Security Management ver 3.0

Information Security Management
© Copyright 2005 (ISC)2® All Rights Reserved.
Information Security Management v5.0
Introduction
• Security management entails the identification
of an organization’s information assets and
the development, documentation, and
implementation of policies, standards,
procedures, and guidelines.
• Management tools such as information
classification, risk assessment, and risk
analysis are used to identify threats, classify
assets, and to rate system vulnerabilities so
that effective controls can be implemented.
Objectives
• The CISSP should be able to:
– Identify the planning, organization, and roles of individuals in
identifying and securing an organization’s information
assets.
– Define the differences between policies, standards,
guidelines and procedures in terms of their application to
security administration.
– Define the importance of security awareness so employees
are aware of the need for information security.
– Describe the importance of risk management practices and
tools to identify, prioritize, and reduce the risk to specific
information assets.
– Define the roles of users in support of security processes.
History of Information Security
Security Management Topics
• Principles and Requirements
• Policy
• Organizational Roles and
Responsibilities
• Information Classification
• Risk Management and Analysis
Section Objectives
• Identify the core principles of
information security
• Describe IT security requirements
• Discuss the need for Information
Security Requirements and Blueprints
Goals of Information Security
• The common thread among good information security objectives is
that they address all three core security principles:
– Confidentiality: prevents unauthorized disclosure of systems and
information.
– Integrity: prevents unauthorized modification of systems and
information.
– Availability: prevents disruption of service and productivity.
IT Security Requirements
IT Security Requirements (cont.)
Organizational & Business
Requirements
• Security must address the business
requirements, not a blanket one-size-fits-all
approach.
IT Security Requirements
Structure
Security Blueprint Solutions
• Blueprints are used to identify,
develop and design security
requirements for a particular
business solution:
– Portal
– Enterprise Resource
Planning (ERP)
– Supply Chain
– Customer Relationships
Management (CRM)
– Manufacturing, etc.
• Not all aspects of a particular
blueprint will apply but all
should be considered.
Architecture Blueprints
• Security Blueprint
– Tailored security best practices that, in
total, form a comprehensive security
policy program and technical
architecture.
– Composed of several security domains,
that at a minimum, are mapped from the
ISO/IEC 17799 standard.
Architecture
Blueprints
(cont.)
Infrastructure Blueprints
• Individual security blueprints reflect:
– Tailored requirements meeting the
organization’s specific requirements.
– Influences from legal, regulatory,
business, and IT drivers.
Quick Quiz
• What are the three core security
principles?
• What are the two types of IT security
requirements? Describe each.
• What is the benefit of using an
Information Security blueprint?
Section Summary
• Confidentiality, integrity, and availability are the
three core security principles.
• Functional requirements define security behavior
of the IT product or system.
• Assurance requirements establish confidence that
the security function will be performed as
intended.
• Information Security blueprints provide proven
models for establishing cost effective, sustainable
security business practices and solutions.
Section Objectives
• Describe the purpose of organizational
policy
• List the supporting elements of policy
implementation
• Summarize the importance of
organizational roles and responsibilities
• Summarize the key components of the
security model
Policy Overview
Policy
• Documents and communicates
management’s goals and objectives.
• Defines the organization’s response to laws,
regulations, and standards of due care.
• Builds a foundation for a comprehensive and
effective security program.
• Defines what assets and principles the
organization considers valuable.
• Identifies organization goals and objectives.
Policy (cont.)
• Protects the company and employees
from ‘surprises’.
• Gives authority to security activity.
• Provides for personal
responsibility/accountability.
• Provides a basis for interpreting or
resolving conflicts that might arise.
• Defines the elements, functions, and
scope of security team.
Policy (cont.)
• Ensures that all employees and
contractors are aware of
organizational policy.
• Written documentation for incident
response and enforcement.
• Provides for exception handling,
rewards, discipline.
Policy Infrastructure
• Once an overall organizational security
policy has been approved by the
governing body of the organization, it is
necessary to develop a supporting
infrastructure of control objectives.
This framework may include other functional
policies such as:
– Email and internet use policy
– Remote access policy
– Fraud policy
Policy Implementation
From policies come the supporting
elements:
• Standards
• Procedures
• Baselines
• Guidelines
These enforce the security policy
principles on every business process and
system.
Standards
• Hardware and software mechanisms and
products.
Examples of Standards:
• Specific anti-virus software
• Specific access control system
• Specific firewall system
• Published guideline (e.g. ISO 17799)
adopted by an organization as a standard.
Procedures
• Step by step required actions
Examples of Procedures:
• User registration
• Contracting for security purposes
• Information system material
destruction
• Incident response
Baselines
• Establishes the implementation methods
for security mechanisms and products
• Platform unique
Examples of Baselines:
• Configurations for intrusion detection
systems
• Configurations for access control systems
Guidelines
• Recommended actions
Examples of Guidelines:
• Government Recommendations
• Security Configuration Recommendations
• ISO 17799 / British Standard 7799
• Organizational Guidelines
• Product/System Evaluation Criteria
Product/System Evaluation Criteria
History
Trusted Computer System
Evaluation Criteria (TCSEC)
• Known as the Orange Book; published
in 1983, it still provides a benchmark for
systems produced decades later.
• Basis for evaluating vendor security
products to protect confidentiality.
• Guidance to users for selection of
vendor products to achieve policy
requirements for data confidentiality.
• Assurance of a certain level of security
in products:
– Customer: a metric to evaluate trust
– Vendor: security features to build in
(Figure: TCSEC trust hierarchy, from higher trust to lower trust: A1, B3, B2, B1, C2, C1, D.)
Trusted Computer System
Evaluation Criteria (TCSEC)
Class   Description
D       Minimal Protection
C1      Discretionary Security Protection
C2      Controlled Access Protection
B1      Labeled Security Protection
B2      Structured Protection
B3      Security Domains
A1      Verified Design
Trusted Computer System
Evaluation Criteria (TCSEC)
Functionality Requirements
Requirement                     C1    C2    B1    B2    B3    A1
Identification/Authentication   Yes   Yes   Yes   =     =     =
DAC                             Yes   Yes   =     =     Yes   =
Audit                                 Yes   Yes   Yes   Yes   =
MAC                                         Yes   Yes   =     =
Labeled Subject & Object                    Yes   =     =     =
Device Labels                                     Yes   =     =
Object Reuse                          Yes   =     =     =     =
Trusted Path                                      Yes   =     =
Yes – New/Changed/Enhanced Functionality Required; = – No Additional Requirements; blank – not required at that class.
Information Technology Security
Evaluation Criteria (ITSEC)
The purpose of ITSEC was to:
• Harmonize security evaluation criteria
internationally.
• Build on experience accumulated.
• Avoid different security evaluation criteria.
• Standardize basic concepts and
approaches
– Across countries, across commercial,
government, or military applications.
Common Criteria - ISO 15408
The purpose of the Common Criteria is to:
• Provide a common structure and language
for expressing product/system IT security
requirements.
• Establish a common criteria base, so
that the results of product security
evaluation will be meaningful to a larger
audience.
Common Criteria
EAL Levels
• EAL-1: Documentation conformity and establishing that the Target
does what its documentation claims.
• EAL-2: Tests the structure of the product through an evaluation,
which includes the product’s design history and testing.
• EAL-3: Evaluates a product in design stage, with independent
verification of the developer’s testing results, and evaluates the
developer’s checks for vulnerabilities, the development
environmental controls, and the Target’s configuration management.
• EAL-4: Is an even greater in-depth analysis of the development and
implementation of the Target and may require more significant
security engineering costs.
• EALs 5-7: Require even more formality in the design process and
implementation, analysis of the Target’s ability to handle attacks and
prevent covert channels, for products in high-risk environments.
ISO 17799 & BS 7799-2
• Two documents.
• Two purposes.
• ISO 17799
– Code of Practice – Guidance and Support
• BS 7799-2
– Management System Standard (certifiable
and measurable requirements)
ISO 17799 / BS 7799-2
ISO 17799
• Comprehensive guidance on a range of controls for
implementing Information Security.
• A package of ‘good’ advice.
BS 7799-2
• Management system standard.
• Used to demonstrate compliance with defined
requirements.
• Assessments against this standard will determine that
selected controls are implemented correctly and
are effective.
BS 7799-2: 10 Categories of
Information Management
Suggested ISO 17799 Blueprint Components
(Figure: component map; the groups below follow the order in which the labels appear in the figure.)
• Management: Administration; Policies & Standards; Procedures;
Classification & Control; Systems Planning; Configuration Management;
Development & Maintenance; Budgeting & Accounting
• Organization: Monitoring; Infrastructure; Logging & Reporting; Personnel;
Incident Response; Roles & Responsibility; Compliance; Training & Awareness;
Audit & Certification; Third-Party Access; Risk Management
• Access Control: Validated Access; Secure Communications; Reliable
Transactions; Authorization; Integrity; Authentication; Non-Repudiation;
Confidentiality; Administration; Accountability
• Environment Access: Perimeter Network; Internal Network; Application;
Facility; Areas; Internet; Workstation; Web/eMail; Extranet; Servers;
Enterprise; Wireless; LAN; Middleware; Dial-Up; WAN; Database; Equipment;
Media
• Infrastructure Integrity: Malicious Software Protection; Content;
Intrusion / Misuse; Physical; Configuration; Operating Systems; Network
Devices; Segmentation
• Availability: Recovery; Continuity; Backup; Redundancy
Security Model Components
(Figure: the components below feed into Effective Security & Assurance.)
• Assess Business Objectives
• Vulnerability Assessments
• Penetration Testing
• Quantitative and Qualitative Risk Assessments
• Risk Analysis
• Define Risk and Threats
• Protection Requirements
• Data Classification
• Functionality Evaluation
• Legal Liabilities
• Cost Effective Solutions
• Security Awareness
• System Reliability
• Anti-Virus Software
• Procedures, Standards, Guidelines
• Countermeasures
• Policies
• Effective Security & Assurance
Organizational Roles and
Responsibilities
• For security to be effective, it is
imperative that individual roles,
responsibilities, and authority are
clearly communicated and
understood by all.
• Organizations must assign security
related functions to designated
employees.
Organizational Roles and
Responsibilities (cont.)
Responsibilities to consider include:
• Executive Management - assigned overall
responsibility for asset protection.
• Information Systems Security
Professionals - responsible for the design,
implementation, management, and review
of the organization’s security policies,
standards, baselines, procedures, and
guidelines.
Organizational Roles and
Responsibilities (cont.)
• Owners - responsible for:
– ensuring that appropriate security,
consistent with the organization’s
security policy, is implemented in their
information systems
– determining appropriate sensitivity or
classification levels
– determining access privileges
Organizational Roles and
Responsibilities (cont.)
• Custodian – the function that has “custody” of the
system/databases, which do not necessarily belong to
it, for any period of time. Usually network
administration or operations.
• Users - responsible to use resources and
preserve availability, integrity, and confidentiality
of assets - responsible to adhere to security
policy.
• IS/IT Function - responsible for implementing
and adhering to security policies.
Organizational Roles and
Responsibilities (cont.)
• Information Systems Auditor - responsible
for:
– providing independent assurance to
management on the appropriateness of the
security objectives.
– determining whether the security policy,
standards, baselines, procedures, and
guidelines are appropriate and effective to
comply with the organization’s security
objectives.
– identifying whether the objectives and
controls are being achieved.
Hiring Procedures
• Background checks.
• Follow up on references.
• Verification of educational records.
• Sign employment agreements:
– Non-disclosure.
– Business ethics including telephone and
Internet usage.
Hiring Procedures (cont.)
• If only low-level checks are done at initial hiring,
be alert to the need for further checks when an
employee moves internally to a position with a
higher classification level.
• Hiring must be co-ordinated with Human
Resources department (not just local
manager).
– Use standard checklists for hiring interviews.
– Cover points such as keys, ID card,
passwords, equipment loaned out to
employee (laptops, cell phones, pagers).
Termination Procedures
• Use standard checklists for
termination interviews.
– Ensure all access cards and tools are
returned.
• Remove user access immediately
upon departure.
• Suspension/disciplinary procedures
Good Practices
• Job descriptions and defined roles and
responsibilities
• Least privilege / need to know
• Separation of duties
– Forces collusion in order to manipulate the
system for unauthorized purposes.
• Job rotation
• Mandatory vacations
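Least privilege and separation of duties are easiest to see when they are enforced in code rather than only written into a job description. The following is an added example, not code from the (ISC)2 slides: a three-step payment workflow in which each step requires its own role (least privilege) and no single principal may perform two steps on the same request, so manipulating the process for an unauthorized payment would require collusion between at least three people. The roles, staff names and amounts are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


class PolicyViolation(Exception):
    """Raised when an action would breach least privilege or separation of duties."""


@dataclass
class Principal:
    name: str
    roles: Set[str]


@dataclass
class PaymentRequest:
    request_id: str
    amount: float
    submitted_by: str
    approved_by: Optional[str] = None
    released: bool = False


class PaymentWorkflow:
    """Submit (clerk) -> approve (approver) -> release (treasury).

    Least privilege: every step checks for the role that step needs, nothing more.
    Separation of duties: the same person may never hold two steps of one request,
    so a single insider cannot push a payment through alone.
    """

    def __init__(self, principals: List[Principal]) -> None:
        self.principals: Dict[str, Principal] = {p.name: p for p in principals}
        self.requests: Dict[str, PaymentRequest] = {}
        self.audit: List[Tuple[str, str, str]] = []  # (action, actor, request_id)

    def _require_role(self, actor: str, role: str) -> None:
        principal = self.principals.get(actor)
        if principal is None or role not in principal.roles:
            raise PolicyViolation(f"{actor} lacks the {role} role")

    def submit(self, actor: str, request_id: str, amount: float) -> PaymentRequest:
        self._require_role(actor, "clerk")
        request = PaymentRequest(request_id, amount, submitted_by=actor)
        self.requests[request_id] = request
        self.audit.append(("submit", actor, request_id))
        return request

    def approve(self, actor: str, request_id: str) -> PaymentRequest:
        self._require_role(actor, "approver")
        request = self.requests[request_id]
        if actor == request.submitted_by:
            raise PolicyViolation("separation of duties: submitter may not approve own request")
        request.approved_by = actor
        self.audit.append(("approve", actor, request_id))
        return request

    def release(self, actor: str, request_id: str) -> PaymentRequest:
        self._require_role(actor, "treasury")
        request = self.requests[request_id]
        if request.approved_by is None:
            raise PolicyViolation("request has not been approved")
        if actor in (request.submitted_by, request.approved_by):
            raise PolicyViolation("separation of duties: a third person must release funds")
        request.released = True
        self.audit.append(("release", actor, request_id))
        return request


def build_demo_workflow() -> PaymentWorkflow:
    """Constructed sample staff: alice holds two roles, which the checks must not let her combine."""
    return PaymentWorkflow([
        Principal("alice", {"clerk", "approver"}),
        Principal("bob", {"approver"}),
        Principal("carol", {"treasury"}),
    ])


if __name__ == "__main__":
    wf = build_demo_workflow()
    wf.submit("alice", "PR-1", 12_500.00)
    try:
        wf.approve("alice", "PR-1")  # alice has the approver role, but she submitted PR-1
    except PolicyViolation as exc:
        print("blocked:", exc)
    wf.approve("bob", "PR-1")
    wf.release("carol", "PR-1")
    print(wf.audit)
```

The audit list is the record that job rotation or an internal audit would review: every step names a different actor, and any attempt that was blocked raises before it is recorded as done.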
Security Awareness
• Awareness material provides employees
with a reminder of their security
responsibilities
• Training provides skills needed to perform
the security functions in their jobs
• Education provides decision-making, and
security management skills that are
important for the success of an
organization’s security program.
Raising the Collective Awareness
• Variety of methods – videos, newsletters,
posters, briefings, key-chains, trinkets, etc.
• Motivate personnel to comply with
requirements.
• To be effective, the campaign must be
creative and frequently changed.
• Should reward practices such as
protecting the physical area and
equipment, protecting passwords, and
reporting security violations.
Providing Training Material &
Courses
• Training should be focused on security-related job skills.
• Specify and address security requirements
of the organization.
• Increase the ability to hold employees
accountable for their actions.
• Specialized or technical training is needed
for specific personnel, such as configuring
firewalls or conducting audits.
Information System Security
Education
• Education that is more in-depth is
typically targeted at information
systems security professionals in
order to gain expertise.
• Normally this is accomplished through
external programs and should be
regarded as part of career
development.
Good Practices
• Speak Audience’s Language by
addressing interests of:
– Management
– Data owner and custodian
– User
– Operations
– Support personnel
Good Practices
• Topics include items such as:
– Policies, standards, procedures, baselines,
and guidelines
– Errors, accidents, and omissions
– Physical and environmental hazards
– Continuity Planning
– Malicious code/logic
– Media handling responsibilities
– Incident reporting
– Social engineering
Information Security Assurance
Mechanisms
• Internal/External Audit Reports
– COBIT, IIA’s Red Book, Yellow Book, etc.
• Periodic Review by Management
– Security Reviews (Internal), Checklists,
Supervision
• Third Party Reviews
– Attack and Penetration Tests
– Policy Review
– Threat Risk Assessments
Quick Quiz
• What are the supporting elements
of policy implementation?
• What is the importance of defining
organizational roles and
responsibilities when implementing
organizational policy?
Section Summary
• Standards, procedures, baselines, and guidelines are the
supporting elements of policy implementation. These
elements help enforce the security policy principles within
each business process and on each system.
• For security to be effective, it is imperative that individual
roles, responsibilities, and authority are clearly
communicated and understood by all.
• ISO 17799 provides comprehensive guidance on a range
of controls for implementing information security.
• BS 7799-2 is the management system standard and can
be used to demonstrate compliance with defined
requirements.
Section Objectives
• Describe the purpose of information
classification
• List the benefits of information
classification
• Summarize the steps involved in
ensuring classification effectiveness
Information Classification
Objectives
• Ensure that information assets receive an
appropriate level of protection.
• Provide security classifications that will indicate
the need and priorities for security protection.
• Minimize risks of unauthorized information
alteration.
• Avoid unauthorized disclosure.
• Maintain competitive edge.
• Protect legal tactics.
• Comply with privacy laws, regulations and
industry standards.
Information Classification Benefits
• Awareness among employees and customers of
the organization’s commitment to protect
information.
• Identification of critical information.
• Identification of sensitivity to modification.
– Enable focus on integrity controls.
• Sensitive to the need to protect confidential
information.
– Understanding of value of information.
– Meeting legal requirements.
Information Classification Examples
• FOUO - For official use only
• Financially sensitive
• Sensitive management
• Proprietary – competitive edge
• Private – records about individuals,
trade secrets, etc.
Information Classification
• Information is classified by the Information
Owner or designate.
– Accurate classification depends on the ability and
knowledge of the classifier.
– Must be aware of regulations and customer and
business expectations.
– Classification must be done in a consistent manner;
often the decisions can be somewhat arbitrary.
– All classified items must be clearly labeled.
– Classification process must include manner for
declassifying and destroying material.
Information Classification (cont.)
• All data handled by the organization must be
reviewed for classification
– Paper, magnetic, video and audio recordings,
facsimile, scratch paper, etc.
• Consider the following as part of classification:
– Exclusive possession (trade secret, etc.)
– Utility (usefulness)
– Cost of creation/recreation
– Liability (for protection)
– Convertibility/negotiability (EFT, etc.)
– Operational impact (if unavailable)
Information Classification (cont.)
Marking and Labeling
• Mark sensitive magnetic or optical
media
• Mark both cover and inside of
documents
• Label documents (or objects) for
access control permissions - such as
in directories, files, or database fields
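Labeling objects for access control, as the slide suggests for directories, files and database fields, comes down to storing a classification label with each object and checking every access against it. The following is an added example and is not part of the original deck: a small labeled record store in which only the information owner may classify or declassify a record, every read is decided by comparing the subject's clearance label with the object's label, and each decision is written to an audit trail. The ordered hierarchy of levels (PUBLIC below FOUO below PROPRIETARY below PRIVATE), the FINANCE compartment, the record names and the owners are assumptions made for this example; the deck lists those classifications as examples without ranking them.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Tuple


class Level(IntEnum):
    """Assumed ordering of the deck's example classifications, lowest to highest."""
    PUBLIC = 0
    FOUO = 1          # For official use only
    PROPRIETARY = 2   # competitive edge
    PRIVATE = 3       # records about individuals, trade secrets


@dataclass(frozen=True)
class Label:
    level: Level
    compartments: FrozenSet[str] = frozenset()  # e.g. {"FINANCE"} for financially sensitive data

    def dominates(self, other: "Label") -> bool:
        """True when this label's level is at least as high as the other's and it
        holds every compartment the other label is marked with."""
        return self.level >= other.level and other.compartments <= self.compartments


@dataclass
class Record:
    name: str
    owner: str
    label: Label


class LabeledStore:
    """Each record carries its label as a field; every access is checked against it."""

    def __init__(self) -> None:
        self.records: Dict[str, Record] = {}
        self.audit: List[Tuple[str, str, str, str]] = []  # (action, actor, record, outcome)

    def add(self, record: Record) -> None:
        self.records[record.name] = record

    def classify(self, actor: str, name: str, label: Label) -> None:
        """Only the information owner (or designate) may set or change a label."""
        record = self.records[name]
        if actor != record.owner:
            self.audit.append(("classify", actor, name, "denied"))
            raise PermissionError(f"{actor} is not the owner of {name}")
        record.label = label
        self.audit.append(("classify", actor, name, f"set {label.level.name}"))

    def declassify(self, actor: str, name: str) -> None:
        """Declassification is an owner decision that is recorded, never a silent edit."""
        self.classify(actor, name, Label(Level.PUBLIC))

    def read(self, actor: str, clearance: Label, name: str) -> bool:
        """Grant the read only if the subject's clearance dominates the record's label."""
        record = self.records[name]
        allowed = clearance.dominates(record.label)
        self.audit.append(("read", actor, name, "granted" if allowed else "denied"))
        return allowed


def build_demo_store() -> LabeledStore:
    """Constructed sample records; names, owners and labels are illustrative only."""
    store = LabeledStore()
    store.add(Record("q3-forecast", owner="cfo",
                     label=Label(Level.PRIVATE, frozenset({"FINANCE"}))))
    store.add(Record("visitor-policy", owner="facilities", label=Label(Level.FOUO)))
    return store


if __name__ == "__main__":
    store = build_demo_store()
    analyst = Label(Level.PROPRIETARY, frozenset({"FINANCE"}))
    print("analyst reads forecast:", store.read("analyst", analyst, "q3-forecast"))
    store.declassify("cfo", "q3-forecast")
    print("analyst reads forecast after declassification:",
          store.read("analyst", analyst, "q3-forecast"))
    for entry in store.audit:
        print(entry)
```

The audit trail is what the later slide on assurance of classification effectiveness would review: denied reads show where clearances and labels disagree, and every label change names the owner who made it.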
Assurance of Classification
Effectiveness and Adherence
• Periodic checks for documents left in
‘open view’.
• Information Flow Matrix review.
• Data Dictionary review.
• Check for correct disposal/shredding of
documents/media.
• Review of access levels of users.
• Physical Security including access by
maintenance and cleaning personnel.
Quick Quiz
• What are some of the benefits of
information classifications?
• What types of information should be
reviewed for classifications?
Section Summary
• Information classifications help ensure that
information assets receive the appropriate
level of protection.
• All media containing data handled by the
organization must be reviewed for
classification, including paper, magnetic
media, video, audio, facsimile, etc.
• Classifications must be done in a consistent
manner.
Section Objectives
• Define the key risk management terms
• Describe the importance of a risk analysis
• List examples of potential threats
• Describe the two types of risk analysis –
quantitative and qualitative
• Describe the safeguards selection
principles
Risk Management Definitions
• Asset - a resource (physical or logical) that is valued by the
organization.
• Threat - any potential danger to information or an information
system.
• Threat Agent – the source that has the potential of causing a
threat.
• Exposure - instance of being exposed to losses from a threat.
• Vulnerability - an information system weakness that could be
exploited.
• Attack – an action intending harm by exploiting a vulnerability.
• Countermeasures and Safeguards - an entity that mitigates
the potential risk.
• Risk - likelihood of an unwanted event occurring.
• Residual Risk - the portion of risk that remains.
Risk Management Information
Security Concept Flow
Risk Management Definition
• A discipline for living with the possibility
that future events may cause harm.
• Risk Management reduces risks by
defining and controlling threats and
vulnerabilities.
(Threats, Vulnerability, & Asset Value) = Total Risk
Concept of mitigating controls:
Total Risk - Countermeasures = Residual Risk
Risk Management Control Objectives
(Figure: risk matrix plotting Probability of Occurrence against Consequence of Occurrence, divided into red, orange, yellow and green areas.)
• Risk levels in the red area
indicate immediate action
should be taken to reduce the
risk.
• Risk levels in the orange area
indicate that actions should be
planned and initiated to reduce
the risk.
• Risk levels in the yellow area
indicate these should be
monitored and prepared to
respond if they are realized.
• Risk levels in the green area
indicate no specific actions
need to be taken.
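The two relations on the Risk Management Definition slide (threats, vulnerability and asset value give total risk; total risk less countermeasures gives residual risk) and the four-colour action matrix on this slide can be combined into a small risk register calculator. The following is an added example, not code from the original slides. It assumes that threat likelihood multiplied by vulnerability likelihood yields the probability of occurrence, that asset value stands in for the consequence of occurrence, and that countermeasures act on the vulnerability term; the 1..5 probability bands, the zone thresholds on the 1..25 score and the sample assets are constructed for illustration.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class RiskEntry:
    asset: str
    asset_value: int             # consequence of occurrence, 1 (negligible) .. 5 (severe)
    threat: float                # likelihood that a threat agent acts, 0..1
    vulnerability: float         # likelihood the action succeeds, 0..1
    countermeasure: float = 0.0  # fraction of the vulnerability the safeguards remove, 0..1


# Assumed zone thresholds on the 1..25 score; the deck only names the four areas.
ZONES: List[Tuple[int, str, str]] = [
    (16, "red", "immediate action to reduce the risk"),
    (10, "orange", "plan and initiate actions to reduce the risk"),
    (5, "yellow", "monitor and prepare to respond"),
    (0, "green", "no specific action needed"),
]


def probability_band(probability: float) -> int:
    """Map a 0..1 probability onto the matrix's 1..5 probability axis."""
    return max(1, min(5, math.ceil(probability * 5)))


def total_risk(entry: RiskEntry) -> int:
    """Threat x vulnerability is the probability of occurrence; asset value the consequence."""
    return probability_band(entry.threat * entry.vulnerability) * entry.asset_value


def residual_risk(entry: RiskEntry) -> int:
    """Countermeasures reduce the vulnerability term; what is left is residual risk."""
    remaining_vulnerability = entry.vulnerability * (1 - entry.countermeasure)
    return probability_band(entry.threat * remaining_vulnerability) * entry.asset_value


def zone(score: int) -> Tuple[str, str]:
    """Return the (colour, required action) for a score on the matrix."""
    for threshold, colour, action in ZONES:
        if score >= threshold:
            return colour, action
    raise ValueError("score must be non-negative")


def assess(register: List[RiskEntry]) -> List[Dict[str, object]]:
    """Score every entry and order the register by residual risk, highest first."""
    rows = []
    for entry in register:
        total, residual = total_risk(entry), residual_risk(entry)
        colour, action = zone(residual)
        rows.append({"asset": entry.asset, "total": total, "residual": residual,
                     "zone": colour, "action": action})
    return sorted(rows, key=lambda r: r["residual"], reverse=True)


# Constructed sample register; assets and figures are illustrative only.
REGISTER = [
    RiskEntry("customer database", asset_value=5, threat=0.8, vulnerability=0.9, countermeasure=0.75),
    RiskEntry("payroll server", asset_value=4, threat=0.5, vulnerability=0.6, countermeasure=0.5),
    RiskEntry("lobby kiosk", asset_value=1, threat=0.9, vulnerability=0.5),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['asset']:18} total={row['total']:2} residual={row['residual']:2} "
              f"{row['zone']:6} {row['action']}")
```

Comparing the total and residual columns shows which safeguards are doing the work: the customer database starts in the red area on total risk and drops to yellow once its countermeasure is applied, while the kiosk never leaves green and needs no spend at all.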
How Much Security is Enough?
• This decision is the balance between the cost to protect
an asset against the level of acceptable risk.
• To determine the answer to this question, we must
understand the:
– Adversary, means, motives, and opportunity;
– Asset value;
– Threats;
– Vulnerabilities;
– Resulting Risk;
– Countermeasures; and
– Risk tolerance.
Security is a Balancing Act!!!
Adversaries, Means, Motives, and
Opportunities
(Figure: adversaries mapped to their means, motives and opportunities. Labels recoverable from the figure: adversary: spy; means: expertise, resources, tools; scripts, tools, books; sophisticated tools, expertise and infinite resources; infinite time, tools, social engineering; motives: national security, industry espionage, monetary gain & revenge, prestige & thrill, curiosity, financial damage; opportunity: classified information and services.)
Purpose of Risk Analysis
• Risk Analysis
– Identify the threats to business
processes and information systems.
– Justify the implementation of specific
countermeasures to mitigate risk.
Importance of Risk Analysis
• Risk Analysis is important in order to
ensure that the resources and policy of an
organization are directed appropriately.
• Focus
– To identify the areas of risk to an organization
or functional area.
– To identify special circumstances that may
need better controls – regulatory and financial
areas.
Additional Benefits of Risk Analysis
• May be applicable to
– The business continuity process.
– Insurance and liability.
– Implementing countermeasures, new
controls and procedures.
– Legitimizing security awareness
programs.
Examples of Threats
Threats include, but are not limited to:
• Unauthorized access
• Hardware failure
• Utility failure
• Loss of key personnel
• Human errors
• Neighboring hazards
• Tampering
• Disgruntled employees
Emerging Threats Factor
Risk Assessment must also include
emerging threats:
• New technology
• Change in culture
• Unauthorized use of technology (e.g.,
wireless technologies, rogue
modems, PDAs (Personal Digital
Assistants), unlicensed software)
Input Sources to Identify Threats
Includes, but is not limited to:
• Users
• System administrators
• Auditors
• Security officers
• Operations
• Facility records
• Community records
• Government records
• Watchdog alerts (CERT/CC, Bugtraq, etc.)
Risk Analysis Key Factors
• Obtain Management Support.
– Define and approve purpose and scope
of Risk Assessment Team.
– Select team members.
– State official authority and responsibility
of team.
– Have Management review findings and
recommendations.
Suggested Team Members
• Information System Security
• IT & Operations management
• System and network administrators
• Internal audit
• Physical security
• Business process and information owners
• Advisors (Human Resources, Legal, Emergency Measures Coordinator, Safety Officers)
Preliminary Security Evaluation
• Identify vulnerabilities related to:
– Natural disasters
– Environment - work scene
– Facility
– Access controls
– Data processing controls
• Review existing security measures.
• Document findings.
• Obtain management review and approval.
Risk Analysis Types
Subtopics
• Quantitative Risk Analysis
– Primary Steps
– Automated Tools
• Qualitative Risk Analysis
Quantitative Risk Analysis Definition
• Attempts to assign independent, objective numeric values
(e.g., monetary values) to the elements of the risk
assessment and to the assessment of potential losses.
• When all elements (asset value, impact,
threat frequency, safeguard effectiveness,
safeguard costs, uncertainty and
probability) are quantified, the process is
considered to be fully quantitative.
Quantitative Risk Analysis
Difficulties
• Purely quantitative risk analysis can
be difficult to achieve -- quantitative
measures must be applied to
qualitative elements.
• Usually requires substantial time
and personnel resources to
complete the quantitative process.
Three Steps for Quantitative
Three primary steps are:
1. Estimate potential losses
2. Conduct a threat analysis
3. Determine annual loss expectancy
Step One
Estimate potential losses
(SLE – Single Loss Expectancy)
– SLE = Asset Value ($) × Exposure Factor (%)
– The Exposure Factor is the percentage of the asset's value that is lost
when the threat is successful
– Types of loss to consider:
• Physical destruction/theft of assets
• Loss of data
• Theft of information
• Indirect theft of assets
• Delayed processing
Step Two
Conduct threat analysis
ARO – Annual Rate of Occurrence
– Number of exposures or incidents that
could be expected per year.
– Likelihood of an unwanted event
happening.
Step Three
Determine Annual Loss Expectancy
– Combine potential loss and rate/year
– Magnitude of risk = Annual Loss Expectancy
– Guide
• Security measures
• Amount to spend
Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)
Using Automated Tools
• Objective: minimize manual effort.
– Once the database has been created, rerun the
analysis with different parameters to answer the
“what ifs”.
– Perform calculations quickly.
• Estimate future expected losses.
• Determine benefit of security measures.
Subtopics
• Quantitative Risk Analysis
• Qualitative Risk Analysis
Qualitative Risk Analysis Definition
• Scenario oriented
• Does not attempt to assign absolute
numeric values to components.
• Purely qualitative risk analysis is
possible.
Qualitative Risk Analysis - Process
• Rank seriousness of threats and sensitivity
of assets.
– Qualitative grades such as:
• Blank (no effect)
• Low
• Medium
• High
• Perform a carefully reasoned risk
assessment.
Qualitative Risk Analysis –
Scenarios
• Match threats to assets via scenarios.
• Describe range of threats.
– Potential act
– Assets subject to loss
• Procedure
– Write scenario for each major threat.
– Functional managers review each scenario for credibility
and practicality.
– Evaluate use of safeguards.
Qualitative Risk Analysis –
Scenarios (cont.)
• Test scenarios
– Based on test results, document findings
• Current/planned protection
• Remaining deficiencies
• Scalability
– Limited security study: 2 or 3 one-page scenarios.
– Broad study: hundreds of scenarios.
• Advantages
– Communication
– Identifying security strengths and vulnerabilities
– Evaluating safeguards
Other Risk Analysis Methods
• Failure Modes and Effects Analysis
– Examine potential failures of each part or
module
– Examine effects of failure at three levels
• Immediate level (part or module)
• Intermediate level (process or package)
• System-wide
– Collect total impact for failure of given
modules
– Determine whether module should be
strengthened or further supported
Other Risk Analysis Methods
• Fault Tree Analysis
– Sometimes known in information security as
‘spanning tree analysis’
– Create a "tree" of all possible threats to or
faults of the system
• ‘Branches’ are general categories such as
network threats, physical threats,
component failures, etc.
• Prune ‘branches’ that do not apply
– If system is not networked, eliminate network
branch
• Concentrate on remaining threats
The Value of Information
• Determine asset costs and value.
– Cost to acquire, develop, and maintain.
– Value to owners, custodians, users, or
adversaries.
– Recognize cost and value in the real world.
• Price others are willing to pay (published
references, mailing lists, etc.).
• Value of intellectual property (trade secrets,
patents, copyrights, etc.).
Factors that affect Information
Valuation
• Circumstances that affect value
– Time-sensitive value of information.
– Replacement without disruption/loss.
– Any undesirable results from
disclosure/modification/denial-of-use.
– Lost opportunity costs if value not
established.
Comparison
Rating Likelihood and
Consequences
• Likelihood and Consequences rating

  Likelihood                   Rating   Consequence                                                        Rating
  Rare (very low)              E        Insignificant (low – no business impact)                           1
  Unlikely (low)               D        Minor (low – minor business impact, some loss of confidence)       2
  Moderate (medium)            C        Moderate (medium – business is interrupted, loss of confidence)    3
  Likely (high)                B        Major (high – business is disrupted, major loss of confidence)     4
  Almost Certain (very high)   A        Catastrophic (high – business cannot continue)                     5

• Likelihood Qualification – how to arrive at a likelihood rating

  How to Qualify Likelihood                                                  Rating
  Skill (high skill level required → low or no skill required)               1 = high skill required, 5 = no skill required
  Ease of Access (very difficult to do → very simple to do)                  1 = very difficult, 5 = simple
  Incentive (low incentive → high incentive)                                 1 = low or no incentive, 5 = high incentive
  Resource (requires expensive or rare equipment → no resources required)    1 = rare/expensive, 5 = no resource required
  Total (add the four ratings and divide by 4)                               1 = E, 2 = D, 3 = C, 4 = B, 5 = A
Risk Levels (ANZ 4360 Standard)
Likelihood \ Consequence   Insignificant (1)   Minor (2)   Moderate (3)   Major (4)   Catastrophic (5)
A (almost certain)         H                   H           E              E           E
B (likely)                 M                   H           H              E           E
C (possible)               L                   M           H              E           E
D (unlikely)               L                   L           M              H           E
E (rare)                   L                   L           M              H           H

E = Extreme Risk: Immediate action required to mitigate the risk or decide to not proceed
H = High Risk: Action should be taken to compensate for the risk
M = Moderate Risk: Action should be taken to monitor the risk
L = Low Risk: Routine acceptance of the risk
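The likelihood qualification scale and the risk matrix above, carried through as one added Python example (this is illustration code, not tooling from the (ISC)2 course): the four 1..5 qualifiers are averaged to a likelihood letter, which is then looked up against a consequence rating to give a risk level and its recommended action. Rounding the average to the nearest whole rating (halves up) is an assumption the slides do not state.

```python
# Added example (not course material): qualitative likelihood scoring and the
# 5x5 risk matrix from the slides; the rounding rule is an assumption.
LIKELIHOOD_LETTER = {1: "E", 2: "D", 3: "C", 4: "B", 5: "A"}

# Rows: likelihood letter; columns: consequence rating 1..5 (Insignificant ..
# Catastrophic), transcribed from the Risk Levels table.
RISK_MATRIX = {
    "A": "HHEEE",  # almost certain
    "B": "MHHEE",  # likely
    "C": "LMHEE",  # possible
    "D": "LLMHE",  # unlikely
    "E": "LLMHH",  # rare
}

RISK_ACTION = {
    "E": "Extreme Risk: immediate action required or decide not to proceed",
    "H": "High Risk: action should be taken to compensate for the risk",
    "M": "Moderate Risk: action should be taken to monitor the risk",
    "L": "Low Risk: routine acceptance of the risk",
}

def _check_rating(name: str, value: int) -> None:
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")

def likelihood_rating(skill: int, ease: int, incentive: int, resource: int) -> str:
    """Average the four qualifiers (each oriented so 5 = more likely: no skill
    needed, simple to do, high incentive, no resources needed) and map 1..5 to
    E..A. The slide says 'add and divide by 4'; rounding halves up is assumed."""
    for name, v in (("skill", skill), ("ease", ease),
                    ("incentive", incentive), ("resource", resource)):
        _check_rating(name, v)
    average = (skill + ease + incentive + resource) / 4
    return LIKELIHOOD_LETTER[int(average + 0.5)]

def risk_level(likelihood: str, consequence: int) -> str:
    """Risk level letter (E/H/M/L) for a likelihood letter and consequence 1..5."""
    if likelihood not in RISK_MATRIX:
        raise ValueError(f"likelihood must be one of A..E, got {likelihood!r}")
    _check_rating("consequence", consequence)
    return RISK_MATRIX[likelihood][consequence - 1]

def assess(skill: int, ease: int, incentive: int, resource: int,
           consequence: int) -> tuple[str, str, str]:
    """(likelihood letter, risk level, recommended action) for one scenario."""
    likelihood = likelihood_rating(skill, ease, incentive, resource)
    level = risk_level(likelihood, consequence)
    return likelihood, level, RISK_ACTION[level]
```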
Remedial Selection Measures
• Risk Reduction: Provide countermeasures to reduce
the risk and strengthen the security posture
• Risk Transference: Transfer risk to another party.
Example: Insurance
• Risk Acceptance: Accepting the risk and absorbing the
cost when and if it occurs
• Risk Avoidance: Decide not to continue with the activity
or not to support the situation that causes the risk
Risk Acceptance
• Security is the balance of protection measures
against the acceptance of risk.
Risk Acceptance:
• Is a cost decision
– The amount of investment required to lower the risk.
• Is a pain decision
– The ability to deal with ongoing security incidents.
• Is a visibility decision
– The potential impact to corporate reputation.
• Should not be a surprise decision
– Accepting risk without knowing it.
Countermeasure and Safeguard
Selection Principles
Cost Effectiveness
• Cost/benefit analysis
– Total cost of safeguard
• Selection
• Acquisition (materials and mechanisms)
• Construction and placement
• Environment modification
• Nontrivial operating cost
• Maintenance, Testing
Countermeasure and Safeguard
Cost Effectiveness
• Cost must justify the potential loss, where cost
must never exceed the benefit
• (ALE before Safeguard) – (ALE after Safeguard) – (Annual cost of Safeguard) = Value of Safeguard
• Example: (ALE before Safeguard, $10,000) – (ALE after Safeguard, $1,000) – (Annual cost of Safeguard, $500) = Value of Safeguard, $8,500
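The three quantitative steps (SLE, ARO, ALE) and the safeguard value formula above, carried through as one added Python example (illustration code, not the course's own material): it values several candidate safeguards against one unprotected exposure and flags any whose annual cost exceeds the loss it prevents. The asset figures are constructed, and modelling a safeguard by the residual EF and ARO it leaves behind is this example's assumption.

```python
# Added example (not course material): SLE = AV x EF, ALE = SLE x ARO, value = ALE_before - ALE_after - cost.
from dataclasses import dataclass

@dataclass(frozen=True)
class Exposure:
    asset_value: float      # AV in dollars
    exposure_factor: float  # EF: fraction of AV lost per successful event, 0..1
    aro: float              # Annualized Rate of Occurrence, events per year

@dataclass(frozen=True)
class Safeguard:
    """Candidate control, modelled (this example's assumption) by the residual
    EF and ARO the exposure would have with the control in place."""
    name: str
    annual_cost: float
    residual_ef: float
    residual_aro: float

def sle(e: Exposure) -> float:
    """Step one: Single Loss Expectancy = Asset Value x Exposure Factor."""
    if not 0.0 <= e.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return e.asset_value * e.exposure_factor

def ale(e: Exposure) -> float:
    """Steps two and three: Annualized Loss Expectancy = SLE x ARO."""
    return sle(e) * e.aro

def safeguard_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """(ALE before) - (ALE after) - (annual cost of safeguard) = value of safeguard.
    A negative value means the safeguard costs more than the loss it prevents."""
    return ale_before - ale_after - annual_cost

def rank_safeguards(before: Exposure, candidates: list[Safeguard]) -> list[tuple[str, float]]:
    """Value each candidate against the unprotected exposure, best value first."""
    base = ale(before)
    scored = []
    for s in candidates:
        after = Exposure(before.asset_value, s.residual_ef, s.residual_aro)
        scored.append((s.name, safeguard_value(base, ale(after), s.annual_cost)))
    return sorted(scored, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    # Constructed scenario: $100,000 server, 20% loss per incident, 0.5 incidents/year.
    server = Exposure(100_000, 0.20, 0.5)
    options = [Safeguard("patch management", 500, residual_ef=0.20, residual_aro=0.05),
               Safeguard("hot standby site", 7_000, residual_ef=0.10, residual_aro=0.5)]
    print(f"SLE ${sle(server):,.0f}  ALE ${ale(server):,.0f}")
    for name, value in rank_safeguards(server, options):
        print(f"{name}: value ${value:,.0f}", "(cost exceeds benefit)" if value < 0 else "")
```

With the constructed figures the first control reproduces the slide's $8,500 result, while the second comes out negative and would be rejected on cost grounds.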
Selection Principles (cont.)
• Accountability
– At least one person for each safeguard
– Associate directly with performance
• Absence of design secrecy
– Changeability of safeguards
• Audit Capability
– Must be testable
– Include auditors in design and implementation
Selection Principles (cont.)
• Vendor trustworthiness
– Review past performance
• Independence of control and subject
– Safeguards control/constrain subjects
– Controllers administer safeguards
– Controllers and subjects different populations
• Universal application
– Impose safeguards uniformly
– Minimize exceptions
Selection Principles (cont.)
• Compartmentalization and defense in
depth
– Safeguard’s role
• Relative to environment and other safeguards
• Compartmentalization localizes vulnerability
• Depth establishes serial hurdles
• Isolation, economy, and least common
mechanism
– Isolate from other safeguards
– Minimize dependence on common mechanisms
– A simple design is cost effective and reliable
Selection Principles (cont.)
• Acceptance and tolerance by personnel
– Avoid unreasonable constraints
• Minimum human intervention
– Manual functions are the weakest part of a safeguard
• Sustainability
– More automatic = more sustainable
Selection Principles (cont.)
• Reaction and recovery
– Evaluate reaction when activated
• Avoid asset destruction
• Does not provide covert channel
• Does not panic personnel
• Does stop loss
• Does identify suspect
Selection Principles (cont.)
• Override and fail-safe defaults
– Safeguards must have shutdown capability
– Default to lack of permission
• Residuals and reset
– Conditions after safeguard activation
• Assets at least as secure as before
– Asset protection during resetting
– Erasure of residual data
Quick Quiz
• What is a threat?
• How does risk management reduce
risk?
• What are the two types of risk
analysis?
Section Summary
• A threat is any potential danger to
information or an information system.
• Risk management reduces risk by
defining and controlling threats and
vulnerabilities.
• The two types of risk analysis are
quantitative and qualitative risk
analysis.
Sections of ISO 27002
1. Risk assessment
2. Security policy - management direction
3. Organization of information security - governance of information security
4. Asset management - inventory and classification of information assets
5. Human resources security - security aspects for employees joining, moving and leaving an organization
6. Physical and environmental security - protection of the computer facilities
7. Communications and operations management - management of technical security controls in systems and networks
8. Access control - restriction of access rights to networks, systems, applications, functions and data
9. Information systems acquisition, development and maintenance - building security into applications
10. Information security incident management - anticipating and responding appropriately to information security breaches
11. Business continuity management - protecting, maintaining and recovering business-critical processes and systems
12. Compliance - ensuring conformance with information security policies, standards, laws and regulations