500 likes | 601 Views
Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2012. Information Security Governance and Risk Management. Domain Agenda. Information Security Management System ISMS) Business drivers Governance Roles and responsibilities Security planning Security administration
E N D
Dr. Bhavani ThuraisinghamThe University of Texas at Dallas (UTD)June 2012 Information Security Governance and Risk Management
Domain Agenda • Information Security Management System ISMS) • Business drivers • Governance • Roles and responsibilities • Security planning • Security administration • Risk management • Ethics
C. I.A. • Confidentiality: Preventing from unauthorized disclosure • Integrity: Preventing from unauthorized modification • Availability: Preventing denial of service
Domain Agenda • Information Security Management System ISMS) • Business drivers • Governance • Roles and responsibilities • Security planning • Security administration • Risk management • Ethics
Security Best Practices • Job Rotation • Separation of Duty • Security Awareness training • Information Classification • Risk Analysis • Ethics Education
Roles and Responsibilities • Specific • General • Communicated at hiring • Verified capabilities and limitations • 3rd party considerations • Good practices • Reinforced via training
Internal Roles • Executive Management • Information Systems Security Professionals • Owners • Custodians • Operations Staff • Security Staff • Data and System Owners • Users • Operations Staff • Security Staff • Data and System Owners • Users
External Roles • Vendors/Suppliers • Contractors • Temporary Employees • Customers • Business Partners • Outsourced Relationships • Outsourced Security
Human Resources and Related Issues • Human Resources • Employee development • Employee management • Hiring and Termination • Consult the Human Resources Department • Low-level checks • Termination Procedures • Hiring New Staff • Background checks/security clearances • Verify references and educational records • Signed Employment Agreements • Acceptable use • Non-disclosure • Non-compete • Ethics
Personnel andSecurity AwraenessTraining / Good Pratices • Personnel • Job descriptions / Defined roles and responsibilities • Least privilege • Need to know • Separation of duties • Job rotation • Mandatory vacations • Security Awareness training • Job training • Professional education • Good Practices • Be relevant • Scope properly • Address the audience
Domain Agenda • Information Security Management System ISMS) • Business drivers • Governance • Roles and responsibilities • Security planning • Security administration • Risk management • Ethics
Security Blueprints and Single Point of Failure • Documnted Security Program • Focus on the mission • Organizations are different • Cost-effective • Blueprints • Identify and design security requirements • Infrastructure security blueprints • Holistic • Single Point of Failure • Identify processes • Identify risks to the plan • Be prepared
ISO/IEC 27000 Series = ISMS Blueprints • 27000 – Glossary of terms • 27001:2005 - Attainment certification • 27002:2005/Cor1:2007 – Code of practice • 27003 – ISMS Implementation guidance under development as of Sept 08 • 27004 – Information security measurement • 27005-2008 – Information security – Risk management • 27006:2007 – Certification vendor process • 27799:2008 – Information Security for Health Care Organizations
Domain Agenda • Information Security Management System ISMS) • Business drivers • Governance • Roles and responsibilities • Security planning • Security administration • Risk management • Ethics
Security Management, Administration and Governance • Information security (ISec) describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Information security management (ISM) describes controls that an organization needs to implement to ensure that it is sensibly managing these risks. • The risks to these assets can be calculated by analysis of the following issues: • Threats to your assets. These are unwanted events that could cause the deliberate or accidental loss, damage or misuse of the assets • Vulnerabilities. How susceptible your assets are to attack • Impact. The magnitude of the potential loss or the seriousness of the event.
