This document discusses the information security life cycle, which includes 6 steps: 1) security planning, 2) security analysis, 3) security design, 4) security implementation, 5) security review, and 6) continual security. It focuses on the first two steps of security planning and security analysis. For security planning, it covers asset definition, security policy, security objectives, and security scope. For security analysis, it describes the key activities of asset analysis, impact analysis, threat analysis, exposure analysis, vulnerability analysis, analyzing existing security controls, and risk analysis to define security requirements.

1. @mang.roisz
Information Security
Management
(Bel G. Ragad.) 2010
Chapter 3
The Information Life Cycle
CRC PressTaylor & Francis Group

2. @mang.roisz
Information Security Life Cycle
1. Security
planning
3. Security design
4. Security
implementation
5. Security review
2. Security
analysis
6. Continual
security
Risk

3. @mang.roisz
Security Planning
Asset definition
Security policy
Security objectives
Security scope

4. @mang.roisz
Asset definition
• The identification and definition of assets is the first step in any security analysis. Its needed to
identify the information asset for which an approved budget is made available for its protection.
• Two approach used in the initial identification of the information assets that are candidates for a
security project: problem-based approach and objective based approach

5. @mang.roisz
Security Policy
• Security policy of an information asset is its acceptable computing behavior
• Security policy should define the acceptable asset interaction with the rest of the components in
the computing environment

6. @mang.roisz
Security Policy
“Any violation of the
acceptable computing
behavior of an
information asset can
therefore only be
achieved with strict
enforcement of its
security policy”

7. @mang.roisz
Security Objective
“it is important that these security
objectives be closely linked to the
business mission of the information
asset and that they be well defined.
Any incompleteness or ambiguity in
their definition will translate into
deficient security requirement that will
lead to inadequate security for the
target information asset”

8. @mang.roisz
Security Scope
• Not all security requirement can be met, but enough should be satisfied to establish the
acceptable security risk level established by the asset security policy
• The scope defines the depth of the security design and the breath of the security requirements
that must be addressed to achieve the security objectives set for the information asset
• Security must have respect budget constraints and any feasibility conditions established by
project feasibility study

9. @mang.roisz

10. @mang.roisz
Security Analysis
Asset analysis
Impact analysis
Threat analysis
Exposure analysis
Vulnerability analysis
Analysis of effectiveness of existing security controls
Risk analysis
Security Requirements

11. @mang.roisz
• The objective of security analysis in a security life cycle is to define the security requirements
needed to adequately protect the target information asset.The security requirements should
reflect the results of risk assessment in terms of risks to the confidentiality, integrity, and
availability of the system and its information
• Security analysis is an investment for the organization. It includes assessing the threats and
risks, managing the risks, and revising or establishing a security policy for the information asset.
There is, however, no doubt that the outcomes of these activities should always be in accordance
with the existing organizational security policy, which regulates how the organization manages,
protects, and distributes resources to achieve the organization’s security objectives (defined
earlier)

12. @mang.roisz

13. @mang.roisz
Any security analysis methodology adopted
by an organization should include at least the
following activities:

14. @mang.roisz
1. Asset analysis:The asset has to be studied in terms of its acquisition cost, operating cost,
maintenance cost, its benefits, and its contribution in generating the business value of the
enterprise.
2. Impact analysis: Estimating potential harm that might be inflicted on the asset as well as resulting
impacts for the organization.
3. Threat analysis: Identifying and defining threats to the target information asset, and estimating
their likelihood of occurrence.
4. Exposure analysis: Independently of its vulnerabilities, the asset may be exposed in such a way that
if the threat materializes the worst of the possible impact levels may be realized.
5. Vulnerability analysis:Analyzing asset vulnerabilities and estimating asset exposure levels.
6. Analysis of current security controls: Estimating the effectiveness of the current security controls.
7. Risk analysis: Measuring the risks using exposure rating, asset vulnerabilities, and the effectiveness
of current security controls.
8. Security requirements: Defining the security requirements to use in designing the security of the
information asset.

15. @mang.roisz
Aset analysis
• We first need to identify all components constituting the information asset and assign value to
them
• The criticality of the information asset consists of two components: sensitivity, and availability
• the criticality of an information asset should be defined in terms of the criticality value
• The criticality concept is closely related to business value. If an information asset has no business
value, its criticality will be nil. Often, the higher the business value, the higher the criticality of
the asset.Criticality can, however, be alternatively defined in terms of potential losses that may
take place if the security of the information asset is compromiseds of all of its components.

