ITC358 ICT Management and Information Security
Chapter 2
Planning for Security
You got to be careful if you don’t know where you’re going,
because you might not get there. – Yogi Berra
Objectives
Upon completion of this material, you should be able to:
Identify the roles in organisations that are active in the planning process
Explain the principal components of information security system implementation planning in the organisational planning scheme
Differentiate between strategic organisational InfoSec and specialised contingency planning
Describe the unique considerations and relationships between strategic and contingency plans
Figure 2-1 Information Security and Planning
Source: Course Technology/Cengage Learning
Introduction
The Role of Planning
Successful organisations utilise planning
Planning involves
Employees
Management
Stockholders
Other outside stakeholders
The physical and technological environment
The political and legal environment
The competitive environment
The Role of Planning (cont’d.)
Strategic planning includes:
Vision statement
Mission statement
Strategy
Coordinated plans for sub units
Knowing how the general organisational planning process works helps in the information security planning process
The Role of Planning (cont’d.)
Planning is creating action steps toward goals, and then controlling them
Planning provides direction for the organisation’s future
In the top-down method, an organisation’s leaders choose the direction
Planning begins with the general and ends with the specific
Values Statement
Establishes organisational principles
Makes organisation’s conduct standards clear
RWW values commitment, honesty, integrity and social responsibility among its employees, and is committed to providing its services in harmony with its corporate, social, legal and natural environments
The values, vision, and mission statements together provide the foundation for planning
Vision Statement
The vision statement expresses what the organisation wants to become
Vision statements should be ambitious
Random Widget Works will be the preferred manufacturer of choice for every business’s widget equipment needs, with an RWW widget in every machine they use
Mission Statement
Mission statement
Declares the business of the organisation and its intended areas of operations
Explains what the organisation does and for whom
Random Widget Works, Inc. designs and manufactures quality widgets and associated equipment and supplies for use in modern business environments
Figure 2-2 Microsoft’s Mission and Values Statement
Strategic Planning
Strategy is the basis for long-term direction
Strategic planning guides organisational efforts
Focuses resources on clearly defined goals
“… strategic planning is a disciplined effort to produce fundamental decisions and actions that shape and guide what an organisation is, what it does, and why it does it, with a focus on the future.”
Creating a Strategic Plan
Figure 2-3 Top-down Strategic Planning
Source: Course Technology/Cengage Learning
Creating a Strategic Plan (cont’d.)
An organisation develops a general strategy
Then creates specific strategic plans for major divisions
Each level or division translates those objectives into more specific objectives for the level below
In order to execute this broad strategy executives must define individual managerial responsibilities
Planning Levels
Strategic goals are translated into tasks
Objectives should be specific, measurable, achievable, reasonably high and time-bound (SMART)
Strategic planning then begins a transformation from general to specific objectives
Planning Levels (cont’d.)
Figure 2-4 Planning Levels
Source: Course Technology/Cengage Learning
Planning Levels (cont’d.)
Tactical Planning
Has a shorter focus than strategic planning
Usually one to three years
Breaks applicable strategic goals into a series of incremental objectives
Planning Levels (cont’d.)
Operational Planning
Used by managers and employees to organise the ongoing, day-to-day performance of tasks
Includes clearly identified coordination activities across department boundaries such as:
Communications requirements
Weekly meetings
Summaries
Progress reports
Planning and the CISO
Elements of a strategic plan
Executive summary
Mission statement and vision statement
Organisational profile and history
Strategic issues and core values
Program goals and objectives
Management/operations goals and objectives
Appendices (optional)
Planning and the CISO (cont’d.)
Tips for creating a strategic plan
Create a compelling vision statement that frames the evolving plan, and acts as a magnet for people who want to make a difference
Embrace the use of the balanced scorecard approach
Deploy a draft high level plan early, and ask for input from stakeholders in the organisation
Planning and the CISO (cont’d.)
Tips for creating a strategic plan (cont’d.)
Make the evolving plan visible
Make the process invigorating for everyone
Be persistent
Make the process continuous
Provide meaning
Be yourself
Lighten up and have some fun
Information Security Governance
Governance of information security is a strategic planning responsibility
Importance has grown in recent years
Information security objectives must be addressed at the highest levels of an organisation's management team
To be effective and offer a sustainable approach
Information Security Governance (cont.)
Information security governance includes
Providing strategic direction
Establishing objectives
Measuring progress toward those objectives
Verifying that risk management practices are appropriate
Validating that the organisation’s assets are used properly
Information Security Governance (cont’d.)
Actions of the Board of Directors
Inculcating a culture that recognises the importance of information security
Aligning management’s investment in information security with organisational strategies and risk environment
Assuring comprehensive development and implementation of an information security program
Demanding reports from the various layers of management on the information security program’s effectiveness and adequacy
Desired Outcomes
Outcomes of information security governance
Strategic alignment of information security with business strategy to support organisational objectives
Risk management to reduce potential impacts on information resources
Resource management with efficient use of information security knowledge and infrastructure
Desired Outcomes (cont’d.)
Outcomes of information security governance (cont’d.)
Performance measurement to ensure that organisational objectives are achieved
Value delivery by optimising information security investments in support of organisational objectives
Desired Outcomes (cont’d.)
Recommended Board of Director practices
Place information security on the board’s agenda
Identify information security leaders, hold them accountable and ensure support for them
Ensure the effectiveness of the corporation’s information security policy through review and approval
Assign information security to a key committee and ensure adequate support for that committee
Implementing Information Security Governance
Figure 2-6 General Governance Framework
Source: IDEAL is a service mark of Carnegie Mellon University
Implementing Information Security Governance (cont’d.)
Figure 2-7 The IDEAL model governance framework
Source: IDEAL is a service mark of Carnegie Mellon University
Planning for Information Security Implementation
Figure 2-8 Information security governance responsibilities
Source: Information Security Governance: A Call to Action
Planning For Information Security Implementation (cont’d.)
Roles of the CIO and CISO
Translating overall strategic plan into tactical and operational information security plans
The CISO plays a more active role in the development of the planning details than does the CIO
Planning For Information Security Implementation (cont’d.)
CISO Job Description
Creates a strategic information security plan with a vision for the future of information security
Understands the fundamental business activities and suggests appropriate information security solutions to protect these activities
Develops action plans, schedules, budgets, and status reports
Planning For Information Security Implementation (cont’d.)
Implementation can begin
After plan has been translated into IT and information security objectives and tactical and operational plans
Methods of implementation
Bottom-up
Top-down
Planning For Information Security Implementation (cont’d.)
Figure 2-9 Approaches to security implementation
Source: Course Technology/Cengage Learning
Introduction to the Security Systems Development Life Cycle
An SDLC is a methodology for the design and implementation of an information system
SDLC-based projects may be initiated by events or planned
At the end of each phase, a review occurs to determine if the project should be continued, discontinued, outsourced, or postponed
SecSDLC methodology is similar to SDLC
Identification of specific threats and the risks they represent
Design and implementation of specific controls to counter those threats and manage risks posed to the organisation
Introduction to the Security Systems Development Life Cycle (cont’d.)
Figure 2-10 Phases of the SecSDLC
Source: Course Technology/Cengage Learning
Investigation in the SecSDLC
Phase begins with directive from management specifying the process, outcomes, and goals of the project and its budget
Frequently begins with the affirmation or creation of security policies (ANZ example)
Teams assembled to analyse problems, define scope, specify goals and identify constraints
Investigation in the SecSDLC (cont’d.)
Feasibility analysis
Determines whether the organisation has the resources and commitment to conduct a successful security analysis and design
Analysis in the SecSDLC
Prepare analysis of existing security policies and programs, along with known threats and current controls
Analysis in the SecSDLC (cont’d.)
Analyse relevant legal issues that could affect the design of the security solution
Risk management begins in this stage
The process of identifying, assessing, and evaluating the levels of risk facing the organisation, specifically the threats to the information stored and processed by the organisation
A threat is an object, person, or other entity that represents a constant danger to an asset
An attack
A deliberate act that exploits a vulnerability to achieve the compromise of a controlled system
Accomplished by a threat agent that damages or steals an organisation’s information or physical assets
An exploit
A technique or mechanism used to compromise a system
A vulnerability
An identified weakness of a controlled system in which necessary controls are not present or are no longer effective
Table 2-1 Threats to Information Security
Source: Course Technology/Cengage Learning
(adapted from Whitman, 2003)
Some common attacks
Malicious code
Hoaxes
Back doors
Password crack
Brute force
Dictionary
Denial-of-service (DoS) and distributed denial-of-service (DDoS)
Some common attacks (cont’d.)
Spoofing
Man-in-the-middle
Spam
Mail bombing
Sniffer
Social engineering
Buffer overflow
Timing
Prioritise the risk posed by each category of threat
Identify and assess the value of your information assets
Assign a comparative risk rating or score to each specific information asset
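The three risk-prioritisation steps above, carried through on a constructed asset inventory, as an added example (not code from the textbook or these slides). The weighted-criteria asset valuation and the value x likelihood x (1 - control effectiveness) scoring rule are assumptions chosen for illustration; the threat names are taken from the list of common attacks on the preceding slides.

```python
from dataclasses import dataclass

# Asset value is a weighted sum of three impact criteria scored 0-100.
# The criteria and weights are an assumption for this example, not the book's.
VALUE_WEIGHTS = {"revenue": 0.4, "profit": 0.35, "image": 0.25}

@dataclass(frozen=True)
class Asset:
    name: str
    revenue: int   # impact on revenue if the asset is compromised
    profit: int    # impact on profitability
    image: int     # impact on public image

    def value(self) -> float:
        return sum(getattr(self, k) * w for k, w in VALUE_WEIGHTS.items())

@dataclass(frozen=True)
class Exposure:
    """One threat category acting on one asset (hypothetical structure)."""
    asset: Asset
    threat: str        # a category from the slides' list of common attacks
    likelihood: float  # 0.0-1.0, estimated chance of a successful attack
    control: float     # 0.0-1.0, effectiveness of controls already in place

def residual_risk(e: Exposure) -> float:
    # Assumed scoring model: value x likelihood x share of risk not yet controlled.
    return e.asset.value() * e.likelihood * (1.0 - e.control)

def _ranked_totals(exposures, key):
    totals = {}
    for e in exposures:
        totals[key(e)] = totals.get(key(e), 0.0) + residual_risk(e)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def rate_assets(exposures):
    """Comparative risk rating per asset, highest residual risk first."""
    return _ranked_totals(exposures, lambda e: e.asset.name)

def prioritise_threats(exposures):
    """Residual risk per threat category, highest first."""
    return _ranked_totals(exposures, lambda e: e.threat)

# Constructed sample inventory, not real data.
CUSTOMER_DB = Asset("customer database", revenue=90, profit=80, image=95)
WEB_SERVER = Asset("public web server", revenue=70, profit=50, image=60)
SAMPLE_EXPOSURES = [
    Exposure(CUSTOMER_DB, "password crack", likelihood=0.3, control=0.5),
    Exposure(CUSTOMER_DB, "malicious code", likelihood=0.2, control=0.8),
    Exposure(WEB_SERVER, "denial-of-service", likelihood=0.6, control=0.2),
    Exposure(WEB_SERVER, "buffer overflow", likelihood=0.1, control=0.7),
]
```

On this sample the lower-valued web server outranks the customer database because its denial-of-service exposure is likely and poorly controlled, which is the point of rating residual risk rather than asset value alone.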
Design in the SecSDLC
Create and develop a blueprint for security
Examine and implement key policies
Evaluate the technology needed to support the security blueprint
Generate alternative solutions
Agree upon a final design
Security models may be used to guide the design process
Models provide frameworks for ensuring that all areas of security are addressed
Organisations can adapt or adopt a framework to meet their own information security needs
A critical design element of the information security program is the information security policy
Management must define three types of security policy
Enterprise information security policies
Issue-specific security policies
Systems-specific security policies
SETA program consists of three elements
Security education, security training, and security awareness
The purpose of SETA is to enhance security by
Improving awareness
Developing skills and knowledge
Building in-depth knowledge
SETA
Another integral part of the InfoSec program is the security education and training program.
The SETA program consists of three elements: security education, security training, and security awareness.
The purpose of SETA is to enhance security by:
Improving awareness of the need to protect system resources;
Developing skills and knowledge so computer users can perform their jobs more securely; and
Building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems.
Design controls and safeguards
Used to protect information from attacks by threats
Three categories of controls: managerial, operational and technical
Managerial controls
Address the design and implementation of the security planning process, security program management, risk management, and security control reviews
Operational controls cover management functions and lower-level planning
Disaster recovery
Incident response planning
Personnel security
Physical security
Protection of production inputs and outputs
Technical controls
Address tactical and technical issues related to designing and implementing security in the organisation
Technologies necessary to protect information are examined and selected
Contingency planning
Prepare, react and recover from circumstances that threaten the organisation
Types of contingency planning
Incident response planning (IRP)
Disaster recovery planning (DRP)
Business continuity planning (BCP)
Records destroyed in Liverpool council fire
Physical security
Design, implementation, and maintenance of countermeasures that protect the physical resources of an organisation
Physical resources include
People
Hardware
Supporting information system elements
Implementation in the SecSDLC
Security solutions are acquired, tested, implemented, and tested again
Personnel issues are evaluated and specific training and education programs conducted
Management of the project plan
Planning the project
Supervising the tasks and action steps within the project
Wrapping up the project
Members of the development team
Champion
Team leader
Security policy developers
Risk assessment specialists
Security professionals
Systems administrators
End users
Staffing the information security function
Decide how to position and name the security function
Plan for the proper staffing of the information security function
Understand the impact of information security across every role in IT
Integrate solid information security concepts into the personnel management practices of the organisation
Information security professionals
Chief information officer (CIO)
Chief information security officer (CISO)
Security managers
Security technicians
Data owners
Data custodians
Data users
Professional certifications
CISSP
SSCP
GIAC
Security+
CISM
Maintenance and change in the SecSDLC
Once the information security program is implemented, it must be operated, properly managed, and kept up to date by means of established procedures
If the program is not adjusting adequately to the changes in the internal or external environment, it may be necessary to begin the cycle again
Aspects of a maintenance model
External monitoring
Internal monitoring
Planning and risk assessment
Vulnerability assessment and remediation
Readiness and review
Vulnerability assessment
Introduction to the Security Systems Development Life Cycle (cont’d.)
Figure 2-11 Maintenance model
Source: Course Technology/Cengage Learning
Security program management
A formal management standard can provide some insight into the processes and procedures needed
Examples include the BS7799 / ISO17799 / ISO27xxx model or the NIST models described earlier
Summary
Introduction
Components of organisational planning
Information security governance
Planning for information security implementation
Introduction to the security systems development life cycle