Business Information Security Requirements
Fort Hays State University, Fort Hays, KS
Presented by Joshua Morrison


Page 1: Business information security requirements


Page 2: Business information security requirements

Information Security is…

Tolerating low levels of understood risk

Not just a function of the IT department

Page 3: Business information security requirements

Focus of Research

Security strategy

Security objective

Security policy, supported by:
▪ Procedures
▪ Standards
▪ Guidelines
▪ Baselines

Business information security requirements guide how high-level security policy is written

Page 4: Business information security requirements

The CIA Triad

Confidentiality

Integrity

Availability

Page 5: Business information security requirements

Confidentiality

Prevent unauthorized disclosure of information

Accomplished with access controls:
▪ Login / identity verification
▪ File permissions
▪ Encryption (still protects the data where the access control is bypassed, e.g. a lost disk)

Page 6: Business information security requirements

Integrity

Authenticity and accuracy of information: data is not altered by unauthorized parties or by undetected error (detected with checksums, hashes, or message authentication codes)

Guaranteeing accuracy includes recovering from error or disaster to a recent stable state:
▪ Data backup
▪ Version control
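As an added example (not from the slides), the following Python separates the two properties that integrity bundles together. A plain hash catches accidental corruption, but only a keyed message authentication code (HMAC) also gives authenticity, because an attacker who can rewrite the record can just as easily recompute an unkeyed hash. The record, the tampered copy and the keys are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record and a tampered copy (not taken from the slides).
RECORD = b"account=1001;balance=250.00"
TAMPERED = b"account=1001;balance=2500.00"


def digest(data: bytes) -> str:
    """Plain SHA-256. Detects accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, stored: str) -> bool:
    return hmac.compare_digest(digest(data), stored)


def tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256. Detects modification and proves the holder of `key` produced it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, stored: str) -> bool:
    # compare_digest runs in constant time, so the comparison does not leak
    # how many leading bytes of a forged tag happened to be correct.
    return hmac.compare_digest(tag(key, data), stored)


def demo() -> dict:
    """Run both schemes against silent corruption and against an active attacker."""
    key = secrets.token_bytes(32)           # held by the verifier, never stored with the data
    attacker_key = secrets.token_bytes(32)  # the attacker does not know `key`

    stored_digest = digest(RECORD)
    stored_tag = tag(key, RECORD)

    return {
        # Silent corruption of the record (disk error, bad merge) is caught by both.
        "digest_catches_corruption": not verify_digest(TAMPERED, stored_digest),
        "hmac_catches_corruption": not verify_tag(key, TAMPERED, stored_tag),
        # An attacker who can edit the record can also overwrite a plain digest,
        # so the forged pair verifies: a digest gives accuracy, not authenticity.
        "digest_accepts_forgery": verify_digest(TAMPERED, digest(TAMPERED)),
        # Without the key, the best the attacker can do is tag with a guessed key.
        "hmac_accepts_forgery": verify_tag(key, TAMPERED, tag(attacker_key, TAMPERED)),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The practical consequence for backups and version control: a stored checksum only proves the copy matches what was written, so the checksum (or the HMAC key) has to be kept where the party who can modify the data cannot also modify it.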

Page 7: Business information security requirements

Availability

Information should be accessible to authorized entities whenever it is needed

Requires failure recovery planning for hardware, software, or human failures

Minimize downtime of critical systems

Page 8: Business information security requirements

Information is meaningful data

Binary data (1s and 0s) becomes information only through interpretation

Page 9: Business information security requirements

Principle of Least Privilege

"A particular abstraction layer must be able to access only the information and resources that are necessary for its legitimate purpose" (applies to users, processes, and programs alike)

Greatly reduces the potential risk and impact of a security breach, whether malicious or unintentional in nature

Page 10: Business information security requirements

Provenance Principle

Preserving the original order and context of information

Applies to the underlying data structure

Ensures that information retains the properties of being functional and meaningful in multiple contexts

Page 11: Business information security requirements

Critical vs non-critical data

Some data, such as Personally Identifiable Information (PII), is generally critical: its protection is mandated by legal and regulatory concerns

Some data becomes critical within a given context. Example: data that has yet to be backed up, in the context of disaster recovery planning

Categorization is used to prioritize security planning

Page 12: Business information security requirements

Risk Assessment

“the process of understanding and responding to factors that may lead to a failure in the confidentiality, integrity, or availability of an information system”

Measures the likelihood and impact of a particular information security failure

Can be qualitative, quantitative, or both

Some level of risk is assumed by any business
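Added example, not part of the presentation: a small risk register in Python that scores each risk both qualitatively (likelihood x impact on a 1 to 3 scale) and quantitatively (single loss expectancy SLE = asset value x exposure factor; annualized loss expectancy ALE = SLE x annualized rate of occurrence), ranks the register, and checks whether a control pays for itself with a return-on-security-investment figure. The three risks, their values and the 15,000 per year cost of the encryption control are constructed numbers, not figures from any report.

```python
from dataclasses import dataclass
from typing import List

# Qualitative scales (constructed for this example).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    name: str
    likelihood: str         # qualitative rating of how likely the failure is
    impact: str             # qualitative rating of how bad it would be
    asset_value: float      # quantitative: value of the affected asset
    exposure_factor: float  # fraction of asset value lost per incident, 0..1
    aro: float              # annualized rate of occurrence (incidents per year)

    def qualitative_score(self) -> int:
        """Likelihood x impact on the 1..3 scales: 1 (lowest) to 9 (highest)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def sle(self) -> float:
        """Single loss expectancy: loss from one incident."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


def rank(risks: List[Risk]) -> List[Risk]:
    """Highest expected annual loss first; the qualitative score breaks ties."""
    return sorted(risks, key=lambda r: (r.ale(), r.qualitative_score()), reverse=True)


def rosi(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Return on security investment: net annual saving relative to the control's cost."""
    return (ale_before - ale_after - control_cost) / control_cost


# Constructed risk register; the figures are illustrative only.
REGISTER = [
    Risk("Lost unencrypted laptop",   "high", "high",     200_000, 0.50, 0.40),
    Risk("Phishing credential theft", "high", "medium",   500_000, 0.20, 1.50),
    Risk("Data center flood",         "low",  "high",   2_000_000, 0.80, 0.02),
]


def laptop_encryption_rosi() -> float:
    """Does full-disk encryption (assumed: 15,000 per year, cutting the exposure
    factor to 0.05 because a lost device no longer leaks data) pay for itself?"""
    before = REGISTER[0]
    after = Risk(before.name, before.likelihood, "low", before.asset_value, 0.05, before.aro)
    return rosi(before.ale(), after.ale(), 15_000)


if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.name:26s} score={r.qualitative_score()} "
              f"SLE={r.sle():>12,.0f} ALE={r.ale():>10,.0f}")
    print(f"ROSI of laptop encryption: {laptop_encryption_rosi():.2f}")
```

Note how the two views disagree: the flood has the largest single loss but the lowest expected annual loss, so a purely qualitative matrix and a purely quantitative ranking would order the register differently. Keeping both columns is what lets the business decide which view it is optimizing for.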

Page 13: Business information security requirements

Risk Assessment pitfalls

Often perfunctory: counter by modeling real-world attack scenarios

Based on speculation: use ongoing investigation and evidence

Often not assessed historically and continuously: develop a cycle for conducting risk assessment and analyze long-term trends

Page 14: Business information security requirements

Security Requirements Analysis

Intensive technical vulnerability analysis

Should be done by a highly competent IT professional

Concerned with protecting internal resources from malicious attacks

Page 15: Business information security requirements

Holistic approach to security requirements analysis

Achieved by taking the perspective of the threat agent (attacker)

Begin with the malicious desires (anti-goals) of the threat agent

Develop a comprehensive attack pattern repository, or draw on CAPEC (MITRE's Common Attack Pattern Enumeration and Classification)

Select security controls that address the attack patterns, and the vulnerabilities they exploit, identified through the CAPEC

Page 16: Business information security requirements

Heartbleed bug: vulnerability in the OpenSSL cryptography library (CVE-2014-0160)

Shellshock: vulnerability in the Unix Bash shell (CVE-2014-6271)

POODLE: vulnerability in SSL v3.0 (CVE-2014-3566)

Examples of attack vectors, taken from Symantec's annual Internet Security Threat Report (2015), that the attack patterns in the CAPEC should account for

Page 17: Business information security requirements

Network Security

Humans represent significant network security challenges

Attacks attempt to get the victim to give up sensitive data or to perform unintended actions on behalf of the attacker

Confidence tricks, such as misleading authorship of emails, are used to gain the trust of the victim
▪ Phishing
▪ Social engineering

Information security awareness training is the primary counter to these types of attacks
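Added example (not from the slides) of what "misleading authorship" looks like in a message header and how to check for it mechanically: a display name that embeds a different address than the real sender, a Reply-To that silently redirects answers to a third domain, and a sender domain that imitates a trusted one with swapped digits or extra words. The trusted domain example.com and the two sample messages are constructed for the example; the parsing uses only the Python standard library.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: the organization's own mail domain(s). Not from the slides.
TRUSTED_DOMAINS = {"example.com"}

# Constructed sample messages (not real mail).
PHISH = """\
From: "IT Helpdesk <helpdesk@example.com>" <alerts@examp1e-support.net>
Reply-To: collect@mailbox-drop.org
Subject: Your password expires today

Click the link to keep your password.
"""

LEGIT = """\
From: IT Helpdesk <helpdesk@example.com>
Subject: Scheduled maintenance

Mail will be unavailable Saturday 02:00-03:00.
"""

# Digits commonly substituted for letters when forging a lookalike domain.
HOMOGLYPHS = str.maketrans("0135", "oles")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def sender_signals(raw: str) -> list:
    """Return the reasons the From line looks like misleading authorship ([] if none)."""
    msg = message_from_string(raw)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    signals = []

    # 1. The display name carries an address that is not the real sender's.
    for shown in re.findall(r"[\w.+-]+@[\w.-]+", display_name):
        if domain_of(shown) != sender_domain:
            signals.append(f"display name shows {shown} but mail is from {sender}")

    # 2. Replies are redirected to a third domain the victim never sees.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        signals.append(f"Reply-To {reply_to} differs from sender domain {sender_domain}")

    # 3. The sender domain imitates a trusted one (homoglyphs, appended words).
    if sender_domain not in TRUSTED_DOMAINS:
        label = sender_domain.split(".")[0].translate(HOMOGLYPHS)
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in label:
                signals.append(f"{sender_domain} looks like trusted domain {trusted}")
    return signals


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, sender_signals(raw) or "no signals")
```

Mail clients usually show only the display name, which is why the first signal works on people; a gateway rule that flags these cases is the technical complement to the awareness training the slide recommends, not a replacement for it.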

Page 18: Business information security requirements

Network Security

Passwords

Weak passwords are vulnerable to brute-force attacks, or to attacks using rainbow tables when the password hashes are stored unsalted

Very strong passwords are hard to remember, resulting in some users resorting to writing them down

Multi-factor authentication is best, pairing the known password with another piece of authenticating evidence, such as a fingerprint or a one-time code
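Added example, not the presenter's code: salted PBKDF2 password storage (a random per-user salt means the same password hashes differently for every user, which is exactly what makes a precomputed rainbow table useless) combined with an RFC 6238 time-based one-time password as the second factor. The iteration count is an assumption taken from OWASP's published guidance for PBKDF2-HMAC-SHA256; everything else uses only the Python standard library.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Assumed work factor (OWASP's 2023 figure for PBKDF2-HMAC-SHA256); not from the slides.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, iterated hash. Per-user random salt: identical passwords hash differently,
    so an attacker cannot precompute one table and look every hash up in it."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password: HMAC-SHA1 over the 30-second counter."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32: str, code: str, at: int = None, window: int = 1) -> bool:
    """Accept the current code and +/- `window` steps to tolerate clock drift."""
    at = int(time.time()) if at is None else at
    return any(hmac.compare_digest(totp(secret_b32, at + 30 * w).encode(), code.encode())
               for w in range(-window, window + 1))


def login(password: str, stored_hash: str, totp_secret: str, code: str, at: int = None) -> bool:
    """Both factors are always evaluated, so a failed login does not reveal through
    response timing which of the two was wrong."""
    ok_pw = verify_password(password, stored_hash)
    ok_otp = verify_totp(totp_secret, code, at)
    return ok_pw and ok_otp


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    secret = base64.b32encode(os.urandom(20)).decode()   # enrolled in the user's authenticator app
    now = int(time.time())
    print("login ok:", login("correct horse battery staple", stored, secret, totp(secret, now), now))
    print("wrong password:", login("Correct horse battery staple", stored, secret, totp(secret, now), now))
```

The TOTP secret is a shared symmetric key, so it needs the same protection as the password database; what it adds is that a password captured by phishing is useless without the current 30-second code.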

Page 19: Business information security requirements

Don't rely too heavily on network security

Protect data services within the network inside virtualized environments: virtual data centers (VDC) and committed application implementations, Virtual Application Data Centers (VADC)

These provide encapsulation to data services: more portable, flexible, and secure

Page 20: Business information security requirements

Human-based IS vulnerabilities

People present a variety of challenges to information security planning

Stolen or lost laptops and mobile devices account for many data leaks
▪ Encrypt these devices or ensure that they remain in secure locations

Humans are targets for sophisticated social engineering attacks
▪ Workers must remain vigilant and informed about specific attacks

Page 21: Business information security requirements

Information Security Training

Should be continuous: new threats are constantly being generated

Should be targeted

Should be measurable: necessary to gauge the effectiveness of training

Should promote positive attitudes about information security

Page 22: Business information security requirements

Information security positive culture

The culture of a company is "a pattern of shared basic assumptions learned by a group as it solves problems of external adaptation and internal integration, which has worked well enough to be considered valid and, therefore, to be taught to new members as the correct way to perceive, think, and feel in relation to those problems" (Schein's definition of organizational culture)

Page 23: Business information security requirements

Information security positive culture

Understanding policy alone will not ensure consistency in compliance with policy; perceived cultural norms influence outcomes

Example: how consistently are security violations being reported?
▪ Influenced by social networking and peer relationships
▪ Consistency of reporting increases as this behavior is perceived as the cultural norm

Page 24: Business information security requirements

Information Security Training and Awareness Approach (ISTAAP)

Information Security Culture Assessment (ISCA): survey used to benchmark the level of information security culture in an organization

Empirical evidence supports the value of using ISTAAP to instill an information security-positive culture

Page 25: Business information security requirements

Information Security Training and Awareness Approach (ISTAAP)

ISTAAP is cyclical with 4 main phases:
1. Planning and Objectives (PO)
2. Develop Training and Awareness (DTA)
3. Targeted Implementation (TI)
4. Evaluate Effectiveness (EE)

Page 26: Business information security requirements

ISTAAP phases PO and DTA

PO: the Planning and Objectives phase derives training objectives from the company's security strategy, security policy, and regulatory requirements

DTA: Develop Training and Awareness; techniques include everything from hands-on training sessions to web-based training and email

Page 27: Business information security requirements

ISTAAP phases TI and EE

TI: groups of stakeholders receive training on key concepts via their preferred method of delivery

EE: administer the ISCA to determine the effect of the training on security culture as well as the effectiveness of the specific training actions; identify future training opportunities

Page 28: Business information security requirements

Standards Based Information Security Models

Benefits of adopting an IS standard:
▪ Comprehensive and systematic approach
▪ Battle tested
▪ Can employ certified professionals to implement
▪ Can effectively report level of compliance with a standard
▪ Can purchase software to facilitate standard implementation

Page 29: Business information security requirements

ISO/IEC 27001

Joint publication by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC)

Controls-oriented information security standard

Uses the plan-do-check-act cycle (explicit in the 2005 edition; the 2013 revision no longer mandates it)

International standard used in business and government

Has high-level support for policy

Defines a risk assessment procedure

Page 30: Business information security requirements

ISO/IEC 27002

Separate document used with ISO/IEC 27001

Repository of security-related best practices (the code of practice for the controls 27001 requires)

Comprehensive: ranges from topics outside classic IS, such as fire safety, to core IS topics, such as removable media policy guidelines

Compatible with other high-level standards besides ISO/IEC 27001

Recommended as a reference even with an in-house security strategy

Page 31: Business information security requirements

Information security auditing

Evaluate the effectiveness of controls:
▪ Gather information about how a unit operates
▪ Identify points at which errors are possible
▪ Identify system controls designed to prevent or detect such occurrences (countermeasures)

Auditing concludes with testing and evaluating how well IS controls function

Page 32: Business information security requirements

Regulatory / Legal concerns in IS

Business should seek to exceed the minimum standards set by state and federal regulations (HIPAA, OSHA, etc.)

The legal field of information security regulation is relatively young; case law is constantly being established

As information crosses state and national boundaries, more restrictive regulation may apply

Page 33: Business information security requirements

Ethical concerns in IS

Obligations to stakeholders should be considered when writing IS policy

Communicate to stakeholders how their personal information is used by the company

Combine ethical concerns with regulatory concerns when considering changes to IS policy

Page 34: Business information security requirements

Disaster recovery planning

Ensure the continued operation of critical workflow functions despite the loss of support systems

Disasters come from many sources:
▪ Natural disaster
▪ Inadvertent action
▪ Deliberate action

Page 35: Business information security requirements

A Six-Stage Business Continuity and Disaster Recovery Planning Cycle (Cook)

1. Emergency operations
2. Insurance plan
3. Communication plan
4. IT/SCM infrastructure
5. Employee relations
6. Legal and regulatory

Page 36: Business information security requirements

Data Breach Planning

1. Investigation of the incident
2. Identify and execute corrective measures
3. Identify applicable law
4. Determine if notifications are required
5. Notification and communication plan

Page 37: Business information security requirements

Cloud Service Providers (CSP)

Offer low-cost, high-performance data services; ideal for big data

CSP security practices are often not transparent

CSP security is generally not directly auditable by the client (beyond the attestation reports the provider chooses to publish)

Care must be taken to analyze the contracts and policies of CSP partners: the business must trust them with sensitive information

Page 38: Business information security requirements

Economic Factors

Business goals, and IS goals in turn, are prioritized by budgetary concerns, so accurate valuation of threats in risk assessment is very important

Human motivation aspects of economic theory should be considered in IS policy:
▪ Incentives
▪ Liability

Page 39: Business information security requirements

Writing IS Policy

Policies are high level

Documents that support policies are more granular:
▪ Procedures
▪ Standards
▪ Guidelines
▪ Baselines

Page 40: Business information security requirements

Conclusion

As predicted, it was possible to create a list of best practices regarding Business Information Security Requirements

Further research may yield more requirements or add additional scope to existing requirements

Page 41: Business information security requirements

Business Information Security Requirements (1)

All 3 aspects of the Confidentiality, Integrity, and Availability (CIA) triad should be upheld

The Principle of Least Privilege and the Provenance Principle should be upheld

It should be an easily understood document that is used as a reference point

It should be reviewed and modified as a company changes

Page 42: Business information security requirements

Business Information Security Requirements (2)

Each iteration of the policy should be dated and archived

All persons who are subject to the policy must have easy access to it

It should support proper management of liability and incentives as they relate to IS

Determine if the proposed policy would require changes to the risk assessment or auditing cycles

Page 43: Business information security requirements

Business Information Security Requirements (3)

Determine if the proposed policy would require changes to security requirements analysis, e.g. adding a new attack pattern to the CAPEC

Determine if the proposed policy would comply with existing legal and regulatory restrictions

Determine if the proposed policy could negatively affect stakeholders

Page 44: Business information security requirements

Business Information Security Requirements (4)

Determine if the proposed policy would circumvent the current network security posture

Determine if the policy is in compliance with all adopted security standards

Determine if the policy affects disaster recovery or data breach response planning

Determine if the policy requires any new security awareness training

Determine how the policy will impact information security culture

Determine if extraordinary security measures are required, e.g. assessing the security practices of a new cloud data provider