ISA 562

About This Presentation

Title:

ISA 562

Description:

Job rotation , Separation of duties, least privilege, mandatory vacations ...etc. ... others are willing to pay. Value of intellectual property. Convertibility ... – PowerPoint PPT presentation

Number of Views:80

Avg rating:3.0/5.0

Slides: 62

Provided by: ise2

Category:

Tags: isa

more less

Transcript and Presenter's Notes

Title: ISA 562

1
ISA 562Internet Security Theory Practice
Information Security Management CISSP Topic 1
2
Objectives

Roles of and responsibilities of individuals in a
security program
Security planning in an organization
Security awareness in the organization
Differences between policies, standards,
guidelines and procedures as related to security
Risk Management practices and tools

3
Introduction

Purpose of information security is to protect an
organization's valuable resources, such as
information, hardware and software.
Should be designed to increase organizational
success.
Information systems are often critical assets
that support the mission of an organization

4
Information Security TRIAD

The Overhanging goals of information security are
addressed through the AIC TRIAD.

5
IT Security Requirements - I

Security Solutions should be designed with two
main focus areas
Functional Requirements
Defines security behavior of the control measures
Selected based on risk Assessment
Properties
They should not depend on another control
Why?
They should fail safe by marinating security of
the system in an event of a failure
Why?

6
IT Security Requirements -II

2. Assurance Requirements
Provides confidence that security functions is
performing as expected.
Examples
Internal/External Audit.
Threat Risk Assessments
Third Party reviews
Compliance to best practices
3. Example for Functional vs. Assurance
Functional Requirement a network Firewall
Permits or denies traffic.
Assurance requirement logs are generated and
monitored

6
7
Organizational Business Requirements

Focus on organizational mission
Business driven
Depends upon organizational type
Example Military , government and commercial.
Must be sensible and cost effective
Solutions must be developed with due
consideration of the mission and environment of
business

8
IT Security Governance

Integral part of overall corporate governance
Must be fully integrated into the overall
risk-based threat analysis, it also
Ensures that the IT infrastructure of the
company
Meets the AIC requirements.
Supports the strategies and objectives of the
company.
Includes service level agreements when
outsourced.

8
9
Security Governance Major parts

Leadership
Security leaders must be fully integrated into
the company leadership where they can be heard.
Structure
it occurs at many different levels of the
organization and is in a layered approach.
Processes
by following internationally accepted best
practices
Job rotation , Separation of duties, least
privilege, mandatory vacations etc.
Some Examples for standards ISO 17799 ISO
270012005

10
Security Blueprints

Provide a structure for organizing requirements
and solutions.
they are used to ensure that security is
considered from a holistic view.
Used to identify and design security requirements
Infrastructure Security Blueprints

11
Policy overview

Operational environment is a complex web of laws,
regulations, requirements, competitors and
partners
Change frequently and interact with each other ,
within this environment
Management must develop and publish overall
security statements addressing
Security policies and their supporting elements
such as standards , baselines and guidelines.

12
Policy overview
12
13
Functions of Security policy - I

Provides Managements Goals and objectives in
writing
Documents compliance
Creates the security culture
Anticipates and protects others from surprises
Establishes the security activity/function
Holds individuals personally responsible/accountab
le

13
14
Functions of Security policy-II

Address foreseeable conflicts
Ensures employees and contractors are aware of
organizational policy and changes
Mandates an incident response plan
Establishes process for exception handling ,
rewards, discipline

14
15
Policy Infrastructure

High level policies are interpreted into a number
of functional policies.
Functional polices are derived from overarching
policy of the organizations and
create the foundation for the procedures,
standards, and baselines to accomplish the
security objectives
Functional polices gain their credibility from
senior managements buy-in.

15
16
Example Functional Policies

Data classification
Certification and accreditation
Access control
Outsourcing
Remote access
Acceptable Internet usage
Privacy
Dissemination control
Sharing control

17
Policy Implementation

Standards, procedures, baselines, and guidelines
turn the objectives and goals established by
management in the overarching and functional
policies into actionable and enforceable actions
for the employees.

18
Standards and procedure

Standards Adoption of common hardware and
software mechanism and products throughout the
enterprise.
Examples Desktop, Anti-Virus, Firewall
Procedures required step by step actions which
must be followed to accomplish a task.
Guidelines recommendations for security product
implementations, procurement and planning, etc.
Examples ISO17799, Common Criteria, ITIL

19
Baselines

Benchmarks used to ensure that a minimum level of
security configuration is provided across
multiple implementations and systems.
They establish consistent implementation of
security mechanisms.
Platform unique
Examples
VPN Setup,
IDS Configuration,
Password rules

19
20
Three Levels of security planning

Strategic Planning long term
Focuses on the high-level, long-range
organizational requirements
Examples overarching security policy
Tactical Level Planning medium-term
Focus on events that will affect the entire
organization.
Examples functional plans
Operational planning short-term
Fighting fires at the keyboard level, this
Directly affects the ability of the organization
to accomplish its objectives.

