information security

profileg01
MgmtOfInfoSec_6e-Ch09_pr.pptx

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

1

Upon completion of this chapter, you should be able to:

List the elements of key information security management practices

Discuss and implement information security constraints on general hiring processes

Explain the role of information security in employee terminations

Describe the security practices used to regulate employee behavior and prevent misuse of information

Describe the key components of, and suitable strategies for the implementation of, a security performance measurement program

Discuss the various types of benchmarking and their use in security planning

Learning Objectives

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

2

Introduction to Security Practices

Chapter 09: Security Management Practices

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

Organizations strive to deliver the most value with a given level of investment—this is known as the “value proposition”

The development and use of sound and repeatable information security (InfoSec) management practices brings organizations closer to meeting this objective

Introduction to Security Practices

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

4

One of the challenges seldom considered in organizations is the need for a close working relationship between InfoSec, the HR department, and every department or division that is engaged in personnel management—specifically, hiring, evaluating, and terminating employees

Executives and supervisory groups want assurance that organizations are working toward the value proposition and measuring the quality of management practices, either by comparing their programs to those of other organizations or by measuring compliance according to established standards

Introduction to Security Practices (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

5

Security Employment Practices

Chapter 09: Security Management Practices

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

From an information security perspective, the hiring of employees is laden with potential security pitfalls

The CISO, in cooperation with the CIO and relevant information security managers, should establish a dialogue with HR personnel so that InfoSec considerations become part of the hiring process

Hiring

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

7

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

Integrating InfoSec into the hiring process begins with reviewing and updating job descriptions to include InfoSec responsibilities and screen for unwanted disclosures

Organizations that provide complete job descriptions when advertising open positions should omit the elements of the job description that describe access privileges or the type and sensitivity of information to which the position would have access

Job Descriptions

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

9

In general, information security should advise human resources to limit the information provided to the candidates on the access rights of the position

When an interview includes a site visit, the tour should avoid secure and restricted sites, because the visitor could observe enough information about the operations or information security functions to represent a potential threat to the organization

Interviews

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

10

A background check should be conducted before the organization extends an offer to any candidate, regardless of job level

Common types include:

Background Checks

Identity

Education and credential

Previous employment verification

References

Worker’s compensation history

Motor vehicle records

Drug history

Medical history

Credit history

Civil court history

Criminal court history

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

11

Once a candidate has accepted a job offer, the employment contract becomes an important security instrument

Job candidates can be offered “employment contingent upon agreement,” whereby they are not offered a position unless they agree to the binding organizational policies

New employees should receive, as part of their orientation, an extensive information security briefing

Organizations should conduct periodic security awareness and training activities to keep security at the forefront of employees’ minds and minimize employee mistakes

Contracts and Employment

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

12

To heighten information security awareness and change workplace behavior, organizations should incorporate information security components into employee performance evaluations

Employees pay close attention to job performance evaluations, and including information security tasks in them will motivate employees to take more care when performing these tasks

Security Expectations in the Performance Evaluation

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

13

When an employee leaves an organization, the following tasks must be performed:

The former employee’s access to the organization’s systems must be disabled

The former employee must return all removable media, technology, and data

The former employee’s hard drives must be secured

File cabinet locks must be changed

Office door locks must be changed

The former employee’s keycard access must be revoked

The former employee’s personal effects must be removed from the premises

The former employee should be escorted from the premises, once keys, keycards, and other business property have been turned over

Termination Issues

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

14

Termination Issues

When an employee leaves an organization, the following tasks must be performed:

The former employee’s access to the organization’s systems must be disabled.

The former employee must return all removable media.

The former employee’s hard drives must be secured.

File cabinet locks must be changed.

Office door locks must be changed.

The former employee’s keycard access must be revoked.

The former employee’s personal effects must be removed from the premises.

The former employee should be escorted from the premises, once keys, keycards, and other business property have been turned over.

In addition to performing these tasks, many organizations conduct an exit interview to remind the employee of any contractual obligations, such as nondisclosure agreements, and to obtain feedback on the employee’s tenure in the organization.

