This document discusses security management practices, with a focus on information security management. It covers topics such as information classification, security policies, roles and responsibilities, risk management, and security awareness training. Specifically, it provides details on establishing an information classification process, including identifying information assets, analyzing risks, defining classifications, roles for information owners and custodians, and guidelines for classifying information and applications.
2. Security Management Practices
Information Security Management
The Big Three - CIA
The Information Classification process
Security Policy implementation
The roles and responsibilities of Security Administration
Risk Management Assessment tools
Security Awareness training
3. Information Security Management
To protect an organization’s valuable resources, such as
information, hardware, and software
Identification of an organization’s information assets
The development, documentation, and implementation
of policies, standards, procedures, and guidelines
Ensure Availability, Integrity and Confidentiality
4. Information Security Management Cont…
Through the selection and application of appropriate
safeguards, Information Security helps the organization’s
mission by protecting its physical and financial resources,
reputation, legal position, employees, and other tangible and
intangible assets
Information systems are often critical assets that support the
mission of an organization
However, including Information Security considerations in the
management of information systems does not completely
eliminate the possibility that these assets will be harmed.
5. Availability, Integrity and Confidentiality
Availability
Availability is the assurance that a computer system is accessible
by authorized users whenever needed.
The Threat
Denial of Service & Distributed Denial of Service
Natural disasters (e.g., fires, floods, storms, or earthquakes)
Human actions (e.g., bombs or strikes)
6. Availability Cont…
The Action
Contingency planning — which may involve business resumption
planning, alternative-site processing, or simply disaster recovery
planning — provides an alternative means of processing, thereby
ensuring availability.
Physical, Technical, and Administrative controls are important
aspects of security initiatives
The Physical controls
Restrict unauthorized persons from coming into contact with
computing resources and Facilities
7. Availability Cont…
The Technical controls
Fault-tolerance mechanisms (e.g., hardware redundancy, disk
mirroring, and application checkpoint restart)
Electronic vaulting (i.e., automatic backup to a secure, off-site
location)
Access control software to prevent unauthorized users
The Administrative controls
access control policies, operating procedures, contingency
planning, and user training
8. Integrity
Integrity
Protection of Information System or Processes from intentional or
accidental unauthorized changes
Protect the process or program used to manipulate the data from
unauthorized modification.
The Threat
Hackers, Masqueraders, Unauthorized user activity
Unprotected downloaded files, networks, and unauthorized
programs (e.g., Trojan horses and viruses)
Authorized users can corrupt data and programs accidentally or
intentionally
9. Integrity Cont…
The Action
Granting access on a need-to-know (least privilege) basis
Separation of duties
Rotation of duties
Need-to-Know Access (Least Privilege)
Grant access only to those files and programs that they absolutely
need to perform their assigned job functions
Restrict through use of well-formed transactions (recording of data/program
modifications in a log)
10. Integrity Cont…
Separation of Duties
No single employee has control of a transaction from beginning to
end
Rotation of Duties
Change Job assignments periodically
Works well when used in conjunction with a separation of duties
Helps organization when losing a key employee
“The security program must employ a careful balance between ideal
security and practical productivity”
11. Confidentiality
Confidentiality
Protection of information within systems so that unauthorized
people, resources, and processes cannot access that information
The Threat
Hackers, Masqueraders, Unauthorized user activity
Unprotected downloaded files, networks, and unauthorized
programs (e.g., Trojan horses and viruses)
Social Engineering
The Action
Granting access on a need-to-know (least privilege) basis
Well-Formed Transaction
Awareness
12. Risk Analysis and Assessment
Risk Management
The processes of identifying, analyzing and assessing, mitigating,
or transferring risk are generally characterized as Risk Management
Risk Management Process
What could happen (threat event)?
If it happened, how bad could it be (threat impact)?
How often could it happen (threat frequency, annualized)?
How certain are the answers to the first three questions
(recognition of uncertainty)?
What can be done (risk mitigation)?
How much will it cost (annualized)?
Is it cost-effective (cost/benefit analysis)?
13. Risk Analysis and Assessment Cont…
Risk Analysis
This term represents the process of analyzing a target environment
and the relationships of its risk-related attributes
Qualitative / Quantitative
Quantitative risk analysis attempts to assign independently
objective numeric values (i.e., monetary values) to all elements
of the risk analysis
Qualitative risk analysis, on the other hand, does not attempt to
assign numeric values at all, but rather is scenario oriented
14. Risk Analysis and Assessment Cont…
Risk Assessment
This term represents the assignment of value to assets, threat
frequency (annualized), consequence (i.e., exposure factors), and
other elements of chance
Information Asset
Information is regarded as an intangible asset separate from the
media on which it resides
Simple cost of replacing the information
The cost of replacing supporting software
Costs associated with loss of the information’s confidentiality,
availability, and integrity
Supporting hardware and network
15. Risk Analysis and Assessment Cont…
Exposure Factor (EF)
A measure of the magnitude of loss or impact on the value of an
asset
A percent, ranging from 0 to 100%, of asset value loss arising from
a threat event
Single Loss Expectancy
Single Loss Expectancy = Asset Value × Exposure Factor
Annualized Rate of Occurrence (ARO)
The frequency with which a threat is expected to occur
For example, a threat occurring once in ten years has an ARO of
1/10 or 0.1
16. Risk Analysis and Assessment Cont…
Annualized Loss Expectancy (ALE)
Annualized Loss Expectancy = Single Loss Expectancy ×
Annualized Rate of Occurrence
Probability
The chance or likelihood that an event will occur
For example, the probability of getting a 6 on a single roll of a die
is 1/6, or 0.16667
The probability ranges from 0 to 1
Safeguard
… occurrence of a specified threat or category of threats
17. Risk Analysis and Assessment Cont…
Safeguard Effectiveness
The degree, expressed as a percent, from 0 to 100%, to which a
safeguard can be characterized as effectively mitigating a
vulnerability and reducing associated loss risks
Uncertainty
The degree, expressed as a percent, from 0.0% to 100%, to which
there is less than complete confidence in the value of any element
of the risk assessment
18. Tasks of Information Risk Management
Establish Information Risk Management Policy
IRM policy should begin with a high-level policy statement and supporting
objectives, scope, constraints, responsibilities, and approach
Communicate and Enforce
Establish an IRM Team
A top-down approach works well
Establish IRM Methodology and Tools
Determine current status of Information Security
Plan Strategic risk assessment
Identify and Measure Risk
Perform Risk Assessment based on the IRM policy and IRM methodology &
tools
19. Information Protection Environment
Threat Analysis
Asset Identification and Valuation
Vulnerability Analysis
Risk Evaluation
Interim Reports and Recommendations
Establish Risk Acceptance Criteria
Example : do not accept more than a 1 in 100 chance of losing
$1,000,000
Mitigate Risk
Safeguard Selection and Risk Mitigation Analysis
Cost/Benefit Analysis
Final Report
Monitor Information Risk Management Performance
20. Security Technology and Tools
Qualitative versus Quantitative Approach
The Qualitative approach is a much more subjective approach to the
valuation of information assets and the scaling of risk
In general, the risks are described as “low,” “medium,” or “high”
The Quantitative approach deals in real numbers
Uses algorithms
ALE = ARO × (Asset Value × Exposure Factor) = ARO × SLE
Assume the asset value is $1M, the exposure factor is 50%, and
the annualized rate of occurrence is 1/10 (once in ten years)
($1M × 50% = $500K) × 1/10 = $50K
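The SLE/ALE arithmetic from slides 15, 16 and 20 carried through in Python, as an example added here rather than code from the deck. The safeguard cost/benefit formula, the reading of the slide 19 acceptance criterion, and the candidate safeguard figures are assumptions.

```python
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = Asset Value x Exposure Factor (EF as a fraction, 0.0 to 1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must lie between 0 and 100%")
    return asset_value * exposure_factor


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO; ARO is events per year (once in ten years = 0.1)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


@dataclass
class Safeguard:
    name: str
    annual_cost: float    # annualized cost of the control (assumed figure)
    effectiveness: float  # 0.0 to 1.0: share of the loss risk it mitigates


def residual_ale(ale_before: float, sg: Safeguard) -> float:
    """Loss expectancy that remains once the safeguard is in place."""
    if not 0.0 <= sg.effectiveness <= 1.0:
        raise ValueError("effectiveness must lie between 0 and 100%")
    return ale_before * (1.0 - sg.effectiveness)


def annual_safeguard_value(ale_before: float, sg: Safeguard) -> float:
    """(ALE before - ALE after) - annual safeguard cost; positive means the
    control pays for itself. Textbook formula assumed here, not the deck's."""
    return (ale_before - residual_ale(ale_before, sg)) - sg.annual_cost


def exceeds_acceptance_criteria(sle: float, aro: float,
                                max_loss: float = 1_000_000,
                                max_aro: float = 0.01) -> bool:
    """Slide 19 criterion, read (an assumption) as: a single loss of at least
    max_loss expected more often than max_aro times per year is not accepted."""
    return sle >= max_loss and aro > max_aro


# Slide 20 figures: asset value $1M, exposure factor 50%, ARO 1/10.
SLE = single_loss_expectancy(1_000_000, 0.50)  # $500K
ALE = annualized_loss_expectancy(SLE, 0.10)    # $50K

# Constructed candidate safeguards (sample figures, not from the deck).
CANDIDATES = [
    Safeguard("electronic vaulting to off-site storage", 20_000, 0.80),
    Safeguard("alternative-site processing", 60_000, 0.95),
]
```

With the sample figures, vaulting reduces the $50K ALE to $10K for $20K a year (a net $20K gain), while the costlier alternative site leaves the organization worse off despite its higher effectiveness.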
21. Pros and Cons of Qualitative Approach
Pros
Calculations, if any, are simple
Usually not necessary to determine the monetary value of Information
(CIA)
Not necessary to determine quantitative threat frequency and impact data
Not necessary to estimate the cost of recommended risk mitigation
measures and calculate cost/benefit because the process is not
quantitative.
A general indication of significant areas of risk
Cons
The risk assessment and results are essentially subjective in both process
and metrics
The perception of value may not realistically reflect actual value at risk
Only subjective indication of a problem
It is not possible to track risk management performance objectively when
all measures are subjective
22. Pros and Cons of Quantitative Approach
Pros
Meaningful statistical analysis is supported
The value of information (CIA), as expressed in monetary terms with
supporting rationale, is better understood. Thus, the basis for expected
loss is better understood
Information security budget decision making is supported
Risk management performance can be tracked and evaluated.
Risk assessment results are derived and expressed in management’s
language, monetary value, percentages, and probability annualized. Thus,
risk is better understood.
Cons
Calculations are complex.
Not practical to execute a quantitative risk assessment without using a
recognized automated tool and associated knowledge bases
A substantial amount of information gathering is required
A standard, independent threat-population and threat-frequency knowledge
base has not yet been developed and maintained, so the approach is vendor
dependent
23. Information Classification
Information Protection Requirements
Data confidentiality, integrity, and availability are improved because
appropriate controls are used for all data across the enterprise
The organization gets the most for its information protection dollar
because protection mechanisms are designed and implemented where
they are needed most, and less costly controls can be put in place for
non-critical information
The quality of decisions is improved because the data upon which the
decisions are made can be trusted
The company is provided with a process to review all business
functions and informational requirements on a periodic basis to
determine appropriate data classifications
24. Data Classification
Classification is part of a mandatory access control model
to ensure that sensitive data is properly controlled and
secured
DoD multi-level security policy has 4 classifications:
Top Secret
Secret
Confidential
Unclassified
Other levels in use are:
Eyes only
Officers only
Company confidential
Public
25. Data Classification Cont…
Top Secret - applies to the most sensitive business information
which is intended strictly for use within the organization. Unauthorized
disclosure could seriously and adversely impact the company,
stockholders, business partners, and/or its customers
Secret - Applies to less sensitive business information which is
intended for use within a company. Unauthorized disclosure could
adversely impact the company, its stockholders, its business partners,
and/or its customers
Confidential - Applies to personal information which is intended for
use within the company. Unauthorized disclosure could adversely
impact the company and/or its employees
Unclassified - Applies to all other information which does not clearly
fit into any of the above three classifications. Unauthorized disclosure
isn’t expected to seriously or adversely impact the company
26. Information Classification Cont…
Information Protection Environment
Getting started: questions to ask
• Is there an executive sponsor for this project?
• What are you trying to protect, and from what?
• Are there any regulatory requirements to consider?
• Has the business accepted ownership responsibilities for the data?
Policy
• An essential tool in establishing a data classification scheme
• Define information as an asset of the business unit
• Declare local business managers as the owners of information
• Establish IT as the custodians of corporate information
• Clearly define roles and responsibilities of those involved in the ownership
and classification of information
• Define the classifications and criteria that must be met for each
• Determine the minimum range of controls to be established for each
classification
27. Information Classification Cont…
Risk Analysis
Identify major functional areas of information
Analyze the classification requirements
Determine the risk associated
Determine the effect of loss
Build a table
Establishing classifications
Public: information that, if disclosed outside the company, would
not harm the organization, its employees, customers, or business
partners.
Internal Use Only: information that is not sensitive to disclosure
within the organization, but could harm the company if disclosed
externally.
Company Confidential: sensitive information that requires “need-to-know”
before access is given
28. Information Classification Cont…
Defining roles and responsibilities
Information owner - A business executive or business
manager who is responsible for a company business
information asset
Information custodian - The information custodian, usually an
information technology or operations person, is the system
administrator or operator for the Information Owner, with
primary responsibilities dealing with running the program for
the owner and backup and recovery of the business
information
Application owner - Manager of the business unit who is fully
accountable for the performance of the business function
served by the application
User manager - The immediate manager or supervisor of an
employee
29. Information Classification Cont…
Defining roles and responsibilities
Security administrator - Any company employee who owns an
“administrative” user ID that has been assigned attributes or
privileges that are associated with any type of access control
system
Security analyst - Person responsible for determining the data
security directions (strategies, procedures, guidelines) to
ensure information is controlled and secured based on its
value, risk of loss or compromise, and ease of recoverability
Change control analyst - Person responsible for analyzing
requested changes to the Information Technology
infrastructure and determining the impact on applications
Data analyst - This person analyzes the business
requirements to design the data structures and recommends
data definition standards and physical platforms
30. Information Classification Cont…
Defining roles and responsibilities
Solution provider - Person who participates in the solution
(application) development and delivery processes in
deploying business solutions
End user - Any employee, contractor, or vendor of the
company who uses information systems resources as part of
their job
Process owner - This person is responsible for the
management, implementation, and continuous improvement
of a process that has been defined to meet a business need
Product line manager - Person responsible for understanding
business requirements and translating them into product
requirements, working with the vendor/user area
31. Information Classification Cont…
Identifying owners
The proper owner must be from the business
Senior management support is a key success factor
Information owners must be given the necessary authority
Classifying information and applications
Collect the metadata about their business functions
Review the definitions for the information classifications
Ongoing monitoring
Ensure compliance with policy and established procedures
Periodically review the data to ensure it is still
appropriately classified
32. Policies, Procedures, Standards, Baselines
Policy - An information security policy contains senior
management’s directives to create an information security
program, establish its goals, measures, and target and assign
responsibilities
Standards - Standards are mandatory activities, actions, rules,
or regulations designed to provide policies with the support
structure and specific direction they require to be meaningful
and effective
Procedures - Procedures spell out the step-by-step specifics of
how the policy and the supporting standards and guidelines will
actually be implemented in an operating environment
Guidelines - Guidelines are more general statements designed
to achieve the policy’s objectives by providing a framework
within which to implement controls not covered by procedures
34. Awareness Program
Security policies, standards, procedures, baselines, and
guidelines
Threats to physical assets and stored information
Threats to open network environments
Laws and regulations they are required to follow
Specific organization or department policies they are required
to follow
How to identify and protect sensitive (or classified)
information
How to store, label, and transport information
Who they should report security incidents to, regardless of
whether it is just a suspected or an actual incident
Email/Internet policies and procedures
Social engineering
35. Implementation (Delivery) Options
Posters
Posting motivational and catchy slogans
Videotapes
Classroom instruction
Computer-based delivery, such as CD-ROM, DVD, intranet
access, Web-based access, etc.
Brochures/flyers
Pens/pencils/keychains (any type of trinket) with motivational
slogans
Post-it notes with a message on protecting the Information
Technology system
Stickers for doors and bulletin boards
36. Implementation (Delivery) Options Cont…
Cartoons/articles published monthly or quarterly in an in-house
newsletter or specific department notices
Special topical bulletins (security alerts in this instance)
Monthly email notices related to security issues or email
broadcasts of security advisories
Security banners or pre-logon messages that appear on the
computer monitor
Distribution of items as an incentive