ISA 562 Summer 2008 1 Information Security Management CISSP Topic 1 ISA 562 Internet Security Theory and Practice.

Dec 18, 2015

Download

Documents

Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: Information Security Management (ISA 562 Summer 2008)

Information Security Management

CISSP Topic 1

ISA 562 Internet Security Theory and Practice

Page 2: Course Outline

• An introductory course at the graduate level

• It covers the topics of the CISSP exam at varying depth
– But is NOT a CISSP course

• Textbooks:
– Matt Bishop: Computer Security Art and Science
– Official ISC2 Guide to the CISSP CBK

Page 3: Objectives

• Roles and responsibilities of individuals in a security program

• Security planning in an organization

• Security awareness in the organization

• Differences between policies, standards, guidelines and procedures

• Risk Management practices and tools

Page 4: Syllabus of the Course

• Bishop’s book for the first part

• Papers for some classes

• ISC2 book for the second part

• Cover material relevant to the PhD qualifying examination in security

Page 5: Introduction

• Purpose of information security:
– to protect an organization's information resources: data, hardware, and software.

• To increase organizational success: information systems (IS) are critical assets supporting its mission

Page 6: Information Security TRIAD

• The overarching goals of information security are addressed through the AIC TRIAD (Availability, Integrity, Confidentiality).

Page 7: IT Security Requirements - I

Security should be designed for two requirements:

1. Functional: define the behavior of the control means, based on risk assessment
• Properties: should not depend on another control
• Why? Fail safe by maintaining security during a system failure

2. Assurance: provide confidence that security functions perform as expected.
• Internal/External audit
• Third-party reviews
• Compliance to best practices

Examples:
– Functional: a network firewall to permit or deny traffic.
– Assurance: logs are generated, monitored, and reviewed
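To make the functional/assurance split concrete, here is an added Python example (not from the slides or the course): a toy packet filter stands in for the network firewall of the functional example, and a log-review routine stands in for the assurance example (logs generated, then reviewed against an expectation the reviewer derives from policy, not from the firewall code). The rule set, addresses, ports and sample traffic are constructed for illustration.

```python
"""Functional control versus assurance evidence.

Added example, not from the course slides. A toy packet filter is the
functional control (it permits or denies traffic); the decision log it
writes, plus a review routine that checks the log against what the policy
says must be denied, is the assurance side (logs generated, then reviewed).
All addresses, ports and rules below are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

# Constructed rule set: (action, source prefix, destination port).
# First match wins; the last rule is a catch-all deny (fail-safe default).
RULES: List[Tuple[str, str, int]] = [
    ("permit", "10.0.0.", 443),
    ("permit", "10.0.0.", 22),
    ("deny", "", 0),  # port 0 here means "any port"
]


class Firewall:
    """The functional control: decides permit/deny and logs every decision."""

    def __init__(self) -> None:
        self.log: List[Dict[str, object]] = []

    def evaluate(self, src: str, port: int) -> str:
        for action, prefix, rule_port in RULES:
            if src.startswith(prefix) and rule_port in (0, port):
                self.log.append({"src": src, "port": port, "action": action})
                return action
        # Not reachable with the catch-all above; kept so the control still
        # fails safe if someone removes the default rule.
        self.log.append({"src": src, "port": port, "action": "deny"})
        return "deny"


def review_log(log: List[Dict[str, object]],
               traffic: List[Tuple[str, int]],
               must_deny: Set[Tuple[str, int]]) -> Dict[str, object]:
    """The assurance check: did the control run, and did it behave as expected?

    `traffic` is what was sent through the control; `must_deny` is the
    reviewer's independent expectation derived from policy, not from the
    firewall code. Returns a small report rather than printing it.
    """
    logged = {(e["src"], e["port"]) for e in log}
    denied = {(e["src"], e["port"]) for e in log if e["action"] == "deny"}
    return {
        "all_logged": all(flow in logged for flow in traffic),
        "denials_ok": must_deny <= denied,
        "denial_count": len(denied),
    }


# Constructed sample traffic: two flows the policy allows, two it must block.
SAMPLE_TRAFFIC: List[Tuple[str, int]] = [
    ("10.0.0.5", 443),
    ("10.0.0.7", 22),
    ("192.168.1.9", 443),  # wrong source network
    ("10.0.0.5", 3389),    # right network, non-permitted port
]
EXPECTED_DENIALS: Set[Tuple[str, int]] = {("192.168.1.9", 443), ("10.0.0.5", 3389)}


def run_sample() -> Dict[str, object]:
    """Run the sample traffic through the control and review the log."""
    fw = Firewall()
    decisions = [fw.evaluate(src, port) for src, port in SAMPLE_TRAFFIC]
    report = review_log(fw.log, SAMPLE_TRAFFIC, EXPECTED_DENIALS)
    report["decisions"] = decisions
    return report


if __name__ == "__main__":
    print(run_sample())
```

The point of keeping `review_log` separate from `Firewall` is the one the slide makes: the control's own "I denied it" return value is not assurance. Assurance is the independent evidence (the log) being checked by someone other than the control, so a log with entries missing fails the review even if the firewall itself behaved correctly.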

Page 8: Organizational & Business Requirements

• Focus on organizational mission:
– Business or goals driven

• Depends on type of organization:
– Military, Government, or Commercial.

• Must be sensible and cost effective
– Solution considers the mission and environment trade-off

Page 9: IT Security Governance

• Integral part of corporate governance:
– Fully integrated into overall risk-based threat analysis

• Ensure that IT infrastructure:
– Meets all requirements.
– Supports the strategies and objectives of the company.
– Includes service level agreements [if outsourced].

Page 10: Security Governance: Major parts

1. Leadership:
• Security leaders must be part of the company leadership, where they can be heard.

2. Structure:
• Occurs at many levels and should use a layered approach.

3. Processes:
• Follow internationally accepted “best practices”: job rotation, separation of duties, least privilege, mandatory vacations, etc.
• Examples of standards: ISO 17799 & ISO 27001:2005

Page 11: Security Blueprints

• Provide a structure for organizing requirements and solutions.
– Ensure that security is considered holistically.

• To identify and design security requirements

Page 12: Policy Overview

1. The operational environment is a web of laws, regulations, requirements, and agreements or contracts with partners and competitors

2. These change frequently and interact with each other

3. Management must develop and publish security statements addressing policies and supporting elements, such as standards, baselines, and guidelines.

Page 13: Policy overview

Page 14: Functions of Security policy

1. Provide management goals and objectives in writing
2. Ensure document compliance
3. Create a security culture
4. Anticipate and protect others from surprises
5. Establish the security activity/function
6. Hold individuals responsible and accountable
7. Address foreseeable conflicts
8. Make sure employees and contractors are aware of organizational policy and changes to it
9. Require an incident response plan
10. Establish a process for exception handling, rewards, and discipline

Page 15: Policy Infrastructure

1. High-level policies are interpreted into functional policies.

2. Functional policies are derived from the overarching policy and create the foundation for procedures, standards, and baselines to accomplish the objectives.

3. Policies gain credibility through top management buy-in.

Page 16: Examples of Functional Policies

1. Data classification
2. Certification and accreditation
3. Access control
4. Outsourcing
5. Remote access
6. Acceptable mail and Internet usage
7. Privacy
8. Dissemination control
9. Sharing control

Page 17: Policy Implementation

• Standards, procedures, baselines, and guidelines turn management objectives and goals [functional policies] into enforceable actions for employees.

Page 18: Standards and procedures

1. Standards (local): adoption of common hardware and software mechanisms and products throughout the enterprise.
– Examples: Desktop, Anti-Virus, Firewall

2. Procedures: step-by-step actions that must be followed to accomplish a task.

3. Guidelines: recommendations for product implementations, procurement and planning, etc.
– Examples: ISO 17799, Common Criteria, ITIL

Page 19: Security Baselines

• Benchmarks: ensure that a minimum level of security configuration is provided across implementations and systems.
– Establish consistent implementation of security mechanisms.
– Platform unique

• Examples: VPN setup, IDS configuration, password rules
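A baseline only does its job if something checks systems against it. The following added Python example (not from the slides or the course) takes the password-rules example from this slide and compares a host's reported settings against a constructed benchmark, reporting every deviation, including settings that are simply missing. The baseline values, setting names and host configurations are all constructed for illustration; a real organization keeps one such baseline per platform with its own required values.

```python
"""Checking a host's settings against a security baseline.

Added example, not from the course slides. The baseline below is a constructed
password-rules benchmark; a real organization would keep one such baseline per
platform (the "platform unique" point) with its own required values.
"""
from typing import Any, Dict, List, Tuple

# Constructed baseline: setting -> (comparison, required value).
#   "min": host value must be >= required
#   "max": host value must be <= required
#   "eq":  host value must equal required
PASSWORD_BASELINE: Dict[str, Tuple[str, Any]] = {
    "min_length": ("min", 12),
    "max_age_days": ("max", 90),
    "history_remembered": ("min", 10),
    "lockout_threshold": ("max", 5),
    "complexity_required": ("eq", True),
}


def check_baseline(config: Dict[str, Any],
                   baseline: Dict[str, Tuple[str, Any]] = PASSWORD_BASELINE) -> List[str]:
    """Return one finding per deviation; an empty list means the host is compliant.

    A setting absent from the config is reported as a finding: a baseline
    guarantees a minimum, so "not configured" can never count as a pass.
    """
    findings: List[str] = []
    for key, (mode, required) in baseline.items():
        if key not in config:
            findings.append(f"{key}: not set (baseline requires {mode} {required})")
            continue
        actual = config[key]
        if mode == "min":
            ok = actual >= required
        elif mode == "max":
            ok = actual <= required
        else:  # "eq"
            ok = actual == required
        if not ok:
            findings.append(f"{key}: {actual!r} violates baseline ({mode} {required})")
    return findings


# Constructed host configurations, as a configuration-collection agent might
# report them; these are not real systems.
COMPLIANT_HOST: Dict[str, Any] = {
    "min_length": 14,
    "max_age_days": 60,
    "history_remembered": 24,
    "lockout_threshold": 5,
    "complexity_required": True,
}
DRIFTED_HOST: Dict[str, Any] = {
    "min_length": 8,            # below the minimum
    "max_age_days": 365,        # above the maximum
    "history_remembered": 10,   # exactly the minimum: passes
    # lockout_threshold missing: counts as a finding
    "complexity_required": False,
}

if __name__ == "__main__":
    for name, host in (("compliant", COMPLIANT_HOST), ("drifted", DRIFTED_HOST)):
        print(name, check_baseline(host) or "OK")
```

Treating a missing setting as a finding rather than skipping it is the design choice worth noticing: the slide defines a baseline as a guaranteed minimum across systems, and a host that never reports a value has not demonstrated that minimum.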

Page 20: Three Levels of security planning

1. Strategic: long term
• Focus on high-level, long-range organizational requirements
– Example: overall security policy

2. Tactical: medium-term
• Focus on events that affect all of the organization
– Example: functional plans

3. Operational: short-term
• Fight fires at the keyboard level, directly affecting how the organization accomplishes its objectives.

Page 21: Organizational roles and responsibilities

• Everyone has a role:
– with responsibility clearly communicated and understood

• Duties associated with the role must be assigned

• Examples:
– Securing email
– Reviewing violation reports
– Attending awareness training

Page 22: Specific Roles and Responsibilities (duties)

• Executive Management:
– Publish and endorse security policy
– Establish goals and objectives
– State overall responsibility for asset protection.

• IS security professionals:
– Security design, implementation, management
– Review of organization security policies.

• Owner:
– Information classification
– Set user access conditions
– Decide on business continuity priorities

• Custodian:
– Entrusted with the security of the information

• IS Auditor:
– Audit assurance guarantees.

• User:
– Compliance with procedures and policies

Page 23: Personnel Security: Hiring staff

• Background check/Security clearance
• Check references/Educational records
• Sign employment agreement
– Non-disclosure agreements
– Non-compete agreements
• Low-level checks
• Consult with HR Department
• Termination/dismissal procedure

Page 24: Third party considerations

• Include:
– Vendors/Suppliers
– Contractors
– Temporary Employees
– Customers

• Must establish procedures for these groups.