Lesson 8-Information Security Process. Overview Introducing information security process. Conducting...


Transcript of Lesson 8-Information Security Process. Overview Introducing information security process. Conducting...

Page 1: Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process


Overview

Introducing information security process.

Conducting an assessment.

Developing a policy.

Implementing security.

Conducting awareness training.

Conducting audits.


Introduction to Information Security Process

The process of information security


Conducting an Assessment

An assessment determines:

The total value of the organization’s information assets.

The size of the threats with respect to confidentiality, integrity, availability, and accountability.

The vulnerabilities of the information assets and the organization.

The organization’s overall risk and recommended changes to the current information security policy.


Conducting an Assessment

While conducting an assessment of an organization, examine:

Network.

Physical security measures.

Existing policies and procedures.

Precautions.

Awareness.


Conducting an Assessment

While conducting an assessment of an organization, examine (continued):

Staff.

Workload and employee attitude.

Adherence.

Business.


Network

The organization’s network is the easiest access point to information and systems.

A network diagram helps examine each point of connectivity.

Query network administrators to know the type of network management system in use.

Perform a vulnerability scan of all systems.


Network

The protection mechanisms within a network should include:

Router access control lists and firewall rules on all Internet access points.

Authentication mechanisms used for remote access.

Protection mechanisms on access points to other organizations.

Encryption mechanisms used to protect portable computers and to transmit and store information.


Network

The protection mechanisms within a network should include (continued):

Anti-virus systems in place on servers, desktops, and e-mail systems.

Server security configurations.


Physical Security Measures

Important physical security information includes identifying:

The protection mechanisms for the site, buildings, office space, paper records, and data center.

The personnel responsible for physical security.

The critical and sensitive areas.

The location of the communication lines within the building.

The types of UPS in place and how long the current UPS will last.


Physical Security Measures

Important physical security information requires knowing:

How power is supplied to the site and data center.

The systems connected to the UPS.

The environmental controls attached to the UPS in the data center.

The type of fire suppression system in the data center.

The personnel who need to be notified in case of power or environmental control failure.


Policies and Procedures

Policies and procedures must be examined for relevance, appropriateness, and completeness.

Procedures must define the way tasks are currently performed.

Map requirements with stated goals.

Update policies and procedures on a regular basis.

Assess the organization’s security awareness program.

Examine the recent incident and audit reports.


Precautions

Precautions are used to restore operations when something goes wrong.

Backup systems and disaster recovery plans are two components of precautions.

Understand which backup system is used and how often it is used.

Examine the disaster recovery plan for relevance and completeness.


Awareness

Determine the staff’s level of awareness of security issues and policies.

Create awareness of security threats, vulnerabilities, and signs indicating that a system is compromised.

Ensure that the staff knows how to implement a disaster recovery plan.


People

Examine whether the staff members have the necessary skills to implement a security program.

They must understand policy work and the latest security products.

Administrators must be able to administer the organization’s systems and networks.


Workload and Employee Attitude

Overworked employees do not contribute much to the security environment.

Determine whether the workload is a temporary problem.

Assess management attitude with regard to security issues.

Identify the personnel responsible for security within the organization.

Employees must be aware of the management’s commitment to security.


Adherence

While determining the intended security environment, identify the actual security environment.

The intended security environment is defined by policy, attitudes, and existing mechanisms.

Determine whether adherence to this policy requirement is lacking.


Business

Identify the cost if confidentiality, integrity, availability, or accountability of information is compromised.

Measure vulnerabilities in monetary terms, downtime, lost reputation, or lost business.

Identify the flow of information across the organization.


Business

Identify organizational interdependencies.

Identify which systems and networks are important to the primary function of the organization.

Identify the back-end systems.


Assessment Results

Analyze the information.

Assess all security vulnerabilities.

Compile a complete set of risks in the order of high to low.

Include a list of recommendations to manage each risk.


Assessment Results

Present potential cost in terms of money, time, resources, reputation, and lost business.

Develop a security plan.

Allocate and schedule resources to handle security.


Developing a Policy

Policies and procedures define the expected state of an organization’s security.

They define the tasks to be performed during implementation.

Create policies for communication, security, system usage, backup, account management, incident handling, and the disaster recovery plan.


Developing a Policy

Choosing the order in which to develop policies depends on:

The criticality of the risks.

The time each will take to complete. Ideally, the information policy should be completed early in the process.


Developing a Policy

Existing documents require frequent updating.

Use these documents and identify deficiencies.

Involve people who developed the policies.


Implementing Security

Implementation of organizational policies includes:

Identification and implementation of technical tools and physical controls.

Hiring of security staff.

Examination of each implementation and its interactions with other controls.


Implementing Security

Security reporting systems.

Authentication systems.

Internet security.

Intrusion detection systems.

Encryption.

Physical security.

Staff.


Security Reporting Systems

A security reporting system is a mechanism to track adherence to policies and procedures.

It tracks the overall state of vulnerabilities within the organization.

It can use manual or automated systems.


Security Reporting Systems

Enforce computer use policies such as:

Tracking Internet use.

Restricting access while maintaining login attempts.

Removing unwanted applications from the desktop installations.


Security Reporting Systems

System vulnerability scans include:

Tracking the number of systems on the network.

Tracking the number of vulnerabilities on these systems.

Providing vulnerability reports to system administrators for correction or explanation.
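As an added example that is not part of the lesson, the following Python ties the scan tracking described here to the Assessment Results step above: it counts systems and open vulnerabilities, ranks findings from high to low risk using the asset value from the assessment, and produces a per-administrator report with a recommendation for each finding. Hostnames, administrators, findings, severities and asset values are constructed sample data.

```python
from collections import defaultdict

# Constructed weights: how much a finding of each severity contributes to risk.
SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}

# Constructed per-host business value from the assessment (cost per hour of downtime).
ASSET_VALUE = {"db01": 5000, "web01": 2000, "kiosk07": 100}

# Constructed scan results joined with the responsible administrator.
# status is "open" until the admin corrects it or documents an explanation.
FINDINGS = [
    {"host": "db01", "admin": "alice", "issue": "Default admin password", "severity": "high",
     "status": "open", "fix": "Set a unique password; enforce the account management policy."},
    {"host": "web01", "admin": "bob", "issue": "Missing security patch", "severity": "high",
     "status": "open", "fix": "Apply the vendor patch in the next maintenance window."},
    {"host": "web01", "admin": "bob", "issue": "Directory listing enabled", "severity": "low",
     "status": "explained", "fix": "Disable listing (owner documented a business need)."},
    {"host": "kiosk07", "admin": "alice", "issue": "Unused service running", "severity": "medium",
     "status": "open", "fix": "Remove the service from the desktop build."},
]

def count_systems(findings):
    """Number of distinct systems the scan saw on the network."""
    return len({f["host"] for f in findings})

def count_open(findings):
    """Vulnerabilities still awaiting correction or an accepted explanation."""
    return sum(1 for f in findings if f["status"] == "open")

def risk_score(finding):
    """Risk = severity weight x value of the affected asset."""
    return SEVERITY_WEIGHT[finding["severity"]] * ASSET_VALUE[finding["host"]]

def rank_risks(findings):
    """Open findings ordered from highest to lowest risk, each carrying its recommendation."""
    open_findings = [f for f in findings if f["status"] == "open"]
    return sorted(open_findings, key=risk_score, reverse=True)

def reports_by_admin(findings):
    """Per-administrator report: open findings on their systems, highest risk first."""
    reports = defaultdict(list)
    for f in rank_risks(findings):
        reports[f["admin"]].append((f["host"], f["issue"], f["severity"], f["fix"]))
    return dict(reports)

if __name__ == "__main__":
    print(f"systems: {count_systems(FINDINGS)}, open vulnerabilities: {count_open(FINDINGS)}")
    for f in rank_risks(FINDINGS):
        print(f"{risk_score(f):>6} {f['host']:8} {f['severity']:6} {f['issue']}")
    for admin, items in reports_by_admin(FINDINGS).items():
        print(f"\nReport for {admin}:")
        for host, issue, sev, fix in items:
            print(f"  [{sev}] {host}: {issue}. Action: {fix}")
```

The high-severity finding on the low-value kiosk ranks below the medium one on the database host only because asset value is part of the score, which is the point of measuring risk in business terms rather than by severity alone.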


Security Reporting Systems

Checking policy adherence is a time-consuming security task.

It can be automated or manual.

Automated checks require more time to set up and configure, but they provide complete results in a timely manner.

In a manual system, security personnel examine and monitor all facets of the security policy.


Authentication Systems

Authentication systems are used to prove the identity of users accessing a network.

These systems identify authorized users and grant them physical access to a facility.

They should be implemented with proper planning.

Password restrictions, smart cards, and biometrics are a few examples of authentication systems.


Internet Security

The implementation of Internet security includes:

Placing an access control device such as a firewall.

Setting up virtual private networks (VPN).

Changing network architecture.


Intrusion Detection Systems (IDS)

IDS are designed to detect any unwarranted entry into a protected area.

The choice of IDS depends on the organization’s overall risks and available resources.

Anti-virus software, manual and automated log examination, and host-based and network-based intrusion detection software are a few examples of IDS.


Encryption

Encryption can be used to protect information in transit or while residing in storage.

Choose a well-known and well-reviewed algorithm. Private key encryption is faster than public key encryption.

Include an effective key management technique such as link encryptors. A system must change keys periodically.


Physical Security

Ensure that a proper procedure for authenticating users is in place.

Restrict access to the data center.

Protect the data center from fire, high temperature, and power failure.

Remodel the data center to implement fire suppression and temperature control.

Plan for disruptions due to the implementation of a UPS.


Staff

Hire skilled staff:

Who can handle the security implementation.

To conduct awareness training programs.

Who will be responsible for the security of the organization.


Conducting Awareness Training

Conduct awareness training to provide the necessary information to:

Employees.

Administrators.

Developers.

Executives.

Security staff.


Employees

Employees should know the importance of security.

They must be trained to identify and protect sensitive information.

Ensure that the employees are aware of the organization policy, password selection, and prevention of attacks.


Administrators

System administrators must be updated on the latest hacker techniques, security threats, and security patches.

Include updates in regular administration staff meetings.

Send updates to administrators as and when they are prepared.


Developers

Developers should know proper programming techniques to reduce security vulnerabilities.

They should have a proper understanding of the security department’s role during the development process.

Security issues must be addressed in the design phase.


Executives

Management must be informed of the state of security and the progress of the program.

Periodic presentations must include the results of recent assessments and the status of various security projects.

Metrics that indicate the risks to the organization must be a part of such reports.


Security Staff

Security staff must be kept up to date to help them provide appropriate services to the organization.

Conduct both internal and external training programs.

Include security-related topics in the training sessions.


Conducting Audits

The audit is the final step in the information security process.

It ensures that controls are configured correctly and map to the policy.


Types/Components of Audits

Policy adherence audits.

Periodic and new project assessments.

Penetration tests.


Policy Adherence Audits

These audits determine whether or not the system configurations adhere to the policy.

They are the traditional audit function.

Any variations are recorded as violations.

Conduct periodic audits on the implementation of the information policy and the storage of sensitive documents.


Periodic and New Project Assessments

Changes in computer and network environments result in changes in risks and assessments.

A full assessment of the organization should be performed periodically.

Major audits and assessments must be done by an external firm.


Penetration Tests

A penetration test attempts to exploit an identified vulnerability to gain access to systems and information.

Test the effectiveness of controls using penetration tests.

Physical penetration tests include individuals who attempt to gain unauthorized access to a facility.

Social engineering tests check whether employees can be induced to divulge classified information.


Summary

Conducting an information security assessment involves determining the value of an organization’s information assets.

Policies and procedures define the work to be performed during implementation.

The implementation of policy involves identification and implementation of tools and controls.


Summary

Awareness training provides necessary security information to employees.

Audits ensure that policies are being implemented and followed.