Matakuliah Tahun Versi :A0334/Pengendalian Lingkungan Online : 2005 : 1/1 Pertemuan 15 Security Policies 1 Learning Outcomes Pada akhir pertemuan ini, diharapkan mahasiswa akan mampu : • Mahasiswa dapat menyatakan Security Policies 2 Outline Materi • A Multi-Layered Response – – – – – – – – – – People controls Reporting and Recovering from A Scurity Breach Contractual Controls Technology Controls Acts of God or Terrorism Insurance Maintaining Effective Security The Standards-Based Approach The BS 7799 and ISO 17799 Standards Conclusion 3 • Managed Security services – Managed Security pros – Managed Security Cons – Moving to The Managed Model • • • • • • • Written Service-Level Agreements (SLAs) Secure Financial Position Recognised Standards Global Reach Vendor Accreditation Secure NOC (Network Operations Centre) Customer and industry Testimony – Conclusion 4 A Multi-Layered Response • Many of the problems associated with information security arise from the tendency of most organisations to take a ‘sticking plaster’ approach to the issue, in that they identify that a threat exists or that a security incident has occurred and then determine a specific control in order to manage or mitigate the particular threat. The problem with this approach is that it is generally reactive and inconsistent, and it is simply not extensive enough as it does not consider other threats. 5 • A lack of consistency can be a serious problem, as security incidents can take a variety of forms. 6 • Incidents originating from outside the organisation are generally: – Website defacement – Denial of service (DOS) 7 • Incidents originating from inside the organisation are generally: – Web surfing of non-business-related sites resulting in loss of productivity (ie revenue) – Service disruption resulting from unscheduled or untested changes to the environment – Illegal activity such as downloading pornographic material (such as paedophilia) – Unwittingly introducing some form of virus into into the environment, typically through email or or file sharing – Attempted access to systems or information by unauthorised persons (either accidental or malicious) 8 – Leaving classified or sensitive information on screen, visible to unauthorised persons – Leaving systems logged in, unattended and accessible to passing persons – Wrongful disclosure of personal information (in contravention of the Data Protection Act 1988) – Accidental deletion of information 9 • The most serious incidents are rare but can prove very costly, whether they are internally or externally inspired. Internal staff are better positioned to exploit situations as they are typically ‘trusted’, with a good understanding of the systems, applications and architecture. An external hacker needs to be highly skilled,using a combination of analysis skills, code creation and even social engineering (the manipulation of people to obtain information). 10 • These rare types of incidents include: – Theft of information – such as customer details. – Theft of information – such as credit card details. – Theft of information – such as ideas,products or solutions (ie industrial espionage). – Embezzlement – this requires the perpetrator to understand how an organisation’s business operates, specifically in terms of accounting and cash-flow, in order to divert funds (easier for internal staff) 11 People Controls • When considering the controls to be used to address the security issue, we must consider where and how we can influence behaviour. • When considering the external threat, an organisation can exert very little influence over the behaviour or users entering its website, and as such are dependent on utilising technology products or product configurations in order to either make the environment (internet access, servers and applications) robust, or to detect, alert and potentially repel malicious activity. 12 • When considering the internal threat, an organisation has far more influence over the behaviour of users utilising internal systems and information. Users must be made aware of what is acceptable behaviour and of the consequences of unacceptable behaviour. 13 • Another cause of internal security breaches arises from modifications to applications, systems or infrastructure, without adequate consideration for testing, back-up and back-out where these cause down-time and cause the risk for security weaknesses to be brought into the internal infrastructure. This is adequately addressed within an effective change control process that has consideration for security impact. 14 Reporting and Recovering from a Security Breach • In any instance that a security breach occurs, the training and education process should ensure that staff recognise an event and are aware of the process for reporting the event (who has responsibility), and that those persons with responsibility know the process for handling the event. 15 • These policies and procedures would entail such elements as: – Procedures for handling staff who have contravened company security policies – Procedures for detecting security breaches (tools, logs, etc) – Procedures for recovering from specific types of incident (rebuild of operating system, restore from back-up etc) – Communication procedures – Management procedures 16 Contractual Controls • Another element to consider is the potential threat (either accidental or malicious) from third parties with whom there is some formal relationship (such as trading partners or service providers); these may in some instances be considered as trusted, however, the threat still exists. 17 • With a trading partner a sensible approach is to make them responsible for their own action, in addition to providing protective controls. • A contract may state that they must demonstrate that ‘reasonable and considered’ controls are taken relative to the form of communication, sensitivity of the information and the potential threat. • Contractual terms would then seek agreement on an interpretation of these controls and should also provide regular opportunities to have the controls demonstrated to the satisfaction of your organisation. 18 • At the point that the third party enters an organisation, controls should also be implemented. • With a service provider, a contract should not only consider those conditions that apply to a trading partner, but should also consider how loss of the service provided by them would impact the service offered to customers and trading partners. In this respect, the contract should agree service level commitments that can be effectively monitored and proven, and should agree compensation for failure to achieve the service levels. 19 Technology Controls • Where technology controls are used, it is important that they are configured and maintained as effectively as possible. • Many organisations will be dependent upon utilising a specialist security company in order to ensure effective security through technology controls. 