Two methods for handling handle employee outprocessing, depending on the employee’s reasons for leaving, are as follows:

In addition to performing these tasks, many organizations conduct an exit interview to remind the employee of any contractual obligations, such as nondisclosure agreements, and to obtain feedback on the employee’s tenure in the organization

Two methods for handling employee outprocessing, depending on the employee’s reasons for leaving, are hostile and friendly departures

Termination Issues (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

15

Hostile departure

Security cuts off all logical and keycard access, before the employee is terminated

The employee reports for work, is escorted into the supervisor’s office and then escorted to his or her office, cubicle, or personal area to collect personal effects under supervision, or informed their personal property will be sent to them

The employee is asked to surrender all keys, keycards, and other organizational identification and access devices, PDAs, pagers, cell phones, and all remaining company property, and is then escorted from the building

Termination Issues (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

16

Friendly departure

The employee may have tendered notice well in advance of the actual departure date, which can make it much more difficult for security to maintain positive control over the employee’s access and information usage

Employee accounts are usually allowed to continue, with a new expiration date

The employee can come and go at will and usually collects any belongings and leaves without escort

The employee is asked to drop off all organizational property before departing

Termination Issues (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

17

In either circumstance, the offices and information used by departing employees must be inventoried, their files stored or destroyed, and all property returned to organizational stores

It is possible that departing employees have collected and taken home information or assets that could be valuable in their future jobs

Only by scrutinizing system logs during the transition period and after the employee has departed, and sorting out authorized actions from system misuse or information theft, can the organization determine whether a breach of policy or a loss of information has occurred

Termination Issues (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

18

There are various ways of monitoring and controlling employees to minimize their opportunities to misuse information

Separation of duties is used to make it difficult for an individual to violate information security and breach the confidentiality, integrity, or availability of information

Two-man control requires that two individuals review and approve each other’s work before the task is considered complete

Personnel Security Practices

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

19

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

20

Job rotation requires that every employee be able to perform the work of at least one other employee

If that approach is not feasible, an alternative is task rotation, in which all critical tasks can be performed by multiple individuals

For similar reasons, each employee should be required to take a mandatory vacation, of at least one week per year

This policy gives the organization a chance to perform a detailed review of everyone’s work

Personnel Security Practices (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

21

Finally, another important way to minimize opportunities for employee misuse information is to limit access to information

That is, employees should be able to access only the information they need, and only for the period required to perform their tasks

This idea is referred to as the principle of least privilege

Personnel Security Practices (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

22

Organizations are required by law to protect sensitive or personal employee information, including personally identifying facts such as employee addresses, phone numbers, Social Security numbers, medical conditions, and even names and addresses of family members

This responsibility also extends to customers, patients, and anyone with whom the organization has business relationships

While personnel data is, in principle, no different than other data that information security is expected to protect, certainly more regulations cover its protection

Security of Personnel and Personal Data

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

23

Many individuals who are not regular employees often have access to sensitive organizational information

Relationships with individuals in this category should be carefully managed to prevent threats to information assets from materializing

Security Considerations for Temporary Employees, Consultants, and Other Workers

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

24

Because temporary workers are not employed by the organization for which they’re working, they may not be subject to the contractual obligations or general policies that govern other employees

Unless specified in its contract with the organization, the temp agency may not be liable for losses caused by its workers

From a security standpoint, access to information for these individuals should be limited to what is necessary to perform their duties

Temporary Workers

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

25

While professional contractors may require access to virtually all areas of the organization to do their jobs, service contractors usually need access only to specific facilities, and they should not be allowed to wander freely in and out of buildings

Any service agreements or contracts should contain the following stipulations: The facility requires 24–48 hours’ notice of a maintenance visit; the facility requires all on-site personnel to undergo background checks; and the facility requires advance notice for cancellation or rescheduling of a maintenance visit

Contract Employees

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

26

Consultants have their own security requirements and contractual obligations

They should be handled like contract employees, with special requirements, such as information or facility access requirements, being integrated into the contract before they are given free access to the facility

Just because you pay security consultants, it doesn’t mean that protecting your information is their number one priority

Always remember to apply the principle of least privilege when working with consultants

Consultants

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

27

Businesses sometimes engage in strategic alliances with other organizations to exchange information, integrate systems, or enjoy some other mutual advantage

A prior business agreement must specify the levels of exposure that both organizations are willing to tolerate

In particular, security and technology consultants must be prescreened, escorted, and subjected to nondisclosure agreements to protect the organization from intentional or accidental breaches of confidentiality

Business Partners

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

28

Information Security Performance Measurement

Chapter 09: Security Management Practices

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

While CISOs sometimes claim that the costs and benefits and performance of InfoSec are almost impossible to measure, in fact they are measurable

Doing so requires the design and ongoing use of an InfoSec performance management program based on effective performance metrics

Performance Measures in InfoSec Management

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

30

InfoSec performance management is the process of designing, implementing, and managing the use of the collected data elements (called measures or metrics) to determine the effectiveness of the overall security program

Performance measurements (or measures) are data points or computed trends that may indicate the effectiveness of security countermeasures or controls—technical and managerial—as implemented in the organization

