CISSP All-in-one Exam Guide, Shon Harris: Security Management Practices, Security Management Planning

Page 1: Security Management Practices, Security Management Planning

CISSP All-in-one Exam Guide Shon Harris

1

Security Management Practices
Security Management Planning

Page 2: Security Management

• Security Management includes
– Risk management
– Information security policies
– Procedures
– Standards
– Guidelines
– Baselines
– Information classification
– Security organization
– Security education

Page 3: Security Policy

• Security Policy
– Blueprint for a company’s security program
– Necessary foundation to build upon
• After developing the security policy
– Develop and implement procedures, standards and guidelines that support the security policy
– Identify security countermeasures

Page 4: Approaches to a security program

• Top-down approach
– Initiation, support and direction come from top management, work their way to middle management and then to staff members
– Ideal approach for a security program
– Makes sure people are responsible for a company’s assets
• Bottom-up approach
– IT department develops a security program without proper management support and direction
– Less effective, not broad enough, doomed to fail

Page 5: Security Administration and Supporting Controls

• A company’s data and assets are protected by
– Physical controls: facility protection, security guards, locks, monitoring, environmental controls and intrusion detection
– Technical controls: logical access controls, encryption, security devices, identification and authentication, auditing (log files)
– Administrative controls: policies, standards, procedures, guidelines, screening personnel, security awareness and training

Page 6: Due Care

• Legal term and concept used to help determine liability in a court of law
• An information owner violates due care if
– they do not lay out the foundation of data protection, and
– they do not ensure that the directives are enforced
• If practicing due care
– Acting responsibly
– Lower probability of being found negligent and liable in the event of a security incident
• Analogy: due care is like carrying proper insurance on your car

Page 7: AIC Triad

• Security objectives must address
– Availability
– Integrity
– Confidentiality

Page 8: Security Goals

• Operational/daily goals – daily tasks
– Ensure the company functions in a smooth and predictable manner
– E.g. update virus definitions, apply patches
• Tactical goals – short term
– E.g. integrate all workstations and resources into one domain for central control
• Strategic goals – long term
– E.g. move all branches from dedicated communication lines to frame relay, implement IPSec VPNs for remote users, integrate wireless technology into the environment

Page 9: Security Frameworks

• COBIT framework
– IS auditors use COBIT to determine the efficiency of implemented controls

Page 10: ISO 17799

• ISO 17799 is a standard and an industry best practice for developing and implementing a security program
• Derived from the British standard 7799 (BS 7799)
• Internationally recognized Information Security Management (ISM) standard; provides high-level, conceptual recommendations for enterprise security

Page 11: ISO 17799

• Part 1 – Implementation guide
• Part 2 – Auditing guide

Page 12: ISO 17799

• Domains
– Information security policy for the organization
– Creation of information security infrastructure
– Asset classification and control
– Personnel security
– Physical and environmental security
– Communications and operations management
– Access control
– Systems development and maintenance
– Business continuity management
– Compliance

Page 13: Security Management Planning

• When planning for security management, you must know
– Your company's or client's business
– What is important to them
– Different industries, even different departments, have different information security priorities
• You must identify costs, risks and benefits
– Initial investment
– Ongoing costs

Page 14: Security Management Planning

• What are the benefits – metrics for measurement
– Help desk reduction
– Common data locations
– Reduced remote access costs
– Improved business partner access
– Enhanced public perception
• What organizations want: reduce cost and increase productivity

Page 15: Security Management Planning

• Management needs to understand what will be impacted
• You must identify potential losses if security is not properly implemented
– Trade secrets
– Viruses, worms, malicious code
– Confidential information
– Personal e-mail
– Adverse publicity
– Denial of service
– Hard drive reformats
– Financials
– Router reconfigurations
– Hacked web pages
– Breach of HR information

Page 16: Security Management Planning

• Four reasons decision makers procrastinate
– Cannot understand or quantify threats and vulnerabilities
– Unable to measure the severity and probability of risk
– No direct relationship between risks and the cost of mitigation
– Believe that the solution will interfere with the performance or appearance of the product
• Explain in terms of dollars: if we invest $100, we will reduce the risk by $1,000

Page 17: Information Risk Management (IRM)

Page 18: IRM policy

• Subset of the organization’s overall risk management policy
• Mapped to the organizational security policies
• Provides infrastructure for the organization’s risk management process and procedures
• Addresses all issues of information security

Page 19: Risk Analysis

• A tool for risk management
• Identifying, assessing, and mitigating risks
• Four main goals
– Identify assets and their values
– Identify vulnerabilities and threats
– Quantify the probability and business impact of potential threats
– Provide an economic balance between the impact of the threat and the cost of the countermeasure

Page 20: Risk Analysis

• Identifies threat agent exploits
• Provides a cost/benefit comparison
– Comparison of the annualized cost of the safeguard to the potential cost of the loss it prevents
– A safeguard should not be implemented unless the cost of loss exceeds the annualized cost of the safeguard
• Project sizing – carried out before an assessment and analysis is started
– To understand what assets and threats are to be evaluated

Page 21: Risk Analysis

• Risk analysis team
– Include individuals from many or all departments
  • Ensures that all threats are identified and addressed
– Must include people who understand the processes that are a part of their department
– Individuals must be at the right level
• Valuation of information and assets
– Important to protect them
– Senior management reviews and approves the list to make them a part of the scope of the IRM

Page 22: Economic Capital

• Amount of money a company needs to protect itself against unexpected losses
• Resources your organization can spend on protecting itself

Page 23: Costs That Make Up the Value

• Actual value of asset – determined by costs to acquire, develop, and maintain
• Value of data – determined by the value it has to its
– owners
– authorized users
– unauthorized users
– E.g. a stolen credit card database has a lot of value to the thief
• Assets can be
– Tangible (computers, facilities, supplies, personnel)
– Intangible (reputation, data, intellectual property, employee knowledge)

Page 24: Costs That Make Up the Value

• Consider
– Cost to acquire or develop
– Cost to maintain and protect
– Value of assets to owners and users
– Value of assets to adversaries
– Value of intellectual property
– Price others are willing to pay
– Cost to replace the asset if lost
– Operational and production activities that are affected if the asset is unavailable
– Liability issues if the asset is compromised
– Usefulness and role of the asset in the organization

Page 25: Identifying Threats

• What to be afraid of
– Man-made
  • Backdoors
– Natural
– Technical
  • Viruses, spyware
• Loss potential
• Delayed loss
– Loss anywhere from 15 minutes to years after exploitation
– Litigation

Page 26: Quantitative Risk Analysis

• Assign real numbers
– Safeguard costs
– Asset value
– Business impact
– Threat frequency
– Safeguard effectiveness
– Exploitation probabilities
• Provides concrete probability percentages for determining likelihood
• Purely quantitative risk analysis is not possible

Page 27: Automated Risk Analysis Methods

• Collecting and interpreting the data can be overwhelming
• Automated tools make the process more accurate – a good option for risk assessment
• Advantages
– Data can be reused
– Reduces the time required to perform the analysis
– Accurate analysis
– Reports and graphs to be presented to management
– Provides risk for different scenarios

Page 28: Risk Analysis Steps

• Assign value to information assets
• Estimate potential loss per threat – SLE
• Perform threat analysis – ARO
• Derive the overall loss potential per risk – ALE
• Choose remedial measures
• Reduce, assign, or accept the risk

Page 29: Evaluating Risk

• Formula for risk evaluation

Asset Value (AV) × Exposure Factor (EF) = Single Loss Expectancy (SLE)

Exposure Factor – percentage of asset loss caused by the identified threat

Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO) = Annualized Loss Expectancy (ALE)

Annualized Rate of Occurrence – estimated frequency with which a threat will occur within a year

Page 30: ARO

• Represents the estimated frequency of a specific threat taking place within a one-year time frame
• Range can be anywhere from 0.0 (never) to 1.0 (once a year) to greater than one (several times a year)
• E.g. the probability of a flood taking place in Mesa, Arizona is once in 1000 years – ARO = 0.001

Page 31: Results of Risk Analysis

• Risk is measured by assigning a value to information and assets – ALE
• Results
– Monetary value assigned to assets
– List of all possible threats
– Probability of the occurrence of each threat
– Loss potential for the company over a 12-month period
– Recommended safeguards, countermeasures

Page 32: Qualitative Risk Analysis

• Walk through and rank the seriousness of each threat
• Techniques
– Judgment
– Intuition
– Experience
• Examples
– Delphi – group discussion
– Brainstorming
– Storyboarding
– Focus groups
– Surveys
– Questionnaires
– Checklists
– One-on-one meetings
– Interviews
• Rank risk as
– high, medium or low, or
– a scale of 1-5 or 1-10

Page 33: Delphi Technique

• Group discussion method
• Ensures that each member gives an opinion
• Each member writes down their opinion
• Comments are written anonymously
• Consensus formed
• Very effective

Page 34: Protection Mechanisms

• Identify current security mechanisms
• Evaluate effectiveness
• Identify assets to protect (risk analysis)

Page 35: Countermeasure Selection

• Product costs
• Design / planning costs
• Implementation costs
• Environment modifications
• Compatibility with other countermeasures
• Maintenance requirements
• Testing requirements
• Repair / replace / update costs
• Operating support costs
• Effects on productivity

Page 36: Value of Safeguard

• Cost/benefit analysis

  ALE before implementation
  – ALE after implementation
  – Annual cost of safeguard
  = Value of safeguard to the company

Page 37: Total Risk vs. Residual Risk

Threats × Vulnerability × Asset Value = Total Risk

Total Risk × Control Gap (protection the control cannot provide) = Residual Risk (amount of risk remaining after implementing risk control measures)

Page 38: Handling Risk

• Once a company has determined
– the amount of risk it has, and
– where the risk is located,
• it must decide how to deal with this risk

Page 39: Handling Risk

• Transfer – insurance policy; monetary cost
• Reduce – countermeasures, e.g. firewalls
• Reject – ignored; not advisable
• Accept – acknowledged; the cost to mitigate the risk outweighs the loss from the risk
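The formulas from the Evaluating Risk, ARO, Value of Safeguard, Total Risk vs. Residual Risk and Handling Risk slides, worked through in Python as an added example that is not part of the deck. The dollar figures, exposure factors and safeguards are constructed for illustration; only the Mesa, Arizona flood ARO of 0.001 comes from the slides.

```python
"""Quantitative risk analysis using the deck's formulas (added example).

SLE = AV x EF
ALE = SLE x ARO
Safeguard value = ALE(before) - ALE(after) - annual cost of safeguard
Residual risk = total risk x control gap

All asset values, exposure factors, safeguard costs and the defacement ARO are
constructed sample figures; the flood ARO of 0.001 is the deck's Mesa, AZ example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV in dollars (acquire, develop, maintain, replace ...)
    exposure_factor: float  # EF: fraction of the asset lost per occurrence, 0.0-1.0
    aro: float              # ARO: expected occurrences per year (0.0 never, 2.0 twice a year)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # product, implementation, maintenance and support cost per year
    residual_ef: float      # EF that remains once the safeguard is in place
    residual_aro: float     # ARO that remains once the safeguard is in place


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is a percentage of the asset, so it must lie in [0, 1]."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0.0 and 1.0")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO is a rate: it may exceed 1.0 but never be negative."""
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def ale_for(threat: Threat) -> float:
    sle = single_loss_expectancy(threat.asset_value, threat.exposure_factor)
    return annualized_loss_expectancy(sle, threat.aro)


def safeguard_value(threat: Threat, safeguard: Safeguard) -> float:
    """Deck's cost/benefit formula: ALE before - ALE after - annual safeguard cost."""
    sle_after = single_loss_expectancy(threat.asset_value, safeguard.residual_ef)
    ale_after = annualized_loss_expectancy(sle_after, safeguard.residual_aro)
    return ale_for(threat) - ale_after - safeguard.annual_cost


def residual_risk(total_risk: float, control_gap: float) -> float:
    """Residual risk = total risk x control gap (the protection a control cannot provide)."""
    if not 0.0 <= control_gap <= 1.0:
        raise ValueError("control gap must be a fraction between 0.0 and 1.0")
    return total_risk * control_gap


def recommend(threat: Threat, candidates: list) -> tuple:
    """Pick the safeguard with the highest value; if none pays for itself, accept the risk.

    Follows the deck's rule that a safeguard is implemented only when the loss it
    prevents exceeds its annualized cost. Transfer and reject are management calls
    outside this arithmetic, so they are not returned here.
    """
    best = max(candidates, key=lambda s: safeguard_value(threat, s), default=None)
    if best is None or safeguard_value(threat, best) <= 0.0:
        return ("accept", None)
    return ("reduce", best.name)


# Constructed sample scenarios (figures are illustrative, not from the slides).
FLOOD = Threat("Data center flood (Mesa, AZ)", asset_value=2_000_000.0,
               exposure_factor=0.25, aro=0.001)
FLOOD_BARRIERS = Safeguard("Flood barriers", annual_cost=5_000.0,
                           residual_ef=0.05, residual_aro=0.001)

DEFACEMENT = Threat("Hacked web pages", asset_value=100_000.0,
                    exposure_factor=0.4, aro=2.0)
WAF = Safeguard("Web application firewall", annual_cost=15_000.0,
                residual_ef=0.4, residual_aro=0.25)

if __name__ == "__main__":
    for threat, guard in ((FLOOD, FLOOD_BARRIERS), (DEFACEMENT, WAF)):
        sle = single_loss_expectancy(threat.asset_value, threat.exposure_factor)
        print(f"{threat.name}: SLE={sle:,.0f} ALE={ale_for(threat):,.0f} "
              f"value({guard.name})={safeguard_value(threat, guard):,.0f} "
              f"-> {recommend(threat, [guard])}")
```

The flood case shows the Accept outcome (the barriers cost more per year than the ALE they remove), while the defacement case shows Reduce.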

Page 40: Policies, Standards, Baselines, Guidelines and Procedures

Page 41: Security Policy

• General or formal statement produced by senior management (or board or committee)
• Provides scope and direction for all security activities
• Organizational Security Policy
– Establishes how a security program will be set up
– Defines program goals
– Assigns responsibilities
– Shows strategic and tactical value of security
– Outlines enforcement
• Security Policy addresses
– Laws
– Regulations
– Liabilities

Page 42: Security Policy

• Issue-specific
– Functional implementation policy
– Addresses a specific security issue
– Provides detailed explanation and attention
– Ensures all employees understand how to comply with a specific issue
– E.g. e-mail policy
– Modular policy – multiple modules in a policy
– Modular ISSP very effective
• System-specific
– Management's decisions that are specific to actual computers, networks and applications
– E.g. approved software lists, applications installed on an individual workstation, how databases are used, how firewalls, IDS and scanners are employed

Page 43: Types of Policies

• Regulatory – industry specific
– Ensures the organization follows standards set by a specific industry or regulatory body, e.g. nuclear power regulatory policy
– Encryption policy for confidential information
• Advisory – expectations, ramifications
– Strongly suggests that employees follow certain types of behavior, e.g. no internet access during work hours
– Policy violations have consequences
• Informative – FYI, not enforced
– Informs employees of certain topics
– Not for enforcement but for teaching, e.g. remind employees to lock their cars before exiting the company parking lot

Page 44: Security Policy

• Policies are broad and cover many subjects
• Procedures, standards and guidelines provide the granularity needed to support the actual policy
• Policy provides the foundation
• Procedures, standards and guidelines provide the security framework

Page 45: Standards

• Mandatory activities, actions, rules or regulations
• Provide support to a policy and reinforcement in direction
• Could be internal or externally mandated (laws and regulations)
• Implemented uniformly across the organization
• E.g. specify how hardware and software products are to be used; specify that all employees carry their identification badges at all times

Page 46: Baselines

• Baselines
– Specify a bare minimum level of performance
– Provide a consistent reference point
– Can be defined per system type to indicate
  • the necessary system settings
  • the level of protection provided
– E.g. all accounting systems must meet a baseline of EAL 4

Page 47: Guidelines and Procedures

• Guidelines
– Recommend actions and operational guides when standards do not exist
– Address the grey areas
– General approaches that provide the necessary flexibility
• Procedures
– Outline step-by-step instructions to help someone achieve a certain task
– E.g. detailed steps to set up a firewall, configure a router

Page 48: Implementation

• Awareness training
• Manuals
• Presentations
• Newsletters
• Legal banners – very effective
– Warning: computer use for company business only
– Legal banners in e-mail
• Due care and due diligence

Page 49: Data Classification

Page 50: Data Classification

• Part of a mandatory access control (MAC) model
– Access according to security clearance/labels
• Ensures that sensitive data is properly controlled and secured
• DoD multi-level security policy has four classifications
– Top secret
– Secret
– Confidential
– Sensitive but unclassified
– Unclassified

Page 51: Data Classification

• Data classification for commercial business
– Confidential
– Private
– Sensitive
– Public

Page 52: Data Classification

• Benefits
– Improved
  • Confidentiality
  • Integrity
  • Availability
– Protection mechanisms are maximized

Page 53: Data Classification

• Benefits
– A process exists to review the value of data for the business
– Increased data quality
– Increased decision quality
• Data is tagged by importance
• Sorting of data

Page 54: Data Classification for Business

• Confidential
– Highest level
– The most sensitive business information
– Intended strictly for use within the organization
– Unauthorized disclosure could seriously and adversely impact
  • Company
  • Stockholders
  • Business partners
  • Customers

Page 55: Data Classification for Business

• Private
– Less sensitive business information
– Intended for use within a company
– Unauthorized disclosure could adversely impact
  • Company
  • Stockholders
  • Business partners
  • Customers

Page 56: Data Classification

• Sensitive
– Personal information
  • HR data, salary information
– Intended for use within the company
– Applied to specific data and intended for specific people
– Unauthorized disclosure could adversely impact
  • Company
  • Employees

Page 57: Data Classification

• Public
– Unauthorized disclosure shouldn't seriously or adversely impact the company

Page 58: Sensitivity of Data

• Parameters an organization may use
– Usefulness of data
– Value of data
– Age of data
– Level of damage caused if disclosed
– Level of damage caused if data was modified
– Legal, regulatory or contractual responsibilities to protect the data
– Effect the data has on national security
– Who should be able to access the data
– Who should maintain the data
– Where the data should be kept
– Who should be able to reproduce the data
– What data requires labels and special marking
– Whether encryption is required for the data
– Whether separation of duties is required

Page 59: Data Classification Procedures

• Define classification levels
• Specify criteria
• Data owner specifies classification
• Identify data custodian
• Indicate security controls
• Document exceptions
• Determine methods to transfer ownership
• Procedures for reviewing classification and ownership
• Procedures for declassification
• Security awareness training

Page 60: Layers of Responsibilities

• Senior management
– Responsible to stakeholders for security
• Data owner
– Puts the access control label on data
• Data custodian
– Systems admin, network admin; responsible for services that store and process the data
• Security professional/analyst
– Responsible for controls
• User
– Only uses data
• Auditor
– Audits policies and plans of security professionals (controls)
– Checks if the controls meet compliance

Page 61: Layers of Responsibility

• Senior manager
• Security professional
• Data owner
• Data custodian
• User
• Auditor

Page 62: Layers of Responsibility

• Senior manager – is ultimately responsible for the security of the organization
• Security professional
– Is functionally responsible for security
– Carries out the day-to-day directives of the senior manager
• Data owner – determines data classifications for information falling within his / her scope of responsibility

Page 63: Layers of Responsibility

• Data custodian
– Maintains data
– Preserves its confidentiality, integrity, and availability
• User – uses data for day-to-day operations
• Auditor – examines security practices and mechanisms within the organization

Page 64: Data and Security Management

Page 65: Structure

• A good security policy
– Defines responsibilities
– Details lines of authority
– Lists the results of non-compliance

Page 66: Structure

• Separation of duties
– Makes sure that one individual cannot complete a critical task by himself/herself
– Collusion must take place to commit fraud when separation of duties is enforced
• Dual control
– Integrity
– Reduces errors

Page 67: Hiring Practices

• Background checks
• Nondisclosure agreements (NDA)
• References
• Termination: friendly vs. unfriendly

Page 68: Employment Policies and Practices

• Background checks / security clearances
– Use public records
– Prevent
  • Lawsuits from terminated employees
  • Lawsuits from third parties or the customer for negligent hiring (depends on the business)
  • Unqualified employees
  • Lost business and profits

Page 69: Employment Policies and Practices

• Background checks / security clearances
– Prevent
  • Time wasted recruiting, hiring, and training
  • Theft, embezzlement, or property damage
  • Money lost to recruiters' fees, signing bonuses
  • Decrease in employee morale
  • Workplace violence / sexual harassment suits
• Background checks / security clearances – for all sensitive positions

Page 70: Employment Policies and Practices

• Background checks / security clearances – what should be checked?
– SSN searches
– Workers compensation reports
– Criminal records
– Motor vehicle report
– Education verification
– Credential confirmation
– Reference checks
– Prior employer verification

Page 71: Employment Agreements

• Agreements signed when an employee signs an employment contract
– Non-compete
– Non-disclosure
– Restrictions on dissemination of corporate information

Page 72: Hiring and Termination

• Policies and procedures should
– Come down from HR
– Address
  • Handling employee departures
  • Shutting down accounts
  • Forwarding e-mail and voice-mail
  • Lock and combination changes
  • System password changes
  • Disabling VPN access
– Follow a checklist
– Common sense applies

Page 73: Employee Controls

• Rotation of duties
– No one person remains in one position for a long period of time
– Too much control over one segment by one person can result in fraud, data modification and misuse of resources
• Mandatory vacations
– Employees in sensitive areas are forced to take their vacations
– Fraud is detected when activity is discovered from a person's user account while they are on vacation, or when a specific problem stops while someone is not active on the network
• Split knowledge and dual control
– Two or more individuals are authorized or required to perform a duty or task
– E.g. changing code while in production: the programmer tests and submits the code, the software librarian verifies and changes the code

Page 74: Security Awareness Training

• Should flow from the top of the organization
• Should be seen as important by management and employees

Page 75: Security Awareness

• Communication for
– Management
  • How security affects stakeholders
– Staff
  • General security awareness
– Technical staff
  • Detailed in terms of IT deployment

Page 76: Security Awareness

• Reward good security behavior
• Needed to protect against social engineering

Page 77: Security Awareness

• Security awareness training
– Employees must be trained in good security practices
– Give employees the tools for security, e.g. if you give them a laptop, give them a cable to secure it
– Train employees to use the tools

Page 78: Other Security Training Topics

• Physical security
• Computer security
• Email security – don't click that link
• Virus control
• Acceptable use policies