Midterm Review Info Sec ch 1-7
Review Schedule
In a changing environment, policies can retain their effectiveness only if they are periodically reviewed for currency and accuracy, and modified to keep them updated • Any policy document should contain a properly organized schedule of reviews • Generally, a policy should be reviewed at least annually
Security Awareness
One of the least frequently implemented, but most effective, security methods is the security awareness program • Security awareness programs: - set the stage for training by changing organizational attitudes to realize the importance of security and the adverse consequences of its failure - remind users of the procedures to be followed • When developing an awareness program: - Focus on people - Refrain from using technical jargon - Use every available venue - Define learning objectives, state them clearly, and provide sufficient detail and coverage - Keep things light - Don't overload the users - Help users understand their roles in InfoSec - Take advantage of in-house communications media - Make the awareness program formal; plan and document all actions - Provide good information early, rather than perfect information late
Mitigation
Reducing the impact to information assets should an attacker successfully exploit a vulnerability • The mitigation risk control strategy is the control approach that attempts to reduce, by means of planning and preparation, the damage caused by a realized incident or disaster • This approach includes three types of plans: - Disaster recovery (DR) plan - Incident response (IR) plan - Business continuity (BC) plan • Mitigation depends upon the ability to detect and respond to an attack as quickly as possible
theft
ex illegal confiscation of equipment or information
practices figure 4-2
"Examples of actions that illustrate compliance with policies"
Information Security Roles and Titles
-Chief Information Security Officer (CISO) or Chief Security Officer (CSO) - Security managers - Security administrators and analysts - Security technicians - Security staffers and watchstanders - Security consultants - Security officers and investigators - Help desk personnel
4 steps FDIC: SLA
-Determining objectives - Defining requirements - Setting measurements - Establishing accountability
12 category of threat
1. Compromises to intellectual property 2. Deviations in quality of service 3. Espionage or trespass 4. Forces of nature 5. Human error or failure 6. Information extortion 7. Sabotage or vandalism 8. Software attacks 9. Technical hardware failures 10. Technical software failures 11. Technological obsolescence 12. Theft
Issue-specific information security policies (ISSP)
An issue-specific security policy (ISSP) is an organizational policy that provides detailed, targeted guidance to instruct all members of the organization in the use of a resource, such as one of its processes or technologies • An ISSP is designed to regulate the use of some technology or resource issue within the organization • In some organizations, ISSPs are referred to as fair and responsible use policies, describing the intent of the policy to regulate appropriate use • The ISSP should assure members of the organization that its purpose is not to establish a foundation for administrative enforcement or legal prosecution but rather to provide a common understanding of the purposes for which an employee can and cannot use the resource • Every organization's ISSPs should: - Address specific technology-based systems - Require frequent updates - Contain an issue statement on the organization's position on an issue
Help Desk Personnel
An important part of the information security team is the help desk, which enhances the security team's ability to identify potential problems • When a user calls the help desk with a complaint about his or her computer, the network, or an Internet connection, the user's problem may turn out to be related to a bigger problem, such as a hacker, a denial-of-service attack, or a virus • Because help desk technicians perform a specialized role in information security, they need specialized training
Threat Assessment
Armed with a properly classified inventory, you can assess potential weaknesses in each information asset—a process known as threat assessment • Any organization typically faces a wide variety of threats; if you assume that every threat can and will attack every information asset, then the project scope becomes too complex • To make the process less unwieldy, each step in the threat identification and vulnerability identification processes is managed separately and then coordinated at the end
Risk Assessment
Assessing the relative risk for each vulnerability is accomplished via a process called risk assessment • Risk assessment assigns a risk rating or score to each specific vulnerability • While this number does not mean anything in absolute terms, it enables you to gauge the relative risk associated with each vulnerable information asset, and it facilitates the creation of comparative ratings later in the risk control process
Risk Appetite
Before the organization can or should proceed, it needs to understand whether the current level of controls identified at the end of the risk assessment process results in a level of risk management it can accept • The amount of risk that remains after all current controls are implemented is residual risk • The organization may very well reach this point in the risk management process, examine the documented residual risk, simply state, "Yes, we can live with that," and then document everything for the next risk management review cycle • What is difficult is the process of formalizing exactly what the organization "can live with"; this process is the heart of risk appetite
