MANAKULA VINAYAGAR INSTITUTE OF TECHNOLOGY
DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING
SUBJECT NAME: INFORMATION SECURITY
SUBJECT CODE: CS T83
Prepared By:
Mr.S.BALAJI AP/CSE
Verified by: Approved by:
UNIT- IV
LOGICAL DESIGN: Blueprint for Security - Information Security Policy -
Standards and Practices - ISO 17799/BS 7799 - NIST Models - VISA
International Security Model - Design of Security Architecture - Planning for
Continuity.
INFORMATION SECURITY Page|1
DEPARTMENT OF CSE
MANAKULA VINAYAGAR INSTITUTE OF TECHNOLOGY
INFORMATION SECURITY POLICY, STANDARDS, AND PRACTICES
A policy is a plan or course of action that conveys instructions from an organization’s
senior management to those who make decisions, take actions, and perform other duties.
Policies are organizational laws in that they dictate acceptable and unacceptable behavior
within the organization.
Like laws, policies define what is right, what is wrong, what the penalties are for violating
policy, and what the appeal process is. Standards, on the other hand, are more detailed
statements of what must be done to comply with policy. They have the same requirements
for compliance as policies.
Standards may be informal or part of an organizational culture, as in de facto
standards. Or standards may be published, scrutinized, and ratified by a group, as in
formal or de jure standards. Finally, practices, procedures, and guidelines effectively
explain how to comply with policy.
Figure shows policies as the force that drives standards, which in turn drive practices,
procedures, and guidelines.
Policies, Standards, and Practices
Policies are put in place to support the mission, vision, and strategic planning of an
organization. The mission of an organization is a written statement of an organization’s
purpose. The vision of an organization is a written statement about the organization’s goals.
Strategic planning is the process of moving the organization toward its vision.
The security policy depends on the context in which it is used. Governmental
agencies view security policy in terms of national security and national policies to deal with
foreign states. A security policy can also communicate a credit card agency’s method for
processing credit card numbers. In general, a security policy is a set of rules that protect an
organization’s assets. An information security policy provides rules for the protection of
the information assets of the organization.
Management must define three types of security policy, according to the National Institute
of Standards and Technology’s Special Publication 800-14:
1. Enterprise information security policies
2. Issue-specific security policies
3. Systems-specific security policies
For a policy to be effective and thus legally enforceable, it must meet the following criteria:
Dissemination (distribution) — The organization must be able to demonstrate that
the policy has been made readily available for review by the employee. Common
dissemination techniques include hard copy and electronic distribution.
Review (reading) — The organization must be able to demonstrate that it disseminated
the document in an intelligible form, including versions for illiterate, non-English
reading, and reading-impaired employees. Common techniques include recording the
policy in English and other languages.
Comprehension (understanding) — The organization must be able to demonstrate
that the employee understood the requirements and content of the policy. Common
techniques include quizzes and other assessments.
Compliance (agreement) — The organization must be able to demonstrate that the
employee agrees to comply with the policy, through act or affirmation. Common
techniques include logon banners which require a specific action (mouse click or
keystroke) to acknowledge agreement, or a signed document clearly indicating the
employee has read, understood, and agreed to comply with the policy.
Uniform enforcement — The organization must be able to demonstrate that the policy
has been uniformly enforced, regardless of employee status or assignment.
Enterprise Information Security Policy (EISP)
An Enterprise Information Security Policy (EISP) is also known as a general
security policy, organizational security policy, IT security policy, or information security
policy. The EISP is based on and directly supports the mission, vision, and direction of the
organization and sets the strategic direction, scope, and tone for all security efforts. The
EISP is an executive level document, usually drafted by or in cooperation with the chief
information officer of the organization. This policy is usually two to ten pages long and
shapes the philosophy of security in the IT environment. The EISP usually needs to be
modified only when there is a change in the strategic direction of the organization.
The EISP guides the development, implementation, and management of the security
program. It sets out the requirements that must be met by the information security
blueprint or framework. It defines the purpose, scope, constraints, and applicability of the
security program. It also assigns responsibilities for the various areas of security, including
systems administration, maintenance of the information security policies, and the practices
and responsibilities of the users. Finally, it addresses legal compliance.
According to the National Institute of Standards and Technology (NIST), the EISP typically
addresses compliance in the following two areas:
1. General compliance to ensure meeting the requirements to establish a program and
the responsibilities assigned therein to various organizational components.
2. The use of specified penalties and disciplinary action.
When the EISP has been developed, the CISO begins forming the security team and
initiating the necessary changes to the information security program.
EISP Elements
The specifics of EISPs vary from organization to organization, but most EISP documents
should include the following elements:
An overview of the corporate philosophy on security
Information on the structure of the information security organization and individuals
who fulfill the information security role.
Fully articulated responsibilities for security that are shared by all members of the
organization (employees, contractors, consultants, partners, and visitors).
Fully articulated responsibilities for security that are unique to each role within the
organization.
Components of EISP
Issue-Specific Security Policy (ISSP)
As an organization executes various technologies and processes to support routine
operations, it must instruct employees on the proper use of these technologies and
processes.
In general, the issue-specific security policy, or ISSP,
(1) addresses specific areas of technology
(2) requires frequent updates, and
(3) contains a statement on the organization’s position on a specific issue.
An ISSP may cover the following topics, among others:
E-mail
Use of the Internet
Specific minimum configurations of computers to defend against worms and viruses
Prohibitions against hacking or testing organization security controls
Home use of company-owned computer equipment
Use of personal equipment on company networks
Use of telecommunications technologies (fax and phone)
Use of photocopy equipment
There are a number of approaches to creating and managing ISSPs within an organization.
Three of the most common are:
1. Independent ISSP documents, each tailored to a specific issue
2. A single comprehensive ISSP document covering all issues
3. A modular ISSP document that unifies policy creation and administration, while
maintaining each specific issue’s requirements
The independent ISSP document typically has a scattershot effect. Each department
responsible for a particular application of technology creates a policy governing its use,
management, and control. This approach may fail to cover all of the necessary issues and
can lead to poor policy distribution, management, and enforcement.
The single comprehensive ISSP is centrally managed and controlled. With formal
procedures for the management of ISSPs in place, the comprehensive policy approach
establishes guidelines for overall coverage of necessary issues and clearly identifies
processes for the dissemination, enforcement, and review of these guidelines. Usually,
these policies are developed by those responsible for managing the information technology
resources. Unfortunately, these policies tend to overgeneralize the issues and skip over
vulnerabilities.
The optimal balance between the independent and comprehensive ISSP is the
modular ISSP. It is also centrally managed and controlled but is tailored to the individual
technology issues. The modular approach provides a balance between issue orientation and
policy management. The policies created with this approach comprise individual modules,
each created and updated by people responsible for the issues addressed. These people
report to a central policy administration group that incorporates specific issues into an
overall comprehensive policy.
Components of an ISSP
1. Statement of policy
a. Scope and applicability
b. Definition of technology addressed
c. Responsibilities
2. Authorized access and usage of equipment
a. User access
b. Fair and responsible use
c. Protection of privacy
3. Prohibited usage of equipment
a. Disruptive use or misuse
b. Criminal use
c. Offensive or harassing materials
d. Copyrighted, licensed, or other intellectual property
e. Other restrictions
4. Systems management
a. Management of stored materials
b. Employer monitoring
c. Virus protection
d. Physical security
e. Encryption
5. Violations of policy
a. Procedures for reporting violations
b. Penalties for violations
6. Policy review and modification
a. Scheduled review of policy procedures for modification
b. Legal disclaimers
7. Limitations of liability
a. Statements of liability
b. Other disclaimers as needed
Systems-Specific Policy (SysSP)
While issue-specific policies are formalized as written documents readily identifiable
as policy, system-specific security policies (SysSPs) sometimes have a different look. SysSPs
often function as standards or procedures to be used when configuring or maintaining
systems. For example, a SysSP might describe the configuration and operation of a network
firewall. This document could include a statement of managerial intent; guidance to
network engineers on the selection, configuration, and operation of firewalls; and an access
control list that defines levels of access for each authorized user.
SysSPs can be separated into two general groups, managerial guidance and
technical specifications, or they can be combined into a single policy document.
Managerial Guidance SysSPs
A managerial guidance SysSP document is created by management to guide the
implementation and configuration of technology as well as to address the behavior of people
in the organization in ways that support the security of information.
For example, while the method for implementing a firewall belongs in the technical
specifications SysSP, the firewall’s configuration must follow guidelines established by
management. An organization might not want its employees to access the Internet via the
organization’s network, for instance; in that case, the firewall should be implemented
accordingly.
Firewalls are not the only technology that may require system-specific policies. Any
system that affects the confidentiality, integrity, or availability of information must be
assessed to evaluate the trade-off between improved security and restrictions.
System-specific policies can be developed at the same time as ISSPs, or they can be
prepared in advance of their related ISSPs. Before management can craft a policy informing
users what they can do with the technology and how they are supposed to do it, it might be
necessary for system administrators to configure and operate the system. Some
organizations may prefer to develop ISSPs and SysSPs in tandem, so that operational
procedures and user guidelines are created simultaneously.
Technical Specifications SysSPs
While a manager can work with a systems administrator to create managerial policy as
described in the preceding section, the system administrator may in turn need to create a
policy to implement the managerial policy. Each type of equipment requires its own set of
policies, which are used to translate the management intent for the technical control into an
enforceable technical approach. For example, an ISSP may require that user passwords be
changed quarterly; a systems administrator can implement a technical control within a
specific application to enforce this policy.
There are two general methods of implementing such technical controls:
access control lists, and
configuration rules.
Access Control Lists
Access control lists (ACLs) consist of the user access lists, matrices, and capability
tables that govern the rights and privileges of users. ACLs can control access to file storage
systems, software components, or network communications devices. A capabilities table
specifies which subjects and objects users or groups can access; in some systems,
capabilities tables are called user profiles or user policies.
These specifications frequently take the form of complex matrices, rather than simple
lists or tables. The access control matrix includes a combination of tables and lists, such
that organizational assets are listed along the column headers, while users are listed along
the row headers. The resulting matrix contains ACLs in columns for a particular device or
asset, and capability tables in rows for a particular user.
In general, ACLs regulate the following:
Who can use the system
What authorized users can access
When authorized users can access the system
Where authorized users can access the system from
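The access control matrix described above (assets as columns, users as rows, so that each column is an ACL and each row is a capability table) and the four questions an ACL answers (who, what, when, where) can be shown as working code. This is an added example, not code from the course notes; the users, assets, hours and networks are constructed sample data.

```python
"""Access control matrix with an ACL (column) view and a capability-table (row) view,
plus a default-deny check covering who / what / when / where.
Added example; all subjects, assets and rights below are constructed sample data."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass
class Entry:
    rights: frozenset                               # what: e.g. {"read", "write"}
    hours: tuple = (time(0, 0), time(23, 59, 59))   # when: permitted window
    networks: tuple = ("0.0.0.0/0",)                # where: permitted source networks


class AccessControlMatrix:
    def __init__(self):
        self._m = {}  # (subject, asset) -> Entry

    def grant(self, subject, asset, rights, hours=None, networks=None):
        entry = Entry(frozenset(rights))
        if hours:
            entry.hours = hours
        if networks:
            entry.networks = tuple(networks)
        self._m[(subject, asset)] = entry

    def acl(self, asset):
        """Column view: every subject holding rights on one asset (the asset's ACL)."""
        return {s: e.rights for (s, a), e in self._m.items() if a == asset}

    def capabilities(self, subject):
        """Row view: every asset one subject can reach (the subject's capability table)."""
        return {a: e.rights for (s, a), e in self._m.items() if s == subject}

    def check(self, subject, asset, right, at, src_ip):
        """Deny by default. The subject must appear in the matrix (who), hold the right
        (what), be inside the permitted hours (when) and come from a permitted network
        (where); the first failing test is reported so an audit log can record why."""
        e = self._m.get((subject, asset))
        if e is None:
            return False, "no entry"
        if right not in e.rights:
            return False, "right not granted"
        start, end = e.hours
        if not (start <= at <= end):
            return False, "outside permitted hours"
        if not any(ip_address(src_ip) in ip_network(n) for n in e.networks):
            return False, "source network not permitted"
        return True, "allowed"


def build_sample_matrix():
    """Constructed sample: two users, two assets. Hypothetical names, not a real site."""
    m = AccessControlMatrix()
    m.grant("alice", "payroll-db", {"read", "write"},
            hours=(time(8, 0), time(18, 0)), networks=["10.0.0.0/8"])
    m.grant("alice", "file-server", {"read"})
    m.grant("bob", "payroll-db", {"read"}, networks=["10.0.0.0/8"])
    return m


if __name__ == "__main__":
    m = build_sample_matrix()
    print("ACL for payroll-db:", m.acl("payroll-db"))
    print("capabilities of alice:", m.capabilities("alice"))
    print(m.check("alice", "payroll-db", "write", time(10, 0), "10.1.2.3"))
    print(m.check("alice", "payroll-db", "write", time(22, 0), "10.1.2.3"))
    print(m.check("alice", "payroll-db", "write", time(10, 0), "203.0.113.5"))
    print(m.check("bob", "payroll-db", "write", time(10, 0), "10.1.2.3"))
    print(m.check("carol", "payroll-db", "read", time(10, 0), "10.1.2.3"))
```

The same table is read two ways: `acl()` slices a column to answer "who may touch this asset", `capabilities()` slices a row to answer "what may this user touch", which is exactly why the notes describe the matrix as ACLs in columns and capability tables in rows. The check is ordered so that a missing entry is the first thing reported, since an absent row is the most common reason for a denial.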
Configuration Rule Policies
Configuration rule policies are the specific instructions that govern how a security
system reacts to the data it receives. Rule-based policies are more specific to the operation
of a system than ACLs are, and they may or may not deal with users directly.
Many security systems, for example firewalls, intrusion detection and prevention
systems (IDPSs), and proxy servers, use specific configuration scripts that represent the
configuration rule policy to determine how the system handles each data element they
process.
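As an added example (not from the course notes), the following code shows a configuration rule policy of the kind a firewall evaluates: an ordered rule list that turns the managerial intent mentioned earlier ("employees may not reach the Internet through the organization's network") into first-match rules with a default deny, plus a check for rules that can never fire because an earlier rule already covers them. The rule set, addresses and packets are constructed sample data.

```python
"""First-match firewall rule evaluation with default deny, and a shadowed-rule check.
Added example; rules, networks and packets are constructed, not a real configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source network in CIDR notation
    dst: str               # destination network in CIDR notation
    dport: Optional[int]   # destination port, None = any
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    dst_ip: str
    dport: int


def matches(rule, pkt):
    return (rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src_ip) in ip_network(rule.src)
            and ip_address(pkt.dst_ip) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules, pkt):
    """The first matching rule decides; a packet no rule matches is denied.
    Returns (action, index of the deciding rule or None for the implicit deny)."""
    for i, r in enumerate(rules):
        if matches(r, pkt):
            return r.action, i
    return "deny", None


def shadowed_rules(rules):
    """Conservative check: a later rule is reported as shadowed when an earlier rule
    has an equal-or-wider protocol and port and contains both of its networks, so
    every packet the later rule would match is already decided earlier. Returns
    (shadowed index, shadowing index) pairs."""
    out = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if (earlier.proto in ("any", later.proto)
                    and ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and (earlier.dport is None or earlier.dport == later.dport)):
                out.append((j, i))
                break
    return out


def policy():
    """Constructed rule set for a hypothetical LAN 10.0.0.0/8: internal HTTPS and DNS
    are allowed, everything else from the LAN (including the Internet) is denied."""
    return [
        Rule("allow", "tcp", "10.0.0.0/8", "10.0.0.0/8", 443, "internal web apps"),
        Rule("allow", "udp", "10.0.0.0/8", "10.0.0.53/32", 53, "internal resolver"),
        Rule("deny", "any", "10.0.0.0/8", "0.0.0.0/0", None, "no Internet from LAN"),
    ]


def misordered_policy():
    """Same intent, wrong order: the broad allow makes the deny unreachable."""
    return [
        Rule("allow", "any", "10.0.0.0/8", "0.0.0.0/0", None, "too broad"),
        Rule("deny", "tcp", "10.0.0.0/8", "0.0.0.0/0", None, "never evaluated"),
    ]


if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.1.1.5", "10.2.2.2", 443),
                Packet("tcp", "10.1.1.5", "198.51.100.7", 443),
                Packet("udp", "10.1.1.5", "10.0.0.53", 53),
                Packet("tcp", "192.168.5.5", "10.2.2.2", 443)):
        print(pkt, "->", evaluate(policy(), pkt))
    print("shadowed in misordered policy:", shadowed_rules(misordered_policy()))
```

Rule order is the whole policy: in `misordered_policy()` the deny that carries the managerial intent is still present in the file yet can never decide a packet, and `shadowed_rules()` is the kind of check a review of a technical specifications SysSP should run before the configuration is deployed.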
Security Policy Management
Policies are living documents that must be managed. It is unacceptable to create
such an important set of documents and then shelve it. These documents must be properly
disseminated (distributed, read, understood, agreed to, and uniformly applied) and
managed. How they are managed should be specified in the policy management section of
the issue-specific policy described earlier. Good management practices for policy
development and maintenance make for a more resilient organization.
For example, all policies, including security policies, undergo tremendous stress
when corporate mergers and divestitures occur; in such situations, employees are faced
with uncertainty and many distractions. System vulnerabilities can arise if, for instance,
incongruent security policies are implemented in different parts of a new, merged
organization. When two companies merge but retain separate policies, the difficulty of
implementing security controls increases. Likewise, when one company with unified policies
splits in two, each new company may require different policies.
To remain viable, security policies must have
a responsible individual,
a schedule of reviews,
a method for making recommendations for reviews, and
a policy issuance and revision date.
Responsible Individual
Just as information systems and information security projects must have champions
and managers, so must policies. The policy champion and manager is called the policy
administrator. Typically the policy administrator is a midlevel staff member and is
responsible for the creation, revision, distribution, and storage of the policy.
Schedule of Reviews
Policies can only retain their effectiveness in a changing environment if they are
periodically reviewed for currency and accuracy and modified accordingly. Policies that are
not kept current can become liabilities, as outdated rules are enforced and new
requirements are ignored. In order to demonstrate due diligence, an organization must
actively seek to meet the requirements of the market in which it operates. This applies to
both public (government, academic, and nonprofit) and private (commercial and for-profit)
organizations. A properly organized schedule of reviews should be defined and published as
part of the document. Typically a policy should be reviewed at least annually to ensure that
it is still an effective control.
Review Procedures and Practices
To facilitate policy reviews, the policy manager should implement a mechanism by
which individuals can comfortably make recommendations for revisions, whether via e-mail,
office mail, or an anonymous drop box. If the policy is controversial, anonymous submission
of recommendations may be the best way to encourage staff opinions. Many employees are
intimidated by management and hesitate to voice honest opinions about a policy unless they
can do so anonymously.
Once the policy has come up for review, all comments should be examined and
management-approved improvements should be implemented. In reality, most policies are
drafted by a single responsible individual and are then reviewed by a higher-level manager.
But even this method does not preclude the collection and review of employee input.
Policy and Revision Date
The simple action of dating the policy is often omitted. When policies are drafted and
published without dates, confusion can arise. If policies are not reviewed and kept current,
or if members of the organization are following undated versions, disastrous results and
legal headaches can ensue. Such problems are particularly common in a high-turnover
environment. It is, therefore, important that the policy contain the date of origin, along with
the date(s) of any revisions. Some policies may also need a sunset clause indicating their
expiration date, particularly those that govern information use in short-term business
associations. Establishing a policy end date prevents a temporary policy from mistakenly
becoming permanent, and it also enables an organization to gain experience with a given
policy before adopting it permanently.
Automated Policy Management
Recent years have seen the emergence of a new category of software for the
management of information security policies. This type of software was developed in
response to needs articulated by information security practitioners. While many software
products can meet the need for a specific technical control, there is now software to meet
the need for automating some of the busywork of policy management. Automation can
streamline the repetitive steps of writing policy, tracking the workflow of policy approvals,
publishing policy once it is written and approved, and tracking when individuals have read
the policy. Using techniques from computer-based training and testing, organizations can
train staff members and also improve the organization’s awareness program.
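The policy management requirements set out above (a responsible individual, a review schedule of at least a year, issuance and revision dates, an optional sunset clause) and the acknowledgement tracking that automated policy management performs can be combined into a small policy register. This is an added example written for these notes, not a description of any real product; the policies, staff and dates are constructed sample data, and the reporting date is passed in so the result is reproducible.

```python
"""Policy register: flags undated, expired and overdue-for-review policies, and lists
staff whose acknowledgement predates the current revision.
Added example; every policy, employee and date below is constructed sample data."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Policy:
    name: str
    administrator: str                  # the responsible individual
    issued: Optional[date]              # date of origin; None models an undated policy
    revisions: list = field(default_factory=list)   # revision dates, oldest first
    review_every_days: int = 365        # notes: reviewed at least annually
    sunset: Optional[date] = None       # expiration date for a temporary policy

    def version_date(self):
        """The date of the version currently in force."""
        return self.revisions[-1] if self.revisions else self.issued


def policy_status(p, today):
    """An undated policy cannot be managed at all, so that is reported first; a passed
    sunset date outranks the review clock because an expired policy should not be
    enforced even if it was recently reviewed."""
    if p.issued is None:
        return "undated"
    if p.sunset is not None and today > p.sunset:
        return "expired"
    if (today - p.version_date()).days > p.review_every_days:
        return "review overdue"
    return "current"


def review_register(policies, today):
    return {p.name: policy_status(p, today) for p in policies}


def unacknowledged(p, staff, acks):
    """acks maps employee -> date of signed or click-through acknowledgement.
    Anyone with no acknowledgement, or one older than the current version, must
    re-acknowledge; this is the compliance evidence the notes call for."""
    v = p.version_date()
    return sorted(s for s in staff if acks.get(s) is None or acks[s] < v)


def sample_policies():
    """Constructed sample register (hypothetical names and dates)."""
    return [
        Policy("Acceptable Use", "j.doe", date(2023, 1, 10), [date(2023, 9, 1)]),
        Policy("Remote Access", "j.doe", date(2022, 3, 1)),
        Policy("Merger Data Handling", "a.roe", date(2024, 1, 1), sunset=date(2024, 3, 31)),
        Policy("Legacy Fax Use", "unknown", None),
    ]


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print(review_register(sample_policies(), today))
    aup = sample_policies()[0]
    acks = {"alice": date(2023, 10, 1), "bob": date(2023, 5, 1)}
    print("must re-acknowledge:", unacknowledged(aup, ["alice", "bob", "carol"], acks))
```

Note that bob is listed even though he acknowledged the policy: his signature predates the September revision, so he has agreed to a version that is no longer in force, which is the "following undated versions" problem the notes warn about.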
INFORMATION SECURITY BLUEPRINT
Once an organization has developed its information security policies and standards,
the information security community can begin developing the blueprint for the information
security program. If one or more components of policies, standards, or practices have not
been completed, management must determine whether or not to nonetheless proceed with
the development of the blueprint.
After the information security team has inventoried the organization’s information
assets and assessed and prioritized the threats to those assets, it must conduct a series of
risk assessments using quantitative or qualitative analyses, as well as feasibility studies and
cost benefit analyses.
These assessments, which include determining each asset’s current protection level,
are used to decide whether or not to proceed with any given control. Armed with a general
idea of the vulnerabilities in the information technology systems of the organization, the
security team develops a design blueprint for security, which is used to implement the
security program.
The security blueprint is the basis for the design, selection, and implementation of
all security program elements including policy implementation, ongoing policy
management, risk management programs, education and training programs, technological
controls, and maintenance of the security program. The security blueprint, built on top of
the organization’s information security policies, is a scalable, upgradeable, comprehensive
plan to meet the organization’s current and future information security needs.
The security framework is an outline of the overall information security strategy for the
organization and a roadmap for planned changes to the information security environment
of the organization.
To select a methodology in which to develop an information security blueprint, you
can adapt or adopt a published information security model or framework. This framework
can outline steps to take to design and implement information security in the organization.
There are a number of published information security frameworks, including ones from
government sources, which are presented later in this chapter. Because each information
security environment is unique, the security team may need to modify or adapt pieces from
several frameworks. Experience teaches you that what works well for one organization may
not precisely fit another.
ISO 17799/BS 7799
One of the most widely referenced security models is the Information Technology—
Code of Practice for Information Security Management, which was originally published as
British Standard BS7799. In 2000, this code of practice was adopted as an international
standard framework for information security by the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC
17799. The document was revised in 2005 (becoming ISO 17799:2005), and it was then
renamed to ISO 27002 in 2007, to align it with the document ISO 27001.
The stated purpose of ISO/IEC 27002 is to “give recommendations for information
security management for use by those who are responsible for initiating, implementing, or
maintaining security in their organization. It is intended to provide a common basis for
developing organizational security standards and effective security management practice
and to provide confidence in inter-organizational dealings.” Where ISO/IEC 27002 is
focused on a broad overview of the various areas of security, providing information on 127
controls over ten broad areas, ISO/IEC 27001 provides information on how to implement
ISO/IEC 27002 and how to set up an information security management system (ISMS).
BS7799:2 Major Process Steps
In the United Kingdom, correct implementation of these standards (both volumes), as
determined by a BS7799 certified evaluator, allowed organizations to obtain information
security management system (ISMS) certification and accreditation. When the standard
first came out, several countries, including the United States, Germany, and Japan, refused
to adopt it, claiming that there were fundamental problems, including:
The global information security community had not defined any justification for a
code of practice as identified in the ISO/IEC 17799.
ISO/IEC 17799 lacked “the necessary measurement precision of a technical standard.”
There was no reason to believe that ISO/IEC 17799 was more useful than any other
approach.
ISO/IEC 17799 was not as complete as other frameworks.
ISO/IEC 17799 was hurriedly prepared given the tremendous impact its adoption
could have on industry information security controls.
ISO/IEC 27002 is an interesting framework for information security, but aside from those
relatively few U.S. organizations that operate in the European Union.
ISO/IEC 27001:2005: The Information Security Management System
ISO/IEC 27001 provides implementation details using a Plan-Do-Check-Act cycle.
Plan-Do-Check-Act Cycle
Plan:
1. Define the scope of the ISMS.
2. Define an ISMS policy.
3. Define the approach to risk assessment.
4. Identify the risks.
5. Assess the risks.
6. Identify and evaluate options for the treatment of risk.
7. Select control objectives and controls.
8. Prepare a statement of applicability (SOA).
Do:
9. Formulate a risk treatment plan.
10. Implement the risk treatment plan.
11. Implement controls.
12. Implement training and awareness programs.
13. Manage operations.
14. Manage resources.
15. Implement procedures to detect and respond to security incidents.
Check:
16. Execute monitoring procedures.
17. Undertake regular reviews of ISMS effectiveness.
18. Review the level of residual and acceptable risk.
19. Conduct internal ISMS audits.
20. Undertake regular management review of the ISMS.
21. Record actions and events that impact an ISMS.
Act:
22. Implement identified improvements.
23. Take corrective or preventive action.
24. Apply lessons learned.
25. Communicate results to interested parties.
26. Ensure improvements achieve objectives.
BS7799:2—Plan-Do-Check-Act
While ISO/IEC 27001 provides some implementation information, it simply specifies what
must be done, not how to do it. As noted by Gamma Secure Systems, “The standard has
an appendix that gives guidance on the use of the standard, in particular to expand on the
Plan-Do-Check-Act concept. It is important to realize that there will be many Plan-Do-
Check-Act cycles within a single ISMS all operating asynchronously at different speeds.”
ISO/IEC 27001’s primary purpose is to enable organizations that adopt it to obtain
certification, and thus it serves better as an assessment tool than as an implementation
framework.
NIST SECURITY MODELS
Many documents are available from the Computer Security Resource Center of the
National Institute of Standards and Technology. Because the NIST documents are publicly
available at no charge and have been available for some time, they have been broadly
reviewed by government and industry professionals, and are among the references cited by
the federal government when it decided not to select the ISO/IEC 17799 standards.
The following NIST documents can assist in the design of a security framework:
SP 800-12: An Introduction to Computer Security: The NIST Handbook
SP 800-14: Generally Accepted Security Principles and Practices for Securing
Information Technology Systems
SP 800-18 Rev. 1: Guide for Developing Security Plans for Federal Information
Systems
SP 800-26: Security Self-Assessment Guide for Information Technology Systems
SP 800-30: Risk Management Guide for Information Technology Systems
NIST Special Publication SP 800-12
SP 800-12, An Introduction to Computer Security: The NIST Handbook, is an excellent reference
and guide for the security manager or administrator in the routine management of
information security. It provides little guidance, however, on design and implementation of
new security systems, and therefore should be used only as a precursor to understanding
an information security blueprint.
NIST Special Publication 800-14
Generally Accepted Principles and Practices for Securing Information Technology
Systems provides best practices and security principles that can direct the security team in
the development of a security blueprint. In addition to detailing security best practices
across the spectrum of security areas, it provides philosophical principles that the security
team should integrate into the entire information security process.
Table presents the table of contents of the NIST SP 800-14. The document can guide
the development of the security framework and should be combined with other NIST
publications providing the necessary structure to the entire security process.
2.1 Security Supports the Mission of the Organization: Failure to develop an
information security system based on the organization’s mission, vision, and culture
guarantees the failure of the information security program.
2.2 Security Is an Integral Element of Sound Management: Effective management
includes planning, organizing, leading, and controlling. Security enhances management
functions by providing input during the planning process for organizational initiatives.
Information security controls support sound management via the enforcement of both
managerial and security policies.
2.3 Security Should Be Cost-Effective: The costs of information security should be
considered part of the cost of doing business, much like the cost of the computers,
networks, and voice communications systems. These are not profit-generating areas of the
organization and may not lead to competitive advantages. Information security should
justify its own costs. The use of security measures that do not justify their cost must have a
strong business justification.
2.4 Systems Owners Have Security Responsibilities Outside Their Own
Organizations: Whenever systems store and use information from customers, patients,
clients, partners, or others, the security of this information becomes the responsibility of
the owner of the systems. Each system’s owners are expected to diligently work with those
who have systems that are interconnected with their own to assure the confidentiality,
integrity, and availability of the entire value chain of interconnected systems.
2.5 Security Responsibilities and Accountability Should Be Made Explicit: Policy
documents should clearly identify the security responsibilities of users, administrators, and
managers. To be legally binding, the policies must be documented, disseminated, read,
understood, and agreed to by all involved members of the organization.
2.6 Security Requires a Comprehensive and Integrated Approach: Security personnel
alone cannot effectively implement security. The three communities of interest (information
technology management and professionals, information security management and
professionals, and users, managers, administrators, and other stakeholders) should
participate in the process of developing a comprehensive information security program.
2.7 Security Should Be Periodically Reassessed: Information security that is
implemented and then ignored is considered negligent, the organization having not
demonstrated due diligence. Security is an ongoing process. To be effective against a
constantly shifting set of threats and a changing user base, the security process must be
periodically repeated. Continuous analyses of threats, assets, and controls must be
conducted and new blueprints developed. Only thorough preparation, design,
implementation, eternal vigilance, and ongoing maintenance can secure the organization’s
information assets.
2.8 Security Is Constrained by Societal Factors: There are a number of factors that
influence the implementation and maintenance of security. Legal demands, shareholder
requirements, even business practices affect the implementation of security controls and
safeguards. For example, security professionals generally prefer to isolate information
assets from the Internet, which is the leading avenue of threats to the assets, but the
business requirements of the organization may preclude this control measure.
NIST SP800-15 Table of Contents
2. Generally Accepted System Security Principles
2.1 Computer Security Supports the Mission of the Organization
2.2 Computer Security Is an Integral Element of Sound Management
2.3 Computer Security Should Be Cost-Effective
2.4 Systems Owners Have Security Responsibilities Outside Their Own Organizations
2.5 Computer Security Responsibilities and Accountability Should Be Made Explicit
2.6 Computer Security Requires a Comprehensive and Integrated Approach
2.7 Computer Security Should Be Periodically Reassessed
2.8 Computer Security Is Constrained by Societal Factors
3. Common IT Security Practices
3.1 Policy
3.1.1 Program Policy
3.1.2 Issue-Specific Policy
3.1.3 System-Specific Policy
3.1.4 All Policies
3.2 Program Management
3.2.1 Central Security Program
3.2.2 System-Level Program
3.3 Risk Management
3.3.1 Risk Assessment
3.3.2 Risk Mitigation
3.3.3 Uncertainty Analysis
3.4 Life Cycle Planning
3.4.1 Security Plan
3.4.2 Initiation Phase
3.4.3 Development/Acquisition Phase
3.4.4 Implementation Phase
3.4.5 Operation/Maintenance Phase
3.4.6 Disposal Phase
3.5 Personnel/User Issues
3.5.1 Staffing
3.5.2 User Administration
3.6 Preparing for Contingencies and Disasters
3.6.1 Business Plan
3.6.2 Identify Resources
3.6.3 Develop Scenarios
3.6.4 Develop Strategies
3.6.5 Test and Revise Plan
3.7 Computer Security Incident Handling
3.7.1 Uses of a Capability
3.7.2 Characteristics
3.8 Awareness and Training
3.9 Security Considerations in Computer Support and Operations
3.10 Physical and Environmental Security
3.11 Identification and Authentication
3.11.1 Identification
3.11.2 Authentication
3.11.3 Passwords
3.11.4 Advanced Authentication
3.12 Logical Access Control
3.12.1 Access Criteria
3.12.2 Access Control Mechanisms
3.13 Audit Trails
3.13.1 Contents of Audit Trail Records
3.13.2 Audit Trail Security
3.13.3 Audit Trail Reviews
3.13.4 Keystroke Monitoring
3.14 Cryptography
The following principles are drawn from “Principles for Securing Information Technology
Systems,” which is part of NIST SP 800-14.
1. Establish a sound security policy as the foundation for design.
2. Treat security as an integral part of the overall system design.
3. Clearly delineate the physical and logical security boundaries governed by associated
security policies.
4. Reduce risk to an acceptable level.
5. Assume that external systems are insecure.
6. Identify potential trade-offs between reducing risk and increased costs and decrease in
other aspects of operational effectiveness.
7. Implement layered security (ensure no single point of vulnerability).
8. Implement tailored system security measures to meet organizational security goals.
9. Strive for simplicity.
10. Design and operate an IT system to limit vulnerability and to be resilient in response.
11. Minimize the system elements to be trusted.
12. Implement security through a combination of measures distributed physically and
logically.
13. Provide assurance that the system is, and continues to be, resilient in the face of
expected threats.
14. Limit or contain vulnerabilities.
15. Formulate security measures to address multiple overlapping information domains.
16. Isolate public access systems from mission critical resources (e.g., data, processes,
etc.).
17. Use boundary mechanisms to separate computing systems and network infrastructures.
18. Where possible, base security on open standards for portability and interoperability.
19. Use common language in developing security requirements.
20. Design and implement audit mechanisms to detect unauthorized use and to support
incident investigations.
21. Design security to allow for regular adoption of new technology, including a secure and
logical technology upgrade process.
22. Authenticate users and processes to ensure appropriate access control decisions both
within and across domains.
23. Use unique identities to ensure accountability.
24. Implement least privilege.
25. Do not implement unnecessary security mechanisms.
26. Protect information while being processed, in transit, and in storage.
27. Strive for operational ease of use.
28. Develop and exercise contingency or disaster recovery procedures to ensure
appropriate availability.
29. Consider custom products to achieve adequate security.
30. Ensure proper security in the shutdown or disposal of a system.
31. Protect against all likely classes of “attacks.”
32. Identify and prevent common errors and vulnerabilities.
33. Ensure that developers are trained in how to develop secure software.
IETF SECURITY ARCHITECTURE
The Security Area Working Group acts as an advisory board for the protocols and
areas developed and promoted by the Internet Society and the Internet Engineering Task
Force (IETF). While the group endorses no specific information security architecture,
one of its requests for comment (RFCs), RFC 2196, addresses site security; its table of
contents follows.
RFC 2196: Site Security Handbook Table of Contents
1. Introduction
1.1 Purpose of this Work
1.2 Audience
1.3 Definitions
1.4 Related Work
1.5 Basic Approach
1.6 Risk Assessment
2. Security Policies
2.1 What Is a Security Policy and Why Have One?
2.2 What Makes a Good Security Policy?
2.3 Keeping the Policy Flexible
3. Architecture
3.1 Objectives
3.2 Network and Service Configuration
3.3 Firewalls
4. Security Services and Procedures
4.1 Authentication
4.2 Confidentiality
4.3 Integrity
4.4 Authorization
4.5 Access
4.6 Auditing
4.7 Securing Backups
5. Security Incident Handling
5.1 Preparing and Planning for Incident Handling
5.2 Notification and Points of Contact
5.3 Identifying an Incident
5.4 Handling an Incident
5.5 Aftermath of an Incident
5.6 Responsibilities
6. Ongoing Activities
7. Tools and Locations
8. Mailing Lists and Other Resources
9. References
SECURITY ARCHITECTURE
Spheres of Security
The spheres of security are the foundation of the security framework. The spheres of
security illustrate how information is under attack from a variety of sources. The sphere of
use, on the left-hand side of the figure, illustrates the ways in which people access information.
For example, people read hard copies of documents and can also access information
through systems.
Information, as the most important asset in this model, is at the center of the sphere.
Information is always at risk from attacks whenever it is accessible by people or computer
systems. Networks and the Internet are indirect threats, as exemplified by the fact that a
person attempting to access information from the Internet must traverse local networks.
The sphere of protection, on the right-hand side of the figure, illustrates that between each
layer of the sphere of use there must exist a layer of protection, represented in the figure by
the shaded bands. For example, the items labeled “Policy and law” and “Education and
training” are placed between people and the information.
Controls are also implemented between systems and the information, between networks
and the computer systems, and between the Internet and internal networks. This reinforces
the concept of defense in depth. A variety of controls can be used to protect the
information.
Levels of Controls
Information security safeguards provide three levels of control: managerial,
operational, and technical. Managerial controls are security processes that are
designed by strategic planners and implemented by the security administration of the
organization. Management controls set the direction and scope of the security process
and provide detailed instructions for its conduct, as well as addressing the design and
implementation of the security planning process and security program management.
Operational controls are management and lower-level planning functions that deal with
the operational functionality of security in the organization, such as disaster recovery and
incident response planning. Operational controls address personnel security, physical
security, and the protection of production inputs and outputs. In addition, operational
controls guide the development of education, training, and awareness programs for
users, administrators, and management. Finally, they address hardware and software
systems maintenance and the integrity of data.
Technical controls are the tactical and technical implementations of security in the
organization. While operational controls address specific operational issues, such as
developing and integrating controls into the business functions, technical controls are the
components put in place to protect an organization’s information assets. They include
logical access controls, such as identification, authentication, authorization,
accountability, cryptography, and the classification of assets and users.
Defense in Depth
One of the basic tenets of security architectures is the layered implementation of
security. This layered approach is called defense in depth. To achieve defense in depth, an
organization must establish multiple layers of security controls and safeguards, which can
be organized into policy, training and education, and technology.
While policy itself may not prevent attacks, it certainly prepares the organization to
handle them, and coupled with other layers, it can deter attacks. Technology is also
implemented in layers, with detection equipment working in tandem with reaction
technology, all operating behind access control mechanisms. Implementing multiple types
of technology, so that the failure of one system does not compromise the
security of information, is referred to as redundancy.
Redundancy can be implemented at a number of points throughout the security
architecture, such as in firewalls, proxy servers, and access controls.
Defense in Depth
Security Perimeter
A perimeter is the boundary of an area. A security perimeter defines the boundary
between the outer limit of an organization’s security and the beginning of the outside
world. A security perimeter is the level of security that protects all internal systems from
outside threats.
Within security perimeters the organization can establish security domains, or areas of
trust within which users can freely communicate. The assumption is that if individuals
have access to one system within a security domain, they have authorized access to all
systems within that particular domain.
Security Perimeters
Firewalls
A firewall is a device that selectively discriminates against information flowing into or
out of the organization. A firewall is usually a computing device or a specially configured
computer that allows or prevents access to a defined area based on a set of rules.
Firewalls are usually placed on the security perimeter, just behind or as part of a
gateway router.
While the gateway router’s primary purpose is to connect the organization’s systems to the
outside world, it too can be used as the front-line defense against attacks, as it can be
configured to allow only set types of protocols to enter.
There are a number of types of firewalls:
packet filtering,
stateful packet filtering,
proxy, and
application level.
A firewall can be a single device or a firewall subnet, which consists of multiple firewalls
creating a buffer between the outside and inside networks.
DMZs
A buffer against outside attacks is frequently referred to as a demilitarized zone
(DMZ). The DMZ is a no-man’s-land between the inside and outside networks; it is also
where some organizations place Web servers. These servers provide access to
organizational Web pages, without allowing Web requests to enter the interior networks.
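The perimeter, firewall types and DMZ described above, as an added example that is not part of these notes: a small Python model of a perimeter firewall separating an internal network, a DMZ and the Internet. The address ranges, ports, rules and packets are constructed for the illustration. It shows the difference between plain packet filtering and stateful packet filtering: the reply to a permitted connection is allowed only because the connection was recorded, and a stray segment that merely claims to belong to a connection is refused even though a stateless rule would let it through.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption for this example): the internal
# network and the DMZ each get a range; anything else is treated as "internet".
ZONES = {
    "internal": ip_network("10.0.0.0/8"),
    "dmz": ip_network("192.0.2.0/24"),
}


def zone_of(addr: str) -> str:
    """Map an IP address to the security domain it belongs to."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True only for the segment that opens a new TCP connection


# Packet-filtering rules, first match wins: (src zone, dst zone, dst port, action).
# None is a wildcard. The last rule is the default deny.
RULES = [
    ("internet", "dmz", 80, "allow"),        # public Web server lives in the DMZ
    ("internet", "dmz", 443, "allow"),
    ("dmz", "internal", 5432, "allow"),      # Web tier may reach the database only
    ("internal", "dmz", None, "allow"),
    ("internal", "internet", None, "allow"),
    (None, None, None, "deny"),
]


def stateless_decision(pkt: Packet) -> str:
    """Plain packet filtering: judge every packet on its own header fields."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for rule_src, rule_dst, rule_port, action in RULES:
        if (rule_src in (None, src_zone) and rule_dst in (None, dst_zone)
                and rule_port in (None, pkt.dport)):
            return action
    return "deny"


class StatefulFilter:
    """Stateful packet filtering: remember permitted connections so replies are
    allowed, and reject unsolicited segments that claim to belong to one."""

    def __init__(self) -> None:
        self.connections: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.connections or reverse in self.connections:
            return "allow"  # belongs to a connection the rules already permitted
        if not pkt.syn:
            return "deny"   # mid-connection segment with no tracked connection
        action = stateless_decision(pkt)
        if action == "allow":
            self.connections.add(flow)
        return action


def demo() -> dict[str, str]:
    """Run a handful of constructed packets through both filters."""
    fw = StatefulFilter()
    web_request = Packet("203.0.113.5", 40000, "192.0.2.10", 80, syn=True)
    web_reply = Packet("192.0.2.10", 80, "203.0.113.5", 40000, syn=False)
    ssh_to_internal = Packet("203.0.113.5", 40001, "10.0.0.20", 22, syn=True)
    dmz_to_db = Packet("192.0.2.10", 50000, "10.0.0.30", 5432, syn=True)
    dmz_to_ssh = Packet("192.0.2.10", 50001, "10.0.0.30", 22, syn=True)
    unsolicited = Packet("203.0.113.9", 40002, "192.0.2.10", 80, syn=False)
    return {
        "internet->dmz web (new)": fw.decide(web_request),
        "dmz->internet web (reply)": fw.decide(web_reply),
        "internet->internal ssh": fw.decide(ssh_to_internal),
        "dmz->internal db": fw.decide(dmz_to_db),
        "dmz->internal ssh": fw.decide(dmz_to_ssh),
        "unsolicited non-SYN to dmz web (stateless)": stateless_decision(unsolicited),
        "unsolicited non-SYN to dmz web (stateful)": fw.decide(unsolicited),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:45s} {verdict}")
```

The reply from the DMZ Web server to the Internet client matches no stateless rule and would be dropped by the rule table alone; the stateful filter allows it because the client's request was recorded when it was permitted.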
Proxy Servers
An alternative to firewall subnets or DMZs is a proxy server, or proxy firewall. A
proxy server performs actions on behalf of another system. When deployed, a proxy server
is configured to look like a Web server and is assigned the domain name that users would
be expecting to find for the system and its services. When an outside client requests a
particular Web page, the proxy server receives the request as if it were the subject of the
request, then asks for the same information from the true Web server, and then responds to
the request. This gives requestors the response they need without allowing them to gain
direct access to the internal and more sensitive server.
The proxy server may be hardened and become a bastion host placed in the public
area of the network, or it might be placed within the firewall subnet or the DMZ for added
protection. For more frequently accessed Web pages, proxy servers can cache or
temporarily store the page, and thus are sometimes called cache servers.
Intrusion Detection and Prevention Systems (IDPSs)
To detect unauthorized activity within the inner network or on individual machines,
organizations can implement intrusion detection and prevention systems (IDPSs).
IDPSs come in two versions, with hybrids possible.
Host-based IDPSs are usually installed on the machines they protect to monitor the
status of various files stored on those machines. The IDPS learns the configuration of the
system, assigns priorities to various files depending on their value, and can then alert the
administrator of suspicious activity.
Network-based IDPSs look at patterns of network traffic and attempt to detect unusual
activity based on previous baselines. This could include packets coming into the
organization’s networks with addresses from machines that are within the organization
(IP spoofing). It could also include high volumes of traffic going to outside addresses (as
in cases of data theft) or coming into the network (as in a denial-of-service attack).
Intrusion Detection and Prevention Systems
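The two network-based detections named above (inbound packets carrying internal source addresses, and traffic volumes well above a baseline), as an added example that is not part of these notes. The internal address range, the per-window baseline totals and the flow records are all constructed for the illustration; the threshold of mean plus three standard deviations is a common choice, not one the notes prescribe.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed internal address range for the example.
INTERNAL = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    direction: str   # "in" = arriving from outside, "out" = leaving towards outside
    src: str
    dst: str
    kbytes: int


def spoofed_sources(flows):
    """Inbound flows whose source address claims to be internal: an IP spoofing indicator."""
    return [f for f in flows if f.direction == "in" and ip_address(f.src) in INTERNAL]


def volume_threshold(history, k=3.0):
    """Baseline threshold: mean plus k standard deviations of past per-window totals."""
    return mean(history) + k * pstdev(history)


def window_totals(flows):
    """Sum the bytes seen in each direction during one observation window."""
    totals = {"in": 0, "out": 0}
    for f in flows:
        totals[f.direction] += f.kbytes
    return totals


def analyze(flows, baseline_in, baseline_out, k=3.0):
    """Return (alert type, detail) tuples for one observation window."""
    alerts = []
    for f in spoofed_sources(flows):
        alerts.append(("spoofed-source",
                       f"inbound flow from {f.src} to {f.dst} claims an internal address"))
    totals = window_totals(flows)
    if totals["out"] > volume_threshold(baseline_out, k):
        alerts.append(("outbound-volume",
                       f"{totals['out']} KB out, baseline mean {mean(baseline_out):.0f} KB"))
    if totals["in"] > volume_threshold(baseline_in, k):
        alerts.append(("inbound-volume",
                       f"{totals['in']} KB in, baseline mean {mean(baseline_in):.0f} KB"))
    return alerts


# Constructed history: total KB per window from earlier, normal windows.
BASELINE_IN = [100, 120, 80, 110, 90]
BASELINE_OUT = [100, 120, 80, 110, 90]

# Constructed current window of flow records.
CURRENT_WINDOW = [
    Flow("in", "203.0.113.7", "10.0.0.5", 30),
    Flow("in", "10.0.0.9", "10.0.0.5", 40),          # internal source arriving from outside
    Flow("in", "198.51.100.2", "10.0.0.8", 50),
    Flow("out", "10.0.0.5", "203.0.113.7", 20),
    Flow("out", "10.0.0.12", "198.51.100.77", 380),  # unusually large outbound transfer
]


def demo():
    return analyze(CURRENT_WINDOW, BASELINE_IN, BASELINE_OUT)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind:16s} {detail}")
```

Inbound volume in the constructed window (120 KB) stays under the baseline threshold (about 142 KB), so only the spoofed source and the outbound volume raise alerts; the same code flags an inbound flood when the "in" total crosses its threshold.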
SETA program
Once your organization has defined the policies that will guide its security program and
selected an overall security model by creating or adapting a security framework and a
corresponding detailed implementation blueprint, it is time to implement a security
education, training, and awareness (SETA) program.
The SETA program is the responsibility of the CISO and is a control measure designed to
reduce the incidences of accidental security breaches by employees.
Employee errors are among the top threats to information assets, so it is well worth
expending the organization’s resources to develop programs to combat this threat.
SETA programs are designed to supplement the general education and training
programs that many organizations use to educate staff on information security.
For example, if an organization detects that many employees are opening questionable
e-mail attachments, those employees must be retrained. As a matter of good practice,
systems development life cycles must include user training during the implementation
phase.
The SETA program consists of three elements:
1. security education,
2. security training, and
3. security awareness
An organization may not be capable of or willing to undertake all three of these elements,
and may outsource elements to local educational institutions. The purpose of SETA is to
enhance security by doing the following:
Improving awareness of the need to protect system resources
Developing skills and knowledge so computer users can perform their jobs more
securely
Building in-depth knowledge, as needed, to design, implement, or operate security
programs for organizations and systems.
A table in the original text compares the features of security education, training, and
awareness within the organization.
Security Education
Everyone in an organization needs to be trained and made aware of information
security, but not every member of the organization needs a formal degree or certificate in
information security. When management agrees that formal education is appropriate, an
employee can investigate available courses from local institutions of higher learning or
continuing education. A number of universities have formal coursework in information
security.
Security Training
Security training provides detailed information and hands-on instruction to
employees to prepare them to perform their duties securely. Management of information
security can develop customized in-house training or outsource the training program.
Alternatives to formal training programs are industry training conferences and
programs offered through professional agencies such as SANS (www.sans.org), (ISC)²
(www.isc2.org), ISSA (www.issa.org), and CSI (www.gocsi.com). Many of these programs
are too technical for the average employee, but may be ideal for the continuing education
requirements of information security professionals.
Security Awareness
One of the least frequently implemented, but most beneficial, programs is the
security awareness program. A security awareness program is designed to keep information
security at the forefront of users’ minds. These programs don’t have to be complicated or
expensive. Good programs can include newsletters, security posters, videos, bulletin boards,
flyers, and trinkets.
The security newsletter is the most cost-effective method of disseminating security
information and news to the employee. Newsletters can be distributed via hard copy, e-
mail, or intranet. Newsletter topics can include new threats to the organization’s
information assets, the schedule for upcoming security classes, and the addition of new
security personnel.
The goal is to keep the idea of information security in users’ minds and to stimulate
users to care about security. If a security awareness program is not actively implemented,
employees may begin to neglect security matters and the risk of employee accidents and
failures is likely to increase.
CONTINUITY STRATEGIES
Continuous availability of info systems
Probability high for attack
Managers must be ready to act
Contingency Plan (CP)
Prepared by organization
Anticipate, react to, & recover from attacks
Restore organization to normal operations
Components of Contingency Plan
Before planning can begin, a team has to plan the effort and prepare the resulting
documents.
Champion: high-level manager to support, promote, and endorse findings of project.
Project manager: leads project and makes sure sound project planning process is
used, a complete and useful project plan is developed, and project resources are
prudently managed.
Team members: should be managers or their representatives from various
communities of interest: business, IT, and information security.
Business Impact Analysis (BIA)
Investigate & assess impact of various attacks
First risk assessment – then BIA
Prioritized list of threats & critical info
Detailed scenarios of potential impact of each attack
Answers question
“if the attack succeeds, what do you do then?”
BIA Sections
Threat attack identification & prioritization
Attack profile – detailed description of activities that occur during an attack
Determine the extent of resulting damage
Business Unit analysis
Analysis & prioritization-business functions
Identify & prioritize functions w/in orgs units
Attack success scenario development
Series of scenarios showing impact
Each threat on prioritized list
Alternate outcomes
• Best, worst, probable cases
Potential damage assessment
Estimate cost of best, worst, probable
What must be done under each
Not how much to spend
Subordinate Plan Classification
Basis for classification as disastrous or not disastrous
Incident Response Planning (IRPs)
Incident response planning covers identification of, classification of, and response to
an incident
Attacks classified as incidents if they:
Are directed against information assets
Have a realistic chance of success
Could threaten confidentiality, integrity, or availability of information
resources
Incident response (IR) is more reactive than proactive, with the exception of the
planning that must occur to prepare IR teams to be ready to react to an incident.
Incident Response
Set of activities taken to plan for, detect, and correct the impact
Incident planning
Requires understanding BIA scenarios
Develop series of predefined responses
Enables org to react quickly
Incident detection
Mechanisms – intrusion detection systems, virus detection, system
administrators, end users
Incident Detection
Possible indicators
Presence of unfamiliar files
Execution of unknown programs or processes
Unusual consumption of computing resources
Unusual system crashes
Probable indicators
Activities at unexpected times
Presence of new accounts
Reported attacks
Notification from IDS
Definite indicators
Use of dormant accounts
Changes to logs
Presence of hacker tools
Notification by partner or peer
Notification by hackers
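The host-based monitoring described earlier (the IDPS learns the files on a machine, assigns them priorities by value, and alerts on change) and the indicator levels listed just above, as an added example that is not part of these notes: a Python file-integrity check that baselines a directory tree with SHA-256, rescans it, and labels each difference as a possible, probable or definite indicator. The directory layout, the priority policy and the tampering are constructed in a temporary directory so the example runs offline.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed priority policy: which indicator level a change under each path
# should raise, following the possible/probable/definite scheme of the notes.
PRIORITY_RULES = {
    "var/log/": "definite",   # changes to logs
    "bin/": "probable",       # changes to programs
}
DEFAULT_PRIORITY = "possible"  # e.g. an unfamiliar file turning up


def file_hash(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): file_hash(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def priority_for(rel_path: str) -> str:
    """Indicator level for a change to the given path."""
    for prefix, level in PRIORITY_RULES.items():
        if rel_path.startswith(prefix):
            return level
    return DEFAULT_PRIORITY


def classify_changes(baseline: dict[str, str], current: dict[str, str]):
    """Compare two snapshots and label each difference with an indicator level."""
    findings = []
    for path in current.keys() - baseline.keys():
        findings.append(("new_file", path, priority_for(path)))
    for path in baseline.keys() - current.keys():
        findings.append(("missing_file", path, priority_for(path)))
    for path in baseline.keys() & current.keys():
        if baseline[path] != current[path]:
            findings.append(("modified", path, priority_for(path)))
    return sorted(findings)


def write(root: Path, rel: str, text: str) -> None:
    """Create or overwrite a file below root, making parent directories."""
    target = root / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(text)


def demo():
    """Build a constructed host tree, baseline it, alter it, and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write(root, "var/log/auth.log", "login ok\nlogin ok\n")
        write(root, "bin/svc", "#!/bin/sh\necho service\n")
        write(root, "etc/app.conf", "mode=prod\n")
        baseline = snapshot(root)

        write(root, "var/log/auth.log", "")                   # log truncated
        write(root, "bin/svc", "#!/bin/sh\necho changed\n")  # program altered
        write(root, "tmp/unknown.bin", "not seen before")    # unfamiliar file
        current = snapshot(root)
        return classify_changes(baseline, current)


if __name__ == "__main__":
    for kind, path, level in demo():
        print(f"{level:9s} {kind:13s} {path}")
```

The baseline itself must be stored where the monitored host cannot rewrite it, for the same reason the notes list changes to logs as a definite indicator: an attacker who can alter the record can hide the alteration.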
Predefined Situation
Loss of availability
Loss of integrity
Loss of confidentiality
Violation of policy
Violation of law
Incident Reaction
Actions outlined in the IRP
Guide the organization
Stop the incident
Mitigate the impact
Provide information recovery
Notify key personnel
Document incident
Incident Containment Strategies
Sever affected communication circuits
Disable accounts
Reconfigure firewall
Disable process or service
Take down email
Stop all computers and network devices
Isolate affected channels, processes, services, or computers
Incident Recovery
Get everyone moving and focused
Assess Damage
Recovery
Identify and resolve vulnerabilities
Address safeguards
Evaluate monitoring capabilities
Restore data from backups
Restore process and services
Continuously monitor system
Restore confidence
Disaster Recovery Plan (DRPs)
Provide guidance in the event of a disaster
Clear establishment of priorities
Clear delegation of roles & responsibilities
Alert key personnel
Document disaster
Mitigate impact
Evacuation of physical assets
Crisis Management
Disaster recovery personnel must know their responses without any supporting
documentation.
Actions taken during and after a disaster focusing on people involved and addressing
viability of business.
Crisis management team responsible for managing event from an enterprise
perspective and covers:
Support personnel and loved ones
Determine impact on normal operations
Keep public informed
Communicate with major players such as major customers, suppliers, partners,
regulatory agencies, industry organizations, the media, and other interested
parties.
Business Continuity Planning (BCPs)
Outlines reestablishment of critical business operations during a disaster that
impacts operations.
If disaster has rendered the business unusable for continued operations, there must
be a plan to allow business to continue functioning.
Development of BCP somewhat simpler than IRP or DRP; consists primarily of
selecting a continuity strategy and integrating off-site data storage and recovery
functions into this strategy.
Continuity Strategies
There are a number of strategies for planning for business continuity
Determining factor in selecting between options usually cost
In general there are three exclusive options: hot sites; warm sites; and cold sites
Three shared functions: time-share; service bureaus; and mutual agreements
Alternative Site Configurations
Hot sites
Fully configured computer facilities
All services & communication links
Physical plant operations
Warm sites
Does not include actual applications
Application may not be installed and configured
Requires hours to days to become operational
Cold sites
Rudimentary services and facilities
No hardware or peripherals
empty room
Time-shares
Hot, warm, or cold
Leased with other orgs
Service bureau
Provides service for a fee
Mutual agreements
A contract between two or more organizations that specifies how each will
assist the other in the event of a disaster.
Off-Site Disaster Data Storage
To get sites up and running quickly, organization must have ability to port data into
new site’s systems
Electronic vaulting
Transfer of large batches of data
Receiving server archives data
Fee
Journaling
Transfer of live transactions to off-site
Only transactions are transferred
Transfer is real time
Shadowing
Duplicated databases
Multiple servers
Processes duplicated
3 or more copies simultaneously
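The three off-site data storage methods just listed, as an added example that is not part of these notes: a Python simulation of a primary datastore that ships whole batches to a vault (electronic vaulting), appends each live transaction to an off-site journal (journaling), and pushes every transaction to a duplicate server (shadowing). The datastore, the transactions and the loss scenario are constructed for the illustration. Recovering from each method shows what the notes imply: the vault alone loses everything after the last batch, vault plus journal replay reaches the last committed transaction, and the shadow is already current.

```python
import copy

# Transactions are tuples: ("set", key, value) or ("del", key, None).
Tx = tuple


def apply_tx(state: dict, tx: Tx) -> None:
    """Apply one transaction to an in-memory datastore."""
    op, key, value = tx
    if op == "set":
        state[key] = value
    elif op == "del":
        state.pop(key, None)
    else:
        raise ValueError(f"unknown operation {op!r}")


class Shadow:
    """Shadowing: another server processes every transaction as it happens,
    so it holds a current duplicate of the database."""

    def __init__(self) -> None:
        self.data: dict = {}

    def replicate(self, tx: Tx) -> None:
        apply_tx(self.data, tx)


class Primary:
    """The production system. Every committed transaction is appended to the
    off-site journal in real time and pushed to each shadow."""

    def __init__(self, journal: list, shadows: list) -> None:
        self.data: dict = {}
        self.journal = journal
        self.shadows = shadows

    def commit(self, tx: Tx) -> None:
        apply_tx(self.data, tx)
        self.journal.append(tx)           # journaling: only the transaction is transferred
        for shadow in self.shadows:
            shadow.replicate(tx)          # shadowing: duplicate processing elsewhere


class Vault:
    """Electronic vaulting: receives a whole batch of data on a schedule and
    archives it, remembering how far the journal had got at that moment."""

    def __init__(self) -> None:
        self.archive: list = []

    def receive_batch(self, data: dict, journal_pos: int) -> None:
        self.archive.append((copy.deepcopy(data), journal_pos))

    def latest(self):
        return self.archive[-1]


def recover_from_vault(vault: Vault) -> dict:
    """Restore from the last batch only: everything after it is lost."""
    data, _ = vault.latest()
    return copy.deepcopy(data)


def recover_from_vault_and_journal(vault: Vault, journal: list) -> dict:
    """Restore the last batch, then replay the journal entries recorded since."""
    data, pos = vault.latest()
    data = copy.deepcopy(data)
    for tx in journal[pos:]:
        apply_tx(data, tx)
    return data


def scenario() -> dict:
    """Constructed sequence: two transactions, a scheduled batch, three more
    transactions, then the primary site is lost."""
    journal: list = []
    shadow = Shadow()
    vault = Vault()
    primary = Primary(journal, [shadow])

    primary.commit(("set", "acct:1001", 100))
    primary.commit(("set", "acct:1002", 50))
    vault.receive_batch(primary.data, len(journal))   # scheduled batch transfer

    primary.commit(("set", "acct:1001", 75))
    primary.commit(("del", "acct:1002", None))
    primary.commit(("set", "acct:1003", 20))
    # Disaster: the primary is gone. What does each off-site method give back?
    return {
        "primary_before_loss": dict(primary.data),
        "vault_only": recover_from_vault(vault),
        "vault_plus_journal": recover_from_vault_and_journal(vault, journal),
        "shadow": dict(shadow.data),
    }


if __name__ == "__main__":
    for method, state in scenario().items():
        print(f"{method:22s} {state}")
```

The journal position stored with each batch is what makes replay correct: transactions already inside the batch are not applied twice, and only those committed after it are replayed.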
Model for a Consolidated Contingency Plan
Single document set supports concise planning and encourages smaller organizations
to develop, test, and use IR and DR plans.
Model is based on analyses of disaster recovery and incident response plans of
dozens of organizations.
The Planning Document
Six steps in contingency planning process
Identifying mission- or business-critical functions
Identifying resources that support critical functions
Anticipating potential contingencies or disasters
Selecting contingency planning strategies
Implementing contingency strategies
Testing and revising strategy
VISA INTERNATIONAL SECURITY MODEL
Visa International promotes strong security measures in its business associates and has
established guidelines for the security of its information systems.
Visa has developed two important documents that improve and regulate its information
systems: Security Assessment Process and Agreed Upon Procedures
Using the two documents, a security team can develop a sound strategy for the design
of good security architecture.
The only downside to this approach is its specific focus on systems that can or do
integrate with Visa systems for the explicit purpose of carrying cardholder
information.