16. @mang.roisz
Aset analysis
• That is, the value of the asset can also alternatively be represented in terms of potential losses.
These losses may be presented in terms of the replacement value, the immediate impact of the
loss, or any other consequences to the organization.
• An easy way to value the asset may be to represent the losses using linguistic terms or
qualitative ranking of low, medium, or high losses

17. @mang.roisz
Impact Analysis
• The impact of the target information asset may be estimated by measuring the business value of
the organization when all assets work as expected, and then measuring the new business value
after the asset fails
• The occurrence of a threat can, in fact, produce, through information leakage, information
corruption, and denial of service, and multiple impacts (presented earlier) such as unauthorized
disclosure of information, unauthorized modification to data, disruption of
functions/unavailability, and deceptive actions
• Once the impacts are known for the target asset, the impact levels have to be estimated for each
impact

18. @mang.roisz
Some kind of Impact
1. Unauthorized access: An unauthorized agent (human or process) gains access to the information
asset in an unauthorized manner. Even though this situation does not always cause actual harm to
the asset, it may lead to other effects such as the ones list here.
2. Unauthorized disclosure of information: An agent (authorized or not; human or process) divulges
information processed at the information asset in an unauthorized manner (intentionally or
unintentionally).
3. Unauthorized modification to data: An agent (authorized or not; human or process) modifies
data/information processed at the information asset in an unauthorized manner (intentionally or
unintentionally).
4. Unavailability:This consists of disruption of asset services and functions.The threat temporarily or
permanently disrupts services provided by the information asset so that it is not fully available as
configured according to its security policy.The disruption of asset services and functions includes
the denial of services provided by the information asset, including unavailability of data or services.
5. Deceptive actions:This occurs when the agent (human or process) that disrupts the security of the
information asset cannot be detected, identified, or caught.

19. @mang.roisz

20. @mang.roisz

21. @mang.roisz
Threat analysis
• threats are usually organized into two main categories: natural and man-made
• The latter category of made threats may be accidental or intentional
• Knowing the distribution of threats originating at the same source is sometimes very useful
because the countermeasures and responses are independent

22. @mang.roisz

23. @mang.roisz
RootThreat Category Effect ofThreat to Asset (Secondary
(SecondaryThreat)
Threat Impact and Consequences
NaturalThreats
Earthquake, fires, flooding,
thunderstorms
Power outage, fires Loss or degradation of communications, destruction of equipment
Biological incidents Diseases, death of security experts Disruption of functions/ denial of service
AccidentalThreats
User error File/data deletion, mishandling of
equipment, invalid input
Disruption of functions, unauthorized modification to data
Administrator error Misconfiguration of information asset Unauthorized access to the information asset, which may lead to
unauthorized disclosure of information, modification of data,
disruption of asset services, deceptive actions
Hardware/software failure Failure of servers, loss of Internet
connections, failure of
communication devices
Disruption of functions/ services, destruction of equipment,
unauthorized modification of data
IntentionalThreats
Hackers Password cracking, eavesdropping,
spoofing, trojan horse, virus,
masquerading
Unauthorized disclosure of information; and unauthorized access to
the information asset, which may lead to unauthorized disclosure of
information, modification of data, disruption of asset services,
deceptive actions

24. @mang.roisz
Exposure analysis
• we should all know how to estimate impact levels and likelihood of occurrences
• We will now see how to measure exposure levels to threats for the information asset. Exposure rating is
a measure the organization may use to determine which threat scenario it is most exposed to. It is
important to note that because the exposure rate is not related to asset vulnerabilities or current
security controls, the exposure rate we describe here is not a risk level

25. @mang.roisz
Vulnerability analysis
• The adequate identification of existing vulnerabilities and existing security controls is essential
to correctly assess the level of risk associated with each scenario. But now that we know the
exposure ratings, we can identify the vulnerabilities of the asset that the identified threats can
exploit to harm the asset.We should also identify existing security controls to determine if the
current level of protection is appropriate, considering the asset level of exposure and its
vulnerabilities.
• An information asset vulnerability describes a characteristic of, or weakness in, an asset or one of
its component that tends to support the occurrence of a threat. All known vulnerabilities
associated with the asset, technical or nontechnical, should be listed