Alternatives to Feasibility Analysis
Benchmarking • Due care and due diligence • Best business practices • Gold standard • Government recommendations and best practices • Baseline
Managerial Guidance SysSPs
Created by management to guide the implementation and configuration of technology • Applies to any technology that affects the confidentiality, integrity or availability of information • Informs technologists of management intent
CIA Triad figure 1.3 *
Data & services: Confidentiality Integrity Availability
ch 7 five strategy options
Defense, Transference, Mitigation, Acceptance, and Termination
Maintenance Phase
During the maintenance phase, the policy development team monitors, maintains, and modifies the policy as needed to ensure that it remains effective as a tool to meet changing threats • The policy should have a built-in mechanism via which users can report problems with the policy, preferably anonymously • Periodic review should be built into the process
Identifying Threats
Each threat presents a unique challenge to information security and must be handled with specific controls that directly address the particular threat and the threat agent's attack strategy • Before threats can be assessed in the risk identification process, however, each threat must be further examined to determine its potential to affect the targeted information asset • In general, this process is referred to as a threat assessment
Enterprise information security program policy (EISP)
Enterprise information security policy (EISP) is that high-level information security policy that sets the strategic direction, scope, and tone for all of an organization's security efforts • An EISP is also known as a security program policy, general security policy, IT security policy, high-level InfoSec policy, or simply an InfoSec policy
three types of information security policy
Enterprise information security program policy (EISP) • Issue-specific information security policies (ISSP) • Systems-specific policies (SysSPs)
Assessing Risk
Estimating risk is not an exact science; thus some practitioners use calculated values for risk estimation, whereas others rely on broader methods of estimation • The goal is to develop a repeatable method to evaluate the relative risk of each of the vulnerabilities that have been identified and added to the list
Guidelines for Effective Policy
For policies to be effective, they must be properly: 1. Developed using industry-accepted practices, and formally approved by management 2. Distributed using all appropriate methods 3. Read by all employees 4. Understood by all employees 5. Formally agreed to by act or affirmation 6. Uniformly applied and enforced
Security in Small Organizations
In a small organization, InfoSec often becomes the responsibility of a jack-of-all-trades, a single security administrator with perhaps one or two assistants for managing the technical components • It is not uncommon in smaller organizations to have the systems or network administrators play these many roles • Because resources are often limited in smaller organizations, the security administrator frequently turns to freeware or open source software to lower the costs of assessing and implementing security • In small organizations, security training and awareness are most commonly conducted on a one-on-one basis, with the security administrator providing advice to users as needed • Some feel that small organizations, to their advantage, avoid some threats precisely because of their small size • Threats from insiders are also less likely in an environment where every employee knows every other employee • In general, the less anonymity an employee has, the less likely he or she feels able to get away with abuse or misuse of company assets • Smaller organizations typically have either one individual who has full-time duties in InfoSec or, more likely, one individual who manages or conducts InfoSec duties in addition to those of other functional areas, most likely IT, possibly with one or two assistants
Policy and Revision Date
In some organizations, policies are drafted and published without a date, leaving users of the policy unaware of its age or status • This practice can create problems, including legal ones, if employees are complying with an out-of-date policy • Ideally, the policy document should include its date of origin, along with the dates, if any, of revisions • Some policies may need a "sunset clause," particularly if they govern information use for a short-term association with second-party businesses or agencies
Implementation Phase
In the implementation phase, the team must create a plan to distribute and verify the distribution of the policies • Members of the organization must explicitly acknowledge that they have received and read the policy (compliance) • The simplest way to document acknowledgment of a written policy is to attach a cover sheet that states "I have received, read, understood, and agreed to this policy" - The employee's signature and date provide a paper trail of his or her receipt of the policy
Policy Administrator
Just as information systems and InfoSec projects must have a champion and a manager, so must policies • The policy champion position combined with the manager position is called the policy administrator • Typically, this person is a mid-level staff member who is responsible for the creation, revision, distribution, and storage of the policy
Policy Development and Implementation Using the SecSDLC
Like any major project, a policy development or redevelopment project should be well planned, properly funded, and aggressively managed to ensure that it is completed on time and within budget • One way to accomplish this goal is to use a systems development life cycle (SDLC)
