Chief Information Officers (CIO). Information Security Module 9


Objectives of Module 9

To present and discuss the basic concepts and tools for security of information, data and IT infrastructure in the context of the E-Government Program of Iraq

Information Security Concept

Protecting Information Resources and Systems From:

• Unauthorized Use and Access
• Unauthorized Disclosure and Modification
• Damage and Destruction

Sources of Likely Threat for Information Systems and Resources of the Government

• Insiders for fun or revenge
• Enemies of the Nation
• Faults and Malfunction
• Insiders and Outsiders for Profit
• Acts of God

Possible Impact

• System not available
• Privacy of data violated
• Information modified / misused, with consequential public and private loss
• Systems / information damaged and destroyed, with consequential private and public loss

ISO 27001 Code of Practice on Information Security Management

• Information Security Policy
• Organization of Information Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications & Operations Management
• Access Control
• Information Systems Acquisition, Development & Maintenance
• Incident Management
• Business Continuity Management
• Compliance

Information Security Standards

• ISO 27001
• PCI DSS
• BS 25999 (Business Continuity Management System)
• Other Standards

OCTAVE® (Operationally Critical Threat, Asset, and Vulnerability Evaluation)

A suite of tools, techniques, and methods for risk-based information security strategic assessment and planning.

Identify Your Adversaries

• Internet Hacker
• Insider
• Thief
• Terrorist
• Industrial Spy

Which are likely targets?

• Information Systems
• Networks and IT Infrastructure
• Servers / Computers / Devices
• Databases and Information Repositories
• Information Applications
• Websites

Risk Assessment

• The "Risk Equation"
• Likelihood
• Impact

Addressing Risk

• Establish Policy
• Implement Countermeasures
• Maintain Vigilance

Vulnerability Driven Analysis

• Search for known vulnerabilities
• Tabulate and estimate severity
• Determine what assets are affected
• Assign impact value
• Consider adversaries and their motivations
• Assign likelihood
• Tabulate and report

Risk Assessment and Management

The Risk Equation: Impact × Likelihood = Risk

• Universal: applies to all types of risk
• Uniform: enables comparison
• Objective: can be tracked over time

Impact measures the level of "pain" to the organization.

Examples:
• Financial: loss or cost to repair
• Operational: lost time, production or delivery
• Reputation: loss of customer or consumer confidence
• Competitive: reduction of market advantage
• Regulatory: legal liability
• Fiduciary: fiduciary liability

Vulnerability Driven Analysis

1. Search for known vulnerabilities
2. Tabulate and estimate severity
3. Determine what assets are likely to be affected
4. Assign impact value
5. Consider adversaries and their motivations
6. Assign likelihood
7. Tabulate and report

Network and System Vulnerabilities

Network:
• Unnecessary pathways
• Unsecured data-streams

System:
• Unhardened systems
• Unprotected administrator logon
• Exposed management interfaces

Asset Driven Analysis

1. Inventory information assets
2. Estimate impact
3. Trace information back to technology
4. Analyze for vulnerabilities
5. Consider adversaries and their motivations
6. Assign likelihoods
7. Tabulate and report
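Both analyses end in the same place: a tabulated register to which the risk equation (Impact × Likelihood = Risk) is applied so that findings from different assets and threat sources can be compared and prioritized. The following Python is an added worked example, not material from the module; the four-point ordinal scales, the sample findings and the 80% Pareto threshold are constructed assumptions chosen for illustration.

```python
"""Risk register for the equation Impact x Likelihood = Risk.

Added worked example, not from the module. The ordinal scales, the sample
findings and the 80% Pareto threshold are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List

# Small ordinal scales keep the register uniform, so every finding is
# comparable on the same footing regardless of asset or threat source.
IMPACT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "likely": 3, "almost_certain": 4}


@dataclass(frozen=True)
class Finding:
    """One row of the analysis: steps 1-6 of the vulnerability-driven method
    (or steps 4-6 of the asset-driven one, which starts from the asset)."""
    vulnerability: str   # step 1: known weakness found
    severity: str        # step 2: technical severity, kept for the report
    asset: str           # step 3: asset affected
    impact: str          # step 4: impact value, a key of IMPACT
    adversary: str       # step 5: adversary and motivation
    likelihood: str      # step 6: likelihood, a key of LIKELIHOOD

    def risk(self) -> int:
        """The risk equation applied to this row."""
        return IMPACT[self.impact] * LIKELIHOOD[self.likelihood]


def tabulate(findings: List[Finding]) -> List[Finding]:
    """Step 7: order the register by risk, highest first (sort is stable)."""
    return sorted(findings, key=lambda f: f.risk(), reverse=True)


def pareto_cut(ranked: List[Finding], share: float = 0.8) -> List[Finding]:
    """Top slice of a ranked register whose risk scores reach `share` of the
    total: the areas needing attention first (Pareto principle)."""
    total = sum(f.risk() for f in ranked)
    chosen, running = [], 0
    for f in ranked:
        chosen.append(f)
        running += f.risk()
        if running >= share * total:
            break
    return chosen


def render(ranked: List[Finding]) -> str:
    """Plain-text report of the ranked register."""
    lines = [f"{'risk':>4}  {'impact':<8} {'likelihood':<14} {'asset':<28} vulnerability"]
    for f in ranked:
        lines.append(f"{f.risk():>4}  {f.impact:<8} {f.likelihood:<14} "
                     f"{f.asset:<28} {f.vulnerability}")
    return "\n".join(lines)


# Constructed sample register (hypothetical findings, not real ones).
SAMPLE = [
    Finding("Exposed management interface", "high", "Citizen portal web server",
            "high", "Internet hacker", "likely"),
    Finding("Unhardened database host", "medium", "Citizen records database",
            "critical", "Insider for profit", "unlikely"),
    Finding("Unsecured data stream", "medium", "Inter-ministry network link",
            "medium", "Industrial spy", "unlikely"),
    Finding("No backup power", "low", "Branch office servers",
            "low", "Faults and malfunction", "likely"),
    Finding("Shared administrator logon", "high", "Core application servers",
            "critical", "Insider for revenge", "almost_certain"),
]

if __name__ == "__main__":
    ranked = tabulate(SAMPLE)
    print(render(ranked))
    print("\nPriority areas (80% of total risk):")
    for f in pareto_cut(ranked):
        print(f"  - {f.vulnerability} on {f.asset}")
```

With the sample register the shared administrator logon (critical × almost certain = 16) dominates, and three of the five findings account for over 80% of the total score, which is the slice a prioritized security plan would address first. The ordinal product is deliberately coarse: it supports ranking and tracking over time, not precise loss estimates.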

Information Security Roadmap

• Initiate Risk Assessment
• Prioritize Security Areas Needing Attention – Pareto Principle
• Seek Input in Developing and Implementing a Campus Unit Security Plan
• Implement Security Plan
• Annually Review Security Plan
• Keep Up to Date with Security News

Security Provisions for BFB IS-3

• Authentication & Authorization
• Background Checks
• Control Administrative Accounts
• Data Backup / Retention / Storage and Transit Encryption
• Disaster Recovery Plan
• Incident Response / Notification Plan
• Physical Security Controls & Media Controls

Policy Statements

Most corporate policies must be translated to concrete statements.

Major elements:
• Information Classification
• System Criticality
• Operational Context

Information Classification

• Information classification streamlines policy statement and enforcement.

• CAVEAT: Over-classification leads to excessive cost and added overhead.

• CAVEAT: Some collections of unclassified data become sensitive when aggregated.

Criticality

Criticality is a quality of operational systems. It depends upon the importance of a network system or application. Criticality motivates reliability measures.

Policy

• Policy defines classification and rules for access/exchange.
• Policy defines criticality.
• Policy hierarchy defines security services and quality of mechanisms.

Implement Countermeasures

Cost vs Risk

Level of Vigilance vs Frequency of Attacks

Balance Security Activities

Security Plan

Consider:
• Future business needs
• Changing threat-scape
• Tolerance to residual risk

• Establish policy
• Design security infrastructure
• Develop security procedures

Execute Plan

• Implement according to design
• Operate according to procedures
• Continually improve

Appraise

Appraise the plan:
• Does it meet the expected threats?
• Will it protect business interests?
• Are there flaws in the design?
• Is policy adequate or overly burdensome?

Appraise the execution:
• Is the design implemented correctly?
• Has the configuration changed?
• Do procedures cover all events?
• Are operators alert?

Disaster Management & Business Continuity

What is a Disaster?

Any unplanned event that requires immediate redeployment of limited resources.

Sample Disasters

Natural Forces
• Fire
• Environmental Hazards
• Flood / Water Damage
• Extreme Weather

Technical Failure
• Power Outage
• Equipment Failure
• Network Failure
• Software Failure

Human Interference
• Criminal Act
• Human Error
• Loss of Users
• Explosions

What is a Disaster Recovery Plan?

A management document for how and when to utilize resources needed to maintain selected functions when disrupted by agreed-upon incidents.

Other names commonly used:
• Business Continuity Plan
• Contingency Plans
• Continuity Plans
• Emergency Response Plans
• Business Recovery Plans
• Recovery Plans

Disaster Recovery Response

When an incident occurs, the Disaster Recovery response activities are likely to be the following (at a high level):

[Figure: Disaster Recovery Response flow. Stages shown: Incident; Assess Damage; Confirm Response Strategy; Execute Required Functions; Transfer to Alternate Location; Prepare New Site; Transfer & Execute at New Site; Restore Primary Site; Transfer & Execute at Primary Site; Return to Normal Operations; Assess DRP Effectiveness; Generate Change Requests.]

What is the magnitude of an incident?

• Regional Area
• Local Area
• Within 3 Blocks
• To The Building
• Within 3 Floors
• On The Floor
• Within The Room

Depending upon the magnitude of an incident, possible alternative sites include:

• Within The Room
• Within the Building
• Within the Region
• Outside the Region

Types of Strategies

Avoidance Strategy
• Redundant configuration to avoid incidents
• Site-harden facilities to resist incidents
• Redundant utilities and hardware
• Automated operation recovery plan

Mitigation Strategy
• Early warning detection
• Contractual agreements with vendors
• Mirrored data and documents
• Detailed migration recovery plan

Recovery Strategy
• High level recovery plan
• Off-site data storage
• Very responsive vendor relationships
• Very knowledgeable employees

Types of Strategy Options
• Hot site
• Cold site
• Self Backup
• Service Bureau
• Reciprocal Agreement

What is a Critical Business Function?

A specific entity management has decided is so significant to the business mission that, without it, the organization cannot successfully operate after an identified time period.

Types of Impact

Financial Loss
• Lost Revenue
• Lost Sales
• Lost Market Share
• Lost Opportunity

Extra Expense
• Labor Cost: recreate lost business; recreate lost data; use manual process
• Equipment Cost: hardware / software; telephones
• Money Cost: delayed receivables; delayed orders; new interest; new investments

Human Interference
• Management Control
• Employee Relations
• Stockholder Relations
• Public Image
• Legal Exposure
• Contractual Liability
• Competitive Advantage

Criteria for a Critical Business Function

Timing Requirements
• Minutes
• Hours
• Days
• Weeks
• Quarters
• Special Situations

Interdependencies
• Inputs and Outputs

Cost of Control vs. Impact

[Figure: chart comparing Cost of Impact ($) with Cost of Control ($); the two curves are labelled "Impact" and "Cost".]

Disaster Recovery Approach

[Figure: phases of the Disaster Recovery approach: Scoping & Risk Assessment; Planning; Recovery Strategy Development; Disaster Recovery Plan Approval; Training & Testing; Implementation.]

Planning

The primary objective for the Planning Phase is to gain management consensus on the focus areas and scope of a Disaster Recovery Plan that will address major business risks.

Implementation

The primary objective for the Implementation Phase is to develop, test, and roll out a Disaster Recovery plan. The implementation phase could be longer or shorter, depending upon the scope, approach, and staffing defined during the Scoping and Risk Assessment phase.

DR Team Organization

An Example of a Disaster Recovery Team

[Figure: organization chart. Disaster Recovery Director; DRP Management Team; Disaster Recovery Coordinator; teams: Site Restoration, Security, Administrative Support, Customer Liaison, System Software and Database Administration, Computer Operation and Off-site Storage, Network Delivery, Application Support, Services Delivery, Production Application.]

Example: Disaster Recovery Services

Education Classes

Creating a base of common knowledge for the business continuity / disaster recovery planning industry through education, assistance, and the promotion of international standards.

On-Site Recovery Facilities

Manage the mobilization of an on-call response team, prepare the pre-designated site, erect temporary pre-engineered structures, install mechanical and electrical systems, and coordinate move-in activities.

Recommended