ISA 562 - PowerPoint PPT Presentation

Slides: 62. Provided by: ise2.
Transcript and Presenter's Notes



1
ISA 562 Internet Security: Theory & Practice
Information Security Management (CISSP Topic 1)
2
Objectives
  • Roles and responsibilities of individuals in a
    security program
  • Security planning in an organization
  • Security awareness in the organization
  • Differences between policies, standards,
    guidelines and procedures as related to security
  • Risk Management practices and tools

3
Introduction
  • Purpose of information security is to protect an
    organization's valuable resources, such as
    information, hardware and software.
  • Should be designed to increase organizational
    success.
  • Information systems are often critical assets
    that support the mission of an organization

4
Information Security TRIAD
  • The overarching goals of information security are
    addressed through the AIC (availability, integrity,
    confidentiality) triad.

5
IT Security Requirements - I
  • Security solutions should be designed with two
    main focus areas
  • 1. Functional Requirements
  • Define the security behavior of the control measures
  • Selected based on risk assessment
  • Properties
  • They should not depend on another control
  • Why?
  • They should fail safe, maintaining the security of
    the system in the event of a failure
  • Why?

6
IT Security Requirements -II
  • 2. Assurance Requirements
  • Provide confidence that the security functions are
    performing as expected.
  • Examples
  • Internal/external audit
  • Threat and risk assessments
  • Third-party reviews
  • Compliance with best practices
  • 3. Example of Functional vs. Assurance
  • Functional requirement: a network firewall
    permits or denies traffic.
  • Assurance requirement: firewall logs are generated
    and monitored.

7
Organizational Business Requirements
  • Focus on organizational mission
  • Business driven
  • Depends upon organizational type
  • Example Military , government and commercial.
  • Must be sensible and cost effective
  • Solutions must be developed with due
    consideration of the mission and environment of
    business

8
IT Security Governance
  • Integral part of overall corporate governance
  • Must be fully integrated into the overall
    risk-based threat analysis; it also
  • Ensures that the IT infrastructure of the
    company
  • Meets the AIC requirements
  • Supports the strategies and objectives of the
    company
  • Includes service level agreements when
    outsourced

9
Security Governance Major parts
  • Leadership
  • Security leaders must be fully integrated into
    the company leadership where they can be heard.
  • Structure
  • it occurs at many different levels of the
    organization and is in a layered approach.
  • Processes
  • by following internationally accepted best
    practices
  • Job rotation, separation of duties, least
    privilege, mandatory vacations, etc.
  • Examples of standards: ISO 17799, ISO 27001:2005

10
Security Blueprints
  • Provide a structure for organizing requirements
    and solutions.
  • They are used to ensure that security is
    considered from a holistic view.
  • Used to identify and design security requirements
  • Infrastructure Security Blueprints

11
Policy overview
  • The operational environment is a complex web of
    laws, regulations, requirements, competitors and
    partners
  • These change frequently and interact with each
    other within this environment
  • Management must develop and publish overall
    security statements addressing
  • Security policies and their supporting elements
    such as standards, baselines and guidelines

12
Policy overview
13
Functions of Security policy - I
  • Provides management's goals and objectives in
    writing
  • Documents compliance
  • Creates the security culture
  • Anticipates and protects others from surprises
  • Establishes the security activity/function
  • Holds individuals personally responsible/accountable

14
Functions of Security policy-II
  • Address foreseeable conflicts
  • Ensures employees and contractors are aware of
    organizational policy and changes
  • Mandates an incident response plan
  • Establishes processes for exception handling,
    rewards and discipline

15
Policy Infrastructure
  • High-level policies are interpreted into a number
    of functional policies.
  • Functional policies are derived from the
    overarching policy of the organization and
  • create the foundation for the procedures,
    standards, and baselines that accomplish the
    security objectives
  • Functional policies gain their credibility from
    senior management's buy-in.

16
Example Functional Policies
  • Data classification
  • Certification and accreditation
  • Access control
  • Outsourcing
  • Remote access
  • Acceptable Internet usage
  • Privacy
  • Dissemination control
  • Sharing control

17
Policy Implementation
  • Standards, procedures, baselines, and guidelines
    turn the objectives and goals established by
    management in the overarching and functional
    policies into actionable and enforceable actions
    for the employees.

18
Standards and procedure
  • Standards: adoption of common hardware and
    software mechanisms and products throughout the
    enterprise.
  • Examples: desktop, anti-virus, firewall
  • Procedures: required step-by-step actions which
    must be followed to accomplish a task.
  • Guidelines: recommendations for security product
    implementation, procurement and planning, etc.
  • Examples: ISO 17799, Common Criteria, ITIL

19
Baselines
  • Benchmarks used to ensure that a minimum level of
    security configuration is provided across
    multiple implementations and systems.
  • They establish consistent implementation of
    security mechanisms.
  • Platform-specific
  • Examples
  • VPN setup
  • IDS configuration
  • Password rules

20
Three Levels of security planning
  • Strategic planning (long-term)
  • Focuses on the high-level, long-range
    organizational requirements
  • Example: overarching security policy
  • Tactical planning (medium-term)
  • Focuses on events that will affect the entire
    organization
  • Example: functional plans
  • Operational planning (short-term)
  • Fighting fires at the keyboard level; this
    directly affects the ability of the organization
    to accomplish its objectives

21
Organizational roles and responsibilities
  • Every actor has a role
  • Each role entails responsibility, which
  • must be clearly communicated and
  • understood by all actors.
  • Specific duties associated with the role must be
    assigned
  • Examples
  • Securing email
  • Reviewing violation reports
  • Attending awareness training

22
Specific Roles and Responsibilities (duties)- 1
  • Executive management
  • Publishes and endorses the security policy
  • Establishes goals and objectives
  • Has overall responsibility for asset protection
  • Information systems security professionals
  • Security design, implementation and management
  • Review of the organization's security policies

23
Specific Roles and responsibilities - 2
  • Owners
  • Information classification
  • Set user access conditions
  • Decide on business continuity priorities
  • Custodians
  • Security of the information entrusted to them
  • Information system auditor
  • Audits the assurance guarantees
  • Users
  • Compliance with procedures (AIC) and policies

24
Personnel Security: Hiring staff
  • Background checks/Security clearances
  • Check references/ educational records
  • Sign Employment agreement
  • Examples
  • Non-disclosure agreements
  • Non-compete agreements
  • Low level Checks
  • Consult the Human Resources (H.R.) department
  • Termination procedures

25
Third party considerations
  • Establish procedures to address these groups on
    an individual basis.
  • Examples of third parties:
  • Vendors/Suppliers
  • Contractors
  • Temporary Employees
  • Customers

26
Personnel good practices
  • Job descriptions and defined roles and
    responsibilities
  • Least privilege/Need to know
  • Compliance with need to share
  • Separation of duties
  • Job rotation
  • Mandatory vacations

27
Security Awareness
  • Awareness training
  • Provides employees with a reminder of their
    security responsibilities.
  • Motivate personnel to comply with requirements
  • Examples
  • Videos
  • Newsletters
  • Posters
  • Key-chains, etc.

28
Training and Education
  • Job training
  • Provides skills needed to perform the security
    functions in their jobs.
  • Focus on security-related job skills
  • Specifically address security requirements of the
    organization, etc.
  • Professional Education
  • Provides decision-making and security management
    skills that are important for the success of an
    organization's security program.

29
Good training practices
  • Address the audience
  • Management
  • Data Owner and custodian
  • Operations personnel
  • User
  • Support personnel

30
Risk from NIST SP 800-30
  • Risk is a function of the likelihood of a given
    threat-source's exercising a particular potential
    vulnerability,
  • and the resulting impact of that adverse event
    on the organization (SP 800-30)

31
Definitions Related to Risk
  • Threat: the potential for a mal-actor to exercise
    a specific vulnerability.
  • Vulnerability: a flaw or weakness in system
    security procedures, design, implementation or
    internal controls that could be exercised and
    could result in a security breach or violation of
    the system's security policy.
  • Likelihood: the probability that a potential
    vulnerability may be exercised within the threat
    environment.
  • Countermeasure: a risk-reduction control
  • May be a technical, operational or management
    control, or a combination of these types

32
Risk Management concept flow
33
Risk Management Definitions
  • Asset: something that is valued by the
    organization to accomplish its goals and
    objectives
  • Threat: any potential danger to information or an
    information system.
  • Examples
  • Unauthorized access, hardware failure, loss of
    key personnel
  • Threat agent: anything that has the potential of
    causing a threat.
  • Exposure: an opportunity for a threat to cause
    loss.
  • Vulnerability: a weakness that could be
    exploited.
  • Attack: an intentional action trying to cause
    harm.
  • Countermeasures and safeguards: those
    measures and actions that are taken to protect
    systems.
  • Risk: the probability that some unwanted event
    could occur
  • Residual risk: the amount of risk remaining after
    countermeasures and safeguards are applied

34
Risk Management
  • The purpose of risk management is to identify
    potential problems
  • Before they occur
  • So that risk-handling activities may be planned
    and invoked as needed
  • Across the life of the product or project

35
The Risk Equation
36
Risk Factors
  • Risk arises when threat agents attack assets
    and vulnerabilities are present
  • Residual risk remains when threat agents attack
    assets and countermeasures are in place but are
    not sufficient

37
Risk Management
  • Risk management identifies and reduces total
    risk (threats, vulnerabilities, asset value)
  • Mitigating controls (safeguards, countermeasures)
    reduce risk
  • Residual risk should be brought to an acceptable
    level

38
Purpose of risk Analysis
  • Identifies and justifies risk mitigation efforts
  • Identifies the threats to business processes and
    information systems
  • Justifies the implementation of specific
    countermeasures to mitigate risk
  • Describes current security posture
  • Conducted based on risk to the organization's
    objectives/mission

39
Benefits of Risk Analysis
  • Focuses policy and resources
  • Identifies areas with specific risk requirements
  • Part of good IT Governance
  • Supports
  • Business continuity process
  • Insurance and liability decisions
  • Legitimizes security awareness programs

40
Emerging threat factors
  • Risk Assessment must also address emerging
    threats
  • New technology
  • Change in culture of the organization or
    environment
  • Unauthorized use of technology, etc.
  • Can come from many different areas
  • May be discovered by periodic risk assessments

41
Sources to identify threats
  • Users
  • Systems administrators
  • Security officers
  • Auditors
  • Operations
  • Facility records
  • Community and government records
  • Vendor/security provider alerts
  • Other types of threats
  • Natural disasters: flood, tornado, etc.
  • Environment: overcrowding or poor morale
  • Facility: physical security or location of the
    building

42
Risk analysis key factors
  • Obtain senior management support
  • Establish the risk assessment team
  • Define and approve the purpose and scope of the
    risk assessment team
  • Select team members
  • State the official authority and responsibility
    of the team
  • Have management review findings and
    recommendations
  • Risk team members
  • Some of the areas which should be included
  • Information System Security, IT Operations
    Management, Internal Audit, Physical security, etc

43
Use of automated tools for risk management
  • Objective is to minimize manual effort
  • Can be time consuming to setup
  • Perform calculations quickly
  • Estimate future expected losses
  • Determine the benefit of security measures

44
Preliminary security evaluation
  • Identify vulnerabilities
  • Review existing security measures
  • Document findings
  • Obtain management review and approval

45
Risk analysis types
  • Two types of Risk analysis
  • Quantitative Risk analysis
  • Qualitative Risk analysis
  • Both provide valuable metrics
  • Both are often required to get a full picture

46
Quantitative risk analysis
  • Assigns objective, independently derived numeric
    (monetary) values
  • Fully quantitative if all elements of the risk
    analysis are quantified
  • Difficult to achieve
  • Requires substantial time and personnel resources

47
Determining asset value
  • Cost to acquire, develop, and maintain
  • Value to owners, custodians, or users
  • Liability for protection
  • Recognize cost and value in the real world
  • Price others are willing to pay
  • Value of intellectual property
  • Convertibility/negotiability

48
Quantitative analysis steps
  • Estimate potential losses
  • SLE: Single Loss Expectancy
  • SLE = Asset Value ($) × Exposure Factor (%)
  • Exposure Factor: % of asset value lost when the
    threat is successful
  • Types of loss to consider
  • Physical destruction/theft, loss of data, etc.
  • Conduct threat analysis
  • ARO: Annualized Rate of Occurrence
  • Expected number of exposures/incidents per year
  • Likelihood of an unwanted event happening
  • Determine Annual Loss Expectancy (ALE)
  • Combine potential loss and rate per year
  • Magnitude of risk = Annual Loss Expectancy
  • Purpose of ALE
  • Justify security countermeasures
  • ALE = SLE × ARO

49
Qualitative Risk analysis
  • Scenario-oriented
  • Does not attempt to assign absolute numeric
    values to risk components
  • Purely qualitative risk analysis is possible
  • Qualitative risk analysis factors
  • Rank seriousness of the threats and sensitivity
    of assets
  • Perform a carefully reasoned risk assessment

50
Other risk analysis methods
  • Failure modes and effects analysis
  • Potential failures of each part or module
  • Examine effects of failure at three levels
  • Immediate level (part or module)
  • Intermediate level (process or package)
  • System-wide
  • Fault tree analysis
  • Sometimes called spanning tree analysis
  • Create a tree of all possible threats to, or
    faults of the system
  • Branches are general categories such as network
    threats, physical threats, component failures,
    etc.
  • Prune branches that do not apply
  • Concentrate on remaining threats.

51
Risk mitigation options
  • Risk Acceptance
  • Risk Reduction
  • Risk Transference
  • Risk Avoidance

52
The right amount of security
  • Cost/benefit analysis: balance between the cost
    to protect and the asset value
  • To estimate, need to know
  • Asset value
  • Threats: adversary, means, motives, and
    opportunity
  • Vulnerabilities and Resulting risk
  • Countermeasures
  • Risk tolerance
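The SLE/ARO/ALE chain from the "Quantitative analysis steps" slide and the cost/benefit balance from this slide, worked through in code. This is an added example, not code from the slides or from the CISSP guides they cite. The asset value, exposure factors, occurrence rates and safeguard costs are constructed figures; the decision rule used, net value = ALE(before) - ALE(after) - annualized cost of the safeguard, is the standard CISSP cost/benefit test, and the `Scenario`/`Safeguard` names are this example's own.

```python
"""Quantitative risk analysis: SLE, ARO and ALE, then the cost/benefit
test that decides whether a countermeasure is worth its total cost.
Added example; every figure below is constructed for illustration."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset."""
    asset_value: float       # asset value in $
    exposure_factor: float   # fraction (0.0-1.0) of asset value lost per incident
    aro: float               # annualized rate of occurrence (incidents per year)


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and the residual scenario it leaves."""
    name: str
    purchase: float          # one-time acquisition/construction cost
    years_of_life: int       # period over which the purchase is spread
    yearly_operating: float  # maintenance, testing, staff time per year
    after: Scenario          # the scenario once the safeguard is in place


def sle(s: Scenario) -> float:
    """Single Loss Expectancy = asset value x exposure factor."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annual Loss Expectancy = SLE x ARO."""
    return sle(s) * s.aro


def annualized_cost(sg: Safeguard) -> float:
    """Total cost of the safeguard per year: purchase spread over its
    service life plus the nontrivial operating cost."""
    return sg.purchase / sg.years_of_life + sg.yearly_operating


def safeguard_value(before: Scenario, sg: Safeguard) -> float:
    """Net annual value = ALE(before) - ALE(after) - annualized cost.
    Positive: the loss prevented justifies the cost.
    Negative: the safeguard costs more than the risk it removes."""
    return ale(before) - ale(sg.after) - annualized_cost(sg)


def rank_safeguards(before: Scenario, options: List[Safeguard]) -> List[Tuple[float, str]]:
    """Order candidates by net annual value, best first."""
    return sorted(((safeguard_value(before, o), o.name) for o in options), reverse=True)


# Constructed scenario: ransomware against a customer database valued at
# $500,000; 40% of its value is lost per incident, one incident every two years.
BEFORE = Scenario(asset_value=500_000.0, exposure_factor=0.4, aro=0.5)

# Two constructed candidate countermeasures.
OPTIONS = [
    Safeguard(
        name="Offline backups + endpoint detection",
        purchase=60_000.0, years_of_life=3, yearly_operating=15_000.0,
        # Restoring from backup caps the loss at 10%; detection halves the rate.
        after=Scenario(asset_value=500_000.0, exposure_factor=0.1, aro=0.25),
    ),
    Safeguard(
        name="Fully outsourced 24x7 SOC",
        purchase=0.0, years_of_life=1, yearly_operating=150_000.0,
        after=Scenario(asset_value=500_000.0, exposure_factor=0.1, aro=0.1),
    ),
]


if __name__ == "__main__":
    print(f"SLE before = ${sle(BEFORE):,.0f}, ALE before = ${ale(BEFORE):,.0f}")
    for value, name in rank_safeguards(BEFORE, OPTIONS):
        verdict = "justified" if value > 0 else "not justified"
        print(f"{name}: net ${value:,.0f}/yr ({verdict})")
```

With these figures the baseline ALE is $100,000 a year. The backup-plus-detection option cuts ALE to $12,500 for $35,000 a year, a net gain of $52,500, so its cost is justified by the potential loss. The outsourced SOC reduces risk further (ALE $5,000) but at $150,000 a year it costs more than the risk it removes, a net loss of $55,000, which is the "right amount of security" point: a control that drives residual risk lowest is not automatically the one to buy.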

53
Countermeasures selection principles
  • Based on cost/benefit analysis: the total cost of
    a safeguard includes
  • Selection and acquisition
  • Construction and placement
  • Environment modification
  • Nontrivial operating cost
  • Maintenance, testing
  • Potential side effects
  • Cost must be justified by the potential loss
  • Accountability
  • At least one person for each safeguard
  • Associate directly with performance reviews
  • Absence of design secrecy

54
Countermeasures selection principles (Continued)
  • Audit capability
  • Must be testable
  • Include auditors in design and implementation
  • Vendor Trustworthiness
  • Review past performance
  • Independence of control and subject
  • Safeguards control/constrain subjects
  • Controllers administer the safeguards
  • Controllers and subject are from different
    populations
  • Universal application
  • Impose safeguards uniformly
  • Minimize exceptions

55
Countermeasures selection principles (Continued)
  • Compartmentalization and defense in depth
  • Safeguards role
  • Consider to improve security through layers of
    security
  • Isolation, economy and least common mechanism
  • Isolate from other safeguards
  • Simple design is more cost effective and
    reliable, etc
  • Acceptance and tolerance by personnel
  • Care must be taken to avoid implementing controls
    that pose unreasonable constraints
  • Less intrusive controls are more acceptable
  • Minimize human intervention
  • Reduces the possibility of errors and
    exceptions by reducing the reliance on
    administrative staff to maintain the control

56
Countermeasures selection principles (Continued)
  • Sustainability
  • Reaction and recovery
  • Countermeasures should do the following when
    activated
  • Avoids asset destruction and stops further damage
  • Prevents disclosure of sensitive information
    through a covert channel
  • Maintains confidence in system security
  • Captures information related to the attack and
    attacker
  • Override and fail-safe defaults
  • Residual and reset

57
Basis and origin of ethics
  • Religion, law, tradition, culture
  • National interest
  • Individual rights
  • Enlightened self interest
  • Common good/interest
  • Professional ethics/practices
  • Standards of good practice

58
Ethics
  • Formal ethical theories
  • Teleology Ethics in terms of goals, purposes, or
    ends
  • Deontology Ethical behavior is duty
  • Common ethical fallacies
  • Computers are a game
  • Law-abiding citizen, Free information
  • Shatterproof
  • Candy-from-a-baby
  • Hackers
  • Difficult to define
  • Start with senior management

59
Codes of ethics - examples
  • Relevant professional codes of ethics include
  • Internet Activities Board (IAB), RFC 1087
  • Any activity is unethical and unacceptable that
    purposely
  • Seeks to gain unauthorized access to the internet
    resources
  • Disrupts the intended use of the internet
  • Wastes resources through such actions
  • Destroys the integrity of computer-based
    information
  • Compromises the privacy of users
  • Involves negligence in the conduct of
    internet-wide experiments

60
Codes of ethics - examples
  • Relevant professional codes of ethics include
  • (ISC)2 and other professional codes
  • (ISC)2 Code of Ethics canons
  • Protect society, the commonwealth, and the
    infrastructure
  • Provide diligent and competent services to
    principals, etc.
  • Auditors
  • Professional codes may have legal importance

61
References
  • (ISC)2 CBK material
  • (ISC)2 Official Guide
  • CISSP All-in-One