Likelihood
Likelihood is the overall rating - a numerical value on a defined scale - of the probability that a specific vulnerability will be exploited • Using the information documented during the risk identification process, you can assign weighted scores based on the value of each information asset, e.g., 1-100, low-medium-high, etc. • Whatever rating system you employ for assigning likelihood, use professionalism, experience, and judgment to determine the rating, and use it consistently • Whenever possible, use external references for likelihood values, after reviewing and adjusting them for your specific circumstances
Information Aggregation
Many organizations collect, swap, and sell personal information as a commodity
Security in Medium-Sized Organizations
Medium-sized organizations may still be large enough to implement the multi-tiered approach to security described for large organizations, though perhaps with fewer dedicated groups and more functions assigned to each group • In a medium-sized organization, more of the functional areas are assigned to other departments within IT but outside the InfoSec department, especially the central authentication function • The medium-sized organization may have only one full-time security person, with perhaps three individuals with part-time InfoSec responsibilities
Microsoft Risk Management Approach
Microsoft Corp. also promotes a risk management approach • Four phases in the MS InfoSec risk management process: - Assessing risk - Conducting decision support - Implementing controls - Measuring program effectiveness
Common law, case law, and precedent
Originates from a judicial branch or oversight board and involves the interpretation of law based on the actions of a previous and/or higher court or board
Security Managers
Security managers are accountable for the day-to-day operations of the InfoSec program • They accomplish the objectives identified by the CISO, to whom they report, and they resolve issues identified by the technicians, administrators, analysts, or staffers whom they supervise • Managing security requires an understanding of technology but not necessarily technical mastery
Security Staffers and Watchstanders
Security staffer is a catchall title that applies to those who perform routine watchstanding or administrative activities • The term "watchstander" includes the people who watch intrusion consoles, monitor e-mail accounts, and perform other routine yet critical roles that support the mission of the InfoSec department • Security watchstanders are often entry-level InfoSec professionals responsible for monitoring some aspect of the organization's security posture, whether technical or managerial • In this position, new InfoSec professionals have the opportunity to learn more about the organization's InfoSec program before becoming critical components of its administration
Security Technician
Security technicians are the technically qualified individuals who configure firewalls and IDPSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that security technology is properly implemented • A security technician is usually an entry-level position, but one that requires strong technical skills, which can make this job challenging for those who are new to the field, given that it is difficult to get the job without experience and yet experience comes with the job • Security technicians who want to move up in the corporate hierarchy must expand their technical knowledge horizontally, gaining an understanding of the general organizational issues of InfoSec as well as all technical areas
Security Training
Security training involves providing members of the organization with detailed information and hands-on instruction to enable them to perform their duties securely • Management can either develop customized training or outsource all or part of the training program • There are two methods for customizing training for users by functional background or skill level - Functional background: • General user • Managerial user • Technical user - Skill level: • Novice • Intermediate • Advanced
Analysis Phase
The Analysis phase should include the following activities: - A new or recent risk assessment or IT audit documenting the current InfoSec needs of the organization - The gathering of key reference materials—including any existing policies
FAIR Approach
The Factor Analysis of Information Risk (FAIR) framework includes: - A taxonomy for information risk - Standard nomenclature for information risk terms - A framework for establishing data collection criteria - Measurement scales for risk factors - A computational engine for calculating risk - A modeling construct for analyzing complex risk scenarios • Basic FAIR analysis comprises ten steps in four stages: Stage 1 - Identify scenario components: 1. Identify the asset at risk 2. Identify the threat community under consideration Stage 2 - Evaluate Loss Event Frequency (LEF): 3. Estimate the probable Threat Event Frequency (TEF) 4. Estimate the Threat Capability (TCap) 5. Estimate Control Strength (CS) 6. Derive Vulnerability (Vuln) 7. Derive Loss Event Frequency (LEF) Stage 3 - Evaluate Probable Loss Magnitude (PLM): 8. Estimate worst-case loss 9. Estimate probable loss Stage 4 - Derive and articulate risk: 10. Derive and articulate risk • Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges, for example very high to very low
ISO 27005 Standard for InfoSec Risk Management
The ISO 27000 series includes a standard for the performance of risk management, ISO 27005 (http://www.27000.org/iso-27005.htm) • The 27005 document includes a five-stage risk management methodology: 1. Risk Assessment 2. Risk Treatment 3. Risk Acceptance 4. Risk Communication 5. Risk Monitoring and Review
