information security

profileg01
MgmtOfInfoSec_6e-Ch08_pr.pptx

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

1

Upon completion of this material, you should be able to:

Describe the dominant InfoSec management models, including national and international standards-based models

Explain why access control is an essential element of InfoSec management

Recommend an InfoSec management model and explain how it can be customized to meet the needs of a particular organization

Describe the fundamental elements of key InfoSec management practices

Learning Objectives

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

2

Introduction to Blueprints, Frameworks, and Security Management Models

Chapter 08: Security Management Models

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

InfoSec models are standards that are used for reference or comparison and often serve as the stepping-off point for emulation and adoption

One way to select a methodology is to adapt or adopt an existing security management model or set of practices

Because each InfoSec environment is unique, you may need to modify or adapt portions of several frameworks; what works well for one organization may not precisely fit another

Introduction to Blueprints, Frameworks, and Security Models

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

The communities of interest accountable for the security of an organization’s information assets must design a working security plan and then implement a management model to execute and maintain that plan

This may begin with the creation or validation of a security framework, followed by an InfoSec blueprint that describes existing controls and identifies other necessary security controls

A framework or security model is the outline of the more thorough and organization-specific blueprint

These documents form the basis for the design, selection, and initial and ongoing implementation of all subsequent security controls, including policy, SETA, and technologies

Introduction to Blueprints, Frameworks, and Security Models (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

5

To generate a usable security blueprint, most organizations draw on established security frameworks, models, and practices

Another way to create a blueprint is to look at the paths taken by other organizations

In this kind of benchmarking, you follow the recommended practices or industry standards

Introduction to Blueprints, Frameworks, and Security Models (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

6

Benchmarking is the comparison of two related measurements

Benchmarking describes both internal and external comparisons

Internal benchmarking, known as baselining, involves comparing organizational performance at some defined state against current or expected performance

External benchmarking involves comparing one’s organizational results against other similar organizations

Introduction to Blueprints, Frameworks, and Security Models (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

Security Management Models

Chapter 08: Security Management Models

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

8

One of the most widely referenced and often discussed security models is Information Technology—Code of Practice for Information Security Management, which was originally published as British Standard BS 7799, later published as ISO/IEC 17799, and then as ISO/IEC 27002

The original purpose of ISO/IEC 27002 was to offer guidance for the management of InfoSec to individuals responsible for their organization’s security programs

According to 27000.org, the standard was “intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings”

The ISO 27000 Series

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

9

Where ISO/IEC 27002 is focused on a broad overview of the various areas of security, providing information on 127 controls over 10 areas, ISO/IEC 27001 provides information on how to implement ISO/IEC 27002 and how to set up an information security management system (ISMS)

One way to determine how closely an organization is complying with ISO 27002 is to use the SANS SCORE (Security Consensus Operational Readiness Evaluation) Audit Checklist, which is based on 17799:2005

The ISO 27000 Series (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

11

ISO 27000 Series current and planned

27000:2016 Series Overview and Terminology

27001:2013 InfoSec Mgmt System Specification

27002:2013 Code of Practice for InfoSec Mgmt

27003:2017 InfoSec Mgmt Systems Implementation Guidance

27004:2016 InfoSec Measurements

27005:2011 ISMS Risk Management

27006:2015 Requirements for Bodies Providing Audit and Certification of an ISMS

27007:2011 Guidelines for ISMS Auditing

27008:2011 Guidelines for InfoSec Auditing

27010:2015 Guidelines for Inter-sector and Inter-organizational Communications

27011:2016 Guidelines for Telecomm orgs

27013:2015 Guideline on the Integrated Implementation of ISO/IEC 20000-1 and ISO/IEC 27001

27014:2013 InfoSec Governance Framework

27015:2012 InfoSec Mgmt Guidelines for Financial Services

27016: 2014 InfoSec and Organizational Economics

27017:2015 Code of practice for InfoSec controls for cloud computing services based on ISO/IEC 27002

27018:2014 Code of practice for PII protection in public clouds acting as PII processors

