Information Assurance for the Enterprise


  1. Chapter 4 Building and Documenting an Information Assurance Framework
  2. Objectives
      • Difference between policies and procedures
      • What is an information assurance structure
      • How to tailor an information assurance structure
      • How to document an information assurance infrastructure
  3. Control Process
      • Control process is implemented through a framework of standard procedures
          • They need to be coherent, rational, and understandable
          • They are tailored for efficiency and effectiveness
  4. Difference Between Policy and Procedure
      • Level of focus
          • The focus of policies is long-term and strategic
          • The focus of procedures is short-term and day-to-day
  5. Procedure
      • A specification of sequence and timing of steps of a response
      • A description of action to be taken to achieve a goal
      • A definition of actions performed as part of routine operation
      • A method rather than the outcome
      • A tangible mechanism for evaluating whether the system has met its intended goals
      • In case of information, procedures:
          • Specify the set of assurance activities that must be executed to ensure security
          • Define all information assurance and security actions
  6. Infrastructure
      • An information assurance infrastructure is an essential part of security as it:
          • Specifies the steps the organization will take to ensure security
          • Makes the process tangible so that it is understood and executed properly
          • Describes how all information assurance and security practices will be established and enforced
          • Ensures that the information within the infrastructure is overseen and managed
  7. Five Pillars of Assurance
      • Confidentiality – ensures that information is not disclosed to unauthorized persons, processes, or devices
      • Integrity – reflects the logical correctness of essential components
      • Availability – provides authorized users with timely, reliable access to data and information services
      • Authentication – confirms authorization to acquire specific items of information
      • Non-repudiation – provides proof of delivery and provides identification
  8. Instituting a Sustainable Security Operation
      • Two conditions have to be satisfied:
          • A concrete reference point has to be adopted and documented to guide the process
          • The organization has to follow all specified security practices rigorously
  9. Role of Policy in Creating an Infrastructure
      • Policies state the approach that will be followed to enforce the five pillars of security
          • They should be both comprehensive and coherent
              • They constitute the framework that dictates the scope and application of the information assurance process
              • They must have the right set of procedures to enact it
              • Procedures are progressively refined, until the desired level of control is established
          • Eventual product of this logical decomposition process is the finalized information assurance infrastructure
  10. Role of Policy in Creating an Infrastructure
      • Information assurance infrastructure is an array of control behaviors
          • Designed to ensure security and applicable to all levels
      • Standard approach characteristics:
          • Concrete and can be tailored into specifics of the tasks to be performed
          • Outcomes can be used to judge whether the information assurance process is operating properly
          • Outcomes of these tasks can be assessed and specific responsibility can be assigned
          • Establishes tangible accountability for information assurance and security performance
  11. Ensuring a Disciplined Process: Establishing the Culture
      • Only way to assure security is by demanding disciplined performance of assigned duties
          • Requires a high degree of disciplined practice by people responsible for carrying out the tasks
              • The managers
              • The workers
          • Requires the right level of information assurance and security practice
  12. Ensuring a Disciplined Process: Establishing the Culture
      • Effective information assurance process has to ensure that the people within the system are operating in a secure manner
  13. Ensuring a Disciplined Process: Establishing the Culture
      • Information assurance safeguards are aimed at:
          • Identifying suspicious or undesirable behavior
              • Build a baseline of acceptable, or normal, practices to judge performance
          • Embedding a comprehensive understanding of information assurance
              • Policies
              • Procedures
              • Work practices
  14. Developing An Information Assurance Infrastructure
      • Nine essential qualities of a correctly functioning system:
          • Suitability
          • Accuracy
          • Interoperability
          • Compliance
          • Integrity
          • Maturity
          • Fault tolerance
          • Recoverability
          • Replaceability
  15. Developing An Information Assurance Infrastructure
      • Refinement process
  16. Ensuring Common Understanding: Metrics and Security
      • Tailoring specifics will require derivation from:
          • Policies expressed as a formal specification
          • Perspectives of stakeholders
      • Outcome should be a substantive set of documented practices
          • Should characterize the information assurance functions
      • Requirements must be communicated unambiguously
          • Terms and measures used should be integrated into a single document
      • Need for a deliberate program to develop an appropriate set of common metrics
  17. Ensuring Common Understanding: Metrics and Security
      • Organizational environment determines the metrics
          • Nature, rigor, and application will vary based on the demand of the security situation
          • Basis for decision is the level of control required to establish an assurable system
              • Achieved by continuing to break down each measure into sub-factors
              • Sub-factors should also be traceable through the hierarchy of measures
          • Measurement set must be refined and updated continuously
  18. Accommodating Human Factors in the Infrastructure
      • Disciplined performance determines how correctly each procedure will be followed
          • Behavior of humans within the infrastructure is:
              • Ensured by monitoring and enforcing compliance with documented procedures
              • Harder to assure since it is governed by perceptions and emotions rather than logical rules
              • Challenging, as motivating people to comply requires continuous oversight and strict enforcement
              • Feasible with coherent and explicit definition of acceptable behavior
  19. Documentation: Conveying the Form of the Infrastructure
      • Every information assurance infrastructure has to be documented completely
          • Documentation should communicate the three vital elements of the process:
              • Policies
              • Procedures
              • Work instructions
          • Mechanism that is employed to document these is the Information Assurance Manual
  20. Information Assurance Manual
      • Communicates the organization’s specific approach to information assurance and security
      • Serves as a reference point for developing standard operating procedures
      • Integrates all required procedures and work practices for each policy into a statement of purpose