InfoSec Performance Management

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

31

 Organizations use three types of measurements:

Those that determine the effectiveness of the execution of InfoSec policy, most commonly issue-specific security policies

Those that determine the effectiveness and/or efficiency of the delivery of InfoSec services, whether they be managerial services, such as security training, or technical services, such as the installation of anti-virus software

Those that assess the impact of an incident or other security event on the organization or its mission

InfoSec Performance Management

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

32

According to NIST SP 800-55 R1—Performance Measurement Guide for Information Security, the following factors must be considered during development and implementation of an information security performance management program:

Measurements must yield quantifiable information (percentages, averages, and numbers)

Data that supports the measurements needs to be readily obtainable

Only repeatable information security processes should be considered for measurement

Measurements must be useful for tracking performance and directing resources

InfoSec Performance Management (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

33

Also according to SP 800-55 R.1, four factors are critical to the success of an information security performance program:

Strong upper level management support

Practical InfoSec policies and procedures

Quantifiable performance measurements

Results-oriented measurement analysis

InfoSec Performance Management (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

34

When an organization applies statistical and quantitative approaches of mathematical analysis to the process of measuring the activities and outcomes of the InfoSec program, it is using InfoSec metrics

In some organizations, the terms metrics and measures are interchangeable. In others, the term “metrics” is used for more granular, detailed measurements, while the term “measurements” is used for aggregate, higher-level results

InfoSec Performance Management (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

35

Before beginning the process of designing, collecting, and using measures, the CISO should be prepared to answer the following questions:

Why should these measurements be collected?

What specific measurements will be collected?

How will these measurements be collected?

When will these measurements be collected?

Who will collect these measurements?

Where (at what point in the function’s process) will these measurements be collected?

InfoSec Performance Management (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

36

Even with strong management support, an information security measures program as part of a security performance management program must be able to demonstrate value to the organization

One of the most popular among the many references that support the development of a process improvement and performance measures is the Capability Maturity Model Integrated (CMMI) from the CMMI Institute at Carnegie Mellon

Building the Performance Measurement Program

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

37

Another popular approach is that of NIST SP 800-55 R1: Performance Measurement for Information Security. This process is divided into two major activities:

Identification and definition of the current InfoSec program

Development and selection of specific measures to gauge the implementation, effectiveness, efficiency, and impact of the security controls

Building the Performance Measurement Program (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

38

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

39

One of the critical tasks in the measurement process is to assess and quantify what will be measured

While InfoSec planning and organizing activities may only require time estimates, you must obtain more detailed measurements when assessing the effort spent to complete production tasks and the time spent completing project tasks

Measurements collected from production statistics depend greatly on the number of systems and the number of users of those systems

Specifying InfoSec Measurements

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

40

Some thought must go into the processes used for data collection and record keeping

Once the question of what to measure is answered, the how, when, where, and who questions of metrics collection must be addressed

Designing the collection process requires thoughtful consideration of the intent of the metric along with a thorough knowledge of how production services are delivered

Collecting InfoSec Measurements

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

41

One of the priorities in building an information security measurement program is determining whether these measures will be macro-focus or micro-focus, or some combination thereof

Macro-focus measurements examine the performance of the overall security program

Micro-focus measurements examine the performance of an individual controller or group of controls within the information security program

What is important is that the measurements are specifically tied to individual InfoSec goals and objectives

Measurements Development Approach

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

42

Because organizations seem to manage what they measure, it is important to ensure that individual metrics are prioritized in the same manner as the processes they measure

This can be achieved with a simple low-, medium-, or high-priority ranking system, or a weighted scale approach

While there are literally hundreds of measurements that could be used, only those associated with appropriate-level priority activities should be incorporated

Measurement Prioritization and Selection

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

43

Performance targets make it possible to define success in the security program; many InfoSec performance measurements targets are represented by a 100% target goal

Other types of performance measures, such as those used to determine relative effectiveness or efficiency or impact of information security on the organization’s goals, tend to be more subjective and require solid native and subjective reasoning

One of the fundamental challenges in InfoSec performance measurement is defining effective security; in other words when is InfoSec effective?