Risk Identification
The Risk Management project should be well organized and funded, with a clear champion, a statement of work, and all needed support. • Risk identification begins with the process of self-examination • Managers: - Identify the organization's information assets - Classify and categorize them into useful groups - Prioritize them by overall importance
Chief Information Security Officer (CISO) or Chief Security Officer (CSO)
The chief information security officer (CISO), or in some cases, the CSO, is primarily responsible for the assessment, management, and implementation of the program that secures the organization's information • The senior executive responsible for security may also be called the director of security, senior security manager, or some similar title • The CISO usually reports directly to the CIO, although in larger organizations one or more additional layers of management may separate the two officers
Cost Benefit Analysis (CBA)
The criterion most commonly used when evaluating a project that implements InfoSec controls and safeguards is economic feasibility • Organizations can begin this type of economic feasibility analysis by valuing the information assets and determining the loss in value if those information assets became compromised • This decision-making process is called a cost benefit analysis or an economic feasibility study
Prioritizing (Rank Ordering) Information Assets
The final step in the risk identification process is to prioritize, or rank order, the assets • This goal can be achieved by using a weighted table analysis
Identification and Prioritization of Information Assets
The risk identification process begins with the identification of information assets, including people, procedures, data and information, software, hardware, and networking elements • This step should be done without pre-judging the value of each asset; values will be assigned later in the process
Security Administrators and Analysts
The security administrator is a hybrid of a security technician and a security manager, with both technical knowledge and managerial skill • The security analyst is a specialized security administrator that, in addition to performing security administration duties, must analyze and design security solutions within a specific domain • Security analysts must be able to identify users' needs and understand the technological complexities and capabilities of the security systems they design
Project Management Tools
There are many tools that support the management of the diverse resources in complex projects - Most project managers combine software tools that implement one or more of the dominant modeling approaches • Projectitis occurs when the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than accomplishing meaningful project work • Examples of open source project management tools: ProjectLibre, LibrePlan, OpenProject, Project-Open, Redmine, Agilefant
PMBoK Knowledge Areas
To apply project management to InfoSec, you must first identify an established project management methodology • While other project management approaches exist, the PMBoK, promoted by the Project Management Institute (PMI), is considered the industry best practice
Acceptance
Understanding the consequences of choosing to leave a risk uncontrolled and then properly acknowledging the risk that remains without an attempt at control • The acceptance risk control strategy is the decision to do nothing to protect an information asset from risk, and to accept the outcome from any resulting exploitation • It may or may not be a conscious business decision • Unconscious acceptance of risk is not a valid approach to risk control • An organization that decides on acceptance as a strategy for every identified risk of loss may in fact be unable to conduct proactive security activities and may have an apathetic approach to security in general
Organizational feasibility
analysis examines how well the proposed information security alternatives will contribute to efficiency, effectiveness, and overall operation of an organization
guidelines figure 4-2
are "Non-mandatory recommendations the employee may use as a reference in complying with a policy"
procedure figure 4-2
are "Step-by-step instructions designed to assist employees in following policies, standards and guidelines"
General business
articulates and communicates organizational policy and objectives and allocates resources to the other groups
behavioral types of leaders
autocratic, democratic, laissez-faire
components of info sec figure 1.1 *
computer security, data security, network security
organization's information assets
data, hardware, software, procedures, people
Political feasibility
defines what can and cannot occur based on the consensus and relationships between the communities of interest, especially given that the budget allocation decisions can be politically charged
Technical feasibility
determines whether or not the organization has or can acquire the technology and expertise to implement, support and manage the new safeguards
standard figure 4-2
is "A detailed statement of what must be done to comply with policy, sometimes viewed as the rules governing policy compliance"
ch 4 information security policy Policy figure 4-2
is a set of "Organizational guidelines that dictate certain behavior within the organization" • Policies define what you can and cannot do, whereas the other documents (standards, guidelines, procedures) focus on the how
Information Security
is about identifying, measuring and mitigating the risk associated with operating information assets
other methods
MITRE; European Network and Information Security Agency (ENISA); New Zealand's IsecT Ltd.
