Planning for Security
Chapter 5
Information Security
- Quality security programs begin & end with policy.
- Primarily a management problem, not a technical one.
Information Security Policies
- Form the basis for all IS security planning
- Direct how issues should be addressed
- Don't specify proper operation of equipment or software
- Should never contradict law
- Obligate personnel to function in a manner that adds to the security of info
- Least expensive control to execute
- Most difficult to implement properly
- Must stand up in court if challenged
- Must be properly administered through dissemination and documented acceptance
Policy
- Plan or course of action
- Conveys instructions
- Organizational laws
- Dictates acceptable and unacceptable behavior
- Defines:
  - What is right
  - What is wrong
  - The appeal process
  - What the penalties are for violating policy
- Written to support the mission, vision and strategic plan of the org
Standards
- Detailed statements of what must be done to comply with policy
- Types:
  - Informal – de facto standards
  - Formal – de jure standards
Policies, Standards, and Practices
- Policies are sanctioned by senior management
- Standards are built on policy and carry the weight of policy
- Practices, procedures, and guidelines include the detailed steps required
- Figure: Policies drive Standards, which drive Practices, Procedures and Guidelines
Mission/Vision/Strategic Plan
- Mission – written statement of the organization's purpose
- Vision – written statement of the organization's goals
- Strategic Plan – written statement of how the organization moves toward its mission
Policies
- Security policy: set of rules that protects an organization's assets
- Information security policy: set of rules that protects an organization's information assets
- Three types:
  - General or Enterprise
  - Issue-specific
  - System-specific
EISP
- Enterprise Information Security Policy
- Executive-level document
- General information security document
- 2-10 pages in length
- Shapes the philosophy of security in IT
- Contains requirements to be met
- Assigns responsibilities
- Addresses legal compliance
ISSP
- Issue-Specific Security Policy
- Addresses specific areas of technology
- Requires frequent updates
- Contains a statement on the organization's position on a specific issue
3 Approaches to ISSP
- Independent document tailored to a specific issue
  - Scattered approach
  - Departmentalized
- Single comprehensive document covering all issues
  - Centralized management and control
  - Tends to overgeneralize the issue
  - Skips vulnerabilities
3 Approaches to ISSP
- Modular plan
  - Unified policy creation and administration
  - Maintains each specific issue's requirements
  - Provides balance
Elements of Issue-Specific Security Policy Statement
- Statement of Policy
- Appropriate Use
- Systems Management
- Violations of Policy
- Policy Review and Modification
- Limitations of Liability
Statement of Policy
- Clear statement of policy, e.g. fair and responsible use of the Internet
- What is the scope of the policy?
- Who is the responsible person?
- What technologies and issues are addressed?
Appropriate Use
- Who can use the technology
- What it can be used for
- Defines "fair and reasonable use"
- What it cannot be used for
Systems Management
- Focus on the user's relationship to systems management
- Regulates:
  - Use of e-mail
  - Storage of materials
  - Authorized monitoring of employees
  - Scrutiny of e-mail and electronic documents
Violations of Policy
- Gives guidance on penalties and repercussions of violating policy
- Specifics on penalties
- How to report violations
Policy Review and Modification
- Procedures and a timetable for periodic review
- Specific methodology for review
- Specific methodology for modification
Limitations of Liability
- Set of disclaimers
- If an employee violates policy or law, the company will not protect them
- Company is not liable for the actions of employees
SysSP
- System-Specific Policy
- Frequently codified as standards & procedures
- Used when configuring or maintaining a system
- Examples:
  - Access Control Lists (ACLs)
  - Configuration rules
Continuity Strategies
- Continuous availability of info systems
- Probability of attack is high; managers must be ready to act
- Contingency Plan (CP)
  - Prepared by the organization
  - Anticipate, react to, & recover from attacks
  - Restore the organization to normal operations
Components of Contingency Plan
- Contingency Planning comprises:
  - Incident Response (focus on immediate response)
  - Disaster Recovery (focus on restoring systems)
  - Business Continuity (focus on establishing business functions at an alternate site)
Figure 5-22 – Contingency Planning Timeline
Figure 5-23 – Major Steps in Contingency Planning
Incident Response Planning
- Activities to be performed when an incident has been identified
- What is an incident? An action that threatens information and is completed
- Characteristics:
  - Directed against information assets
  - Realistic chance of success
  - Threatens the confidentiality, integrity, or availability of info
Incident Response
- Set of activities taken to plan for, detect, and correct the impact
- Incident planning
  - Requires understanding BIA scenarios
  - Develop a series of predefined responses
  - Enables the org to react quickly
Incident Response
- Incident detection
  - Mechanisms: intrusion detection systems, virus detection, system administrators, end users
Incident Detection
- Possible indicators
  - Presence of unfamiliar files
  - Execution of unknown programs or processes
  - Unusual consumption of computing resources
  - Unusual system crashes
Incident Detection
- Probable indicators
  - Activities at unexpected times
  - Presence of new accounts
  - Reported attacks
  - Notification from IDS
Incident Detection
- Definite indicators
  - Use of dormant accounts
  - Changes to logs
  - Presence of hacker tools
  - Notification by partner or peer
  - Notification by hackers
Incident Detection
- Predefined situations
  - Loss of availability
  - Loss of integrity
  - Loss of confidentiality
  - Violation of policy
  - Violation of law
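The indicator tiers on the preceding slides (possible, probable, definite) can be turned into detection logic. The following Python is an added example, not from the slide deck or the textbook: it classifies constructed audit-log events into those tiers, and the business-hours window, the 90-day dormancy threshold and all account and host names are assumptions.

```python
"""Classify constructed audit-log events into the incident indicator tiers
used in the slides: possible, probable and definite.

Added example, not part of the slide deck or the textbook. Every event,
account, host name and threshold below is constructed for illustration.
"""
from datetime import datetime, timedelta

BUSINESS_HOURS = (8, 18)            # assumed 08:00-18:00 local working window
DORMANT_AFTER = timedelta(days=90)  # assumed threshold for a "dormant" account

# Constructed account directory: last successful login before today's events.
LAST_SEEN = {
    "alice": datetime(2023, 5, 1, 9, 0),
    "svc_backup": datetime(2023, 1, 3, 2, 0),   # unused for months
}

# Constructed log lines: "<ISO timestamp> <EVENT> key=value ..." in time order.
SAMPLE_LOG = """\
2023-05-02T03:12:00 LOGIN user=svc_backup host=ws-07 result=success
2023-05-02T03:14:00 USERADD user=tmp_admin by=svc_backup
2023-05-02T03:20:00 LOGIN user=tmp_admin host=ws-07 result=success
2023-05-02T03:25:00 FILE_MODIFY path=/var/log/auth.log by=tmp_admin
2023-05-02T03:30:00 PROCESS_EXEC path=/tmp/.cache/updater by=tmp_admin
2023-05-02T09:15:00 LOGIN user=alice host=ws-01 result=success
2023-05-02T10:00:00 FILE_MODIFY path=/home/alice/notes.txt by=alice
"""


def parse_line(line):
    """Split one log line into (timestamp, event name, {key: value})."""
    ts, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(ts), event, fields


def classify_event(ts, event, fields, known_accounts, last_seen):
    """Return (tier, reason) for one event, or None if it is not indicative.

    Tier mapping follows the slides:
      possible - execution of unknown programs
      probable - activity at unexpected times, presence of new accounts
      definite - use of dormant accounts, changes to logs
    known_accounts and last_seen are updated so later events see the
    accounts created and logins recorded by earlier ones.
    """
    if event == "USERADD":
        known_accounts.add(fields["user"])
        last_seen[fields["user"]] = ts
        return "probable", f"new account created: {fields['user']}"

    if event == "FILE_MODIFY" and fields["path"].startswith("/var/log/"):
        return "definite", f"log file changed: {fields['path']}"

    if event == "PROCESS_EXEC" and fields["path"].startswith("/tmp/"):
        return "possible", f"unknown program executed: {fields['path']}"

    if event == "LOGIN" and fields.get("result") == "success":
        user = fields["user"]
        if user not in known_accounts:
            return "probable", f"login by account not in directory: {user}"
        previous = last_seen.get(user)
        last_seen[user] = ts
        if previous is not None and ts - previous > DORMANT_AFTER:
            return "definite", f"dormant account used: {user}"
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            return "probable", f"login at unexpected time: {user} at {ts:%H:%M}"
    return None


def triage(log_text, last_seen):
    """Classify every line; return findings ordered definite > probable > possible."""
    known_accounts = set(last_seen)          # accounts that existed at start of day
    rank = {"definite": 0, "probable": 1, "possible": 2}
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            result = classify_event(*parse_line(line), known_accounts, last_seen)
            if result:
                findings.append(result)
    return sorted(findings, key=lambda f: rank[f[0]])   # sorted() is stable


if __name__ == "__main__":
    for tier, reason in triage(SAMPLE_LOG, dict(LAST_SEEN)):
        print(f"{tier:8} {reason}")
```

A single indicator in the "possible" tier is a prompt to look closer, not a declared incident; the ordering puts the definite indicators first so the responder sees them before the noise.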
Incident Reaction
- Actions outlined in the IRP guide the organization
- Stop the incident
- Mitigate the impact
- Provide information recovery
- Notify key personnel
- Document the incident
Incident Containment Strategies
- Sever affected communication circuits
- Disable accounts
- Reconfigure firewall
- Disable process or service
- Take down e-mail
- Stop all computers and network devices
- Isolate affected channels, processes, services, or computers
Incident Recovery
- Get everyone moving and focused
- Assess damage
- Recovery:
  - Identify and resolve vulnerabilities
  - Address safeguards
  - Evaluate monitoring capabilities
  - Restore data from backups
  - Restore processes and services
  - Continuously monitor the system
  - Restore confidence
Disaster Recovery Plan
- Provides guidance in the event of a disaster
- Clear establishment of priorities
- Clear delegation of roles & responsibilities
- Alert key personnel
- Document the disaster
- Mitigate impact
- Evacuation of physical assets
Crisis Management
- Disaster recovery personnel must know their responses without any supporting documentation
- Focus first & foremost on the people involved
- Team responsibilities:
  - Support personnel and loved ones
  - Determine impact on normal operations
  - Keep the public informed
  - Communicate with major players
Business Continuity Planning
- Prepares an organization to reestablish critical operations
- Temporary facilities
- Continuity strategy
- Integration of off-site data storage & recovery functions
- Off-site backup
- Identification of critical business functions
- Identification of critical resources
Alternative Site Configurations
- Hot sites
  - Fully configured computer facilities
  - All services & communication links
  - Physical plant operations
- Warm sites
  - Do not include actual applications
  - Applications may not be installed and configured
  - Require hours to days to become operational
Alternative Site Configurations
- Cold sites
  - Rudimentary services and facilities
  - No hardware or peripherals; essentially an empty room
Alternative Site Configurations
- Time-shares
  - Hot, warm, or cold
  - Leased with other orgs
- Service bureau
  - Provides service for a fee
- Mutual agreements
- Rolling mobile site
Off-Site Disaster Data Storage
- "Off-site" – how far?
- Electronic vaulting
  - Transfer of large batches of data
  - Receiving server archives the data
  - Fee
- Journaling
  - Transfer of live transactions to off-site
  - Only transactions are transferred
  - Transfer is real time
Off-Site Disaster Data Storage
- Shadowing
  - Duplicated databases
  - Multiple servers
  - Processes duplicated
  - 3 or more copies simultaneously
ACL Policies
- Restrict access from anyone & anywhere
- Can regulate specific user, computer, time, duration, file
ACL Policies
- What is regulated:
  - Who can use the system
  - What authorized users can access
  - When authorized users can access
  - Where authorized users can access from
ACL Policies
- Authorization determined by a person's identity
- Can regulate specific computer equipment
- Regulate access to data:
  - Read
  - Write
  - Modify
  - Copy
  - Compare
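As an added example (not from the slide deck or the textbook), the Python below codifies the who/what/when/where/duration dimensions and the read/write/modify/copy/compare operations from the ACL slides as a default-deny ACL of the kind a SysSP would contain; the user, host and file names, the time window and the rule format are constructed assumptions.

```python
"""Evaluate access requests against a small ACL of the kind a system-specific
policy (SysSP) codifies: who, what, when, where and for how long, default deny.

Added example, not from the slide deck or the textbook. Users, hosts, file
names, time windows and the rule format are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time

OPERATIONS = {"read", "write", "modify", "copy", "compare"}   # from the slides


@dataclass(frozen=True)
class AclRule:
    """One ACL entry. None in an optional field means 'any'."""
    user: str                      # who
    path: str                      # which file or directory (prefix match)
    ops: frozenset                 # what: subset of OPERATIONS
    hosts: frozenset = None        # where: permitted source computers
    window: tuple = None           # when: (start, end) local time of day
    max_minutes: int = None        # duration: longest permitted session


@dataclass(frozen=True)
class Request:
    user: str
    path: str
    op: str
    host: str
    when: datetime
    minutes: int = 0               # how long the session has been open


def rule_matches(rule, req):
    """True only if every dimension of the rule covers the request."""
    if rule.user != req.user or not req.path.startswith(rule.path):
        return False
    if req.op not in rule.ops:
        return False
    if rule.hosts is not None and req.host not in rule.hosts:
        return False
    if rule.window is not None:
        start, end = rule.window
        if not start <= req.when.time() < end:
            return False
    if rule.max_minutes is not None and req.minutes > rule.max_minutes:
        return False
    return True


def decide(acl, req):
    """Return (allowed, reason). An ACL is an allow-list, so anything that
    matches no rule, including an operation the policy never named, is denied."""
    if req.op not in OPERATIONS:
        return False, f"unknown operation {req.op!r}"
    for rule in acl:
        if rule_matches(rule, req):
            return True, f"matched rule for {rule.user} on {rule.path}"
    return False, "no matching rule (default deny)"


# Constructed ACL: finance staff may read/compare payroll data from office
# workstations during working hours; the payroll clerk may also change it,
# but only in sessions under two hours; nobody is granted copy.
PAYROLL_ACL = [
    AclRule(user="bob", path="/data/payroll/", ops=frozenset({"read", "compare"}),
            hosts=frozenset({"fin-ws-01", "fin-ws-02"}),
            window=(time(8, 0), time(18, 0))),
    AclRule(user="carol", path="/data/payroll/",
            ops=frozenset({"read", "write", "modify", "compare"}),
            hosts=frozenset({"fin-ws-03"}), window=(time(8, 0), time(18, 0)),
            max_minutes=120),
]

if __name__ == "__main__":
    day = datetime(2023, 5, 2, 10, 0)
    for req in [
        Request("bob", "/data/payroll/2023-05.csv", "read", "fin-ws-01", day),
        Request("bob", "/data/payroll/2023-05.csv", "read", "fin-ws-01", datetime(2023, 5, 2, 22, 0)),
        Request("bob", "/data/payroll/2023-05.csv", "copy", "fin-ws-01", day),
        Request("carol", "/data/payroll/2023-05.csv", "modify", "fin-ws-03", day, minutes=150),
        Request("carol", "/data/payroll/2023-05.csv", "modify", "laptop-9", day),
    ]:
        allowed, why = decide(PAYROLL_ACL, req)
        print(f"{'ALLOW' if allowed else 'DENY '} {req.user:6} {req.op:7} {req.host:10} {why}")
```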
Rule Policies
- More specific to the operation of a system than an ACL
- May or may not deal with the user directly
- Define configuration of firewalls, IDS, and proxy servers
Policy Management
- Policies are living documents
- Must be managed
- Constantly change and grow
- Must be properly disseminated
- Must be properly managed by a responsible individual: the policy administrator
  - Champion & manager
  - Not necessarily a technically oriented person
Reviews
- Schedule
  - Retain effectiveness in a changing environment
  - Periodically reviewed
  - Should be defined and published
  - Should be reviewed at least annually
- Procedures and practices
  - Recommendations for change
  - In reality, one person drafts
Document Configuration Management
- Include date of original
- Include date of revision
- Include expiration date
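The review schedule and document dates from the last two slides can be checked automatically. The Python below is an added example, not from the slide deck or the textbook: it audits constructed policy-file headers for the three dates and flags expired documents and those not revised within the 365-day interval taken from "at least annually"; the header format and document names are assumptions.

```python
"""Audit policy document metadata for the configuration-management fields the
slides call for (original date, revision date, expiration date) and flag
documents that are expired or overdue for their annual review.

Added example, not from the slide deck. Header format, document names and
dates are constructed; the 365-day interval follows "at least annually".
"""
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=365)
REQUIRED = ("original", "revised", "expires")

# Constructed headers as they might appear at the top of each policy file.
POLICY_HEADERS = {
    "EISP.md": {"original": "2021-01-15", "revised": "2023-02-01", "expires": "2024-02-01"},
    "ISSP-email.md": {"original": "2020-06-01", "revised": "2021-05-20", "expires": "2022-05-20"},
    "SysSP-firewall.md": {"original": "2022-09-10", "revised": "2022-09-10"},  # no expiration
    "ISSP-remote-access.md": {"original": "2023-03-01", "revised": "2023-03-01", "expires": "2024-03-01"},
}


def audit_document(name, header, today):
    """Return a list of findings for one document; an empty list means it is in order."""
    findings = []
    missing = [field for field in REQUIRED if field not in header]
    if missing:
        findings.append(f"{name}: missing {', '.join(missing)}")
    try:
        dates = {k: date.fromisoformat(v) for k, v in header.items() if k in REQUIRED}
    except ValueError as exc:
        # A malformed date is itself a configuration-management defect.
        return findings + [f"{name}: unparseable date ({exc})"]
    if "original" in dates and "revised" in dates and dates["revised"] < dates["original"]:
        findings.append(f"{name}: revision date precedes original date")
    if "revised" in dates and today - dates["revised"] > REVIEW_INTERVAL:
        days = (today - dates["revised"]).days
        findings.append(f"{name}: not reviewed for {days} days (annual review overdue)")
    if "expires" in dates and dates["expires"] <= today:
        findings.append(f"{name}: expired on {dates['expires']}")
    return findings


def audit_all(headers, today):
    """Audit every document; return {name: [findings]} for the ones with issues."""
    report = {}
    for name, header in headers.items():
        findings = audit_document(name, header, today)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for findings in audit_all(POLICY_HEADERS, date(2023, 6, 1)).values():
        for line in findings:
            print(line)
```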
Information Classification
- Control for the protection of information
- Important facet of policy
- At the least: "for internal use only"
- Clean desk policy
Information Security Blueprint
- Risk assessment
  - Quantitative and qualitative analysis
  - Feasibility studies
  - Cost-benefit analysis
  - Gives a good idea of system vulnerabilities
- Specifies tasks to be accomplished
- Specifies the order of performing tasks
- Serves as the plan for IS security needs for years, not just today
Information Security Blueprint
- Basis for design, selection & implementation of:
  - All security policies
  - Education
  - Training program
  - Technology controls
Security Models
- ISO (International Organization for Standardization)
- IEC (International Electrotechnical Commission)
Security Models
- ISO/IEC 17799
  - Purpose – "give recommendations for information security management for use by those who are responsible for initiating, implementing, or maintaining security in their organization."
  - Provides a common basis
  - Must pay for these
Security Models
- NIST
  - Available from the Computer Security Resource Center of the National Institute of Standards & Technology
  - Publicly available at no charge
  - Several publications dealing with various aspects
Security Models
- IETF (Internet Engineering Task Force)
- VISA
  - Internal focus on systems that can and do integrate with VISA
- Baselining and best practices
  - Comparison of your organization's security with another's
Hybrid Framework
- People must become a layer of security
  - Human firewall
- Information security implementation:
  - Policies
  - People
  - Education, training, and awareness
  - Technology
Figure 5-15 – Spheres of Security
Principles of Information Security, 2nd Edition
Hybrid Framework
- Managerial Controls
  - Cover the security process
  - Implemented by the security administrator
  - Set directions and scope
  - Address the design and implementation
  - Address risk management & security control reviews
  - Necessity and scope of legal compliance
Hybrid Framework
- Operational Controls
  - Operational functionality of security
  - Disaster recovery
  - Incident response planning
  - Personnel and physical security
  - Protection of production inputs and outputs
Hybrid Framework
- Operational Controls (continued)
  - Development of education, training & awareness
  - Address hardware and software system maintenance
  - Integrity of data
Hybrid Framework
- Technical Controls
  - Address the tactical & technical issues
  - Address specifics of technology selection & acquisition
  - Address identification
  - Address authentication
  - Address authorization
  - Address accountability
Hybrid Framework
- Technical Controls (continued)
  - Address development & implementation of audits
  - Cover cryptography
  - Classification of assets and users
Hybrid Framework: Security Architecture Components
- Defense in depth
  - One of the basic tenets
  - Implementation of security in layers: policy, training, technology
- Security perimeter
  - Defines the edge between the outer limit of an organization's security and the beginning of the outside world
Hybrid Framework: Security Architecture Components
- First level of security – protects all internal systems from outside threats
- Multiple technologies segregate the protected information
- Security domains or areas of trust
Key Technology Components
- SETA: security education, training and awareness
- Employee errors are among the top threats
- Purpose:
  - Improve awareness of the need to protect
  - Develop skills and knowledge
  - Build in-depth knowledge to design, implement, or operate security programs
Comparative Framework of SETA

| | Education | Training | Awareness |
|---|---|---|---|
| Attribute | Why | How | What |
| Level | Insight | Knowledge | Information |
| Objective | Understanding | Skill | Exposure |
| Teaching method | Theoretical instruction: discussion seminar, background reading | Practical instruction: lecture, case study, hands-on practice | Media: videos, newsletters, posters |
| Test measure | Essay (interpret learning) | Problem solving (apply learning) | True or false, multiple choice (identify learning) |
| Impact timeframe | Long-term | Intermediate | Short-term |
Business Impact Analysis (BIA)
- Investigate & assess the impact of various attacks
- First risk assessment, then BIA
- Prioritized list of threats & critical info
- Detailed scenarios of the potential impact of each attack
- Answers the question "if the attack succeeds, what do you do then?"
BIA Sections
- Threat attack identification & prioritization
  - Attack profile – detailed description of the activities that occur during an attack
  - Determine the extent of resulting damage
- Business unit analysis
  - Analysis & prioritization of business functions
  - Identify & prioritize functions within the org's units
BIA Sections
- Attack success scenario development
  - Series of scenarios showing impact
  - Each threat on the prioritized list
  - Alternate outcomes: best, worst, probable cases
- Potential damage assessment
  - Estimate cost of best, worst, probable cases
  - What must be done under each, not how much to spend
- Subordinate plan classification
  - Basis for classification as disastrous or not disastrous