Blueprint for Security Chapter 6 - PowerPoint PPT Presentation

Slides: 49
Provided by: faculty87

Transcript and Presenter's Notes

1
Blueprint for Security: Chapter 6
  • "Begin with the end in mind."
    -- Stephen Covey

2
Learning Objectives
  • Upon completion of this chapter you should be
    able to:
  • Understand management's responsibilities and role
    in the development, maintenance, and enforcement
    of information security policy, standards,
    practices, procedures, and guidelines
  • Understand the differences between the
    organization's general information security
    policy and the requirements and objectives of the
    various issue-specific and system-specific
    policies.
  • Know what an information security blueprint is
    and what its major components are.
  • Understand how an organization institutionalizes
    its policies, standards, and practices using
    education, training, and awareness programs.
  • Become familiar with what viable information
    security architecture is, what it includes, and
    how it is used.

3
Information Security Policy, Standards, and
Practices
  • Management from all communities of interest must
    consider policies as the basis for all
    information security efforts
  • Policies direct how issues should be addressed
    and technologies used
  • Security policies are the least expensive control
    to execute, but the most difficult to implement
  • Shaping policy is difficult because it must:
    - Never conflict with laws
    - Stand up in court, if challenged
    - Be properly administered

4
Definitions
  • A policy is:
    - A plan or course of action, as of a government,
      political party, or business, intended to
      influence and determine decisions, actions, and
      other matters
  • Policies are organizational laws
  • Standards, on the other hand, are more detailed
    statements of what must be done to comply with
    policy
  • Practices, procedures, and guidelines effectively
    explain how to comply with policy
  • For a policy to be effective it must be properly
    disseminated, read, understood and agreed to by
    all members of the organization

5
Types of Policy
  • Management defines three types of security
    policy:
    - General or security program policy
    - Issue-specific security policies
    - Systems-specific security policies

6
Figure 6-1: Policies, Standards, and Practices
7
Security Program Policy
  • A security program policy (SPP) is also known as:
    - A general security policy
    - IT security policy
    - Information security policy
  • Sets the strategic direction, scope, and tone for
    all security efforts within the organization
  • An executive-level document, usually drafted by,
    or with, the CIO of the organization, and usually
    2 to 10 pages long

8
Issue-Specific Security Policy (ISSP)
  • As various technologies and processes are
    implemented, certain guidelines are needed to use
    them properly
  • The ISSP:
    - addresses specific areas of technology
    - requires frequent updates
    - contains an issue statement on the
      organization's position on an issue
  • Three approaches:
    - Create a number of independent ISSP documents
    - Create a single comprehensive ISSP document
    - Create a modular ISSP document

9
Example ISSP Structure
  • Statement of Policy
  • Authorized Access and Usage of Equipment
  • Prohibited Usage of Equipment
  • Systems Management
  • Violations of Policy
  • Policy Review and Modification
  • Limitations of Liability

11
Systems-Specific Policy (SysSP)
  • While issue-specific policies are formalized as
    written documents, distributed to users, and
    agreed to in writing, SysSPs are frequently
    codified as standards and procedures used when
    configuring or maintaining systems
  • Systems-specific policies fall into two groups:
    - Access control lists (ACLs) consist of the access
      control lists, matrices, and capability tables
      governing the rights and privileges of a
      particular user to a particular system
    - Configuration rules comprise the specific
      configuration codes entered into security systems
      to guide the execution of the system

12
ACL Policies
  • Both the Microsoft Windows NT/2000 and Novell NetWare
    5.x/6.x families of systems translate ACLs into
    sets of configurations that administrators use to
    control access to their respective systems
  • ACLs allow configuration to restrict access from
    anyone and anywhere
  • ACLs regulate:
    - Who can use the system
    - What authorized users can access
    - When authorized users can access the system
    - Where authorized users can access the system from
    - How authorized users can access the system
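As an added example (not part of the slides or of the textbook they summarize), the Python script below applies the five dimensions listed above, who, what, when, where and how, as a deny-by-default access check: a request is allowed only if some entry for that user and resource is satisfied on every dimension, and the reason for a denial names the dimension that failed. The entry layout, the helper names and the sample ACL are constructed for illustration.

```python
"""Added example (not from the slides): a deny-by-default access check that
applies who, what, when, where and how to each request. Entry format, helper
names and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class AclEntry:
    user: str                   # who may use the system
    resource: str               # what the user may access
    rights: FrozenSet[str]      # which actions are granted on it
    start: time                 # when: start of the permitted daily window
    end: time                   # when: end of the permitted daily window
    from_nets: Tuple[str, ...]  # where: source networks (CIDR) the user may come from
    methods: FrozenSet[str]     # how: access channels permitted (console, vpn, ...)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    action: str
    at: datetime
    source_ip: str
    method: str


def _in_window(t: time, start: time, end: time) -> bool:
    """True if t lies in [start, end]; a window may cross midnight (22:00-06:00)."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def _failing_dimension(entry: AclEntry, req: AccessRequest):
    """Return the first dimension the request violates for this entry, or None."""
    if req.action not in entry.rights:
        return "what: action not granted"
    if not _in_window(req.at.time(), entry.start, entry.end):
        return "when: outside permitted hours"
    if not any(ip_address(req.source_ip) in ip_network(n) for n in entry.from_nets):
        return "where: source network not permitted"
    if req.method not in entry.methods:
        return "how: access method not permitted"
    return None


def evaluate(acl, req: AccessRequest):
    """Deny by default: allow only if some entry for this user and resource is
    satisfied on every dimension. Returns (allowed, reason)."""
    reasons = []
    for entry in acl:
        if entry.user != req.user or entry.resource != req.resource:
            continue
        failure = _failing_dimension(entry, req)
        if failure is None:
            return True, "allowed by entry for %s on %s" % (entry.user, entry.resource)
        reasons.append(failure)
    if not reasons:
        return False, "who/what: no entry for this user and resource"
    return False, reasons[0]


def check(user, resource, action, when_iso, source_ip, method, acl=None):
    """Convenience wrapper: build a request from an ISO-8601 timestamp and evaluate it."""
    req = AccessRequest(user, resource, action, datetime.fromisoformat(when_iso), source_ip, method)
    return evaluate(SAMPLE_ACL if acl is None else acl, req)


# Constructed sample ACL: alice may read/write payroll from the office LAN during
# business hours; bob may only read it, over VPN, at any hour.
SAMPLE_ACL = (
    AclEntry("alice", "payroll-db", frozenset({"read", "write"}),
             time(8, 0), time(18, 0), ("10.0.0.0/8",), frozenset({"console", "vpn"})),
    AclEntry("bob", "payroll-db", frozenset({"read"}),
             time(0, 0), time(23, 59, 59), ("10.0.0.0/8", "192.168.1.0/24"), frozenset({"vpn"})),
)

if __name__ == "__main__":
    print(check("alice", "payroll-db", "read", "2024-03-04T10:00:00", "10.1.2.3", "vpn"))
    print(check("alice", "payroll-db", "read", "2024-03-04T20:00:00", "10.1.2.3", "vpn"))
```

The denial reason is deliberately one of the five dimensions rather than a bare "denied", because that is what an administrator needs when reconciling an access log against the ACL that the policy was translated into.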

13
Rule Policies
  • Rule policies are more specific to the operation
    of a system than ACLs
  • Many security systems require specific
    configuration scripts telling the systems what
    actions to perform on each set of information
    they process
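An added example, not from the slides: a configuration rule script of the kind the slide describes, with a small parser and a first-match evaluator. The rule syntax, the field names and the sample traffic are constructed; the one structural requirement the parser enforces is that every script ends with an explicit default deny, so a malformed or truncated script fails closed instead of silently becoming permissive.

```python
"""Added example (not from the slides): an ordered rule script with a small
parser and a first-match evaluator. Rule syntax, field names and sample
traffic are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network in CIDR notation, or "any"
    dst: str              # destination network in CIDR notation, or "any"
    dport: Optional[int]  # destination port; None means any port
    comment: str = ""


def parse_rules(text: str) -> List[Rule]:
    """Parse lines of 'action proto src dst port [# comment]'. Blank and
    comment-only lines are skipped. A malformed line, or a script that does not
    end with 'deny any any any any', raises ValueError so a bad script is
    rejected instead of silently yielding a permissive policy."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body, _, comment = raw.partition("#")
        fields = body.split()
        if not fields:
            continue
        if len(fields) != 5:
            raise ValueError("line %d: expected 5 fields, got %d" % (lineno, len(fields)))
        action, proto, src, dst, port = fields
        if action not in ("allow", "deny"):
            raise ValueError("line %d: unknown action %r" % (lineno, action))
        if proto not in ("tcp", "udp", "any"):
            raise ValueError("line %d: unknown protocol %r" % (lineno, proto))
        for net in (src, dst):
            if net != "any":
                ip_network(net)  # validates the CIDR; raises ValueError if malformed
        dport = None if port == "any" else int(port)
        rules.append(Rule(action, proto, src, dst, dport, comment.strip()))
    last = rules[-1] if rules else None
    if last is None or (last.action, last.proto, last.src, last.dst, last.dport) != ("deny", "any", "any", "any", None):
        raise ValueError("script must end with an explicit 'deny any any any any'")
    return rules


def script_is_valid(text: str) -> bool:
    """True if the script parses and ends with the default deny."""
    try:
        parse_rules(text)
    except ValueError:
        return False
    return True


def _net_match(cidr: str, ip: str) -> bool:
    return cidr == "any" or ip_address(ip) in ip_network(cidr)


def matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    return (rule.proto in ("any", proto)
            and _net_match(rule.src, src)
            and _net_match(rule.dst, dst)
            and rule.dport in (None, dport))


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: int) -> Tuple[str, int]:
    """Walk the rules top to bottom; the first match decides. Returns the action
    and the index of the rule that fired, which is what a decision log should record."""
    for index, rule in enumerate(rules):
        if matches(rule, proto, src, dst, dport):
            return rule.action, index
    raise RuntimeError("no rule matched; parse_rules should have enforced a default deny")


# Constructed sample script. Comments stay attached to each rule so a logged
# decision can cite the rule's intent.
SAMPLE_SCRIPT = """
allow tcp any          192.0.2.0/24 443   # anyone may reach the public web servers
allow tcp 10.0.0.0/8   192.0.2.0/24 22    # only internal hosts may administer them
deny  tcp 192.0.2.0/24 10.0.0.0/8  any   # web servers may not open sessions inward
allow any 10.0.0.0/8   any          any   # internal hosts may reach anything else
deny  any any          any          any   # explicit default deny
"""
RULES = parse_rules(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(evaluate(RULES, "tcp", "203.0.113.9", "192.0.2.10", 443))  # ('allow', 0)
```

Rule order is part of the policy: the inward deny in the third rule only has effect because it sits above the broad internal allow, which is why the parser preserves order and the evaluator reports which rule fired.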

15
Policy Management
  • Policies are living documents that must be
    managed and nurtured, and are constantly changing
    and growing
  • Documents must be properly managed
  • Special considerations should be made for
    organizations undergoing mergers, takeovers, and
    partnerships
  • In order to remain viable, policies must have:
    - an individual responsible for reviews
    - a schedule of reviews
    - a method for making recommendations for reviews
    - a specific effective and revision date

16
Information Classification
  • The classification of information is an important
    aspect of policy
  • The same protection scheme created to prevent
    production data from accidental release to the
    wrong party should be applied to policies in
    order to keep them freely available, but only
    within the organization
  • In today's open office environments, it may be
    beneficial to implement a clean desk policy
  • A clean desk policy stipulates that at the end of
    the business day, all classified information must
    be properly stored and secured

17
Systems Design
  • At this point in the Security SDLC, the analysis
    phase is complete and the design phase begins;
    many work products have been created
  • Designing a plan for security begins by creating
    or validating a security blueprint
  • Then use the blueprint to plan the tasks to be
    accomplished and the order in which to proceed
  • Setting priorities can follow the recommendations
    of published sources, or published standards
    provided by government agencies or private
    consultants

19
Information Security Blueprints
  • One approach is to adapt or adopt a published
    model or framework for information security
  • A framework is the basic skeletal structure
    within which additional detailed planning of the
    blueprint can be placed as it is developed or
    refined
  • Experience teaches us that what works well for
    one organization may not precisely fit another

20
ISO 17799/BS 7799
  • One of the most widely referenced and often
    discussed security models is the Information
    Technology Code of Practice for Information
    Security Management, which was originally
    published as British Standard BS 7799
  • This Code of Practice was adopted as an
    international standard by the International
    Organization for Standardization (ISO) and the
    International Electrotechnical Commission (IEC)
    as ISO/IEC 17799 in 2000 as a framework for
    information security

22
ISO 17799 / BS 7799
  • Several countries have not adopted 17799, claiming
    there are fundamental problems:
    - The global information security community has not
      defined any justification for a code of practice
      as identified in ISO/IEC 17799
    - 17799 lacks the necessary measurement precision
      of a technical standard
    - There is no reason to believe that 17799 is more
      useful than any other approach currently
      available
    - 17799 is not as complete as other frameworks
      available
    - 17799 is perceived to have been hurriedly
      prepared given the tremendous impact its adoption
      could have on industry information security
      controls

23
ISO/IEC 17799
  • Organizational Security Policy is needed to
    provide management direction and support
  • Objectives:
    - Operational Security Policy
    - Organizational Security Infrastructure
    - Asset Classification and Control
    - Personnel Security
    - Physical and Environmental Security
    - Communications and Operations Management
    - System Access Control
    - System Development and Maintenance
    - Business Continuity Planning
    - Compliance

24
NIST Security Models
  • Another approach available is described in the
    many documents available from the Computer
    Security Resource Center of the National
    Institute of Standards and Technology
    (csrc.nist.gov), including:
    - NIST SP 800-12 - The Computer Security Handbook
    - NIST SP 800-14 - Generally Accepted Principles
      and Practices for Securing IT Systems
    - NIST SP 800-18 - The Guide for Developing
      Security Plans for IT Systems

25
NIST SP 800-14
  • Security Supports the Mission of the Organization
  • Security is an Integral Element of Sound
    Management
  • Security Should Be Cost-Effective
  • Systems Owners Have Security Responsibilities
    Outside Their Own Organizations
  • Security Responsibilities and Accountability
    Should Be Made Explicit
  • Security Requires a Comprehensive and Integrated
    Approach
  • Security Should Be Periodically Reassessed
  • Security is Constrained by Societal Factors
  • 33 Principles enumerated

26
IETF Security Architecture
  • The Security Area Working Group acts as an
    advisory board for the protocols and areas
    developed and promoted through the Internet
    Society
  • No specific architecture is promoted through IETF
  • RFC 2196 Site Security Handbook provides an
    overview of five basic areas of security
  • Topics include:
    - security policies
    - security technical architecture
    - security services
    - security incident handling

27
VISA Model
  • VISA International promotes strong security
    measures and has security guidelines
  • Developed two important documents that improve
    and regulate its information systems:
    - Security Assessment Process
    - Agreed Upon Procedures
  • Using the two documents, a security team can
    develop a sound strategy for the design of good
    security architecture
  • The only downside to this approach is the very
    specific focus on systems that can or do
    integrate with VISA's systems

28
Baselining and Best Practices
  • Baselining and best practices are solid methods
    for collecting security practices, but they can
    have the drawback of providing less detail than
    would a complete methodology
  • It is possible to gain information by baselining
    and using best practices and thus work backwards
    to an effective design
  • The Federal Agency Security Practices Site
    (fasp.csrc.nist.gov) is designed to provide best
    practices for public agencies

29
Professional Membership
  • It may be worth the information security
    professional's time and money to join
    professional societies that provide information
    on best practices to their members
  • Many organizations have seminars and classes on
    best practices for implementing security
  • Finding information on security design is the
    easy part; sorting through the collected mass of
    information, documents, and publications can take
    a substantial investment in time and human
    resources

30
NIST SP 800-26
  • Management Controls
    - Risk Management
    - Review of Security Controls
    - Life Cycle Maintenance
    - Authorization of Processing (Certification and
      Accreditation)
    - System Security Plan
  • Operational Controls
    - Personnel Security
    - Physical Security
    - Production, Input/Output Controls
    - Contingency Planning
    - Hardware and Systems Software
    - Data Integrity
    - Documentation
    - Security Awareness, Training, and Education
    - Incident Response Capability
  • Technical Controls
    - Identification and Authentication
    - Logical Access Controls

31
Figure 6-16: Spheres of Security
32
Sphere of Use
  • Generally speaking, the concept of the sphere is
    to represent the 360 degrees of security
    necessary to protect information at all times
  • The first component is the sphere of use
  • Information, at the core of the sphere, is
    available for access by members of the
    organization and other computer-based systems
  • To gain access to the computer systems, one must
    either directly access the computer systems or go
    through a network connection
  • To gain access to the network, one must either
    directly access the network or go through an
    Internet connection

33
Sphere of Protection
  • The sphere of protection overlays each of the
    levels of the sphere of use with a layer of
    security, protecting that layer from direct or
    indirect use through the next layer
  • The people must become a layer of security, a
    human firewall that protects the information from
    unauthorized access and use
  • Information security is therefore designed and
    implemented in three layers:
    - policies
    - people (education, training, and awareness
      programs)
    - technology

34
Controls
  • Management controls cover security processes that
    are designed by the strategic planners and
    performed by security administration of the
    organization
  • Operational controls deal with the operational
    functionality of security in the organization
  • Operational controls also address personnel
    security, physical security, and the protection
    of production inputs and outputs
  • Technical controls address those tactical and
    technical issues related to designing and
    implementing security in the organization

35
The Framework
  • Management Controls
    - Program Management
    - System Security Plan
    - Life Cycle Maintenance
    - Risk Management
    - Review of Security Controls
    - Legal Compliance
  • Operational Controls
    - Contingency Planning
    - Security ETA
    - Personnel Security
    - Physical Security
    - Production Inputs and Outputs
    - Hardware Software Systems Maintenance
    - Data Integrity
  • Technical Controls
    - Logical Access Controls
    - Identification, Authentication, Authorization,
      and Accountability
    - Audit Trails
    - Asset Classification and Control
    - Cryptography

36
SETA
  • As soon as the policies exist, policies to
    implement security education, training, and
    awareness (SETA) should follow
  • SETA is a control measure designed to reduce
    accidental security breaches
  • Supplement the general education and training
    programs in place to educate staff on information
    security
  • Security education and training builds on the
    general knowledge the employees must possess to
    do their jobs, familiarizing them with the way to
    do their jobs securely

37
SETA Elements
  • The SETA program consists of three elements:
    - security education
    - security training
    - security awareness
  • The organization may not be capable or willing to
    undertake all three of these elements but may
    outsource them
  • The purpose of SETA is to enhance security by:
    - Improving awareness of the need to protect system
      resources
    - Developing skills and knowledge so computer users
      can perform their jobs more securely
    - Building in-depth knowledge, as needed, to
      design, implement, or operate security programs
      for organizations and systems

39
Security Education
  • Everyone in an organization needs to be trained
    and aware of information security, but not every
    member of the organization needs a formal degree
    or certificate in information security
  • When formal education for appropriate individuals
    in security is needed, an employee can identify
    curriculum available from local institutions of
    higher learning or continuing education
  • A number of universities have formal coursework
    in information security
  • (See for example http://infosec.kennesaw.edu)

40
Security Training
  • Security training involves providing members of
    the organization with detailed information and
    hands-on instruction designed to prepare them to
    perform their duties securely
  • Management of information security can develop
    customized in-house training or outsource the
    training program

41
Security Awareness
  • One of the least frequently implemented, but the
    most beneficial programs is the security
    awareness program
  • Designed to keep information security at the
    forefront of the users' minds
  • Need not be complicated or expensive
  • If the program is not actively implemented,
    employees begin to tune out, and the risk of
    employee accidents and failures increases

43
Comments
  • Defense in Depth
    - One of the foundations of security architectures
      is the requirement to implement security in
      layers
    - Defense in depth requires that the organization
      establish sufficient security controls and
      safeguards, so that an intruder faces multiple
      layers of controls
  • Security Perimeter
    - The point at which an organization's security
      protection ends and the outside world begins is
      referred to as the security perimeter
    - Unfortunately, the perimeter does not apply to
      internal attacks from employee threats or
      on-site physical threats

46
Key Technology Components
  • Other key technology components:
    - A firewall is a device that selectively
      discriminates against information flowing into or
      out of the organization
    - The DMZ (demilitarized zone) is a no-man's land,
      between the inside and outside networks, where
      some organizations place Web servers
    - In an effort to detect unauthorized activity
      within the inner network, or on individual
      machines, an organization may wish to implement
      Intrusion Detection Systems (IDS)
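An added example, not from the slides: a minimal detection pass of the kind an IDS applies to authentication logs from hosts on the inner network. Two rules are implemented, a burst of failed logins from one source (with any success that follows it escalated separately) and an accepted login from outside the internal address ranges. The line format is standard OpenSSH syslog output, but the log lines, host name and addresses are constructed, and the internal network ranges, the thresholds and the log year are assumptions.

```python
"""Added example (not from the slides): a minimal host-log intrusion detection
pass over SSH authentication events. Log lines are constructed; network ranges,
thresholds and the year are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed inner network
FAIL_THRESHOLD = 5                        # this many failures from one source ...
FAIL_WINDOW = timedelta(seconds=60)       # ... within this window raise an alert
FOLLOWUP_WINDOW = timedelta(minutes=10)   # a success this soon after a burst is escalated
LOG_YEAR = 2024                           # syslog lines carry no year; assumed

# Matches "Accepted/Failed <method> for [invalid user] <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd auth event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return {"ts": ts, "host": m.group("host"), "result": m.group("result"),
            "user": m.group("user"), "src": m.group("src")}


def detect(log_text):
    """Return alerts in the order they fire; each is a dict with rule, source, user, time."""
    alerts = []
    failures = defaultdict(deque)   # source -> timestamps of failures in the window
    burst_at = {}                   # source -> time of its most recent burst alert
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                 # not an auth event; out of scope for these two rules
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "Failed":
            q = failures[src]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:
                q.popleft()          # slide the window forward
            if len(q) >= FAIL_THRESHOLD:
                alerts.append({"rule": "auth-failure-burst", "source": src,
                               "user": ev["user"], "time": ts, "count": len(q)})
                burst_at[src] = ts
                q.clear()            # one alert per burst, not one per extra failure
        else:
            if src in burst_at and ts - burst_at[src] <= FOLLOWUP_WINDOW:
                alerts.append({"rule": "success-after-failure-burst", "source": src,
                               "user": ev["user"], "time": ts})
            if not any(ip_address(src) in net for net in INTERNAL_NETS):
                alerts.append({"rule": "external-login", "source": src,
                               "user": ev["user"], "time": ts})
    return alerts


# Constructed sample log: a password-guessing burst that ends in a success, an
# accepted key login from an outside address, and two benign events.
SAMPLE_LOG = """\
Mar  4 09:00:01 fileserver sshd[2101]: Failed password for alice from 10.1.4.22 port 50122 ssh2
Mar  4 09:00:03 fileserver sshd[2101]: Failed password for alice from 10.1.4.22 port 50123 ssh2
Mar  4 09:00:05 fileserver sshd[2101]: Failed password for alice from 10.1.4.22 port 50124 ssh2
Mar  4 09:00:07 fileserver sshd[2101]: Failed password for alice from 10.1.4.22 port 50125 ssh2
Mar  4 09:00:09 fileserver sshd[2101]: Failed password for alice from 10.1.4.22 port 50126 ssh2
Mar  4 09:00:11 fileserver sshd[2101]: Accepted password for alice from 10.1.4.22 port 50127 ssh2
Mar  4 09:15:40 fileserver sshd[2300]: Accepted publickey for bob from 203.0.113.77 port 41000 ssh2
Mar  4 10:02:00 fileserver sshd[2410]: Failed password for root from 10.1.9.9 port 33000 ssh2
Mar  4 10:30:00 fileserver sshd[2520]: Accepted publickey for carol from 10.1.4.30 port 41010 ssh2
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["time"].isoformat(), alert["rule"], alert["source"], alert["user"])
```

The single failure for root does not alert on its own; the value of the burst rule is that it suppresses that noise while still catching the pattern that matters, and the follow-up rule is what turns "someone guessed at alice's password" into "someone guessed alice's password".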
