Presented by John M. Kennedy
October 30, 2007
ProMonsterMedia, LLP
• Incident Response Plan
• Security Requirements
• Information System Security Policy
• Contingency Plan
• Security Education, Training and Awareness Program [SETA]
• How do I deal with this?
• What impact does it have?
• Who needs to know?
• DITSCAP
• HIPAA
• Sarbanes-Oxley
• Phone Contact List
• Check List
• Goals and Objectives
• Attack Impact Matrix
• Notification Matrix
• Evidence Guidance
• Actual Procedures Guides (appendix)
• Senior Management
  • Provides Support, Authority to Act
  • Provides Funding
  • Provides Approval
• Steering Committee
  • Overall direction of IRP
  • Frequent review of draft plans
  • One member from each impacted department
• Development Team
  • Project Officer
  • Support Staff (each department)
• Create Steering Committee
  • Establish Team Lead
• Identify Critical Systems and Data
• Identify Disasters
• Draft Plan According to Matrix
• Plan Review
• Plan Approval
• Developed after the initial design of the system
  • Step 1 - Definition
• Used after the system has been put into place
  • Step 4 – Post Accreditation
• No Simple Answer
• No “Canned” Solution
• Time to Prepare (depends…)
  • How Prepared (documented)
  • How Skilled (development team)
  • Level of Support (departments)
• Size of Plan (manual size)
  • Identify Members
  • Identify Critical Systems
  • Identify Critical Data
  • Identify Appropriate Response
• Incident Response Team
  • Members (Maiwald, 2002)
• Security Policy
  • Purpose
  • Audience
• Security Measures
  • Ongoing Monitoring
  • Deployment of necessary security measure tools
• Initiation Phase
• Development Phase
• Implementation Phase
• Operations Phase
• Disposal Phase

• System-Level Prioritization
• Enterprise-Level Prioritization
Figure: Database Security (Security Feature, Protection Objective, Security Mechanism)
• Security Features: security features the system-to-be must have (e.g. Privacy)
• Protection Objectives: principles that contribute towards the security features (e.g. Access Control)
• Security Mechanisms: mechanisms to achieve the protection objectives (e.g. Authentication)
• Awareness and Training
  • Awareness
  • Training
  • Education
  • Certification
• Vulnerabilities assessment
• Access control
  • Passwords
  • Physical security
  • Access cards
  • Biometric authentication
  • Wireless security
• Network security
  • TCP/IP standards
  • The Internet protocol
• Firewalls and anti-virus
  • Types of protection
  • Firewall architecture
• Host security
  • Server hardening
  • Patching
  • Client hardening
• Cryptography
  • Symmetric vs. asymmetric encryption
  • Public key infrastructure (PKI) encryption
  • Digital certificates
• E-mail security
• Intrusion detection system (IDS)
• Penetration testing
• Logging and traffic monitoring
• Audit
• Risk assessment
• Disaster and recovery
• Vulnerabilities assessment
  • Defining the scope of vulnerability management
  • Asset inventory
  • Information management
  • Tools
  • Reporting and remediation
  • Response planning
• Access controls
  • Reusable passwords
    • Passwords must be changed periodically
  • Password policies
    • Good password
  • Physical security
    • To buildings and infrastructure
  • Access cards
  • Biometric authentication
  • Wireless security
• Network security
  • TCP/IP standards
    • Internet protocol
    • HTTPS protocol
    • Secure Sockets Layer (SSL)
• Firewall
  • Types of protection
    • Packet inspection
    • Application inspection
    • Denial of service inspection
    • Authentication of users
  • Types of firewalls
    • Router screening
    • Computer based
    • Host firewalls
    • Stateful, ACL, and application firewalls
• Host security
  • Hardening servers
  • Hardening clients
  • Hosting servers in a separate secure building
  • Patch installation
  • Managing permissions
  • Testing for vulnerabilities
• Cryptography
  • Symmetric vs. asymmetric encryption
  • Public key infrastructure (PKI) encryption
  • Digital certificates
• E-mail security
• Intrusion detection system (IDS)
• Penetration testing
• Logging and traffic monitoring
• Auditing
  • Audit trails
  • Purpose of audit mechanism
  • Aspects of effective auditing
• Risk assessment
  • Periodically assess risks
  • Threat, vulnerability and asset identification
• Disaster and recovery
• System milestones
  • The development process will start at the beginning of the project and will be an ongoing process
• Estimated number of hours to complete appendix-F = 10 Hours
• Estimated number of pages =
• 5 IT personnel x ($35/hr) = $175
• $175 x 17 (pages) x 10 (hrs/page) = $29,750 total cost for appendix-F
Information System Security Policy

• Purpose of the Information System Security Policy
• Target Information System
• Policy Content
  • Identify Roles and Responsibilities
  • Access Control & External Access
  • User Characteristics
  • Sensitivity of Processed Data
• Tasks and Estimates

• Informs all users of the goals and constraints of using the system.
• Explains how the security program is structured.
• Provides scope and direction for all security activities within the organization.
• Recognizes the system’s sensitive assets.

