information security
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
1
Upon completion of this material, you should be able to:
Describe the dominant InfoSec management models, including national and international standards-based models
Explain why access control is an essential element of InfoSec management
Recommend an InfoSec management model and explain how it can be customized to meet the needs of a particular organization
Describe the fundamental elements of key InfoSec management practices
Learning Objectives
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
2
Introduction to Blueprints, Frameworks, and Security Management Models
Chapter 08: Security Management Models
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
InfoSec models are standards that are used for reference or comparison and often serve as the stepping-off point for emulation and adoption
One way to select a methodology is to adapt or adopt an existing security management model or set of practices
Because each InfoSec environment is unique, you may need to modify or adapt portions of several frameworks; what works well for one organization may not precisely fit another
Introduction to Blueprints, Frameworks, and Security Models
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
The communities of interest accountable for the security of an organization’s information assets must design a working security plan and then implement a management model to execute and maintain that plan
This may begin with the creation or validation of a security framework, followed by an InfoSec blueprint that describes existing controls and identifies other necessary security controls
A framework or security model is the outline of the more thorough and organization-specific blueprint
These documents form the basis for the design, selection, and initial and ongoing implementation of all subsequent security controls, including policy, SETA, and technologies
Introduction to Blueprints, Frameworks, and Security Models (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
5
To generate a usable security blueprint, most organizations draw on established security frameworks, models, and practices
Another way to create a blueprint is to look at the paths taken by other organizations
In this kind of benchmarking, you follow the recommended practices or industry standards
Introduction to Blueprints, Frameworks, and Security Models (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
6
Benchmarking is the comparison of two related measurements
Benchmarking describes both internal and external comparisons
Internal benchmarking, known as baselining, involves comparing organizational performance at some defined state against current or expected performance
External benchmarking involves comparing one’s organizational results against other similar organizations
Introduction to Blueprints, Frameworks, and Security Models (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
Security Management Models
Chapter 08: Security Management Models
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
8
One of the most widely referenced and often discussed security models is Information Technology—Code of Practice for Information Security Management, which was originally published as British Standard BS 7799, later published as ISO/IEC 17799, and then as ISO/IEC 27002
The original purpose of ISO/IEC 27002 was to offer guidance for the management of InfoSec to individuals responsible for their organization’s security programs
According to 27000.org, the standard was “intended to provide a common basis for developing organizational security standards and effective security management practice and to provide confidence in inter-organizational dealings”
The ISO 27000 Series
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
9
Where ISO/IEC 27002 is focused on a broad overview of the various areas of security, providing information on 127 controls over 10 areas, ISO/IEC 27001 provides information on how to implement ISO/IEC 27002 and how to set up an information security management system (ISMS)
One way to determine how closely an organization is complying with ISO 27002 is to use the SANS SCORE (Security Consensus Operational Readiness Evaluation) Audit Checklist, which is based on 17799:2005
The ISO 27000 Series (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
11
ISO 27000 Series current and planned
27000:2016 Series Overview and Terminology
27001:2013 InfoSec Mgmt System Specification
27002:2013 Code of Practice for InfoSec Mgmt
27003:2017 InfoSec Mgmt Systems Implementation Guidance
27004:2016 InfoSec Measurements
27005:2011 ISMS Risk Management
27006:2015 Requirements for Bodies Providing Audit and Certification of an ISMS
27007:2011 Guidelines for ISMS Auditing
27008:2011 Guidelines for InfoSec Auditing
27010:2015 Guidelines for Inter-sector and Inter-organizational Communications
27011:2016 Guidelines for Telecomm orgs
27013:2015 Guideline on the Integrated Implementation of ISO/IEC 20000-1 and ISO/IEC 27001
27014:2013 InfoSec Governance Framework
27015:2012 InfoSec Mgmt Guidelines for Financial Services
27016: 2014 InfoSec and Organizational Economics
27017:2015 Code of practice for InfoSec controls for cloud computing services based on ISO/IEC 27002
27018:2014 Code of practice for PII protection in public clouds acting as PII processors
27019:2013 InfoSec mgmt guidelines for process control systems specific to the energy industry
27023:2015 Mapping the revised editions of ISO/IEC 27001 and 27002
27031:2012 Guidelines for information and communication technology readiness for business continuity
27032:2012 Guidelines for cybersecurity
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
NIST documents have two notable advantages:
they are publicly available at no charge
