Security Risks Analysistawalbeh/aabfs/iss6753/presentations/Ch02... · 1 11/17/2006 Dr. Awajan...
Transcript of Security Risks Analysistawalbeh/aabfs/iss6753/presentations/Ch02... · 1 11/17/2006 Dr. Awajan...
1
11/17/2006 Dr. Awajan Arafat 1
Security Risks Analysis
Dr. Arafat Awajan2006
11/17/2006 Dr. Awajan Arafat 2
Security Planning
2
11/17/2006 Dr. Awajan Arafat 3
Chapter Objectives
Recognize the importance of planning and describe the principal components of organizational planning.Know and understand the principal components of information security system implementation planning as it functions within the organizational planning scheme.
11/17/2006 Dr. Awajan Arafat 4
IntroductionSuccessful organizations utilize planningGood planning enables an organization to make the most out of the resources at hand.Planning involves:
EmployeesStockholdersPhysical environmentCompetitive environmentTechnological and legal environment
3
11/17/2006 Dr. Awajan Arafat 5
Introduction
Planning:Is creating action steps toward goals, and then controlling themProvides direction for the organization’s future
Top-down method:Organization’s leaders choose the directionPlanning begins with the general and ends with the specific
11/17/2006 Dr. Awajan Arafat 6
Introduction
It is important to Know how the general organizational planning process works, this will help in the information security planning processDeveloping the organizational plan for information security depends upon the same planning process.
4
11/17/2006 Dr. Awajan Arafat 7
Planning Levels
Three levels of planning Strategic PlanningTactical PlanningOperational Planning
11/17/2006 Dr. Awajan Arafat 8
Strategic Planning
Strategic planning includes:Vision statementMission statementValue statementStrategyCoordinated plans for sub units
5
11/17/2006 Dr. Awajan Arafat 9
Components Of Planning
Mission statement:Declares the business of the organization and its intended areas of operationsExplains what the organization does and for whomExample:
Jordan Packing, Inc. designs and manufactures quality packs, associated equipment and supplies for use in modern business environments
CSSD http://technology.pitt.edu/security.html
11/17/2006 Dr. Awajan Arafat 10
Components Of Planning
Vision statement:Expresses what the organization wants to becomeShould be ambitiousExample:
Jordan Packing, Inc will be the preferred manufacturer of choice for every business’s needs.
6
11/17/2006 Dr. Awajan Arafat 11
Components Of Planning
Values Statement makes the organization conduct standards clear
Example: Jordan Packing values: commitment, honesty, integrity and social responsibility among its employees, and is committed to providing its services in harmony with its corporate, social, legal and natural environments.
The mission, vision, and values statements together provide the foundation for planning
11/17/2006 Dr. Awajan Arafat 12
Components Of Planning
StrategyIt is the basis for long-term direction Strategic planning:
Guides organizational effortsFocuses resources on clearly defined goals
“… strategic planning is a disciplined effort to produce fundamental decisions and actions that shape and guide what an organization is, what it does, and why it does it, with a focus on the future.”
7
11/17/2006 Dr. Awajan Arafat 13
Strategic Planning
Organization:Develops a general strategyCreates specific strategic plans for major divisions
Each level of division translates those objectives into more specific objectives for the level below
In order to execute this broad strategy, executives must define individual managerial responsibilities
11/17/2006 Dr. Awajan Arafat 14
Strategic Planning
Strategic goals are then translated into tasks with specific, measurable, achievable, reasonably high and time-bound objectives (SMART)
Strategic planning then begins a transformation from general to specific objectives
8
11/17/2006 Dr. Awajan Arafat 15
Tactical Planning
Shorter focus than strategic planningUsually one to three yearsBreaks applicable strategic goals into a series of incremental objectives
11/17/2006 Dr. Awajan Arafat 16
Operational PlanningUsed by managers and employees to organize the ongoing, day-to-day performance of tasks
Includes clearly identified coordination activities across department boundaries such as:
Communications requirements
Weekly meetings
Summaries
Progress reports
9
11/17/2006 Dr. Awajan Arafat 17
Planning Levels
11/17/2006 Dr. Awajan Arafat 18
Typical Strategic Plan Elements
Introduction by senior executive (President/CEO)Executive SummaryMission Statement and Vision StatementOrganizational Profile and HistoryStrategic Issues and Core ValuesProgram Goals and ObjectivesManagement/Operations Goals and ObjectivesAppendices (optional)
Strengths, weaknesses, opportunities and threats (SWOT) analyses, surveys, budgets &etc
10
11/17/2006 Dr. Awajan Arafat 19
Planning for Information Security Implementation
11/17/2006 Dr. Awajan Arafat 20
The Systems Development Life Cycle (SDLC)
SDLC: methodology for the design and implementation of an information systemSDLC-based projects may be initiated by events or plannedAt the end of each phase, a review occurs when reviewers determine if the project should be continued, discontinued, outsourced, or postponed
11
11/17/2006 Dr. Awajan Arafat 21
Phases of An SDLC
11/17/2006 Dr. Awajan Arafat 22
Investigation
Identifies problem to be solvedBegins with the objectives, constraints, and scope of the projectA preliminary cost/benefit analysis is developed to evaluate the perceived benefits and the appropriate costs for those benefits
12
11/17/2006 Dr. Awajan Arafat 23
Investigation
11/17/2006 Dr. Awajan Arafat 24
Analysis
Begins with information from the Investigation phaseAssesses the organization’s readiness, its current systems status, and its capability to implement and then support the proposed system (s)Analysts determine what the new system is expected to do, and how it will interact with existing systems
