CISSP All-in-one Exam Guide Shon Harris
1
Security Management Practices
Security Management Planning
Security Management
• Security Management includes
  – Risk management
  – Information security policies
  – Procedures
  – Standards
  – Guidelines
  – Baselines
  – Information classification
  – Security organization
  – Security education
Security Policy
• Security Policy
  – Blueprint for a company's security program
  – Necessary foundation to build upon
• After developing the security policy
  – Develop and implement procedures, standards and guidelines that support the security policy
  – Identify security countermeasures
Approaches to security program
• Top-down approach
  – Initiation, support and direction come from top management, work their way to middle management and then to staff members
  – Ideal approach for a security program
  – Makes sure people are responsible for a company's assets
• Bottom-up approach
  – IT department develops a security program without proper management support and direction
  – Less effective, not broad enough, doomed to fail
Security Administration and Supporting Controls
• Company's data and assets are protected by
  – Physical controls: facility protection, security guards, locks, monitoring, environmental controls and intrusion detection
  – Technical controls: logical access controls, encryption, security devices, identification and authentication, auditing (log files)
  – Administrative controls: policies, standards, procedures, guidelines, screening personnel, security awareness and training
Due Care
• Legal term and concept used to help determine liability in a court of law
• Information owner violates due care if he or she
  – Does not lay out the foundation of data protection, and
  – Does not ensure that the directives are enforced
• If practicing due care
  – Acting responsibly
  – Lower probability of being found negligent and liable in the event of a security incident
• Due care analogy – carrying proper insurance on your car
AIC Triad
• Security objectives must address
  – Availability
  – Integrity
  – Confidentiality
Security Goals
• Operational/daily goals – daily tasks
  – Ensure the company functions in a smooth and predictable manner
  – E.g. update virus definitions, patches etc.
• Tactical goals – short term
  – E.g. integrate all workstations and resources into one domain for central control
• Strategic goals – long term
  – E.g. move all branches from dedicated communication lines to frame relay, implement IPSec VPNs for remote users, integrate wireless technology into the environment
Security Frameworks
• COBIT framework
  – IS auditors use COBIT to determine the efficiency of implemented controls
ISO 17799
• ISO 17799 is a standard and an industry best practice for developing and implementing a security program
• Derived from the British standard 7799 (BS 7799)
• Internationally recognized Information Security Management (ISM) standard; provides high-level, conceptual recommendations for enterprise security
ISO 17799
• Part 1 – Implementation Guide
• Part 2 – Auditing guide
ISO 17799
• Domains
  – Information security policy for the organization
  – Creation of information security infrastructure
  – Asset classification and control
  – Personnel security
  – Physical and environmental security
  – Communications and operations management
  – Access control
  – Systems development and maintenance
  – Business continuity management
  – Compliance
Security Management Planning
• When planning for security management, you must know
  – Your company's or client's business
  – What is important to them
  – Different industries (even different departments) have different information security priorities
• You must identify costs, risks and benefits
  – Initial investment
  – Ongoing costs
Security Management Planning
• What are the benefits – metrics for measurement
  – Help desk reduction
  – Common data locations
  – Reduced remote access costs
  – Improved business partner access
  – Enhanced public perception
• What organizations want: reduce cost and increase productivity
Security Management Planning
• Management needs to understand what will be impacted
• You must identify potential losses if security is not properly implemented
  – Trade secrets
  – Viruses, worms, malicious code
  – Confidential information
  – Personal e-mail
  – Adverse publicity
  – Denial of service
  – Hard drive reformats
  – Financials
  – Router reconfigurations
  – Hacked web pages
  – Breach of HR information
Security Management Planning
• Four reasons decision makers procrastinate
  – Cannot understand or quantify threats and vulnerabilities
  – Unable to measure the severity and probability of risk
  – See no direct relationship between risks and the cost of mitigation
  – Believe that the solution will interfere with performance or appearance of the product
• Explain in terms of dollars: if we invest $100, we will reduce the risk by $1,000
Information Risk Management (IRM)
IRM policy
• Subset of the organization’s overall risk management policy.
• Mapped to the organizational security policies
• Provides infrastructure for the organization’s risk management process and procedures
• Addresses all issues of information security.
Risk Analysis
• A tool for risk management
• Identifying, assessing, and mitigating risks
• 4 main goals
  – Identify assets and their values
  – Identify vulnerabilities and threats
  – Quantify the probability and business impact of potential threats
  – Provide an economic balance between the impact of the threat and the cost of the countermeasure
Risk Analysis
• Identifies threat agent exploits
• Provides a cost/benefit comparison
  – Comparison of the annualized cost of the safeguard to the potential cost of the loss it prevents
  – A safeguard should not be implemented unless the cost of loss exceeds the annualized cost of the safeguard
• Project sizing – carried out before an assessment and analysis is started
  – To understand what assets and threats are to be evaluated
Risk Analysis
• Risk analysis team
  – Include individuals from many or all departments
    • Ensures that all threats are identified and addressed
  – Must include people who understand the processes that are a part of their department
  – Individuals must be at the right level
• Valuation of information and assets
  – Important to protect them
  – Senior management reviews and approves the list to make them a part of the scope of the IRM
Economic Capital
• Amount of money a company needs to protect itself against unexpected losses
• Resources your organization can spend for protecting your organization.
Costs That Make Up the Value
• Actual value of asset – determined by costs to acquire, develop, and maintain
• Value of data – determined by the value it has to its
  – Owners
  – Authorized users
  – Unauthorized users
  – E.g. a stolen credit card database has a lot of value to the thief
• Assets can be
  – Tangible (computer, facilities, supplies, personnel)
  – Intangible (reputation, data, intellectual property, employee knowledge)
Costs That Make Up the Value
• Consider
  – Cost to acquire or develop
  – Cost to maintain and protect
  – Value of assets to owners and users
  – Value of assets to adversaries
  – Value of intellectual property
  – Price others are willing to pay
  – Cost to replace the asset if lost
  – Operational and production activities that are affected if the asset is unavailable
  – Liability issues if the asset is compromised
  – Usefulness and role of the asset in the organization
Identifying Threats
• What to be afraid of
  – Man-made
    • Backdoors
  – Natural
  – Technical
    • Virus, spyware
• Loss potential
• Delayed loss
  – Loss anywhere from 15 minutes to years after exploitation
  – Litigation
Quantitative Risk Analysis
• Assign real numbers
  – Safeguard costs
  – Asset value
  – Business impact
  – Threat frequency
  – Safeguard effectiveness
  – Exploitation probabilities
• Provides concrete probability percentages for determining likelihood
• Purely quantitative risk analysis is not possible
Automated Risk Analysis Methods
• Collecting and interpreting data can be overwhelming
• Automated tools make the process accurate – a good option for risk assessment
• Advantages
  – Data can be reused
  – Reduces time required to perform analysis
  – Accurate analysis
  – Reports and graphs to be presented to management
  – Provides risk for different scenarios
Risk Analysis Steps
• Assign value to information assets
• Estimate potential loss per threat - SLE
• Perform threat analysis - ARO
• Derive the overall loss potential per risk - ALE
• Choose remedial measures
• Reduce, assign, or accept the risk
Evaluating Risk
• Formulas for risk evaluation
  Asset Value (AV) × Exposure Factor (EF) = Single Loss Expectancy (SLE)
  Exposure Factor – percentage of asset loss caused by the identified threat
  Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO) = Annualized Loss Expectancy (ALE)
  Annualized Rate of Occurrence – estimated frequency a threat will occur within a year
ARO
• Represents the estimated frequency of a specific threat taking place within a one-year time frame
• Range can be anywhere from 0.0 (never) to 1.0 (once a year) to greater than one (several times a year)
• E.g. the probability of a flood taking place in Mesa, Arizona is once in 1000 years – ARO = 0.001
Results of Risk Analysis
• Risk is measured by assigning a value to information and assets – ALE
• Results
  – Monetary value assigned to assets
  – List of all possible threats
  – Probability of the occurrence of each threat
  – Loss potential for the company over a 12-month period
  – Recommended safeguards, countermeasures
Qualitative Risk Analysis
• Walk through and rank the seriousness of threats
• Techniques
  – Judgment
  – Intuition
  – Experience
• Examples
  – Delphi – group discussion
  – Brainstorming
  – Storyboarding
  – Focus groups
  – Surveys
  – Questionnaires
  – Checklists
  – One-on-one meetings
  – Interviews
• Rank risk as
  – High, medium or low, or
  – A scale of 1-5 or 1-10
Delphi Techniques
• Group discussion method
• Ensures that each member gives an opinion
• Each member writes down an opinion
• Comments are written anonymously
• Consensus formed
• Very effective
Protection Mechanisms
• Identify current security mechanisms
• Evaluate effectiveness
• Identify assets to protect (Risk analysis)
Countermeasure Selection
• Product costs
• Design / planning costs
• Implementation costs
• Environment modifications
• Compatibility with other countermeasures
• Maintenance requirements
• Testing requirements
• Repair / replace / update costs
• Operating support costs
• Effects on productivity
Value of Safeguard
• Cost/benefit analysis
  (ALE before implementation) - (ALE after implementation) - (annual cost of safeguard) = value of safeguard to the company
Total Risk vs. Residual Risk
Threats × Vulnerability × Asset Value = Total Risk
Total Risk × Control Gap (protection the control cannot provide) = Residual Risk (amount of risk remaining after implementing risk control measures)
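A worked run of the quantitative formulas from the Evaluating Risk, ARO, Value of Safeguard and Total vs. Residual Risk slides, ending in the reduce/accept choice from the Handling Risk slides. This is an added Python example, not code from the deck or the Shon Harris guide; every dollar value, exposure factor, control gap and the post-control ARO of 0.2 is constructed, while the flood ARO of 0.001 is the deck's Mesa, Arizona figure.

```python
"""Quantitative risk analysis using the SLE / ALE / safeguard-value formulas.

Added example, not code from the CISSP guide or the slide deck. All asset
values, exposure factors, safeguard costs and the control gap are constructed.
"""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. EF is the fraction (0.0 to 1.0) of the asset lost in one incident."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 and 1.0")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO. ARO may exceed 1.0 for threats seen several times a year."""
    if aro < 0.0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Value of safeguard = ALE(before) - ALE(after) - annual cost of the safeguard.
    A negative result means the control costs more per year than the loss it prevents."""
    return ale_before - ale_after - annual_cost


def residual_risk(total_risk: float, control_gap: float) -> float:
    """Residual risk = total risk x control gap (the fraction the control cannot cover)."""
    if not 0.0 <= control_gap <= 1.0:
        raise ValueError("control gap must be between 0.0 and 1.0")
    return total_risk * control_gap


def recommend(ale_before: float, ale_after: float, annual_cost: float) -> str:
    """Apply the deck's rule: implement a safeguard only when the loss it prevents
    exceeds its annualized cost ('reduce'); otherwise 'accept' the risk. Transfer
    (insurance) and reject are management decisions this arithmetic cannot make."""
    return "reduce" if safeguard_value(ale_before, ale_after, annual_cost) > 0 else "accept"


def worked_example() -> dict:
    """Two constructed threat scenarios against one data centre valued at $500,000."""
    asset_value = 500_000.0

    # Scenario 1: flood. ARO 0.001 is the deck's Mesa, Arizona figure (once in 1000 years).
    # Constructed: a flood destroys 40% of the asset; a flood barrier costs $15,000 per year.
    flood_sle = single_loss_expectancy(asset_value, 0.4)            # 200,000
    flood_ale = annualized_loss_expectancy(flood_sle, 0.001)        # 200 per year
    flood_decision = recommend(flood_ale, 0.0, 15_000.0)            # barrier costs far more than it saves

    # Scenario 2: malware outbreak. Constructed: 25% of the asset lost per incident, twice a
    # year (ARO 2.0); an endpoint control costing $12,000 per year is expected to cut ARO to 0.2.
    malware_sle = single_loss_expectancy(asset_value, 0.25)         # 125,000
    ale_before = annualized_loss_expectancy(malware_sle, 2.0)       # 250,000
    ale_after = annualized_loss_expectancy(malware_sle, 0.2)        # 25,000
    value = safeguard_value(ale_before, ale_after, 12_000.0)        # 213,000
    # Constructed control gap of 10%: the control leaves a tenth of the total risk uncovered.
    residual = residual_risk(ale_before, 0.1)                       # 25,000, matching ale_after
    malware_decision = recommend(ale_before, ale_after, 12_000.0)

    return {
        "flood_sle": flood_sle, "flood_ale": flood_ale, "flood_decision": flood_decision,
        "malware_ale_before": ale_before, "malware_ale_after": ale_after,
        "malware_safeguard_value": value, "malware_residual": residual,
        "malware_decision": malware_decision,
    }


if __name__ == "__main__":
    for name, val in worked_example().items():
        print(f"{name:>24}: {val:,.2f}" if isinstance(val, float) else f"{name:>24}: {val}")
```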
Handling Risk
• Once a company has determined
  – The amount of risk it has
  – Where the risk is located
  ... it must decide how to deal with this risk
Handling Risk
• Transfer – insurance policy; monetary cost
• Reduce – countermeasures, e.g. firewalls
• Reject – ignored; not advisable
• Accept – acknowledged; the cost to mitigate the risk outweighs the loss from the risk
Policies, Standards, Baselines, Guidelines and Procedures
Security Policy
• General or formal statement produced by senior management (or board or committee)
• Provides scope and direction for all security activities
• Organizational security policy
  – Establishes how a security program will be set up
  – Defines program goals
  – Assigns responsibilities
  – Shows strategic and tactical value of security
  – Outlines enforcement
• Security policy addresses
  – Laws
  – Regulations
  – Liabilities
Security Policy
• Issue-specific
  – Functional implementation policy
  – Addresses a specific security issue
  – Provides detailed explanation and attention
  – Ensures all employees understand how to comply with a specific issue
  – E.g. e-mail policy
  – Modular policy – multiple modules in a policy
  – Modular ISSP very effective
• System-specific
  – Management's decisions that are specific to actual computers, networks and applications
  – E.g. approved software lists, applications installed on an individual workstation, how databases are used, how firewalls, IDS and scanners are employed
Types of Policies
• Regulatory – industry specific
  – Ensures the organization follows standards set by a specific industry or regulatory body, e.g. nuclear power regulatory policy
  – Encryption policy for confidential information
• Advisory – expectations, ramifications
  – Strongly suggests that employees follow certain types of behavior, e.g. no internet access during work hours
  – Policy violations have consequences
• Informative – FYI, not enforced
  – Informs employees of certain topics
  – Not for enforcement but for teaching, e.g. remind employees to lock cars before exiting the company parking lot
Security Policy
• Policies are broad and cover many subjects
• Procedures, Standards and Guidelines provide granularity needed to support the actual policy
• Policy provides foundation
• Procedures, standards and Guidelines provide the security framework.
Standards
• Mandatory activities, actions, rules or regulations
• Provide support to a policy and reinforcement in direction
• Could be internal or externally mandated (laws and regulations)
• Implemented uniformly across the organization
• E.g. specify how hardware and software products are to be used
• E.g. specify that all employees have their identification badges at all times
Baselines
• Baselines
  – Specify a bare minimum level of performance
  – Provide a consistent reference point
  – Baselines can be defined per system type to indicate
    • The necessary system settings
    • Level of protection provided
  – E.g. all accounting systems must meet a baseline of EAL 4
Guidelines and Procedures
• Guidelines
  – Recommend actions and operational guides when standards do not exist
  – Address the grey areas
  – General approaches that provide the necessary flexibility
• Procedures
  – Outline step-by-step instructions to help someone achieve a certain task
  – E.g. detailed steps to set up a firewall, configure a router
Implementation
• Awareness training
• Manuals
• Presentations
• Newsletters
• Legal banners – very effective
  – Warning: computer use for company business only
  – Legal banners in e-mail
• Due care and due diligence
Data Classification
Data Classification
• Part of a mandatory access control (MAC) model
  – Access according to security clearance/labels
• Ensures that sensitive data is properly controlled and secured
• DoD multi-level security policy has four classifications
  – Top secret
  – Secret
  – Confidential
  – Sensitive but unclassified
  – Unclassified
Data Classification
• Data classification for commercial business
  – Confidential
  – Private
  – Sensitive
  – Public
Data Classification
• Benefits
  – Improved
    • Confidentiality
    • Integrity
    • Availability
  – Protection mechanisms are maximized
Data Classification
• Benefits
  – A process exists to review the value of data for the business
  – Increased data quality
  – Increased decision quality
• Data is tagged by importance
• Sorting of data
Data Classification for Business
• Confidential
  – Highest level
  – The most sensitive business information
  – Intended strictly for use within the organization
  – Unauthorized disclosure could seriously and adversely impact
    • Company
    • Stockholders
    • Business partners
    • Customers
Data Classification for Business
• Private
  – Less sensitive business information
  – Intended for use within a company
  – Unauthorized disclosure could adversely impact
    • Company
    • Stockholders
    • Business partners
    • Customers
Data Classification
• Sensitive
  – Personal information
    • HR data, salary information
  – Intended for use within the company
  – Applied to specific data and intended for specific people
  – Unauthorized disclosure could adversely impact
    • Company
    • Employees
Data Classification
• Public
  – Unauthorized disclosure shouldn't seriously or adversely impact the company
Sensitivity of Data
• Parameters an organization may use
  – Usefulness of data
  – Value of data
  – Age of data
  – Level of damage caused if disclosed
  – Level of damage caused if data was modified
  – Legal, regulatory or contractual responsibilities to protect the data
  – Effect the data has on national security
  – Who should be able to access the data
  – Who should maintain the data
  – Where the data should be kept
  – Who should be able to reproduce the data
  – What data requires labels and special marking
  – Whether encryption is required for the data
  – Whether separation of duties is required
Data Classification Procedures
• Define classification levels
• Specify criteria
• Data owner specifies classification
• Identify data custodian
• Indicate security controls
• Document exceptions
• Determine methods to transfer ownership
• Procedures for reviewing classification and ownership
• Procedures for declassification
• Security awareness training
Layers of Responsibilities
• Senior management
  – Responsible to stakeholders for security
• Data owner
  – Puts the access control label on data
• Data custodian
  – Systems admin, network admin; responsible for services that store and process the data
• Security professional/analyst
  – Responsible for controls
• User
  – Only uses data
• Auditor
  – Audits policies and plans of security professionals (controls)
  – Checks if the controls meet compliance
Layers of Responsibility
• Senior manager
• Security professional
• Data owner
• Data custodian
• User
• Auditor
Layers of Responsibility
• Senior manager – is ultimately responsible for security of the organization
• Security professional
  – Is functionally responsible for security
  – Carries out day-to-day directives of the senior manager
• Data owner – determines data classifications for information falling within his/her scope of responsibility
Layers of Responsibility
• Data custodian
  – Maintains data
  – Preserves its confidentiality, integrity, and availability
• User – uses data for day-to-day operations
• Auditor – examines security practices and mechanisms within the organization
Data and security management
Structure
• Good security policy
  – Defines responsibilities
  – Details lines of authority
  – Lists results of non-compliance
Structure
• Separation of duties
  – Makes sure that one individual cannot complete a critical task by himself/herself
  – Collusion must take place to commit fraud when separation of duties is enforced
• Dual control
  – Integrity
  – Reduces errors
Hiring Practices
• Background checks
• Nondisclosure agreements (NDA)
• References
• Termination – friendly vs. unfriendly
Employment Policies and Practices
• Background checks / security clearances
  – Use public records
  – Prevent
    • Lawsuits from terminated employees
    • Lawsuits from third parties or the customer for negligent hiring (depends on the business)
    • Unqualified employees
    • Lost business and profits
Employment Policies and Practices
• Background checks / security clearances
  – Prevent
    • Time wasted recruiting, hiring, and training
    • Theft, embezzlement, or property damage
    • Money lost to recruiters' fees, signing bonuses
    • Decrease in employee morale
    • Workplace violence / sexual harassment suits
• Background checks / security clearances – for all sensitive positions
Employment Policies and Practices
• Background checks / security clearances – what should be checked?
  – SSN searches
  – Workers' compensation reports
  – Criminal records
  – Motor vehicle report
  – Education verification
  – Credential confirmation
  – Reference checks
  – Prior employer verification
Employment Agreements
• Agreements made when an employee signs an employment contract
  – Non-compete
  – Non-disclosure
  – Restrictions on dissemination of corporate information
Hiring and Termination
• Policies and procedures should
  – Come down from HR
  – Address
    • Handling employee departures
    • Shutting down accounts
    • Forwarding e-mail and voice-mail
    • Lock and combination changes
    • System password changes
    • Disabling VPN access
  – Follow a checklist
  – Common sense applies
Employee Controls
• Rotation of duties
  – No one person remains in one position for a long period of time
  – Too much control over one segment by one person can result in fraud, data modification and misuse of resources
• Mandatory vacations
  – Employees in sensitive areas are forced to take their vacations
  – Fraud detected when: activity is discovered from a person's user account while they are on vacation, or a specific problem stops while someone is not active on the network
• Split knowledge and dual control
  – Two or more individuals are authorized or required to perform a duty or task
  – E.g. changing code while in production: the programmer tests and submits code, the software librarian verifies and changes code
Security Awareness Training
• Should flow from the top of the organization
• Should be seen as important by management and employees
Security Awareness
• Communication for
  – Management
    • How security affects stakeholders
  – Staff
    • General security awareness
  – Technical staff
    • Detailed in terms of IT deployment
Security Awareness
• Reward good security behavior
• Needed to protect against social engineering
Security Awareness
• Security awareness training
  – Employees must be trained in good security practices
  – Give employees the tools for security, e.g. if you give them a laptop, give them a cable to secure it
  – Train employees to use the tools
Other Security Training Topics
• Physical security
• Computer security
• Email security – Don't click that link
• Virus control
• Acceptable use policies