L
2:
P
S
You got to be careful if you don’t know where you’re going, because you might not get there. – Yogi Berra

Outline and Review
• Introduction to Information Security
• CIA Triangle and Extensions
• Principles of Information Security Management
• Planning for Information Security

Include the following characteristics that will be the focus of the current course (six P’s):
1. Planning
Chapters 2 & 3
2. Policy
3. Programs
4. Protection
5. People
6. Project Management http://csrc.nist.gov/publications/PubsTC.html

Figure 2-1 Information Security and Planning
Source: Course Technology/Cengage Learning

The Role of Planning
• Successful organizations utilize planning
• Planning involves
– Employees
– Management
– Stockholders
– Other outside stakeholders
– The physical and technological environment
– The political and legal environment
– The competitive environment

The Role of Planning (cont’d.)
• Strategic planning includes:
– Vision statement
– Mission statement
– Strategy
– Coordinated plans for sub units

Precursors to Planning
• Values Statement
• Establishes organizational principles
• Vision Statement
• What the organization wants to become
• Mission Statement
• what the organization does and for whom
The values, vision, and mission statements together provide the foundation for planning

Strategic Planning
• Strategy is the basis for long-term direction
• Strategic planning guides organizational efforts

Planning Levels
• Strategic goals are translated into tasks
• Objectives should be SMART
• Strategic planning then begins a transformation from general to specific objectives

Planning Levels (cont’d.)
Strategic Planning
Tactical Planning
Operational Planning

Planning and the CISO
• Elements of a strategic plan
– Executive summary
– Mission statement and vision statement
– Organizational profile and history
– Strategic issues and core values
– Program goals and objectives
– Management/operations goals and objectives
– Appendices (optional)

Information Security Governance
• Governance of information security is a strategic planning responsibility
– Importance has grown in recent years
• Information security objectives must be addressed at the highest levels of an organization's management team
– To be effective and offer a sustainable approach

Desired Outcomes
Strategic alignment
Risk management
Resource management
Performance measurement
Value delivery

Implementing Information Security Governance
Figure 2-6 General Governance Framework
Source: IDEAL is a service mark of Carnegie Mellon
University

Implementing Information Security Governance
(cont’d.)
Figure 2-7 The IDEAL model governance framework
Source: IDEAL is a service mark of Carnegie Mellon
University

GRC Article 1: Forrestor’s Framework
• Lines of Defense
• Stakeholder Contributions and Expectations

Planning for Information Security Implementation
Source: Information Security Governance: A Call to
Action

Planning For Information Security Implementation
• Implementation can begin
– After plan has been translated into IT and information security objectives and tactical and operational plans
• Methods of implementation
– Bottom-up
– Top-down

Planning For Information Security Implementation
(cont’d.)
Source: Course Technology/Cengage learning

• Drivers of Resolving Vulnerabilities
• CEO Questions about cyber risks

• A methodology for the design/implementation of an information system
• SecSDLC methodology is similar to SDLC

Identification of specific threats and the risks they represent
Design and implementation of specific controls to counter those threats and manage risks posed to the organization

Phase begins with directive from management specifying the process, outcomes, and goals of the project and its budget
Feasibility analysis
• Determines whether the organization has the resources and commitment to conduct a successful security analysis and design

Prepare analysis of existing security policies and programs, along with known threats and current controls
Analyze relevant legal issues that could affect the design of the security solution

Prepare analysis of existing security policies and programs, along with known threats and current controls
Analyze relevant legal issues that could affect the design of the security solution
Table 2-1 Threats to Information Security

Exploit
Vulnerability Attack
Ex. Java Vulnerability Patch
….and a week later

– Malicious code
– Hoaxes
– Back doors
– Password crack
– Brute force
– Dictionary
– Denial-of-service (DoS) and distributed denialof-service (DDoS)
–
–
–
–
–
–
–
–
Spoofing
Man-in-the-middle
Spam
Mail bombing
Sniffer
Social engineering
Buffer overflow
Timing

• Prioritize the risk posed by each category of threat
• Identify and assess the value of your information assets
– Assign a comparative risk rating or score to each specific information asset

• Design in the SecSDLC
– Create and develop a blueprint for security
– Examine and implement key policies
– Evaluate the technology needed to support the security blueprint
– Generate alternative solutions
– Agree upon a final design
• Security models may be used to guide the design process

• A critical design element of the information security program is the information security policy
• Management must define the types of security policy
• Integral part of design: SETA program
– Consists of: Security education, security training, and security awareness
– Purpose: enhance security

• Design controls and safeguards
– Used to protect information from attacks by threats
• Design controls and safeguards (Categories):
1.
Managerial controls
2.
Operational controls
3.
Technical controls

• Contingency planning (Chapter 3)
– Prepare, react and recover from circumstances that threaten the organization
• Types of contingency planning
– Incident response planning (IRP)
– Disaster recovery planning (DRP)
– Business continuity planning (BCP)

• Physical security
– Design, implementation, and maintenance of countermeasures that protect the physical resources of an organization
• Physical resources include
– People
– Hardware
– Supporting information system elements

Security solutions are acquired, tested, implemented, and tested again
Personnel issues are evaluated and specific training and education programs conducted

Once program is implemented, it must be:
• Operated
• Properly managed
• Timely (i.e. up to date using established procedures)
If the program is not adjusting adequately to the changes in the internal or external environment, it may be necessary to begin the cycle again

• Aspects of a maintenance model
– External monitoring
– Internal monitoring
– Planning and risk assessment
– Vulnerability assessment and remediation
– Readiness and review
– Vulnerability assessment
Figure 2-11 Maintenance model

• Security program management (Chapter 6)
– A formal management standard can provide some insight into the processes and procedures needed
– Examples include the BS7799 / ISO17799 / ISO27xxx model or the
NIST models described earlier

• GRC in an increasingly complex, information-centric world
• Challenges
• Suggestions
• Building a GRC Platform

Summary
• Information security governance
• Planning for information security implementation
• Introduction to the security systems development life cycle