Security Administration

Links to Text

Chapter 8Parts of Chapter 5Parts of Chapter 1

Security Involves:

Technical controlsAdministrative controlsPhysical controls

Major Chapter Topics PlanningRisk analysisPolicyPhysical security

Security PlanWritten document that

describes how an organization will address its security needs

What Should a Security Plan Do?

Identify what (vulnerabilities, threats, and risks)

Specify how they will be handled (controls)

Specify who will handle themSpecify when they will be handled

(timetable)

Issues Listed in TextPolicyCurrent stateRequirementsRecommended controlsAccountabilityTimetableContinuing attention (updates)

OCTAVEOperationally Critical Threat, Asset,

and Vulnerability EvaluationDeveloped at Carnegie Mellon

CERT Coordination CenterFirst published in 1999

The OCTAVE Approach Self-directed Focused on risks to information assets Focused on practice-based mitigation

Best practices from CERT/CC, NIST, laws and regulations (e.g., HIPPA), etc.

Participation by both business and IT personnel

Different Scales

OCTAVE – large organizationsOCTAVE-S – small organizations

OCTAVE Steps 1. Identify enterprise knowledge 2. Identify operational area knowledge 3. Identify staff knowledge 4. Create threat profiles 5. Identify key components 6. Evaluate selected components 7. Conduct a risk analysis 8. Develop a protection strategy

Common Criteria (CC)

Framework for evaluation of IT systems International effort

United States United Kingdom France Germany The Netherlands Canada

Business Continuity Plan

Plan for management of situations which areCatastrophicLong-lasting

A single such incident can put a company out of business (even if handled well)

Identify essential assets and functions

Incident Response Plan

Plan for management of security incidentsMay not be catastrophicMay not be long-lasting

Many incidents will have minor impact on operations

Risk Analysis

Risks closely related to threatsRisk analysis attempts to quantify

and measure problems associated with threats

Many approaches to risk analysis have been developed

Quantifying Risk

Risk probability How likely is the risk?

Risk impact How much do we lose?

Risk control Can the risk be avoided?

Risk Exposure

Probability of Risk X Risk Impact

Risk Impact – $100,000

Risk Probability – 0.5

Risk Exposure – $50,000

Risk Leverage

(Exposure Before – Exposure After)/Risk Control Cost

Original Risk Exposure – $ 50,000Cost of Control – $100Revised Risk Exposure – $20,000Risk Leverage – 300 (note: dimensionless)

Risk Analysis Steps

Identify assetsDetermine vulnerabilitiesEstimate likelihood of exploitationCompute expected annual lossSurvey applicable controls and their costsProject annual savings of control

Difficulties of Risk Analysis

Probabilities hard to estimateHistorical dataExpertsDelphi approach

Some costs hard to quantify

Risk Analysis Approaches

Many risk analysis approachesUsual common features:

Checklists Organizational matrices Specification of procedures

No dominant approach

Security Policy

A written document describing goals for and constraints on a system

Who can access what resources in what manner?

High level management documentShould not change often

Policy Considerations

Stakeholders (beneficiaries)UsersOwnersResources

Security Procedures/Guidelines

Describe how security policy will be implemented

More frequent changes than policy

Physical Security

Protection that does not involve the system as a system

Independent of Hardware Software Data

Possible Problems

Natural disasters Floods Fires

Power lossHuman vandalsInterception of sensitive information

Physical Security Controls

Backups

BackupsBackupsBackups!!!

Natural Disasters

Careful building designSystem placementFire extinguishers

Power Loss

Uninterruptible power supplySurge suppressor

Human Vandals

GuardsLocksAuthenticationReduced portabilityTheft detection

Information Interception

ShreddingOverwriting magnetic dataDegaussing

Destroy magnetic fields

Tempest Prevent or control magnetic emanations

Contingency Plans

BackupOffsite backupNetworked storageCold siteHot site