1 / 34

Chapter 15

Chapter 15. Human Factors: Ensuring Secure Performance. Objectives. Work with models of the body of knowledge in information assurance Structure the content of awareness, training, and education programs Instill and ensure proper information assurance discipline.

lynch
Download Presentation

Chapter 15

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Chapter 15 Human Factors: Ensuring Secure Performance

  2. Objectives • Work with models of the body of knowledge in information assurance • Structure the content of awareness, training, and education programs • Instill and ensure proper information assurance discipline

  3. Technological Countermeasures • Technological countermeasures are reliable and trustworthy measures if executed properly • Achieve information assurance objectives and execute their preprogrammed instructions reliably • Countermeasures provide safeguards against unpredictable human behavior threats • Essential to make certain that the people who use information and are responsible for its information assurance adopt and follow secure practices

  4. Assurance Hierarchy • Aimed at ensuring the performance of each worker’s information assurance duties

  5. Assuring Reliable Performance • Secure procedures regulate the way people perform assigned duties • Key aspect is the need to ensure that people follow defined procedures • Discipline is required for consistent performance • Procedures have to be executed in a coordinated fashion by all participants at all times • Define and document the disciplined practice as a first step • Motivation is essential – by initiating, directing, and sustaining all forms of interaction • Ensures willingness to execute a task consistently or achieve a goal • Defines the level and persistence of a person’s commitment

  6. Assuring Reliable Performance • Accountability is defined by appropriate use of policies • Employees should know performance expectations and consequences of non-compliance • Policies are monitored for compliance • Organization is responsible for ensuring that its employees are: • Knowledgeable about their assigned duties and associated performance standards • Mechanism to be used is an awareness, training, and education (AT&E) program

  7. Body of Knowledge in IA • AT&E programs are based on a body of knowledge that provides scope, sequence, and content to be taught • Concept of information assurance (IA): • Expands the scope of the responsibilities and accountabilities of information assurance professionals • Incorporates the traditional measures with a new set of proactive approaches, such as “active network defenses” • Traditional defensive measures include • Computer security (COMPSEC) • Communications security (COMSEC) • Information security (INFOSEC)

  8. Body of Knowledge in IA • IA fosters a view of information protection as a seamless process incorporated into the operations of the organization

  9. Latham Model (1987) • Donald Latham, (U.S. Assistant Secretary of Defense for Command Control, Communications, and Intelligence) • Described an integrated six-category concept of information security

  10. NIST 500-172 (1989) • Computer Security Training Guidelines in accordance with PL-100-235, The Information Security Act of 1987 • Approach is called Todd and Guitian model • Establishes four activity levels: • Awareness – need for security is recognized • Policy – policies define response • Implementation – policies are implemented by plan • Performance – security functions are performed

  11. NIST 500-172 (1989) • Todd and Guitian model (cont’d) • Specifies which activities are appropriate for each of the five training areas: • Computer security basics • Security planning and management • Computer security policy and procedure • Contingency planning • Systems life-cycle management • Defines five audience categories: • Executives • Program and functional managers • Information Resource Management security and audit • Automated Data Processing (ADP) management and operations • End users

  12. McCumber Model (1991, 1993) • Developed by John McCumber of the United States Air Force • Defines three dimensions of security: • Model was extended to accommodate the Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) • Distinct domains: functionality and trust

  13. Intermediate Models: eDACUM and NIST 800-16 • Proposed by the International Federation for Information Processing (IFIP) publication • Used during the development of NIST SP 800-16 in 1998 and the CNSS standards • eDACUM stands for electronic Develop a Curriculum • Groups of subject matter experts who cooperatively analyze solutions to issues of importance using electronic tools to support this brainstorming

  14. Intermediate Models: eDACUM and NIST 800-16 • IABK process was defined by Schou and Maconachy (IFIP 1993, IEEE 2004), and partitioned into two major taxonomic categories: • Information systems security topics were divided into: • “Encyclopedic Knowledge” • “Process Knowledge”

  15. Recent Standards Development • The Committee on National Security Systems (CNSS) has also continued the development of government-wide standards derived from additional eDACUM research

  16. Extending the McCumber Model – MSR Model • Maconachy, Schou, and Ragsdale (MSR) • Recommendations for protection of Critical Information Infrastructure (CII) • Importance of three classes of countermeasures: technology, policy/practice, and people

  17. Extending the McCumber Model – MSR Model • It expands the services category by adding non-repudiation and authentication • The model introduces a fourth dimension: time • Introduction of new technology and threats over time requires modifications to other elements to restore a system to a secure state • IA solutions • Now focus on the development of safeguards that offer deterrence and prevention, in addition to simple protection and response

  18. Delivering the Body of Knowledge • AT&E program – three approaches to teaching secure practice: awareness, training, and education • Each of these delivery models represents a different approach to learning • Each has a distinct application • Each is characterized by progressively more rigorous and extensive learning requirements

