Security Architecture

Post on 08-Jun-2015


Why?

• Initially, the majority of businesses operated closed processing environments (Glass House).

• Networks and a distributed client/server processing environment.

• Decentralized processing.

• Increase the exposure of sensitive information.

• We require:
– Confidentiality
– Integrity
– Availability

Confidentiality

• Confidentiality relates to the protection of information from unauthorized access, regardless of where the information resides or how it is stored.

• Are only the appropriate personnel viewing or using the organization’s information assets?

• Authentication and authorization

• Framework for classifying the confidentiality

Integrity

• Integrity is the protection of information, applications, systems, and networks from intentional, unauthorized, or accidental changes.

• Is the information correct and are the applications processing the appropriate files?

Availability

• Availability is the assurance that information and resources are accessible by authorized users as needed.
– Denial of services caused by a lack of security controls
– Loss of services from information resources due to natural disasters

• Are the network resources, applications, and data accessible when needed?

Five components of the ISA

• Security Organization / Infrastructure

• Security policies, standards, and procedures

• Security baselines/risk assessments

• Security awareness and training programs

• Compliance

Information Security Architecture Components

Case Study

• Network Security

Infrastructure

• Firewall

Policies, standards, and procedures

• Who is permitted to use the application

• What types of services will be provided by the system

• How users will request access to the system

• Who will grant access to the system

• How often access logs will be reviewed

• What procedures will be taken for inappropriate use of the system

• How security incidents will be reported, recorded, and handled

• Who will be responsible for investigating suspicious activity

Security baselines/risk assessments

• Once the configuration is complete, an attempt to thwart the system should be performed so that both the capabilities and weaknesses are known, documented, and improved.

• Automated vulnerability testing software

• Testing software must be updated frequently

Security awareness and training programs

• All users of the system must be made aware of what they can and cannot do.

• Proper knowledge of policies.

• Personal business is restricted on organization infrastructure.

• It needs to be made clear what the consequences will be if the policies related to the Internet are not followed.

Compliance

• Procedures need to be established to ensure that all parties responsible for the Internet access and firewall configuration are in compliance with the security policy, standards, and procedures that have been developed, and that the programs developed to enforce the policies are effective.

• Regular, depends on risk level.

Piecemealing

• As an organization grows, the tendency is to add to the existing environment to meet current requirements without planning for future growth.

• This can occur due to lack of knowledge on available technology, lack of communication between departments, or nonexistent technology standards within the organization.

The Threat

• A threat is an act of coercion wherein an act is proposed to elicit a negative response.

• Corporate information can be easily accessed, compromised, or destroyed by intentional, unintentional, or natural threats.

Intentional threats

• Unauthorized users who inappropriately access data and information that they are not granted permission to view or use.

• Can be external or internal.

Unintentional threats

• Caused by untrained or careless employees.

• Also include programmers or data processing personnel

Natural threats

• Equipment failures, or disasters such as fire, floods, and earthquakes that can result in the loss of equipment and data

The Risks

• There are many events that can result if a breach of confidentiality, integrity, or availability occurs.

Threat/Concern/Risk Matrix

Overview of Security Controls

• To apply appropriate controls to an operating environment, it is necessary to understand who or what poses a threat to the processing environment and then to understand what could happen (risk or danger) from that threat.

Risk versus controls implementation.

The Controls

• Control requirements are not uniform for all systems.
– Administrative controls
  • Security policies and procedures
– Physical controls
  • Direct physical access to equipment
– Technical controls
  • Logical controls
– Access controls
  • Non-repudiation

Physical Controls

Administrative Controls

Technical Controls

The Strategic Information Technology (IT) Plan

• The business plan answers the who, what, where, when, why, and how of the business.

Strategic IT Plan should be broken into six parts

• Introduction

• Description of the IT Organization

• Scope, Viability, and Modification of the Plan

• Relationship to the Organization’s Strategic Business Plan

• Strategic Goals for Information Technology

• Summary and Conclusion

Introduction

• The Introduction is an overview or executive summary that describes the background, origination, and intent of the document.

Description of the IT Organization

• The Description of the IT Organization should include a definition of the roles and responsibilities of individuals within the IS department, an organization chart and description of supporting staff, and a vision for the use of IT.

Scope, Viability, and Modification of the Plan

• The Scope, Viability, and Modification of the Plan section defines the scope of the document.

Relationship to the Organization’s Strategic Business Plan

• The Relationship to the Organization’s Strategic Business Plan section refers back to the business plan and provides a discussion of how the plan is integrated with and supports the Strategic Business Plan.

Strategic Goals for Information Technology

• The Strategic Goals for Information Technology section lists the specific objectives from the business plan that relate to IT.

Strategic IT Plan: Sample Table of Contents

Table of Contents

1. Introduction
2. Information Technology at XXXX Organization (Mission Statement)
2.1 The CIO and Information Systems & Technology Roles
2.2 The Information Systems & Technology Institutional-Level Organization
2.3 Local Information Technology Support Staff
2.4 The Evolving Information Technology Support Role
2.5 A Vision for Information Technology Effectiveness
3. Scope, Viability, and Modification of This Plan
4. Relationship to the XXXX Corporation’s Strategic Plan
5. Strategic Goals for Information Technology
5.1 A Corporate Goal: Information Accessibility
5.1.1 Enhance and Extend the Network Infrastructure
5.1.2 Ensure Appropriate Off-Site Network Access
5.1.3 Ensure Effective Delivery of Information Technology Support
5.1.4 Evaluate Services and Customer Satisfaction
5.1.5 Establish Corporate-wide Standards
5.1.6 Effectively Manage and Distribute Servers
5.1.7 Enhance Support of Library Initiatives
5.1.8 Enhance Internal and External Communications
5.2 A Corporate Goal: Technology-Enabled Management, Staff, and Business Partners
5.2.1 Ensure Management and Staff Development in Technology
5.2.2 Provide Appropriate Workstation Support for Management and Staff
5.2.3 Promote Effective Research Computing
5.2.4 Foster Technology Experimentation
5.2.5 Provide Effective Information Technology Services for Clients
5.3 A Corporate Goal: Technology-Enhanced Business
5.3.1 Establish Appropriate Levels of Technology in Business Operations
5.3.2 Ensure Availability of Information Technology Resources for Employees
5.3.3 Engage the Corporate Community in the Use of Technology
5.4 A Corporate Goal: Business Process Effectiveness
5.4.1 Improve Efficiency of Operations
5.4.2 Establish an Effective Data Warehouse System
5.4.3 Replace Business-Process Software Systems
5.5 A Corporate Goal: Information Security Architecture
5.5.1 Establish an Organization that Supports the Security Function
5.5.2 Establish Security Policies and Procedures
5.5.3 Conduct Baseline Risk Assessments for Each Component of the Operating Environment
5.5.4 Develop a User Awareness Program and Conduct Training for Employees and Individuals with Security Responsibility
5.5.5 Develop a Comprehensive Compliance Program
6. Summary and Conclusion