CMPS 319
Blueprint For Security
Chapter 6
Begin with the end in mind
-- Stephen Covey
Principles of Information Security - Chapter 6 Slide # 2
Learning Objectives:
Upon completion of this material you should be able to:
Understand management’s responsibilities and role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines.
Understand the differences between the organization’s general information security policy and the needs and objectives of the various issue-specific and system-specific policies the organization will create.
Know what an information security blueprint is and what its major components are.
Understand how an organization institutionalizes its policies, standards, and practices using education, training and awareness programs.
Become familiar with what viable information security architecture is, what it includes, and how it is used.
Introduction
The creation of an information security program begins with an information security blueprint, and before we can discuss the creation and development of a blueprint, it is important to look at management’s responsibility in shaping policy.
It is prudent for information security professionals to know the information security policies and how these policies contribute to the overall objectives of the organization.
Information Security Policy, Standards and Practices
Management from all communities of interest must consider policies as the basis for all information security efforts
Policies direct how issues should be addressed and technologies used
Security policies are the least expensive control to execute, but the most difficult to implement
Shaping policy is difficult because policy must:
Never conflict with laws
Stand up in court, if challenged
Be properly administered
Definitions
A policy is
A plan or course of action, as of a government, political party, or business, intended to influence and determine decisions, actions, and other matters
Policies are organizational laws
Standards, on the other hand, are more detailed statements of what must be done to comply with policy
Practices, procedures and guidelines effectively explain how to comply with policy
For a policy to be effective it must be properly disseminated, read, understood and agreed to by all members of the organization
Types of Policy
Management defines three types of security policy:
General or security program policy
Issue-specific security policies
Systems-specific security policies
Policies, Standards & Practices
Security Program Policy
A security program policy (SPP) is also known as a general security policy, IT security policy, or information security policy
Sets the strategic direction, scope, and tone for all security efforts within the organization
An executive-level document, usually drafted by or with the CIO of the organization, and usually 2 to 10 pages long
Issue-Specific Security Policy (ISSP)
As various technologies and processes are implemented, certain guidelines are needed to use them properly
The ISSP:
addresses specific areas of technology
requires frequent updates
contains an issue statement on the organization’s position on an issue
Three approaches:
Create a number of independent ISSP documents
Create a single comprehensive ISSP document
Create a modular ISSP document
Example ISSP Structure
Statement of Policy
Authorized Access and Usage of Equipment
Prohibited Usage of Equipment
Systems Management
Violations of Policy
Policy Review and Modification
Limitations of Liability
Example Policy
Systems-Specific Policy
While issue-specific policies are formalized as written documents, distributed to users, and agreed to in writing, SysSPs are frequently codified as standards and procedures used when configuring or maintaining systems
Systems-specific policies fall into two groups:
Access control lists (ACLs) consist of the access control lists, matrices, and capability tables governing the rights and privileges of a particular user to a particular system
Configuration Rules comprise the specific configuration codes entered into security systems to guide the execution of the system
ACL Policies
Both Microsoft Windows NT/2000 and Novell Netware 5.x/6.x families of systems translate ACLs into sets of configurations that administrators use to control access to their respective systems
ACLs allow configuration to restrict access from anyone and anywhere
ACLs regulate:
Who can use the system
What authorized users can access
When authorized users can access the system
Where authorized users can access the system from
How authorized users can access the system
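The five questions above (who, what, when, where, how) map directly onto the fields of an ACL entry, and the way entries combine (an explicit deny overrides any allow, and anything not matched is denied) is what makes an ACL a policy rather than a list. The evaluator below is an added example written for this page, not code from the textbook or from either product named above; the user names, groups, resource names, CIDR ranges and time window are constructed. It returns the reason with every decision so that the outcome can be written to an audit trail.

```python
# Added example (not from the textbook or the slides): a small ACL evaluator
# showing the five questions an ACL answers: who, what, when, where, how.
# Every ACL entry and every request below is constructed for illustration.
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    principal: str                      # WHO: a user name, "group:<name>", or "*"
    resource: str                       # WHAT: exact name, or a prefix ending in "*"
    rights: frozenset                   # HOW: e.g. {"read", "write"}, or {"*"}
    allow: bool = True                  # allow, or an explicit deny
    window: Optional[Tuple[time, time]] = None  # WHEN: (start, end); None = any time
    sources: Tuple[str, ...] = ()       # WHERE: CIDR blocks; empty = anywhere


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    resource: str
    right: str
    at: time
    source_ip: str


def _principal_matches(entry: AclEntry, req: AccessRequest) -> bool:
    if entry.principal in ("*", req.user):
        return True
    return entry.principal.startswith("group:") and entry.principal[len("group:"):] in req.groups


def _resource_matches(entry: AclEntry, req: AccessRequest) -> bool:
    if entry.resource.endswith("*"):
        return req.resource.startswith(entry.resource[:-1])
    return entry.resource == req.resource


def _matches(entry: AclEntry, req: AccessRequest) -> bool:
    """True when the entry applies to this request on all five dimensions."""
    if not _principal_matches(entry, req) or not _resource_matches(entry, req):
        return False
    if "*" not in entry.rights and req.right not in entry.rights:
        return False
    # The time window is assumed not to cross midnight (start <= end).
    if entry.window is not None and not (entry.window[0] <= req.at <= entry.window[1]):
        return False
    if entry.sources:
        addr = ip_address(req.source_ip)
        if not any(addr in ip_network(cidr) for cidr in entry.sources):
            return False
    return True


def evaluate(acl, req: AccessRequest) -> Tuple[bool, str]:
    """Explicit deny beats allow; anything not explicitly allowed is denied.

    Returns (decision, reason) so the decision can be recorded in an audit trail.
    """
    matching = [e for e in acl if _matches(e, req)]
    for e in matching:
        if not e.allow:
            return False, f"explicit deny for {e.principal} on {e.resource}"
    if matching:
        e = matching[0]
        return True, f"allowed by entry for {e.principal} on {e.resource}"
    return False, "no matching entry (default deny)"


# Constructed ACL for a hypothetical payroll share.
PAYROLL_ACL = (
    AclEntry("group:staff", "payroll/*", frozenset({"read"}),
             window=(time(8, 0), time(18, 0)), sources=("10.0.0.0/8",)),
    AclEntry("alice", "payroll/*", frozenset({"write"}), sources=("10.0.1.0/24",)),
    AclEntry("bob", "payroll/*", frozenset({"*"}), allow=False),
)


def request(user, groups, resource, right, hour, source_ip) -> AccessRequest:
    """Convenience constructor for a request at a whole hour."""
    return AccessRequest(user, frozenset(groups), resource, right, time(hour, 0), source_ip)


if __name__ == "__main__":
    for req in (
        request("alice", ["staff"], "payroll/q1.xlsx", "read", 9, "10.0.5.5"),
        request("alice", ["staff"], "payroll/q1.xlsx", "read", 22, "10.0.5.5"),
        request("alice", ["staff"], "payroll/q1.xlsx", "write", 22, "10.0.1.7"),
        request("bob", ["staff"], "payroll/q1.xlsx", "read", 9, "10.0.5.5"),
        request("carol", ["staff"], "payroll/q1.xlsx", "read", 9, "192.168.1.1"),
        request("carol", ["staff"], "hr/handbook.pdf", "read", 9, "10.0.5.5"),
    ):
        print(req.user, req.right, req.resource, "->", evaluate(PAYROLL_ACL, req))
```

Run it and the six requests show each dimension refusing in turn: the read after hours fails on "when", the write from the wrong subnet fails on "where", bob is refused by the explicit deny even though his group is allowed, and the request for a resource no entry covers falls through to the default deny.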
Figure 6-3 – Novell Example ACL
Windows Example ACL
Rule Policies
Rule policies are more specific to the operation of a system than ACLs
Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process
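One common form of such a configuration script is an ordered firewall rulebase: rules are evaluated top-down, the first match decides, and a cleanup rule at the bottom drops whatever nothing else matched. The block below is an added example for this page, not code from the textbook and not a vendor's own rule language; the rule names, addresses and sample packets are constructed. Besides deciding packets it reports rules that can never fire because an earlier, broader rule already covers them, which is the kind of defect a review of a rule policy should catch.

```python
# Added example (not from the textbook or any vendor): an ordered, first-match
# firewall rulebase as one kind of "rule policy", plus a check for shadowed
# rules. All rules and packets below are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # source CIDR; "0.0.0.0/0" means any
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp", "icmp" or "any"
    port: Optional[int]    # destination port; None means any
    action: str            # "accept" or "drop"
    log: bool = True


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dport: Optional[int]


# Implicit cleanup rule: everything not explicitly accepted is dropped and logged.
CLEANUP = Rule("implicit cleanup", "0.0.0.0/0", "0.0.0.0/0", "any", None, "drop", log=True)


def _contains(net: str, addr: str) -> bool:
    return ip_address(addr) in ip_network(net)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_contains(rule.src, pkt.src_ip) and _contains(rule.dst, pkt.dst_ip)
            and rule.proto in ("any", pkt.proto)
            and rule.port in (None, pkt.dport))


def decide(rulebase: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; the cleanup rule catches everything else."""
    for rule in list(rulebase) + [CLEANUP]:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    raise AssertionError("unreachable: the cleanup rule matches every packet")


def _covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet `later` could match is already matched by `earlier`."""
    return (ip_network(later.src).subnet_of(ip_network(earlier.src))
            and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
            and earlier.proto in ("any", later.proto)
            and earlier.port in (None, later.port))


def shadowed_rules(rulebase: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them."""
    found = []
    for i, later in enumerate(rulebase):
        if any(_covers(earlier, later) for earlier in rulebase[:i]):
            found.append(later.name)
    return found


# Constructed rulebase for a hypothetical site (203.0.113.0/24 is the DMZ,
# 10.0.0.0/8 the internal LAN, 10.50.0.0/16 the guest wireless range).
RULEBASE = [
    Rule("allow web to DMZ", "0.0.0.0/0", "203.0.113.0/24", "tcp", 443, "accept", log=False),
    Rule("block guest wifi to LAN", "10.50.0.0/16", "10.0.0.0/8", "any", None, "drop"),
    Rule("allow guest to printer", "10.50.0.0/16", "10.0.9.20/32", "tcp", 9100, "accept"),
    Rule("admin ssh to DMZ", "10.0.1.0/24", "203.0.113.0/24", "tcp", 22, "accept"),
]


if __name__ == "__main__":
    for pkt in (
        Packet("198.51.100.7", "203.0.113.10", "tcp", 443),
        Packet("10.50.3.4", "10.0.9.20", "tcp", 9100),
        Packet("10.0.1.5", "203.0.113.10", "tcp", 22),
        Packet("198.51.100.7", "203.0.113.10", "tcp", 22),
    ):
        print(pkt, "->", decide(RULEBASE, pkt))
    print("shadowed:", shadowed_rules(RULEBASE))
```

Note the ordering problem the check exposes: the guest-to-printer rule sits below the broader guest-to-LAN drop, so the printer is unreachable for guests even though the administrator believes it is allowed. Rule order is part of the policy, which is why the slides treat these scripts as policy rather than as mere configuration.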
Checkpoint Example
IDS Rules
IDS Rules
Policy Management
Policies are living documents that must be managed and nurtured, and are constantly changing and growing
Documents must be properly managed
Special considerations should be made for organizations undergoing mergers, takeovers and partnerships
In order to remain viable, policies must have:
an individual responsible for reviews
a schedule of reviews
a method for making recommendations for reviews
an indication of effective and revision date
Automated Policy Management
There is an emergence of a new category of software for managing information security policies
In recent years, this category has emerged in response to needs articulated by information security practitioners
While there have been many software products that meet specific technical control needs, there is now a need for software to automate some of the administration of policy
Information Classification
The classification of information is an important aspect of policy
The same protection scheme created to prevent production data from accidental release to the wrong party should be applied to policies in order to keep them freely available, but only within the organization
In today’s open office environments, it may be beneficial to implement a clean desk policy
A clean desk policy stipulates that at the end of the business day, all classified information must be properly stored and secured
Not A Clean Desk
Systems Design
At this point in the Security SDLC, the analysis phase is complete and the design phase begins – many work products have been created
Designing a plan for security begins by creating or validating a security blueprint
Then use the blueprint to plan the tasks to be accomplished and the order in which to proceed
Setting priorities can follow the recommendations of published sources, or from published standards provided by government agencies, or private consultants
The SecSDLC
Information Security Blueprints
One approach is to adapt or adopt a published model or framework for information security
A framework is the basic skeletal structure within which additional detailed planning of the blueprint can be placed as it is developed or refined
Experience teaches us that what works well for one organization may not precisely fit another
ISO 17799/BS 7799
One of the most widely referenced and often discussed security models is the Information Technology – Code of Practice for Information Security Management, which was originally published as British Standard 7799
This Code of Practice was adopted as an international standard by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799 in 2000 as a framework for information security
BS7799-2
ISO 17799 / BS 7799
Several countries have not adopted 17799 claiming there are fundamental problems:
The global information security community has not defined any justification for a code of practice as identified in the ISO/IEC 17799
17799 lacks “the necessary measurement precision of a technical standard”
There is no reason to believe that 17799 is more useful than any other approach currently available.
17799 is not as complete as other frameworks available
17799 is perceived to have been hurriedly prepared given the tremendous impact its adoption could have on industry information security controls
ISO/IEC 17799
Organizational Security Policy is needed to provide management direction and support
Objectives:
Operational Security Policy
Organizational Security Infrastructure
Asset Classification and Control
Personnel Security
Physical and Environmental Security
Communications and Operations Management
System Access Control
System Development and Maintenance
Business Continuity Planning
Compliance
NIST Security Models
Another approach available is described in the many documents available from the Computer Security Resource Center of the National Institute for Standards and Technology (csrc.nist.gov) – Including:
NIST SP 800-12 - The Computer Security Handbook
NIST SP 800-14 - Generally Accepted Principles and Practices for Securing IT Systems
NIST SP 800-18 - The Guide for Developing Security Plans for IT Systems
NIST SP 800-14
Security Supports the Mission of the Organization
Security is an Integral Element of Sound Mgmt
Security Should Be Cost-Effective
Systems Owners Have Security Responsibilities Outside Their Own Organizations
Security Responsibilities and Accountability Should Be Made Explicit
Security Requires a Comprehensive and Integrated Approach
Security Should Be Periodically Reassessed
Security is Constrained by Societal Factors
33 Principles enumerated
IETF Security Architecture
While no specific architecture is promoted through the Internet Engineering Task Force, the Security Area Working Group acts as an advisory board for the protocols and areas developed and promoted through the Internet Society
RFC 2196: Site Security Handbook provides an overview of five basic areas of security with detailed discussions on development and implementation
There are chapters on such important topics as security policies, security technical architecture, security services, and security incident handling
Visa Model
Visa International promotes strong security measures and has security guidelines
Developed two important documents that improve and regulate its information systems
“Security Assessment Process”
“Agreed Upon Procedures”
Using the two documents, a security team can develop a sound strategy for the design of good security architecture
The only downside to this approach is the very specific focus on systems that can or do integrate with VISA’s systems
Baselining and Best Practices
Baselining and best practices are solid methods for collecting security practices, but can have the drawback of providing less detail than would a complete methodology
It is possible to gain information by baselining and using best practices and thus work backwards to an effective design
The Federal Agency Security Practices Site (fasp.csrc.nist.gov) is designed to provide best practices for public agencies and adapted easily to private organizations
Professional Membership
It may be worth the information security professional’s time and money to join professional societies with information on best practices for their members
Many organizations have seminars and classes on best practices for implementing security
Finding information on security design is the easy part; sorting through the collected mass of information, documents, and publications can take a substantial investment in time and human resources
Hybrid Framework
The framework proposed here is the result of a detailed analysis of the components of all the documents, standards, and Web-based information described in the previous sections
It is offered to the student as a balanced introductory blueprint for learning the blueprint development process
NIST SP 800-26
Management Controls
Risk Management
Review of Security Controls
Life Cycle Maintenance
Authorization of Processing (Certification and Accreditation)
System Security Plan
Operational Controls
Personnel Security
Physical Security
Production, Input/Output Controls
Contingency Planning
Hardware and Systems Software
Data Integrity
Documentation
Security Awareness, Training, and Education
Incident Response Capability
Technical Controls
Identification and Authentication
Logical Access Controls
Audit Trails
Spheres of Security
Sphere of Use
Generally speaking, the concept of the sphere is to represent the 360 degrees of security necessary to protect information at all times
The first component is the “sphere of use”
Information, at the core of the sphere, is available for access by members of the organization and other computer-based systems:
To gain access to the computer systems, one must either directly access the computer systems or go through a network connection
To gain access to the network, one must either directly access the network or go through an Internet connection
Sphere of Protection
The “sphere of protection” overlays each of the levels of the “sphere of use” with a layer of security, protecting that layer from direct or indirect use through the next layer
The people must become a layer of security, a human firewall that protects the information from unauthorized access and use
Information security is therefore designed and implemented in three layers
policies
people (education, training and awareness programs)
technology
Controls
Management Controls cover security processes that are designed by the strategic planners and performed by security administration of the organization
Operational Controls deal with the operational functionality of security in the organization
Operational controls also address personnel security, physical security and the protection of production inputs and outputs
Technical Controls address those tactical and technical issues related to designing and implementing security in the organization
The Framework
Management Controls
- Program Management
- System Security Plan
- Life Cycle Maintenance
- Risk Management
- Review of Security Controls
- Legal Compliance
Operational Controls
- Contingency Planning
- Security ETA
- Personnel Security
- Physical Security
- Production Inputs and Outputs
- Hardware & Software Systems Maintenance
- Data Integrity
Technical Controls
- Logical Access Controls
- Identification, Authentication, Authorization and Accountability
- Audit Trails
- Asset Classification and Control
- Cryptography
SETA
- As soon as the policies exist, policies to implement security education, training and awareness (SETA) should follow.
- SETA is a control measure designed to reduce accidental security breaches.
- It supplements the general education and training programs in place to educate staff on information security.
- Security education and training builds on the general knowledge the employees must possess to do their jobs, familiarizing them with the way to do their jobs securely.
SETA Elements
The SETA program consists of three elements:
- security education
- security training
- security awareness
The organization may not be capable or willing to undertake all three of these elements but may outsource them.
The purpose of SETA is to enhance security by:
- Improving awareness of the need to protect system resources
- Developing skills and knowledge so computer users can perform their jobs more securely
- Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems
SETA
Security Education
- Everyone in an organization needs to be trained and aware of information security, but not every member of the organization needs a formal degree or certificate in information security.
- When formal education in security is needed for appropriate individuals, an employee can identify curriculum available from local institutions of higher learning or continuing education.
- A number of universities have formal coursework in information security (see for example http://infosec.kennesaw.edu).
Security Training
- Security training involves providing members of the organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely.
- Management of information security can develop customized in-house training or outsource the training program.
Security Awareness
- One of the least frequently implemented, but most beneficial, programs is the security awareness program.
- It is designed to keep information security at the forefront of the users’ minds.
- It need not be complicated or expensive.
- If the program is not actively implemented, employees begin to ‘tune out’, and the risk of employee accidents and failures increases.
Awareness at KSU
Comments
Defense in Depth
- One of the foundations of security architectures is the requirement to implement security in layers.
- Defense in depth requires that the organization establish sufficient security controls and safeguards, so that an intruder faces multiple layers of controls.
Security Perimeter
- The point at which an organization’s security protection ends, and the outside world begins, is referred to as the security perimeter.
- Unfortunately the perimeter does not apply to internal attacks from employee threats, or to on-site physical threats.
Defense in Depth
Perimeters and Domains
Key Technology Components
Other key technology components:
- A firewall is a device that selectively discriminates against information flowing into or out of the organization.
- The DMZ (demilitarized zone) is a no-man’s land between the inside and outside networks, where some organizations place Web servers.
- In an effort to detect unauthorized activity within the inner network, or on individual machines, an organization may wish to implement Intrusion Detection Systems, or IDS.
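As an added illustration, not from the slides or the textbook, the following Python model walks a network flow through two of the layers named above: a perimeter firewall between the Internet, DMZ and internal zones, and an IDS on the inner network. It makes the perimeter caveat concrete: internal-to-internal traffic never crosses the perimeter, so only the second layer can catch it. The zone address ranges, the rule table and the IDS signature strings are all constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones using documentation / private ranges (not a real network).
ZONES = {
    "internet": ip_network("203.0.113.0/24"),  # stands in for the outside world
    "dmz": ip_network("192.0.2.0/24"),         # where the Web servers sit
    "internal": ip_network("10.0.0.0/8"),      # the inner network
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    payload: str = ""


def zone_of(addr: str) -> str:
    """Map an address to the zone it belongs to, or 'unknown'."""
    for name, net in ZONES.items():
        if ip_address(addr) in net:
            return name
    return "unknown"


# Constructed perimeter policy: only these (src_zone, dst_zone, port) flows pass.
PERIMETER_RULES = {
    ("internet", "dmz", 443),    # outside users reach the DMZ web tier
    ("dmz", "internal", 5432),   # web tier reaches the internal database
    ("internal", "internet", 443),
}


def perimeter_firewall(flow: Flow) -> str:
    """Layer 1: the perimeter only sees flows that cross a zone boundary."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "not-inspected"  # the perimeter never sees this traffic
    return "allow" if (src_zone, dst_zone, flow.port) in PERIMETER_RULES else "deny"


# Constructed, illustrative signature strings for the inner-network IDS.
IDS_SIGNATURES = ("' OR 1=1", "xp_cmdshell")


def ids_inspect(flow: Flow) -> list:
    """Layer 2: the IDS inspects payload content regardless of zone."""
    return [sig for sig in IDS_SIGNATURES if sig in flow.payload]


def evaluate(flow: Flow) -> dict:
    """Report what each layer concluded; denied flows never reach the IDS."""
    verdict = perimeter_firewall(flow)
    alerts = ids_inspect(flow) if verdict != "deny" else []
    return {"perimeter": verdict, "ids_alerts": alerts}
```

Running evaluate on an internal-source flow returns "not-inspected" from the perimeter while the IDS still raises its alert, which is the defense-in-depth argument the slides make.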
Key Components
IDS