six ps
planning, policy, programs, protection, people, project management
Communications security
protection of all communications media, technology and content
Cyber (computer) security
protection of computerized information processing systems
operations security
protection of the details of an organization's operations
Physical security
protection of physical objects
network security
protection of voice and data networking components
ch 1 InfoSec
protects the organization's information assets from the many threats they face
Operational feasibility
refers to user acceptance and support, management acceptance and support, and the system's compatibility with the requirements of the organization's stakeholders - User acceptance and support can be achieved by means of communication, education, and involvement
SP 800-18, Rev.1: Guide for Developing Security Plans for Federal Information Systems
reinforces a business-process-centered approach to policy management
ch 6 Risk Management
Components: risk identification, risk assessment, risk appetite, risk control • Risk management is the process of identifying risk, assessing its relative magnitude, and taking steps to reduce it to an acceptable level • It is also described as the process of discovering and assessing the risks to an organization's operations and determining how those risks can be controlled or mitigated
behavioral feasibility
same as operational feasibility
IT
supports the business objectives of the organization by supplying and supporting IT appropriate to the business' needs
Defense
Applying safeguards that eliminate or reduce the remaining uncontrolled risk • The defense risk control strategy attempts to prevent the exploitation of the vulnerability • This is the preferred approach and is accomplished by means of countering threats, removing vulnerabilities in assets, limiting access to assets, and adding protective safeguards • This approach is sometimes referred to as "avoidance" • Three common methods of risk defense are: - Application of policy - Application of training and education - Implementation of technology
Access Control Lists (ACLs)
• Include the user access lists, matrices, and capability tables that govern rights and privileges • A capability table specifies which subjects and objects users or groups can access • These specifications are frequently complex matrices, rather than simple lists or tables • In general, ACLs enable administrators to restrict access according to user, computer, time, duration, or even a particular file • In general, ACLs regulate: - Who can use the system - What authorized users can access - When authorized users can access the system - Where authorized users can access the system from - How authorized users can access the system
Delivery Methods
• Selection of the training delivery method is not always based on the best outcome for the trainee • Often other factors — budget, scheduling, and needs of the organization — come first - One-on-One - Formal Class - Computer-Based Training (CBT) - Distance Learning/Web Seminars - User Support Group - On-the-Job Training - Self-Study (Noncomputerized)
Technical Specifications SysSPs
System administrators' directions on implementing managerial policy • Each type of equipment has its own type of policies • There are two general methods of implementing such technical controls: - access control lists - configuration rules
compromises to intellectual property
ex Piracy, copyright infringement
Information Extortion
ex blackmail, information disclosure
Sabotage or Vandalism
ex destruction of systems or information
Technical Hardware Failures
ex equipment failure
Forces of Nature
ex fire, floods, earthquakes, lightning
Deviations in quality of service
ex internet service provider (ISP), power, or WAN service problems
Technological obsolescence
ex antiquated or outdated technologies
Technical Software Failure
ex bugs, code problems, unknown loopholes
Espionage or Trespass
ex unauthorized access and/or data collection
Software Attacks
ex viruses, worms, macros, denial of service
Confidentiality
"An attribute of information that describes how data is protected from disclosure or exposure to unauthorized individuals or systems" • Limiting access to information only to those who need it, and preventing access by those who don't • To protect the confidentiality of information, a number of measures are used: - Information classification - Secure document (and data) storage - Application of general security policies - Education of information custodians and end users - Cryptography (encryption)
Availability
"An attribute of information that describes how data is accessible and correctly formatted for use without interference or obstruction" • Availability of information means that users, either people or other systems, have access to it in a usable format • Availability does not imply that the information is accessible to any user; rather, it means it can be accessed when needed by authorized users
Accountability
"The access control mechanism that ensures all actions on a system, authorized or unauthorized, can be attributed to an authenticated identity. Also known as auditability"
Human Error or Failure
ex accidents, employee mistakes
Review Procedures and Practices
• To facilitate policy reviews, the policy administrator should implement a mechanism by which individuals can easily make recommendations for revisions to the policies and other related documentation • Recommendation methods could include e-mail, office mail, or an anonymous drop box • Once the policy has come up for review, all comments should be examined and management-approved changes should be implemented
Authentication
"The access control mechanism that requires the validation and verification of an unauthenticated entity's purported identity" • It is the process by which a control establishes whether a user (or system) has the identity it claims to have • Individual users may disclose a personal identification number (PIN), a password, or a passphrase to authenticate their identities to a computer system
