The document discusses guidelines for developing effective information security policies. It describes the importance of policy and outlines three types of policies: enterprise security policies, issue-specific policies, and system-specific policies. It emphasizes that policies should be properly disseminated, understood, and agreed upon. Effective policy development involves planning, analysis of needs and risks, design, implementation, and processes for ongoing maintenance.
Integrating security into the development of an application or software is necessary to decrease its risk of susceptibility to attacks and exploits. Traditional methods of security testing were performed on a finished product. However, with the rise in the intensity and the number of attack vectors, it has become necessary for organizations to include it as a part of every phase of an SDLC.
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...PECB
According to Technavio's latest market research report, the data security market value will grow by $2.85 Billion during 2021-2025.
To secure their data, organizations can use the CIA triad, a data security model developed to help the data security market and people deal with various IT security parts.
The webinar covers
• Overview Of CIA
• Description of Data Governance vs Information Security vs Privacy
• Relationship of CIA to Data Governance
• Relationship of CIA to Information Security
• Relationship of CIA to Privacy
• How to Implement and Maintain the CIA model (e.g., PDCA, etc.)
Presenters:
Anthony English
Our presenter for this webinar is Anthony English, one of the top cybersecurity professionals in Atlantic Canada with extensive Canadian and International experience in cybersecurity covering risk assessment, management, mitigation, security testing, business continuity, information security management systems, architecture security reviews, project security, security awareness, lectures, presentations and standards-based compliance.
Date: November 17, 2021
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
Youtube video: https://youtu.be/eA8uQhdLZpw
Website link: https://pecb.com/
Information Security Management.Introductionyuliana_mar
Information Security Management. Introduction.
By Yuliana Martirosyan,
Based on Bell G. Reggard, Information Security Management. Concepts and Practices.
Slides for my lecture "Software security: vulnerabilities, exploits and
possible countermeasures" I had been giving for Samsung Electronics in Suwon, Korea (South).
This training creates the awareness of the security threats facing individuals, business owner’s, and corporations in today’s society and induces a’ plan-protection’ attitude. It enriches individuals, students’, business owners’ and workers’ approach to handling these threats and responding appropriately when these threats occur.
In this presentation we have covered the topic Data Security from the subject of Information Security. Where Data, Data Security, Security, Security Policy, Tools to secure data, Security Overview (Availability, Integrity, Authenticity, Confidentiality), Some myths and Dimensions of System Security and Security Issues are discussed.
The state of being protected against the unauthorized use of information, especially electronic data, or the measures are taken to achieve this.
"the growing use of mobile applications is posing a risk to information security"
create your own Security Management Model using the NIST Special Pub.pdfFORTUNE2505
create your own Security Management Model using the NIST Special Publication 800-14 and
Evaluate and apply NIST SP 800-26.
Solution
NIST SP800-14, subtitled Generally Accepted Principles and Practices for Securing Information
Technology Systems, describes best practices and provides information on commonly accepted
information security principles that can direct the security team in the development of a security
blueprint.
It also describes the philosophical principles that the security team should integrate into the
entire information security process, expanding upon the components of SP 800-12.
The more significant points made in NIST SP 800-14 are as follows:
1)Security Supports the Mission of the Organization.
2)Security is an Integral Element of Sound Management.
3)Security Should Be Cost-Effective
4)Systems Owners Have Security Responsibilities Outside Their Own Organizations.
5)Security Responsibilities and Accountability Should Be Made Explicit.
6)Security Requires a Comprehensive and Integrated Approach.
7)Security Should Be Periodically Reassessed.
8)Security is Constrained by Societal Factors.
It enumerates 33 principles for Securing Information Technology Systems:
Principle 1. Establish a sound security policy as the “foundation” for design.
Principle 2. Treat security as an integral part of the overall system design.
Principle 3. Clearly delineate the physical and logical security boundaries governed by
associated security policies.
Principle 4. Reduce risk to an acceptable level.
Principle 5. Assume that external systems are insecure.
Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease
in other aspects of operational effectiveness.
Principle 7. Implement layered security (Ensure no single point of vulnerability).
Principle 8. Implement tailored system security measures to meet organizational security goals.
Principle 9. Strive for simplicity.
Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in
response.
Principle 11. Minimize the system elements to be trusted.
Principle 12. Implement security through a combination of measures distributed physically and
logically.
Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of
expected threats.
Principle 14. Limit or contain vulnerabilities.
Principle 15. Formulate security measures to address multiple overlapping information domains.
Principle 16. Isolate public access systems from mission critical resources.