20 • This will often encompass multi-layer security (security in depth) to exploit and combine: – – – – Tight access controls Strong authentication Protection of information in transit (encryption) Hardened operating systems, services and applications – High availability – Quality of service – Performance 21 Acts of God or Terrorism • In the event that an incident occurs that is considered exceptional, such as flooding, lightning, vehicle crash, bomb explosion or significant loss of key staff (to lottery win, for example), an organisation must have plans in place to minimise the impact to the business by restoring a level of service within a pre-determined time-frame and managing the communications process between staff, partners and customers (ie business continuity). 22 Insurance • When all reasonable measures have been taken, an organisation should also consider insurance. In the case of a significant security incident, insurance funds will limit the damage to the business by providing some element of (or all of) the revenue to recover the business to the point of normal operation. • This form of insurance is often referred to as cyber-liability insurance. Some insurance companies specialise in such policies, but will often require some evidence that adequate controls have been implemented before policy can be obtained. 23 Maintain Effective Security • A management process for information security (policy-based controls) needs to encompass a mechanism for review. This mechanism should consist of an audit process to regularly review the business opertions, the risks and the controls in order to ensure the policy-based controls remain effective. 24 • The technology controls also need to encompass a mechanism for review. This mechanism should consist of a regular audit of the complete technology infrastructure to review the technology operations, the risks and controls, and, importantly, to ensure that the technology controls remain effective. In addition, this review should encompass regular vulnerability and penetration testing. 25 • In both cases the primary purpose is to refine the controls each time the review is performed, thus optimising the controls, or ensuring that the controls are the most appropriate through experience. The process also ensures that information security adapts with changes to the organisation and changes with the way business is performed. 26 The Standards-Based Approach • Any organisation that undertakes an exercise to implement ‘information security’ using the management approach to achieve consistent, extensive and comprehensive security will normally need to look for guidance. • An own ‘best efforts approach’ has obvious limitations; it is far better to utilise an approach based upon best practice that has some form of track record – the obvious being an existing standard that specifically addresses the requirement. Several such standards exist that address the requirements to varying degrees. 27 The BS 7799 and ISO 17799 Standards • The ISO 17799 standard started life as the British Standard BS 7799 Part I Code of Practice for Information Security in 1995. 28 Conclusion • Thismethodology is suitable for any organisation that aims to utilise a dual approach to the provision of information security that is extensive, consistent and effective – ie ‘security in depth and security in breadth’. 29 Managed Security Services • Economic and staff resourcing factors are further driving the trend for strategic outsourcing of specialist business areas – a fact noted by Allan Carey, senior analyst for IDC: ‘The managed security services market is being driven primarily by resource constraints to capital and security expertise.’ 30 • This model however is not new; companies have previously outsourced functions such as legal matters, HR, recruitment, accounting and front desk security to outside specialists. The management of a company IT security infrastructure can be seen simply as an extension of this. 31 Managed Security Pros • The benefits of outsourcing managed security include: – Leveraging the talents and experience of security and privacy experts to protect brand, intellectual property and revenues – Supplementing existing security resources costeffectively – Implementing sophisticated security solutions – Focusing resources on building core business, not on building a security centre or on trying to constantly stay on top of changing security threats 32 – Controlling and managing security spending – Accessing a trusted advisor during security incidents – Obtaining third-party validation and verification of the appropriateness of your security policies – Benefiting from cutting-edge security research and development. 33 Managed Security Cons • Amongst the disadvantages of outsourcing security solutions we find: – Allowing a third party access to the ‘keys to the safe’ – Long term-inflexible contract terms – That several companies in the managed security area are start-ups with an uncertain economic future – Trust as the main barrier 34 Moving to The Managed Model • Once a decision is taken to embrace managed security how do you select a service provider? 35 Written Service-Level Agreements (SLAs) • The primary objective of a managed security service is to provide security services that meet the agreed business and technical requirements of the client. To facilitate this, the service provider needs to understand these requirements and translate them into measurable criteria. This allows the service provider to measure the service. 36 Secure Financial Position • After taking the time to select a suitable supplier of managed services, the last thing you want to happen is that they go bankrupt after a few months of the contract, leaving you ‘high and dry’. Secure finances is perhaps the most important area to consider, even more so in the current economic climate. Part of the selection process here should be a check on the customer base and the length of time the company has operated within the managed service arena. 37 Recognised Standards • If a company, particularly a service provider in this case, is awarded an ISO 9000 certificate, it can demonstrate to its customers that it is in possession of a documented quality system that is being observed and continually followed. 38 Global Reach • A correctly scaled managed firewall or VPN (Virtual Private Network) service allows companies to take advantage of the inherent benefits of a well-designed, secure firewall deployment gives us the flexibility to expand outside of our home country without the headache of understanding the creation of a secure communications platform. 39 Vendor Accreditation • The vendor accreditation aspect again links back to an MSP’s investment in the service they supply. 40 Secure NOC (Network Operations Centre) • When outsourcing the management of your firewalls/intrusion detection systems to an MSP, a minimum component must be that they have a secure operations centre from which they con monitor,manage and administer your firewalls. 41 Customer and Industry Testimony • An MSP that conforms to most, if not all, of the points raised above is likely to have a mature installed user base that con vouch for its competence. Any managed service organisations that receive glowing references from both customers and industry peers are likely to make full use of them in corporate literature, websites and advertisements. 42 Conclusion • Outsourcing security technologies is an increasing trend and one that seems set to continue. 43 The End 44