
Page 1: Best Practices for Information Security Management

Systems and Software Consortium | 2214 Rock Hill Road, Herndon, VA 20170-4227 | Phone: (703)742-8877 | FAX: (703)742-7200

www.systemsandsoftware.org

Best Practices for Information Security Management

Bob Small, CISSP, CEH

[email protected]

March 2006

Page 2: Best Practices for Information Security Management

Take-away Messages

• Defense in depth solutions
• Effective security requires a rigorous risk management process
• Must be effective and cost effective
• Think about it from the adversary's perspective

Page 3: Best Practices for Information Security Management

Key Elements of Security

• Security properties: Confidentiality, Integrity, Availability
• Delivered through: People, Process, Technology

Page 4: Best Practices for Information Security Management

Defense In Depth

Speed bumps are a better metaphor for information security than bank vaults

Page 5: Best Practices for Information Security Management

Risk Management Process

Degree of Assurance Required

Risk Assessment
• Asset Identification and Valuation
• Identification of Vulnerabilities
• Identification of Threats
• Evaluation of Impacts
• Likelihood of Occurrence
• Business Risks
• Ranking of Risks
• Review of existing security controls

Gap analysis

Risk Mitigation
• Identification of new security controls
• Policy and Procedures
• Implement Controls to Reduce Risk
• Risk Acceptance (Residual Risk)
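The assessment and mitigation steps above, worked as a small qualitative risk register: inherent likelihood and impact, the review of existing controls, ranking, gap analysis against an acceptable level, and the residual risk left after new controls. This is an added example, not code from the presentation. It borrows the three-level likelihood/impact weights and risk bands of NIST SP 800-30 (listed under ISMS Resources); every asset, threat, control name and control-effectiveness figure in it is constructed sample data for illustration only.

```python
"""Qualitative risk register for the risk management process on the slide.

Added example, not code from the presentation. Likelihood weights
(0.1/0.5/1.0), impact weights (10/50/100) and the Low/Medium/High bands
follow the risk-level matrix in NIST SP 800-30. All assets, threats,
controls and effectiveness figures are constructed sample data.
"""
from dataclasses import dataclass, field

LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}
LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}

# Assumed control catalogue: each control cuts either likelihood or impact
# by the given fraction. The numbers are illustrative, not measured.
CONTROLS = {
    "patch management": ("likelihood", 0.5),
    "web application firewall": ("likelihood", 0.4),
    "MFA": ("likelihood", 0.8),
    "security awareness training": ("likelihood", 0.3),
    "offsite backups": ("impact", 0.6),
}


@dataclass
class Risk:
    asset: str               # asset identification
    threat: str              # identified threat
    vulnerability: str       # identified vulnerability
    likelihood: str          # inherent likelihood: low / medium / high
    impact: str              # evaluated impact, driven by asset valuation
    existing_controls: list = field(default_factory=list)
    new_controls: list = field(default_factory=list)


def score(risk, controls):
    """Likelihood x impact with the named controls applied (rounded)."""
    lik, imp = LIKELIHOOD[risk.likelihood], IMPACT[risk.impact]
    for name in controls:
        target, effectiveness = CONTROLS[name]
        if target == "likelihood":
            lik *= 1 - effectiveness
        else:
            imp *= 1 - effectiveness
    return round(lik * imp, 2)


def level(s):
    """SP 800-30 bands: High above 50, Medium above 10, Low otherwise."""
    return "High" if s > 50 else "Medium" if s > 10 else "Low"


def current_score(risk):
    """Risk as it stands after the review of existing controls."""
    return score(risk, risk.existing_controls)


def residual_score(risk):
    """Risk remaining once the proposed new controls are implemented."""
    return score(risk, risk.existing_controls + risk.new_controls)


def rank(register):
    """Ranking of risks, highest current risk first."""
    return sorted(register, key=current_score, reverse=True)


def treatment_plan(register, acceptable="Low"):
    """Gap analysis against the acceptable level; one decision per risk."""
    plan = []
    for risk in rank(register):
        cur, res = current_score(risk), residual_score(risk)
        if LEVEL_ORDER[level(cur)] <= LEVEL_ORDER[acceptable]:
            decision = "accept"                     # already within appetite
        elif LEVEL_ORDER[level(res)] <= LEVEL_ORDER[acceptable]:
            decision = "mitigate, accept residual"  # new controls close the gap
        else:
            decision = "residual above appetite"    # more controls or sign-off
        plan.append((risk.asset, level(cur), cur, level(res), res, decision))
    return plan


# Constructed sample register (not real findings).
REGISTER = [
    Risk("customer database", "external attacker", "unpatched internet-facing web server",
         "high", "high", new_controls=["patch management", "web application firewall"]),
    Risk("payroll file server", "hardware failure", "single disk, no replication",
         "medium", "high", existing_controls=["offsite backups"]),
    Risk("marketing website", "defacement", "weak CMS admin password",
         "medium", "low"),
    Risk("admin accounts", "credential theft via phishing", "password-only logon",
         "high", "high", existing_controls=["security awareness training"],
         new_controls=["MFA"]),
]

if __name__ == "__main__":
    for row in treatment_plan(REGISTER, acceptable="Medium"):
        print("%-22s current %-6s %6.1f  residual %-6s %6.1f  -> %s" % row)
```

Running it prints the ranked treatment plan with Medium as the acceptable level. Changing `acceptable` to "Low" flips the two risks whose residual is still Medium, and the payroll server that has no new controls planned, to "residual above appetite": that is the residual-risk acceptance decision the last step of the process puts in front of management.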

Page 6: Best Practices for Information Security Management

International Standards for ISMS

An Information Security Management System (ISMS) spans:
• Confidentiality, Integrity, Availability
• People, process, tools
• Plan | Do | Check | Act
• Tangible assets and intangible assets

• ISO 17799, Code of Practice for Information Security Management (ISO/IEC 17799:2005, renumbered ISO/IEC 27002 in 2007)
• ISO 27001, Information Security Management Systems – Requirements

These standards are accepted as industry best practices

Page 7: Best Practices for Information Security Management

Control Areas In ISO 17799

133 controls in 11 areas:

• Security Policy
• Organization of Information Security
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information Systems Acquisition, Development and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance

Page 8: Best Practices for Information Security Management

Security Policy

Objective: Provide management direction and support for information security in accordance with business requirements and relevant laws and regulations

• It must be written
• It must be reviewed periodically

Page 9: Best Practices for Information Security Management

Security Must Be Managed In All Relationships

Diagram: the ISMS Scope at the center, linked to Internal Support Functions, External Support Functions, and Customers. Functions shown around it: Facilities, HR, F&A, Legal, Marketing, IT Support, Audit, Data Archiving, Consultants.

Each arrow represents a contract, MOA, SLA, etc.

Page 10: Best Practices for Information Security Management

Information Assets Must Be Managed

• Inventory of Assets (tangible and intangible)
• Ownership
• Acceptable Use
• Classification Guidelines
• Information Labeling and Handling

Page 11: Best Practices for Information Security Management

Human Resources Security

• Prior to Employment
• During Employment
• Termination or Change of Employment

Page 12: Best Practices for Information Security Management

Think Creatively About Information Security

Catch Me If You Can

The Shawshank Redemption

The Italian Job

Page 13: Best Practices for Information Security Management

ISMS Resources

ISO, http://www.iso.org
• ISO 17799, Code of Practice for Information Security Management
• ISO 27001, Information Security Management Systems – Requirements

National Institute of Standards and Technology, http://csrc.nist.gov
• SP 800-70, The NIST Security Configuration Checklists Program
• SP 800-66, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
• SP 800-30, Risk Management Guide for Information Technology Systems

INCITS CS1 (Cybersecurity), http://www.incits.org

Page 14: Best Practices for Information Security Management

Thank You