Principle 17. Use boundary mechanisms to separate computing systems and network
infrastructures.
Principle 18. Where possible, base security on open standards for portability and interoperability.
Principle 19. Use common language in developing security requirements.
Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support
incident investigations.
Principle 21. Design security to allow for regular adoption of new techno.
Integrating security into the development of an application or software is necessary to decrease its risk of susceptibility to attacks and exploits. Traditional methods of security testing were performed on a finished product. However, with the rise in the intensity and the number of attack vectors, it has become necessary for organizations to include it as a part of every phase of an SDLC.
CIA Triad in Data Governance, Information Security, and Privacy: Its Role and...PECB
According to Technavio's latest market research report, the data security market value will grow by $2.85 Billion during 2021-2025.
To secure their data, organizations can use the CIA triad, a data security model developed to help the data security market and people deal with various IT security parts.
The webinar covers
• Overview Of CIA
• Description of Data Governance vs Information Security vs Privacy
• Relationship of CIA to Data Governance
• Relationship of CIA to Information Security
• Relationship of CIA to Privacy
• How to Implement and Maintain the CIA model (e.g., PDCA, etc.)
Presenters:
Anthony English
Our presenter for this webinar is Anthony English, one of the top cybersecurity professionals in Atlantic Canada with extensive Canadian and International experience in cybersecurity covering risk assessment, management, mitigation, security testing, business continuity, information security management systems, architecture security reviews, project security, security awareness, lectures, presentations and standards-based compliance.
Date: November 17, 2021
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements
https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701
Webinars: https://pecb.com/webinars
Articles: https://pecb.com/article
Whitepapers: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
Youtube video: https://youtu.be/eA8uQhdLZpw
Website link: https://pecb.com/
Information Security Management.Introductionyuliana_mar
Information Security Management. Introduction.
By Yuliana Martirosyan,
Based on Bell G. Reggard, Information Security Management. Concepts and Practices.
Slides for my lecture "Software security: vulnerabilities, exploits and
possible countermeasures" I had been giving for Samsung Electronics in Suwon, Korea (South).
This training creates the awareness of the security threats facing individuals, business owner’s, and corporations in today’s society and induces a’ plan-protection’ attitude. It enriches individuals, students’, business owners’ and workers’ approach to handling these threats and responding appropriately when these threats occur.
In this presentation we have covered the topic Data Security from the subject of Information Security. Where Data, Data Security, Security, Security Policy, Tools to secure data, Security Overview (Availability, Integrity, Authenticity, Confidentiality), Some myths and Dimensions of System Security and Security Issues are discussed.
The state of being protected against the unauthorized use of information, especially electronic data, or the measures are taken to achieve this.
"the growing use of mobile applications is posing a risk to information security"
create your own Security Management Model using the NIST Special Pub.pdfFORTUNE2505
create your own Security Management Model using the NIST Special Publication 800-14 and
Evaluate and apply NIST SP 800-26.
Solution
NIST SP800-14, subtitled Generally Accepted Principles and Practices for Securing Information
Technology Systems, describes best practices and provides information on commonly accepted
information security principles that can direct the security team in the development of a security
blueprint.
It also describes the philosophical principles that the security team should integrate into the
entire information security process, expanding upon the components of SP 800-12.
The more significant points made in NIST SP 800-14 are as follows:
1)Security Supports the Mission of the Organization.
2)Security is an Integral Element of Sound Management.
3)Security Should Be Cost-Effective
4)Systems Owners Have Security Responsibilities Outside Their Own Organizations.
5)Security Responsibilities and Accountability Should Be Made Explicit.
6)Security Requires a Comprehensive and Integrated Approach.
7)Security Should Be Periodically Reassessed.
8)Security is Constrained by Societal Factors.
It enumerates 33 principles for Securing Information Technology Systems:
Principle 1. Establish a sound security policy as the “foundation” for design.
Principle 2. Treat security as an integral part of the overall system design.
Principle 3. Clearly delineate the physical and logical security boundaries governed by
associated security policies.
Principle 4. Reduce risk to an acceptable level.
Principle 5. Assume that external systems are insecure.
Principle 6. Identify potential trade-offs between reducing risk and increased costs and decrease
in other aspects of operational effectiveness.
Principle 7. Implement layered security (Ensure no single point of vulnerability).
Principle 8. Implement tailored system security measures to meet organizational security goals.
Principle 9. Strive for simplicity.
Principle 10. Design and operate an IT system to limit vulnerability and to be resilient in
response.
