conklin_principlesofcomputersecurity_5e_Chap003_PPT.pptx

Operational and Organizational Security

Chapter 3

Principles of Computer Security, Fifth Edition

Copyright © 2018 by McGraw-Hill Education. All rights reserved.

Objectives

Identify various operational aspects to security in your organization.

Identify various policies and procedures in your organization.

Identify the security awareness and training needs of an organization.

Understand the different types of agreements employed in negotiating security requirements.

Key Terms (1 of 2)

Acceptable use policy (AUP)

Account disablement

Account lockout

Business partnership agreement (BPA)

Due care

Due diligence

Guidelines

Incident response policy

Interconnection security agreement (ISA)

Memorandum of understanding (MOU)

Nondisclosure agreement (NDA)

Acceptable use policy (AUP) – A policy that communicates to users what specific uses of computer resources are permitted.

Account disablement – The step between the account having access and the account being removed from the system.

Account lockout – Akin to disablement, although lockout typically refers to the ability to log on. If a user mistypes their password a certain number of times, they may be forced to wait a set amount of time while their account is locked before attempting to log in again.

Business partnership agreement (BPA) – A written agreement defining the terms and conditions of a business partnership.

Due care – The degree of care that a reasonable person would exercise under similar circumstances.

Due diligence – The reasonable steps a person or entity would take in order to satisfy legal or contractual requirements—commonly used when buying or selling something of significant value.

Guidelines – Recommendations relating to a policy.

Incident response policy – Policies and procedures that outline how the organization will prepare for security incidents and respond to them when they occur.

Interconnection security agreement (ISA) – An agreement between parties to establish procedures for mutual cooperation and coordination between them with respect to security requirements associated with their joint project.

Memorandum of understanding (MOU) – A document executed between two parties that defines some form of agreement.

Nondisclosure agreement (NDA) – A standard corporate document used to explain the boundaries of company secret material.

Key Terms (2 of 2)

Policies

Procedures

Security policy

Service level agreement (SLA)

Standard operating procedure

Standards

User habits

Policies – Policies are high-level, broad statements of what the organization wants to accomplish. They are made by management when laying out the organization’s position on some issue.

Procedures – Procedures are the step-by-step instructions on how to implement policies in the organization. They describe exactly how employees are expected to act in a given situation or to accomplish a specific task.

Security policy – The security policy is a high-level statement produced by senior management that outlines both what security means to the organization and the organization’s goals for security.

Service level agreement (SLA) – An agreement between parties concerning the expected or contracted uptime associated with a system.

Standard operating procedure – Mandatory step-by-step instructions set by the organization so that, in the performance of their duties, employees will meet the stated security objectives of the firm.

Standards – Standards are mandatory elements regarding the implementation of a policy. They are accepted specifications that provide specific details on how a policy is to be enforced. Some standards are externally driven.

User habits – User habits are a front-line security tool in engaging the workforce to improve the overall security posture of an organization.

Policies, Procedures, Standards, and Guidelines (1 of 3)

Policies – high-level, broad statements of what the organization wants to accomplish

Made by management when laying out the organization’s position on some issue

Procedures – step-by-step instructions on how to implement policies in the organization

Describe exactly how employees are expected to act in a given situation or to accomplish a specific task

An important part of any organization’s approach to implementing security is the set of policies, procedures, standards, and guidelines that are established to detail what users and administrators should be doing to maintain the security of the systems and network. Collectively, these documents provide the guidance needed to determine how security will be implemented in the organization.

Policies, Procedures, Standards, and Guidelines (2 of 3)

Standards – mandatory elements regarding the implementation of a policy

Accepted specifications providing specific details on how a policy is to be enforced

Possibly externally driven

Guidelines – recommendations relating to a policy

Key term: recommendations

Not mandatory steps

Policies, Procedures, Standards, and Guidelines (3 of 3)

Four steps of the policy lifecycle

Plan (adjust) for security in your organization.

Develop the policies, procedures, and guidelines

Implement the plans.

Includes an instruction period

Monitor the implementation.

Ensure effectiveness

Evaluate the effectiveness.

Vulnerability assessment and penetration test

Just as the network itself constantly changes, the policies, procedures, standards, and guidelines should be included in living documents that are periodically evaluated and changed as necessary. The constant monitoring of the network and the periodic review of the relevant documents are part of the process that is the operational model. When applied to policies, this process results in what is known as the policy lifecycle.

A vulnerability assessment is an attempt to identify and prioritize the list of vulnerabilities within a system or network.

A penetration test is a method to check the security of a system by simulating an attack by a malicious individual to ensure the security is adequate.

Security Policies

Security policy – a high-level statement produced by senior management

Outlines both what security means to the organization and the organization’s goals for security

Main security policy broken down into additional policies covering specific topics

Should include other policies

Change management, data policies, human resources policies

Change Management Policy

Change management ensures that proper procedures are followed when modifications to the IT infrastructure are made.

Modifications prompted by a number of different events

“Management” implies that the process is controlled in some systematic way.

Change management process includes various stages:

Request change, review and approve process, examine consequences, implement change, document process

Modifications can be prompted by a number of different events, including new legislation, updated versions of software or hardware, implementation of new software or hardware, or improvements to the infrastructure.

A change management process should include various stages, including a method to request a change to the infrastructure, a review and approval process for the request, an examination of the consequences of the change, resolution (or mitigation) of any detrimental effects the change might incur, implementation of the change, and documentation of the process as it relates to the change.

Data Policies (1 of 8)

Data can be shared for the purpose of processing or storage.

Control over data is a significant issue in third-party relationships.

Who owns the data?

Data Policies (2 of 8)

Data ownership

Data requires a data owner.

Data ownership roles for all data elements need to be defined in the business.

Data ownership is a business function.

The requirements for security, privacy, retention, and other business functions must be established.

Not all data requires the same handling restrictions, but all data requires these characteristics to be defined.

This is the responsibility of the data owner.

Data Policies (3 of 8)

Unauthorized data sharing

Unauthorized data sharing can be a significant issue, and in today’s world, data has value and is frequently used for secondary purposes.

Ensuring that all parties in the relationship understand the data-sharing requirements is an important prerequisite.

Ensuring that all parties understand the security requirements of shared data is important.

Data Policies (4 of 8)

Data backup requirements involve:

Determining level of backup, restore objectives, and level of protection requirements

Can be defined by the data owner and then executed by operational IT personnel

Determining the backup responsibilities and developing the necessary operational procedures to ensure that adequate backups occur are important security elements.

Data ownership requirements include backup responsibilities.

Data Policies (5 of 8)

Classification of information

Needed because of different importance or sensitivity

Factors affecting information classification

Value to the organization, age, and laws or regulations governing protection

Most widely known classification system – U.S. government

Confidential, Secret, and Top Secret

Business classifications

Publicly Releasable, Proprietary, Company Confidential, and For Internal Use Only

A key component of IT security is the protection of the information processed and stored on the computer systems and network. Organizations deal with many different types of information, and they need to recognize that not all information is of equal importance or sensitivity. This requires classification of information into various categories, each with its own requirements for its handling.

Each policy for the classification of information should describe how it should be protected, who may have access to it, who has the authority to release it and how, and how it should be destroyed. All employees of the organization should be trained in the procedures for handling the information that they are authorized to access. Discretionary and mandatory access control techniques use classifications as a method to identify who may have access to what resources.

Data Policies (6 of 8)

Data labeling, handling, and disposal

Data labeling enables an understanding of level of protection required.

For data inside an information-processing system:

Protections should be designed into the system

Data outside the system require other means of protection.

Training ensures labeling occurs and is used and followed.

Important for users whose roles are impacted by the material

Important for proper data handling and disposal

Effective data classification programs include data labeling, which enables personnel working with the data to know whether it is sensitive and to understand the levels of protection required.

When the data is inside an information-processing system, the protections should be designed into the system. But when the data leaves this cocoon of protection, whether by printing, downloading, or copying, it becomes necessary to ensure continued protection by other means. This is where data labeling assists users in fulfilling their responsibilities.

Personnel are intimately involved in several specific tasks associated with data handling and data destruction/disposal and, if properly trained, can act as a security control. Untrained or inadequately trained personnel will not be a productive security control and, in fact, can be a source of potential compromise.

Data Policies (7 of 8)

Need to know goes hand-in-hand with least privilege.

Guiding factor is that:

Each individual supplied absolute minimum amount of information and privileges needed to perform work

Access requires justified need to know.

Policy should spell out these two principles:

Who in the organization can grant access to information

Who can assign privileges to employees

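The classification slide above notes that mandatory access control uses classifications to decide who may access what, and the need-to-know slide adds that access also requires a justified need to know. The following is a constructed Python example added here (it is not code from the textbook or its publisher) that combines the two into a single check: a subject's clearance level must be at least the document's classification level, and the clearance must cover every need-to-know compartment carried by the document. The "Unclassified" floor below the Confidential/Secret/Top Secret ladder, the compartment names, the marking format and all user and document names are assumptions made for the demo.

```python
"""Added example (not from the textbook): classification plus need-to-know as
one access decision. Ladder, compartments and names are constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Ordered ladder. The slides name Confidential, Secret and Top Secret;
# "Unclassified" is added here as the floor for releasable material (assumption).
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset[str] = frozenset()  # need-to-know categories


@dataclass
class Document:
    title: str
    label: Label


@dataclass
class Subject:
    name: str
    clearance: Label


def dominates(clearance: Label, classification: Label) -> bool:
    """A clearance dominates a classification when its level is at least as
    high and it includes every need-to-know compartment on the object."""
    return (RANK[clearance.level] >= RANK[classification.level]
            and classification.compartments <= clearance.compartments)


def may_read(subject: Subject, doc: Document) -> bool:
    """Mandatory check: clearance must dominate the document's label."""
    return dominates(subject.clearance, doc.label)


def readable_titles(subject: Subject, docs: list[Document]) -> list[str]:
    """Least privilege in practice: the subject sees only what the label allows."""
    return [d.title for d in docs if may_read(subject, d)]


def marking(doc: Document) -> str:
    """Label text to stamp on a printout or export, so the classification
    travels with the data once it leaves the system (format is an assumption)."""
    return "//".join([doc.label.level.upper()] + sorted(doc.label.compartments))


if __name__ == "__main__":
    # Constructed sample: a Secret HR document and two subjects.
    review = Document("salary review", Label("Secret", frozenset({"HR"})))
    release = Document("press release", Label("Unclassified"))
    alice = Subject("alice", Label("Secret", frozenset({"HR"})))
    bob = Subject("bob", Label("Top Secret"))  # higher level, no HR need to know
    print(readable_titles(alice, [review, release]))  # both titles
    print(readable_titles(bob, [review, release]))    # only the press release
    print(marking(review))                            # SECRET//HR
```

The point the example makes is that a higher clearance level alone is not sufficient: `bob` holds Top Secret but is still denied the HR document because he lacks the compartment, which is exactly the need-to-know rule layered on top of the classification ladder.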

Data Policies (8 of 8)

Disposal and destruction policy

Important papers should be shredded.

Delete all files and overwrite data on magnetic storage media before discarding.

Destroy data magnetically using a strong magnetic field to degauss the media.

File off magnetic material from the surface of a hard drive platter.

Shred floppy media, CDs and DVDs.

Best practice is to match the action to the risk level.

Many potential intruders have learned the value of dumpster diving. An organization must be concerned about not only paper trash and discarded objects, but also the information stored on discarded objects such as computers. Several government organizations have been embarrassed when old computers sold to salvagers proved to contain sensitive documents on their hard drives. It is critical for every organization to have a strong disposal and destruction policy and related procedures.

Password and Account Policies (1 of 4)

Average user has 20 passwords

Password complexity should include

Minimum length

Uppercase

Lowercase

Numerals

Non-alphabetic characters

Password and Account Policies (2 of 4)

Account expiration

Should occur when a user is no longer authorized on a given system

Manager should notify Human Resources (HR)

Account recovery

Loss of account access can be serious, especially if an administrator password is lost

Need a recovery plan

Password and Account Policies (3 of 4)

Account disablement

Preferable to removal because removal might result in permission and ownership problems

Account lockout

Temporary disablement (e.g., if user tries to log on too many times)

Password history

Should prevent users from reusing prior passwords

Password and Account Policies (4 of 4)

Password reuse

Not a good idea

Password length

At least 10 characters, with 12 preferable

Protection of Passwords

Should prevent users from writing down or sharing

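The four "Password and Account Policies" slides above list rules (complexity, minimum length, password history, lockout, disablement as distinct from removal) without showing how a system enforces them. The following is a constructed Python example added here, not code from the textbook or its publisher, that implements those rules as a small enforcement layer. The 12-character minimum comes from the slides; the lockout threshold, the lockout window, the history depth, the PBKDF2 work factor and all function and field names are assumptions chosen for the demo.

```python
"""Added example (not from the textbook or its slides): enforcement of the
password and account rules the slides list. Values other than the
12-character minimum are assumptions chosen for the demo."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

MIN_LENGTH = 12            # slides: at least 10 characters, 12 preferable
LOCKOUT_THRESHOLD = 5      # assumed: failed logins before lockout
LOCKOUT_SECONDS = 15 * 60  # assumed: failure window and lock duration
HISTORY_DEPTH = 10         # assumed: prior passwords kept to block reuse
PBKDF2_ROUNDS = 100_000    # assumed: work factor for the password hash


def complexity_failures(password: str) -> list[str]:
    """Return the complexity rules the password violates (empty list = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no numeral")
    if not any(not c.isalnum() for c in password):
        failures.append("no non-alphanumeric character")
    return failures


@dataclass
class Account:
    username: str
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash), newest last
    failures: list[float] = field(default_factory=list)  # timestamps of failed logins
    disabled: bool = False  # disablement keeps the account (and its ownership) but blocks logon


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def was_used_before(account: Account, password: str) -> bool:
    """Password history: true if the candidate matches any remembered hash."""
    return any(hmac.compare_digest(_hash(password, salt), digest)
               for salt, digest in account.history)


def set_password(account: Account, password: str) -> list[str]:
    """Apply complexity and reuse rules; record the new hash if accepted.
    Returns the reasons for rejection (empty list means the change was accepted)."""
    reasons = complexity_failures(password)
    if was_used_before(account, password):
        reasons.append("password was used before")
    if reasons:
        return reasons
    salt = os.urandom(16)
    account.history.append((salt, _hash(password, salt)))
    del account.history[:-HISTORY_DEPTH]  # forget entries beyond the history depth
    account.failures.clear()
    return []


def verify_password(account: Account, password: str) -> bool:
    if not account.history:
        return False
    salt, digest = account.history[-1]  # the current password is the newest entry
    return hmac.compare_digest(_hash(password, salt), digest)


def is_locked(account: Account, now: float) -> bool:
    """Lockout: too many failures inside the window blocks logon until it passes."""
    recent = [t for t in account.failures if now - t < LOCKOUT_SECONDS]
    return len(recent) >= LOCKOUT_THRESHOLD


def attempt_login(account: Account, password: str, now: float) -> str:
    """Return 'disabled', 'locked', 'ok' or 'bad-password'."""
    if account.disabled:
        return "disabled"  # stays until an administrator re-enables the account
    if is_locked(account, now):
        return "locked"  # temporary; expires when the window passes
    if verify_password(account, password):
        account.failures.clear()  # a good login resets the counter
        return "ok"
    account.failures.append(now)
    return "bad-password"


if __name__ == "__main__":
    acct = Account("alice")  # constructed sample account
    print(set_password(acct, "Correct-Horse-9Battery"))  # [] -> accepted
    for t in range(LOCKOUT_THRESHOLD):
        attempt_login(acct, "guess", float(t))
    print(attempt_login(acct, "Correct-Horse-9Battery", 5.0))  # locked
```

Two design points worth noting: the history stores salted hashes rather than the old passwords themselves, so a reuse check never requires keeping plaintext, and lockout is evaluated from timestamps inside a sliding window, which is what makes it temporary and distinguishes it from disablement, which only an administrator clears.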

Human Resources Policies (1 of 14)

Humans are the weakest link in security chain.

Three policies are needed:

Policy for hiring of individuals

Policy to keep employees from “disgruntled” category

Policy to address employees leaving organization

Security must be considered in all policies.

Human Resources Policies (2 of 14)

Code of ethics

Describes expected behavior at highest level

Sets tone for how employees act and conduct business

Code inclusions

Demand honesty from employees

Demand employees perform all activities in a professional manner

Address principles of privacy and confidentiality

State how employees treat client and organizational data

Cover how to handle conflicts of interests

By outlining a code of ethics, the organization can encourage an environment that is conducive to integrity and high ethical standards. For additional ideas on possible codes of ethics, check professional organizations such as the Institute for Electrical and Electronics Engineers (IEEE), the Association for Computing Machinery (ACM), or the Information Systems Security Association (ISSA).

Human Resources Policies (3 of 14)

Job rotation

By rotating jobs, individuals get a better perspective on how various parts of IT can enhance or hinder the business

Rotating individuals through security positions can result in a much wider understanding throughout the organization about potential security problems.

A benefit is that the company does not have to rely on any one individual too heavily for security expertise.

Separation of duties – no individual can conduct transactions alone

Benefit of job rotation:

If all security tasks are the domain of one employee, and that individual leaves suddenly, security at the organization could suffer. On the other hand, if security tasks are understood by many different individuals, the loss of any one individual has less of an impact on the organization.

Human Resources Policies (4 of 14)

Employee hiring and promotions

Policies should ensure organization hires the most capable and trustworthy employees.

Policies should minimize the risk that the employee will ignore company rules and affect security.

Periodic reviews by supervisory personnel, additional drug checks, and monitoring of activity during work

Policy should handle employee’s status change.

Especially if construed as negative

If employee promoted, privileges may still change

It is becoming common for organizations to run background checks on prospective employees and to check the references prospective employees supply. Frequently, organizations require drug testing, check for any past criminal activity, verify claimed educational credentials, and confirm reported work history. For highly sensitive environments, special security background investigations can also be required.

If the change can be construed as a negative personnel action (such as a demotion), supervisors should be alerted to watch for changes in behavior that might indicate the employee is contemplating or conducting unauthorized activity. It is likely that the employee will be upset, and whether he acts on this to the detriment of the company is something that needs to be guarded against. In the case of a demotion, the individual may also lose certain privileges or access rights, and these changes should be made quickly so as to lessen the likelihood that the employee will destroy previously accessible data if he becomes disgruntled and decides to take revenge on the organization.

If the employee is promoted, privileges may still change, but the need to make the change to access privileges may not be as urgent, though it should still be accomplished as quickly as possible. If the move is a lateral one, changes may also need to take place, and again they should be accomplished as quickly as possible.

Human Resources Policies (5 of 14)

Retirement, separation, or termination of an employee

Employee announced retirements – limit access to sensitive documents when employee announces their intention.

Forced retirement – determine risk if employee becomes disgruntled.

New job offer – carefully consider continued access to sensitive information.

Termination – assume he is or will become disgruntled.

An employee leaving an organization can be either a positive or a negative action.

Combinations should be quickly changed once an employee has been informed of their termination. Access cards, keys, and badges should be collected; the employee should be escorted to her desk and watched as she packs personal belongings; and then she should be escorted from the building.

Note: It is better to give a potentially disgruntled employee several weeks of paid vacation than to have him trash sensitive files to which he has access. Because employees typically know the pattern of management behavior with respect to termination, doing the right thing will pay dividends in the future for a firm.

Human Resources Policies (6 of 14)

Exit interviews are a powerful tool for collecting information when people leave a firm

On-boarding/off-boarding business partners

Agreements tend to be fairly specific about the terms that set mutual expectations for the business process.

Important considerations prior to the establishment of the relationship include:

On-boarding and off-boarding processes

Data retention and destruction by the third party

Just as it is important to manage the on- and off-boarding processes of company personnel, it is important to consider the same types of elements when making arrangements with third parties. Agreements with business partners tend to be fairly specific about the terms that set mutual expectations for the business process. Considerations regarding the on-boarding and off-boarding processes are important, especially the off-boarding. When a contract arrangement with a third party comes to an end, issues as to data retention and destruction by the third party need to be addressed. These considerations need to be made prior to the establishment of the relationship, not added at the time that it is coming to an end.

Note: On-boarding and off-boarding business procedures should be well documented to ensure compliance with legal requirements.

Human Resources Policies (7 of 14)

Adverse reactions

How to deal with employees who violate policies

Mandatory vacations

Employee who never takes time off might be involved in nefarious activity.

Requiring mandatory vacations serves as a security protection mechanism.

Tool to detect fraud

Necessity of a second person familiar with security procedures to fill in while employee on vacation

Organizations have provided vacation time to their employees for many years. Few, however, force employees to take this time if they don’t want to. From a security standpoint, an employee who never takes time off might be involved in nefarious activity, such as fraud or embezzlement, and might be afraid that if he leaves on vacation, the organization will discover his illicit activities. As a result, requiring employees to use their vacation time through a policy of mandatory vacations can be a security protection mechanism. Using mandatory vacations as a tool to detect fraud will require that somebody else also be trained in the functions of the employee who is on vacation. Having a second person familiar with security procedures is also a good policy in case something happens to the primary employee.

Human Resources Policies (8 of 14)

Social media networks

Considered a form of third party

Challenge of terms of use as there is no negotiated set of agreements with respect to requirements

Only option is to adopt provided terms of service

The rise of social media networks has changed many aspects of business. Whether used for marketing, communications, customer relations, or some other purpose, social media networks can be considered a form of third party. One of the challenges in working with social media networks and/or applications is their terms of use. While a relationship with a typical third party involves a negotiated set of agreements with respect to requirements, there is no negotiation with social media networks. The only option is to adopt their terms of service, so it is important to understand the implications of these terms with respect to the business use of the social network.

Human Resources Policies (9 of 14)

Acceptable use policy (AUP)

AUP outlines what the organization considers to be the appropriate use of company resources, such as computer systems, e-mail, Internet access, and networks.

Goal is to ensure employee productivity while limiting organizational liability through inappropriate use of the organization’s assets.

Policy clearly delineates what activities are not allowed.

It states if the organization considers it appropriate to monitor the employees’ use of the systems and network.

The AUP should clearly delineate what activities are not allowed. It should address issues such as the use of resources to conduct personal business, installation of hardware or software, remote access to systems and networks, the copying of company-owned software, and the responsibility of users to protect company assets, including data, software, and hardware. Statements regarding possible penalties for ignoring any of the policies (such as termination) should also be included.

Related to appropriate use of the organization’s computer systems and networks by employees is the appropriate use by the organization. The most important of such issues is whether the organization considers it appropriate to monitor the employees’ use of the systems and network.

If monitoring is considered appropriate, the organization should include a statement to this effect in the banner that appears at login. This repeatedly warns employees, and possible intruders, that their actions are subject to monitoring and that any misuse of the system will not be tolerated. Should the organization need to use in a civil or criminal case any information gathered during monitoring, the issue of whether the employee had an expectation of privacy, or whether it was even legal for the organization to be monitoring, is simplified if the organization can point to a statement that is always displayed that instructs users that use of the system constitutes consent to monitoring. Before any monitoring is conducted, or the actual wording on the warning message is created, the organization’s legal counsel should be consulted to determine the appropriate way to address this issue in the particular jurisdiction.

Human Resources Policies (10 of 14)

Internet usage policy

Goal: to ensure maximum employee productivity and to limit potential liability to the organization from inappropriate use of the Internet in a workplace

Address what sites employees are allowed and not allowed to visit

Spell out the acceptable use parameters

Describe the circumstances under which an employee is allowed to post something from the organization’s network on the Web

Need procedure to post the object or message

The Internet provides a tremendous temptation for employees to waste hours as they surf the Web for the scores of games from the previous night, conduct quick online stock transactions, or read the review of the latest blockbuster movie everyone is talking about. In addition, allowing employees to visit sites that may be considered offensive to others (such as pornographic or hate sites) can open the company to accusations of condoning a hostile work environment and result in legal liability.

Human Resources Policies (11 of 14)

E-mail usage policy

Specifies what the company allows employees to send in, or as attachments to, e-mail messages

Spells out whether nonwork e-mail traffic allowed

Describes type of message considered inappropriate to send

Specifies disclaimers that must be attached to an employee’s message sent to an individual outside the company

Reminds employees of the risks of clicking on links in e-mails, or opening attachments

This policy should spell out whether nonwork e-mail traffic is allowed at all or is at least severely restricted. It needs to cover the type of message that would be considered inappropriate to send to other employees (for example, no offensive language, no sex-related or ethnic jokes, no harassment, and so on). The policy should also specify any disclaimers that must be attached to an employee’s message sent to an individual outside the company. The policy should remind employees of the risks of clicking on links in e-mails, or opening attachments, as these can be social engineering attacks.

Human Resources Policies (12 of 14)

Clean desk policy

Specifies that sensitive information must not be left unsecured in the work area when the worker is not present to act as custodian

Identifies and prohibits things that are not obvious upon first glance, such as passwords on sticky notes under keyboards and mouse pads or in unsecured desk drawers

Training for clean desk activities should make the issue a personal one

Preventing access to information is also important in the work area. Even leaving the desk area and going to the bathroom can leave information exposed and subject to compromise.

All of these elements that demonstrate the need for a clean desk are lost if employees do not make them personal. Training for clean desk activities needs to make the issue a personal one, where consequences are understood and the workplace reinforces the positive activity.

Human Resources Policies (13 of 14)

Bring your own device (BYOD) policy

Primary purpose

Lower risk associated with connecting a wide array of personal devices to a company’s network and accessing sensitive data on them.

Central element of a BYOD policy

Security, in the form of risk management

Device requirements

Must be maintained in a current, up-to-date software posture, and with certain security features

Everyone seems to have a smartphone, a tablet, or other personal Internet device that they use in their personal lives. Bringing these to work is a natural extension of one’s normal activities, but this raises the question of what policies are appropriate before a firm allows these devices to connect to the corporate network and access company data. Like all other policies, planning is needed to define the appropriate pathway to the company objectives. Personal devices offer cost savings and positive user acceptance, and in many cases these factors make allowing BYOD a sensible decision.

Devices need to be maintained in a current, up-to-date software posture, and with certain security features, such as screen locks and passwords enabled. Remote wipe and other features should be enabled, and highly sensitive data, especially in aggregate, should not be allowed on the devices. Users should have specific training as to what is allowed and what isn’t and should be made aware of the increased responsibility associated with a mobile means of accessing corporate resources.

In some cases it may be necessary to define a policy associated with personally owned devices. This policy will describe the rules and regulations associated with use of personally owned devices with respect to corporate data, network connectivity, and security risks.


Human Resources Policies (14 of 14)

Privacy policy

Explains guiding principles in guarding personal data to which organizations are given access

Personally identifiable information (PII)

Includes any data that can be used to uniquely identify an individual

Name, address, driver’s license number, and other details

Necessary measures taken by company

Ensure data is protected from compromise


Customers place an enormous amount of trust in organizations to which they provide personal information. These customers expect their information to be kept secure so that unauthorized individuals will not gain access to it and so that authorized users will not use the information in unintended ways.


Due Care and Due Diligence

Due care generally refers to the standard of care a reasonable person is expected to exercise in all situations.

Due diligence generally refers to the standard of care a business is expected to exercise in preparation for a business transaction.

The standard applied—reasonableness—is extremely subjective and often is determined by a jury.

Many sectors have a set of “security best practices.”


Note: Due diligence is the application of a specific standard of care. Due care is the degree of care that an ordinary person would exercise.

An organization must take reasonable precautions before entering a business transaction or it might be found to have acted irresponsibly. In terms of security, organizations are expected to take reasonable precautions to protect the information that they maintain on individuals. Should a person suffer a loss as a result of negligence on the part of an organization in terms of its security, that person typically can bring a legal suit against the organization.

The organization will need to show that it had taken reasonable precautions to protect the information, and that, despite these precautions, an unforeseen security event occurred that caused the injury to the other party. Since this is so subjective, it is hard to describe what would be considered reasonable, but many sectors have a set of “security best practices” for their industry, which provides a basis for organizations in that sector to start from. If the organization decides not to follow any of the best practices accepted by the industry, it needs to be prepared to justify its reasons in court should an incident occur. If the sector the organization is in has regulatory requirements, justifying why the mandated security practices were not followed will be much more difficult (if not impossible).


Due Process

Due process is concerned with guaranteeing fundamental fairness, justice, and liberty in relation to an individual’s legal rights.

Individual’s rights outlined by Constitution and Bill of Rights

Procedural due process is built on the concept of fairness.

Courts recognize series of rights embodied by the Constitution.

Organizational due process occurs in administrative actions adversely affecting employees.


Of interest is the recognition by courts of a series of rights that are not explicitly specified by the Constitution but that the courts have decided are implicit in the concepts embodied by the Constitution. An example of this is an individual’s right to privacy.

From an organization’s point of view, due process may come into play during an administrative action that adversely affects an employee. Before an employee is terminated, for example, were all of the employee’s rights protected? An actual example pertains to the rights of privacy regarding employees’ e-mail messages.

As the number of cases involving employers examining employee e-mails grows, case law continues to be established and the courts eventually will settle on what rights an employee can expect. The best thing an employer can do if faced with this sort of situation is to work closely with HR staff to ensure that appropriate policies are followed and that those policies are in keeping with current laws and regulations.


Incident Response Policies and Procedures

Incident response policy and associated procedures

Developed to outline how the organization will prepare for security incidents and respond to them when they occur

Designed in advance

Should cover five phases:

Preparation, detection, containment and eradication, recovery, and follow-up actions


No matter how careful an organization is, eventually a security incident of some sort will occur. When it happens, how effectively the organization responds to it will depend greatly on how prepared it is to handle incidents.


Security Awareness and Training

Programs enhance an organization’s security posture.

Teach personnel how to follow the correct set of actions to perform their duties in a secure manner

Make personnel aware of the indicators and effects of social engineering attacks

Properly trained employees perform duties in a more effective manner.

Security awareness programs and campaigns include:

Seminars, videos, posters, newsletters, similar materials

Fairly easy to implement and not very costly


Properly trained employees are able to perform their duties in a more effective manner, including their duties associated with information security. The extent of information security training will vary depending on the organization’s environment and the level of threat, but initial employee security training at the time of being hired is important, as is periodic refresher training. A strong security education and awareness training program can go a long way toward reducing the chance that a social engineering attack will be successful.


Security Policy Training and Procedures

Personnel need training in the tasks they are expected to perform and in the expectations placed on them, particularly for complex tasks.

Applies to security policy and operational security details

Use refresher training for periodic reinforcement.

Collection of policies should paint a picture describing the desired security culture of the organization.

Security policy – high-level directive

Second-level policies – password, access, information handling, and acceptable use policies


If employees are going to be expected to comply with the organization’s security policy, they must be properly trained in its purpose, meaning, and objectives. Training with respect to the information security policy, individual responsibilities, and expectations is something that requires periodic reinforcement through refresher training.

Because the security policy is a high-level directive that sets the overall support and executive direction with respect to security, it is important that the meaning of this message be translated and supported. Second-level policies such as password, access, information handling, and acceptable use policies also need to be covered. The collection of policies should paint a picture describing the desired security culture of the organization. The training should be designed to ensure that people see and understand the whole picture, not just the elements.


Role-based Training

Training needs to be targeted to the user with regard to their role in the subject of the training.

Role-based training is an important part of information security training.

Applies to:

Data owner

System administrator

System owner

User

Privileged user

Executive user


If a person has job responsibilities that may impact information security, then role-specific training is needed to ensure that the individual understands the responsibilities as they relate to information security. Some roles, such as system administrator or developer, have clearly defined information security responsibilities. The roles of others, such as project manager or purchasing manager, have information security impacts that are less obvious, but these roles require training as well. In fact, the less-obvious but wider-impact roles of middle management can have a large effect on the information security culture, and thus if a specific outcome is desired, it requires training.


Compliance with Laws, Best Practices, and Standards (1 of 2)

Wide array of laws, regulations, contractual requirements, standards, and best practices associated with information security.

Organization must build them into their own policies and procedures.


There is a wide array of laws, regulations, contractual requirements, standards, and best practices associated with information security. Each places its own set of requirements upon an organization and its personnel. The only effective way for an organization to address these requirements is to build them into their own policies and procedures. Training to one’s own policies and procedures would then translate into coverage of these external requirements.


Compliance with Laws, Best Practices, and Standards (2 of 2)

External requirements impart a specific training and awareness component upon the organization.

Examples: Payment Card Industry Data Security Standard (PCI DSS), Gramm-Leach-Bliley Act (GLBA), and Health Insurance Portability and Accountability Act (HIPAA)


User Habits

User habits are a front-line security tool in engaging the workforce to improve the overall security posture of an organization.

Individual user responsibilities vary between organizations and the type of business in which each organization is involved.

There are certain very basic responsibilities that all users should be instructed to adopt.


Basic responsibilities:

Lock the door to your office or workspace, including drawers and cabinets.

Do not leave sensitive information inside your car unprotected.

Secure storage media containing sensitive information in a secure storage device.

Shred paper containing organizational information before discarding it.

Do not divulge sensitive information to individuals (including other employees) who do not have an authorized need to know it. Do not discuss sensitive information with family members. (The most common violation of this rule occurs in regard to HR information, as employees, especially supervisors, may complain to their spouse or friends about other employees or about problems that are occurring at work.)

Protect laptops and other mobile devices that contain sensitive or important organization information wherever the device may be stored or left. (It’s a good idea to ensure that sensitive information is encrypted on the laptop or mobile device so that, should the equipment be lost or stolen, the information remains safe.)

Be aware of who is around you when discussing sensitive corporate information. Does everybody within earshot have the need to hear this information? Enforce corporate access control procedures. Be alert to, and do not allow, piggybacking, shoulder surfing, or access without the proper credentials.

Be aware of the correct procedures to report suspected or actual violations of security policies.

Follow procedures established to enforce good password security practices. Passwords are such a critical element that they are frequently the ultimate target of a social engineering attack. Though such password procedures may seem too oppressive or strict, they are often the best line of defense.


Training Metrics and Compliance

Requirements for maintaining a trained workforce

Record-keeping system measuring compliance with attendance and the effectiveness of the training

Follow up and gather training metrics

Challenges

Maintaining an active record of who has been trained and when retraining is due

Monitoring the effectiveness of the training; measuring effectiveness by actual impact on employee behavior

Standard operating procedures

Mandatory step-by-step instructions


Interoperability Agreements (1 of 5)

Many business operations involve actions between many different parties.

Actions require communication between the parties.

Define the responsibilities and expectations of the parties

Define business objectives

Define environment within which the objectives will be pursued

Written agreements are used to ensure that the terms are understood by all parties.


Numerous forms of legal agreements and contracts are used in business, but with respect to security, some of the most common ones are the service level agreement, business partnership agreement, memorandum of understanding, and interconnection security agreement.


Interoperability Agreements (2 of 5)

Service level agreements (SLA)

Contractual agreements between entities that describe specified levels of service that the servicing entity agrees to guarantee for the customer

SLA rules

Describe the entire set of product or service functions in sufficient detail that the requirements are unambiguous

Provide a clear means of determining whether a specified function or service has been provided at the agreed-upon level of performance


SLAs essentially set the requisite level of performance of a given contractual service. SLAs are typically included as part of a service contract and set the level of technical expectations. An SLA can define specific services, the performance level associated with a service, issue management and resolution, and so on. SLAs are negotiated between customer and supplier and represent the agreed-upon terms. An organization contracting with a service provider should remember to include in the agreement a section describing the service provider’s responsibility in terms of business continuity and disaster recovery. The provider’s backup plans and processes for restoring lost data should also be clearly described.


Interoperability Agreements (3 of 5)

Business partnership agreement (BPA)

Legal agreement between partners establishing the terms, conditions, and expectations of the relationship between the partners

Sharing of profits and losses, the responsibilities of each partner, the addition or removal of partners, and any other issues

Uniform Partnership Act (UPA)

Lays out a uniform set of rules for partnerships, used to resolve any partnership terms the BPA does not address

Designed as “one size fits all”


Interoperability Agreements (4 of 5)

Memorandum of understanding (MOU)

Legal document used to describe a bilateral agreement between parties

Written agreement expressing a set of intended actions between the parties with respect to some common pursuit or goal

More formal and detailed than a simple handshake

Generally lacks the binding powers of a contract

Common to find between different units within an organization to detail expectations associated with the common business interest


Interoperability Agreements (5 of 5)

Interconnection security agreement (ISA)

Specialized agreements between organizations that have interconnected IT systems

Purpose is to document the security requirements associated with the interconnection.

ISA as part of an MOU

ISA can detail specific technical security aspects of a data interconnection.

Nondisclosure Agreements (NDAs) – explain the boundaries of corporate secret material


The Security Perimeter (1 of 5)

Various network components

Connection to the Internet

Protection, such as a firewall, is attached to it.

Intrusion detection system (IDS)

May be either on the inside or the outside of the firewall or both

Specific location depends on the company and what it is more concerned about preventing

Router

Enhances security


Note: The security perimeter, with its several layers of security, along with additional security mechanisms that may be implemented on each system (such as user IDs/passwords), creates what is sometimes known as defense-in-depth. This implies that security is enhanced when there are multiple layers of security (the depth) through which an attacker would have to penetrate to reach the desired goal.
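The slide says the IDS may sit outside the firewall, inside it, or both, and that the choice depends on what the organization wants to see. The following Python script is an added example, not code from the textbook or its publisher: it models a default-deny perimeter filter and a small signature-based sensor, then runs the same constructed traffic sample through a sensor placed on each side of the filter. Every address, rule, signature and packet in it is invented for the demonstration.

```python
"""Added example (not from the textbook): toy perimeter firewall plus a
signature IDS, used to show how sensor placement changes what is detected.
All hosts, rules, signatures and packets below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str       # source IP (constructed, documentation ranges)
    dst: str       # destination IP inside the perimeter
    dport: int     # destination TCP port
    payload: bytes # first bytes of application data


# Perimeter policy: default deny; only published DMZ services are reachable.
# (hypothetical allow list: web on 10.0.1.10, mail on 10.0.1.20)
FIREWALL_ALLOW = {("10.0.1.10", 80), ("10.0.1.10", 443), ("10.0.1.20", 25)}


def firewall_permits(pkt: Packet) -> bool:
    """Stateless ingress filter: permit only (dst, dport) pairs on the allow list."""
    return (pkt.dst, pkt.dport) in FIREWALL_ALLOW


# IDS signatures as (name, predicate). Deliberately simple; real sensors
# reassemble streams and decode protocols before matching.
SIGNATURES = [
    ("telnet-probe", lambda p: p.dport == 23),
    ("smb-probe", lambda p: p.dport == 445),
    ("http-path-traversal", lambda p: p.dport == 80 and b"../" in p.payload),
    ("smtp-vrfy", lambda p: p.dport == 25 and p.payload.upper().startswith(b"VRFY")),
]


def ids_alerts(packets):
    """Return a list of (signature_name, src) for every packet matching a signature."""
    alerts = []
    for p in packets:
        for name, matches in SIGNATURES:
            if matches(p):
                alerts.append((name, p.src))
    return alerts


def run_perimeter(packets):
    """Run traffic through: outside sensor -> firewall -> inside sensor.

    The outside sensor sees everything that arrives at the perimeter, including
    probes the firewall will drop. The inside sensor sees only what the firewall
    let through, so each of its alerts concerns a host that was actually reached.
    """
    outside = ids_alerts(packets)
    passed = [p for p in packets if firewall_permits(p)]
    dropped = [p for p in packets if not firewall_permits(p)]
    inside = ids_alerts(passed)
    return {"outside_alerts": outside, "inside_alerts": inside,
            "passed": passed, "dropped": dropped}


# Constructed traffic sample: normal web and TLS, a path-traversal attempt,
# two port probes against closed services, and an SMTP user-enumeration attempt.
SAMPLE_TRAFFIC = [
    Packet("203.0.113.5", "10.0.1.10", 80, b"GET /index.html HTTP/1.1"),
    Packet("203.0.113.5", "10.0.1.10", 80, b"GET /../../etc/passwd HTTP/1.1"),
    Packet("198.51.100.7", "10.0.1.10", 23, b""),
    Packet("198.51.100.7", "10.0.1.30", 445, b""),
    Packet("192.0.2.9", "10.0.1.20", 25, b"VRFY root"),
    Packet("192.0.2.9", "10.0.1.10", 443, b"\x16\x03\x01"),
]


if __name__ == "__main__":
    result = run_perimeter(SAMPLE_TRAFFIC)
    print("outside sensor:", result["outside_alerts"])
    print("dropped by firewall:", [(p.dst, p.dport) for p in result["dropped"]])
    print("inside sensor: ", result["inside_alerts"])
```

With this sample the outside sensor raises four alerts (the traversal attempt, the telnet and SMB probes, and the VRFY) while the inside sensor raises two, because the firewall dropped both probes before they reached a host. An organization that wants to measure reconnaissance against its perimeter places a sensor outside; one that wants every alert to mean a host was actually touched places it inside; placing sensors on both sides, with the firewall between them, is the layered arrangement the note above calls defense-in-depth.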


The Security Perimeter (2 of 5)

Figure 3.1 Basic diagram of an organization’s network


If the average administrator were asked to draw a diagram depicting the various components of their network, the diagram would probably look something like Figure 3.1.

A very simple depiction—an actual network can have numerous subnets and extranets as well as wireless access points—but the basic components are present. Beyond this security perimeter is the corporate network.


The Security Perimeter (3 of 5)

Additional possible access points into the network

Public switched telephone network (PSTN) and wireless access points

Authorized modems or wireless networks

Potential exists for unauthorized versions of both

Voice over IP (VoIP)

Eliminates the traditional land lines in an organization and replaces them with special telephones that connect to the IP data network

Insider seen as biggest danger to any organization


Most experts will agree that the biggest danger to any organization does not come from external attacks but rather from the insider—a disgruntled employee or somebody else who has physical access to the facility. Given physical access to an office, the knowledgeable attacker will quickly find the information needed to gain access to the organization’s computer systems and network. Consequently, every organization also needs security policies, procedures, and guidelines that cover physical security, and every security administrator should be concerned with these as well. While physical security (which can include such things as locks, cameras, guards and entry points, alarm systems, and physical barriers) will probably not fall under the purview of the security administrator, the operational state of the organization’s physical security measures is just as important as many of the other network-centric measures.

Note: An increasing number of organizations are implementing VoIP solutions to bring the telephone and computer networks together. While there are some tremendous advantages to doing this in terms of both increased capabilities and potential monetary savings, bringing the two networks together may also introduce additional security concerns. Another common method to access organizational networks today is through wireless access points. These may be provided by the organization itself to enhance productivity, or they may be attached to the network by users without organizational approval. The impact of all of these additional methods that can be used to access a network is to increase the complexity of the security problem.


The Security Perimeter (4 of 5)

Figure 3.2 A more complete diagram of an organization’s network


The Security Perimeter (5 of 5)

Physical security

Consists of all mechanisms used to ensure that physical access to the computer systems and networks is restricted to only authorized users

Additional physical security mechanisms

May be used to provide increased protection for especially sensitive systems, such as servers and devices such as routers, firewalls, and intrusion detection systems

Consider access from all six sides

Examine the security of the obvious points of entry (doors and windows)

Examine the walls themselves, as well as the floor and ceiling


Questions such as the following should be addressed:

Is there a false ceiling with tiles that can be easily removed?

Do the walls extend to the actual ceiling or only to a false ceiling?

Is there a raised floor?

Do the walls extend to the actual floor, or do they stop at a raised floor?

How are important systems situated?

Do the monitors face away from windows, or could the activity of somebody at a system be monitored?

Who has access to the facility?

What type of access control is there, and are there any guards?

Who is allowed unsupervised access to the facility?

Is there an alarm system or security camera that covers the area?

What procedures govern the monitoring of the alarm system or security camera and the response should unauthorized activity be detected?


Chapter Summary

Identify various operational aspects to security in your organization.

Identify various policies and procedures in your organization.

Identify the security awareness and training needs of an organization.

Understand the different types of agreements employed in negotiating security requirements.