21
Organizational roles and responsibilities

Every actor has a role
Entails responsibility
must be clearly communicated and
understood by all actors.
Duties associated with the role Specific must be
assigned
Examples
Securing email
Reviewing violation reports
Attending awareness training

22
Specific Roles and Responsibilities (duties)- 1

Executive Management
Publish and endorse security policy
establishing goals, objectives
overall responsibility for asset protection.
Information systems security professionals
Security design, implementation, management,
Review of the organization security policies.

22
23
Specific Roles and responsibilities - 2

Owners
information classification
set user access conditions
decide on business continuality priorities
Custodians
Security of the information entrusted to them
Information System Auditor
Auditing assurance guarantees.
Users
Compliance with procedures (AIC) and policies

24
Personal Security Hiring staff

Background checks/Security clearances
Check references/ educational records
Sign Employment agreement
Examples
Non-disclosure agreements
Non-compete agreements
Low level Checks
Consult the Human Resources (H.R.) department
Termination procedures

25
Third party considerations

Established procedures to address these groups on
an individual basis.
Examples of third party are
Vendors/Suppliers
Contractors
Temporary Employees
Customers

26
Personnel good practices

Job description and defended roles and
responsibilities
Least privilege/Need to know
Compliance with need to share
Separation of duties
Job rotation
Mandatory vacations

27
Security Awareness

Awareness training
Provides employees with a reminder of their
security responsibilities.
Motivate personnel to comply with requirements
Examples
Videos
Newsletters
Posters
Key-chains, etc.

27
28
Training and Education

Job training
Provides skills needed to perform the security
functions in their jobs.
Focus on security-related job skills
Specifically address security requirements of the
organization, etc.
Professional Education
Provides decision-making, and security management
skills that are important for the success of an
organizations security program.

29
Good training practices

Address the audience
Management
Data Owner and custodian
Operations personnel
User
Support personnel

30
Risk from NIST SP 800-30

Risk is a function of the likelihood of a given
threat-sources exercising a particular potential
vulnerability,
and the resulting impact of that adverse event
on the organization (SP800-30)

30
31
Definitions Related to Risk

Threat the Potential for a mal-actor to exercise
a specific vulnerability.
Vulnerability A Flaw or weakness in system
security procedures, design, implementation or
internal controls that could be exercised and
could result in a security breach or violation of
systems security policy.
Likelihood the probability that a potential
vulnerability may be exercised within the threat
environment.
Countermeasures A risk reduction control
maybe technical, operational or management
controls or a combination of these type

32
Risk Management concept flow
33
Risk Management Definitions

Asset Something that is valued by the
organization to accomplish its goals and
objectives
Threat Any potential danger to information or an
information systems.
Examples
Unauthorized access, Hardware failure, Loss of
key personnel
Threat Agent Anything that has the potential of
causing a threat.
Exposure An opportunity for a threat to cause
loss.
Vulnerability Is a weakness that could be
exploited.
Attack An Intentional action trying to cause
harm.
Countermeasures and safeguards Are those
measures and actions that are taken to protect
systems.
Risk The probability that some unwanted event
could occur
Residual Risk The amount of risk remaining after
countermeasures and safeguards are applied

34
Risk Management

The purpose of risk management is to identify
potential problems
Before they occur
So that risk-handling activities may be planned
and invoked as needed
Across the life of the product or project

35
The Risk Equation
36
Risk Factors

The Risk arises when threat-agent attack assets
and vulnerabilities are present
Residual Risk happens when threat-agent attack
assets and countermeasures are in place but are
not sufficient

37
Risk Management

Risk Management identifies and reduces total
risks ( threats, vulnerabilities, asset value)
Mitigating controls Safeguards Countermeasures
reduce risk
Residual Risk should be set to an acceptable level

38
Purpose of risk Analysis

Identifies and justifies risk mitigation efforts
Identifies the threats to business processes and
information systems
Justifies the implementation of specific
countermeasures to mitigate risk
Describes current security posture
Conducted based on risk to the organization's
objectives/mission

39
Benefits of Risk Analysis

Focuses policy and resources
Identifies areas with specific risk requirements
Part of good IT Governance
Supports
Business continuity process
Insurance and liability decisions
Legitimizes security awareness programs

