Chief Information Officers Chief Information Officers (CIO) (CIO)

Information SecurityModule 9

Objectives of Module 9

To present and discuss the basic concepts and tools for security of information, data and IT infrastructure in the context of the E-Government Program of Iraq

Information Security Concept

Protecting Information Resources and Systems From

•Unauthorized Use and Access•Unauthorized Disclosure and Modification•Damage and Destruction

Sources of Likely Threat for Information Systems and Resources of the Government • Insiders for fun or revenge• Enemies of the Nation• Faults and Malfunction• Insiders and Outsiders for Profit• Acts of God

Possible Impact • System Not available• Privacy of Data violated• Information modified/ misused with consequential public and private loss• Systems /information Damaged and Destroyed • with consequential private and public loss.

ISO 27001 Code of Practice on Information Security Management•Information Security Policy•Organization of Information Security•Asset Management•Human Resources Security•Physical and Environmental Security•Communications & Operations Management•Access Control•Information Systems Acquisition, Development & Maintenance•Incident Management•Business Continuity Management•Compliance

Information Security Standards ISO27001PCI DSSBS 25999 (Business Continuity Management System)Other Standards

OCTAVE® (Operationally Critical Threat, Asset, and Vulnerability

Evaluations)

Suite of tools, techniques, and methods for risk-based information security strategic assessment and planning

Identify Your Adversaries

•Internet Hacker•Insider•Thief•Terrorist•Industrial Spy

Which are likely targets•Information Systems•Networks and IT Infrastructure•Servers/ Computers/ Devices•Databases and Information Repositories•Information Applications• Websites

Risk Assessment• The “Risk Equation”• Likelihood• Impact

Addressing Risk• Establish Policy• Implement Countermeasures• Maintain Vigilance

Vulnerability Driven Analysis•Search for known vulnerabilities•Tabulate and estimate severity•Determine what assets are affected•Assign impact value•Consider adversaries and their motivations•Assign likelihood•Tabulate and report

Risk Assessment and Management

The Risk Equation Impact x Likelihood= Risk

•Universal: Applies to all types of risk•Uniform: Enables comparison•Objective: Track over time

Measures the level of “pain” to the organization

Examples:•Financial: Loss or cost to repair•Operational: Lost time, production or delivery•Reputation: Loss of customer or consumer confidence• Competitive: Reduction of market advantage•Regulatory: Legal liability•Fiduciary: Fiduciary liability

Vulnerability Driven Analysis

1.Search for known vulnerabilities2.Tabulate and estimate severity3.Determine what assets are likely to be affected4.Assign impact value5.Consider adversaries and their motivations6.Assign likelihood7.Tabulate and report

Network and System VulnerabilitiesNetwork:• Unnecessary pathways• Unsecured data-streams

System:• Unhardened systems• Unprotected administrator logon• Exposed management interfaces

Asset Driven Analysis1.Inventory information assets2.Estimate impact3.Trace information back to technology4.Analyze for vulnerabilities5.Consider adversaries and their motivations6.Assignlikelihoods7.Tabulate and report

• Initiate Risk Assessment• Prioritize Security Areas Needing Attention – Pareto

Principle• Seek Input in Developing and Implementing a Campus

Unit Security Plan• Implement Security Plan• Annually Review Security Plan• Keep Up to Date with Security News

Information Security Roadmap

Security Provisions for BFB IS-3•Authentication & Authorization•Background Checks•Control Administrative Accounts•Data Backup/Retention/Storage and Transit Encryption•Disaster Recovery Plan•Incident Response/Notification Plan•Physical Security Controls & Media Controls

Policy Statements Most corporate policies must be translated to concrete statements

Major elements:•Information Classification•System Criticality•Operational Context

Information Classification

• Information classification streamlines policy statement and enforcement.

• CAVEAT: Over-classification leads to excessive cost and added Overhead.

• CAVEAT: Some collections of unclassified data become sensitive when aggregated.

Criticality

Criticality is a quality of operational systems.It depends upon the importance of a network system or application.Criticality motivates reliability measures.

Policy•Policy defines classification and rules for access/exchange

• Policy defines criticality.

•Policy hierarchy defines security services and quality of mechanisms.

Implement Countermeasures

Cost vs Risk

Level of Vigilance Vs Frequency of Attacks

Balance Security Activities

Security Plan Consider:• Future business needs• Changing threat -scape• Tolerance to residual risk

• Establish policy• Design security infrastructure• Develop security procedures

Execute Plan

• Implement according to design• Operate according to procedures• Continually improve

AppraiseAppraise the plan:• Does it meet the expected threats?• Will it protect business interests?• Are there flaws in the design?• Is policy adequate or overly burdensome?Appraise the execution:• Is the design implemented correctly?• Has the configuration changed?• Do procedures cover all events?• Are operators alert?