Characteristics of a well-developed security policy:
  • Coverage
  • Durability
  • Realism
  • Usefulness
  • Comply with applicable laws and regulations
System Description
  • Distributed Database
  • Queried by telecommuting employees and clients

System Capabilities
  • Stores and distributes information to clients
  • Sensitive data processed
    • Malpractice Lawsuits
    • Disciplinary Actions
Roles & Responsibilities
  • Designated Approving Authority (DAA)
  • Information System Security Officer (ISSO)
  • User Representatives
  • Database Administrator

Access Control & External Access
  • Auditing
  • Public Key Infrastructure & E-mail
  • Internet Security
  • Virus Definition Updates

User Characteristics
  • Discretionary Access Control
  • Password Management

Sensitivity of Processed Data
  • Data Classification
  • Data Markings
  • Printed Data
Tasks
  • 1st: Draft of document
  • 2nd: Release of document
  • 3rd: Baseline document (if approved)

Estimate based on NWA 50193/0002 for completion of 100 pages.
  • 8 man hours per page @ 1 FTE = 105 USD
  • 13 pgs x 105 USD = 10,500 USD

Estimate
  • 10 pgs x 8 hrs = 80 hours
  • 80 hr x 105 USD = 8,400 USD

FTE (Full Time Engineer $13.13)
USD (United States Dollars)
“What do we do when we cannot use our facility?”

“What can we do now to better prepare our business unit to respond when our facility is unavailable?”

• The best way to prepare for a disaster is to avoid the disaster. Therefore, look for any potential problems you can find and correct them.
• Observe physical security procedures in your facility, and encourage increased security when appropriate.
• Observe information security procedures regarding computers in your facility, and encourage increased security when appropriate.
• Consider encouraging security-training sessions where appropriate.
To maintain an acceptable level of residual risk throughout the lifecycle

• IT System Contingency Plans
  • Must be tested annually
  • Table Top exercise
  • Functional exercise
• Public Law 107-347, also known as the Federal Information Security Management Act of 2002 (FISMA)
  • Requires agencies to identify and provide information security protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems
Contingency planning is the task that develops a plan for emergency response, backup operations, and post-disaster recovery.

The contingency plan evaluation task analyzes the contingency, back-up, and continuity of service plans to ensure the plans are consistent with the requirements identified in the SSAA.

The team plan has been developed by the ProMonsterMedia IT Working Group.

Team Leaders are responsible for part of the plan development process.

The form is used to chart the progress in developing your business resumption plan.

Each plan segment/module is listed with the development responsibility.
This certification task ensures that change control and configuration management practices are, or will be, in place and are sufficient to preserve the integrity of the security-relevant software and hardware.

Inspections of operational sites ensure their compliance with the physical security, procedural security, TEMPEST, and COMSEC requirements.

• Review configuration & security management
  • Follow change management documented in the SSAA
  • Determine if system security management continues to support the mission and architecture
• Conduct risk management review
  • Assess if risk to CIAA is being maintained at an acceptable level
• Conduct compliance validation if needed
  • Ensure continued compliance with SSAA regulations, current threat assessment, and concept of operations
• Maintain SSAA
1. Definition
2. The Target Audience
3. Rationale and Purpose
4. System Milestones
5. Content Development
6. Estimates
7. References
8. Appendices
Definition

What is a Security Education, Training and Awareness [SETA] Plan?

Michael Whitman (2006) stated that a SETA plan is a “Program designed to provide direct, applied measures to influence employee behavior, increase employee abilities and enable the organization to hold employees accountable for their actions.” (p. 22)

Now, why are the education, training and awareness of people so important for protecting and securing critical or sensitive information?
The Target Audience

The Weakest Link

The most secure point of failure in any security program.

Security is everyone's responsibility!

According to Wilson & Hash (2003), the key factor in providing security is not the technology or the state-of-the-art efforts to protect and secure the Information Systems [IS]. To provide adequate information security, the people factor is the key factor, because people are the system’s weakest link. (p. 1)

SEC_RITY is not complete without U!
Database Security SETA Program Rationale

All people perusing or administering the Database Management System and Information Systems must:

• Understand ProMonsterMedia’s mission and their roles and responsibilities
• Follow ProMonsterMedia’s Information System Security Policy, regulations and practices
• Be trained in and/or aware of the risks, threats and the methods of control implemented to protect and secure the Information System’s critical assets and resources (Wilson & Hash, October 2003)
The Rationale and Purpose

“Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.”

“Problems cannot be solved at the same level of awareness that created them.”