Principle 11. Minimize the system elements to be trusted.
Principle 12. Implement security through a combination of measures distributed physically and
logically.
Principle 13. Provide assurance that the system is, and continues to be, resilient in the face of
expected threats.
Principle 14. Limit or contain vulnerabilities.
Principle 15. Formulate security measures to address multiple overlapping information domains.
Principle 16. Isolate public access systems from mission critical resources.
Principle 17. Use boundary mechanisms to separate computing systems and network
infrastructures.
Principle 18. Where possible, base security on open standards for portability and interoperability.
Principle 19. Use common language in developing security requirements.
Principle 20. Design and implement audit mechanisms to detect unauthorized use and to support
incident investigations.
Principle 21. Design security to allow for regular adoption of new techno.
ISO/IEC 27001 & ISO/IEC 27002:2022: What you need to knowPECB
Data is one of the most crucial assets within an organization, hence, it is highly important to prioritize its security.
How would ISO/IEC 27002:2022 and ISO/IEC 27001 help you in this regard?
The webinar covers
• ISO/IEC 27001
• Latest changes in the ISO/IEC 27002:2022
• The relation between ISO/IEC 27001 and ISO/IEC 27002:2022
• How the latest changes in the ISO/IEC 27002:2022 impacts your business?
Presenters:
Carl Carpenter
Carl is a former CISO of a $6B entity where he was responsible for protecting data of all types and regulatory environments such as FFIEC, HIPAA, and PCI as well as working with the FBI, IRS, and US Department of Labor around investigations relating to money laundering. He has performed assessments against Fortune 10 and 50 companies in the areas of GDPR, CCPA, ISO/IEC 27001 and currently performs CMMC assessments as well as CMMC pre-audit support to help ensure a successful CMMC audit. Prior to that, Carl retired from the US Military where he was involved in counter-terrorist, counter-narcotics, counter-intelligence operations and training foreign military members in these same concepts. Carl is also a PECB trainer in ISO/IEC 27001, ISO/IEC 27032, and CMMC Foundations and holds numerous other certifications.
In 2016, Carl joined Arrakis Consulting where he started as an auditor and providing CISO-as-a-Service to small or medium sized companies that needed more experience without increased cost. In 2017, Carl added active penetration testing to his portfolio of skills and routinely performs penetration tests against companies of all sizes. Carl also trains people on a variety of skills such as penetration testing, network engineering, network administration, OSI model, subnetting, etc…
Carl holds a Bachelors from Western Governors University in Network Security and Operations as well as numerous certifications from ITIL, Cisco, CompTIA, Microsoft, CMMC-AB, ISACA, OneTrust, RSA, PCI Council, Citrix, and Novell
Andreas Christoforides
Mr. Christoforides is an active IT auditor and a trainer for a various organization on Information Security Management Systems. He is a member of the Cyprus Computer Society, a PECB certified trainer for ISO/IEC 27001, ISO 22301 and GDPR CDPO, and a former Deputy Head of IT Infrastructure at a Bulgarian Leading Bank.
In 2019, he joined BEWISE and delivered to clients a wide range of Cybersecurity projects in the areas of strategy, governance and risk management, data privacy and protection (GDPR), and business resilience and recovery. He conducts IT Risk Assessments and develops IT policies and procedures towards establishing an effective and secure IT Governance framework.
Mr. Christoforides holds a BEng degree from Birmingham City University and a variety of other qualifications from Microsoft and CISCO.
YouTube video: https://youtu.be/tWyuEiXVHnY
In this article I will provide an Overview of A new Information Security Management System
Standard ISO/IEC 27001:2013 , The new standard just Published from a few Days Earlier .
ISO/IEC 27001:2013 Provides requirements for Establishing, Implementing, Maintaining
and Continually Improving an Information Security Management System.
ISO/IEC 27001:2013 gives Organization a Perfect Information Security management framework for implementing
and maintaining security.
In this Article, I tried to shed some light on new standard and its Mandatory Requirements, Optional Requirements ,
Structure , Benefits , Certification Process and Estimated time for Implementation and Certification.
