chapter 1 security management practices_2

Security Policy, Standard and Practices

Upload: vruddhi

Post on 16-Jan-2016


Page 1: Chapter 1 Security Management Practices_2

Security Policy, Standard and Practices

Page 2: Chapter 1 Security Management Practices_2

Security Policy

Policy forms the basis of all information security tasks.

IS policies are the least expensive control but the most difficult to implement.

Policies are a set of guidelines that senior management enforces on the other members of the organization.

They regulate the activities of the organization's members who make decisions.

Page 3: Chapter 1 Security Management Practices_2

Standard and Practices

Standards are a more detailed description of what must be done to comply with policy guidelines.

Standards consist of specific low-level mandatory controls that help enforce and support the information security policy.

Policies drive standards, and standards state the practices, procedures and guidelines.

Page 4: Chapter 1 Security Management Practices_2

Standard and Practices

Practice

Page 5: Chapter 1 Security Management Practices_2

Guidelines

Guidelines consist of recommended, non-mandatory controls that help support standards or serve as a reference when no applicable standard is in place.

Guidelines should be viewed as best practices that are not usually requirements, but are strongly recommended.

For example, a standard may require passwords to be 8 characters or more, and a supporting guideline may state that it is best practice to also ensure the password expires after 30 days.

Page 6: Chapter 1 Security Management Practices_2

Procedures

Procedures consist of step-by-step instructions to assist workers in implementing the various policies, standards and guidelines.

They explain how to implement policies, guidelines and standards in a step-by-step fashion.

For example, a procedure could be written to explain how to install Windows securely, detailing each step that needs to be taken so that the installation satisfies the applicable policy, standards and guidelines.

Page 7: Chapter 1 Security Management Practices_2

Example. A policy may state that all business information must be adequately protected when being transferred.

A supporting data transfer standard builds upon this, requiring that all sensitive information be encrypted using a specific encryption type and that all transfers are logged.

A supporting guideline explains the best practices for recording sensitive data transfers and provides templates for the logging of these transfers.

A procedure provides step by step instructions for performing encrypted data transfers and ensures compliance with the associated policy, standards and guidelines.

Page 8: Chapter 1 Security Management Practices_2

Standard and Practices

Page 9: Chapter 1 Security Management Practices_2

Common Standards

The most common is 'Information Technology – code of practice' (BS7799).

This code was adopted by ISO and IEC.

ISO: International Organization for Standardization

IEC: International Electrotechnical Commission

Page 10: Chapter 1 Security Management Practices_2

Risk Management

Page 11: Chapter 1 Security Management Practices_2

Basics

Asset:

An asset is a resource, process, product, piece of infrastructure, or anything else that an organization considers worth protecting.

The loss of an asset causes tangible or intangible impacts on the organization.

Threat:

A threat is the presence of any potential event that could cause an adverse effect on the organization.

It could be initiated by humans (an attack on your website) or by nature (an earthquake).

Page 12: Chapter 1 Security Management Practices_2

Basics

Safeguard:

A safeguard is a control or countermeasure put in place to reduce the risk associated with a threat.

Vulnerability:

A vulnerability is the absence or weakness of a safeguard.

Page 13: Chapter 1 Security Management Practices_2

Basics

[Figure: relationship between the basic terms] Threat agent gives rise to threat; threat exploits vulnerability; vulnerability leads to risk; risk can damage asset; asset damage causes an exposure; exposure can be countered by safeguard.

Page 14: Chapter 1 Security Management Practices_2

Risk Management

Risk management is an ongoing, iterative process that includes identifying, evaluating and mitigating risk in an organization.

It is about knowing:

• what we have,

• what the problem areas are,

• what the likely threats are,

• and how well they can be prevented.

Page 15: Chapter 1 Security Management Practices_2

Risk management

Risk management:

Is a targeted, proactive solution to potential threats and incidents.

Is the skill of handling the identified risks in the best possible way in the interest of the organization.

Is the process of identifying risk, assessing risk, and taking steps to reduce risk to an acceptable level.

Risk = threat x vulnerability x asset value

Page 16: Chapter 1 Security Management Practices_2

Risk management

Objective: The objective of performing risk management is to enable the organization to accomplish its mission(s):

by better securing the IT systems that store, process, or transmit organizational information;

by enabling management to make well-informed risk management decisions to justify the expenditures that are part of an IT budget;

by assisting management in authorizing (or accrediting) the IT systems on the basis of the supporting documentation resulting from the performance of risk management.

Page 17: Chapter 1 Security Management Practices_2

Risk Management Process

[Figure: risk management process cycle] Mission & security objective → Information protection requirements → Evaluate risk → Define alternatives → Decide on risk countermeasures → Implement countermeasures.

Page 18: Chapter 1 Security Management Practices_2

Risk Management Process

Step 1. (mission and objective)

Management sets a clear policy direction.

Step 2. (protection requirements)

By understanding the security risk, the security needs are defined.

By considering asset value and exposure factor, the requirements are specified.

Step 3. (risk evaluation)

Risk evaluation requires a keen eye.

It provides a baseline that can be used to focus mitigation and improvement activities.

Page 19: Chapter 1 Security Management Practices_2

Risk Management Process

Step 3. (risk evaluation)

In this risk analysis we consider:

• What needs to be protected?

• From whom and from what must it be protected?

• How is it threatened?

• How could it be protected? etc.

Step 4. (risk response)

Find out the alternatives available and what safeguards could be applied.

Page 20: Chapter 1 Security Management Practices_2

Risk Management Process

Step 5. (selection of safeguard)

After finding out the various countermeasures for protecting the assets, we have to choose a set that matches the threats envisaged.

Some selection measures:

• Accountability features of the safeguard

• Level of manual operation required

• Cost/benefit analysis

• Ability for recovery.

Page 21: Chapter 1 Security Management Practices_2

Risk Management Process

Step 6. (implementation of safeguard)

The implementation process involves implementing the countermeasure and continuously monitoring it to check whether it proved beneficial.

Page 22: Chapter 1 Security Management Practices_2

Risk Management Process

Risk management encompasses three processes:

risk assessment,

risk mitigation,

and evaluation and assessment.

Page 23: Chapter 1 Security Management Practices_2

Risk Assessment

Risk assessment is the first process in the risk management methodology.

Organizations use risk assessment to determine the extent of the potential threat and the risk associated with it.

The output of this process helps to identify appropriate controls for reducing or eliminating risk.

Page 24: Chapter 1 Security Management Practices_2

Risk Assessment

Step 1: System characterization

Define the scope of the effort, i.e. the boundaries and resources are identified.

Understand the system processing environment (hardware, software, data, users etc).

Step 2: Threat identification

Identify the threat and the threat source.

Step 3: Vulnerability identification

Develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited by the potential threat sources.

Page 25: Chapter 1 Security Management Practices_2

Risk Assessment

Step 4: Control Analysis

Analyze the controls that have been implemented, or are planned for implementation, to minimize or eliminate the likelihood (or probability) of a threat.

Step 5: Likelihood Determination

The likelihood that a potential vulnerability could be exercised by a given threat source can be described as high, medium, or low.

Page 26: Chapter 1 Security Management Practices_2

Risk Assessment

Step 6: Impact Analysis

Determine the adverse impact resulting from a successful threat exercise of a vulnerability (e.g. loss of availability, confidentiality, integrity).

Step 7: Risk Determination

Assess the level of risk to the system.

Risk level (High, Medium, Low)
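The risk formula from the Risk management slide (Risk = threat x vulnerability x asset value) and assessment steps 5 to 7 above, worked through on a small risk register. This is an added example, not part of the slides: the register values are constructed, and the likelihood/impact weights and matrix thresholds are assumed to be those of NIST SP 800-30, whose nine assessment steps the slides follow.

```python
"""Worked risk determination (added example, not from the slides).

Constructed risk register showing the slide formula
    Risk = threat x vulnerability x asset value
next to the qualitative High/Medium/Low rating of assessment steps 5-7.
Assumption: the likelihood/impact weights and the matrix thresholds are
those of NIST SP 800-30; the slides only name the three levels.
"""
from dataclasses import dataclass, replace

# NIST SP 800-30 weights (assumed): likelihood 1.0/0.5/0.1, impact 100/50/10.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}
LEVEL_ORDER = {"High": 0, "Medium": 1, "Low": 2}


@dataclass(frozen=True)
class RiskItem:
    asset: str                  # step 1: what needs protecting
    threat: str                 # step 2: threat / threat source
    vulnerability: str          # step 3: weakness the threat could exploit
    threat_score: float         # 0..1 capability and motivation of the threat
    vulnerability_score: float  # 0..1 exposure left after existing controls (step 4)
    asset_value: float          # value of the asset (constructed figures)
    likelihood: str             # step 5: High / Medium / Low
    impact: str                 # step 6: High / Medium / Low


def quantitative_risk(item: RiskItem) -> float:
    """Slide formula: Risk = threat x vulnerability x asset value."""
    return round(item.threat_score * item.vulnerability_score * item.asset_value, 2)


def qualitative_risk(likelihood: str, impact: str) -> str:
    """Step 7: combine likelihood and impact into a risk level.

    NIST SP 800-30 matrix (assumed): scale = likelihood weight x impact
    weight; above 50 is High, above 10 is Medium, otherwise Low.
    """
    scale = LIKELIHOOD[likelihood] * IMPACT[impact]
    if scale > 50:
        return "High"
    if scale > 10:
        return "Medium"
    return "Low"


def with_safeguard(item: RiskItem, effectiveness: float) -> RiskItem:
    """A safeguard reduces the vulnerability (weakness of safeguard) that the
    threat can exploit; effectiveness is the fraction of exposure removed."""
    if not 0.0 <= effectiveness <= 1.0:
        raise ValueError("effectiveness must be between 0 and 1")
    return replace(item, vulnerability_score=item.vulnerability_score * (1.0 - effectiveness))


def prioritize(register: list[RiskItem]) -> list[RiskItem]:
    """Risk mitigation step 1: address the greatest risks first, ordering by
    qualitative level and then by the quantitative score within a level."""
    return sorted(
        register,
        key=lambda it: (LEVEL_ORDER[qualitative_risk(it.likelihood, it.impact)],
                        -quantitative_risk(it)),
    )


# Constructed register (sample values, not from the slides).
REGISTER = [
    RiskItem("Customer database", "External attacker", "Unpatched web application",
             0.9, 0.8, 500_000, "High", "High"),
    RiskItem("Payroll file share", "Disgruntled employee", "Excessive access rights",
             0.5, 0.6, 200_000, "Medium", "High"),
    RiskItem("Office workstations", "Earthquake", "No off-site backup",
             0.1, 0.9, 50_000, "Low", "Medium"),
]


def risk_report(register: list[RiskItem]) -> list[tuple[str, str, float]]:
    """Step 9 in miniature: (asset, level, score) rows in mitigation order."""
    return [(it.asset,
             qualitative_risk(it.likelihood, it.impact),
             quantitative_risk(it))
            for it in prioritize(register)]


if __name__ == "__main__":
    for asset, level, score in risk_report(REGISTER):
        print(f"{level:6} {score:>12,.0f}  {asset}")
    patched = with_safeguard(REGISTER[0], 0.75)  # e.g. patching the web application
    print("residual risk after safeguard:", quantitative_risk(patched))
```

Note that the safeguard only lowers the quantitative score; the analyst still has to re-rate likelihood (step 5) for the qualitative level to change, which is why the slides treat evaluation and assessment as a continuing third process.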

Page 27: Chapter 1 Security Management Practices_2

Risk Assessment

Step 8: Control Recommendation

Controls that could eliminate the identified risks are provided.

The goal of the recommended controls is to reduce the level of risk to an acceptable level.

Step 9: Result Documentation

Once the risk assessment has been completed, the results should be documented in an official report or briefing.

Page 28: Chapter 1 Security Management Practices_2

Risk Mitigation

Risk mitigation, the second process of risk management, involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended from the risk assessment process.

Address the greatest risks and strive for sufficient risk mitigation at the lowest cost, with minimal impact on other mission capabilities.

Page 29: Chapter 1 Security Management Practices_2

Risk Mitigation

Risk mitigation steps:

Step 1: Prioritize Actions (based on risk levels)

Step 2: Check the feasibility of the recommended control options.

Step 3: Conduct Cost-Benefit Analysis

Step 4: Select Control

• On the basis of the results of the cost-benefit analysis, management determines the most cost-effective control.

Page 30: Chapter 1 Security Management Practices_2

Risk Mitigation

Risk mitigation steps (continued):

Step 5: Assign Responsibility

• Appropriate persons who have the expertise and skill sets to implement the selected control are identified, and responsibility is assigned.

Step 6: Develop a Safeguard Implementation Plan

Step 7: Implement Selected Control(s)

Page 31: Chapter 1 Security Management Practices_2

Evaluation & Assessment

Systems are always bound to change, and these changes mean that new risks will surface and risks previously mitigated may again become a concern. Thus, the risk management process is ongoing and evolving. It therefore requires:

the awareness and cooperation of members;

applying good security practice by having a specific schedule for assessing and mitigating mission risks;

senior management's commitment;

evaluation and assessment of the new risks.

Page 32: Chapter 1 Security Management Practices_2

Business Continuity and Disaster Recovery Planning

Page 33: Chapter 1 Security Management Practices_2

BCP & DRP

Plans must be made to preserve the business in case of disaster or disruption of service.

There are two types of planning to recover from such cases:

Business Continuity Plan (BCP)

Disaster Recovery Plan (DRP)

Page 34: Chapter 1 Security Management Practices_2

BCP & DRP

BCP versus DRP:

BCP: refers to the means by which loss of business may be avoided by defining the requirements for continuity of operations.

DRP: deals with restoration of the computer system and its software during and after the disaster has occurred.

BCP: ensures that you can continue your business functions and keep making money, even after a disaster.

DRP: is the process of resuming the business after a disruptive event.

BCP: is a pre-emptive process used in preparation for handling the disaster.

DRP: addresses the procedure to be followed during and after the loss.

BCP: is a management issue carried out by management.

DRP: is a technical issue carried out by IT people.

Page 35: Chapter 1 Security Management Practices_2

BCP & DRP

[Figure: Business Continuity Planning overview; labels: Normal Process, Risk Avoidance, IT Risk Avoidance, Disaster Recovery / No Business Activity, Manual Process, Recovery Process]

Page 36: Chapter 1 Security Management Practices_2

BCP

BCP is a holistic process that encompasses:

planning for potential disaster;

crafting a plan for data backup, hardware and other resources;

managing the plan in a dynamic fashion;

and practising the plan, e.g. mock fire drills.

BCP allows preparation, testing and maintenance of specific actions to recover normal data processing.

BCP ensures the continuation of business functions even after a disaster destroys the data processing capabilities.

Page 37: Chapter 1 Security Management Practices_2

BCP

The BCP process has the following key phases:

1. Scope and plan initiation

2. Business Impact Analysis(BIA)

3. Development of Business continuity plan

4. Approval to the business continuity plan and implementation

Page 38: Chapter 1 Security Management Practices_2

BCP Process

1. Scope and plan initiation

This phase covers the organisation's initial response to a disaster.

The processes in this phase are:

• Establish the requirement for continuity of operations

• Get management support

• Establish teams – functional, technical, Business continuity coordinator

• Create work plan

• Submit initial report to management

• Obtain approval

Page 39: Chapter 1 Security Management Practices_2

BCP Process

2. Business Impact Analysis (BIA)

It is a process used to help business units understand the impact of a disruptive event.

When performing a BIA the goals are:

Prioritization of criticality:

• Identify every critical business process unit

• Prioritize it

• Evaluate the impact of disruption

Estimation of downtime:

• Estimate the maximum tolerable downtime (MTD)

• MTD is the time that the business process can remain interrupted before reaching a position of no recovery.

Page 40: Chapter 1 Security Management Practices_2

BCP Process

2. Business Impact Analysis (BIA)

BIA goals

Identification of resources:

• The resources required for the critical processes are identified

• The most time-sensitive process receives the maximum resource allocation.

Page 41: Chapter 1 Security Management Practices_2

BCP Process

2. Business Impact Analysis (BIA)

Process in BIA:

Select appropriate information gathering tools

• surveys, interviews, software tools

Select the interviewees, design the questionnaires

Analyse the gathered information

Identify time-critical business functions

Assign MTDs

Rank the critical business functions by MTD

Report recovery options

Obtain management's approval

Page 42: Chapter 1 Security Management Practices_2

BCP Process

2. Business Impact Analysis (BIA)

Example BIA

Suppose the company's central database stops functioning; then key personnel should ask:

• Who are the key customers? What will be the impact on them?

• Who are our internal/external suppliers? What happens if they fail to deliver support?

• What are the key processes required to execute daily, weekly and monthly to support the business requests and overall deliverables?

Page 43: Chapter 1 Security Management Practices_2

BCP Process

3. Development of Business Continuity Plan

Decide on a recovery strategy, which includes:

Recovering business operations

Facilities and supplies

Users

Network and data centers

Decide the scope of recovery.

Plan methods for recovering data:

Taking backups of data and applications

Using on-site storage of media etc.

Page 44: Chapter 1 Security Management Practices_2

BCP Process

4. Approval to the business continuity plan and implementation

Take approval from management.

Test the plan and fix any problems found.

Build the plan into the organisation.

Awareness and training must be given.

Page 45: Chapter 1 Security Management Practices_2

DRP

DRP Goals

Provide for smooth and rapid restoration of services

Clearly document the DR requirement

Establish the alternative means of operation in advance

Train the personnel in the recovery procedure

Validate the processes and data required for recovery of services

Page 46: Chapter 1 Security Management Practices_2

DRP

DRP steps

1. Define business goals

Identify the systems and processes and their impact on overall business goals.

Document the areas to be recovered and the amount of loss acceptable.

2. Identify key personnel

Find the right person to declare the disaster.

The names and roles of persons, with contact numbers, are maintained.

Page 47: Chapter 1 Security Management Practices_2

DRP

DRP steps

3. Identify single points of failure

• The goal is to mitigate the risk

• Impact of failure, probability of failure, estimated incidents, expected loss and the expected cost of mitigation are included

4. Create a DR team

5. Develop a DRP addressing the functional areas:

• Recovery

• Restoring/sustaining business operation

• Transferring data back to the machine

as well as the technical areas:

• Hardware issues, software issues, network issues.

Page 48: Chapter 1 Security Management Practices_2

DRP

DRP steps

6. Create procedures that support the DR plan

7. Test and redefine the DRP

Page 49: Chapter 1 Security Management Practices_2

DRP

DR plan

Plan:

• Define the affected area (scope)

• Team members (along with contact numbers)

• Report format

Operational analysis:

• Review physical security

• Self-assessment through data access audit

• Review of critical services, processes and functions

Risk analysis:

• Technical and non-technical risk analysis

• BIA

Page 50: Chapter 1 Security Management Practices_2

DRP

DR plan

Documentation:

• Vendor list

• Remote locations

• Critical phone numbers

• Critical software systems

Downtime tolerance and recovery priorities:

• Business unit list

• Tolerance for downtime

• Components of recovery

Page 51: Chapter 1 Security Management Practices_2

DRP

Alternate site: a location, other than the normal facility, used to process data and/or conduct critical business functions in the event of a disaster.

Cold site

• These are offsite pre-configured facilities that have the necessary utilities.

• Cold sites only have the basic environment (electric wiring, air conditioning, flooring etc); they do not offer any components at the site in advance.

• Activation of the site may take several weeks, so the trade-off is low cost versus long activation time.

Page 52: Chapter 1 Security Management Practices_2

DRP

Alternate sites :

Warm site

• These are partially configured, usually with network connections and selected peripheral equipment, such as disk drives and controllers, but without the main computing equipment or with only a low-grade CPU.

• It is called warm because the computing equipment can be obtained quickly for emergency installation and the site is ready within several hours.

Page 53: Chapter 1 Security Management Practices_2

DRP

Alternate sites :

Hot site

• This is a stationary or mobile facility containing all the backup support of a cold site plus a computer similar to the one at the primary site.

• These are fully configured and ready to use.

• The only additional needs are staff, programs and data files.

• The costs associated with a third-party hot site are usually high.

• The hot site is intended for emergency operation for a limited time period and not for a prolonged duration.

Page 54: Chapter 1 Security Management Practices_2

DRP

Alternate sites :

Reciprocal arrangements

• This is an arrangement between two or more organisations that possess similar information processing facilities.

• Both parties promise each other to provide computer time in the event of an emergency.

Duplicate IPF (information processing facility)

• These are dedicated, self-developed recovery sites that can back up critical applications.

• They can work as a standby hot site or as a reciprocal arrangement with another organisation's IPF installation.

Page 55: Chapter 1 Security Management Practices_2

DRP test types

Checklist test

Copies of the DR plan are distributed to each business unit head.

Then the plan is reviewed to ensure that it addresses all procedures and critical areas of the organisation.

It is a preliminary test and not a satisfactory test on its own.

Page 56: Chapter 1 Security Management Practices_2

DRP test types

Structured walk-through test

Business management representatives hold a meeting to walk through the plan.

The goal is to ensure that the plan accurately reflects the organisation's ability to recover from a disaster.

Faults in the plan are picked up.

Simulation test

All the operational and support personnel are expected to perform in a practice session.

The goal is to test the ability of personnel to respond to a simulated disaster.

Page 57: Chapter 1 Security Management Practices_2

DRP test types

Parallel test

Full test of the recovery plan, utilizing all personnel.

The test processing runs in parallel with the real processing, without stopping the business, and then the results are compared.

The goal is to ensure the critical systems will run at the alternate processing backup site.

Full interruption test

Here the disaster is replicated even to the point of ceasing normal operations, as if it were a real disaster.

It is a very scary form of test, but it shows in an absolute way whether the plan works or not.

Page 58: Chapter 1 Security Management Practices_2

Ethics and Best practices

Page 59: Chapter 1 Security Management Practices_2

Ethics

Laws: rules that mandate or prohibit certain societal behavior

Ethics: define socially acceptable behavior

Page 60: Chapter 1 Security Management Practices_2

Importance of Ethics to Security

Information Security professionals are entrusted with the crown jewels of an organization.

Ethical behavior, both on and off-the-job, is the assurance that we are worthy of that trust.

IS sets and upholds a standard

Promote uniform adherence to policy through example

Page 61: Chapter 1 Security Management Practices_2

Ethics Overview

Ethics is about the way we should conduct ourselves when providing our services within the IT Security profession.

The purpose of Ethics in Information Security is not just philosophically important, it can mean the survival of a business or an industry.

Page 62: Chapter 1 Security Management Practices_2

Ethics and Information Security

Page 63: Chapter 1 Security Management Practices_2

Ethical Challenges in InfoSec

Misrepresentation of certifications, skills

Abuse of privileges

Inappropriate monitoring

Withholding information

Divulging information inappropriately

Overstating issues

Conflicts of interest

Management / employee / client issues

Page 64: Chapter 1 Security Management Practices_2

Ethical Challenges – Snake Oil

"Consultants", who profess to offer information security consulting, but offer profoundly bad advice

"Educators", both individuals and companies, that offer to teach information security, but provide misinformation (generally through ignorance, not intent)

Page 65: Chapter 1 Security Management Practices_2

Ethical Challenges – Snake Oil

"Security Vendors", who oversell the security of their products

"Analysts", who oversimplify security challenges, and try to upsell additional services to naïve clients

"Legislators", who push through "from-the-hip" regulations, without thoughtful consideration of their long-term impact

Page 66: Chapter 1 Security Management Practices_2

Ethical Differences Across Cultures

Cultural differences create difficulty in determining what is and is not ethical.

Difficulties arise when one nationality's ethical behavior conflicts with the ethics of another national group.

Example:

many of the ways in which Asian cultures use computer technology involve software piracy.

Page 67: Chapter 1 Security Management Practices_2

Ethics and Education

Within a small population, educating people can help in leveling ethical perceptions.

Employees must be trained in the expected behaviors of an ethical employee, especially in areas of information security.

They must be trained to understand what is ethical and what is not.

Proper ethical training is vital in creating informed, well-prepared, and low-risk system users.

Page 68: Chapter 1 Security Management Practices_2

Ethics

The quality of professional security activity depends upon the willingness of practitioners to observe special standards of conduct and to manifest good faith in professional relationships.

Page 69: Chapter 1 Security Management Practices_2

Rule 1

A member shall perform professional duties in accordance with the law and the highest moral principles.

Ethical Considerations

1. A member shall abide by the law of the land in which the services are rendered and perform all duties in an honorable manner.

2. A member shall not knowingly become associated in responsibility for work with colleagues who do not conform to the law and these ethical standards.

3. A member shall be fair and respect the rights of others in performing professional responsibilities.

Page 70: Chapter 1 Security Management Practices_2

Rule 2

A member shall observe the precepts (general rules) of truthfulness, honesty, and integrity.

Ethical Considerations

A member shall disclose all relevant information to those having a right to know.

A "right to know" is a legally enforceable claim or demand by a person for disclosure of information by a member. This right does not depend upon prior knowledge by the person of the existence of the information to be disclosed.

A member shall not knowingly release misleading information, nor encourage or otherwise participate in the release of such information.

Page 71: Chapter 1 Security Management Practices_2

Rule 3

A member shall be faithful and diligent (thorough) in discharging professional responsibilities.

Ethical Considerations

A member is faithful when fair and steadfast (persistent) in adherence to promises and commitments.

A member is diligent when employing best efforts in an assignment.

A member shall not act in matters involving conflicts of interest without appropriate disclosure and approval.

A member shall represent services or products fairly and truthfully.

Page 72: Chapter 1 Security Management Practices_2

Rule 4

A member shall be competent in discharging professional responsibilities.

Ethical Considerations

A member is competent who possesses and applies the skills and knowledge required for the task.

A member shall not accept a task beyond the member's competence, nor shall competence be claimed when not possessed.

Page 73: Chapter 1 Security Management Practices_2

Rule 5

A member shall safeguard confidential information and exercise due care to prevent its improper disclosure.

Ethical Considerations

Disclosure of confidential information should be restricted.

Due care requires that the professional must not knowingly reveal confidential information, or use a confidence to the disadvantage of the principal or to the advantage of the member or a third person, unless the principal consents after full disclosure of all the facts. This confidentiality continues after the business relationship between the member and his principal has terminated.

Page 74: Chapter 1 Security Management Practices_2

Rule 5 (continued)

Ethical Considerations

A member who receives information and has not agreed to be bound by confidentiality is not bound from disclosing it.

• A member is not bound by confidential disclosures of acts or omissions that constitute a violation of the law.

A member shall not disclose confidential information for personal gain without appropriate authorization.

Page 75: Chapter 1 Security Management Practices_2

Rule 6

A member shall not maliciously injure the professional reputation or practice of colleagues, clients, or employers.

Ethical Considerations

A member shall not comment falsely and with malice concerning a colleague's competence, performance, or professional capabilities.

A member who knows, or has reasonable grounds to believe, that another member has failed to conform to the Code of Ethics should inform the Ethical Standards Council.

Page 76: Chapter 1 Security Management Practices_2

Responsible Professional

Guidelines

A responsible professional

Acts with integrity

Increases personal competence

Sets high standards of personal performance

Accepts responsibility for his/her work

Advances the health, privacy, and general welfare of the public

Page 77: Chapter 1 Security Management Practices_2

Ethical Guidelines