(Whitman, 2006, p. 30)
Best Practices & Guides

Legal Components: Official Sources and Documentation

1. ISO 17799
2. COBIT 4.0
3. HIPAA (Privacy & Security Rules)
4. GLB-A
5. PCI Data Security Standard
6. OMB Circular A-130
7. FISMA Public Law 107-347
8. NIST SP 800-16
9. NIST SP 800-50
10. Section 508 of the Rehabilitation Act

(Addison, 2007)

1. By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems
2. By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely
3. By improving awareness of the need to protect system resources (NIST, 1995)
The System Milestones

1. Program Strategy Planning
2. Design & Development
3. Delivery, Administration & Post-implementation

These are the phases of the life cycle development process for SETA described by Wilson and Hash (2003) in NIST SP 800-50:

1. Awareness and Training Program Design (Wilson & Hash, 2003, Section 3)
2. Awareness and Training Material Development (Wilson & Hash, 2003, Section 4)
3. Program Implementation (Wilson & Hash, 2003, Section 5)
4. Post-Implementation (Wilson & Hash, 2003, Section 6)
Specific Content Development

• Laws and Regulations
• IT Security Program
• System Environment
• System Interconnection
• Information Sharing
• Sensitivity
• Risk Management
• Management Controls
• Acquisition/Development/Installation/Implementation Controls
• Operational Controls
• Awareness, Training, and Education Controls
• Technical Controls

(Wilson, Zafra de, Tressler, & Ippolito, April 1998)
Three models:

1. Centralized
2. Partially Decentralized
3. Fully Decentralized

(Wilson & Hash, 2003)

Figure 2 Model 1 – Centralized Program Management (Wilson & Hash, 2003, p. 23, figure 3-1)
NIST SP 800-16 states: “Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge . . . and strives to produce IT security specialists and professionals capable of vision and pro-active response.” (Wilson, Zafra, Tressler et al., 1998)

Wilson & Hash (2003) indicated that “Training strives to produce relevant and needed security skills and competencies.” (p. 9)

“Awareness is not training or education, is bringing the attention on the importance of Security Issues.” (Wilson, Zafra, Tressler et al., 1998)

Figure 2 depicts the continuum (Wilson & Hash, 2003, p. 18, figure 2-1)
Figure 3 Needs assessment (Wilson & Hash, 2003, p. 29, figure 3-5)

NIST SP 800-50 (2003) provides the following questions (p. 29):

• What awareness, training, and/or education are needed (i.e., what is required)?
• What is currently being done to meet these needs?
• What is the current status regarding how these needs are being addressed (i.e., how well are current efforts working)?
• Where are the gaps between the needs and what is being done (i.e., what more needs to be done)?
• Which needs are most critical?

Figure 4 shows the required level of training versus the current level of effort (Wilson & Hash, 2003, p. 30, figure 3-7)
• Did our team complete a needs assessment?
• Did our team develop an overall strategy?
• Did our team complete an awareness and training program for implementing the strategy previously developed?
• Did the security team finally develop the awareness and training material?

Figure 5 Key Steps Leading to Program Implementation (Wilson & Hash, 2003, p. 42, figure 5-1)

Figure 6 The Post-implementation (Wilson & Hash, 2003, p. 46, figure 6-1)

Figure 7 Evaluation and Feedback Methodology (Wilson & Hash, 2003, p. 48, figure 6-2)
Estimates

Government Security Classification Costs Estimate, Fiscal Year 2005

• Total = $7.7 Billion
• Personnel Security = $1.15 Billion
• Physical Security = $1 Billion
• Information Security = $4 Billion
• Information Technology = $3.6 Billion
• Classification Management = $310 Million
• Declassification = $57 Million
• Professional Education and Training = $219 Million
• Security Management and Planning = $1.2 Billion
• Unique = $6.6 Million

(ISOO, 2005)
Total = 60 Estimated SETA Team Hours per 180 Estimated pages.

Figure: SETA program phases: 1 Program Strategy Planning, 2 Design & Development, 3 Delivery, Administration & Post-implementation

PHASE                                                 Estimated SETA Team Hours   Estimated Number of Pages
1st  The SETA Strategic Planning                      5                           50
2nd  Program Design and Development                   30                          50
3rd  Delivery, Administration & Post-Implementation   25                          80
     Total                                            60                          180

Estimate based on completion of 180 pages

• 1 SETA Security Team hour equals $250.00 US Dollars [USD]
• Estimated total of pages equals 180
• Estimated total of SETA Security Team hours equals 60

Estimate: Appendix “O” SETA plan cost

60 SETA Security Team hours x $250.00 per hour = $15,000.00 US Dollars
Other expenses and Misc. = 5,000.00 USD

ESTIMATED TOTAL COST = $20,000.00
Thank you for your attention and, just as a reminder:

Security is about “us”, not only about you. We are all in it.

Do you have any questions?

SETA Appendices
2007 LandWarNet Conference. (2007, Aug 21). Notes.

Addison, S. (2007, July 3). Best Practices for Security Awareness Training. Security-awareness.com. Retrieved October 24, 2007, from http://security-awareness-training.com/2007/07/23/best-practices-for-security-awareness-training/

Bowen, P., Hash, J. & Wilson, M. (2006). Information Security Handbook. Retrieved October 26, 2007, from http://www.nist.gov

Brackin, C. (2003). Vulnerability Management: Tools, Challenges, & Best Practices. Retrieved October 26, 2007, from http://www.sans.org/reading room

Business Resumption Development Guide. (2006, May 5). Buckley King LPA.

