information security
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
1
Upon completion of this chapter, you should be able to:
List the elements of key information security management practices
Discuss and implement information security constraints on general hiring processes
Explain the role of information security in employee terminations
Describe the security practices used to regulate employee behavior and prevent misuse of information
Describe the key components of, and suitable strategies for the implementation of, a security performance measurement program
Discuss the various types of benchmarking and their use in security planning
Learning Objectives
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
2
Introduction to Security Practices
Chapter 09: Security Management Practices
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
Organizations strive to deliver the most value with a given level of investment—this is known as the “value proposition”
The development and use of sound and repeatable information security (InfoSec) management practices brings organizations closer to meeting this objective
Introduction to Security Practices
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
4
One of the challenges seldom considered in organizations is the need for a close working relationship between InfoSec, the HR department, and every department or division that is engaged in personnel management—specifically, hiring, evaluating, and terminating employees
Executives and supervisory groups want assurance that organizations are working toward the value proposition and measuring the quality of management practices, either by comparing their programs to those of other organizations or by measuring compliance according to established standards
Introduction to Security Practices (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
5
Security Employment Practices
Chapter 09: Security Management Practices
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
From an information security perspective, the hiring of employees is laden with potential security pitfalls
The CISO, in cooperation with the CIO and relevant information security managers, should establish a dialogue with HR personnel so that InfoSec considerations become part of the hiring process
Hiring
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
7
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
Integrating InfoSec into the hiring process begins with reviewing and updating job descriptions to include InfoSec responsibilities and screen for unwanted disclosures
Organizations that provide complete job descriptions when advertising open positions should omit the elements of the job description that describe access privileges or the type and sensitivity of information to which the position would have access
Job Descriptions
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
9
In general, information security should advise human resources to limit the information provided to the candidates on the access rights of the position
When an interview includes a site visit, the tour should avoid secure and restricted sites, because the visitor could observe enough information about the operations or information security functions to represent a potential threat to the organization
Interviews
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
10
A background check should be conducted before the organization extends an offer to any candidate, regardless of job level
Common types include:
Background Checks
Identity
Education and credential
Previous employment verification
References
Worker’s compensation history
Motor vehicle records
Drug history
Medical history
Credit history
Civil court history
Criminal court history
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
11
Once a candidate has accepted a job offer, the employment contract becomes an important security instrument
Job candidates can be offered “employment contingent upon agreement,” whereby they are not offered a position unless they agree to the binding organizational policies
New employees should receive, as part of their orientation, an extensive information security briefing
Organizations should conduct periodic security awareness and training activities to keep security at the forefront of employees’ minds and minimize employee mistakes
Contracts and Employment
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
12
To heighten information security awareness and change workplace behavior, organizations should incorporate information security components into employee performance evaluations
Employees pay close attention to job performance evaluations, and including information security tasks in them will motivate employees to take more care when performing these tasks
Security Expectations in the Performance Evaluation
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
13
When an employee leaves an organization, the following tasks must be performed:
The former employee’s access to the organization’s systems must be disabled
The former employee must return all removable media, technology, and data
The former employee’s hard drives must be secured
File cabinet locks must be changed
Office door locks must be changed
The former employee’s keycard access must be revoked
The former employee’s personal effects must be removed from the premises
The former employee should be escorted from the premises, once keys, keycards, and other business property have been turned over
Termination Issues
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
14
Termination Issues
When an employee leaves an organization, the following tasks must be performed:
The former employee’s access to the organization’s systems must be disabled.
The former employee must return all removable media.
The former employee’s hard drives must be secured.
File cabinet locks must be changed.
Office door locks must be changed.
The former employee’s keycard access must be revoked.
The former employee’s personal effects must be removed from the premises.
The former employee should be escorted from the premises, once keys, keycards, and other business property have been turned over.
In addition to performing these tasks, many organizations conduct an exit interview to remind the employee of any contractual obligations, such as nondisclosure agreements, and to obtain feedback on the employee’s tenure in the organization.
