Assignment
1
INST569: Data and System Security Lecture 1
Copyright © 2013 University of North America. All rights reserved.
Disciplines in Security Management (diagram; the domains shown, with Security Management at the center):
Security Architectures & Models
Applications & Systems Development Security
Operations Security
Physical Security
Telecommunications & Network Security
Security Management
Laws, Investigations & Ethics
Business Continuity Planning
Cryptography
Access Control Systems & Methodologies
Security Management
Security Management is defined as?
Identification of an organization’s information assets
Development, documentation and implementation
Align people, process and technology to meet organization’s confidentiality, integrity and availability objectives
(Diagram: People, Process and Technology, shown as Balanced, Aligned and Applied)
Security Management - Objectives
Key Objective
Reduce the effects of security threats and vulnerabilities to a level that is tolerable
All levels of the organization (personnel) understand their security-related responsibilities
Access controls should support the principles of least privilege and separation of duties
Emerging Objectives
Demonstrate due diligence and support objective oversight over information processes and electronic evidence.
Support the extension of the organization’s capabilities to address needs and opportunities
Security Management - Concepts
Key Requirements
Confidentiality
Integrity
Availability
Related Concepts
Privacy
Identification
Authentication
Authorization
Accountability
Non-repudiation
Documentation
Conflicts of Interest
Due Diligence
Threat
Vulnerability
Risk
Security Management – Concepts (cont.)
Separation/Segregation of Duties
The principle of separation of duties is that an organization should carefully separate duties, so that the people responsible for checking for inappropriate use are not also capable of committing such inappropriate use.
Least-Privileges
The principle of least privilege is that users should not have access to information or capabilities beyond those required to complete their function.
What does this mean in practice?
No person should be responsible for completing a task involving sensitive, valuable or critical information from beginning to end. Likewise, a single person must not be responsible for approving their own work.
No person should have more access than they require.
Security Management – Concepts (cont.)
Functional Separation
Sales/Engineering
Design/Development
Development/Production
Development/Test
Security/Audit
Accounts Payable/Accounts Receivable
Encryption Key Management/Changing of Keys
Split Knowledge
Encryption keys are separated into two components, each of which does not reveal the other
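Split knowledge and dual control from the two slides above, as an added example that is not part of the lecture: a key is split into XOR components, one per custodian, so no component on its own reveals anything, and the key ceremony enforces the separation-of-duties rule that no single person can complete it. The custodian names, the 3-byte SHA-256 key check value and the n-custodian generalization are constructed for illustration.

```python
"""Split knowledge with dual control (constructed example, not from the lecture)."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Iterable, List


def xor_all(parts: Iterable[bytes]) -> bytes:
    """XOR any number of equal-length byte strings together."""
    parts = list(parts)
    if not parts:
        raise ValueError("need at least one component")
    n = len(parts[0])
    if any(len(p) != n for p in parts):
        raise ValueError("all components must have the same length")
    out = bytearray(n)
    for p in parts:
        for i, byte in enumerate(p):
            out[i] ^= byte
    return bytes(out)


def split_key(key: bytes, n: int = 2) -> List[bytes]:
    """Split `key` into n components: n-1 are fresh random strings and the
    last is key XOR (all the others). Any n-1 components are uniformly
    random, so fewer than all n reveal nothing about the key."""
    if n < 2:
        raise ValueError("split knowledge needs at least two custodians")
    components = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    components.append(xor_all([key] + components))
    return components


def explains_any_key(component: bytes, candidate_key: bytes) -> bytes:
    """Why one component leaks nothing: for ANY candidate key there is a
    counterpart component that combines with `component` to give it."""
    return xor_all([component, candidate_key])


def key_check_value(key: bytes) -> str:
    """Short fingerprint (constructed here as 3 bytes of SHA-256) that lets a
    ceremony confirm the right key was rebuilt without displaying the key."""
    return hashlib.sha256(key).hexdigest()[:6]


@dataclass(frozen=True)
class Component:
    custodian: str   # hypothetical custodian identifier
    value: bytes


def key_ceremony(components: List[Component], expected_kcv: str) -> bytes:
    """Dual control plus separation of duties: every component must come from
    a distinct custodian, and the rebuilt key must match the expected KCV."""
    custodians = [c.custodian for c in components]
    if len(custodians) < 2:
        raise PermissionError("a single custodian may not reconstruct the key")
    if len(set(custodians)) != len(custodians):
        raise PermissionError("each component must be presented by a different custodian")
    key = xor_all(c.value for c in components)
    if key_check_value(key) != expected_kcv:
        raise ValueError("key check value mismatch: missing, wrong or tampered component")
    return key


if __name__ == "__main__":
    master = secrets.token_bytes(16)          # constructed 128-bit key
    kcv = key_check_value(master)
    parts = split_key(master, n=2)
    alice = Component("alice", parts[0])      # hypothetical custodians
    bob = Component("bob", parts[1])
    assert key_ceremony([alice, bob], kcv) == master
    print("ceremony succeeded; KCV", kcv)
```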
General Roles
Executive Management
Have overall responsibility for security.
Chief Information Security Officer
Responsible for the overall security infrastructure including strategy, design, implementation and support.
Information Systems Security Professionals
Responsible for design, implementation, management, and review of the organization’s security policy, standards, measures, practices, procedures and controls
Data Owners
Responsible for determining sensitivity or classification levels of the data as well as maintaining accuracy and integrity of the data resident on the information system.
General Roles (cont.)
Process Owners
Responsible for ensuring the appropriate security, consistent with the security policy, is embedded in their info systems.
Technology Providers
Responsible for assisting with the implementation of information security.
Users
Responsible for following the policies and procedures set out in the organization’s security policy.
Information Systems Auditors
Responsible to provide independent assurance to management on the appropriateness of the security objectives, and on whether the security policies, standards, measures, practices, and procedures are appropriate and comply with the company’s security objectives
IS Responsibilities & Functions
Establish & Maintain Security Program
Develop/implement policies, procedures, guidelines and standards
Maintain resource access controls
Provide guidance on distributed processing & telecommunications security issues
Conduct security awareness training
Provide risk analysis services
Support vulnerability management activities
Support the investigation of incidents
Provide EDP audit coordination
Support Network/System/Application Design and Verification Process
Manage Projects
Prepare Business Cases
Other areas to address:
Employment practices
Background investigations
Hiring and Termination Practices
Security Awareness
People are often the weakest link in the security chain
Must be driven from the top-down
Must be comprehensive, all the way down to the floppy & hard copies
Education
Hard Copies
Web-Based
Training & Education
Emerging Trend – Driven by Regulation
- Continuous, Assessed and Verified
- Others?
Contemporary IS Organization (diagram): Executive Management; Stakeholders; IS Engineer; IS Analyst; Project Management; Business Development; Critical Success Factors.
Primary Functions
Security Policy Management (Governance)
Risk Analysis
Data/Information Classification
Security Governance (Policy Management)
Policies – High-level statements that provide broad direction and signify management’s goals and intentions
Standards – More specific statements that represent a set of requirements needed to establish organizational controls (compulsory)
Guidelines – Non-binding suggestions for compliance with standards (non-compulsory)
Procedures – Step-by-step method to implement requirements of policies and standards (work instructions)
Policy hierarchy (diagram): Senior Management Statement of Policy; General Organizational Policies; Functional Policies; Detailed Procedures; Guidelines; Standards; Tech. Baselines.
Regulatory Requirements
Legal issues often drive an organization’s Information Security practices. Three key pieces of legislation are as follows:
Gramm-Leach-Bliley (GLB) Act (effective July 1, 2001), Privacy of Consumer Financial Information. This Act sets the restrictions for financial institutions on when they may disclose a consumer’s personal financial information to non-affiliated third parties.
Health Insurance Portability and Accountability Act (HIPAA) of 1996 (Privacy compliance required by April 14, 2003; Security compliance required by April 20, 2005). This Act states that all healthcare providers must ensure the privacy of patient information; employ appropriate security controls to support confidentiality, integrity and availability.
Sarbanes-Oxley Act (Section 404) of 2002. This act requires corporate management of publicly traded companies to issue a report on the adequacy and effectiveness of its internal controls, based on documentation and substantive testing/verification.
Common Standards & Criteria Framework
FISCAM
Clinger-Cohen
COBIT
ISO 900X
ISO 17799
HIPAA
GLB
SOA
FERC/NERC
Policy Implementation
General Process
Identify Purpose
Set objectives
Assign responsibility
Provide resources
Allocate staff
Implement using standards, procedures & guidelines
Types of Policies
Access Controls
Use Of Computing Resources
Micro Computing
Networking
Telecommunications
Safeguarding Sensitive Information
Disaster Recovery
Emergency Notification
Records Retention
Copying Copyrighted Publications/Software
Data classification
Media Disposal
Other Activities?
- Cost/Benefit/Impact Assessment
- Enforcement Considerations
- User Access and maintenance
- Compliance Monitoring
Security Governance Example
(Diagram; labels as shown: Enterprise Systems; Baselines; Policies; Standards; Dev; Exceptions; Policy Management; Policy; Procedure; Standards; SOP’s; TSR’s; Compliance Monitoring Tool; Intranet Update Process (Remove, Add, Update); Exception Handling; Users; Policy, Standards, TSR’s; User Accounts, Roles and Access; Web Standards; Exception Management; Access Management; Control Criteria.)
Risk Management
What is Risk Management?
To mitigate risk, which means reducing it until it reaches an acceptable level.
It is forward looking and serves to identify and assess potential threats to an organization and its information
Who defines what an acceptable level of risk is?
Can risk be eliminated or reduced completely?
What are the main components of risk management?
1. Identification
2. Analysis
3. Control
4. Minimization of loss
Key Risk Management Activities
(Diagram: Risk Analysis; Vulnerability Assessment; Security Management; Business)
Summary of Overall Approach
Identify what you’re protecting yourself from; then select an appropriate security strategy
Risk management answers fundamental questions:
Identify assets - What am I trying to protect?
Identify risks/threats - What do I need to protect against?
Prioritize risks – Which risks are most critical to protect against?
Measure/define impacts – What could happen if the risk materializes?
Determine costs/benefits - How much time, effort & money am I willing to expend to obtain adequate protection?
After risks are determined, develop/revise:
the policies & procedures needed to support the reduction of risks
define detective, preventive or corrective safeguards (controls) to mitigate the risk (high level)
Identify solutions with high likelihood of success for the organization.
Data/Information Classification
What is a data classification?
A process-driven activity that categorizes organizational information for the purpose of managing and monitoring its usage, transmittal, storage and disposal, and the safeguards that ensure its protection.
When is data or information classification necessary?
It prioritizes the data that needs to be protected.
It is necessary when authorized or unauthorized disclosure has an impact on the tangible or intangible assets of the organization or the mission it serves.
What are data classification’s objectives?
General
Minimize information risks like destruction, alteration or disclosure
Government
Avoid unauthorized disclosure
Comply with privacy law
Commercial
Maintain competitive edge
Protect legal tactics
Comply with laws
Roles and Models
Owners
Responsible for security
Determine sensitivity/criticality
Custodians
Possess information
Implement/administer controls IAW owner’s instructions
Users
Access data
Need to know basis
Comply with controls
Government:
Top Secret
Secret
Confidential
Unclassified
Commercial:
Eyes only
For Internal Use Only
Company confidential
Public
Leading Practices – Security Management
Keeping the business risks associated with information systems under control within an enterprise requires clear direction from executive management, allocation of adequate resources, and effective arrangements for promoting good information security practices across the enterprise.
Management Commitment
Security policy
Personnel policies
Established security organization – with accountability
Technical competency
Routine and special security awareness and education program
Data security and value classification
Accountability/ownership assignment
On-going risk analysis program
Established and current standards, procedures
Layered security architecture
Complete physical protections
Business continuity program
Ongoing monitoring
Management review and oversight
Integrated Information Security Framework
Information Security - Defined
Information Security is?
Protection of classified information that is stored on computers or transmitted by radio, telephone, teletype, or any other means.
The protection of information against unauthorized disclosure, transfer, modification, or destruction, whether accidental or intentional.
The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.
Ideal Attributes (Good)
Enabling, cost effective, contemporary
Unfortunate Attributes (Bad)
Cost of doing business, restrictive, overly complex, administratively burdensome
Avoidable Attributes (Ugly)
Ineffective, does not support business requirements
What does business expect from information security?
Challenges and Barriers
Where do security professionals typically fail?
Understanding the impact and implication of security on business and operations
Integrating the security engineering lifecycle with the IT development lifecycle
Positioning the need or case for change in terms that the business can understand
Working with management to develop and implement the process for change
Standard Conventions to dispel
Information security viewed as a cost vs. enabler
Approached as a ‘religion’, not a business-driven function
Emphasis just on technology, less on people, organization and process
Approaches to Security
There are many ways to address the application of security to contemporary organizations: the method or approach needs to be selected, one size does not fit all.
There are approaches to address a security need or requirement that do not involve technology. The important aspect of this is understanding the implications of the approach to a particular business. In some regards, it is the difference between being a security professional and a security product/service vendor.
Awareness and understanding of the scope of security have evolved over the past forty years. Each advancement added additional insights and features of security that addressed business and operational considerations.
Evolution of Information Security
(Timeline diagram. Milestone years shown: 1960, 1970, 1980, 1983, 1988, 1995, 200X. Stages shown: Industrial Security, Communication Security, Computer Security, Data Security, Information Security, Information System Security, Enterprise Protection, Enterprise Risk Management.)
Evolution of Information Security
There are now ten domains in the Common Body of Knowledge associated with Information Security. Information Security Management plays a central role in integrating the ten domains, but each domain has its specific characteristics and skill requirements.
Most information security professionals enter the INFOSEC discipline through one or more areas, and don't typically get experience in integrating their skills until much later in their career.
Information Security Disciplines
(Diagram; the ten domains, with Information Security Management at the center)
Security Architectures & Models
Applications & Systems Development Security
Operations Security
Physical Security
Telecommunications & Network Security
Information Security Management
Laws, Investigations & Ethics
Business Continuity Planning
Cryptography
Access Control Systems & Methodologies
Purpose of Slide
Graphically depict the 10 areas of study that will be covered during the next 8 weeks.
Objectives/Discussion Points
While the arrangement of the domains is somewhat arbitrary, the placement of security management in the center is accurate in illustrating the role, function and interaction of the information security management function.
Ask the class – do they have experience in any one or more of the areas? Ask them to specify.
Ask the class – if applicable, what is/was the method for introduction or preparation?
Ask the class – if applicable, what was the interaction between their area and other areas depicted?
Most information security professionals enter the discipline through one or more areas, and don’t typically get experience with the majority until much later in their career. The benefit of this class is that it provides a wide or comprehensive look at the areas, similar to the preparation of a general practitioner in medicine. During the course of the class and the program, it is likely that the students will find one or more area that they wish to specialize in, either in a profession or advanced research.
Key Points/Take-Aways or Summary
The domains are presented separately, and the degree that the students can recognize and leverage the interactions and dependencies will play a direct role in how they are able to apply the knowledge.
Transition to next slide:
That said, let’s start off the discussion with Security Management {next slide}
Security Awareness
Aspects of the Contemporary Security
Awareness Program
Key Points
Policy based
Mirrors management’s perspective regarding users’ responsibilities
Component of risk management program
Contents
Introduces security features and standards for the organization
Acceptable Use and Disclosure/policies
Addresses security responsibilities and reporting structures
Identifies and categorizes incidents
Establishes reporting procedures
Laws Related to Security
Many types of legal systems exist
Common law
Religious law
Civil law
Common law of the US
Three branches
Legislative – make statutory laws
Administrative – make administrative laws
Judicial – make common laws found in courts
Compilation of Statutory Law
Statutory laws are collected as session laws which are arranged in order of enactment, or as codes that arrange the law according to subject matter.
In US law (state and federal), session laws are found in the Statutes at Large (Stat.) and statutory codes are held in the United States Code (U.S.C.).
United States Code
The USC contains the following elements
Code title number
Abbreviation for the code (U.S.C.)
Statutory section number
Date of the edition or supplement
Example: “18 U.S.C. § 1001 (1992)”
Title 18 of the United States Code, Crimes and Criminal Procedure, is the title under which many computer crimes are prosecuted; the example cites section 1001 of that title.
Computer Fraud and Abuse Act – “18 U.S.C. § 1030 (1986)”
Compilation of Administrative Law
Arranged chronologically in administrative registers or by subject matter in administrative codes.
Federal Register (Fed. Reg.)
Code of Federal Regulations (C.F.R.)
C.F.R. citations contain
Number of C.F.R. title
Abbreviation of the code
Section number
Year of publication
Example: “12 C.F.R. § 100.4 (1992)”
Common Law
System Categories
Criminal Law – covers crime that violates government laws enacted for the protection of the public. Punishment can be financial penalties and imprisonment.
Civil Law – covers crime that results in damage or loss to individuals or organizations. Financial punishment can be inflicted for punitive, compensatory, or statutory damages.
Administrative Law – Standards for performance and conduct by government agencies. Punishment can be financial penalties and imprisonment.
Common Law
Other Categories
Intellectual Property Law
Patent – legally enforceable right to prevent others from practicing the invention for a period of time (17 years in the US)
Copyright – protects ‘original works of authorship’ from reproduction, adaptation, public distribution, and performances of the work.
Trade Secret – secures and maintains confidentiality of proprietary technical or business information.
Trademark – Establishes a word, name, symbol, etc. to identify goods and distinguish them from others.
Information Privacy Law
Protection of information about private individuals from disclosure or misuse.
Common Law
Intellectual property rights
Security Techniques to Protect Trade Secrets
Numbering Copies
Logging Document Issuance
Checking Files & Workstations
Secure Storage
Controlled Distribution
Limitations on Copying
Contractual Commitments to Protect Proprietary Rights
Licensing Agreements with Vendors
Liability for Compliance
Common Law
Information Privacy Law
EU law is more strict than US law
Principles
Data should be collected in accordance with the law
Information about an individual cannot be disclosed without permission of the law or individual
Records kept should be accurate and up to date
Individuals can correct errors in their personal data
Individuals can receive a report of data held on them
Personal information can only be transferred to locations where equivalent data protection is in place.
Common Law
Information Privacy (cont)
Example: private medical information
Healthcare security issues
Access controls need more granularity and least privilege
Most applications do not incorporate adequate security controls
Systems must be accessible to outside partners and members
Providing internet access to records
Criminal and Civil penalties can be imposed
Misuse of information can lead to public perception changing about an organization
Common Law
Information Privacy (cont)
Health Insurance Portability and Accountability Act (HIPAA )
August 21, 1996
Addresses issues of health care privacy in the US.
Rights that an individual who is a subject of individually identifiable health information should have
Procedures that should be established for the exercise of such rights
Uses and disclosures of information that should be authorized or required
Common Law
Electronic Monitoring
Must be conducted in a lawful manner
Must be applied in a consistent fashion
Enticement – occurs after unauthorized access is gained (honeypot)
Entrapment – encourages commission of a crime.
Computer Crime Laws
Federal
Computer Fraud and Abuse Act (Title 18, U.S. Code, 1030) prosecutes for:
*Accessing Federal Interest Computer (FIC) to acquire national defense information
Accessing an FIC to obtain financial information
Accessing an FIC to deny the use of the computer
*Accessing an FIC to effect a fraud
*Damaging or denying use of an FIC through transmission of code, program, information or command
Furthering a fraud by trafficking in passwords
Computer Crime Laws
Federal
Economic Espionage Act of 1996: Obtaining trade secrets to benefit a foreign entity
Electronic Funds Transfer Act: Covers using, transporting, selling, receiving or furnishing counterfeit, altered, lost, stolen, or fraudulently obtained debit instruments in interstate or foreign commerce.
Child Pornography Prevention Act of 1996 (CPPA): Prohibits use of computer technology to produce child pornography.
Computer Security Act of 1987: Requires Federal Executive agencies to Establish Computer Security Programs.
Federal Computer Crime Laws (cont)
Electronic Communications Privacy Act (ECPA): Prohibits unauthorized interception or retrieval of electronic communications
Fair Credit Reporting Act: Governs the types of data that companies may collect on private citizens & how it may be used.
Foreign Corrupt Practices Act: Covers improper foreign operations, but applies to all companies registered with the SEC, and requires companies to institute security programs.
Freedom of Information Act: Permits public access to information collected by the Federal Executive Branch.
Computer Laws (continued)
Civil Law (Tort Law) - Getting sued for damages
Damage/Loss to an Individual or Business
Type of Punishment Different: No Incarceration
Primary Purpose is Financial Restitution
Compensatory Damages: Actual Damages, Attorney Fees, Lost Profits, Investigation Costs
Punitive Damages: Set by Jury to Punish Offender
Statutory Damages: Established by Law
Easier to Obtain Conviction: Preponderance of Evidence
Impoundment Orders/Writs of Possession: Equivalent to Search Warrant
Compensatory - Actual damages, attorney fees, lost profits, investigation costs
Punitive - Set by Jury, punish offender
Statutory - Damages established by law, violation entitles victim
Computer Laws (continued)
International Law: Lots of Problems
Lack of Universal Cooperation
Differences in Interpretations of Laws
Outdated Laws Against Fraud
Problems with Evidence Admissibility
Extradition
Low Priority
Computer Crime
Computer Crime has to be treated as a Separate Category because ordinary rules don’t or can’t apply.
Rules of Property: Lack of Tangible Assets
Rules of Evidence: Lack of Original Documents
Threats to Integrity and Confidentiality: Goes beyond normal definition of a loss
Value of Data: Difficult to Measure. Cases of Restitution only for Media
Terminology: Statutes have not kept pace. Is computer hardware “Machinery”? Does software qualify as “Supplies”?
Computer Crime (continued)
Difficulties in Prosecution
Understanding of computer issues: Judges, Lawyers, Police, Jurors
Evidence: Lack of Tangible Evidence
Forms of Assets: e.g., Magnetic Particles, Computer Time
Juveniles:
Many Perpetrators are Juveniles
Adults Don’t Take Juvenile Crime Seriously
Protection for Computer Objects
Hardware - Patents
Firmware
Patents for Physical Devices
Trade Secret Protection for Code
Object Code Software - Copyrights
Source Code Software - Trade Secrets
Documentation - Copyrights
Corporate Record Keeping
Accuracy of Computer Records: Potential Use in Court
IRS Rules: Inadequate Controls May Impact Audit Findings
Labor and Management Relations
Collective Bargaining: Disciplinary Actions, Workplace Rules
Work Stoppage
Limitations on Background Investigations
Limitations on Drug and Polygraph Testing
Disgruntled Employees
Non-Disclosure Requirements
Immigration Laws
Establishment and Enforcement of Security Rules
Management Problems
Management Problems (cont)
Data Communications: Disclosure through -
Eavesdropping and Interception
Loss of Confidential Information
Outsourcing Issues
Contract Review
Review of Contractor’s Capabilities
Impact of Downsizing
Contractor Use of Proprietary Software
Management Problems (cont)
Personal Injury Liability
Employee Safety
Carpal Tunnel Syndrome
Radiation Injury
Insurance Against Legal Liability
Requirements for Security Precautions
Right to Inspect Premises
Cooperation with Insurance Company
Limiting Legal Liability
Due Care: Minimum and Customary Practice of Responsible Protection of Assets
Due Diligence: The Prudent Management and Execution of Due Care
Programming Errors: Take reasonable precautions for -
Loss of a Program
Unauthorized Revisions
Availability of Backup Versions
Product Liability
Liability for Database Inaccuracies: Due to Security Breaches
European Union: No Limits on Personal Liability for Personal Injury
Limiting Legal Liability (cont)
Liability for Defamation
Libel Due to Inaccuracy of Data
Unauthorized Release of Confidential Information
Alteration of Visual Images
Foreign Corrupt Practices Act
Mandate for Security Controls or Cost/Benefit Analysis
Potential SEC Litigation
(Organization chart, diagram residue. Roles shown: CEO/President; CIO/CTO; CISO/Director; Audit Committee; Legal; Corp. Communications; Operations/Business Units; Finance & Accounting; Technology/Director. Functions shown: Management Reporting; Policy Management; Security Awareness and Training; Risk Assessments; Risk Management; Threat Assessment; Threat Monitoring; Incident Response; Virus Management; Vulnerability Assessment; Vulnerability Monitoring; Threat/Vulnerability Management; Account Management; Resource Management; Asset Classification; Change Control; Asset Management; Operations; Advisory Services; Internal/External Risk Assessments; Architecture and Design Services; Design Services; Development Support; Investigation and Forensics; Engineering and Design.)