Security Management, Administration and Governance • Standards that are available to assist organizations implement the appropriate programs and controls to mitigate these risks are for example BS7799/ISO 17799, Information Technology Infrastructure Library and COBIT. • Information Security Governance, Information Security Governance or ISG, is a subset discipline of Corporate Governance focused on information Security systems and their performance and risk management. • Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations
Security Management, Administration and Governance • Develop the information security strategy in support of business strategy and direction. • Obtain senior management commitment and support • Ensure that definitions of roles and responsibilities throughout the enterprise include information security governance activities. • Establish reporting and communication channels that support information security governance activities. • Identify current and potential legal and regulatory issues affecting information security and assess their impact on the enterprise. • Establish and maintain information security policies that support business goals and objectives. • Ensure the development of procedures and guidelines that support information security policies. • Develop business case for information security program investments.
Management’s Security Policy • Management’s goals and objectives in writing • Documents compliance • Creates security culture
Define the following Area IV Buddy System Policy THIS AREA IV COMMANDER HAS DICTATED THAT ALL MILITARY SERVICE MEMBERS WILL USE THE “BUDDY SYSTEM” AT ALL TIMES, WITH THE EXCEPTION BELOW WHEN OFF A MILITARY INSTALLATION. ALL PERSONNEL WILL CARRY S.O.F.A. AND AN EMERGENCY TELEPHONE NUMBER CARD AST ALL TIMES. LOCAL COMMANDERS MAY ENACT MORE STRINGENT MEASURES. BY ORDER OF THE AREA IV COMMANDER
Policies, Standards, Guidelines and Procedures • Policies are the top tier of formalized security documents. These high-level documents offer a general statement about the organization’s assets and what level of protection they should have. • Well-written policies should spell out who’s responsible for security, what needs to be protected, and what is an acceptable level of risk.. • Standards are much more specific than policies. Standards are tactical documents because they lay out specific steps or processes required to meet a certain requirement. As an example, a standard might set a mandatory requirement that all email communication be encrypted. So although it does specify a certain standard, it doesn’t spell out how it is to be done. That is left for the procedure.
Policies, Standards, Guidelines and Procedures • A baseline is a minimum level of security that a system, network, or device must adhere to. Baselines are usually mapped to industry standards. As an example, an organization might specify that all computer systems comply with a minimum Trusted Computer System Evaluation Criteria (TCSEC) C2 standard. • A guideline points to a statement in a policy or procedure by which to determine a course of action. It’s a recommendation or suggestion of how things should be done. It is meant to be flexible so it can be customized for individual situations. • A procedure is the most specific of security documents. A procedure is a detailed, in-depth, step-by-step document that details exactly what is to be done. • A security model is a scheme for specifying and enforcing security policies. Examples include: Bell and LaPadula, Biba, Access control lists
Information Classification • It is essential to classify information according to its actual value and level of sensitivity in order to deploy the appropriate level of security. • A system of classification should ideally be: • simple to understand and to administer • effective in order to determine the level of protection the information is given. • applied uniformly throughout the whole organization (note: when in any doubt, the higher, more secure classification should be employed).
Information Classification • With the exception of information that is already in the public domain, information should not be divulged to anyone who is not authorized to access it or is not specifically authorized by the information owner. • Violations of the Information Classification Policy should result in disciplinary proceedings against the individual. • Number of information classification levels in an organization should be a manageable number as having too many makes maintenance and compliance difficult.
Information Classification • Top Secret: Highly sensitive internal documents and data. For example, impending mergers or acquisitions, investment strategies, plans or designs that could seriously damage the organization if lost or made public. Information classified as Top Secret has very restricted distribution indeed, and must be protected at all times. Security at this level is the highest possible. • Highly Confidential: Information which is considered critical to the organization’s ongoing operations and could seriously impede or disrupt them if made shared internally or made public. Such information includes accounting information, business plans, sensitive information of customers of banks (etc), patients' medical records, and similar highly sensitive data. Such information should not be copied or removed from the organization’s operational control without specific authority. Security should be very high.
