SE571 Security in Computing Chap 8: Administering Security


SE571 Security in Computing

Chap 8: Administering Security

SE571 Security in Computing, Dr. Ogara

Security involves..

Security is a combination of:
• Technical – covered in chap 1
• Administrative
• Physical controls

Administering Security

• Security planning
• Risk analysis
• Policy
• Physical control/security

Security Planning

Effective security planning is essential for computer organization.

A security plan is a document that describes how an organization will address its security needs:
• It is an official record of current security practices
• Blueprint for review to improve those practices

Three Aspects of Security Planning

To define and implement a security plan we concentrate on three aspects as follows:
1. Contents of security plan/what should be there?
2. Who are involved in security planning?
3. How to obtain support for a plan

Contents of a Security Plan

A security plan should address seven issues:
1) Policy – describes the goals and whether the people involved are willing to attain these goals
2) Current state – the status of security at the time of the plan
3) Requirements – recommends ways to meet the security goals
4) Recommended controls – mapping controls to the vulnerabilities identified in the policy and requirements
5) Accountability – who is responsible for each security activity
6) Timetable – when do different security functions take place?
7) Continuing attention – specify a structure to periodically update the security plan

OCTAVE Methodology

The Software Engineering Institute at Carnegie Mellon University has created a framework for building a security plan:
1) Identify enterprise knowledge
2) Identify operational area knowledge
3) Identify staff knowledge
4) Establish security requirements
5) Map high priority information assets to information infrastructure
6) Perform an infrastructure vulnerability evaluation
7) Develop a protection strategy

Security Plan Requirements

• Explain what should be accomplished
• Are functional or performance demands placed on a system to ensure a desired level of security

The inputs to a security plan are shown in the diagram

Responsibility for Implementation

The plan should identify who is responsible for implementing security requirements.

Different groups can be responsible for different security roles, for example:
• PC users: security of own machines
• Project leaders: security of data and computations
• Managers: seeing that the people they supervise implement security measures

Responsibility for Implementation

• Database administrators: access to and integrity of data in databases

• Information officers: creation and use of data, retention and proper disposal of data

• Personnel staff members: security involving employees

Security Planning Team Members

Membership should relate to different aspects of security

Planning team should respect each of the following groups:
• Computer hardware group
• System administrators
• System programmers
• Application programmers
• Data entry personnel
• Physical security personnel
• Representative users

Commitment to Security Plan

Ensure the security functions will be implemented and security activities carried out.

Three groups of people must contribute to making the plan a success:
• The planning team
• Those affected by the security recommendations
• Management: using and enforcing security

Organizations can use a “business continuity plan” to deal with situations having two characteristics:
• Catastrophic situations: a computing capability is suddenly unavailable through fire or flood
• Long duration

Risk Analysis

Effective security planning includes careful risk planning.

Risks can be distinguished from other events in terms of:
• Risk impact associated with an event
• The probability (Prisk) of an incidence associated with each risk. 0 <= Prisk <= 1; when Prisk = 1 we say that there is a problem
• Risk control – the degree to which an outcome can be changed

Risk Analysis

The effects of a risk can be quantified by multiplying the risk impact by the risk probability, yielding the risk exposure:

Risk exposure = risk impact * Prisk

Example: Prisk = 0.40; risk impact = $10,000 (cost of cleaning the affected files)
Risk exposure = 0.4 * 10000 = $4,000

So, based on this calculation, we can decide that antivirus software costing $400 is a worthwhile investment.

Risk Analysis

Three strategies for risk reduction:

Avoiding the risk
• Change security requirements

Transferring the risk
• Allocate the risk to other systems, people, assets
• Buy insurance to cover any financial loss

Assuming the risk
• Accept and control it with available resources
• Prepare to deal with the loss if it happens

Risk Leverage

In addition to the impact cost, there are also costs associated with reducing it.

Risk leverage is the difference in risk exposure divided by the cost of reducing the risk:

Risk leverage = (risk exposure before reduction – risk exposure after reduction)/cost of risk reduction

Risk Leverage

So if the leverage value of a proposed action is not high enough, then we need to find a less costly strategy.

The parameters in the risk leverage equation require the risk analysis process to identify and list all exposures in the computing system.

For each exposure we need to identify possible controls and their costs

Finally we need to carry out a cost–benefit analysis

Risk Analysis

The basic steps of risk analysis are:
1. Identify the assets
2. Determine vulnerabilities
3. Estimate likelihood of exploitation
4. Compute expected annual loss
5. Survey applicable controls and their costs
6. Project annual savings of control
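
A worked example of the risk exposure and risk leverage calculations applied across the steps above (added here, not part of the original slides). The asset name, the post-control probabilities, the second control and the leverage threshold of 1.0 are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    cost: float          # cost of risk reduction, per year
    p_after: float       # Prisk with the control in place (estimate)
    impact_after: float  # risk impact with the control in place

@dataclass
class Risk:
    asset: str
    vulnerability: str
    p_risk: float        # likelihood of exploitation, 0 <= Prisk <= 1
    impact: float        # loss in dollars if the event occurs
    controls: list = field(default_factory=list)

def exposure(p_risk, impact):
    """Risk exposure = risk impact * Prisk."""
    if not 0.0 <= p_risk <= 1.0:
        raise ValueError(f"Prisk must be in [0, 1], got {p_risk}")
    return p_risk * impact

def evaluate(risk, min_leverage=1.0):
    """Rank the controls for one risk by risk leverage, highest first."""
    before = exposure(risk.p_risk, risk.impact)
    rows = []
    for c in risk.controls:
        if c.cost <= 0:
            raise ValueError(f"{c.name}: cost of risk reduction must be positive")
        reduction = before - exposure(c.p_after, c.impact_after)
        leverage = reduction / c.cost
        rows.append({"control": c.name, "leverage": leverage,
                     "annual_savings": reduction - c.cost,
                     # below the threshold: look for a less costly strategy
                     "worthwhile": leverage >= min_leverage})
    return sorted(rows, key=lambda r: r["leverage"], reverse=True)

# Constructed register entry: Prisk, impact and the $400 antivirus cost are the
# slide's example; the "after" figures and the second control are assumptions.
SAMPLE = Risk("file server", "malware infection", 0.40, 10_000, [
    Control("managed endpoint service", 5_000, 0.01, 10_000),
    Control("antivirus software", 400, 0.05, 10_000),
])

if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row)
```

A leverage below 1.0 means the control costs more per year than the exposure it removes, so its projected annual savings are negative.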

Alternative Steps in Risk Analysis

US Army – OPSEC used during Vietnam War

1) Identify critical information to be protected
2) Analyze the threats
3) Analyze the vulnerabilities
4) Assess the risks
5) Apply countermeasures

Alternative Steps in Risk Analysis

US Air Force – Operational Risk Management Procedure (AIROO)

1) Identify hazards
2) Assess hazards
3) Make risk decisions
4) Implement controls
5) Supervise

Policy

Indicating the goals of a computer security effort and the willingness of the people involved to work to achieve those goals.

Organizational Security Policies

Document to inform users of the objectives and constraints on using a system

Purpose of policy document:
• Recognize sensitive information assets
• Clarify security responsibilities
• Promote awareness for existing staff
• Provide guidelines to new employees

Organizational Security Policies

A security policy must address the following:
• The audience – who can get access?
• Contents – which resources
• Characteristics of good security policy – how?

Organizational Security Policies - Audience

Three groups of audience:
• Users
• Owners
• Beneficiaries (e.g. customers, clients)

Audience uses the security policy in important but different ways

For each policy define the degree of confidentiality, integrity, and the continuous availability in the computing resources provided to them

Security Policies: Contents

The risk analysis identified the assets that are to be protected.

These assets (computers, networks, data) should be listed in the policy document.

The policy should also indicate:
• Who should have access to protected resources
• How unauthorized people will be denied access
• How that access will be ensured

Characteristics of a good security policy

Coverage – should be comprehensive and general

Durability – survive system’s growth and expansion…applicable to new situations

Realism – realistic/feasible to implement

Usefulness – should be concise, clear and direct

Characteristics of a good security policy

Examples:
• Data sensitivity policy
• U.S. Government Agency IT Security Policy
• Internet Security Policy
• The U.S. government Email Policy

Physical Security

Describes protection needed outside the computer system.

Physical security can be in one of these forms:
• Natural disasters
• Power loss
• Human vandals

Contingency planning is key to successful recovery:
• Backups, offsite backups, network storage, etc.

Current State

Describing the status of security at the time of the plan.

Risk analysis – a careful investigation of the system, its environment, and the things that might go wrong

Requirements

Recommending ways to meet the security goals
• Heart of the security plan
• Organizational needs

Recommended Controls

Mapping controls to the vulnerabilities identified in the policy and requirements

Accountability

Describing who is responsible for each security activity:
• Personal computer
• Project leaders
• Managers
• Database administrators
• Information officers
• Personnel staff

Time Table

Identifying when different security functions are to be done.

Show how and when the elements of the plan will be performed.

Continuing Attention

Specifying a structure for periodically updating the security plan