session_11_chapter_6_slides

advertisement
Management of Information
Security, 4th Edition
Chapter 6
Security Management Models
Objectives
• Describe the dominant InfoSec blueprints,
frameworks, and InfoSec management models,
including U.S. government-sanctioned models
• Explain why access control is an essential element
of InfoSec management
• Recommend an InfoSec management model and
explain how it can be customized to meet the needs
of a particular organization
• Describe the fundamental elements of key InfoSec
management practices
Management of Information Security, 4th Edition
© Cengage Learning 2014
2
Objectives (continued)
• Discuss emerging trends in the certification and
accreditation of U.S. federal information technology
(IT) systems
Management of Information Security, 4th Edition
© Cengage Learning 2014
3
Blueprints, Frameworks, and Security
Models
• Blueprint - describes existing controls and identifies
other necessary security controls
• Framework - the outline of the more thorough
blueprint
– Sets out the model to be followed in the creation of
the design, selection, and initial implementation of all
subsequent security controls
• Security model - a generic blueprint offered by a
service organization
– Free models are available from the National Institute
of Standards and Technology (NIST)
Management of Information Security, 4th Edition
© Cengage Learning 2014
4
Blueprints, Frameworks, and Security
Models (continued)
• Another way to create a blueprint:
– To look at the paths taken by other organizations
– This is a kind of benchmarking where recommended
practices or industry standards are followed
• Benchmarking: the comparison of two related
measurements
• Benchmarking can provide details on how controls
are working
– Or which new controls should be considered
– Does not provide details on how controls should be
put into action
Management of Information Security, 4th Edition
© Cengage Learning 2014
5
Access Control Models Part 1
• Access controls - regulate the admission of users
into trusted areas of the organization
• Access control is maintained by means of:
– A collection of policies
– Programs to carry out those policies
– Technologies to enforce policies
Management of Information Security, 4th Edition
© Cengage Learning 2014
6
Access Control Models Part 2
• General application of access control comprises
four processes:
– Identification - obtaining identity of the entity
requesting access to a logical or physical area
– Authentication - confirming the identity
– Authorization - determining which actions an
authenticated entity can perform in that physical or
logical area
– Accountability - documenting the activities of the
authorized individual and systems
Management of Information Security, 4th Edition
© Cengage Learning 2014
7
Access Control Models Part 3
• Access control is built on several key principles:
– Least privilege - member of the organization can
access the minimum amount of information for the
minimum amount of time necessary
– Need-to-know - limits a user’s access to the specific
information required to perform the currently
assigned task
– Separation of duties - requires that significant tasks
be split up in such a way that more than one
individual is responsible for their completion
Management of Information Security, 4th Edition
© Cengage Learning 2014
8
Categories of Access Control
• A number of approaches are used to categorize
access control methodologies
• One approach depicts controls by characteristics:
–
–
–
–
–
Deterrent
Preventive
Detective
Corrective
Recovery
Management of Information Security, 4th Edition
© Cengage Learning 2014
9
Categories of Access Control
(continued)
• A second approach categorizes controls based on
their operational impact on the organization:
– Management
– Operational (administrative)
– Technical
• A third approach describes the degree of authority
under which the controls are applied
– Can be mandatory, nondiscretionary, or
discretionary
Management of Information Security, 4th Edition
© Cengage Learning 2014
10
Table 6-1 Categories of access
control
Empty cell
Deterrent
Preventative
Detective
Management
Policies
Registration
procedures
Periodic
Employee or
violation report account
reviews
termination
Operational
Warning
signs
Gates, fences, Sentries.
and guards
CCTVs
Technical
Warning
banners
Login
systems.
