ISA 562 Internet Security Theory & Practice
Information Security Management
CISSP Topic 1
Objectives:
Roles and responsibilities of individuals in a security program
Security planning in an organization
Security awareness in the organization
Differences between policies, standards, guidelines and procedures as related to security
Risk management practices and tools
The purpose of information security is to protect an organization's valuable resources, such as information, hardware and software.
It should be designed to increase organizational success.
Information systems are often critical assets that support the mission of an organization.
The overarching goals of information security are addressed through the AIC triad (availability, integrity, confidentiality).
Security solutions should be designed with two main focus areas:
1. Functional Requirements:
Define the security behavior of the control measures
Selected based on risk assessment
They should not depend on another control
They should fail safe by maintaining the security of the system in the event of a failure
2. Assurance Requirements:
Provide confidence that security functions are performing as expected.
Threat Risk Assessments
Third Party reviews
Compliance with best practices
3. Example of functional vs. assurance:
Functional requirement: a network firewall permits or denies traffic.
Assurance requirement: logs are generated and monitored.
Focus on organizational mission:
Depends upon the organizational type:
Examples: military, government and commercial.
Must be sensible and cost effective
Solutions must be developed with due consideration of the mission and environment of the business
Integral part of overall corporate governance:
Must be fully integrated into the overall risk-based threat analysis. It also
ensures that the IT infrastructure of the company:
Meets the AIC requirements.
Supports the strategies and objectives of the company.
Includes service level agreements when outsourced.
Security leaders must be fully integrated into the company leadership where they can be heard.
Security occurs at many different levels of the organization, in a layered approach,
achieved by following internationally accepted "best practices":
Job rotation, separation of duties, least privilege, mandatory vacations, etc.
Example standards: ISO 17799 and ISO 27001:2005
Provide a structure for organizing requirements and solutions.
They are used to ensure that security is considered from a holistic view.
Used to identify and design security requirements
Infrastructure security blueprints
The operational environment is a complex web of laws, regulations, requirements, competitors and partners
that change frequently and interact with each other.
Management must develop and publish overall security statements addressing
security policies and their supporting elements, such as standards, baselines and guidelines.
Provides Management’s Goals and objectives in writing
Creates the security culture
Anticipates and protects others from surprises
Establishes the security activity/function
Holds individuals personally responsible/accountable
Addresses foreseeable conflicts
Ensures employees and contractors are aware of organizational policy and changes
Mandates an incident response plan
Establishes processes for exception handling, rewards and discipline
High-level policies are interpreted into a number of functional policies.
Functional policies are derived from the overarching policy of the organization and
create the foundation for the procedures, standards, and baselines that accomplish the security objectives.
Functional policies gain their credibility from senior management's buy-in.
Examples of functional policies:
Certification and accreditation
Acceptable Internet usage
Standards, procedures, baselines, and guidelines turn the objectives and goals established by management in the overarching and functional policies into actionable and enforceable actions for the employees.
Standards: adoption of common hardware and software mechanisms and products throughout the enterprise.
Examples: desktop, anti-virus, firewall
Procedures: required step-by-step actions that must be followed to accomplish a task.
Guidelines: recommendations for security product implementations, procurement and planning, etc.
Examples: ISO 17799, Common Criteria, ITIL
Baselines: benchmarks used to ensure that a minimum level of security configuration is provided across multiple implementations and systems.
They establish consistent implementation of security mechanisms.
Strategic planning: long term
Focuses on the high-level, long-range organizational requirements
Example: overarching security policy
Tactical planning: medium term
Focuses on events that will affect the entire organization
Example: functional plans
Operational planning: short term
Fighting fires at the keyboard level; this
directly affects the ability of the organization to accomplish its objectives.
Every actor has a role, which
must be clearly communicated and
understood by all actors.
The specific duties associated with each role must be assigned.
Reviewing violation reports
Attending awareness training
Publishing and endorsing the security policy
Establishing goals and objectives
Overall responsibility for asset protection
Information systems security professionals:
Security design, implementation, management, and
review of the organization's security policies.
Set user access conditions
Decide on business continuity priorities
Security of the information entrusted to them
Information System Auditor
Audits assurance guarantees.
Compliance with procedures and policies (AIC)
Background checks/Security clearances
Check references/ educational records
Sign Employment agreement
Low-level checks
Consult the Human Resources (HR) department
Establish procedures to address these groups on an individual basis.
Examples of third parties include:
Job description and defined roles and responsibilities
Least privilege/Need to know
Compliance with need to share
Separation of duties
Provides employees with a reminder of their security responsibilities.
Motivates personnel to comply with requirements
Provides the skills needed to perform the security functions in their jobs.
Focuses on security-related job skills
Specifically addresses the security requirements of the organization, etc.
Provides the decision-making and security management skills that are important for the success of an organization's security program.
Address the audience
Data Owner and custodian
Risk is a function of the likelihood of a given threat-source exercising a particular potential vulnerability,
and the resulting impact of that adverse event on the organization (NIST SP 800-30).
Threat: the potential for a malicious actor to exercise a specific vulnerability.
Vulnerability: A Flaw or weakness in system security procedures, design, implementation or internal controls that could be exercised and could result in a security breach or violation of systems security policy.
Likelihood: the probability that a potential vulnerability may be exercised within the threat environment.
Countermeasures: a risk reduction control;
may be technical, operational or management controls, or a combination of these types
Asset: something that is valued by the organization to accomplish its goals and objectives
Threat: any potential danger to information or an information system.
Examples: unauthorized access, hardware failure, loss of key personnel
Threat Agent: Anything that has the potential of causing a threat.
Exposure: An opportunity for a threat to cause loss.
Vulnerability: a weakness that could be exploited.
Attack: an intentional action trying to cause harm.
Countermeasures and safeguards: Are those measures and actions that are taken to protect systems.
Risk: The probability that some unwanted event could occur
Residual Risk: The amount of risk remaining after countermeasures and safeguards are applied
The purpose of risk management is to identify potential problems
Before they occur
So that risk-handling activities may be planned and invoked as needed
Across the life of the product or project
Risk arises when threat agents attack assets and vulnerabilities are present.
Residual risk remains when threat agents attack assets and countermeasures are in place but are not sufficient.
Risk management identifies and reduces total risk (threats, vulnerabilities, and asset value).
Mitigating controls (safeguards and countermeasures) reduce risk.
Residual risk should be reduced to an acceptable level.
Identifies and justifies risk mitigation efforts
Identifies the threats to business processes and information systems
Justifies the implementation of specific countermeasures to mitigate risk
Describes current security posture
Conducted based on risk to the organization's objectives/mission
Focuses policy and resources
Identifies areas with specific risk requirements
Part of good IT Governance
Business continuity process
Insurance and liability decisions
Legitimizes security awareness programs
Risk assessment must also address emerging threats:
Changes in the culture of the organization or its environment
Unauthorized use of technology, etc.
Can come from many different areas
May be discovered by periodic risk assessments
Community and government records
Vendor/security provider alerts
Other types of threats:
Natural disasters: flood, tornado, etc.
Environment: overcrowding or poor morale
Facility: physical security or location of the building
Obtain senior management support
Establish the risk assessment team
Define and approve the purpose and scope of the risk assessment team
Select team members
State the official authority and responsibility of the team
Have management review findings and recommendations
Risk team members
Some of the areas which should be included:
Information System Security, IT & Operations Management, Internal Audit, Physical security, etc
The objective is to minimize manual effort
Can be time consuming to set up
Perform calculations quickly
Estimate future expected losses
Determine the benefit of security measures
Review existing security measures
Obtain management review and approval
Two types of Risk analysis
Quantitative Risk analysis
Qualitative Risk analysis
Both provide valuable metrics
Both are often required to get a full picture
Assigns independent, objective numeric monetary values
Fully quantitative if all elements of the risk analysis are quantified;
difficult to achieve
Requires substantial time and personnel resources
Cost to acquire, develop, and maintain
Value to owners, custodians, or users
Liability for protection
Recognize cost and value in the real world
Price others are willing to pay
Value of intellectual property
Estimate potential losses
SLE: Single Loss Expectancy
SLE = Asset Value ($) × Exposure Factor (%)
Exposure Factor = % of the asset lost when the threat is successful
Types of loss to consider:
Physical destruction/theft, loss of data, etc.
Conduct threat analysis
ARO: Annual Rate of Occurrence
Expected number of exposures/incidents per year
Likelihood of an unwanted event happening
Determine Annual Loss Expectancy (ALE)
Combine the potential loss and the rate per year
Magnitude of risk = Annual Loss Expectancy
Purpose of ALE:
Justify security countermeasures
ALE = SLE × ARO
Qualitative risk analysis does not attempt to assign absolute numeric values to risk components.
Purely qualitative risk analysis is possible.
Qualitative risk analysis factors
Rank seriousness of the threats and sensitivity of assets
Perform a carefully reasoned risk assessment
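Qualitative analysis ranks rather than prices risk, so the usual tool is an ordinal matrix that maps threat likelihood against asset sensitivity (impact). The following Python is an added example, not code from the original slides: the three-level scales, the 3×3 rating matrix and the sample risk register are constructed assumptions, and the numeric ranks exist only to order the output, not to put a dollar value on anything.

```python
"""Qualitative risk ranking: threat likelihood x asset sensitivity.

Added example, not from the original slides. The ordinal scales, the
3x3 rating matrix and the sample register are constructed assumptions.
"""
from dataclasses import dataclass

# Ordinal scale; the integers only order results and are not monetary values.
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Rating matrix indexed by (likelihood, impact). Constructed assumption;
# a real organization would set its own cut-offs.
RISK_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "low",        ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium",  ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",      ("high", "high"): "high",
}


@dataclass(frozen=True)
class QualitativeRisk:
    asset: str
    threat: str
    likelihood: str   # "low" / "medium" / "high"
    impact: str       # "low" / "medium" / "high"; reflects asset sensitivity


def rate(risk: QualitativeRisk) -> str:
    """Look the pair up in the matrix; unknown levels are a data error, not 'low'."""
    if risk.likelihood not in LEVELS or risk.impact not in LEVELS:
        raise ValueError(f"unknown level in {risk}")
    return RISK_MATRIX[(risk.likelihood, risk.impact)]


def rank(risks):
    """Return (risk, rating) pairs, most serious first.

    Ties within one rating are broken by impact, then likelihood, so that the
    most sensitive assets surface before less sensitive ones at the same rating.
    """
    keyed = [(r, rate(r)) for r in risks]
    keyed.sort(
        key=lambda pair: (LEVELS[pair[1]], LEVELS[pair[0].impact], LEVELS[pair[0].likelihood]),
        reverse=True,
    )
    return keyed


# Constructed sample register using the threat types the slides list.
SAMPLE = [
    QualitativeRisk("customer database", "unauthorized access", "medium", "high"),
    QualitativeRisk("public web site", "hardware failure", "high", "low"),
    QualitativeRisk("payroll server", "loss of key personnel", "low", "medium"),
    QualitativeRisk("data center", "flood", "low", "high"),
]

if __name__ == "__main__":
    for risk, rating in rank(SAMPLE):
        print(f"{rating:>6}  {risk.asset:<18} {risk.threat}")
```

The point of the tie-break is that two "medium" entries are not interchangeable: a low-likelihood threat to a highly sensitive asset usually deserves attention before a frequent nuisance against a low-value one, and the ordering makes that reasoning explicit and reviewable.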
Failure modes and effects analysis
Potential failures of each part or module
Examine effects of failure at three levels
Immediate level (part or module)
Intermediate level (process or package)
Fault tree analysis
Sometimes called “spanning tree analysis”
Create a "tree" of all possible threats to, or faults of, the system
"Branches" are general categories such as network threats, physical threats, component failures, etc.
Prune “branches” that do not apply
Concentrate on remaining threats.
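The fault tree procedure just described (build the tree, prune the branches that do not apply, concentrate on what remains) is mechanical enough to script. The Python below is an added example, not code from the original slides; the tree contents, the top event and the applicability flags are constructed assumptions for a hypothetical payroll system.

```python
"""Fault tree analysis: build a tree of threats/faults, prune the branches
that do not apply to this system, and list the remaining leaf faults.

Added example, not from the original slides. The tree, the top event and
the applicability flags are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    children: List["Node"] = field(default_factory=list)
    applies: bool = True      # False marks a branch irrelevant to this system


def prune(node: Node) -> Optional[Node]:
    """Return a copy of the tree without branches marked not applicable.

    An interior node whose children have all been pruned is dropped too:
    a category with no remaining faults is no longer a path to the top event.
    """
    if not node.applies:
        return None
    kept = [c for c in (prune(child) for child in node.children) if c is not None]
    if node.children and not kept:
        return None
    return Node(node.name, kept, True)


def leaves(node: Node, path: Tuple[str, ...] = ()) -> List[str]:
    """List the remaining leaf faults as 'top event / category / fault' paths."""
    here = path + (node.name,)
    if not node.children:
        return [" / ".join(here)]
    out: List[str] = []
    for child in node.children:
        out.extend(leaves(child, here))
    return out


def build_sample_tree() -> Node:
    """Constructed tree; the top event is loss of a hypothetical payroll system."""
    return Node("payroll system unavailable", [
        Node("network threats", [
            Node("internet link failure"),
            Node("unauthorized remote access"),
        ]),
        Node("physical threats", [
            Node("flood"),
            Node("tornado", applies=False),          # assumption: no tornado history at this site
        ]),
        Node("component failures", [
            Node("disk failure"),
            Node("loss of key personnel"),
        ]),
        Node("wireless threats", [
            Node("eavesdropping on WLAN"),
        ], applies=False),                           # assumption: no WLAN deployed
    ])


def remaining_threats() -> List[str]:
    """Prune the sample tree and return the faults the assessment should concentrate on."""
    pruned = prune(build_sample_tree())
    return leaves(pruned) if pruned is not None else []


if __name__ == "__main__":
    for fault in remaining_threats():
        print(fault)
```

Pruning whole categories (the wireless branch) as well as single leaves (tornado) matters in practice: the assessment team records why a branch was cut, and the pruned tree is what the later cost/benefit work is scoped to.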
Cost/benefit analysis: balance between the cost to protect and the asset value
To estimate, need to know:
Threats: adversary, means, motives and opportunity
Vulnerabilities and the resulting risk
Based on cost/benefit analysis, the total cost of a safeguard includes:
Selection and acquisition
Construction and placement
Nontrivial operating cost
Potential side effects
Cost must be justified by the potential loss
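The quantitative formulas given earlier (SLE = Asset Value × Exposure Factor, ALE = SLE × ARO) and the cost/benefit rule above (the safeguard's cost must be justified by the loss it prevents) fit together in one short calculation. The Python below is an added example, not code from the original slides: the asset value, exposure factors, rates of occurrence and safeguard costs are constructed assumptions, and the net-value formula (ALE before minus ALE after minus annual safeguard cost) is the standard way these slides' terms are combined.

```python
"""Quantitative risk analysis: SLE = AV x EF, ALE = SLE x ARO, then the
cost/benefit of a safeguard as the ALE it removes minus its annual cost.

Added example, not from the original slides. All dollar figures, exposure
factors, rates of occurrence and safeguard costs are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # $ to acquire/develop/maintain, or value to owners/users
    exposure_factor: float  # fraction of the asset lost per successful event, 0..1
    aro: float              # expected events per year; may be < 1 (e.g. 1/25)


def single_loss_expectancy(t: Threat) -> float:
    """SLE = asset value x exposure factor (the loss from one successful event)."""
    if not 0.0 <= t.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return t.asset_value * t.exposure_factor


def annual_loss_expectancy(t: Threat) -> float:
    """ALE = SLE x ARO; the magnitude of the risk in $ per year."""
    if t.aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(t) * t.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float   # amortised acquisition plus operating cost per year
    residual: Threat     # the same threat with EF and/or ARO as they are after the control


def safeguard_value(before: Threat, sg: Safeguard) -> float:
    """Net annual value = ALE before - ALE after - annual cost of the safeguard.

    Positive means the control is justified by the loss it prevents; negative
    means it costs more per year than the risk it removes.
    """
    return annual_loss_expectancy(before) - annual_loss_expectancy(sg.residual) - sg.annual_cost


# Constructed scenario: a $200,000 data set; a flood destroys 40% of it and is
# expected once every 25 years.
FLOOD = Threat("flood destroys data center", asset_value=200_000, exposure_factor=0.40, aro=1 / 25)

# Off-site backups cut the fraction lost to 5%; the flood itself is no less likely.
BACKUPS = Safeguard("off-site backups", annual_cost=2_000,
                    residual=Threat(FLOOD.name, FLOOD.asset_value, 0.05, FLOOD.aro))

# A flood barrier makes the event rarer but its annual cost exceeds the ALE it removes.
BARRIER = Safeguard("flood barrier", annual_cost=5_000,
                    residual=Threat(FLOOD.name, FLOOD.asset_value, FLOOD.exposure_factor, 1 / 100))

if __name__ == "__main__":
    print(f"SLE = ${single_loss_expectancy(FLOOD):,.0f}")
    print(f"ALE = ${annual_loss_expectancy(FLOOD):,.0f}/yr")
    for sg in (BACKUPS, BARRIER):
        print(f"{sg.name}: net value ${safeguard_value(FLOOD, sg):,.0f}/yr")
```

Two things the arithmetic makes visible that the bullet list does not: a control can reduce either factor of the ALE (the backups lower the exposure factor, the barrier lowers the ARO), and a safeguard that "works" can still be rejected because, as the slides put it, the cost is not justified by the potential loss.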
At least one person for each safeguard
Associate directly with performance reviews
Absence of design secrecy
Must be testable
Include auditors in design and implementation
Review past performance
Independence of control and subject
Safeguards control/constrain subjects
Controllers administer the safeguards
Controllers and subject are from different populations
Impose safeguards uniformly
Compartmentalization and defense in depth
Consider improving security through multiple layers of protection
Isolation, economy and least common mechanism
Isolate from other safeguards
Simple design is more cost effective and reliable, etc
Acceptance and tolerance by personnel
Care must be taken to avoid implementing controls that impose unreasonable constraints
Less intrusive controls are more acceptable
Minimize human intervention
Reduces the possibility of errors and “exceptions” by reducing the reliance on administrative staff to maintain the control
Reaction and recovery
Countermeasures should do the following when activated:
Avoid asset destruction and stop further damage
Prevent disclosure of sensitive information through a covert channel
Maintain confidence in system security
Capture information related to the attack and attacker
Override and fail-safe defaults
Residual and reset
Religion, law, tradition, culture
Enlightened self interest
Standards of good practice
Formal ethical theories
Teleology: Ethics in terms of goals, purposes, or ends
Deontology: Ethical behavior is duty
Common ethical fallacies
Computers are a game
Law-abiding citizen, Free information
Difficult to define
Start with senior management
Relevant professional codes of ethics include:
Internet Activities Board (IAB)
Any activity is unethical and unacceptable that purposely:
Seeks to gain unauthorized access to Internet resources
Disrupts the intended use of the Internet
Wastes resources through such actions
Destroys the integrity of computer-based information
Compromises the privacy of users
Involves negligence in the conduct of Internet-wide experiments
(ISC)² and other professional codes:
(ISC)² Code of Ethics preamble:
Protect society, the commonwealth, and the infrastructure
Provide diligent and competent service to principals, etc.
Professional codes may have legal importance