Two methods for handling handle employee outprocessing, depending on the employee’s reasons for leaving, are as follows:
In addition to performing these tasks, many organizations conduct an exit interview to remind the employee of any contractual obligations, such as nondisclosure agreements, and to obtain feedback on the employee’s tenure in the organization
Two methods for handling employee outprocessing, depending on the employee’s reasons for leaving, are hostile and friendly departures
Termination Issues (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
15
Hostile departure
Security cuts off all logical and keycard access, before the employee is terminated
The employee reports for work, is escorted into the supervisor’s office and then escorted to his or her office, cubicle, or personal area to collect personal effects under supervision, or informed their personal property will be sent to them
The employee is asked to surrender all keys, keycards, and other organizational identification and access devices, PDAs, pagers, cell phones, and all remaining company property, and is then escorted from the building
Termination Issues (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
16
Friendly departure
The employee may have tendered notice well in advance of the actual departure date, which can make it much more difficult for security to maintain positive control over the employee’s access and information usage
Employee accounts are usually allowed to continue, with a new expiration date
The employee can come and go at will and usually collects any belongings and leaves without escort
The employee is asked to drop off all organizational property before departing
Termination Issues (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
17
In either circumstance, the offices and information used by departing employees must be inventoried, their files stored or destroyed, and all property returned to organizational stores
It is possible that departing employees have collected and taken home information or assets that could be valuable in their future jobs
Only by scrutinizing system logs during the transition period and after the employee has departed, and sorting out authorized actions from system misuse or information theft, can the organization determine whether a breach of policy or a loss of information has occurred
Termination Issues (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
18
There are various ways of monitoring and controlling employees to minimize their opportunities to misuse information
Separation of duties is used to make it difficult for an individual to violate information security and breach the confidentiality, integrity, or availability of information
Two-man control requires that two individuals review and approve each other’s work before the task is considered complete
Personnel Security Practices
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
19
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
20
Job rotation requires that every employee be able to perform the work of at least one other employee
If that approach is not feasible, an alternative is task rotation, in which all critical tasks can be performed by multiple individuals
For similar reasons, each employee should be required to take a mandatory vacation, of at least one week per year
This policy gives the organization a chance to perform a detailed review of everyone’s work
Personnel Security Practices (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
21
Finally, another important way to minimize opportunities for employee misuse information is to limit access to information
That is, employees should be able to access only the information they need, and only for the period required to perform their tasks
This idea is referred to as the principle of least privilege
Personnel Security Practices (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
22
Organizations are required by law to protect sensitive or personal employee information, including personally identifying facts such as employee addresses, phone numbers, Social Security numbers, medical conditions, and even names and addresses of family members
This responsibility also extends to customers, patients, and anyone with whom the organization has business relationships
While personnel data is, in principle, no different than other data that information security is expected to protect, certainly more regulations cover its protection
Security of Personnel and Personal Data
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
23
Many individuals who are not regular employees often have access to sensitive organizational information
Relationships with individuals in this category should be carefully managed to prevent threats to information assets from materializing
Security Considerations for Temporary Employees, Consultants, and Other Workers
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
24
Because temporary workers are not employed by the organization for which they’re working, they may not be subject to the contractual obligations or general policies that govern other employees
Unless specified in its contract with the organization, the temp agency may not be liable for losses caused by its workers
From a security standpoint, access to information for these individuals should be limited to what is necessary to perform their duties
Temporary Workers
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
25
While professional contractors may require access to virtually all areas of the organization to do their jobs, service contractors usually need access only to specific facilities, and they should not be allowed to wander freely in and out of buildings
Any service agreements or contracts should contain the following stipulations: The facility requires 24–48 hours’ notice of a maintenance visit; the facility requires all on-site personnel to undergo background checks; and the facility requires advance notice for cancellation or rescheduling of a maintenance visit
Contract Employees
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
26
Consultants have their own security requirements and contractual obligations
They should be handled like contract employees, with special requirements, such as information or facility access requirements, being integrated into the contract before they are given free access to the facility
Just because you pay security consultants, it doesn’t mean that protecting your information is their number one priority
Always remember to apply the principle of least privilege when working with consultants
Consultants
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
27
Businesses sometimes engage in strategic alliances with other organizations to exchange information, integrate systems, or enjoy some other mutual advantage
A prior business agreement must specify the levels of exposure that both organizations are willing to tolerate
In particular, security and technology consultants must be prescreened, escorted, and subjected to nondisclosure agreements to protect the organization from intentional or accidental breaches of confidentiality
Business Partners
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
28
Information Security Performance Measurement
Chapter 09: Security Management Practices