26. @mang.roisz
Analysis of effectiveness of existing security controls
• Evaluating the current security controls will help in determining whether or not adequate
protection against specific threats is in place
• Existing security controls should also be studied to determine if they are currently providing the
prescribed protection
• If a control is not providing adequate protection, it can be considered a vulnerability
• Existing security controls should be identified for each (asset, threat, impact) scenario.
• A security control is retained in the security program if it consists of measures that will prevent
or reduce the likelihood of threats that attempt to exploit asset vulnerabilities.Those security
controls normally provide functionality in at least one of the following areas: confidentiality,
integrity, availability, and physical security
• Once appropriate asset vulnerabilities and security controls are identified, the effectiveness of
the existing security controls needs to be assessed in order to get an estimate of the risk level
associated with each (asset, threat, impact, exposure, vulnerabilities, existing security controls)
scenario

27. @mang.roisz
Risk analysis
• The definition of cost-effective security solutions that are capable of reducing the risk associated
with an information asset to an acceptable level specified in the asset security policy is not an
activity that can be performed without the adoption of an effective risk analysis methodology
• Such a methodology has to be simple to understand, communicate, and use, but it also has to be
complete, effective, and efficient in producing the feasible security controls that work
• The risk can be defined as a measure indicating the likelihood and consequences of threat events
or undesired events that could compromise the security of the information asset, considering its
vulnerabilities and given the effectiveness of existing security controls
• The outcome of this process should indicate to the organization the degree of risk associated
with the target information asset.
• This outcome is important because it is the basis for making security control selection, as
needed, and risk mitigation decisions

28. @mang.roisz
Risk Analysis
• The following is an example of the exposure level:
1. Very low exposure
2. Low exposure
3. Moderate exposure
4. High exposure
5. Very high exposure
• The following is an example of the vulnerability level:
1. Low vulnerability level
2. Moderate vulnerability level
3. High vulnerability level

29. @mang.roisz
• The effectiveness of the existing relevant security controls should be estimated.The
effectiveness of a security control is a measure of the effect that a security control has on the
probability of a threat to exploit asset vulnerabilities and on the resulting impacts should the
threat materialize
• We can express the effectiveness rates for a security control as follows:
1. Low: Minimal reduction of probability that asset vulnerabilities would be exploited when the
security control is implemented.
2. Moderate: Moderate reduction of probability that asset vulnerabilities would be exploited when the
security control is implemented.
3. High: High reduction of probability that asset vulnerabilities would be exploited when the security
control is implemented.
• The security analysis team now has at hand all the information needed to estimate risks

30. @mang.roisz

31. @mang.roisz
Security Requirements
• So far, we have completed the following steps:
1. We defined the target information asset of the security project.
2. We identified existing threats and estimated their likelihood.
3. We estimated impacts and impact levels for the information asset.
4. We estimated asset exposures based on threat likelihood and impact levels.
5. We estimated asset vulnerabilities.
6. We estimated levels of effectiveness for the existing security controls.
7. We estimated risk levels based on threat likelihood, threat vulnerabilities, and asset exposure levels.

32. @mang.roisz
Security Requirements
• we can now define the security requirements for our information asset., but we need to answer
the following three questions:
1. How much confidentiality do we need to provide to protect our information asset?
2. How much data integrity do we need to provide to protect our information asset?
3. How much availability do we need to provide to protect the information asset?

33. @mang.roisz
Security Design
Risk Mitigation
Design of SecurityTraining Programs
Design of Security Planning Programs
Design of the Risk-Driven Security Programs

34. @mang.roisz
• The security design activity aims at devising security to meet the security objectives defined for the
target information asset
• The security design activity will therefore consist of five security design tasks:
1. Security design for confidentiality
2. Security design for integrity
3. Security design for availability
4. Security design for authentication
5. Security design for non-repudiation
• We now have at hand the following information:
1. Information about the information asset
2. Information about current threats
3. Information about impacts and impact levels
4. Information about asset security exposure levels
5. Information about asset vulnerabilities
6. Information about the effectiveness of existing security controls
7. Information about security risk levels

35. @mang.roisz
• refers to the security activity comprising security design and discussion of the security design
objectives listed earlier.There are, however, three possible solutions:
1. design our own security controls for each of the five security objective set for the target information
asset;
2. hire security experts who can recommend the appropriate security controls that correspond to the
security objectives on hand; and
3. select security controls from prescribed security control catalogs

