Dr. Bhavani Thuraisingham The University of Texas at Dallas (UTD) June 2012


Page 1: Information Security Governance and Risk Management

Dr. Bhavani Thuraisingham
The University of Texas at Dallas (UTD)
June 2012

Page 2: Domain Agenda

• Information Security Management System (ISMS)
  – Business drivers
  – Governance
    o Roles and responsibilities
    o Security planning
    o Security administration
• Risk management
• Ethics

Page 3: C.I.A.

• Confidentiality: preventing unauthorized disclosure
• Integrity: preventing unauthorized modification
• Availability: preventing denial of service

Page 4: Domain Agenda (repeated from Page 2)

Page 5: Security Best Practices

• Job rotation
• Separation of duty
• Security awareness training
• Information classification
• Risk analysis
• Ethics education

Page 6: Roles and Responsibilities

• Specific
• General
• Communicated at hiring
• Verified capabilities and limitations
• Third-party considerations
• Good practices
• Reinforced via training

Page 7: Internal Roles

• Executive Management
• Information Systems Security Professionals
• Owners (Data and System Owners)
• Custodians
• Operations Staff
• Security Staff
• Users

Page 8: External Roles

• Vendors/Suppliers
• Contractors
• Temporary Employees
• Customers
• Business Partners
• Outsourced Relationships
• Outsourced Security

Page 9: Human Resources and Related Issues

• Human Resources
  – Employee development
  – Employee management
• Hiring and Termination
  – Consult the Human Resources Department
  – Low-level checks
  – Termination procedures
• Hiring New Staff
  – Background checks / security clearances
  – Verify references and educational records
• Signed Employment Agreements
  – Acceptable use
  – Non-disclosure
  – Non-compete
  – Ethics

Page 10: Personnel and Security Awareness Training / Good Practices

• Personnel
  – Job descriptions / defined roles and responsibilities
  – Least privilege
  – Need to know
  – Separation of duties
  – Job rotation
  – Mandatory vacations
• Security Awareness Training
  – Job training
  – Professional education
• Good Practices
  – Be relevant
  – Scope properly
  – Address the audience

Page 11: Domain Agenda (repeated from Page 2)

Page 12: Security Blueprints and Single Point of Failure

• Documented Security Program
  – Focus on the mission
  – Organizations are different
  – Cost-effective
• Blueprints
  – Identify and design security requirements
  – Infrastructure security blueprints
  – Holistic
• Single Point of Failure
  – Identify processes
  – Identify risks to the plan
  – Be prepared

Page 13: ISO/IEC 27000 Series = ISMS Blueprints

• 27000 – Glossary of terms
• 27001:2005 – ISMS requirements; the standard against which certification is attained
• 27002:2005/Cor1:2007 – Code of practice
• 27003 – ISMS implementation guidance (under development as of September 2008)
• 27004 – Information security measurement
• 27005:2008 – Information security risk management
• 27006:2007 – Requirements for bodies providing ISMS audit and certification
• 27799:2008 – Information security for health care organizations

(Edition numbers are those of the deck's 2008-era source; several of these standards have since been revised.)

Page 14: Domain Agenda (repeated from Page 2)

Page 15: Security Management, Administration and Governance

• Information security (ISec) describes activities that relate to the protection of information and information infrastructure assets against the risks of loss, misuse, disclosure or damage. Information security management (ISM) describes the controls that an organization needs to implement to ensure that it is sensibly managing these risks.
• The risks to these assets can be calculated by analysis of the following:
  – Threats to your assets: unwanted events that could cause the deliberate or accidental loss, damage or misuse of the assets
  – Vulnerabilities: how susceptible your assets are to attack
  – Impact: the magnitude of the potential loss or the seriousness of the event

Page 16: Security Management, Administration and Governance

• Standards available to help organizations implement appropriate programs and controls to mitigate these risks include BS 7799/ISO 17799 (since renumbered ISO/IEC 27002), the Information Technology Infrastructure Library (ITIL) and COBIT.
• Information Security Governance (ISG) is a subset discipline of corporate governance focused on information security systems and their performance and risk management.
• Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.

Page 17: Security Management, Administration and Governance

• Develop the information security strategy in support of business strategy and direction.
• Obtain senior management commitment and support.
• Ensure that definitions of roles and responsibilities throughout the enterprise include information security governance activities.
• Establish reporting and communication channels that support information security governance activities.
• Identify current and potential legal and regulatory issues affecting information security and assess their impact on the enterprise.
• Establish and maintain information security policies that support business goals and objectives.
• Ensure the development of procedures and guidelines that support information security policies.
• Develop the business case for information security program investments.

Page 18: Management's Security Policy

• Management's goals and objectives in writing
• Documents compliance
• Creates security culture

Page 19: Define the following

Area IV Buddy System Policy

THE AREA IV COMMANDER HAS DICTATED THAT ALL MILITARY SERVICE MEMBERS WILL USE THE “BUDDY SYSTEM” AT ALL TIMES, WITH THE EXCEPTION BELOW, WHEN OFF A MILITARY INSTALLATION.

ALL PERSONNEL WILL CARRY S.O.F.A. AND AN EMERGENCY TELEPHONE NUMBER CARD AT ALL TIMES.

LOCAL COMMANDERS MAY ENACT MORE STRINGENT MEASURES.

BY ORDER OF THE AREA IV COMMANDER

Page 20: Policies, Standards, Guidelines and Procedures

• Policies are the top tier of formalized security documents. These high-level documents offer a general statement about the organization's assets and what level of protection they should have.
• Well-written policies spell out who is responsible for security, what needs to be protected, and what is an acceptable level of risk.
• Standards are much more specific than policies. Standards are tactical documents: they state the mandatory requirements that must be met to satisfy a policy. As an example, a standard might require that all email communication be encrypted. It fixes the requirement, but it does not spell out how it is to be done; that is left to the procedure.

Page 21: Policies, Standards, Guidelines and Procedures

• A baseline is a minimum level of security that a system, network, or device must adhere to. Baselines are usually mapped to industry standards. As an example, an organization might specify that all computer systems comply with at least the Trusted Computer System Evaluation Criteria (TCSEC) C2 level. (TCSEC has since been superseded by the Common Criteria, but the principle is unchanged: a named, externally defined minimum that every system is measured against.)
• A guideline points to a statement in a policy or procedure by which to determine a course of action. It is a recommendation or suggestion of how things should be done. It is meant to be flexible so it can be customized for individual situations.
• A procedure is the most specific of security documents. A procedure is a detailed, in-depth, step-by-step document that details exactly what is to be done.
• A security model is a scheme for specifying and enforcing security policies. Examples include Bell-LaPadula, Biba and access control lists (the last is strictly an enforcement mechanism rather than a formal model).

Page 22: Information Classification

• It is essential to classify information according to its actual value and level of sensitivity in order to deploy the appropriate level of security.
• A system of classification should ideally be:
  – simple to understand and to administer
  – effective in determining the level of protection the information is given
  – applied uniformly throughout the whole organization (note: when in any doubt, the higher, more secure classification should be employed)

Page 23: Information Classification

• With the exception of information that is already in the public domain, information should not be divulged to anyone who is not authorized to access it or is not specifically authorized by the information owner.
• Violations of the Information Classification Policy should result in disciplinary proceedings against the individual.
• The number of information classification levels in an organization should be manageable, as having too many makes maintenance and compliance difficult.

Page 24: Information Classification

• Top Secret: Highly sensitive internal documents and data, for example impending mergers or acquisitions, investment strategies, plans or designs that could seriously damage the organization if lost or made public. Information classified as Top Secret has very restricted distribution indeed, and must be protected at all times. Security at this level is the highest possible.
• Highly Confidential: Information that is considered critical to the organization's ongoing operations and could seriously impede or disrupt them if shared internally or made public. Such information includes accounting information, business plans, sensitive customer information held by banks and similar institutions, patients' medical records, and similar highly sensitive data. Such information should not be copied or removed from the organization's operational control without specific authority. Security should be very high.

Page 25: Information Classification

• Proprietary: Procedures, project plans, operational work routines, designs and specifications that define the way in which the organization operates. Such information is usually for proprietary use by authorized personnel only. Security at this level is high.
• Internal Use Only: Information not approved for general circulation outside the organization, where its disclosure would inconvenience the organization or management but is unlikely to result in financial loss or serious damage to credibility/reputation. Examples include internal memos, internal project reports, minutes of meetings. Security at this level is controlled but normal.
• Public Documents: Information in the public domain: press statements, annual reports, etc. which have been approved for public use or distribution. Security at this level is minimal.

Page 26: Domain Agenda (repeated from Page 2)

Page 27: Roles and Responsibilities

• Internal Roles
  – Executive Management; Information System Security Professionals; Owners: Data and System Owners; Custodians
  – Operational Staff; Users; Legal, Compliance and Privacy Officers; Internal Auditors; Physical Security Officers
• External Roles
  – Vendors and Suppliers; Contractors; Temporary Employees; Customers; Business Partners; Outsourced Relationships; Outsourced Security
• Human Resources
  – Employee development and management; Hiring and termination; Signed employee agreements; Education

Page 28: Risk Management and Analysis

• Risk is the likelihood that something bad will happen that causes harm to an informational asset (or the loss of the asset). A vulnerability is a weakness that could be used to endanger or cause harm to an informational asset. A threat is anything (man-made or act of nature) that has the potential to cause harm.
• The likelihood that a threat will use a vulnerability to cause harm creates a risk. When a threat does use a vulnerability to inflict harm, it has an impact. In the context of information security, the impact is a loss of availability, integrity or confidentiality, and possibly other losses (lost income, loss of life, loss of real property). It should be pointed out that it is not possible to identify all risks, nor is it possible to eliminate all risk. The remaining risk is called residual risk.

Page 29: Risk Management and Analysis

• A risk assessment is carried out by a team of people who have knowledge of specific areas of the business. Membership of the team may vary over time as different parts of the business are assessed.
• The assessment may use a subjective qualitative analysis based on informed opinion (scenarios), or, where reliable dollar figures and historical information are available, a quantitative analysis.
• For any given risk, executive management can choose to accept the risk based upon the relatively low value of the asset, the relatively low frequency of occurrence, and the relatively low impact on the business. Or, leadership may choose to mitigate the risk by selecting and implementing appropriate control measures to reduce it. In some cases, the risk can be transferred to another business by buying insurance or outsourcing to another business.

Page 30: Risk Management and Analysis

• Identify assets and estimate their value. Include people, buildings, hardware, software, data and supplies.
• Conduct a threat assessment. Include acts of nature, accidents, and malicious acts originating from inside or outside the organization.
• Conduct a vulnerability assessment, and for each vulnerability calculate the probability that it will be exploited. Evaluate policies, procedures, standards, training, physical security, and so on.
• Calculate the impact that each threat would have on each asset, using qualitative or quantitative analysis.
• Identify, select and implement appropriate controls. Provide a proportional response. Consider productivity, cost effectiveness, and the value of the asset.
• Evaluate the effectiveness of the control measures. Ensure the controls provide the required cost-effective protection without discernible loss of productivity.

Page 31: Risk Management and Analysis

• Step 1: Estimate Potential Loss
  – SLE = AV ($) x EF (%)
  – SLE: Single Loss Expectancy; AV: Asset Value; EF: Exposure Factor (percentage of the asset value lost in one incident)
• Step 2: Conduct Threat Likelihood Analysis
  – ARO: Annual Rate of Occurrence
  – Number of times per year that an incident is likely to occur
• Step 3: Calculate ALE
  – ALE: Annual Loss Expectancy
  – ALE = SLE x ARO

Page 32: Risk Management

• Identifying and reducing total risks
• Choosing mitigation strategies
• Setting residual risk at an acceptable level
• Integrating risk management processes into the organization

Page 33: Risk Management

• The principal goal of an organization's risk management process should be to protect the organization and its ability to perform its mission, including but not limited to its IT assets.
• Risk is a function of the likelihood of a given threat-source's exercising a particular vulnerability, and the resulting impact of that adverse event on the organization.

Page 34: Risk Management Benefits

• Focuses policy and resources
• Identifies areas with specific risk requirements
• Directs budget
• Supports
  – Business continuity process
  – Insurance and liability decisions
• Legitimizes security awareness programs

Page 35: Risk Management Definitions

• Assets
• Threat-source/agent
• Threat
• Exposure
• Vulnerability
• Likelihood
• Attack
• Controls
• Countermeasures
• Safeguards
• Total risk
• Residual risk

Page 36: Risk Assessment / Analysis Steps: SP 800-30

1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation

(These nine steps are those of the original 2002 edition of NIST SP 800-30; Revision 1, published in September 2012, reorganizes the process into preparing for, conducting, communicating and maintaining the assessment.)

Page 37: Information Valuation Considerations

• Exclusive possession
• Utility
• Cost to acquire or create
• Liability
• Convertibility
• Operational impact
• Timing
• Methods
  – Modified Delphi
  – Facilitated sessions
  – Survey
  – Interview
  – Checklist

Page 38: Quantitative Risk Analysis

• Assign monetary values
• Labor and time intensive
• Difficult to achieve
• Steps
  1. Estimate potential losses
  2. Conduct a threat likelihood analysis
  3. Calculate annual loss expectancy

Page 39: Step One: Estimate Potential Losses

SINGLE LOSS EXPECTANCY
SLE = AV ($) x EF (%)
• AV: Asset Value
• EF: Exposure Factor

Page 40: Step Two: Conduct Threat Likelihood Analysis

ARO – Annual Rate of Occurrence
• Number of exposures or incidents that can be expected in a given year
• Likelihood of an unwanted event occurring

Page 41: Step Three: Calculate ALE

ALE – Annual Loss Expectancy
ALE = SLE x ARO
• Magnitude of risk = ALE
• Purpose: justify security countermeasures
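The three steps above (the same SLE, ARO and ALE formulas as on Page 31), carried through on constructed numbers as an added example that is not part of the original deck. The SLE and ALE formulas are the slides' own; the safeguard-value check (ALE before the control, minus ALE after it, minus the control's annual cost) is the standard cost/benefit test behind "justify security countermeasures", which the slides name but do not write out. The asset value, exposure factors, rates of occurrence and control costs are all invented for illustration.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and safeguard cost/benefit.

Added example; not code from the original slides. The SLE and ALE formulas
are the deck's; the safeguard-value formula is the standard cost/benefit
test the deck alludes to. Every figure below is a constructed illustration.
"""
from dataclasses import dataclass


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV ($) x EF, with EF as a fraction (0.30 for 30%) of the asset
    value lost in a single incident."""
    if asset_value < 0:
        raise ValueError("asset value cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction in [0, 1]")
    return round(asset_value * exposure_factor, 2)


def aro_from_history(incidents: int, years: float) -> float:
    """ARO (Annual Rate of Occurrence) from a count of incidents over a
    period; 'once every four years' is aro_from_history(1, 4) == 0.25."""
    if incidents < 0 or years <= 0:
        raise ValueError("need a non-negative count over a positive period")
    return incidents / years


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: the magnitude of the risk, in dollars per year."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO cannot be negative")
    return round(sle * aro, 2)


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, before or after a control is applied."""
    name: str
    asset_value: float
    exposure_factor: float
    aro: float

    @property
    def sle(self) -> float:
        return single_loss_expectancy(self.asset_value, self.exposure_factor)

    @property
    def ale(self) -> float:
        return annual_loss_expectancy(self.sle, self.aro)


@dataclass(frozen=True)
class Safeguard:
    """A candidate countermeasure and its expected effect on EF and ARO."""
    name: str
    annual_cost: float        # amortized purchase plus yearly operation
    exposure_factor_after: float
    aro_after: float


def safeguard_value(before: Scenario, control: Safeguard) -> float:
    """Net annual value of a control = ALE(before) - ALE(after) - annual cost.

    Positive: the control removes more expected loss than it costs, so
    spending on it is justified. Zero or negative: accepting or transferring
    the risk is cheaper than mitigating it with this control."""
    after = Scenario(before.name, before.asset_value,
                     control.exposure_factor_after, control.aro_after)
    return round(before.ale - after.ale - control.annual_cost, 2)


def recommend(before: Scenario, control: Safeguard) -> str:
    """Mitigation decision in the deck's terms: reduce, or accept/transfer."""
    return "reduce" if safeguard_value(before, control) > 0 else "accept/transfer"


if __name__ == "__main__":
    # Constructed scenario: a customer database worth $200,000; a breach is
    # judged to destroy 30% of that value and to happen about once in two years.
    breach = Scenario("customer DB breach", 200_000, 0.30, aro_from_history(1, 2))
    print(f"SLE ${breach.sle:,.2f}  ARO {breach.aro}  ALE ${breach.ale:,.2f}")

    # Two candidate controls (figures invented): a modest one that pays for
    # itself, and a gold-plated one whose cost exceeds the loss it prevents.
    for control in (Safeguard("web app firewall", 8_000, 0.10, 0.25),
                    Safeguard("full re-platform", 40_000, 0.05, 0.10)):
        print(f"{control.name}: value ${safeguard_value(breach, control):,.2f}"
              f" -> {recommend(breach, control)}")
```

The point the arithmetic makes is the one Page 29 states in prose: the same ALE can justify one control and rule out another, because the decision is driven by the loss the control removes relative to what it costs, not by the size of the risk alone. The range checks on EF and ARO are there because a register that accepts an exposure factor of 150% or a negative rate will happily produce a confident, wrong ALE.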

Page 42: Qualitative and Hybrid Risk Analysis

• Qualitative
  – Scenario-oriented
  – No $ values
  – Rank seriousness of threats and sensitivity of assets
  – Perform a carefully reasoned risk assessment
• Hybrid
  – Quantitative
  – Qualitative
  – FMEA (Failure Modes and Effects Analysis)
  – FTA (Fault Tree Analysis)
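A qualitative ranking of the kind the slide describes (no dollar values; threats ranked by seriousness), as an added example that is not part of the original deck. It uses the likelihood weights (High 1.0, Medium 0.5, Low 0.1), impact weights (High 100, Medium 50, Low 10) and risk bands (Low 1 to 10, Medium above 10 to 50, High above 50 to 100) of the risk-level matrix in the 2002 edition of NIST SP 800-30, the document Page 36 cites; the threat/vulnerability pairs in the register are constructed. It is the "risk is a function of likelihood and impact" statement of Page 33 made concrete without any asset valuation.

```python
"""Qualitative risk determination with the SP 800-30 (2002) risk-level matrix.

Added example; not code from the original slides. Weights and bands follow
the risk-level matrix of SP 800-30 (2002); the register entries are constructed.
"""
from dataclasses import dataclass

# Likelihood that a threat-source exercises the vulnerability, and the
# magnitude of impact if it does, on the three-level scale SP 800-30 uses.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass(frozen=True)
class RiskEntry:
    """One row of a risk register: a threat/vulnerability pair with the
    assessor's likelihood and impact ratings."""
    threat: str
    vulnerability: str
    likelihood: str
    impact: str


def risk_score(likelihood: str, impact: str) -> float:
    """Likelihood weight x impact weight; rejects ratings outside the scale
    so a typo in a register cannot silently produce a zero-risk row."""
    try:
        return LIKELIHOOD[likelihood] * IMPACT[impact]
    except KeyError as exc:
        raise ValueError(f"rating must be High/Medium/Low, got {exc}") from None


def risk_level(score: float) -> str:
    """Map the score to the matrix bands: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def rank_register(register: list[RiskEntry]) -> list[tuple[str, float, str]]:
    """Return (threat via vulnerability, score, level) from most to least
    serious, which is the ordering the qualitative method exists to produce."""
    scored = []
    for entry in register:
        score = risk_score(entry.likelihood, entry.impact)
        scored.append((f"{entry.threat} via {entry.vulnerability}",
                       score, risk_level(score)))
    # Highest score first; ties broken by name so the order is reproducible.
    return sorted(scored, key=lambda row: (-row[1], row[0]))


# Constructed register for a small web application (illustrative ratings).
REGISTER = [
    RiskEntry("external attacker", "unpatched web server", "High", "High"),
    RiskEntry("insider", "shared admin password", "Medium", "High"),
    RiskEntry("flood", "server room in basement", "Low", "High"),
    RiskEntry("malware", "no e-mail attachment filtering", "Medium", "Medium"),
    RiskEntry("power failure", "single UPS", "High", "Low"),
]

if __name__ == "__main__":
    for name, score, level in rank_register(REGISTER):
        print(f"{level:6} {score:6.1f}  {name}")
```

Note how a High-likelihood/Low-impact row (the single UPS) and a Low-likelihood/High-impact row (the flood) land in the same Low band: the matrix deliberately does not let frequency alone or severity alone drive the ranking, which is the property that makes the result defensible to management without dollar figures.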

Page 43: Risk Mitigation and Assurance

• Risk Mitigation
  – Acceptance = absorb the effect of an incident
  – Reduction = implement controls
  – Transference = insurance
  – Avoidance = stop the activity that creates the risk
• Risk Assurance
  – Cyclical nature
  – Liability

Page 44: Countermeasure Selection Principles

• Cost/benefit analysis
• Accountability
• Absence of design secrecy
• Audit capability
• Vendor trustworthiness
• Independence of control and subject
• Universal application
• Compartmentalization
• Defense in depth
• Isolation, economy and least common mechanism
• Acceptance and tolerance by personnel
• Minimum human intervention
• Sustainability
• Reaction and recovery
• Override and fail-safe defaults
• Residuals and reset

Page 45: Domain Agenda (repeated from Page 2)

Page 46: Ethical Environments and Responsibilities

• Ethics are difficult to define
• Begin with senior management
• "Set the example"
• Encourage adoption of ethical guidelines and standards
• Inform users about ethical responsibilities through security awareness training
• Responsibilities
  – Global responsibility
  – National
  – Organizational
  – Personal

Page 47: Basis and Origin of Ethics

• Religion
• Law
• National interest
• Individual rights
• Common good/interest
• Enlightened self-interest
• Professional ethics/practices
• Standards of good practice
• Tradition/culture
• Formal Ethical Theories
  – Teleology: ethics in terms of goals, purposes or ends
  – Deontology: ethical behavior is a duty

Page 48: Relevant Professional Codes of Ethics

• (ISC)²
• RFC 1087 ("Ethics and the Internet", 1989)
  – Access to and use of the Internet is a PRIVILEGE and should be treated as such by all users
  – RFC 1087 refers to "negligence in the conduct of Internet-wide experiments" as "irresponsible and unacceptable", but does not specifically label such conduct as "unethical".
• Internet Architecture Board
• (ISC)² Code of Ethics and Canons
  – "Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior"
  – "Therefore, strict adherence to this code is a condition of certification."
  – "Protect society, the commonwealth, and the infrastructure"
  – "Act honorably, honestly, justly, responsibly, and legally"
  – "Provide diligent and competent service to principals"
  – "Advance and protect the profession"

Page 49: Internet Architecture Board (IAB)

Any activity is unethical and unacceptable that purposely:

• Seeks to gain unauthorized access to Internet resources
• Disrupts the intended use of the Internet
• Wastes resources (people, capacity, computer) through such actions
• Destroys the integrity of computer-based information
• Compromises the privacy of users
• Involves negligence in the conduct of Internet-wide experiments

Page 50: Domain Summary

• Information Security Management System (ISMS)
  – Business drivers
  – Governance
    o Roles and responsibilities
    o Security planning
    o Security administration
• Risk management
• Ethics