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
While CISOs sometimes claim that the costs and benefits and performance of InfoSec are almost impossible to measure, in fact they are measurable
Doing so requires the design and ongoing use of an InfoSec performance management program based on effective performance metrics
Performance Measures in InfoSec Management
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
30
InfoSec performance management is the process of designing, implementing, and managing the use of the collected data elements (called measures or metrics) to determine the effectiveness of the overall security program
Performance measurements (or measures) are data points or computed trends that may indicate the effectiveness of security countermeasures or controls—technical and managerial—as implemented in the organization
InfoSec Performance Management
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
31
Organizations use three types of measurements:
Those that determine the effectiveness of the execution of InfoSec policy, most commonly issue-specific security policies
Those that determine the effectiveness and/or efficiency of the delivery of InfoSec services, whether they be managerial services, such as security training, or technical services, such as the installation of anti-virus software
Those that assess the impact of an incident or other security event on the organization or its mission
InfoSec Performance Management
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
32
According to NIST SP 800-55 R1—Performance Measurement Guide for Information Security, the following factors must be considered during development and implementation of an information security performance management program:
Measurements must yield quantifiable information (percentages, averages, and numbers)
Data that supports the measurements needs to be readily obtainable
Only repeatable information security processes should be considered for measurement
Measurements must be useful for tracking performance and directing resources
InfoSec Performance Management (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
33
Also according to SP 800-55 R.1, four factors are critical to the success of an information security performance program:
Strong upper level management support
Practical InfoSec policies and procedures
Quantifiable performance measurements
Results-oriented measurement analysis
InfoSec Performance Management (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
34
When an organization applies statistical and quantitative approaches of mathematical analysis to the process of measuring the activities and outcomes of the InfoSec program, it is using InfoSec metrics
In some organizations, the terms metrics and measures are interchangeable. In others, the term “metrics” is used for more granular, detailed measurements, while the term “measurements” is used for aggregate, higher-level results
InfoSec Performance Management (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
35
Before beginning the process of designing, collecting, and using measures, the CISO should be prepared to answer the following questions:
Why should these measurements be collected?
What specific measurements will be collected?
How will these measurements be collected?
When will these measurements be collected?
Who will collect these measurements?
Where (at what point in the function’s process) will these measurements be collected?
InfoSec Performance Management (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
36
Even with strong management support, an information security measures program as part of a security performance management program must be able to demonstrate value to the organization
One of the most popular among the many references that support the development of a process improvement and performance measures is the Capability Maturity Model Integrated (CMMI) from the CMMI Institute at Carnegie Mellon
Building the Performance Measurement Program
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
37
Another popular approach is that of NIST SP 800-55 R1: Performance Measurement for Information Security. This process is divided into two major activities:
Identification and definition of the current InfoSec program
Development and selection of specific measures to gauge the implementation, effectiveness, efficiency, and impact of the security controls
Building the Performance Measurement Program (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
38
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
39
One of the critical tasks in the measurement process is to assess and quantify what will be measured
While InfoSec planning and organizing activities may only require time estimates, you must obtain more detailed measurements when assessing the effort spent to complete production tasks and the time spent completing project tasks
Measurements collected from production statistics depend greatly on the number of systems and the number of users of those systems
Specifying InfoSec Measurements
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
40
Some thought must go into the processes used for data collection and record keeping
Once the question of what to measure is answered, the how, when, where, and who questions of metrics collection must be addressed
Designing the collection process requires thoughtful consideration of the intent of the metric along with a thorough knowledge of how production services are delivered
Collecting InfoSec Measurements
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
41
One of the priorities in building an information security measurement program is determining whether these measures will be macro-focus or micro-focus, or some combination thereof
Macro-focus measurements examine the performance of the overall security program
Micro-focus measurements examine the performance of an individual controller or group of controls within the information security program
What is important is that the measurements are specifically tied to individual InfoSec goals and objectives
Measurements Development Approach
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
42
Because organizations seem to manage what they measure, it is important to ensure that individual metrics are prioritized in the same manner as the processes they measure
This can be achieved with a simple low-, medium-, or high-priority ranking system, or a weighted scale approach
While there are literally hundreds of measurements that could be used, only those associated with appropriate-level priority activities should be incorporated
Measurement Prioritization and Selection
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
43
Performance targets make it possible to define success in the security program; many InfoSec performance measurements targets are represented by a 100% target goal
Other types of performance measures, such as those used to determine relative effectiveness or efficiency or impact of information security on the organization’s goals, tend to be more subjective and require solid native and subjective reasoning
One of the fundamental challenges in InfoSec performance measurement is defining effective security; in other words when is InfoSec effective?