Ch04_MoIS5e_v02.pptx business business business business business business bu...JawaherAlbaddawi
business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business business
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
2. Computer Science
CPSC 449/Fall 2005 Security Information Management 2
Part I
1. Introduction
2. Policy
3. Enterprise Information Security Policy
4. Issue-Specific Security Policy (ISSP)
5. System-Specific Policy
6. Guidelines for Policy Management
7. Another Approach to Policy Development
8. SP 800-18 Guide for Developing
3. Computer Science
CPSC 449/Fall 2005 Security Information Management 3
Introduction
This chapter focuses on information
security policy:
What it is
How to write it
How to implement it
How to maintain it
4. Computer Science
CPSC 449/Fall 2005 Security Information Management 4
Policy
Policy is an essential foundation of effective
infosec program
The success of an information resources
protection program depends on the policy
generated, & on the attitude of management
toward securing information on automated
systems.
5. Computer Science
CPSC 449/Fall 2005 Security Information Management 5
You, the policy maker, set the tone & the
emphasis on how important a role infosec will
have within your agency.
Your primary responsibility is to set the
information resource security policy for the
organization with the objectives of reduced
risk, compliance with laws & regulations, &
assurance of operational continuity,
information integrity, & confidentiality.”
6. Computer Science
CPSC 449/Fall 2005 Security Information Management 6
A quality infosec program begins & ends with policy
Policies are least expensive means of control & often
the most difficult to implement
Basic rules to follow when shaping policy:
Never conflict with law
Stand up in court
Properly supported and administered
Contribute to the success of the organization
Involve end users of information systems
8. Computer Science
CPSC 449/Fall 2005 Security Information Management 8
Bulls-eye model layers
1. Policies: first layer of defense
2. Networks: threats first meet organization’s
network
3. Systems: computers & manufacturing
systems
4. Applications: all applications systems
9. Computer Science
CPSC 449/Fall 2005 Security Information Management 9
Policies are important reference documents
for internal audits & for resolution of legal
disputes about management’s due diligence
Policy documents can act as a clear
statement of management’s intent
11. Computer Science
CPSC 449/Fall 2005 Security Information Management 11
Policy: plan or course of action that influences
& determines decisions
Standards: more detailed statement of what
must be done to comply with policy
Practices, procedures & guidelines:explain
how employees will comply with policy
12. Computer Science
CPSC 449/Fall 2005 Security Information Management 12
For policies to be effective, they must be:
Properly disseminated
Read
Understood
Agreed-to
13. Computer Science
CPSC 449/Fall 2005 Security Information Management 13
Policies require constant modification &
maintenance
In order to produce a complete infosec policy,
management must define 3 types of infosec
policy:
Enterprise infosec program policy
Issue-specific infosec policies
Systems-specific infosec policies
14. Computer Science
CPSC 449/Fall 2005 Security Information Management 14
Part I
1. Introduction
2. Policy
3. Enterprise Information Security Policy
4. Issue-Specific Security Policy (ISSP)
5. System-Specific Policy
6. Guidelines for Policy Management
7. Another Approach to Policy Development
8. SP 800-18 Guide for Developing
15. Computer Science
CPSC 449/Fall 2005 Security Information Management 15
Enterprise InfoSec Policy (EISP)
Sets strategic direction, scope, & tone for
organization’s security efforts
Assigns responsibilities for various areas of
infosec
Guides development, implementation,&
management requirements of infosec
program
16. Computer Science
CPSC 449/Fall 2005 Security Information Management 16
EISP documents should provide:
An overview of corporate philosophy on
security
Information about infosec organization &
infosec roles:
Responsibilities for security shared by all
organization members
Responsibilities for security unique to each
organizational role
17. Computer Science
CPSC 449/Fall 2005 Security Information Management 17
Components of the EISP
Statement of Purpose: What the policy is for
Information Technology Security Elements: Defines
infosec
Need for Information Technology Security: justifies
importance of infosec in the organization
Information Technology Security Responsibilities &
Roles: Defines organizational structure
References Information Technology standards &
guidelines
18. Computer Science
CPSC 449/Fall 2005 Security Information Management 18
Sample EISP
Protection Of Information: Information must be
protected in a manner commensurate with its
sensitivity, value, & criticality
