Information Assurance Professional - PowerPoint PPT Presentation

Presentation Transcript

  1. Information Assurance Professional National Security Registration Board Version 2.6

  2. Course Goals • This course presents the fundamental concepts of information assurance. • It is designed to foster a mastery-level understanding of the IA process. • The intention is to prepare a trained IA professional.

  3. Course Application • You learn how to tailor a practical information assurance architecture using this BOK. • As well as how to deploy an appropriate set of flexible countermeasures.

  4. Three Assumptions • Three major assumptions underlie this course. • Assumption One • Effective information security requires an integrated set of business and technological processes.

  5. The Three Assumptions • Assumption Two • Effective information security programs must be deliberately designed and deployed organization-wide through a strategic planning process.

  6. The Three Assumptions • Assumption Three • Information security programs are systematic. • That is, they embody an appropriate set of persistent and interacting controls. • These function seamlessly and as an integral element of the day-to-day operation of the business.

  7. The Importance of Planning • All three of these requirements must be satisfied for the solution to be correct. • That condition is not arrived at by chance. • It is always derived from a valid set of common best practices.

  8. The IBOK • The IBOK is a compendium, or body of knowledge, rather than a standard. • It is an integration of three existing models into a single unified concept. • The idea is that a harmonized set of recommendations is the most authoritative statement about best practice.

  9. Best Practice Models • There are at least three models that are used to guide that process: • The Generally Accepted System Security Principles (GASSP), 1999 • ISO 17799 and BS 7799:2 (2002) • COBIT (2006)

  10. Best Practice Models • Each of these embodies a fundamental set of principles derived from extensive “lessons learned”. • Each of these provides a useful set of high-level control objectives, which can be tailored to any organizational need. • And each has the potential to serve as the basis of an effective solution.

  11. Best Practice Models • This model comprises the Information Security Body of Knowledge (IBOK). • It also presents a standard implementation methodology for this BOK.

  12. Course Assumptions • Individuals who successfully complete this course can be assumed to be: • Knowledgeable in the best practices for information assurance • Competent to implement security systems that are capable of being accredited by the NSRB.

  13. Text • The following are required: • Information Security Body of Knowledge – IBOK Open Standard 2.2, International Standards Institution of Governors, 2004 • Training Guideline, IBOK, National Standards Registration Board, 2003

  14. Course Description • You will learn how to • Create an information security architecture • Establish detailed control procedures within this framework

  15. Course Description • Systematically identify and monitor areas of vulnerability • Assess the impact of threats as they are identified • Deploy appropriate technological and managerial countermeasures

  16. Course Objectives • At the end of this course you will be able to • Deploy an appropriate managerial and technical control framework • Establish a correct information security control set within that framework

  17. Course Objectives • Conduct a capable threat identification • Formulate a baseline defense in depth countermeasure set

  18. Course Objectives • Be able to value assets and justify the countermeasures based on that valuation • Be able to deploy, assess and continuously maintain operational countermeasures

  19. Course Agenda • 3:00–3:30 – Module One: Principles of Information Security • 3:30–4:00 – Module Two: The Information Assurance Process • 4:00–4:45 – Module Three: The Implementation Process • 4:45–5:00 – Initiate Project • 5:00–5:30 – Prepare Solution • 5:30–5:45 – Report Solution • 5:45–6:00 – Questions and Lessons Learned

  20. Module One The Five Basic Goals of the Information Assurance Process

  21. The Five Basic Goals of IA • Information assurance ensures the: • Availability • Confidentiality • Integrity • Authentication • Non-Repudiation of Origin • of information

  22. Definition: Confidentiality • Confidentiality is the condition that ensures that information is not disclosed to unauthorized persons, processes or devices. • This implies the requirement for such discrete functions as: • information identification and labeling • need-to-know procedures

  23. Definition: Integrity • Integrity is the condition of assuring trust. • Within the information security universe, integrity is specifically interpreted to mean: • that a transmission will arrive at its destination in exactly the same form as it was sent.

  24. Definition: Integrity • That requires ensuring: • the logical correctness and reliability of the operating system • the logical completeness of the hardware and software entities • the consistency of the data and of the occurrences of the stored data

  25. Definition: Authentication • Authentication is a security service designed to establish the validity of a transmission, message, or originator. • It is also a means of verifying an individual’s authorizations to receive specific categories of information.

  26. Definition: Authentication • Authentication ensures that the occurrence of false identities is eliminated. • An individual, an organization, or a computer has to be able to prove its identity to be properly secured.

  27. Definition: Authentication • This also implies an authorization function. • Authorization describes the system’s ability to regulate access to resources once the identity is verified.

  28. Definition: Availability • Availability implies the ability to provide authorized users with timely and reliable access to data and information services. • It is characterized by best practices such as: • back-up power • continuous signal • off-site recovery

  29. Definition: Availability • Availability also describes the overall goal of security management, • which is to ensure the requisite level of trustworthiness in day-to-day operation.

  30. Definition: Availability • In reality, availability is a condition rather than a specific security function. • It is often traded off against purely security-related conditions, like confidentiality.

  31. Definition: Availability • Because availability ensures functioning… • There might be a time when assuring availability outweighs procedures that are necessary to secure information.

  32. Definition: Availability • The judgment to sacrifice any of the other security services for the sake of enhanced availability is a risk mitigation decision, • which is usually motivated by threats and vulnerabilities in the business case.

  33. Definition: Non-Repudiation • Non-repudiation of origin provides the sender with proof of delivery • AND • it underwrites the identity of the sender to the recipient.

  34. Definition: Non-Repudiation • As a result, neither party can later deny that the message was legitimately sent and received. • Non-repudiation has ramifications for everything from purchases on eBay to modern battlefield orders.
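The distinction slides 23 through 34 draw between integrity, authentication and non-repudiation of origin is easiest to see in code. The following Go program is an added example, not part of the course material: a keyed HMAC (shared key) gives integrity and authentication, but because the recipient holds the same key it can forge a valid tag itself, so the sender can later deny the message; an Ed25519 signature (sender's private key only) is what supplies non-repudiation of origin. The order text and shared key are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Authentication: only a shared-key holder can produce a valid tag; tampering invalidates it.
func authTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

func verifyAuthTag(key, msg, tag []byte) bool {
	return hmac.Equal(authTag(key, msg), tag)
}

// Non-repudiation of origin: only the sender's private key can sign; the
// recipient verifies with the public key and cannot forge a signature.
func newOriginKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func signOrigin(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

func verifyOrigin(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	order := []byte("MOVE UNIT 7 TO GRID 42 AT 0600") // constructed sample order
	sharedKey := []byte("constructed-shared-key")     // constructed sample key
	pub, priv := newOriginKeys()
	tag, sig := authTag(sharedKey, order), signOrigin(priv, order)
	tampered := []byte("MOVE UNIT 7 TO GRID 24 AT 0600")
	fmt.Println(verifyAuthTag(sharedKey, order, tag), verifyOrigin(pub, order, sig))       // true true
	fmt.Println(verifyAuthTag(sharedKey, tampered, tag), verifyOrigin(pub, tampered, sig)) // false false
	// The recipient holds the shared key too, so it can forge a valid tag for
	// any text and the sender can later deny it: HMAC gives no non-repudiation.
	fmt.Println(verifyAuthTag(sharedKey, tampered, authTag(sharedKey, tampered))) // true
}
```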

  35. Module One: Questions • What are the Five Elements of IA? • What does integrity ensure? • What is often traded off against availability? • What is the value of non-repudiation to businesses? • What does authentication require to work properly? • What is a risk mitigation decision? • What is non-repudiation based on? • What is availability characterized by? • What does need-to-know support? • What basic condition does offsite backup ensure?

  36. Module Two The Information Assurance Process

  37. The Information Assurance Process • Information assurance is a multifaceted process composed of fifteen elements and one critical capability • Each is a discrete function and each contributes differently to the overall purposes of securing information. • These fifteen elements comprise a lifecycle.

  38. The Information Assurance Process • All fifteen function within that lifecycle to ensure an effective level of security. • Each element plays its proper role at a logical place within the process.

  39. The Information Assurance Process • The outcome is adequate protection of all information assets. • Adequate protection assumes the presence of all necessary safeguards!

  40. Building a Holistic Solution • Electronic assurance constitutes just one aspect of that protection. • Full protection has to incorporate all of the organizational functions and human factors relevant to security.

  41. Building a Holistic Solution • The outcome must constitute a holistic response. • In essence the response must integrate: • All of the assurance measures • To protect all information • At all times

  42. The Fifteen Principles • The IBOK integrates a common body of knowledge. • That BOK itemizes fifteen aspects of security (and one critical process).

  43. The Fifteen Principles • Each must be addressed in order for a security solution to be complete. • These are arrayed in the lifecycle model shown on the next set of slides.

  44. IA Lifecycle – Lifecycle Scope (flowchart; labels as extracted) • The Information Resource • is described by Asset Identification • AND • evaluated by a Risk Assessment

  45. IA Lifecycle – Management (flowchart; only node and connector labels recovered) • Nodes: Security Policy, Security Discipline, Security Infrastructure, Access Control, Ethical Conduct, Security of Operations • Connectors: “which is shaped by”, “defines”, “which enforces”, “and”, “which is maintained by”

  46. IA Lifecycle – Countermeasures (flowchart; labels as extracted) • Process Countermeasures • Management Countermeasures • Technical Countermeasures • Physical Security • Software Assurance • Continuity • Compliance • Personnel Security • NETSEC • Process Assurance • Crypto

  47. Principle One: Asset Identification • The form of the information resource has to be understood in order to properly secure it. • Thus, everything that is part of that resource has to be identified, labeled and placed in a documented asset baseline. • It is also necessary to establish a system for controlling changes to that baseline.

  48. Principle Two: Risk Assessment • Risk assessment defines the form of the security response. • Current operations as well as prospective ones are systematically evaluated using risk assessment. • The goal is to identify potential threats, vulnerabilities and weaknesses within the asset base.

  49. Principle Three: Security Policy • Then the organization establishes uniform policies to guide the assurance process. • These policies are the basis for the solution. • The outcome is a rational set of guidelines for information assurance.

  50. Principle Four: Infrastructure • The procedural infrastructure is a tangible realization of security policy. • The organization has to design and enforce a logical and consistent set of procedures. • These must be directly traceable to the policies they implement.