Writing an Operational Security Plan
E. Jane Powanda
ITSC
FISSEA 2005 Conference, March 22, 2005
[email protected]
301 513-0143

The Operational Security Plan
Roadmap for Management and Operations

Why Have a Security Plan
  Documents implemented security measures
  Documents planned security measures
  Documents security goals based on threats and risk
  Documents security roles and responsibilities for staff
  Identifies security requirements for inclusion in formal agreements with partners and other organizations that may provide application services
  Documents security decisions made by management

Security Plan in the Security Framework
[Diagram: the security framework shown as layers, listed here top to bottom]
  Security Guiding Principles (Philosophy): personal accountability, authority, responsibility, policy update and review, management commitment, security goals, data sensitivity, special features
  Procedures, Standards/Guidelines, Plans
  Security Implementation

Writing the Security Plan
  Demonstrates due diligence!
  Changes with technology
  Based on policy
  Directives for staff action
  Dessert?
  Based on our recent risk assessment
  Will justify our security budget

Resources
  NIST SP 800-18 - Guide for Developing Security Plans for Information Technology Systems, December 1998. Other resources at http://csrc.nist.gov
  ISO 17799 - Information Technology - Code of practice for information security management
  CIO Council – experience of other agencies

Writing the Security Plan
  Introduction
  The Application and its Environment
  Roles and Responsibilities
  Operational Security Controls
  Other Optional Topics
  Glossary

Introduction
  Scope
  Purpose
  Intended audience
  Plan maintenance
  Points of contact
  Relevant policies and guidelines
  Document organization
The introduction provides the basis for both the plan and the document, and addresses some management aspects of the planning process.

Scope
  Sets the bounds for the plan
  Is this a new system or an addition to the current system?
  Is this for a single application or a general use system?
  What is not included in the plan?

Purpose
  Why the Plan exists
  Provides a compendium of security measures currently implemented
  Documents measures taken by management to demonstrate due diligence with respect to security

Intended Audience
  Who might be reading this document?
    Program management
    IT management
    Program operational staff
    IT staff
    Program partners
    Auditors

Plan Maintenance
  Who updates this plan?
  How often is it updated?
  Who reviews and authorizes updates to the plan?

Point of Contact
  Name or position of person who can provide more information about the plan
  Phone number or e-mail address

Relevant Policies and Guidelines
  Federal legislation or guidelines on which plan is based
  State legislation or guidelines on which plan is based
  Internal policies or guidelines

Document Organization
  Description of each of the sections of the plan

The System and its Environment
  Functional description of the application or system
  Program organization
  Hardware
  Software
  Operational environment
  Data sensitivity
  Threats to the system
  Security goals
This section provides information about the system and the environment in which it operates. It sets the stage for the plan.

System Functional Description
  Hours of operation
  End user interfaces
    Paper
    Web
    E-mail
    IVR
  The services provided to users
    Internal staff
    External clients
Identify what the system does from a layman’s point of view.

Hardware
  List the hardware elements that belong to this system
    Mainframe
    Servers
    Storage devices
    Workstations
    Firewalls

Software
  List software elements
    Operating system
    Network software if applicable
    Application software
  Language written in
  Size and complexity of software
  Architecture or how organized
    Mainframe
    Client / server
    Web based

IT Operational Environment
  Describe the infrastructure
    Firewalls
    Subnets
    Connecting networks
    External interfaces
    Dial in access
  Provide a drawing that shows the different parts of the system on a network diagram

Data Sensitivity
  Business need for sharing or restricting information
  Business impact of failure to protect sensitive data
  What kind of information is considered sensitive?
  Are privacy laws and regulations applicable?
  Describe the different categories or types of sensitive data
  Describe implications of sensitivity with respect to
    Confidentiality
    Integrity
    Availability

Threats
  Major threats and security concerns
  Examples
    Hacker attacks
    Insider fraud
    External fraud
    Physical attack
    Employee discontent

Security Goals
  Discuss security objectives with respect to each of the following
    Availability of service
    Confidentiality of client information
    Accountability of actions
    Integrity of data operations
  Rate the goals in order of importance

Security Operational Controls
  Assignment of roles and responsibilities
  Management controls
  Operational controls
  Technical controls

Roles and Responsibilities
  Program organization
    Business staff
    Technical staff
    Management staff
    Operational staff
  The IT organization
  Other agency organizations that provide services
  Data sharing partners
  Internet application system users
  Examples of security functional responsibilities
    Who does the backups
    Who does security training
    Who authorizes system access
    Who sets policy
    Who maintains this plan

Management Controls
  Risk management
  Incident handling
  Contingency plans

Risk Management
  Has there ever been a security assessment performed on the system?
    When was it done, by whom, how extensive?
  Generally describe the methods used for resolving security problems identified
  What management procedures are in place to periodically review and contain security risk?
  Update the plan when new controls are implemented or planned
  Never document security vulnerabilities in the plan

Incident Handling
  What is considered to be a “security incident”?
  Identify procedures in place to deal with a security incident
    Detection
    Reporting
    Resolution
  What actions are taken to ensure that staff can recognize and respond to a security incident?

