Assignment
Computer Security:
Principles and Practice
Fourth Edition
By: William Stallings and Lawrie Brown
Lecture slides prepared for “Computer Security: Principles and Practice”, 4/e, by William Stallings and Lawrie Brown, Chapter 15, “IT Security Controls, Plans, and Procedures”.
Chapter 15
IT Security Controls, Plans, and Procedures
In Chapter 14, we introduced IT security management as a formal process to
ensure that critical assets are sufficiently protected in a cost-effective manner.
We then discussed the critical risk assessment process. This chapter continues the
examination of IT security management. We survey the range of management,
operational, and technical controls or safeguards available that can be used to
improve security of IT systems and processes. We then explore the content of
the security plans that detail the implementation process. These plans must then
be implemented, with training to ensure that all personnel know their responsibilities,
and monitoring to ensure compliance. Finally, to ensure that a suitable level of
security is maintained, management must follow up the implementation with an
evaluation of the effectiveness of the security controls and an iteration of the entire
IT security management process.
We introduced the IT security management process in Chapter 14, illustrated by
Figure 14.1. Chapter 14 focused on the earlier stages of this process. In this chapter, we
focus on the latter stages, which include selecting controls, developing an implementation
plan, and the follow-up monitoring of the plan’s implementation. We broadly
follow the guidance provided in NIST SP 800-39 (Managing Information Security
Risk: Organization, Mission, and Information System View, March 2011), which was
developed by NIST in 2011 as the flagship document for providing guidance for an
integrated, organization-wide program for managing information security risk, in
response to FISMA. A broad summary of these steps is given in Figure 15.1. We will
discuss each of these in turn.
Security Control
Control is defined as:
“An action, device, procedure, or other measure that reduces risk by eliminating or preventing a security violation, by minimizing the harm it can cause, or by discovering and reporting it to enable corrective action.”
A risk assessment on an organization’s IT systems identifies areas needing treatment.
The next step, as shown in Figure 14.1 on risk analysis options, is to select suitable
controls to use in this treatment. An IT security control, safeguard, or countermeasure
(the terms are used interchangeably) helps to reduce risks. We use the following
definition:
“An action, device, procedure, or other measure that reduces risk by eliminating or preventing a
security violation, by minimizing the harm it can cause, or by discovering and reporting it to enable corrective action.”
Control Classifications
Management controls
Focus on security policies, planning, guidelines, and standards that influence the selection of operational and technical controls to reduce the risk of loss and to protect the organization’s mission
These controls refer to issues that management needs to address
Operational controls
Address the correct implementation and use of security policies and standards, ensuring consistency in security operations and correcting identified operational deficiencies
These controls relate to mechanisms and procedures that are primarily implemented by people rather than systems
They are used to improve the security of a system or group of systems
Technical controls
Involve the correct use of hardware and software security capabilities in systems
These range from simple to complex measures that work together to secure critical and sensitive data, information, and IT systems functions
Some controls address multiple risks at the same time, and selecting such controls can
be very cost effective. Controls can be classified as belonging to one of the following
classes (although some controls include features from several of these):
• Management controls: Focus on security policies, planning, guidelines, and
standards that influence the selection of operational and technical controls to
reduce the risk of loss and to protect the organization’s mission. These controls
refer to issues that management needs to address. We discuss a number of these
in Chapters 14 and 15.
• Operational controls: Address the correct implementation and use of security
policies and standards, ensuring consistency in security operations and correcting
identified operational deficiencies. These controls relate to mechanisms
and procedures that are primarily implemented by people rather than systems.
They are used to improve the security of a system or group of systems. We will
discuss some of these in Chapters 16 and 17.
• Technical controls: Involve the correct use of hardware and software security
capabilities in systems. These range from simple to complex measures that work
together to secure critical and sensitive data, information, and IT systems functions.
Figure 15.2 illustrates some typical technical control measures. Parts One
and Two in this text discussed aspects of such measures.
Control Classes
Each of the control classes may include the following:
Supportive controls
Pervasive, generic, underlying technical IT security capabilities that are interrelated with, and used by, many other controls
Preventative controls
Focus on preventing security breaches from occurring, by inhibiting attempts to violate security policies or exploit a vulnerability
Detection and recovery controls
Focus on the response to a security breach, by warning of violations or attempted violations of security policies or the identified exploit of a vulnerability and by providing means to restore the resulting lost computing resources
In turn, each of these control classes may include the following:
• Supportive controls: Pervasive, generic, underlying technical IT security capabilities
that are interrelated with, and used by, many other controls.
• Preventative controls: Focus on preventing security breaches from occurring, by
inhibiting attempts to violate security policies or exploit a vulnerability.
• Detection and recovery controls: Focus on the response to a security breach, by
warning of violations or attempted violations of security policies or the identified
exploit of a vulnerability and by providing means to restore the resulting
lost computing resources.
The technical control measures shown in Figure 15.2 include examples of each of
these types of controls.
Table 15.1
NIST SP800-53 Security Controls
Lists of controls are provided in a number of national and international
standards, including ISO 27002 (Code of practice for information security management,
2013), ISO 13335 (Management of information and communications technology
security, 2004), FIPS 200 (Minimum Security Requirements for Federal Information
and Information Systems, March 2006) and NIST SP 800-53 (Recommended Security
Controls for Federal Information Systems, January 2015). There is broad agreement
among these and other standards as to the types of controls that should be used and
the detailed lists of typical controls. Indeed many of the standards cross-reference each
other, indicating their agreement on these lists. ISO 27002 is generally regarded as the
master list of controls and is cited by most other standards. Table 15.1 (adapted from
Table 1 in NIST SP 800-53) is a typical list of families of controls within each of the
classes.
Table 15.2
ISO/IEC 27002
Security Controls
(Table can be found on page 493 in the textbook.)
Compare this with the list in Table 15.2, which details the categories of controls
given in ISO 27002, and with Table 1.4 which lists controls from FIPS 200, noting the
high degree of overlap. Within each of these control classes, there is a long list of specific
controls that may be chosen.
Table 15.3
Detailed
NIST SP800-53
Security Controls
(Table is on page 494-495 in the textbook)
Table 15.3 (adapted from the tables in Appendix D
and G of NIST SP 800-53) itemizes the full list of controls detailed in this standard.
To attain an acceptable level of security, some combination of these controls
should be chosen. If the baseline approach is being used, an appropriate baseline set
of controls is typically specified in a relevant industry or government standard. For
example, Appendix D in NIST SP 800-53 lists selections of baseline controls for use
in low-, moderate-, and high-impact IT systems. A selection should be made that is
appropriate to the organization’s overall risk profile, resources, and capabilities. These
should then be implemented across all the IT systems for the organization, with
adjustments in scope to address broad requirements of specific systems.
Table 15.3
Continued
NIST SP 800-18 (Guide for Developing Security Plans for Federal Information
Systems, February 2006) suggests that adjustments may be needed for considerations
related to the following:
• Technology: Some controls are only applicable to specific technologies, and
hence these controls are only needed if the system includes those technologies.
Examples of these include wireless networks and the use of cryptography. Some
may only be appropriate if the system supports the technology they require—
for example, readers for access tokens. If these technologies are not supported
on a system, then alternate controls, including administrative procedures or
physical access controls, may be used instead.
• Common controls: The entire organization may be managed centrally and may
not be the responsibility of the managers of a specific system. Control changes
would need to be agreed to and managed centrally.
• Public access systems: Some systems, such as the organization’s public Web
server, are designed for access by the general public. Some controls, such as those
relating to personnel security, identification, and authentication, would not apply
to access via the public interface. They would apply to administrative control of
such systems. The scope of application of such controls must be specified carefully.
• Infrastructure controls: Physical access or environmental controls are only relevant
to areas housing the relevant equipment.
• Scalability issues: Controls may vary in size and complexity in relation to the
organization employing them. For example, a contingency plan for systems critical
to a large organization would be much larger and more detailed than that
for a small business.
• Risk assessment: Controls may be adjusted according to the results of specific
risk assessment of systems in the organization, as we now consider.
If some form of informal or formal risk assessment process is being used, then
it provides guidance on specific risks to an organization’s IT systems that need to be
addressed. These will typically be some selection of operational or technical controls
that together can reduce the likelihood of the identified risk occurring, the consequences
if it does, or both, to an acceptable level. These may be in addition to those
controls already selected in the baseline, or may simply be more detailed and careful
specification and use of already selected controls.
The process illustrated in Figure 15.1 indicates that a recommended list of controls
should be made to address each risk needing treatment. The recommended controls
need to be compatible with the organization’s systems and policies, and their selection
may also be guided by legal requirements. The resulting list of controls should include
details of the feasibility and effectiveness of each control. The feasibility addresses factors
such as technical compatibility with and operational impact on existing systems
and users’ likely acceptance of the control. The effectiveness weighs the cost of implementation
against the reduction in level of risk achieved by implementing the control.
The reduction in level of risk that results from implementing a new or enhanced
control results from the reduction in threat likelihood or consequence that the control
provides, as shown in Figure 15.3. The reduction in likelihood may
result either by reducing the vulnerabilities (flaws or weaknesses) in the system or
by reducing the capability and motivation of the threat source. The reduction in
consequence occurs by reducing the magnitude of the adverse impact of the threat
occurring in the organization.
Cost-Benefit Analysis
The organization will likely not have the resources to implement all the recommended
controls. Therefore, management should conduct a cost-benefit analysis to
identify those controls that are most appropriate, and provide the greatest benefit
to the organization given the available resources. This analysis may be qualitative or
quantitative and must demonstrate that the cost of implementing a given control is
justified by the reduction in level of risk to assets that it provides. It should include
details of the impact of implementing the new or enhanced control, the impact of
not implementing it, and the estimated costs of implementation. The analysis must
then assess the implementation costs and benefits against system and data criticality
to determine the importance of choosing this control.
Management must then determine which selection of controls provides an
acceptable resulting level of risk to the organization’s systems. This selection will
consider factors such as the following:
• If the control would reduce risk more than needed, then a less expensive
alternative could be used.
• If the control would cost more than the risk reduction provided, then an
alternative should be used.
• If a control does not reduce the risk sufficiently, then either more or different
controls should be used.
• If the control provides sufficient risk reduction and is the most cost effective,
then use it.
It is often the case that the cost of implementing a control is more tangible and
easily specified than the cost of not implementing it. Management must make a
business decision regarding these ill-defined costs in choosing the final selection of
controls and resulting residual risk.
Should be conducted by management to identify controls that provide the greatest benefit to the organization given the available resources
May be qualitative or quantitative
Must show cost justified by reduction in risk
Should contrast the impact of implementing a control or not, and an estimation of cost
Management chooses selection of controls
Considers if it reduces risk too much or not enough, is too costly or appropriate
Fundamentally a business decision
IT Security Plan
Provides details of:
What will be done
What resources are needed
Who is responsible
Goal is to detail the actions needed to improve the identified deficiencies in the risk profile
Having identified a range of possible controls from which management has selected
some to implement, an IT security plan should then be created, as indicated in
Figures 14.1 and 15.1. This is a document that provides details as to what will be
done, what resources are needed, and who will be responsible. The goal is to detail
the actions needed to improve the identified deficiencies in the organization’s risk
profile in a timely manner. NIST SP 800-30 (Risk Management Guide for Information Technology
Systems, September 2012) suggests that this plan should include details of:
• Risks (asset/threat/vulnerability combinations)
• Recommended controls (from the risk assessment)
• Action priority for each risk
• Selected controls (on the basis of the cost-benefit analysis)
• Required resources for implementing the selected controls
• Responsible personnel
• Target start and end dates for implementation
• Maintenance requirements and other comments
Should include
Risks, recommended controls, action priority
Selected controls, resources needed
Responsible personnel, implementation dates
Maintenance requirements
Table 15.4 Implementation Plan
These details are summarized in an implementation plan table, such as
that shown in Table 15.4. This illustrates an example implementation plan for
the example risk identified and shown in Table 14.5. The suggested controls are
specific examples of remote access, auditable event, user identification, system
backup, and configuration change controls, applied to the identified threatened
asset. All of them are chosen because they are neither costly nor difficult to
implement. They do require some changes to procedures. The relevant network
administration staff must be notified of these changes. Staff members may also
require training on the correct implementation of the new procedures and their
rights and responsibilities.
Security Plan Implementation
The next phase in the IT security management process, as indicated in Figure 14.1, is
to manage the implementation of the controls detailed in the IT security plan. This
comprises the do stage of the cyclic implementation model discussed in Chapter 14.
The implementation phase comprises not only the direct implementation of the
controls as detailed in the security plan, but also the associated specific training and
general security awareness programs for the organization.
The IT security plan documents what needs to be done for each selected control,
along with the personnel responsible, and the resources and time frame to
be used. The identified personnel then undertake the tasks needed to implement
the new or enhanced controls, be they technical, managerial, or operational.
This may involve some combination of system configuration changes, upgrades,
or new system installation. It may also involve the development of new or
extended procedures to document practices needed to achieve the desired
security goals. Note that even technical controls typically require associated
operational procedures to ensure their correct use. The use of these procedures
needs to be encouraged and monitored by management.
The implementation process should be monitored to ensure its correctness.
This is typically performed by the organizational security officer, who checks that:
• The implementation costs and resources used stay within identified bounds.
• The controls are correctly implemented as specified in the plan, in order that
the identified reduction in risk level is achieved.
• The controls are operated and administered as needed.
When the implementation is successfully completed, management needs to
authorize the system for operational use. This may be a purely informal process
within the organization. Alternatively, especially in government organizations,
this may be part of a formal process resulting in accreditation of the system
as meeting required standards. This is usually associated with the installation,
certification, and use of trusted computing systems, as we will discuss in Chapter 27.
In these cases an external accrediting body will verify the documented evidence of
the correct design and implementation of the system.
IT security plan documents:
What needs to be done for each selected control
Personnel responsible
Resources and time frame
Identified personnel:
Implement new or enhanced controls
May need system configuration changes, upgrades or new system installation
May also involve development of new or extended procedures
Need to be encouraged and monitored by management
When implementation is completed management authorizes the system for operational use
Implementation Follow-Up
Security management is a cyclic process
Constantly repeated to respond to changes in the IT systems and the risk environment
Need to monitor implemented controls
Evaluate changes for security implications
Otherwise increase chance of security breach
The IT security management process does not end with the implementation of
controls and the training of personnel. As we noted in Chapter 14, it is a cyclic
process, constantly repeated to respond to changes in the IT systems and the risk
environment. The various controls implemented should be monitored to ensure
their continued effectiveness. Any proposed changes to systems should be checked
for security implications and the risk profile of the affected system reviewed if
necessary. Unfortunately, this aspect of IT security management often receives
the least attention and in many cases is added as an afterthought, if at all. Failure
to do so can greatly increase the likelihood that a security failure will occur.
This follow-up stage of the management process includes a number of aspects:
• Maintenance of security controls
• Security compliance checking
• Change and configuration management
• Incident handling
Any of these aspects might indicate that changes are needed to the previous stages in
the IT security management process. An obvious example is that if a breach should
occur, such as a virus infection of desktop systems, then changes may be needed to
the risk assessment, to the controls chosen, or to the details of their implementation.
This can trigger a review of earlier stages in the process.
Includes a number of aspects
Maintenance of security controls
Security compliance checking
Change and configuration management
Incident handling
Maintenance
Need continued maintenance and monitoring of implemented controls to ensure continued correct functioning and appropriateness
Goal is to ensure controls perform as intended
Tasks
The first aspect concerns the continued maintenance and monitoring of the
implemented controls to ensure their continued correct functioning and
appropriateness. It is important that someone has responsibility for this maintenance
process, which is generally coordinated by the organization’s security officer.
The maintenance tasks include ensuring that:
• Controls are periodically reviewed to verify that they still function as intended.
• Controls are upgraded when new requirements are discovered.
• Changes to systems do not adversely affect the controls.
• New threats or vulnerabilities have not become known.
This review includes regular analysis of log files to ensure various system
components are functioning as expected, and to determine a baseline of activity
against which abnormal events can be compared when handling incidents.
We discuss security auditing further in Chapter 18.
The goal of maintenance is to ensure that the controls continue to perform as
intended, and hence that the organization’s risk exposure remains as chosen. Failure
to maintain controls could lead to a security breach with a potentially significant
impact on the organization.
Periodic review of controls
Upgrade of controls to meet new requirements
System changes do not impact controls
Address new threats or vulnerabilities
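The maintenance notes above say that regular log analysis should establish a baseline of normal activity against which abnormal events can be compared. The following is an added example of that idea, not code from the textbook or its authors: it parses syslog-style lines into a few event categories, learns the per-day mean and standard deviation of each category over a baseline period, and flags days on which a category exceeds the expected range. The log format, event categories, host names, addresses and all log lines are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Parses a syslog-style line: "<ISO timestamp> <host> <process>[<pid>]: <message>".
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2} "
    r"(?P<host>\S+) (?P<proc>[a-z]+)\[\d+\]: (?P<msg>.*)$"
)

# Event categories worth baselining; the names and patterns are this example's own choice.
EVENT_PATTERNS = {
    "ssh_auth_fail": re.compile(r"^Failed password"),
    "ssh_auth_ok": re.compile(r"^Accepted (password|publickey)"),
    "sudo": re.compile(r"^\S+ : TTY="),
}


def classify(line):
    """Return (day, event_name) for a recognised line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for name, pattern in EVENT_PATTERNS.items():
        if pattern.search(m.group("msg")):
            return m.group("day"), name
    return m.group("day"), "other"


def daily_counts(lines):
    """Count events per day: {day: Counter({event: n})}."""
    counts = defaultdict(Counter)
    for line in lines:
        parsed = classify(line)
        if parsed:
            day, event = parsed
            counts[day][event] += 1
    return counts


def build_baseline(lines):
    """Per-event mean and population std-dev of the daily count over the baseline period."""
    per_day = daily_counts(lines)
    events = set().union(*per_day.values()) if per_day else set()
    baseline = {}
    for event in events:
        series = [per_day[day][event] for day in per_day]  # 0 on days without the event
        baseline[event] = (mean(series), pstdev(series))
    return baseline


def find_anomalies(baseline, lines, k=3.0, min_excess=5):
    """Flag (day, event, count, threshold) where count exceeds mean + k*stddev.

    min_excess stops a very flat baseline (stddev near 0) from alerting on tiny changes.
    """
    anomalies = []
    for day, counts in sorted(daily_counts(lines).items()):
        for event, n in counts.items():
            mu, sd = baseline.get(event, (0.0, 0.0))
            threshold = max(mu + k * sd, mu + min_excess)
            if n > threshold:
                anomalies.append((day, event, n, round(threshold, 1)))
    return anomalies


def make_day(day, fails, oks, sudos):
    """Constructed sample log lines for one day (not captured from a real system)."""
    lines = []
    for i in range(fails):
        lines.append(f"{day}T02:{i % 60:02d}:{i % 60:02d} srv01 sshd[1021]: Failed password "
                     f"for invalid user admin from 203.0.113.{i % 200 + 1} port {40000 + i} ssh2")
    for i in range(oks):
        lines.append(f"{day}T09:{i % 60:02d}:00 srv01 sshd[1021]: Accepted publickey "
                     f"for alice from 10.0.0.{i % 200 + 1} port {50000 + i} ssh2")
    for i in range(sudos):
        lines.append(f"{day}T10:{i % 60:02d}:00 srv01 sudo[2002]: alice : TTY=pts/0 ; "
                     f"PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status sshd")
    return lines


# Five quiet days establish the baseline; the sixth day has a burst of SSH failures.
BASELINE_LINES = (make_day("2024-05-01", 4, 20, 6) + make_day("2024-05-02", 6, 22, 5)
                  + make_day("2024-05-03", 5, 19, 6) + make_day("2024-05-06", 3, 21, 5)
                  + make_day("2024-05-07", 7, 18, 8))
NEW_DAY_LINES = make_day("2024-05-08", 60, 21, 5)

if __name__ == "__main__":
    base = build_baseline(BASELINE_LINES)
    for event, (mu, sd) in sorted(base.items()):
        print(f"{event:15s} mean={mu:5.1f} stddev={sd:4.1f}")
    for day, event, n, thr in find_anomalies(base, NEW_DAY_LINES):
        print(f"ANOMALY {day} {event}: {n} events (threshold {thr})")
```

The baseline has to be learned from a period the security officer trusts to be clean; a baseline learned while an incident is in progress would simply declare the incident normal. The `min_excess` floor matters for exactly the flat, predictable activity that the review describes: with a standard deviation near zero, a pure `mean + k*stddev` threshold would fire on a change of one or two events.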
Security Compliance
Audit process to review security processes
Goal is to verify compliance with security plan
Use internal or external personnel
Usually based on use of checklists which verify:
Suitable policies and plans were created
Suitable selection of controls were chosen
That they are maintained and used correctly
Often as part of wider general audit
Security compliance checking is an audit process to review the organization’s security
processes. The goal is to verify compliance with the security plan. The audit may
be conducted using either internal or external personnel. It is generally based on
the use of checklists, which verify that the suitable policies and plans have been
created, that suitable controls were chosen, and that the controls are maintained and
used correctly.
This audit process should be conducted on new IT systems and services
once they are implemented, and on existing systems periodically, often as part of
a wider, general audit of the organization or whenever changes are made to the
organization’s security policy.
Change and Configuration Management
Change management is the process used to review proposed changes to systems for
implications on the organization’s systems and use. Changes to existing systems can
occur for a number of reasons, such as the following:
• Users reporting problems or desired enhancements
• Identification of new threats or vulnerabilities
• Vendor notification of patches or upgrades to hardware or software
• Technology advances
• Implementation of new IT features or services, which require changing existing
systems
• Identification of new tasks, which require changing existing systems
The impact of any proposed change on the organization’s systems should be
evaluated. This includes not only security-related aspects, but wider operational
issues as well. Thus change management is an important component of the
general systems administration process. Because changes can affect security,
this general process overlaps IT security management and must interact with it.
An important example is the constant flow of patches addressing bugs and
security failings in common operating systems and applications. If the organization is
running systems of any complexity, with a range of applications, then patches should
ideally be tested to ensure that they don’t adversely affect other applications. This can
be a time-consuming process that may require considerable administration resources,
and could leave the organization exposed to a new vulnerability for a period. Otherwise,
the patches or upgrades could be applied without testing, which may possibly
result in other failures in the systems and the loss of functionality, but will also
improve system security due to faster patching. Management needs to decide whether
availability or security has higher priority in such cases.
Ideally, most proposed changes should act to improve the security profile of
a system. However, it is possible that for imperative business reasons a change is
proposed that reduces the security of a system. In cases like this, it is important
that the reasons for the change, its consequences on the security profile for the
organization, and management authorization of it be documented. The benefits to
the organization would need to be traded off against the increased risk level.
The change management process may be informal or formal, depending on the
size of the organization and its overall IT management processes. In a formal process,
any proposed change should be documented and tested before implementation. As
part of this process, any related documentation, including relevant security documentation
and procedures, should be updated to reflect the change.
Configuration management is concerned with specifically keeping track of the
configuration of each system in use and the changes made to each. This includes lists
of the hardware and software versions installed on each system. This information
is needed to help restore systems following a failure (whether security related or
not) and to know what patches or upgrades might be relevant to particular systems.
Again, this is a general systems administration process with security implications
and must interact with IT security management.
Change management is the process to review proposed changes to systems
Evaluate the impact
Important component of general systems administration process
Test patches to make sure they do not adversely affect other applications
May be informal or formal
Configuration management is specifically concerned with keeping track of the configuration of each system in use and the changes made to them
Keep lists of hardware and software versions installed on each system to help restore them following a failure
Know what patches or upgrades might be relevant
Also part of general systems administration process
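The change and configuration management notes describe two records an organization must keep: the hardware and software versions installed on each system, and the changes made to each, so that a failed system can be restored and relevant vendor patches can be identified. The following is an added example of that bookkeeping, not code from the textbook or from any real configuration management product. It holds a per-system configuration record, matches vendor patch notices against installed versions, separates systems that can be patched from frozen systems that need a documented exception and a compensating control (the situation the chapter's case study describes for its SCADA nodes), and logs each change before applying it. All host names, products, versions, advisory and ticket identifiers are constructed placeholders.

```python
import re
from dataclasses import dataclass, field


@dataclass
class SystemRecord:
    """Configuration record for one system: what is installed, and whether upgrades are blocked."""
    name: str
    role: str
    software: dict            # product -> installed version
    frozen_reason: str = ""   # non-empty when the system cannot be patched (needs a compensating control)
    changes: list = field(default_factory=list)


@dataclass(frozen=True)
class PatchNotice:
    """A vendor notification: versions below fixed_version are affected."""
    advisory: str
    product: str
    fixed_version: str


def parse_version(text):
    """Dotted version string to a comparable tuple of ints ("3.0.11" -> (3, 0, 11))."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def needs_patch(installed, fixed_version):
    return parse_version(installed) < parse_version(fixed_version)


def relevant_patches(inventory, notices):
    """Split each notice into systems that can be patched and frozen systems needing an exception."""
    actionable, exceptions = {}, {}
    for notice in notices:
        for system in inventory:
            installed = system.software.get(notice.product)
            if installed is None or not needs_patch(installed, notice.fixed_version):
                continue
            bucket = exceptions if system.frozen_reason else actionable
            bucket.setdefault(notice.advisory, []).append(system.name)
    return actionable, exceptions


def apply_change(system, product, new_version, actor, ticket):
    """Record the change before altering the configuration, so a failed system can be rebuilt."""
    if system.frozen_reason:
        raise ValueError(f"{system.name} is frozen: {system.frozen_reason}")
    old = system.software.get(product)
    system.changes.append({"product": product, "from": old, "to": new_version,
                           "actor": actor, "ticket": ticket})
    system.software[product] = new_version
    return len(system.changes)


# Constructed inventory and advisories; hostnames, products and advisory ids are placeholders.
INVENTORY = [
    SystemRecord("web01", "public web server", {"nginx": "1.24.0", "openssl": "3.0.11"}),
    SystemRecord("fin-app-01", "financial application", {"openssl": "3.0.13", "java": "17.0.9"}),
    SystemRecord("scada-hmi-03", "SCADA operator station", {"legacy-os": "5.2", "hmi-app": "2.1"},
                 frozen_reason="hmi-app not validated by vendor on newer OS releases"),
]
NOTICES = [
    PatchNotice("ADV-EXAMPLE-001", "openssl", "3.0.13"),
    PatchNotice("ADV-EXAMPLE-002", "legacy-os", "5.3"),
    PatchNotice("ADV-EXAMPLE-003", "java", "17.0.8"),
]

if __name__ == "__main__":
    actionable, exceptions = relevant_patches(INVENTORY, NOTICES)
    print("to patch:", actionable)      # {'ADV-EXAMPLE-001': ['web01']}
    print("exceptions:", exceptions)    # {'ADV-EXAMPLE-002': ['scada-hmi-03']}
    apply_change(INVENTORY[0], "openssl", "3.0.13", actor="ops", ticket="CHG-EXAMPLE-42")
    print("after change:", relevant_patches(INVENTORY, NOTICES)[0])  # {}
```

The `exceptions` bucket is the important output for the follow-up stage: a frozen system that an advisory applies to is exactly the case where the chapter says the reason, the consequence for the risk profile and management's authorization must be documented, and where the risk has to be treated by other means. Real version schemes are messier than dotted integers (vendor suffixes, epochs, date-based versions), so `parse_version` is a simplification to replace with the comparison rules of the package system actually in use.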
Case Study: Silver Star Mines
Given risk assessment, the next stage is to identify possible controls
Based on assessment it is clear many categories are not in use
General issue of systems not being patched or upgraded
Need contingency plans
SCADA: add intrusion detection system
Info integrity: better centralize storage
Email: provide backup system
Consider the case study introduced in Chapter 14, which involves the operations
of a fictional company Silver Star Mines. Given the outcome of the risk assessment
for this company, the next stage in the security management process is to identify
possible controls. From the information provided during this assessment, clearly a
number of the possible controls listed in Table 15.3 are not being used. A comment
repeated many times was that many of the systems in use had not been regularly
upgraded, and part of the reason for the identified risks was the potential for system
compromise using a known but unpatched vulnerability. That clearly suggests
that attention needs to be given to controls relating to the regular, systematic
maintenance of operating systems and applications software on server and client
systems. Such controls include
• Configuration management policy and procedures
• Baseline configuration
• System maintenance policy and procedures
• Periodic maintenance
• Flaw remediation
• Malicious code protection
• Spam and spyware protection
Given that potential incidents are possible, attention should also be given to
developing contingency plans to detect and respond to such incidents and to enable
speedy restoration of system function. Attention should be paid to controls such as
• Audit monitoring, analysis, and reporting
• Audit reduction and report generation
• Contingency planning policy and procedures
• Incident response policy and procedures
• Information system backup
• Information system recovery and reconstitution
These controls are generally applicable to all the identified risks and constitute
good general systems administration practice. Hence, their cost effectiveness
would be high because they provide an improved level of security across multiple
identified risks.
Now consider the specific risk items. The top-priority risk relates to the
reliability and integrity of the Supervisory Control and Data Acquisition (SCADA)
nodes and network. These were identified as being at risk because many of these
systems are running older releases of operating systems with known insecurities.
Further, these systems cannot be patched or upgraded because the key applications
they run have not been updated or validated to run on newer O/S versions. Given
these limitations on the ability to reduce the vulnerability of individual nodes,
attention should be paid to the firewall and application proxy servers that isolate
the SCADA nodes and network from the wider corporate network. These systems
can be regularly maintained and managed according to the generally applied list
of controls we identified. Further, because the traffic to and from the SCADA
network is highly structured and predictable, it should be possible to implement
an intrusion detection system with much greater reliability than applies to
general-use corporate networks. This system should be able to identify attack
traffic, as it would be very different from normal traffic flows. Such a system
might involve a more detailed, automated analysis of the audit records
generated on the existing firewall and proxy server systems. More likely, it
could be an independent system connected to and monitoring the traffic
through these systems. The system could be further extended to include an
automated response capability, which could automatically sever the network
connection if an attack is identified. This approach recognizes that the network
connection is not needed for the correct operation of the SCADA nodes.
Indeed, they were designed to operate without such a network connection,
which is much of the reason for their insecurity. All that would be lost is
the improved overall monitoring and management of the SCADA nodes.
With this functionality, the likelihood of a successful attack, already regarded as
very unlikely, can be further reduced.
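The SCADA discussion above argues that because traffic to and from the SCADA network is highly structured and predictable, an intrusion detection system fed by the firewall and proxy records can be far more reliable there than on a general-use network, and that an automated response may sever the link because the nodes operate correctly without it. The following is an added example of that design, not code from the textbook or its authors: it learns the set of expected flows from a trusted baseline window of firewall records, reports any flow outside that set, and escalates to a recommendation to sever the link once several distinct unexpected flows appear. The record format, addresses and all flow records are constructed for the example.

```python
from collections import Counter
from typing import NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


def parse_record(line):
    """Parse one constructed firewall flow record: 'src,dst,proto,dport,bytes'."""
    src, dst, proto, dport, nbytes = line.strip().split(",")
    return Flow(src, dst, proto.upper(), int(dport)), int(nbytes)


def learn_allowlist(baseline_lines):
    """Every flow seen during a trusted baseline window becomes the expected traffic set."""
    return {parse_record(line)[0] for line in baseline_lines}


def evaluate(allowlist, lines, sever_after=3):
    """Return (unexpected flow -> record count, recommended action).

    The action escalates from 'none' to 'alert' to 'sever_link' with the number of
    distinct unexpected flows; severing is acceptable here because the SCADA nodes do
    not need the corporate link to operate, only to be monitored and managed remotely.
    """
    unexpected = Counter()
    for line in lines:
        flow, _ = parse_record(line)
        if flow not in allowlist:
            unexpected[flow] += 1
    if not unexpected:
        action = "none"
    elif len(unexpected) >= sever_after:
        action = "sever_link"
    else:
        action = "alert"
    return unexpected, action


# Constructed records (not captured traffic): the historian polls two PLCs on Modbus/TCP
# and the HMI reaches the historian over HTTPS; nothing else crosses the firewall.
BASELINE = [
    "10.10.0.5,10.20.0.11,tcp,502,1200",
    "10.10.0.5,10.20.0.12,tcp,502,1180",
    "10.10.0.7,10.10.0.5,tcp,443,8800",
]
QUIET_DAY = ["10.10.0.5,10.20.0.11,tcp,502,1210", "10.10.0.7,10.10.0.5,tcp,443,9100"]
SUSPECT_DAY = QUIET_DAY + [
    "10.0.3.44,10.20.0.11,tcp,502,300",   # a corporate host reaching a PLC directly
    "10.0.3.44,10.20.0.12,tcp,502,300",
    "10.0.3.44,10.20.0.12,tcp,22,4100",   # and an unexpected SSH session to a PLC
    "10.0.3.44,10.20.0.12,tcp,22,4100",
]

if __name__ == "__main__":
    allow = learn_allowlist(BASELINE)
    for label, day in (("quiet day", QUIET_DAY), ("suspect day", SUSPECT_DAY)):
        unexpected, action = evaluate(allow, day)
        print(f"{label}: action={action}")
        for flow, n in unexpected.items():
            print(f"  unexpected {flow.src} -> {flow.dst} {flow.proto}/{flow.dport} x{n}")
```

An allowlist is only as good as its baseline window, so the window must be long enough to contain every legitimate periodic flow (end-of-shift reporting, scheduled backups) and must be reviewed before it is trusted; otherwise the response stage cuts the link for routine traffic. The same change-management process the chapter describes should govern additions to the allowlist, since every new approved flow is a change to the SCADA network's security profile.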
The second priority risk relates to the integrity of stored information.
Clearly all the general controls help reduce this risk. More specifically, much
of the problem stems from the large number of documents scattered over a large
number of systems with inconsistent management. This risk would be easier to
manage if all documents identified as critical to the operation of the company
were stored on a smaller pool of application and file servers, which could then
be managed appropriately using the generally applicable controls. This suggests
that an audit of critical documents is needed to identify who is responsible
for them and where they are currently located. Policies are then needed that
specify that critical documents may be created and stored only on approved
central servers, and existing documents should be transferred to those servers.
Appropriate education and training of all affected users is needed to help ensure
that these policies are followed.
The next three risks relate to the availability or integrity of the key Financial,
Procurement, and Maintenance/Production systems. The generally applicable
controls we identified should adequately address these risks once the controls are
applied to all relevant servers.
The final risk relates to the availability, integrity, and confidentiality of e-mail.
As noted in the risk assessment, this is primarily the responsibility of the parent
company's IT group, which manages the external mail gateway; only a limited
amount can be done at the local site. Applying the generally applicable
controls, particularly malicious code protection and spam and spyware
protection on client systems, will help reduce this risk. In addition,
as part of the contingency planning and incident response policies and procedures,
consideration could be given to a backup e-mail system. For security, this system
would use client systems isolated from the company intranet and connected to an
external local network service provider, providing limited e-mail capability for
critical messages should the main company intranet e-mail system be compromised.
Silver Star Mines: Implementation Plan
This analysis of possible controls is summarized in Table 15.5 , which lists
the controls identified and the priorities for their implementation. This table must
be extended to include details of the resources required, responsible personnel,
time frame, and any other comments. This plan would then be implemented, with
suitable monitoring of its progress. Its successful implementation leads then to
longer term follow-up, which should ensure that the new policies continue to be
applied appropriately and that regular reviews of the company’s security profile
occur. In time this should lead to a new cycle of risk assessment, plan development,
and follow-up.
Summary
IT security management implementation
Security controls or safeguards
IT security plan
Implementation of controls
Implementation of security plan
Security awareness and training
Monitoring risks
Maintenance
Security compliance
Change and configuration management
Incident handling
Case study: Silver Star Mines
Chapter 15 summary.
Figure 15.1 IT Security Management Controls and Implementation
Step 1: Prioritize Risks: management review of risk register.
Step 2: Respond to Risks (accept, avoid, mitigate, share): evaluate recommended control options; determine risk response; select controls; develop implementation plan; implement selected controls.
Step 3: Monitor Risks.
Figure 15.2 Technical Security Controls (mediating access by a user or process to a resource)
Support: Identification; Cryptographic Key Management; Security Administration; System Protections (least privilege, object reuse, process separation, etc.).
Prevent: Protected Communications (safe from disclosure, substitution, modification, and replay); Authentication; Authorization; Access Control Enforcement; Non-repudiation; Transaction Privacy.
Detect, Recover: Audit; Intrusion Detection and Containment; Proof of Wholeness; State Restore.
| CLASS | CONTROL FAMILY |
| Management | Planning |
| Management | Program Management |
| Management | Risk Assessment |
| Management | Security Assessment and Authorization |
| Management | System and Services Acquisition |
| Operational | Awareness and Training |
| Operational | Configuration Management |
| Operational | Contingency Planning |
| Operational | Incident Response |
| Operational | Maintenance |
| Operational | Media Protection |
| Operational | Personnel Security |
| Operational | Physical and Environmental Protection |
| Operational | System and Information Integrity |
| Technical | Access Control |
| Technical | Audit and Accountability |
| Technical | Identification and Authentication |
| Technical | System and Communications Protection |
Security Policies: Ensure that information security policies support business requirements and comply with relevant laws and regulations.
Organization of Information Security: Provide a management framework for controlling the implementation of security policies, and ensure the security of mobile devices.
Human Resource Security: Ensure that employees and contractors understand and comply with security policies. Protect the organization's interests during the process of terminating or changing employment.
Asset Management: Identify assets to be protected and define appropriate responsibilities for managing assets. Prevent unauthorized disclosure, modification, removal or destruction of information stored on media.
Access Control: Define access privileges for access to information and information processing facilities. Ensure authorized user access and prevent unauthorized user access. Hold users accountable for safeguarding their authentication information.
Cryptography: Ensure proper and effective use of cryptographic software and hardware so as to provide confidentiality, integrity, and authenticity services.
Physical and Environmental Security: Define and implement policies to secure information processing facilities and to manage physical access to secure locations and secured facilities. Prevent loss, damage, theft or compromise of assets and interruption to the organization's operations.
Operations Security: Ensure that the operation of information processing facilities conforms to security policies. Measures include protecting information and information processing facilities against malware; protecting against loss of data; recording events and generating evidence; and ensuring the integrity of operational systems to prevent exploitation of technical vulnerabilities.
Communications Security: Implement security policies to protect network equipment and facilities, and to protect information transferred within an organization and with an external entity.
System acquisition, development and maintenance: Ensure that security policies and procedures apply throughout a system's lifetime.
Supplier relationships: Ensure that agreements with suppliers meet security policy requirements. Monitor and assess compliance with security agreements.
Information security incident management: Implement an incident management capability that enables management of information security incidents, including reporting and documenting incidents and responses.
Information security continuity: Ensure that security policies address requirements for incorporation into the organization's business continuity management systems.
Compliance: Ensure that legal, statutory, regulatory or contractual obligations related to information security are met. Ensure that systems and personnel comply with the organization's security policies.
Access Control
Access Control Policy and Procedures, Account Management, Access Enforcement, Information Flow Enforcement, Separation
of Duties, Least Privilege, Unsuccessful Login Attempts, System Use Notification, Previous Logon (Access) Notification,
Concurrent Session Control, Session Lock, Permitted Actions without Identification or Authentication, Security Attributes,
Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Information Systems, User-Based
Collaboration and Information Sharing, Publicly Accessible Content
Awareness and Training
Security Awareness and Training Policy and Procedures, Security Awareness, Security Training, Security Training Records,
Contacts with Security Groups and Associations
Audit and Accountability
Audit and Accountability Policy and Procedures, Auditable Events, Content of Audit Records, Audit Storage Capacity, Response
to Audit Processing Failures, Audit Review, Analysis, and Reporting, Audit Reduction and Report Generation, Time Stamps,
Protection of Audit Information, Non-repudiation, Audit Record Retention, Audit Generation, Monitoring for Information
Disclosure, Session Audit
Security Assessment and Authorization
Security Assessment and Authorization Policies and Procedures, Security Assessments, Information System Connections, Plan of
Action and Milestones, Security Accreditation, Continuous Monitoring
Configuration Management
Configuration Management Policy and Procedures, Baseline Configuration, Configuration Change Control, Security Impact
Analysis, Access Restrictions for Change, Configuration Settings, Least Functionality, Information System Component
Inventory, Configuration Management Plan
Contingency Planning
Contingency Planning Policy and Procedures, Contingency Plan, Contingency Training, Contingency Plan Testing and Exercises,
Alternate Storage Site, Alternate Processing Site, Telecommunications Services, Information System Backup, Information
System Recovery and Reconstitution
Identification and Authentication
Identification and Authentication Policy and Procedures, Identification and Authentication (Organizational Users), Device
Identification and Authentication, Identifier Management, Authenticator Management, Authenticator Feedback, Cryptographic
Module Authentication, Identification and Authentication (Non-Organizational Users)
Incident Response
Incident Response Policy and Procedures, Incident Response Training, Incident Response Testing and Exercises, Incident
Handling, Incident Monitoring, Incident Reporting, Incident Response Assistance, Incident Response Plan
Maintenance
System Maintenance Policy and Procedures, Controlled Maintenance, Maintenance Tools, Non-Local Maintenance, Maintenance
Personnel, Timely Maintenance
Media Protection
Media Protection Policy and Procedures, Media Access, Media Marking, Media Storage, Media Transport, Media Sanitization
Physical and Environmental Protection
Physical and Environmental Protection Policy and Procedures, Physical Access Authorizations, Physical Access Control, Access
Control for Transmission Medium, Access Control for Output Devices, Monitoring Physical Access, Visitor Control, Access
Records, Power Equipment and Power Cabling, Emergency Shutoff, Emergency Power, Emergency Lighting, Fire Protection,
Temperature and Humidity Controls, Water Damage Protection, Delivery and Removal, Alternate Work Site, Location of
Information System Components, Information Leakage
Planning
Security Planning Policy and Procedures, System Security Plan, Rules of Behavior, Privacy Impact Assessment, Security-Related
Activity Planning
Personnel Security
Personnel Security Policy and Procedures, Position Categorization, Personnel Screening, Personnel Termination, Personnel
Transfer, Access Agreements, Third-Party Personnel Security, Personnel Sanctions
Risk Assessment
Risk Assessment Policy and Procedures, Security Categorization, Risk Assessment, Vulnerability Scanning
System and Services Acquisition
System and Services Acquisition Policy and Procedures, Allocation of Resources, Life Cycle Support, Acquisitions, Information
System Documentation, Software Usage Restrictions, User Installed Software, Security Engineering Principles, External
Information System Services, Developer Configuration Management, Developer Security Testing, Supply Chain Protection,
Trustworthiness, Critical Information System Components
System and Communications Protection
System and Communications Protection Policy and Procedures, Application Partitioning, Security Function Isolation,
Information in Shared Resources, Denial of Service Protection, Resource Priority, Boundary Protection, Transmission Integrity,
Transmission Confidentiality, Network Disconnect, Trusted Path, Cryptographic Key Establishment and Management, Use of
Cryptography, Public Access Protections, Collaborative Computing Devices, Transmission of Security Attributes, Public Key
Infrastructure Certificates, Mobile Code, Voice Over Internet Protocol, Secure Name/Address Resolution Service (Recursive or
Caching Resolver), Architecture and Provisioning for Name/Address Resolution Service, Session Authenticity, Fail in Known
State, Thin Nodes, Honeypots, Operating System-Independent Applications, Protection of Information at Rest, Heterogeneity,
Virtualization Techniques, Covert Channel Analysis, Information System Partitioning, Transmission Preparation Integrity, Non-
Modifiable Executable Programs
System and Information Integrity
System and Information Integrity Policy and Procedures, Flaw Remediation, Malicious Code Protection, Information System
Monitoring, Security Alerts Advisories and Directives, Security Functionality Verification, Software and Information Integrity,
Spam Protection, Information Input Restrictions, Information Input Validation, Error Handling, Information Output Handling and
Retention, Predictable Failure Prevention
Program Management
Information Security Program Plan, Senior Information Security Officer, Information Security Resources, Plan of Action and
Milestones Process, Information System Inventory, Information Security Measures of Performance, Enterprise Architecture,
Critical Infrastructure Plan, Risk Management Strategy, Security Authorization Process, Mission/Business Process Definition
Figure 15.3 Residual Risk
New or enhanced controls act in one of three ways: reduce the number of flaws or errors, reduce the magnitude of impact, or add a targeted control. What remains after they are applied is the residual risk.
Risk (Asset/Threat): Hacker attack on Internet router
Level of Risk: High
Recommended Controls:
• Disable external telnet access
• Use detailed auditing of privileged command use
• Set policy for strong admin passwords
• Set backup strategy for router configuration file
• Set change control policy for the router configuration
Priority: High
Selected Controls:
• Implement all recommended controls
• Update related procedures with training for affected staff
Required Resources:
• 3 days IT net admin time to change and verify router configuration and write policies
• 1 day of training for network administration staff
Responsible Persons: John Doe, Lead Network System Administrator, Corporate IT Support Team
Start – End Date: February 6, 2017 to February 9, 2017
Other Comments:
• Need periodic test and review of configuration and policy use
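The last row of the plan asks for periodic testing and review of the router configuration. As an added example (not code from the textbook), the following checks an IOS-style running configuration against the plan's technical controls and lists which ones are not visibly in place. Both sample configurations are constructed, the IOS-like command syntax is an assumption of the illustration, and the change-control policy is deliberately not checked because it cannot be seen in a device configuration.

```python
"""Configuration compliance check for the router controls in the plan above
(added example, not from the textbook). It reads an IOS-style running
configuration and reports which of the plan's technical controls are
visibly in place. Both sample configurations are constructed and the
command syntax is IOS-like by assumption."""
from __future__ import annotations

import re


def _top_level(config: str) -> list[str]:
    """Non-indented configuration lines (IOS nests sub-commands with spaces)."""
    return [l for l in config.splitlines() if l and not l[0].isspace()]


def _stanzas(config: str, prefix: str) -> list[list[str]]:
    """Stripped sub-command lines of every top-level stanza starting with prefix."""
    stanzas: list[list[str]] = []
    current = None
    for raw in config.splitlines():
        if raw[:1].isspace():
            if current is not None:
                current.append(raw.strip())
            continue
        current = [] if raw.startswith(prefix) else None
        if current is not None:
            stanzas.append(current)
    return stanzas


def telnet_disabled(config: str) -> bool:
    """Every vty line must restrict transport to ssh (or none). A missing
    vty stanza or transport statement is a failure, not a safe default."""
    vtys = _stanzas(config, "line vty")
    return bool(vtys) and all(
        any(l in ("transport input ssh", "transport input none") for l in v)
        for v in vtys)


def privileged_commands_audited(config: str) -> bool:
    """Privilege-15 command accounting must be sent to an AAA server so that
    every privileged command leaves a record off the box."""
    return any(re.match(r"aaa accounting commands 15 \S+ (start-stop|stop-only)", l)
               for l in _top_level(config))


def hashed_enable_secret(config: str) -> bool:
    """A hashed 'enable secret' must be present and the reversible
    'enable password' absent. Passphrase strength itself is not visible
    in the configuration and stays a policy matter."""
    top = _top_level(config)
    return (any(l.startswith("enable secret ") for l in top)
            and not any(l.startswith("enable password ") for l in top))


def config_backup_configured(config: str) -> bool:
    """An archive stanza with a backup path and a write-memory trigger, so
    each saved configuration is copied automatically."""
    return any(any(l.startswith("path ") for l in s) and "write-memory" in s
               for s in _stanzas(config, "archive"))


CHECKS = {
    "disable external telnet access": telnet_disabled,
    "audit privileged command use": privileged_commands_audited,
    "hashed enable secret, no cleartext enable password": hashed_enable_secret,
    "automatic configuration backup": config_backup_configured,
}
# The plan's change-control policy is organisational and not visible in the
# device configuration, so it is deliberately not among these checks.


def audit(config: str) -> dict[str, bool]:
    return {name: check(config) for name, check in CHECKS.items()}


def failed_controls(config: str) -> list[str]:
    return [name for name, ok in audit(config).items() if not ok]


# Constructed 'before' configuration: cleartext enable password, telnet open.
WEAK_CONFIG = """\
hostname edge-rtr
enable password Cisco123
!
line vty 0 4
 password telnet123
 login
 transport input telnet ssh
!
"""

# Constructed 'after' configuration implementing the plan's controls.
HARDENED_CONFIG = """\
hostname edge-rtr
service password-encryption
enable secret 9 $9$<hash omitted>
aaa new-model
aaa accounting commands 15 default start-stop group tacacs+
archive
 log config
  logging enable
  notify syslog
  hidekeys
 path flash:/cfg-backup
 write-memory
!
line vty 0 4
 login local
 transport input ssh
!
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "failed:", failed_controls(cfg) or "none")
```

Run against a configuration pulled on a schedule, the list of failed controls is the "periodic test" the plan calls for; an empty list for the weak configuration would mean the checks, not the router, are wrong, which is why the script carries a known-bad sample alongside the hardened one.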
| Risk (Asset/Threat) | Level of Risk | Recommended Controls | Priority | Selected Controls |
| All risks (generally applicable) | | 1. Configuration and periodic maintenance policy for servers; 2. Malicious code (spam, spyware) prevention; 3. Audit monitoring, analysis, reduction, and reporting on servers; 4. Contingency planning and incident response policies and procedures; 5. System backup and recovery procedures | 1 | 1, 2, 3, 4, 5 |
| Reliability and integrity of SCADA nodes and network | High | 1. Intrusion detection and response system | 2 | 1 |
| Integrity of stored file and database information | Extreme | 1. Audit of critical documents; 2. Document creation and storage policy; 3. User security education and training | 3 | 1, 2, 3 |
| Availability and integrity of Financial, Procurement, and Maintenance/Production Systems | High | - | - | (general controls) |
| Availability, integrity and confidentiality of e-mail | High | 1. Contingency planning: backup e-mail service | 4 | 1 |