Post on 15-Feb-2015
CSE 4482 Computer Security Management: Assessment and Forensics
Instructor: N. Vlajic, Fall 2010
Management of Information Security
Required reading:
Management of Information Security (MIS), by Whitman & Mattord
- Chapter 1, pages 1 – 14
- Chapter 4, all pages
- Chapter 5, pages 163 – 188
Learning Objectives
Upon completion of this material, you should be able to:
• List the key managerial roles and the main types of managerial positions in an organization.
• Describe the POLC project management model.
• List and describe organizational/structural approaches to information security.
• Explain the difference between a security policy, a standard and a procedure.
• List the different types of security policy that can be found in an organization.
Management – Definitions
• Management – process of achieving objectives using a given set of resources
• Manager – person assigned to handle the following roles necessary to complete the desired objective(s):
- informational role: collect, process and provide information that can affect the completion of the objective
- interpersonal role: coordinate and interact with superiors, subordinates, outside stakeholders and other parties that influence or are influenced by the completion of the task
- decisional role: select among alternative approaches and resolve conflicts, dilemmas or challenges
Examples: teacher, student, politician, your mom
Management – Definitions
Example: 3 (10) managerial roles
http://www.flatworldknowledge.com/node/28989#web-28989
(figure: the ten roles)
- represent organization externally
- provide leadership to his group
- interact with peers and people outside
- receive and collect information
- disseminate special information into organization/group
- disseminate organization’s/group’s information outside
- initiate the change
- deal with problems and threats
- decide where/how organization’s/group’s resources will be allocated
- manage organization’s/group’s main operation
Management – Definitions
Different managerial positions require a different balance of the 3/10 managerial roles.
At top-level managerial positions, interpersonal roles (e.g. figurehead and leader) are performed more often.
At lower-level managerial/supervisory positions, decisional roles (e.g. disturbance handler and negotiator) are performed more often.
Basic Management Functions
• Four key managerial functions / responsibilities include: POLC Model
(figure: Strategy Formulation, Strategy Implementation)
1) Planning: deciding what needs to happen in the future and generating adequate plans for action
- strategic planning – occurs at the highest levels of the organization and for a long period of time (5 or more years)
- tactical planning – focuses on production planning and integrates organizational resources for an intermediate duration (1 – 5 years)
- operational planning – focuses on day-to-day operations of local resources, and occurs in the present or the short term
The planning process begins with the creation of a strategic plan for the entire organization/group. The resulting plan is then divided up into planning elements for each sub-unit.
In planning, goals and objectives must be adequately set:
- goal – ultimate (end) result of a planning process
- objective – intermediate point that allows us to measure progress towards the goal
Basic Management Functions (cont.)
2) Organizing: (optimum) structuring and use of resources to enable successful carrying out of the plan (i.e. successful accomplishment of objectives); may include:
- structuring of departments and their staff
- (new) staffing
- purchase and storage of raw materials
- collection of additional/specialized information
3) Leading / Directing: determining what needs to be done and getting people to do it; may include:
- developing direction and motivation for employees
- supervising employee behavior, attendance, performance, attitude
Basic Management Functions (cont.)
4) Monitoring / Controlling: monitoring progress towards achieving the goal (plan implementation) and making necessary adjustments to achieve the desired objectives; may include:
- making sure sufficient progress is made at each stage
- making sure impediments to task completion are resolved
- making sure additional resources are acquired, when necessary
Should the plan be found invalid in light of the operational reality of the organization, the manager should take corrective actions.
Information Security Management
• Three common groups of managers:
- Information Security Managers – protect the organization’s information assets from the many threats they face
- IT Managers – support the organization’s business objectives by supplying and supporting appropriate IT
- Non-technical General Business Managers – articulate and communicate organizational policy and objectives
Information Security Management (cont.)
Information Security management operates like all other management units, through the common management (POLC) functions.
However, the specific goals and objectives of Info. Sec. management differ from those of IT and general management.
Certain characteristics of Info. Sec. management are unique to this community!
Information Security Management (cont.)
• Goals of Info. Sec. vs. Goals of IT – not always in complete alignment; sometimes in conflict
IT professionals focus on:
- cost of system creation & operation [freeware vs. paid software]
- timeliness of system creation [web server with no DMZ]
- ease of system use for the end-user [no encryption]
- quality of system performance (speed, delay, …) [no firewall]
Info. Sec. professionals focus on:
- protection of the organization’s information systems and stored information
Information Security Management (cont.)
Example: placing Information Security within an organization – Option 1
Most common organizational structure: Info. Sec. under IT. Info. Sec. reports to (and shares budget with) the IT department.
pros:
- whoever the Info. Sec. manager reports to understands technological issues
- security staff and IT staff collaborate on a day-to-day basis
- there is only ‘one person’ between the Info. Sec. manager and the CEO
cons:
- the CEO is likely to discriminate against the Info. Sec. function, as other IT objectives (e.g. computer performance ⇒ time to market) often take precedence
Information Security Management (cont.)
Example: placing Information Security within an organization – Option 2
Info. Sec. reports to the Administrative Services Dep., which performs services for workers throughout the organization, much like HR.
pros:
- acknowledges that info. and info. systems are found everywhere throughout the organization – all employees are expected to ‘work with’ the Info. Sec. department
- supports efforts to secure information no matter its form (paper, verbal, etc.) rather than viewing the info. sec. function as strictly a computer- & network-related issue
cons:
- the Administrative Services VP often does not know much about IT and Info. Sec. – may not be effective in communicating with the CEO
- often subject to cost-cutting measures
Information Security Management (cont.)
Example: placing Information Security within an organization – Option 3
Info. Sec. reports to the Insurance & Risk Management Department. This approach typically involves assessing the extent/likelihood of potential losses in case of a weakened info. sec. function.
pros:
- brings greater resources and management attention to Info. Sec.
- the Chief Risk Manager (CRM) is likely to be prevention oriented and adopt a longer-term viewpoint
cons:
- CRMs are often not familiar with information system technology
- may over-emphasize strategic issues, and overlook operational and administrative aspects of info. sec. (e.g. change of access privileges when people change jobs)
Information Security Management (cont.)
Example: Info. Sec. in different companies
Which of the three discussed organizational models would you deploy in which of the three companies?
Companies: Research/University, Hospital, Bank
Models:
- Info. Sec. within IT
- Info. Sec. within Risk Management
- Info. Sec. within Admin. Services
Criteria (each describes when one of the models should be employed):
- should be employed when the company’s revenues critically depend on the CIA of information – if information CIA gets jeopardized, the company loses money
- should be employed in companies that are not highly ‘technology intensive’ – they may not worry about using the latest technology, but rather about properly securing existing data and whatever technology (info. infrastructure) is currently in place
- should be employed in companies where it is critical to obtain/use the latest technology, and the bulk of the work done by the Info. Sec. department is related to that (new) technology
Information Security Model
• Components of Information Security System (figure): Organization / Security Organization, Policy, Structure, Protection Mechanisms; Standards and Legislation and Risk Analysis are shown as input for these.
IS Organization / Structure / Program
• Factors Impacting Info. Sec. Organization:
- Organization Culture: if upper management & staff believe that info. sec. is a waste of time and resources, the info. sec. program will remain small, poorly supported and have difficulty operating
- Organization Size (and Budget): large organizations tend to have large(r) information security programs; smaller organizations may have a single security administrator
Although the size of an organization determines the makeup of its information security program, certain basic functions should be found in every organization.
IS Organization / Structure / Program (cont.)
• Functions Related to Info. Sec. Program (figure; includes e.g. software testing)
Example: http://ciso.washington.edu/about-us/information-security-program/
• Security in Large Organizations – with more than 1000 devices requiring security management
functions performed by non-technology business units:
- legal
- training
functions performed by IT groups outside the Info. Sec. department:
- systems security administration
- network security administration
- centralized authentication
functions performed by the Info. Sec. department – technical:
- risk management
- systems testing
- incident response
- planning
- measurement
- vulnerability assessment
functions performed by the Info. Sec. department – compliance enforcement obligation:
- policy
- compliance / audit
- risk assessment
(these should be performed by different people, to avoid ‘conflict of interest’!)
IS Organization / Structure / Program (cont.)
• Security in Mid- to Small-size Organizations – under 1000 devices
- some of the identified functions are ignored, and multiple functions are assigned to the same group/person
More on different specific security roles later …
Example: General knowledge of security system … http://academy.delmar.edu/Courses/ITSY2430/Labs/SecurityPolicyQuiz.html
Security Policy
Policy, Standard, Guideline
http://mindfulsecurity.com/2009/02/03/policies-standards-and-guidelines/
(figure: Why? / What? / How?)
• Security Policy – foundation of an effective information security system
- broad statements of vision that express the company’s key security values and principles
- usually very concise – 1-2 paragraphs – cannot give details, as environment and technology keep changing
- intended to guide lower/user-level activities
- although the least expensive security protection, policies are often the most difficult to implement
Policy, Standard, Guideline (cont.)
Failure to comply with a Policy (should) imply disciplinary action.
Policy, Standard, Guideline (cont.)
Example: Organization without policy
Consider the scenario: An employee behaves inappropriately at the workplace, by viewing unsuitable Web pages or reading another employee’s email. Another employee is aggrieved by this behavior and sues the company. The company does not have a policy that prohibits the behavior, hence no legal action against the offender can be taken … What happens next?
Policy is not just a management tool to accomplish the security function.
It is necessary to protect the organization and the jobs of its employees.
Policy, Standard, Guideline (cont.)
• Security Standard – more specific directives that are mandatory
- designed to support and conform to a policy
- example: require a centrally managed antivirus program on all employee home/mobile computers that access the firm’s internal network
- it is important to audit adherence to standards to ensure their implementation
• Security Procedure – specifies the actual steps of what needs to be done to comply with a standard
- example: specific instructions on how to download and install the centrally managed antivirus software
Policy, Standard, Guideline (cont.)
• Security Guideline – discretionary set of directions designed to achieve a policy/security objective
- needed in complex & uncertain situations for which rigid standards cannot be specified
- example: a company might have a guideline that each new employee should have a background check; however, in an emergency, a department head might be allowed to hire a person before the background check is completed
• Security Best Practices – descriptions of what the best firms in the industry are doing about security
• Security Recommended Practices – set of policies / standards / procedures / guidelines recommended by trade associations and government agencies
Security Policies
• For policies to be effective, they must be:
A. Developed using industry-accepted practices.
B. Formally agreed to by act or affirmation.
C. Distributed and disseminated to all employees using all appropriate means.
D. Uniformly applied and enforced.
• Important rule to follow when shaping a policy: Policy should never conflict with law.
Properly defined and enforced policies function in an organization the same way as laws – complete with penalties and sanctions.
Thus, policies must be carefully crafted so as not to conflict with the ‘outside’ (actual) laws.
Security Policies (cont.)
A. Development of Security Policy: 5 stage process
Investigation Phase.
- Assemble the right policy design team consisting of proper representatives from the groups that will be affected by the new policy (e.g. representatives from the legal department, HR, end users of the various IT systems covered by the policy).
- Make an outline of the scope and goals of the policy, as well as the cost and scheduling of its implementation.
- Obtain general support from senior management. Without enough attention, any policy has a reduced chance of success – mid-management and users are not likely to implement it.
Analysis Phase.
- Obtain all recent & relevant information (risk assessment, IT audits), as well as other references (e.g. past lawsuits) concerning negative outcomes of similar policies.
Security Policies (cont.)
Why is the Analysis Phase performed after the Investigation Phase?
Wouldn’t it be beneficial to approach management with already gathered legal/audit (reference) information?
Sometimes policy documents that affect information security are housed in the HR department, as well as in the accounting, finance, legal, or corporate security departments.
Security Policies (cont.)
A. Development of Security Policy: 5 stage process (cont.)
Design (Distribution Planning) Phase.
- Create a plan on how to distribute and verify the distribution of the policy (e.g. by a written hard-copy consent or a banner screen with a warning).
Implementation Phase.
- The design team actually writes the policy.
- Can rely on existing policies found on the Web, Government sites, professional literature.
- The policy has to be written in a way that is understood by everybody in the company: with minimal technical jargon and management terminology, and if required in more than one language.
Maintenance Phase.
- Monitor, maintain, and modify the policy to ensure that it remains effective as a tool against ever-changing threats.
Security Policies (cont.)
Example: Policy templates
http://www.sans.org/security-resources/policies/
Security Policies (cont.)
B. Policy Compliance
Failure to agree to or follow a policy may jeopardize the organization’s interests and, thus, be sufficient to decide on termination.
However, the legal system may not support such a decision.
An organization can incorporate a ‘policy confirmation’ statement into the employment contract or annual evaluation.
Security Policies (cont.)
C. Policy Distribution
Getting the policy document into the hands of all employees may require a substantial effort / investment.
Techniques of distribution:
- hard-copy distribution
- bulletin-board distribution
- distribution via email
- distribution via intranet (in HTML or PDF form)
The organization must be able to prove distribution of the policy document, e.g. via an audit log in the case of electronic distribution.
Example: Importance of policy distribution (i.e. employee education)
Assume an employee is fired for failure to comply with a policy.
If the organization cannot verify that the employee was in fact properly educated on the policy, the employee could sue the organization for wrongful termination.
Security Policies (cont.)
D. Policy Enforcement
Because of potential scrutiny during legal proceedings, organizations must establish high standards of policy implementation.
- example: if a policy mandates that all employees wear ID badges in a clearly visible location, and some management members decide not to follow this policy, any action taken against other employees will not withstand legal challenges
Security Policies (cont.)
• Information Security Responsibilities (figure)
• Three types of security policies found in most organizations:
1) Enterprise Information Security Policy (EISP)
2) Issue-specific Security Policy (ISSP)
3) System-specific Security Policy (SysSP)
Security Policies: EISP
1) Enterprise Information Security Policy (EISP)
Also known as the general security policy – sets the strategic direction, scope, and tone for all security matters and efforts.
Short (2 – 10 page) executive-level document usually drafted by the chief IT officer of the organization.
Common components of a good EISP:
- Statement of purpose – explains the intent of the document.
- States the info. sec. philosophy for the given enterprise.
- Explains the importance of info. sec. for the enterprise.
- Defines the info. sec. organization/structure of the enterprise.
- Lists other standards that influence and are influenced by this document.
Security Policies: EISP (cont.)
Security Policies: ISSP
2) Issue-Specific Security Policy (ISSP)
Provides detailed, targeted guidance concerning the use of a particular process, technology or system.
ISSP may cover one or more of the following:
- use of electronic mail
- use of the Internet and WWW
- use of company-owned computer equipment
- use of personal equipment on company networks
- specific minimum configuration of computers to defend against worms and viruses
- prohibitions against hacking or testing organization security controls
2) Issue-Specific Security Policy (ISSP) (cont.)
Components of a typical ISSP:
1) Statement of Purpose
- what is the scope of the policy
- what technology and issue it addresses
- who is responsible and accountable for policy implementation
2) Authorized Access and Usage
- who can use the technology governed by the policy
- what the technology can be used for
- what constitutes ‘fair and responsible’ use of the technology and how it may impact ‘personal information and privacy’
3) Prohibited Use of Equipment – unless a particular use is clearly prohibited, the company cannot penalize its employees for misuse
- what constitutes disruptive use, misuse, criminal use
- what other possible restrictions may apply
Security Policies: ISSP (cont.)
2) Issue-Specific Security Policy (ISSP) (cont.)
Components of a typical ISSP (cont.):
4) Systems Management
- what / which kind of authorized employer monitoring is involved (e.g. electronic scrutiny of email and other electronic documents)
5) Violation of Policy
- what specific penalties, for each category of violation, will apply
- how to report observed or suspected violations – openly or anonymously
6) Policy Review and Modification
- how the review and modification of the policy is performed, so as to keep it as ‘current’ as possible
7) Limitation of Liability – the company does not want to be liable if an employee is caught conducting illegal activity with the company’s assets
- who is liable if an employee violates a company policy or any law
Security Policies: ISSP (cont.)
Example: ISSP examples
Kennesaw State University: http://its.kennesaw.edu/infosec/issp.php
York University: http://www.cse.yorku.ca/prism/policies.html and http://www.cse.yorku.ca/prism/policy/yorkPolicy.html
Security Policies: SysSP
3) System-Specific Security Policy (SysSP)
Both EISP and ISSP are formalized as written documents readily identifiable as policy.
SysSP, however, has the look of a standard or a procedure to be used when configuring / maintaining a system, for example:
- how to select, configure, or operate a firewall
- access control list that defines levels of access for each authorized user
Two general types of SysSPs:
- Managerial Guidance SysSP
- Technical Specifications SysSP
Security Policies: SysSP (cont.)
3) System-Specific Security Policy (SysSP)
Managerial Guidance SysSP – created by management to guide the implementation / configuration of technology as well as to address people’s behavior in ways that support security.
- example: an organization’s ISSP may not allow employees to have access to the Internet via the organization’s network. In that case, the firewall would have to be implemented accordingly – following the managerial guideline.
Technical Specification SysSP – in some cases system administrators need to create / implement their own policy in order to enforce the Managerial Guidance SysSP. Implementation tools:
- Access Control Lists (User / Group Policy)
Security Policies: SysSP (cont.)
Example: implementation of ACL in Windows XP (screenshot)
More on firewall configuration later …
Security Policies: SysSP (cont.)
Example: Firewall Configuration Rules (figure)
More on access control later …
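Added example, not from the lecture slides: a small first-match firewall rule evaluator in Python that checks whether a Technical Specification SysSP (an ordered rule list) actually enforces the Managerial Guidance SysSP described above (no employee Internet access via the organization's network), and that flags rules an earlier rule shadows. All networks, ports, rule names and sample flows are constructed for the example.

```python
# Added example, not from the lecture slides: a first-match firewall rule evaluator that
# checks an ordered rule list (Technical Specification SysSP) against the decisions a
# Managerial Guidance SysSP requires. Addresses, ports, rule names and flows are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")        # constructed corporate address plan
WORKSTATIONS = ip_network("10.10.0.0/16")
SERVERS = ip_network("10.20.0.0/24")
ADMIN_NET = ip_network("10.200.0.0/24")
FIREWALL = ip_network("10.0.0.1/32")
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dports: frozenset      # destination ports; empty means "any port"

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def matches(rule, flow):
    return (ip_address(flow.src) in rule.src and ip_address(flow.dst) in rule.dst
            and (not rule.dports or flow.dport in rule.dports))

def evaluate(rules, flow):
    """First matching rule wins; a flow no rule matches is denied (default deny)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "default-deny"

# Technical Specification SysSP: the ordered rule list an administrator writes.
RULESET = [
    Rule("admin-to-firewall", "allow", ADMIN_NET, FIREWALL, frozenset({22})),
    Rule("workstations-to-mail", "allow", WORKSTATIONS, SERVERS, frozenset({25, 143})),
    Rule("workstations-to-intranet", "allow", WORKSTATIONS, SERVERS, frozenset({80, 443})),
    Rule("no-internet", "deny", INTERNAL, ANY, frozenset()),
]

# Managerial Guidance SysSP, written as the decision each sample flow must receive:
# employees use internal servers only and never the Internet; only the admin
# network may manage the firewall itself.
EXPECTATIONS = [
    (Flow("10.10.4.7", "10.20.0.10", 25), "allow"),   # employee -> internal mail
    (Flow("10.10.4.7", "203.0.113.5", 443), "deny"),  # employee -> Internet site
    (Flow("10.200.0.3", "10.0.0.1", 22), "allow"),    # admin -> firewall management
    (Flow("10.10.4.7", "10.0.0.1", 22), "deny"),      # employee -> firewall management
    (Flow("10.20.0.10", "203.0.113.5", 80), "deny"),  # server -> Internet site
]

def check_policy(rules, expectations):
    """Return (flow, expected, actual, rule) for each decision that contradicts
    the managerial guidance; an empty list means the rules are compliant."""
    violations = []
    for flow, want in expectations:
        got, name = evaluate(rules, flow)
        if got != want:
            violations.append((flow, want, got, name))
    return violations

def covers(earlier, later):
    """True when every flow `later` could match is already matched by `earlier`."""
    ports_ok = not earlier.dports or (later.dports and later.dports <= earlier.dports)
    return bool(ports_ok) and later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)

def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule covers them,
    a typical defect introduced when rule order changes during maintenance."""
    return [later.name for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]

if __name__ == "__main__":
    print("violations:", check_policy(RULESET, EXPECTATIONS))
    misordered = [RULESET[-1]] + RULESET[:-1]                   # deny rule moved first
    print("shadowed:", shadowed_rules(misordered))
    print("violations:", check_policy(misordered, EXPECTATIONS))
```

Running the block shows the compliant ruleset passing with no shadowed rules, while moving the deny rule to the top shadows all three allow rules and breaks two of the required decisions.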
Final Note on Policy
• Policy Administrator – must ensure that policy documents and their subsequent revisions are appropriately distributed
- a three-ring binder sitting on a manager’s bookcase is not likely to achieve the goal
• Policy Review – to remain relevant and effective, security policies should be reviewed annually
- input from all affected parties should be sought
- the policy, and its revisions, should always be dated!