Information Security Management - PowerPoint PPT Presentation

Description:

Not all data has the same value to an organization. ... Data recovery plan maintenance. Keeping the plans up-to-date and relevant. COMP4690, HKBU ... – PowerPoint PPT presentation


Transcript and Presenter's Notes

1
  • Chapter 1
  • Information Security Management

2
Objective
  • Concept of Information Security Management
  • Information Classification Process
  • Security Policy Implementation
  • The roles and responsibilities of Security
    Administration
  • Risk Management Assessment
  • Security Awareness Training

3
Introduction
  • Information security protects an
    organization's valuable resources.
  • It ensures that all resources are protected, and
    available to the organization whenever they are
    needed. This leads to information classification
    and security policy.
  • However, security risk cannot be eliminated
    completely. This leads to risk management.

4
Purposes of Information Security Management
  • Three basic requirements
  • Availability
  • Assure that a computer system is accessible by
    authorized users whenever needed.
  • Integrity
  • To protect the system information from
    intentional or accidental unauthorized changes.
  • Confidentiality
  • Assure that unauthorized people cannot access the
    protected information.

5
Other Concepts in Security Management
  • Identification
  • The means by which users claim their identities
    to a system. Used for access control.
  • Authentication
  • The testing or reconciliation of evidence of a
    user's identity.
  • Accountability
  • Tracing actions back to the responsible party,
    through audit trails and logs.
  • Authorization
  • The rights and permissions granted to an
    individual.
  • Privacy
  • The level of confidentiality and privacy
    protection afforded to personal information.

6
Information Classification
  • Why do we need information classification?
  • Not all data has the same value to an
    organization.
  • Protection and control should be focused on the
    information that needs it the most.
  • Can be used to comply with privacy laws, or to
    enable regulatory compliance.

7
Classification Terms
  • In governmental data classification
  • Unclassified: can be released to the public
  • Sensitive but unclassified: minor secret, no
    serious damage if disclosed
  • Confidential: unauthorized disclosure could cause
    some damage
  • Secret: unauthorized disclosure could cause
    serious damage
  • Top secret: unauthorized disclosure could cause
    exceptionally grave damage to national security

8
Classification Terms
  • In the private sector
  • Public: similar to unclassified
  • Sensitive: requires a higher level of
    protection than normal data
  • Private: intended for company use only, such as
    salary levels
  • Confidential: very sensitive data; unauthorized
    disclosure could seriously and negatively impact
    the company

9
Classification Procedures
  • The following steps are listed in priority order
  • Identify the administrator/custodian
  • Specify the criteria for how the information will
    be classified and labeled
  • Classify the data by its owner, who is subject to
    review by a supervisor
  • Specify and document any exceptions to the
    classification policy
  • Specify the controls that will be applied to each
    classification level
  • Specify the termination procedures for
    declassifying the information or for transferring
    custody of the information to another entity
  • Create an enterprise awareness program about the
    classification controls

10
Information Classification Roles
  • Owner
  • The information owner may be an executive or
    manager of the organization. The owner is
    responsible for the information asset that must
    be protected, makes the original determination of
    what level of classification the information
    requires, and delegates the day-to-day data
    protection duties to the custodian.
  • Custodian
  • The information custodian is delegated the
    responsibility of protecting the information by
    its owner. This role is commonly executed by IT
    systems personnel.
  • User
  • The end user can be anyone (operator, employee, or
    external party) who routinely uses the
    information as part of their job.

11
Policies, Standards, Guidelines, Procedures
  • Security policies are the basis for a sound
    security implementation.
  • Questions
  • What are policies, standards, guidelines, and
    procedures?
  • Why do we use policies, standards, guidelines,
    and procedures?
  • What are the common policy types?

12
Policies
  • Policies are considered the first and highest
    level of documentation, from which the lower
    level elements of standards, procedures, and
    guidelines flow.
  • They are usually general statements.

13
Policies hierarchy
14
Policies
  • Senior Management Statement of Policy
  • The first policy of any policy creation process
  • A general, high-level statement which contains
  • An acknowledgement of the importance of the
    computing resources to the business model
  • A statement of support for information security
    throughout the enterprise
  • A commitment to authorize and manage the
    definition of the lower level standards,
    procedures, and guidelines

15
Standards, Guidelines, Procedures
  • These are the three elements of policy
    implementation, which contain the actual details
    of the policy.
  • They should be separate documents from the
    general policies.
  • Standards: specify the use of specific
    technologies in a uniform way. They are
    compulsory.
  • Guidelines: similar to standards, but more
    flexible; not compulsory, just recommendations.
  • Procedures: the detailed steps that are followed
    to perform a specific task. The lowest level in
    the policy chain.

16
Roles and Responsibilities
Role              Description
----------------  ----------------------------------------------
Senior Manager    Has the ultimate responsibility for security
InfoSec Officer   Has the functional responsibility for security
Owner             Determines the data classification
Custodian         Preserves the information's C.I.A.
User/Operator     Performs the stated policies
Auditor           Examines security
17
Risk Analysis and Assessment
  • Risk Management
  • Identifying, analyzing and assessing, mitigating,
    or transferring risk
  • Core problems
  • What could happen (threat event) ?
  • If it happened, how bad could it be (threat
    impact) ?
  • How often could it happen (threat frequency,
    annualized) ?
  • How certain are the answers to the first three
    questions (recognition of uncertainty) ?

18
Cont.
  • Risk Analysis
  • The process of analyzing a target environment and
    the relationships of its risk-related attributes.
    It should identify threats and vulnerabilities,
    associate these vulnerabilities with affected
    assets, identify the potential for and nature of
    an undesirable result, and identify and evaluate
    risk-reducing countermeasures.
  • Risk Assessment
  • The assignment of value to assets, threat
    frequency, consequence, and other elements of
    chance. The term is used to characterize both the
    process and the result of analyzing and assessing
    risk.

19
Cont.
  • After risk analysis and assessment, three more
    questions
  • What can be done (risk mitigation) ?
  • How much will it cost (annualized) ?
  • Is it cost-effective (cost/benefit analysis) ?
  • It's essential that the process of analyzing and
    assessing risk is well understood by all parties
    and executed on a timely basis.

20
Terms and definitions
  • Single Loss Expectancy or Exposure (SLE)
  • The monetary loss for each occurrence of a
    threatened event
  • SLE = Asset Value x Exposure Factor
  • Exposure Factor (EF)
  • Represents the magnitude of loss or impact on the
    value of an asset. Expressed as a percentage,
    from 0 to 100, of the asset value lost as a
    result of a threat event.
  • A threat event could be a tornado, theft, or
    computer virus infection.

21
Cont.
  • Annualized Rate of Occurrence (ARO)
  • The frequency with which a threat is expected to
    occur. E.g., a threat occurring 50 times in a
    given year has an ARO of 50, and a threat
    occurring 1 time in 10 years has an ARO of 0.1.
  • Annualized Loss Expectancy (ALE)
  • ALE = SLE x ARO

22
Example
Asset                      Risk    Asset Value  Potential Loss (SLE)  Annualized Frequency (ARO)  Annual Loss Expectancy (ALE)
-------------------------  ------  -----------  --------------------  --------------------------  ----------------------------
Facility                   Fire        560,000               230,000                        0.25                        57,500
Trade Secret               Stolen       43,500                40,000                        0.75                        30,000
File Server                Failed       11,500                11,500                        0.50                         5,750
Data                       Virus         8,900                 6,500                        0.80                         5,200
Customer Credit Card Info  Stolen      323,500               300,000                        0.65                       195,000
23
Central Tasks
  • Establish Information Risk Management (IRM)
    Policy
  • Establish and Fund an IRM Team
  • Establish IRM Methodology and Tools
  • Identify and Measure Risk
  • Project Sizing

24
Risk analysis process
  • Asset valuation process
  • Determine the value of an asset
  • Quantitative risk analysis
  • Assign independently objective numeric values to
    the components of the risk assessment and to the
    assessment of potential losses
  • Qualitative risk analysis
  • Address intangible values of data loss
  • Safeguard selection
  • Cost/benefit analysis
  • Value of safeguard = (ALE before) - (ALE after) -
    annual safeguard cost
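The quantitative method of slides 20 to 24 carried through in code: the five rows of the example table are re-derived from asset value, exposure factor and ARO, ranked by ALE to show where protection is needed most, and a safeguard is put through the cost/benefit test. This is an added example, not part of the course slides; the fire-suppression safeguard, its annual cost and its effect on the exposure factor are hypothetical figures chosen to illustrate the formula.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and safeguard cost/benefit.

Formulas, as stated on the slides:
    SLE = Asset Value x Exposure Factor
    ALE = SLE x ARO
    Value of safeguard = (ALE before) - (ALE after) - annual safeguard cost
Added example; the safeguard figures below are hypothetical, not slide data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float
    exposure_factor: float  # fraction of the asset value lost per event, 0.0 .. 1.0
    aro: float              # annualized rate of occurrence (events per year)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.asset}: exposure factor must lie within 0..1")
        if self.aro < 0:
            raise ValueError(f"{self.asset}: ARO cannot be negative")

    @classmethod
    def from_loss(cls, asset, threat, asset_value, single_loss, aro):
        """Build a Risk from a stated SLE by recovering EF = SLE / Asset Value."""
        return cls(asset, threat, asset_value, single_loss / asset_value, aro)

    @property
    def sle(self):
        return round(self.asset_value * self.exposure_factor, 2)

    @property
    def ale(self):
        return round(self.sle * self.aro, 2)


def total_ale(risks):
    return round(sum(r.ale for r in risks), 2)


def rank_by_ale(risks):
    """Asset names, highest annualized loss first: where protection is needed most."""
    return [r.asset for r in sorted(risks, key=lambda r: r.ale, reverse=True)]


def evaluate_safeguard(risk, annual_cost, new_ef=None, new_aro=None):
    """Cost/benefit of a safeguard that lowers EF (limits damage) and/or ARO
    (prevents events).  Returns (ALE before, ALE after, net annual value);
    a positive value means the safeguard is cost-effective."""
    after = Risk(risk.asset, risk.threat, risk.asset_value,
                 risk.exposure_factor if new_ef is None else new_ef,
                 risk.aro if new_aro is None else new_aro)
    value = round(risk.ale - after.ale - annual_cost, 2)
    return risk.ale, after.ale, value


# The five rows of the slide's example table (asset value, SLE, ARO).
SLIDE_RISKS = [
    Risk.from_loss("Facility", "Fire", 560_000, 230_000, 0.25),
    Risk.from_loss("Trade Secret", "Stolen", 43_500, 40_000, 0.75),
    Risk.from_loss("File Server", "Failed", 11_500, 11_500, 0.5),
    Risk.from_loss("Data", "Virus", 8_900, 6_500, 0.8),
    Risk.from_loss("Customer Credit Card Info", "Stolen", 323_500, 300_000, 0.65),
]


if __name__ == "__main__":
    for r in SLIDE_RISKS:
        print(f"{r.asset:26} {r.threat:7} SLE={r.sle:>10,.0f} "
              f"EF={r.exposure_factor:5.1%} ARO={r.aro:<5} ALE={r.ale:>10,.0f}")
    print("total ALE:", total_ale(SLIDE_RISKS))
    print("priority:", rank_by_ale(SLIDE_RISKS))
    fire = SLIDE_RISKS[0]
    # Hypothetical safeguard: a suppression system that cuts the fire EF to 10%
    # for 15,000 a year.  Cost and effect are assumptions, not slide data.
    print("suppression @ 15,000/yr:", evaluate_safeguard(fire, 15_000, new_ef=0.10))
    # The same effect at 60,000 a year costs more than the loss it avoids.
    print("suppression @ 60,000/yr:", evaluate_safeguard(fire, 60_000, new_ef=0.10))
```

Reading the output against the table shows the point of slide 6: the two assets with the highest ALE (credit card data and the facility) account for most of the annualized loss, so that is where controls and budget belong. The safeguard test also shows that the same control can be a good or a bad buy depending only on its annual cost.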

25
Security Awareness and Training
  • People are often the weakest link in a security
    chain.
  • Employees must be aware of the need to secure
    information and to protect the information assets
    of an enterprise.
  • Operators need training in the skills to fulfill
    their job functions securely.

26
  • Chapter 2
  • Business Continuity Planning
  • and
  • Disaster Recovery Planning

27
Overview
  • Business Continuity Planning (BCP)
  • Make the plans and create the framework to ensure
    that the business can continue in an emergency.
    It includes
  • Scope and plan initiation
  • Business impact analysis (BIA)
  • Business continuity plan development
  • Disaster Recovery Planning (DRP)
  • Recover from an emergency with the minimum of
    impact to the organization. It includes
  • Disaster recovery planning processes
  • Testing the disaster recovery plan
  • Disaster recovery procedures

28
Business Continuity Planning
  • Objectives
  • To prevent interruptions to normal business
    activity
  • To protect critical business processes from
    natural or man-made failures or disasters
  • To minimize the effect of disturbances and to
    allow for resumption of business processes
  • To reduce the risk of financial loss and enhance
    a company's ability to recover from a disruptive
    event promptly
  • To minimize the cost associated with the
    disruptive event and mitigate the risk associated
    with it

29
Disruptive Events
  • Natural events
  • Fires, explosions, hazardous material spills of
    environmental toxins
  • Earthquakes, storms, floods, and fires due to
    acts of nature
  • Power outages or other utility failures
  • Man-made events
  • Bombings, sabotage, or other intentional attacks
  • Strikes and job actions
  • Employee or operator unavailability due to
    emergency evacuation or other issues
  • Communications infrastructure failures

30
BCP (I)
  • Scope and Plan Initiation
  • The first step in creating a BCP
  • Create the scope for the plan, and the other
    elements needed to define the parameters of the
    plan
  • Examine the company's operations and support
    services
  • Scope activities
  • Create a detailed account of the work required
  • List the resources to be used
  • Define the management practices to be employed

31
BCP (I) roles and responsibilities
Who                              Does What
-------------------------------  ----------------------------------------------------------------
Executive management staff       Initiates the project, gives final approval, and gives ongoing support
Senior business unit management  Identifies and prioritizes time-critical systems
BCP committee                    Directs the planning, implementation, and test processes
Functional business units        Participate in implementation and testing
32
BCP (II)
  • Business Impact Analysis (BIA)
  • To create a document to be used to help
    understand what impact a disruptive event would
    have on the business
  • Three primary goals
  • Criticality prioritization: time-critical
    business processes vs. non-time-critical business
    processes
  • Downtime estimation: the longest period of time
    a critical process can remain interrupted before
    the company can never recover, the maximum
    tolerable downtime (MTD)
  • Resource requirements: the most time-sensitive
    processes may need the most resource allocation

33
BCP (II) BIA Steps
  • Gathering assessment materials
  • Which business units are critical to continuing
    an acceptable level of operations
  • Organizational chart, functional
    interrelationships of the organization
  • Performing vulnerability assessment
  • Quantitative financial assessment
  • Incurring financial losses from loss of revenue,
    capital expenditure, or personal liability
    resolution
  • Additional operational expenses incurred due to
    the disruptive event
  • Incurring financial losses from violation of
    contract agreements, violation of regulatory or
    compliance requirements
  • Qualitative operational assessment
  • Loss of competitive advantage or market share
  • Loss of public confidence or credibility, or
    public embarrassment
  • Define the critical support areas that must be
    present to sustain continuity of the business
    processes
  • Telecommunications, data communications,
    information technology areas
  • Physical infrastructure or plant facilities,
    transportation services
  • Accounting, payroll, transaction processing,
    customer service, purchasing

34
BCP (II) BIA Steps
  • Analyzing the information
  • Documenting required processes, identifying
    interdependencies, and determining what an
    acceptable interruption period would be
  • To describe what support the defined critical
    areas will require to preserve the revenue stream
    and maintain pre-defined processes
  • Documentation and recommendation
  • Full documentation of all the processes,
    procedures, analysis, and results, and the
    presentation of recommendations to the
    appropriate senior management.
  • Contain the gathered material, list the
    identified critical support areas, summarize the
    quantitative and qualitative impact statements,
    and provide the recommended recovery priorities
    generated from the analysis

35
BCP (III)
  • Business Continuity Plan Development
  • Use the information collected in BIA to create
    the recovery strategy plan to support the
    critical business functions.
  • Defining the continuity strategy, which should
    include the following elements
  • Computing: to preserve the elements of hardware,
    software, communication lines, applications, and
    data
  • Facilities: to address the use of the main
    buildings or campus and any remote facilities
  • People: operators, management, and technical
    support personnel will have defined roles in
    implementing the continuity strategy
  • Supplies and equipment: paper, forms, or
    specialized security equipment must be defined
  • Documenting the continuity strategy

36
BCP (IV)
  • Plan Approval and Implementation
  • Senior management approval
  • Create awareness of the plan enterprise-wide
  • Specific training may be required for certain
    personnel to carry out their tasks
  • Maintenance of the plan
  • Use job descriptions that centralize
    responsibility for updates
  • Create audit procedures that can report regularly
    on the state of the plan
  • Ensure multiple versions of the plan do not exist

37
Disaster Recovery Planning
  • Objective
  • To provide an organized way to make decisions if
    a disruptive event occurs
  • To reduce confusion and enhance the ability of
    the organization to deal with the crisis
  • To protect an organization from major computer
    services failure
  • To minimize the risk to the organization from
    delays in providing services
  • To guarantee the reliability of standby systems
    through testing and simulation
  • To minimize the decision-making required by
    personnel during a disaster

38
I. DRP Process
  • This phase involves the development and creation
    of the recovery plans.
  • Define the steps we will need to perform to
    protect the business in the event of an actual
    disaster.
  • Two steps
  • Data processing continuity planning
  • Planning for the disaster and creating the plans
    to cope with it
  • Data recovery plan maintenance
  • Keeping the plans up-to-date and relevant

39
Processing Backup Services
  • Processing backup services are very important to
    the disaster recovery plan
  • Most common alternate processing types
  • Mutual aid agreements
  • Subscription services
  • Multiple centers
  • Service bureaus
  • Other data center backup alternatives

40
Mutual aid agreements
  • An arrangement with another company that may have
    similar computing needs.
  • Both parties agree to support each other in the
    case of a disruptive event. This assumes each
    organization's operations area will have the
    capacity to support the other's in time of need.
  • Advantages
  • Allows an organization to obtain a disaster
    processing site at very little or no cost.
  • Disadvantages
  • Difficult to have enough unused capacity to
    enable full operational processing during the
    event.
  • What happens if both organizations are affected
    by the same large disaster?
  • Should be considered only if there is a perfect
    partner, and there is no other alternative for
    disaster recovery.

41
Subscription services
  • Rely on third-party, commercial services
  • Three basic forms of subscription services
  • Hot site
  • Fully configured computer facility with
    electrical power and HVAC (heating, ventilation,
    air conditioning), and functioning servers and
    workstations.
  • 24/7 availability, exclusivity of use,
    immediately available after the disruptive event
    occurs
  • The most expensive one, intensive administrative
    overhead
  • Cold site
  • A room with electrical power and HVAC;
    communications links may or may not be ready.
  • It is ready for equipment to be brought in during
    an emergency, but no computer hardware resides at
    the site.
  • Warm site
  • A cross between a hot site and a cold site.
    Computer facilities are ready with electrical
    power and HVAC, but the applications may not be
    installed or configured, and there is no full
    complement of workstations.
  • Takes some time and effort to start production
    processing at the new site.

42
Multiple centers
  • The processing is spread over several operations
    centers
  • Could be owned and managed by the same
    organization or used in conjunction with some
    sort of reciprocal agreement.
  • Shares the disadvantages of mutual aid.

43
Service Bureaus
  • Contract with a service bureau to fully provide
    all alternate backup processing services
  • Quick response and availability, possible testing
  • Disadvantages
  • Expense
  • Resource contention during a large emergency

44
Transaction Redundancy Implementations
  • Electronic vaulting
  • The transfer of backup data to an off-site
    location, typically in bulk
  • Remote journaling
  • The parallel processing of transactions to an
    alternate site. A communications line is used to
    transmit live data as it occurs.
  • Database shadowing
  • To create even more redundancy by duplicating
    the database sets to multiple servers.
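The three redundancy options above differ in how much of the transaction history the alternate site holds when the primary is lost. The following simulation makes that visible on a toy key/value store: one alternate receives a bulk vault at a point in time, two others receive every committed transaction as it happens (remote journaling, fanned out to two servers as database shadowing), and the primary is then dropped after five transactions. This is an added example, not material from the slides; the store, the sequence-numbered journal format and the account transactions are constructed for illustration.

```python
"""Transaction redundancy, simulated: electronic vaulting, remote journaling
and database shadowing on a toy key/value store.
Added example; the store, journal format and sample transactions are constructed.
"""
import hashlib
import json


class Site:
    """A key/value store fed by an append-only, sequence-numbered journal."""

    def __init__(self, name):
        self.name = name
        self.data = {}
        self.journal = []  # entries: (seq, op, key, value)

    def apply(self, entry):
        """Apply one journal entry; refuse gaps so a lost record is detected."""
        seq, op, key, value = entry
        expected = len(self.journal) + 1
        if seq != expected:
            raise ValueError(f"{self.name}: journal gap, expected {expected}, got {seq}")
        if op == "put":
            self.data[key] = value
        elif op == "del":
            self.data.pop(key, None)
        else:
            raise ValueError(f"{self.name}: unknown op {op!r}")
        self.journal.append(entry)

    def digest(self):
        """Hash of the current state, used to compare sites after a failover."""
        blob = json.dumps(self.data, sort_keys=True).encode()
        return hashlib.sha256(blob).hexdigest()


class Primary(Site):
    """Production site.  Every committed transaction is shipped, as it occurs,
    to each linked alternate (remote journaling); more than one link is
    database shadowing."""

    def __init__(self, name, links):
        super().__init__(name)
        self.links = list(links)  # callables that accept one journal entry

    def commit(self, op, key, value=None):
        entry = (len(self.journal) + 1, op, key, value)
        self.apply(entry)
        for ship in self.links:
            ship(entry)


def vault(primary, alternate):
    """Electronic vaulting: bulk transfer of the backup data as of this moment."""
    alternate.data = dict(primary.data)
    alternate.journal = list(primary.journal)


def find_gap(entries):
    """First missing sequence number in a shipped journal, or None if contiguous."""
    expected = 1
    for seq, *_ in entries:
        if seq != expected:
            return expected
        expected += 1
    return None


def run_scenario():
    """Lose the primary after five transactions; report what each alternate holds."""
    shadow_a = Site("shadow-a")
    shadow_b = Site("shadow-b")
    vaulted = Site("vaulted")
    primary = Primary("primary", [shadow_a.apply, shadow_b.apply])

    # Constructed transactions; the account balances are sample data.
    primary.commit("put", "acct:1001", 500)
    primary.commit("put", "acct:1002", 1200)
    vault(primary, vaulted)  # the periodic vault happens to be taken here
    primary.commit("put", "acct:1001", 450)
    primary.commit("del", "acct:1002")
    primary.commit("put", "acct:1003", 75)
    # The primary is now lost; only the alternates remain.

    return {
        "primary_digest": primary.digest(),
        "shadow_a_digest": shadow_a.digest(),
        "shadow_b_digest": shadow_b.digest(),
        "vaulted_digest": vaulted.digest(),
        "shadow_lag": len(primary.journal) - len(shadow_a.journal),
        "vault_lag": len(primary.journal) - len(vaulted.journal),
        "vaulted_data": vaulted.data,
    }


if __name__ == "__main__":
    for key, val in run_scenario().items():
        print(f"{key}: {val}")
```

Both shadows end with the primary's exact state (matching digests, zero lag), while the vaulted copy is three transactions behind and still shows the deleted account. The sequence-number check in apply() is the detail a practitioner wants: a journal link that silently drops a record would otherwise leave the alternate site looking healthy while diverging from production.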

45
Disaster Recovery Plan Maintenance
  • Disaster recovery plans often get out of date.
  • Like BCP maintenance
  • To build maintenance procedures into the
    organization
  • To create audit procedures that can report
    regularly on the state of the plan

46
II. Testing the DRP
  • Regular disaster recovery drills and tests are a
    cornerstone of any disaster recovery plan.
  • Reasons for testing
  • Verify the accuracy of the recovery procedures
    and identify deficiencies
  • Prepare and train the personnel to execute their
    emergency duties
  • Verify the processing capability of the alternate
    backup site

47
Five Test Types
  • Checklist
  • Distribute copies of the plan to each business
    unit for review, to ensure the plan addresses all
    procedures and critical areas of the
    organization. This is a preliminary step to a
    real test.
  • Structured walk-through
  • Business unit management representatives meet to
    walk through the plan, to ensure that the plan
    accurately reflects the organization's ability to
    recover successfully.
  • Simulation
  • All the operational and support personnel
    expected to perform during an actual emergency
    meet in a practice session. To test the ability
    of the personnel to respond to a simulated
    disaster.
  • Parallel
  • A full test of the recovery plan, utilizing all
    personnel. Critical systems are run at an
    alternate site.
  • Full-interruption
  • A disaster is replicated even to the point of
    ceasing normal production operations. The plan is
    totally implemented as if it were a real
    disaster.

48
III. Disaster recovery procedures
  • This part details
  • what roles various personnel will take on
  • what tasks must be implemented to recover and
    salvage the site
  • how the company interfaces with external groups
  • financial considerations.

49
Primary element
  • The recovery team
  • To implement the recovery procedures at the
    declaration of the disaster. To get the
    pre-defined critical business functions operating
    at the alternate backup processing site.
  • The salvage team
  • To return the primary site to normal processing
    environmental conditions. To identify sources of
    expertise, equipment, and supplies that can make
    the return to the site possible.
  • The normal operations resume
  • To return production processing from alternate
    site to the primary site with the minimum of
    disruption and risk
  • Other recovery issues
  • Interfacing with external groups; employee
    relations; fraud and crime; financial
    disbursement; media relations