Integrity
"An attribute of information that describes how data is whole, complete, and uncorrupted" • The integrity of information is threatened when it is exposed to corruption, damage, destruction, or other disruption of its authentic state • Corruption can occur while information is being entered, stored, or transmitted
Privacy
"In the context of information security, the right of individuals or groups to protect themselves and their information from unauthorized access, providing confidentiality" • Information that is collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected
Authorization
"The access control mechanism that represents the matching of an authenticated entity to a list of information assets and corresponding access levels" • After the identity of a user is authenticated, authorization defines what the user (whether a person or a computer) has been specifically and explicitly permitted by the proper authority to do, such as access, modify, or delete the contents of an information asset
Identification
"The access control mechanism whereby unverified entities who seek access to a resource provide a label by which they are known to the system" • An information system possesses the characteristic of identification when it is able to recognize individual users • Identification and authentication are essential to establishing the level of access or authorization that an individual is granted • Identification is typically performed by means of a user name or other ID
Security Officers and Investigators
Occasionally, the physical security and InfoSec programs are blended into a single, converged functional unit • When that occurs, several roles are added to the pure IT security program, including physical security officers and investigators • Sometimes referred to as the guards, gates, and guns (GGG) aspect of security, these roles are often closely related to law enforcement and may rely on employing persons trained in law enforcement and/or criminal justice
Classifying and Categorizing Information Assets
Once the initial inventory is assembled, determine whether its asset categories are meaningful to the risk management program • The inventory should also reflect the sensitivity and security priority assigned to each information asset • A data classification scheme categorizes these information assets based on their sensitivity and security needs • Each of these categories designates the level of protection needed for a particular information asset • Some asset types, such as personnel, may require an alternative classification scheme that would identify the clearance needed to use the asset type • Classification categories must be comprehensive and mutually exclusive
Ch 5 Security in Large Organizations
One recommended approach is to separate the functions into those: 1. Performed by nontechnology business units outside the IT area of management control, such as: Legal and Training 2. Performed by IT groups outside the InfoSec area of management control, such as: Systems security administration; Network security administration and Centralized authentication 3. Performed within the InfoSec department as a customer service to the organization and its external partners, such as: Risk assessment; Systems testing; Incident response planning; Disaster recovery planning; Performance measurement and Vulnerability assessment 4. Performed within the InfoSec department as a compliance enforcement obligation, such as: Policy; Compliance/audit and Risk management • It remains the CISO's responsibility to see that information security functions are adequately performed somewhere within the organization • The deployment of full-time security personnel depends on a number of factors, including sensitivity of the information to be protected, industry regulations and general profitability • The more money the company can dedicate to its personnel budget, the more likely it is to maintain a large information security staff
Statutory law
Originates from a legislative branch specifically tasked with the creation and publication of laws and statutes
Regulatory or administrative law
Originates from an executive branch or authorized regulatory agency, and includes executive orders and regulations
ch2 Constitutional law
Originates with the U.S. Constitution, a state constitution, or a local constitution, bylaws, or charter
Specialized areas of security
Physical security, Operations security, Communications security, Cyber (or computer) security, Network security
Termination
Removing or discontinuing the information asset from the organization's operating environment. Like acceptance, the termination risk control strategy is based on the organization's need or choice not to protect an asset - Here, however, the organization does not wish the information asset to remain at risk and so removes it from the environment that represents risk • The cost of protecting an asset may outweigh its value, or it may be too difficult or expensive to protect an asset compared to the value or advantage that asset offers the company • In either case, termination must be a conscious business decision, not simply the abandonment of an asset, which would technically qualify as acceptance
Transference
Shifting risks to other areas or to outside entities. The transference risk control strategy attempts to shift risk to another entity • This goal may be accomplished by rethinking how services are offered, revising deployment models, outsourcing to other organizations, purchasing insurance, or implementing service contracts with providers • When an organization does not have adequate security management and administration experience, it should hire individuals or firms that provide expertise in those areas (outsourcing)
Security Education
