Midterm Review Info Sec ch 1-7

Review Schedule

In a changing environment, policies can retain their effectiveness only if they are periodically reviewed for currency and accuracy, and modified to keep them updated • Any policy document should contain a properly organized schedule of reviews • Generally, a policy should be reviewed at least annually

Security Awareness

One of the least frequently implemented, but most effective security methods is the security awareness program • Security awareness programs: - set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure - remind users of the procedures to be followed When developing an awareness program: - Focus on people - Refrain from using technical jargon - Use every available venue - Define learning objectives, state them clearly, and provide sufficient detail and coverage - Keep things light - Don't overload the users - Help users understand their roles in InfoSec - Take advantage of in-house communications media - Make the awareness program formal; plan and document all actions. - Provide good information early, rather than perfect information late.

Mitigation

Reducing the impact to information assets should an attacker successfully exploit a vulnerability The mitigation risk control strategy is the control approach that attempts to reduce, by means of planning and preparation, the damage caused by a realized incident or disaster • This approach includes three types of plans: - Disaster recovery (DR) plan - Incident response (IR) plan - Business continuity (BC) plan • Mitigation depends upon the ability to detect and respond to an attack as quickly as possible

theft

ex illegal confiscation of equipment or information

practices figure 4-2

"Examples of actions that illustrate compliance with policies"

Information Security Roles and Titles

-Chief Information Security Officer (CISO) or Chief Security Officer (CSO) - Security managers - Security administrators and analysts - Security technicians - Security staffers and watchstanders - Security consultants - Security officers and investigators - Help desk personnel

4 steps FDIC: SLA

-Determining objectives - Defining requirements - Setting measurements - Establishing accountability

12 category of threat

1. compromises to intellectual property 2. Deviations in quality of service 3.Espionage or Trespass 4.Forces of Nature 5.Human Error or Failure 6.Information Extortion 7.Sabotage or Vandalism 8. Software Attacks 9. Technical Hardware Failures 10. Technical Software Failure 11.Technological obsolenscence 12. Theft

Issue-specific information security policies (ISSP)

An Issue-specific security policy (ISSP) is - An organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies • An issue-specific security policy (ISSP) is designed to regulate the use of some technology or resource issue within the organization • In some organizations, ISSPs are referred to as fair and responsible use policies, describing the intent of the policy to regulate appropriate use • The ISSP should assure members of the organization that its purpose is not to establish a foundation for administrative enforcement or legal prosecution but rather to provide a common understanding of the purposes for which an employee can and cannot use the resource Every organization's ISSPs should: - Address specific technology-based systems - Require frequent updates - Contain an issue statement on the organization's position on an issue

Help Desk Personnel

An important part of the information security team is the help desk, which enhances the security team's ability to identify potential problems • When a user calls the help desk with a complaint about his or her computer, the network, or an Internet connection, the user's problem may turn out to be related to a bigger problem, such as a hacker, denial-ofservice attack, or a virus • Because help desk technicians perform a specialized role in information security, they have a need for specialized training

Threat Assessment

Armed with a properly classified inventory, you can assess potential weaknesses in each information asset—a process known as threat assessment • Any organization typically faces a wide variety of threats; if you assume that every threat can and will attack every information asset, then the project scope becomes too complex • To make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated at the end

Risk Assessment

Assessing the relative risk for each vulnerability is accomplished via a process called risk assessment • Risk assessment assigns a risk rating or score to each specific vulnerability • While this number does not mean anything in absolute terms, it enables you to gauge the relative risk associated with each vulnerable information asset, and it facilitates the creation of comparative ratings later in the risk control process

Risk Appetite

Before the organization can or should proceed, it needs to understand whether the current level of controls identified at the end of the risk assessment process results in a level of risk management it can accept • The amount of risk that remains after all current controls are implemented is residual risk • The organization may very well reach this point in the risk management process, examine the documented residual risk, simply state, "Yes, we can live with that," and then document everything for the next risk management review cycle • What is difficult is the process of formalizing exactly what the organization "can live with"; this process is the heart of risk appetite