Canavan, S. & Diver, S. (2007). Information Security Policy - A Development Guide for Large & Small Companies. Retrieved October 26, 2007, from http://www.sans.org/reading room

Department of Defense [DoD]. (2000, July 31). Information Technology Security Certification and Accreditation Process (DITSCAP). Application Manual DoD 8510.1-M. Retrieved October 24, 2007, from http://www.dtic.mil/whs/directives/corres/pdf/851001m.pdf

Department of Defense. (1997, Dec 30). Information Assurance. Retrieved October 28, 2007, from http://iase.disa.mil/ditscap/DitscapFrame.html

DIACAP and the GIGIA Architecture. (2005, March). Retrieved October 27, 2007, from http://www.afei.org/documents/DIACAPandtheGIGCCRTS_371.pdf

DISA. (2007, June 21). Enclave Security Technical Implementation Guide Version 4, Release 1. DISA Field Security Operations. Developed by DISA for the DoD. Retrieved October 28, 2007, from http://iase.disa.mil/stigs/stig/enclave-stig-v4r1.pdf

DOD 5200.28-STD. (1985, December 26). Trusted Computer System Evaluation Criteria. Security Functionality Requirements. (1992, January 28). Minimum Security Functionality Requirements For Multi-User Operating Systems. Retrieved October 15, 2007, from http://security.isu.edu/pdf/secfunreq.pdf

Foix, R. (2004, October 4). Expanding responsibility for incident response. Computerworld, 38(40), 28-28. Retrieved October 27, 2007, from Computer Source database.

G. (2002). Implementing an Effective IT Security Program. Retrieved October 27, 2007, from http://www.sans.org/reading room

GadAllah, S. (2003). The Importance of Logging & Traffic Monitoring for Information Security. Retrieved October 27, 2007, from http://www.sans.org/reading room

Iase.disa.mil. Information Assurance Support Environment Profile. Retrieved October 26, 2007, from http://iase.disa.mil/

Information Security Oversight Office [ISOO]. (2005). Report On Cost Estimates For Security Classification Activities Background And Methodology. Retrieved October 28, 2007, from http://www.archives.gov/isoo/reports/2005-cost-report.html

Kyle, S. (2003). Biometrics: An In Depth Examination. Retrieved October 27, 2007, from http://www.sans.org/reading room

Maiwald, E. (2002). Security Planning and Disaster Recovery. Blacklick, OH, USA: McGraw-Hill Professional.

National Computer Security Center (NCSC). (1987). A Guide to Understanding Audit in Trusted Systems. Retrieved October 27, 2007, from http://csrc,ncsl.nist.gov/publications/secpubs/rainbow/tg001.txt

Panko, R. (2004). Corporate Computer and Network Security. Upper Saddle River, NJ: Pearson Education Inc.

Pfleeger, C. & Pfleeger, S. (2003). Security In Computing (3rd ed.). Upper Saddle River, NJ: Pearson Education Inc.

Pratt, M. (2007, May 16). Five tips for building an incident response plan. Retrieved October 27, 2007, from Computerworld Web site: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019558&pageNumber=1

Ross, R. (2004). Guide for the Security Certification and Accreditation of Federal Information Systems. Maryland: Diana Publishing Company. Security in Computing (3rd Edition). New Jersey: Prentice Hall.

Setty, H. (2001). System Administrator-Security Best Practices. Retrieved October 26, 2007, from http://www.sans.org/reading room

Thompson, D. (2005). Implementing a Secure Wireless Network for a Windows Environment. Retrieved October 27, 2007, from http://www.sans.org/reading room

Whitman, M. E. (2006). Assuring the Integrity of Financial Information Systems: Awareness and Responsibility of Employees and Business Partners. Michael E. Whitman, Ph.D., CISSP. Center for Information Security Education, Kennesaw State University. Retrieved October 24, 2007, from http://www3.uakron.edu/cba/cretisa/2006/whitman_infosec.pdf

Wilson, M., & Hash, J. (2003, October). Building an Information Technology Security Awareness and Training Program. NIST Special Publication 800-50. Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8933.

