Management of Information Security

CSE 4482
Computer Security Management: Assessment and Forensics
Management of Information Security
Instructor: N. Vlajic, Fall 2013
Required reading:
Management of Information Security (MIS), by Whitman & Mattord
• Chapter 1, pages 8 – 15
• Chapter 4, all pages
• Chapter 5, pages 163 – 188
Learning Objectives
Upon completion of this material, you should be able to:
• List the key managerial roles and the main types of managerial positions in an organization.
• Describe the POLC project management model.
• List and describe organizational/structural approaches to information security.
• Explain the difference between security policy, standard and procedure.
• List the different types of security policy that can be found in an organization.
Management: Definitions
• Management – process of achieving objectives using a given set of resources
• Manager – person assigned to handle the following roles necessary to achieve the desired objective(s):
  - informational role: collect, process, use and provide information that can affect the completion of the objective
  - interpersonal role: coordinate and interact with superiors, subordinates, outside stakeholders and other parties that influence or are influenced by the completion of the task
  - decisional role: select among alternative approaches and resolve conflicts, dilemmas or challenges
Examples: teacher, student, president, software developer
Management: Definitions (cont.)
Example: 3 managerial role categories
http://education-portal.com/academy/lesson/decisional-roles-in-managementtypes-examples-definition.html
Management: Definitions (cont.)
Example: Mintzberg's 10 Managerial Roles
Interpersonal roles:
  - represent the organization externally – formal head
  - provide leadership to his group
  - interact with peers and people outside
Informational roles:
  - receive and collect information
  - disseminate special information into the organization/group
  - disseminate the organization's information outside
Decisional roles:
  - initiate and plan change – take action to improve existing operation
  - deal with problems & threats
  - decide where and how the organization's resources will be allocated
  - manage the organization's/group's main operation
http://www.flatworldknowledge.com/node/28989#web-28989
Management: Definitions (cont.)
Different managerial positions require a different balance of the 3/10 managerial roles.
  - at top-level managerial positions, interpersonal roles (e.g., figurehead & leader) are performed more often
  - at lower-level managerial positions, decisional roles (e.g., disturbance handler & negotiator) are performed more often
Elementary Information Security, R. E. Smith, p. 580
Basic Management Functions
• Four key managerial functions / responsibilities when dealing with a task – the POLC model: Planning, Organizing, Leading, Controlling
[Figure: POLC model, with the four functions grouped under Strategy Formulation and Strategy Implementation]
Basic Management Functions (cont.)
1) Planning: deciding what needs to happen in the future and generating adequate plans for action
  - strategic planning – occurs at the highest levels of the organization and for a long period of time (5 or more years)
  - tactical planning – focuses on production planning and integrates organizational resources for an intermediate duration (1 – 5 years)
  - operational planning – focuses on day-to-day operations of local resources, and occurs in the present or the short term
The planning process begins with the creation of a strategic plan for the entire organization/group. The resulting plan is then divided up into planning elements for each sub-unit.
In planning, goals and objectives must be adequately set.
  - goal – ultimate (end) result of a planning process
  - objective – intermediate point that allows us to measure progress towards the goal
Basic Management Functions (cont.)
Example: Strategic vs. tactical vs. operational plan.
Strategic plan: The company should be 100% immune to DDoS attacks.
Tactical plan: 4 firewalls should be purchased and set up in the next year.
Operational plan: Identify the most problematic traffic and set up the firewalls accordingly.
Basic Management Functions (cont.)
2) Organizing: optimum structuring of resources to enable successful carrying out of the plan; may include
  - structuring of existing departments and their staff
  - (new) staffing
  - purchase and storage of raw materials
  - collection of additional/specialized information
3) Leading / Directing: determining what specific steps need to be done and getting people to do them; may include
  - developing direction and motivation for employees
  - supervising employee behavior, attendance, performance, attitude
Basic Management Functions (cont.)
4) Monitoring / Controlling: monitor progress towards achieving the goal and make necessary adjustments
  - ensure sufficient progress is made
  - ensure the plan is adequately implemented
  - resolve any impediments to task/plan completion
  - acquire additional resources, when necessary
Should the plan be found invalid in light of the operational reality of the organization, the manager should take corrective actions.
Basic Management Functions (cont.)
Example: Control process
[Figure: control process – plan: develop 100% secure cryptographic code; result: 'beta version' produced]
Information Security Management
Information Security Management
• Three common groups of managers:
  - Non-technical General Business Managers – articulate and communicate organizational objectives and policy
  - IT Managers – support the organization's business objectives by supplying and supporting appropriate IT
  - Information Security Managers – protect the organization's information assets from the many threats they face
[Figure: General Managers, IT Managers, Info Sec Managers]
Information Security Management (cont.)
• Information Security management operates like all other management units, employing the common management (POLC) methodology.
• However, the specific goals and objectives of Info. Sec. management differ from those of IT and general management.
• Certain characteristics of Info. Sec. management are unique to this community!
Information Security Management (cont.)
• Goals of Info. Sec. vs. Goals of IT – not always in complete alignment; sometimes in conflict
  - IT professionals focus on:
    - cost of system creation & operation [ freeware vs. paid software ]
    - timeliness of system creation [ web server with no DMZ ]
    - ease of system use for the end-user [ single-factor authentication ]
    - quality of system performance (speed, delay, …) [ no firewall ]
  - Info. Sec. professionals focus on:
    - protection of the organization's information systems at all cost necessary
Information Security Management (cont.)
Example: placing Information Security within an organization – Option 1
[Figure: organizational chart, Option 1 – Info. Sec. under the IT department]
Information Security Management (cont.)
Example: placing Information Security within an organization – Option 1 (cont.)
Most common organizational structure: in 50% of companies. Info. Sec. under (reports to & shares budget with) the IT department.
  - pros:
    - whoever the Info. Sec. manager reports to understands technological issues
    - security staff and IT staff collaborate on a day-to-day basis
    - there is only 'one person' between the Info. Sec. manager and the CEO
  - cons:
    - CEOs are likely to discriminate against the Info. Sec. function, as other IT objectives (e.g. computer performance ⇒ time to market) often take precedence
Information Security Management (cont.)
Example: placing Information Security within an organization – Option 2
[Figure: organizational chart, Option 2 – Info. Sec. under Administrative Services]
Information Security Management (cont.)
Example: placing Information Security within an organization – Option 2 (cont.)
Info. Sec. reports to the Administrative Services Department – performs services for workers throughout the organization, much like HR.
  - pros:
    - acknowledges that information and information systems are found everywhere throughout the organization – all employees are expected to 'work with' the Info. Sec. department
    - supports efforts to secure information no matter its form (paper, verbal, etc.) rather than viewing the info. sec. function as strictly a computer- & network-related issue
  - cons:
    - the Administrative Services VP often does not know much about IT and Info. Sec. – may not be effective in communicating with the CEO
    - often subject to cost-cutting measures
Information Security Management (cont.)
Example: placing Information Security within an organization – Option 3
[Figure: organizational chart, Option 3 – Info. Sec. under Insurance & Risk Management]
Information Security Management (cont.)
Example: placing Information Security within an organization – Option 3 (cont.)
Info. Sec. reports to the Insurance & Risk Management Department. This approach typically involves assessing the extent/likelihood of potential losses in case of a weakened info. sec. function.
  - pros:
    - brings greater resources and management attention to Info. Sec.
    - the Chief Risk Manager (CRM) is likely to be prevention oriented and adopt a longer-term viewpoint
  - cons:
    - CRMs are often not familiar with information system technology
    - may over-emphasize strategic issues, and overlook operational and administrative aspects of info. sec. (e.g. change of access privileges when people change jobs)
Information Security Management (cont.)
Example: Info. Sec. in different companies
Which of the three discussed organizational models would you deploy in which of the three companies?

Model                             | When it should be employed                                                                                                                                                          | Company
----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------
Info. Sec. within Risk Management | when the company's revenues critically depend on the CIA of information – if information CIA gets jeopardized, the company loses money                                               | Amazon
Info. Sec. within IT              | in companies where it is critical to obtain/use the latest technology, and the bulk of the work done by the Info. Sec. department is related to that (new) technology              | Hospital
Info. Sec. within Admin. Services | in companies that may not worry about using the latest technology, but rather about properly securing existing data and whatever technology (info. infrastructure) is currently in place | IBM
Information Security Structure / Organization
IS Organization / Structure / Program
• Factors Impacting Info. Sec. Organization:
  - Organization Culture:
    - if upper management & staff believe that info. sec. is a waste of time and resources, the info. sec. program will remain small, poorly supported and have difficulty operating
  - Organization Size (and Budget):
    - large organizations tend to have large(r) information security programs; smaller organizations may have a single security administrator
Although the size of an organization determines the makeup of its information security program, certain basic functions should be found in every organization.
IS Organization / Structure / Program (cont.)
• Functions Related to Info. Sec. Program:
[Figure: functions related to the Info. Sec. program, continued over two slides; visible labels include "software testing" and "Op. Sys. Administr."]
IS Organization / Structure / Program (cont.)
[Figure: Info. Sec. functions ranging from 'hands on' (dealing with information and IT infrastructure) to 'conceptual']
http://dcvizcayno.wordpress.com/2012/02/16/what-is-information-security-governance/
IS Organization / Structure / Program (cont.)
• Correlation between different Info. Sec. functions
http://www.jirasekonsecurity.com/2011/10/security-model-business-oriented.html
IS Organization / Structure / Program (cont.)
• Security in Large Organizations – with more than 1000 devices requiring security management
  - functions performed by non-technology business units:
    - legal
    - training
  - functions performed by IT groups outside the Info. Sec. department:
    - systems/OS security administration
    - network security administration
    - centralized authentication
  - functions performed by the Info. Sec. department – technical:
    - risk management
    - systems testing
    - incident response
    - planning
    - measurement
    - vulnerability assessment
IS Organization / Structure / Program (cont.)
  - functions performed by the Info. Sec. department – compliance enforcement obligation:
    - policy
    - compliance / audit
    - risk assessment
    (these should be performed by different people to avoid a 'conflict of interest'!!!)
IS Organization / Structure / Program (cont.)
• Security in Mid- to Small-size Organizations – under 1000 devices
  - some of the identified functions are ignored, and multiple functions are assigned to the same group/person
More on different specific security roles later …
IS Organization / Structure / Program (cont.)
Example: Test your knowledge of security functions
http://academy.delmar.edu/Courses/ITSY2430/Labs/SecurityPolicyQuiz.html
Security Policy
Policy, Standard, Procedure
Example: Policy
http://www.yorku.ca/secretariat/policies/document.php?document=127
Policy, Standard, Procedure (cont.)
• Security Policy – foundation of an effective info. security system/program
  - What is it?
    - concise and easy to understand statement
    - defines a set of conditions that are critical for protecting the organization's assets, and its ability to conduct business
    - defines security practices that management expects employees and other stakeholders to follow
  - Why do we need it?
    - helps organizations demonstrate their commitment to protecting their vital information assets
    - heightens the security awareness of company personnel or third-party users/customers
Policy, Standard, Procedure (cont.)
Policies specify WHY something should be done, not WHAT exactly and HOW.
Although the least expensive security protection, policies are often the most difficult to implement/enforce.
To ensure effectiveness, failure to comply with a policy should imply disciplinary action.
Policy, Standard, Procedure (cont.)
Example: Organization without policy
Consider the scenario:
An employee (A) behaves inappropriately at the workplace, by reading another employee's email.
Another employee (B) is aggrieved by this behavior and sues the company. The company does not have a policy that prohibits such behavior, hence no legal action against the offender (A) can be taken …
Nevertheless, the company may be legally obliged to protect the privacy of employee B.
The company loses the lawsuit, and lots of money …
Policy, Standard, Procedure (cont.)
Example: Policy that is hard to implement
“Employees are not allowed to take any IP-related documentation out of the company's premises.”
Policy, Standard, Procedure (cont.)
[Figure: relationship between policy, standard, guideline and procedure – Why? / What? / How?]
http://mindfulsecurity.com/2009/02/03/policies-standards-and-guidelines/
http://christodonte.com/2009/05/relationship-between-a-policy-standard-guideline-and-procedure/
Policy, Standard, Procedure (cont.)
• Security Standard – more specific directives that are mandatory
  - describe how to comply with the policy
  - also, an extension of the policy into the real world – specifies technology settings, platforms or behaviors
  - it is important to audit adherence to standards to ensure their implementation
• Security Procedure – specifies the actual steps of what needs to be done to comply with a standard
  - example:
    - specific instructions on how to download and install centrally managed antivirus software
Policy, Standard, Procedure (cont.)
Example: Policy vs. Standard vs. Procedure
Many Info. Sec. departments have specific protocols for performing backups of server hard drives.
Policy: Describes the need for backups, for storage off-site, and for safeguarding the backup media.
Standard: Defines the software to be used to perform backups and how to configure this software (e.g. Acronis, SmartSync, etc.)
Procedure: Describes how to use the backup software, the timing for making backups, and other ways that humans interact with the backup system.
Policy, Standard, Procedure (cont.)
Example: Backup and Recovery Policy (the 'Why?')
http://technology.iusm.iu.edu/security-policies-procedures-and-standards/backup-and-recovery-policy/
Policy, Standard, Procedure (cont.)
• Security Guideline – discretionary set of directions designed to achieve a policy/security objective
  - needed in complex & uncertain situations for which rigid standards cannot be specified
  - examples:
    - a company might have a guideline that each new employee should have a background check
    - however, in an emergency, a department head might be allowed to hire a person before a background check is completed
• Security Recommended Practices – set of policies / standards / procedures / guidelines recommended by trade associations and government agencies
• Security Best Practices – descriptions of what the best firms in the industry are doing about security
Policy, Standard, Procedure (cont.)
Example: Microsoft – Best Security Practices
http://technet.microsoft.com/en-us/library/dd277328.aspx
Security Policies
• Important rules to follow when shaping a policy:
  - Policy should never conflict with law.
  - Policy must be able to stand up in court if challenged.
  - Policy must be properly supported and administered.
• For policies to be effective, they must be:
  A. Developed using industry-accepted practices.
  B. Distributed or disseminated using all appropriate methods.
  C. Read by all employees.
  D. Comprehended by all employees.
  E. Formally agreed / complied to by act or affirmation.
  F. Enforced and applied uniformly.
Security Policies (cont.)
A. Development of Security Policy: 5-stage process
  - A.1 Investigation Phase.
    - Form the right policy design team consisting of representatives from the groups that will be affected by the new policy (e.g. legal dept., HR, end users of the various IT systems covered by the policy)
    - Make an outline of the scope and goals of the policy, as well as the cost and scheduling of its implementation.
    - Obtain general support from senior management. Without enough attention, any policy has a reduced chance of success – mid-management and users are not likely to implement it.
  - A.2 Analysis Phase.
    - Obtain all recent & relevant information – risk assessment, IT audits, … – as well as other references (e.g. past lawsuits) concerning positive / negative outcomes of similar policies.
Security Policies (cont.)
Why is the Analysis Phase performed after the Investigation Phase? Wouldn't it be beneficial to approach management with already gathered legal/audit (reference) information?
Sometimes policy documents that affect information security are housed in the HR department, as well as in the accounting, finance, legal, or corporate security departments.
Security Policies (cont.)
A. Development of Security Policy: 5-stage process (cont.)
  - A.3 Design (Distribution Planning) Phase.
    - Create a plan on how to distribute and verify the distribution of the policy.
  - A.4 Implementation Phase.
    - The design team actually writes the policy.
    - Can rely on existing policies found on the Web, Government sites, professional literature.
  - A.5 Maintenance Phase.
    - Monitor, maintain, and modify the policy to ensure that it remains effective as a tool against ever-changing threats.
Security Policies (cont.)
Example: Policy templates
http://www.sans.org/security-resources/policies/
Security Policies (cont.)
B. Policy Distribution
  - Getting the policy document into the hands of all employees may require a substantial effort / investment.
  - Techniques of distribution:
    - hard-copy distribution
    - bulletin-board distribution
    - distribution via email
    - distribution via intranet (in HTML or PDF form)
  - The organization must be able to prove distribution of the policy document, e.g. via an audit log in the case of electronic distribution.
Security Policies (cont.)
C. & D. Policy Reading and Comprehension
  - Policy must be written/presented in a way that all employees can read and comprehend:
    - illiterate or low-literate workers
    - ESL workers
    - visually impaired, etc.
Example: Importance of policy reading & comprehension
Assume an employee is fired for failure to comply with a policy. If the organization cannot verify that the employee was in fact properly educated on the policy, the employee could sue the organization for wrongful termination.
Security Policies (cont.)
E. Policy Compliance
  - Failure to agree to or follow a policy may jeopardize the organization's interests and, thus, be sufficient to decide on termination.
  - However, the legal system may not support such a decision.
  - The organization can incorporate a 'policy confirmation' statement into the employment contract or annual evaluation.
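Proving distribution (B), verifying that an employee was educated on the policy (C & D) and collecting the 'policy confirmation' statement (E) all come down to the same piece of evidence: a record of who received and acknowledged which dated revision of the policy. The following is an added example, not code from the lecture or from the Whitman & Mattord text, of a minimal acknowledgement register. Each published revision is pinned by the SHA-256 of its exact text, every distribution and confirmation event goes into an append-only log, and a report lists everyone whose confirmation for the current revision is missing; a confirmation of an older revision does not count, which is why the revisions are dated and hashed. The policy name, text, employee names and dates are constructed sample data.

```python
"""Evidence register for policy distribution and acknowledgement (added example)."""
import hashlib
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class PolicyRevision:
    """One dated revision of a policy document; the digest pins the exact wording."""
    name: str
    version: str
    effective: date
    text: str

    @property
    def digest(self) -> str:
        return hashlib.sha256(self.text.encode("utf-8")).hexdigest()


@dataclass
class AcknowledgementRegister:
    revisions: dict = field(default_factory=dict)  # digest -> PolicyRevision
    log: list = field(default_factory=list)         # append-only audit trail of event tuples

    def publish(self, rev: PolicyRevision, recipients, channel: str, when: date):
        """Record that `rev` was distributed to every recipient over `channel` (the audit log)."""
        self.revisions[rev.digest] = rev
        for who in recipients:
            self.log.append(("distributed", who, rev.digest, channel, when))

    def acknowledge(self, who: str, digest: str, when: date):
        """Record an employee's signed confirmation; it must name a published revision."""
        if digest not in self.revisions:
            raise ValueError("acknowledgement does not match any published revision")
        self.log.append(("acknowledged", who, digest, "signed", when))

    def outstanding(self, current: PolicyRevision, recipients):
        """Recipients with no acknowledgement of the *current* revision's digest.

        Confirmations of earlier revisions are deliberately ignored: after a
        revision is published the confirmation has to be collected again.
        """
        acked = {who for kind, who, d, _, _ in self.log
                 if kind == "acknowledged" and d == current.digest}
        return sorted(set(recipients) - acked)

    def evidence(self, who: str, rev: PolicyRevision):
        """Audit trail for one person and one revision: proof of distribution plus any confirmation."""
        return [e for e in self.log if e[1] == who and e[2] == rev.digest]


def sample_scenario():
    """Constructed sample: everyone confirmed v1.0, only alice has confirmed v1.1 so far."""
    v1 = PolicyRevision("Acceptable Use Policy", "1.0", date(2013, 1, 15),
                        "Company IT systems may only be used to access corporate information.")
    v2 = PolicyRevision("Acceptable Use Policy", "1.1", date(2013, 9, 1),
                        "Company IT systems may only be used to access corporate information. "
                        "Personal equipment may be connected to company networks only with approval.")
    staff = ["alice", "bob", "carol"]
    reg = AcknowledgementRegister()
    reg.publish(v1, staff, "intranet", date(2013, 1, 15))
    for who in staff:
        reg.acknowledge(who, v1.digest, date(2013, 2, 1))
    reg.publish(v2, staff, "email", date(2013, 9, 1))
    reg.acknowledge("alice", v2.digest, date(2013, 9, 3))
    return reg, v1, v2, staff


if __name__ == "__main__":
    reg, v1, v2, staff = sample_scenario()
    print("outstanding for", v2.version, "->", reg.outstanding(v2, staff))
    for entry in reg.evidence("bob", v2):
        print(entry)
```

Running the sample reports bob and carol as outstanding for revision 1.1 even though both confirmed 1.0, and `evidence("bob", v2)` shows only the distribution entry, which is exactly the gap the wrongful-termination example above turns on: the organization can prove it sent the policy, but not that bob was educated on or agreed to it.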
Security Policies (cont.)
F. Policy Enforcement
  - Because of potential scrutiny during legal proceedings, organizations must establish high standards of policy implementation.
    - example: if a policy mandates that all employees wear ID badges in a clearly visible location, and some management members decide not to follow this policy, any action taken against other employees will not withstand legal challenges
Security Policies (cont.)
• Three types of security policies found in most organizations:
  1) Enterprise Information Security Policy (EISP)
  2) Issue-specific Security Policy (ISSP)
  3) System-specific Security Policy (SysSP)
Security Policies: EISP
1) Enterprise Information Security Policy (EISP)
  - Also known as the general security policy – sets the strategic direction, scope, and tone for all security matters and efforts.
  - Short (2 – 10 page) executive-level document usually drafted by the chief IT officer of the organization.
  - Common components of a good EISP:
    - Statement of purpose – explains the intent of the document.
    - States the info. sec. philosophy for the given enterprise.
    - Explains the importance of info. sec. for the enterprise.
    - Defines the info. sec. organization/structure of the enterprise.
    - Lists other standards that influence and are influenced by this document.
Security Policies: ISSP
2) Issue-Specific Security Policy (ISSP)
  - Provides detailed, targeted guidance concerning the use of a particular process, technology or system.
  - ISSP may cover one or more of the following:
    - use of electronic mail
    - use of the Internet and WWW
    - use of company-owned computer equipment
    - use of personal equipment on company networks
    - specific minimum configuration of computers to defend against worms and viruses
    - prohibitions against hacking or testing organization security controls
Security Policies: ISSP (cont.)
2) Issue-Specific Security Policy (ISSP) (cont.)
  - Components of a typical ISSP:
  1) Statement of Purpose
    - what is the scope of the policy
    - what technology and issue it addresses
    - who is responsible and accountable for policy implementation
  2) Authorized Access and Usage
    - who can use the technology governed by the policy
    - what the technology can be used for
    - what constitutes 'fair and responsible' use of the technology and how it may impact 'personal information and privacy'
  3) Prohibitive Use of Equipment – unless a particular use is clearly prohibited, the company cannot penalize its employees for misuse
    - what constitutes disruptive use, misuse, criminal use
    - what other possible restrictions may apply
Security Policies: ISSP (cont.)
2) Issue-Specific Security Policy (ISSP) (cont.)
  - Components of a typical ISSP (cont.):
  4) Systems Management
    - what / which kind of authorized employer monitoring is involved (e.g. electronic scrutiny of email and other electronic documents)
  5) Violation of Policy
    - what specific penalties, for each category of violation, will apply
    - how to report observed or suspected violations – openly or anonymously
  6) Policy Review and Modifications
    - how the review and modification of the policy is performed, so as to keep it as 'current' as possible
  7) Limitation of Liability – the company does not want to be liable if an employee is caught conducting illegal activity with the company's assets
    - who is liable if an employee violates a company policy or any law
Security Policies: ISSP (cont.)
Example: ISSP examples
York University:
www.eecs.yorku.ca/teaching/prism/policy/prismPolicy.html
www.yorku.ca/secretariat/policies/document.php?document=127
Security Policies: SysSP
3) System-Specific Security Policy (SysSP)
  - Both EISP and ISSP are formalized as written documents readily identifiable as policy.
  - SysSP has the look of a standard or a procedure to be used when configuring / maintaining a system.
  - Managerial Guidance SysSP – created by management to guide the implementation / configuration of technology as well as to address people's behavior in ways that support the EISP and ISSP.
  - Technical Specifications SysSP – in some cases system administrators need to create / implement their own policy in order to enforce the EISP, ISSP or managerial policy.
Security Policies: SysSP (cont.)
Example: EISP vs. ISSP vs. Managerial SysSP
EISP: The company's IT system should only be used to access corporate information.
ISSP 1: The email server should discard/quarantine all emails with non-corporate sender/receiver email addresses.
ISSP 2: The firewall should be set in a way that prevents access to outside web sites.
Managerial SysSP: All outgoing IP packets carrying HTTP content and port numbers x, y, z should be dropped.
Security Policies: SysSP (cont.)
Example: EISP vs. ISSP vs. Technical SysSP
EISP: Only authorized users should obtain access to the company's IT system.
ISSP: The central server that manages user accounts will implement reliable password-based authentication.
Managerial SysSP: Passwords should be strong (hard to break) and should be periodically renewed.
Technical SysSP: The Windows 2003 server will be set to require password renewal every 4 months.
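The technical SysSP is only worth writing down if somebody checks that the server actually matches it (the deck's earlier point that adherence to standards must be audited). The following is an added example, not code from the lecture or the textbook, that parses the output of the Windows `net accounts` command, which reports the local account policy of a server, and compares it with a technical SysSP expressed as auditable bounds. The `net accounts` text is a constructed sample in the command's real layout, not captured from any host; the 120-day maximum password age is the slide's 'every 4 months', while the minimum length, password history and lockout thresholds are assumed values chosen for the example. The design point is in `check_compliance`: a value reported as Unlimited, Never or None means no limit is configured, so it is reported as a finding rather than silently passing a numeric comparison.

```python
"""Audit a Windows account policy against a technical SysSP (added example)."""
import re

# Technical SysSP as auditable bounds (assumed values; 120 days = "every 4 months").
# "max": the observed value must be <= bound; "min": the observed value must be >= bound.
TECHNICAL_SYSSP = {
    "Maximum password age (days)":           ("max", 120),
    "Minimum password length":               ("min", 12),
    "Length of password history maintained": ("min", 10),
    "Lockout threshold":                     ("min", 5),
}

# Constructed sample of `net accounts` output from a server that has never been hardened.
NONCOMPLIANT_OUTPUT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              8
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.
"""


def with_setting(text, name, value):
    """Return `text` with the value of one `net accounts` line replaced (sample-building helper)."""
    pattern = r"(?m)^(" + re.escape(name) + r":\s+)\S.*$"
    return re.sub(pattern, lambda m: m.group(1) + value, text)


# Constructed sample of the same server after its settings were brought in line with the SysSP.
COMPLIANT_OUTPUT = NONCOMPLIANT_OUTPUT
for _name, _value in [("Maximum password age (days)", "120"),
                      ("Minimum password length", "12"),
                      ("Length of password history maintained", "24"),
                      ("Lockout threshold", "5")]:
    COMPLIANT_OUTPUT = with_setting(COMPLIANT_OUTPUT, _name, _value)


def parse_net_accounts(text):
    """Map each 'Setting: value' line of `net accounts` output to its raw value string."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s+(\S.*?)\s*$", line)
        if m:
            settings[m.group(1).strip()] = m.group(2)
    return settings


def as_int(raw):
    """Numeric values become ints; 'Unlimited', 'Never', 'None' (no limit configured) become None."""
    return int(raw) if raw is not None and raw.isdigit() else None


def check_compliance(settings, policy=TECHNICAL_SYSSP):
    """Return (setting, observed, requirement) for every setting outside the SysSP.

    A missing or non-numeric value never satisfies a bound, so "no limit set"
    is reported as a finding instead of passing as a harmless zero.
    """
    findings = []
    for name, (kind, bound) in policy.items():
        raw = settings.get(name)
        value = as_int(raw)
        ok = value is not None and (value <= bound if kind == "max" else value >= bound)
        if not ok:
            findings.append((name, raw, f"{'<=' if kind == 'max' else '>='} {bound}"))
    return findings


if __name__ == "__main__":
    for label, output in (("before", NONCOMPLIANT_OUTPUT), ("after", COMPLIANT_OUTPUT)):
        findings = check_compliance(parse_net_accounts(output))
        print(f"{label}: {len(findings)} finding(s)")
        for name, observed, requirement in findings:
            print(f"  {name}: observed {observed!r}, SysSP requires {requirement}")
```

On the "before" sample all four SysSP settings are reported (unlimited password age, length 8, no history, no lockout); on the "after" sample the list is empty. On a real server the same functions would be fed the captured output of `net accounts`, and the same bounds could be published as the technical SysSP document so that the audit and the policy cannot drift apart.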
Security Policies: SysSP (cont.)
Example: Password SysSP on a Server
Final Note on Policy
• Policy Administrator – must ensure that policy documents and their subsequent revisions are appropriately distributed
  - a three-ring binder sitting on a manager's bookcase is not likely to achieve the goal
• Policy Review – to remain relevant and effective, security policies should be reviewed annually
  - input from all affected parties should be sought
  - the policy, and its revisions, should always be dated!