Kerberos
Management of Information Security, 4th Edition
Log monitors
and IDPSs
Corrective
Recovery
Compensating
Disaster
recovery
plan
Separation of
duties, job
rotation
Fire
suppression
systems
Disaster
recovery
procedures
Defense in
depth
Forensics
procedures
Data
backups
Key logging and
keystroke
monitoring
© Cengage Learning 2014
11
Mandatory Access Controls
• A mandatory access control (MAC) - is required
and is structured and coordinated within a data
classification scheme that rates each collection of
information
– As well as each user
• Ratings are often referred to as sensitivity or
classification levels
• When MACs are implemented:
– Users and data owners have limited control over
access to information resources
Management of Information Security, 4th Edition
© Cengage Learning 2014
12
Data Classification Model
• The U.S. military uses a five-level classification
scheme:
–
–
–
–
–
Unclassified data
Sensitive but unclassified (SBU) data
Confidential data
Secret data
Top secret data
• Compartmentalization - the restriction of
information to the very fewest people possible
(Need-to-know)
Management of Information Security, 4th Edition
© Cengage Learning 2014
13
Data Classification Model (continued)
• An organization can protect its sensitive
information with a simple scheme like the following:
– Public - for general public dissemination
– For official use only - not for public release but not
sensitive
– Sensitive - important information that , if
compromised, could embarrass the organization
– Classified - essential and confidential information
• Disclosure of which could severely damage the wellbeing of the organization
Management of Information Security, 4th Edition
© Cengage Learning 2014
14
Security Clearances
• Security clearance structure - each user of an
information asset is assigned an authorization level
that identifies the level of information classification
he or she can access
• Usually accomplished by assigned each employee
to a named role
– Data entry clerk, InfoSec analyst, etc.
• Most organizations have developed a set of roles
and a corresponding security clearance
Management of Information Security, 4th Edition
© Cengage Learning 2014
15
Managing Classified Information
Assets
• Managing an information asset includes all aspects
of its life cycle
– From specification to design, acquisition,
implementation, use, storage, distribution, backup,
recovery, retirement, and destruction
• Classified documents must be accessible only to
authorized individuals
– Usually requires locking file cabinets, safes, etc.
• “Clean desk policy” - requires each employee to
secure all information in its appropriate storage
container at the end of every business day.
Management of Information Security, 4th Edition
© Cengage Learning 2014
16
Managing Classified Information
Assets (continued)
• Documents should be destroyed by means of
shredding, burning, or transferred to a third-party
document destruction service
• Dumpster diving - the retrieval of information from
refuse or recycling bins
• Lattice-based access control - assigns users a
matrix of authorizations for particular areas of
access
– Level of authorization may vary depending on
classification authorizations
Management of Information Security, 4th Edition
© Cengage Learning 2014
17
Nondiscretionary Controls
• Nondiscretionary controls - determined by a central
authority in the organization and can be based on:
– Role-based controls - tied to the role that a user
performs
– Task-based controls - tied to a particular
assignment or responsibility
• Both controls make it easier to maintain controls
and restrictions
– Rights are assigned to the role, not the person
Management of Information Security, 4th Edition
© Cengage Learning 2014
18
Discretionary Access Controls
• Discretionary access controls (DACs) implemented at the discretion or option of the data
user
– The ability to share resources in a peer-to-peer
configuration allows users to control and possibly
provide access to information or resources at their
disposal
• Role-based models can be implemented under
DAC
– If an individual system owner wants to create the
rules
Management of Information Security, 4th Edition
© Cengage Learning 2014
19
Other Forms of Access Control
• Other models of access control include:
– Content-dependent access controls - access may be
dependent on its content
– Constrained user interfaces - designed specifically to
restrict what information an individual user can
access
– Temporal (time-based) isolation - access to
information is limited by a time-of-day constraint
Management of Information Security, 4th Edition
© Cengage Learning 2014
20
Security Architecture Models
• Security architecture models - illustrate InfoSec
implementations and can help organizations
quickly make improvements through adaptation
• Some models are:
–
–
–
–
Implemented into computer hardware and software
Implemented as policies and practices
Focused on the confidentiality of information
Focused on the integrity of the information as it is
being processed
Management of Information Security, 4th Edition
© Cengage Learning 2014
21
Trusted Computing Base Part 1
• Trusted Computer System Evaluation Criteria
(TCSEC) - an older DoD standard that defines the
criteria for assessing the access controls in a
computer system
• TCSEC defines a trusted computing base (TCB)
as the combination of all hardware, firmware, and
