ISA 562

1. Information Security Management CISSP Topic 1 ISA 562 Internet Security Theory and Practice

An introductory course at the graduate level

It covers the topics of

The CISSP exam at varying depth

But is NOT a CISSP course

Textbooks:

Matt Bishop: Computer Security Art and Science

Official ISC 2Guide to the CISSP CBK

Bishops book for the first part

Papers for some classes

IC 2book for the second part

Cover material relevant to the PhD qualifying examination in security

Purpose of information security:

to protect an organization's informationresources data, hardware, and software.

To increase organizational success: IS arecritical assetssupporting its mission

The Overhanging goals of information security are addressed through the AIC TRIAD.

Security should be designed for two requirements:

Functional :Definebehaviorof the control meansbased on risk assessment

Properties :

should not depend on another control:

Why? fail safe by maintaining security during asystemfailure

Assurance:Provideconfidencethat security functions perform as expected.

Internal/External Audit.

Third Party reviews

Compliance to best practices

Examples

Functional: a network Firewall to permit or deny traffic.

Assurance: logs are generated, monitored, and reviewed

Focus on organizational mission:

Business or goals driven

Depends on type of organization:

Military , Government, or Commercial.

Must be sensible and cost effective

Solution considers the mission and environmentTrade-off

Integral part of corporate governance:

Fully integrated into overall risk-based threat analysis

Ensure that IT infrastructure:

Meets all requirements.

Supports the strategies and objectives of the company.

Includes service level agreements [if outsourced].

Leadership:

Security leaders must be part of the company leadership -- where they can be heard.

Structure:

occurs at many levels and should use a layered approach.

Processes:

follow internationally accepted best practices :

Job rotation , Separation of duties, least privilege, mandatory vacations, etc.

Examples of standards : ISO 17799 & ISO 27001:2005

Provide a structure for organizing requirements and solutions.

Ensure that security is considered holistically.

To identify and design security requirements

Operational environment is a web of laws, regulations, requirements, and agreements or contracts with partners and competitors

Change frequently and interact with each other

Management must develop and publish security statements addressing policies and supporting elements, such as standards , baselines, and guidelines.

Provide Management Goals and Objectives in writing

Ensure Document compliance

Create a security culture

Anticipate and protect others from surprises

Establish the security activity/function

Hold individuals responsible and accountable

Address foreseeable conflicts

Make sure employees and contractors aware of organizational policy and changes to it

Require incident response plan

Establish process for exception handling, rewards, and discipline

High level policies interpreted into functional policies.

Functional polices derived from overarching policy and create the foundation for procedures, standards, and baselines to accomplish the objectives

Polices gain credibility by top management buy-in.

Data classification

Certification and accreditation

Access control

Outsourcing

Remote access

Acceptable mail and Internet usage

Privacy

Dissemination control

Sharing control

Standards, procedures, baselines, and guidelines turn management objectives and goals [functional policies] into enforceable actions for employees.

Standards (local): Adoption of common hardware and software mechanism and products throughout the enterprise.

Examples: Desktop, Anti-Virus, Firewall

Procedures: step by step actions thatmustbe followed to accomplish a task.

Guidelines: recommendations for product implementations, procurement and planning, etc.

Examples: ISO17799, Common Criteria, ITIL

Benchmarks: to ensure that a minimum level of security configuration is provided across implementations and systems.

establish consistent implementation of security mechanisms.

Platform unique

Examples:

VPN Setup,

IDS Configuration,

Password rules

Strategic: long term

Focus on high-level, long-range organizational requirements

Example: overall security policy

2. Tactical: medium-term

Focus on events that affect all the organization

Example: functional plans

3. Operational: short-term

Fight fires at the keyboard level, directly affecting how the organization accomplishes its objectives.

Everyone has a role:

with responsibility clearly communicated and understood

Duties associated with the role must be assigned

Examples:

Securing email

Reviewing violation reports

Attending awareness training

Executive Management:

Publish and endorse security policy

Establish goals and objectives

State overall responsibility for asset protection.

IS security professionals:

Security design, implementation, management,

Review of organization security policies.

Owner:

Information classification

Set user access conditions

Decide on business continuity priorities

Custodian:

Entrusted with the Security of the information

IS Auditor:

Audit assurance guarantees.

Compliance with procedures and policies

Background check/Security clearance

Check references/Educational records

Sign Employment agreement

Non-disclosure agreements

Non-compete agreements

Low level Checks

Consult with HR Department

Termination/dismissal procedure

Include:

Vendors/Suppliers

Contractors

Temporary Employees

Customers

Must established procedures for these groups.

ISA 562

Documents

security activityfunction

security leaders

security culture

security statements

security blueprints

overall security policy

functions of security

design security requirements