Blueprint for Security Chapter 6 - PowerPoint PPT Presentation

1 / 48
About This Presentation
Title:

Blueprint for Security Chapter 6

Description:

– PowerPoint PPT presentation

Number of Views:97
Avg rating:3.0/5.0
Slides: 49
Provided by: faculty87
Category:

less

Transcript and Presenter's Notes

Title: Blueprint for Security Chapter 6


1
Blueprint for SecurityChapter 6
  • Begin with the end in mind.
  • -- Stephen Covey

2
Learning Objectives
  • Upon completion of this chapter you should be
    able to
  • Understand managements responsibilities and role
    in the development, maintenance, and enforcement
    of information security policy, standards,
    practices, procedures, and guidelines
  • Understand the differences between the
    organizations general information security
    policy and the requirements and objectives of the
    various issue-specific and system-specific
    policies.
  • Know what an information security blueprint is
    and what its major components are.
  • Understand how an organization institutionalizes
    its policies, standards, and practices using
    education, training, and awareness programs.
  • Become familiar with what viable information
    security architecture is, what it includes, and
    how it is used.

3
Information Security Policy, Standards, and
Practices
  • Management from all communities of interest must
    consider policies as the basis for all
    information security efforts
  • Policies direct how issues should be addressed
    and technologies used
  • Security policies are the least expensive control
    to execute, but the most difficult to implement
  • Shaping policy is difficult because
  • Never conflict with laws
  • Stand up in court, if challenged
  • Be properly administered

4
Definitions
  • A policy is
  • A plan or course of action, as of a government,
    political party, or business, intended to
    influence and determine decisions, actions, and
    other matters
  • Policies are organizational laws
  • Standards, on the other hand, are more detailed
    statements of what must be done to comply with
    policy
  • Practices, procedures, and guidelines effectively
    explain how to comply with policy
  • For a policy to be effective it must be properly
    disseminated, read, understood and agreed to by
    all members of the organization

5
Types of Policy
  • Management defines three types of security
    policy
  • General or security program policy
  • Issue-specific security policies
  • Systems-specific security policies

6
Figure 6-1 Policies Standards Practices
7
Security Program Policy
  • A security program policy (SPP) is also known as
  • A general security policy
  • IT security policy
  • Information security policy
  • Sets the strategic direction, scope, and tone for
    all security efforts within the organization
  • An executive-level document, usually drafted by
    or with, the CIO of the organization and is
    usually 2 to 10 pages long

8
Issue-Specific Security Policy (ISSP)
  • As various technologies and processes are
    implemented, certain guidelines are needed to use
    them properly
  • The ISSP
  • addresses specific areas of technology
  • requires frequent updates
  • contains an issue statement on the organizations
    position on an issue
  • Three approaches
  • Create a number of independent ISSP documents
  • Create a single comprehensive ISSP document
  • Create a modular ISSP document

9
Example ISSP Structure
  • Statement of Policy
  • Authorized Access and Usage of Equipment
  • Prohibited Usage of Equipment
  • Systems Management
  • Violations of Policy
  • Policy Review and Modification
  • Limitations of Liability

10
(No Transcript)
11
Systems-Specific Policy (SysSP)
  • While issue-specific policies are formalized as
    written documents, distributed to users, and
    agreed to in writing, SysSPs are frequently
    codified as standards and procedures used when
    configuring or maintaining systems
  • Systems-specific policies fall into two groups
  • Access control lists (ACLs) consist of the access
    control lists, matrices, and capability tables
    governing the rights and privileges of a
    particular user to a particular system
  • Configuration rules comprise the specific
    configuration codes entered into security systems
    to guide the execution of the system

12
ACL Policies
  • Both Microsoft Windows NT/2000 and Novell Netware
    5.x/6.x families of systems translate ACLs into
    sets of configurations that administrators use to
    control access to their respective systems
  • ACLs allow configuration to restrict access from
    anyone and anywhere
  • ACLs regulate
  • Who can use the system
  • What authorized users can access
  • When authorized users can access the system
  • Where authorized users can access the system from
  • How authorized users can access the system

13
Rule Policies
  • Rule policies are more specific to the operation
    of a system than ACLs
  • Many security systems require specific
    configuration scripts telling the systems what
    actions to perform on each set of information
    they process

14
(No Transcript)
15
Policy Management
  • Policies are living documents that must be
    managed and nurtured, and are constantly changing
    and growing
  • Documents must be properly managed
  • Special considerations should be made for
    organizations undergoing mergers, takeovers, and
    partnerships
  • In order to remain viable, policies must have
  • an individual responsible for reviews
  • a schedule of reviews
  • a method for making recommendations for reviews
  • a specific effective and revision date

16
Information Classification
  • The classification of information is an important
    aspect of policy
  • The same protection scheme created to prevent
    production data from accidental release to the
    wrong party should be applied to policies in
    order to keep them freely available, but only
    within the organization
  • In todays open office environments, it may be
    beneficial to implement a clean desk policy
  • A clean desk policy stipulates that at the end of
    the business day, all classified information must
    be properly stored and secured