Use Of Information: Company X information must be
used only for business purposes expressly authorized
by management
Information Handling, Access, & Usage: Information
is a vital asset & all accesses to, uses of, &
processing of Company X information must be
consistent with policies & standards
19. Computer Science
CPSC 449/Fall 2005 Security Information Management 19
Data & Program Damage Disclaimers: Company X
disclaims any responsibility for loss or damage to
data or software that results from its efforts to
protect the confidentiality, integrity, & availability of
the information handled by computers &
communications systems
Legal Conflicts: Company X infosec policies were
drafted to meet or exceed the protections found in
existing laws & regulations, & any Company X infosec
policy believed to be in conflict with existing laws or
regulations must be promptly reported to infosec
management
20. Computer Science
CPSC 449/Fall 2005 Security Information Management 20
Exceptions To Policies: Exceptions to infosec policies
exist in rare instances where a risk assessment
examining the implications of being out of
compliance has been performed, where a standard
risk acceptance form has been prepared by the data
owner or management, & where this form has been
approved by both InfoSec management & Internal
Audit management
Policy Non-Enforcement: Management's non-
enforcement of any policy requirement does not
constitute its consent
21. Computer Science
CPSC 449/Fall 2005 Security Information Management 21
Violation Of Law: Company X management must
seriously consider prosecution for all known violations
of the law
Revocation Of Access Privileges: Company X reserves
the right to revoke a user’s information technology
privileges at any time
Industry-Specific InfoSec Standards: Company X
information systems must employ industry-specific
infosec standards
22. Computer Science
CPSC 449/Fall 2005 Security Information Management 22
Use Of infosec Policies & Procedures: All Company X
infosec documentation including, but not limited to,
policies, standards, & procedures, must be classified
as “Internal Use Only,” unless expressly created for
external business processes or partners
Security Controls Enforceability: All information
systems security controls must be enforceable prior
to being adopted as a part of standard operating
procedure
23. Computer Science
CPSC 449/Fall 2005 Security Information Management 23
Thinking about the EISP (10 min):
Information Security Policy Documents
Review and Evaluation
Appropriate Use of Information Technology
Resources
Identification of Risks from Third Party Access
Physical Security Area
Personnel Security Screening
Information Security Education and Training
24. Computer Science
CPSC 449/Fall 2005 Security Information Management 24
Part I
1. Introduction
2. Policy
3. Enterprise Information Security Policy
4. Issue-Specific Security Policy (ISSP)
5. System-Specific Policy
6. Guidelines for Policy Management
7. Another Approach to Policy Development
8. SP 800-18 Guide for Developing
25. Computer Science
CPSC 449/Fall 2005 Security Information Management 25
Issue-Specific Security Policy (ISSP)
Provides detailed, targeted guidance to instruct organization in
secure use of tech systems
Begins with intro to fundamental technological philosophy of
organization
Serves to protect employee & organization from
inefficiency/ambiguity
Documents how technology-based system is controlled
Identifies Processes & authorities that provide this control
Serves to indemnify organization against liability for
inappropriate or illegal system use
26. Computer Science
CPSC 449/Fall 2005 Security Information Management 26
ISSP should
Address specific technology-based systems
Require frequent updates
Contain an issue statement on the
organization’s position on an issue
27. Computer Science
CPSC 449/Fall 2005 Security Information Management 27
ISSP topics could include
email
use of Internet & World Wide Web
specific minimum configurations of computers to defend against
malware
prohibitions against hacking or testing organization security controls
home use of company-owned computer equipment
use of personal equipment on company networks
use of telecommunications technologies
use of photocopy equipment
28. Computer Science
CPSC 449/Fall 2005 Security Information Management 28
Components of the ISSP
Statement of Purpose:
Scope & Applicability
Definition of Technology Addressed
Responsibilities
Authorized Access & Usage of Equipment:
User Access
Fair & Responsible Use
Protection of Privacy
more ...
29. Computer Science
CPSC 449/Fall 2005 Security Information Management 29
Prohibited Usage of Equipment:
Disruptive Use or Misuse
Criminal Use
Offensive or Harassing Materials
Copyrighted, Licensed, or other Intellectual Property
Other Restrictions
Systems Management:
Management of Stored Materials
Employer Monitoring
Virus Protection
Physical Security
Encryption
more ...