Wilson, M., & Hash, J. (2003, October). Information Technology Security Awareness, Training, Education, And Certification. ITL Bulletin. Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology (NIST). Retrieved October 23, 2007, from http://www.itl.nist.gov/lab/bulletns/bltnoct03.htm

Wilson, M., Zafra de, D. E., Tressler, J. D., & Ippolito, J. B. (1998, April). Information Technology Security Training Requirements: A Role- and Performance-Based Model. NIST Special Publication 800-16 (supersedes Special Publication 500-172). U.S. Department of Commerce, Technology Administration, National Institute of Standards and Technology, Gaithersburg, MD 20899-0001. Retrieved October 24, 2007, from http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf

www.dtic.mil. (n.d.). Retrieved October 22, 2007, from http://www.dtic.mil/whs/directives/corres/text/p85101m.txt

Database development and security certification and accreditation plan pitwg

  • 1.
    Presented by JohnM. Kennedy October 30, 2007 ProMonsterMedia, LLP
  • 2.
    Incident Response Plan  Security Requirements  Information System Security Policy  Contingency Plan  Security Education, Training and Awareness Program [SETA]
  • 4.
     How doI deal with this?  What impact does it have?  Who needs to know?
  • 5.
  • 6.
     Phone Contact List  Check List  Goals and Objectives  Attack Impact Matrix  Notification Matrix  Evidence Guidance  Actual Procedures Guides (appendix)
  • 7.
     Senior Management  Provides Support, Authority to Act  Provides Funding  Provides Approval
  • 8.
     Steering Committee  Overall direction of IRP  Frequent review of draft plans  One member from each impacted department
  • 9.
     Development Team  Project Officer  Support Staff (each department)
  • 10.
     Create Steering Committee  Establish Team Lead  Identifying Critical Systems and Data  Identifying Disasters  Draft Plan According to Matrix  Plan Review  Plan Approval
  • 11.
     Developed after the initial design of system  Step 1 - Definition  Used after system has been put into place.  Step 4 – Post Accreditation
  • 12.
     No SimpleAnswer  No “Canned” Solution  Time to Prepare (depends…)  How Prepared (documented)  How Skilled (development team)  Level of Support (departments)  Size of Plan (manual size)  Identify Members  Identify Critical Systems  Identify Critical Data  Identify Appropriate Response
  • 13.
     Incident Response Team  Members (Maiwald, 2002)
  • 15.
     Security Policy  Purpose  Audience  Security Measures  Ongoing Monitoring  Deployment of necessary security measures tools.
  • 16.
     Initiation  System-Level Phase Prioritization  Development  Enterprise- Phase Level  Implementati Prioritization on Phase  Operations Phase  Disposal Phase
  • 17.
    Security Database Feature Security Mechanism Protection Objective
  • 18.
    • Security Features Security Features the system- to-be must have (e.g. Privacy) • Protection Objectives Principles that contribute towards the security features (e.g. Access Control) • Security Mechanisms Mechanisms to achieve the protection objectives (e.g. Authentication)
  • 19.
     Awareness and Training  Awareness  Training  Education  Certification
  • 20.
     Vulnerabilities assessment  Access control  Passwords  Physical security  Access cards  Biometric Authentication  Wireless security  Network security  TCP/IP Standards  The internet protocol
  • 21.
     Firewalls and Anti-virus  Types of protection  Firewall architecture  Host security  Servers hardening  Patching  Clients Hardening
  • 22.
     Cryptography  Symmetric vs. Asymmetric encryption  Public key infrastructure (PKI) encryption  Digital certificates  E-Mail security  Intrusion detection system (IDS)  Penetration testing  Logging and Traffic monitoring
  • 23.
     Audit  RiskAssessment Disaster and Recovery
  • 24.
     Vulnerabilities assessment  Defining the scope of vulnerability management  Asset inventory  Information management  Tools  Reporting and remediation  Response planning
  • 25.
     Access controls  Reusable passwords  Passwords must be changed periodically  Password policies  Good password  Physical security  To buildings and infrastructure  Access cards  Biometric authentication  Wireless security
  • 26.
     Network security TCP/IP Standards  Internet protocol  HTTPS Protocol  Secure Socket Layer (SSL)
  • 27.
     Firewall  Types of protection  Packet inspection  Application inspection  Denial of service inspection  Authentication of users  Types of firewalls  Router screening  Computer based  Host firewalls  Stateful, ACLS, and application firewalls
  • 28.
     Host security  Hardening servers  Hardening clients  Hosting servers in a separate secure buildings  Patching installation  Managing permissions  Testing for vulnerabilities
  • 29.
     Cryptography  Symmetric vs. Asymmetric encryption  Public key infrastructure (PKI) encryption  Digital certificates  E-Mail security  Intrusion detection system (IDS)  Penetration testing  Logging and Traffic monitoring
  • 30.
     Auditing  Audit trails  Purpose of audit mechanism  Aspects of effective auditing  Risk assessment  Periodically assess risks  Threat, vulnerability and asset identification  Disaster and recovery
  • 31.
     System milestones  The development process will start at the beginning of the project and will be an ongoing process  Estimated number of hours to complete appendix-F = 10 Hours  Estimated number of pages =  5 IT personnel x ($35/hr) = $175  $175x17(pages)x10(hrs/page)= $ 29,750 total cost for appendix-F
