Addis Ababa University
Faculty of Science
Department of Computer Science
COSC 6301 – Computer Security
Chapter 1 - Overview
By Girum Ketema (PhD)
Girumk@gmail.com
Girum.ketema@ju.edu.et

Outline
• Course Outline
• Basics
• Computer Security Elements
• Roles and Responsibilities

Definition – Computer Security
• Measures and controls that ensure confidentiality, integrity, and availability of information system assets (includes hardware, software, firmware, information being processed, stored and communicated). (NIST 2013)

[Figure: the CIA triad objectives (confidentiality, integrity, availability) applied to the information system resources: hardware, software, firmware, data, telecommunications.]

NIST 2013 – The National Institute of Standards and Technology (NIST) Internal Report 7298 (May 2013)

Confidentiality
• Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
• A loss of confidentiality is the unauthorized disclosure of information.
Data Confidentiality: Assures that private or confidential information is not made available or disclosed to unauthorized individuals.
Privacy: Assures that individuals control or influence information related to them:
• Collection
• Storage
• Disclosure – By Whom, to Whom

Integrity
• Guarding against improper information modification or destruction, including ensuring information nonrepudiation and authenticity.
• A loss of integrity is the unauthorized modification or destruction of information.
Data Integrity: Assures that information and programs are changed only in a specified and authorized manner.
System Integrity: Assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
Availability
• Ensuring timely and reliable access to and use of information.
• A loss of availability is the disruption of access to or use of information or an information system.

Security Impact Levels: Low, Moderate, High

Low
• Limited adverse effect
• Degradation in mission capability but can perform primary functions
• Minor damage to organizational assets
• Minor financial loss
• Minor harm to individuals

Moderate
• Serious adverse effect
• Significant degradation in mission capability but can perform primary functions with reduced effectiveness
• Significant damage to organizational assets
• Significant financial loss
• Significant harm to individuals

High
• Severe or catastrophic adverse effect
• Severe degradation or loss in mission capability
• Major damage to organizational assets
• Major financial loss
• Major harm to individuals (may include loss of life)

Examples – Loss of Confidentiality
• Grade information should only be available to students, their parents, and employees that require the information to do their job.
• Low Impact → Disclosure of directory list of students and staff
• Moderate → Disclosure of enrolment information
• High → Disclosure of student grade information

Example – Loss of Integrity
• Low Impact → Anonymous online poll
• Moderate → Falsified information on a website may damage the reputation of the website
• High → Inaccurate allergy information in a hospital database may result in death or serious injury

Example – Loss of Availability
• Critical systems have more availability requirements
• Low Impact → Online telephone directory
• Moderate → Public website of an organization
• High → Authentication service for other systems

Definition …
Authenticity: The property of being genuine and being able to be verified and trusted.
Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. Accountability supports:
• Nonrepudiation
• Deterrence
• Fault isolation
• Intrusion detection and prevention
• Legal action

Computer Security Elements (NIST Handbook)
• Computer security should support the mission of the organization.
• Computer security is an integral element of sound management.
• Computer security should be cost-effective.
• Computer security responsibilities and accountability should be made explicit.
• System owners have computer security responsibilities outside their own organizations.
• Computer security requires a comprehensive and integrated approach.
• Computer security should be periodically reassessed.
• Computer security is constrained by societal factors.

Computer Security Elements (NIST Handbook)
Computer security should support the mission of the organization.
• Security rules and procedures should not negatively impact the mission of the organization.
• Security is a means to an end and not an end in itself.
• Security shall explicitly be stated in terms of the organization’s mission.
• In inter-organizational systems, each organization benefits from securing their systems.

Computer Security Elements (NIST Handbook)
Computer security is an integral element of sound management.
• Management personnel are ultimately responsible for determining the level of acceptable risk for a specific system and the organization as a whole, taking into account the cost of security controls.
• Security breaches can’t be avoided completely. The management shall find a balance between protecting the information and utilizing available resources.
• When an organization's information and systems are linked with external systems, management’s responsibilities extend beyond organizational boundaries.

Computer Security Elements (NIST Handbook)
Computer security should be cost-effective.
• The costs and benefits of security should be carefully examined in both monetary and nonmonetary terms to ensure that the cost of controls does not exceed expected benefits.
• By investing in security measures, an organization can reduce the frequency and severity of computer security-related losses.
• Security benefits do have both direct and indirect costs.
• Solutions to security problems should not be chosen if they cost more, directly or indirectly, than simply tolerating the problem.

Computer Security Elements (NIST Handbook)
Computer security responsibilities and accountability should be made explicit.
• The responsibilities and accountability of owners, providers, and users of computer systems and other parties concerned with the security of computer systems should be explicit.
• If the responsibilities are not made explicit, management may find it difficult to hold personnel accountable for future outcomes.
• Documenting information security responsibilities is not dependent on the size of the organization.
• All organizations, irrespective of size, must have a security policy.

Computer Security Elements (NIST Handbook)
System owners have computer security responsibilities outside their own organizations.
• If a system has external users, its owners have a responsibility to share appropriate knowledge about the existence and general extent of security measures so that other users can be confident that the system is adequately secure.
• Managers should act in a timely, coordinated manner to prevent and to respond to breaches of security, to help prevent damage.

Computer Security Elements (NIST Handbook)
Computer security requires a comprehensive and integrated approach.
• A comprehensive approach that considers a variety of areas both within and outside of the computer security field shall be in place.
• Interdependencies of Security Controls: security controls often depend upon the proper functioning of other controls.
• Other Interdependencies: The effectiveness of security controls also depends on such factors as system management, legal issues, quality assurance, and internal and management controls.

