Stephen S. Yau, CSE 465-591, Fall 2006: IA Management


Page 1

IA Management

Stephen S. Yau, CSE 465-591, Fall 2006

Page 2

Why Need IA Management?

- IA is an integral part of sound management. Many managers tend to overlook or ignore IA since it is not directly related to their revenue in terms of selling products (services).
- Two basic factors matter when you compete with your competitors:
  - Value of your products (services) to customers
  - Cost of making them

Page 3

Why Need IA Management? (cont.)

- IA is not an end in itself, but it does provide a critical service and support function for the organization
- Try to minimize the cost due to information lost/misused -- as important as coming up with some brilliant ideas in product design
- IA management staff needs to persuade senior managers that IA "magic" comes with a price tag, but if handled properly, there is certainly a return
- Outsourcing is more and more popular, but needs to be carried out carefully since it may bring in more threats and vulnerabilities

Page 4

IA Management Personnel

- Information Systems Security Officer (ISSO): Responsible to the designated approving authority; ensures that the security of an information system is implemented through its design, development, operation, maintenance, and disposal stages.
- Operations Security (OPSEC) Manager: Responsible to the ISSO; prevents information about the organization's capabilities and/or intentions from becoming available to potential adversaries.
- System Manager: Responsible for the proper operation and management of classified and unclassified Automated Information Systems (AIS). Supervises system staff in implementing AIS security policies, and provides advice and support to the ISSO on AIS security issues.

Page 5

IA Management Personnel (cont.)

- Program or Functional Manager: Responsible for determining, in a coordinated effort with the system manager, which users have a verified need to access their applications. Responsible for informing the ISSO of any security incidents related to the application or the users of the application.
- Communications Security (COMSEC) Custodian: Responsible for the receipt, transfer, accounting, safeguarding and destruction of COMSEC material assigned to a COMSEC account.
- Telecommunications Officer: Responsible for the receipt, transfer, accounting and safeguarding of telecommunication processes in the organization.

Page 6

Challenges for IA Management

- Increasing complexity of systems, networks, and interconnectivity
- Profound reliance on information and information systems
- Ever-changing internal and external threats
- Competing demands
- Unavailable resources
- Decreasing assets
- Lack of experience
- Lack of available training
- Lukewarm support from management

Page 7

IA Management Tasks

IA managers and staff are responsible for:

- Managing resources: The security business is dynamic; the IA manager must use time and manpower effectively.
- Coordination: Communication is critical for the IA manager to successfully manage an IA program. The IA manager must be an effective communicator to facilitate coordination among the various offices, departments and personnel within the organization.
- Budgeting: Ideally, the IA manager will have a line item within the organization's annual budget in order to plan and execute the IA program. Outsourcing is more and more popular, but needs to be evaluated carefully before making any decision.

Page 8

IA Management Tasks (cont.)

- Selling the need: Senior management often views IA as an overhead expense. The IA manager needs to convey the idea that "security comes with a price tag" and sell senior managers on the merits of any resources invested in IA.
- Dispensing technical guidance: A written regulation, directive or policy can ensure consistency between a process and the standard operating procedure it implements.
- Dealing with legal issues: The IA manager should be familiar with applicable legal issues in order to know when it is appropriate and necessary to contact a law enforcement agency in the event of a security incident.

Page 9

Life-cycle Management

IA is involved in each stage of the system's life-cycle:

- Initiation: Determine how a required operational function can be accomplished in a secure manner
- Definition: The function of the system will determine the security requirements
- Design: Security requirements, including risk, cost and operations, must be integrated into the system design
- Acquisition: The IA manager must ensure that only reliable sources are used for software procurement
- Development: Security controls are built into the system

Page 10

Life-cycle Management (cont.)

- Implementation: The following tasks need to be done:
  - Risk management
  - C&A process: Certification and Accreditation
  - Approval to operate (ATO): Upon successful security evaluation of the system, the IA manager recommends to the appropriate designated accreditation authority (DAA) that an ATO or an Interim Approval to Operate (IATO) be granted. An IATO is a temporary approval pending an accreditation decision.
- Operation and Maintenance: Once the system has been turned on for operation, the security of the system must be scrutinized to verify that it continues to meet requirements.
- Destruction and Disposal: The IA manager must ensure that information processed and stored in the system is not inadvertently compromised because of improper destruction and disposal.

Page 11

Security Review and Testing

Security review and testing should be conducted throughout the system life-cycle:

- Incident, threat, and vulnerability data collection and review
- Testing of infrastructure, externally and internally
- Baseline establishment for future review

Page 12

Security Review and Testing (cont.)

Common steps:

- Review policies
- Develop a security matrix summarizing threats and protected assets
- Review security documentation
- Review audit capability and use
- Review security patches and updates
- Run analysis tools
- Correlate all information
- Develop a report
- Make recommendations to correct problems

Page 13

Identify Weaknesses in a System

- Vulnerability scanning: Scan for unused ports and uncontrolled, unauthorized software
- Discovery scanning: Inventory and classification of information on the OS and available ports; identify running applications to determine device function
- Workstation scanning: Make sure the standard software configuration is current with the latest security patches; locate uncontrolled or unauthorized software
- Server scanning: Make sure the software stored on servers is updated with the latest security patches; locate uncontrolled or unauthorized software
- Port scanning: Scan the various active ports used for communication (TCP/UDP)
  - Stealth scans: also called spoofed scans

Page 14

Identify Weaknesses in a System (cont.)

Issues with vulnerability testing:

- False positives: legitimate software using ports registered to other software
- Heavy traffic: adverse effect on WAN links, which may even disable slow links
- False negatives: exhausting resources on the scanning machine, so vulnerabilities are not properly identified
- System crash
- Unregistered port numbers: port numbers in use are not registered, so the software behind them cannot be identified
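To show how a reviewer can work through the false-positive and unregistered-port issues listed above before results go into the report, here is an added example (not part of the lecture, nor from the textbook it draws on) that triages constructed scan findings against a constructed subset of a port registry. The names REGISTRY, Finding, triage and needs_manual_review are chosen here, and all hosts, ports and banners are made up.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed subset of a port registry: (port, protocol) -> registered service
REGISTRY: Dict[Tuple[int, str], str] = {
    (22, "tcp"): "ssh",
    (80, "tcp"): "http",
    (443, "tcp"): "https",
    (3306, "tcp"): "mysql",
    (8080, "tcp"): "http-alt",
}

@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    proto: str
    banner_service: Optional[str]  # service named by the banner, if any

def triage(f: Finding) -> Tuple[str, str]:
    """Classify one scan finding; the category says how far to trust it.
    confirmed: banner agrees with registration. registered-unverified: no
    banner to confirm. possible-false-positive: banner names other software.
    unregistered-identified: port unregistered but banner names it.
    unregistered-unknown: nothing names it, only host inventory can."""
    registered = REGISTRY.get((f.port, f.proto))
    if registered is None:
        if f.banner_service:
            return "unregistered-identified", f"{f.banner_service} on {f.port}/{f.proto}"
        return "unregistered-unknown", f"{f.port}/{f.proto} not in registry, no banner"
    if f.banner_service is None:
        return "registered-unverified", f"assumed {registered}, no banner"
    if f.banner_service == registered:
        return "confirmed", registered
    return "possible-false-positive", f"registered {registered}, banner says {f.banner_service}"

def needs_manual_review(f: Finding) -> bool:
    """True for the categories a reviewer must verify by hand before reporting."""
    return triage(f)[0] in ("possible-false-positive", "unregistered-unknown", "registered-unverified")

# Constructed sample findings as a scanner might report them
SAMPLE = [
    Finding("10.0.0.5", 22, "tcp", "ssh"),
    Finding("10.0.0.5", 8080, "tcp", "jenkins"),  # legitimate app on http-alt port
    Finding("10.0.0.7", 3306, "tcp", None),
    Finding("10.0.0.7", 5055, "tcp", "backup-agent"),
    Finding("10.0.0.9", 45000, "udp", None),
]

if __name__ == "__main__":
    for f in SAMPLE:
        cat, note = triage(f)
        flag = "REVIEW" if needs_manual_review(f) else "ok"
        print(f"{f.host}:{f.port}/{f.proto:<3} {cat:<24} {note} [{flag}]")
```

The "unregistered-unknown" findings are exactly the ones the slide says a scanner cannot identify, which is why they are routed to host-side inventory rather than reported as vulnerabilities.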

Page 15

Security Awareness and Education

Understand how actions can greatly affect the overall security position of the organization.

Computer security awareness and education enhance security through the following:

- Making users aware of their security responsibilities and teaching them correct practices, helping to change behaviour
- Developing skills and knowledge
- Building in-depth knowledge to design, implement, or operate security programs

Page 16

Security Awareness & Education (cont.)

Often overlooked by proactive or reactive administration of security practices.

An effective program requires proper planning, implementation, maintenance, and periodic evaluation:

- Identify program scope, goals, and objectives
- Identify training staff
- Identify target audience
- Motivate management and employees
- Administer the program
- Maintain the program
- Evaluate the program

Page 17

Methods to Promote Awareness

- Management commitment is necessary
- Integrating awareness
- Periodic awareness sessions, direct, simple and clear, to orient new employees and refresh senior employees
- Live/interactive presentations through lectures, videos
- Publishing/distribution: posters, company newsletters
- Incentives: awards and recognition for security-related achievement
- Reminders

Page 18

Training

Training is different from awareness: it is often held in a specific classroom or through one-on-one training.

InfoSec examples:

- Security-related job training for operators and specific users
- Awareness training for specific departments or personnel groups with security-sensitive positions
- Technical security training for IT support personnel and system administrators
- Advanced InfoSec training for security practitioners and AIS auditors
- Security training for senior managers and functional managers

Page 19

Summary

IA Management within an organization should:

- Ensure that security is planned and developed into any prospective new system
- Certify that security features are performing properly before allowing the system to operate
- Approve and track configuration changes to the IA baseline, verifying that changes do not affect the terms of the system's accreditation
- Assess the status of security features and system vulnerabilities through manual and automated reviews
- Destroy and dispose of hardcopy printouts and nonvolatile storage media in a way that eliminates possible compromise of sensitive or classified data

Page 20

Summary (cont.)

- Keep system documentation current, reflecting patches, version upgrades, and other baseline changes
- Track hardware and software changes through a process that ensures changes are approved and tested before installation and operation; ensure that the IA manager or a representative is part of the approval process
- Control privileges and authority for modifying software