Some organizations may have employees within the InfoSec department who are not prepared by their background or experience for the InfoSec roles they are supposed to perform • When tactical circumstances allow and/or strategic imperatives dictate, these employees may be encouraged to use a formal education method • Local and regional resources might also provide information and services in educational areas
7 steps to Implement Training
Step 1: Identify program scope, goals, and objectives Step 2: Identify training staff Step 3: Identify target audiences Step 4: Motivate management and employees Step 5: Administer the program Step 6: Maintain the program Step 7: Evaluate the program
Solving Problems
Step 1: Recognize and Define the Problem Step 2: Gather Facts and Make Assumptions Step 3: Develop Possible Solutions Step 4: Analyze and Compare Possible Solutions (Feasibility analyses) Step 5: Select, Implement, and Evaluate a solution
Systems-specific policies (SysSPs)
Systems-Specific Security Policies (SysSPs) sometimes have a different look and may seem more like procedures to some readers • They may often function as standards or procedures to be used when configuring or maintaining systems • SysSPs can be separated into: - Managerial guidance - Technical specifications Or combined in a single unified SysSP document
Security Consultants
The InfoSec consultant is typically an independent expert in some aspect of InfoSec • He or she is usually brought in when the organization makes the decision to outsource one or more aspects of its security program • While it is usually preferable to involve a formal security services company, qualified individual consultants are available for hire
The OCTAVE Methods
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Method defines the essential components of a comprehensive, systematic, context-driven, self-directed information security risk evaluation • By following the OCTAVE Method, an organization can make information-protection decisions based on risks to the confidentiality, integrity, and availability of critical information technology assets • The operational or business units and the IT department work together to address the information security needs of the organization There are three variations of the OCTAVE Method: - The original OCTAVE method, which forms the basis for the OCTAVE body of knowledge, and which was designed for larger organizations (300 or more users) - OCTAVE-S, for smaller organizations of about 100 users - OCTAVE-Allegro, a streamlined approach for information security assessment and assurance
Implementing Security Education, Training, and Awareness Programs
The SETA program is designed to reduce accidental security breaches by members of the organization • SETA programs offer three major benefits: - They can improve employee behavior - They can inform members of the organization about where to report violations of policy - They enable the organization to hold employees accountable for their actions • The purpose of SETA is to enhance security: - By building in-depth knowledge, as needed, to design, implement, or operate security programs for organizations and systems - By developing skills and knowledge so that computer users can perform their jobs while using IT systems more securely - By improving awareness of the need to protect system resources Management of Info
Design Phase
The first task in the design phase is the drafting of the actual policy document • While this task can be done by a committee, it is most commonly done by a single author - There are a number of references and resources available on the Web, through professional literature and from peers and consultants • Next, the development team or committee reviews the work of the primary author and makes recommendations about its revision • Once the committee approves the document, it goes to the approving manager or executive for sign-off
Investigation Phase
The policy development team should attain: - Support from senior management - Support and active involvement of IT management, specifically the CIO - Clear articulation of goals - Participation of the correct individuals from the communities of interest affected by the policies • The team should include representatives from Legal, Human Resources, and end users • Assign a project champion with sufficient stature and prestige • Acquire a capable project manager - A detailed outline of the scope of the policy development project and sound estimates for the cost and scheduling of the project
NIST Risk Management Framework
• The National Institute of Standards and Technology (NIST) has modified its fundamental approach to systems management and certification/accreditation to one that follows the industry standard of effective risk management • As discussed in "Special Publication 800-39: Managing Information Security Risk: Organization, Mission, and Information System View", the first component of risk management addresses how organizations frame risk or establish a risk context, that is, describing the environment in which risk-based decisions are made • The risk frame establishes a foundation for managing risk and delineates the boundaries for risk-based decisions within organizations • Establishing a realistic and credible risk frame requires that organizations identify: (i) risk assumptions; (ii) risk constraints; (iii) risk tolerance; and (iv) priorities and tradeoffs
Automated Tools
• The need for effective policy management has led to the emergence of a class of software tools that supports policy development, implementation, and maintenance • Tools like Vigilent Policy Center (VPC) keep policies confidential, behind password-protected intranets, and generate periodic reports indicating which employees have and have not read and acknowledged the policies • Tools such as VPC also make it clear which manager was responsible for the policy, as his or her name is prominently displayed on the policy, along with the date of approval