CIS 249 Chapter 8
COBIT 5 is the only business framework for the governance and management of enterprise IT. This evolutionary version incorporates the latest thinking in enter- prise governance and management techniques, and provides globally accepted principles, practices, analytical tools, and models to help increase the trust in, and value from, information systems. COBIT 5 builds and expands on COBIT 4.1 by integrating other major frameworks, standards, and resources, including ISACA's Val IT and Risk IT, Information Technology Infrastructure Library (ITIL®), and related standards from the International Organization for Stan- dardization (ISO).
"Control Objectives for Information and Related Technology" (COBIT)
provides advice about the implementation of sound controls and control objectives for InfoSec. This docu- ment can be used not only as a planning tool for InfoSec but also as a control model. COBIT was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992. Documentation on COBIT was first published in 1996 and most recently updated in 2012.
"Control Objectives for Information and Related Technology" (COBIT)
A confidentiality model or "state machine reference model" that ensures the confidentiality of the modeled system by using MACs, data classification, and security clearances.
Bell-LaPadula (BLP) confidentiality model:
An access control model that is similar to BLP and is based on the premise that higher levels of integrity are more worthy of trust than lower levels.
Biba integrity model:
commonly known as a "Chinese Wall," is designed to prevent a conflict of interest between two parties. Imagine that a law firm represents two individuals who are involved in a car accident. One sues the other, and the firm has to represent both. To prevent a conflict of interest, the individual attorneys should not be able to access the private information of both litigants. requires users to select one of two conflicting sets of data, after which they cannot access the conflict- ing data.1
Brewer-Nash model
is built on five interrelated components. Again, while COSO is designed to serve as a framework that can describe and analyze inter- nal control systems, some of those internal control systems are on IT systems that incorpo- rate InfoSec controls.
COSO Framework
which is built upon principles of change control rather than integrity levels, was designed for the commercial environment. The change control principles upon which it operates are: • No changes by unauthorized subjects • No unauthorized changes by authorized subjects • The maintenance of internal and external consistency
Clark Wilson Model
Why use an ISO/IEC 27000-series standard?
Cyber attacks are one of the biggest risks an organisation can face. They continue to grow in scale and complexity, making hackers a constant threat to any industry that uses technology. Companies of all sizes are progressively concerned about implementing effective and affordable solutions to protect their corporate and personal data. Although ISO 27001 is the most popular standard (given that it is the standard that provides an independently audited certification), it only sets out the requirements of an ISMS.
The data access principle that ensures no unnecessary access to data exists by regulating members so they can perform only the minimum data manipulation necessary. Least privilege implies a need to know.
Least privilege
"NIST SP 800-30, Rev. 1: Guide for Con- ducting Risk Assessments" provides a foundation for the development of an effective risk management program, and it contains both the definitions and the practical guidance neces- sary for assessing and mitigating risks identified within IT systems. The ultimate goal is to help organizations better manage IT-related mission risks. It is organized into three chapters that explain the overall risk management process as well as preparing for, conducting, and communicating a risk assessment. The original document, SP 800-30, was functionally replaced by "SP 800-53, Rev. 3: Guide for Assessing the Security Controls in Federal Informa- tion Systems and Organizations." The document was substantially revised, and SP 800-30 (Revision 1) became a process document for the subtask of conducting risk assessment.
NIST SP 800-30, Rev. 1
"NIST SP 800-53A, Rev. 4: Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans" is the functional successor to "SP 800-26: Security Self-Assessment Guide for Information Technology Systems." A companion guide to "SP 800-53, Rev. 4: Security and Privacy Controls for Federal Information Systems and Organizations," it provides a systems developmental life cycle (SDLC) approach to security assessment of information systems.27 As shown in Figure 8-3, NIST has a comprehensive security control assessment program that guides organizations through the preparation for, assessment of, and remediation of critical security controls. The controls recommended by NIST in this family of SPs are organized into 17 "families" of controls, as mentioned earlier. These 17 families, along with a managerial family called "Pro- gram Management," are used to structure the protection of information and as part of the NIST security control assessment methodology. The controls are classified according to the three-category system used by NIST and are presented in Table 8-6.