36. @mang.roisz
Risk Mitigation
• The risk mitigation process aims at reducing the security of the asset to its acceptable risk level
as specified in its security policy
• Before determining the candidate security controls to be selected for risk mitigation, we have to
compute the current risk position of the information asset.
• The basic risk of the asset is the current risk of the asset before any new security controls for risk
mitigation have been implemented
• In addition to the effectiveness of the security controls and their cost, the process of selecting
security controls takes into account many other factors, such as the corporate security policy, the
asset security policy, legislation and regulation, safety and reliability requirements, technical
requirements, etc
• Once the security program is devised for the purpose of mitigating the asset risk below the
acceptable risk level of the asset, it is still not final unless it gets approved by management,
including the appropriate authorizing officials
• Usually, however, the security control selection process is iterative and, often, final decisions are
not immediately obtained

37. @mang.roisz

38. @mang.roisz

39. @mang.roisz
Design of SecurityTraining Programs
• The security maintenance team is in charge of the continual security of the information asset
target of our security life cycle.
• Most members of this team have at least professional-level skills in the following areas:
1. Access control systems and methodology
2. Telecommunications and network security
3. Security management practices
4. Security architecture and models
5. Cryptography
6. Physical security
7. Operations security
8. Applications and systems development
9. Business continuity planning
10. Law, investigation, and ethics
“In addition to the specialized security training
program reserved for the security maintenance
team, there is a need to design a security
awareness program for users and other
individuals who interact in some way with the
information asset. Even the janitor who
cleans the computer rooms at night has to be
trained in physical security matters related to
the operations of the information asset.”

40. @mang.roisz
Design of Security Planning Programs
• Security planning consists of mainly two aspects:
1. the design of a security plan that defines security requirements of information for the next 3 years,
and
2. the design of a business continuity plan that defines the actions to be taken to continue business
operations when a disaster takes place

41. @mang.roisz
Design of the Risk-Driven Security Programs

42. @mang.roisz

43. @mang.roisz

44. @mang.roisz
Security Implementation

45. @mang.roisz
• The implementation step must ensure both usability and sustainability of the security program
• The security implementation staff should develop their own testing procedures, which should
simulate real-world intrusion attempts to break or circumvent certain security aspects
embedded in the target security design
• Even though security design is the territory of capable security specialists, because users of the
final system where those security mechanisms are embedded are not security professionals,
there are many social factors that will contribute, as much as security, to the performance of the
designed security features
• In fact, both usability and sustainability are two goals to be incorporated in any security design.
While the security implementation team will make any possible effort to hide any added
complexity due to embedded security controls, it is imperative that all configurations applied on
the target information asset yield to adequate security implementation as specified in the asset
security policy

46. @mang.roisz
Security Review

47. @mang.roisz
• The review phase consists of two main steps:
1. Security review for authorization
2. Security auditing
• The purpose of this phase is to ensure that the authorizing official and the asset owner agree on
the proposed security program, including the asset’s documented security requirements, before
the certification agent begins the assessment of the security controls in the information asset

48. @mang.roisz
Continual Security

49. @mang.roisz
• Continual security consists of continuous monitoring activities intended to ensure that security
risks stay at accepted levels and that if the effectiveness of current security controls diminish and
cause the accepted risk levels to be violated, corrective actions are planned to bring the risk
levels back to their accepted levels
• The following steps are usually planned to achieve continual security:
1. Configuration management and control
2. Monitoring of security controls
3. Monitoring of the computing environment for any changes
4. Reporting of changes and documentation

50. @mang.roisz
• The continual security phase may include the following activities:
1. Periodic assessments of risk, including the magnitude of harm that could result from the
unauthorized access, use, disclosure, disruption, modification, or destruction of information and
information systems that support the operations and assets of the agency
2. Periodic review of policies and procedures that are based on risk assessments, cost-effectively reduce
information security risks to an acceptable level, and ensure that information security is addressed
throughout the security life cycle of the information asset
3. Security awareness training to inform personnel of the information security risks associated with
their activities and their responsibilities in complying with organization’s policies and procedures
designed to reduce these risks
4. Periodic testing and evaluation of the effectiveness of information security policies, procedures,
practices, and security controls to be periodically performed
5. A process for planning, implementing, evaluating, and documenting remedial actions to address any
deficiencies in the information security policies, procedures, and practices of the agency
6. Procedures for detecting, reporting, and responding to security incidents

51. @mang.roisz
Summary

52. @mang.roisz
• This chapter presented the security life cycle of an information asset.The security life cycle
consists of six phases: planning the security life cycle, security analysis, security design, security
implementation, security review, and continual security.The chapter also discussed all the
phases of the security life cycle. In particular, we explained how to estimate impacts and impact
levels for a target information asset.We also explained how an asset’s security exposures are
estimated.
• The chapter also discussed how to assess security risks and how to mitigate security risks in the
context of a holistic risk-driven security program for the target information asse