  • 32.
  • 33.
     Purposeof theInformation System Security Policy  Target Information System
  • 34.
     Policy Content  Identify Roles and Responsibilities  Access Control & External Access  User Characteristics  Sensitivity of Processed Data  Tasks and Estimates
  • 35.
    Informs all users of the goals and constraints of using the system.  Explains how the security program is structured.  Provides scope and direction for all security activities within the organization.  Recognizes the system’s sensitive assets.
  • 36.
    Characteristics of a well developed security policy:  Coverage  Durability  Realism  Usefulness  Comply with applicable laws and regulations
  • 37.
    System Description System  Distributed Capabilities Database  Stores and  Queried by distributes telecommuting information to employees and clients clients  Sensitive data processed  Malpractice Lawsuits  Disciplinary Actions
  • 38.
    Roles & Access Control & Responsibilities External Access  Designated Approving  Auditing Authority (DAA)  Public Key  Information System Infrastructure & E- Security Officer (ISSO) mail  User Representatives  Internet Security  Database  Virus Definition Administrator Updates
  • 39.
    User Sensitivity of Characteristics Processed Data  Data Classification  Discretionary Access Control  Data Markings  Password Management  Printed Data
  • 40.
     Tasks  1st : Draft of document  2nd : Release of document  3rd : Baseline document  If approved
  • 41.
    Estimate based off NWA 50193/0002 for completion of 100 pages.  8 man hours per page @ 1FTE =105 USD  13 pgs x 105 USD = 10,500 USD  Estimate  10 pgs x 8 hrs = 80 hours  80hr x 105 USD = 8,400 USD  FTE (Full Time Engineer $13.13)  USD (United States Dollars)
  • 43.
     “What dowe do when we can not use our facility?”  “What can we do now to better prepare our business unit to respond when our facility is unavailable?”
The best way to prepare for a disaster is to avoid the disaster. Therefore, look for any potential problems you can find and correct them.
  Observe information security procedures regarding computers in your facility, and encourage increased security when appropriate.
  Observe physical security procedures in your facility, and encourage increased security when appropriate.
  Consider encouraging security-training sessions where appropriate.
To maintain an acceptable level of residual risk throughout the lifecycle.
IT System Contingency Plans
  Must be tested annually
  Table Top exercise
  Functional exercise
Public Law 107-347, also known as the Federal Information Security Management Act of 2002 (FISMA), requires agencies to identify and provide information security protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification or destruction of information and information systems.
Contingency planning is the task that develops a plan for emergency response, backup operations, and post-disaster recovery.
The contingency plan evaluation task analyzes the contingency, back-up, and continuity of service plans to ensure the plans are consistent with the requirements identified in the SSAA.
The team plan has been developed by the ProMonsterMedia IT Working Group. Team Leaders are responsible for part of the plan development process.
The form is used to chart the progress in developing your business resumption plan. Each plan segment/module is listed with the development responsibility.
This certification task ensures that change control and configuration management practices are, or will be, in place and are sufficient to preserve the integrity of the security-relevant software and hardware.
Inspections of operational sites to ensure their compliance with the physical security, procedural security, TEMPEST, and COMSEC requirements.
Review configuration & security management
  Follow change management documented in the SSAA
  Determine if system security management continues to support the mission and architecture
  Conduct a risk management review
  Assess whether risk to CIAA is being maintained at an acceptable level
  Conduct compliance validation if needed
  Ensure continued compliance with SSAA regulations, the current threat assessment, and the concept of operations
  Maintain the SSAA
  1. Definition
  2. The Target Audience
  3. Rationale and Purpose
  4. System Milestones
  5. Content Development
  6. Estimates
  7. References
  8. Appendices
What is a Security Education, Training and Awareness [SETA] Plan? Michael Whitman (2006) stated that a SETA plan is a: “Program designed to provide direct, applied measures to influence employee behavior, increase employee abilities and enable the organization to hold employees accountable for their actions.” (p. 22). Now, why are educating, training and people awareness so important for protecting and securing critical or sensitive information?
The Weakest Link: the most secure point of failure in any security program. Security is everyone's responsibility!
  According to Wilson & Hash (2003), the key factor in providing security is not the technology or the state-of-the-art efforts to protect and secure the Information Systems [IS].
  To provide adequate information security, the people factor is the key factor because people are the system’s weakest link (p. 1).
SEC_RITY is not complete without U!
Database Security SETA Program Rationale