30. Computer Science
CPSC 449/Fall 2005 Security Information Management 30
Violations of Policy:
Procedures for Reporting Violations
Penalties for Violations
Policy Review & Modification:
Scheduled Review of Policy & Procedures for Modification
Limitations of Liability:
Statements of Liability or Disclaimers
31. Computer Science
CPSC 449/Fall 2005 Security Information Management 31
Common approaches to implementing
ISSP
Number of independent ISSP documents
Single comprehensive ISSP document
Modular ISSP document that unifies policy
creation & administration
Recommended approach is modular policy,
which provides a balance between issue
orientation & policy management
32. Computer Science
CPSC 449/Fall 2005 Security Information Management 32
Discussion (10 min)
Guidelines on anti-virus process
Email-policy
Password
Third party connection agreement
Acceptable use policy
33. Computer Science
CPSC 449/Fall 2005 Security Information Management 33
Part I
1. Introduction
2. Policy
3. Enterprise Information Security Policy
4. Issue-Specific Security Policy (ISSP)
5. System-Specific Policy
6. Guidelines for Policy Management
7. Another Approach to Policy Development
8. SP 800-18 Guide for Developing
34. Computer Science
CPSC 449/Fall 2005 Security Information Management 34
Systems-Specific Policies (SysSPs)
They may often be created to function as
standards or procedures to be used when
configuring or maintaining systems
SysSPs can be separated into:
Management guidance
Technical specifications
Combined in a single policy document
35. Computer Science
CPSC 449/Fall 2005 Security Information Management 35
Created by management to guide the
implementation & configuration of technology
Applies to any technology that affects the
confidentiality, integrity or availability of
information
Informs technologists of management intent
Management Guidance SysSPs
36. Computer Science
CPSC 449/Fall 2005 Security Information Management 36
Technical Specifications SysSPs
System administrators’ directions on
implementing managerial policy
Each type of equipment has its own type of
policies
Two general methods of implementing such
technical controls:
1. Access control lists
2. Configuration rules
38. Computer Science
CPSC 449/Fall 2005 Security Information Management 38
Access Control Lists
ACLs enable administrations to restrict access
according to user, computer, time, duration,
or even a particular file
more ...
39. Computer Science
CPSC 449/Fall 2005 Security Information Management 39
Include user access lists, matrices, & capability tables
that govern rights & privileges
Can control access to file storage systems, object
brokers, or other network communications devices
Capability Table: similar method that specifies which
subjects & objects users or groups can access
Specifications are frequently complex matrices, rather
than simple lists or tables
Level of detail & specificity (often called granularity)
may vary from system to system
40. Computer Science
CPSC 449/Fall 2005 Security Information Management 40
ACLs regulate
Who can use the system
What authorized users can access
When authorized users can access the system
Where authorized users can access the
system from
How authorized users can access the system
Restricting what users can access, e.g.
printers, files, communications, & applications
41. Computer Science
CPSC 449/Fall 2005 Security Information Management 41
ACL Administrators set user privileges
Read
Write
Create
Modify
Delete
Compare
Copy
42. Computer Science
CPSC 449/Fall 2005 Security Information Management 42
Configuration rules are specific configuration codes
entered into security systems to guide execution of
system when information is passing through it
Rule policies are more specific to system operation
than ACLs & may or may not deal with users directly
Many security systems require specific configuration
scripts telling systems what actions to perform on
each set of information processed
46. Computer Science
CPSC 449/Fall 2005 Security Information Management 46
Combination SysSPs
Often organizations create a single document
combining elements of both Management
Guidance & Technical Specifications SysSPs
While this can be confusing, it is very
practical
Care should be taken to articulate required
actions carefully as procedures are presented
47. Computer Science
CPSC 449/Fall 2005 Security Information Management 47
Part I
1. Introduction
2. Policy
3. Enterprise Information Security Policy
4. Issue-Specific Security Policy (ISSP)
5. System-Specific Policy
6. Guidelines for Policy Management
7. Another Approach to Policy Development
8. SP 800-18 Guide for Developing
48. Computer Science
CPSC 449/Fall 2005 Security Information Management 48
Guidelines for Policy Development
Often useful to view policy development as a
two-part project:
1. Design & develop policy (or redesign &
rewrite outdated policy)
2. Establish management processes to
perpetuate policy within organization
The former is an exercise in project
management, while the latter requires
adherence to good business practices
49. Computer Science
CPSC 449/Fall 2005 Security Information Management 49
Policy development or re-development
projects should be well planned, properly
funded, & aggressively managed to ensure
completion on time & within budget
When a policy development project is
undertaken, the project can be guided by the
SecSDLC process
50. Computer Science
CPSC 449/Fall 2005 Security Information Management 50
1. Investigation Phase
The policy development team should:
Obtain support from senior management, & active
involvement of IT management, specifically CIO
Clearly articulate goals of policy project
Gain participation of correct individuals affected by
recommended policies
more ...
51. Computer Science
CPSC 449/Fall 2005 Security Information Management 51
Be composed from Legal, Human Resources &
end-users
Assign project champion with sufficient stature &
prestige
Acquire a capable project manager
Develop detailed outline of & sound estimates for,
the cost & scheduling of the project
52. Computer Science
CPSC 449/Fall 2005 Security Information Management 52
2. Analysis Phase
Should include the following activities:
New or recent risk assessment or IT audit
documenting the current infosec needs of the
organization
Key reference materials, including any
existing policies
53. Computer Science
CPSC 449/Fall 2005 Security Information Management 53
3 & 4. Design phase
Should include:
How policies will be distributed
How verification of distribution will be
accomplished
Specifications for any automated tools
Revisions to feasibility analysis reports based on
improved costs & benefits as design is clarified
54. Computer Science
CPSC 449/Fall 2005 Security Information Management 54
5. Implementation Phase
Write the policies!
