8/2/2019 ISR Kranthi Final
1/18
Information Security Plan at ABCL
Kranthi Kumar 10BM60001
I. Introduction 3
 a. Importance given to IT in ABCL
 b. What is the concern
II. Information Security Plan 3
III. Framework 4
 a. Steps for Framework
 b. Fitting the security components into a framework
 c. Extension of the McCumber model with risk assessments
IV. Plan and Organize 7
 a. Risk Management
V. Implementation 14
 b. Security Policy
 c. Asset management
 d. Human resources management
 e. Physical and Environmental Management
 f. Communication and Operations Management
 g. Access Control
 h. Incident Management
 i. Disaster Recovery Management
 j. Compliance
Introduction
ABCL is a progressive downstream oil company that has operated in India for over 70 years. It was nationalized as per the government policy of India.
Importance given to IT in ABCL
- It has networked all of its 400-plus locations and deployed all possible applications to reap benefits from IT.
- It has transformed into an IT-savvy ABCL.
- It has implemented state-of-the-art systems such as SAP, SCM, B2B and B2C.
- It has a rich intranet in addition to specialized applications.
What is the concern
With increasing reliance on IT, top management became concerned with information security.
Also, with the growth of the company to 6 SBUs, 3000 dealers and distributors, 5000 vendors
and 5000 retail outlets, the complexity is increasing and information is crossing organizational
boundaries.
So there is a need for a comprehensive security plan for the company ABCL.
Information Security Plan
An Information Security Plan (ISP) is designed to protect information and critical resources from
a wide range of threats in order to ensure business continuity, minimize business risk, and
maximize return on investments and business opportunities. Information Technology (IT)
security is achieved by implementing a suitable set of controls, including policies, processes,
procedures, organizational structures, and software and hardware functions. These controls
need to be established, implemented, monitored, reviewed and improved, where necessary,
to ensure that the specific security.
This plan governs the privacy, security, and confidentiality of ABCL, especially highly
sensitive data, and the responsibilities of departments and individuals for such data. IT
security measures are intended to protect information assets and preserve the privacy of
ABCL employees, sponsors, suppliers, and other associated entities. Inappropriate use
exposes ABCL to risks including virus attacks, compromise of network systems and
services, and legal issues.
To effectively assess and implement a security plan in information technology (IT) systems, it
is vital that a structured, information-centric process is followed.
Framework:
This security plan is:
- Needed to protect the confidentiality, integrity and availability of data and safeguard
information assets and resources.
- To identify processes and techniques that promote secure communications and the
appropriate protection of information.
- To establish a common information security program framework that is consistent
with business needs.
This framework identifies the twelve key components that should be considered when
implementing, reviewing, or seeking to improve the value of the information security plan.
There are different ways of describing the life cycle of any process.
Steps for Framework:
We will use the following steps:
- Plan and organize
 - Risk Management
- Implement
 - Security policies
 - Asset management
 - Human resource management
 - Physical and Environmental Management
 - Communication and Operations Management
 - Access Control
 - Incident Management
 - Disaster Recovery Management
 - Compliance
Fitting the security components into a framework:
The McCumber cube gives a framework to implement the information security plan. It gives the
multidimensional view required to implement an information assurance program. The three
dimensions are:
- Security services
- Information states
- Countermeasures
Viewing the cube from different angles provides a way to consider risk from different
perspectives. The three primary aspects of the cube involve:
Information states: These represent the various forms in which information can be found
within a system. Information is the fundamental aspect of what it is that must be protected.
- Processing: Information held in volatile memory or currently manipulated through the
processor.
- Storage: This generally refers to non-volatile storage such as files on hard drives or backup
media.
- Transmission: Information transiting network media.
Countermeasures: These are elements which can be used to defend a system from
attack and to protect information in its various states.
- People: All individuals associated with a system, including administrators and users.
- Policies and practices: Documented policies and procedures used to guide people
interacting with the system; workflows, separation of duties, and least privilege.
- Technology: Hardware and software which comprise the system, such as operating systems,
applications, networking devices, and security tools.
Security services: These are the ultimate security goals of a system. They are not
concrete but intangible.
- Confidentiality: Protecting information from unauthorized or unintended disclosure.
- Integrity: A quality which prevents the unauthorized alteration or destruction of information.
- Availability: The ability to retrieve requisite information in a timely manner for an authorized
user.
The McCumber Cube can be used by selecting a desired security service and considering
what countermeasures must be implemented to protect the affected information states.
This can be viewed as a chain: Attack → Information state → Countermeasures → Security goal.
Example:
Let's view the model for the service of availability, which is one of the security services in the
model.
Network Availability:
- Attack: Denial of Service
- Information state: Transmission
- Countermeasures: Technology: Intrusion detection; Policy: Monitoring; People: Incident response
- Security goal: Availability
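To make the selection step concrete (pick a security service, then check which information states still lack a countermeasure of each kind), here is an added example that is not part of the original plan. The cube axes and the availability/transmission cell come from the plan; the other recorded countermeasures are constructed for the illustration.

```python
"""McCumber cube coverage check (added illustration, not from the plan).

The cube has three axes: security services x information states x
countermeasure categories.  Given the countermeasures an organisation has
recorded, this reports, for a chosen security service, which information
states are unprotected and which countermeasure category each one lacks.
"""
from itertools import product

SERVICES = ("Confidentiality", "Integrity", "Availability")
STATES = ("Processing", "Storage", "Transmission")
CATEGORIES = ("People", "Policies and practices", "Technology")

# Recorded countermeasures keyed by (service, state, category).  Constructed
# sample; the three Availability/Transmission entries are the plan's example.
COUNTERMEASURES = {
    ("Availability", "Transmission", "Technology"): ["Intrusion detection"],
    ("Availability", "Transmission", "Policies and practices"): ["Monitoring"],
    ("Availability", "Transmission", "People"): ["Incident response"],
    ("Availability", "Storage", "Technology"): ["Backups"],
    ("Availability", "Storage", "Policies and practices"): ["Backup & Recovery Guidelines"],
    ("Confidentiality", "Storage", "Policies and practices"): ["Data Classification & Handling Policy"],
    ("Confidentiality", "Storage", "People"): ["Confidentiality Agreement"],
}


def validate(cm: dict) -> None:
    """Reject keys that fall outside the cube's three axes."""
    for service, state, category in cm:
        if (service not in SERVICES or state not in STATES
                or category not in CATEGORIES):
            raise ValueError(f"not a cube cell: {(service, state, category)}")


def coverage(service: str, cm: dict = COUNTERMEASURES) -> dict:
    """For one security service, map each information state to the list of
    countermeasure categories that have nothing recorded for it."""
    validate(cm)
    return {state: [c for c in CATEGORIES if not cm.get((service, state, c))]
            for state in STATES}


def unprotected_states(service: str, cm: dict = COUNTERMEASURES) -> list:
    """Information states with no countermeasure of any kind for the service."""
    return [state for state, missing in coverage(service, cm).items()
            if len(missing) == len(CATEGORIES)]


def fully_covered_cells(cm: dict = COUNTERMEASURES) -> list:
    """(service, state) cells that have a People, a Policies and practices
    and a Technology countermeasure, i.e. every category is addressed."""
    validate(cm)
    return [(svc, st) for svc, st in product(SERVICES, STATES)
            if all(cm.get((svc, st, c)) for c in CATEGORIES)]


if __name__ == "__main__":
    for svc in SERVICES:
        print(svc, "unprotected states:", unprotected_states(svc))
```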
Extension of the McCumber model with risk assessments
This model can also be used in a risk framework to ascertain the level of risk present for
any given situation in a network environment. The perceived risks, coupled with their
likelihood, can be used with this McCumber Cube extension to evaluate system risk.
Plan and Organize
Risk management:
Risk Management refers to the process of identifying risk, assessing risk, and taking steps to
reduce risk to an acceptable level. A risk management program is an essential management
function and is critical to successfully implement and maintain an acceptable level of
security.
Detailed Outline of the Risk Assessment Process
1. Identify business process:
a. The risk methodology determines risk for a particular business process. It is the business
processes that are the foundation of the company's business, and therefore risk should be
defined in regard to these processes.
b. This methodology will tie the business processes to the assets they rely on, to the
architecture that supports the assets, and to the vulnerabilities of the architecture. Together
this will lead to a determination of the risks of the business process.
2. Determine operational concerns:
a. There are three operational concerns to be considered:
i. Confidentiality: the privacy and protection of data from unauthorized access or exposure.
ii. Integrity: the accuracy of the data or systems used by your organization.
iii. Availability: the accessibility of an asset for its intended use at a given point in time.
b. These operational concerns apply to the business process, not to each individual asset.
The operational concerns are defined with regard to the output of the business process.
(Figure: Threat → Likelihood → Countermeasures → Risk)
The output after these two steps follows this template:
| Business Process | Operational concern |
| Marketing planning and execution | Availability |
| Refinery operations | Confidentiality |
3. Identify or define assets:
a. Each business process relies on multiple assets. Identify the assets and data items that
are part of this business process.
b. Although the majority of assets that will be identified will be informational, an asset can be
of the following types:
i. Informational: most assets that are defined will be informational; they will be data
objects.
ii. Functional: for example, an Internet connection can be a functional asset.
iii. Physical: any physical component or equipment can be an asset.
4. For each asset determine:
- Business role.
- Logical data flow.
- User population.
- Access rights and controls:
i. Physical access.
ii. Logical access.
- Supporting architecture:
i. System and network hardware.
ii. System and network operating systems.
iii. System and network applications.
iv. Network protocol.
v. System connectivity.
vi. Physical environment.
5. Assign asset measurements:
a. Each asset will be rated for sensitivity and criticality with regard to the critical
process in question.
b. The two asset measurements will be rated on a scale of 1 to 5
(1 not important, 5 extremely important):
i. Sensitivity: the relative measurement of damage to the business
process if the asset was disclosed to unauthorized users, such as
competitors.
ii. Criticality: the relative measurement of how crucial the asset is to
the accomplishment of the business process.
6. Determine importance:
a. Importance is a subjective rating of high, medium, low, or none assigned to each
asset.
b. This rating determines the importance of the asset to the business process.
c. The importance rating is determined from the asset measurements assigned in the
previous step and a subjective analysis of those values.
i. Although the value assigned to each asset measurement will be
independent of the operational concerns of the business process, the
importance rating will have to consider the operational concerns.
A. For example, an asset with a sensitivity value of 4 and a criticality value of 1 may have an
importance rating of high, if sensitivity is more of a concern to the process than criticality. On
the other hand, if sensitivity is of low concern and criticality is of higher concern, then the
importance rating will be low.
B. There is no mathematical way to determine the importance rating; the factors above have
to be combined with an awareness of the organization's business and operations to determine
the rating that makes the most sense.
Template for asset classification:
| Asset | Type (informational/physical/logical) | Business role | Access controls | Supporting architecture | Sensitivity (1 to 5) | Criticality (1 to 5) | Importance (high/medium/low) |
Identify Threats and Vulnerabilities
First, identify threats that could exploit system vulnerabilities. Identify all possible
environmental, physical, human, natural, and technical threats. Consider the system's
connections, dependencies with other systems, inherited risks and controls, risks from
software faults, staff errors and malicious intent, and such factors as proximity to the
Internet, incorrect file permissions, risks from maintenance procedures and personnel
changes.
Next, consider the potential vulnerabilities associated with each threat, to produce a pair. A
vulnerability can be associated with one or more threats. Collect input from previous risk
assessments, audits, system deficiency reports, security advisories, scanning tools, security
test results, system development testing, and industry and government listings.
Describe Risks
Describe how each vulnerability creates a risk to the system in terms of the confidentiality,
integrity, availability and accountability elements that may result in a compromise of the system.
Identify Existing Controls
Identify existing controls that reduce the likelihood or probability of a threat exploiting a
system vulnerability, and/or reduce the magnitude of impact of the exploited vulnerability on
the system. Existing controls may be management, operational or technical controls,
depending on the threat / vulnerability and the risk to the system.
Determine Likelihood of Occurrence
Estimate the likelihood that a threat will exploit a vulnerability. Likelihood of occurrence is
based on a number of factors that include system architecture, system environment,
information system access and existing controls; the presence, motivation, tenacity, strength
and nature of the threat; the presence of vulnerabilities; and the effectiveness of existing
controls.
Refer to this table when estimating the likelihood that the threat will be realized and exploit
the vulnerability on the system.
Likelihood of Occurrence Levels
| Likelihood | Description |
| Negligible | Unlikely ever to occur |
| Very Low | Likely to occur two/three times every five years |
| Low | Likely to occur once every year or less |
| Medium | Likely to occur once every six months or less |
| High | Likely to occur once per month or less |
| Very High | Likely to occur multiple times per month |
| Extreme | Likely to occur multiple times per day |
Determine Severity of Impact
Determine the magnitude or severity of impact on the system's operational capabilities and
the information it handles, if the threat is realized and exploits the associated vulnerability.
Determine the severity of impact for each threat / vulnerability pair by evaluating the potential
loss in each security category (confidentiality, integrity, availability, auditability,
accountability).
Impact Severity Levels
| Severity | Description |
| Insignificant | Little or no impact |
| Minor | Minimal effort to repair, restore or reconfigure |
| Significant | Small but tangible harm, maybe noticeable by a limited audience, some embarrassment, some effort to repair |
| Damaging | Damage to reputation, loss of confidence, significant effort to repair |
| Serious | Considerable system outage, loss of connected customers and business confidence, compromise of a large amount of information |
| Critical | Extended outage, permanent loss of resource, triggering business continuity procedures, complete compromise of information |
Determine Risk Levels
Risk level is the likelihood of occurrence multiplied by the severity of impact. The final value
is subject to the system business and technical owners' discretion.
Risk determination
For each threat / vulnerability pair, assess the following:
- Likelihood of the threat attempting to exercise the vulnerability;
- Magnitude of impact if the threat / vulnerability exploit is successful;
- Adequacy of planned or existing security controls for reducing or eliminating risk;
Note: The project team must decide whether to use only currently implemented controls for
this analysis, or to include controls that are budgeted and scheduled for installation, and
document that decision in the Report.
- Resulting risk to the information on the system from the threat and vulnerability.
Recommend Controls and Safeguards
Identify controls and safeguards to reduce the risk presented by each threat / vulnerability
pair with a moderate or high risk level as identified in the Risk Determination Phase. When
identifying a control or safeguard, consider:
1. Security area where it belongs, such as management, operational, technical.
2. Method it employs to reduce the opportunity for the threat to exploit the vulnerability.
3. Its effectiveness in mitigating the risk to information.
4. Policy and architectural parameters required for its implementation in the environment.
5. Information security category (confidentiality, integrity, availability, access control,
audit, etc.) to which the safeguard applies.
6. Whether the cost of the safeguard is commensurate with its reduction in risk.
If more than one safeguard is identified for the same threat / vulnerability pair, list them in
this column in separate rows and continue with the analysis steps. The residual risk level
must be evaluated during this phase of the assessment and may be further evaluated in risk
management activities outside the scope of this project.
If the recommended safeguard cannot be completely implemented in the environment due to
cost, management, operational or technical constraints, document the circumstances and
continue with the analysis.
Consider control elements implemented as policies and procedures, training, and improved
policy enforcement.
Determine Residual Likelihood of Occurrence
Follow the directions in section 2.4 of the Risk Determination phase, while assuming the
selected safeguard has been implemented.
Determine Residual Severity of Impact
Follow the directions of the Risk Determination phase while assuming the selected
safeguard has been implemented.
Determine Residual Risk Levels
Determine the residual risk level for the threat/vulnerability pair and its associated risk once
the recommended safeguard is implemented. The residual risk level is determined by
examining the likelihood of occurrence of the threat exploiting the vulnerability and the
impact severity factors in the categories of Confidentiality, Integrity and Availability.
Follow the directions of the Risk Determination phase to determine the residual risk level
once the recommended safeguard is implemented.
Depending on the nature and circumstances of threats and vulnerabilities, a recommended
safeguard may reduce the risk level to Low.
For new systems, the next steps would include creating a sensitivity assessment, system
security requirements, risk assessment report, and system security plan in the SDLC.
The following risk register template shows all the threats and vulnerabilities, their risk levels
and the corresponding strategies.
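A worked pass through the risk determination and residual-risk steps above, written as an added example rather than material from the plan. It takes the plan's level names as given; the numeric scores behind them, the Low/Moderate/High cut-offs and the sample threat/vulnerability pairs are assumptions constructed for the illustration.

```python
"""Worked risk-determination example (added illustration, not from the plan).
Carries threat/vulnerability pairs through the plan's steps: likelihood of
occurrence, severity of impact, risk = likelihood x severity, and the residual
risk once a recommended safeguard is assumed in place.  Level names are the
plan's; the numeric scores, the Low/Moderate/High cut-offs and the sample
pairs are assumptions made for this example."""
from dataclasses import dataclass
from typing import Optional

# "Likelihood of Occurrence Levels" from the plan, scored 1..7 (scores assumed).
LIKELIHOOD = {"Negligible": 1, "Very Low": 2, "Low": 3, "Medium": 4,
              "High": 5, "Very High": 6, "Extreme": 7}
# "Impact Severity Levels" from the plan, scored 1..6 (scores assumed).
SEVERITY = {"Insignificant": 1, "Minor": 2, "Significant": 3,
            "Damaging": 4, "Serious": 5, "Critical": 6}
# Assumed cut-offs on the product (1..42) for the plan's Low/Moderate/High.
MODERATE_FROM, HIGH_FROM = 10, 20


@dataclass
class Pair:
    """One risk-register row: a threat/vulnerability pair for a business process."""
    process: str
    concern: str                  # Confidentiality / Integrity / Availability
    threat: str
    vulnerability: str
    likelihood: str               # initial likelihood level name
    severity: str                 # initial severity level name
    safeguard: Optional[str] = None             # recommended safeguard, if any
    residual_likelihood: Optional[str] = None   # None = unchanged by safeguard
    residual_severity: Optional[str] = None


def risk_score(likelihood: str, severity: str) -> int:
    """Risk = likelihood of occurrence x severity of impact."""
    return LIKELIHOOD[likelihood] * SEVERITY[severity]


def risk_level(score: int) -> str:
    """Map a numeric score to the plan's Low / Moderate / High levels."""
    if score >= HIGH_FROM:
        return "High"
    return "Moderate" if score >= MODERATE_FROM else "Low"


def assess(pair: Pair) -> dict:
    """Initial risk, whether the plan calls for a safeguard (Moderate or High
    only) and the residual risk once the recommended safeguard is in place."""
    initial = risk_score(pair.likelihood, pair.severity)
    row = {"process": pair.process, "concern": pair.concern,
           "threat": pair.threat, "vulnerability": pair.vulnerability,
           "risk_score": initial, "risk_level": risk_level(initial),
           "safeguard": pair.safeguard, "residual_level": None}
    row["needs_safeguard"] = row["risk_level"] != "Low"
    if pair.safeguard is not None:
        # Residual steps: repeat likelihood and severity assuming the
        # safeguard is implemented; a missing residual value means unchanged.
        residual = risk_score(pair.residual_likelihood or pair.likelihood,
                              pair.residual_severity or pair.severity)
        row["residual_score"] = residual
        row["residual_level"] = risk_level(residual)
        # Still not Low: the plan says document the constraints and continue.
        row["document_constraints"] = row["residual_level"] != "Low"
    return row


def risk_register(pairs: list) -> list:
    """Assess every pair, highest initial risk first."""
    return sorted((assess(p) for p in pairs), key=lambda r: -r["risk_score"])


# Constructed sample pairs; the first reuses the plan's own availability example
# (denial of service against information in transmission, countered by
# intrusion detection, a monitoring policy and incident-response people).
SAMPLE_PAIRS = [
    Pair("Marketing planning and execution", "Availability", "Denial of service",
         "Internet-facing B2B portal accepts unfiltered traffic", "High", "Serious",
         safeguard="Intrusion detection, monitoring policy, incident response",
         residual_likelihood="Low", residual_severity="Significant"),
    Pair("Refinery operations", "Confidentiality", "Insider disclosure",
         "Shared user IDs on the SCM application", "Medium", "Damaging",
         safeguard="Identity and Access Management Policy: unique IDs, revoke on exit",
         residual_likelihood="Low"),
    Pair("Refinery operations", "Availability", "Flooding of the data centre",
         "Single site with no alternate facility", "Negligible", "Critical"),
]
```

Running `risk_register(SAMPLE_PAIRS)` orders the rows High, Moderate, Low; the second pair stays Moderate after its safeguard, which is the case the plan says to document and carry forward.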
Implementation:
Security Policy
The objective of information security policy is to provide management direction and support
for information security in accordance with business requirements and governing laws and
regulations. Information security policies will be approved by management, and published
and communicated to all employees and relevant external parties. These policies will set out
the approach to managing information security and will align with relevant statewide policies.
Information security policies will be reviewed at planned intervals or if significant changes
occur, to ensure their continuing suitability, adequacy, and effectiveness. Each policy will
have an owner who has approved management responsibility for the development, review,
and evaluation of the policy. Reviews will include assessing opportunities for improvement of
information security policies and the approach to managing information security in response to
changes to the company's environment, new threats and risks, business circumstances, legal
and policy implications, and the technical environment.
The following are some of the security policies implemented to control information
security:
- Information Security Compliance Policy
- Acceptable Use of Information Technology Resources
- Confidentiality Agreement
- Information Security Roles & Responsibilities
- Data Classification & Handling Policy
- Identity and Access Management Policy
- Password Standards
- Backup & Recovery Guidelines
- Data Sanitization Guidelines
- Media Destruction Procedure
Asset management
Information assets:
It is a requirement of Information Standard 44, Information asset custodianship (IS44), that
the company identify its information assets and establish and maintain an information asset
register. The company may wish to use this register, or establish a separate one, to record the
information security classification of its information assets. For information assets that are
public records, their retention and disposal must be managed in accordance with a retention
and disposal schedule approved by the state archivist.
Control of technology devices
It is a requirement of the Information Security Policy Mandatory Clauses that the company
identify its ICT assets, document them and assign owners for the maintenance of
information security controls. ICT assets must be assigned information security controls
commensurate with the highest level of security classification applied to the information
assets contained within or transmitted via the ICT asset.
Human resources management
Pre-employment
Depending on the nature of the business, consideration should be given as to whether:
- specific information security clauses should be included in terms and conditions of
employment (e.g. responsibilities and disciplinary processes)
- additional scrutiny is required during the recruitment and selection phase for
positions involving exposure to classified or sensitive information or where relevant
legislation is in place (e.g. security assessments and criminal history checks).
During employment
Induction, training and awareness programs
The information security induction, training and awareness program should:
- address all levels of staff and all areas of the agency
- cover the following:
 - general employee responsibilities
 - information security responsibilities concerned with particular
 - the correct operation of information systems and ICT facilities and devices
 - reporting of information security events, weaknesses and incidents
 - information security related responsibilities within the agency code of
conduct and the disciplinary penalties for breaches.
Post-employment
It is recommended that the company also ensure that procedures are in place for termination of
employment.
To meet this requirement, it is suggested that agencies implement:
- exit interviews that ensure the employee understands their continuing responsibilities
for maintaining information confidentiality, and
- separation checklists that confirm:
 - the exit interview has been conducted
 - all company property has been returned (e.g. access cards/keys, credit cards, mobile phones)
 - the employee's user ID has been disabled and access rights revoked.
Physical and Environmental Management
Building controls and secure areas
The level of building and secure area controls to be implemented would depend on the
classification of the information assets stored.
Equipment security
The level of controls to be applied to agency equipment would depend on the classification
of the information assets the equipment stores. The company should provide some guidance
with regard to the following controls:
- preparation and handling
- removal from workplace and monitoring
- discussing classified information (including telephone and video conference)
- copying and storage
- electronic transmission
- archive and disposal
Communication and Operations Management
Responsibilities and procedures for the management and operation of all information
processing facilities will be established. As a matter of policy, segregation of duties will be
implemented, where appropriate, to reduce the risk of negligent or deliberate system or
information misuse. Precautions will be used to prevent and detect the introduction of
malicious code and unauthorized mobile code, to protect the integrity of software and
information. To prevent unauthorized disclosure, modification, removal or destruction of
information assets, and interruption to business activities, media will be controlled and
physically protected. Procedures for handling and storing information will be established and
communicated to protect information from unauthorized disclosure or misuse. Exchange of
sensitive information and software with other agencies and organizations will be based on a
formal exchange policy. Media containing information will be protected against unauthorized
access, misuse or corruption during transportation beyond the company's physical boundaries.
The company should manage:
- Application integrity
- Backup procedures
- Network security
- Media handling
- Information exchange
- eCommerce
Access Control
Access to information, information systems, information processing facilities, and business
processes will be controlled on the basis of business and security requirements. Formal
procedures will be developed and implemented to control access rights to information,
information systems, and services to prevent unauthorized access. Users will be made
aware of their responsibilities for maintaining effective access controls, particularly regarding
the use of passwords. Users will be made aware of their responsibilities to ensure
unattended equipment has appropriate protection. A clear desk policy for papers and
removable storage devices and a clear screen policy will be implemented, especially in work
areas accessible by the public. Steps will be taken to restrict access to operating systems to
authorized users. Protection will be required commensurate with the risks when using mobile
computing and teleworking facilities.
The company should incorporate some of the following to manage access control:
- Access control policy
- Authentication
- User access
- User responsibilities
- Network access
- Operating system access
- Application and information access
Incident Management
Information security incidents will be communicated in a manner allowing timely corrective
action to be taken. Formal incident reporting and escalation procedures will be established
and communicated to all users. Responsibilities and procedures will be established to
handle information security incidents once they have been reported.
Event/weakness reporting
Companies should develop their policies and/or procedures for information security event
and weakness reporting.
Incident procedures
Companies should develop their procedures to manage information security incidents.
Disaster Recovery Management
The objective of business continuity management is to counteract interruptions to business
activities, to protect critical business processes from the effects of major failures of
information systems or disasters, and to ensure their timely resumption. A business continuity
management process will be established to minimize the impact on the company and to recover
from loss of information assets to an acceptable level through a combination of preventive
and recovery controls. A managed process will be developed and maintained for business
continuity throughout the agency that addresses the information security requirements
needed for company business continuity.
Compliance
Legal requirements
The company should manage the information security related legal requirements that apply to
it. However, this is no replacement for agencies seeking legal advice on the specific legal
requirements that apply to them from their internal legal section.
Policy requirements
Information security policies, procedures and compliance should be reviewed and reported
on to appropriate management at least annually to ensure the reliability and overall
effectiveness of the security controls for all information systems, network infrastructures
and applications.
Audit requirements
The company should ensure that appropriately qualified personnel are assigned to audit the
compliance of the information environment against the company's policies, processes and
industry technical standards, to ensure appropriate security levels are maintained. These
personnel should, where practical, not be involved in the operational information or systems
environment of the company.