Practical Reflection
Chapter 5 – Commonality
Cyber Attacks: Protecting National Infrastructure, 1st ed.
Copyright © 2012, Elsevier Inc. All Rights Reserved
Introduction
• Certain security attributes must be present in all aspects and areas of national infrastructure to ensure maximum resilience against attack
• Best practices, standards, and audits establish a low-water mark for all relevant organizations
• Audits must be both meaningful and measurable
 – Often the most measurable things aren't all that meaningful
Introduction
• Common security-related best practices/standards
 – Federal Information Security Management Act (FISMA)
 – Health Insurance Portability and Accountability Act (HIPAA)
 – Payment Card Industry Data Security Standard (PCI DSS)
 – ETSI Cyber Security Technical Committee (TC-CYBER)
 – ISO/IEC 27000 standard family (ISO27K)
  • ISO 27001 – Security management systems
  • ISO 27002 – Code of practice for InfoSec controls
 – COBIT – Control Objectives for Information and related Technology
 – NIST Cybersecurity Framework
Fig. 5.1 – Illustrative security audits for two organizations
Fig. 5.2 – Relationship between meaningful and measurable requirements
Meaningful Best Practices for Infrastructure Protection
• The primary motivation for proper infrastructure protection should be success-based and economic
 – Not the audit score
• Security of critical components relies on
 – Step #1: Standard audit
 – Step #2: World-class focus
• Sometimes security audit standards and best practices proven through experience are in conflict
Fig. 5.3 – Methodology to achieve world-class infrastructure protection practices
Locally Relevant and Appropriate Security Policy
• Four basic security policy considerations are recommended
 – Enforceable: Policies without enforcement are not valuable
 – Small: Keep it simple and current
 – Online: Policy information needs to be online and searchable
 – Inclusive: Good policy requires analysis in order to include computing and networking elements in the local national infrastructure environment
Fig. 5.4 – Decision process for security policy analysis
Culture of Security Protection
• Create an organizational culture of security protection
• A culture of security is one where standard operating procedures provide a secure environment
• The ideal environment marries creativity and interest in new technologies with caution and a healthy aversion to risk
Fig. 5.5 – Spectrum of organizational culture of security options
Infrastructure Simplification
• Organizations should be explicitly committed to infrastructure simplification
• Common problems found in the design and operation of national infrastructure
 – Lack of generalization
 – Clouding the obvious
 – Stream-of-consciousness design
 – Nonuniformity
Fig. 5.6 – Sample cluttered engineering chart
Fig. 5.7 – Simplified engineering chart
Infrastructure Simplification
• How to simplify a national infrastructure environment
 – Reduce its size
 – Generalize concepts
 – Clean interfaces
 – Highlight patterns
 – Reduce clutter
Certification and Education
• Key decision-makers need certification and education programs
• One hundred percent end-user awareness is impractical; instead, focus on improving the security competence of decision-makers
 – Senior managers
 – Designers and developers
 – Administrators
 – Security team members
• Create low-cost, high-return activities to certify and educate end users
Fig. 5.8 – Return on investment (ROI) trends for security education
Career Path and Reward Structure
• Create and establish career paths and reward structures for security professionals
• These elements should be present in national infrastructure environments
 – Attractive salaries
 – Career paths
 – Senior managers
Responsible Past Security Practice
• Companies and agencies being considered for national infrastructure work should be required to demonstrate past practice in live security incidents
• Companies and agencies must do a better job of managing their inventory of live incidents
Responsible Past Security Practice
• Companies and agencies being considered for national infrastructure work should provide evidence of the following past practices
 – Past damage
 – Past prevention
 – Past response
National Commonality Program
• A national commonality plan involves balancing the following concerns
 – Plethora of existing standards
 – Low-water mark versus world class
 – Existing commissions and boards