they have been available for some time; thus they have been broadly reviewed (and updated) by government and industry professionals
You can use the NIST SP (Special Publication) documents listed earlier, along with the discussion provided in this book, to help design a custom security framework for your organization’s InfoSec program
NIST Security Models
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
13
Key NIST SPs
SP 800-12, Rev. 1: Computer Security Handbook
SP 800-14: Generally Accepted Security Principles and Practices
SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal IS
SP 800-30, Rev. 1: Guide for Conducting Risk Assessments
SP 800-34, Rev. 1: Contingency Planning Guide for Federal IS
SP 800-37, Rev. 1: Guide for Applying the Risk Management Framework to Federal IS
SP 800-39: Managing InfoSec Risk: Organization, Mission, and IS View
SP 800-53, Rev. 4: Security and Privacy Controls for Federal IS and Orgs
SP 800-53A, Rev. 4: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans
SP 800-55. Rev. 1: Performance Measurement Guide for InfoSec
SP 800-61, Rev. 2: Computer Security Incident Handling Guide
SP 800-100: Information Security Handbook: A Guide for Managers
SP 800-184: Guide for Cybersecurity Event Recovery
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
Control Objectives for Information and Related Technology (COBIT) also provides advice about the implementation of sound controls and control objectives for InfoSec
COBIT was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992
Control Objectives for Information and Related Technology (COBIT)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
17
COBIT 5 provides five principles focused on the governance and management of IT in an organization:
Principle 1: Meeting Stakeholder Needs
Principle 2: Covering the Enterprise End-to- End
Principle 3: Applying a Single, Integrated Framework
Principle 4: Enabling a Holistic Approach
Principle 5: Separating Governance from Management
Control Objectives for Information and Related Technology (COBIT) (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
18
The COBIT 5 framework also incorporates a series of “enablers” to support the principles:
Principles, policies, and frameworks are the vehicle to translate the desired behavior into practical guidance for day-to-day management
Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving overall IT-related goals
Organizational structures are the key decision-making entities in an enterprise
Culture, ethics, and behavior of individuals and of the enterprise are very often underestimated as a success factor in governance and management activities
Information is required for keeping the organization running and well governed, but at the operational level, information is very often the key product of the enterprise itself
Services, infrastructure, and applications include the infrastructure, technology, and applications that provide the enterprise with information technology processing and services
Control Objectives for Information and related Technology (COBIT) (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
19
COSO of the Treadway Commission is a U.S. private-sector initiative formed in 1985
Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence
COSO has established a common definition of internal controls, standards, and criteria, and helps organizations comply with critical regulations like Sarbanes-Oxley
Committee of Sponsoring Organizations (COSO)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
20
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
Effectiveness and efficiency of operations
Reliability of financial reporting
Compliance with applicable laws and regulations
Committee of Sponsoring Organizations (COSO) (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
21
COSO’s framework is built on five interrelated components:
Control environment
Risk assessment
Control activities
Information and communication
Monitoring
COSO Framework
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
22
The Information Technology Infrastructure Library (ITIL) is a collection of methods and practices useful for managing the development and operation of information technology infrastructures
The ITIL has been produced as a series of books, each of which covers an IT management topic
Since it includes a detailed description of a many significant IT-related practices, it can be tailored to many IT organizations
Information Technology Infrastructure Library (ITIL)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
23
The Information Security Governance Framework is a managerial model that provides guidance in the development and implementation of an organizational information security governance structure
The core of the Information Security Governance Framework includes recommendations for the responsibilities of members of an organization including:
Board of directors/trustees
Senior executives
Executive team members who report to a senior executive
Senior managers
All employees and users
Information Security Governance Framework
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
24
Security Architecture Models
Chapter 08: Security Management Models
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
Security architecture models illustrate information security implementations and can help organizations to quickly make improvements through adaptation
Some models are implemented into computer hardware and software, some are implemented as policies and practices, and some are implemented in both
Some models focus on the confidentiality of information, while other focus on the integrity of the information as it is being processed
Security Architecture Models
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
26
The Trusted Computer System Evaluation Criteria (TCSEC) is an older DoD standard that defines the criteria for assessing the access controls in a computer system