40
Emerging threats factors

Risk Assessment must also address emerging
threats
New technology
Change in culture of the organization or
environment
Unauthorized use of technology, etc.
Can come from many different areas
May be discovered by periodic risk assessments

41
Sources to identity threats

Users
Systems administrators
Security officers
Auditors
Operations
Facility records
Community and government records
Vendor/security provider alerts
Other types of threats
Natural disasters flood, tornado, etc.
Environment-overcrowding or poor moral
Facility -physical security or location of
building

42
Risk analysis key factors

Obtain senior management support
Establish the risk assessment team
Define and approve the purpose and scope of the
risk assessment team
Select team members
State the official authority and responsibility
of the team
Have management review findings and
recommendations
Risk team members
Some of the areas which should be included
Information System Security, IT Operations
Management, Internal Audit, Physical security, etc

43
Use of automated tools for risk management

Objectives is to minimize manual effort
Can be time consuming to setup
Perform calculations quickly
Estimate future expected losses
Determine the benefit of security measures

44
Preliminary security evaluation

Identify vulnerabilities
Review existing security measures
Document findings
Obtain management review and approval

45
Risk analysis types

Two types of Risk analysis
Quantitative Risk analysis
Qualitative Risk analysis
Both provide valuable metrics
Both are often required to get a full picture

46
Quantitative risk analysis

Assign independently objective numeric monetary
values
Fully quantitative if all elements of the risk
analysis are quantified
difficult to achieve
Requires substantial time and personnel resources

47
Determining asset value

Cost to acquire, develop, and maintain
Value to owners, custodians, or users
Liability for protection
Recognize cost and value in the real world
Price others are willing to pay
Value of intellectual property
Convertibility/negotiability

48
Quantitative analysis steps

Estimate potential losses
SLE Single Loss Expectancy
SLE Asset Value () X Exposure Factor ()
Exposure Factor of asset loss when threat is
successful
Types of loss to consider
Physical destruction/theft, Loss data, etc
Conduct threat analysis
ARO-Annual Rate of Occurrence
Expected number of exposures/incidents per year
Likelihood of an unwanted event happening
Determine Annual Loss Expectancy (ALE)
Combine potential loss and rate/year
Magnitude of risk Annual Loss Expectancy
Purpose of ALE
Justify security countermeasures
ALESLE ARO

49
Qualitative Risk analysis

Scenario oriented
Does not attempt to assign absolute numeric
values to risk components
Purely qualitative risk analysis is possible
Qualitative risk analysis factors
Rank seriousness of the threats and sensitivity
of assets
Perform a carefully reasoned risk assessment

50
Other risk analysis methods

Failure modes and effects analysis
Potential failures of each part or module
Examine effects of failure at three levels
Immediate level (part or module)
Intermediate level (process or package)
System-wide
Fault tree analysis
Sometimes called spanning tree analysis
Create a tree of all possible threats to, or
faults of the system
Branches are general categories such as network
threats, physical threats, component failures,
etc.
Prune branches that do not apply
Concentrate on remaining threats.

51
Risk mitigation options

Risk Acceptance
Risk Reduction
Risk Transference
Risk Avoidance

52
The right amount of security

Cost/Benefit analysis- balance between the cost
to protect and asset value
To estimate, need to know
Asset value
Threats, Adversary, means , motives, and
opportunity.
Vulnerabilities and Resulting risk
Countermeasures
Risk tolerance

53
Countermeasures selection principles

Based on cost/benefit analysis, total cost of
safeguard
Selection and acquisition
Construction and placement
Environment modification
Nontrivial operating cost
Maintenance, testing
Potential side effects
Cost must be justified by the potential loss
Accountability
At least one person for each safeguard
Associate directly with performance reviews
Absence of design secrecy

54
Countermeasures selection principles (Continued)

Audit capability
Must be testable
Include auditors in design and implementation
Vendor Trustworthiness
Review past performance
Independence of control and subject
Safeguards control/constrain subjects
Controllers administer the safeguards
Controllers and subject are from different
populations
Universal application
Impose safeguards uniformly
Minimize exceptions

55
Countermeasures selection principles (Continued)

Compartmentalization and defense in depth
Safeguards role
Consider to improve security through layers of
security
Isolation, economy and least common mechanism
Isolate from other safeguards
Simple design is more cost effective and
reliable, etc
Acceptance and tolerance by personnel
Care must be taken to avoid implementing controls
that pose an unreasonable constrains
Less intrusive controls are more acceptable
Minimize human intervention
Reduces the possibility of errors and
exceptions by reducing the reliance on
administrative staff to maintain the control