Post on 18-Dec-2015
ISA 562 Summer 2008 1
Information Security Management
CISSP Topic 1
ISA 562 Internet Security Theory and Practice

Course Outline
An introductory course at the graduate level
It covers the topics of the CISSP exam at varying depth
But is NOT a CISSP course
Textbooks:
Matt Bishop: Computer Security Art and Science
Official ISC2 Guide to the CISSP CBK

Objectives
Roles and responsibilities of individuals in a security program
Security planning in an organization
Security awareness in the organization
Differences between policies, standards, guidelines and procedures
Risk Management practices and tools

Syllabus of the Course
• Bishop’s book for the first part
• Papers for some classes
• ISC2 book for the second part
• Cover material relevant to the PhD qualifying examination in security

Introduction
• Purpose of information security:
– to protect an organization's information resources: data, hardware, and software.
• To increase organizational success: information systems (IS) are critical assets supporting the organization's mission

Information Security TRIAD
• The overarching goals of information security are addressed through the AIC TRIAD (Availability, Integrity, Confidentiality).

IT Security Requirements - I
Security should be designed for two requirements:
1. Functional: Define the behavior of the control mechanisms, based on risk assessment
Properties:
• should not depend on another control
• Why? fail safe by maintaining security during a system failure
2. Assurance: Provide confidence that security functions perform as expected.
• Internal/External Audit
• Third Party reviews
• Compliance to best practices
Examples
– Functional: a network Firewall to permit or deny traffic.
– Assurance: logs are generated, monitored, and reviewed

Organizational & Business Requirements
• Focus on organizational mission:
– Business or goals driven
• Depends on type of organization:
– Military, Government, or Commercial.
• Must be sensible and cost effective
– Solution considers the mission and environment trade-off

IT Security Governance
Integral part of corporate governance:
– Fully integrated into overall risk-based threat analysis
Ensure that IT infrastructure:
– Meets all requirements.
– Supports the strategies and objectives of the company.
– Includes service level agreements [if outsourced].

Security Governance: Major parts
1. Leadership:
• Security leaders must be part of the company leadership -- where they can be heard.
2. Structure:
• occurs at many levels and should use a layered approach.
3. Processes:
• follow internationally accepted “best practices”:
• Job rotation, separation of duties, least privilege, mandatory vacations, etc.
• Examples of standards: ISO 17799 & ISO 27001:2005

Security Blueprints
Provide a structure for organizing requirements and solutions.
– Ensure that security is considered holistically.
Used to identify and design security requirements

Policy Overview
1. The operational environment is a web of laws, regulations, requirements, and agreements or contracts with partners and competitors
2. These change frequently and interact with each other
3. Management must develop and publish security statements addressing policies and supporting elements, such as standards, baselines, and guidelines.

Policy overview

Functions of Security policy
1. Provide management goals and objectives in writing
2. Ensure document compliance
3. Create a security culture
4. Anticipate and protect others from surprises
5. Establish the security activity/function
6. Hold individuals responsible and accountable
7. Address foreseeable conflicts
8. Make sure employees and contractors are aware of organizational policy and changes to it
9. Require an incident response plan
10. Establish a process for exception handling, rewards, and discipline

Policy Infrastructure
1. High level policies are interpreted into functional policies.
2. Functional policies are derived from the overarching policy and create the foundation for procedures, standards, and baselines to accomplish the objectives.
3. Policies gain credibility by top management buy-in.

Examples of Functional Policies
1. Data classification
2. Certification and accreditation
3. Access control
4. Outsourcing
5. Remote access
6. Acceptable mail and Internet usage
7. Privacy
8. Dissemination control
9. Sharing control

Policy Implementation
• Standards, procedures, baselines, and guidelines turn management objectives and goals [functional policies] into enforceable actions for employees.

Standards and procedures
1. Standards (local): adoption of common hardware and software mechanisms and products throughout the enterprise.
Examples: Desktop, Anti-Virus, Firewall
2. Procedures: step-by-step actions that must be followed to accomplish a task.
3. Guidelines: recommendations for product implementations, procurement and planning, etc.
Examples: ISO17799, Common Criteria, ITIL

Security Baselines
Benchmarks: to ensure that a minimum level of security configuration is provided across implementations and systems.
– establish consistent implementation of security mechanisms.
– Platform unique
Examples:
• VPN Setup
• IDS Configuration
• Password rules

Three Levels of security planning
1. Strategic: long term
• Focus on high-level, long-range organizational requirements
– Example: overall security policy
2. Tactical: medium-term
• Focus on events that affect all the organization
– Example: functional plans
3. Operational: short-term
• Fight fires at the keyboard level, directly affecting how the organization accomplishes its objectives.

Organizational roles and responsibilities
• Everyone has a role:
– with responsibility clearly communicated and understood
• Duties associated with the role must be assigned
• Examples:
– Securing email
– Reviewing violation reports
– Attending awareness training

Specific Roles and Responsibilities (duties)
• Executive Management:
– Publish and endorse security policy
– Establish goals and objectives
– State overall responsibility for asset protection.
• IS security professionals:
– Security design, implementation, management
– Review of organization security policies.
• Owner:
– Information classification
– Set user access conditions
– Decide on business continuity priorities
• Custodian:
– Entrusted with the security of the information
• IS Auditor:
– Audit assurance guarantees.
• User:
– Compliance with procedures and policies

Personnel Security: Hiring staff
• Background check/Security clearance
• Check references/Educational records
• Sign employment agreement
– Non-disclosure agreements
– Non-compete agreements
• Low level checks
• Consult with HR Department
• Termination/dismissal procedure

Third party considerations
Include:
– Vendors/Suppliers
– Contractors
– Temporary Employees
– Customers
Must establish procedures for these groups.