Information Assurance Professional National Security Registration Board Version 2.6
Course Goals
• This course presents the fundamental concepts of information assurance.
• It is designed to foster a mastery-level understanding of the IA process.
• The intention is to prepare a trained IA professional.

Course Application
• You learn how to tailor a practical information assurance architecture using this BOK,
• as well as how to deploy an appropriate set of flexible countermeasures.

Three Assumptions
• Three major assumptions underlie this course.
• Assumption One: Effective information security requires an integrated set of business and technological processes.

The Three Assumptions
• Assumption Two: Effective information security programs must be deliberately designed and deployed organization-wide through a strategic planning process.

The Three Assumptions
• Assumption Three: Information security programs are systematic.
• That is, they embody an appropriate set of persistent and interacting controls.
• These function seamlessly and as an integral element of the day-to-day operation of the business.

The Importance of Planning
• All three of these requirements must be satisfied for the solution to be correct.
• That condition is not arrived at by chance.
• It is always derived from a valid set of common best practices.

The IBOK
• The IBOK is a compendium, or body of knowledge, rather than a standard.
• It is an integration of three existing models into a single unified concept.
• The idea is that a harmonized set of recommendations is the most authoritative statement about best practice.
Best Practice Models
• There are at least three models that are used to guide that process:
• The Generally Accepted System Security Principles (GASSP), 1999
• ISO 17799 and BS 7799-2 (2002)
• COBIT (2006)

Best Practice Models
• Each of these embodies a fundamental set of principles derived from extensive "lessons learned".
• Each provides a useful set of high-level control objectives which can be tailored to any organizational need.
• And each has the potential to serve as the basis of an effective solution.

Best Practice Models
• This combined model comprises the Information Security Body of Knowledge (IBOK).
• It also presents a standard implementation methodology for this BOK.

Course Assumptions
• Individuals who successfully complete this course can be assumed to be:
• Knowledgeable in the best practices for information assurance
• Competent to implement security systems that are capable of being accredited by the NSRB

Text
• The following are required:
• Information Security Body of Knowledge – IBOK Open Standard 2.2, International Standards Institution of Governors, 2004
• Training Guideline, IBOK, National Standards Registration Board, 2003
Course Description
• You will learn how to:
• Create an information security architecture
• Establish detailed control procedures within this framework

Course Description
• Systematically identify and monitor areas of vulnerability
• Assess the impact of threats as they are identified
• Deploy appropriate technological and managerial countermeasures

Course Objectives
• At the end of this course you will be able to:
• Deploy an appropriate managerial and technical control framework
• Establish a correct information security control set within that framework

Course Objectives
• Conduct a capable threat identification
• Formulate a baseline defense-in-depth countermeasure set

Course Objectives
• Value assets and justify the countermeasures based on that valuation
• Deploy, assess and continuously maintain operational countermeasures

Course Agenda
3:00–3:30 – Module One: Principles of Information Security
3:30–4:00 – Module Two: The Information Assurance Process
4:00–4:45 – Module Three: The Implementation Process
4:45–5:00 – Initiate Project
5:00–5:30 – Prepare Solution
5:30–5:45 – Report Solution
5:45–6:00 – Questions and Lessons Learned
Module One: The Five Basic Goals of the Information Assurance Process

The Five Basic Goals of IA
• Information assurance ensures, for information, its:
• Availability
• Confidentiality
• Integrity
• Authentication
• Non-Repudiation of Origin

Definition: Confidentiality
• Confidentiality is the condition that ensures that information is not disclosed to unauthorized persons, processes or devices.
• This implies the requirement for such discrete functions as:
• Information identification and labeling
• Need-to-know procedures

Definition: Integrity
• Integrity is the condition of assuring trust.
• Within the information security universe, integrity is specifically interpreted to mean that a transmission will arrive at its destination in exactly the same form as it was sent.

Definition: Integrity
• That requires ensuring:
• The logical correctness and reliability of the operating system
• The logical completeness of the hardware and software entities
• The consistency of the data structures and of the occurrences of the stored data

Definition: Authentication
• Authentication is a security service designed to establish the validity of a transmission, message or originator.
• It is also a means of verifying an individual's authorization to receive specific categories of information.

Definition: Authentication
• Authentication ensures that the occurrence of false identities is eliminated.
• An individual, an organization or a computer has to be able to prove its identity in order to be properly secured.

Definition: Authentication
• This also implies an authorization function.
• Authorization describes the system's ability to regulate access to resources once the identity is verified.
Definition: Availability
• Availability implies the ability to provide authorized users with timely and reliable access to data and information services.
• It is characterized by best practices such as:
• Back-up power
• Continuous signal
• Off-site recovery

Definition: Availability
• Availability also describes the overall goal of security management,
• which is to ensure the requisite level of trustworthiness in day-to-day operation.

Definition: Availability
• In reality, availability is a condition rather than a specific security function.
• It is often traded off against purely security-related conditions, like confidentiality.

Definition: Availability
• Because availability ensures functioning, there might be a time when assuring availability outweighs procedures that are necessary to secure information.

Definition: Availability
• The judgment to sacrifice any of the other security services for the sake of enhanced availability is a risk mitigation decision,
• which is usually motivated by threats and vulnerabilities in the business case.

Definition: Non-Repudiation
• Non-repudiation of origin provides the sender with proof of delivery
• AND
• it underwrites the identity of the sender to the recipient.

Definition: Non-Repudiation
• As a result, neither party can later deny that the message was legitimately sent and received.
• Non-repudiation has ramifications for everything from purchases on eBay to modern battlefield orders.
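As an added example (not from the course materials), the two halves of the definition above as a message exchange in Go: the sender signs the message with its own key (underwriting the sender's identity to the recipient), and the recipient, only after verifying that signature, returns a signed receipt (proof of delivery for the sender). Ed25519 keys, the receipt construction and the sample messages are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// NewKeys makes an Ed25519 key pair for one party (constructed for the example).
func NewKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignOrigin binds the sender's identity to the message (proof of origin).
func SignOrigin(senderPriv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(senderPriv, msg)
}

// receiptBody ties the receipt to exactly this transmission: the digest of
// the message together with the origin signature.
func receiptBody(msg, originSig []byte) []byte {
	h := sha256.New()
	h.Write(msg)
	h.Write(originSig)
	return h.Sum(nil)
}

// Receive verifies origin and, only if valid, returns a signed receipt
// (proof of delivery for the sender). Tampered or unsigned traffic gets none.
func Receive(recipientPriv ed25519.PrivateKey, senderPub ed25519.PublicKey, msg, originSig []byte) ([]byte, error) {
	if !ed25519.Verify(senderPub, msg, originSig) {
		return nil, errors.New("origin signature invalid: message rejected, no receipt issued")
	}
	return ed25519.Sign(recipientPriv, receiptBody(msg, originSig)), nil
}

// VerifyReceipt lets the sender, or a later auditor, confirm the recipient
// acknowledged this exact message; neither party can then deny the exchange.
func VerifyReceipt(recipientPub ed25519.PublicKey, msg, originSig, receipt []byte) bool {
	return ed25519.Verify(recipientPub, receiptBody(msg, originSig), receipt)
}
```

Because each receipt is bound to both the message and the origin signature, a receipt cannot be replayed as acknowledgement of a different or altered message.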
Module One: Questions
• What are the five elements of IA?
• What does integrity ensure?
• What is often traded off against availability?
• What is the value of non-repudiation to businesses?
• What does authentication require to work properly?
• What is a risk mitigation decision?
• What is non-repudiation based on?
• What is availability characterized by?
• What does need-to-know support?
• What basic condition does off-site backup ensure?
Module Two: The Information Assurance Process

The Information Assurance Process
• Information assurance is a multifaceted process composed of fifteen elements and one critical capability.
• Each is a discrete function and each contributes differently to the overall purpose of securing information.
• These fifteen elements comprise a lifecycle.

The Information Assurance Process
• All fifteen function within that lifecycle to ensure an effective level of security.
• Each element plays its proper role at a logical place within the process.

The Information Assurance Process
• The outcome is adequate protection of all information assets.
• Adequate protection assumes the presence of all necessary safeguards!

Building a Holistic Solution
• Electronic assurance constitutes just one aspect of that protection.
• Full protection has to incorporate all of the organizational functions and human factors relevant to security.

Building a Holistic Solution
• The outcome must constitute a holistic response.
• In essence, the response must integrate:
• All of the assurance measures
• To protect all information
• At all times

The Fifteen Principles
• The IBOK integrates a common body of knowledge.
• That BOK itemizes fifteen aspects of security (and one critical process).

The Fifteen Principles
• Each must be addressed in order for a security solution to be complete.
• These are arrayed in the lifecycle model shown on the next set of slides.
IA Lifecycle – Lifecycle Scope (diagram)
• The information resource is described by Asset Identification AND evaluated by a Risk Assessment.

IA Lifecycle – Management (diagram)
• Elements shown: Security Policy, Security Discipline, Security Infrastructure, Access Control, Ethical Conduct, Security of Operations.
• Connecting labels shown: "defines", "which is shaped by", "which enforces", "which is maintained by".

IA Lifecycle – Countermeasures (diagram)
• Three groups: Process Countermeasures, Management Countermeasures, Technical Countermeasures.
• Items shown: Physical Security, Software Assurance, Continuity, Compliance, Personnel Security, NETSEC, Process Assurance, Crypto.
Principle One: Asset Identification
• The form of the information resource has to be understood in order to properly secure it.
• Thus, everything that is part of that resource has to be identified, labeled and placed in a documented asset baseline.
• It is also necessary to establish a system for controlling changes to that baseline.
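An added illustration of this principle, not taken from the IBOK or the course: a labeled asset baseline in Go with a drift check against an observed inventory (unapproved, unlabeled, modified and missing assets) and a change-control path that refuses any update lacking an approval ticket or a label. The asset fields, label values and ticket format are assumptions of the example.

```go
package main

import "fmt"

// Asset is one baseline entry: ID, classification label and a fingerprint of its approved configuration.
type Asset struct{ ID, Label, Fingerprint string }

// Baseline is the documented, approved inventory plus the change log
// that justifies every modification to it.
type Baseline struct {
	Assets    map[string]Asset
	ChangeLog []string
}

// Drift compares an observed inventory with the baseline and reports
// every asset that is unapproved, unlabeled, modified or missing.
func (b *Baseline) Drift(observed []Asset) map[string]string {
	findings := map[string]string{}
	seen := map[string]bool{}
	for _, o := range observed {
		seen[o.ID] = true
		approved, ok := b.Assets[o.ID]
		switch {
		case !ok:
			findings[o.ID] = "unapproved"
		case o.Label == "":
			findings[o.ID] = "unlabeled"
		case o.Fingerprint != approved.Fingerprint:
			findings[o.ID] = "modified"
		}
	}
	for id := range b.Assets {
		if !seen[id] {
			findings[id] = "missing"
		}
	}
	return findings
}

// Approve is the only path by which the baseline changes: the new entry
// must carry a label and the change must cite an approval ticket.
func (b *Baseline) Approve(ticket string, a Asset) error {
	if ticket == "" || a.Label == "" {
		return fmt.Errorf("asset %q: change requires an approval ticket and a label", a.ID)
	}
	b.Assets[a.ID] = a
	b.ChangeLog = append(b.ChangeLog, ticket+": "+a.ID+" -> "+a.Fingerprint)
	return nil
}
```

In practice the fingerprint would be a hash of the asset's configuration or image, so that Drift detects unrecorded changes as well as unrecorded assets.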
Principle Two: Risk Assessment
• Risk assessment defines the form of the security response.
• Current operations as well as prospective ones are systematically evaluated using risk assessment.
• The goal is to identify potential threats, vulnerabilities and weaknesses within the asset base.

Principle Three: Security Policy
• Then the organization establishes uniform policies to guide the assurance process.
• These policies are the basis for the solution.
• The outcome is a rational set of guidelines for information assurance.

Principle Four: Infrastructure
• The procedural infrastructure is a tangible realization of security policy.
• The organization has to design and enforce a logical and consistent set of procedures.
• These must be directly traceable to the policies they implement.