Make certain policies are enforceable as
written
Policy distribution is not always as
straightforward
Effective policy:
Is written at a reasonable reading level
Attempts to minimize technical jargon &
management terminology
56. Computer Science
CPSC 449/Fall 2005 Security Information Management 56
6. Maintenance Phase
Maintain & modify policy as needed to ensure that it
remains effective as a tool to meet changing threats
Policy should have a built-in mechanism via which
users can report problems with the policy, preferably
anonymously
Periodic review should be built into the process
61. Computer Science
CPSC 449/Fall 2005 Security Information Management 61
ISPME Checklist
Perform risk assessment or information technology
audit to determine your org’s unique infosec needs
Clarify what “policy” means within your org so that
you are not preparing a “standard,” “procedure,” or
some other related material
Ensure that roles & responsibilities related to infosec
are clarified, including responsibility for issuing &
maintaining policies
more ...
62. Computer Science
CPSC 449/Fall 2005 Security Information Management 62
Convince management that it is advisable to have documented
infosec policies
Identify top management staff who will be approving final
infosec document & all influential reviewers
Collect & read all existing internal infosec awareness material &
make a list of the included bottom-line messages
Conduct a brief internal survey to gather ideas that stakeholders
believe should be included in a new or updated infosec policy
more ...
63. Computer Science
CPSC 449/Fall 2005 Security Information Management 63
Examine other policies issued by your organization, such as
those from HR management, to identify prevailing format, style,
tone, length, & cross-references
Identify audience to receive infosec policy materials &
determine whether they will each get a separate document or a
separate page on an intranet site
Determine extent to which audience is literate, computer
knowledgeable, & receptive to security messages
more ...
64. Computer Science
CPSC 449/Fall 2005 Security Information Management 64
Decide whether some other awareness efforts must
take place before infosec policies are issued
Using ideas from the risk assessment, prepare a list
of absolutely essential policy messages that must be
communicated
If there is more than one audience, match the
audiences with the bottom-line messages to be
communicated through a coverage matrix.
more ...
65. Computer Science
CPSC 449/Fall 2005 Security Information Management 65
Determine how the policy material will be disseminated, noting
the constraints & implications of each medium of
communication
Review compliance checking, disciplinary, & enforcement
processes to ensure they all can work smoothly with new policy
document
Determine whether number of messages is too large to be
handled all at one time, & if so, identify different categories of
material that will be issued at different times
more ...
66. Computer Science
CPSC 449/Fall 2005 Security Information Management 66
Have an outline of topics to be included in the first document
reviewed by several stakeholders
Based on comments from stakeholders, revise initial outline &
prepare a first draft
Have first draft document reviewed by stakeholders for initial
reactions, presentation suggestions, & implementation ideas
Revise draft in response to comments from stakeholders
more ...
67. Computer Science
CPSC 449/Fall 2005 Security Information Management 67
Request top management approval on policy
Prepare extracts of policy document for selected
purposes
Develop awareness plan that uses policy document
as a source of ideas & requirements
Create working papers memo indicating disposition
of all comments received from reviewers, even if no
changes were made
more ...
68. Computer Science
CPSC 449/Fall 2005 Security Information Management 68
Write memo about project, what you learned,
& what needs to be fixed so that next version
of policy document can be prepared more
efficiently, better received by readers, & more
responsive to unique circumstances facing
your organization
Prepare list of next steps that will be required
to implement requirements specified in policy
document
69. Computer Science
CPSC 449/Fall 2005 Security Information Management 69
ISPME Next Steps
Post Polices To Intranet Or Equivalent
Develop A Self-Assessment Questionnaire
Develop Revised User ID Issuance Form
Develop Agreement To Comply With InfoSec Policies
Form
Develop Tests To Determine If Workers Understand
Policies
Assign InfoSec Coordinators
Train InfoSec Coordinators
more ...