Alternatives to Feasibility Analysis

Benchmarking • Due care and due diligence • Best business practices • Gold standard • Government recommendations and best practices • Baseline

Managerial Guidance SysSPs

Created by management to guide the implementation and configuration of technology • Applies to any technology that affects the confidentiality, integrity or availability of information • Informs technologists of management intent

CIA Triad figure 1.3 *

Data & services: Confidentiality Integrity Availability

ch 7 five strategy options

Defense, Transference, Mitigation, Acceptance, and Termination

Maintenance Phase

During the maintenance phase, the policy development team monitors, maintains, and modifies the policy as needed to ensure that it remains effective as a tool to meet changing threats • The policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously • Periodic review should be built in to the process

Identifying Threats

Each threat presents a unique challenge to information security and must be handled with specific controls that directly address the particular threat and the threat agent's attack strategy • Before threats can be assessed in the risk identification process, however, each threat must be further examined to determine its potential to affect the targeted information asset • In general, this process is referred to as a threat assessment

Enterprise information security program policy (EISP)

Enterprise information security policy (EISP) is that high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts • An EISP is also known as a security program policy, general security policy, IT security policy, high-level InfoSec policy, or simply an InfoSec policy

three types of information security policy

Enterprise information security program policy (EISP) Issue-specific information security policies (ISSP) Systems-specific policies (SysSPs)

Assessing Risk

Estimating risk is not an exact science; thus some practitioners use calculated values for risk estimation, whereas others rely on broader methods of estimation • The goal is to develop a repeatable method to evaluate the relative risk of each of the vulnerabilities that have been identified and added to the list

Guidelines for Effective Policy

For policies to be effective, they must be properly: 1. Developed using industry-accepted practices, and formally approved by management 2. Distributed using all appropriate methods 3. Read by all employees 4. Understood by all employees 5. Formally agreed to by act or affirmation 6. Uniformly applied and enforced

Security in Small Organizations

In a small organization, InfoSec often becomes the responsibility of a jack-of-all-trades, a single security administrator with perhaps one or two assistants for managing the technical components • It is not uncommon in smaller organizations to have the systems or network administrators play these many roles • Because resources are often limited in smaller organizations, the security administrator frequently turns to freeware or open source software to lower the costs of assessing and implementing security • In small organizations, security training and awareness is most commonly conducted on a one-on-one basis, with the security administrator providing advice to users as needed Some feel that small organizations, to their advantage, avoid some threats precisely because of their small size • Threats from insiders are also less likely in an environment where every employee knows every other employee • In general, the less anonymity an employee has, the less likely he or she feels able to get away with abuse or misuse of company assets • Smaller organizations typically have either one individual who has full-time duties in InfoSec or, more likely, one individual who manages or conducts InfoSec duties in addition to those of other functional areas, most likely IT, possibly with one or two assistants

Policy and Revision Date

In some organizations, policies are drafted and published without a date, leaving users of the policy unaware of its age or status • This practice can create problems, including legal ones, if employees are complying with an out-of-date policy • Ideally, the policy document should include its date of origin, along with the dates, if any, of revisions • Some policies may need a "sunset clause," particularly if they govern information use for a short-term association with second-party businesses or agencies

Implementation Phase

In the implementation phase, the team must create a plan to distribute and verify the distribution of the policies • Members of the organization must explicitly acknowledge that they have received and read the policy (compliance) • The simplest way to document acknowledgment of a written policy is to attach a cover sheet that states "I have received, read, understood, and agreed to this policy" - The employee's signature and date provide a paper trail of his or her receipt of the policy

Policy Administrator

Just as information systems and InfoSec projects must have a champion and a manager, so must policies • The policy champion position combined with the manager position is called the policy administrator • Typically, this person is a mid-level staff member who is responsible for the creation, revision, distribution, and storage of the policy