27019:2013 InfoSec mgmt guidelines for process control systems specific to the energy industry

27023:2015 Mapping the revised editions of ISO/IEC 27001 and 27002

27031:2012 Guidelines for information and communication technology readiness for business continuity

27032:2012 Guidelines for cybersecurity

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

NIST documents have two notable advantages:

they are publicly available at no charge

they have been available for some time; thus they have been broadly reviewed (and updated) by government and industry professionals

You can use the NIST SP (Special Publication) documents listed earlier, along with the discussion provided in this book, to help design a custom security framework for your organization’s InfoSec program

NIST Security Models

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

13

Key NIST SPs

SP 800-12, Rev. 1: Computer Security Handbook

SP 800-14: Generally Accepted Security Principles and Practices

SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal IS

SP 800-30, Rev. 1: Guide for Conducting Risk Assessments

SP 800-34, Rev. 1: Contingency Planning Guide for Federal IS

SP 800-37, Rev. 1: Guide for Applying the Risk Management Framework to Federal IS

SP 800-39: Managing InfoSec Risk: Organization, Mission, and IS View

SP 800-53, Rev. 4: Security and Privacy Controls for Federal IS and Orgs

SP 800-53A, Rev. 4: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans

SP 800-55. Rev. 1: Performance Measurement Guide for InfoSec

SP 800-61, Rev. 2: Computer Security Incident Handling Guide

SP 800-100: Information Security Handbook: A Guide for Managers

SP 800-184: Guide for Cybersecurity Event Recovery

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

Control Objectives for Information and Related Technology (COBIT) also provides advice about the implementation of sound controls and control objectives for InfoSec

COBIT was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992

Control Objectives for Information and Related Technology (COBIT)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

17

COBIT 5 provides five principles focused on the governance and management of IT in an organization:

Principle 1: Meeting Stakeholder Needs

Principle 2: Covering the Enterprise End-to- End

Principle 3: Applying a Single, Integrated Framework

Principle 4: Enabling a Holistic Approach

Principle 5: Separating Governance from Management

Control Objectives for Information and Related Technology (COBIT) (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

18

The COBIT 5 framework also incorporates a series of “enablers” to support the principles:

Principles, policies, and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management

Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals

Organizational structures are the key decision-making entities in an enterprise

Culture, ethics, and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities

Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself

Services, infrastructure, and applications include the infrastructure, technology, and applications that provide the enterprise with information technology processing and services

Control Objectives for Information and related Technology (COBIT) (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

19

COSO of the Treadway Commission is a U.S. private-sector initiative formed in 1985

Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence

COSO has established a common definition of internal controls, standards, and criteria, and helps organizations comply with critical regulations like Sarbanes-Oxley

Committee of Sponsoring Organizations (COSO)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

20

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

Effectiveness and efficiency of operations

Reliability of financial reporting

Compliance with applicable laws and regulations

Committee of Sponsoring Organizations (COSO) (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

21

COSO’s framework is built on five interrelated components:

Control environment

Risk assessment

Control activities

Information and communication

Monitoring

COSO Framework

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

22

The Information Technology Infrastructure Library (ITIL) is a collection of methods and practices useful for managing the development and operation of information technology infrastructures

The ITIL has been produced as a series of books, each of which covers an IT management topic

Since it includes a detailed description of a many significant IT-related practices, it can be tailored to many IT organizations

Information Technology Infrastructure Library (ITIL)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

23

The Information Security Governance Framework is a managerial model that provides guidance in the development and implementation of an organizational information security governance structure

The core of the Information Security Governance Framework includes recommendations for the responsibilities of members of an organization including:

Board of directors/trustees

Senior executives

Executive team members who report to a senior executive

Senior managers

All employees and users

Information Security Governance Framework

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

24

Security Architecture Models

Chapter 08: Security Management Models

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

Security architecture models illustrate information security implementations and can help organizations to quickly make improvements through adaptation

Some models are implemented into computer hardware and software, some are implemented as policies and practices, and some are implemented in both

Some models focus on the confidentiality of information, while other focus on the integrity of the information as it is being processed