Contingency Plans
  Business continuity plan
    How will the business continue to operate in spite of disaster?
    Who is responsible for the plan and its execution?
    When was the last time it was updated and tested?
    When will it be tested again?
  Disaster recovery plan
    How will IT operations be brought back to normal?
    Who is responsible for the plan?
    When was the last time it was updated and tested?
    When will it be tested again?

Operational Controls
  Application maintenance
  Access to system and privileges
  Authentication of users
  Audits
  Backup and recovery
  Disposal of information and equipment
  Security training
  Integrity controls
  Physical security
  Personnel security

Application Maintenance
  Software maintenance
    Describe the change management process
    Who writes code, tests it, approves it, installs it on the production system?
    Is security testing performed?
    How is configuration control maintained?
      Source code
      Executable code
  Hardware maintenance
    How much downtime can be tolerated?
    What measures are taken to ensure hardware availability?

Access to System and Privileges
  Identify who authorizes access to systems and software
  Describe how new access authorizations get implemented
  Identify who makes the changes on the system
  What procedures are in place to terminate access for those that no longer need it?

Audit Data
  What activities will be audited?
    Selected staff actions
    All administrator actions
    Partner access and/or modification of data
    Customer actions
  How long is audit data kept?
  Is it stored in a safe place?
  How is it protected from viewing and modification?
  Is enough buffer space allocated for audit data to prevent overwrite?
  Is someone assigned to review audit data on a regular basis?

Backup and Recovery
  Enterprise data backup
    Identify what data is backed up by the system and considered recoverable
    Identify how often data is backed up
    Discuss existence of offsite backup and how long it would take to retrieve it in the event of an emergency
    What is the tape rotation schedule – how many tapes or other media are used?
  Personal backup
    What backup responsibilities do users have?
  Restoration
    How will data be restored and how long will it take?
    When was the last time a successful recovery from a backup was demonstrated?

Handling of Information & Equipment
  Security markings on information and equipment
  Equipment disposal
    Computers
    Workstations
    Storage media
  Equipment maintenance
    Outside repair
    In-house repair
  Information disposal
    What information must be disposed of securely?
    Procedures for destroying paper containing sensitive information
    Procedures for destroying floppy disks or CDs containing sensitive information

Security Training
  How is security awareness conveyed to staff?
    Annual security awareness training
    Monthly security bulletins
    Security posters
  How is security training provided for IT staff and programmers?
    Prevent web coding flaws
    Firewalls and network architecture
  How is security training provided to administrators?
    Locking down servers
    Reviewing audit information
    Performing vulnerability scans including wireless
    Patch management
  Other specific role or job based security training

Integrity Controls
  Identify features implemented to ensure that the system has not been modified without authorization
    Software checksums or signatures
    Other security software
  Identify the virus software and vulnerability scans used on the system, how often they run, and how often they are updated
  Patch management documented plan
    Who monitors for new patch releases and installs them?
    How often are patches installed?
    Number of vendors to monitor

Physical Security
  Facility security
    Describe the personnel entry system and how access rules are enforced for building access, building protections
  Computer room security
    Describe the personnel entry system and possible contingency entry in event of emergency
  Communications room security
    Describe the personnel entry system and possible contingency entry in event of emergency
  Other locked areas (storage of software, blank checks, etc.)
    Describe the personnel entry system and possible contingency entry in event of emergency
  Workstation security
    Use of UPS to prevent damage during power interruption
    Preventing laptop theft
  Computer room environmental controls

Personnel Security
  Staff background checks
  Staff security requirements
    Badges
    Reporting suspicious activity
  Visitor control
    Sign in log
    Escort requirements
  Maintenance staff
  After hours activity – preventing theft and disclosure of sensitive information
  Confidentiality agreements
  Expected behavior agreements

Technical Controls
  Identification and authentication
  Access control
  Audit
  Encryption
Addresses technology used to implement these controls.

Identification & Authentication
  User IDs
  Describe how staff are authenticated
    Biometrics – fingerprint
    Password
    Tokens
  Describe how authorized non-staff are authenticated for both web access and direct system access
  Describe how customers/clients are authenticated when accessing the system over the web

Logical Access Controls
  Mainframe access controls
  Client server access controls
  Web transaction access controls

Audit
  What automated audit features are provided?
    Operating system based
    Application based
    Other
  What automated analysis tools are used?

Encryption
  Usage
    Network transmissions
    Web transactions
    Database
    Passwords
  Algorithms used
  Products used within the organization

Other Optional Topics
  Personnel safety
  Rules of behavior
  Others?

Personnel Safety
  Evacuation plan in event of emergency
    Evacuating and accounting for personnel in building
  After hours activity
    Identify special measures for after hours activity in work areas including escorts to parking lot
  Protection of personal property
    Who to notify for suspected theft
  Fire extinguishers
    Location and plan to ensure readiness
  Emergency phone numbers
    Both during and after work hours
  Medical emergency
    Phone numbers and identification of trained medical professionals in building

Security Plan Closing Thoughts
It is not necessary, or even desirable, to actually have all the topics fully covered in the plan (300 pound books are difficult to carry around). A reference to the information documented elsewhere is sufficient.
The list of topics presented here is not all-inclusive, definitive or mandatory.
  If a topic not covered here is important – add it
  If a topic covered here is irrelevant – drop it
Build a plan to fit YOUR needs. Keep it brief.