Policy Development and Implementation Using the SecSDLC

Like any major project, a policy development or redevelopment project should be well planned, properly funded, and aggressively managed to ensure that it is completed on time and within budget • One way to accomplish this goal is to use a systems development life cycle (SDLC)

Likelihood

Likelihood is the overall rating - a numerical value on a defined scale - of the probability that a specific vulnerability will be exploited • Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset, i.e. 1- 100, low-med-high, etc. • Whatever rating system you employ for assigning likelihood, use professionalism, experience, and judgment to determine the rating—and use it consistently • Whenever possible, use external references for likelihood values, after reviewing and adjusting them for your specific circumstances

Information Aggregation

Many organizations collect, swap, and sell personal information as a commodity

Security in Medium-Sized Organizations

Medium-sized organizations may still be large enough to implement the multi-tiered approach to security described for large organizations, though perhaps with fewer dedicated groups and more functions assigned to each group • In a medium-sized organization, more of the functional areas are assigned to other departments within IT but outside the InfoSec department, especially the central authentication function • The medium-sized organization only have one full-time security person, with perhaps three individuals with part-time InfoSec responsibilities

Microsoft Risk Management Approach

Microsoft Corp. also promotes a risk management approach • Four phases in the MS InfoSec risk management process: - Assessing risk - Conducting decision support - Implementing controls - Measuring program effectiveness

Common law, case law, and precedent

Originates from a judicial branch or oversight board and involves the interpretation of law based on the actions of a previous and/or higher court or board

Security Managers

Security managers are accountable for the day-to-day operations of the InfoSec program • They accomplish objectives identified by the CISO, to whom they and they resolve issues identified by technicians, administrators, analysts, or staffers whom they supervise • Managing security requires an understanding of technology but not necessarily technical mastery

Security Staffers and Watchstanders

Security staffer is a catchall title that applies to those who perform routine watchstanding or administrative activities • The term "watchstander" includes the people who watch intrusion consoles, monitor e-mail accounts, and perform other routine yet critical roles that support the mission of the InfoSec department • Security watchstanders are often entry-level InfoSec professionals responsible for monitoring some aspect of the organization's security posture, whether technical or managerial • In this position, new InfoSec professionals have the opportunity to learn more about the organization's InfoSec program before becoming critical components of its administration

Security Technician

Security technicians are the technically qualified individuals who configure firewalls and IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that security technology is properly implemented • A security technician is usually an entry-level position, but one that requires strong technical skills, which can make this job challenging for those who are new to the field, given that it is difficult to get the job without experience and yet experience comes with the job • Security technicians who want to move up in the corporate hierarchy must expand their technical knowledge horizontally, gaining an understanding of the general organizational issues of InfoSec as well as all technical areas

Security Training

Security training involves providing members of the organization with detailed information and hands-on instruction to enable them to perform their duties securely • Management can either develop customized training or outsource all or part of the training program • There are two methods for customizing training for users by functional background or skill level - Functional background: • General user • Managerial user • Technical user - Skill level: • Novice • Intermediate • Advanced

Analysis Phase

The Analysis phase should include the following activities: - A new or recent risk assessment or IT audit documenting the current InfoSec needs of the organization - The gathering of key reference materials—including any existing policies

FAIR Approach

The Factor Analysis of Information Risk (FAIR) framework includes: - A taxonomy for information risk - Standard nomenclature for information risk terms - A framework for establishing data collection criteria - Measurement scales for risk factors - A computational engine for calculating risk - A modeling construct for analyzing complex risk scenarios Basic FAIR analysis is comprised of ten steps in four stages: Stage 1 - Identify scenario components: 1. Identify the asset at risk 2. Identify the threat community under consideration Stage 2 - Evaluate Loss Event Frequency (LEF): 3. Estimate the probable Threat Event Frequency (TEF) 4. Estimate the Threat Capability (TCap) 5. Estimate Control strength (CS) 6. Derive Vulnerability (Vuln) 7. Derive Loss Event Frequency (LEF) Stage 3 - Evaluate Probable Loss Magnitude (PLM) 8. Estimate worst-case loss 9. Estimate probable loss Stage 4—Derive and articulate Risk 10. Derive and articulate Risk • Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges, for example very high to very low