Disaster Management &

Business Continuity

What is a Disaster?

Any unplanned event that requires immediate redeployment of limited resources

Any unplanned event that requires immediate redeployment of limited resources

Natural Forces• Fire• Environmental Hazards• Flood / Water Damage• Extreme Weather

Technical Failure• Power Outage• Equipment Failure• Network Failure• Software Failure

Human Interference• Criminal Act• Human Error• Loss of Users• Explosions

Sample Disasters

What is a Disaster Recovery Plan?

A management document for how and when to utilize resources needed to maintain selected functions when disrupted by agreed upon incidents

A management document for how and when to utilize resources needed to maintain selected functions when disrupted by agreed upon incidents

• Business Continuity Plan• Contingency Plans• Continuity Plans• Emergency Response Plans• Business Recovery Plans• Recovery Plans

Other names commonly used:

AssessDamage

RestorePrimary

Site

PrepareNew Site

ConfirmResponseStrategy

ExecuteRequiredFunctions

Transfer &Execute atNew Site

Transfer toAlternateLocation

Incident

Return to Normal Operations

Transfer &Execute at

Primary Site

GenerateChange

Requests

Assess DRPEffectiveness

When an incident occurs, the Disaster Recovery response activities are likely to be the following (at a high level)

Disaster Recovery Response

• Regional Area• Local Area• Within 3 Blocks• To The Building• Within 3 Floors• On The Floor• Within The Room

What is the magnitude of an incident?

Depending upon the magnitude of an incident, possible alternative sites include:

• Within The Room• Within the Building• Within the Region• Outside the Region

Avoidance Strategy• Redundant configuration

to avoid incidents• Site harden facilities to r

esist incidents• Redundant utilities and

hardware• Automated operation re

covery plan

Mitigation Strategy• Early warning detection• Contractual agreements

with vendors• Mirrored data and docu

ments• Detailed migration recov

ery plan

Recovery Strategy• High level recovery plan• Off-site data storage• Very responsive vendor

relationships• Very knowledgeable em

ployees

Types of Strategy Options• Hot site• Cold site• Self Backup• Service Bureau• Reciprocal Agreement

Types of Strategies

What is a Critical Business Function? A specific entity management has decided is so significant to the business mission, that without it, the organization cannot successful

ly operate after an identified time period

A specific entity management has decided is so significant to the business mission, that without it, the organization cannot successful

ly operate after an identified time period

Financial Loss• Lost Revenue• Lost Sales• Lost Market Share• Lost Opportunity

Extra Expense• Labor Cost

—Recreate Lost Business

—Recreate Lost Data—Use Manual Process

• Equipment Cost—Hardware / softwar

e—Telephones

• Money Cost—Delayed Receivable—Delayed Orders—New Interest—New Investments

Human Interference• Management Control• Employee Relations• Stockholder Relations • Public Image• Legal Exposure• Contractual Liability• Competitive Advantage

Types of ImpactTypes of Impact

Timing Requirements• Minutes• Hours• Days• Weeks• Quarters• Special Situations

Interdependencies• Inputs and Outputs

Criteria for a Critical Business Function

Cost of Impact $

Impact

Cost

Cost of Control $

Cost of Control vs. Impact

PlanningThe primary objective for the Planning Phase is to gain management consensus on the focus areas and scope of a Disaster Recovery Plan that will address major business risks

Implementation

Scoping & Risk

Assessment

Planning

Recovery Strategy

Development

Disaster Recovery

PlanApproval

Training&

Testing

Implementation

The primary objective for the Implementation Phase is to develop, test, and rollout a Disaster Recovery plan. The implementation phase could be longer or shorter, depending upon scope, approach, and staffing defined during the Scoping and Risk Assessment phase

Disaster Recovery Approach

An Example of Disaster Recovery Team

AdministrativeSupport

Customer Liaison

System Softwareand Database

Administration

ComputerOperation andOff-site Storage

Network Delivery

ApplicationSupport

Services

Delivery

ProductionApplication

Disaster Recovery

CoordinatorSite Restoration

Disaster Recovery Director

DRP Management Team

DR Team Organization

Security

Example: Disaster Recovery ServicesEducation Classes

Creating a base of common knowledge for the business continuity/disaster recovery planning industry through education, assistance, and the promotion of international standards

On-Site Recovery Facilities

Manage the mobilization of an on-call response team, prepare pre-designated site, erect temporary pre-engineered structures, install mechanical and electrical systems and coordinate move-in activities