Information Assurance Professional National Security Registration Board Version 2.6.

Transcript of Information Assurance Professional National Security Registration Board Version 2.6.

Page 1:

Information Assurance Professional

National Security Registration Board

Version 2.6

Page 2:

Course Goals

• This course presents the fundamental concepts of information assurance.

• It is designed to foster a mastery-level understanding of the IA process.

• The intention is to prepare a trained IA professional.

Page 3:

Course Application

• You learn how to tailor a practical information assurance architecture using this BOK.

• As well as how to deploy an appropriate set of flexible countermeasures.

Page 4:

Three Assumptions

• Three major assumptions underlie this course:

• Assumption One – Effective information security requires an integrated set of business and technological processes.

Page 5:

The Three Assumptions

• Assumption Two

• Effective information security programs must be deliberately designed and deployed organization-wide through a strategic planning process.

Page 6:

The Three Assumptions

• Assumption Three

• Information security programs are systematic.

• That is, they embody an appropriate set of persistent and interacting controls.

• These function seamlessly and as an integral element of the day-to-day operation of the business.

Page 7:

The Importance of Planning

• All three of these requirements must be satisfied for the solution to be correct.

• That condition is not arrived at by chance.

• It is always derived from a valid set of common best practices.

Page 8:

The IBOK

• The IBOK is a compendium, or body of knowledge, rather than a standard.

• It is an integration of three existing models into a single unified concept.

• The idea is that a harmonized set of recommendations is the most authoritative statement about best practice.

Page 9:

Best Practice Models

• There are at least three models that are used to guide that process:

– The Generally Accepted System Security Principles (GASSP), 1999

– ISO 17799 and BS 7799-2 (2002)

– COBIT (2006)

Page 10:

Best Practice Models

• Each of these embodies a fundamental set of principles derived from extensive “lessons learned”.

• Each of these provides a useful set of high-level control objectives, which can be tailored to any organizational need.

• And each has the potential to serve as the basis of an effective solution.

Page 11:

Best Practice Models

• The integrated model comprises the Information Security Body of Knowledge (IBOK).

• It also presents a standard implementation methodology for this BOK.

Page 12:

Course Assumptions

• Individuals who successfully complete this course can be assumed to be:

– Knowledgeable in the best practices for information assurance

– Competent to implement security systems that are capable of being accredited by the NSRB.

Page 13:

Text

• The following are required:

• Information Security Body of Knowledge – IBOK Open Standard 2.2, International Standards Institution of Governors, 2004

• Training Guideline, IBOK, National Standards Registration Board, 2003

Page 14:

Course Description

• You will learn how to

– Create an information security architecture

– Establish detailed control procedures within this framework

Page 15:

Course Description

– Systematically identify and monitor areas of vulnerability

– Assess the impact of threats as they are identified

– Deploy appropriate technological and managerial countermeasures

Page 16:

Course Objectives

• At the end of this course you will be able to

– Deploy an appropriate managerial and technical control framework

– Establish a correct information security control set within that framework

Page 17:

Course Objectives

• Conduct a capable threat identification

• Formulate a baseline defense-in-depth countermeasure set

Page 18:

Course Objectives

• Be able to value assets and justify the countermeasures based on that valuation

• Be able to deploy, assess and continuously maintain operational countermeasures

Page 19:

Course Agenda

3:00–3:30 – Module One: Principles of Information Security

3:30–4:00 – Module Two: The Information Assurance Process

4:00–4:45 – Module Three: The Implementation Process

4:45–5:00 – Initiate Project

5:00–5:30 – Prepare Solution

5:30–5:45 – Report Solution

5:45–6:00 – Questions and Lessons Learned

Page 20:

Module One

The Five Basic Goals of the Information Assurance Process

Page 21:

The Five Basic Goals of IA

• Information assurance ensures the:

– Availability

– Confidentiality

– Integrity

– Authentication

– Non-Repudiation of Origin

– of information

Page 22:

Definition: Confidentiality

• Confidentiality is the condition that ensures that information is not disclosed to unauthorized persons, processes or devices.

• This implies the requirement for such discrete functions as:

– information identification and labeling

– need-to-know procedures.

Page 23:

Definition: Integrity

• Integrity is the condition of assuring trust.

• Within the information security universe, integrity is specifically interpreted to mean:

– that a transmission will arrive at its destination in exactly the same form as it was sent.

Page 24:

Definition: Integrity

• That requires ensuring:

– the logical correctness and reliability of the operating system

– the logical completeness of the hardware and software entities

– the consistency of the data structures and the occurrences of the stored data.

Page 25:

Definition: Authentication

• Authentication is a security service designed to establish the validity of a transmission, message, or originator.

• It is also a means of verifying an individual’s authorizations to receive specific categories of information.

Page 26:

Definition: Authentication

• Authentication is designed to prevent false identities from being accepted.

• An individual, an organization, or a computer has to be able to prove its identity to be properly secured.

Page 27:

Definition: Authentication

• This also implies an authorization function.

• Authorization describes the system’s ability to regulate access to resources once the identity is verified.

Page 28:

Definition: Availability

• Availability implies the ability to provide authorized users with timely and reliable access to data and information services.

• It is characterized by best practices such as:

– back-up power

– continuous signal

– off-site recovery

Page 29:

Definition: Availability

• Availability also describes the overall goal of security management,

• which is to ensure the requisite level of trustworthiness in day-to-day operation.

Page 30:

Definition: Availability

• In reality, availability is a condition, rather than a specific security function.

• It is often traded off against purely security-related conditions, like confidentiality.

Page 31:

Definition: Availability

• Because availability ensures functioning…

• There might be a time when assuring availability outweighs procedures that are necessary to secure information.

Page 32:

Definition: Availability

• The judgment to sacrifice any of the other security services for the sake of enhanced availability is a risk mitigation decision,

• which is usually motivated by threats and vulnerabilities identified in the business case.

Page 33:

Definition: Non-Repudiation

• Non-repudiation provides the sender with proof of delivery (non-repudiation of receipt)

• AND

• as non-repudiation of origin, it underwrites the identity of the sender to the recipient.

Page 34:

Definition: Non-Repudiation

• As a result, neither party can later deny that the message was legitimately sent and received.

• Non-repudiation has ramifications for everything from purchases on eBay to modern battlefield orders.

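The integrity, authentication and non-repudiation definitions above are easy to blur in practice, so here is an added example (written for this page, not taken from the IBOK or the NSRB material) that shows the three services side by side in Go: a plain SHA-256 digest gives integrity only, an HMAC under a shared key adds authenticity for the two key holders but cannot give non-repudiation because either party could have produced the tag, and an Ed25519 signature pins the message to the sender's private key. The messages, the shared key and the helper names (`Digest`, `Tag`, `VerifyTag`, `NewSigner`, `Sign`, `VerifySig`) are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest provides integrity only: it detects a message that changed in transit, but anyone
// who can alter the message can recompute the digest, so it proves nothing about the sender.
func Digest(msg []byte) string {
	sum := sha256.Sum256(msg)
	return hex.EncodeToString(sum[:])
}

// Tag provides integrity plus authenticity to the parties sharing key (HMAC-SHA256): without
// the key a tag cannot be forged. It does not provide non-repudiation, because the recipient
// holds the same key and could have produced the tag itself.
func Tag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// VerifyTag compares in constant time so timing does not leak how many bytes matched.
func VerifyTag(key, msg, tag []byte) bool {
	return hmac.Equal(Tag(key, msg), tag)
}

// NewSigner generates an Ed25519 key pair; the private half stays with the sender.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // entropy failure is not recoverable in this example
	}
	return pub, priv
}

// Sign provides non-repudiation of origin: only the private-key holder can produce the
// signature, and anyone with the public key can verify it, so the sender cannot later deny
// having sent exactly this message.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

func VerifySig(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	// Constructed sample messages and key, not real data.
	order := []byte("MOVE unit 3 to grid 41-22 at 0600")
	altered := []byte("MOVE unit 3 to grid 41-27 at 0600")
	sharedKey := []byte("shared-secret-for-this-example-only")
	pub, priv := NewSigner()

	// Integrity: the digest changes, but an attacker could simply send a fresh digest too.
	fmt.Println("digest unchanged after alteration:", Digest(order) == Digest(altered))

	// Authenticity: the tag binds the message to the shared key...
	tag := Tag(sharedKey, order)
	fmt.Println("tag verifies original:", VerifyTag(sharedKey, order, tag))
	fmt.Println("tag verifies altered: ", VerifyTag(sharedKey, altered, tag))
	// ...but the recipient can mint a tag for any message, so the sender can still deny it.
	fmt.Println("recipient can forge tag:", VerifyTag(sharedKey, altered, Tag(sharedKey, altered)))

	// Non-repudiation of origin: only priv can sign, so a valid signature pins the sender.
	sig := Sign(priv, order)
	fmt.Println("signature verifies original:", VerifySig(pub, order, sig))
	fmt.Println("signature verifies altered: ", VerifySig(pub, altered, sig))
}
```

The practical point for the "battlefield orders" case on this slide: an HMAC is enough when the question is "did this come from someone holding our key and arrive unchanged?", but only a signature under a key that the sender alone controls supports a later dispute about who issued the order.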
Page 35:

Module One: Questions

1. What are the Five Elements of IA?

2. What does integrity ensure?

3. What is often traded off against availability?

4. What is the value of non-repudiation to businesses?

5. What does authentication require to work properly?

6. What is a risk mitigation decision?

7. What is non-repudiation based on?

8. What is availability characterized by?

9. What does need-to-know support?

10. What basic condition does offsite backup ensure?

Page 36:

Module Two

The Information Assurance Process

Page 37:

The Information Assurance Process

• Information assurance is a multifaceted process composed of fifteen elements and one critical capability.

• Each is a discrete function and each contributes differently to the overall purposes of securing information.

• These fifteen elements comprise a lifecycle.

Page 38:

The Information Assurance Process

• All fifteen function within that lifecycle to ensure an effective level of security.

• Each element plays its proper role at a logical place within the process.

Page 39:

The Information Assurance Process

• The outcome is adequate protection of all information assets.

• Adequate protection assumes the presence of all necessary safeguards!

Page 40:

Building a Holistic Solution

• Electronic assurance constitutes just one aspect of that protection.

• Full protection has to incorporate all of the organizational functions and human factors relevant to security.

Page 41:

Building a Holistic Solution

• The outcome must constitute a holistic response.

• In essence the response must integrate:

– All of the assurance measures

– To protect all information

– At all times

Page 42:

The Fifteen Principles

• The IBOK integrates a common body of knowledge.

• That BOK itemizes fifteen aspects of security (and one critical process).

Page 43:

The Fifteen Principles

• Each must be addressed in order for a security solution to be complete.

• These are arrayed in the lifecycle model demonstrated on the next set of slides.

Page 44:

IA Lifecycle – Lifecycle Scope (diagram): The Information Resource is described by Asset Identification AND evaluated by a Risk Assessment.

Page 45:

IA Lifecycle – Management (diagram): Security Policy defines the Security Infrastructure, which enforces Access Control, which is maintained by Security of Operations. A further connector, “which is shaped by … and …”, links Security Discipline and Ethical Conduct into this chain.

Page 46:

IA Lifecycle – Countermeasures (diagram): Continuity, Compliance, Process Assurance, Physical Security, Personnel Security, NETSEC, Software Assurance and Crypto, grouped under three headings: Technical Countermeasures, Management Countermeasures and Process Countermeasures.

Page 47:

Principle One: Asset Identification

• The form of the information resource has to be understood in order to properly secure it.

• Thus, everything that is part of that resource has to be identified, labeled and placed in a documented asset baseline.

• It is also necessary to establish a system for controlling changes to that baseline.

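What "a documented asset baseline" with "a system for controlling changes to that baseline" looks like in code, as an added example written for this page (not the IBOK's or the NSRB's own tooling): each asset carries an identifier, an owner, a classification label and a content fingerprint; an observed inventory is reconciled against the approved baseline, and any difference that no approved change request explains is reported as a finding. The asset names, labels, change-request format and the `Reconcile` function are assumptions of this example, and the inventories are constructed inline rather than read from real hosts.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Asset is one entry in the documented baseline: identified, labeled and fingerprinted.
type Asset struct {
	ID             string // stable identifier, here host:path (assumption for this example)
	Owner          string
	Classification string // label from the organization's labeling scheme
	Fingerprint    string // SHA-256 of the asset's content or configuration
}

// Baseline is the approved state of the asset base, keyed by asset ID.
type Baseline map[string]Asset

// Change is an approved change request: the asset and its expected new fingerprint
// ("" means an approved removal).
type Change struct {
	AssetID        string
	NewFingerprint string
}

// Finding is a difference between observed and baseline state that no approved change explains.
type Finding struct {
	AssetID string
	Kind    string // "unapproved-modification", "unapproved-addition", "unapproved-removal"
}

// Fingerprint hashes the content that represents the asset's state.
func Fingerprint(content string) string {
	sum := sha256.Sum256([]byte(content))
	return hex.EncodeToString(sum[:])
}

// Reconcile compares the observed inventory with the baseline. Differences covered by an
// approved change are expected; everything else is returned as a finding, sorted by asset ID.
func Reconcile(base, observed Baseline, approved []Change) []Finding {
	allowed := map[string]string{}
	for _, c := range approved {
		allowed[c.AssetID] = c.NewFingerprint
	}
	var out []Finding
	for id, b := range base {
		o, present := observed[id]
		switch {
		case !present: // asset disappeared: fine only if its removal was approved
			if fp, ok := allowed[id]; !ok || fp != "" {
				out = append(out, Finding{id, "unapproved-removal"})
			}
		case o.Fingerprint != b.Fingerprint: // content changed: fine only if this exact state was approved
			if fp, ok := allowed[id]; !ok || fp != o.Fingerprint {
				out = append(out, Finding{id, "unapproved-modification"})
			}
		}
	}
	for id, o := range observed {
		if _, known := base[id]; known {
			continue
		}
		if fp, ok := allowed[id]; !ok || fp != o.Fingerprint { // new asset nobody approved
			out = append(out, Finding{id, "unapproved-addition"})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].AssetID < out[j].AssetID })
	return out
}

// Constructed sample data, not from any real system.
func SampleBaseline() Baseline {
	return Baseline{
		"db01:/etc/pg/pg_hba.conf":     {"db01:/etc/pg/pg_hba.conf", "dba", "CONFIDENTIAL", Fingerprint("host all all 10.0.0.0/8 md5")},
		"db01:/etc/pg/postgresql.conf": {"db01:/etc/pg/postgresql.conf", "dba", "INTERNAL", Fingerprint("max_connections = 100")},
		"web01:/etc/nginx/nginx.conf":  {"web01:/etc/nginx/nginx.conf", "ops", "INTERNAL", Fingerprint("worker_processes 4;")},
		"web01:/srv/app/app.bin":       {"web01:/srv/app/app.bin", "dev", "INTERNAL", Fingerprint("build-1041")},
		"web01:/srv/app/legacy.jar":    {"web01:/srv/app/legacy.jar", "dev", "INTERNAL", Fingerprint("legacy-2.3")},
	}
}

func SampleObserved() Baseline {
	return Baseline{
		"db01:/etc/pg/pg_hba.conf":    {"db01:/etc/pg/pg_hba.conf", "dba", "CONFIDENTIAL", Fingerprint("host all all 0.0.0.0/0 trust")},
		"web01:/etc/nginx/nginx.conf": {"web01:/etc/nginx/nginx.conf", "ops", "INTERNAL", Fingerprint("worker_processes 8;")},
		"web01:/srv/app/app.bin":      {"web01:/srv/app/app.bin", "dev", "INTERNAL", Fingerprint("build-1042")},
		"web01:/srv/app/debug.sh":     {"web01:/srv/app/debug.sh", "", "", Fingerprint("#!/bin/sh\nnc -l 4444")},
	}
}

func SampleApproved() []Change {
	return []Change{
		{"web01:/srv/app/app.bin", Fingerprint("build-1042")}, // approved release
		{"web01:/srv/app/legacy.jar", ""},                      // approved decommission
	}
}

func main() {
	for _, f := range Reconcile(SampleBaseline(), SampleObserved(), SampleApproved()) {
		fmt.Printf("%-24s %s\n", f.Kind, f.AssetID)
	}
}
```

Running it reports the pg_hba.conf and nginx.conf modifications, the silent loss of postgresql.conf and the new debug.sh as findings, while the approved app.bin upgrade and the approved legacy.jar removal produce nothing; the same reconciliation is what keeps the baseline trustworthy between formal reviews.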
Page 48:

Principle Two: Risk Assessment

• Risk assessment defines the form of the security response.

• Current operations as well as prospective ones are systematically evaluated using risk assessment.

• The goal is to identify potential threats, vulnerabilities and weaknesses within the asset base.

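Both this principle and the course objective on Page 18 (value assets and justify countermeasures on that valuation) come down to comparing what a threat is expected to cost against what the control costs. The following is an added example for this page, not the IBOK's or the NSRB's own method: it uses the standard annualized loss expectancy arithmetic (ALE = asset value × exposure factor × annual rate of occurrence) to rank candidate countermeasures by net benefit and to drop any whose annual cost exceeds the risk they remove. The scenarios, dollar figures, rates and the `Justify` function are constructed assumptions.

```go
package main

import (
	"fmt"
	"sort"
)

// Scenario is one threat acting on one asset. All values are constructed for this example.
type Scenario struct {
	Asset          string
	Threat         string
	AssetValue     float64 // impact value of the asset, from asset valuation
	ExposureFactor float64 // fraction of AssetValue lost per occurrence, 0..1
	AnnualRate     float64 // expected occurrences per year (ARO)
}

// Countermeasure changes the rate or the exposure of one scenario, at an annual cost.
type Countermeasure struct {
	Name        string
	Scenario    int // index into the scenario list
	AnnualCost  float64
	NewRate     float64 // ARO after the control is in place
	NewExposure float64 // exposure factor after the control is in place
}

// ALE is the annualized loss expectancy: single loss expectancy (value × exposure) × ARO.
func ALE(s Scenario) float64 { return s.AssetValue * s.ExposureFactor * s.AnnualRate }

type Recommendation struct {
	Name       string
	ALEBefore  float64
	ALEAfter   float64
	NetBenefit float64 // (ALEBefore - ALEAfter) - AnnualCost
}

// Justify keeps only the countermeasures whose annual risk reduction exceeds their annual cost,
// ordered by net benefit, which is the valuation-based justification the course objective asks for.
func Justify(scen []Scenario, cands []Countermeasure) []Recommendation {
	var recs []Recommendation
	for _, c := range cands {
		s := scen[c.Scenario]
		before := ALE(s)
		after := s.AssetValue * c.NewExposure * c.NewRate
		net := (before - after) - c.AnnualCost
		if net > 0 {
			recs = append(recs, Recommendation{c.Name, before, after, net})
		}
	}
	sort.Slice(recs, func(i, j int) bool { return recs[i].NetBenefit > recs[j].NetBenefit })
	return recs
}

// Constructed sample scenarios, not from any real assessment.
func SampleScenarios() []Scenario {
	return []Scenario{
		{"customer database", "ransomware", 2_000_000, 0.5, 0.2},
		{"public web server", "defacement", 50_000, 0.3, 2},
		{"laptop fleet", "theft", 300_000, 0.1, 3},
	}
}

func SampleCountermeasures() []Countermeasure {
	return []Countermeasure{
		{"offline backups and restore drills", 0, 40_000, 0.2, 0.1},
		{"EDR on servers", 0, 60_000, 0.05, 0.5},
		{"web application firewall", 1, 25_000, 0.5, 0.3}, // costs more than the risk it removes
		{"full-disk encryption on laptops", 2, 15_000, 3, 0.01},
	}
}

func main() {
	scen := SampleScenarios()
	for _, s := range scen {
		fmt.Printf("%-18s %-11s ALE=%9.0f\n", s.Asset, s.Threat, ALE(s))
	}
	for _, r := range Justify(scen, SampleCountermeasures()) {
		fmt.Printf("%-36s before=%8.0f after=%7.0f net=%8.0f\n", r.Name, r.ALEBefore, r.ALEAfter, r.NetBenefit)
	}
}
```

The web application firewall drops out not because it is a bad control but because, at these constructed numbers, it costs more per year than the defacement risk it removes; a different valuation of the web server, or a regulatory requirement handled under Principle Eight, would change that verdict.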
Page 49:

Principle Three: Security Policy

• Then the organization establishes uniform policies to guide the assurance process.

• These policies are the basis for the solution.

• The outcome is a rational set of guidelines for information assurance.

Page 50:

Principle Four: Infrastructure

• The procedural infrastructure is a tangible realization of security policy.

• The organization has to design and enforce a logical and consistent set of procedures.

• These must be directly traceable to the policies they implement.

Page 51:

Principle Five: Access Control

• One of the chief purposes of any security scheme is regulating access.

• This principle specifies the need for an operational structure to enable that.

• Its aim is to grant access to legitimate users while preventing unauthorized persons from gaining access to protected information.

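The confidentiality definition in Module One (Page 22) names information labeling and need-to-know as the discrete functions behind confidentiality, and this principle is the operational structure that applies them. As an added example for this page (not IBOK or NSRB code), the Go program below makes an access decision from a labeled object and an already-authenticated subject: a read is permitted only if the subject's clearance level is at least the object's level (no read up) and the subject holds every compartment on the object (need-to-know), and every decision carries a reason so it can be audited. The level names, the compartment name `CRYPTO`, the subjects, the objects and the `CanRead` function are assumptions of this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Ordered sensitivity levels. The names are assumptions for this example.
const (
	Unclassified = iota
	Confidential
	Secret
	TopSecret
)

var levelName = map[int]string{
	Unclassified: "UNCLASSIFIED", Confidential: "CONFIDENTIAL", Secret: "SECRET", TopSecret: "TOP SECRET",
}

// Label is the sensitivity label attached to an information object when it is identified and
// labeled. Compartments express need-to-know: a reader must hold every compartment on the object.
type Label struct {
	Level        int
	Compartments map[string]bool
}

// Subject is a principal whose identity has already been authenticated; Clearance is what it is
// authorized to see. Authorization follows identity verification, as the Page 27 slide notes.
type Subject struct {
	ID        string
	Clearance Label
}

// Decision carries the reason as well as the verdict so every access decision can be audited.
type Decision struct {
	Allowed bool
	Reason  string
}

func comps(names ...string) map[string]bool {
	m := map[string]bool{}
	for _, n := range names {
		m[n] = true
	}
	return m
}

// CanRead grants a read only if the subject's clearance level is at least the object's level
// (no read up) and the subject holds every compartment on the object (need-to-know).
func CanRead(s Subject, obj string, l Label) Decision {
	if s.Clearance.Level < l.Level {
		return Decision{false, fmt.Sprintf("%s: clearance %s is below %s", obj, levelName[s.Clearance.Level], levelName[l.Level])}
	}
	var missing []string
	for c := range l.Compartments {
		if !s.Clearance.Compartments[c] {
			missing = append(missing, c)
		}
	}
	if len(missing) > 0 {
		sort.Strings(missing) // deterministic reason text for the audit record
		return Decision{false, fmt.Sprintf("%s: no need-to-know for %v", obj, missing)}
	}
	return Decision{true, obj + ": read permitted"}
}

func main() {
	// Constructed subjects and objects, not from any real system.
	analyst := Subject{"alice", Label{Secret, comps("CRYPTO")}}
	admin := Subject{"bob", Label{TopSecret, comps()}} // higher clearance, but no CRYPTO need-to-know
	objects := []struct {
		Name  string
		Label Label
	}{
		{"policy.pdf", Label{Unclassified, comps()}},
		{"ops-plan.doc", Label{Secret, comps("CRYPTO")}},
		{"key-schedule.txt", Label{TopSecret, comps("CRYPTO")}},
	}
	for _, s := range []Subject{analyst, admin} {
		for _, o := range objects {
			d := CanRead(s, o.Name, o.Label)
			fmt.Printf("%-5s %-17s allowed=%-5v %s\n", s.ID, o.Name, d.Allowed, d.Reason)
		}
	}
}
```

The case worth noticing is bob: a higher clearance alone does not open the CRYPTO-compartmented plan, which is exactly the distinction between clearance and need-to-know that the confidentiality definition draws.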
Page 52:

Principle Six: Security of Operation

• This involves continuous enforcement of routine security procedures.

• At its essence this revolves around the incident response capability.

• It also entails procedures to prevent vital information from being used by an adversary (operations security, OPSEC).

Page 53:

Principle Seven: Continuity

• This details a comprehensive strategy to ensure business continuity.

• It defines explicit practices to ensure that the business continues to operate if its information is lost or harmed.

• It also establishes the explicit disaster planning and recovery capability.

Page 54:

Principle Eight: Compliance

• This principle ensures that a comprehensive mechanism is in place to ensure compliance.

• It guarantees that the stipulations of all contracts and regulations are obeyed.

• It ensures that due diligence is exercised in meeting all legal requirements.

Page 55:

Principle Nine: Physical Security

• The purpose of physical security is to control tangible information and IT assets.

• It establishes an asset management process and a realistic physical protection scheme.

• It involves standard operating practices to ensure the integrity of all workspaces and physical resources within a secure boundary.

Page 56:

Principle Ten: Personnel Security

• This involves comprehensive procedures to assure worker compliance with security policy.

• It is based around employee screening and the assignment of roles and responsibilities.

• It also monitors the security activities of all employees.

Page 57:

Principle Eleven: Process Security

• This focuses on the development lifecycle.

• It contains methods to ensure security is embedded in all development work.

• It makes certain that security functionality is baked into all products during development.

Page 58:

Principle Twelve: Network Security

• This secures network access to electronic assets.

• It establishes both network access control and network monitoring.

Page 59:

Principle Twelve: Network Security

• This is a classic purpose of information assurance.

• It identifies users, authenticates, authorizes and controls access.

• It also includes elements necessary to ensure the development of secure network architectures.

Page 60:

Principle Thirteen: Software Assurance

• This principle ensures continuing integrity of all application and system software.

• That includes installing software and also analyzing and reporting on its performance.

• It ensures secure operation of all software within the operational environment and resolution of anomalies and conflicts.

Page 61: Information Assurance Professional National Security Registration Board Version 2.6.

Principle Fourteen: Security Principle Fourteen: Security DisciplineDiscipline

• Discipline is human centered. Discipline is human centered.

• It ensures that policies and procedures are It ensures that policies and procedures are understood and adhered to in a disciplined way. understood and adhered to in a disciplined way.

• Its purpose is to establish awareness and Its purpose is to establish awareness and motivation and enforce disciplinemotivation and enforce discipline..

Page 62: Information Assurance Professional National Security Registration Board Version 2.6.

Principle Fifteen: EthicsPrinciple Fifteen: Ethics

• This principle delineates a comprehensive code of This principle delineates a comprehensive code of defined ethical practices. defined ethical practices.

• This code accurately reflects community norms This code accurately reflects community norms with respect to ethical behavior with respect to ethical behavior

• It serves as a basis for the rules of conduct as It serves as a basis for the rules of conduct as well as personal accountability. well as personal accountability.

Page 63: Information Assurance Professional National Security Registration Board Version 2.6.

Critical Supporting Process: Critical Supporting Process: CryptologyCryptology

• Cryptology is not a principle as much as it is the Cryptology is not a principle as much as it is the basis for secure message transferbasis for secure message transfer

• It is not a principle because it isn’t at the same It is not a principle because it isn’t at the same level as the others in the IBOKlevel as the others in the IBOK

• It is a necessary foundation requirement to It is a necessary foundation requirement to secure electronic transmission.secure electronic transmission.

Page 64: Information Assurance Professional National Security Registration Board Version 2.6.

Critical Supporting Process: Critical Supporting Process: CryptologyCryptology

• It is a very large topic area because it includes so It is a very large topic area because it includes so many technical aspects many technical aspects

• It entails the technical requirements for It entails the technical requirements for translating plaintext into encrypted translating plaintext into encrypted transmissions. transmissions.

• It also dictates the encryption methods and key It also dictates the encryption methods and key structures that underlie that process. structures that underlie that process.

Page 65: Information Assurance Professional National Security Registration Board Version 2.6.

Application of the PrinciplesApplication of the Principles

• Each principle acts to secure the specific Each principle acts to secure the specific aspect that it is meant to assureaspect that it is meant to assure

• The integrated set forms a mutually The integrated set forms a mutually supporting system that provides the desired supporting system that provides the desired level of assurance. level of assurance.

Page 66: Information Assurance Professional National Security Registration Board Version 2.6.

Application of the PrinciplesApplication of the Principles

• All information assurance processes All information assurance processes embody an established collection of embody an established collection of common components, common components,

• Which are designed to work together to Which are designed to work together to produce an optimum solution. produce an optimum solution.

• The overall solution can be understood in The overall solution can be understood in terms of those components and their terms of those components and their logical interactions. logical interactions.

Page 67: Information Assurance Professional National Security Registration Board Version 2.6.

Application of the PrinciplesApplication of the Principles

• Moreover, they also represent an implicit Moreover, they also represent an implicit structure for the process. structure for the process.

• This structure has a lifecycle orientation. This structure has a lifecycle orientation.

Page 68: Information Assurance Professional National Security Registration Board Version 2.6.

Institutionalization Factors

Establishment

Means

Oversight

Enforcement

Page 69: Information Assurance Professional National Security Registration Board Version 2.6.

Overview

• Institutionalization factors can be used to determine if these 15 principles and one critical function have been properly established.

• Processes must meet the following common criteria in order to be judged as effectively practiced.

Page 70: Information Assurance Professional National Security Registration Board Version 2.6.

Establishment

• The organization must document its commitment to each principle. Criteria for judging this are:

– Explicit designation of a manager responsible for controlling ongoing operation

– The placement of the manager in a position of authority sufficient to enforce decisions

– The continuous maintenance of that position in the organizational decision making structure

Page 71: Information Assurance Professional National Security Registration Board Version 2.6.

Means

• Qualified employees must be provided… Criteria for judging this are:

– The necessary staff and resources are identifiably designated and deployed

– It is possible to document that staff are competent to perform their assigned roles

– The deployment of staff resources is explicitly traceable to individual principles.

Page 72: Information Assurance Professional National Security Registration Board Version 2.6.

Oversight

• The organization must provide an objective means to monitor the fulfillment of the purposes of each principle. Criteria for doing this are:

– Development and use of formal measures of performance

– Use of analytic methods to support decision making

– The designation and adherence to formal reporting lines and follow-up procedures.

Page 73: Information Assurance Professional National Security Registration Board Version 2.6.

Enforcement

• The organization must assure that each principle is adhered to. Criteria for judging this include:

– Designation of a person accountable for enforcement

– Regularly scheduled internal audit, or review of the principle for compliance

– Defined procedures for corrective action.

Page 74: Information Assurance Professional National Security Registration Board Version 2.6.

Module Two Review

1. Why is cryptology included among the principles?
2. How do policy and infrastructure relate?
3. Why does information assurance have a lifecycle?
4. Why is asset identification the first step?
5. Why are there three areas of countermeasure?
6. How do security discipline and operation security relate?
7. What is the role of ethics in policy formulation?
8. How do continuity and operations security relate?
9. Why is software assurance important to security?
10. What is the role of compliance in security?

Page 75: Information Assurance Professional National Security Registration Board Version 2.6.

Module Three

Implementing the Security Response

Page 76: Information Assurance Professional National Security Registration Board Version 2.6.

Implementation Overview

• Security involves identifying, prioritizing and managing a response to every plausible threat to the organization’s information assets.

• This countermeasure deployment function is not a one-shot “front-end” to the establishment of a static security solution.

• It is a constant and organized probing of the environment to sense the presence of, and respond appropriately to, any potential sources of harm to the organization’s information assets.

Page 77: Information Assurance Professional National Security Registration Board Version 2.6.

Implementation Overview

• As a consequence, the first step in formulating a correct security response is threat identification.

• That amounts to the identification of ANY threats in the organization’s technical or operating base that might lead to the loss of ANY information, of ANY value.

• And then the deployment of an effective set of controls to alleviate each vulnerability identified.

Page 78: Information Assurance Professional National Security Registration Board Version 2.6.

Model of the Implementation Process (diagram; box labels as extracted): Asset Baseline Formulation and Control; Model Selection and Gap Analysis; Formulation and Baselining of the Control Set; Asset Valuation and Resource Tradeoff; Information Gathering and Chartering; Assessment of Control Coverage and Effectiveness; Refinement and Finalization of Control Set.

Page 79: Information Assurance Professional National Security Registration Board Version 2.6.

Implementation Overview

• The activities above the red line are termed the “Threat Identification and Response” phase.

• This part of the process drives the resource allocation decisions as well as the development and refinement of the optimum set of controls.

Page 80: Information Assurance Professional National Security Registration Board Version 2.6.

Implementation Overview

• The activities below the red line are aimed at the definition of the tangible information security system.

• We are going to discuss each of these boxes in turn in detail.

Page 81: Information Assurance Professional National Security Registration Board Version 2.6.

Threat Identification

• Threat identification and response is composed of four elements:

– Information Gathering and Chartering

– Asset Baseline Formulation

– Model Selection and Gap Analysis

– Asset Valuation and Tradeoff.

Page 82: Information Assurance Professional National Security Registration Board Version 2.6.

Threat Identification

• The aim of these four activities is to achieve an understanding of the security response that is appropriate to the precise situation

• And which fits within the constraints of the organization.

• Properly executed, it is conducted in the background of day-to-day organizational functioning.

Page 83: Information Assurance Professional National Security Registration Board Version 2.6.

Threat Identification

• In practice, it employs methods and tools to identify, analyze, plan for, and control any potentially harmful or undesirable event.

• It should be noted that while the overall aim of the threat identification and response process is to prevent or minimize the impact of security losses at the business level of the organization,

• Technical risks are also managed, since they often constitute the root cause for business breaches or losses.

Page 84: Information Assurance Professional National Security Registration Board Version 2.6.

Threat Identification

• Threat identification and response approaches must establish a disciplined environment for proactive decision-making.

• They should regularly assess what could go wrong and then determine the approach and timing by which each potential threat will be countered.

• This all takes place within the constraints of practical business considerations such as resources available and time.

Page 85: Information Assurance Professional National Security Registration Board Version 2.6.

Threat Identification

• The last part of this process is an important issue in the implementation of a realistic solution, since it is highly likely that more risks will be identified than can possibly be responded to.

• So it is important to at least address the ones that pose the most potential harm to the corporation.

Page 86: Information Assurance Professional National Security Registration Board Version 2.6.

Threat Identification

• Finally, we want to stress that the form of the process as well as the scope of the solution is dictated by the type of security desired.

• Consequently the substance of the identification, analysis, planning and control elements and activities required is going to vary.

• As we progress through this guideline it is also important to keep in mind that although the form of the process is generic, the actual considerations vary with the focus and intent of the organization.

Page 87: Information Assurance Professional National Security Registration Board Version 2.6.

Information Gathering and Chartering

• Operationally, the right set of organizational representatives formulates the requirements of the security system into a statement of need,

• Which is then documented and authorized by the appropriate executive decision makers and published to the business at large.

Page 88: Information Assurance Professional National Security Registration Board Version 2.6.

Information Gathering and Chartering

• The only purpose of this phase is to serve as a launch pad for the decision-making regarding the specific security model utilized next.

• So logically, this element should generally define both the scope and extent of the desired solution.

Page 89: Information Assurance Professional National Security Registration Board Version 2.6.

Information Gathering and Chartering

• In practice, this stage is probably the least substantive aspect of any implementation project, in the sense that it does not really touch on any of the details of the actual protection scheme.

• Nonetheless, it might be the single likeliest point of failure.

• That is because everything that will happen downstream originates from this one point.

Page 90: Information Assurance Professional National Security Registration Board Version 2.6.

Information Gathering and Chartering

• As a consequence, it is important for everybody who will have anything to do with the system to understand and agree on the type and degree of protection at the beginning of the process.

• In effect this agreement should accomplish two critical purposes.

• From a functional system standpoint it has to ensure that the problem is properly targeted.

Page 91: Information Assurance Professional National Security Registration Board Version 2.6.

Information Gathering and Chartering

• More importantly, it should also support the education and buy-in of the people who are actually going to be actively involved in formulating the system.

• That is because it is well documented that the long-term success of any solution is directly dependent on the level of support for the process.

• This is not an inconsequential exercise, and it can be resource intensive.

Page 92: Information Assurance Professional National Security Registration Board Version 2.6.

Information Gathering and Chartering

• The execution of this process is generally based on the generic systems analysis approaches that have populated the organizational development body of knowledge for the past fifty years.

• There are numerous recognized ways of actually conducting this.

• However, there is only one absolute requirement, which is that the eventual outcome has to be sponsored at the highest levels of the company.

Page 93: Information Assurance Professional National Security Registration Board Version 2.6.

Information Gathering and Chartering

• There have been a number of studies to support the idea that the ownership of security should be at the level of the Board of Directors or CEO (the best of these are summarized in DTI, 2002).

• Notwithstanding that, the literature is unanimous in stressing that effective information assurance solutions have to be thoroughly embedded in the organization, and that requires across-the-board acceptance,

• which can only be enforced through executive sponsorship.

Page 94: Information Assurance Professional National Security Registration Board Version 2.6.

Information Gathering and Chartering

• One final point also must be stressed, which is that the information gathering function should not degenerate into a detailed technical problem solving process.

• The only objective of this first stage is to define the general form of the problem for the purpose of determining an explicit strategic direction.

Page 95: Information Assurance Professional National Security Registration Board Version 2.6.

Information Gathering and Chartering

• There are many reasons why a complete framework solution may not be appropriate, ranging from a lack of resources all the way to knowledge of a specific targeted need.

• These must all be identified, brought forward and agreed on in order to choose a proper scope and appropriate model for the eventual response.

Page 96: Information Assurance Professional National Security Registration Board Version 2.6.

Information Gathering and Chartering

• Since the players are usually busy executives, they are never interested in the details, only in the assurance that the correct target will be hit.

• As such the first phase has to be conducted with that single goal in mind.

• Once the direction is chosen, the form of the rest of the process is dependent on the model selected, and that activity constitutes the rest of this stage.

Page 97: Information Assurance Professional National Security Registration Board Version 2.6.

Information Gathering and Chartering

• The selection of an appropriate model is crucial,

• Since the only way that the protection scheme will work is if the model it is based on fits the organization’s security needs.

• The final point that we need to make before we leave this section, however, is that there is no one model for information protection.

Page 98: Information Assurance Professional National Security Registration Board Version 2.6.

Information Gathering and Chartering

• The only rule is that whatever is selected should fit the exact requirements of the situation.

• This is both an intelligent design process as well as a political one.

• As such, the outcomes of the information gathering process must be rigorously adhered to in order to guide that decision-making process.

Page 99: Information Assurance Professional National Security Registration Board Version 2.6.

Information Gathering and Chartering

• And the eventual model selected should always meet the requirements that have been “bought into” by the whole organization through the chartering process.

• Since the next phase of the process starts the tactical implementation of the security solution, this initial stage is the point where the strategy is set.

Page 100: Information Assurance Professional National Security Registration Board Version 2.6.

Asset Baseline Formulation Asset Baseline Formulation

• This second stage is probably the least commonly This second stage is probably the least commonly understood in that with most protection schemes the understood in that with most protection schemes the form of the assets to be protected is known. form of the assets to be protected is known.

• As the user knows, in the case of information security As the user knows, in the case of information security the asset base is an abstract constructthe asset base is an abstract construct, which , which could legitimately have many forms. could legitimately have many forms.

  • As such, before protection schemes can be devised As such, before protection schemes can be devised

the boundaries and material form of the assetthe boundaries and material form of the asset

must be characterizedmust be characterized. .

Page 101: Information Assurance Professional National Security Registration Board Version 2.6.

Asset Baseline Formulation Asset Baseline Formulation

• That involves gathering all of the pertinent That involves gathering all of the pertinent information necessary to information necessary to define the complete define the complete form of the assets that will be protectedform of the assets that will be protected. .

• Which involves the meticulous Which involves the meticulous identification and identification and labelinglabeling of every item under control of the security of every item under control of the security system. system.

– This is not a trivial exerciseThis is not a trivial exercise. .   • It is a prerequisite for subsequent assessment of risk It is a prerequisite for subsequent assessment of risk

because it establishes the because it establishes the "day one" state of the "day one" state of the organization’s total set of information assetsorganization’s total set of information assets. .

Page 102: Information Assurance Professional National Security Registration Board Version 2.6.

Asset Baseline Formulation Asset Baseline Formulation

• In practice, the aggregate set of assets is termed a "baseline".

• The individual components that constitute this baseline must be explicitly identified and labeled as part of the asset identification process.

• A precisely defined information asset baseline is an absolute prerequisite for the conduct of the rest of the process, since it is this explicit configuration that is maintained by the security system.

Page 103: Information Assurance Professional National Security Registration Board Version 2.6.

Asset Baseline Formulation Asset Baseline Formulation

• Because it is a tangible structure, the classification and tagging of the asset elements that constitute it is usually based on their logical interrelationships with each other.

• This is maintained as a hierarchy of elements that ranges from a view of the information asset as a single entity down to the explicit items that constitute that resource.

• The baseline scheme that emerges at the lowest level of decomposition represents the concrete architecture of the target information asset.

Page 104: Information Assurance Professional National Security Registration Board Version 2.6.

Asset Baseline Formulation Asset Baseline Formulation

• The decisions that determine what this asset base looks like are normally made using the input of a number of different participants.

• These could range from the technical staff all the way up to the executive owners of a given information item.

• The items defined at any level in the hierarchy are given unique and appropriate labels that are explicitly associated with the overall organization of the information asset itself.

Page 105: Information Assurance Professional National Security Registration Board Version 2.6.

Asset Baseline Formulation Asset Baseline Formulation

• That is, these labels designate and relate the position of any given item in the overall "family tree" of the asset base.

• Once established, the formal information asset baseline is kept in a "ledger", which is fully accounted for and maintained throughout the lifecycle of the security system.

• Since security systems are evolutionary, formal procedures also have to be put in place to systematically manage the inevitable changes to the form of the information asset baseline.

Page 106: Information Assurance Professional National Security Registration Board Version 2.6.

Asset Baseline Formulation Asset Baseline Formulation

• In the real world most corporate information asset baselines are maintained in an electronic ledger, which is generically termed a "Baseline Management Ledger", or BML.

• Changes at any level in the basic structure of the information asset baseline are maintained at all relevant levels in that ledger and must correctly and accurately reflect the changed status of the actual information item.

Page 107: Information Assurance Professional National Security Registration Board Version 2.6.

Figure: Generic Change Management. Diagram elements: Notification/Request for Change; Information Asset Baseline Manager; Authorization by Appropriate Decision Maker; Verification of Change; Implementation of Change; Baseline Management Ledger.

Page 108: Information Assurance Professional National Security Registration Board Version 2.6.

Asset Baseline Formulation Asset Baseline Formulation

• If this is not done in a systematic and disciplined fashion, the painfully constructed understanding of the form of the information asset will move out of the organization's grasp,

• leaving it securing things that don't exist and not securing things that do.

• Baseline management would be a time-consuming task if it were not for commercial utilities that do this record keeping automatically.
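The ledger and change procedure described on pages 103 to 108, as an added example that is not part of the course material and not any real BML product: dotted labels place each item in the asset "family tree", a change passes through request, authorization, implementation and verification, every change is recorded at the item and at all levels above it, and a reconcile step catches the "securing things that don't exist" failure. All asset names are constructed.

```python
"""Added example (not the course's own tool): a minimal Baseline Management
Ledger (BML) with hierarchical labels, controlled change and reconciliation.
Names and the verify callback are constructed stand-ins."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass
class Asset:
    label: str            # e.g. "org.crm.customer_db"; dots encode the hierarchy
    description: str
    status: str = "active"


@dataclass
class ChangeRequest:
    label: str
    new_status: str
    requested_by: str
    authorized_by: Optional[str] = None   # set by the appropriate decision maker
    verified: bool = False


class BaselineLedger:
    def __init__(self) -> None:
        self.assets: dict[str, Asset] = {}
        self.history: list[tuple[str, str]] = []   # (label, event)

    # --- identification and labeling ---
    def register(self, asset: Asset) -> None:
        parent = asset.label.rpartition(".")[0]
        if parent and parent not in self.assets:
            raise KeyError(f"parent {parent!r} is not in the baseline")
        if asset.label in self.assets:
            raise ValueError(f"label {asset.label!r} is not unique")
        self.assets[asset.label] = asset
        self.history.append((asset.label, "registered"))

    def ancestors(self, label: str) -> list[str]:
        parts = label.split(".")
        return [".".join(parts[:i]) for i in range(len(parts) - 1, 0, -1)]

    def children(self, label: str) -> list[str]:
        return sorted(l for l in self.assets if l.startswith(label + "."))

    # --- change management ---
    def authorize(self, cr: ChangeRequest, decision_maker: str) -> None:
        cr.authorized_by = decision_maker
        self.history.append((cr.label, f"authorized by {decision_maker}"))

    def implement(self, cr: ChangeRequest, verify: Callable[[Asset], bool]) -> bool:
        """Apply an authorized change, then verify the ledger matches reality."""
        if cr.authorized_by is None:
            raise PermissionError(f"{cr.label}: change not authorized")
        asset = self.assets[cr.label]
        if cr.new_status == "retired" and any(
                self.assets[c].status != "retired" for c in self.children(cr.label)):
            raise ValueError(f"{cr.label}: retire its child items first")
        previous, asset.status = asset.status, cr.new_status
        cr.verified = verify(asset)
        if not cr.verified:
            asset.status = previous   # the ledger must not claim an unreal state
            self.history.append((cr.label, "verification failed; rolled back"))
            return False
        for level in [cr.label, *self.ancestors(cr.label)]:   # all relevant levels
            self.history.append((level, f"{cr.label} -> {cr.new_status}"))
        return True

    # --- keeping the ledger honest ---
    def reconcile(self, inventory: Iterable[str]) -> tuple[set[str], set[str]]:
        """(phantom, untracked): items secured on paper that no longer exist,
        and real items the ledger does not know about."""
        real = set(inventory)
        tracked = {l for l, a in self.assets.items() if a.status == "active"}
        return tracked - real, real - tracked


def demo() -> dict:
    """Constructed walk-through on a three-level baseline."""
    bml = BaselineLedger()
    for label, desc in [("org", "enterprise"), ("org.crm", "CRM system"),
                        ("org.crm.customer_db", "customer records"),
                        ("org.crm.web", "CRM web front end")]:
        bml.register(Asset(label, desc))
    cr = ChangeRequest("org.crm.web", "retired", requested_by="ops")
    try:
        bml.implement(cr, verify=lambda a: True)   # refused: not yet authorized
    except PermissionError:
        pass
    bml.authorize(cr, "crm_owner")
    ok = bml.implement(cr, verify=lambda a: True)
    phantom, untracked = bml.reconcile(
        ["org", "org.crm", "org.crm.customer_db", "org.crm.reporting"])
    return {"ok": ok, "phantom": phantom, "untracked": untracked,
            "levels_logged": [l for l, e in bml.history if e.endswith("retired")]}
```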

Page 109: Information Assurance Professional National Security Registration Board Version 2.6.

Model Selection and Risk Model Selection and Risk Assessment Assessment

• Once the asset baseline is established, the next step is usually termed "risk assessment".

• It is in reality a gap analysis conducted against a model of correct practice, and the literature is full of methodologies for carrying out that task.

• These can be divided into two types: those that are based on a commonly accepted standard model and those that are based on a set of unique criteria.

Page 110: Information Assurance Professional National Security Registration Board Version 2.6.

Model Selection and Risk Model Selection and Risk Assessment Assessment

• Whatever the approach, the actual execution always starts at the model, which implies the importance of selecting an appropriate standard as the benchmark.

• Thus the first step in the gap analysis is to gather enough information about the situation to select the right model.

• By necessity this activity must be guided by and referenced to the project charter obtained in the first phase of this process.

Page 111: Information Assurance Professional National Security Registration Board Version 2.6.

Model Selection and Risk Model Selection and Risk Assessment Assessment

• The other essential piece is the asset baseline definitions formulated in the prior phase.

• Using these two factors for guidance, it should be possible to find the appropriate model.

• Essentially the participants in the selection process decide what must be protected and what type of solution is appropriate to those implicit requirements.

Page 112: Information Assurance Professional National Security Registration Board Version 2.6.

Model Selection and Risk Model Selection and Risk Assessment Assessment

• The requirement for a gap analysis is common across all models of information security.

• That is, a gap analysis is always done the same way for the same purpose no matter what.

• In professional settings the gap analysis is usually called a "risk assessment".

• That is because the point of the activity is to identify RISKS created by gaps in operating procedures.

Page 113: Information Assurance Professional National Security Registration Board Version 2.6.

Model Selection and Risk Model Selection and Risk Assessment Assessment

• This risk assessment activity is arguably the most important element in formulation of a proper security response because it

– identifies the potential threats

– assesses the harm that might ensue from each

– analyzes and categorizes options for response.

• Operationally this process is carried out by comparing the form of the current operation to the comprehensive set of ideal best practice requirements specified in the framework model.

Page 114: Information Assurance Professional National Security Registration Board Version 2.6.

Model Selection and Risk Model Selection and Risk Assessment Assessment

• This is done to identify the gaps that exist.

• These gaps represent the vulnerabilities and weaknesses that must be addressed by new procedures.

• Since a particular threat may not necessarily have much impact for a given situation, once the risk exposures are all identified they are assessed to distinguish only those that would create specific and undesirable vulnerabilities.

Page 115: Information Assurance Professional National Security Registration Board Version 2.6.

Model Selection and Risk Model Selection and Risk Assessment Assessment

• Next, these vulnerabilities are carefully analyzed with respect to the particular organizational situation in order to identify the specific weaknesses that the security system needs to target directly.

• These weaknesses are prioritized so that the ones with the most critical impacts are dealt with first.

Page 116: Information Assurance Professional National Security Registration Board Version 2.6.

Model Selection and Risk Model Selection and Risk Assessment Assessment

• The process can best be described by looking at it from the standpoint of the documentation that is utilized to carry it out.

• In fact the tangible documentation set is so important that it is generally the only thing that an auditor uses to verify that a selected model has been implemented properly.

Page 117: Information Assurance Professional National Security Registration Board Version 2.6.

 

Figure: Elements of the Gap Analysis. Diagram elements: IBOK Control Objectives; Explicit Set of Identified Vulnerabilities and Weaknesses; Outcomes - Degree of Conformance to Control Objectives; Operational Charter for Security System.

Page 118: Information Assurance Professional National Security Registration Board Version 2.6.

Model Selection and Risk Model Selection and Risk Assessment Assessment

• The first of these are the inputs to the assessment process.

• These inputs represent the set of ideal best practices that are itemized in the IBOK and their concomitant controls.

– That ideal is used as the point of reference for the ensuing assessment.

• The organization describes its degree of conformance with the relevant benchmark criteria selected from the IBOK model to document this.

Page 119: Information Assurance Professional National Security Registration Board Version 2.6.

Model Selection and Risk Model Selection and Risk Assessment Assessment

• The box in the center represents the detailed assessment outcomes that the organization will obtain as a consequence of this comparison.

• As we said earlier, the point is to explicitly characterize the level of compliance between a particular operation and the ideal specified in the IBOK.

Page 120: Information Assurance Professional National Security Registration Board Version 2.6.

Model Selection and Risk Model Selection and Risk Assessment Assessment

• Finally, the documentation produced is a precise statement of the vulnerabilities that the identified areas of non-compliance represent.

• This documentation will drive the activity in subsequent stages, where the organization will make decisions about the actions that must be taken to address each identified weakness,

• as well as how it will document the security system for the purposes of management oversight and audit.
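The gap analysis of pages 112 to 120 carried out in code, as an added example that is not part of the course: the model's control objectives are the input, the organization's observed level against each is compared to the benchmark to give a degree of conformance, and the resulting gaps are filtered to those with real impact for this organization and ordered most critical first. The "IBOK" objectives, levels and impact ratings are constructed placeholders, not real IBOK content.

```python
"""Added example (not the course's own material): gap analysis against a
model of correct practice. Objectives, levels and impacts are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlObjective:
    ident: str          # placeholder id, not a real IBOK reference
    statement: str
    required: int       # benchmark level (1-4) the model expects, never 0


# Input 1: the ideal, itemized from the model (constructed stand-in for IBOK)
MODEL = [
    ControlObjective("CO-1", "Information assets are inventoried and labeled", 4),
    ControlObjective("CO-2", "Changes to the baseline are authorized and verified", 3),
    ControlObjective("CO-3", "Access to customer records is restricted by role", 4),
    ControlObjective("CO-4", "Visitor badges are issued at reception", 2),
]

# Input 2: the organization's statement of where it actually stands (constructed)
OBSERVED = {"CO-1": 4, "CO-2": 1, "CO-3": 2, "CO-4": 1}

# Impact on this particular organization if the gap is exploited, 1-5 (constructed)
IMPACT = {"CO-1": 4, "CO-2": 3, "CO-3": 5, "CO-4": 1}


def degree_of_conformance(model, observed):
    """Outcome document: per-objective and overall conformance (0.0-1.0).
    Observed levels above the benchmark count as full conformance, not extra."""
    attained = {co.ident: min(observed.get(co.ident, 0), co.required) for co in model}
    per = {co.ident: attained[co.ident] / co.required for co in model}
    overall = sum(attained.values()) / sum(co.required for co in model)
    return per, round(overall, 3)


def identify_weaknesses(model, observed, impact, min_impact=2):
    """Every non-conformance is a gap; only those with real impact for this
    organization are kept as weaknesses, ordered most critical first."""
    gaps = [(co, co.required - observed.get(co.ident, 0)) for co in model]
    weaknesses = [
        {"id": co.ident, "gap": g, "impact": impact[co.ident],
         "statement": co.statement}
        for co, g in gaps if g > 0 and impact[co.ident] >= min_impact]
    # most critical impact first; larger gap breaks ties
    weaknesses.sort(key=lambda w: (w["impact"], w["gap"]), reverse=True)
    return weaknesses


if __name__ == "__main__":
    per, overall = degree_of_conformance(MODEL, OBSERVED)
    print("overall conformance:", overall)
    for w in identify_weaknesses(MODEL, OBSERVED, IMPACT):
        print(w["id"], "impact", w["impact"], "gap", w["gap"], "-", w["statement"])
```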

Page 121: Information Assurance Professional National Security Registration Board Version 2.6.

Asset Valuation and Tradeoff Asset Valuation and Tradeoff

• The product of this phase is a concrete security strategy.

• The input is derived from the outcomes of the prior three stages.

• The boundary-setting element is particularly important to this consideration, since there is a direct relationship between the resources required to establish a specified security level and the extent of the territory that must be secured.

Page 122: Information Assurance Professional National Security Registration Board Version 2.6.

Asset Valuation and Tradeoff Asset Valuation and Tradeoff

• Operational factors that enter into the development of this strategy include…

– What is the level of criticality of each particular information asset that falls into the asset baseline?

– What is the specific degree of resource commitment required to assure it?

• Thus the most important aspect of this might lie in the simple valuation of the assets themselves.

Page 123: Information Assurance Professional National Security Registration Board Version 2.6.

Asset Valuation and Tradeoff Asset Valuation and Tradeoff

• This is the case because in the real world there are never enough resources to absolutely secure every element of the information asset baseline.

• And since that baseline is overwhelmingly composed of abstract entities, the value of that asset base is also abstract, meaning not known.

• Therefore it is essential for each organization to adopt a uniform methodology to systematically value and prioritize its information assets so that the most important assets are targeted first.

Page 124: Information Assurance Professional National Security Registration Board Version 2.6.

Asset Valuation and Tradeoff Asset Valuation and Tradeoff

• As a consequence it is our assumption that the critical success factors are defined at the business level,

• and any form of operational asset valuation must be rooted in and reflect the vision, strategies and purposes of that part of the organization.

• There are numerous ways of going about asset valuation.

Page 125: Information Assurance Professional National Security Registration Board Version 2.6.

Asset Valuation and Tradeoff Asset Valuation and Tradeoff

• The training manual uses the Balanced Scorecard approach simply because it is arguably one of the easiest and most popular of these.

• Using a tailored scorecard the organization can assign a quantitative value to each of the identified items entered in the security baseline.

• And it can confidently allocate a security priority to it based on its relative value, as determined by the data obtained through one (or all) of these relevant categories.

Page 126: Information Assurance Professional National Security Registration Board Version 2.6.

Asset Valuation and Tradeoff Asset Valuation and Tradeoff

• The benefit of this approach is that the organization will know with certainty which item to secure and in what order.

• In addition it will have demonstrated that due diligence was done in making that determination.

• The best part of this approach is that as data is collected and refined over time the organization is able to increase its valuation effectiveness, and thus sharpen its control over its asset base.

Page 127: Information Assurance Professional National Security Registration Board Version 2.6.

Asset Valuation and Tradeoff Asset Valuation and Tradeoff

• The process that ensues is a political one; however, it is necessary.

• That is the actual tradeoff process that is the fundamental element of strategic planning.

• This is not a scientific activity, although with precisely targeted information decision makers can move ahead with some assurance that they are basing their strategies on the realities of the situation.

Page 128: Information Assurance Professional National Security Registration Board Version 2.6.

Asset Valuation and Tradeoff Asset Valuation and Tradeoff

• The assumption is that the actual deployment of the security function will meet the requirements of the organization's security charter.

• That decision-making is based on

– knowledge of the financial, equipment and personnel resources available to implement the desired level of security

– the pressing business concerns and the relative value of the asset.

Page 129: Information Assurance Professional National Security Registration Board Version 2.6.

Asset Valuation and Tradeoff Asset Valuation and Tradeoff

• It is driven by the model that will be used to implement the actual security solution.

• However, the point is to have a clear fix on the asset base so that the particulars of the deployment can be planned with precision.

• This should be both tangibly documented and publicized to the organization at large.

• This also effectively concludes the threat identification and response phase of the formal information security protection process.

Page 130: Information Assurance Professional National Security Registration Board Version 2.6.

Control Selection Control Selection

• The next step in this process is the actual selection and validation of the control set.

• Since this is model specific, we are going to focus the discussion in terms of the generic steps required.

Page 131: Information Assurance Professional National Security Registration Board Version 2.6.

Control SelectionControl Selection

• This phase involves tailoring, deploying and validating an appropriate control set.

• This is almost always based on some sort of standard model of correct practice.

• And that is 99.9% of the time the same model employed to do the gap analysis…

– although that is not absolutely required.

Page 132: Information Assurance Professional National Security Registration Board Version 2.6.

Control SelectionControl Selection

• The outcome is unique in the sense that the deployment is determined by the situation.

• However, there are elements that must be carried out no matter which model is selected:

– Assignment of controls to a security baseline

– Assessment of the effectiveness of those controls

– The formulation of the final control set into a security system.

Page 133: Information Assurance Professional National Security Registration Board Version 2.6.

Formulating the Control Set Formulating the Control Set

• The necessary security controls are deployed once the information asset baseline has been established and prioritized.

• This requires an item-by-item assessment of the information resource baseline in order to design and formalize the appropriate control set.

• Nonetheless, in order to devise the appropriate and correct set of control procedures it is necessary to return to the risk analysis to better understand the nature of the threat.

Page 134: Information Assurance Professional National Security Registration Board Version 2.6.

Formulating the Control Set Formulating the Control Set

• Basically, threats can be characterized as physical or logical, from internal or external sources.

• Thus the analysis considers the safeguards or controls that are necessary to suitably address any and all anticipated threats.

Page 135: Information Assurance Professional National Security Registration Board Version 2.6.

Formulating the Control Set Formulating the Control Set

• That includes steps to detect a threat as close as possible to the time that it occurs (threat response),

• and a procedure to ensure that it will be either attended to by subsequent corrective action, or that the loss that may arise from it will be effectively contained.

Page 136: Information Assurance Professional National Security Registration Board Version 2.6.

Formulating the Control Set Formulating the Control Set

• Since adverse impacts of threats also inevitably fall into the financial arena, it is important to consider the applicable ROI issues.

• One obvious example is that it ought to be known whether the cost of the control (on an annual basis) would be less than any anticipated (dollar) losses.

Page 137: Information Assurance Professional National Security Registration Board Version 2.6.

Formulating the Control Set Formulating the Control Set

• Another consideration is the frequency with which the threat occurs.

• If the historical rate of occurrence is high, then even a low ROI (per incident) item could prove to be a good investment.

Page 138: Information Assurance Professional National Security Registration Board Version 2.6.

Formulating the Control Set Formulating the Control Set

• The other issue is the PROBABILITY that a threat might occur.

• Probability should never be confused with frequency.

• In essence the question has to be asked what the probabilities are that harm might ensue if it DOES occur.

Page 139: Information Assurance Professional National Security Registration Board Version 2.6.

Formulating the Control Set Formulating the Control Set

• For instance, burglars might very infrequently visit your house, but when they DO the likelihood is high that they will take something.

• Thus these two related factors have to be balanced with each other when doing a threat assessment.

Page 140: Information Assurance Professional National Security Registration Board Version 2.6.

Formulating the Control Set

• In essence, the question that has to be answered for a particular control is how likely it is that a given occurrence will produce mischief.

• That is because in reality some threats may occur many times within a year, especially those associated with unintentional actions of users or employees.

Page 141: Information Assurance Professional National Security Registration Board Version 2.6.

Formulating the Control Set

• Finally, it must be recognized that there is always an uncertainty in all of these cases that dictates that baseline control formulation should always be an iterative function.

• Basically, uncertainty can be estimated as a level of confidence, from zero to 100 percent, on any control.

Page 142: Information Assurance Professional National Security Registration Board Version 2.6.

Formulating the Control Set

• What this expresses is the necessity, or usefulness, of the associated control (e.g., this should be considered to be 91% necessary).

• It should be noted that the failure to integrate uncertainty factors into the risk analysis will reduce the overall level of trust in the effectiveness of the resultant control baseline.
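The four factors the preceding slides name (annual control cost, frequency of occurrence, probability that harm ensues, and uncertainty as a confidence level) can be combined into a single cost-versus-loss test. The following is an added illustration, not material from the course; the threat and control figures are constructed, and the multiplicative model is an assumption chosen to show how a low per-incident return can still justify a control when the frequency is high.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    annual_frequency: float   # historical occurrences per year (frequency)
    harm_probability: float   # chance that harm ensues GIVEN an occurrence (probability)
    loss_if_harmed: float     # dollar loss when harm does ensue


@dataclass
class Control:
    name: str
    annual_cost: float
    loss_reduction: float     # fraction of the loss the control is expected to prevent (0..1)
    confidence: float         # uncertainty expressed as a confidence level, 0.0..1.0 (0.91 = 91%)


def anticipated_annual_loss(t: Threat) -> float:
    # Frequency and probability are distinct factors; balancing them means multiplying
    # how often the threat occurs by how likely harm is when it does.
    return t.annual_frequency * t.harm_probability * t.loss_if_harmed


def per_incident_benefit(t: Threat, c: Control) -> float:
    # Expected loss avoided by the control for a single occurrence of the threat.
    return t.harm_probability * t.loss_if_harmed * c.loss_reduction * c.confidence


def annual_benefit(t: Threat, c: Control) -> float:
    # Per-incident value scaled by frequency: a low per-incident return can still
    # pay for itself when the historical rate of occurrence is high.
    return t.annual_frequency * per_incident_benefit(t, c)


def control_is_justified(t: Threat, c: Control) -> bool:
    # The slide's test: the control's annual cost must be less than the
    # confidence-weighted annual loss it is anticipated to prevent.
    return c.annual_cost < annual_benefit(t, c)


# Constructed sample data, not from the course material.
BURGLARY = Threat("burglary", annual_frequency=0.1, harm_probability=0.9, loss_if_harmed=20_000)
PHISHING = Threat("phishing email", annual_frequency=50, harm_probability=0.02, loss_if_harmed=5_000)
LOCK_UPGRADE = Control("high-security locks", annual_cost=1_200, loss_reduction=0.5, confidence=0.9)
AWARENESS = Control("user awareness training", annual_cost=3_000, loss_reduction=0.8, confidence=0.91)

if __name__ == "__main__":
    for threat, control in ((BURGLARY, LOCK_UPGRADE), (PHISHING, AWARENESS)):
        print(f"{control.name} vs {threat.name}: per incident ${per_incident_benefit(threat, control):.2f}, "
              f"annual ${annual_benefit(threat, control):.2f}, justified={control_is_justified(threat, control)}")
```

The lock upgrade has a large per-incident value but a low annual one because burglaries are rare, while the training has a small per-incident value that is multiplied by fifty occurrences a year.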

Page 143: Information Assurance Professional National Security Registration Board Version 2.6.

Assessment of Control Coverage

• It is necessary to validate the selected control set in order to assure its effectiveness as well as confirm the accuracy of the defensive scheme.

• This always takes place after it is operationally deployed.

• That is, it is formulated into an active baseline and placed under effective baseline control.

Page 144: Information Assurance Professional National Security Registration Board Version 2.6.

Assessment of Control Coverage

• From an IT management standpoint this activity is a standard beta test function, in the sense that the essence of the process is the ongoing comparison of expected performance with the actual result of executing the process.

Page 145: Information Assurance Professional National Security Registration Board Version 2.6.

Assessment of Control Coverage

• The assessment process is planned, implemented and monitored in the same fashion as any other testing activity.

• It normally embodies the criteria and factors considered during the threat analysis and baseline formulation process, but operational issues can be added at this point as well.

• The intention is to be able to say with assurance that the aggregate control set is effective given the aims of the protection scheme.

Page 146: Information Assurance Professional National Security Registration Board Version 2.6.

Assessment of Control Coverage

• Operationally, this should be done within a specified time-frame as well as a defined reporting and decision-making structure.

• Because the overall purpose of this step is to produce a finalized baseline, the organization must treat it exactly like a project, in the sense that the outcome of the process is a fully functioning security control set.

Page 147: Information Assurance Professional National Security Registration Board Version 2.6.

Assessment of Control Coverage

• Once the project purposes and timelines are set, generally speaking each control must have a set of performance assessment criteria assigned.

• The purpose of this is to underwrite precise monitoring of the effectiveness of each component of the security baseline.

• Therefore these criteria must be both measurable and able to be recorded.

Page 148: Information Assurance Professional National Security Registration Board Version 2.6.

Assessment of Control Coverage

• Then, on execution of the process, the outcomes associated with each control are recorded.

• The organization uses the ongoing outcomes of the operational use of the control to assess its effectiveness.

• This assessment is based on the performance criteria set for that particular control as well as the assumptions about cost and occurrence that were part of the baseline formulation process.
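The beta-test step described on the last three slides (measurable, recordable criteria per control; outcomes recorded during operational use; assessment against both the criteria and the cost and occurrence assumptions from baseline formulation; aggregation into a verdict on the whole baseline) can be written down as a small assessment routine. This is an added example, not course material; the control names, metrics, thresholds and recorded values are constructed, and treating a criterion as an upper limit on a metric is an assumption made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Criterion:          # measurable and recordable: the metric must stay <= limit
    metric: str
    limit: float


@dataclass
class Assumptions:        # cost and occurrence assumptions carried over from baseline formulation
    annual_occurrences: float
    annual_cost: float


@dataclass
class ControlUnderTest:
    name: str
    criteria: list
    assumptions: Assumptions
    outcomes: list = field(default_factory=list)   # one {metric: value} dict per occurrence
    cost_to_date: float = 0.0
    period_years: float = 1.0                      # the specified test time-frame


def record_outcome(control, **metrics):
    # Outcomes are recorded as they arise during operational use of the control.
    control.outcomes.append(dict(metrics))


def assess_control(control):
    """Compare recorded outcomes with the criteria and with the baseline assumptions."""
    met = {}
    for crit in control.criteria:
        values = [o[crit.metric] for o in control.outcomes if crit.metric in o]
        met[crit.metric] = bool(values) and max(values) <= crit.limit   # no data: not met
    observed_rate = len(control.outcomes) / control.period_years
    assumptions_held = (observed_rate <= control.assumptions.annual_occurrences
                        and control.cost_to_date <= control.assumptions.annual_cost)
    # "effective" is the expected-versus-actual comparison; a failed assumption
    # means the baseline formulation itself needs another iteration.
    return {"control": control.name, "effective": all(met.values()),
            "criteria_met": met, "assumptions_held": assumptions_held}


def assess_baseline(controls):
    # Aggregate the per-control results into a verdict on the whole control set.
    results = [assess_control(c) for c in controls]
    return {"effective": all(r["effective"] for r in results), "controls": results}


def sample_baseline():
    # Constructed sample data, not from the course material.
    training = ControlUnderTest("user awareness training", [Criterion("click_rate_pct", 5.0)], Assumptions(4, 3_000))
    for rate in (4.1, 3.8, 2.9, 3.5):   # four simulated phishing rounds in the period
        record_outcome(training, click_rate_pct=rate)
    training.cost_to_date = 2_800
    patching = ControlUnderTest("monthly patch cycle", [Criterion("days_to_patch", 30)], Assumptions(12, 6_000))
    for days in (21, 28, 45):           # one cycle overran the 30-day criterion
        record_outcome(patching, days_to_patch=days)
    patching.cost_to_date = 6_500       # exceeded the cost assumed at formulation
    return [training, patching]
```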

Page 149: Information Assurance Professional National Security Registration Board Version 2.6.

Control Objective Beta Test Process

[Diagram; only the box labels survive extraction: Performance Criteria; Control Objective Performance in Operational Environment; Baseline Formulation Assumptions; Recorded Outcomes; Assessment of Control Effectiveness; Aggregation of control objective test results; Final Implementation of Control Baseline; Assessment of Baseline Effectiveness.]

Page 150: Information Assurance Professional National Security Registration Board Version 2.6.

Assessment of Control Coverage

• Then, once the testing step is complete, the aggregate set of results for the control baseline is assessed for the purposes of formalizing a finalized set of security control objectives.

• These controls represent the operational realization of the security system, and their baseline representation is maintained under strict change control by the configuration management system.

Page 151: Information Assurance Professional National Security Registration Board Version 2.6.

Assessment of Control Coverage

• The released version of this baseline is managed by that function in the same manner as a software release.

• That is, no changes are allowed without authorization and subsequent verification of the correctness and effectiveness of the change.

Page 152: Information Assurance Professional National Security Registration Board Version 2.6.

Module Three Review

1. Why are two baselines needed?

2. What is the reason for tradeoffs?

3. What is the reason for top-down sponsorship?

4. What are the criteria for determining feasibility?

5. What is the purpose of the beta test of controls?

6. Why are the final baselines strictly controlled?

7. Why is buy-in a success factor?

8. What is the role of risk assessment?

9. What is the purpose of asset valuation?

10. Why must system boundaries be decided?

Page 153: Information Assurance Professional National Security Registration Board Version 2.6.

End of Personal Instruction