This workbook provides a comprehensive guide for small businesses to implement security measures, including strategic security plans, tactical security planning, operational security plans, and audit standards. It covers various regulatory requirements such as FERPA and HIPAA and aims to improve the security of American infrastructure.
Small Business Security Workbook
Susan Lincke, Assoc. Prof. Computer Science, University of Wisconsin-Parkside
Based on CISA Review Manual 2009

Acknowledgments
Material is from:
• CISA Review Manual, 2009
• CISM Review Manual, 2009
• All-in-One CISSP Exam Guide, 4th Edition, McGraw Hill, 2008
• Essentials of Corporate Fraud, T L Coenen, John Wiley & Sons, 2008
• The Art of the Steal, Frank Abagnale, Broadway Books, 2001
Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside
Contributors: Gabriel John
Reviewers: Tim Knautz, Will Zheng
Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author and/or source(s) and do not necessarily reflect the views of the National Science Foundation.
Imagine a small business…
• School with 300 students, must adhere to FERPA…
• Doctor’s office, handling cancer cases, must adhere to HIPAA…
• Branch of United Way, receives and gives large donations…
• City government with services that must be reliable and guarantee citizen privacy…
• Not-for-profit handling alcoholic, drug-abuse, homeless shelter, …

Small Businesses tend to…
• Be led by management that is non-technical and has no security view, at either the global or the detailed level
• Have no or few IT employees
• When IT employees exist, management’s relationship with them is close, but they have no spare time
• Suffer poor security
• Great for school projects

Goals were to…
• Help small businesses implement security by speeding up the security implementation process, at low cost
• Achieve near-COBIT Level 3
• Help students gain valuable experience and train for CISA & CISM certification
• Stabilize security of American infrastructure
Small Business Security Workbook - Overview
3. Strategic Security Plans
  3.1 Code of Ethics
  3.2 Policy Manual
  3.3 Risk Analysis
  3.4 Business Impact Analysis & Business Continuity
4. Tactical Security Planning
  4.1 Information Security
  4.2 Network Security Plan
  4.3 Physical Security Plan
  4.4 Incident Response
  4.5 Metrics
5. Operational Security Plans
  5.1 ‘Absolutely Necessary’ Security Standards
  5.2 ‘Highly Recommended’ Security Practices
6. Audit Standards

Illinois Personal Information Protection Act
Restricted data includes:
• Social Security Number
• Driver’s license # or state ID #
• Financial account number (credit/debit) and access code/password
National HIPAA protects: health status, treatment, or payment
http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702

Due Diligence
Due Diligence = Did careful risk assessment (RA)
Due Care = Implemented recommended controls from RA
Liability minimized if reasonable precautions taken:
• Policies & Procedures
• Compliance
• Risk Assessment
• Adequate Security Controls
• Senior Mgmt Support
• Backup & Recovery
• Business Continuity & Disaster Recovery
• Monitoring & Metrics
Business-Driven Approach to Security
• Business Impact Assessment
• Risk Mgmt
• Policy
• Strategic versus Tactical Planning
• Information Security
• Network Security
• Audit
• Physical Security
• Incident Response

Business-Driven Approach to Security
What are our core values?
Policy Development:
• Defining the Tone from the Top
• Establishing a Culture
• Living the Standard

Code of Ethics
This code of ethics provides general guidelines, and is not intended to cover every potential scenario. Examples are provided only as necessary for the employee to understand general concepts.
Sections:
• General Employee Conduct While at Work
• Unethical Behavior
• Conflict of Interest
• Confidentiality
• Relationship with Customers and Suppliers
• Gifts & Entertainment
• Using the Organization’s Assets for Personal Activities
• Reporting Fraud or Unethical Behavior
[1] This Code of Ethics is adapted from “Essentials of Corporate Fraud”, Tracy L Coenen, John Wiley & Sons, 2008.
COBIT / System Security Eng. Capability Maturity Model
• Stage 5, Optimized: Continual reevaluation ensures responsiveness and improvement
• Stage 4, Managed and Measurable: Operating effectiveness is evaluated; automatic processes introduced
• Stage 3, Defined Process: Controls, policies, procedures, and event handling are fully documented
• Stage 2, Repeatable but Intuitive: Many controls are in place but not documented; events are tracked
• Stage 1, Initial/Ad Hoc: Control processes are important but no coordinated effort exists
• Stage 0, Nonexistent: Control processes are not recognized as important

Policy Documentation
Employees must understand intent; auditors test for compliance.
Policy = Direction for Control
• Philosophy of organization
• Created by Senior Mgmt
• Reviewed periodically
Procedures: Detailed steps to implement a policy. Written by process owners
Standards: An image of what is acceptable
Guidelines: Recommendations and acceptable alternatives

Example Policy
Information assets are protected for confidentiality, integrity, and availability.
Information assets are identified and classified by criticality and sensitivity: information assets pertaining to the operation of the business are cataloged, including listing the owner, value, and classification of data criticality and sensitivity.

Business-Driven Approach to Security
What are our company assets? What are our vulnerabilities?
Risk Mgmt:
• What should we protect?
• How much are we liable for?
• How much should we spend?
• What kind of security technology should we use?
• Where should we use these security techniques & technology?
Security Evaluation: Risk Assessment
Five Steps include:
1. Assign Values to Assets: Where are the Crown Jewels?
2. Determine Loss due to Threats & Vulnerabilities: Confidentiality, Integrity, Availability
3. Estimate Likelihood of Exploitation: Weekly, monthly, 1 year, 10 years?
4. Compute Expected Loss
   Loss = Downtime + Recovery + Liability + Replacement
   Risk Exposure = ProbabilityOfVulnerability * $Loss
5. Treat Risk: Survey & Select New Controls; Reduce, Transfer, Avoid or Accept Risk
   Risk Leverage = [(Risk exposure before reduction) – (Risk exposure after reduction)] / (Cost of risk reduction)

Step 3: Estimate Likelihood of Exploitation (Vulnerability Assessment Quadrant Map)
[Figure: quadrant map plotting each threat by probability and severity, with the four quadrants numbered 1 to 4.]
Threat (Probability) axis: 1 week, 1 year, 5 years (.2), 10 years (.1), 20 years (.05), 50 years (.02)
Vulnerability (Severity) axis: Slow down business, Temp. shut business, Threaten Business
Threats plotted: Hacker/Criminal, Loss of Electricity, Malware, Snow emergency, Social Engineering, Intruder, Stolen Laptop, Spy, Flood, Earthquake, Disgruntled Employee, Fire, Terrorist

Step 4: Compute Loss Using Quantitative Analysis
Single Loss Expectancy (SLE): The cost to the organization if one threat occurs once
  E.g. Stolen laptop = Replacement cost + Cost of installation of special software and data (assumes no liability)
Annualized Rate of Occurrence (ARO): Probability or frequency of the threat occurring in one year
  If a fire occurs once every 25 years, ARO = 1/25
Annual Loss Expectancy (ALE): The annual expected financial loss to an asset, resulting from a specific threat
  ALE = SLE x ARO
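The arithmetic of Steps 4 and 5 (SLE, ARO, ALE, and risk leverage for comparing candidate controls) carried through in code. This is an added example, not material from the workbook; the fire scenario, its dollar figures, the three candidate controls and their assumed residual losses are all constructed for illustration.

```python
"""Quantitative risk arithmetic from the workbook's Steps 4 and 5.

Added worked example, not code from the workbook. All dollar figures,
occurrence intervals and control effects below are constructed (hypothetical).
"""
from dataclasses import dataclass


def single_loss_expectancy(downtime=0.0, recovery=0.0, liability=0.0, replacement=0.0):
    """Loss = Downtime + Recovery + Liability + Replacement (Step 4)."""
    return downtime + recovery + liability + replacement


def annualized_rate_of_occurrence(years_between_events):
    """ARO: a threat expected once every N years occurs 1/N times per year."""
    if years_between_events <= 0:
        raise ValueError("interval between events must be positive")
    return 1.0 / years_between_events


def annual_loss_expectancy(sle, aro):
    """ALE = SLE x ARO; this is the annual risk exposure (probability x $loss)."""
    return sle * aro


def risk_leverage(exposure_before, exposure_after, cost_of_reduction):
    """Risk leverage = (exposure before - exposure after) / cost of reduction.
    A value above 1 means the control removes more expected loss per year than it costs."""
    if cost_of_reduction <= 0:
        raise ValueError("leverage is undefined for a zero-cost control")
    return (exposure_before - exposure_after) / cost_of_reduction


@dataclass(frozen=True)
class Control:
    name: str
    treatment: str                 # reduce / transfer / avoid / accept (Step 5)
    annual_cost: float
    residual_sle: float            # loss per event once the control is in place
    residual_years_between: float  # interval between events once the control is in place


def rank_controls(sle, years_between, controls):
    """Return (name, treatment, leverage) tuples, best leverage first."""
    before = annual_loss_expectancy(sle, annualized_rate_of_occurrence(years_between))
    ranked = []
    for c in controls:
        after = annual_loss_expectancy(
            c.residual_sle, annualized_rate_of_occurrence(c.residual_years_between))
        ranked.append((c.name, c.treatment, risk_leverage(before, after, c.annual_cost)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed scenario: office fire, once every 25 years (the slide's ARO example).
FIRE_SLE = single_loss_expectancy(downtime=40_000, recovery=60_000, replacement=100_000)
FIRE_YEARS = 25
FIRE_CONTROLS = [
    Control("off-site backups", "reduce", annual_cost=600, residual_sle=120_000, residual_years_between=25),
    Control("sprinkler system", "reduce", annual_cost=1_500, residual_sle=50_000, residual_years_between=25),
    Control("fire insurance", "transfer", annual_cost=2_500, residual_sle=20_000, residual_years_between=25),
]

if __name__ == "__main__":
    ale = annual_loss_expectancy(FIRE_SLE, annualized_rate_of_occurrence(FIRE_YEARS))
    print(f"Fire: SLE=${FIRE_SLE:,.0f} ARO={1 / FIRE_YEARS:.2f} ALE=${ale:,.0f}")
    for name, treatment, lev in rank_controls(FIRE_SLE, FIRE_YEARS, FIRE_CONTROLS):
        print(f"{name:18s} {treatment:9s} leverage={lev:.2f}")
```

With these constructed numbers the fire ALE is $8,000 a year; off-site backups rank first (leverage about 5.3), the sprinkler system second (4.0) and insurance third (2.9), which is the kind of ordering Step 5 uses to choose between reducing and transferring a risk.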
Step 5: Treat Risk
Risk Acceptance: Handle attack when necessary. E.g.: Comet hits
Risk Avoidance: Stop doing risky behavior. E.g.: Do not use Social Security Numbers
Risk Mitigation: Implement control to minimize vulnerability. E.g.: Firewall
Risk Transference: Pay someone to assume risk for you. E.g.: Buy malpractice insurance (doctor)
While financial impact can be transferred, legal responsibility cannot.

Business-Driven Approach to Security
What are our company assets? What are our vulnerabilities?
Business Impact Assessment:
• Which business processes are of strategic importance?
• What disasters could occur?
• What impact would these have financially? On life? On reputation?
• What is the required recovery time period?
• How much data can we afford to lose after a disaster?
Recovery Time: Terms
Interruption Window: Time duration organization can wait between point of failure and service resumption
Service Delivery Objective (SDO): Level of service in Alternate Mode
Maximum Tolerable Outage: Max time in Alternate Mode
[Figure: timeline showing Regular Service, the Interruption, the Interruption Window ending when the Disaster Recovery Plan is implemented, Alternate Mode at the SDO level, the Maximum Tolerable Outage ending when the Restoration Plan is implemented, and the return to Regular Service.]

Classification of Services
Critical ($$$$): Cannot be performed manually. Tolerance to interruption is very low
Vital ($$): Can be performed manually for very short time
Sensitive ($): Can be performed manually for a period of time, but may cost more in staff
Nonsensitive (¢): Can be performed manually for an extended period of time with little additional cost and minimal recovery effort

RPO and RTO
Recovery Point Objective: How far back can you fail to? One week’s worth of data?
Recovery Time Objective: How long can you operate without a system? Which services can last how long?
[Figure: timeline around the Interruption, with the Recovery Point Objective to its left and the Recovery Time Objective to its right, marked at One Hour, 2 Hours, 24 Hours, One Day and One Week.]
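A check that ties the recovery terms above to the service classification: for each service in the BIA, does the chosen backup interval meet its Recovery Point Objective, and does the chosen recovery site resume operation within its Recovery Time Objective? This is an added example, not from the workbook; the hours assumed for hot, warm and cold sites and the three sample services are constructed for illustration.

```python
"""Recovery objective gap check for the services listed in a business impact analysis.

Added example, not code from the workbook. The resumption times assumed for hot,
warm and cold sites and the sample services are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed time to resume operation in Alternate Mode, in hours, following the
# workbook's "within hours / within days / within weeks" descriptions (constructed).
STRATEGY_RECOVERY_HOURS = {"hot": 8.0, "warm": 3 * 24.0, "cold": 3 * 7 * 24.0}


@dataclass(frozen=True)
class Service:
    name: str
    classification: str           # Critical / Vital / Sensitive / Nonsensitive
    rto_hours: float              # how long we can operate without the system
    rpo_hours: float              # how far back we can afford to fail to
    backup_interval_hours: float  # worst-case data loss is one interval's worth of data
    strategy: str                 # hot / warm / cold site


def recovery_gaps(service):
    """Return human-readable gaps where the backup interval or recovery site cannot
    meet the service's RPO/RTO; an empty list means the plan fits the objective."""
    if service.strategy not in STRATEGY_RECOVERY_HOURS:
        raise ValueError(f"unknown recovery strategy: {service.strategy}")
    gaps = []
    achievable_rto = STRATEGY_RECOVERY_HOURS[service.strategy]
    if achievable_rto > service.rto_hours:
        gaps.append(f"RTO: {service.strategy} site resumes in ~{achievable_rto:.0f}h "
                    f"but {service.name} tolerates only {service.rto_hours:.0f}h")
    if service.backup_interval_hours > service.rpo_hours:
        gaps.append(f"RPO: backups every {service.backup_interval_hours:.0f}h can lose "
                    f"{service.backup_interval_hours:.0f}h of data but RPO is {service.rpo_hours:.0f}h")
    return gaps


def plan_report(services):
    """Map each service name to its list of gaps, so the BIA shows where to spend."""
    return {s.name: recovery_gaps(s) for s in services}


# Constructed sample services for a small medical office.
SAMPLE_SERVICES = [
    Service("medical records DB", "Critical", rto_hours=4, rpo_hours=1,
            backup_interval_hours=24, strategy="cold"),
    Service("payroll", "Vital", rto_hours=72, rpo_hours=24,
            backup_interval_hours=24, strategy="warm"),
    Service("public web site", "Sensitive", rto_hours=168, rpo_hours=168,
            backup_interval_hours=168, strategy="cold"),
]

if __name__ == "__main__":
    for name, gaps in plan_report(SAMPLE_SERVICES).items():
        print(name, "->", gaps or "objectives met")
```

Run as written, the Critical service shows both an RTO gap (a cold site cannot come up in four hours) and an RPO gap (daily backups cannot meet a one-hour RPO), the Vital service fits, and the Sensitive web site only misses its RTO; that is the picture the Disruption vs. Recovery Costs trade-off is meant to inform.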
Disruption vs. Recovery Costs
[Figure: cost versus time. The Service Downtime cost rises with recovery time while the cost of Alternative Recovery Strategies falls, with Hot Site, Warm Site and Cold Site marked along it; Minimum Cost lies where the two curves meet.]

Alternative Recovery Strategies
• Hot Site: Fully configured, ready to operate within hours
• Warm Site: Ready to operate within days; no or low-power main computer. Does contain disks, network, peripherals
• Cold Site: Ready to operate within weeks. Contains electrical wiring, air conditioning, flooring
• Duplicate or Redundant Info. Processing Facility: Standby hot site within the organization
• Reciprocal Agreement with another organization or division
• Mobile Site: Fully- or partially-configured trailer comes to your site, with microwave or satellite communications

Disaster Recovery Test Execution
Always tested in this order:
1. Desk-Based Evaluation/Paper Test: A group steps through a paper procedure and mentally performs each step.
2. Preparedness Test: Part of the full test is performed. Different parts tested regularly.
3. Full Operational Test: Simulation of a full disaster

Backup & Offsite Library
• Backups are kept off-site (1 or more)
• Off-site is sufficiently far away (disaster-redundant)
• Library is equally secure as main site; unlabelled
• Library has constant environmental control (humidity- and temperature-controlled, UPS, smoke/water detectors, fire extinguishers)
• Detailed inventory of storage media & files is maintained
Business-Driven Approach to Security
What are our company assets? What are our vulnerabilities?
Information Security:
• What assets do we need to protect?
• What data is sensitive? What data is critical?
• How should we treat sensitive data?
• Who should have access to sensitive data?
• Who decides who has access to sensitive data?

Sensitivity Classification (Example)
[Table not recovered: example sensitivity classification including a “Sensitive” class. Source: CISA Review Manual 2009]

Information Owner or Data Owner
• Is responsible for the data within business (mgr/director, not IT)
• Determines who can have access to data and may grant permissions directly OR gives written permission for access directly to security administrator
• Periodically reviews authorization to restrict authorization creep
Source: CISA Review Manual 2009

Physical Information Security
[Figure: classes Public, Private, Sensitive]
Business-Driven Approach to Security
What are our company assets? What are our vulnerabilities?
Network Security:
• Where do we perform various applications from?
• What applications can enter and leave our network?
• In what parts of the network will processing occur?
• How should we best protect the sensitive data?
• What illegal transactions should we be monitoring for?

Path of Logical Access
How many logical access checks are required? How could access control be improved?
[Figure: The Internet, Border Router/Firewall, De-Militarized Zone, Router/Firewall, WLAN, Private Network]

Who can access which information from where?
[Figure: network diagram with these nodes: Personnel, Finance, Medical Plan, Medical DB, Secure Server, Chris Laptop, Internet, cable modem, Secure WLAN, VLAN, Jamie Laptop, home, Web/Email Server, hospital, Terry Comp.]

Business-Driven Approach to Security
What are our company assets? What are our vulnerabilities?
Incident Response:
• What incidents could occur that we should be prepared for?
• What shall we do if our network is penetrated?
• Who do we contact?
• How do we prioritize which applications are served?
Incident Response Plan (IRP)
• Preparation: Plan PRIOR to incident
• Identification: Determine what is/has happened
• Containment: Limit incident
• Analysis & Eradication: Determine and remove root cause
• Recovery: Return operations to normal
• Lessons Learned: Process improvement; plan for the future

Stage 1: Preparation
• What shall we do if different types of incidents occur? (BIA helps)
• When is the incident management team called?
• How can governmental agencies or law enforcement help? When do we involve law enforcement?
• What equipment do we need to handle an incident?
• What shall we do to prevent or discourage incidents from occurring? (e.g. banners, policies)
• Where on-site & off-site shall we keep the IRP?

(1) Detection Technologies
Organization must have sufficient detection & monitoring capabilities to detect incidents in a timely manner.
Proactive Detection includes:
• Network Intrusion Detection System (NIDS)
• Host Intrusion Detection System (HIDS): includes personal firewalls
• Vulnerability/audit testing
• Centralized Incident Management System
  • Input: Server, system logs
  • Coordinates & correlates logs from many systems
  • Tracks status of incidents to closure
Reactive Detection: Reports of unusual or suspicious activity
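What a centralized incident management system does at its smallest: take server and system logs from several hosts, correlate them on a common field, open one incident when the same source shows up on more than one system, and track that incident through the IRP stages to closure. This is an added illustration, not code from the workbook or any product it names; the log lines are constructed samples using documentation-only IP addresses, and the message patterns treated as suspicious are assumptions chosen for the demo.

```python
"""Minimal centralized log correlation with incident status tracking.

Added illustration, not code from the workbook. The log lines are constructed
samples (RFC 5737 documentation addresses), and the suspicious-message patterns
are assumptions chosen for the demo.
"""
import re
from dataclasses import dataclass, field

# Constructed sample feed: one firewall (fw1), one SSH server (srv1), one web server (web1).
SAMPLE_LOGS = [
    "2009-05-01T09:00:01 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=22",
    "2009-05-01T09:00:05 srv1 sshd: Failed password for root from 203.0.113.7 port 4412",
    "2009-05-01T09:00:06 srv1 sshd: Failed password for root from 203.0.113.7 port 4413",
    "2009-05-01T09:00:20 web1 GET /admin 401 client=203.0.113.7",
    "2009-05-01T09:01:00 web1 GET /index.html 200 client=198.51.100.4",
    "2009-05-01T09:02:00 web1 GET /admin 401 client=198.51.100.4",
    "2009-05-01T09:03:00 srv1 sshd: Accepted publickey for chris from 192.0.2.55 port 5001",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
# The three log formats name the remote address differently; normalise them to one field.
IP_RE = re.compile(r"\b(?:src=|from |client=)(\d{1,3}(?:\.\d{1,3}){3})")
# Assumed indicators of unwanted activity for this demo.
SUSPICIOUS = ("DENY", "Failed password", " 401 ")

# Status lifecycle follows the workbook's IRP stages after Preparation.
STAGES = ["identified", "contained", "eradicated", "recovered", "closed"]


@dataclass
class Incident:
    source_ip: str
    hosts: set = field(default_factory=set)
    events: list = field(default_factory=list)
    status: str = STAGES[0]

    def advance(self):
        """Move the incident to the next IRP stage; it stays at 'closed' once there."""
        i = STAGES.index(self.status)
        if i < len(STAGES) - 1:
            self.status = STAGES[i + 1]
        return self.status


def parse_line(line):
    """Split a log line into timestamp, host, message and remote IP (None if absent)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip = IP_RE.search(m["msg"])
    return {"ts": m["ts"], "host": m["host"], "msg": m["msg"],
            "ip": ip.group(1) if ip else None}


def correlate(lines, min_hosts=2):
    """Group suspicious events by source IP across hosts and open one incident per
    IP that appears on at least min_hosts distinct systems."""
    by_ip = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ip"] is None:
            continue                      # unparseable or no remote address: skip
        if not any(tok in ev["msg"] for tok in SUSPICIOUS):
            continue                      # normal activity is not correlated
        inc = by_ip.setdefault(ev["ip"], Incident(ev["ip"]))
        inc.hosts.add(ev["host"])
        inc.events.append(ev)
    return {ip: inc for ip, inc in by_ip.items() if len(inc.hosts) >= min_hosts}


if __name__ == "__main__":
    for ip, inc in correlate(SAMPLE_LOGS).items():
        print(f"incident {ip}: {len(inc.events)} events on {sorted(inc.hosts)} [{inc.status}]")
        while inc.advance() != "closed":
            print("  ->", inc.status)
        print("  ->", inc.status)
```

On the sample feed only 203.0.113.7 becomes an incident (denied at the firewall, failed SSH logins, then a 401 on the web server); the single 401 from 198.51.100.4 on one host stays below the threshold, which is the point of correlating across systems rather than alerting per host.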