Establishing Performance Targets
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
44
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
45
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
47
Once developed, information security performance measurements must be implemented and integrated into ongoing information security management operations
For the most part, it is insufficient to simply collect these measures once
Performance measurement is an ongoing, continuous improvement operation
InfoSec Performance Measurement Implementation
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
48
Phase 1—Prepare for data collection; identify, define, develop, and select InfoSec measures
Phase 2—Collect data and analyze results; collect, aggregate, and consolidate metric data collection and compare measurements with targets (gap analysis)
Phase 3—Identify corrective actions; develop a plan to serve as the roadmap for closing the gap identified in Phase 2
Phase 4—Develop the business case
Phase 5—Obtain resources; address the budgeting cycle for acquiring resources needed to implement remediation actions identified in Phase 3
Phase 6—Apply corrective actions; close the gap by implementing the recommended corrective actions in the security program or in the security controls
NIST InfoSec Performance Measurement Implementation
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
50
In most cases, simply listing the measurements collected does not adequately convey their meaning
In addition, you must make decisions about how to present correlated metrics
The CISO must also consider to whom the results of the performance measures program should be disseminated, and how they should be delivered
Reporting InfoSec Performance Measurements
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
51
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
Benchmarking
Chapter 09: Security Management Practices
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
Organizations usually generate a security blueprint by drawing from established security models and frameworks
Another way to create such a blueprint is to look at the paths taken by organizations similar to the one whose plan you are developing
Using this method, which is called benchmarking (or external benchmarking), you compare your organization’s efforts to those of other organizations you feel are similar in size, structure, or industry
Benchmarking can help to determine which controls should be considered, but it cannot determine how those controls should be implemented in your organization
Benchmarking
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
54
Benchmarking can also be used as an internal tool to compare current performance against past performance and to look for trends of improvement or areas that need additional work
In information security, two categories of benchmarks are used
Standards of due care and due diligence
Recommended practices or best security practices
Best practices include a subcategory of practices—called the gold standard—that are generally regarded as “the best of the best”
Benchmarking (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
55
For legal reasons, certain organizations may be compelled to adopt a stipulated minimum level of security, as to establish a future legal defense they may need to verify that they have done what any prudent organization would do in similar circumstances; this is known as a standard of due care
Due diligence requires that an organization ensure that the implemented standards continue to provide the required level of protection
Organizations must make sure that they have met a reasonable level of security in all areas and that they have adequately protected all information assets before making efforts to improve individual areas to meet the highest standards
Standards of Due Care/Due Diligence
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
56
Security efforts that seek to provide a superior level of performance in the protection of information are called recommended practices, whereas security efforts that are considered among the best in the industry are termed best security practices (BSPs), although the terms are used interchangeably
BSPs balance the need for information access with the need for adequate protection while demonstrating fiscal responsibility
Companies with best practices may not be the best in every area; they may only have established a high quality or successful security effort in one area
Recommended Security Practices
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
57
Industries that are regulated by laws and standards and are subject to government or industry oversight are required to meet the regulatory or industry guidelines in their security practices
For other organizations, government and industry guidelines can serve as excellent sources of information about what is required to control InfoSec risks
Selecting Recommended Practices
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
58
When choosing from among recommended practices for your organization, consider the following:
Does your organization resemble the identified target organization of the recommended practice?
Are you in a similar industry as the target?
Do you face similar challenges as the target?
Is your organizational structure similar to the target?
Can your organization expend resources at the level required by the recommended practice?
Is your threat environment similar to the one assumed by the recommended practice?
Selecting Recommended Practices (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
59
The biggest barrier to benchmarking in information security is that many organizations don’t share results; a successful attack is often perceived as an organizational failure, and is kept secret, if possible
An increasing number of security administrators are joining professional associations and societies like ISSA and ISACA, and sharing their stories and lessons learned
An alternative to this direct dialogue is the publication of lessons learned in security journals
Limitations to Benchmarking and Recommended Practices
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
60
Another barrier to benchmarking is that no two organizations are identical
Organizations that offer products or services in the same market may differ dramatically in size, composition, management philosophy, organizational culture, technological infrastructure, and planned expenditures for security
A third problem with benchmarking is that recommended practices are a moving target
Knowing what happened a few years ago, which is typical in benchmarking, does not necessarily tell you what to do next
Limitations to Benchmarking and Recommended Practices (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
61
A specific subset of benchmarking is baselining, also known as internal benchmarking, in which the organization conducts an initial assessment of current performance (known as a baseline)
In InfoSec, baseline measurements of security activities and events are used to provide a basis for comparison of the organization’s current security performance against future performance
Baselining
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
62
The Gartner group offers 12 questions as a self-assessment for recommended security practices:
People:
Do you perform background checks on all employees with access to sensitive data, areas, or access points?
Would the average employee recognize a security issue?
Would they choose to report it?
Would they know how to report it to the right people?
Support for Benchmarks and Baselines
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
63
Processes:
Are enterprise security policies updated on at least an annual basis, employees educated on changes, and consistently enforced?