17
Systems Design
  • At this point in the Security SDLC, the analysis
    phase is complete and the design phase begins
    many work products have been created
  • Designing a plan for security begins by creating
    or validating a security blueprint
  • Then use the blueprint to plan the tasks to be
    accomplished and the order in which to proceed
  • Setting priorities can follow the recommendations
    of published sources, or from published standards
    provided by government agencies, or private
    consultants

18
(No Transcript)
19
Information Security Blueprints
  • One approach is to adapt or adopt a published
    model or framework for information security
  • A framework is the basic skeletal structure
    within which additional detailed planning of the
    blueprint can be placed as it is developed of
    refined
  • Experience teaches us that what works well for
    one organization may not precisely fit another

20
ISO 17799/BS 7799
  • One of the most widely referenced and often
    discussed security models is the Information
    Technology Code of Practice for Information
    Security Management, which was originally
    published as British Standard BS 7799
  • This Code of Practice was adopted as an
    international standard by the International
    Organization for Standardization (ISO) and the
    International Electrotechnical Commission (IEC)
    as ISO/IEC 17799 in 2000 as a framework for
    information security

21
(No Transcript)
22
ISO 17799 / BS 7799
  • Several countries have not adopted 17799 claiming
    there are fundamental problems
  • The global information security community has not
    defined any justification for a code of practice
    as identified in the ISO/IEC 17799
  • 17799 lacks the necessary measurement precision
    of a technical standard
  • There is no reason to believe that 17799 is more
    useful than any other approach currently
    available
  • 17799 is not as complete as other frameworks
    available
  • 17799 is perceived to have been hurriedly
    prepared given the tremendous impact its adoption
    could have on industry information security
    controls

23
ISO/IEC 17799
  • Organizational Security Policy is needed to
    provide management direction and support
  • Objectives
  • Operational Security Policy
  • Organizational Security Infrastructure
  • Asset Classification and Control
  • Personnel Security
  • Physical and Environmental Security
  • Communications and Operations Management
  • System Access Control
  • System Development and Maintenance
  • Business Continuity Planning
  • Compliance

24
NIST Security Models
  • Another approach available is described in the
    many documents available from the Computer
    Security Resource Center of the National
    Institute for Standards and Technology
    (csrc.nist.gov) Including
  • NIST SP 800-12 - The Computer Security Handbook
  • NIST SP 800-14 - Generally Accepted Principles
    and Practices for Securing IT Systems
  • NIST SP 800-18 - The Guide for Developing
    Security Plans for IT Systems

25
NIST SP 800-14
  • Security Supports the Mission of the Organization
  • Security is an Integral Element of Sound
    Management
  • Security Should Be Cost-Effective
  • Systems Owners Have Security Responsibilities
    Outside Their Own Organizations
  • Security Responsibilities and Accountability
    Should Be Made Explicit
  • Security Requires a Comprehensive and Integrated
    Approach
  • Security Should Be Periodically Reassessed
  • Security is Constrained by Societal Factors
  • 33 Principles enumerated

26
IETF Security Architecture
  • The Security Area Working Group acts as an
    advisory board for the protocols and areas
    developed and promoted through the Internet
    Society
  • No specific architecture is promoted through IETF
  • RFC 2196 Site Security Handbook provides an
    overview of five basic areas of security
  • Topics include
  • security policies
  • security technical architecture
  • security services
  • security incident handling

27
VISA Model
  • VISA International promotes strong security
    measures and has security guidelines
  • Developed two important documents that improve
    and regulate its information systems
  • Security Assessment Process
  • Agreed Upon Procedures
  • Using the two documents, a security team can
    develop a sound strategy for the design of good
    security architecture
  • The only down side to this approach is the very
    specific focus on systems that can or do
    integrate with VISAs systems

28
Baselining and Best Practices
  • Baselining and best practices are solid methods
    for collecting security practices, but they can
    have the drawback of providing less detail than
    would a complete methodology
  • It is possible to gain information by baselining
    and using best practices and thus work backwards
    to an effective design
  • The Federal Agency Security Practices Site
    (fasp.csrc.nist.gov) is designed to provide best
    practices for public agencies

29
Professional Membership
  • It may be worth the information security
    professionals time and money to join
    professional societies with information on best
    practices for its members
  • Many organizations have seminars and classes on
    best practices for implementing security
  • Finding information on security design is the
    easy part, sorting through the collected mass of
    information, documents, and publications can take
    a substantial investment in time and human
    resources