Security Architecture Models

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

26

The Trusted Computer System Evaluation Criteria (TCSEC) is an older DoD standard that defines the criteria for assessing the access controls in a computer system

This standard is part of a larger series of standards collectively referred to as the Rainbow Series, due to the color-coding used to uniquely identify each document

TCSEC is also known as the “Orange Book” and is considered the cornerstone of the series

TCSEC was replaced by the “Common Criteria” in 2005

TCSEC and the Trusted Computing Base

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

27

TCSEC defines a trusted computing base (TCB) as the combination of all hardware, firmware, and software responsible for enforcing the security policy

In this context, security policy refers to the rules of configuration for a system, rather than a managerial guidance document

The TCB is made up of the hardware and software that has been implemented to provide security for a particular information system

Trusted Computing Base

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

28

Within the TCB is a conceptual object known as the reference monitor to mediate access to objects by subjects

Systems administrators must be able to audit or periodically review the reference monitor to ensure it is functioning effectively, without unauthorized modification

One of the biggest challenges in TCB is the existence of covert channels

Trusted Computing Base Reference Monitor

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

29

The international standard Information Technology System Evaluation Criteria (ITSEC) is very similar to TCSEC

Under ITSEC, Targets of Evaluation (ToE) are compared to detailed security function specifications, resulting in an assessment of systems functionality and comprehensive penetration testing

Like TCSEC, ITSEC was, for the most part, functionally replaced by the Common Criteria

Information Technology System Evaluation Criteria

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

The Common Criteria for Information Technology Security Evaluation (“Common Criteria” or “CC”) is an international standard (ISO/IEC 15408) for computer security certification

It is widely considered the successor to both TCSEC and ITSEC in that it reconciles some of the differences between the various other standards

The CC process assures that the specification, implementation, and evaluation of computer security products are performed in a rigorous and standard manner

The Common Criteria

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

Access Control Models

Chapter 08: Security Management Models

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

Access controls regulate the admission of users into trusted areas of the organization—both the logical access to the information systems, or the physical access to the organization’s facilities

Access control is maintained by means of a collection of policies, programs to carry out those policies, and technologies that enforce policies

Access Control Models

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

33

The general application of access control comprises four processes:

Obtaining the identity of the entity requesting access to a logical or physical area (identification)

Confirming the identity of the entity seeking access to a logical or physical area (authentication)

Determining which actions an authenticated entity can perform in that physical or logical area (authorization)

Documenting the activities of the authorized individual and systems (accountability)

Access Control Models (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

Access control is built on several key principles:

Least privilege: The principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties

Need to know: Limits a user’s access to the specific information required to perform the currently assigned task, and not merely to the category of data required for a general work function

Separation of duties: A control requiring that significant tasks be split up in such a way that more than one individual is responsible for their completion

Access Control

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

35

Directive—Employs administrative controls such as policy and training designed to proscribe certain user behavior in the organization

Deterrent—Discourages or deters an incipient incident

Preventative—Helps an organization avoid an incident

Detective—Detects or identifies an incident or a threat when it occurs

Corrective—Remedies a circumstance or mitigates damage done during an incident

Recovery—Restores operating conditions back to normal

Compensating—Resolves shortcomings

Categories of Access Controls

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

36

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

A Mandatory Access Control (MAC) is required and is structured and coordinated within a data classification scheme that rates each collection of information as well as each user

These ratings are often referred to as sensitivity levels or classification levels

When MACs are implemented, users and data owners have limited control over access to information resources

Mandatory Access Controls (MACs)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

38

Data owners must classify the information assets for which they are responsible and review the classifications periodically

The U.S. government uses a three-level classification scheme for information deemed to be National Security Information (NSI), as defined in Executive Order 13526:

Top Secret

Secret

Confidential

Simple scheme for other organizations:

Public

For official (or internal) use only

Confidential (or Sensitive)

Data Classification Model

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

39

Another component of a data classification scheme is the personnel security clearance structure, in which each user of an information asset is assigned an authorization level that identifies the level of information classification he or she can access

