Security Management Practices
Lisa M. True, CISSP
November 17, 2003
Domain 3

Page 1: Security Management Practices (title slide)

Page 2: Objectives for this Domain

- Concepts of Information Security Management
- Roles & Responsibilities
- Risk Management
- Security Policy Implementation
- The Information Classification Process
- Personnel Security Issues
- Security Awareness Training

Page 3: Security Management Practices: Concepts of Information Security Management

Page 4: The C.I.A. Triad

- Confidentiality
- Integrity
- Availability

Page 5: D.A.D.

Disclosure, Alteration, and Destruction

Page 6: Security Definitions

Vulnerability: The absence or weakness of a risk-reducing safeguard

Threat: An event, the occurrence of which could have an undesired impact

Risk: The likelihood of a threat agent taking advantage of a vulnerability

Exposure: Being exposed to losses from a threat agent

Safeguard: A risk-reducing measure that acts to detect, prevent or minimize the loss associated with the occurrence of a specific threat or category of threats

Page 7: Relationships Between Different Security Components

The slide is a diagram; its nodes and arrow labels read as a chain:

- Threat Agent gives rise to a Threat
- Threat exploits a Vulnerability
- Vulnerability leads to Risk
- Risk can damage an Asset
- and causes an Exposure
- Exposure can be countered by a Safeguard
- Safeguard directly affects the Threat Agent

Page 8: Security Definitions

Identification: The means by which users claim their identities to a system. Most commonly used for access control, identification is necessary for authentication and authorization

Authentication: The testing or reconciliation of evidence of a user’s identity. It establishes the user’s identity and ensures the users are who they say they are

Accountability: A system’s ability to determine the actions and behavior of a single individual within a system, and to identify that particular individual

Authorization: The rights and permissions granted to an individual (or process), which enable access to a computer resource

Privacy: The level of confidentiality and privacy protection that a user is given in a system

Page 9: Security Management Practices: Roles & Responsibilities

Page 10: Roles and Responsibilities

Roles must be clearly communicated and understood.

Role                Description
Senior Management   Has the ultimate responsibility for security
InfoSec Officer     Has the functional responsibility for security
Owner               Determines the data classification
Custodian           Preserves the information's C.I.A.
User/Operator       Performs in accordance with (IAW) the stated policies
Auditor             Examines security

Page 11: Security Management Practices: Risk Management

Page 12: Risk Management

- Security risks start when the power is turned on. The only way to deal with those risks is via risk management.
- Risks can be identified & reduced, but never eliminated.
- No matter how secure you make a system, it can always be broken into given sufficient resources, time, motivation and money.
- People are usually cheaper & easier to compromise than advanced technological safeguards.

Page 13: Risk Management

Risk management’s main function is to mitigate risk.

Mitigating risk means reducing the risk until it reaches a level that is acceptable to the organization.

To identify risk, we categorize it into four basic elements:

- The actual threat
- The possible consequences of the realized threat
- The probable frequency of the occurrence of the threat
- The extent to which we are confident that the threat will happen

Page 14: Qualitative and Quantitative

- There are two different risk management metrics: qualitative and quantitative.
- Quantitative risk management attempts to assign real numbers to the costs of countermeasures and the amount of damage.
- Qualitative risk management is about assessing risk possibilities and ranking the seriousness of the threats and the sensitivity of assets.

Page 15: Risk Assessment

Since you can’t protect yourself if you do not know what you are protecting against, a risk assessment must be performed. A risk assessment answers 3 fundamental questions:

- Identify assets: What am I trying to protect?
- Identify threats: What do I need to protect against?
- Calculate risks: How much time, effort & money am I willing to expend to obtain adequate protection?

After the risks are determined, you can develop the policies & procedures needed to reduce them.

Page 16: Risk Analysis Formulas

Concept                               Derivation / Formula
Exposure Factor (EF)                  % of asset loss caused by the threat
Single Loss Expectancy (SLE)          Asset Value x Exposure Factor (EF)
Annualized Rate of Occurrence (ARO)   Frequency of threat occurrence per year
Annualized Loss Expectancy (ALE)      Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO)

Page 17: Identifying Assets

Tangibles:
- Computers, communications equipment, wiring
- Data
- Software
- Audit records, books, documents

Intangibles:
- Privacy
- Employee safety & health
- Passwords
- Image & reputation
- Availability
- Employee morale

Page 18: Identifying Threats

- Earthquake, flood, hurricane, lightning
- Structural failure, asbestos
- Utility loss, i.e., water, power, telecommunications
- Theft of hardware, software, data
- Terrorists, both political and information
- Software bugs, malicious code, SPAM, mail bombs
- Strikes, labor & union problems
- Hackers, internal/external
- Inflammatory Usenet, Internet & web postings
- Employee illness, death
- Outbreak, epidemic

Page 19: Calculating (Quantifying) Risks

This is the hard part. Insurance & historical records may help, but your actuary is your best friend.

How much damage did Kevin Mitnick do? Estimates range from $500,000 to $120,000,000.

Review the risks:
- Lists should be regularly updated
- Small changes in operations or corporate structure can have significant risk implications
- Changes such as location, vendor, etc., must be included in the risk factor

Page 20: Risk Analysis Steps

1. Assign value to information and assets.
   a. What is the value of the asset to the company?
   b. How much does it cost to maintain it?
   c. How much does it make in profits for the company?
   d. How much would it be worth to the competition?
   e. How much would it cost to recreate or recover?
   f. How much did it cost to acquire or develop?

Page 21: Risk Analysis Steps cont.

2. Estimate potential loss per risk.
   a. What physical damage can take place and how much would that cost?
   b. How much productivity can be lost and how much would that cost?
   c. What’s the value lost if confidential information is disclosed?
   d. What is the cost of recovering from a virus attack?
   e. What is the cost of recovering from a hacker attack?
   f. How much would it cost if critical devices failed?
   g. Calculate the single loss expectancy (SLE) for each risk and scenario.

Page 22: Risk Analysis Steps cont.

3. Perform a threat analysis.
   a. Gather information about the likelihood of each risk taking place from people in each department, past records, and official security resources that provide this type of data.
   b. Calculate the probability of occurrence for each risk identified.
   c. Calculate the annualized rate of occurrence, which is how many times each risk could happen in a year.

4. Derive the overall loss potential per risk.
   a. Combine potential loss and probability.
   b. Calculate the annualized loss expectancy (ALE) per risk by using the information calculated in the first three steps.

Page 23: Risk Analysis Steps cont.

5. Choose remedial measures to counteract each risk.

6. Reduce, assign, or accept the risk.
   a. Risk reduction methods.
      i. Install security controls and components.
      ii. Improve procedures.
      iii. Alter the environment.
      iv. Provide early detection methods to catch the risk as it’s happening and reduce the possible damage it can cause.
      v. Produce a contingency plan of how business can continue if a specific risk takes place, reducing the extended damage at risk.
      vi. Erect barriers to the risk.
   b. Risk assignment.
      i. Buy insurance to transfer some or all of the risk.
   c. Risk acceptance or rejection.
      i. Live with the risks and spend no money towards protection.

Page 24: Qualitative Scenario Procedures

- A scenario is written that addresses each major threat.
- The scenario is reviewed by business unit managers for a reality check.
- The RA team recommends and evaluates the various safeguards for each threat.
- The RA team works through each finalized scenario using a threat, asset, and safeguard.
- The team prepares their findings and submits them to management.

Page 25: Qualitative Risk Analysis

Rating Level   Exposure Percentage
Blank or 0     No measurable loss
1              20% loss
2              40% loss
3              60% loss
4              80% loss
5              100% loss

Page 26: Quantitative vs. Qualitative RA

Property                         Quantitative   Qualitative
Cost/benefit analysis            Yes            No
Financial hard costs             Yes            No
Can be automated                 Yes            No
Guesswork involved               Low            High
Complex calculations             Yes            No
Volume of information required   High           Low
Time/work involved               High           Low
Ease of communication            High           Low

Page 27: Cost/Benefit Analysis

Cost of a loss: Often hard to determine accurately

Cost of prevention: Long term/short term

Adding up the numbers: The output is an Excel spreadsheet listing assets, risks & possible losses. For each loss, know its probability, the predicted loss & the amount of money needed to defend against the loss.

Page 28: Safeguard Selection Criteria

Cost/Benefit Analysis: (ALE before safeguard) - (ALE after safeguard) - (annual safeguard cost) = value of safeguard to the organization

Level of Manual Operations: Amount of manual intervention required to operate the safeguard. Automation increases reliability.

Auditability and Accountability Features

Recovery Ability:
- No asset destruction during activation or reset
- No covert channel access to or through the control during reset
- No security loss or increase in exposure after activation or reset
- Defaults to a state that does not enable any operator access or rights until the controls are fully operational

Vendor Relations: Open source, no back doors, past performance
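The formulas from the Risk Analysis Formulas slide, the qualitative rating table, the six-step risk analysis procedure and the safeguard cost/benefit formula above, worked through in Python. This is an added example, not code from the slides; the asset value, rating, ARO and the three candidate safeguards are constructed figures.

```python
"""Quantitative risk analysis with the deck's formulas:
SLE = Asset Value x EF, ALE = SLE x ARO, and
safeguard value = (ALE before) - (ALE after) - (annual safeguard cost).
Added example; every dollar figure below is constructed, not from the slides.
"""
from dataclasses import dataclass

# Qualitative rating level -> exposure factor, from the deck's rating table
# (level 1 = 20% loss ... level 5 = 100% loss; blank/0 = no measurable loss).
RATING_TO_EF = {0: 0.0, 1: 0.2, 2: 0.4, 3: 0.6, 4: 0.8, 5: 1.0}


def exposure_factor_from_rating(level):
    """Map a 0-5 qualitative rating to an exposure factor (fraction of the asset lost)."""
    if level not in RATING_TO_EF:
        raise ValueError(f"rating level must be 0-5, got {level!r}")
    return RATING_TO_EF[level]


def single_loss_expectancy(asset_value, ef):
    """SLE = Asset Value x Exposure Factor."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * ef


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO. ARO may be fractional (0.1 = expected once a decade)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control: its yearly cost and the residual EF/ARO once it is in place."""
    name: str
    annual_cost: float
    ef_after: float
    aro_after: float


def safeguard_value(asset_value, ef, aro, safeguard):
    """Deck formula: (ALE before safeguard) - (ALE after safeguard) - (annual safeguard cost)."""
    ale_before = annualized_loss_expectancy(single_loss_expectancy(asset_value, ef), aro)
    ale_after = annualized_loss_expectancy(
        single_loss_expectancy(asset_value, safeguard.ef_after), safeguard.aro_after)
    return ale_before - ale_after - safeguard.annual_cost


def rank_safeguards(asset_value, ef, aro, safeguards):
    """Return (name, value) pairs, best first. A negative value means the control costs
    more per year than the loss it avoids: step 6c of the deck, accept the risk instead."""
    scored = [(sg.name, safeguard_value(asset_value, ef, aro, sg)) for sg in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed scenario: a $200,000 file server, a threat the RA team rated 3 (60% loss),
# expected once every two years (ARO 0.5), and three hypothetical safeguards.
ASSET_VALUE = 200_000
EF = exposure_factor_from_rating(3)   # 0.6
ARO = 0.5
CANDIDATES = [
    Safeguard("nightly offsite backup", annual_cost=10_000, ef_after=0.2, aro_after=0.5),
    Safeguard("hot standby site", annual_cost=45_000, ef_after=0.0, aro_after=0.5),
    Safeguard("gold-plated DR contract", annual_cost=70_000, ef_after=0.0, aro_after=0.5),
]

if __name__ == "__main__":
    sle = single_loss_expectancy(ASSET_VALUE, EF)
    print(f"SLE = ${sle:,.0f}; ALE = ${annualized_loss_expectancy(sle, ARO):,.0f}")
    for name, value in rank_safeguards(ASSET_VALUE, EF, ARO, CANDIDATES):
        verdict = "worth it" if value > 0 else "accept the risk instead"
        print(f"{name:28s} value ${value:>10,.0f}  ({verdict})")
```

Note that the cheapest control wins here even though it leaves residual exposure, while the control that eliminates the loss entirely comes out negative; that is the point of subtracting the annual safeguard cost.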

Page 29: Security Management Practices: Security Policy Implementation

Page 30: Information Security Policies

- Policy is perhaps the most crucial element in a corporate information security infrastructure.
- Marcus Ranum defines a firewall as “the implementation of your Internet security policy. If you haven’t got a security policy, you haven’t got a firewall. Instead, you’ve got a thing that’s sort of doing something, but you don’t know what it’s trying to do because no one has told you what it should do.”
- Corporate computing is a complex operation. Effective policies can rectify many of the weaknesses and faults.

Page 31: Senior Management Commitment

Fundamentally important to any security program’s success is senior management’s high-level statement of commitment to the information security policy process, and senior management’s understanding of how important security controls and protections are to the enterprise’s continuity. Senior management must be aware of the importance of security implementation to preserving the organization’s viability (and for their own “Due Care” protection), and must publicly support that process throughout the enterprise.

Page 32: Policy Types

Regulatory: Ensures compliance with standards set by a specific industry and regulated by law

Advisory: Written to strongly suggest certain types of behaviors which should take place

Informative: Non-enforceable, written to inform about certain topics

Page 33: Information Security Policies

Benefits:
- Ensure systems are used in the manner intended
- Ensure users understand their roles & responsibilities
- Control legal liability

Page 34: Information Security Policies

Components of an effective policy:
- Title
- Purpose
- Authorizing individual
- Author/sponsor
- Reference to other policies
- Scope
- Measurement expectations
- Exception process
- Accountability
- Effective/expiration dates
- Definitions

Page 35: Information Security Policies

How to ensure that policies are understood:

- Jargon-free/non-technical language. Rather than “when creating software authentication codes, users must endeavor to use codes that do not facilitate nor submit the company to vulnerabilities in the event that external operatives break such codes”, use “passwords that are guessable should not be used”.
- Focused: job position independent; no procedures, techniques or methods. Policy is the approach; the specific details & implementations should be in another document.
- Responsibility for adherence: users must understand the magnitude & significance of the policy. “I thought this policy didn’t apply to me” should never be heard.

Page 36: Information Security Policies

How should policies be disseminated?
- New hires should get hard copies at orientation
- Rehires should go through orientation
- Periodic awareness training
- Hard copies
- Web/corporate intranet
- Brochures
- Videos
- Posters
- E-mail/voice-mail

Page 37: Policy Hierarchy

The slide is a layered diagram, strategic at the top and tactical at the bottom:

- Senior Management Statement of Policy
- General Organizational Policies (general overviews)
- Functional Policies
- Mandatory Standards (specs. of hardware and software)
- Recommended Guidelines (recommended actions and operational guides)
- Detailed Procedures (step by step actions)
- Baselines

Page 38: Security Management Practices: The Information Classification Process

Page 39: Information Classification Benefits

- Demonstrates an organization's commitment to security protections
- Helps identify which information is the most sensitive or vital to an organization
- Supports the tenets of confidentiality, integrity, and availability as they pertain to data
- Helps identify which protections apply to which information
- May be required for regulatory, compliance, or legal reasons

Page 40: Information Classification Procedures

1. Identify the administrator/custodian.
2. Specify the criteria for how the information will be classified and labeled.
3. Classify the data by its owner, who is subject to review by a supervisor.
4. Specify and document any exceptions to the classification policy.
5. Specify the controls that will be applied to each classification level.
6. Specify the termination procedures for declassifying the information or for transferring custody of the information to another entity.
7. Create an enterprise awareness program about the classification controls.

Page 41: Classification Criteria

Value: The most commonly used criterion in the private sector

Age: Classification may be lowered if value decreases over time

Useful Life: Information made obsolete by new information

Personal Association: If information is personally associated with specific individuals or is addressed by a privacy law, it may need to be classified

Page 42: Military Data Classification

Classification                     Definition                                   Example
Top Secret                         Could cause grave damage                     Espionage data, weapon blueprints
Secret                             Could cause serious damage                   Troop plans, nuclear facilities
Confidential                       Serious effects                              Secrets
Sensitive but Unclassified (SBU)   Minor secret, may not cause serious effect   Medical data, test scores
Unclassified                       Not sensitive or classified                  Recruiting info

Page 43: Private Sector Data Classification

Classification   Definition                      Example
Sensitive        Protect from modification       Financial, project
Confidential     Company only                    Trade secrets, health care, code
Private          Personal info                   Work history, HR info, medical info
Proprietary      Could reduce competitive edge   Technical specs
Public           Everything else                 Upcoming projects

Page 44: Other Data Classification Points

- With the exception of general business correspondence, all externally-provided information which is not public in nature must have a data classification system label
- All tape reels, floppy disks and other computer storage media containing secret, confidential, or private information must be externally labeled with the appropriate sensitivity classification
- Holders of sensitive information must take appropriate steps to ensure that these materials are not available to unauthorized persons (“open view”)
- “Need-to-know”

Page 45: Distribution of Classified Information

- Court Order
- Government Contracts
- Senior-level Approval (may need a confidentiality agreement)

Page 46: Security Management Practices: Personnel Security Issues

Page 47: Personnel Security Terms

Separation of duties: Security is enhanced through the division of responsibilities

Collusion: More than one person is needed to cause some type of fraud

Job rotation: Do not keep people in one position forever

Page 48: Employment Policies & Practices

Background checks/security clearances: Checking public records provides critical information needed to make the best hiring decision. Conducting these often simple checks verifies that the information provided on the application is current and true, and gives the employer an immediate measurement of an applicant’s integrity.

Page 49: Background Checks

What a background check can potentially prevent:

- lawsuits from terminated employees
- lawsuits from 3rd parties or customers for negligent hiring
- unqualified employees
- lost business and profits
- time wasted recruiting, hiring and training
- theft, embezzlement or property damage
- money lost (to recruiter fees, signing bonus)
- negligent hiring lawsuits
- decrease in employee morale
- workplace violence, or sexual harassment suits

Page 50: Background Checks

Who should be checked? Employee background checks should be performed for all sensitive positions. Information security staff in sensitive positions include those responsible for:

- firewall administration
- e-commerce management
- Kerberos administration
- SecurID & password usage
- PKI and certificate management
- router administration

Page 51: Background Checks

What can be checked for an applicant:

- Credit Report
- SSN searches
- Workers Compensation Reports
- Criminal Records
- Motor Vehicle Report
- Education Verification & Credential Confirmation
- Reference Checks
- Prior Employer Verification

Page 52: Military Security Clearance

Among the most meticulous background checks are those requiring a DoD security clearance. A defense security clearance is generally only requested for individuals in the following categories whose employment involves access to sensitive government assets:

- Members of the military
- Civilian employees working for the Department of Defense or other government agencies
- Employees of government contractors

Page 53: Military Security Clearance

A DoD review, more correctly known as a personnel security investigation, comprises the following:

- a search of investigative files and other records held by federal agencies, including the FBI and, if appropriate, overseas countries
- a financial check
- field interviews of references (in writing, by telephone, or in person), to include coworkers, employers, personal friends, educators, neighbors, and other individuals, as appropriate
- a personal interview with the applicant conducted by an investigator

Page 54: Employment Agreement

- Non-compete
- Non-disclosure
- Restrictions on dissemination of corporate information, i.e., to the press, analysts, law enforcement

Page 55: Hiring & Termination

- Policies and procedures should come down from HR
- Drug screening, personality tests
- Should address how to handle an employee’s departure:
  - shutting down accounts
  - forwarding e-mail and voice-mail
  - lock and combination changes
  - system password changes
  - collecting keys, badges, …

Page 56: Security Management Practices: Security Awareness Training

Page 57: Security Awareness

Awareness:
- Live/interactive presentations
- Publishing/distribution
- Incentives
- Reminders

Training and Education:
- Security-related job training for operators and specific users
- Awareness training for specific departments or personnel groups with security-sensitive positions
- Technical security training for IT support personnel and system administrators
- Advanced InfoSec training for security practitioners and information systems auditors
- Security training for senior managers, functional managers, and business unit managers

Page 58:

Thanks !!!!!

Any Questions ????