  19. Awareness Programs • Awareness is the lowest level in the hierarchy • Effective awareness programs ensure employees at every level: • Appreciate the need for, and are capable of executing, disciplined information assurance practice in a coordinated manner • A good awareness program will • Strengthen motivation • Ensure effective focus • Maintain participant interest • Underwrite capable performance • Integrate the content

  20. Training Programs • Training is organized instruction that produces a defined outcome emphasizing job-specific skills • Purpose is to make sure that functions required to ensure a safe and secure environment are performed correctly • Ensures that all participants have the skills necessary to carry out their assignments and that the level of organizational capability is continuously maintained • Prepares individual workers to execute a series of steps without concern for the context or the reasons • Provides a quick and satisfactory outcome if the situation never changes or if adaptation is not required

  21. Training Programs • Most information assurance situations are dynamic and complex, hence training: • Does not provide the overall strategic understanding necessary to establish a lasting information assurance solution • Is too narrow to ensure the security of the entire organization; it is based on skills rather than abstract concepts

  22. Education Programs • Education is oriented toward knowledge • Ensures intelligent responses • Establishes understanding of the principles of information assurance • Establishes critical thinking abilities to cope with a changing and uncertain environment • Aim is to integrate new knowledge and skills into day-to-day information assurance practice • Outcome – the ability of executives, managers, and workers to adapt to new situations

  23. Increasing Organizational Capability through AT&E • Outcome of a well-executed AT&E program is an increased level of organizational capability • Strategic concept is based on the achievement of more capable states of security: • Recognition • Informal Realization • Understanding • Deliberate Control • Continuous Adaptation

  24. Increasing Organizational Capability through AT&E • Information assurance recognition • Majority of the participants are able to recognize the validity and necessity of the program • Achieved by implementing a basic awareness program • Informal realization • Members of the organization become more conscious of information assurance in their day-to-day work • Supported by a more elaborate awareness program which presents • Information assurance issues that have been identified as concerns • Sound practices to address these concerns on an ad hoc or informational basis

  25. Increasing Organizational Capability through AT&E • Information assurance understanding • Organization understands and acts on a commonly accepted knowledge of the need for formal information assurance • Allows implementation of a training program to enforce understanding of practices associated with each role • Deliberate control • Characterized by an institutionalized information assurance response built around a defined set of skills • Execution of information assurance tasks is monitored with quantitative measures of performance, such as intrusion detection • It is enforced by defined accountability

  26. Increasing Organizational Capability through AT&E • Continuous adaptation • Organization executes the practices needed to ensure security that the situation requires, but it continues to evolve as conditions change • Achieved by helping workers master the critical thinking skills needed to identify and solve problems

  27. Building Effective AT&E Programs • Effective information assurance can be achieved only through a systematic AT&E program

  28. Steps to Achieve the Basic Recognition Level • Two conditions to satisfy the learning requirements needed to ensure responsiveness: • Information assurance issues have to be publicized through simple mechanisms such as posters, handouts, or reference cards • Increase the level of community understanding and discourse

  29. Steps to Achieve the Informal Procedural and Realization Level • Two conditions must be met to achieve this level of information assurance: • Analytic work must be done to understand and characterize the risks resident in a particular organizational setting. • Requirement of a sound informal procedural program which is common knowledge and acceptance • Procedural awareness programs • Organizations establish a base level of information assurance with a small commitment of resources • Create the critical mass of consciousness necessary to move to the next level

  30. Steps to Achieve the Planned Procedural and Information Assurance Understanding Level • Frequently established by training programs • Conditions associated with training at this level: • That information assurance requirements of the organization are understood • That information assurance practices are standardized, based on formally acknowledged and commonly accepted best practices implemented by clear procedures

  31. Steps to Achieve the Controlled Level • Three conditions to be met at this stage • Roles for information assurance are assigned and understood among staff and management and that responsibilities are assigned and placed within a management accountability system • Existence of a complete and correct set of best practices and control objectives implemented by procedures • Set of practices and control objectives are accompanied by a valid and objective set of measures and metrics

  32. Steps to Achieve the Controlled Level • Criticism of programs at this stage • They do not anticipate problems • They build a static defence that is effective as long as the threats are known • The ideal would be for the defence to respond to an attack as it is presented • Requires a level of understanding capable of supporting that type of anticipation • That is the role of the final stage

  33. Steps to Achieve the Adaptive Level • Continuous enhancement of capability by increasing the competency of the personnel • Implies a high level of comprehension and systematic operation requiring both total understanding and refined practice • Requires adoption of a mature and highly developed body of knowledge • Relies on the ability to attract, develop, motivate, and retain the individual staff capabilities necessary to meet those goals • To reach this level of function the prior level must be well established

  34. Steps to Achieve the Adaptive Level • Initiation of training process by a review of requirements • Development of a training plan • The plan leads to the training program • Development of a detailed set of training materials • Assessment or rating process to determine learning needs • Modification of the training program in an iterative manner • Modification of materials to make them responsive to change • Incorporating feedback • Efficient allocation of resources • Right people can be hired, or people with the required skills can be moved from other jobs when needed • Constant monitoring and control of the activity • The maturation of the training program is a continuous activity

More Related