30
NIST SP 800-26
  • Management Controls
  • Risk Management
  • Review of Security Controls
  • Life Cycle Maintenance
  • Authorization of Processing (Certification and
    Accreditation)
  • System Security Plan
  • Operational Controls
  • Personnel Security
  • Physical Security
  • Production, Input/Output Controls
  • Contingency Planning
  • Hardware and Systems Software
  • Data Integrity
  • Documentation
  • Security Awareness, Training, and Education
  • Incident Response Capability
  • Technical Controls
  • Identification and Authentication
  • Logical Access Controls

31
Figure 6-16 Spheres of Security
32
Sphere of Use
  • Generally speaking, the concept of the sphere is
    to represent the 360 degrees of security
    necessary to protect information at all times
  • The first component is the sphere of use
  • Information, at the core of the sphere, is
    available for access by members of the
    organization and other computer-based systems
  • To gain access to the computer systems, one must
    either directly access the computer systems or go
    through a network connection
  • To gain access to the network, one must either
    directly access the network or go through an
    Internet connection

33
Sphere of Protection
  • The sphere of protection overlays each of the
    levels of the sphere of use with a layer of
    security, protecting that layer from direct or
    indirect use through the next layer
  • The people must become a layer of security, a
    human firewall that protects the information from
    unauthorized access and use
  • Information security is therefore designed and
    implemented in three layers
  • policies
  • people (education, training, and awareness
    programs)
  • technology

34
Controls
  • Management controls cover security processes that
    are designed by the strategic planners and
    performed by security administration of the
    organization
  • Operational controls deal with the operational
    functionality of security in the organization
  • Operational controls also address personnel
    security, physical security, and the protection
    of production inputs and outputs
  • Technical controls address those tactical and
    technical issues related to designing and
    implementing security in the organization

35
The Framework
  • Management Controls
  • Program Management
  • System Security Plan
  • Life Cycle Maintenance
  • Risk Management
  • Review of Security Controls
  • Legal Compliance
  • Operational Controls
  • Contingency Planning
  • Security ETA
  • Personnel Security
  • Physical Security
  • Production Inputs and Outputs
  • Hardware Software Systems Maintenance
  • Data Integrity
  • Technical Controls
  • Logical Access Controls
  • Identification, Authentication, Authorization,
    and Accountability
  • Audit Trails
  • Asset Classification and Control
  • Cryptography

36
SETA
  • As soon as the policies exist, policies to
    implement security education, training, and
    awareness (SETA) should follow
  • SETA is a control measure designed to reduce
    accidental security breaches
  • Supplement the general education and training
    programs in place to educate staff on information
    security
  • Security education and training builds on the
    general knowledge the employees must possess to
    do their jobs, familiarizing them with the way to
    do their jobs securely

37
SETA Elements
  • The SETA program consists of three elements
  • security education
  • security training
  • security awareness
  • The organization may not be capable or willing to
    undertake all three of these elements but may
    outsource them
  • The purpose of SETA is to enhance security by
  • Improving awareness of the need to protect system
    resources
  • Developing skills and knowledge so computer users
    can perform their jobs more securely
  • Building in-depth knowledge, as needed, to
    design, implement, or operate security programs
    for organizations and systems

38
(No Transcript)
39
Security Education
  • Everyone in an organization needs to be trained
    and aware of information security, but not every
    member of the organization needs a formal degree
    or certificate in information security
  • When formal education for appropriate individuals
    in security is needed an employee can identify
    curriculum available from local institutions of
    higher learning or continuing education
  • A number of universities have formal coursework
    in information security
  • (See for example http//infosec.kennesaw.edu)

40
Security Training
  • Security training involves providing members of
    the organization with detailed information and
    hands-on instruction designed to prepare them to
    perform their duties securely
  • Management of information security can develop
    customized in-house training or outsource the
    training program

41
Security Awareness
  • One of the least frequently implemented, but the
    most beneficial programs is the security
    awareness program
  • Designed to keep information security at the
    forefront of the users minds
  • Need not be complicated or expensive
  • If the program is not actively implemented,
    employees begin to tune out, and the risk of
    employee accidents and failures increases

42
(No Transcript)
43
Comments
  • Defense in Depth
  • One of the foundations of security architectures
    is the requirement to implement security in
    layers
  • Defense in depth requires that the organization
    establish sufficient security controls and
    safeguards, so that an intruder faces multiple
    layers of controls
  • Security Perimeter
  • The point at which an organizations security
    protection ends, and the outside world begins
  • Referred to as the security perimeter
  • Unfortunately the perimeter does not apply to
    internal attacks from employee threats, or
    on-site physical threats

44
(No Transcript)
45
(No Transcript)
46
Key Technology Components
  • Other key technology components
  • A firewall is a device that selectively
    discriminates against information flowing into or
    out of the organization
  • The DMZ (demilitarized zone) is a no-mans land,
    between the inside and outside networks, where
    some organizations place Web servers
  • In an effort to detect unauthorized activity
    within the inner network, or on individual
    machines, an organization may wish to implement
    Intrusion Detection Systems or IDS

47
(No Transcript)
48
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com