managing information security€¦ · some high-level viewpoints outline 1 some high-level...

Managing Information SecurityCOMM037 Computer Security

Dr Hans Georg Schaathun

University of Surrey

Autumn 2010 – Week 3

Dr Hans Georg Schaathun Managing Information Security Autumn 2010 – Week 3 1 / 47

Session objectives

Understand fundamental concepts of managementBe able to use management concepts to plan effective andcost-efficient security measuresUnderstand the principles of accountability and responsibility ininformation security

Whitman and Mattord Ch. 5Raggad Ch. 2–3(Additional) Gollmann Ch. 2.2–2.6

Some high-level viewpoints

Outline

1 Some high-level viewpoints

2 Management Concepts

3 Information Security Lifecycle

4 Policies and Documents

5 Closing

Security and Management

... information security is primarily a management problem,not a technical one ...

Whitman & Mattord 2005

Why do they say this?

Security is not a product or service in itself.It is a feature of other products, services, or processes.Management of these processes must encompass security

product development processesservice provision processesother business processes

The CObIT Information CriteriaQuick Recap

Security is only part of thecriteriaThe CIA requirements guardthe value of information

together with other CObITcriteria

A large organisation and itsinformation assets

is a fine and complexmachineryrequires management withattention to all requirements

Effectiveness Efficiency

Confidentiality Integrity

Availability

Compliance Reliability

The fundamental dilemmaIBM Whitepaper view

Ambivalent attitude to security in businesses1 security problems cause serious losses

moneyreputation

2 security does not contribute to business processesit becomes a pure cost, like insurance and estates

Security is important, but it has to be cheap

Value for Money in Security

How do you measure value for money in security?

Minimise number of incidents with impact?Maximise number of incidents controlled by the security featurespurchased?

What would have been the impact if you did not pay forsecurity?

Security in Context

We want security to serve business processesWe cannot build a wall around the business

the business operates in a world of hazardsSecurity must be part of the processes

protecting the business in a world of hazards... not shield it from the world

Management Concepts

Outline

2 Management ConceptsLayers of ManagementFunctional Organisation

5 Closing

Management Concepts Layers of Management

Outline

5 Closing

Different Layers of Management

Strategic Management Upper management do long-term planning.They define and evealuate organisation-wide, overallgoals.

Functional Management Middle management is specialised fordifferent functional areas of the organisation, such asfinance, IT, (security?), estates, production, etc. Yet,functional managers have a long-term view, and workclosely with upper management.

Operational Management Lower management is responisble for theday-to-day running of the business. Operationalmanagers steer towards goals and targets set byhigher-level managers, and manage the finer detail of theorganisation.

Which layer is responsible for information security?

Different Layers of Management

Strategic Management Upper management do long-term planning.They define and evealuate organisation-wide, overallgoals.

Functional Management Middle management is specialised fordifferent functional areas of the organisation, such asfinance, IT, (security?), estates, production, etc. Yet,functional managers have a long-term view, and workclosely with upper management.

Operational Management Lower management is responisble for theday-to-day running of the business. Operationalmanagers steer towards goals and targets set byhigher-level managers, and manage the finer detail of theorganisation.

Which layer is responsible for information security?

Strategic Management

Security PlanningSecurity Auditing and CertificationRisk apetite

expensive, high-security servicelow-cost service with some risk

Strategic choices depends on customer base and target market

Senior Information Risk Owner (SIRO)

Government requirement for all government departmentsBoard-level individual responsible for information security acrossthe departmentWhat’s the purpose of this role?Raise security awareness to board-level

integrate security in board-level managementConsistent risk management

one individual to decide on acceptable riskLiability and accountability?

someone to sack when it goes wrong?or will the SIRO be able to pin the blame on someone else?

Some departments have reached farther than others

Functional Management

Risk managementRisk-driven programme

Operational Management

Implementationsfire wallssecurity software deployments

Administration and Maintenancesoftware patchesmonitoringconfiguration

Response to IncidentsRecoveryReporting

Management Concepts Functional Organisation

Outline

5 Closing

Security in the OrganisationQuestion

Do we need a functional unit for (Information) Security?