All people using or administering the Database Management System and Information Systems must:
  Understand ProMonsterMedia’s mission and their roles and responsibilities
  Follow ProMonsterMedia’s Information System Security Policy, regulations and practices
  Be trained and/or aware of the risks, threats and the methods of control implemented to protect and secure the Information System’s critical assets and resources (Wilson & Hash, October 2003)
“Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.”
“Problems cannot be solved at the same level of awareness that created them.” (Whitman, 2006, p. 30)
Best Practices & Guides - Legal Components: Official Sources and Documentation
  1. ISO 17799
  2. COBIT 4.0
  3. HIPAA (Privacy & Security Rules)
  4. GLB-A
  5. PCI Data Security Standard
  6. OMB Circular A-130
  7. FISMA, Public Law 107-347
  8. NIST SP 800-16
  9. NIST SP 800-50
  10. Section 508 of the Rehabilitation Act
(Addison, 2007)
  1. By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems
  2. By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely
  3. By improving awareness of the need to protect system resources (NIST, 1995)
SETA life cycle phases: 1 Program Strategy & Planning; 2 Design & Development; 3 Delivery, Administration & Post-implementation
These are the phases of the life cycle development process for SETA described by Wilson and Hash (2003) in NIST SP 800-50:
  1. Awareness and Training Program Design (Wilson & Hash, 2003, Section 3)
  2. Awareness and Training Material Development (Wilson & Hash, 2003, Section 4)
  3. Program Implementation (Wilson & Hash, 2003, Section 5)
  4. Post-Implementation (Wilson & Hash, 2003, Section 6)
  Laws and Regulations
  IT Security Program
  System Environment
  System Interconnection
  Information Sharing
  Sensitivity
  Risk Management
  Management Controls
  Acquisition/Development/Installation/Implementation Controls
  Operational Controls
  Awareness, Training, and Education Controls
  Technical Controls
(Wilson, de Zafra, Tressler, & Ippolito, April 1998)
Three models:
  1. Centralized
  2. Partially Decentralized
  3. Fully Decentralized
(Wilson & Hash, 2003)
Figure 2: Model 1 – Centralized Program Management (Wilson & Hash, 2003, p. 23, figure 3-1)
NIST SP 800-16 states: “Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge . . . and strives to produce IT security specialists and professionals capable of vision and pro-active response.” (Wilson, de Zafra, Tressler et al., 1998). Wilson & Hash (2003) indicated that “Training strives to produce relevant and needed security skills and competencies.” (p. 9). “Awareness is not training or education; it is bringing attention to the importance of security issues.” (Wilson, de Zafra, Tressler et al., 1998). Figure 2 depicts the continuum (Wilson & Hash, 2003, p. 18, figure 2-1).
Figure 3: Needs assessment (Wilson & Hash, 2003, p. 29, figure 3-5).
NIST SP 800-50 (2003) provides the following questions (p. 29):
  • What awareness, training, and/or education are needed (i.e., what is required)?
  • What is currently being done to meet these needs?
  • What is the current status regarding how these needs are being addressed (i.e., how well are current efforts working)?
  • Where are the gaps between the needs and what is being done (i.e., what more needs to be done)?
  • Which needs are most critical?
Figure 4 shows the required level of training versus the current level of effort (Wilson & Hash, 2003, p. 30, figure 3-7).
  Did our team complete a needs assessment?
  Did our team develop an overall strategy?
  Did our team complete an awareness and training program for implementing the strategy previously developed?
  Did the security team finally develop the awareness and training material?
Figure 5: Key Steps Leading to Program Implementation (Wilson & Hash, 2003, p. 42, figure 5-1)
Figure 6: The Post-implementation (Wilson & Hash, 2003, p. 46, figure 6-1)
Figure 7: Evaluation and Feedback Methodology (Wilson & Hash, 2003, p. 48, figure 6-2)
Government Security Classification Costs Estimate, Fiscal Year 2005
  Total = $7.7 Billion
  Personnel Security = $1.15 Billion
  Physical Security = $1 Billion
  Information Security = $4 Billion
  Information Technology = $3.6 Billion
  Classification Management = $310 Million
  Declassification = $57 Million
  Professional Education and Training = $219 Million
  Security Management and Planning = $1.2 Billion
  Unique = $6.6 Million
(ISOO, 2005)
The SETA Program: 1 Program Strategy & Planning; 2 Design & Development; 3 Delivery, Administration & Post-implementation
PHASE                                                  Estimated SETA Team Hours   Estimated Number of Pages
1st  Strategic Planning                                  5                          50
2nd  Program Design and Development                     30                          50
3rd  Delivery, Administration & Post-Implementation     25                          80
Total = 60 estimated SETA Team hours per 180 estimated pages.
Estimate based on completion of 180 pages
  1 SETA Security Team hour equals $250.00 US Dollars [USD]
  Estimated total number of pages equals 180
  Estimated total SETA Security Team hours equals 60
Estimate: Appendix “O” SETA plan cost
  60 SETA Security Team hours x $250.00 per hour = $15,000.00 US Dollars
  Other expenses and misc. = 5,000.00 USD
  ESTIMATED TOTAL COST = $20,000.00