Does your enterprise follow a patch/update management and evaluation process to prioritize and mediate new security vulnerabilities?
Are the user accounts of former employees immediately removed on termination?
Are security group representatives involved in all stages of the project life cycle for new projects?
Support for Benchmarks and Baselines (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
64
Technology:
Is every possible route to the Internet protected by a properly configured firewall?
Is sensitive data on laptops and remote systems encrypted?
Are your information assets and the systems they use regularly assessed for security exposures using a vulnerability analysis methodology?
Are systems and networks regularly reviewed for malicious software and telltales from prior attacks?
Support for Benchmarks and Baselines (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
65
Area 1: Build and maintain a secure network and systems
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Area 2: Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
PCI/DSS Recommended Practices
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
Area 3: Maintain a vulnerability management program
5. Protect all systems against malware and regularly update antivirus software or programs
6. Develop and maintain secure systems and applications
Area 4: Implement strong access control measures
7. Restrict access to cardholder data by a business’s need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
PCI/DSS Recommended Practices (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
Area 5: Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Area 6: Maintain an information security policy
12. Maintain a policy that addresses information security for all personnel
PCI/DSS Recommended Practices (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
Organizations that do not do business with the federal government and would not be concerned with NIST certification and accreditation (C&A) procedures may still desire to seek a recognized level of certification of their security management systems
While ISO does not directly conduct certification assessments or issue certificates, it does authorize third parties to perform these tasks
ISO Certification
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
The ISO certification process takes approximately six to eight weeks and involves three steps:
1. Initial assessment of the candidate organization
2. Writing of a certification manual by the candidate organization
3. Presentation of certification
ISO Certification (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
Management should integrate InfoSec concepts and practices into the organization’s employment activities, in accordance with the value proposition
The CISO should work with the CIO and HR to integrate InfoSec concerns into the hiring process. During the hiring process, applying regulated and constrained job descriptions can increase the degree of professionalism in the InfoSec field and improve the consistency of roles and responsibilities among organizations
When an interview includes a site visit, the tour should avoid secure and restricted sites
Summary
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
71
A background check should be conducted before the organization extends an offer to any candidate, regardless of job level, to uncover past criminal behavior or other information. Background checks differ in their levels of detail and depth
Once a candidate has accepted a job offer, the employment contract becomes an important security instrument. Many of the policies discussed in Chapter 4 require an employee to agree in writing
As part of their orientation, new employees should receive an extensive InfoSec briefing that should cover policies, security procedures, access levels, and training on the secure use of information systems
Summary (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
72
When an employee leaves an organization, a number of security-related concerns arise, including the continuity of protection for all information to which the employee had access
Separation of duties, two-person control, job and task rotation, mandatory vacations, and least privilege are among the practices and methods recommended to minimize employees’ opportunities to misuse information
Government-mandated requirements for the privacy and security of personnel and personal data must be met by the organization’s hiring program
Organizations often need the special services of temporary employees, contractors, and consultants. These relationships must be carefully managed to prevent InfoSec breaches
Summary (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
73
InfoSec performance management is the process of designing, implementing, and managing the use of the collected data elements called measurements to determine the effectiveness of the overall security program
There are three types of InfoSec performance measurements: those that determine the effectiveness of the execution of InfoSec policy, those that determine the effectiveness and/or efficiency of the delivery of InfoSec services, and those that assess the impact of an incident or other security event on the organization or its mission
One of the critical tasks in the measurement process is to assess and quantify what will be measured and how it is measured
Summary (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
74
Benchmarking is a process of following the recommended or existing practices of a similar organization or industry-developed standards. Two categories of benchmarks are used: standards of due care/due diligence and recommended practices
Organizations may be compelled to adopt a stipulated minimum level of security (that which any prudent organization would do), which is known as a standard of due care. Implementing controls at this minimum standard is deemed due diligence
Security efforts that seek to provide a superior level of performance in the protection of information are called recommended business practices or best practices. Security efforts that are among the best in the industry are termed best security practices
Summary (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
75
A practice related to benchmarking is baselining—a level of performance against which changes can be usefully compared. Baselining can provide the foundation for internal benchmarking
ISO 27000 certification is a form of external recognition that is useful for the following types of organizations: those that do not do business with the federal government, those that do business internationally, and those just seeking to influence potential customers with their level of security. ISO 27000 certification allows an organization to demonstrate an externally reviewed competence in information security management practices
Summary (Continued)
© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use
‹#›
Management of Information Security, 6th ed - Whitman & Mattord
76