CIS2005 System Security and Control - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
CIS2005 System Security and Control
  • Lecture 9
  • Module 9 Security planning

2
Security plan
  • A Security plan is a formal document used by
    Management to assess the current security of
    their organisation's systems and to plan the
    implementation of the further controls required.

3
Why have a security plan?
  • An official document
  • Tool for orderly process/practice improvement
  • Can be used to measure the effect of changes
  • With appropriate management endorsement can
    reinforce commitment to security

4
Likely members of a Security planning team
  • Computer hardware personnel
  • Programmers/systems analysts
  • Data entry personnel
  • Physical security personnel
  • Users representatives
  • Network staff
  • The size and makeup of the team will obviously
    depend on the size of the organisation or project

5
Components of a security plan
  • Security policy
  • Current security status
  • Recommendations and requirements
  • Accountability (Responsibility for
    implementation)
  • Implementation timetable
  • Review plan

6
Security Policy
  • Consists of the following sections
  • Goals
  • Responsibility
  • Commitment
  • for the organisation in relation to Information
    Systems Security

7
Security Policy Goals section
  • What the organisation expects to achieve in terms
    of security (information systems)
  • A statement of what is to be achieved not how it
    will be achieved
  • Will flow from organisational strategic plan and
    IS strategic plan
  • Example
  • Preserve the integrity of the organisation's data
  • Secure sensitive/confidential data
  • Be able to resume operations within 24 hours
    after a major disaster

8
Security Policy Responsibilities section
  • Responsibilities for meeting the security goals
  • Individuals, groups (departments), managers
  • There should be an allocation of responsibility
    made for each goal in the previous section.

9
Security Policy Commitment section
  • Level of commitment provided
  • Reflects management's understanding and
    appreciation of security issues
  • How security is viewed as a priority when
    compared with other organisational issues
  • In monetary terms, human and other resources

10
Current security status
  • This section of the Security Plan outlines
  • Vulnerabilities and threats that have not yet
    been addressed
  • Existing controls
  • Note this is the current security status
  • It provides a benchmark for future reviews and a
    starting point for developing the plan

11
Recommended Controls
  • There should be a sub-section in the
    Recommendations section for the controls for each
    vulnerability identified in the Current Security
    Status section. (One sub-section per vmap)
  • Reference should be made to the Appendices to
    justify the choice of security controls by
    commenting on
  • the cost-effectiveness of recommended controls,
    and
  • their payback period

12
Recommended Controls (Contd)
  • The controls should be explained well, so that
    there can be no misinterpretation by the reader.
  • Propose priority for implementation
  • Briefly propose any security policies and/or
    procedures relevant to the vulnerability.
  • The following slides are to give the difference
    between a policy and procedure, not the depth
    required for your assignment.

13
Example policy
  • Should a failure occur at any time, the
    administration database must be able to be
    restored within 20 minutes such that no more than
    1 hour of processing / data is lost.

14
Example Procedure
  • At 6.00pm each day, the shift backup operator
    will
  • Shut down administration database
  • Ensure that a formatted tape is installed on tape
    drive 1
  • Start daily backup from backup menu
  • Ensure that backup job finishes successfully
    (view backup log)
  • Label tape with current date/time and system
  • Store tape off-site in Room A, Building Z
  • Retrieve oldest tape in the cycle from storage
    and place on rack near main server in readiness
    for next backup
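As an added example (not from the lecture), a small check that connects the policy and procedure slides above: can a procedure that backs up once a day at 6.00pm satisfy a policy demanding restore within 20 minutes and at most 1 hour of data lost, and did the logged backup job actually finish successfully? The log format, job name and restore-drill time are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import timedelta

# Policy figures come from the slide; all other values are assumed for the example.
@dataclass(frozen=True)
class BackupPolicy:
    max_restore_time: timedelta   # "restored within 20 minutes"
    max_data_loss: timedelta      # "no more than 1 hour of processing / data is lost"

@dataclass(frozen=True)
class BackupProcedure:
    interval: timedelta           # how often the procedure takes a backup
    measured_restore_time: timedelta  # time taken in a restore drill (assumed)

SLIDE_POLICY = BackupPolicy(max_restore_time=timedelta(minutes=20),
                            max_data_loss=timedelta(hours=1))

def procedure_meets_policy(policy: BackupPolicy, proc: BackupProcedure) -> dict:
    """Worst-case data loss equals the backup interval: a failure just before
    the next scheduled run loses everything since the previous one."""
    return {
        "restore_ok": proc.measured_restore_time <= policy.max_restore_time,
        "data_loss_ok": proc.interval <= policy.max_data_loss,
        "worst_case_loss_hours": proc.interval.total_seconds() / 3600,
    }

def evaluate(interval_hours: float, restore_minutes: float) -> dict:
    """Convenience wrapper: check a schedule against the policy on the slide."""
    proc = BackupProcedure(interval=timedelta(hours=interval_hours),
                           measured_restore_time=timedelta(minutes=restore_minutes))
    return procedure_meets_policy(SLIDE_POLICY, proc)

# Constructed backup log (not any real product's format); the last status line decides.
SAMPLE_LOG = """\
2003-10-01 18:00:03 INFO job=daily-admin-db started tape=1
2003-10-01 18:41:17 INFO job=daily-admin-db files=1842 bytes=913244160
2003-10-01 18:41:18 INFO job=daily-admin-db status=SUCCESS
"""

def backup_succeeded(log_text: str, job: str) -> bool:
    """The 'view backup log' step: the job must report a terminal SUCCESS status;
    a log that only shows the job starting, or no status at all, counts as failure."""
    for line in reversed(log_text.splitlines()):
        if f"job={job}" in line and "status=" in line:
            return line.rsplit("status=", 1)[1].strip() == "SUCCESS"
    return False
if __name__ == "__main__":
    print(backup_succeeded(SAMPLE_LOG, "daily-admin-db"))   # True
    print(evaluate(interval_hours=24, restore_minutes=15))  # daily run: data_loss_ok False
```

With a once-daily backup the worst-case loss is 24 hours, so the check reports that the procedure cannot meet the 1-hour bound; a gap like that between what the policy promises and what the procedure delivers is exactly what a plan review should surface.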

15
Responsibilities for implementation
  • Who is responsible for implementing each of the
    recommended controls?
  • Individual PC users
  • Database administrators
  • Network administrators
  • Personnel staff
  • etc.

16
Timetable for implementation
  • When to implement?
  • How long would it take?
  • In what order to implement?

17
Timetable for implementation (contd)
  • Use some form of pictorial representation (e.g.
    Gantt chart) to represent timelines
  • A Gantt chart is a graphical representation of a
    project that shows each task/activity as a
    horizontal bar
  • Easy to see at a glance what has to be done and
    when it has to be achieved

18
Simple example of a Gantt chart
From this chart, we can see that it is expected
that the implementation of the UPS will take 2
weeks, and start at Week 2. The Generator will
take 1 week and start at Week 3.

19
Timetable for implementation (contd)
  • The timetable should
  • List all the recommended security controls
  • List items in the order of implementation
  • Specify start and completion times
  • Provide measurable milestones for progress
    assessment
  • Reflect the recommended priorities

20
Timetable for review
  • The Security plan must be reviewed on a regular
    basis
  • What controls are to be reviewed?
  • When, or at what intervals, are the controls to
    be reviewed?
  • Who is responsible for the review?
  • This should be done in a table for readability,
    not just text.

21
It is vital to have commitment to the security
plan at all levels within an organisation,
particularly at the senior management
level. Otherwise it becomes a purely academic
exercise.

22
A security plan is not a static document; it
must continually evolve through regular reviews.

23
Assignment 2
  • You, as a security consultant, must assess the
    scenario given and prepare a report to the
    management
  • Your report is to provide the basis for decision
    making
  • Covers all the modules discussed to date
  • It builds on the Risk Analysis that you performed
    for Assignment 1. You can make changes to your
    Assignment 1 sections for Assignment 2.

24
Assignment 2 (contd)
  • Supplementary information should be presented in
    the Appendices. Appendices must be properly
    labelled and referred to from the report. This
    includes Vmaps, CBAs, Graphs and Assumptions
    made.
  • See marking sheet to guide your efforts
  • Report format must comply with the Communication
    Skills Handbook; this includes Exec Summary,
    Introduction, Conclusion etc.

25
Assignment 2 due on 15 Oct 2003
  • If you have not already started, start now!