Comprehensive Security Assessment Systemization

Developed by Jesse C. Schroeder
August 08, 2015
For Western Governors University
Completion of the Masters of Information Security & Assurance
Jesse C. Schroeder | WESTERN GOVERNORS UNIVERSITY
Contents
Introduction
High Level Discussion of the Assessment Model
  Review of Multiple Models
    NIST Special Publications 800-30 rev. 1, 800-37, & 800-115
    OSSTMM v3
    DISA ACAS
    ISSAF
    OWASP Proactive Controls
    ISO 27001 & 27002
    COBIT 5
    IBM Security Services
    PCI v3.1
  Identification of Necessary Categories
Sectional Discussion of the Assessment Model and Implementation
  Comprehensive Policy
    Documentation Creation
  Defining Business Requirements
    Identify Assets
    Create Risk Tolerance Levels
    Mitigation Strategies
  Scheduling
    Automated
    Manual
  Security Assessment Automation
  Creating Security Culture
    Security Awareness
  Updating Documentation
    Third Party Input
Staff Education Guidance
  A Layered Approach
    Requirements Driven
    Means Driven
    Needs Driven
Creation of Initial Security Baseline
  Initial Implementation
  Goal Achievement Metrics
  Application of Practice Metrics
Successive Implementations
  Planning
  Tracking
  Correcting
  Reporting
References
Appendix A: RISK ASSESSMENT METHODOLOGY EVALUATION
Introduction
This is a living document and will be altered to fit the needs of the organization that
utilizes it. The purpose of this documentation is to create a comprehensive security
assessment system that fulfills the end-user requirements of Innova Corporation. With this
system, the company can use the documentation to create a security baseline for its
organization and repeat the same process at satellite offices. The documentation is not site
specific and can be used by any large organization to establish or audit the information
security model of its operating environment.
The security model has been developed for Innova Corporation¹, which has over 1000
unique user instances. The functional requirements are that the organization take the
documentation and utilize the process thoroughly, in the order described, to determine the
probability of asset loss or compromise on the information systems of the business.
This documentation reviews various security standards and attempts to create a
comprehensive security assessment system for implementation at Innova Corporation. The
documentation reviewed is:
• NIST Special Publications 800-30, 800-37, & 800-115
• OSSTMM v3
• DISA ACAS
• ISSAF
• OWASP Testing Guide
• ISO 27001 & 27002
• COBIT 5
• PCI v3.1

¹ Hypothetical company.
The following documentation includes:
• A high level discussion of the assessment model
• A sectional discussion of the assessment model and implementation
• Guidance for the creation of documentation during implementation
• Guidance for the education of implementation staff
• A discussion about the creation of an initial security baseline
• A discussion about successive implementations
High Level Discussion of the Assessment Model
Review of Multiple Models
The following is a brief overview of the findings in the various models that were
reviewed for the creation of a comprehensive security assessment system for Innova
Corporation. Listings from the research have been placed under the title of each
document. These findings will be utilized to identify and create the necessary categories
for the assessment model systemization.
NIST Special Publications 800-30 rev. 1, 800-37, & 800-115
The National Institute of Standards and Technology (NIST), an agency of the United States
Department of Commerce, creates multiple publications every year for multiple industries.
The focus in this paper is placed upon three reports chosen from the information technology
sub-section of the agency's publications.
In the 800-30 rev. 1 publication (National Institute of Standards and Technology, 2012),
the documentation describes three risk tiers for the business to manage. The tiers listed are
Organizational, Business Process, and Information Systems. Within each tier, the business will
need to implement four steps of risk management. These include:
• Step 1: Frame Risk / Establish Context
• Step 2: Assess Risk
• Step 3: Respond to Risk
• Step 4: Monitor Risk
The establishment of the three tier system focuses on covering all areas of the business
and utilizes the steps listed above to ensure that each step in the tier is properly documented.
The 800-30 rev.1 publication does not use the tier system to create silos inside the business;
instead, all three tiers work together to create a holistic approach.
The NIST 800-30 rev.1 emphasizes living documentation by updating the assessment
framework as needed for each tier of the risk management processes. When it comes to the
conduct of assessments for each tier, there are five steps in the process (National Institute
of Standards and Technology, 2012). These include:
• Identifying the threat source and events that occur
• Identifying the vulnerable areas and current operational conditions
• Determining the likelihood of the exploitation occurrence
• Determining the magnitude of exploitation impact
• Determining the risk level for the organization
The previous list creates a model that emphasizes identifying each threat and
determining information about the threat quickly so that the business can recover and mitigate
any damage.
In the 800-37 publication (National Institute of Standards and Technology, 2010), the
documentation focuses on five areas of security for a business to utilize. These areas include:
• Emphasis on real time management
• Clear, cost-effective decisions in line with the mission
• Security culture
• Use of tools
• Emphasis on responsibility / accountability
The five areas identified above create a model of security that works alongside the
needs of the business. The 800-37 documentation discusses the vendor tools used for
automation and creates a dependence on making decisions in a cost-effective manner to
mitigate risk. This methodology produces the understanding that it is not necessary to reduce
risks to nonexistence; instead, the business must choose to accept certain risks based upon a
cost-benefit analysis of risk level.
In the 800-115 publication (Scarfone, Souppaya, Cody, & Orebaugh, 2008) there is a
detailed set of instructions for creating a security testing and assessment model. This
documentation lists seven major sections that provide technical guidance for completing the
assessment process and remediation activities. An overview includes:
• Overview of assessments
• Technical examination techniques
• Identification of targets and analysis for potential vulnerabilities
• Techniques used to validate vulnerabilities
• Planning a security assessment
• Key factors in the execution of an assessment
• Reporting findings and remediation
The 800-115 documentation is extremely detailed with various techniques that can be
utilized in each of the seven sections. An understanding taken from this documentation can be
identified as possibly twelve key areas that have been identified by Yang Xiao (Xiao, 2014):
1. Identify scope
2. Roles and responsibilities
3. Limitations and assumptions
4. Systems configuration
5. Network traffic
6. Network rulesets
7. Vulnerability scanning
8. Network discovery
9. Protocol identification
10. Password cracking
11. Social engineering
12. Penetration testing
13. Cause identification
14. Mitigation review
15. Reporting
This list creates a well-defined shorthand of what the 800-115 publication contains. The
NIST report contains too much information for what is to be applied to the scope of the model
for Innova but does have valid sections that will be utilized.
OSSTMM v3
The Open Source Security Testing Methodology Manual (OSSTMM) version 3 offers a
multipurpose usage in its documentation, suggesting that the information can be used for
ethical hacking, penetration testing, or security assessments. The OSSTMM v3 is very detailed
and emphasizes providing only fact based evidence when using its testing methodology
(ISECOM, 2010). Due to this emphasis, the documentation also highly suggests that individuals
become certified to encourage proper implementation of their model. This leads to decision
making that does not lend itself towards a risk based approach due to the subjective nature of
the business defining its own risk tolerance levels.
However, the OSSTMM v3 does suggest that its model can be adapted for the utilization
of operational security. Innova will be able to implement sections of the OSSTMM v3 into the
mitigation strategies during the creation of the assessment system.
DISA ACAS
The Defense Information Systems Agency (DISA) has released a document called the
Assured Compliance Assessment Solution (ACAS). This documentation can be readily
understood by reading the case study about proper security hygiene released by
Tenable Network Security, a product of the partnership between the Department of Defense
(DoD) and Tenable.
This case study emphasizes five key areas for creating better cyber hygiene in an
organization by utilizing a security hygiene model of network management. These five steps
need to be repeated on a regular basis to ensure compliance with the ACAS. The five items are
(Tenable Network Security, 2014):
• Inventory all devices on the network
• Inventory all software on the network
• Develop and manage information security configurations
• Automate vulnerability assessments and remediation
• Actively manage and control the use of admin privileges
The SANS Institute² has worked directly with Tenable to create a living document that
contains twenty items for securing the information network of an organization (SANS Institute,
2015). This documentation suggests that fifteen of the twenty items needed for securing the
network can be automated. Creating a framework of automation, which encourages the usage
of vendor tools, cuts down on the workload to maintain security and assess the current status
of an information environment.

² A private United States company specializing in information security and cyber security training. More
information can be found at http://www.SANS.org
ISSAF
The Open Information System Security Group (OISSG) has worked to create the
Information System Security Assessment Framework (ISSAF). Section 6 of this documentation
demonstrates an evaluation checklist for assessing the methodology of a risk assessment
(OISSG, 2004). The documentation addresses eight questions to identify and ensure that the
proper areas have been created for a risk assessment. The creation of the model for Innova
Corporation will address these questions³ to ensure the proper development of the desired
model.
OWASP Proactive Controls
The Open Web Application Security Project (OWASP) Proactive Controls discusses a
living documentation model of the top ten strategies for securing a network. At the time of this
writing, OWASP lists the following as its top ten (OWASP, 2015):
1. Parameterize Queries
2. Encode Data
3. Validate All Inputs
4. Implement Appropriate Access Controls
5. Establish Identity and Authentication Controls
6. Protect Data and Privacy
7. Implement Logging, Error Handling and Intrusion Detection
8. Leverage Security Features of Frameworks and Security Libraries
9. Include Security-Specific Requirements
10. Design and Architect Security Into Infrastructure

³ See Appendix A.
This list is used by establishing a scope of areas that are associated with higher risk
levels. These items are listed in a hierarchical order and should be followed as listed.
Updates to this list do occur and the list should be monitored on a regular basis to
establish a proper perspective of risk level.
ISO 27001 & 27002
ISO publications 27001 and 27002 are closely linked together in terms of policy
management and scope, so these two documents will be addressed together instead of
individually. The implementation of these publications emphasizes the usage of a four stage
model to create a model of comprehensive management. These stages are (Calder & Watkins,
2012):
• Plan how to best implement solutions
• Do the work of implementing the solutions discussed
• Check to see if the implementations had the desired effect
• Act to mitigate any further problems and report on the findings, thus starting the
process again
There are 6 steps in the Plan stage and 5 steps in the Do stage of this model, and they
are defined as (Calder & Watkins, 2012):
• 6 Step Plan Stage:
  o Define scope
  o Define InfoSec policy
  o Define a systematic approach to assessment and criteria
  o Implement the approach to discover risks
  o Review results and define mitigation
  o Prepare a statement of applicability
• 5 Step Do Stage:
  o Create a risk treatment plan
  o Implement the plan and controls
  o Arrange staff training
  o Manage resources
  o Monitoring procedures
These findings will be used to help create the comprehensive security assessment model
for the Innova Corporation. The planning and doing stages of the ISO 27001 & 27002
documentation will be used in the policy and requirements sections of the model for Innova.
COBIT 5
The Information Systems Audit and Control Association (ISACA) released version 5 of the
Control Objectives for Information and Related Technology (COBIT) in April of 2012 (ISACA,
2012) and has continued to develop this implementation. In the documentation, there is a
listing of five key principles that are needed to comply with the COBIT 5 model. These are:
• Meet Stakeholder Needs
• Cover All Enterprise
• Single Integrated Framework
• Holistic Approach
• Separate Governance from Management
The COBIT model emphasizes ensuring that the needs of the organization are met on a
business level first and that the implementation of the model covers the entire organization in a
single comprehensive framework.
IBM Security Services
IBM has released multiple white papers, one of which discusses four key components
that will help secure large organizations. These are (IBM Corporation, 2013):
1. Prioritize business objectives and set risk tolerance
2. Protect the organization with a proactive security plan
3. Prepare a response for a sophisticated attack
4. Promote and support a culture of security awareness
These four security practices identify the need to create a plan that emphasizes the needs
of the business first and base the security practices on those needs. The previous four
components can further be broken down into IBM’s ten security essentials, which the
documentation identifies as (IBM Corporation, 2013):
1. Build risk aware culture
2. Manage incidents & respond
3. Defend the workplace
4. Security by design
5. Update systems
6. Control access
7. Isolate services
8. Create a culture of security
9. Inventory assets
10. Identify people and monitor them in the operation
PCI v3.1
The Payment Card Industry (PCI) has a Security Standards Council that releases data
security standards for “consistent data security measures globally” (PCI Security Standards
Council, LLC, April, 2015). In their current standard, released April 2015, PCI includes 6 sections
of identification. These include:
• Build and Maintain a Secure Network and Systems
• Protect Critical Business Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Test Networks
• Maintain an Information Security Policy
The previous sections are then broken down into action steps that organizations can take to
comply with the PCI standard v3.1. The listing below is one that a business can utilize to
become PCI compliant.
Configure the following to control the network: Proactive Policy (PCI Security Standards Council,
LLC, April, 2015)
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored business data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel
Identification of Necessary Categories
After a study of the previous documentation, it has been found that similar categories
from the documentation can be identified for the creation of a comprehensive security
assessment system. Many of the papers identify the same categories and emphasize their need
in the creation of the Innova security assessment system. The categories were chosen based
upon the need to cover all information security areas at Innova Corporation and the ability to
reuse the information during any modification or export of the documentation.
These categories have been identified as follows:
• Identify the needs of the business
• Assessment automation
• Create a schedule for testing and comparison of results
• Utilize policy for the entire business
• Continue to update the documentation
• Educate staff
• Create a culture of security
Sectional Discussion of the Assessment Model and Implementation
Comprehensive Policy
The creation of a comprehensive policy to address the security assessment system
includes the four key areas associated with the IBM Security Services. All policies created focus
on an organization wide approach to risk management and all sections of the business need to
work together to promote a culture of security.
1. Prioritize business objectives and set risk tolerance
2. Protect the organization with a proactive security plan
3. Prepare a response for a sophisticated attack
4. Promote and support a culture of security awareness
Documentation Creation
The creation of documentation for a comprehensive policy needs to be based upon an
assessment template framework. This documentation will act as a checklist for the
implementation of policies created for security assessments. The framework includes:
• Stakeholder requirements for proper business governance
• Managed asset categories based upon the identified requirements
  o Subcategories listing tools that are used for assessing security
• Reports returned from security assessments listing risk matrix levels
  o Mitigation strategies for identified vulnerabilities
• Actions taken towards securing the network by the organization
• Timestamps and professionals responsible for the documentation
Utilizing this framework creates a standard for the comprehensive security assessment
system that can be easily scanned and understood by the professionals working on the
information systems. Also, with the inclusion of timestamps and names of the responsible
parties, this documentation includes the element of nonrepudiation.
Defining Business Requirements
To define the business requirements of Innova Corporation, the assessment team needs
to take a few initial steps before any further documentation can be created. First, the team
must identify the assets. Second, risk tolerance levels need to be created. These two steps are
associated with the ISSAF, wherein the initial steps are defined for the creation of risk
association.
Identify Assets
The initial step in creating the assessment model for Innova Corporation is to create an
overview of the business. This is done by identifying all of the assets attached to the
information network. Viewing the definition in the DISA ACAS section of the models, it can be
seen that these assets include:
• Hardware
• Software
• Documentation or multimedia
• User accounts
• Permissions
Once established, this information needs to be discussed with company stakeholders to
acquire a definitive governance model for the business. This model establishes the
requirements for the continued success of the business. Only the top stakeholders of the
business understand what is required for the continual success of the business model.
Create Risk Tolerance Levels
The creation of risk tolerance levels allows the organization to manage the risk levels
associated with the assets of the business. This is needed because the business cannot focus on
all risks at once. Therefore, a hierarchy of risks needs to be defined for the organization. This
assessment model creates three layers of risk: High, Medium, and Low.
These three layers are based upon the probability of asset exploitation and the impact it
may have on the business. To understand which assets may be at a higher risk level than others,
the OWASP Proactive Controls model has been reviewed.
Innova must now take the assets that are identified as critical to the business and
associate them with the current probable levels of exploitation and associate them with a risk
level. Doing this creates the risk matrix for the organization and prioritizes the risks based upon
these ratings. To be clear, this matrix will not become populated until a risk assessment is
implemented at the organization.
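The risk rating this section describes, worked through in code as an added example that is not part of this paper: likelihood and impact ratings taken from the NIST 800-30 assessment steps are mapped onto the three risk layers, findings are prioritized into a matrix, and those exceeding the organization's tolerance level are flagged. The 3x3 mapping, asset names, ratings and assessor fields are constructed assumptions.

```python
"""Three-level risk matrix (added example; not from the paper).

Each finding carries the threat event, vulnerable area, likelihood and impact
from the NIST 800-30 rev. 1 steps; the risk level is derived from the last two.
The mapping table and all sample data below are constructed assumptions.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")   # ordered from least to most severe

# Likelihood (row) x impact (column) -> risk level. Assumed mapping; an
# organization sets its own table according to its risk tolerance.
RISK_MATRIX = {
    "Low":    {"Low": "Low",    "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "High"},
}


@dataclass(frozen=True)
class Finding:
    asset: str
    threat: str          # threat source / event (800-30 step 1)
    vulnerability: str   # vulnerable area (step 2)
    likelihood: str      # probability of exploitation (step 3)
    impact: str          # magnitude of impact (step 4)
    assessor: str        # responsible professional, kept for nonrepudiation
    assessed_on: str     # ISO 8601 date the rating was made


def rate(likelihood: str, impact: str) -> str:
    """Derive the risk level (800-30 step 5) from likelihood and impact."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][impact]


def prioritize(findings):
    """Return (risk_level, finding) pairs, highest risk first, then by asset.

    An empty input yields an empty matrix: nothing is populated until an
    assessment has actually produced findings.
    """
    rated = [(rate(f.likelihood, f.impact), f) for f in findings]
    return sorted(rated, key=lambda rf: (-LEVELS.index(rf[0]), rf[1].asset))


def above_tolerance(findings, tolerance: str):
    """Findings whose risk level exceeds the organization's tolerance level."""
    if tolerance not in LEVELS:
        raise ValueError(f"tolerance must be one of {LEVELS}")
    limit = LEVELS.index(tolerance)
    return [f for risk, f in prioritize(findings) if LEVELS.index(risk) > limit]


def summarize(findings):
    """Count findings per risk level, e.g. {'Low': 1, 'Medium': 1, 'High': 3}."""
    counts = {level: 0 for level in LEVELS}
    for risk, _ in prioritize(findings):
        counts[risk] += 1
    return counts


# Constructed sample findings; none of these describe a real system.
SAMPLE_FINDINGS = [
    Finding("Payment database", "External attacker", "Unpatched DB server",
            "High", "High", "J. Analyst", "2015-08-08"),
    Finding("Intranet wiki", "Insider", "Default admin credentials",
            "Medium", "Low", "J. Analyst", "2015-08-08"),
    Finding("HR file share", "Malware", "Anti-virus signatures out of date",
            "Medium", "High", "J. Analyst", "2015-08-08"),
    Finding("Public website", "Opportunistic scanner", "Outdated CMS plugin",
            "High", "Medium", "J. Analyst", "2015-08-08"),
    Finding("Workstation fleet", "Phishing", "No awareness training",
            "High", "Low", "J. Analyst", "2015-08-08"),
]

if __name__ == "__main__":
    for risk, f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk:<6} {f.asset:<18} {f.threat} / {f.vulnerability}")
    print("Needs mitigation (tolerance=Medium):",
          [f.asset for f in above_tolerance(SAMPLE_FINDINGS, "Medium")])
```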
Mitigation Strategies
Once assets have been discovered with unacceptable risk levels, mitigation strategies
need to be implemented. These strategies are based upon the tools used to assess the
information systems. Automated tools return varying mitigation strategies. Therefore, it is
required that the organization use multiple sources for scanning the network to identify
vulnerabilities. When the tools return mitigation strategies, the employees must simply follow
the instructions to close the security holes in the network.
It is suggested, but not required, that the company use vendors that supply proof of the
identified vulnerabilities when selecting tools for scanning the network. This means
that the tools will actively exploit vulnerabilities; one such tool is Netsparker⁴. In this way,
Innova security personnel can have proof that the vulnerability can actually damage the system,
because these types of tools do not return vulnerabilities that they cannot exploit, ensuring a
very low or nonexistent false positive rate.

⁴ Information can be found at https://www.netsparker.com/
If Innova employees come across vulnerabilities that they do not understand, the
company should call the vendors of the security tools that the implementation team has chosen
and discuss possible ways to fix the unknown problem. Or, if a vulnerability cannot be fixed,
then a meeting needs to be held with the stakeholders to discuss possible mitigation strategies
at a business level.
Scheduling
Two types of scheduling have been identified for creating the assessment system based
upon the NIST 800-37 documentation: automated and manual scheduling. The main purpose of
scheduling the implementations and mitigation strategies of the assessment model is to verify
the implementation procedures and validate mitigation events.
Automated
Automated scheduling is based upon the tools used for implementing part of the
security assessment model. Automation occurs when enabling processes that can be run
without oversight. These processes are the tools selected by the organization for scanning the
network and searching for vulnerabilities. The automated processes are maintained by third
parties, and the tools develop reports for Innova based upon the settings that are enabled in the
tools.
A list of automated settings that the scanning tools can use will be created
based upon the policies created during the creation of the business requirements and
management policies. Selecting and purchasing tools for the organization will be a joint process
between the stakeholders of the organization and the management team that is implementing
their requirements. Tools change and are updated all the time. However, at the time of this
writing, the tools that Tenable Network Security has created, in conjunction with the identified
requirements from the DoD, are top of class for automatically scanning information networks.
Manual
Manual scheduling for the security assessment system is used to implement the defined
policies by employees of Innova Corporation. This strategy is used when there are changes to
the network and systems at the business, when a review needs to be undertaken to ensure the
automated tools are running properly, or when a security assessment needs to occur.
When implementing a security assessment, it is necessary to schedule the working hours
required to complete the tasks documented in the management section of the
comprehensive policy. Without the proper human resources dedicated to completing the
assessment, there is an unknown chance of successfully securing the information network. If a
secure network cannot be guaranteed, then there is no point in undergoing a partial security
assessment implementation.
The business undergoes a shift in the risk matrix when changes to the network and
systems at the business occur. This is due to implementing a different set of variables into the
network. Depending on what is implemented, huge shifts may occur and leave the critical
resources of the business vulnerable to assault. The only way to ensure the security of the
network is to undergo a security assessment and use the successive implementation model
discussed in this document.
A schedule for reviewing the automated reports from the scanning tools is a
requirement for the completion of security assessment implementation. The staff that is
accountable for implementing and overseeing the tools utilized in the security assessment must
be able to complete their tasks. In this way, the vendors can be held accountable for their tools
that are implemented on the Innova network. If the employees are not allowed the necessary
resources for the completion of their tasks, then the chain of accountability falls apart and,
with it, the security model.
Security Assessment Automation
As described in the DISA ACAS section of the high level review, multiple sections of the
security assessment model can be automated. This automation is continuous and reports to the
team assigned to review this documentation. The main benefits of utilizing automated tools are:
• Reduction in labor and reporting error
• Minimize vulnerability exposure
• Shift responsibility
• Constant monitoring
• Consistent report forms
A multitude of automated monitoring tools exist to assess the security posture of an
organization; surveying them is beyond the scope of this paper. However, the need for such
tools is obvious due to the benefits described above. When automated tools are used, human
reporting error is reduced to the level of error automated in the software. This minimal amount
of error is shifted to the vendors that supply the implemented tools, because those companies
are responsible for the training of the Innova employees who manage their product.
The reduction in labor is justified by the reduction in work hours necessary to
implement the security assessment. Different tools need different amounts of oversight and will
cut the workload at a rate based upon that oversight. Also, Innova is required to choose
tools that utilize constant monitoring of the network for quick identification of vulnerabilities
and risk mitigation. This method reduces long term vulnerability exposure time to a
minimal level by delivering consistent reporting forms on a scheduled basis to the security
assessment implementation team.
The implementation team will need to review the automated reports and add them to
the living documentation of the security assessment framework. The team will also need to use
these reports when the mitigation procedures take place and add their own documentation
about the results of their work to the assessment documentation.
Creating Security Culture
Developing a security culture at Innova Corporation requires the establishment of trust
in the business and the employees that work there. The consequences of creating a culture of
security at a business include the prevention of fraud and misuse of information resources
(Ross, 2011). Creating this culture requires the implementation of strategic drivers at the
organization. These drivers include:
• Establishing leaders of security
• Ensuring a budgetary establishment for security
• Utilizing policy to ensure responsibility
• Creating security awareness and education programs
The leaders of information security at the organization are established through the
creation of the three tier staff education guidance section of this paper. These leaders work
directly with stakeholders to establish security requirements for the organization. The
stakeholders ensure the budgetary requirements for the policies are met, because the security
assessment policies are based upon the business requirements during the creation of policy.
The policies created hold the individuals who implement them responsible. This is one of the
requirements of the comprehensive security assessment system.
Security Awareness
Creating a security awareness and education program for employees at Innova involves:
• Input from the stakeholders about the needs of the business
• Concise actionable steps employees can take to enact security requirements
• Development of a security reporting model for the organization
• A hold harmless doctrine for reporting to enable the development of trust in the
organization
All staff members need to attend a minimum of one training session to understand the
requirements being placed upon them by the organization. This will ensure the accountability
of all employees at Innova and allow additional documentation into the living model of the
security assessment.
Updating Documentation
The documentation of the comprehensive security assessment system will need to be
updated when new information is discovered about the assessment process. This discovery will
come from the implementation of the model, third party documentation, acquiring new
software or hardware services, or other unforeseen sources. Due to the design of the living
document assessment model, version control can be implemented.
To control the various versions of the documentation, a numbering strategy is used for
maintaining the versioning process. Three decimal columns are used (0.0.0), here called A, B,
and C. These columns are used as follows:
• Column A: Major revisions to the assessment model, thus creating the need to
deprecate the previous model.
• Column B: Yearly review and update of the assessment model with reports appended to
the documentation.
• Column C: Each successive implementation with reports appended to the
documentation.
The initial documentation is known as the prototype model and has a version number of
0.0.0. Each revision, whether major or minor, needs to be kept for a minimum of five years,
starting at the time of release of the documentation.
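As an added illustration of the A.B.C numbering and the five-year retention rule above (example code written for this page, not part of the original paper), the following Python module records revisions of the living document and reports which superseded revisions have passed their retention window. It assumes that advancing a column resets the columns to its right, and it counts five years as five calendar years; neither detail is specified in the paper.

```python
from dataclasses import dataclass
from datetime import date

RETENTION_YEARS = 5  # the paper: every revision is kept at least five years from release


@dataclass(frozen=True)
class ModelVersion:
    """A.B.C: A = major revision, B = yearly review, C = successive implementation."""
    a: int
    b: int
    c: int

    @classmethod
    def parse(cls, text: str) -> "ModelVersion":
        parts = text.strip().split(".")
        if len(parts) != 3 or not all(p.isdigit() for p in parts):
            raise ValueError(f"expected A.B.C numbering, got {text!r}")
        return cls(*(int(p) for p in parts))

    def __str__(self) -> str:
        return f"{self.a}.{self.b}.{self.c}"

    def bump(self, event: str) -> "ModelVersion":
        """Advance the column that matches the revision event."""
        # Assumption (not in the paper): advancing a column resets the columns to
        # its right, so a major revision to 1.0.0 deprecates every 0.x.y revision.
        if event == "major":
            return ModelVersion(self.a + 1, 0, 0)
        if event == "yearly-review":
            return ModelVersion(self.a, self.b + 1, 0)
        if event == "implementation":
            return ModelVersion(self.a, self.b, self.c + 1)
        raise ValueError(f"unknown revision event {event!r}")


def add_years(d: date, years: int) -> date:
    """Same calendar date `years` later; 29 February rolls forward to 1 March."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)


@dataclass(frozen=True)
class Revision:
    version: ModelVersion
    released: date
    note: str


class LivingDocument:
    """Append-only revision history that starts at the 0.0.0 prototype model."""

    def __init__(self, prototype_released: date):
        self.revisions = [Revision(ModelVersion(0, 0, 0), prototype_released, "prototype model")]

    def record(self, event: str, released: date, note: str) -> ModelVersion:
        """Append the next revision; releases must be recorded in date order."""
        latest = self.revisions[-1]
        if released < latest.released:
            raise ValueError("revisions must be recorded in release order")
        self.revisions.append(Revision(latest.version.bump(event), released, note))
        return self.revisions[-1].version

    def must_retain(self, revision: Revision, today: date) -> bool:
        """True while the five-year minimum retention window is still open."""
        return today < add_years(revision.released, RETENTION_YEARS)

    def purge_candidates(self, today: date) -> list:
        """Superseded revisions whose retention window has closed (never the current one)."""
        return [r for r in self.revisions[:-1] if not self.must_retain(r, today)]
```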
Third Party Input
During the lifetime of the security assessment model for Innova Corporation, there will
be reports released from vendors and researchers that will need to be addressed and added to
the assessment model for Innova. When this occurs, Innova may choose to address the issue
immediately or wait until the appropriate time. However, this information cannot be ignored
and needs to be compared to the threat matrix of the business. Once assessed against the
matrix, Innova can more easily find the appropriate time scale for addressing the newly released
information.
Staff Education Guidance
A Layered Approach
The staff of Innova Corporation will need education and guidance during the stages of
the security assessment life cycle. Understanding the needs of a fully developed education
model comes from understanding the three tiers of an appropriate education program (Roper,
Grau, & Fischer, 2006). These three tiers are each driven by the needs of the assessment
program, and each has clearly defined responsibilities for the individuals that are
implementing them.
Each tier is designed to target a specified sector of the security assessment system with
defined performance objectives. Innova needs to develop content specific to each tier and
define communication channels for information to flow throughout the organization without
hindrance. After the education program has been developed and implemented, this
information will be added to the security assessment as a vector for evaluation to ensure
effectiveness.
When evaluations are undertaken, the results of the observations need to be added to
the comprehensive security assessment system documentation as part of the security baseline.
Ensuring that the staff can execute the management process correlates directly with the
success of business security.
Requirements Driven
The requirements driven approach to staff education utilizes the business requirements.
This tier of the education model is used to implement policies of protection for the identified
assets. The team implementing this tier has the responsibility to:
• Create policy for the assessment system that covers business assets
• Maintain the policies created by utilizing the living documentation model
• Act as leaders towards the other two tiers
• Communicate with all teams involved to ensure all needs are met and
understood
Using this list to hold the Requirements Driven tier accountable will ensure that the
business needs are being achieved. Developing an education platform from the list above
enables the business to guarantee the understanding of the employees who will be dedicated
to executing the list.
Means Driven
The means driven approach to staff education focuses on the scheduled operations of
the comprehensive security assessment system. These scheduled operations are:
• Implementation of the security assessment policies
• Review of the reports generated by the tools utilized during assessment
• Mitigation of the vulnerabilities discovered during assessment
• Reporting the results to the Requirements Driven tier
• Working with a dedicated scheduling process for assessment implementations
Developing an education platform that utilizes the above list will require discussions with
the Requirements team and the vendors of the tools utilized during implementation. The
Means Driven tier has the heaviest burden of technical education and will need to be given the
appropriate amount of time to develop the skills needed for implementation.
Once the Means Driven team has achieved the skills necessary to properly implement the
desired actions of the above list, only then can that team be held responsible for the
completion of their tasks.
Needs Driven
The needs driven approach to staff education creates a team that will respond to high
risk critical situations that need to be handled immediately. This team is a subdivision of the
Means Driven tier and consists of individuals that have the ability to respond under pressure.
The requirements of the Needs Driven tier are:
• On call for an immediate response of critical risk mitigation
• Works out of band from the Means Driven scheduling
• Communicates directly with company stakeholders and the Requirements Driven tier
• Consists of the leaders of both the Requirements and Means tiers
• Reports are given to the Requirements tier to be placed in the living documentation
This list creates a safety net for the organization in times of critical risk. The training for the
Needs Driven tier utilizes the training from both previous tiers and also includes its own
dedicated training material. The education program for the Needs Driven tier requires a crisis
management training course, which ensures the employees will be able to focus on the
immediate problem, understand the longer term consequences of the decisions that are made
during a time of crisis, and clearly communicate with all necessary parties at the time of crisis.
Creation of Initial Security Baseline
Initial Implementation
The initial implementation of the comprehensive security assessment system can be
easily understood by three key practices: 1. following the guidance of practices from the
discussions in previous sections of the documentation, 2. comparing the implementation
testing to identified goal achievement metrics, and 3. comparing the implementation testing to
the desired application of practice from the initial documentation. Areas 2 & 3 described above
have been researched in the COBIT 5 (2012) model from ISACA.
This implementation will create a security baseline for Innova that will be used for
successive implementations. The security baseline is the state of the information network after
the first complete cycle of the security system, including mitigation, as defined by this security
system. The initial mitigation process is critical for ensuring that the company has closed major
security holes and the onboarding process of the security culture has begun to take hold at
Innova Corporation.
Goal Achievement Metrics
The goal achievement metrics for the creation of the initial security baseline are defined
before the baseline is created. These metrics are the definitions of what a successful
implementation involves and are therefore designated by the policies that were created at the
beginning of the security assessment. Goal achievement metrics for the Innova Corporation are
listed as questions and include:
• Did the business fix security issues based upon the guidance of the automated
controls?
• Did the company properly log the policies and results of the security assessment?
• Did the organization create policies that enveloped the entire organization?
• Did Innova place priority on completing the assessment process?
All of these questions can be answered after the initial implementation of the security
assessment model is complete and the questions may be reused, if appropriate, during any
subsequent implementations.
Application of Practice Metrics
The application of practice metrics involved with the creation of the initial security
baseline is also a set of questions that need to be checked against the work completed. In this
case, the metrics are associated with the implementation of the methods used to discover and
mitigate the vulnerabilities on the network. The questions are:
• Did the implementation team use the governance model created by the stakeholders to
create a management model for mitigating those risks?
• Did the employees follow the policies created for implementing the management
strategies?
• Were the reports from the tools reviewed and utilized for mitigating the risks
discovered during the automated scanning practice?
• Were the documents filed in the living documentation of the comprehensive security
assessment system for storage and future review or comparison?
• If any problems were discovered during the security assessment that could not be
properly mitigated, was there a meeting held to discuss other mitigation strategies with
stakeholders or tool vendors?
Once all of the above questions are answered, Innova has assessed and responded to the
risks associated with its information system, and is in a position to continue to monitor the
network for abnormal activities until the next security event takes place. This is a minimal set of
questions and should be added to during the lifetime of the security assessment system.
Successive Implementations
The following categories have been identified to be used with each successive
implementation of the comprehensive security assessment system. The four categories are
based upon the ISO 27001 & 27002 model and NIST 800-30 rev.1. These create a cyclical
approach to security management.
Planning
After the initial implementation of the comprehensive security assessment system,
Innova will need to plan successive implementations. In order to plan those implementations,
Innova will review the previous implementations of the security system and discover the areas
that need to be addressed inside the network.
These areas are based upon the creation of the security baseline and the living
documentation of the security model. The security assessment team will need to set a schedule
of work and base the schedule upon a yearly cycle, unless major changes to the information
system occur in the interim.
Tracking
The tracking of successive implementations will be placed in the living documentation,
noted with the proper implementation label. The tracking utilizes the framework for
documentation created in the comprehensive policy section.
Correcting
In the correction section of successive implementations, the business identifies areas of
mitigation and completes the processes necessary to protect the network. By protecting the
network, it is understood that these goals are based upon the needs of the business in the
planning stage of the successive implementation.
Reporting
The reports from the automated tools and the manual mitigation reports should be
added to the living document of the assessment system. These documents should be reviewed
and compared to the current security baseline to monitor any unwarranted changes. If anything
unusual is noticed during the review of the reporting phase, further investigation into the
system will be needed, and if the anomaly is not comprehensible, then another security
implementation is warranted.
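To make the reporting-phase comparison concrete, here is an added example (not from the paper or any vendor) that diffs a new scan export against the recorded baseline and flags the unusual changes that warrant further investigation. The CSV layout, the host addresses and plugin ids, the severity scale and the "high or above" escalation threshold are all constructed assumptions.

```python
import csv
from dataclasses import dataclass
from io import StringIO

# Severity order used for "worsened" and escalation decisions (assumed scale).
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample exports: hypothetical hosts, plugin ids and findings, not real scan data.
BASELINE_CSV = """host,plugin_id,severity,name
10.0.0.5,10001,medium,TLS certificate expires within 30 days
10.0.0.5,10002,low,ICMP timestamp response
10.0.0.7,10003,high,SMB signing not required
"""
CURRENT_CSV = """host,plugin_id,severity,name
10.0.0.5,10001,high,TLS certificate expired
10.0.0.7,10003,high,SMB signing not required
10.0.0.9,10004,critical,Management interface uses vendor default credentials
10.0.0.9,10005,low,Server banner disclosure
"""


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str
    severity: str
    name: str

    @property
    def key(self) -> tuple:
        return (self.host, self.plugin_id)


def parse_report(text: str) -> dict:
    """Parse a host,plugin_id,severity,name CSV export into {(host, plugin_id): Finding}."""
    findings = {}
    for row in csv.DictReader(StringIO(text.strip())):
        sev = row["severity"].strip().lower()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {sev!r} for host {row['host']}")
        f = Finding(row["host"].strip(), row["plugin_id"].strip(), sev, row["name"].strip())
        findings[f.key] = f
    return findings


def compare_to_baseline(baseline: dict, current: dict, escalate_at: str = "high") -> dict:
    """Classify the newest report against the baseline; new or worsened findings at or
    above `escalate_at`, and hosts absent from the baseline, warrant further investigation."""
    by_key = lambda f: f.key  # sort key giving a stable report order
    new = sorted((current[k] for k in current.keys() - baseline.keys()), key=by_key)
    resolved = sorted((baseline[k] for k in baseline.keys() - current.keys()), key=by_key)
    worsened = sorted((current[k] for k in current.keys() & baseline.keys()
                       if SEVERITY_RANK[current[k].severity] > SEVERITY_RANK[baseline[k].severity]),
                      key=by_key)
    unknown_hosts = sorted({f.host for f in current.values()} - {f.host for f in baseline.values()})
    threshold = SEVERITY_RANK[escalate_at]
    escalate = [f for f in new + worsened if SEVERITY_RANK[f.severity] >= threshold]
    return {
        "new": new,
        "resolved": resolved,
        "worsened": worsened,
        "unknown_hosts": unknown_hosts,
        "escalate": escalate,
        "further_investigation": bool(escalate or unknown_hosts),
    }


if __name__ == "__main__":
    result = compare_to_baseline(parse_report(BASELINE_CSV), parse_report(CURRENT_CSV))
    for bucket in ("new", "resolved", "worsened", "escalate"):
        print(bucket, [f"{f.host}:{f.plugin_id}:{f.severity}" for f in result[bucket]])
    print("unknown hosts:", result["unknown_hosts"], "investigate:", result["further_investigation"])
```

Resolved findings are reported as well so the reviewer can confirm each closure matches a documented mitigation rather than a host that simply dropped out of scan scope.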
References
Calder, A., & Watkins, S. (2012). IT Governance—An International Guide to Data Security and
ISO27001/ ISO27002 (5th ed.). Philadelphia, PA: Kogan Page.
IBM Corporation. (2013). Responding to and recovering from sophisticated security attacks: The
four things you can do now to help keep your organization safe. Somers, NY: IBM Global
Services.
ISACA. (2012). COBIT 5: A Business Framework for the Governance and Management of
Enterprise IT. Rolling Meadows, IL: ISACA.
ISECOM. (2010). Open Source Security Testing Methodology Manual. Cardedeu, Spain: ISECOM.
National Institute of Standards and Technology. (2010). Guide for Applying the Risk
Management Framework to Federal Information Systems. Gaithersburg, MD: National
Institute of Standards and Technology.
National Institute of Standards and Technology. (2012). Guide for Conducting. Gaithersburg,
MD: National Institute of Standards and Technology.
OISSG. (2004, August 10). Information Systems Security Assessment Framework Draft 1.0.
Retrieved from Sourceforge: http://sourceforge.net/projects/isstf/
OWASP. (2015, August 7). OWASP Proactive Controls. Retrieved from OWASP:
https://www.owasp.org/index.php/OWASP_Proactive_Controls
PCI Security Standards Council, LLC. (2015, April). Payment Card Industry (PCI) Data Security
Standard Version 3.1. Wakefield, MA: PCI Security Standards Council, LLC.
Roper, C., Grau, J., & Fischer, L. (2006). Security Education, Awareness and Training: From
Theory to Practice. Burlington, MA: Elsevier Inc.
Ross, S. (2011). Creating a Culture of Security. Rolling Meadows, IL: ISACA.
SANS Institute. (2015, August 15). Critical Security Controls: Guidelines. Retrieved from SANS:
https://www.sans.org/critical-security-controls/guidelines
Scarfone, K., Souppaya, M., Cody, A., & Orebaugh, A. (2008). Technical Guide to Information
Security Testing and Assessment. Gaithersburg, MD: National Institute of Standards and
Technology.
Tenable Network Security. (2014). Tenable Solutions for the Cyber Hygiene Campaign.
Columbia, MD: Tenable Network Security, Inc.
Xiao, Y. (2014). Vulnerability Assessment for Substation Automation Systems. In Y. Xiao (Ed.),
Security and Privacy in Smart Grids (Chapter 8). Boca Raton, FL: Taylor & Francis
Group, LLC.
Appendix A: RISK ASSESSMENT METHODOLOGY EVALUATION (5)
The process for periodic risk assessment for information security in the Organization
environment identifies the follow up actions, after the risk assessment has been completed, to
manage the newer risks that have been realized in the environment.
1. Does the risk assessment exercise at minimum include the following?
1.1. Identification of all business critical information assets (e.g., data, paper
documents, software, hardware, etc.)?
1.2. Vulnerabilities assessment for the identified assets?
1.3. Identifying the risk scenarios for compromise of the assets via the vulnerabilities
identified?
1.4. Assessing a probability of the risk scenario to come to pass on a rate scale?
1.5. Assessing the impact on the business if the risk scenario were to come to pass?
1.6. Calculating the risk rating by multiplying the probability by the impact?
1.7. Prioritizing the risks based on the risk ratings?
2. Does the Organization conduct a comprehensive organization wide risk assessment
exercise to reassess the threats, vulnerabilities and business impact for information security &
is the Chief Information Security Officer (CISO) duly assisted by the respective Information
Security Officers (ISOs) during this periodical risk assessment exercise?
3. Is there a Risk Assessment Template which is used as a general framework for the
conduct of the risk assessment?
4. Is there a risk management plan developed to minimize the exposure of the company to
the high risks that are identified?
5. Are the controls implementation instructions issued on the basis of the risk
management plan, which will clearly identify responsibilities and timelines for implementation?
6. Does the CISO with assistance from the ISOs verify and validate the desired
implementation actions within the stipulated time?
7. Are the details of the risk assessment, risk management plan and implementation
preserved for a stipulated period? (3-5 years)
8. Apart from the yearly risk assessment, is a risk assessment carried out whenever there is
a major change to the P&O network and systems such as addition of a new business
application, relocation or redeployment of an existing application system, or major changes to
network architecture?
(5) See Reference OISSG.
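As an added example covering Appendix A items 1.4 to 1.7 and the Third Party Input section (example code written for this page, not from the paper or the ISSAF), the following Python rates constructed risk scenarios as probability times impact, prioritizes them, and re-rates one scenario when an outside report changes its likelihood. The 1-5 scales, the rating bands mapped to the Needs Driven and Means Driven tiers, and the sample register are all assumptions.

```python
from dataclasses import dataclass, replace

# Assumed 1-5 scales; the appendix only asks for "a rate scale" and a probability x impact rating.
PROBABILITY_SCALE = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
IMPACT_SCALE = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Assumed rating bands (on the resulting 1-25 range) mapped onto the paper's staff tiers.
IMMEDIATE_AT = 15  # Needs Driven tier: out-of-band, immediate mitigation
SCHEDULED_AT = 6   # Means Driven tier: next scheduled implementation


@dataclass(frozen=True)
class RiskScenario:
    asset: str
    vulnerability: str
    scenario: str
    probability: int  # 1-5, Appendix A item 1.4
    impact: int       # 1-5, Appendix A item 1.5

    def __post_init__(self):
        if self.probability not in PROBABILITY_SCALE or self.impact not in IMPACT_SCALE:
            raise ValueError(f"probability and impact must be 1-5 for {self.asset!r}")

    @property
    def rating(self) -> int:
        """Appendix A item 1.6: risk rating = probability x impact."""
        return self.probability * self.impact


def time_scale(rating: int) -> str:
    """Map a rating to the paper's response paths (band thresholds are assumptions)."""
    if rating >= IMMEDIATE_AT:
        return "immediate (Needs Driven tier)"
    if rating >= SCHEDULED_AT:
        return "next scheduled implementation (Means Driven tier)"
    return "monitor until yearly review"


def prioritize(register: list) -> list:
    """Appendix A item 1.7: highest rating first; ties broken by impact, then asset name."""
    return sorted(register, key=lambda s: (-s.rating, -s.impact, s.asset))


def apply_third_party_report(register: list, asset: str, vulnerability: str,
                             new_probability: int) -> list:
    """Re-rate one scenario after a vendor or researcher report changes its likelihood
    (the Third Party Input section) and return the re-prioritized register."""
    updated, matched = [], False
    for s in register:
        if s.asset == asset and s.vulnerability == vulnerability:
            s, matched = replace(s, probability=new_probability), True
        updated.append(s)
    if not matched:
        raise KeyError(f"no scenario for {asset!r} / {vulnerability!r} in the register")
    return prioritize(updated)


# Constructed sample register (hypothetical assets, not Innova's actual inventory).
SAMPLE_REGISTER = [
    RiskScenario("customer database", "unpatched database service", "record exfiltration", 4, 5),
    RiskScenario("workstations", "outdated endpoint protection", "malware outbreak", 3, 3),
    RiskScenario("network printers", "default SNMP community string", "configuration disclosure", 2, 1),
    RiskScenario("public web server", "expired TLS certificate", "session interception", 3, 4),
]

if __name__ == "__main__":
    for s in prioritize(SAMPLE_REGISTER):
        print(f"{s.rating:>2}  {s.asset:<18} {s.scenario:<26} -> {time_scale(s.rating)}")
```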