70. Computer Science
CPSC 449/Fall 2005 Security Information Management 70
Prepare & Deliver A Basic InfoSec Training Course
Develop Application Specific InfoSec Policies
Develop A Conceptual Hierarchy Of InfoSec Requirements
Assign Information Ownership & Custodianship
Establish An infosec Management Committee
Develop An infosec Architecture Document
71. Computer Science
CPSC 449/Fall 2005 Security Information Management 71
A Final Note on Policy
Lest you believe that the only reason to have policies
is to avoid litigation, it is important to emphasize the
preventative nature of policy
Policies exist first & foremost to inform employees of
what is & is not acceptable behaviour in the
organization
Policy seeks to improve employee productivity, &
prevent potentially embarrassing situations
72. Computer Science
CPSC 449/Fall 2005 Security Information Management 72
Summary
Why Policy?
Enterprise InfoSec Policy
Issue-Specific Security Policy
System-Specific Policy
Guidelines for Policy Development
73. Computer Science
CPSC 449/Fall 2005 Security Information Management 73
Part II
1. Introduction
2. Security Standard Criteria and Product
Security Evaluation Process
3. Computer Products Evaluation Standards
4. Major Evaluation Criteria
74. Computer Science
CPSC 449/Fall 2005 Security Information Management 74
1 Introduction
Security Evaluation Process
Security Standards and Criteria
The Orange Book
U.S. Federal Criteria
Information Technology Security Evaluation
Criteria (ITSEC)
The Trusted Network Interpretation (TNI): The
Red Book
Common Criteria (CC)
75. Computer Science
CPSC 449/Fall 2005 Security Information Management 75
2 Security Standards, Criteria
and Evaluation Process
Purpose
Criteria
Process
Structure
Outcome/benefit
76. Computer Science
CPSC 449/Fall 2005 Security Information Management 76
2.1 Purpose of Evaluation
Certification
Accreditation
Evaluation
Potential market benefit
77. Computer Science
CPSC 449/Fall 2005 Security Information Management 77
2.2 Criteria
Defines several degrees of rigor acceptable at
each testing level of security
Defines the formal requirements the product
need to meet at each Assurance level
Assurance levels are based on Trusted
Computer System Evaluation (TCSEC)
79. Computer Science
CPSC 449/Fall 2005 Security Information Management 79
2.4 Structure of Evaluation
Functionality – what and how much the
product can do
Effectiveness – whether the product meets
the effectiveness threshold
Assurance – give buyer assurance and
guarantee
80. Computer Science
CPSC 449/Fall 2005 Security Information Management 80
2.5 Outcome/Benefits
A great product
For evaluator, cut down the evaluation cost
without cutting the value of evaluation
For buyer, result in good product to enhance the
security
Evaluation of a computer product can be
done using either a standard or a criteria
81. Computer Science
CPSC 449/Fall 2005 Security Information Management 81
3 Computer Products Evaluation
Standards
American National Standards Institute (ANSI)
British Standards Institute (BSI)
Institute of Electrical and Electronic Engineers Standards
Association (IEEE-SA)
International Information System Security Certification
Consortium (ISC)2
International Organization for Standardization (ISO)
National Institute of Standards and Technology (NIST)
National Security Agency (NSA)
International Architecture Board (IAB)
Organization for the Advancement of Structured Information
Standards (OASIS)
Underwriters Laboratories
Worldwide Web Consortium (W3C)
82. Computer Science
CPSC 449/Fall 2005 Security Information Management 82
4 Major Evaluation Criteria
The Orange Book
U.S. Federal Criteria
Information Technology Security Evaluation
Criteria (ITSEC)
The Trusted Network Interpretation (TNI):
The Red Book
Common Criteria (CC)
83. Computer Science
CPSC 449/Fall 2005 Security Information Management 83
The Orange Book
Three Objectives
A yardstick for user
Guidance for manufacturer
Basis for security requirements
Two requirements
Specific security feature requirements
Assurance requirements
84. Computer Science
CPSC 449/Fall 2005 Security Information Management 84
The Orange Book
Four Assurance Levels
Class D – Minimal Protection
Class C
C1: Discretionary Security Protection (DSP)
C2: Controlled Access Protection (CAP)
Class B
B1: Labeled Security Protection
B2: Structured Protection
B3: Security Domain
Class A1: Verified Protection
85. Computer Science
CPSC 449/Fall 2005 Security Information Management 85
Questions
Does evaluation mean security?
One advantage of process-oriented security
evaluation is that it is cheap. Find other
reasons why it is popular. Why, despite its
popularity, is it reliable?
Why is the product rated as B2/B3/A1 better
than that rated C2/B1, or is it?
How do I know if a product is evaluated?
How do I get my product evaluated?