Business Technical Obligations

Technical Foundations of Information Security Series Vicente Aceituno @vaceituno (c)Inovement Europe 2014

Transcript of Business Technical Obligations

Page 1: Business Technical Obligations

Technical Foundations of Information Security Series

Vicente Aceituno @vaceituno

(c)Inovement Europe 2014

Page 2: Business Technical Obligations

Vicente Aceituno

[email protected] - Skype: vaceituno

Linkedin - linkedin.com/in/vaceituno

Inovement Europe - inovement.es

Video Blog - youtube.com/user/vaceituno

Blog - ism3.com

Twitter - twitter.com/vaceituno

Presentations - slideshare.net/vaceituno/presentations

Articles - slideshare.net/vaceituno/documents

Page 3: Business Technical Obligations

Foundations of Information Security Series

Needs: Secrecy, Intellectual Property you Own, Intellectual Property you Use, Privacy, Availability, Retention, Expiration, Quality

Obligations: Technical, Compliance, Legal

Page 4: Business Technical Obligations

What is Information Security?

“Information Security” is an emergent property of people using information.

People have expectations about information.

If there are no people or no information, "Information Security" is meaningless, as there are no expectations to meet.

Page 5: Business Technical Obligations

What is Information Security?

When expectations about information are met, there is “Security”.

When expectations about information are not met, there is an “Incident”.

Page 6: Business Technical Obligations

What is Information Security?

Some expectations are things people (or organizations) want to happen for their own reasons. These are Needs.

Some expectations are things people (or organizations) want to happen in order to meet technical, legal or standard compliance requirements. These are Obligations.

Page 7: Business Technical Obligations

Technical Obligations

Press Any Key to Continue

Page 8: Business Technical Obligations

Technical Obligations

Information systems based on the Von Neumann architecture have inherent technical limitations that lead to weaknesses. These weaknesses can be exploited, causing other, more important, expectations to go unmet. This is why organizations have the expectation that:

Information systems are kept free of weaknesses.

Information systems that must be visible from untrusted systems are as little visible as possible.

Information systems run trusted software only.

Electricity, temperature and humidity are kept within the limits necessary for the operation of information systems.

Page 9: Business Technical Obligations

Technical Obligations

Whether these expectations are met is independent of the observer.

Page 10: Business Technical Obligations

Technical related incidents

When an information system presents a weakness.

When an information system is visible from untrusted systems.

When an information system runs untrusted software.

When electricity, temperature or humidity are out of controlled limits.

Page 11: Business Technical Obligations

Achieving Technical Security

In order to achieve Technical Security, architecture, design, and specific software and appliances are normally used.

The related O-ISM3 processes are:

OSP-5: IT Managed Domain Patching

OSP-7: IT Managed Domain Hardening

OSP-8: Software Development Lifecycle Control

OSP-16: Segmentation and Filtering Management

OSP-17: Malware Protection Management

OSP-14: Physical Environment Protection Management

OSP-19: Internal Technical Audit

OSP-22: Alerts Monitoring

OSP-23: Internal Events Detection and Analysis
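The four expectations on the Technical Obligations slide, and the four matching incidents on the "Technical related incidents" slide, can be written as checks over a host record so that each unmet expectation is recorded as an incident. The Python below is an added example and is not part of the deck or of O-ISM3. The host record layout, the policy values (a 30-day patch window, 10.0.0.0/8 as the trusted network, the environmental limits), the SHA-256 allow-list and the mapping of each check to one of the processes listed above are assumptions made for illustration.

```python
"""Turn the deck's four technical expectations into checks that emit an
"incident" whenever an expectation is not met.

Added example, not part of the original deck or of O-ISM3. The host record
layout, the policy thresholds, the allow-list and the process mapping are
assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date
import hashlib
import ipaddress

# Assumed policy values (illustrative, not taken from the deck).
MAX_PATCH_AGE_DAYS = 30                       # an unapplied fix older than this is a weakness
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ENV_LIMITS = {                                # sensor: (low, high), inclusive
    "voltage_v": (207.0, 253.0),
    "temp_c": (18.0, 27.0),
    "humidity_pct": (20.0, 80.0),
}
# Trusted software is identified by the SHA-256 of the binary. These digests are
# computed over constructed placeholder contents standing in for real artefacts.
TRUSTED_SHA256 = {
    hashlib.sha256(b"sshd-9.6p1-release-build").hexdigest(),
    hashlib.sha256(b"nginx-1.26.0-release-build").hexdigest(),
}
AS_OF = date(2024, 3, 15)                     # assessment date used by the sample


@dataclass(frozen=True)
class Incident:
    kind: str      # weakness | visibility | untrusted_software | environment
    process: str   # O-ISM3 process that should have prevented it (assumed mapping)
    detail: str


@dataclass
class Host:
    name: str
    missing_patches: list          # [(patch_id, date the fix was published)]
    listeners: dict                # {port: ip_network the service accepts traffic from}
    required_untrusted_ports: set  # ports the business needs reachable from untrusted nets
    running: dict                  # {binary_path: sha256 hex of the running file}
    env: dict                      # {sensor_name: latest reading}


def _visible_from_untrusted(net):
    """True unless every address the service accepts from lies inside a trusted net."""
    return not any(t.version == net.version and net.subnet_of(t) for t in TRUSTED_NETS)


def technical_incidents(host, today):
    """Return one Incident per unmet technical expectation, in slide order."""
    found = []
    # 1. "Kept free of weaknesses": a published fix left unapplied past the patch window.
    for patch_id, published in host.missing_patches:
        age = (today - published).days
        if age > MAX_PATCH_AGE_DAYS:
            found.append(Incident("weakness", "OSP-5", f"{patch_id} unapplied for {age} days"))
    # 2. "As little visible as possible": a port reachable from untrusted networks that
    #    the business did not declare as needed is excess exposure.
    for port, src in host.listeners.items():
        if _visible_from_untrusted(src) and port not in host.required_untrusted_ports:
            found.append(Incident("visibility", "OSP-16", f"port {port} reachable from {src}"))
    # 3. "Trusted software only": a running binary whose digest is not on the allow-list.
    for path, digest in host.running.items():
        if digest not in TRUSTED_SHA256:
            found.append(Incident("untrusted_software", "OSP-17", f"{path} sha256={digest[:12]}"))
    # 4. Environment within controlled limits. A missing reading is also an incident:
    #    without an observation the expectation cannot be shown to be met.
    for sensor, (low, high) in ENV_LIMITS.items():
        reading = host.env.get(sensor)
        if reading is None or not (low <= reading <= high):
            found.append(Incident("environment", "OSP-14", f"{sensor}={reading} outside [{low}, {high}]"))
    return found


def sample_host():
    """Constructed host record (not real data) with one violation of each expectation."""
    return Host(
        name="web-01",
        missing_patches=[("KB-2024-0042", date(2024, 1, 5)),    # 70 days old: weakness
                         ("KB-2024-0101", date(2024, 3, 1))],   # 14 days old: within window
        listeners={22: ipaddress.ip_network("10.0.0.0/8"),      # trusted sources only
                   443: ipaddress.ip_network("0.0.0.0/0"),      # exposed, but required
                   8080: ipaddress.ip_network("0.0.0.0/0")},    # exposed and not required
        required_untrusted_ports={443},
        running={"/usr/sbin/sshd": hashlib.sha256(b"sshd-9.6p1-release-build").hexdigest(),
                 "/opt/tools/miner": hashlib.sha256(b"unknown-binary").hexdigest()},
        env={"voltage_v": 230.0, "temp_c": 24.5, "humidity_pct": 85.0},
    )


if __name__ == "__main__":
    for inc in technical_incidents(sample_host(), AS_OF):
        print(f"{inc.kind:20} {inc.process:7} {inc.detail}")
```

Each check is observer-independent in the sense the next slide describes: the result depends only on the host record and the policy values, not on who runs it. The process tag on each incident is the point of the mapping, since it names which of the processes listed above is the one that failed.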

Page 12: Business Technical Obligations

Technical Obligations

Press Any Key to Continue

Page 13: Business Technical Obligations

The O-ISM3 Challenge

This was an exercise designed to throw into sharp relief the inadequacy of traditional information security concepts.

Check the exercise in full at tiny.cc/indepth

A summary of conclusions from the exercise, in relation to Technical Obligations, follows.

Page 14: Business Technical Obligations

[Diagram from the exercise; labels: Secrecy, Business Needs, Intellectual Property, Privacy, Business Obligations, Availability, Retention, Quality, Expiration, Technical Obligations]

Page 15: Business Technical Obligations

Security and Technical Obligations

Security and Technical Obligations are not equivalent.

Technical Obligations and Security are not synonymous.

Technical Obligations are not useful for understanding Security.

Page 16: Business Technical Obligations
Page 17: Business Technical Obligations

Follow the Foundations of Information Security Series by joining the Linkedin O-ISM3 Group at: tiny.cc/osim3LG

Learn Advanced Information Security Management by joining us at an O-ISM3 Course: tiny.cc/osim3