Published on

Information Assurance for the Enterprise

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1. Chapter 3 Security Policy
  2. 2. Objectives <ul><li>Define information assets, risks, and countermeasures </li></ul><ul><li>Structure a synergistic information assurance solution </li></ul><ul><li>Identify the role of policy in the information assurance process </li></ul><ul><li>Design a functional information assurance and security management system </li></ul>
  3. 3. Protection of Information <ul><li>Ensuring protection of information is difficult </li></ul><ul><ul><li>Weak points are in the areas of policy and process, rather than technology </li></ul></ul><ul><ul><li>Breakdowns in security are likely to occur because of failure to: </li></ul></ul><ul><ul><ul><li>Understand the problem </li></ul></ul></ul><ul><ul><ul><li>Set proper goals </li></ul></ul></ul><ul><ul><ul><li>Follow correct procedure </li></ul></ul></ul>
  4. 4. Protection of Information <ul><li>Findings of Government Accountability Office (GAO) reveal the lack of: </li></ul><ul><ul><li>Risk-based information assurance plans </li></ul></ul><ul><ul><li>Documentation of information assurance policies </li></ul></ul><ul><ul><li>Programs for evaluating the effectiveness of controls </li></ul></ul><ul><ul><li>Application development and change controls </li></ul></ul><ul><ul><li>Implementation and software products usage control </li></ul></ul><ul><ul><li>Adequate knowledge of information assurance controls </li></ul></ul>
  5. 5. Definitions <ul><li>Assets – anything a person or organization owns that is valuable </li></ul><ul><ul><li>Tangible assets </li></ul></ul><ul><ul><li>Intangible assets </li></ul></ul><ul><li>Risk – likelihood that a particular threat will produce a harmful effect </li></ul><ul><ul><li>Assessed in terms of their impact and probability of occurrence </li></ul></ul><ul><ul><li>Increases or decreases based on number of vulnerabilities present </li></ul></ul>
  6. 6. Definitions <ul><li>Countermeasures – set of actions to prevent or slow an impending attack from threats </li></ul><ul><li>Information assurance process – thinking through and responding with the right set of countermeasures </li></ul><ul><ul><li>Other definitions include: </li></ul></ul><ul><ul><ul><li>Threats – any event that can have an undesirable affect on the condition of an asset </li></ul></ul></ul><ul><ul><ul><li>Vulnerabilities – flaws or weak points in a protection scheme </li></ul></ul></ul><ul><ul><ul><li>When a threat can exploit a vulnerability, the vulnerability becomes a weakness </li></ul></ul></ul>
  7. 7. Characteristics: Information Assurance Process <ul><li>Supports three common characteristics: </li></ul><ul><ul><li>Availability – ensures that information is provided to users when it is required </li></ul></ul><ul><ul><li>Integrity – centers on the qualities of authenticity, accuracy, and completeness </li></ul></ul><ul><ul><li>Confidentiality – need to restrict access to information or data </li></ul></ul><ul><ul><ul><li>From a system point of view, confidentiality is the assurance that access controls are enforced </li></ul></ul></ul>
  8. 8. Establishing Information Assurance Process <ul><li>Organizing appropriate set of countermeasures into a seamless and effective response profile </li></ul><ul><li>Requires integrating a range of elements into a working solution </li></ul><ul><ul><li>Ensuring coordination: integrating functions </li></ul></ul><ul><ul><ul><li>Solutions encompass measures from a diverse range of disciplines </li></ul></ul></ul><ul><ul><ul><li>Each discipline contributes elements that will be part of the eventual response </li></ul></ul></ul>
  9. 9. Establishing Information Assurance Process <ul><ul><li>Creating the assurance process – role of design </li></ul></ul><ul><ul><ul><li>Effective programs demand integrated business and technological processes </li></ul></ul></ul><ul><ul><ul><li>Must be designed deliberately and deployed through a strategic planning activity </li></ul></ul></ul><ul><ul><ul><li>Solutions must be composed of an integrated set of responses, embedded in day-to-day operation, invisible to end users </li></ul></ul></ul><ul><ul><li>Security infrastructure – making the process systematic </li></ul></ul><ul><ul><ul><li>Combined set of policies, roles and responsibilities and accountabilities for a given organization </li></ul></ul></ul><ul><ul><li>Planning – formalizing the assurance process </li></ul></ul><ul><ul><ul><li>Turns abstract policies into concrete actions </li></ul></ul></ul>
  10. 10. Policy and Information Assurance <ul><li>Integration of diverse components is guided by information assurance policies </li></ul><ul><li>Policies are a shared understanding of the process to be followed </li></ul><ul><ul><li>They must be uniform to ensure seamlessness </li></ul></ul><ul><ul><li>They coordinate work across the organization </li></ul></ul><ul><ul><li>They establish the critical path to assurance </li></ul></ul><ul><ul><li>They are defined based on a standard </li></ul></ul>