Information Security could be part of IT.Information Security could be a separate Unit.

Alongside IT

Organisational ModelWith Security Functional Unit (Raggad)

Organisational ModelWithout Security Functional Unit (Raggad)

Security in the Organisation

Functional Unit Heads take part in Strategic ManagementWith a Security Functional Unit

Security is represented in Upper ManagementWithout the Security Functional Unit

the Security Head does not take part in Strategic Planningi.e. s/he is not a SIRO in the government sense.

Could the Head of General IT take the role as SIRO?

Information Security Lifecycle

Outline

3 Information Security LifecycleLife CyclesInformation Security Lifecycle

5 Closing

Information Security Lifecycle Life Cycles

Outline

5 Closing

Managing a Project

1 Analyse2 Plan3 Implement4 Enjoy the fruits of your work ...5 Done. Leave it behind you.6 Next Project.

What is missing here?

Managing a Project

Learning Cyclesa general cycle

What havewe done?

What tochange?

What shallit be?

What todo?

Do it!Enjoy it!

Learning Cyclesa general cycle (2)

Evaluation

Analysis Vision

ActionBenefit

Learn from each step –input into next step

Learning Cyclesa general cycle (2)

Evaluation

Analysis Vision

ActionBenefit

Learn from each step –input into next step

Using the cycle

Evaluation and Reflectionthink through what you have done at each stepuse your experience in the next stepmake each iteration better than the last step

Experience does not always give improvementimprovement is a concious effort, based on experiencemany people have a beginner’s experience over and over again

Adapt it to your style and the problem at handwhere do you start? (analysis? action? plan?)many short cycles? or fewer long cycles?

Don’t overdo itconstant reflection and evaluation leaves no time for real workreserve time for reflection – to think backuse the rest of the time to act – to move forward

Using the cycle

Application the cycle

Software Development LifecycleWaterfall methodologies – few iterationsAgile development – many iterations

rapid iterations to aquire understanding and experienceuse this to improve planning

Personal DevelopmentPlan your own developmentReflect to improve

ManagementPeriodic reviews of the organisationDevelop new plans and implement changes

Information Security Lifecycle Information Security Lifecycle

Outline

5 Closing

The Information Security LifecycleISO 27004

Plan Do

Act Check

1 Assess realistic likelihood ofsecurity failures

2 Select objectives andcontrols

1 Implement controls2 Define how to measure the

effectiveness of controls3 Measure the effectivenesss

of controlsto verify that securityrequirements are met

1 Regular review2 Review Risk Assessments3 Include results of

effectivenessmeasurements

4 Management Review of theISMS

5 Output of the reviewincludes

update of risksIprovement decissions

1 Implement identifiedimprovement in the ISMS

Plan Do

Act Check

Plan Do

Act Check

Plan Do

Act Check

Plan Do

Act Check

Policies and Documents

Outline

4 Policies and DocumentsCommunicationCase Study (Policy)

5 Closing

Policies and Documents Communication

Outline

5 Closing

Communication with your Organisation

The organisation is a fine machineryeach part must know its roleall the parts must be co-ordinated to work together

Management is responsible for co-ordination and consistencyhas the overview

Everyone must no his/her own partgood communication is key to co-ordination

Policies, standards, and other documents are essentialcommunication tools

Warning

Documents do not exist for there own sakeDocuments are not security featuresEach document has a purpose

otherwise it is not worth writingEach document has a target audience

and must be written specifically for that audiencedifferent audiences have different needs and abilities

Don’t write documents that no one will readdon’t make the document longer than what will be read

If you do not know why you write a particular document, it isbound to be a bad one.

Warning

Documents

Policy

Standard

Guideline

Security Policy

Definition (Organisational Security Policy)The laws, rules, and practices regulating how an organisationmanages, protects, and distributes resources to achieve specifiedsecurity policy objectives.