13
11/17/2006 Dr. Awajan Arafat 25
Logical Design
Information obtained from analysis phase is used to create a proposed solution for the problemA system and/or application is selected based on the business needThe logical design is the implementation independent blueprint for the desired solution
11/17/2006 Dr. Awajan Arafat 26
Physical Design
During the physical design phase, the team selects specific technologies The selected components are evaluated further as a make-or-buy decisionA final design is chosen that optimally integrates required components
14
11/17/2006 Dr. Awajan Arafat 27
ImplementationDevelop any software that is not purchased, and create integration capabilityCustomized elements are tested and documentedUsers are trained and supporting documentation is createdOnce all components have been tested individually, they are installed and tested as a whole
11/17/2006 Dr. Awajan Arafat 28
Maintenance
Tasks necessary to support and modify the system for the remainder of its useful lifeSystem is tested periodically for compliance with specificationsFeasibility of continuance versus discontinuance is evaluated
15
11/17/2006 Dr. Awajan Arafat 29
Maintenance
Upgrades, updates, and patches are managed When current system can no longer support the mission of the organization, it is terminated and a new systems development project is undertaken
11/17/2006 Dr. Awajan Arafat 30
The Security SDLCMay differ in several specifics, but overall methodology is similar to the SDLCSecSDLC process involves:
Identification of specific threats and the risks that they representSubsequent design and implementation of specific controls to counter those threats and assist in the management of the risk those threats pose to the organization
16
11/17/2006 Dr. Awajan Arafat 31
Investigation in the SecSDLCBegins as directive from management specifying the process, outcomes, and goals of the project and its budget Begins with the affirmation or creation of security policiesTeams assembled to analyze problems, define scope, specify goals and identify constraints Feasibility analysis determines whether the organization has resources and commitment to conduct a successful security analysis and design
11/17/2006 Dr. Awajan Arafat 32
Analysis in the SecSDLC
A preliminary analysis of existing security policies or programs is prepared along with known threats and current controlsIncludes an analysis of relevant legal issues that could affect the design of the security solution Risk management begins in this stage
17
11/17/2006 Dr. Awajan Arafat 33
Design in the SecSDLC
Design phase actually consists of two distinct phases:
Logical design phase: team members create and develop a blueprint for security, and examine and implement key policies Physical design phase: team members evaluate the technology needed to support the security blueprint, generate alternative solutions, and agree upon a final design
11/17/2006 Dr. Awajan Arafat 34
Design in the SecSDLC
Attention turns to the design of the controls and safeguards used to protect information from attacks by threatsThree categories of controls:
ManagerialOperationalTechnical
18
11/17/2006 Dr. Awajan Arafat 35
Managerial Controls
Address design/implementation of the security planning process and security program management
Management controls also address:Risk managementSecurity control reviews
11/17/2006 Dr. Awajan Arafat 36
Operational Controls
Cover management functions and lower level planning including:
Disaster recoveryIncident response planning
Operational controls also address:Personnel securityPhysical securityProtection of production inputs and outputs
19
11/17/2006 Dr. Awajan Arafat 37
Technical Controls
Address the technical issues related to designing and implementing security in the organizationTechnologies necessary to protect information are examined and selected.
11/17/2006 Dr. Awajan Arafat 38
Implementation in the SecSDLC
Security solutions are acquired, tested, implemented, and tested Personnel issues are evaluated and specific training and education programs conductedPerhaps most important element of implementation phase is management of project plan:
Planning the projectSupervising tasks and action steps within the projectWrapping up the project
20
11/17/2006 Dr. Awajan Arafat 39
InfoSec Project Team
Should consist of individuals experienced in one or multiple technical and non-technical areas including:
Team leaderSecurity policy developers Risk assessment specialistsSecurity professionals Systems administratorsEnd users
11/17/2006 Dr. Awajan Arafat 40
Staffing the InfoSec FunctionEach organization should examine the options for staffing of the information security function
Decide how to position and name the security functionPlan for proper staffing of information security functionUnderstand impact of information security Integrate solid information security concepts into personnel management practices of the organization
21
11/17/2006 Dr. Awajan Arafat 41
InfoSec ProfessionalsIt takes a wide range of professionals to support a diverse information security program:
Chief Information Officer (CIO)Chief Information Security Officer (CISO)Security ManagersSecurity TechniciansData OwnersData Users
11/17/2006 Dr. Awajan Arafat 42
Maintenance and Change in the SecSDLC
Once information security program is implemented,
it must be properly operated, managed, and kept up to date by means of established procedures
If the program is not adjusting adequately to the changes in the internal or external environment, it may be necessary to begin the cycle again
22
11/17/2006 Dr. Awajan Arafat 43
Maintenance Model
While a systems management model is designed to manage and operate systems, a maintenance model is intended to focus organizational effort on system maintenance:
External monitoringInternal monitoringPlanning and risk assessmentVulnerability assessment and remediationReadiness and review
11/17/2006 Dr. Awajan Arafat 44