3. Change Control
4. Data Classification
5. Data & Information
6. Employment Policy and Practice
7. Policy, Standard, Guideline and Procedure
Security management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures, and guidelines that ensure confidentiality, integrity, and availability. Management tools such as data classification, risk assessment, and risk analysis are used to identify threats, classify assets, and rate their vulnerabilities so that effective security controls can be implemented.
• Security Management Concepts & Principles
• Change Control/Management
• Data Classification
• Information/Data
• Employment Policies & Practices
• Policies, Standards, Guidelines and Procedures
• Roles & Responsibilities
• Security Awareness Training
• Security Management Planning
Reference: CISSP Study Guide, ISC2
• The planning, organization, and roles of individuals in identifying and securing an organization's information assets
• The development and use of policies stating management's views and position on particular topics, and the use of guidelines, standards, and procedures to support the policies
• Security awareness training
• The importance of confidentiality, proprietary and private information
• Employment agreement, hiring, and termination practices
• Risk management practices
Reference: CISSP Study Guide, ISC2
Confidentiality
- About preventing unauthorized users reading information to which they are not entitled.
- Ensuring that information is accessible only to those authorized to have access (BS7799).
• Privacy: protection of personal data
• Secrecy: protection of data belonging to an organization
Integrity
- Making sure things are as they should be.
- Safeguarding the accuracy and completeness of information and processing methods (BS7799).
- In the context of computing, integrity is about preventing unauthorized users writing information to which they are not entitled.
- In a general system, integrity is about ensuring that system state has not been modified by those not authorized to do so.
Availability
- Ensuring that authorized users have access to information and associated assets when required (BS7799).
- About a system's services being accessible on demand by an
Accountability
- The property that enables activities on a system to be traced to individuals who may then be held responsible for their actions.
- This is typically done by securely identifying users, and keeping an audit trail of security-relevant events.
Reliability
- The extent to which a computer can be expected to perform its intended function with the required precision on a consistent basis.
- The probability of a given system performing its mission adequately for a specified period of time under the expected operating conditions.
Identification
- The process that enables recognition of an entity (subject or object) by a computer system, generally by use of unique machine-readable user names.
Authentication
- The act of identifying or verifying the eligibility of a workstation, originator, or individual to access specific categories of information. It provides assurance regarding the identity of a subject or object, for example, ensuring that a particular user is who he claims to be.
Authorization
- The privilege granted to an individual by management to access information based on the individual's clearance and need-to-know.
Non-repudiation
- An authentication that with high assurance can be asserted to be genuine, and that cannot subsequently be refuted. It is the security service by which the entities involved in a communication cannot deny having participated.
(9) Audit
- An independent review and examination of system records and activities to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.
(1) Why is change control & change management a security issue?
– Many businesses live or die on data integrity
– Changes can break a security model
– Modifying a system breaks its warranty
(2) Needed since the change requester does not understand the security implications of their request
(3) The security administrator must carefully analyze and assess the impact on the system
3. Change Control & Management
* From Rothke's material
• Application and operating systems software
– Upgrades
– Service packs, patches, fixes
– Changes to the firewall rulebase/proxies
– Router software
Security Management Practices
신수정신수정신수정신수정
3.4 Requirements for change control to work
• For change control & management to work, you must have:
– Golden copies of the software, for comparison use or database generation
– Secure infrastructure. Software must be securely stored on physically protected media. If an intruder can get root and change the golden copies, then the change control tools will be ineffective.
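As an added example (not from the original slides or from Rothke's material), the Python script below shows the golden-copy comparison the slide describes: a manifest of SHA-256 digests is built from the known-good copy, and the running copy is later compared against it to list modified, missing and added files. The directory layout, file names and contents are constructed for the demonstration; in practice the manifest would be generated from the protected golden copy and itself kept on read-only or offline media, for the reason the slide gives.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_to_golden(golden: dict, current: dict) -> dict:
    """Report every way the current tree differs from the golden manifest."""
    return {
        "modified": sorted(k for k in golden if k in current and golden[k] != current[k]),
        "missing": sorted(k for k in golden if k not in current),
        "added": sorted(k for k in current if k not in golden),
    }


def demo() -> dict:
    """Constructed scenario: take a manifest, then alter the tree and detect the changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "firewall.rules").write_text("allow tcp 443\ndeny all\n")
        (root / "bin" / "service").write_bytes(b"constructed binary contents")

        golden = build_manifest(root)  # would be stored on protected media

        # Simulate changes made outside the change-control process.
        (root / "etc" / "firewall.rules").write_text("allow tcp 443\nallow all\n")
        (root / "bin" / "extra").write_bytes(b"constructed, not in golden copy")
        (root / "bin" / "service").unlink()

        return compare_to_golden(golden, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison is only as trustworthy as the manifest: if the same host that is being checked can also rewrite the manifest, an intruder with root simply regenerates it after making changes, which is the failure mode the slide warns about.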
3.5 Policy
• Policies, procedures and processes
– Develop policies that will stabilize the production processing environment by controlling all changes made to it
– Formal change control processes will help to ensure that only authorized changes are made, that they are made at the approved time, and that they are made in the approved manner
– Promptly implement security patches, command scripts, & similar from vendors, CERT, CIAC, etc.
– Have procedures for roll-back to prior versions in case of problems; don't burn your software bridges
• Configuration Management
– The management of changes made to a system's HW, SW, firmware, documentation, test, and test documentation throughout the development & operational life of the system: continuous management, tracking and control of operation and change (version control, change request tracking, ...)
– Is clearly key to a product assurance program.
– Can control changes to those baselines and help to assure system integrity and traceability throughout the software life cycle by providing a foundation for product and performance measurement.
4. Data Classification
(2) Information Classification (BS7799)
- Objective: to ensure that information assets receive an appropriate level of protection
- Information should be classified to indicate the need, priorities and degree of protection
- Information has varying degrees of sensitivity and criticality.
- An information classification system should be used to define an appropriate set of protection levels, and communicate the need for special handling measures.
- The responsibility for defining and periodically reviewing the classification should rest with the originator or nominated owner of the data.
• (4) Top Secret - applies to the most sensitive business information which is intended strictly for use within the organization. Unauthorized disclosure could seriously and adversely impact the company, stockholders, business partners, and/or its customers
• (3) Secret - Applies to less sensitive business information which is intended for use within a company. Unauthorized disclosure could adversely impact the company, its stockholders, its business partners, and/or its customers
• (2) Confidential - Applies to personal information which is intended for use within the company. Unauthorized disclosure could adversely impact the company and/or its employees
• (1) Unclassified - Applies to all other information which does not clearly fit into any of the above three classifications. Unauthorized disclosure isn’t expected to seriously or adversely impact the company
* From Rothke's material
4.3 Classification Example
(1) Unclassified: "common sense", a minimum security level (especially if systems are networked)
• Network sniffing software should not be installed.
• A virus scanner should be installed (DOS/Windows).
• Accounts should only exist for authorised persons and must always have a password.
• Screen locking with password protection should be activated automatically after 15 minutes idle time.
• Write access to network filesystems should be restricted to groups of
(2) Confidential: Orange Book C1 (Discretionary Security Protection). C1 is used for co-operating users working with data of the same sensitivity level.
• Documentation: test, security design philosophy, security features user guide (description of security mechanisms from the user's point of view), trusted facility manual (i.e. security administration guide).
• Assurance: system architecture: does the TCB run in protected mode? Functions should exist for checking hardware & firmware integrity. Have the security mechanisms been successfully tested?
• User identification and authorisation is required, along with protection of authorisation data.
• Discretionary access control: access is controlled between named users (or user groups) and named objects.
* D: minimal, C: Discretionary, B: Mandatory, A: Mandatory & Verified (TCSEC, DoD Orange Book)
(3) Secret: Orange Book C2 + secure data transmission.
• C2 (Controlled Access Protection): as C1 plus additional requirements for: trusted facility manual (describe C2 mechanisms), identification & authorisation (no group accounts may exist), discretionary access control (control assignment of privileges) and security testing (test C2 mechanisms).
• User accountability: users are accountable for their actions. Audit trails should be available with monitoring and alert functions. Audit logs should be protected.
• Object re-use: objects used by a subject should be reinitialised before use by another subject, i.e. it should not be possible to compromise security by reuse of objects.
• Secure data transmission: when sending messages or when programs communicate with each other, privacy and completeness (i.e. confidentiality and integrity) must be maintained. For certain applications it may also be necessary that the receiver be absolutely sure that the information comes from the sender and not someone else. This is called non-repudiation of origin. It may also be required that the sender must be sure that the message was received by the intended receiver: non-repudiation of receipt.
(4) Top Secret: Orange Book B1 + secure data transmission.
• B1 (Labelled Security Protection): as in C2 plus additional requirements for identification & authentication (maintain security compartment information), trusted facility manual (B1 mechanisms & how to change security compartment), design manual (description of the security model & mechanisms), assurance (system architecture: process isolation, integrity checking; security testing: try penetration attacks & remove flaws) and auditing (log security levels of objects).
• Labels: maintain sensitivity labels under control of the TCB, input/output of labelled information, label integrity (linked to objects), label human-readable output, single- & multi-level I/O.
• Verification of specification & design: does the system behave according to the Design Manual?
• Exporting of labelled information, exporting to multilevel and single-level devices.
• Mandatory access control: access control for objects & subjects is specified by the TCB (i.e. not the user).
• Not part of B1 is covert channel and trusted path analysis. They may be necessary for some systems. Class B2 includes these and other further requirements.
• Secure data transmission: as (3).
Summary of requirements per class (Confidential = C1, Secret = C2, Top Secret = B1):
Orange Book requirements
- Documentation: test documentation, design documentation, security features user manual, trusted facility manual: + + +
- Assurance: system architecture verification, hardware/firmware integrity checking, security testing (test for loopholes)
- Access control: discretionary access control: + +
- Object reuse: reinitialisation of objects: + =
- Labels: labels, integrity, human-readable output: +
- Verification: specification and design verification: +
- Exporting of labelled information to multilevel & single-level devices: +
Requirements in addition to the Orange Book
- Secure data exchange: peer entity authentication: + + =
- Data integrity: + =
- Data confidentiality: + =
- Data origin authentication / non-repudiation of origin: + +
- Non-repudiation of receipt: + +
- Access control: +
Legend: + means as previous class with additional requirements; = means same requirements as previous class.
• In MAC systems, every subject and object in a system has a sensitivity label and a set of categories:
– classification [category]
– Top Secret [CEO, CFO, Board Members]
– Confidential [Internal employees, auditors]
• The function of categories is that even someone with the highest classification isn't automatically cleared to see all information at that level. This supports the concept of need-to-know.
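As an added example, not part of the slides or of Rothke's material: a small Python model of sensitivity labels that carry a classification level plus a category set, using the four levels from the classification scheme above. A subject may read an object only if its clearance level is at least the object's level and its category set contains every category on the object; that second condition is what enforces need-to-know, so a Top Secret subject still cannot read Top Secret data in a category it does not hold. The subject and object names below are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable

# Ordered classification levels from the scheme on this page (higher = more sensitive).
LEVELS = {"Unclassified": 1, "Confidential": 2, "Secret": 3, "Top Secret": 4}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a classification plus a set of categories (compartments)."""
    classification: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.classification not in LEVELS:
            raise ValueError(f"unknown classification: {self.classification!r}")


def label(classification: str, categories: Iterable[str] = ()) -> Label:
    return Label(classification, frozenset(categories))


def dominates(subject: Label, obj: Label) -> bool:
    """Lattice dominance: level is high enough AND every object category is held."""
    return (LEVELS[subject.classification] >= LEVELS[obj.classification]
            and obj.categories <= subject.categories)


def can_read(subject_clearance: Label, object_label: Label) -> bool:
    """Read is permitted only when the subject's clearance dominates the object's label."""
    return dominates(subject_clearance, object_label)


def access_report(subjects: dict, objects: dict) -> dict:
    """For each subject name, the sorted list of object names it may read."""
    return {s: sorted(o for o, ol in objects.items() if can_read(sl, ol))
            for s, sl in subjects.items()}


# Constructed example clearances (subjects) and labels (objects).
SUBJECTS = {
    "cfo": label("Top Secret", ["CFO"]),
    "board_member": label("Top Secret", ["Board Members"]),
    "auditor": label("Confidential", ["auditors"]),
    "intern": label("Unclassified"),
}
OBJECTS = {
    "board_minutes": label("Top Secret", ["Board Members"]),
    "merger_model": label("Top Secret", ["CFO"]),
    "audit_workpapers": label("Confidential", ["auditors"]),
    "cafeteria_menu": label("Unclassified"),
}

if __name__ == "__main__":
    for subject, readable in access_report(SUBJECTS, OBJECTS).items():
        print(f"{subject}: {readable}")
```

The CFO and the board member both hold Top Secret clearance, yet neither can read the other's Top Secret object, which is exactly the need-to-know effect the slide describes; the level check alone would have allowed both.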
• In a commercial setting, responsibility for assigning data classification labels is on the person who created or updated the information
• With the exception of general business correspondence, all externally-provided information which is not public in nature must have a data classification system label.
• All tape reels, floppy disks and other computer storage media containing secret, confidential, or private information must be externally labelled with the appropriate sensitivity classification
• Holders of sensitive information must take appropriate steps to ensure that these materials are not available to unauthorized persons.
5. Data & Information
5.1 Data vs. Information
• Data are physical phenomena chosen by convention to represent certain aspects of our conceptual and real world. The meanings we assign to data are called information. Data is used to transmit and store information and to derive new information by manipulating the data according to formal rules.
• Controlling access to information can be elusive and may have to be replaced by controlling access to data.
• If there is a close link between Information and corresponding data, the two approaches may give very similar results. However, this is not always the case.
* From Sungkwon's material
5.2 Data/Information Problem
6. Employment Policy and Practice
What does a background check potentially prevent?
– lawsuits from terminated employees
– lawsuits from third parties or customers for negligent hiring
– unqualified employees
– lost business and profits
– time wasted recruiting, hiring and training
– theft, embezzlement or property damage
– money lost (to recruiter fees, signing bonuses)
– negligent hiring lawsuits
– decrease in employee morale
– workplace violence, or sexual harassment suits
* From Rothke's material
• Who should be checked? Employee background checks should be performed for all sensitive positions. Information security staff in sensitive positions include those responsible for:
– firewall administration
– e-commerce management
– Kerberos administration
– SecurID & password usage
– PKI and certificate management
– router administration
6.5 Separation of duty
• The principle of separation of duties is that an organization should carefully separate duties, so that people involved in checking for inappropriate use are not also capable of making such inappropriate use
• No person should be responsible for completing a task involving sensitive, valuable or critical information from beginning to end. Likewise, a single person must not be responsible for approving their own work
* From Rothke's material
7. Policy, Standard, Guideline and Procedure
• Policy is perhaps the most crucial element in a corporate information security infrastructure
• Marcus Ranum defines a firewall as “the implementation of your Internet security policy. If you haven’t got a security policy, you haven’t got a firewall. Instead, you’ve got a thing that’s sort of doing something, but you don’t know what it’s trying to do because no one has told you what it should do”
• Corporate computing is a complex operation. Effective policies can rectify many of the weaknesses and faults
* From Rothke's material
• How to ensure that policies are understood:
– Jargon-free, non-technical language. Rather than "when creating software authentication codes, users must endeavor to use codes that do not facilitate nor submit the company to vulnerabilities in the event that external operatives break such codes", use "passwords that are guessable should not be used".
– Focused
– Job-position independent
– No procedures, techniques or methods: policy is the approach; the specific details & implementations should be in another document
• Responsibility for adherence: users must understand the magnitude & significance of the policy. "I thought this policy didn't apply to me" should never be heard.
• How should policies be disseminated?
– New hires should get hard copies at orientation
– Rehires should go through orientation
– Hard copies
– Web/corporate intranet
– Brochures
– Videos
– Posters
– e-mail/voice-mail
• ISO/IEC TR 13335-1: Concepts and models for IT security: for those responsible for IT security
• ISO/IEC TR 13335-2: Managing and planning IT security: for managers with IT-related responsibilities
• ISO/IEC TR 13335-3: Techniques for the management of IT security
• ISO/IEC TR 13335-4: Selection of safeguards
• ISO/IEC TR 13335-5: Application of IT security services & mechanisms: provides guidance in determining the security safeguards for external network connections
• GMIT (Guidelines for the Management of IT Security)
• ISO (the International Organization for Standardization)
• IEC (the International Electrotechnical Commission)
• JTC (Joint Technical Committee)
• Type 3: when a technical committee has collected data of a different kind from that which is normally
ISO: Overview of the planning & management of IT security
Objective: what is to be achieved
Strategy: how to achieve the objective
Policy: the rule for achieving the objective
Policy Relationship (NSW Government Agency) [figure: corporate business objectives & strategies at the top, with the corporate policy, marketing policy and other policies derived from them]
• Corporate IT security policy elements
- IT security requirements (in terms of confidentiality, integrity, availability, accountability, authenticity and reliability)
- Assignment of responsibilities
- Security in development & procurement
- Directives and procedures
- Information classification
- Risk management strategies
- Contingency planning and incident handling
- Personnel issues including awareness and training
- Legal & regulatory obligations
- Outsourcing management
• IT security forum
  - Advise the IT steering committee regarding strategic security planning
  - Formulate a corporate IT security policy in support of the IT strategy and obtain approval from the IT steering committee
  - Translate the corporate IT security policy into an IT security program
  - Monitor the implementation of the IT security program
  - Review the effectiveness of the corporate IT security policy
  - Promote the awareness of IT security issues
  - Advise on resources needed to support the planning process and IT security program
• Corporate IT security officer
  - Act as the focus of all IT security aspects within the organization
  - Oversight of the implementation of the IT security program
  - Liaison with & reporting to the IT security forum & the corporate security officer
  - Maintaining the corporate IT security policy & directives
  - Coordinating incident investigations
  - Managing the corporate-wide awareness program
  - Determining the terms of reference for the IT project & system security officer
• IT project and IT system security officer
  - May not be a full-time role
  - Liaison with & reporting to the corporate IT security manager
  - Issuing & maintaining the IT project or system security policy
  - Developing & implementing the security plan
  - Day-to-day monitoring of implementation & use of the IT safeguards
  - Initiating & assisting in incident investigation
• IT system security policy
  - Should be based on the corporate and departmental security policy
  - Comprises a set of principles and rules for the protection of systems and services
  - The policies must be implemented by the application of appropriate safeguards to the system and services to ensure that an adequate level of protection is achieved
  - Key issues:
    - definition of the considered IT system and its boundary
    - definition of the business objectives to be achieved with the system
    - potential adverse business impacts
    - level of investment in IT
    - significant threats, vulnerabilities, security safeguards
    - cost of safeguards
• IT system security plan
  - A document which defines the coordinated actions to be undertaken to implement an IT system security policy
  - Should contain the primary actions to be undertaken within short, medium and long range, the associated costs, and an implementation time schedule
  - Contents:
    - an overall security architecture and design
    - a short review of the IT system
    - an identification of the safeguards and the confidence in the safeguards
    - identification and definition of actions to implement the safeguards
    - a detailed work plan for the implementation of the safeguards
    - project control activity
    - the security awareness and training requirement
    - requirements for the development of security operating procedures
• Implementation of safeguards
  - Responsibility: IT system security officer
  - Ensure: the cost of safeguards is within the approved range, safeguards are correctly implemented and operating as required by the IT plan
  - Needs operational and administrative procedures
  - Security training and awareness
  - Approval process (accreditation): the formal process of approving the implementation of the safeguards specified in the IT system security plan. Approval -> authorization for the IT system or service to be put into operation.
• Security awareness
  - Should be implemented at all levels of the organization
  - Should pass on the knowledge of the corporate IT security policy and assure a complete understanding of the security guidelines and the appropriate actions
  - Should cover the objectives of the corporate security plan
  - Should be repeated periodically
  - The aim of an awareness program: significant IT system risk
• Maintenance of safeguards
  - Resource allocation for maintenance
  - Periodic re-validation
  - Upgrade
  - Responsibility
  - HW, SW change -> existing safeguard
  - Advances in technology
• Security compliance (security audit, security review)
  - External or internal personnel
  - Use of checklists relating to the IT project or system security policy
  - Spot checks
• Techniques for
  - Assessing the IT security objectives, strategy, and policies
  - Deciding on the corporate risk analysis options
  - Carrying out the combined approach
  - Implementing the IT security plan
  - Carrying out the follow-up procedures
• Baseline security
  - The minimum level of security defined by the organization for a set of IT systems. This level of baseline security is achieved by implementing a minimum set of safeguards known as baseline controls
  - Selection of safeguards for one or more IT systems according to safeguards catalogues
  - "Baseline" for the whole organization: a minimum level (always fulfilled), a medium level (deviation upwards or downwards possible)
8.5 ISO/IEC TR 13335-4 (Selection of safeguards)
ISO: Selection of baseline safeguards for an IT system
[Figure: selection process steps include identification of environmental conditions and assessment of existing safeguards]
• Qualitative pros
  - Calculations are simple and readily understood and executed
  - Not necessary to determine quantitative threat frequency & impact data
  - Not necessary to estimate the cost of recommended risk mitigation measures & calculate cost/benefit
  - A general indication of significant areas of risk that should be addressed is provided
• Qualitative cons
  - Risk assessment & results are essentially subjective in both process & metrics. Use of independently objective metrics is eschewed.
  - No effort is made to develop an objective monetary basis for the value of targeted information assets
  - No basis is provided for cost/benefit analysis of risk mitigation measures. Only a subjective indication of a problem
  - It is not possible to track risk management performance objectively when all
• Quantitative pros
  - Assessment & results are based substantially on independently objective processes & metrics. Thus, meaningful statistical analysis is supported
  - The value of information (availability, confidentiality & integrity), as expressed in monetary terms with supporting rationale, is better understood. Thus, the basis for expected loss is better understood.
  - A credible basis for cost/benefit assessment of risk mitigation measures is provided. Thus, information security budget decision-making is supported
• Quantitative cons
  - Calculations are complex. If they are not understood or effectively explained, management may mistrust the results of black-box testing
  - A substantial amount of information about the target information & its IT environment must be gathered
  - There is not yet a standard, independently developed & maintained threat population & frequency knowledge base. Thus, users must rely on the credibility of the vendors who develop & support the automated tools or who perform the research.
• Should be done for each asset (or group)
• Represents the importance of the assets
• Give a value each for confidentiality, integrity, and availability
• Qualitative, quantitative
• Methods:
  - Delphi method
  - Scale (1-10) rank
  - Logarithmic scale ($100 -> 2, $1 million -> 6)
  - negligible - low - medium - high - very high
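The valuation methods listed above carried through in Python, as an added example that is not part of the original slides: a dollar impact for each of confidentiality, integrity and availability is mapped onto the logarithmic scale ($100 -> 2, $1 million -> 6) and then onto the qualitative bands, and independent 1-10 ranks are aggregated as a simplified Delphi round. The band thresholds and the sample asset inventory are assumptions.

```python
import math
from statistics import median

# Added example, not from the slides: valuing assets per C/I/A property.
CIA = ("confidentiality", "integrity", "availability")

def log_scale(dollars: float) -> int:
    """Logarithmic scale from the slide: round(log10(dollar impact)),
    so $100 -> 2 and $1,000,000 -> 6; impacts under $1 count as 0."""
    return 0 if dollars < 1 else round(math.log10(dollars))

def band_for(log_value: int) -> str:
    """Band for a log value; thresholds assumed: <2 negligible, 2-3 low, 4 medium, 5 high, 6+ very high."""
    if log_value < 2:
        return "negligible"
    if log_value < 4:
        return "low"
    return {4: "medium", 5: "high"}.get(log_value, "very high")

def delphi_rank(scores) -> int:
    """Simplified Delphi round: the median of independent 1-10 ranks, which one outlying rater cannot drag."""
    if not scores or any(not 1 <= s <= 10 for s in scores):
        raise ValueError("each score must be in 1..10")
    return int(round(median(scores)))

def value_asset(impact: dict) -> dict:
    """A separate value for C, I and A (dollars -> log scale -> band); the overall
    value is the highest of the three, since the most sensitive property sets
    the protection the asset needs."""
    result = {}
    for prop in CIA:
        v = log_scale(impact[prop])
        result[prop] = (v, band_for(v))
    top = max(result[prop][0] for prop in CIA)
    result["overall"] = (top, band_for(top))
    return result

def rank_assets(assets: dict) -> list:
    """Asset names by overall value, ties broken by the C+I+A sum."""
    valued = {name: value_asset(imp) for name, imp in assets.items()}
    key = lambda n: (valued[n]["overall"][0], sum(valued[n][p][0] for p in CIA))
    return sorted(valued, key=key, reverse=True)

# Constructed sample inventory (dollar impact per lost property; not real figures).
SAMPLE_ASSETS = {
    "customer DB": {"confidentiality": 1_000_000, "integrity": 250_000, "availability": 40_000},
    "public web site": {"confidentiality": 100, "integrity": 50_000, "availability": 200_000},
    "build server": {"confidentiality": 5_000, "integrity": 500_000, "availability": 20_000},
}
```

Calling `rank_assets(SAMPLE_ASSETS)` orders the inventory by the most sensitive property first, so the customer database and the build server (high-integrity) outrank the public web site.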
• Appropriate topics for security awareness training
  - Policy, procedure and standard
  - Error, accident and omission
  - Physical and environmental hazards
  - Information warfare
  - Malicious code/logic
  - Intrusion