This standard is part of a larger series of standards collectively referred to as the Rainbow Series, due to the color-coding used to uniquely identify each document
TCSEC is also known as the “Orange Book” and is considered the cornerstone of the series
TCSEC was replaced by the “Common Criteria” in 2005
TCSEC and the Trusted Computing Base
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
27
TCSEC defines a trusted computing base (TCB) as the combination of all hardware, firmware, and software responsible for enforcing the security policy
In this context, security policy refers to the rules of configuration for a system, rather than a managerial guidance document
The TCB is made up of the hardware and software that has been implemented to provide security for a particular information system
Trusted Computing Base
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
28
Within the TCB is a conceptual object known as the reference monitor to mediate access to objects by subjects
Systems administrators must be able to audit or periodically review the reference monitor to ensure it is functioning effectively, without unauthorized modification
One of the biggest challenges in TCB is the existence of covert channels
Trusted Computing Base Reference Monitor
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
29
The international standard Information Technology System Evaluation Criteria (ITSEC) is very similar to TCSEC
Under ITSEC, Targets of Evaluation (ToE) are compared to detailed security function specifications, resulting in an assessment of systems functionality and comprehensive penetration testing
Like TCSEC, ITSEC was, for the most part, functionally replaced by the Common Criteria
Information Technology System Evaluation Criteria
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
The Common Criteria for Information Technology Security Evaluation (“Common Criteria” or “CC”) is an international standard (ISO/IEC 15408) for computer security certification
It is widely considered the successor to both TCSEC and ITSEC in that it reconciles some of the differences between the various other standards
The CC process assures that the specification, implementation, and evaluation of computer security products are performed in a rigorous and standard manner
The Common Criteria
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
Access Control Models
Chapter 08: Security Management Models
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
Access controls regulate the admission of users into trusted areas of the organization—both the logical access to the information systems, or the physical access to the organization’s facilities
Access control is maintained by means of a collection of policies, programs to carry out those policies, and technologies that enforce policies
Access Control Models
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
33
The general application of access control comprises four processes:
Obtaining the identity of the entity requesting access to a logical or physical area (identification)
Confirming the identity of the entity seeking access to a logical or physical area (authentication)
Determining which actions an authenticated entity can perform in that physical or logical area (authorization)
Documenting the activities of the authorized individual and systems (accountability)
Access Control Models (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
Access control is built on several key principles:
Least privilege: The principle by which members of the organization can access the minimum amount of information for the minimum amount of time necessary to perform their required duties
Need to know: Limits a user’s access to the specific information required to perform the currently assigned task, and not merely to the category of data required for a general work function
Separation of duties: A control requiring that significant tasks be split up in such a way that more than one individual is responsible for their completion
Access Control
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
35
Directive—Employs administrative controls such as policy and training designed to proscribe certain user behavior in the organization
Deterrent—Discourages or deters an incipient incident
Preventative—Helps an organization avoid an incident
Detective—Detects or identifies an incident or a threat when it occurs
Corrective—Remedies a circumstance or mitigates damage done during an incident
Recovery—Restores operating conditions back to normal
Compensating—Resolves shortcomings
Categories of Access Controls
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
36
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
A Mandatory Access Control (MAC) is required and is structured and coordinated within a data classification scheme that rates each collection of information as well as each user
These ratings are often referred to as sensitivity levels or classification levels
When MACs are implemented, users and data owners have limited control over access to information resources
Mandatory Access Controls (MACs)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
38
Data owners must classify the information assets for which they are responsible and review the classifications periodically
The U.S. government uses a three-level classification scheme for information deemed to be National Security Information (NSI), as defined in Executive Order 13526:
Top Secret
Secret
Confidential
Simple scheme for other organizations:
Public
For official (or internal) use only
Confidential (or Sensitive)
Data Classification Model
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
39
Another component of a data classification scheme is the personnel security clearance structure, in which each user of an information asset is assigned an authorization level that identifies the level of information classification he or she can access
