


Information Assurance for the Enterprise



  1. Chapter 3: Security Policy

  2. Objectives
     • Define information assets, risks, and countermeasures
     • Structure a synergistic information assurance solution
     • Identify the role of policy in the information assurance process
     • Design a functional information assurance and security management system

  3. Protection of Information
     • Ensuring protection of information is difficult
       • Weak points are in the areas of policy and process, rather than technology
       • Breakdowns in security are likely to occur because of failure to:
         • Understand the problem
         • Set proper goals
         • Follow correct procedure

  4. Protection of Information
     • Findings of the Government Accountability Office (GAO) reveal the lack of:
       • Risk-based information assurance plans
       • Documentation of information assurance policies
       • Programs for evaluating the effectiveness of controls
       • Application development and change controls
       • Controls over implementation and software product usage
       • Adequate knowledge of information assurance controls

  5. Definitions
     • Assets – anything a person or organization owns that is valuable
       • Tangible assets
       • Intangible assets
     • Risk – likelihood that a particular threat will produce a harmful effect
       • Assessed in terms of impact and probability of occurrence
       • Increases or decreases with the number of vulnerabilities present

  6. Definitions
     • Countermeasures – set of actions to prevent or slow an impending attack from threats
     • Information assurance process – thinking through and responding with the right set of countermeasures
       • Other definitions include:
         • Threats – any event that can have an undesirable effect on the condition of an asset
         • Vulnerabilities – flaws or weak points in a protection scheme
         • When a threat can exploit a vulnerability, the vulnerability becomes a weakness

  7. Characteristics: Information Assurance Process
     • Supports three common characteristics:
       • Availability – ensures that information is provided to users when it is required
       • Integrity – centers on the qualities of authenticity, accuracy, and completeness
       • Confidentiality – the need to restrict access to information or data
         • From a system point of view, confidentiality is the assurance that access controls are enforced

  8. Establishing the Information Assurance Process
     • Organizing an appropriate set of countermeasures into a seamless and effective response profile
     • Requires integrating a range of elements into a working solution
       • Ensuring coordination: integrating functions
         • Solutions encompass measures from a diverse range of disciplines
         • Each discipline contributes elements that will be part of the eventual response

  9. Establishing the Information Assurance Process
       • Creating the assurance process – the role of design
         • Effective programs demand integrated business and technological processes
         • Must be designed deliberately and deployed through a strategic planning activity
         • Solutions must be composed of an integrated set of responses, embedded in day-to-day operation and invisible to end users
       • Security infrastructure – making the process systematic
         • Combined set of policies, roles, responsibilities, and accountabilities for a given organization
       • Planning – formalizing the assurance process
         • Turns abstract policies into concrete actions

  10. Policy and Information Assurance
     • Integration of diverse components is guided by information assurance policies
     • Policies are a shared understanding of the process to be followed
       • They must be uniform to ensure seamlessness
       • They coordinate work across the organization
       • They establish the critical path to assurance
       • They are defined based on a standard

  11. Policy and Information Assurance
     • In information assurance, policies support five common aims:
       • Prevention – security from internal and external penetration, and prevention of undesirable occurrences
       • Detection – reaction to the nature, existence, presence, or fact of a penetration
       • Containment – protection of sensitive data
       • Deterrence – policies, procedures, and actions designed to discourage penetration
       • Recovery – restoration after a failure or penetration

  12. Policy and Information Assurance
     • Three different types of policies are associated with specific types of decision making

  13. Policy and Information Assurance
     • To create awareness, the definition process should include:
       • Definition of information as an organizational asset
       • Identification and evaluation of the sensitivity of systems and data
       • Creation of plans to ensure security and control of each identified system
       • Development and implementation of training programs
         • To enable and enforce the understanding and use of proper information assurance measures

  14. Relationship: Policy and Assurance Process
     • A formal information assurance planning exercise is essential to the development of a tailored, organization-wide assurance scheme

  15. General Requirements for the Information Assurance Process
     • Information integrity, confidentiality, availability, authentication, and nonrepudiation
     • Relevant needs represented in the solution
     • Responsibility for performing functions assigned and understood explicitly
     • Accountability and enforcement
     • Regular and systematic assessments
     • Participants should understand the importance of the process
     • Continuity of operation
     • Conformity to legal requirements
     • Proportionate expense
     • Ethical use of information

  16. General Requirements for the Information Assurance Process
     • Functional elements of the comprehensive long-range information assurance planning process

  17. Developing an Assurance Plan
     • A formal representation of how the organization intends to address its policy requirements
       • Characteristics of a strategic plan:
         • Complete
         • Correct
         • Understandable
         • Unambiguous
         • Traceable
       • The strategic plan should provide a description of how the system will be evaluated
         • Ensures that the operation of the system meets the goals defined by the plan

  18. Designing a Functional Information Security System
     • The outcome of the planning process is a formal Information Security Management System
       • An "ISMS" describes a comprehensive set of discrete management controls arrayed into an operational solution

  19. Designing a Functional Information Security System
     • Development of an ISMS must originate with senior management

  20. Defining the Information Assurance Boundaries
     • Information assurance boundaries – based on the concept of perimeters
       • Information assurance perimeter – the outer boundary of the space to be secured
         • First step: establish the perimeter of the ISMS
       • Complicated by the feasibility factor
         • The likelihood that a task or purpose can be accomplished
         • Based on whether the perimeter selected assures all priority assets and fits within the available resources and capabilities of the organization

  21. Defining the Information Assurance Boundaries
     • Assess the effects of threats against the financial and staff resources
       • Factors include answers to questions such as:
         • What is the level of criticality for each of the information assets that falls within the scope of the system?
         • What is the degree of assurance required for each?
         • What are the effects of identifiable threats?
         • How accessible is the data?
         • How complex and critical is the system?