Definition (Automated Security Policy)Set of restrictions and properties that specify how a computing systemprevents information and computing resources from being used toviolate an organisational security policy.

Security Policy

Definition (Organisational Security Policy)The laws, rules, and practices regulating how an organisationmanages, protects, and distributes resources to achieve specifiedsecurity policy objectives.

Definition (Automated Security Policy)Set of restrictions and properties that specify how a computing systemprevents information and computing resources from being used toviolate an organisational security policy.

Scope of the Security Policy

The organisational security policyaims to secure the resources of the organisationnot limited to software and hardwarethe users are part of the system

The automated security policyone of the means to implement the organisational security policylimited to software and hardware

Organisation and managementcontributes to securityprivileges must be assigned intelligentlyprivileged users must use their rights correctly.

Policies and Other Documents

Policy defines the priorities and focus on the why of security.Responsibilities are assigned, and security requirementsmay be defined.

Standard defines mandatory rules of conduct, aiming to implementthe policy.

Guidelines is a set of best practice and advice to help units andindividuals to implement the policies and the standards.They are not mandatory.

The AudienceThe Organisational Security Policy

Different audiencesUsersOwnersSystem AdministratorsCustomers (and other beneficiaries)Developers (system designers and programmers)

Each group needs1 Assurance

their security needs are taken care of2 Awareness of their responsibility

they know to act correctly, maintaining security

The AudienceThe Organisational Security Policy

Different audiencesUsersOwnersSystem AdministratorsCustomers (and other beneficiaries)Developers (system designers and programmers)

Each group needs1 Assurance

their security needs are taken care of2 Awareness of their responsibility

they know to act correctly, maintaining security

Structure of the Policy

No set format for policiesyou write what the application requiresdifferent organisations — different needs

It depends on other documentsSome things are necessary, but could go in a policy document orelsewhereCatalogue of Assets, Threat Descriptions, Risk Analysis

Literature tends to focus on large corporationsrarely explicit or specificbut tend to assume a dozen people in the information securitydepartment...

Very little literature on policies for SMEsIlona Ilvonen (ECIW 2009)

Bottom line — there is no cookbook for thisyou will help to think, and look at what the problem requires

Policies must be managed over timeWe will return to this

Information Security Management Life CycleIlona Ilvonen 2009

1. Define goals,roles, andresponsibilities

2. Analysecurrent statusand risks

3. Define/Updatepolicies andprocedures

4. Training andawareness

Security Policy in ContextSystems Design

Working as a system designerwhat is the role of the security policy?

Requirements gatheringmany requirements are stated in the policymany requirements follow from the policy

Security Policy in ContextSystems Design

Working as a system designerwhat is the role of the security policy?

Requirements gatheringmany requirements are stated in the policymany requirements follow from the policy

Policies and Documents Case Study (Policy)

Outline

5 Closing

The Enron/Andersen Scandal

The Enron Energy Corporation (USA)Criminal investigation for fraud (a few years ago)

Arthur Andersen ConsultingWorld renowned accounting company

Andersen was implicated when they destroyed client files... relating to Enron

Security Policyor Obstruction of Justice

Andersen staff charged with obstruction of justiceshredding documents relevant for the investigation

Claimed to be following policyAnderson should not keep client files longer than necessary

Who’s right? Should client files be destroyed?

A question of timing

When policy contradicts lawthe law is rightthe policy is illegal

However, that was not the problemIncosistent implementation of the policy

Shredded started after the investigationConsistent and timely shredding according to policy

one could get away with thatTimely shredding according to policy before the investigation isknown

That’s OK.

Closing

Outline

5 Closing

Closing

Summary

Security Awareness and Decissions are required at all levels ofmanagement

Strategic managementFunctional managementOperational management

Good communications is essential to implement decissions in theorganisationManagement and Development require continuous learning andimprovement

Lifecycles is a common and useful modelEvaluation and Reflection is key to the cycle