Information Security: Model, Process and Outputs
Presentation to PRIA WG, November 10, 2006



Agenda

• Information Security Method
• Example


Information Security Method

• The problem…simply stated?

• The solution:
  – Model
  – Process
  – Outputs


Problem: Managing Information Risk

[Figure: 3 × 3 risk matrix. Vertical axis: Severity of Consequence* (increasing). Horizontal axis: Likelihood of Occurrence (increasing). Each cell is labeled with one Severity / Likelihood pair over the levels Low, Moderate and High, from "Severity: Low, Likelihood: Low" to "Severity: High, Likelihood: High".]

* In some cases, consequence severity may not change. The goal then is to drive “likelihood of occurrence” to zero.


Security Solution: Model / Process / Outputs

• Five component security model

• Step-by-step security solution development process

• Ten “must have” outputs for understanding, managing and monitoring your security solution


Information Security Model

1. Business & Risk Description (Foundation)

2. Policy and Architecture (Framework)

3. Solution Specification (People, Processes & Technology)

4. Support (Testing, Maintenance & Sustainability)

5. Education (Initial and Continual)


Information Security Model (cont.)

• Business & Risk Description
  – Overall description of business scenario(s)
  – Understanding of information assets, users, and operational environment
  – Identification and summarization of business risks associated with information assets
• Framework
  – Definition of an information security policy
    • Major statements (requirements) regarding information security
    • Can be considered the “what is allowed / not allowed” document
  – Definition of an information security architecture
    • The “big picture” that ties together information resources and how they should be protected
    • Identifies the major information systems and the interconnectivity between those systems


Information Security Model (cont.)

• Solution
  – Detailed specifications
    • Technology
    • Procedures
    • Personnel
  – Implementation planning
  – Implementation and test
  – Certification & accreditation
• Support Program
  – Follow-on Testing, Re-certification & Reporting
  – Maintenance & Monitoring
  – Insurance & Contingency Planning
• Awareness Program
  – General security literature
  – Specific “How to…” guides
  – Periodic “refresher” courses


Information Security Process

• Expands on the Model

• A step-by-step, manageable approach to defining, deploying, operating and maintaining an information security solution

• Generates the ten “must have” outputs

[Diagram labels: Information Security Model; Security Solution]


Information Security Process (cont.)

[Process diagram: steps grouped by model component]

• Business & Risk Description
  – 1A Define Business Functions
  – 1B Define Assets
  – 1C Define Operational Environment
  – 1D Summarize Risks
• Framework
  – 2A Develop Policy
  – 2B Develop Solution Architecture
• Solution
  – 3A Specify Solution
  – 3B Implement Solution
• Support Program
  – 4A Maintain Solution
  – 4B Monitor Solution
  – 4C Develop Contingency Plans
• Awareness Program
  – 5 Educate Personnel

Other diagram labels: Assess and Re-assess Risk Throughout Process; Major Executive Review


The Results

• A security solution:
  – Derived from business requirements
  – Derived from defined business risks
  – Results in appropriate protection of business assets
• Risk management capability
  – Each step after the risk summarization step forces a risk mitigation review for each identified risk
  – What one step cannot address, another step will address
  – The monitoring step ensures that risk management and monitoring always exist


The Results (cont.)

• Documented solution to support:
  – Change control
  – Awareness training
  – Audits and accreditation
• A review process:
  – Two major reviews
    • Risk Summary Review
    • Solution Specification Review
  – Major reviews intended for trade-off analyses
  – Risk mitigation reviews after each step following Risk Summarization Step
  – Other reviews can be performed as needed and in line with already established corporate review procedures


The Results: Ten “Must Have” Outputs

• Business Description (Use Cases)
• Risk Summary
• Security Policy
• Security Architecture
• Security Solution Specification


The Results: Ten “Must Have” Outputs

• Solution Implementation Plan
• Solution Maintenance Plan
• Solution Monitoring Plan
• Contingency Plans
• Education Program Plan


Ongoing Process…

• There is no “one-time” solution to managing information security risks

• Conditions change; risks change

• Each output is a living document that needs to be reviewed for accuracy and relevancy
  – Periodically (i.e., time-driven events)
  – Ad hoc (i.e., event-driven events)

• Reapply process (or portions of process) as needed based on changing risks


Example: eRecording (Business Analysis)

[Diagram labels: Settlement Agent; eRec Docs; County Recorder (eRecording System)]

Assets: eRecording Documents

Participants: Settlement Agent and County Recorder

Workflow: Electronic Recording of a Closed eMortgage

Communications: Internet based

Applications: Web Browser / eRecording System


Example: eRecording (Risk Analysis)

• Potential vulnerabilities:
  – Unprotected eRecording documents
  – Unprotected communications
  – Insecure eRecording System
• Potential threats:
  – Untrustworthy settlement agent
  – Man-in-the-Middle (phishing, pharming, etc.)
  – Internet based attacks (worms, viruses, etc.)
• Potential risks (i.e., threats exploiting vulnerabilities)
  – Corrupted eRecording documents
  – Exposure of settlement agent’s eRecording account information
  – eRecording System is down and unavailable

• All potential risks can be bubbled up to be financial, reputation or safety risks.


Example: eRecording (Policy & Architecture)

• Secure the eRecording documents (integrity, authentication)

• Secure the communications (authentication, confidentiality)

• Secure the eRecording System (integrity, authentication, availability)

[Diagram labels: Settlement Agent; eMtg; County Recorder (eRecording System)]


Example: eRecording (Technology & Procedures)

• Secure the eRecording Documents:
  – Technology: XML Digital Signature
  – Procedure: Trusted Personnel Program for Settlement Agents
• Secure the Communications:
  – Technology: SSL/VPN
  – Procedure: Trusted Procedure for Issuing and Managing Accounts at the eRecording System
• Secure the eRecording System:
  – Technology: Crypto, Redundancy
  – Procedure: Secure Configuration, Ensure Security Patches are Installed and Up to Date, Trusted Personnel Program for eRecording Operators


Example: eRecording (Maintenance)

• Maintenance:
  – eRecording System maintenance
    • Performance testing
    • Security patches
  – eRecording Documents maintenance
    • Standards updates
    • Updates to data in eRecording documents (e.g., privacy issues?)


Example: eRecording (Monitoring)

• Monitoring
  – Identify security incidents of concern:
    • Multiple failed attempts to authenticate to eRecording System
    • eRecording System downtime
    • Integrity check failures within eRecording System
    • Integrity check failures within eRecording Documents
  – Determine reporting procedures for security incidents
    • Audit and review lower level security incidents
    • Alerts and notifications for higher level security incidents
      – Internal notifications
      – External notifications
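
A sketch of the monitoring rules on this slide, added here as an example and not part of the original presentation: it sorts constructed events into an audit list (lower level) and an alert list (higher level). The event names, the threshold of 3 failures in 300 seconds, and the choice of which incidents count as higher level are assumptions.

```python
from collections import defaultdict, deque

# Assumed policy values (not from the presentation).
FAIL_THRESHOLD = 3      # failed logins per account ...
FAIL_WINDOW = 300       # ... within this many seconds
ALWAYS_ALERT = {"system_integrity_fail", "document_integrity_fail", "downtime"}

# Constructed sample events: (epoch seconds, event type, subject).
SAMPLE_EVENTS = [
    (1000, "auth_fail", "agent-17"),
    (1030, "auth_fail", "agent-42"),
    (1060, "auth_fail", "agent-17"),
    (1090, "document_integrity_fail", "doc-0001"),
    (1120, "auth_fail", "agent-17"),
    (1900, "auth_fail", "agent-42"),
    (2000, "downtime", "erecording-system"),
]

def triage(events, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Split events into (audit, alerts) lists of (ts, reason, subject)."""
    audit, alerts = [], []
    recent = defaultdict(deque)      # account -> timestamps of recent failures
    for ts, kind, subject in sorted(events):
        if kind in ALWAYS_ALERT:
            alerts.append((ts, kind, subject))
        elif kind == "auth_fail":
            q = recent[subject]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                alerts.append((ts, "repeated_auth_fail", subject))
                q.clear()                     # one alert per burst
            else:
                audit.append((ts, kind, subject))
        else:
            audit.append((ts, "unknown_event", subject))
    return audit, alerts

if __name__ == "__main__":
    audit, alerts = triage(SAMPLE_EVENTS)
    for row in alerts:
        print("ALERT", row)
    for row in audit:
        print("AUDIT", row)
```

A single failed login stays in the audit list; only the third failure for the same account inside the window is escalated.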


Example: eRecording (Business Continuity)

• Disaster recovery procedures for eRecording System
  – Temporary operations
  – Fully restored operations
• Failover operations for non-disaster events at eRecording System
  – Smooth switch over to temporary operations
  – Process for converting back to original operations


Example: eRecording (Education)

• Educate settlement agents:
  – Importance of secured eRecording Documents
  – Importance of acting as a trustworthy settlement agent
  – Accessing and using the eRecording System
  – Identifying and reporting security incidents
• Educate eRecording System operators:
  – Importance of a secured and available eRecording System
  – Operating, maintaining and monitoring the eRecording System
  – Security incident response procedures
  – Business continuity and disaster recovery procedures


Thank you!

Questions?

Yuriy Dzambasow
A&N Associates, Inc.
410-859-5449