discard, or destroy information
    • Based on legal requirements / federal records requirements
    • Beware of obsolete technology
    • Ensure long-term storage of cryptographic keys for encrypted data
  • Media Sanitization
  • Hardware and Software Disposal
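"Review system logs" on the continuous monitoring slide is easier to act on with a concrete rule than as a checklist item. Below is an added example, not code from the lecture, of one such review rule run over constructed SSH authentication log lines: it flags a source that produces a burst of failed logins inside a short window, and escalates if the same source then logs in successfully. The log format, threshold and window are assumptions; the IP addresses are documentation ranges.

```python
"""Added example: a log review rule for continuous monitoring.

Parses sshd-style authentication lines (assumed format) and raises an
alert when one source accumulates `threshold` failures within `window`,
and a second, higher-priority alert if that source later succeeds.
The log lines are constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: ISO timestamp, process, sshd result line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd auth line, or None for lines the rule ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "src": m["src"]}


def review_auth_log(lines, threshold=5, window=timedelta(seconds=60)):
    """Return a list of alerts in the order they were raised."""
    recent_failures = defaultdict(list)   # src -> timestamps inside the window
    flagged = set()                       # sources already reported
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            hits = recent_failures[src]
            hits.append(ev["ts"])
            hits[:] = [t for t in hits if ev["ts"] - t <= window]   # slide the window
            if len(hits) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("burst_of_failures", src, len(hits)))
        elif src in flagged:
            # A success from a source that was already flagged deserves a closer look.
            alerts.append(("success_after_failures", src, ev["user"]))
    return alerts


# Constructed sample log (hypothetical host; 203.0.113.0/24 etc. are documentation ranges).
SAMPLE_LOG = [
    "2007-08-16T02:14:00 CRON[4100]: pam_unix(cron:session): session opened for user root",
    "2007-08-16T02:14:01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "2007-08-16T02:14:03 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2",
    "2007-08-16T02:14:05 sshd[4121]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "2007-08-16T02:14:06 sshd[4130]: Failed password for bob from 198.51.100.4 port 40112 ssh2",
    "2007-08-16T02:14:08 sshd[4121]: Failed password for alice from 203.0.113.7 port 51025 ssh2",
    "2007-08-16T02:14:10 sshd[4121]: Failed password for alice from 203.0.113.7 port 51026 ssh2",
    "2007-08-16T02:14:12 sshd[4121]: Failed password for alice from 203.0.113.7 port 51027 ssh2",
    "2007-08-16T02:14:20 sshd[4140]: Accepted password for alice from 203.0.113.7 port 51028 ssh2",
    "2007-08-16T02:15:00 sshd[4150]: Accepted password for carol from 192.0.2.10 port 39000 ssh2",
]

if __name__ == "__main__":
    for alert in review_auth_log(SAMPLE_LOG):
        print(alert)
```

Unrelated lines (the cron entry) are skipped, the single failure from 198.51.100.4 never reaches the threshold, and carol's normal login raises nothing; only the source with five failures in under a minute, followed by a success, produces alerts. Lowering the window or threshold trades more noise for earlier detection, which is exactly the tuning a monitoring plan should record.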