ISO 27005 Standard for InfoSec Risk Management

The ISO 27000 series includes a standard for the performance of Risk Management, ISO 27005 (http://www.27000.org/iso-27005.htm) • The 27005 document includes five-stage a risk management methodology: 1. Risk Assessment 2. Risk Treatment 3. Risk Acceptance 4. Risk Communication 5. Risk Monitoring and Review

Risk Identification

The Risk Management project should be well organized and funded, with a clear champion, a statement of work, and all needed support. • Risk identification begins with the process of self-examination • Managers: - Identify the organization's information assets - Classify and categorize them into useful groups - Prioritize them by overall importance

Chief Information Security Officer (CISO) or Chief Security Officer (CSO)

The chief information security officer (CISO), or in some cases, the CSO, is primarily responsible for the assessment, management, and implementation of the program that secures the organization's information • The senior executive responsible for security may also be called the director of security, senior security manager, or some similar title • The CISO usually reports directly to the CIO, although in larger organizations one or more additional layers of management may separate the two officers

Cost Benefit Analysis (CBA)

The criterion most commonly used when evaluating a project that implements InfoSec controls and safeguards is economic feasibility • Organizations can begin this type of economic feasibility analysis by valuing the information assets and determining the loss in value if those information assets became compromised • This decision-making process is called a cost benefit analysis or an economic feasibility study

Prioritizing (Rank Ordering) Information Assets

The final step in the risk identification process is to prioritize, or rank order, the assets • This goal can be achieved by using a weighted table analysis

Identification and Prioritization of Information Assets

The risk identification process begins with the identification of information assets, including people, procedures, data and information, software, hardware, and networking elements • This step should be done without pre-judging the value of each asset; values will be assigned later in the process

Security Administrators and Analysts

The security administrator is a hybrid of a security technician and a security manager, with both technical knowledge and managerial skill • The security analyst is a specialized security administrator that, in addition to performing security administration duties, must analyze and design security solutions within a specific domain • Security analysts must be able to identify users' needs and understand the technological complexities and capabilities of the security systems they design

Project Management Tools

There are many tools that support the management of the diverse resources in complex projects - Most project managers combine software tools that implement one or more of the dominant modeling approaches • Projectitis occurs when the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than accomplishing meaningful project work prjectlibre libreplan openproject project-open redmine agilefant

PMBoK Knowledge Areas

To apply project management to InfoSec, you must first identify an established project management methodology • While other project management approaches exist, the PMBoK, promoted by the Project Management Institute (PMI) is considered the industry best practice

Acceptance

Understanding the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at control The acceptance risk control strategy is the decision to do nothing to protect an information asset from risk, and to accept the outcome from any resulting exploitation • It may or may not be a conscious business decision. • Unconscious acceptance of risk is not a valid approach to risk control • An organization that decides on acceptance as a strategy for every identified risk of loss may in fact be unable to conduct proactive security activities and may have an apathetic approach to security in general

Organizational feasibility

analysis examines how well the proposed information security alternatives will contribute to efficiency, effectiveness, and overall operation of an organization

guidelines figure 4-2

are "Non-mandatory recommendations the employee may use as a reference in complying with a policy"

procedure figure 4-2

are "Step-by-step instructions designed to assist employees in following policies, standards and guidelines"

General business

articulates and communicates organizational policy and objectives and allocates resources to the other groups

behavioral types of leaders

autocratic democratic laissez-faire

components of info sec figure 1.1 *

computer security data security network security

organization's information assets

data, hardware, software, procedures, people

Political feasibility

defines what can and cannot occur based on the consensus and relationships between the communities of interest, especially given that the budget allocation decisions can be politically charged

Technical feasibility

determines whether or not the organization has or can acquire the technology and expertise to implement, support and manage the new safeguards

standard figure 4-2

is "A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance"

ch 4 information security policy Policy figure 4-2

is a set of "Organizational guidelines that dictate certain behavior within the organization" Policies define what you can do and not do, whereas the other documents focus on the how

