Introduction to
Cyber/Information Security
Module 2: Security Management
Module 2: Security Management
Chapter I: Security Management Practices
1. Overview of Security Management
2. Information Classification Process
3. Security Policy
4. Risk Management
5. Security Procedures and Guidelines
6. Business Continuity and Disaster Recovery
7. Ethics and Best Practices
Module 2: Security Management
Chapter 2: Security Laws and Standards
1. Security Assurance
2. Security Laws
3. IPR
4. International Standards
5. Security Audit
6. SSE-CMM / COBIT, etc.
Security Principles
Identification: to establish the proper identity of a user.
Authentication: to verify the claimed identity of the user.
Authorization: to grant the authenticated user the access they are permitted.
Privacy: the user will use the data only for the authorized purpose.
Non-Repudiation: the user cannot deny having performed a particular action.
Information Security
Information is an integral part of any business, and managing it correctly rests on three basic pillars (the CIA triangle):
Confidentiality: the information must only be accessible to its predefined recipients.
Integrity: the information must be correct and complete.
Availability: the information must be accessible when it is needed.
Information Security
Security Management must ensure that the information is correct and complete, that it is always available for business purposes, and that it is only used by the people who are authorized to do so.
Information Security
Information Security (InfoSec) includes three components:
Management of Information Security
Network Security
Computer and Data Security
Security Management
The main benefits of proper Security
Management are:
Interruptions to service caused by viruses, computers being hacked into, etc. are avoided.
The number of incidents is minimized.
Information is accessible when it is needed and data integrity is preserved.
Data confidentiality, and the privacy of customers and users, is preserved.
Regulations on data protection are complied with.
The quality of service to customers and users, and their confidence in it, is improved.
Security Management
The main difficulties when implementing Security
Management may be summarised as:
There is insufficient commitment to the process from
all the members of the IT organisation.
Excessively restrictive security policies are established,
with a negative effect on the business.
The tools needed to monitor and guarantee the
security of the service (firewalls, antivirus software,
etc.) are not available.
Staff are not given adequate training to be able to
apply security protocols.
There is a lack of coordination between the different
processes, making it impossible to evaluate the risks
properly.
Information Security Management
Principles of Information Security Management:
Planning
Policy
Programs
Protection
People
Project Management
Principles of Information Security
Management
Planning
The InfoSec planning model includes the activities essential to support the design, creation and implementation of InfoSec strategies within the IT environment.
Various plans: incident response plan, business continuity plan, disaster recovery plan, policy plan, personnel plan, risk management plan, and education, training and awareness plan.
Principles of Information Security
Management
Policy
It is a set of organizational guidelines that lists out certain rules of organizational behavior.
Three general categories:
General Program Policy (Enterprise security policy)
Issue-specific security policy
System-specific policies
Principles of Information Security
Management
Programs
It includes specific entities managed in the InfoSec domain such as SETA (security education, training and awareness), the physical security program and the guards program.
Principles of Information Security
Management
Protection
It includes risk management activities such as risk assessment and control, protection mechanisms, technologies and tools.
Principles of Information Security
Management
People
People play a key role in the organisation and it is important that managers recognise the key role that people play.
Includes the information security personnel, the security of personnel, as well as aspects of the SETA program.
Principles of Information Security
Management
Project Management
This is present throughout all the phases of the InfoSec program.
It involves identifying and controlling project resources, measuring success and making required changes.
Need of ISMS
InfoSec achieved through technical means alone is limited.
InfoSec also depends on people, policies, processes and procedures.
Resources are limited.
It is an ongoing activity.
Benefits of ISMS
Manages risk to suit the business activity
Manages incident handling activities
Builds a security culture, which increases trust, customer confidence and business opportunity
Conforms to the requirements of the standard
Applications of ISMS
Banks
Insurance companies
Manufacturing companies
Hospitals
BPOs
Software development
Information Classification
Information Classification
Organizations like to classify their information for suitable treatment.
All organizations, whether government, public, private or defense, need to classify their information.
Reason for classification: not all data/information has the same level of importance or the same level of relevance/criticality to an organization.
E.g. loss of trade secrets, formulae or new product information can create significant loss for the organization.
Information Classification
Benefits of information classification
Information classification is a demonstration of an organization's commitment to security protections.
It helps identify which information is most sensitive or vital to an organization.
It supports the tenets of CIA as they pertain to data.
It helps identify which protections apply to which information.
It fulfils statutory requirements towards regulatory, compliance or legal mandates.
Information Classification
The information produced or processed by an organization must be classified according to the organization's sensitivity to its loss or disclosure.
The data owners are responsible for defining the sensitivity level of data.
This enables security controls to be properly implemented as per the classification.
Terms for information
Classification
The following definitions describe several schemes used for levels of data/information classification:
Unclassified
Sensitive but unclassified (SBU)
Confidential
Secret
Top Secret
Information Classification
Unclassified: information is neither sensitive nor classified. The public release of this information does not violate confidentiality.
Sensitive but unclassified (SBU): information designated as a minor secret, but which may not create serious damage if disclosed. E.g. health care, answers to tests.
Confidential: information designated to be of a confidential nature. The unauthorised disclosure of this information could cause some damage to security. E.g. teacher feedback.
Information Classification
Secret: information designated to be of a secret nature. The unauthorized disclosure of information of this nature could cause serious damage to security. E.g. a contract.
Top Secret: this is the highest level of information classification (e.g. normally in defense organisations). Any unauthorised disclosure of top secret information will cause exceptionally grave damage to security.
Information Classification
It is not good practice to deal with too much data or to provide employees and other business entities with all the data.
Organizations make data available to the people concerned on a need-to-know basis.
The following classification is also prevalent in most private organizations:
Public
Sensitive
Private
Information Classification
Public: information similar to unclassified information. All of the organization's information that does not fit into any of the other categories is considered to be public. This information probably should not be discussed, but even if it is disclosed it is not expected to seriously or adversely impact the organization.
Sensitive: information that requires a higher level of classification than normal data. This information is protected from a loss of confidentiality as well as a loss of integrity owing to unauthorized alteration.
Information Classification
Private: this information is considered to be of a personal nature and is intended for company use only. Its disclosure can adversely affect the company or its employees. E.g. salary levels, medical information.
Criteria for classification of data
and information
Classification of an Information Object
Value: the most common criterion for classifying data in the private sector. If information is valuable to the organization or its competitors, then it needs to be classified.
Age: the classification of information may be lowered if the information's value decreases over time.
Useful Life: if the information has become obsolete owing to new information or substantial changes in the company, the information can be declassified.
Personal Association: if information is personally associated with specific individuals or addressed by privacy law, it may be classified.
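The four criteria above, together with the need-to-know rule from the private-sector scheme (Public / Sensitive / Private), can be turned into a small decision routine. The following is an added example written for these notes, not code from the lecture or any organisation's policy: the value scale, the "one level lower per two years" ageing rule, the roles and the sample objects are all constructed assumptions.

```python
"""Added example (not from the lecture): derive a classification level from
value, age, useful life and personal association, then enforce need-to-know.
The value scale, ageing rule, roles and sample objects are constructed."""
from dataclasses import dataclass, field
from datetime import date

# Private-sector scheme from the notes, ordered lowest to highest
LEVELS = ["public", "sensitive", "private"]
TODAY = date(2024, 6, 1)   # constructed reference date for the review


@dataclass
class InfoObject:
    name: str
    owner: str                    # the data owner makes the original decision
    value: int                    # constructed scale: 0 none .. 3 trade secret
    created: date
    personal: bool = False        # personal association / addressed by privacy law
    obsolete: bool = False        # useful life is over (superseded information)
    need_to_know: set = field(default_factory=set)   # roles with a business need


def classify(obj: InfoObject, today: date) -> str:
    """Apply the criteria in order: personal association, useful life, value, age."""
    if obj.personal:
        return "private"          # privacy law applies regardless of age or value
    if obj.obsolete:
        return "public"           # declassified: the information is obsolete
    if obj.value >= 3:
        level = "private"
    elif obj.value >= 1:
        level = "sensitive"
    else:
        level = "public"
    # Age (assumed review rule): lower the level one step per two full years
    years = (today - obj.created).days // 365
    idx = max(0, LEVELS.index(level) - years // 2)
    return LEVELS[idx]


def may_access(obj: InfoObject, clearance: str, role: str, today: date) -> bool:
    """The reader's clearance must reach the level AND the role must need to know."""
    level = classify(obj, today)
    if LEVELS.index(clearance) < LEVELS.index(level):
        return False
    return level == "public" or role in obj.need_to_know


# Constructed sample objects
FORMULA = InfoObject("product-formula", "rnd-lead", 3, date(2024, 3, 1),
                     need_to_know={"rnd"})
BROCHURE = InfoObject("old-brochure", "marketing", 1, date(2019, 1, 1))
SALARY = InfoObject("salary-sheet", "hr", 0, date(2010, 1, 1),
                    personal=True, need_to_know={"hr"})
OLD_FORMULA = InfoObject("superseded-formula", "rnd-lead", 3, date(2024, 1, 1),
                         obsolete=True)


def review() -> dict:
    """Run the periodic review the owner is responsible for; returns name -> level."""
    return {o.name: classify(o, TODAY) for o in (FORMULA, BROCHURE, SALARY, OLD_FORMULA)}


if __name__ == "__main__":
    for name, level in review().items():
        print(f"{name}: {level}")
    print("sales may read formula:", may_access(FORMULA, "private", "sales", TODAY))
```

Note that a high clearance on its own is not enough: `sales` holds "private" clearance but is refused the formula because the role is not in the object's need-to-know set, which is the point the notes make about not giving everyone all the data.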
How do organizations classify
data and information
Primary procedural steps
Identify the owner/administrator/custodian for data and information considered to be important.
Specify the criteria for information to be classified and labeled.
Classify the data by owner.
Specify and document any exceptions to the classification policy.
Depending on its classification, specify who is authorized to access the data/information.
Specify the termination procedures for declassifying the information.
Create an enterprise awareness program about the data/information classification controls.
Information classification: Roles
The roles and responsibilities of all the participants in the information classification program must be clearly defined:
Owner
Custodian
User
Information classification: Roles
Owner: responsible for the information asset that must be protected.
Making the original decision about the level of classification of information based on business need.
Reviewing the classification assignment periodically and making alterations if required.
Delegating the responsibility of protection.
Information classification: Roles
Custodian:
Running regular backups and routinely testing them for validity.
Performing data restoration from backups.
Maintaining the retained records in accordance with legal requirements.
Information classification: Roles
User:
It is mandatory for users to follow the operating procedures that are defined in the organization's security policy.
Prevent open viewing of information.
Take the necessary care to maintain the company's security policy.
Data Obfuscation
It is one solution to data theft.
Data obfuscation renders data unusable by some means, but is not considered a serious form of encryption.
It is not very difficult to decipher an obfuscation scheme given enough data.
An effective method involves chopping the text into segments, re-arranging them as well as obfuscating them.
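The chop / re-arrange / obfuscate method just described, as an added example that is not from the lecture. The segment size and the fixed mask byte are constructed choices; the two checks at the end show why the notes say this is not encryption: the scheme has no key, so anyone who knows it can reverse it, and equal inputs always produce equal outputs.

```python
"""Added example (not from the lecture): a chop / re-arrange / mask obfuscation
scheme and the properties that separate it from real encryption.
SEGMENT and MASK are constructed values, not from any real product."""

SEGMENT = 4      # chop the text into 4-byte segments (constructed)
MASK = 0x5A      # fixed byte XORed into every character (constructed)


def _chop(data: bytes) -> list:
    """Split into SEGMENT-sized pieces; the last piece may be shorter."""
    return [data[i:i + SEGMENT] for i in range(0, len(data), SEGMENT)]


def obfuscate(data: bytes) -> bytes:
    """Re-arrange by reversing each segment, then mask every byte."""
    rearranged = b"".join(seg[::-1] for seg in _chop(data))
    return bytes(b ^ MASK for b in rearranged)


def deobfuscate(blob: bytes) -> bytes:
    """Inverse: undo the mask, then reverse each segment back into place.
    No secret is needed; the segment boundaries depend only on the length."""
    unmasked = bytes(b ^ MASK for b in blob)
    return b"".join(seg[::-1] for seg in _chop(unmasked))


def is_keyless(samples) -> bool:
    """True if every sample round-trips with nothing but the published scheme,
    i.e. knowing SEGMENT and MASK is enough to read all of it."""
    return all(deobfuscate(obfuscate(s)) == s for s in samples)


def leaks_equality(a: bytes, b: bytes) -> bool:
    """Deterministic output: equal inputs give equal outputs, so repeated values
    (the same card number in two records) are visible without reversing anything."""
    return obfuscate(a) == obfuscate(b)


# Constructed sample records
SAMPLES = [b"Account 4111-1111", b"abcd", b""]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", obfuscate(s))
    print("keyless:", is_keyless(SAMPLES))
```

A store protected this way should be treated as plaintext for risk purposes: the control that actually limits exposure is access control on the data, and where confidentiality is required the notes' own distinction applies and a real cipher with a managed key is needed.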
Business Classification Systems
Critical: functions supported by the systems cannot be performed unless replaced by identical capabilities. Tolerance to interruption is low. Cost of interruption is high.
E.g. entry to a high-security vault using a fingerprint reader. If the reader gets damaged, the functionality halts.
Business Classification Systems
Vital: functions can be performed manually, but only for a brief period of time. Higher tolerance to interruption than critical systems. Cost of interruption is low (if restoration is within the time limit).
E.g. in case of failure of the lift in a 30-floor building, one can use the staircase for the time being.
Business Classification Systems
Sensitive: functions can be performed manually at a tolerable cost for an extended period of time.
E.g. due to the non-functioning of the in-house printing machine, paper printing is outsourced.
Non-critical: functions may be interrupted for an extended period of time, at little or no cost to the company.
E.g. non-functioning of the coffee machine.
Event Classification
Events that can result in damage to Information Systems are typically classified as:
Disaster: an event that causes permanent and substantial damage or destruction to the property, equipment, information, staff or services of the business. E.g. natural disasters.
Crisis: an abnormal situation that presents some extraordinary risks to a business and that will develop into a disaster. E.g. a server getting hacked.
Catastrophe: major disruptions resulting from the destruction of critical equipment in processing. E.g. a hard disk crash.
Security Policy
Policy (in general)
A policy is a principle or protocol to guide decisions and achieve rational outcomes.
It is a statement of intent, and is implemented as a procedure or protocol.
Policies are generally adopted by senior management.
Policies can assist in both subjective and objective decision making.
Policy (in general)
During subjective decision making, policy assists management in considering the relative merits of a number of factors before making a decision. E.g. a work-life balance policy.
Objective decisions are usually operational in nature and can be objectively tested. E.g. a password policy.
Types of Policies (in general)
In general, policies can be of the following types:
Regulatory Policy
Advisory Policy
Informative Policy
Regulatory Policy
These kinds of policies are a must for an organization owing to compliance, regulation or other legal requirements prevalent in the organization's operating environment.
E.g. staff teaching a PG course must have a certain qualification.
These are very detailed and specific to the industry in which the business organization operates.
Regulatory Policy
The purposes of a regulatory policy are:
Ensuring that an organization follows the standard procedure or base practices of an operation in its specific industry.
Giving an organization the confidence that it is following the standard and accepted industry policy.
Advisory Policy (good to follow)
These are not mandatory but are strongly recommended.
Normally the consequences of not following them are defined.
E.g. a business conduct guidelines policy, which if not followed may result in job termination.
Organizations expect employees to treat these as mandatory policies.
Many policies fall under this broad category.
Informative policy
These are simply to inform the reader.
There are no implied or specified requirements.
The audience can be an internal entity or an external party.
Information Security Policy
Need of the Policy
A quality information security program is all about having good policies in place, i.e. from start to end.
Policies contribute to the success of the organization.
Policies form important reference documents for:
Conducting internal audits
Resolving legal disputes about the management
Information Security Policy
A security policy is a preventative mechanism for
protecting important company data and
processes.
It communicates a coherent (logical) security
standard to users, management and technical
staff.
A policy can be used to measure the relative security
of current systems.
A policy is important for defining interfaces to
external partners.
There are mandatory legal requirements as regards
protection of customer and employee data.
A policy is a prerequisite to quality control (ISO 900x).
Information Security Policy
The ISP sets the strategic direction and scope for all the organization's security efforts.
It assigns responsibilities for information security such as the maintenance of information security policies and practices, and the responsibilities of other users.
The ISP states the importance of InfoSec in achieving the organization's mission and objectives.
Information Security Policy
A good ISP must include:
Statement of purpose: outlines scope and applicability, i.e. what is the purpose of this policy and who is responsible for implementation.
Security elements
Need for information security
Roles and responsibilities
Reference to other standards and guidelines
Information Security Policy
The success of an information security program lies in policy development, i.e. it depends on how policies are defined and how they are implemented.
What is policy?
Policies are statements of management's intentions and goals.
A policy is a plan or course of action intended to influence and determine decisions, actions and other matters.
Information Security Policy
This can be an organization's email policy:
1. Email policy coverage:
Confidentiality of information disclosed through email communication.
Sender's responsibility for the contents of the emails.
Disclosure of sensitive information such as passwords, PINs and credit card details.
2. Appropriate use of email:
Employees working for the organization should use the email facility for business purposes only.
No obscene or profane message should be sent through email.
The size of attachments should be restricted to within the approved limit.
Information Security Policy
This can be an organization's email policy (continued):
3. Management's authority on email:
The management reserves the right to monitor the use of email.
The management could store email for retrieval at a later date for legal purposes.
Password policy
The policy on passwords can define multiple attributes such as:
1. Whether the user ID and password can match
2. Maximum occurrences of consecutive characters
3. Maximum lifetime of the password
4. Minimum length of the password
5. Whether a user's previous passwords can be reused
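The five attributes above are exactly the kind of objectively testable rules the earlier slide contrasts with subjective policies. Below is an added example, not from the lecture, that checks a candidate password against all five; the thresholds (8 characters, at most 2 consecutive identical characters, 90-day lifetime, 5 remembered passwords) and the sample history are constructed assumptions, and a real deployment would take them from the organisation's policy document.

```python
"""Added example (not from the lecture): a checker for the five password-policy
attributes listed in the notes. All thresholds and sample data are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib


def _fingerprint(password: str) -> str:
    # Old passwords are kept as digests so the history never holds them in clear.
    # A production store would use a salted, slow hash (bcrypt/argon2id);
    # SHA-256 is used here only to keep the example dependency-free.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _longest_run(password: str) -> int:
    """Length of the longest run of one repeated character, e.g. 'aaab' -> 3."""
    longest = run = 0
    prev = None
    for ch in password:
        run = run + 1 if ch == prev else 1
        longest = max(longest, run)
        prev = ch
    return longest


@dataclass
class PasswordPolicy:
    user_id_may_match: bool = False   # 1. whether user ID and password can match
    max_consecutive: int = 2          # 2. max occurrences of consecutive characters
    max_lifetime_days: int = 90       # 3. maximum lifetime of the password
    min_length: int = 8               # 4. minimum length of the password
    history_depth: int = 5            # 5. how many previous passwords are barred

    def violations(self, user_id: str, password: str, history=()) -> list:
        """Return every rule the candidate breaks; an empty list means acceptable."""
        problems = []
        if not self.user_id_may_match and password.lower() == user_id.lower():
            problems.append("password matches user ID")
        if _longest_run(password) > self.max_consecutive:
            problems.append("too many consecutive identical characters")
        if len(password) < self.min_length:
            problems.append("shorter than minimum length")
        recent = list(history)[-self.history_depth:]   # only the last N count
        if _fingerprint(password) in recent:
            problems.append("reuses a previous password")
        return problems

    def is_expired(self, set_on: date, today: date) -> bool:
        """Rule 3: the password must be changed once its lifetime has passed."""
        return (today - set_on) > timedelta(days=self.max_lifetime_days)


POLICY = PasswordPolicy()
# Constructed history: digests of the user's last two passwords
HISTORY = [_fingerprint("Winter2023!x"), _fingerprint("Spring2024!x")]
TODAY = date(2024, 6, 1)          # constructed reference date
SET_LONG_AGO = date(2024, 1, 1)   # constructed: 152 days before TODAY
SET_RECENTLY = date(2024, 4, 1)   # constructed: 61 days before TODAY

if __name__ == "__main__":
    for candidate in ("alice", "aaab1234", "Spring2024!x", "Tr0ub4dor&3"):
        print(candidate, "->", POLICY.violations("alice", candidate, HISTORY) or "ok")
    print("expired:", POLICY.is_expired(SET_LONG_AGO, TODAY))
```

Each rule reports separately rather than stopping at the first failure, so the user sees everything they must fix in one attempt, and the history comparison is done on digests so the check itself never needs the old passwords.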
Policy Mapping
Policies include procedures, standards, guidelines and baselines.
(Diagram) Laws, Regulations, Requirements, Organizational goals, Objectives -> General Organizational Policies -> Functional Policies -> Procedures, Standards, Guidelines, Baselines
Policy Mapping
Procedures are the detailed steps required to perform a specific task.
Standards describe the uniform use of specific technologies throughout the organization.
Guidelines are recommended methods (not compulsory) to perform a specific task.
E.g. use of OS, router configuration, applications
E.g. using anti-malware/antivirus software on all machines
Baselines are similar to standards but give a more detailed description of different OS and versions.
E.g. Windows 2007, Windows 2008, Red Hat Enterprise Linux 5.
Security Policy Life Cycle
Investigate
Analyze
Design a blueprint for security
Design planning for continuity
Implement
Maintain
Security Policy Life Cycle
Investigation Phase
It has the support of senior management.
Has the support and active involvement of IT management.
Defines a clear articulation of goals.
Includes the participation of the affected communities of interest.
Defines a detailed outline of the scope of the policy development project.
Security Policy Life Cycle
The Analysis phase produces the following:
A new risk assessment or IT audit document specifying the information security needs
Key reference materials, including existing policies
Design Phase
It contains the initial design framework, which after refinement turns into the blueprint.
Users or organization members acknowledge what they have received by signing and dating a form.
Security Policy Life Cycle
Implementation Phase
The policy development team writes policies by using various resources:
The Web
Government sites such as NIST
Professional literature
Peer networks
Professional consultants
Maintenance Phase
The policy development team is responsible for monitoring, maintaining and modifying the policy.
Types of Information Security
Policies
Management defines three types of policies
1. General or Security program policies
2. Issue-specific security policies
3. System-specific security policies
Types of Information Security
Policies
General Security Program Policy (SPP)
The SPP is also called the general security policy, IT security policy or information security policy.
The SPP is used to set the strategic direction, scope and tone for all security tasks within the organization.
The Chief Inspection Officer (CIO) has the responsibility of drafting the executive-level document.
Normally 2 to 10 pages long.
Types of Information Security
Policies
Issue-specific security policies (ISSP)
This contains the issue statement on the organization's position on an issue.
It addresses specific areas of technology and requires frequent updates.
The ISSP ensures a common understanding of the purposes for which an employee can and cannot use a technology.
Types of Information Security
Policies
Issue-specific security policies (ISSP), continued
Protects both the employee and the organization from facing inefficiency and ambiguity.
It motivates the use of technology-based systems.
It protects the organization against liability for an employee's illegal use of the system.
E.g. a non-disclosure agreement.
Types of Information Security
Policies
Three approaches for creating/managing ISSPs are:
Create a number of independent issue-specific documents tailored to specific issues.
Create a single comprehensive document covering all issues.
Create a modular document unifying overall policy creation/management while addressing specific details with respect to individual issues.
Components of ISSP
Policy Statement
This outlines the scope and applicability, i.e. what is the purpose and who is responsible for implementation.
It also defines the technologies used.
Authorized access and usage of equipment
It states that the user has no particular rights of use apart from those specified in the policy.
Specifies who can use the technology mentioned in the policy and for what purpose it can be used. E.g. cameras provided by the college cannot be used for personal purposes.
Users have no general rights to use the equipment other than for the organization's purposes.
Components of ISSP
Prohibited usage of equipment
Specifies common prohibitions such as criminal use, personal use, disruptive use of the computer, and use of copyrighted or licensed data.
Systems Management
Defines the responsibilities of users and administrators.
This includes management of stored material, managing employees, virus protection, encryption of data and physical security.
Components of ISSP
Policy violations
Specifies penalties for each kind of policy violation.
Also mentions procedures for reporting policy violations.
Policy review and modification
Specifies procedures and a timetable for policy review, i.e. how frequently it should be modified.
Components of ISSP
Limitations of liability
Includes a statement of liability or disclaimers.
E.g. if an employee is caught doing illegal activities with the organization's data or any other assets, they will not be protected by the organization for violating the company policy.
System-specific security policies
While ISPs are known for writing documents and making users aware of them, SysSPs specify the standards and procedures used for configuring and maintaining systems.
SysSPs are mostly technical.
They provide guidance and state procedures for configuring specific systems, technologies and applications.
System-specific security policies
System configuration includes:
Intrusion detection system configuration
Firewall configuration
Workstation configuration
System-specific security policies
SysSPs can be categorized into two groups:
1. Access Control Lists (ACLs):
This consists of access control lists, matrices and capability tables controlling the rights and privileges of a particular user to a particular system.
2. Configuration Rules:
This consists of specific configuration codes entered into security systems, which govern the system's execution.
Configuration rules are more specific to the system's operation than ACLs.
These rules define specific configuration scripts, which guide the operating system on what actions to perform on each set of information it processes.
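The first SysSP group names three representations of the same rights: the access control matrix, the per-object ACL (a column of the matrix) and the per-subject capability table (a row). The following added example, not from the lecture, builds all three from one constructed matrix and shows the practical difference between them: revoking everything about one object is a single step with ACLs, while revoking everything a departing user holds is a single step with capabilities. Subjects, objects and rights are constructed.

```python
"""Added example (not from the lecture): one set of rights expressed as an
access control matrix, as per-object ACLs and as per-subject capability tables,
plus the access check and the two revocation operations each form makes easy.
Subjects, objects and rights are constructed."""

# Constructed access control matrix: subject -> object -> set of rights
MATRIX = {
    "alice":      {"payroll.db": {"read", "write"}, "web.log": {"read"}},
    "bob":        {"web.log": {"read", "write"}},
    "backup-svc": {"payroll.db": {"read"}, "web.log": {"read"}},
}


def acl(matrix: dict, obj: str) -> dict:
    """Column of the matrix: who may do what to one object (kept with the object)."""
    return {subj: set(row[obj]) for subj, row in matrix.items() if obj in row}


def capabilities(matrix: dict, subj: str) -> dict:
    """Row of the matrix: what one subject may do (carried with the subject)."""
    return {obj: set(rights) for obj, rights in matrix.get(subj, {}).items()}


def all_acls(matrix: dict) -> dict:
    """The whole matrix re-expressed object by object, as a system stores ACLs."""
    objects = {obj for row in matrix.values() for obj in row}
    return {obj: acl(matrix, obj) for obj in objects}


def permitted(matrix: dict, subj: str, obj: str, right: str) -> bool:
    """The reference-monitor check: unknown subjects and objects are denied."""
    return right in matrix.get(subj, {}).get(obj, set())


def revoke_object(matrix: dict, obj: str) -> dict:
    """Natural with ACLs: one object's list is dropped; every row loses that column."""
    return {s: {o: set(r) for o, r in row.items() if o != obj}
            for s, row in matrix.items()}


def revoke_subject(matrix: dict, subj: str) -> dict:
    """Natural with capabilities: one subject's row is dropped. With ACLs the same
    revocation means searching every object's list for that subject."""
    return {s: {o: set(r) for o, r in row.items()}
            for s, row in matrix.items() if s != subj}


if __name__ == "__main__":
    print("ACL for payroll.db:", acl(MATRIX, "payroll.db"))
    print("capabilities of bob:", capabilities(MATRIX, "bob"))
    print("bob reads payroll?", permitted(MATRIX, "bob", "payroll.db", "read"))
    print("after bob leaves:", all_acls(revoke_subject(MATRIX, "bob")))
```

Both derived forms are views, so a system that stores only ACLs (most file systems) answers "what can this user reach?" only by scanning every object; that is why offboarding reviews and least-privilege audits are easier when a capability-style view of each subject is also maintained.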
Policy Infrastructure
The foundations for information security are the information security policy and standards.
The major information security functions are:
1. Information protection
2. Control the access to information
3. Administer (monitor) the users
Policy Infrastructure
(Diagram) Information Protection, Control Access, Administer Users and Manage Security all rest on the Information Security Policies and Standards.
Policy Design Life Cycle
First, identify the information security goals and the Cabinet goals. Then form the policy.
The policy should include standards, procedures and guidelines.
Make users aware of all of these so that they can do their job securely.
Only once the users' actions are secured can complete information security be achieved.
Policy Design Life Cycle
(Diagram) Cabinet Goal -> IS Goal -> Policy -> Standards, Procedures, InfoSec Guidelines -> Awareness -> Action
Policy Design Processes
Policy life cycle can be designed by using 10 -step
approach, each step allows the designing of
policy.
1. Collect Background Information
2. Perform Risk Assessment
3. Create a Policy Review Board
4. Develop the Information Security Plan
5. Develop IS Policies, Standards and guidelines
6. Implement Policies and Standards
7. Awareness and Training
8. Monitor for Compliance
9. Evaluate policy Effectiveness
10. Modify the Policy
Policy Design 10 step approach
1. Collect Background Information
Based on the existing policy, identify what procedures and guidelines are to be included in the new policy.
Determine the different levels of control which will need access to the confidential information.
Decide who should design the policy, e.g. top management or anyone related to law.
Policy Design 10 step approach
2. Perform Risk Assessment
Validate the policy against any possible risks.
Identify the risky and complex functions.
Identify the difficult processes.
Identify the confidential data and the possible risks associated with it.
Analyze the possible vulnerabilities.
Policy Design - 10 step approach
3. Create a Policy Review Board
Determine the policy Development Process
Write the initial draft
Send the draft to Review Board for their
Comments and Suggestions
Modify draft to incorporate the suggestions
Resolve the issues (if any) face to face.
Submit the updated Draft Policy to the
Cabinet for approval
Policy Design - 10 step approach
4. Develop Information Security Plan
Determine the organizational goals.
Define the various roles and responsibilities.
Notify users of information about the directions specified in the policy.
Establish a foundation for compliance, risk assessment and audit of information security.
Policy Design - 10 step approach
5. Develop IS Policies, Standards and Guidelines
Policies: these are high-level statements written by the Board of Directors that notify workers about who is responsible for making any type of decision.
Standards: these are requirement statements that depict specific technical specifications.
Guidelines: these are recommendations which can be included in the policy.
Policy Design - 10 step approach
6. Implement Policies and Standards
Notify and distribute the policy amongst users.
Have users agree to the policy before accessing the confidential system.
Enforce the controls to meet the policy.
7. Awareness and Training
Make the system users aware of their expected behavior.
Train users about how and when.
Training will help to minimize information loss and theft.
It also reduces the need for strict controls.
Policy Design - 10 step approach
8. Monitor for compliance
Security management is required for establishing controls on information.
Security management must review the status of controls regularly.
Implement the user contracts (i.e. code of conduct).
Establish effective authorization approval.
Conduct internal review processes.
Conduct internal audit reviews.
Policy Design - 10 step approach
9. Evaluate Policy Effectiveness
Evaluate the policy for any problems.
Document the policy regularly.
Report it to management.
10. Modify the Policy
Modifications are necessary to incorporate changes like:
Upcoming technology
New threats
New goals or modified existing goals
Changes in the standard
Changes in law
Failure of the existing policy
Sample Policy