  11. 11. Policy and Information Assurance <ul><li>In information assurance, policies support five common aims: </li></ul><ul><ul><li>Prevention – security from internal and external penetration, and prevention of undesirable occurrence </li></ul></ul><ul><ul><li>Detection – reaction to the nature, existence, presence, or fact of a penetration </li></ul></ul><ul><ul><li>Containment – protection of sensitive data </li></ul></ul><ul><ul><li>Deterrence – policies, procedures, and actions designed to discourage penetration </li></ul></ul><ul><ul><li>Recovery – restoration after a failure or penetration </li></ul></ul>
  12. 12. Policy and Information Assurance <ul><li>Three different types of policies are associated with specific types of decision making </li></ul>
  13. 13. Policy and Information Assurance <ul><li>To create awareness, the definition process should include: </li></ul><ul><ul><li>Definition of information as an organizational asset </li></ul></ul><ul><ul><li>Identification and evaluation of the sensitivity of systems and data </li></ul></ul><ul><ul><li>Creation of plans to ensure security and control of each identified system </li></ul></ul><ul><ul><li>Development and implementation of training programs </li></ul></ul><ul><ul><ul><li>To enable and enforce the understanding and the use of proper information assurance measures </li></ul></ul></ul>
  14. 14. Relationship: Policy and Assurance Process <ul><li>A formal information assurance planning exercise is essential to the development of a tailored, organization-wide assurance scheme </li></ul>
  15. 15. General Requirements for the Information Assurance Process <ul><li>Information integrity, confidentiality, availability, authentication, and nonrepudiation </li></ul><ul><li>Relevant needs represented in the solution </li></ul><ul><li>Responsibility to performing functions assigned and understood explicitly </li></ul><ul><li>Accountability and enforcement </li></ul><ul><li>Regular and systematic assessments </li></ul><ul><li>Participants should understand the importance </li></ul><ul><li>Continuity of operation </li></ul><ul><li>Conformity to legal requirements </li></ul><ul><li>Proportionate expense </li></ul><ul><li>Ethical use of information </li></ul>
  16. 16. General Requirements for the Information Assurance Process <ul><li>Functional elements of the comprehensive long-range information assurance planning process </li></ul>
  17. 17. Developing an Assurance Plan <ul><li>A formal representation of how the organization intends to address its policy requirements </li></ul><ul><ul><li>Characteristics of a strategic plan: </li></ul></ul><ul><ul><ul><li>Complete </li></ul></ul></ul><ul><ul><ul><li>Correct </li></ul></ul></ul><ul><ul><ul><li>Understandable </li></ul></ul></ul><ul><ul><ul><li>Unambiguous </li></ul></ul></ul><ul><ul><ul><li>Traceable </li></ul></ul></ul><ul><ul><li>Strategic plan should provide a description of evaluation of the system </li></ul></ul><ul><ul><ul><li>Insures that the operation of the system meets the goals defined by the plan </li></ul></ul></ul>
  18. 18. Designing a Functional Information Security System <ul><li>Outcome of the planning process is a formal Information Security Management System </li></ul><ul><ul><li>“ISMS” describes a comprehensive set of discrete management controls arrayed into an operational solution </li></ul></ul>
  19. 19. Designing a Functional Information Security System <ul><li>Development of an ISMS must originate with the senior management </li></ul>
  20. 20. Defining the Information Assurance Boundaries <ul><li>Information assurance boundaries – based on the concept of perimeters </li></ul><ul><ul><li>Information assurance perimeter – the outer boundary of the space to be secured </li></ul></ul><ul><ul><ul><li>First step: establish the perimeter of the ISMS </li></ul></ul></ul><ul><ul><li>Complicated by the feasibility factor </li></ul></ul><ul><ul><ul><li>The likelihood that a task or purpose can be accomplished </li></ul></ul></ul><ul><ul><ul><li>Based on whether the perimeter selected assures all priority assets and fits within the available resources and capabilities of the organization </li></ul></ul></ul>
  21. 21. Defining the Information Assurance Boundaries <ul><li>Assess the effects of threats against the financial and staff resources </li></ul><ul><ul><li>Factors include answers to questions such as: </li></ul></ul><ul><ul><ul><li>What is the level of criticality for each of the information assets that falls within the scope of the system? </li></ul></ul></ul><ul><ul><ul><li>What is the degree of assurance required for each? </li></ul></ul></ul><ul><ul><ul><li>What are the effects of identifiable threats? </li></ul></ul></ul><ul><ul><ul><li>How accessible is the data? </li></ul></ul></ul><ul><ul><ul><li>How complex and critical is the system? </li></ul></ul></ul>
