
Computer Security: Principles and Practice, Fourth Edition

By William Stallings and Lawrie Brown

Lecture slides prepared for “Computer Security: Principles and Practice”, 4/e, by William Stallings and Lawrie Brown, Chapter 15, “IT Security Controls, Plans, and Procedures”.

Chapter 15: IT Security Controls, Plans, and Procedures

In Chapter 14, we introduced IT security management as a formal process to ensure that critical assets are sufficiently protected in a cost-effective manner. We then discussed the critical risk assessment process. This chapter continues the examination of IT security management. We survey the range of management, operational, and technical controls or safeguards available that can be used to improve security of IT systems and processes. We then explore the content of the security plans that detail the implementation process. These plans must then be implemented, with training to ensure that all personnel know their responsibilities, and monitoring to ensure compliance. Finally, to ensure that a suitable level of security is maintained, management must follow up the implementation with an evaluation of the effectiveness of the security controls and an iteration of the entire IT security management process.

We introduced the IT security management process in Chapter 14, illustrated by Figure 14.1. Chapter 14 focused on the earlier stages of this process. In this chapter, we focus on the latter stages, which include selecting controls, developing an implementation plan, and the follow-up monitoring of the plan’s implementation. We broadly follow the guidance provided in NIST SP 800-39 (Managing Information Security Risk: Organization, Mission, and Information System View, March 2011), which was developed by NIST in 2011 as the flagship document for providing guidance for an integrated, organization-wide program for managing information security risk, in response to FISMA. A broad summary of these steps is given in Figure 15.1. We will discuss each of these in turn.

Security Control

Control is defined as:

“An action, device, procedure, or other measure that reduces risk by eliminating or preventing a security violation, by minimizing the harm it can cause, or by discovering and reporting it to enable corrective action.”

A risk assessment on an organization’s IT systems identifies areas needing treatment. The next step, as shown in Figure 14.1 on risk analysis options, is to select suitable controls to use in this treatment. An IT security control, safeguard, or countermeasure (the terms are used interchangeably) helps to reduce risks. We use the following definition:

“An action, device, procedure, or other measure that reduces risk by eliminating or preventing a security violation, by minimizing the harm it can cause, or by discovering and reporting it to enable corrective action.”

Control Classifications

• Management controls: Focus on security policies, planning, guidelines, and standards that influence the selection of operational and technical controls to reduce the risk of loss and to protect the organization’s mission. These controls refer to issues that management needs to address.
• Operational controls: Address the correct implementation and use of security policies and standards, ensuring consistency in security operations and correcting identified operational deficiencies. These controls relate to mechanisms and procedures that are primarily implemented by people rather than systems. They are used to improve the security of a system or group of systems.
• Technical controls: Involve the correct use of hardware and software security capabilities in systems. These range from simple to complex measures that work together to secure critical and sensitive data, information, and IT systems functions.

Some controls address multiple risks at the same time, and selecting such controls can be very cost effective. Controls can be classified as belonging to one of the following classes (although some controls include features from several of these):

• Management controls: Focus on security policies, planning, guidelines, and standards that influence the selection of operational and technical controls to reduce the risk of loss and to protect the organization’s mission. These controls refer to issues that management needs to address. We discuss a number of these in Chapters 14 and 15.
• Operational controls: Address the correct implementation and use of security policies and standards, ensuring consistency in security operations and correcting identified operational deficiencies. These controls relate to mechanisms and procedures that are primarily implemented by people rather than systems. They are used to improve the security of a system or group of systems. We will discuss some of these in Chapters 16 and 17.
• Technical controls: Involve the correct use of hardware and software security capabilities in systems. These range from simple to complex measures that work together to secure critical and sensitive data, information, and IT systems functions.

Figure 15.2 illustrates some typical technical control measures. Parts One and Two in this text discussed aspects of such measures.

Control Classes

Each of the control classes may include the following:

• Supportive controls: Pervasive, generic, underlying technical IT security capabilities that are interrelated with, and used by, many other controls
• Preventative controls: Focus on preventing security breaches from occurring, by inhibiting attempts to violate security policies or exploit a vulnerability
• Detection and recovery controls: Focus on the response to a security breach, by warning of violations or attempted violations of security policies or the identified exploit of a vulnerability and by providing means to restore the resulting lost computing resources

In turn, each of these control classes may include the following:

• Supportive controls: Pervasive, generic, underlying technical IT security capabilities that are interrelated with, and used by, many other controls.
• Preventative controls: Focus on preventing security breaches from occurring, by inhibiting attempts to violate security policies or exploit a vulnerability.
• Detection and recovery controls: Focus on the response to a security breach, by warning of violations or attempted violations of security policies or the identified exploit of a vulnerability and by providing means to restore the resulting lost computing resources.

The technical control measures shown in Figure 15.2 include examples of each of these types of controls.

Table 15.1 NIST SP 800-53 Security Controls

Lists of controls are provided in a number of national and international standards, including ISO 27002 (Code of practice for information security management, 2013), ISO 13335 (Management of information and communications technology security, 2004), FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems, March 2006) and NIST SP 800-53 (Recommended Security Controls for Federal Information Systems, January 2015). There is broad agreement among these and other standards as to the types of controls that should be used and the detailed lists of typical controls. Indeed, many of the standards cross-reference each other, indicating their agreement on these lists. ISO 27002 is generally regarded as the master list of controls and is cited by most other standards. Table 15.1 (adapted from Table 1 in NIST SP 800-53) is a typical list of families of controls within each of the classes.

Table 15.2 ISO/IEC 27002 Security Controls

(Table can be found on page 493 in the textbook.)

Compare this with the list in Table 15.2, which details the categories of controls given in ISO 27002, and with Table 1.4, which lists controls from FIPS 200, noting the high degree of overlap. Within each of these control classes, there is a long list of specific controls that may be chosen.

Table 15.3 Detailed NIST SP 800-53 Security Controls

(Table is on pages 494-495 in the textbook.)

Table 15.3 (adapted from the tables in Appendix D and G of NIST SP 800-53) itemizes the full list of controls detailed in this standard. To attain an acceptable level of security, some combination of these controls should be chosen. If the baseline approach is being used, an appropriate baseline set of controls is typically specified in a relevant industry or government standard. For example, Appendix D in NIST SP 800-53 lists selections of baseline controls for use in low-, moderate-, and high-impact IT systems. A selection should be made that is appropriate to the organization’s overall risk profile, resources, and capabilities. These should then be implemented across all the IT systems for the organization, with adjustments in scope to address broad requirements of specific systems.

Table 15.3 (Continued)

NIST SP 800-18 (Guide for Developing Security Plans for Federal Information Systems, February 2006) suggests that adjustments may be needed for considerations related to the following:

• Technology: Some controls are only applicable to specific technologies, and hence these controls are only needed if the system includes those technologies. Examples of these include wireless networks and the use of cryptography. Some may only be appropriate if the system supports the technology they require—for example, readers for access tokens. If these technologies are not supported on a system, then alternate controls, including administrative procedures or physical access controls, may be used instead.
• Common controls: The entire organization may be managed centrally and may not be the responsibility of the managers of a specific system. Control changes would need to be agreed to and managed centrally.
• Public access systems: Some systems, such as the organization’s public Web server, are designed for access by the general public. Some controls, such as those relating to personnel security, identification, and authentication, would not apply to access via the public interface. They would apply to administrative control of such systems. The scope of application of such controls must be specified carefully.
• Infrastructure controls: Physical access or environmental controls are only relevant to areas housing the relevant equipment.
• Scalability issues: Controls may vary in size and complexity in relation to the organization employing them. For example, a contingency plan for systems critical to a large organization would be much larger and more detailed than that for a small business.
• Risk assessment: Controls may be adjusted according to the results of specific risk assessment of systems in the organization, as we now consider.

If some form of informal or formal risk assessment process is being used, then it provides guidance on specific risks to an organization’s IT systems that need to be addressed. These will typically be some selection of operational or technical controls that together can reduce the likelihood of the identified risk occurring, the consequences if it does, or both, to an acceptable level. These may be in addition to those controls already selected in the baseline, or may simply be more detailed and careful specification and use of already selected controls.

The process illustrated in Figure 15.1 indicates that a recommended list of controls should be made to address each risk needing treatment. The recommended controls need to be compatible with the organization’s systems and policies, and their selection may also be guided by legal requirements. The resulting list of controls should include details of the feasibility and effectiveness of each control. The feasibility addresses factors such as technical compatibility with and operational impact on existing systems and users’ likely acceptance of the control. The effectiveness equates the cost of implementation against the reduction in level of risk achieved by implementing the control.

The reduction in level of risk that results from implementing a new or enhanced control results from the reduction in threat likelihood or consequence that the control provides, as shown in Figure 15.3. The reduction in likelihood may result either by reducing the vulnerabilities (flaws or weaknesses) in the system or by reducing the capability and motivation of the threat source. The reduction in consequence occurs by reducing the magnitude of the adverse impact of the threat occurring in the organization.

Cost-Benefit Analysis

• Should be conducted by management to identify controls that provide the greatest benefit to the organization given the available resources
• May be qualitative or quantitative
• Must show cost justified by reduction in risk
• Should contrast the impact of implementing a control or not, and an estimation of cost
• Management chooses selection of controls
• Considers if it reduces risk too much or not enough, is too costly or appropriate
• Fundamentally a business decision

The organization will likely not have the resources to implement all the recommended controls. Therefore, management should conduct a cost-benefit analysis to identify those controls that are most appropriate, and provide the greatest benefit to the organization given the available resources. This analysis may be qualitative or quantitative and must demonstrate that the cost of implementing a given control is justified by the reduction in level of risk to assets that it provides. It should include details of the impact of implementing the new or enhanced control, the impact of not implementing it, and the estimated costs of implementation. The analysis must then assess the implementation costs and benefits against system and data criticality to determine the importance of choosing this control.

Management must then determine which selection of controls provides an acceptable resulting level of risk to the organization’s systems. This selection will consider factors such as the following:

• If the control would reduce risk more than needed, then a less expensive alternative could be used.
• If the control would cost more than the risk reduction provided, then an alternative should be used.
• If a control does not reduce the risk sufficiently, then either more or different controls should be used.
• If the control provides sufficient risk reduction and is the most cost effective, then use it.

It is often the case that the cost of implementing a control is more tangible and easily specified than the cost of not implementing it. Management must make a business decision regarding these ill-defined costs in choosing the final selection of controls and resulting residual risk.
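The four selection rules above, together with the likelihood/consequence view of risk reduction from Figure 15.3, can be carried through on a concrete set of candidates. The following is an added worked example, not code from the textbook: the risk, the candidate controls, their costs, their effects and the per-level loss estimate are all constructed sample values, and the choice of "likelihood times consequence" as the risk level is an assumption consistent with the qualitative scales used in Chapter 14.

```python
"""Control selection by cost-benefit analysis (added illustration, not from the textbook).

Risk level is modelled as likelihood * consequence on 1-5 qualitative scales; the
benefit of a control is the risk reduction it achieves, valued at an estimated (and,
as the text notes, often ill-defined) annual loss per unit of risk level.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int         # 1 (rare) .. 5 (almost certain)
    consequence: int        # 1 (insignificant) .. 5 (catastrophic)
    acceptable_level: int   # highest residual level management will accept

    @property
    def level(self) -> int:
        return self.likelihood * self.consequence


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    likelihood_after: int     # likelihood once the control is in place
    consequence_after: int    # consequence once the control is in place

    @property
    def residual_level(self) -> int:
        return self.likelihood_after * self.consequence_after


def risk_reduction(risk: Risk, control: Control) -> int:
    """Reduction in risk level: lower likelihood and/or lower consequence (Figure 15.3)."""
    return risk.level - control.residual_level


def evaluate_controls(risk: Risk, candidates, value_per_level: float):
    """Apply the four selection rules and return (chosen control or None, verdicts).

    verdicts maps control name to one of:
      insufficient     - residual risk still above the acceptable level
      too costly       - annual cost exceeds the valued risk reduction
      more than needed - sufficient and cost-justified, but a cheaper sufficient option exists
      selected         - sufficient, cost-justified and the cheapest such option
    """
    verdicts = {}
    sufficient = []
    for c in candidates:
        benefit = risk_reduction(risk, c) * value_per_level
        if c.residual_level > risk.acceptable_level:
            verdicts[c.name] = "insufficient"
        elif c.annual_cost > benefit:
            verdicts[c.name] = "too costly"
        else:
            sufficient.append(c)
    if not sufficient:
        return None, verdicts
    chosen = min(sufficient, key=lambda c: c.annual_cost)
    for c in sufficient:
        verdicts[c.name] = "selected" if c is chosen else "more than needed"
    return chosen, verdicts


# Constructed example values: one risk in the style of the Silver Star Mines case.
SCADA_RISK = Risk("SCADA node compromise via unpatched OS",
                  likelihood=3, consequence=5, acceptable_level=6)

CANDIDATES = [
    Control("Firewall rule review only", 2_000, likelihood_after=2, consequence_after=5),
    Control("Network IDS at SCADA boundary", 40_000, likelihood_after=1, consequence_after=5),
    Control("IDS plus automated link isolation", 60_000, likelihood_after=1, consequence_after=4),
    Control("Replace all SCADA nodes", 900_000, likelihood_after=1, consequence_after=3),
]

VALUE_PER_LEVEL = 10_000.0   # constructed estimate: annual loss avoided per unit of risk level


def run_example():
    return evaluate_controls(SCADA_RISK, CANDIDATES, VALUE_PER_LEVEL)


if __name__ == "__main__":
    chosen, verdicts = run_example()
    print(f"Risk level before treatment: {SCADA_RISK.level}")
    for name, verdict in verdicts.items():
        print(f"  {name}: {verdict}")
    print(f"Selected: {chosen.name if chosen else 'none'}")
```

With these values the risk level starts at 15; the firewall review alone leaves a residual of 10 (insufficient), full replacement costs far more than the loss it avoids (too costly), and of the two sufficient options the plain IDS is chosen because the isolation variant reduces risk further than the acceptable level requires at a higher cost. Changing `VALUE_PER_LEVEL` or `acceptable_level` is the "business decision" the text describes, and it visibly moves the verdicts.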

IT Security Plan

• Provides details of: what will be done, what resources are needed, and who is responsible
• Goal is to detail the actions needed to improve the identified deficiencies in the risk profile

Having identified a range of possible controls from which management has selected some to implement, an IT security plan should then be created, as indicated in Figures 14.1 and 15.1. This is a document that provides details as to what will be done, what resources are needed, and who will be responsible. The goal is to detail the actions needed to improve the identified deficiencies in the organization’s risk profile in a timely manner. NIST SP 800-30 (Risk Management Guide for Information Technology Systems, September 2012) suggests that this plan should include details of:

• Risks (asset/threat/vulnerability combinations)
• Recommended controls (from the risk assessment)
• Action priority for each risk
• Selected controls (on the basis of the cost-benefit analysis)
• Required resources for implementing the selected controls
• Responsible personnel
• Target start and end dates for implementation
• Maintenance requirements and other comments

Should include:

• Risks, recommended controls, action priority
• Selected controls, resources needed
• Responsible personnel, implementation dates
• Maintenance requirements

Table 15.4 Implementation Plan

These details are summarized in an implementation plan table, such as that shown in Table 15.4. This illustrates an example implementation plan for the example risk identified and shown in Table 14.5. The suggested controls are specific examples of remote access, auditable event, user identification, system backup, and configuration change controls, applied to the identified threatened asset. All of them are chosen because they are neither costly nor difficult to implement. They do require some changes to procedures. The relevant network administration staff must be notified of these changes. Staff members may also require training on the correct implementation of the new procedures and their rights and responsibilities.

Security Plan Implementation

• IT security plan documents: what needs to be done for each selected control; personnel responsible; resources and time frame
• Identified personnel implement new or enhanced controls; this may need system configuration changes, upgrades or new system installation, and may also involve development of new or extended procedures, which need to be encouraged and monitored by management
• When implementation is completed, management authorizes the system for operational use

The next phase in the IT security management process, as indicated in Figure 14.1, is to manage the implementation of the controls detailed in the IT security plan. This comprises the do stage of the cyclic implementation model discussed in Chapter 14. The implementation phase comprises not only the direct implementation of the controls as detailed in the security plan, but also the associated specific training and general security awareness programs for the organization.

The IT security plan documents what needs to be done for each selected control, along with the personnel responsible, and the resources and time frame to be used. The identified personnel then undertake the tasks needed to implement the new or enhanced controls, be they technical, managerial, or operational. This may involve some combination of system configuration changes, upgrades, or new system installation. It may also involve the development of new or extended procedures to document practices needed to achieve the desired security goals. Note that even technical controls typically require associated operational procedures to ensure their correct use. The use of these procedures needs to be encouraged and monitored by management.

The implementation process should be monitored to ensure its correctness. This is typically performed by the organizational security officer, who checks that:

• The implementation costs and resources used stay within identified bounds.
• The controls are correctly implemented as specified in the plan, in order that the identified reduction in risk level is achieved.
• The controls are operated and administered as needed.

When the implementation is successfully completed, management needs to authorize the system for operational use. This may be a purely informal process within the organization. Alternatively, especially in government organizations, this may be part of a formal process resulting in accreditation of the system as meeting required standards. This is usually associated with the installation, certification, and use of trusted computing systems, as we will discuss in Chapter 27. In these cases an external accrediting body will verify the documented evidence of the correct design and implementation of the system.

Implementation Follow-Up

• Security management is a cyclic process, constantly repeated to respond to changes in the IT systems and the risk environment
• Need to monitor implemented controls
• Evaluate changes for security implications; otherwise the chance of a security breach increases
• Includes a number of aspects: maintenance of security controls; security compliance checking; change and configuration management; incident handling

The IT security management process does not end with the implementation of controls and the training of personnel. As we noted in Chapter 14, it is a cyclic process, constantly repeated to respond to changes in the IT systems and the risk environment. The various controls implemented should be monitored to ensure their continued effectiveness. Any proposed changes to systems should be checked for security implications and the risk profile of the affected system reviewed if necessary. Unfortunately, this aspect of IT security management often receives the least attention and in many cases is added as an afterthought, if at all. Failure to do so can greatly increase the likelihood that a security failure will occur.

This follow-up stage of the management process includes a number of aspects:

• Maintenance of security controls
• Security compliance checking
• Change and configuration management
• Incident handling

Any of these aspects might indicate that changes are needed to the previous stages in the IT security management process. An obvious example is that if a breach should occur, such as a virus infection of desktop systems, then changes may be needed to the risk assessment, to the controls chosen, or to the details of their implementation. This can trigger a review of earlier stages in the process.

Maintenance

• Need continued maintenance and monitoring of implemented controls to ensure continued correct functioning and appropriateness
• Goal is to ensure controls perform as intended
• Tasks: periodic review of controls; upgrade of controls to meet new requirements; ensure system changes do not impact controls; address new threats or vulnerabilities

The first aspect concerns the continued maintenance and monitoring of the implemented controls to ensure their continued correct functioning and appropriateness. It is important that someone has responsibility for this maintenance process, which is generally coordinated by the organization’s security officer. The maintenance tasks include ensuring that:

• Controls are periodically reviewed to verify that they still function as intended.
• Controls are upgraded when new requirements are discovered.
• Changes to systems do not adversely affect the controls.
• New threats or vulnerabilities have not become known.

This review includes regular analysis of log files to ensure various system components are functioning as expected, and to determine a baseline of activity against which abnormal events can be compared when handling incidents. We discuss security auditing further in Chapter 18.

The goal of maintenance is to ensure that the controls continue to perform as intended, and hence that the organization’s risk exposure remains as chosen. Failure to maintain controls could lead to a security breach with a potentially significant impact on the organization.
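The "baseline of activity against which abnormal events can be compared" is concrete enough to show in code. The following is an added example, not from the textbook or its authors: it parses constructed syslog-style failed-login records, builds a per-host baseline of failures per hour, and flags hours in a later review period that exceed it. The threshold rule (mean plus three standard deviations, never less than a margin of three events) and the host names, timestamps and addresses are all assumptions made for the illustration.

```python
"""Baseline-and-deviation review of authentication logs (added illustration, not from the textbook).

The log lines are constructed syslog-style sshd records. The baseline policy
(mean + 3 * stdev, with a minimum margin of 3 events) is an assumed house rule.
"""
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Matches e.g. "2024-03-01T09:12:44 web1 sshd[1001]: Failed password for admin from 203.0.113.10"
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_failed_login(line):
    """Return (host, hour_bucket) for a failed-login line, or None for anything else."""
    m = LINE_RE.match(line)
    return (m.group("host"), m.group("hour")) if m else None


def hourly_failures(lines):
    """Count failed logins per (host, hour) bucket; non-matching lines are ignored."""
    counts = Counter()
    for line in lines:
        key = parse_failed_login(line)
        if key is not None:
            counts[key] += 1
    return counts


def build_baseline(lines):
    """Per-host mean and population stdev of failed logins over the observed hours."""
    per_host = defaultdict(list)
    for (host, _hour), n in hourly_failures(lines).items():
        per_host[host].append(n)
    return {host: (mean(v), pstdev(v)) for host, v in per_host.items()}


def find_abnormal(review_lines, baseline, k=3.0, min_margin=3):
    """Return (host, hour, count, reason) for hours that exceed the host's baseline."""
    flagged = []
    for (host, hour), n in sorted(hourly_failures(review_lines).items()):
        if host not in baseline:
            flagged.append((host, hour, n, "no baseline for host"))
            continue
        mu, sigma = baseline[host]
        threshold = mu + max(k * sigma, min_margin)
        if n > threshold:
            flagged.append((host, hour, n, f"above baseline threshold {threshold:.1f}"))
    return flagged


def synth_lines(host, day, hour, n):
    """Constructed sample log lines (not real data); sources use the 203.0.113.0/24 documentation range."""
    return [
        f"{day}T{hour:02d}:{i % 60:02d}:00 {host} sshd[{1000 + i}]: "
        f"Failed password for admin from 203.0.113.{10 + i % 5}"
        for i in range(n)
    ]


# Baseline day: a few failures per working hour on each host.
BASELINE_LINES = []
for _h, _n in zip(range(8, 18), [2, 1, 3, 2, 2, 1, 2, 3, 2, 2]):
    BASELINE_LINES += synth_lines("web1", "2024-03-01", _h, _n)
    BASELINE_LINES += synth_lines("db1", "2024-03-01", _h, 1)

# Review day: one burst on web1, otherwise ordinary activity, a host with no
# baseline, and a successful-login line the parser must skip.
REVIEW_LINES = (
    synth_lines("web1", "2024-03-02", 10, 25)
    + synth_lines("web1", "2024-03-02", 11, 3)
    + synth_lines("db1", "2024-03-02", 9, 2)
    + synth_lines("new-host", "2024-03-02", 12, 1)
    + ["2024-03-02T10:05:00 web1 sshd[2000]: Accepted publickey for ops from 203.0.113.50"]
)


def run_example():
    return find_abnormal(REVIEW_LINES, build_baseline(BASELINE_LINES))


if __name__ == "__main__":
    for host, hour, n, reason in run_example():
        print(f"{hour} {host}: {n} failed logins ({reason})")
```

Two design points matter in practice: a host with no baseline is reported rather than silently passed (a new system appearing in the logs is itself something the maintenance review should notice), and the minimum margin stops a host whose baseline is perfectly regular (stdev of zero) from alerting on a single extra event.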

Security Compliance

• Audit process to review security processes
• Goal is to verify compliance with security plan
• Use internal or external personnel
• Usually based on use of checklists which verify: suitable policies and plans were created; a suitable selection of controls was chosen; that they are maintained and used correctly
• Often as part of a wider general audit

Security compliance checking is an audit process to review the organization’s security processes. The goal is to verify compliance with the security plan. The audit may be conducted using either internal or external personnel. It is generally based on the use of checklists, which verify that the suitable policies and plans have been created, that suitable controls were chosen, and that the controls are maintained and used correctly.

This audit process should be conducted on new IT systems and services once they are implemented, and on existing systems periodically, often as part of a wider, general audit of the organization or whenever changes are made to the organization’s security policy.

Change and Configuration Management

• Change management is the process to review proposed changes to systems: evaluate the impact
• Important component of the general systems administration process
• Test patches to make sure they do not adversely affect other applications
• May be informal or formal
• Configuration management is specifically concerned with keeping track of the configuration of each system in use and the changes made to them
• Keep lists of hardware and software versions installed on each system to help restore them following a failure, and to know what patches or upgrades might be relevant
• Also part of the general systems administration process

Change management is the process used to review proposed changes to systems for implications on the organization’s systems and use. Changes to existing systems can occur for a number of reasons, such as the following:

• Users reporting problems or desired enhancements
• Identification of new threats or vulnerabilities
• Vendor notification of patches or upgrades to hardware or software
• Technology advances
• Implementation of new IT features or services, which require changing existing systems
• Identification of new tasks, which require changing existing systems

The impact of any proposed change on the organization’s systems should be evaluated. This includes not only security-related aspects, but wider operational issues as well. Thus change management is an important component of the general systems administration process. Because changes can affect security, this general process overlaps IT security management and must interact with it.

An important example is the constant flow of patches addressing bugs and security failings in common operating systems and applications. If the organization is running systems of any complexity, with a range of applications, then patches should ideally be tested to ensure that they don’t adversely affect other applications. This can be a time-consuming process that may require considerable administration resources, and could leave the organization exposed to a new vulnerability for a period. Otherwise, the patches or upgrades could be applied without testing, which may possibly result in other failures in the systems and the loss of functionality, but will also improve system security due to faster patching. Management needs to decide whether availability or security has higher priority in such cases.

Ideally, most proposed changes should act to improve the security profile of a system. However, it is possible that for imperative business reasons a change is proposed that reduces the security of a system. In cases like this, it is important that the reasons for the change, its consequences on the security profile for the organization, and management authorization of it be documented. The benefits to the organization would need to be traded off against the increased risk level.

The change management process may be informal or formal, depending on the size of the organization and its overall IT management processes. In a formal process, any proposed change should be documented and tested before implementation. As part of this process, any related documentation, including relevant security documentation and procedures, should be updated to reflect the change.

Configuration management is concerned specifically with keeping track of the configuration of each system in use and the changes made to each. This includes lists of the hardware and software versions installed on each system. This information is needed to help restore systems following a failure (whether security related or not) and to know what patches or upgrades might be relevant to particular systems. Again, this is a general systems administration process with security implications and must interact with IT security management.
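A small configuration record makes the two uses named above concrete: matching vendor advisories against what is actually installed, and logging each change so the state of a system can be reconstructed. The following is an added example, not from the textbook or its authors. Hostnames, package names, versions and the ADV-EXAMPLE-* advisory identifiers are constructed placeholders, and the "must be tested before implementation" rule in `record_change` is the formal-process requirement from the text, applied as an assumption about how this organization operates.

```python
"""Configuration inventory, patch relevance and change logging (added illustration, not from the textbook).

All hostnames, package names, versions and advisory ids are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class HostConfig:
    hostname: str
    os_version: str
    packages: dict            # package name -> installed version (dotted numeric)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # placeholder identifier, not a real advisory
    package: str
    fixed_in: str             # first version that contains the fix
    severity: str


@dataclass(frozen=True)
class ChangeRecord:
    when: date
    hostname: str
    package: str
    old_version: str
    new_version: str
    approved_by: str
    tested: bool


def version_key(v):
    """Dotted numeric version -> tuple for ordering (assumes purely numeric components)."""
    return tuple(int(p) for p in v.split("."))


def is_affected(installed, fixed_in):
    return version_key(installed) < version_key(fixed_in)


def relevant_patches(inventory, advisories):
    """Map hostname -> advisory ids whose package is installed in an unfixed version."""
    needed = {}
    for host in inventory:
        ids = [a.advisory_id for a in advisories
               if a.package in host.packages
               and is_affected(host.packages[a.package], a.fixed_in)]
        if ids:
            needed[host.hostname] = ids
    return needed


def record_change(host, package, new_version, approved_by, tested, changelog, when=None):
    """Apply a package change to the inventory and append it to the change log.

    A formal change process documents and tests a change before implementation;
    here an untested change is refused rather than silently applied.
    """
    if not tested:
        raise ValueError(f"{package} on {host.hostname}: change must be tested before implementation")
    old = host.packages[package]
    host.packages[package] = new_version
    changelog.append(ChangeRecord(when or date.today(), host.hostname, package,
                                  old, new_version, approved_by, tested))
    return changelog[-1]


def build_inventory():
    """Constructed inventory of three hosts (placeholder names and versions)."""
    return [
        HostConfig("fin-srv-01", "os-10.2", {"webfw": "2.4.1", "dbclient": "10.3.0"}),
        HostConfig("proc-srv-02", "os-10.2", {"webfw": "2.6.0", "dbclient": "10.5.2"}),
        HostConfig("scada-gw-01", "os-8.1", {"webfw": "1.9.7", "kernel-image": "4.19.0"}),
    ]


ADVISORIES = [
    Advisory("ADV-EXAMPLE-001", "webfw", "2.5.0", "high"),
    Advisory("ADV-EXAMPLE-002", "dbclient", "10.4.0", "medium"),
    Advisory("ADV-EXAMPLE-003", "kernel-image", "5.4.0", "critical"),
]


def run_example():
    """Return (patches needed before the change, needed after, change log)."""
    inventory = build_inventory()
    changelog = []
    before = relevant_patches(inventory, ADVISORIES)
    record_change(inventory[0], "webfw", "2.5.0", approved_by="change board",
                  tested=True, changelog=changelog, when=date(2024, 3, 4))
    after = relevant_patches(inventory, ADVISORIES)
    return before, after, changelog


if __name__ == "__main__":
    before, after, log = run_example()
    print("needed before:", before)
    print("needed after: ", after)
    for rec in log:
        print(rec)
```

The change log holds the old version as well as the new one, which is what a restore after a failed upgrade needs; the inventory lookup is what turns a vendor notification into the list of systems a change request must actually cover.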

Case Study: Silver Star Mines

• Given the risk assessment, the next stage is to identify possible controls
• Based on the assessment it is clear many categories are not in use
• General issue of systems not being patched or upgraded
• Need contingency plans
• SCADA: add intrusion detection system
• Info integrity: better centralize storage
• Email: provide backup system

Consider the case study introduced in Chapter 14, which involves the operations of a fictional company, Silver Star Mines. Given the outcome of the risk assessment for this company, the next stage in the security management process is to identify possible controls. From the information provided during this assessment, clearly a number of the possible controls listed in Table 15.3 are not being used. A comment repeated many times was that many of the systems in use had not been regularly upgraded, and part of the reason for the identified risks was the potential for system compromise using a known but unpatched vulnerability. That clearly suggests that attention needs to be given to controls relating to the regular, systematic maintenance of operating systems and applications software on server and client systems. Such controls include

• Configuration management policy and procedures
• Baseline configuration
• System maintenance policy and procedures
• Periodic maintenance
• Flaw remediation
• Malicious code protection
• Spam and spyware protection

Given that potential incidents are possible, attention should also be given to developing contingency plans to detect and respond to such incidents and to enable speedy restoration of system function. Attention should be paid to controls such as

• Audit monitoring, analysis, and reporting
• Audit reduction and report generation
• Contingency planning policy and procedures
• Incident response policy and procedures
• Information system backup
• Information system recovery and reconstitution

These controls are generally applicable to all the identified risks and constitute good general systems administration practice. Hence, their cost effectiveness would be high because they provide an improved level of security across multiple identified risks.

Now consider the specific risk items. The top-priority risk relates to the

reliability and integrity of the Supervisory Control and Data Acquisition (SCADA)

nodes and network. These were identified as being at risk because many of these

systems are running older releases of operating systems with known insecurities.

Further, these systems cannot be patched or upgraded because the key applications

they run have not been updated or validated to run on newer O/S versions. Given

these limitations on the ability to reduce the vulnerability of individual nodes,

attention should be paid to the firewall and application proxy servers that isolate

the SCADA nodes and network from the wider corporate network. These systems

can be regularly maintained and managed according to the generally applied list

of controls we identified. Further, because the traffic to and from the SCADA

network is highly structured and predictable, it should be possible to implement

an intrusion detection system with much greater reliability than applies to

general-use corporate networks. This system should be able to identify attack

traffic, as it would be very different from normal traffic flows. Such a system

might involve a more detailed, automated analysis of the audit records

generated on the existing firewall and proxy server systems. More likely, it

could be an independent system connected to and monitoring the traffic

through these systems. The system could be further extended to include an

automated response capability, which could automatically sever the network

connection if an attack is identified. This approach recognizes that the network

connection is not needed for the correct operation of the SCADA nodes.

Indeed, they were designed to operate without such a network connection,

which is much of the reason for their insecurity. All that would be lost is

the improved overall monitoring and management of the SCADA nodes.

With this functionality, the likelihood of a successful attack, already regarded as

very unlikely, can be further reduced.

The second-priority risk relates to the integrity of stored information. Clearly all the general controls help reduce this risk. More specifically, much of the problem stems from the large number of documents scattered over a large number of systems with inconsistent management. This risk would be easier to manage if all documents identified as critical to the operation of the company were stored on a smaller pool of application and file servers, which could then be managed appropriately using the generally applicable controls. This suggests that an audit of critical documents is needed to identify who is responsible for them and where they are currently located. Policies are then needed that specify that critical documents are to be created and stored only on approved central servers, and existing documents should be transferred to those servers. Appropriate education and training of all affected users is needed to help ensure that these policies are followed.

The next three risks relate to the availability or integrity of the key Financial, Procurement, and Maintenance/Production systems. The generally applicable controls identified above should adequately address these risks once they are applied to all relevant servers.

The final risk relates to the availability, integrity, and confidentiality of e-mail. As noted in the risk assessment, this is primarily the responsibility of the parent company's IT group, which manages the external mail gateway, so there is a limited amount that can be done at the local site. The generally applicable controls, particularly those relating to malicious code protection and to spam and spyware protection on client systems, will help reduce this risk. In addition, as part of the contingency planning and incident response policies and procedures, consideration could be given to a backup e-mail system. For security, this system would use client systems isolated from the company intranet and connected to an external local network service provider. That connection would provide limited e-mail capability for critical messages should the main company intranet e-mail system be compromised.

Silver Star Mines: Implementation Plan


This analysis of possible controls is summarized in Table 15.5, which lists the controls identified and the priorities for their implementation. This table must be extended to include details of the resources required, responsible personnel, time frame, and any other comments. The plan would then be implemented, with suitable monitoring of its progress. Successful implementation leads to longer-term follow-up, which should ensure that the new policies continue to be applied appropriately and that regular reviews of the company's security profile occur. In time this should lead to a new cycle of risk assessment, plan development, and follow-up.

Summary

• IT security management implementation
• Security controls or safeguards
• IT security plan
• Implementation of controls
• Implementation of security plan
• Security awareness and training
• Monitoring risks
• Maintenance
• Security compliance
• Change and configuration management
• Incident handling
• Case study: Silver Star Mines

Chapter 15 summary.

Figure 15.1 IT Security Management Controls and Implementation

Step 1: Prioritize Risks (management review of risk register)
Step 2: Respond to Risks (accept, avoid, mitigate, share)
  Evaluate Recommended Control Options
  Determine Risk Response
  Select Controls
  Develop Implementation Plan
  Implement Selected Controls
Step 3: Monitor Risks

Figure 15.2 Technical Security Controls

The figure groups the technical controls that sit between a user or process and the resource it accesses into three categories:

Support: Identification; Cryptographic Key Management; Security Administration; System Protections (least privilege, object reuse, process separation, etc.)
Prevent: Protected Communications (safe from disclosure, substitution, modification, and replay); Authentication; Authorization; Access Control Enforcement; Non-repudiation; Transaction Privacy
Detect, Recover: Audit; Intrusion Detection and Containment; Proof of Wholeness; State Restore

CLASS          CONTROL FAMILY
Management     Planning
Management     Program Management
Management     Risk Assessment
Management     Security Assessment and Authorization
Management     System and Services Acquisition
Operational    Awareness and Training
Operational    Configuration Management
Operational    Contingency Planning
Operational    Incident Response
Operational    Maintenance
Operational    Media Protection
Operational    Personnel Security
Operational    Physical and Environmental Protection
Operational    System and Information Integrity
Technical      Access Control
Technical      Audit and Accountability
Technical      Identification and Authentication
Technical      System and Communications Protection

Security Policies: Ensure that information security policies support business requirements and comply with relevant laws and regulations.

Organization of Information Security: Provide a management framework for controlling the implementation of security policies, and ensure the security of mobile devices.

Human Resource Security: Ensure that employees and contractors understand and comply with security policies. Protect the organization's interests during the process of terminating or changing employment.

Asset Management: Identify assets to be protected and define appropriate responsibilities for managing assets. Prevent unauthorized disclosure, modification, removal, or destruction of information stored on media.

Access Control: Define access privileges for access to information and information processing facilities. Ensure authorized user access and prevent unauthorized user access. Hold users accountable for safeguarding their authentication information.

Cryptography: Ensure proper and effective use of cryptographic software and hardware so as to provide confidentiality, integrity, and authenticity services.

Physical and Environmental Security: Define and implement policies to secure information processing facilities and to manage physical access to secure locations and secured facilities. Prevent loss, damage, theft, or compromise of assets and interruption to the organization's operations.

Operations Security: Ensure that the operation of information processing facilities conforms to security policies. Measures include ensuring that information and information processing facilities are protected against malware; protecting against loss of data; recording events and generating evidence; and ensuring the integrity of operational systems to prevent exploitation of technical vulnerabilities.

Communications Security: Implement security policies to protect network equipment and facilities, and to protect information transferred within an organization and with external entities.

System Acquisition, Development and Maintenance: Ensure that security policies and procedures apply throughout a system's lifetime.

Supplier Relationships: Ensure that agreements with suppliers meet security policy requirements. Monitor and assess compliance with security agreements.

Information Security Incident Management: Implement an incident management capability that enables management of information security incidents, including reporting and documenting incidents and responses.

Information Security Continuity: Ensure that security policies address requirements for incorporation into the organization's business continuity management systems.

Compliance: Ensure that legal, statutory, regulatory, or contractual obligations related to information security are met. Ensure that systems and personnel comply with the organization's security policies.


Access Control
Access Control Policy and Procedures, Account Management, Access Enforcement, Information Flow Enforcement, Separation of Duties, Least Privilege, Unsuccessful Login Attempts, System Use Notification, Previous Logon (Access) Notification, Concurrent Session Control, Session Lock, Permitted Actions without Identification or Authentication, Security Attributes, Remote Access, Wireless Access, Access Control for Mobile Devices, Use of External Information Systems, User-Based Collaboration and Information Sharing, Publicly Accessible Content

Awareness and Training
Security Awareness and Training Policy and Procedures, Security Awareness, Security Training, Security Training Records, Contacts with Security Groups and Associations

Audit and Accountability
Audit and Accountability Policy and Procedures, Auditable Events, Content of Audit Records, Audit Storage Capacity, Response to Audit Processing Failures, Audit Review, Analysis, and Reporting, Audit Reduction and Report Generation, Time Stamps, Protection of Audit Information, Non-repudiation, Audit Record Retention, Audit Generation, Monitoring for Information Disclosure, Session Audit

Security Assessment and Authorization
Security Assessment and Authorization Policies and Procedures, Security Assessments, Information System Connections, Plan of Action and Milestones, Security Accreditation, Continuous Monitoring

Configuration Management
Configuration Management Policy and Procedures, Baseline Configuration, Configuration Change Control, Security Impact Analysis, Access Restrictions for Change, Configuration Settings, Least Functionality, Information System Component Inventory, Configuration Management Plan

Contingency Planning
Contingency Planning Policy and Procedures, Contingency Plan, Contingency Training, Contingency Plan Testing and Exercises, Alternate Storage Site, Alternate Processing Site, Telecommunications Services, Information System Backup, Information System Recovery and Reconstitution

Identification and Authentication
Identification and Authentication Policy and Procedures, Identification and Authentication (Organizational Users), Device Identification and Authentication, Identifier Management, Authenticator Management, Authenticator Feedback, Cryptographic Module Authentication, Identification and Authentication (Non-Organizational Users)

Incident Response
Incident Response Policy and Procedures, Incident Response Training, Incident Response Testing and Exercises, Incident Handling, Incident Monitoring, Incident Reporting, Incident Response Assistance, Incident Response Plan

Maintenance
System Maintenance Policy and Procedures, Controlled Maintenance, Maintenance Tools, Non-Local Maintenance, Maintenance Personnel, Timely Maintenance

Media Protection
Media Protection Policy and Procedures, Media Access, Media Marking, Media Storage, Media Transport, Media Sanitization

Physical and Environmental Protection
Physical and Environmental Protection Policy and Procedures, Physical Access Authorizations, Physical Access Control, Access Control for Transmission Medium, Access Control for Output Devices, Monitoring Physical Access, Visitor Control, Access Records, Power Equipment and Power Cabling, Emergency Shutoff, Emergency Power, Emergency Lighting, Fire Protection, Temperature and Humidity Controls, Water Damage Protection, Delivery and Removal, Alternate Work Site, Location of Information System Components, Information Leakage


Planning
Security Planning Policy and Procedures, System Security Plan, Rules of Behavior, Privacy Impact Assessment, Security-Related Activity Planning

Personnel Security
Personnel Security Policy and Procedures, Position Categorization, Personnel Screening, Personnel Termination, Personnel Transfer, Access Agreements, Third-Party Personnel Security, Personnel Sanctions

Risk Assessment
Risk Assessment Policy and Procedures, Security Categorization, Risk Assessment, Vulnerability Scanning

System and Services Acquisition
System and Services Acquisition Policy and Procedures, Allocation of Resources, Life Cycle Support, Acquisitions, Information System Documentation, Software Usage Restrictions, User Installed Software, Security Engineering Principles, External Information System Services, Developer Configuration Management, Developer Security Testing, Supply Chain Protection, Trustworthiness, Critical Information System Components

System and Communications Protection
System and Communications Protection Policy and Procedures, Application Partitioning, Security Function Isolation, Information in Shared Resources, Denial of Service Protection, Resource Priority, Boundary Protection, Transmission Integrity, Transmission Confidentiality, Network Disconnect, Trusted Path, Cryptographic Key Establishment and Management, Use of Cryptography, Public Access Protections, Collaborative Computing Devices, Transmission of Security Attributes, Public Key Infrastructure Certificates, Mobile Code, Voice Over Internet Protocol, Secure Name/Address Resolution Service (Recursive or Caching Resolver), Architecture and Provisioning for Name/Address Resolution Service, Session Authenticity, Fail in Known State, Thin Nodes, Honeypots, Operating System-Independent Applications, Protection of Information at Rest, Heterogeneity, Virtualization Techniques, Covert Channel Analysis, Information System Partitioning, Transmission Preparation Integrity, Non-Modifiable Executable Programs

System and Information Integrity
System and Information Integrity Policy and Procedures, Flaw Remediation, Malicious Code Protection, Information System Monitoring, Security Alerts, Advisories, and Directives, Security Functionality Verification, Software and Information Integrity, Spam Protection, Information Input Restrictions, Information Input Validation, Error Handling, Information Output Handling and Retention, Predictable Failure Prevention

Program Management
Information Security Program Plan, Senior Information Security Officer, Information Security Resources, Plan of Action and Milestones Process, Information System Inventory, Information Security Measures of Performance, Enterprise Architecture, Critical Infrastructure Plan, Risk Management Strategy, Security Authorization Process, Mission/Business Process Definition

Figure 15.3 Residual Risk

New or enhanced controls act on a risk in one of three ways: they reduce the number of flaws or errors, they add a targeted control, or they reduce the magnitude of impact. What remains after the controls are applied is the residual risk.

Implementation plan entry for one risk:

Risk (Asset/Threat):   Hacker attack on Internet router
Level of Risk:         High
Recommended Controls:  • Disable external telnet access
                       • Use detailed auditing of privileged command use
                       • Set policy for strong admin passwords
                       • Set backup strategy for router configuration file
                       • Set change control policy for the router configuration
Priority:              High
Selected Controls:     • Implement all recommended controls
                       • Update related procedures with training for affected staff
Required Resources:    • 3 days IT net admin time to change and verify router configuration and write policies
                       • 1 day of training for network administration staff
Responsible Persons:   John Doe, Lead Network System Administrator, Corporate IT Support Team
Start – End Date:      February 6, 2017 to February 9, 2017
Other Comments:        • Need periodic test and review of configuration and policy use

Table 15.5 Silver Star Mines: Implementation Plan

Risk (Asset/Threat):  All risks (generally applicable)
  Level of Risk:        –
  Recommended Controls: 1. Configuration and periodic maintenance policy for servers
                        2. Malicious code (spam, spyware) prevention
                        3. Audit monitoring, analysis, reduction, and reporting on servers
                        4. Contingency planning and incident response policies and procedures
                        5. System backup and recovery procedures
  Priority:             1
  Selected Controls:    1, 2, 3, 4, 5

Risk (Asset/Threat):  Reliability and integrity of SCADA nodes and network
  Level of Risk:        High
  Recommended Controls: 1. Intrusion detection and response system
  Priority:             2
  Selected Controls:    1

Risk (Asset/Threat):  Integrity of stored file and database information
  Level of Risk:        Extreme
  Recommended Controls: 1. Audit of critical documents
                        2. Document creation and storage policy
                        3. User security education and training
  Priority:             3
  Selected Controls:    1, 2, 3

Risk (Asset/Threat):  Availability and integrity of Financial, Procurement, and Maintenance/Production systems
  Level of Risk:        High
  Recommended Controls: – (general controls)
  Priority:             –
  Selected Controls:    – (general controls)

Risk (Asset/Threat):  Availability, integrity, and confidentiality of e-mail
  Level of Risk:        High
  Recommended Controls: 1. Contingency planning – backup e-mail service
  Priority:             4
  Selected Controls:    1