Information Security

is about identifying, measuring and mitigating the risk associated with operating information assets

other methods

mitre european network and informantion secury agency (enisa) new zealand's isecTLtd.

six ps

planning policy programs protection people project management

Communications securtity

protection of all communications media, technology and content

cyber (computer) Security

protection of computerized information processing systems

operations security

protection of details of an organizations operations

Physical security

protection of physical objects

network security

protection of voice and data networking componets

ch 1 InfoSec

protects the organization's information assets from the many threats they face

Operational feasibility

refers to user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders - User acceptance and support can be achieved by means of communication, education, and involvement

SP 800-18, Rev.1: Guide for Developing Security Plans for Federal Information Systems

reinforces a business process centered approach to policy management

ch 6 Risk Management

risk identification, risk assessment, risk appetite risk control the process of identifying risk assessing its relative magnitude and taking steps to reduce it to an acceptable level is the process of discovering and assessing the risks to an organization's operations and determining how those risks can be controlled or mitigated

behavioral feasibility

same as operational feasibility

IT

supports the business objectives of the organization by supplying and supporting IT appropriate to the business' needs

Defense

—Applying safeguards that eliminate or reduce the remaining uncontrolled risk The defense risk control strategy attempts to prevent the exploitation of the vulnerability • This is the preferred approach and is accomplished by means of countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards • This approach is sometimes referred to as "avoidance". • Three common methods of risk defense are: - Application of policy - Application of training and education - Implementation of technology

Access Control Lists (ACLs)

• Include the user access lists, matrices, and capability tables that govern the rights and privileges • A capability table specifies which subjects and objects that users or groups can access • These specifications are frequently complex matrices, rather than simple lists or tables • In general ACLs enable administrations to restrict access according to user, computer, time, duration, or even a particular file In general ACLs regulate: - Who can use the system - What authorized users can access - When authorized users can access the system - Where authorized users can access the system from - How authorized users can access the system

Delivery Methods

• Selection of the training delivery method is not always based on the best outcome for the trainee • Often other factors — budget, scheduling, and needs of the organization — come first - One-on-One - Formal Class - Computer-Based Training (CBT) - Distance Learning/Web Seminars - User Support Group - On-the-Job Training - Self-Study (Noncomputerized)

Technical Specifications SysSPs

System administrators directions on implementing managerial policy • Each type of equipment has its own type of policies • There are two general methods of implementing such technical controls: - access control lists - configuration rules

compromises to intellectual property

ex Piracy, copyright infringement

Information Extortion

ex blackmail, information disclosure

Sabotage or Vandalism

ex destruction of systems or information

Technical Hardware Failures

ex equipment failure

Forces of Nature

ex fire, floods, earthquakes, lightning

Deviations in quality of service

ex internet service provider(ISP), power, or WAN service problems

technological obsolenscence

ex antiquated or outdated technologies

Technical Software Failure

ex bugs, code problems, unknown loopholes

Espionage or Trespass

ex unauthorized access and/or data collection

Software Attacks

ex viruses, worms, macros, denial of service

Confidentiality

"An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems" Limiting access to information only to those who need it, and preventing access by those who don't To protect the confidentiality of information, a number of measures are used: - Information classification - Secure document (and data) storage - Application of general security policies - Education of information custodians and end users - Cryptography (encryption)

Availability

"An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction" Availability of information means that users, either people or other systems, have access to it in a usable format Availability does not imply that the information is accessible to any user; rather, it means it can be accessed when needed by authorized users

Accountability

"the access control mechanism that ensures all actions on a system authorized or unauthorized—can be attributed to an authenticated identity. Also known as auditability"

Human Error or Failure

ex accidents, employee mistakes

Review Procedures and Practices

• To facilitate policy reviews, the policy administrator should implement a mechanism by which individuals can easily make recommendations for revisions to the policies and other related documentation • Recommendation methods could include e-mail, office mail, or an anonymous drop box • Once the policy has come up for review, all comments should be examined and management-approved changes should be implemented

