ITC358 ICT Management and Information Security

Chapter 7

Security Management Practices

In theory there is no difference between theory and practice, but in practice there is…

(Attributed to multiple sources, including Yogi Berra and Jan L.A. Van de Snepscheut)

Objectives

Upon completion of this chapter you should be able to:

List the elements of key information security management practices

Describe the key components of a security metrics program

Identify suitable strategies for the implementation of a security metric program

Discuss emerging trends in the certification and accreditation of U.S. federal IT systems

Introduction

Value Proposition

Organisations strive to deliver the most value with a given level of investment

Developing and using sound and repeatable information security management practices makes accomplishing this more likely

Benchmarking

To generate a security blueprint

Organisations usually draw from established security models and practices

Another way is to look at the paths taken by organisations similar to the one for which you are developing the plan

Benchmarking

Following the existing practices of a similar organisation, or industry-developed standards

Can help to determine which controls should be considered

Cannot determine how those controls should be implemented in your organisation

Standards of Due Care/Due Diligence

Categories of benchmarks

Standards of due care/due diligence

Best practices

Best practices include a sub-category of practices, called the gold standard, that are generally regarded as “the best of the best”

Standards of Due Care/Due Diligence (cont’d.)

Standard of due care

When organisations adopt minimum levels of security for legal defense, they may need to show that they have done what any prudent organisation would do in similar circumstances

Due diligence

Implementing controls at this minimum standard

Requires that an organisation ensure that the implemented standards continue to provide the required level of protection

Failure to demonstrate due care or due diligence can expose an organisation to legal liability

If it can be shown that the organisation was negligent in its information protection methods

Recommended Security Practices

Best Practices

Security efforts that seek to provide a superior level of performance in the protection of information

Considered among the best in the industry

Balance the need for information access with the need for adequate protection

Demonstrate fiscal responsibility

Companies with best practices may not be the best in every area

The Gold Standard

Some organisations prefer to implement the most protective, supportive, and yet fiscally responsible standards they can

Gold standard

A model level of performance that demonstrates industrial leadership, quality, and concern for the protection of information

Implementation requires a great deal of financial and personnel support

Selecting Recommended Practices

Choosing which recommended practices to implement can pose a challenge for some organisations

In industries that are regulated by governmental agencies, government guidelines are often requirements

For other organisations, government guidelines are excellent sources of information and can inform their selection of best practices

Selecting Recommended Practices (cont’d.)

Considerations for selecting best practices

Does your organisation resemble the identified target organisation of the best practice?

Are you in a similar industry as the target?

Do you face similar challenges as the target?

Is your organisational structure similar to the target?

Are the resources you can expend similar to those called for by the best practice?

Are you in a similar threat environment as the one assumed by the best practice?

Limitations to Benchmarking and Recommended Practices

The biggest barrier to benchmarking

Organisations don’t talk to each other

A successful attack is viewed as an organisational failure, and is kept secret, insofar as possible

More and more security administrators are joining professional associations and societies like ISSA and sharing their stories and lessons learned

An alternative to this direct dialogue is the publication of lessons learned

Baselining

A value or profile of a performance metric against which changes in the performance metric can be usefully compared

Process of measuring against established standards

Baseline measurements of security activities and events are used to evaluate the organisation’s future security performance

Can provide the foundation for internal benchmarking

Information gathered for an organisation’s first risk assessment becomes the baseline for future comparisons

Support for Baselining and Recommended Practices

Self-assessment for best security practices

People:

Do you perform background checks on all employees with access to sensitive data, areas, or access points?

Would the average employee recognise a security issue?

Would they choose to report it?

Would they know how to report it to the right people?

Support for Baselining and Recommended Practices (cont’d.)

Self-assessment for best security practices (cont’d.)

Processes

Are enterprise security policies updated on at least an annual basis, employees educated on changes, and consistently enforced?

Does your enterprise follow a patch/update management and evaluation process to prioritise and remediate new security vulnerabilities?

Are the user accounts of former employees immediately removed on termination?

Are security group representatives involved in all stages of the project life cycle for new projects?

Support for Baselining and Recommended Practices (cont’d.)

Self-assessment for best security practices (cont’d.)

Technology

Is every possible route to the Internet protected by a properly configured firewall?

Is sensitive data on laptops and remote systems encrypted?

Do you regularly scan your systems and networks, using a vulnerability analysis tool, for security exposures?

Are malicious software scanning tools deployed on all workstations and servers?

Performance Measures in Information Security Management

Costs, benefits and performance of InfoSec

Are measurable, despite the claim of some CISOs that they are not

Measurement requires the design and ongoing use of an InfoSec performance management program based on effective performance metrics

InfoSec Performance Management

Information security performance management

The process of designing, implementing and managing the use of collected data elements called measures

To determine the effectiveness of the overall security program

Measures are data points or computed trends that indicate the effectiveness of security countermeasures or controls

InfoSec Performance Management (cont’d.)

Organisations use three types of measures

Those that determine the effectiveness of the execution of information security policy (ISSPs)

Those that determine the effectiveness and/or efficiency of the delivery of information security services

Those that assess the impact of an incident or other security event on the organisation or its mission

InfoSec Performance Management (cont’d.)

NIST SP 800-55 R1, Performance Measures in Information Security suggests

Consider the following factors

Measures must yield quantifiable information (percentages, averages, and numbers)

Data that supports the measures needs to be readily obtainable

Only repeatable information security processes should be considered for measurement

Measures must be useful for tracking performance and directing resources

InfoSec Performance Management (cont’d.)

Critical factors for the success of an information security performance program

Strong upper level management support

Practical information security policies and procedures

Quantifiable performance measures

Results-oriented measures analysis

InfoSec Metrics

InfoSec metrics

Applying statistical and quantitative approaches of mathematical analysis to the process of measuring the activities and outcomes of the InfoSec program

Metrics means detailed measurements

Measures refers to aggregate, higher-level results

The two terms are used interchangeably in some organisations

InfoSec Metrics (cont’d.)

Questions to answer before collecting, designing, and using measures

Why should these statistics be collected?

What specific statistics will be collected?

How will these statistics be collected?

When will these statistics be collected?

Who will collect these statistics?

Where (at what point in the function’s process) will these statistics be collected?

Building the Performance Measures Program

An information security measures program

Must be able to demonstrate value to the organisation

Necessary even with strong management support

Capability Maturity Model Integrated (CMMI)

One of the most popular references that support the development of process improvement and performance measures

Developed by The Software Engineering Institute at Carnegie Mellon

Building the Performance Measures Program (cont’d.)

Another popular approach

NIST SP 800-55 R1: Performance Measurement for Information Security

Major activities

The identification and definition of the current information security program

Development and selection of specific measures to gauge the implementation, effectiveness, efficiency, and impact of the security controls

Building the Performance Measures Program (cont’d.)

Figure 7-1 Information security measures development process

Source: Course Technology/Cengage Learning (Based on NIST SP 800-55 Rev. 1)

Specifying InfoSec Measures

Assess and quantify what will be measured

One of the critical tasks

While InfoSec planning and organising activities may only require time estimates

You must obtain more detailed measurements when assessing the effort spent to complete production tasks and the time spent completing project tasks

Collecting InfoSec Measures

Some thought must go into the processes used for data collection and record keeping

Once the question of what to measure is answered

The how, when, where, and who questions of metrics collection must be addressed

Designing the collection process requires consideration of the metric’s intent

Along with a thorough knowledge of how production services are delivered

Collecting InfoSec Measures (cont’d.)

Determine whether the measures used will be macro-focus or micro-focus

Macro-focus measures examine the performance of the overall security program

Micro-focus measures examine the performance of an individual control or group of controls within the information security program

Or use both macro- and micro-focus measures in a limited assessment

Collecting InfoSec Measures (cont’d.)

Organisations manage what they measure

It is important to prioritise individual metrics in the same manner as the performance they measure

Use a simple low-, medium-, or high-priority ranking system

Or a weighted scale approach

Involves assigning values to each measure based on its importance in the overall information security program, and on the overall risk mitigation goals and the criticality of the systems

Collecting InfoSec Measures (cont’d.)

Performance targets

Make it possible to define success in the security program

Many measures have a 100% target goal

Other types of performance measures

Those that determine relative effectiveness, efficiency, or impact of information security on the organisation’s goals

Are more subjective and require solid reasoning and informed judgement

Collecting InfoSec Measures (cont’d.)

Table 7-2a Example performance measures documentation

Source: NIST SP 800-55, Rev 1

Collecting InfoSec Measures (cont’d.)

Table 7-2b Example performance measures documentation

Source: NIST SP 800-55, Rev 1

Collecting InfoSec Measures (cont’d.)

Table 7-3a Measures template and instructions

Source: NIST SP 800-55, Rev 1

Table 7-3b Measures template and instructions

Source: NIST SP 800-55, Rev 1

Collecting InfoSec Measures (cont’d.)

Candidate Measures

Percentage of the organisation's information systems budget devoted to information security

Percentage of high vulnerabilities mitigated within organisationally defined time periods after discovery

Percentage of remote access points used to gain unauthorised access

Percentage of information systems personnel that have received security training

Collecting InfoSec Measures (cont’d.)

Candidate Measures (cont’d.)

Average frequency of audit records review and analysis for inappropriate activity

Percentage of new systems that have completed certification and accreditation (C&A) prior to their implementation

Percentage approved and implemented configuration changes identified in the latest automated baseline configuration

Collecting InfoSec Measures (cont’d.)

Candidate Measures (cont’d.)

Percentage of information systems that have conducted annual contingency plan testing

Percentage of users with access to shared accounts

Percentage of incidents reported within required time frame per applicable incident category

Percentage of system components that undergo maintenance in accordance with formal maintenance schedules

Collecting InfoSec Measures (cont’d.)

Candidate Measures (cont’d.)

Percentage of media that passes sanitisation procedures testing

Percentage of physical security incidents allowing unauthorised entry into facilities containing information assets

Percentage of employees who are authorised access to information systems only after they sign an acknowledgment that they have read and understood the appropriate policies

Collecting InfoSec Measures (cont’d.)

Candidate Measures (cont’d.)

Percentage of individuals screened before being granted access to organisational information and information systems

Percentage of vulnerabilities remediated within organisation-specified time frames

Percentage of system and service acquisition contracts that include security requirements and/or specifications

Collecting InfoSec Measures (cont’d.)

Candidate Measures (cont’d.)

Percentage of mobile computers and devices that perform all cryptographic operations using organisationally specified cryptographic modules operating in approved modes of operations

Percentage of operating system vulnerabilities for which patches have been applied or that have been otherwise mitigated
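An added worked example (mine, not the textbook's or NIST's) that turns two of the candidate measures above into code: it computes them from constructed vulnerability and staff-departure records, returns None rather than a misleading 100% when there is nothing to measure, and ranks the shortfall against each measure's target with a weighted scale of the kind described earlier for prioritising measures. The record layouts, the 30-day window, the targets and the weighting formula are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Vulnerability:
    vuln_id: str
    severity: str              # "high", "moderate" or "low"
    discovered: date
    mitigated: Optional[date]  # None while the finding is still open


@dataclass
class Departure:
    user: str
    terminated: date
    account_disabled: Optional[date]  # None if the account still exists


# Constructed sample records (not real findings or people)
VULNS = [
    Vulnerability("V-1", "high", date(2024, 3, 1), date(2024, 3, 10)),   # 9 days
    Vulnerability("V-2", "high", date(2024, 3, 5), date(2024, 4, 20)),   # 46 days
    Vulnerability("V-3", "high", date(2024, 3, 12), None),               # still open
    Vulnerability("V-4", "moderate", date(2024, 3, 2), date(2024, 3, 3)),
    Vulnerability("V-5", "high", date(2024, 3, 15), date(2024, 3, 30)),  # 15 days
]
DEPARTURES = [
    Departure("alice", date(2024, 2, 1), date(2024, 2, 1)),
    Departure("bob", date(2024, 2, 10), date(2024, 2, 14)),
    Departure("carol", date(2024, 2, 20), None),
    Departure("dave", date(2024, 2, 25), date(2024, 2, 25)),
    Departure("eve", date(2024, 3, 1), date(2024, 3, 1)),
]


def pct_high_vulns_mitigated_in_time(vulns, window_days):
    # Candidate measure: % of high vulnerabilities mitigated within the
    # organisationally defined window after discovery.
    high = [v for v in vulns if v.severity == "high"]
    if not high:
        return None  # nothing to measure; do not report a misleading 100 %
    on_time = [v for v in high if v.mitigated is not None
               and (v.mitigated - v.discovered).days <= window_days]
    return round(100.0 * len(on_time) / len(high), 1)


def pct_accounts_removed_on_termination(departures):
    # Self-assessment item made quantifiable: % of former employees whose
    # account was disabled on the day of termination (None never matches).
    if not departures:
        return None
    same_day = [d for d in departures if d.account_disabled == d.terminated]
    return round(100.0 * len(same_day) / len(departures), 1)


def prioritise(results, targets, weights):
    # Weighted-scale ranking (assumed scheme, not NIST's): shortfall against the
    # target multiplied by an importance weight. Unmeasurable items sort first.
    rows = []
    for name, value in results.items():
        if value is None:
            rows.append((name, float("inf")))
            continue
        rows.append((name, max(0.0, targets[name] - value) * weights[name]))
    return sorted(rows, key=lambda r: r[1], reverse=True)
```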

InfoSec Performance Measurement Implementation

Information security performance measures must be implemented and integrated into ongoing information security management operations

It is insufficient to simply collect these measures once

Performance measurement is an ongoing, continuous improvement operation

Collecting InfoSec Measures (cont’d.)

Figure 7-2 Information security measurement program implementation process

Source: Course Technology/Cengage Learning

Reporting InfoSec Performance Measures

Listing the measurements collected does not adequately convey their meaning

Decisions must be made about how to present correlated metrics

Consider to whom the results of the performance measures program should be disseminated, and how they should be delivered

Emerging Trends In Certification And Accreditation

Accreditation

The authorisation of an IT system to process, store, or transmit information

It is issued by a management official and serves as a means of assuring that systems are of adequate quality

Challenges managers and technical staff to find the best methods to assure security, given technical constraints, operational constraints, and mission requirements

Emerging Trends In Certification And Accreditation (cont’d.)

Certification

The comprehensive evaluation of the technical and nontechnical security controls of an IT system

Supports the accreditation process that establishes the extent to which a particular design and implementation meets a set of specified security requirements

Organisations pursue accreditation or certification to gain a competitive advantage

Also provides assurance to customers

SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems

Develops standard guidelines and procedures for certifying and accrediting Federal IT systems

Including the critical infrastructure of the U.S.

Defines essential minimum security controls for Federal IT systems

SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)

Promotes the development of public and private sector assessment organisations

And certification of individuals capable of providing cost effective, high quality, security certifications based on standard guidelines and procedures

SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)

Benefits of the security certification and accreditation (C&A) initiative

More consistent, comparable, and repeatable certifications of IT systems

SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)

Benefits of the security certification and accreditation (C&A) initiative (cont’d.)

More complete, reliable, information for authorising officials

Leads to better understanding of complex IT systems and associated risks and vulnerabilities, and informed decisions by management officials

SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)

Benefits of the security certification and accreditation (C&A) initiative (cont’d.)

Greater availability of competent security evaluation and assessment services

More secure IT systems within the Federal government

Figure 7-3 Special publications supporting SP 800-37

Source: Course Technology/Cengage Learning (Based on NIST SP 800-37)

SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)

Three-step security controls selection process

Step 1: Characterise the system

Step 2: Select the appropriate minimum security controls for the system

Step 3: Adjust security controls based on system exposure and risk decision

SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)

Systems certified to one of three levels

Security Certification Level 1

The entry-level certification appropriate for low priority (concern) systems

Security Certification Level 2

The mid-level certification appropriate for moderate priority (concern) systems

SP 800-37: Guidelines for Security Certification and Accreditation of Federal Information Technology Systems (cont’d.)

Systems certified to one of three levels (cont’d.)

Security Certification Level 3

The top-level certification appropriate for high priority (concern) systems

SP 800-53 Rev 3: Recommended Security Controls for Federal Information Systems and Organisations

SP 800-53 is part two of the C&A project

Its purpose is to establish a set of standardised, minimum security controls for IT systems addressing low, moderate, and high levels of concern for confidentiality, integrity, and availability

SP 800-53 Rev 3: Recommended Security Controls for Federal Information Systems and Organisations (cont’d.)

SP 800-53 (cont’d.)

Controls are broken into the three familiar general classes of security controls: management, operational, and technical

Critical elements represent important security-related focus areas for the system

Each critical element addressed by one or more security controls

SP 800-53 Rev 3: Recommended Security Controls for Federal Information Systems and Organisations (cont’d.)

SP 800-53 (cont’d.)

As technology evolves, so will the set of security controls, requiring additional control mechanisms

Figure 7-4 Participants in the certification and accreditation process

The Future of Certification and Accreditation

Newer NIST documents focus less upon certification and accreditation strategy

And more on a holistic risk management strategy incorporating an authorisation strategy rather than accreditation

Certification is being replaced by the term “security control assessment”

Figure 7-5 Risk management framework

Source: Course Technology/Cengage Learning (Based on content from NIST Risk Management Framework, SP 800-53 Rev. 1)

Summary

Introduction

Security management practices

Emerging trends in certification and accreditation