Most organizations have developed roles and corresponding security clearances so individuals are assigned into authorization levels correlating with the classifications of the information assets
Beyond a simple reliance on the security clearance is the incorporation of the need-to-know principle, based on the requirement that people are not allowed to view data simply because it falls within their level of clearance; they must also have a business-related need-to-know
Security Clearances
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
40
Managing an information asset includes all aspects of its life cycle—from specification to design, acquisition, implementation, use, storage, distribution, backup, recovery, retirement, and destruction
An information asset that has a classification designation other than unclassified or public must be clearly marked as such—with a cover page and headers and footers
To maintain the confidentiality of classified documents, managers can implement a clean desk policy—requiring employees to secure all information in an appropriate storage container at the end of each business day
Managing Classified Information Assets
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
41
When copies of classified information are no longer valuable or too many copies exist, care should be taken to destroy them properly to discourage dumpster diving
While bins stored on private property can be protected from trespassers, in 1998, in California v. Greenwood, the Supreme Court ruled that there is no expectation of privacy for items thrown away in trash or refuse containers
Managing Classified Information Assets (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
42
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
43
Lattice-based access control, a variation on the MAC form of access control, assigns users a matrix of authorizations for particular areas of access
The level of authorization may vary depending on the classification authorizations that individuals possess for each group of information assets or resources
The lattice structure contains subjects and objects, and the boundaries associated with each subject/object pair are clearly demarcated
Lattice-Based Access Controls
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
44
Nondiscretionary controls are determined by a central authority in the organization and can be based on roles—called role-based access controls or RBAC—or on a specified set of tasks—called task-based controls
Role-based controls are tied to the role that a particular user performs in an organization, whereas task-based controls are tied to a particular assignment or responsibility
Nondiscretionary Controls
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
45
Discretionary Access Controls (DACs) are implemented at the discretion or option of the data user
Most personal computer operating systems are designed based on the DAC model
One discretionary model is rule-based access controls where access is granted based on a set of rules specified by the central authority
Discretionary Access Controls (DACs)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
46
Content-dependent access controls—As the name suggests, access to a specific set of information may be dependent on its content (e.g., Marketing information for the Marketing Department)
Constrained user interfaces—Some systems are designed specifically to restrict what information an individual user can access (e.g., ATMs)
Temporal (time-based) isolation—In some cases, access to information is limited by a time-of-day constraint (e.g., time-release safes)
Other Forms of Access Control
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
47
Academic Access Control Models
Chapter 08: Security Management Models
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
The Bell-LaPadula (BLP) confidentiality model is a state machine reference model that helps ensure the confidentiality of an information system by means of mandatory access controls (MACs), data classification, and security clearances
A state machine model is one in which the design follows a conceptual approach in which the state of the content of the system being modeled is always in a known secure condition, in other words, this kind of model is provably secure
Bell-LaPadula Confidentiality Model
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
49
A system that serves as a reference monitor compares the level of classification of the data with the clearance of the entity requesting access; it allows access only if the clearance is equal to or higher than the classification
BLP security rules prevent information from being moved from a level of higher security level to a level of lower security
Bell-LaPadula Confidentiality Model (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
50
Access modes can be one of two types: simple security and the * (star) property
Simple security (also called the read property) prohibits a subject of lower clearance from reading an object of higher classification, but allows a subject with a higher clearance level to read an object at a lower level (read down)
The * property (the write property) prohibits a high-level subject from sending messages to a lower-level object
In short, the principle is “no read up, no write down”
Bell-LaPadula Confidentiality Model (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
51
The Biba integrity model is similar to BLP
The intent is to provide access controls to ensure that objects or subjects cannot have less integrity as a result of read/write operations
The Biba model ensures that no information from a subject can be passed on to an object in a higher security level
This prevents contaminating data of higher integrity with data of lower integrity
Biba Integrity Model