Authentication

"The access control mechanism that requires the validation and verification of an unauthenticated entity's purported identity" It is the process by which a control establishes whether a user (or system) has the identity it claims to have Individual users may disclose a personal identification number (PIN), a password, or a passphrase to authenticate their identities to a computer system

Integrity

"an attribute of information that describes how data is whole, complete, and uncorrupted" integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state Corruption can occur while information is being entered, stored, or transmitted

Privacy

"in the context of information security, the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality" information that is collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected

Authorization

"the access control mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels" After the identity of a user is authenticated, authorization defines what the user (whether a person or a computer) has been specifically and explicitly permitted by the proper authority to do, such as access, modify, or delete the contents of an information asset

Identification

"the access control mechanism whereby unverified entities who seek access to a resource provide a label by which they are known to the system" An information system possesses the characteristic of identification when it is able to recognize individual users Identification and authentication are essential to establishing the level of access or authorization that an individual is granted Identification is typically performed by means of a user name or other ID

Security Officers and Investigators

Occasionally, the physical security and InfoSec programs are blended into a single, converged functional unit • When that occurs, several roles are added to the pure IT security program, including physical security officers and investigators • Sometimes referred to as the guards, gates, and guns (GGG) aspect of security, these roles are often closely related to law enforcement and may rely on employing persons trained in law enforcement and/or criminal justice

Classifying and Categorizing Information Assets

Once the initial inventory is assembled, determine whether its asset categories are meaningful to the risk managementprogram • Inventory should also reflect sensitivity and security priority assigned to each information asset • A data classification scheme categorizes these information assets based on their sensitivity and security needs • Each of these categories designates the level of protection needed for a particular information asset • Some asset types, such as personnel, may require an alternative classification scheme that would identify the clearance needed to use the asset type • Classification categories must be comprehensive and mutually exclusive

Ch 5 Security in Large Organizations

One recommended approach is to separate the functions into those: 1. Performed by nontechnology business units outside the IT area of management control, such as: Legal and Training 2. Performed by IT groups outside the InfoSec area of management control, such as: Systems security administration; Network security administration and Centralized authentication 3. Performed within the InfoSec department as a customer service to the organization and its external partners, such as: Risk assessment; Systems testing; Incident response planning; Disaster recovery planning; Performance measurement and Vulnerability assessment 4. Performed within the InfoSec department as a compliance enforcement obligation, such as: Policy; Compliance/audit and Risk management • It remains the CISO's responsibility to see that information security functions are adequately performed somewhere within the organization • The deployment of full-time security personnel depends on a number of factors, including sensitivity of the information to be protected, industry regulations and general profitability • The more money the company can dedicate to its personnel budget, the more likely it is to maintain a large information security staff

Statutory law

Originates from a legislative branch specifically tasked with the creation and publication of laws and statutes

Regulatory or administrative law

Originates from an executive branch or authorized regulatory agency, and includes executive orders and regulations

ch2 Constitutional law

Originates with the U.S. Constitution, a state constitution, or local constitution, by laws, or charter

Specialized areas of security

Physical security Operations security Communications security Cyber (or computer)security Network security

Termination

Removing or discontinuing the information asset from the organization's operating environment Like acceptance, the termination risk management strategy is based on the organization's need or choice not to protect an asset; - Here, however, the organization does not wish the information asset to remain at risk and so removes it from the environment that represents risk • The cost of protecting an asset may outweigh its value, or, it may be too difficult or expensive to protect an asset, compared to the value or advantage that asset offers the company • In either case, termination must be a conscious business decision, not simply the abandonment of an asset, which would technically qualify as acceptance

Transference

Shifting risks to other areas or to outside entities The transference risk control strategy attempts to shift risk to another entity • This goal may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers • When an organization does not have adequate security management and administration experience, it should hire individuals or firms that provide expertise in those areas (outsourcing)