Establishing Performance Targets

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

44

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

45

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

47

Once developed, information security performance measurements must be implemented and integrated into ongoing information security management operations

For the most part, it is insufficient to simply collect these measures once

Performance measurement is an ongoing, continuous improvement operation

InfoSec Performance Measurement Implementation

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

48

Phase 1—Prepare for data collection; identify, define, develop, and select InfoSec measures

Phase 2—Collect data and analyze results; collect, aggregate, and consolidate metric data collection and compare measurements with targets (gap analysis)

Phase 3—Identify corrective actions; develop a plan to serve as the roadmap for closing the gap identified in Phase 2

Phase 4—Develop the business case

Phase 5—Obtain resources; address the budgeting cycle for acquiring resources needed to implement remediation actions identified in Phase 3

Phase 6—Apply corrective actions; close the gap by implementing the recommended corrective actions in the security program or in the security controls

NIST InfoSec Performance Measurement Implementation

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

50

In most cases, simply listing the measurements collected does not adequately convey their meaning

In addition, you must make decisions about how to present correlated metrics

The CISO must also consider to whom the results of the performance measures program should be disseminated, and how they should be delivered

Reporting InfoSec Performance Measurements

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

51

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

Benchmarking

Chapter 09: Security Management Practices

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

Organizations usually generate a security blueprint by drawing from established security models and frameworks

Another way to create such a blueprint is to look at the paths taken by organizations similar to the one whose plan you are developing

Using this method, which is called benchmarking (or external benchmarking), you compare your organization’s efforts to those of other organizations you feel are similar in size, structure, or industry

Benchmarking can help to determine which controls should be considered, but it cannot determine how those controls should be implemented in your organization

Benchmarking

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

54

Benchmarking can also be used as an internal tool to compare current performance against past performance and to look for trends of improvement or areas that need additional work

In information security, two categories of benchmarks are used

Standards of due care and due diligence

Recommended practices or best security practices

Best practices include a subcategory of practices—called the gold standard—that are generally regarded as “the best of the best”

Benchmarking (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

55

For legal reasons, certain organizations may be compelled to adopt a stipulated minimum level of security, as to establish a future legal defense they may need to verify that they have done what any prudent organization would do in similar circumstances; this is known as a standard of due care

Due diligence requires that an organization ensure that the implemented standards continue to provide the required level of protection

Organizations must make sure that they have met a reasonable level of security in all areas and that they have adequately protected all information assets before making efforts to improve individual areas to meet the highest standards

Standards of Due Care/Due Diligence

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

56

Security efforts that seek to provide a superior level of performance in the protection of information are called recommended practices, whereas security efforts that are considered among the best in the industry are termed best security practices (BSPs), although the terms are used interchangeably

BSPs balance the need for information access with the need for adequate protection while demonstrating fiscal responsibility

Companies with best practices may not be the best in every area; they may only have established a high quality or successful security effort in one area

Recommended Security Practices

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

57

Industries that are regulated by laws and standards and are subject to government or industry oversight are required to meet the regulatory or industry guidelines in their security practices

For other organizations, government and industry guidelines can serve as excellent sources of information about what is required to control InfoSec risks

Selecting Recommended Practices

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

58

When choosing from among recommended practices for your organization, consider the following:

Does your organization resemble the identified target organization of the recommended practice?

Are you in a similar industry as the target?

Do you face similar challenges as the target?

Is your organizational structure similar to the target?

Can your organization expend resources at the level required by the recommended practice?

Is your threat environment similar to the one assumed by the recommended practice?

Selecting Recommended Practices (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

59

The biggest barrier to benchmarking in information security is that many organizations don’t share results; a successful attack is often perceived as an organizational failure, and is kept secret, if possible

An increasing number of security administrators are joining professional associations and societies like ISSA and ISACA, and sharing their stories and lessons learned

An alternative to this direct dialogue is the publication of lessons learned in security journals

Limitations to Benchmarking and Recommended Practices

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

60

Another barrier to benchmarking is that no two organizations are identical

Organizations that offer products or services in the same market may differ dramatically in size, composition, management philosophy, organizational culture, technological infrastructure, and planned expenditures for security

A third problem with benchmarking is that recommended practices are a moving target

Knowing what happened a few years ago, which is typical in benchmarking, does not necessarily tell you what to do next

Limitations to Benchmarking and Recommended Practices (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

61

A specific subset of benchmarking is baselining, also known as internal benchmarking, in which the organization conducts an initial assessment of current performance (known as a baseline)

In InfoSec, baseline measurements of security activities and events are used to provide a basis for comparison of the organization’s current security performance against future performance

Baselining

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

62

The Gartner group offers 12 questions as a self-assessment for recommended security practices:

People:

Do you perform background checks on all employees with access to sensitive data, areas, or access points?

Would the average employee recognize a security issue?

Would they choose to report it?

Would they know how to report it to the right people?

Support for Benchmarks and Baselines

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

63

Processes:

Are enterprise security policies updated on at least an annual basis, employees educated on changes, and consistently enforced?