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
52
The Biba Model assigns integrity levels to subjects and objects using two properties: the simple integrity (read) property or the integrity * property (write)
The simple integrity property permits a subject to have read access to an object only if the security level of the subject is either lower or equal to the level of the object
The integrity * property permits a subject to have write access to an object only if the security level of the subject is equal to or higher than that of the object
In short “no write up, no read down”
Biba Integrity Model (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
53
The Clark-Wilson integrity model, which is built upon principles of change control rather than integrity levels, was designed for the commercial environment
The change control principles upon which it operates are:
No changes by unauthorized subjects
No unauthorized changes by authorized subjects
The maintenance of internal and external consistency
Clark-Wilson Integrity Model
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
54
These controls are part of the CWI model:
Subject authentication and identification
Access to objects by means of well-formed transactions
Execution by subjects on a restricted set of programs
The elements of the Clark-Wilson model are:
Constrained data item (CDI)—Data item with protected integrity
Unconstrained data item—Data not controlled by Clark-Wilson; nonvalidated input or any output
Integrity verification procedure (IVP)—Procedure that scans data and confirms its integrity
Transformation procedure (TP)—Procedure that only allows changes to a constrained data item
Clark-Wilson Integrity Model (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
55
The Graham-Denning access control model has three parts: a set of objects, a set of subjects, and a set of rights; subjects are composed of two things: a process and a domain
The eight primitive protection rights are:
Create object
Create subject
Delete object
Delete subject
Read access right
Grant access right
Delete access right
Transfer access right
Graham-Denning Access Control Model
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
The Harrison-Ruzzo-Ullman (HRU) model defines a method to allow changes to access rights and the addition and removal of subjects and objects, a process that the Bell-LaPadula model does not
Since systems change over time, their protective states need to change
HRU is built on an access control matrix and includes a set of generic rights and a specific set of commands
Harrison-Ruzzo-Ullman (HRU) model
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
57
The Brewer-Nash model—commonly known as a Chinese Wall—is designed to prevent a conflict of interest between two parties
The Brewer-Nash model requires users to select one of two conflicting sets of data, after which they cannot access the conflicting data
Brewer-Nash (Chinese Wall)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
58
A framework is the outline of a more thorough blueprint used in the creation of the InfoSec environment. A security model is a generic blueprint offered by a service organization
One of the most widely referenced security models is “ISO/IEC 27001: 2005 Information Technology—Code of Practice for InfoSec Management,” which is designed to give recommendations for InfoSec management. Other approaches to structuring InfoSec management are found in the many documents available from NIST’s Computer Security Resource Center
Control Objectives for Information and Related Technology (COBIT) provides advice about the implementation of sound controls and control objectives for InfoSec
Summary
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
59
The Committee of Sponsoring Organizations (COSO) of the Treadway Commission has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems. The Information Technology Infrastructure Library (ITIL) is a collection of methods and practices useful for managing the development and operation of information technology infrastructures
The Information Security Governance Framework is a managerial model provided by an industry working group that provides guidance in the development and implementation of an organizational InfoSec governance structure
Security architecture models illustrate InfoSec implementations and can help organizations make quick improvements through adaptation. The most common model is the Trusted Computer System Evaluation Criteria (TCSEC)
Summary (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
60
Access controls regulate the admission of users into trusted areas of the organization. Access control comprises four elements: identification, authentication, authorization, and accountability
Access control is built on the principles of least privilege, need-to-know, and separation of duties
Approaches to access control include directive, deterrent, preventative, detective, corrective, recovery, and compensating. Access controls may be classified as management, operational (or administrative), or technical
Mandatory access controls (MACs) are controls required by the system that operate within a data classification and personnel clearance scheme
Summary (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
61
Nondiscretionary controls are determined by a central authority in the organization and can be based on roles or on a specified set of tasks
Discretionary access controls (DACs) are implemented at the discretion or option of the data user
Common academic access control models include the Bell-LaPadula (BLP) confidentiality model, the Biba integrity model, the Clark-Wilson integrity model, the Graham-Denning access control model, the Harrison-Ruzzo-Ullman (HRU) model for access rights, and the Brewer-Nash model
Summary (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
62