Most organizations have developed roles and corresponding security clearances so individuals are assigned into authorization levels correlating with the classifications of the information assets

Beyond a simple reliance on the security clearance is the incorporation of the need-to-know principle, based on the requirement that people are not allowed to view data simply because it falls within their level of clearance; they must also have a business-related need-to-know

Security Clearances

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

40

Managing an information asset includes all aspects of its life cycle—from specification to design, acquisition, implementation, use, storage, distribution, backup, recovery, retirement, and destruction

An information asset that has a classification designation other than unclassified or public must be clearly marked as such—with a cover page and headers and footers

To maintain the confidentiality of classified documents, managers can implement a clean desk policy—requiring employees to secure all information in an appropriate storage container at the end of each business day

Managing Classified Information Assets

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

41

When copies of classified information are no longer valuable or too many copies exist, care should be taken to destroy them properly to discourage dumpster diving

While bins stored on private property can be protected from trespassers, in 1998, in California v. Greenwood, the Supreme Court ruled that there is no expectation of privacy for items thrown away in trash or refuse containers

Managing Classified Information Assets (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

42

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

43

Lattice-based access control, a variation on the MAC form of access control, assigns users a matrix of authorizations for particular areas of access

The level of authorization may vary depending on the classification authorizations that individuals possess for each group of information assets or resources

The lattice structure contains subjects and objects, and the boundaries associated with each subject/object pair are clearly demarcated

Lattice-Based Access Controls

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

44

Nondiscretionary controls are determined by a central authority in the organization and can be based on roles—called role-based access controls or RBAC—or on a specified set of tasks—called task-based controls

Role-based controls are tied to the role that a particular user performs in an organization, whereas task-based controls are tied to a particular assignment or responsibility

Nondiscretionary Controls

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

45

Discretionary Access Controls (DACs) are implemented at the discretion or option of the data user

Most personal computer operating systems are designed based on the DAC model

One discretionary model is rule-based access controls where access is granted based on a set of rules specified by the central authority

Discretionary Access Controls (DACs)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

46

Content-dependent access controls—As the name suggests, access to a specific set of information may be dependent on its content (e.g., Marketing information for the Marketing Department)

Constrained user interfaces—Some systems are designed specifically to restrict what information an individual user can access (e.g., ATMs)

Temporal (time-based) isolation—In some cases, access to information is limited by a time-of-day constraint (e.g., time-release safes)

Other Forms of Access Control

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

47

Academic Access Control Models

Chapter 08: Security Management Models

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

The Bell-LaPadula (BLP) confidentiality model is a state machine reference model that helps ensure the confidentiality of an information system by means of mandatory access controls (MACs), data classification, and security clearances

A state machine model is one in which the design follows a conceptual approach in which the state of the content of the system being modeled is always in a known secure condition, in other words, this kind of model is provably secure

Bell-LaPadula Confidentiality Model

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

49

A system that serves as a reference monitor compares the level of classification of the data with the clearance of the entity requesting access; it allows access only if the clearance is equal to or higher than the classification

BLP security rules prevent information from being moved from a level of higher security level to a level of lower security

Bell-LaPadula Confidentiality Model (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

50

Access modes can be one of two types: simple security and the * (star) property

Simple security (also called the read property) prohibits a subject of lower clearance from reading an object of higher classification, but allows a subject with a higher clearance level to read an object at a lower level (read down)

The * property (the write property) prohibits a high-level subject from sending messages to a lower-level object

In short, the principle is “no read up, no write down”

Bell-LaPadula Confidentiality Model (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

51

The Biba integrity model is similar to BLP

The intent is to provide access controls to ensure that objects or subjects cannot have less integrity as a result of read/write operations

The Biba model ensures that no information from a subject can be passed on to an object in a higher security level

This prevents contaminating data of higher integrity with data of lower integrity

Biba Integrity Model

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

52

The Biba Model assigns integrity levels to subjects and objects using two properties: the simple integrity (read) property or the integrity * property (write)

