Information Security Requirements for Applications - PowerPoint PPT Presentation

1
Information Security Requirements for Applications
  • A Proactive Approach to Information Security
  • Robert Childs
  • VP Information Security Officer
  • First Community Bank
  • 9-17-08

2
Agenda
  • Why
  • Policy
  • What Is Information Security
  • Risk Assessment
  • Information Security Plan
  • Information Security Plan Elements
  • Summary

3
What About Security at the Front End
  • When new application systems are implemented, how
    do you ensure controls and security are built in
    up front?
  • How do you ensure compliance requirements are
    maintained?
  • How will a new application affect your current IT
    controls or audit/compliance standing?
  • We all know that retrofitting security and
    controls into an application after implementation
    is costly and inefficient

4
What About Security at the Front End
  • Implement a proactive approach to ensure
    information security controls are included and
    implemented for new systems
  • Build it into your development and project
    processes
  • How? First get a policy adopted

5
Information Security Plan - Policy
  • Policy requires an Information Security Plan to
    be developed for new applications
  • Incorporate the security plan and requirements
    into the new system Project Methodology
  • Must be a deliverable for all new application
    projects
  • Security requirements are defined up front, just
    like any other system requirements
  • Risk assessments are key to defining requirements

6
Sample Policy Statements
  • Information security risk assessments are to be
    performed for IT systems, new computer systems or
    systems undergoing major enhancements.
  • Information security requirements are to be
    identified, defined and included in business and
    technical requirements for new implementations or
    enhancements of information technology (IT)
    systems
  • Information Security Plans are to be developed
    and documented for IT systems, and should support
    the security requirements and mitigate the risks.

7
Sample Policy Statements
  • The Security Plan should describe the ongoing
    security needs and processes for the Life Cycle
    of the system.
  • Security requirements and controls identified
    should reflect business value of information
    assets involved and the consequence from failure
    of security. Security mechanisms should be cost
    beneficial, i.e., not exceed the costs of risk.
  • Testing of security functionality and procedures
    is to be included in application and system
    testing and quality assurance processes.

8
Security Plan
  • OK, we're ready to do a security plan - but
    first let's go over briefly what information
    security is.
  • When thinking and developing security
    requirements and controls, we need to keep our
    focus on what and why.

9
Just What is Information Security?
  • Information Security is made up of a number of
    technical, operational and management components,
    in various layers, all working in coordinated and
    integrated processes.
  • Management Controls address security topics that
    can be characterized as managerial. They are
    techniques and concerns that are normally
    addressed by management in the organization's
    computer security program.
  • Operational Controls address security controls
    that are primarily implemented and executed by
    people (as opposed to systems).
  • Technical Controls focus on security controls
    that the computer system executes. These
    controls are dependent upon the proper
    functioning of the system for their
    effectiveness.

10
Just What is Information Security?
  • Information security is defined as the assurance
    and protection of:
  • Confidentiality: ensuring that information is
    accessible only to those authorized to have
    access
  • Integrity: safeguarding the accuracy and
    completeness of information and processing
    methods
  • Availability: ensuring that authorized users have
    access to information and associated assets when
    required.
  • Reliability: increasing the reliability of
    systems and information.

11
First - the Risk Assessment
  • Need to perform a risk assessment of the
    application and related business processes to
    determine the risks, which provide a basis for
    determining the controls needed
  • Security risk assessments provide a mechanism to
    identify security requirements by identifying
    threats, vulnerabilities, security and control
    issues.
  • Security risk assessments also provide a basis to
    compare cost of risk to cost of mitigations.

12
Security Plan - Some Things to Keep In Mind
  • The Security Plan should describe the security needs
    and processes for the Life Cycle of the system.
  • The security plan should not be just a one time
    effort, but should be a living document that
    reflects the life of the application.
  • Security for an application is a set of ongoing
    integrated processes, and the Plan should reflect
    these processes and be kept up to date.

13
Security Plan - General
  • Create a template to use that outlines the
    various security controls that need to be
    addressed.
  • Make the Security Plan a part of the Project
    Management Methodology - a required deliverable
  • Initiate the security plan development at the
    early stages of the project
  • Use it to help define the security requirements
    for the application.

14
Security Plan - Who Does It?
  • Joint effort - this is not just done by the
    information security folks
  • Should be done by business, IT and security
    personnel together. Info Security staff can help
    facilitate the process.

15
Security Plan Elements
  • Overview of Security Requirements and
    Processes: One or two paragraphs describing the
    overview of security requirements and processes.
  • Legal / Regulatory Requirements: SOX, GLBA,
    HIPAA, FDIC, SEC, state laws, privacy laws, etc.
    Indicate what laws or regulations affect this
    system and data, and how they affect it.
  • Confidentiality Requirements / Data
    Classification: Describe confidentiality issues
    and requirements. Classify the data as
    confidential, internal, or public.

16
Security Plan Elements
  • Roles and Responsibilities for Security
    Administration Functions: What job positions are
    responsible for the various security functions?
    What position administers the userids - is it
    centralized? Where - business area or IT
    Security Administration? Who approves access
    requests?
  • Access Requirements and Restrictions: Describe
    access rules and requirements - what types of
    employees can access which data elements. Will
    access be by roles or groups? What access
    restrictions are there? What external users
    need access? What are the requirements for external
    access into the organization's network/systems?
    How do the roles and access permissions provide
    proper segregation of duties?

17
Security Plan Elements
  • Security Logging and Monitoring: Describe the
    security and access logging processes,
    transaction logging, review of security
    exceptions, monitoring of security events, and log
    review processes. Logging can be at O/S,
    database and application levels.
  • Security Training: Security awareness and
    security administrative process training; initial
    training, new user and ongoing security training
    plans. Determine training records and logging
    requirements for compliance purposes.
  • Security Testing: Initial implementation and
    periodic testing to ensure ongoing compliance with
    security requirements, including QA testing.
    Also, determine the need for periodic security
    assessment reviews.

18
Security Plan Elements
  • Infrastructure / Telecommunications Security
    Components: Dependencies, interaction with
    firewalls, router configuration or ACLs,
    intrusion detection, anti-virus, system logging,
    operating system security settings/configurations,
    network segregation, Web application based
    security requirements, configurations for web
    application/DMZ, secure telecommunications,
    HTTPS, etc.
  • Backup and Disaster Recovery Requirements:
    Availability requirements for the system, backup
    requirements/frequency, DR requirements - brief
    description here, refer to the specific DR Plan
    for details.

19
Security Plan Elements
  • Remote Access Requirements: What
    restrictions/allowances for remote access by
    users; any modem/VPN requirements for vendor or
    technical support; how should any remote access
    be controlled, logged, and monitored?
  • Data Integrity: Application and database controls
    to ensure data accuracy, such as batch and record
    totals, separation of duties, database integrity
    checks, and other measures to ensure data
    maintains accuracy and completeness.
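The batch and record totals mentioned under Data Integrity are easiest to see in working code. The block below is an added example, not from the presentation or from First Community Bank: the sending side attaches a control record (record count, amount total and a hash total) to a batch, and the receiving side recomputes all three and reports any discrepancy. The record layout and the sample transactions are constructed for illustration. The hash total is included because a plain amount total cannot detect two compensating changes (one record increased, another decreased by the same amount) or a reordering of records.

```python
"""Batch control totals as an application-level data integrity check.

Added example (not from the presentation). Record format (id, account,
amount) and the sample batch are constructed for illustration.
"""
from decimal import Decimal
import hashlib


def control_totals(records):
    """Return (record_count, amount_total, hash_total) for a list of records.

    The hash total is a SHA-256 over a canonical serialisation of every record
    in order, so it detects altered fields and reordering that a plain amount
    total would miss.
    """
    h = hashlib.sha256()
    total = Decimal("0")
    for rec in records:
        amount = Decimal(rec["amount"])
        total += amount
        line = f"{rec['id']}|{rec['account']}|{amount:.2f}\n"
        h.update(line.encode("utf-8"))
    return len(records), total, h.hexdigest()


def build_batch(records):
    """Sender side: copy the records and attach a control record."""
    copied = [dict(r) for r in records]
    count, total, digest = control_totals(copied)
    return {
        "records": copied,
        "control": {"count": count, "amount_total": str(total), "hash_total": digest},
    }


def verify_batch(batch):
    """Receiver side: recompute the totals and return a list of discrepancies.

    An empty list means the batch is consistent with its control record.
    """
    count, total, digest = control_totals(batch["records"])
    ctl = batch["control"]
    problems = []
    if count != ctl["count"]:
        problems.append(f"record count {count} != declared {ctl['count']}")
    if total != Decimal(ctl["amount_total"]):
        problems.append(f"amount total {total} != declared {ctl['amount_total']}")
    if digest != ctl["hash_total"]:
        problems.append("hash total mismatch (record content or order changed)")
    return problems


# Constructed sample batch (not real data)
SAMPLE_RECORDS = [
    {"id": "T001", "account": "1001", "amount": "125.00"},
    {"id": "T002", "account": "1002", "amount": "-40.50"},
    {"id": "T003", "account": "1003", "amount": "300.25"},
]


def dropped_record_example():
    """Last record lost in transit: count, amount and hash totals all disagree."""
    batch = build_batch(SAMPLE_RECORDS)
    batch["records"] = batch["records"][:-1]
    return verify_batch(batch)


def compensating_change_example():
    """Two amounts altered so the amount total is unchanged; only the hash total catches it."""
    batch = build_batch(SAMPLE_RECORDS)
    batch["records"][0]["amount"] = "135.00"
    batch["records"][2]["amount"] = "290.25"
    return verify_batch(batch)


if __name__ == "__main__":
    print("intact batch:", verify_batch(build_batch(SAMPLE_RECORDS)))
    print("dropped record:", dropped_record_example())
    print("compensating change:", compensating_change_example())
```

In a real interface the control record would travel with the batch (or be exchanged out of band) and a failed verification would reject the whole batch and raise a security exception for review, which ties this control back to the logging and monitoring element of the plan.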

20
Security Plan Elements
  • Data and System Interfaces, Interconnections and
    Dependencies: What data and system interfaces and
    interconnections are there with other systems,
    and what security protections are needed?
  • Physical Security: Where are the physical
    components for the system, and what physical
    security requirements are needed - what secure
    room/computer facility is to be used; controls,
    logging and monitoring of physical access to
    computer hardware, data backups, etc.

21
Summary
  • By getting business and IT personnel involved up
    front in performing a risk assessment and
    defining the various controls and security
    requirements, you will be able to get solid
    security requirements and a plan documented for the
    new application system. This helps everyone get
    a better understanding of the need for security
    and controls, gets their buy-in, and ensures the
    proper controls are addressed at the front end
    when it is more cost effective. This also
    ensures your ongoing compliance program stays on
    track as new systems come on board.

22
  • Thank you!
  • Questions?
  • Robert (Bob) Childs
  • VP Information Security Officer
  • First Community Bank
  • rchilds_at_fcbnm.com