  22. Defining the Information Assurance Boundaries
     • Decision process that underlies setting the boundaries for the ISMS based on the value of the asset

  23. Building the Information Assurance Boundaries
     • Specifies rules for the behaviors needed to counteract threats to the information assets
     • Fundamental activities that should be recognizable include:
       • Top-down understanding and refinement
       • Progressive (or iterative) enhancement
       • Optimization based on feasibility
       • Continuous control
       • Measurement and assessment

  24. Building the Information Assurance Boundaries
     • Identification of realistic threats

  25. Building the Information Assurance Boundaries
     • Optimum set of controls
       • Step 1: Organizational setup
         • Launches the process; an awareness exercise
         • Requires total up-front commitment from all involved
       • Step 2: Asset identification and baselining
         • The form of each asset must be known and categorized
         • The aggregate set of secured assets is termed a baseline
       • Step 3: Risk analysis
         • Evaluates the damage that might occur and analyzes and categorizes the acceptable options

  26. Building the Information Assurance Boundaries
       • Step 4: Asset valuation
         • What is the level of criticality of each particular information asset in the asset baseline?
         • What is the specific degree of resource commitment required to assure it?
       • Step 5: Selection of a control set
         • Involves the specification, design, scheduling, and installation of a working control set
         • Information and its associated controls must be directly traceable to each other

  27. Building the Information Assurance Boundaries
       • Step 6: Operational testing
         • Validation takes place after the deployment of the system
         • Employs the assumptions developed in the risk analysis

  28. Building the Information Assurance Boundaries
       • Step 7: Finalization of the baseline
         • Aggregate controls are finalized into the released version of the security system
         • The baseline that represents the operational form of the information assurance system is maintained under strict configuration management

  29. Maintaining Information Assurance Over Time
     • Ensures that the information assurance system continues to be appropriate to the environment
     • A disciplined and systematic process is used to guarantee that the protection will be maintained
     • A continuous process based on continuous feedback from operations

  30. Handling Exceptions
     • Information assurance operates under process entropy, which causes well-defined processes to eventually fall apart
     • Exception processes – rapid response agents who respond to new or unexpected incidents
       • Attributes of countermeasures
         • Timely – ensure effective remediation
         • Responsive – evolved directly from the threat
         • Disciplined – structured and followed systematically
         • Usable – involves all types of users in the solution

  31. Essential Role of Accountability in Maintaining Assurance
     • Accountability – the mechanism that enables the internal control function
       • Tasks to be executed to ensure accountability:
         • Establish a direct link between identified risks and accountable parties
         • Ensure that accountable parties understand their duties
         • Ensure that accountable parties have accepted their responsibilities
         • Ensure that accountable parties are capable of responding to incidents
       • Enforcement should be tailored to the information assurance policies

  32. Communicating Organizational and Technical Direction
     • Success of the information assurance process rests on effective communication
       • Participants must understand the rules of behavior
       • Information assurance schemes are complex and subject to change
         • Behavior must be attuned to the situation

  33. Ensuring Organizational Awareness
     • To ensure organizational awareness
       • All applicable policies, procedural goals, and nuances of operation must be communicated
         • The communication process must be formally structured and carefully managed
         • Participants should understand the reasons for adequate protection
           • Ensured by an awareness or "buy-in" program prior to establishing the system

  34. Enforcing Discipline
     • Activities need to be performed on a disciplined basis and in a repeatable way
       • Consistent performance – essential to success
       • Effective control relies on the ability to
         • Supervise and enforce individual and group behavior
         • Monitor employee performance
         • Invoke the willingness and ability of individuals to follow procedure continuously on a daily basis

  35. Review Process
     • Management review
       • Evaluates the performance of individuals and the execution of the process
       • Supports decisions about boundary settings, corrective actions, and allocation of resources
       • Identifies and reports variations from the plan and/or the defined procedures, and presents evidence
       • Informs supervisory personnel and staff about a failure to perform properly
       • Involves the participation of the individual who has been assigned accountability for the process

  36. Review Process
     • Technical reviews
       • Focus on items related to the performance of technology against requirements
         • Technical components include hardware, software, and documentation
         • Entail questions such as
           • Proper implementation
           • Performance conformity to specifications
           • Purpose achievement
       • Support technical and management personnel with direct responsibility
       • Discover and report vulnerabilities that affect performance

  37. Formal versus Informal Review
     • Inspections – considerable analysis is conducted prior to the generation of findings
     • Walkthroughs – findings are reported with the action items as general recommendations
       • Audits ensure trust in the process of walkthroughs
         • Identify emerging problems
         • Offer independent certification of conformance
         • List applicable standards, criteria, and evidence that support audit conclusions
       • Audits usually require
         • A common model, or standard, as the reference point
         • Sound documentary evidence of processes, procedures, and other deliverables to support findings

  38. Measuring Performance
     • The ability to base management decisions on data is an important aspect of an ongoing information assurance maintenance process
     • Measurement programs
       • Allow decision making based on evidence
       • Allow assessment of performance
       • Bring deviations to the right person's attention
         • This is ensured by regularized reviews of each operational element

  39. Measuring Performance
     • Attributes of an effective assessment program:
       • Factual – values are directly observable
       • Adaptable – measures are used that appropriately fit the circumstance
       • Meaningful – outcomes are understandable to all
     • Rule: whatever measures are selected must be applied consistently and uniformly