NIST SP 800-53A, Rev. 4
NIST Special Publication 800-12 "SP 800-12: Computer Security Handbook" is an excellent reference and guide for routine management of InfoSec. It provides little guidance, however, on the design and implementation of new security systems; use it as a supplement to gain a deeper understanding of the background and terminology of security. The follow- ing excerpt gives an idea of the kind of information found in SP 800-12: SP 800-12 draws upon the OECD's Guidelines for the Security of Information Systems, which was endorsed by the United States. It provides for: • Accountability—The responsibilities and accountability of owners, providers, and users of information systems and other parties [...] should be explicit. • Awareness—Owners, providers, users, and other parties should readily be able, consis- tent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures [...] for the security of information systems. • Ethics—The information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interests of others are respected. • Multidisciplinary—Measures, practices, and procedures for the security of information systems should address all relevant considerations and viewpoints. [...] • Proportionality—Security levels, costs, measures, practices, and procedures should be appropriate and proportionate to the value and degree of reliance on theinformation systems, and to the severity, probability, and extent of potential harm. [...] • Integration—Measures, practices, and procedures for the security of information sys- tems should be coordinated and integrated with each other and other measures, prac- tices, and procedures of the organization so as to create a coherent system of security. • Timeliness—Public and private parties, at both national and international levels, should act in a timely, coordinated manner to prevent and to respond to breaches of security of information systems. • Reassessment—The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time. • Democracy—The security of information systems should be compatible with the legiti- mate use and flow of data and information in a democratic society.24 SP 800-12 also lays out NIST's philosophy on security management by identifying 17 con- trols organized into the three categories discussed earlier: • Management controls • Operational controls • Technical controls The 17 specific areas of control were adapted into control "families" by the newer NIST SP 800-53, as discussed later in this chapter.
NIST Special Publication 800-12
"SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems" describes recommended practices and provides information on commonly accepted InfoSec principles that can direct the secu- rity team in the development of a security blueprint. It also describes the philosophical prin- ciples that the security team should integrate into the entire InfoSec process, expanding on the components of SP 800-12. The more significant points made in NIST SP 800-14 are as follows: Security Supports the Mission of the Organization—The implementation of InfoSec is not independent of the organization's mission. On the contrary, it is driven by it. An InfoSec system that is not grounded in the organization's mission, vision, and culture is guaranteed to fail. The InfoSec program must support and further the organization's mission, which means that it must include elements of the mission in each of its policies, procedures, and training programs. • Security Is an Integral Element of Sound Management—Effective management includes planning, organizing, leading, and controlling activities. Security supports the planning function when InfoSec policies provide input into the organization initiatives, and it supports the controlling function when security controls enforce both managerial and security policies. • Security Should Be Cost-Effective—The costs of InfoSec should be considered part of the cost of doing business, much like the cost of the computers, networks, and voice communications systems. None of these systems generates any profit, and they may notlead to competitive advantages. As discussed in Chapter 5, however, InfoSec should justify its own costs. Security measures whose costs outweigh their benefits must be rationalized based on other business reasons (such as legal requirements). • Systems Owners Have Security Responsibilities Outside Their Own Organizations— Whenever systems store and use information from customers, patients, clients, partners, or others, the security of such data becomes a serious responsibility for the owners of the systems. Also, the owners have the general duty to protect information assets on behalf of all stakeholders of the organization. These stakeholders may include share- holders in publicly held organizations, and the government and taxpayers in the case of public agencies and institutions. • Security Responsibilities and Accountability Should Be Made Explicit—Policy documents should clearly identify the security responsibilities of users, administrators, and managers. To be legally binding, such documents must be disseminated, read, understood, and agreed to. As discussed in Chapter 5, ignorance of the law is no excuse, but ignorance of policy can be. Any relevant legislation must also become part of the security program. • Security Requires a Comprehensive and Integrated Approach—As emphasized throughout this book, security is everyone's responsibility. Throughout each stage of the SecSDLC, the three communities of interest—IT management and professionals, InfoSec management and professionals, and the nontechnical general business man- agers and professionals of the broader organization—should participate in all aspects of the InfoSec program. • Security Should Be Periodically Reassessed—InfoSec that is implemented and then ignored lacks due diligence and is considered negligent. Security is an ongoing process. To remain effective in the face of a constantly shifting set of threats and a constantly changing user base, the security process must be periodically repeated. Continuous anal- yses of threats, assets, and controls must be conducted and new blueprints developed. • Security Is Constrained by Societal Factors—Many factors influence the implementa- tion and maintenance of security. Legal demands, shareholder requirements, and even business practices affect the implementation of security controls and safeguards. While security professionals prefer to isolate information assets from the Internet—the major source of threats to those assets—the business requirements of the organization may preclude this control measure.