  22. 22. Defining the Information Assurance Boundaries <ul><li>Decision process that underlies setting the boundaries for the ISMS based on the value of the asset </li></ul>
  23. 23. Building the Information Assurance Boundaries <ul><li>Specifies rules for the behaviors needed to counteract threats to the information assets </li></ul><ul><li>Fundamental activities that should be recognizable include: </li></ul><ul><ul><li>Top-down understanding and refinement </li></ul></ul><ul><ul><li>Progressive (or iterative) enhancement </li></ul></ul><ul><ul><li>Optimization based on feasibility </li></ul></ul><ul><ul><li>Continuous control </li></ul></ul><ul><ul><li>Measurement and assessment </li></ul></ul>
  24. 24. Building the Information Assurance Boundaries <ul><li>Identification of realistic threats </li></ul>
  25. 25. Building the Information Assurance Boundaries <ul><li>Optimum set of controls </li></ul><ul><ul><li>Step 1: Organizational setup </li></ul></ul><ul><ul><ul><li>Launches the process, an awareness exercise </li></ul></ul></ul><ul><ul><ul><li>Requires total up-front commitment from all involved </li></ul></ul></ul><ul><ul><li>Step 2: Asset identification and baselining </li></ul></ul><ul><ul><ul><li>Form of the asset must be known and categorized </li></ul></ul></ul><ul><ul><ul><li>Aggregate set of secured assets is termed a baseline </li></ul></ul></ul><ul><ul><li>Step 3: Risk analysis </li></ul></ul><ul><ul><ul><li>Evaluates the damage that might occur and analyzes and categorizes the acceptable options </li></ul></ul></ul>
  26. 26. Building the Information Assurance Boundaries <ul><ul><li>Step 4: Asset valuation </li></ul></ul><ul><ul><ul><li>What is the level of criticality of each particular information asset in the asset baseline? </li></ul></ul></ul><ul><ul><ul><li>What is the specific degree of resource commitment required to assure it? </li></ul></ul></ul><ul><ul><li>Step 5: Selection of a control set </li></ul></ul><ul><ul><ul><li>Involves the specification, design, scheduling, and installation of a working control set </li></ul></ul></ul><ul><ul><ul><li>Information and associated controls, must be directly traceable to each other </li></ul></ul></ul>
  27. 27. Building the Information Assurance Boundaries <ul><ul><li>Step 6: Operational testing </li></ul></ul><ul><ul><ul><li>Validation takes place after the deployment of the system </li></ul></ul></ul><ul><ul><ul><li>Employs assumptions developed in the risk analysis </li></ul></ul></ul>
  28. 28. Building the Information Assurance Boundaries <ul><ul><li>Step 7: Finalization of the baseline </li></ul></ul><ul><ul><ul><li>Aggregate controls are finalized into the released version of the security system </li></ul></ul></ul><ul><ul><ul><li>Baseline that represents operational form of the information assurance system is maintained under strict configuration management </li></ul></ul></ul>
  29. 29. Maintaining Information Assurance Over Time <ul><li>Ensures that the information assurance system continues to be appropriate to the environment </li></ul><ul><li>A disciplined and systematic process is used to guarantee that the protection will be maintained </li></ul><ul><li>A continuous process based on continuous feedback from operations </li></ul>
  30. 30. Handling Expectations <ul><li>Information assurance operates under process entropy that causes well-defined processes to eventually fall apart </li></ul><ul><li>Exception processes – rapid response agents who respond to new or unexpected incidents </li></ul><ul><ul><li>Attributes of countermeasures </li></ul></ul><ul><ul><ul><li>Timely – ensure effective remediation </li></ul></ul></ul><ul><ul><ul><li>Responsive – evolved directly from the threat </li></ul></ul></ul><ul><ul><ul><li>Disciplined – structured and followed systematically </li></ul></ul></ul><ul><ul><ul><li>Usable – involves all types of users in the solution </li></ul></ul></ul>
  31. 31. Essential Role of Accountability in Maintaining Assurance <ul><li>Accountability – mechanism that enables the internal control function </li></ul><ul><ul><li>Tasks to be executed to ensure accountability: </li></ul></ul><ul><ul><ul><li>Establish a direct link between identified risks and accountable parties </li></ul></ul></ul><ul><ul><ul><li>Ensure that accountable parties understand their duties </li></ul></ul></ul><ul><ul><ul><li>Ensure that accountable parties have accepted their responsibilities </li></ul></ul></ul><ul><ul><ul><li>Ensure that accountable parties are capable of responding to incidents </li></ul></ul></ul><ul><ul><li>Enforcement should be tailored to the information assurance policies </li></ul></ul>