Computer Security Elements (NIST Handbook)
Computer security should be periodically reassessed.
• Computer security is not a static process. It requires continuous monitoring and management.
• Organizations must ensure that new vulnerabilities and evolving threats are quickly identified and responded to accordingly.
• Understanding of organizational risk tolerance is required, to assist officials in setting priorities and managing risk throughout the organization in a consistent manner.

Computer Security Elements (NIST Handbook)
Computer security is constrained by societal and cultural factors.
• The ability of security to support the mission of the organization(s) may be limited by various factors, such as social issues. For example, security and workplace privacy can conflict.
• Organizations shall make information security functions transparent, easy to use, and understandable.
• Organizations shall find a balance between information security requirements and usability.

Roles and Responsibilities
• The security job involves activities that span across the enterprise.
• Clear designation of roles and responsibilities is crucial.
• In small organizations, an employee may take more than one responsibility.

Risk Executive Function (Senior Management)
• Defining a holistic approach to addressing risk across the entire organization;
• Developing an organizational risk management strategy;
• Supporting information sharing amongst authorizing officials and other senior leaders in the organization;
• Overseeing risk management related activities across the organization.

Chief Executive Officer (CEO)
• Ensuring the integration of information security management processes with strategic and operational planning processes;
• Making sure that the information and systems used to support organizational operations have proper information security safeguards;
• Confirming that trained personnel are complying with related information security legislation, policies, directives, instructions, standards, and guidelines.

Chief Information Officer (CIO)
• Allocating resources dedicated to the protection of the systems supporting the organization’s mission and business functions;
• Ensuring that systems are protected by approved security plans and are authorized to operate;
• Making sure that there is an organization-wide information security program that is being effectively implemented.
Information Owner
• Establishing the rules for the appropriate use and protection of the subject information;
• Providing input to system owners regarding the security requirements and security controls needed to adequately protect the subject information.

Chief Information Security Officer
• Managing and implementing an organization-wide information security program;
• Assuming the role of authorizing official designated representative or security control assessor when needed.

Authorizing Official (AO)
• Approving security plans, memorandums of agreement or understanding, plans of action and milestones, as well as determining whether significant changes in the system or environments of operation require reauthorization;
• Ensuring that authorizing official designated representatives carry out all activities and functions associated with security authorization.

Authorizing Official Designated Representative
• Carrying out the duties of the Authorizing Official as assigned;
• Making decisions with regard to planning and resourcing of the security authorization process, approval of the security plan, approving and monitoring the implementation of plans of action and milestones, and the assessment and/or determination of risk;
• Preparing the final authorization package, obtaining the authorizing official’s signature on the authorization decision document, and transmitting the authorization package to appropriate organizational officials.

Senior Agency Official for Privacy
• Overseeing, coordinating, and facilitating the agency’s privacy compliance efforts;
• Reviewing the agency’s information privacy procedures to ensure that they are comprehensive and up-to-date;
• Ensuring the agency’s employees and contractors receive appropriate training and education programs regarding the information privacy laws, regulations, policies, and procedures governing the agency’s handling of personal information.
Common Control Provider
• Documenting the organization-identified common controls in a security plan (or equivalent document prescribed by the organization);
• Ensuring that required assessments of common controls are carried out by qualified assessors with an appropriate level of independence defined by the organization.

System Owner
• Addressing the operational interests of the user community (i.e., users who require access to the system to satisfy mission, business, or operational requirements);
• Ensuring compliance with information security requirements; and
• Developing and maintaining the system security plan and ensuring that the system is deployed and operated in accordance with the agreed-upon security controls.

System Security Officer (SSO)
• Overseeing the day-to-day security operations of a system;
• Assisting in the development of the security policies and procedures and ensuring compliance with those policies and procedures.

Information Security Architect
• Serving as the liaison between the enterprise architect and the information security engineer;
• Coordinating with system owners, common control providers, and system security officers on the allocation of security controls as system-specific, hybrid, or common controls.

System Security Engineer (SSE)
• Designing and developing organizational systems or upgrading legacy systems;
• Coordinating security-related activities with information security architects, senior agency information security officers, system owners, common control providers, and system security officers.
Security Control Assessor
• Providing an assessment to identify weaknesses or deficiencies in the system and its environment of operation;
• Recommending corrective actions to address identified vulnerabilities;
• Preparing a security assessment report containing the results and findings from the assessment.

System Administrator
1. Installing, configuring, and updating hardware and software
2. Establishing and managing user accounts
3. Overseeing backup and recovery tasks
4. Implementing technical security controls

User
• Adhering to policies that govern acceptable use of organizational systems;
• Using the organization-provided IT resources for defined purposes only;
• Reporting anomalies or suspicious system behavior.

Supporting Roles - Auditor
• Check whether the system is meeting stated security requirements and organization policies.
• Check whether security controls are appropriate.
• Informal audits can be performed by those operating the system under review or by impartial third-party auditors.

Support - Physical Security Staff
• The physical security office is responsible for developing and enforcing appropriate physical security controls, often in consultation with information security management, program and functional managers, and others.
• Physical security addresses central system installations, backup facilities, and office environments.
• In the government, this office is often responsible for processing personnel background checks and security clearances.

Disaster Recovery/Contingency Planning Staff
• Some organizations have a separate disaster recovery/contingency planning staff.
• The staff is typically responsible for contingency planning for the entire organization and works with other teams to obtain additional contingency planning support, as needed.

Assignment Instruction
• Write a short essay on the Ethiopian security roles and responsibilities in your organizations.
• Comment on missing gaps by comparing to the NIST recommendation.
Pages
• Max 5 pages. Min 2 pages.
Due Date
• Next Wednesday (December 01, 2021).