Information Classification • Proprietary: Procedures, project plans, operational work routines, designs and specifications that define the way in which the organization operates. Such information is usually for proprietary use by authorized personnel only. Security at this level is high. • Internal Use Only: Information not approved for general circulation outside the organization, where its disclosure would inconvenience the organization or management, but is unlikely to result in financial loss or serious damage to credibility/reputation. Examples include: internal memos, internal project reports, minutes of meetings. Security at this level is controlled but normal. • Public Documents: Information in the public domain: press statements, annual reports, etc. which have been approved for public use or distribution. Security at this level is minimal.
Domain Agenda • Information Security Management System ISMS) • Business drivers • Governance • Roles and responsibilities • Security planning • Security administration • Risk management • Ethics
Roles and Responsibilities • Internal Roles • Executive Management; Information System Security Professionals; Owners: Data and System Owners; Custodians • Operational Staff; Users; Legal, Compliance and Privacy Officers; Internal Auditors; Physical Security Officers • External Roles • Vendors and Supplies; Contractors; Temporary Employees; Customers; Business Partners; Outsourced Relationships; Outsourced Security • Human Resources • Employee development and management; Hiring and termination; Signed employee agreements; Education
Risk Management and Analysis • Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset. A threat is anything (man made or act of nature) that has the potential to cause harm. • The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to inflict harm, it has an impact. In the context of information security, the impact is a loss of availability, integrity, and confidentiality, and possibly other losses (lost income, loss of life, loss of real property). It should be pointed out that it is not possible to identify all risks, nor is it possible to eliminate all risk. The remaining risk is called residual risk.
Risk Managementg and Analysis • A risk assessment is carried out by a team of people who have knowledge of specific areas of the business. Membership of the team may vary over time as different parts of the business are assessed. • The assessment may use a subjective qualitative analysis based on informed opinion (scenarios), or where reliable dollar figures and historical information is available, the analysis may use quantitative analysis • For any given risk, Executive Management can choose to accept the risk based upon the relative low value of the asset, the relative low frequency of occurrence, and the relative low impact on the business. Or, leadership may choose to mitigate the risk by selecting and implementing appropriate control measures to reduce the risk. In some cases, the risk can be transferred to another business by buying insurance or out-sourcing to another business.
Risk Management and Analysis • Identification of assets and estimating their value. Include: people, buildings, hardware, software, data supplies. • Conduct a threat assessment. Include: Acts of nature, accidents, malicious acts originating from inside or outside the organization. • Conduct a vulnerability assessment, and for each vulnerability, calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, - - - • Calculate the impact that each threat would have on each asset. Use qualitative analysis or quantitative analysis. • Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and value of the asset. • Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost effective protection without discernible loss of productivity.
Risk Management and Analysis • Step 1: Estimate Potential Loss • SLE = AV ($) x EF (%) • SLE: Single Loss Expectancy, AV: Asset Value. EF: Exposure Factor (percentage of asset value) • Step 2: Conduct Threat Likelihood Analysis • ARO Annual Rate of Occurrence • Number of times per year that an incident is likely to occur • Step 3: Calculate ALE • ALE: Annual Loss Expectancy • ALE = SLE x ARO
Risk Management • Identifying and reducing total risks • Choosing mitigation strategies • Setting residual risk at an acceptable level • Integrating risk management processes into the organization
Risk Management • The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission, including but not limited to its IT assets. • Risk is a function of the likelihood of a given threat-source’s exercising a particular vulnerability, and the resulting impact of that adverse event on the organization.
