ISA 562 - PowerPoint PPT Presentation

Slides: 25
Provided by: masonGmu6
Learn more at: http://mason.gmu.edu
Transcript and Presenter's Notes

1
ISA 562: Internet Security Theory and Practice
Information Security Management (CISSP Topic 1)
2
Course Outline
  • An introductory course at the graduate level
  • It covers the topics of the CISSP exam at varying
    depth
    • But it is NOT a CISSP course
  • Textbooks
    • Matt Bishop, Computer Security: Art and Science
    • Official (ISC)2 Guide to the CISSP CBK

3
Objectives
  • Roles and responsibilities of individuals in a
    security program
  • Security planning in an organization
  • Security awareness in the organization
  • Differences between policies, standards,
    guidelines and procedures
  • Risk Management practices and tools

4
Syllabus of the Course
  • Bishop's book for the first part
  • Papers for some classes
  • The (ISC)2 book for the second part
  • Cover material relevant to the PhD qualifying
    examination in security

5
Introduction
  • Purpose of information security:
    • To protect an organization's information
      resources: data, hardware, and software.
    • To increase organizational success: information
      systems (IS) are critical assets supporting its
      mission.

6
Information Security TRIAD
  • The overarching goals of information security are
    addressed through the AIC TRIAD.

7
IT Security Requirements - I
  • Security should be designed for two requirements:
  • Functional: defines the behavior of the control
    means, based on risk assessment
    • Property: a control should not depend on another
      control
      • Why? Fail safe by maintaining security during a
        system failure
  • Assurance: provides confidence that security
    functions perform as expected.
    • Internal/external audit
    • Third-party reviews
    • Compliance with best practices
  • Examples
    • Functional: a network firewall to permit or deny
      traffic.
    • Assurance: logs are generated, monitored, and
      reviewed.

8
Organizational Business Requirements
  • Focus on the organizational mission
  • Business- or goal-driven
  • Depends on the type of organization:
    • Military, government, or commercial
  • Must be sensible and cost-effective
  • The solution considers the mission and environment:
    a trade-off

9
IT Security Governance
  • Integral part of corporate governance
  • Fully integrated into overall risk-based threat
    analysis
  • Ensure that the IT infrastructure:
    • Meets all requirements.
    • Supports the strategies and objectives of the
      company.
    • Includes service level agreements if outsourced.

10
Security Governance Major parts
  • Leadership
    • Security leaders must be part of the company
      leadership -- where they can be heard.
  • Structure
    • Occurs at many levels and should use a layered
      approach.
  • Processes
    • Follow internationally accepted best practices
    • Job rotation, separation of duties, least
      privilege, mandatory vacations, etc.
    • Examples of standards: ISO 17799, ISO 27001:2005

11
Security Blueprints
  • Provide a structure for organizing requirements
    and solutions.
  • Ensure that security is considered holistically.
  • To identify and design security requirements

12
Policy Overview
  • The operational environment is a web of laws,
    regulations, requirements, and agreements or
    contracts with partners and competitors
    • These change frequently and interact with each
      other
  • Management must develop and publish security
    statements addressing policies and supporting
    elements, such as standards, baselines, and
    guidelines.

13
Policy overview
14
Functions of Security policy
  • Provide Management Goals and Objectives in
    writing
  • Ensure Document compliance
  • Create a security culture
  • Anticipate and protect others from surprises
  • Establish the security activity/function
  • Hold individuals responsible and accountable
  • Address foreseeable conflicts
  • Make sure employees and contractors are aware of
    organizational policy and changes to it
  • Require an incident response plan
  • Establish process for exception handling,
    rewards, and discipline

15
Policy Infrastructure
  • High-level policies are interpreted into functional
    policies.
  • Functional policies are derived from the overarching
    policy and create the foundation for procedures,
    standards, and baselines to accomplish the
    objectives
  • Policies gain credibility through top-management
    buy-in.

16
Examples of Functional Policies
  • Data classification
  • Certification and accreditation
  • Access control
  • Outsourcing
  • Remote access
  • Acceptable mail and Internet usage
  • Privacy
  • Dissemination control
  • Sharing control

17
Policy Implementation
  • Standards, procedures, baselines, and guidelines
    turn management objectives and goals (functional
    policies) into enforceable actions for employees.

18
Standards and procedure
  • Standards (local): adoption of common hardware
    and software mechanisms and products throughout
    the enterprise.
    • Examples: desktop, anti-virus, firewall
  • Procedures: step-by-step actions that must be
    followed to accomplish a task.
  • Guidelines: recommendations for product
    implementations, procurement and planning, etc.
    • Examples: ISO 17799, Common Criteria, ITIL

19
Security Baselines
  • Benchmarks to ensure that a minimum level of
    security configuration is provided across
    implementations and systems.
  • Establish consistent implementation of security
    mechanisms.
  • Platform-unique
  • Examples
    • VPN setup
    • IDS configuration
    • Password rules

20
Three Levels of security planning
  • 1. Strategic: long-term
    • Focus on high-level, long-range organizational
      requirements
    • Example: overall security policy
  • 2. Tactical: medium-term
    • Focus on events that affect all of the
      organization
    • Example: functional plans
  • 3. Operational: short-term
    • Fight fires at the keyboard level, directly
      affecting how the organization accomplishes its
      objectives.

21
Organizational roles and responsibilities
  • Everyone has a role
    • With responsibility clearly communicated and
      understood
  • Duties associated with the role must be assigned
  • Examples
    • Securing email
    • Reviewing violation reports
    • Attending awareness training

22
Specific Roles and Responsibilities (duties)
  • Executive Management
    • Publish and endorse security policy
    • Establish goals and objectives
    • State overall responsibility for asset
      protection.
  • IS security professionals
    • Security design, implementation, management,
      and review of organization security policies.
  • Owner
    • Information classification
    • Set user access conditions
    • Decide on business continuity priorities
  • Custodian
    • Entrusted with the security of the information
  • IS Auditor
    • Audit assurance guarantees.
  • User
    • Compliance with procedures and policies

23
Personnel Security: Hiring staff
  • Background check/security clearance
  • Check references/educational records
  • Sign employment agreement
    • Non-disclosure agreements
    • Non-compete agreements
  • Low-level checks
  • Consult with the HR department
  • Termination/dismissal procedure

24
Third party considerations
  • Include
    • Vendors/suppliers
    • Contractors
    • Temporary employees
    • Customers
  • Must establish procedures for these groups.