  32. 32. Communicating Organization and Technical Direction <ul><li>Success of the information assurance process rests on effective communication </li></ul><ul><ul><li>Participants must understand the rules of behavior </li></ul></ul><ul><ul><li>Information assurance schemes are complex and subject to change </li></ul></ul><ul><ul><ul><li>Behavior must be attuned to the situation </li></ul></ul></ul>
  33. 33. Ensuring Organizational Awareness <ul><li>To ensure organizational awareness </li></ul><ul><ul><li>All applicable policy, procedure goals, and nuances of operation must be communicated </li></ul></ul><ul><ul><ul><li>Communication process must be formally structured and carefully managed </li></ul></ul></ul><ul><ul><ul><li>Participants should understand the reasons for adequate protection </li></ul></ul></ul><ul><ul><ul><ul><li>Ensured by an awareness or “buy-in” program prior to establishing the system </li></ul></ul></ul></ul>
  34. 34. Enforcing Discipline <ul><li>Activities need to be performed on a disciplined basis and in a repeatable way </li></ul><ul><ul><li>Consistent performance – essential to success </li></ul></ul><ul><ul><li>Effective control relies on the ability to </li></ul></ul><ul><ul><ul><li>Supervise and enforce individual and group behavior </li></ul></ul></ul><ul><ul><ul><li>Monitor employee performance </li></ul></ul></ul><ul><ul><ul><li>Invoke willingness and ability of individuals to follow procedure continuously on a daily basis </li></ul></ul></ul>
  35. 35. Review Process <ul><li>Management review </li></ul><ul><ul><li>Evaluates the performance of individuals and the execution of the process </li></ul></ul><ul><ul><li>Supports decisions about boundary settings, corrective actions, and allocation of resources </li></ul></ul><ul><ul><li>Identifies and reports variations from that plan and/or the defined procedures and presents evidence </li></ul></ul><ul><ul><li>Informs supervisory personnel and staff about a failure to perform properly </li></ul></ul><ul><ul><li>Involves the participation of the individual who has been assigned accountability for the process </li></ul></ul>
  36. 36. Review Process <ul><li>Technical reviews </li></ul><ul><ul><li>Focus on items related to the performance of technology against requirements </li></ul></ul><ul><ul><ul><li>Technical components include hardware, software, and documentation </li></ul></ul></ul><ul><ul><ul><li>Entails questions such as </li></ul></ul></ul><ul><ul><ul><ul><li>Proper implementation </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Performance conformity to specifications </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Purpose achievement </li></ul></ul></ul></ul><ul><ul><li>Supports technical and management personnel with direct responsibility </li></ul></ul><ul><ul><li>Discovers and reports vulnerabilities that affect performance </li></ul></ul>
  37. 37. Formal versus Informal Review <ul><li>Inspections – considerable analysis is conducted prior to the generation of findings </li></ul><ul><li>Walkthroughs – findings are reported with the action items as general recommendations </li></ul><ul><ul><li>Audits ensure trust to the process of walkthroughs </li></ul></ul><ul><ul><ul><li>Identifies emerging problems </li></ul></ul></ul><ul><ul><ul><li>Offers independent certification of conformance </li></ul></ul></ul><ul><ul><ul><li>Lists applicable standards, criteria, and evidences that support audit conclusions </li></ul></ul></ul><ul><ul><li>Audits usually require </li></ul></ul><ul><ul><ul><li>A common model, or standard, as the reference point </li></ul></ul></ul><ul><ul><ul><li>Sound documentary evidence of processes, procedures, and other deliverables to support findings </li></ul></ul></ul>
  38. 38. Measuring Performance <ul><li>Ability to base management decisions on data is an important aspect of an ongoing information assurance maintenance process </li></ul><ul><li>Measurement programs </li></ul><ul><ul><li>Allow decision making based on evidence </li></ul></ul><ul><ul><li>Allow assessment of performance </li></ul></ul><ul><ul><li>Bring deviations to the right person’s attention </li></ul></ul><ul><ul><ul><li>This is ensured by regularized reviews of each operational element </li></ul></ul></ul>
  39. 39. Measuring Performance <ul><li>Attributes of an effective assessment program: </li></ul><ul><ul><li>Factual – values are directly observable </li></ul></ul><ul><ul><li>Adaptable – measures are used that appropriately fit the circumstance </li></ul></ul><ul><ul><li>Meaningful – Outcomes are understandable to all </li></ul></ul><ul><li>Rule: whatever measures are selected must be applied consistently and uniformly </li></ul>