Risk Management Benefits • Focuses policy and resources • Identifies areas with specific risk requirements • Directs budget • Supports • Business continuity process • Insurance and liability decisions • Legitimizes security awareness programs
Risk Management Definitions • Assets • Threat-source/agent • Threat • Exposure • Vulnerability • Likelihood • Attack • Controls • Countermeasures • Safeguards • Total risk • Residual risk
Risk Assessment / Analysis Steps: SP 800-30 • System Characterization • Threat Identification • Vulnerability Identification • Control Analysis • Likelihood Determination • Impact Analysis • Risk Determination • Control Recommendations • Results Documentation
Information Valuation Considerations • Exclusive possession • Utility • Cost to acquire or create • Liability • Convertibility • Operational impact • Timing • Methods • Modified – Delphi • Facilitated sessions • Survey • Interview • Checklist
Quantitative Risk Analysis • Assign monetary values • Labor and time intensive • Difficult to achieve • Steps • Estimate potential losses • Conduct a threat likelihood analysis • Calculate annual loss expectancy
Step One: Estimate Potential Losses SINGLE LOSS EXPECTANCY SLE = AV ($) x EF (%) AV (Asset Value) EF (Exposure Factor)
Step Two: Conduct ThreatLikelihood Analysis ARO - Annual Rate of Occurrence • Number of exposures or incidents that can be expected in a given year • Likelihood of an unwanted event occurring
Step Three: Calculate ALE ALE –Annual Loss Expectancy ALE = SLE x ARO • Magnitude of risk = ALE • Purpose: Justify security countermeasures
Quantitative and Hybrid Risk Analysis • Quantitative • Scenario-oriented • No $ values • Rank seriousness of threats and sensitivity of assets • Perform a carefully reasoned risk assessment • Hybrid • Quantitative • Qualitative • FMEA (Failure Modes and Effect Analysis) • FTA (Fault Tree Analysis)
Risk Mitigation and Assurance • Risk Mitigation • Acceptance = Absorb the effect of an incident • Reduction = Implement controls • Transference = Insurance • Avoidance = Stop it • Risk Assurance • Cyclical nature • Liability
Countermeasure Selection Principles • Cost/benefit analysis • Accountability • Absence of design secrecy • Audit capability • Vendor trustworthiness • Independence of control and subject • Universal application • Compartmentalization • Defense in depth • Isolation, economy and least common mechanism • Acceptance and tolerance by personnel • Minimum human intervention • Sustainability • Reaction and recovery • Override and fail-safe defaults • Residuals and reset
Domain Agenda • Information Security Management System ISMS) • Business drivers • Governance • Roles and responsibilities • Security planning • Security administration • Risk management • Ethics
Ethical Environments and Reponsibilities • Ethics are difficult to define • Begin with senior management • “Set the example” • Encourage adoption of ethical guidelines and standards • Inform users about ethical responsibilities through security awareness training • Responsibilities • Global responsibility • National • Organizational • Personal
Basis and Origin of Ethics • Religion • Law • National interest • Individual rights • Common good/interest • Enlightened self-interest • Professional ethics/practices • Standards of good practice • Tradition/culture • Formal Ethical Theories • Teleology • Ethics in terms of goals, purposes or ends • Deontology • Ethical behavior is a duty
Relevant Professional Codes of Ethics • (ISC)2 • RFC 1087 • Access and use of the Internet is a PRIVILEGE and should be treated as such by all users • RFC 1087 refers to “Negligence in the conduct of Internet-wide experiments” as “irresponsible and unacceptable”, but does not specifically label such conduct as “unethical”. • Internet Architecture Board • ISC2 Code of Ethics and Cannons • “Safety of the commonwealth, duty to our principals and to each other requires that we adhere and be seen to adhere, to the highest ethical standards of behavior” • “Therefore, strict adherence to this code is a condition of certification”. • “Protect society, the commonwealth and the infrastructure” • “Act honorably, honestly, justly, responsibly and legally” • “Provide diligent and competent service to principals” • “Advance and protect the profession”
Internet Architecture Board (IAB) Any activity is unethical and unacceptable that purposely: • Seeks to gain unauthorized access to Internet resources • Disrupts the intended use of the Internet • Waste resources (people, capacity, computer) through such actions • Destroys the integrity of computer-based information • Compromises the privacy of users • Involves negligence in the conduct of Internet-wide experiments
Domain Summary • Information Security Management System ISMS) • Business drivers • Governance • Roles and responsibilities • Security planning • Security administration • Risk management • Ethics