software responsible for enforcing security policy
• Within TCP is a conceptual object known as the
reference monitor
– It is the piece of the system that manages access
controls
Management of Information Security, 4th Edition
© Cengage Learning 2014
22
Trusted Computing Base Part 2
• Covert channels - unauthorized or unintended
methods of communications hidden inside a
computer system
• TCSEC defines two kinds of covert channels:
– Storage channels - communicate by modifying a
stored object
– Timing channels - transmit information by
managing the relative timing of events
Management of Information Security, 4th Edition
© Cengage Learning 2014
23
Bell-LaPadula Confidentiality Model
• Bell-LaPadula (BLP) confidentiality model - a
model of an automated system that is able to
manipulate its state or status over time
• BLP ensures confidentiality by using MACs, data
classification, and security clearances
• Access modes can be one of two types:
– Simple security - prohibits a subject of lower
clearance form reading an object of higher clearance
– * (Star) property - prohibits a high-level subject from
sending messages to a lower-level object
Management of Information Security, 4th Edition
© Cengage Learning 2014
24
Biba Integrity Model
• Biba integrity model - is based on the premise
that higher levels of integrity are more worthy of
trust than lower ones
• Biba model assigns integrity levels to subjects and
objects using two properties:
– Simple integrity property (read) - permits a subject to
have read access to an object only if its security
level is lower or equal to that object
– Integrity * property (write) - permits a subject to have
write access to an object if its security level is equal
to or higher than that object
Management of Information Security, 4th Edition
© Cengage Learning 2014
25
The ISO 27000 Series
• Information Technology - Code of Practice for
Information Security Management - one of the most
widely referenced InfoSec management models
– The Code of Practice was adopted as an
international standard framework for InfoSec by the
ISO and the IEC as ISO/IEC 17799
– It was revised in 2005 and in 2007 was renamed
ISO 27002
– Was intended to provide a common basis for
developing organizational security standards
Management of Information Security, 4th Edition
© Cengage Learning 2014
26
Table 6-2 Sections of the ISO/IEC
27002
•
•
•
•
•
•
•
•
•
•
•
•
•
Structure
Risk Assessment and Treatment
Security Policy
Organization of Information Security
Asset Management
Human Resource Security
Physical and Environmental Security
Communications and Operations
Access Control
Information Systems Acquisition, Development, and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance
Source: 27000.org
Management of Information Security, 4th Edition
© Cengage Learning 2014
27
Figure 6-2 ISO/IEC 27001 major
process steps
Management of Information Security, 4th Edition
© Cengage Learning 2014
28
NIST Security Models
• Advantages of NIST (National Institute of
Standards and Technology) security models over
many other sources of security information:
– They are publicly available at no charge
– They have been available for some time and have
been broadly reviewed by the government and
industry professionals
Management of Information Security, 4th Edition
© Cengage Learning 2014
29
NIST Special Publication 800-12
• SP 800-12: Computer Security Handbook - an
excellent reference and guide for routine
management of InfoSec
• SP 800-12 provides for:
–
–
–
–
–
–
Accountability
Awareness
Ethics
Multidisciplinary
Proportionality
Integration
Management of Information Security, 4th Edition
© Cengage Learning 2014
30
NIST Special Publication 800-12
(continued)
• SP 800-12 organizes controls into three categories:
– Management controls
– Operational controls
– Technical controls
Management of Information Security, 4th Edition
© Cengage Learning 2014
31
NIST Special Publication 800-14
Part 1
• SP 800-14: Generally Accepted Principles and
Practices for Securing Information Technology
Systems - describes recommended practices and
provides information on commonly accepted
InfoSec principles
– Can direct the security team in the development of a
security blueprint
– Also describes the philosophical principles that the
security team should integrate into the entire InfoSec
process
Management of Information Security, 4th Edition
© Cengage Learning 2014
32
NIST Special Publication 800-14
Part 2
• Significant points made in NIST SP 800-14:
– Security supports the mission of the organization
– Security is an integral element of sound
management
– Security should be cost-effective
– Systems owners have security responsibilities
outside their own organizations
– Security responsibilities and accountability should be
made explicit
– Security requires a comprehensive and integrated
approach
Management of Information Security, 4th Edition
© Cengage Learning 2014
33
NIST Special Publication 800-18
Rev. 1
• NIST Special Publication 800-18 Rev.1: Guide for
Developing Security Plans for Federal Information
Systems - provides detailed methods for
assessing, designing, and implementing controls
and plans for applications of various sizes
– Serves as a guide for security planning activities and
for the overall InfoSec planning process
– Includes templates for major application security
plans
Management of Information Security, 4th Edition
© Cengage Learning 2014