Thank you for your attention, and just as a reminder: security is about “us”, not only about you. We are all in it. Do you have any questions?
References
2007 LandWarNet Conference. (2007, Aug 21). Notes.
Addison, S. (2007, July 3). Best Practices for Security Awareness Training. Security-awareness.com. Retrieved October 24, 2007, from http://security-awareness-training.com/2007/07/23/best-practices-for-security-awareness-training/
Bowen, P., Hash, J. & Wilson, M. (2006). Information Security Handbook. Retrieved October 26, 2007, from http://www.nist.gov
Brackin, C. (2003). Vulnerability Management: Tools, Challenges, & Best Practices. Retrieved October 26, 2007, from http://www.sans.org/reading room
Business Resumption Development Guide. (2006, May 5). Buckley King LPA.
Canavan, S. & Diver, S. (2007). Information Security Policy - A Development Guide for Large & Small Companies. Retrieved October 26, 2007, from http://www.sans.org/reading room
Department of Defense [DoD]. (2000, July 31). Information Technology Security Certification and Accreditation Process (DITSCAP). Application Manual DoD 8510.1-M. Retrieved October 24, 2007, from http://www.dtic.mil/whs/directives/corres/pdf/851001m.pdf
Department of Defense. (1997, Dec 30). Information Assurance. Retrieved October 28, 2007, from http://iase.disa.mil/ditscap/DitscapFrame.html
DIACAP and the GIG IA Architecture. (2005, March). Retrieved October 27, 2007, from http://www.afei.org/documents/DIACAPandtheGIGCCRTS_371.pdf
DISA. (2007, June 21). Enclave Security Technical Implementation Guide, Version 4, Release 1. DISA Field Security Operations. Developed by DISA for the DoD. Retrieved October 28, 2007, from http://iase.disa.mil/stigs/stig/enclave-stig-v4r1.pdf
DOD 5200.28-STD. (1985, December 26). Trusted Computer System Evaluation Criteria.
Security Functionality Requirements. (1992, January 28). Minimum Security Functionality Requirements For Multi-User Operating Systems. Retrieved October 15, 2007, from http://security.isu.edu/pdf/secfunreq.pdf
Foix, R. (2004, October 4). Expanding responsibility for incident response. Computerworld, 38(40), 28. Retrieved October 27, 2007, from Computer Source database.
G. (2002). Implementing an Effective IT Security Program. Retrieved October 27, 2007, from http://www.sans.org/reading room
GadAllah, S. (2003). The Importance of Logging & Traffic Monitoring for Information Security. Retrieved October 27, 2007, from http://www.sans.org/reading room
Iase.disa.mil. Information Assurance Support Environment Profile. Retrieved October 26, 2007, from http://iase.disa.mil/
Information Security Oversight Office [ISOO]. (2005). Report on Cost Estimates for Security Classification Activities: Background and Methodology. Retrieved October 28, 2007, from http://www.archives.gov/isoo/reports/2005-cost-report.html
Kyle, S. (2003). Biometrics: An In Depth Examination. Retrieved October 27, 2007, from http://www.sans.org/reading room
Maiwald, E. (2002). Security Planning and Disaster Recovery. Blacklick, OH: McGraw-Hill Professional.
National Computer Security Center (NCSC). (1987). A Guide to Understanding Audit in Trusted Systems. Retrieved October 27, 2007, from http://csrc,ncsl.nist.gov/publications/secpubs/rainbow/tg001.txt
Panko, R. (2004). Corporate Computer and Network Security. Upper Saddle River, NJ: Pearson Education Inc.
Pfleeger, C. P. & Pfleeger, S. L. (2003). Security in Computing (3rd ed.). Upper Saddle River, NJ: Pearson Education Inc.
Pratt, M. (2007, May 16). Five tips for building an incident response plan. Retrieved October 27, 2007, from Computerworld Web site: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9019558&pageNumber=1
Ross, R. (2004). Guide for the Security Certification and Accreditation of Federal Information Systems. Maryland: Diana Publishing Company.
Setty, H. (2001). System Administrator - Security Best Practices. Retrieved October 26, 2007, from http://www.sans.org/reading room
Thompson, D. (2005). Implementing a Secure Wireless Network for a Windows Environment. Retrieved October 27, 2007, from http://www.sans.org/reading room
Whitman, M. E. (2006). Assuring the Integrity of Financial Information Systems: Awareness and Responsibility of Employees and Business Partners. Center for Information Security Education, Kennesaw State University. Retrieved October 24, 2007, from http://www3.uakron.edu/cba/cretisa/2006/whitman_infosec.pdf
Wilson, M., & Hash, J. (2003, October). Building an Information Technology Security Awareness and Training Program. NIST Special Publication 800-50. Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, Gaithersburg, MD 20899-8933.
Wilson, M., & Hash, J. (2003, October). Information Technology Security Awareness, Training, Education, and Certification. ITL Bulletin. Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology. Retrieved October 23, 2007, from http://www.itl.nist.gov/lab/bulletns/bltnoct03.htm
Wilson, M., de Zafra, D. E., Tressler, J. D., & Ippolito, J. B. (1998, April). Information Technology Security Training Requirements: A Role- and Performance-Based Model. NIST Special Publication 800-16 (supersedes Special Publication 500-172). U.S. Department of Commerce, Technology Administration, National Institute of Standards and Technology, Gaithersburg, MD 20899-0001. Retrieved October 24, 2007, from http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf
www.dtic.mil. (n.d.). Retrieved October 22, 2007, from http://www.dtic.mil/whs/directives/corres/text/p85101m.txt