- Security management includes: Risk management, security practices and security education.
- Security management practices focuses on the continual protection of company assets.
- Management support is one of the most important pieces of a security program.
Three types of control are used to achieve management’s goals:
Administrative: Policies, procedures, guidelines, awareness training, personnel screening, system activity monitoring, change control and configuration management.
Technical: Logical access control mechanisms, password & resource management, identification and authentication, security devices, network configuration.
Physical: Physical access control, locking systems, removing unnecessary media, guards, environmental control, perimeter security.
Management (the information owner) creates security directives and classifies data. The security team implements and enforces the directives.
Some commonly used security definitions are:
Vulnerability: Software, hardware of procedural weakness that may provide an attacker the open door he is looking for. Absence or weakness of a safeguard.
Threat: Any potential danger to information or systems.
Risk: Likelihood of a threat agent taking advantage of a vulnerability.
Exposure: An instance of being exposed to losses from a threat agent.
Countermeasure: Hardware, software or procedure that eliminates a vulnerability, or, reduces the risk of a threat agent being able to exploit it. Is also called a safeguard.
Risk Analysis is a method of identifying risks and assessing the possible damage that could be caused in order to justify security safeguards.
Risk management addresses 3 fundamental questions:
Identify assets – What am I trying to protect?
Identify threats – What am I trying to protect against?
Calculating risks – How much time, effort & money am I willing to spend on adequate protection.
The following issues should be considered when assigning value to information safeguards:
- Cost to acquire and develop
- Cost to maintain and protect
- Value to owners and users
- Value to adversaries
- Value of intellectual property
- Price that others would pay for the asset
- Cost to replace if lost
- Operational and productivity affected if asset is lost.
- Liability issues if asset is compromised.
- Usefulness of the asset.
There are 4 basic elements to risk management:
- Quantitative risk analysis
- Qualitative risk analysis
- Asset valuation process
- Safeguard selection
Quantitative risk analysis:
- Estimate value of assets to be protected.
- Identify each threat and corresponding risk
- Estimate loss potential of each risk
- Estimate possible frequency of threat
- Recognize and recommend remedial measures
Quantitative risk analysis involves the following definitions and calculations:
SLE – Single loss expectancy: Dollar amount of potential loss to an organization if a specific threat too place.
EF – Exposure factor: Percentage of loss a realized threat could have of an asset.
Asset value * Exposure factor (EF) = SLE
ARO – Annualized rate of occurrence: Estimated possibility of a specific threat taking place in a one year timeframe.
ALE – Annual loss expectancy:
Single loss expectancy (SLE) * Annualized rate of occurrence (ARO) = ALE
Safeguard value: (ALE before safeguard) – (ALE after safeguard) – (Annual cost of safeguard) = Safeguard value to the company.
Residual Risk: Amount of risk remaining after a safeguard is implemented:
threats * vulnerability * asset value = total risk.
(threats *vulnerability * asset value) * control gap = residual risk.
Asset: Resource, process, product, infrastructure and any other object that an organization has determined should be protected.
Qualitative risk analysis:
- Walk through different scenarios and rank seriousness of threats or sensitivity of assets.
- Techniques include judgment, intuition and experience.
- Some methods are Delphi, brainstorming, story boarding, focus groups, surveys, questionnaires, one-on-one meetings and interviews.
Transferring : Insurance
Rejecting : Deny or ignore the risk.
Reducing : Implementing countermeasures.
Accepting : Live with the risk.
Policies, Procedures, Standards and Guidelines
Security Policy: General statement produced by senior management.
Issue specific: For example, email, PDA.
System specific: Approved software lists, database standards.
Standards: Specify how hardware and software are to be used. Usually mandatory.
Baseline: Minimum level of security necessary throughout the organization. Standards are usually developed from baselines.
Guidelines: Recommended actions and operational guides. Not mandatory. Provide direction in policy grey areas.
Procedures: Detailed step by step actions to achieve the tasks necessary for compliance with standards. Standards as also known as “practices”.
To be effective, each of these needs high visibly, which can be helped be awareness training, manuals, presentations, legal banners. Can also help with due care and diligence issues.
The primary purpose of data classification is to indicate the level of confidentiality, integrity and availability that is required for each type of information.
Confidential Top Secret
Public Sensitive but unclassified
(Note: Commercial ‘confidential’ information is exempt from FOAI).
Layers of Responsibility:
Data Owner: Senior management, ultimately responsible for protection and use of data. Determines data classification.
Data Custodian: Responsibility for maintenance and protection of data. Usually IT department. Makes backups, performs restores, etc.
User: Any individual who routinely uses the data for work related purposes. Also considered “consumer” of the data.
The necessary pieces that fit together for effective security management practices are:
- Data classification
- Operational activities
- Safeguard selection
- Separation of duties
- Management security responsibilities
- Guidelines and procedures
- Risk assessment
- Policies and standards
- Security awareness.
The three pillars of security awareness training are: Awareness, Training, Education.
Separation of Duties:
“The principle of separation of duties is that an organization should carefully separate duties, so that people involved with checking for inappropriate use are not also capable of making such inappropriate use. No person should be responsible for completing a task involving sensitive, valuable or critical information from beginning to end. Likewise, a single person must not be responsible for approving their own work”.
Some examples of things that should be separated are:
- development / production
- security / audit
- account payable / accounts receivable
- encryption key management / changing of keys
- Name the 5 general procedures to implement change control:
- Applying to introduce a change
- Cataloging the intended change
- Scheduling the change
- Implementing the change
- Reporting the change to appropriate parties