The simple integrity property permits a subject to have read access to an object only if the security level of the subject is either lower or equal to the level of the object

The integrity * property permits a subject to have write access to an object only if the security level of the subject is equal to or higher than that of the object

In short “no write up, no read down”

Biba Integrity Model (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

53

The Clark-Wilson integrity model, which is built upon principles of change control rather than integrity levels, was designed for the commercial environment

The change control principles upon which it operates are:

No changes by unauthorized subjects

No unauthorized changes by authorized subjects

The maintenance of internal and external consistency

Clark-Wilson Integrity Model

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

54

These controls are part of the CWI model:

Subject authentication and identification

Access to objects by means of well-formed transactions

Execution by subjects on a restricted set of programs

The elements of the Clark-Wilson model are:

Constrained data item (CDI)—Data item with protected integrity

Unconstrained data item—Data not controlled by Clark-Wilson; nonvalidated input or any output

Integrity verification procedure (IVP)—Procedure that scans data and confirms its integrity

Transformation procedure (TP)—Procedure that only allows changes to a constrained data item

Clark-Wilson Integrity Model (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

55

The Graham-Denning access control model has three parts: a set of objects, a set of subjects, and a set of rights; subjects are composed of two things: a process and a domain

The eight primitive protection rights are:

Create object

Create subject

Delete object

Delete subject

Read access right

Grant access right

Delete access right

Transfer access right

Graham-Denning Access Control Model

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

The Harrison-Ruzzo-Ullman (HRU) model defines a method to allow changes to access rights and the addition and removal of subjects and objects, a process that the Bell-LaPadula model does not

Since systems change over time, their protective states need to change

HRU is built on an access control matrix and includes a set of generic rights and a specific set of commands

Harrison-Ruzzo-Ullman (HRU) model

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

57

The Brewer-Nash model—commonly known as a Chinese Wall—is designed to prevent a conflict of interest between two parties

The Brewer-Nash model requires users to select one of two conflicting sets of data, after which they cannot access the conflicting data

Brewer-Nash (Chinese Wall)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

58

A framework is the outline of a more thorough blueprint used in the creation of the InfoSec environment. A security model is a generic blueprint offered by a service organization

One of the most widely referenced security models is “ISO/IEC 27001: 2005 Information Technology—Code of Practice for InfoSec Management,” which is designed to give recommendations for InfoSec management. Other approaches to structuring InfoSec management are found in the many documents available from NIST’s Computer Security Resource Center

Control Objectives for Information and Related Technology (COBIT) provides advice about the implementation of sound controls and control objectives for InfoSec

Summary

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

59

The Committee of Sponsoring Organizations (COSO) of the Treadway Commission has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems. The Information Technology Infrastructure Library (ITIL) is a collection of methods and practices useful for managing the development and operation of information technology infrastructures

The Information Security Governance Framework is a managerial model provided by an industry working group that provides guidance in the development and implementation of an organizational InfoSec governance structure

Security architecture models illustrate InfoSec implementations and can help organizations make quick improvements through adaptation. The most common model is the Trusted Computer System Evaluation Criteria (TCSEC)

Summary (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

60

Access controls regulate the admission of users into trusted areas of the organization. Access control comprises four elements: identification, authentication, authorization, and accountability

Access control is built on the principles of least privilege, need-to-know, and separation of duties

Approaches to access control include directive, deterrent, preventative, detective, corrective, recovery, and compensating. Access controls may be classified as management, operational (or administrative), or technical

Mandatory access controls (MACs) are controls required by the system that operate within a data classification and personnel clearance scheme

Summary (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

61

Nondiscretionary controls are determined by a central authority in the organization and can be based on roles or on a specified set of tasks

Discretionary access controls (DACs) are implemented at the discretion or option of the data user

Common academic access control models include the Bell-LaPadula (BLP) confidentiality model, the Biba integrity model, the Clark-Wilson integrity model, the Graham-Denning access control model, the Harrison-Ruzzo-Ullman (HRU) model for access rights, and the Brewer-Nash model

Summary (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

62