34
NIST Special Publication 800-30
Rev. 1
• NIST SP 800-30, Rev. 1: Guide for Conducting
Risk Assessments
– Provides a foundation for the development of an
effective risk management program
• Contains both the definitions and the practical
guidance necessary for assessing and mitigating
risks identified within IT systems
• Organized into three chapters that explain the
overall risk management process
– As well as preparing for, conducting, and
communicating a risk assessment
Management of Information Security, 4th Edition
© Cengage Learning 2014
35
NIST Special Publications 800-53
Rev. 3 and 800-53A Rev. 1
• Both publications cover recommended security
controls for Federal Information Systems
• SP 800-53, Revision 3 provides a systems
development life cycle (SDLC) approach to security
assessment of information systems
• NIST has a comprehensive security control
assessment program that guides organizations
through the:
– Preparation for, assessment of, and remediation of
critical security controls
Management of Information Security, 4th Edition
© Cengage Learning 2014
36
Control Objectives for Information and
Related Technology
• “Control Objectives for Information and Related
Technology” (COBIT)
– Provides advice about the implementation of sound
controls and control objectives for InfoSec
• COBIT was created by the Information Systems
Audit and Control Association (ISACA) and the IT
Governance Institute (ITGI) in 1992
– There have been many updates
– Latest version is COBIT 5 released in 2012
Management of Information Security, 4th Edition
© Cengage Learning 2014
37
Control Objectives for Information and
Related Technology (continued)
• COBIT 5 provides five principles focused on the
governance and management of IT:
–
–
–
–
–
Meeting Stakeholder Needs
Covering the Enterprise End-to-End
Applying a Single, Integrated Framework
Enabling a Holistic Approach
Separating Governance (very senior level like board
of directors) from Management
Management of Information Security, 4th Edition
© Cengage Learning 2014
38
Committee of Sponsoring
Organizations
• Committee of Sponsoring Organizations (COSO) of
the Treadway Commission
– Another control-based model
• Major objective of COSO is to identify the factors
that cause fraudulent financial reporting and to
make recommendations to reduce its incidence
• COSO helps organizations comply with critical
regulations like the Sarbanes-Oxley Act of 2002
Management of Information Security, 4th Edition
© Cengage Learning 2014
39
COSO Definitions and Key Concepts
• According to COSO internal control is a process
designed to provide reasonable assurance
regarding the achievement of objectives in the
following categories:
– Effectiveness and efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws and regulations
Management of Information Security, 4th Edition
© Cengage Learning 2014
40
Committee of Sponsoring
Organizations (continued)
• The COSO framework is built on five interrelated
components:
–
–
–
–
–
Control environment
Risk assessment
Control activities
Information and communication
Monitoring
Management of Information Security, 4th Edition
© Cengage Learning 2014
41
Information Security Governance
Framework
• The Information Security Governance Framework
is a managerial model provided by an industry
working group
– National Cyber Security Partnership
• The framework provides guidance in the
development and implementations of an
organizational InfoSec governance structure
• The framework also specifies that each
independent organizational unit should develop,
document, and implement in InfoSec program
consistent with accepted security practices
Management of Information Security, 4th Edition
© Cengage Learning 2014
42
Summary Part 1
• A framework is the outline of a more thorough blueprint,
used in the creation of the InfoSec environment
• Access controls regulate the admission of users into
trusted areas of the organization
• Access control is built on the principles of least privilege,
need-to-know, and separation of duties
• Approaches to access control include preventive,
deterrent, detective, corrective, recovery, and
compensating
• Mandatory access controls (MACs) are required by the
system that operate within a data classification and
personnel clearance scheme
Management of Information Security, 4th Edition
© Cengage Learning 2014
43
Summary Part 2
• Nondiscretionary controls are determined by a central
authority in the organization and can be based on
roles or on a specified set of tasks
• Security architecture models illustrate InfoSec
implementations and can help organizations make
quick improvements through adaptation
• One of the most widely referenced security models is
“ISO/IEC 27001: 2005 Information Technology - Code
of Practice for InfoSec Management”
– Designed to give recommendations for InfoSec
management
Management of Information Security, 4th Edition
© Cengage Learning 2014
44
Summary Part 3
• “Control Objectives for Information and Related
Technology” (COBIT) provides advice about the
implementation of sound controls and control
objectives for InfoSec
• The Information Security Governance Framework is a
managerial model provided by an industry working
group that provides guidance in the development and
implementation of an organizational InfoSec
governance structure
Management of Information Security, 4th Edition
© Cengage Learning 2014
45
Download