SE571 Security in Computing
Chap 8: Administering Security
Dr. Ogara

Security involves...
• Security is a combination of:
   • Technical – covered in chap 1
   • Administrative
   • Physical controls

Administering Security
• Security Planning
• Risk analysis
• Policy
• Physical control/security

Security Planning
• Effective security planning is essential for computer organization
• A security plan is a document that describes how an organization will address its security needs:
   • It is an official record of current security practices
   • Blueprint for review to improve those practices

Three Aspects of Security Planning
To define and implement a security plan we concentrate on three aspects as follows:
1. Contents of security plan/what should be there?
2. Who is involved in security planning?
3. How to obtain support for a plan

Contents of a Security Plan
A security plan should address seven issues:
1) Policy – describes the goals and whether the people involved are willing to attain these goals
2) Current state – the status of security at the time of the plan
3) Requirements – recommends ways to meet the security goals
4) Recommended controls – mapping controls to the vulnerabilities identified in the policy and requirements
5) Accountability – who is responsible for each security activity
6) Timetable – when do different security functions take place?
7) Continuing attention – specify a structure to periodically update the security plan

OCTAVE Methodology
The Software Engineering Institute at Carnegie Mellon University has created a framework for building a security plan:
1) Identify enterprise knowledge
2) Identify operational area knowledge
3) Identify staff knowledge
4) Establish security requirements
5) Map high priority information assets to information infrastructure
6) Perform an infrastructure vulnerability evaluation
7) Develop a protection strategy

Security Plan Requirements
• Explain what should be accomplished
• Are functional or performance demands placed on a system to ensure a desired level of security
• The inputs to a security plan are shown in the diagram

Responsibility for Implementation
• Plan should identify who is responsible for implementing security requirements
• Different groups can be responsible for different security roles, for example:
   • PC Users: security of own machines
   • Project leaders: security of data and computations
   • Managers: seeing that the people they supervise implement security measures

Responsibility for Implementation
   • Database administrators: access to and integrity of data in databases
   • Information officers: creation and use of data, retention and proper disposal of data
   • Personnel staff members: security involving employees

Security Planning Team Members
• Membership should relate to different aspects of security
• Planning team should represent each of the following groups:
   • Computer hardware group
   • System administrators
   • System programmers
   • Application programmers
   • Data entry personnel
   • Physical security personnel
   • Representative users

Commitment to Security Plan
• Ensure the security functions will be implemented and security activities carried out
• Three groups of people must contribute to making the plan a success:
   • The planning team
   • Those affected by the security recommendations
   • Management: using and enforcing security
• Organizations can use a “business continuity plan” to deal with situations having two characteristics:
   • Catastrophic situations: a computing capability is suddenly unavailable through fire or flood
   • Long duration

Risk Analysis
• Effective security planning includes careful risk planning
• Risks can be distinguished from other events in terms of:
   • Risk impact associated with an event
   • The probability (Prisk) of an incidence associated with each risk. 0 <= Prisk <= 1; when Prisk = 1 we say that there is a problem
   • Risk control – the degree to which an outcome can be changed

Risk Analysis
• The effects of a risk can be quantified by multiplying the risk impact by the risk probability, yielding the risk exposure:
   Risk exposure = risk impact * Prisk
• Example: Prisk = 0.40; risk impact = $10,000 (cost of cleaning the affected files)
   Risk exposure = 0.4 * 10000 = $4,000
• So, based on this calculation, we can decide that antivirus software costing $400 is worth the investment

Risk Analysis
Three Strategies for Risk Reduction:
• Avoiding the risk
   • Change security requirements
• Transferring the risk
   • Allocate the risk to other systems, people, assets
   • Buy insurance to cover any financial loss
• Assuming the risk
   • Accept and control it with available resources
   • Prepare to deal with the loss if it happens

Risk Leverage
• In addition to the impact cost, there are also costs associated with reducing the risk
• Risk leverage is the difference in risk exposure divided by the cost of reducing the risk:
   Risk leverage = (risk exposure before reduction – risk exposure after reduction) / cost of risk reduction

Risk Leverage
• If the leverage value of a proposed action is not high enough, then we need to find a less costly strategy
• The parameters in the risk leverage equation require the risk analysis process to identify and list all exposures in the computing system
• For each exposure we need to identify possible controls and their costs
• Finally we need to carry out a cost–benefit analysis

Risk Analysis
The basic steps of risk analysis are:
1. Identify the assets
2. Determine vulnerabilities
3. Estimate likelihood of exploitation
4. Compute expected annual loss
5. Survey applicable controls and their costs
6. Project annual savings of control
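
The risk exposure and risk leverage formulas, applied across the six steps above, as an added example that is not part of the original slides. Only the antivirus figures (Prisk = 0.40, impact $10,000, cost $400) come from the slides; every other asset, probability, cost and after-control value is a constructed assumption, treated here as an annual figure.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    cost: float          # cost of risk reduction (assumed annual)
    p_after: float       # assumed Prisk once the control is in place
    impact_after: float  # assumed risk impact once the control is in place

@dataclass(frozen=True)
class Exposure:
    asset: str           # step 1: the asset
    threat: str          # step 2: the vulnerability / what can go wrong
    impact: float        # risk impact in dollars
    p_risk: float        # step 3: likelihood, 0 <= Prisk <= 1
    control: Control     # step 5: candidate control and its cost

def risk_exposure(impact, p_risk):
    """Risk exposure = risk impact * Prisk (step 4: expected loss)."""
    if not 0.0 <= p_risk <= 1.0:
        raise ValueError("Prisk must lie between 0 and 1")
    return impact * p_risk

def analyse(e):
    """Return (asset, control, risk leverage, projected saving) for one exposure."""
    before = risk_exposure(e.impact, e.p_risk)
    after = risk_exposure(e.control.impact_after, e.control.p_after)
    leverage = (before - after) / e.control.cost
    saving = before - after - e.control.cost   # step 6: net saving of the control
    return (e.asset, e.control.name, round(leverage, 2), round(saving, 2))

def rank_controls(register):
    """Highest leverage first; leverage below 1 means the control costs more than it saves."""
    return sorted((analyse(e) for e in register), key=lambda r: r[2], reverse=True)

# Constructed register. Only the first row's 0.40 / $10,000 / $400 come from the slides.
REGISTER = [
    Exposure("file server", "virus infection", 10_000, 0.40,
             Control("antivirus software", 400, 0.05, 10_000)),
    Exposure("customer database", "disk failure", 50_000, 0.10,
             Control("offsite backups", 2_000, 0.10, 5_000)),
    Exposure("staff laptops", "theft", 3_000, 0.20,
             Control("locks and tracking", 900, 0.05, 3_000)),
]

if __name__ == "__main__":
    for asset, control, leverage, saving in rank_controls(REGISTER):
        verdict = "worth it" if leverage > 1 else "find a less costly strategy"
        print(f"{asset:18} {control:20} leverage={leverage:5.2f} saving=${saving:8.2f}  {verdict}")
```

A control can lower the probability (antivirus), the impact (backups), or both, which is why the after-control exposure is computed from its own pair of values.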

Alternative Steps in Risk Analysis
US Army – OPSEC used during Vietnam War
1) Identify critical information to be protected
2) Analyze the threats
3) Analyze the vulnerabilities
4) Assess the risks
5) Apply countermeasures

Alternative Steps in Risk Analysis
US Air Force – Operational Risk Management Procedure (AIROO)
1) Identify hazards
2) Assess hazards
3) Make risk decisions
4) Implement controls
5) Supervise

Policy
• Indicating the goals of a computer security effort and the willingness of the people involved to work to achieve those goals.

Organizational Security Policies
• Document to inform users of the objectives and constraints on using a system
• Purpose of policy document:
   • Recognize sensitive information assets
   • Clarify security responsibilities
   • Promote awareness for existing staff
   • Provide guidelines to new employees

Organizational Security Policies
• A security policy must address the following:
   • The audience – who can get access?
   • Contents – which resources?
   • Characteristics of good security policy – how?

Organizational Security Policies - Audience
• Three groups of audience:
   • Users
   • Owners
   • Beneficiaries (e.g. customers, clients)
• Audience uses the security policy in important but different ways
• For each policy define the degree of confidentiality, integrity, and the continuous availability in the computing resources provided to them

Security Policies: Contents
• The risk analysis identified the assets that are to be protected
• These assets (computers, networks, data) should be listed in the policy document
• The policy should also indicate:
   • Who should have access to protected resources
   • How unauthorized people will be denied access
   • How that access will be ensured

Characteristics of a good security policy
• Coverage – should be comprehensive and general
• Durability – survive system’s growth and expansion; applicable to new situations
• Realism – realistic/feasible to implement
• Usefulness – should be concise, clear and direct

Characteristics of a good security policy
Examples:
• Data sensitivity policy
• U.S. Government Agency IT Security Policy
• Internet Security Policy
• The U.S. government Email Policy

Physical Security
• Describes protection needed outside the computer system
• Physical security can be in one of these forms:
   • Natural disasters
   • Power loss
   • Human vandals
• Contingency planning is key to successful recovery:
   • Backups, offsite backups, network storage, etc.

Current State
• Describing the status of security at the time of the plan
• Risk analysis – a careful investigation of the system, its environment, and the things that might go wrong

Requirements
• Recommending ways to meet the security goals
• Heart of the security plan
• Organizational needs

Recommended Controls
• Mapping controls to the vulnerabilities identified in the policy and requirements

Accountability
• Describing who is responsible for each security activity:
   • Personal computer
   • Project leaders
   • Managers
   • Database administrators
   • Information officers
   • Personnel staff

Time Table
• Identifying when different security functions are to be done
• Show how and when the elements of the plan will be performed

Continuing Attention
• Specifying a structure for periodically updating the security plan