  21. Information Assurance Manual
      • Advantages:
          • Implements and ensures continuous performance of processes
          • Valuable tool for communicating to stakeholders
          • Advertises new initiatives and accomplishments
          • Itemizes every procedure the organization will follow to comply with each stated policy
          • Facilitates the day-to-day assignment of specific employee responsibility
          • Key mechanism for demonstrating due diligence in performance of information assurance
  22. Ensuring Sustainability: Documentation Set
      • Documentation set – procedures, work practices, and information assurance manual
          • A complete set of operating procedures is written to implement each policy
          • Operating procedure defines what will be done on a day-to-day basis
          • Work practices are developed for each procedure
              • Itemize the behaviors designated to accomplish each procedure
  23. Implementation: Achieving the Right Level of Detail
      • At the minimum every documented procedure states:
          • Steps to be taken, their measurement, and their evaluation criteria
          • Expected output, the measurement, and evaluation criteria
          • Interrelationship with other procedures
          • Qualifications and skills of people performing the procedure
          • Tools, rules, practices, methodologies, and conventions employed
  24. Implementation: Achieving the Right Level of Detail
      • Ten areas of information assurance should be itemized using this policy/procedure/work instruction model:
          • Physical security practices
          • Personnel security practices
          • Operational security practices
          • Network security practices
          • Software security practices
          • Development process security practices
          • Transmission security/encryption practices
          • Business continuity practices
          • Legal and regulatory compliance practices
          • Ethical practices
  25. Walking the Talk – the Role of Detailed Work Practices
      • Specifications communicate the steps chosen to ensure an end-to-end information assurance process
          • Specification of management practices
              • Lays out the details of the management oversight and control function
          • Specification of operations practices
              • Roadmap for the execution and maintenance of the specific process
          • Specification of assurance and accountability practices
              • Verification and validation of the execution of assurance functions
  26. Tailoring a Concrete Information Assurance System
      • Effective information assurance and security depends on establishing the right set of policies, procedures, and work practices, tailored into a concrete infrastructure
          • It is necessary to satisfy at least five generic requirements:
              • Understand the resource
              • Maintain the resource
              • Develop the resource
              • Use the resource
              • Manage the resource
  27. Tailoring a Concrete Information Assurance System
      • Tailoring process
          • Ensures that it is correctly aligned with the environmental, sensitivity, and information assurance requirements of the situation
          • Involves the preparation of a relevant response to six areas discussed further:
              • Context
              • Scope
              • System operation
              • General purpose
              • Environment
              • Sensitivity
  28. Tailoring a Concrete Information Assurance System
      • Context – understand the context in which the system operates
          • Determines the assurance approach
      • Scope – must be defined
          • Unique and meaningful boundaries have to be established
          • Logical interrelationships have to be made explicit
  29. Tailoring a Concrete Information Assurance System
      • System operation – components should be categorized in terms of their role
          • Designate specific purpose of each asset
          • Protection has to be aligned with purpose
          • Analyze, understand, and address threats
      • General purpose – function of each component
          • Simple description that satisfies two goals:
              • Allows users to make informed assignments of priorities for the protected components
              • Allows users to coordinate the implementation and management of the functions assigned to them
  30. Tailoring a Concrete Information Assurance System
      • Environmental considerations – technical and environmental factors that might impact the assurance process
      • Sensitivity requirements – specify the sensitivity of each item
          • Characterized based on risk category:
              • High risk – comprises information characterized as critical and would result in significant losses
              • Medium risk – would be an important concern but not necessarily critical
              • Low risk – some minimal level of risk; not vital
  31. Types of Controls
      • Information assurance control procedures fall into four categories:
  32. Types of Controls
      • In addition to application it is important:
          • To understand the operational status of the control
          • In the designing process
              • Some controls will exist while others will need to be established
          • To have a complete understanding of:
              • Where procedures have been implemented already
              • Where they must be developed
  33. Types of Controls
      • Classification is based on a decision about whether each necessary control item is:
          • In place – a measure must be both operational and judged to be effective
          • Planned – includes specific control functions planned, but not actually operational
          • In place and planned – have part of the control in place while other parts are still missing
          • Not feasible – control measures would be desirable but are neither cost effective nor feasible
  34. Management Controls
      • These controls are behavioral
          • Implement information assurance policies and procedures
          • Regulate access to protected information through procedures
          • Deployed based on the assessed impact of the threats they are designed to address
  35. Development and Implementation Process Controls
      • These controls ensure that information assurance protection is designed into the system from inception
          • Used primarily during the system development phase
          • Ensure that appropriate technical, physical, administrative, and personnel security requirements are satisfied
          • Based on the verification and validation review process
  36. Operational Controls
      • The day-to-day procedures that protect the operation from a wide variety of threats
      • Operational controls fall into six categories:
          • Physical and environmental protection
          • Production and input/output control
          • Contingency planning
          • Installation and update controls
          • Configuration management control
          • Documentation control
  37. Technical Controls
      • Technical controls include:
          • Automated access controls – control access
          • Authorization controls – provide the appropriate level of access to each entity
              • Detect unauthorized activities
          • Integrity control procedures – protect data from accidental or malicious alteration or destruction