ISA 562 Internet Security Theory and Practice
CISSP Topic 1: Information Security Management
An introductory course at the graduate level.
It covers the topics of the CISSP exam at varying depth, but is NOT a CISSP course.
Matt Bishop: Computer Security Art and Science
Official ISC 2 Guide to the CISSP CBK
Objectives
Roles and responsibilities of individuals in a security program
Security planning in an organization
Security awareness in the organization
Differences between policies, standards, guidelines and procedures
Risk management practices and tools
Syllabus of the Course
Bishop’s book for the first part
Papers for some classes
ISC 2 book for the second part
Cover material relevant to the PhD qualifying examination in security
Purpose of information security:
to protect an organization's information resources: data, hardware, and software.
To increase organizational success: information systems are critical assets supporting the organization's mission.
Information Security TRIAD
The overarching goals of information security are addressed through the AIC triad (availability, integrity, confidentiality).
IT Security Requirements - I
Security should be designed for two requirements:
Functional: define the behavior of the control (the means), based on risk assessment.
A control should not depend on another control.
Why? Fail safe: security is maintained even while part of the system has failed.
Assurance: provide confidence that the security functions perform as expected.
Third-party reviews
Compliance with best practices
Example. Functional: a network firewall permits or denies traffic.
Assurance: the firewall's logs are generated, monitored, and reviewed.
Organizational & Business Requirements
Focus on the organizational mission:
Business- or goal-driven
Depends on the type of organization:
Military, Government, or Commercial.
Must be sensible and cost-effective
The solution considers the mission and the environment: a trade-off.
IT Security Governance
Integral part of corporate governance:
Fully integrated into overall risk-based threat analysis
Ensure that IT infrastructure:
Meets all requirements.
Supports the strategies and objectives of the company.
Includes service level agreements [if outsourced].
Security Governance: Major parts
Security leaders must be part of the company leadership, where they can be heard.
Security governance occurs at many levels and should use a layered approach.
Follow internationally accepted "best practices":
job rotation, separation of duties, least privilege, mandatory vacations, etc.
Examples of standards : ISO 17799 & ISO 27001:2005
Provide a structure for organizing requirements and solutions.
Ensure that security is considered holistically.
To identify and design security requirements, recognize that the operational environment is a web of laws, regulations, requirements, and agreements or contracts with partners and competitors.
These change frequently and interact with each other.
Management must develop and publish security statements addressing policies and their supporting elements, such as standards, baselines, and guidelines.
Functions of Security policy
Provide Management Goals and Objectives in writing
Ensure documented compliance
Create a security culture
Anticipate and protect others from surprises
Establish the security activity/function
Hold individuals responsible and accountable
Address foreseeable conflicts
Make sure employees and contractors are aware of organizational policy and of changes to it
Require incident response plan
Establish process for exception handling, rewards, and discipline
High-level policies are interpreted into functional policies.
Functional policies are derived from the overarching policy and create the foundation for the procedures, standards, and baselines that accomplish its objectives.
Policies gain credibility through top-management buy-in.
Examples of Functional Policies
Certification and accreditation
Acceptable mail and Internet usage
Standards, procedures, baselines, and guidelines turn management objectives and goals [functional policies] into enforceable actions for employees.
Standards and procedures
Standards (local): adoption of common hardware and software mechanisms and products throughout the enterprise.
Examples: desktop, anti-virus, firewall
Procedures: step-by-step actions that must be followed to accomplish a task.
Guidelines: recommendations for product implementations, procurement and planning, etc.
Examples: ISO 17799, Common Criteria, ITIL
Benchmarks: ensure that a minimum level of security configuration is provided across implementations and systems,
and establish consistent implementation of security mechanisms.
Three Levels of security planning
1. Strategic: long-term
Focus on high-level, long-range organizational requirements
Example: overall security policy
2. Tactical: medium-term
Focus on events that affect the whole organization
Example: functional plans
3. Operational: short-term
Fight fires at the keyboard level, directly affecting how the organization accomplishes its objectives.
Organizational roles and responsibilities
Everyone has a role,
with responsibility clearly communicated and understood.
Duties associated with the role must be assigned, for example:
Reviewing violation reports
Attending awareness training
Specific Roles and Responsibilities (duties)
Publish and endorse security policy
Establish goals and objectives
State overall responsibility for asset protection.