Security Education

Some organizations may have employees within the InfoSec department who are not prepared by their background or experience for the InfoSec roles they are supposed to perform • When tactical circumstances allow and/or strategic imperatives dictate, these employees may be encouraged to use a formal education method • Local and regional resources might also provide information and services in educational areas

7 steps to Implement Training

Step 1: Identify program scope, goals, and objectives Step 2: Identify training staff Step 3: Identify target audiences Step 4: Motivate management and employees Step 5: Administer the program Step 6: Maintain the program Step 7: Evaluate the program

Solving Problems

Step 1: Recognize and Define the Problem Step 2: Gather Facts and Make Assumptions Step 3: Develop Possible Solutions Step 4: Analyze and Compare Possible Solutions (Feasibility analyses) Step 5: Select, Implement, and Evaluate a solution

Systems-specific policies (SysSPs)

Systems-Specific Security Policies (SysSPs) sometimes have a different look and may seem more like procedures to some readers • They may often function as standards or procedures to be used when configuring or maintaining systems • SysSPs can be separated into: - Managerial guidance - Technical specifications Or combined in a single unified SysSP document

Security Consultants

The InfoSec consultant is typically an independent expert in some aspect of InfoSec • He or she is usually brought in when the organization makes the decision to outsource one or more aspects of its security program • While it is usually preferable to involve a formal security services company, qualified individual consultants are available for hire

The OCTAVE Methods

The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method defines the essential components of a comprehensive, systematic, context-driven, self-directed information security risk evaluation • By following the OCTAVE Method, an organization can make information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information technology assets • The operational or business units and the IT department work together to address the information security needs of the organization There are three variations of the OCTAVE Method: - The original OCTAVE method, which forms the basis for the OCTAVE body of knowledge, and which was designed for larger organizations (300 or more users) - OCTAVE-S, for smaller organizations of about 100 users - OCTAVE-Allegro, a streamlined approach for information security assessment and assurance

Implementing Security Education, Training, and Awareness Programs

The SETA program is designed to reduce accidental security breaches by members of the organization • SETA programs offer three major benefits: - They can improve employee behavior - They can inform members of the organization about where to report violations of policy - They enable the organization to hold employees accountable for their actions • The purpose of SETA is to enhance security: - By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems - By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely - By improving awareness of the need to protect system resources Management of Info

Design Phase

The first task in the design phase is the drafting of the actual policy document • While this task can be done by a committee, it is most commonly done by a single author - There are a number of references and resources available on the Web, through professional literature and from peers and consultants • Next, the development team or committee reviews the work of the primary author and makes recommendations about its revision • Once the committee approves the document, it goes to the approving manager or executive for sign-off

Investigation Phase

The policy development team should attain: - Support from senior management, - Support and active involvement of IT management, specifically the CIO - Clear articulation of goals - Participation of the correct individuals from the communities of interest affected by the policies • Be composed from Legal, Human Resources and end-users • Assign a project champion with sufficient stature and prestige • Acquire a capable project manager - A detailed outline of the scope of the policy development project and sound estimates for the cost and scheduling of the project

NIST Risk Management Framework

• National Institute for Standards and Technology (NIST) has modified its fundamental approach to systems management and certification/ accreditation to one that follows the industry standard of effective risk management • As discussed in "Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View" The first component of risk management addresses how organizations frame risk or establish a risk context—that is, describing the environment in which risk-based decisions are made • The risk frame establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations • Establishing a realistic and credible risk frame requires that organizations identify: (i) risk assumptions (ii) risk constraints (iii) risk tolerance; and (iv) priorities and tradeoffs

Automated Tools

• The need for effective policy management has led to the emergence of a class of software tools that supports policy development, implementation, and maintenance • Tools like Vigilent Policy Center (VPC) keep policies confidential, behind password-protected intranets, and generate periodic reports indicating which employees have and have not read and acknowledged the policies • Tools such as VPC also make it clear which manager was responsible for the policy, as his or her name is prominently displayed on the policy, along with the date of approval