Management of Information Security, 4th Edition
Chapter 6: Security Management Models
© Cengage Learning 2014

Objectives
• Describe the dominant InfoSec blueprints, frameworks, and InfoSec management models, including U.S. government-sanctioned models
• Explain why access control is an essential element of InfoSec management
• Recommend an InfoSec management model and explain how it can be customized to meet the needs of a particular organization
• Describe the fundamental elements of key InfoSec management practices
• Discuss emerging trends in the certification and accreditation of U.S. federal information technology (IT) systems

Blueprints, Frameworks, and Security Models
• Blueprint - describes existing controls and identifies other necessary security controls
• Framework - the outline of the more thorough blueprint
  – Sets out the model to be followed in the creation of the design, selection, and initial implementation of all subsequent security controls
• Security model - a generic blueprint offered by a service organization
  – Free models are available from the National Institute of Standards and Technology (NIST)
• Another way to create a blueprint is to look at the paths taken by other organizations
  – This is a kind of benchmarking, in which recommended practices or industry standards are followed
• Benchmarking - the comparison of two related measurements
• Benchmarking can provide details on how controls are working, or which new controls should be considered
  – It does not provide details on how controls should be put into action

Access Control Models
• Access controls - regulate the admission of users into trusted areas of the organization
• Access control is maintained by means of:
  – A collection of policies
  – Programs to carry out those policies
  – Technologies to enforce policies
• General application of access control comprises four processes:
  – Identification - obtaining the identity of the entity requesting access to a logical or physical area
  – Authentication - confirming that identity
  – Authorization - determining which actions an authenticated entity can perform in that physical or logical area
  – Accountability - documenting the activities of the authorized individual and systems
• Access control is built on several key principles:
  – Least privilege - a member of the organization can access the minimum amount of information for the minimum amount of time necessary
  – Need-to-know - limits a user's access to the specific information required to perform the currently assigned task
  – Separation of duties - requires that significant tasks be split up in such a way that more than one individual is responsible for their completion

Categories of Access Control
• A number of approaches are used to categorize access control methodologies
• One approach depicts controls by their characteristics:
  – Deterrent
  – Preventive
  – Detective
  – Corrective
  – Recovery
• A second approach categorizes controls based on their operational impact on the organization:
  – Management
  – Operational (administrative)
  – Technical
• A third approach describes the degree of authority under which the controls are applied
  – Can be mandatory, nondiscretionary, or discretionary

Table 6-1 Categories of access control

|             | Deterrent       | Preventative              | Detective                         | Corrective                      | Recovery                     | Compensating                         |
|-------------|-----------------|---------------------------|-----------------------------------|---------------------------------|------------------------------|--------------------------------------|
| Management  | Policies        | Registration procedures   | Periodic violation report reviews | Employee or account termination | Disaster recovery plan       | Separation of duties, job rotation   |
| Operational | Warning signs   | Gates, fences, and guards | Sentries, CCTVs                   | Fire suppression systems        | Disaster recovery procedures | Defense in depth                     |
| Technical   | Warning banners | Login systems, Kerberos   | Log monitors and IDPSs            | Forensics procedures            | Data backups                 | Key logging and keystroke monitoring |

Mandatory Access Controls
• A mandatory access control (MAC) is required and is structured and coordinated within a data classification scheme that rates each collection of information, as well as each user
• Ratings are often referred to as sensitivity or classification levels
• When MACs are implemented, users and data owners have limited control over access to information resources

Data Classification Model
• The U.S. military uses a five-level classification scheme:
  – Unclassified data
  – Sensitive but unclassified (SBU) data
  – Confidential data
  – Secret data
  – Top secret data
• Compartmentalization - the restriction of information to the very fewest people possible (need-to-know)
• An organization can protect its sensitive information with a simple scheme like the following:
  – Public - for general public dissemination
  – For official use only - not for public release but not sensitive
  – Sensitive - important information that, if compromised, could embarrass the organization
  – Classified - essential and confidential information, disclosure of which could severely damage the well-being of the organization

Security Clearances
• Security clearance structure - each user of an information asset is assigned an authorization level that identifies the level of information classification he or she can access
• Usually accomplished by assigning each employee to a named role
  – Data entry clerk, InfoSec analyst, etc.
• Most organizations have developed a set of roles and a corresponding security clearance

Managing Classified Information Assets
• Managing an information asset includes all aspects of its life cycle
  – From specification to design, acquisition, implementation, use, storage, distribution, backup, recovery, retirement, and destruction
• Classified documents must be accessible only to authorized individuals
  – Usually requires locking file cabinets, safes, etc.
• "Clean desk policy" - requires each employee to secure all information in its appropriate storage container at the end of every business day
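As an added example (not from the textbook), the following Python models the classification scheme, compartmentalization and clearance structure described above as a lattice, and applies to it the Bell-LaPadula confidentiality rules and the Biba integrity rules introduced later in this chapter. The five military levels are the chapter's; the integrity level names, subjects and objects are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

@dataclass(frozen=True)
class Label:
    """A lattice label: a level plus need-to-know compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

class Lattice:
    """Label ordering: a dominates b when a's level is at least as high AND a
    holds every compartment of b (compartmentalization, need-to-know)."""

    def __init__(self, levels: List[str]) -> None:  # listed low to high
        self.rank = {name: i for i, name in enumerate(levels)}

    def dominates(self, a: Label, b: Label) -> bool:
        return (self.rank[a.level] >= self.rank[b.level]
                and a.compartments >= b.compartments)

# The chapter's five-level U.S. military scheme; the integrity level names are
# an assumption made for the Biba checks.
CONFIDENTIALITY = Lattice(["unclassified", "sbu", "confidential", "secret", "top secret"])
INTEGRITY = Lattice(["untrusted", "user", "system"])

def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): clearance dominates classification."""
    return CONFIDENTIALITY.dominates(subject, obj)

def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object's label dominates the clearance."""
    return CONFIDENTIALITY.dominates(obj, subject)

def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity property (no read down): subject integrity <= object's."""
    return INTEGRITY.dominates(obj, subject)

def biba_can_write(subject: Label, obj: Label) -> bool:
    """Integrity *-property (no write up): subject integrity >= object's."""
    return INTEGRITY.dominates(subject, obj)

def demo() -> dict:
    """Constructed subjects and objects; returns each access decision."""
    analyst = Label("secret", frozenset({"crypto"}))            # clearance
    report = Label("confidential", frozenset({"crypto"}))       # classification
    plan = Label("top secret", frozenset({"crypto", "nuclear"}))
    bulletin = Label("unclassified")
    updater, installer_log, download = Label("user"), Label("system"), Label("untrusted")
    return {
        "analyst reads report": blp_can_read(analyst, report),         # allowed
        "analyst reads plan": blp_can_read(analyst, plan),             # denied: level and compartment
        "analyst writes bulletin": blp_can_write(analyst, bulletin),   # denied: write down
        "analyst writes plan": blp_can_write(analyst, plan),           # allowed: write up
        "updater reads download": biba_can_read(updater, download),    # denied: read down
        "updater writes log": biba_can_write(updater, installer_log),  # denied: write up
    }

if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'allowed' if allowed else 'denied'}")
```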
Managing Classified Information Assets (continued)
• Documents should be destroyed by means of shredding, burning, or transfer to a third-party document destruction service
• Dumpster diving - the retrieval of information from refuse or recycling bins
• Lattice-based access control - assigns users a matrix of authorizations for particular areas of access
  – The level of authorization may vary depending on classification authorizations

Nondiscretionary Controls
• Nondiscretionary controls - determined by a central authority in the organization and can be based on:
  – Role-based controls - tied to the role that a user performs
  – Task-based controls - tied to a particular assignment or responsibility
• Both make it easier to maintain controls and restrictions
  – Rights are assigned to the role, not the person

Discretionary Access Controls
• Discretionary access controls (DACs) are implemented at the discretion or option of the data user
  – The ability to share resources in a peer-to-peer configuration allows users to control and possibly provide access to information or resources at their disposal
• Role-based models can be implemented under DAC
  – If an individual system owner wants to create the rules

Other Forms of Access Control
• Other models of access control include:
  – Content-dependent access controls - access to an object may depend on its content
  – Constrained user interfaces - designed specifically to restrict what information an individual user can access
  – Temporal (time-based) isolation - access to information is limited by a time-of-day constraint

Security Architecture Models
• Security architecture models - illustrate InfoSec implementations and can help organizations quickly make improvements through adaptation
• Some models are:
  – Implemented in computer hardware and software
  – Implemented as policies and practices
  – Focused on the confidentiality of information
  – Focused on the integrity of the information as it is being processed

Trusted Computing Base
• Trusted Computer System Evaluation Criteria (TCSEC) - an older DoD standard that defines the criteria for assessing the access controls in a computer system
• TCSEC defines a trusted computing base (TCB) as the combination of all hardware, firmware, and software responsible for enforcing security policy
• Within the TCB is a conceptual object known as the reference monitor
  – It is the piece of the system that manages access controls
• Covert channels - unauthorized or unintended methods of communication hidden inside a computer system
• TCSEC defines two kinds of covert channels:
  – Storage channels - communicate by modifying a stored object
  – Timing channels - transmit information by managing the relative timing of events

Bell-LaPadula Confidentiality Model
• Bell-LaPadula (BLP) confidentiality model - a model of an automated system that is able to manipulate its state or status over time
• BLP ensures confidentiality by using MACs, data classification, and security clearances
• Access modes can be one of two types:
  – Simple security property - prohibits a subject of lower clearance from reading an object of higher classification
  – * (Star) property - prohibits a high-level subject from sending messages (writing) to a lower-level object

Biba Integrity Model
• Biba integrity model - based on the premise that higher levels of integrity are more worthy of trust than lower ones
• The Biba model assigns integrity levels to subjects and objects using two properties:
  – Simple integrity property (read) - permits a subject to have read access to an object only if the subject's integrity level is lower than or equal to that of the object
  – Integrity * property (write) - permits a subject to have write access to an object only if the subject's integrity level is equal to or higher than that of the object

The ISO 27000 Series
• Information Technology - Code of Practice for Information Security Management - one of the most widely referenced InfoSec management models
  – The Code of Practice was adopted as an international standard framework for InfoSec by the ISO and the IEC as ISO/IEC 17799
  – It was revised in 2005 and in 2007 was renamed ISO 27002
  – It was intended to provide a common basis for developing organizational security standards

Table 6-2 Sections of the ISO/IEC 27002
• Structure
• Risk Assessment and Treatment
• Security Policy
• Organization of Information Security
• Asset Management
• Human Resource Security
• Physical and Environmental Security
• Communications and Operations
• Access Control
• Information Systems Acquisition, Development, and Maintenance
• Information Security Incident Management
• Business Continuity Management
• Compliance
Source: 27000.org

Figure 6-2 ISO/IEC 27001 major process steps (figure not reproduced here)

NIST Security Models
• Advantages of NIST (National Institute of Standards and Technology) security models over many other sources of security information:
  – They are publicly available at no charge
  – They have been available for some time and have been broadly reviewed by government and industry professionals

NIST Special Publication 800-12
• SP 800-12: Computer Security Handbook - an excellent reference and guide for routine management of InfoSec
• SP 800-12 provides for:
  – Accountability
  – Awareness
  – Ethics
  – Multidisciplinary
  – Proportionality
  – Integration
• SP 800-12 organizes controls into three categories:
  – Management controls
  – Operational controls
  – Technical controls

NIST Special Publication 800-14
• SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems - describes recommended practices and provides information on commonly accepted InfoSec principles
  – Can direct the security team in the development of a security blueprint
  – Also describes the philosophical principles that the security team should integrate into the entire InfoSec process
• Significant points made in NIST SP 800-14:
  – Security supports the mission of the organization
  – Security is an integral element of sound management
  – Security should be cost-effective
  – Systems owners have security responsibilities outside their own organizations
  – Security responsibilities and accountability should be made explicit
  – Security requires a comprehensive and integrated approach

NIST Special Publication 800-18 Rev. 1
• NIST SP 800-18 Rev. 1: Guide for Developing Security Plans for Federal Information Systems - provides detailed methods for assessing, designing, and implementing controls and plans for applications of various sizes
  – Serves as a guide for security planning activities and for the overall InfoSec planning process
  – Includes templates for major application security plans

NIST Special Publication 800-30 Rev. 1
• NIST SP 800-30 Rev. 1: Guide for Conducting Risk Assessments - provides a foundation for the development of an effective risk management program
• Contains both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems
• Organized into three chapters that explain the overall risk management process, as well as preparing for, conducting, and communicating a risk assessment

NIST Special Publications 800-53 Rev. 3 and 800-53A Rev. 1
• Both publications cover recommended security controls for federal information systems
• SP 800-53 Rev. 3 provides a systems development life cycle (SDLC) approach to security assessment of information systems
• NIST has a comprehensive security control assessment program that guides organizations through the preparation for, assessment of, and remediation of critical security controls

Control Objectives for Information and Related Technology
• "Control Objectives for Information and Related Technology" (COBIT) provides advice about the implementation of sound controls and control objectives for InfoSec
• COBIT was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992
  – There have been many updates
  – The latest version is COBIT 5, released in 2012
• COBIT 5 provides five principles focused on the governance and management of IT:
  – Meeting Stakeholder Needs
  – Covering the Enterprise End-to-End
  – Applying a Single, Integrated Framework
  – Enabling a Holistic Approach
  – Separating Governance (at a very senior level, such as the board of directors) from Management

Committee of Sponsoring Organizations
• Committee of Sponsoring Organizations (COSO) of the Treadway Commission - another control-based model
• The major objective of COSO is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence
• COSO helps organizations comply with critical regulations like the Sarbanes-Oxley Act of 2002
• According to COSO, internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  – Effectiveness and efficiency of operations
  – Reliability of financial reporting
  – Compliance with applicable laws and regulations
• The COSO framework is built on five interrelated components:
  – Control environment
  – Risk assessment
  – Control activities
  – Information and communication
  – Monitoring

Information Security Governance Framework
• The Information Security Governance Framework is a managerial model provided by an industry working group, the National Cyber Security Partnership
• The framework provides guidance in the development and implementation of an organizational InfoSec governance structure
• The framework also specifies that each independent organizational unit should develop, document, and implement an InfoSec program consistent with accepted security practices

Summary
• A framework is the outline of a more thorough blueprint, used in the creation of the InfoSec environment
• Access controls regulate the admission of users into trusted areas of the organization
• Access control is built on the principles of least privilege, need-to-know, and separation of duties
• Approaches to access control include preventive, deterrent, detective, corrective, recovery, and compensating
• Mandatory access controls (MACs) are required by the system and operate within a data classification and personnel clearance scheme
• Nondiscretionary controls are determined by a central authority in the organization and can be based on roles or on a specified set of tasks
• Security architecture models illustrate InfoSec implementations and can help organizations make quick improvements through adaptation
• One of the most widely referenced security models is "ISO/IEC 27001:2005 Information Technology - Code of Practice for InfoSec Management"
  – Designed to give recommendations for InfoSec management
• "Control Objectives for Information and Related Technology" (COBIT) provides advice about the implementation of sound controls and control objectives for InfoSec
• The Information Security Governance Framework is a managerial model provided by an industry working group that provides guidance in the development and implementation of an organizational InfoSec governance structure