NIST Special Publication 800-14
"NIST SP 800-18, Rev. 1: Guide for Developing Security Plans for Federal Information Systems" provides detailed methods for assessing, designing, and implementing controls and plans for applications of various sizes. It serves as a guide for the security planning activities described later and for the overall InfoSec planning process. In addition, this document includes templates for major applica- tion security plans. As with any publication of this scope and magnitude, SP 800-18 must be customized to fit the particular needs of the organization.
NIST Special Publication 800-18, Rev. 1
The principle of limiting users' access privileges to only the specific information required to perform their assigned tasks.
Need-to-know
The information security principle that requires significant tasks to be split up so that more than one individual is required to complete them.
Separation of duties
is a managerial model provided by an industry working group, National Cyber Security Partnership (www.cyberpartnership.org), and is the result of developmental efforts by the National Cyber Security Summit Task Force.36 The framework provides guidance in the development and implementation of an organizational InfoSec governance structure and recommends the responsibilities that various members should have toward an organization,
The Information Security Governance Framework
•Board of Directors/Trustees—Provide strategic oversight regarding InfoSec •Senior Executives—Provide oversight of a comprehensive InfoSec program for the entire organization •Executive Team Members Who Report to a Senior Executive—Oversee the organization's security policies and practices •Senior Managers—Provide InfoSec for the information and information systems that support the operations and assets under their control •All Employees and Users—Maintain security of information and information systems accessible to them
The Information Security Governance Framework
is a collection of methods and practices for managing the development and operation of IT infrastructures. It has been pro- duced as a series of books, each of which covers an IT management topic. The names "ITIL" and "IT Infrastructure Library" are registered trademarks of the United Kingdom's Office of Government Commerce (OGC). Since ITIL includes a detailed description of many significant IT-related practices, it can be tailored to many IT organizations.
The Information Technology Infrastructure Library
What is ISO 27000
This standard sets out the requirements that an organisation's information security management system (ISMS) can be audited and certified against. ISO 27001 certification enables organisations of any size and in any industry to prove that they meet critical legislative and regulatory requirements related to information security. It demonstrates that the organisation has a framework for securing and protecting confidential, personal and sensitive data.
An older DoD system certification and accreditation standard that defines the criteria for assessing the access controls in a computer system. Also known as the rainbow series due to the color coding of the individual documents that made up the criteria.
Trusted Computer System Evaluation Criteria (TCSEC):
Access controls that are implemented at the discretion or option of the data user.
discretionary access controls (DACs):
A required, structured data classification scheme that rates each collection of information as well as each user. These ratings are often referred to as sensitivity or classification levels.
mandatory access control (MAC):
Access controls that are implemented by a central authority.
nondiscretionary controls
Under TCSEC, the combination of all hardware, firmware, and software responsible for enforcing the security policy.
trusted computing base (TCB):