Does your enterprise follow a patch/update management and evaluation process to prioritize and mediate new security vulnerabilities?

Are the user accounts of former employees immediately removed on termination?

Are security group representatives involved in all stages of the project life cycle for new projects?

Support for Benchmarks and Baselines (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

64

Technology:

Is every possible route to the Internet protected by a properly configured firewall?

Is sensitive data on laptops and remote systems encrypted?

Are your information assets and the systems they use regularly assessed for security exposures using a vulnerability analysis methodology?

Are systems and networks regularly reviewed for malicious software and telltales from prior attacks?

Support for Benchmarks and Baselines (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

65

Area 1: Build and maintain a secure network and systems

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Area 2: Protect cardholder data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

PCI/DSS Recommended Practices

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

Area 3: Maintain a vulnerability management program

5. Protect all systems against malware and regularly update antivirus software or programs

6. Develop and maintain secure systems and applications

Area 4: Implement strong access control measures

7. Restrict access to cardholder data by a business’s need to know

8. Identify and authenticate access to system components

9. Restrict physical access to cardholder data

PCI/DSS Recommended Practices (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

Area 5: Regularly monitor and test networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Area 6: Maintain an information security policy

12. Maintain a policy that addresses information security for all personnel

PCI/DSS Recommended Practices (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

Organizations that do not do business with the federal government and would not be concerned with NIST certification and accreditation (C&A) procedures may still desire to seek a recognized level of certification of their security management systems

While ISO does not directly conduct certification assessments or issue certificates, it does authorize third parties to perform these tasks

ISO Certification

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

The ISO certification process takes approximately six to eight weeks and involves three steps:

1. Initial assessment of the candidate organization

2. Writing of a certification manual by the candidate organization

3. Presentation of certification

ISO Certification (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

Management should integrate InfoSec concepts and practices into the organization’s employment activities, in accordance with the value proposition

The CISO should work with the CIO and HR to integrate InfoSec concerns into the hiring process. During the hiring process, applying regulated and constrained job descriptions can increase the degree of professionalism in the InfoSec field and improve the consistency of roles and responsibilities among organizations

When an interview includes a site visit, the tour should avoid secure and restricted sites

Summary

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

71

A background check should be conducted before the organization extends an offer to any candidate, regardless of job level, to uncover past criminal behavior or other information. Background checks differ in their levels of detail and depth

Once a candidate has accepted a job offer, the employment contract becomes an important security instrument. Many of the policies discussed in Chapter 4 require an employee to agree in writing

As part of their orientation, new employees should receive an extensive InfoSec briefing that should cover policies, security procedures, access levels, and training on the secure use of information systems

Summary (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

72

When an employee leaves an organization, a number of security-related concerns arise, including the continuity of protection for all information to which the employee had access

Separation of duties, two-person control, job and task rotation, mandatory vacations, and least privilege are among the practices and methods recommended to minimize employees’ opportunities to misuse information

Government-mandated requirements for the privacy and security of personnel and personal data must be met by the organization’s hiring program

Organizations often need the special services of temporary employees, contractors, and consultants. These relationships must be carefully managed to prevent InfoSec breaches

Summary (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

73

InfoSec performance management is the process of designing, implementing, and managing the use of the collected data elements called measurements to determine the effectiveness of the overall security program

There are three types of InfoSec performance measurements: those that determine the effectiveness of the execution of InfoSec policy, those that determine the effectiveness and/or efficiency of the delivery of InfoSec services, and those that assess the impact of an incident or other security event on the organization or its mission

One of the critical tasks in the measurement process is to assess and quantify what will be measured and how it is measured

Summary (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

74

Benchmarking is a process of following the recommended or existing practices of a similar organization or industry-developed standards. Two categories of benchmarks are used: standards of due care/due diligence and recommended practices

Organizations may be compelled to adopt a stipulated minimum level of security (that which any prudent organization would do), which is known as a standard of due care. Implementing controls at this minimum standard is deemed due diligence

Security efforts that seek to provide a superior level of performance in the protection of information are called recommended business practices or best practices. Security efforts that are among the best in the industry are termed best security practices

Summary (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

75

A practice related to benchmarking is baselining—a level of performance against which changes can be usefully compared. Baselining can provide the foundation for internal benchmarking

ISO 27000 certification is a form of external recognition that is useful for the following types of organizations: those that do not do business with the federal government, those that do business internationally, and those just seeking to influence potential customers with their level of security. ISO 27000 certification allows an organization to demonstrate an externally reviewed competence in information security management practices

Summary (Continued)

© 2018 Cengage May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use

‹#›

Management of Information Security, 6th ed - Whitman & Mattord

76