COMPREHENSIVE SECURITY ASSESSMENT SYSTEMIZATION

Developed by Jesse C. Schroeder
August 08, 2015
For Western Governors University
Completion of the Masters of Information Security & Assurance

Jesse C. Schroeder | WESTERN GOVERNORS UNIVERSITY

Contents

Introduction
High Level Discussion of the Assessment Model
  Review of Multiple Models
    NIST Special Publications 800-30 rev. 1, 800-37, & 800-115
    OSSTMM v3
    DISA ACAS
    ISSAF
    OWASP Proactive Controls
    ISO 27001 & 27002
    COBIT 5
    IBM Security Services
    PCI v3.1
  Identification of Necessary Categories
Sectional Discussion of the Assessment Model and Implementation
  Comprehensive Policy
    Documentation Creation
  Defining Business Requirements
    Identify Assets
    Create Risk Tolerance Levels
    Mitigation Strategies
  Scheduling
    Automated
    Manual
  Security Assessment Automation
  Creating Security Culture
    Security Awareness
  Updating Documentation
    Third Party Input
Staff Education Guidance
  A Layered Approach
    Requirements Driven
    Means Driven
    Needs Driven
Creation of Initial Security Baseline
  Initial Implementation
  Goal Achievement Metrics
  Application of Practice Metrics
Successive Implementations
  Planning
  Tracking
  Correcting
  Reporting
References
Appendix A: RISK ASSESSMENT METHODOLOGY EVALUATION

Introduction

This is a living document and will be altered to fit the needs of the organization that utilizes this documentation. The purpose of this documentation is to create a comprehensive security assessment system that fulfills the end-user requirements of Innova Corporation. With this system, the company can use the documentation to create a security baseline for its organization and use the provided documentation to repeat the same process at satellite offices. This documentation is not site specific and can be used by any large organization to establish or audit the information security model of its operating environment.

The security model has been developed for Innova Corporation¹, which has over 1000 unique user instances. The functional requirements are that the organization takes the documentation and utilizes the process thoroughly and in the order described to determine the probability of asset loss or compromise on the information systems of the business.

This documentation reviews various security standards and attempts to create a comprehensive security assessment system for implementation at Innova Corporation.
The documentation reviewed is:

• NIST Special Publications 800-30, 800-37, & 800-115
• OSSTMM v3
• DISA ACAS
• ISSAF
• OWASP Testing Guide
• ISO 27001 & 27002
• COBIT 5
• PCI v3.1

¹ Hypothetical company.

The following documentation includes:

• A high level discussion of the assessment model
• A sectional discussion of the assessment model and implementation
• Guidance for the creation of documentation during implementation
• Guidance for the education of implementation staff
• A discussion about the creation of an initial security baseline
• A discussion about successive implementations

High Level Discussion of the Assessment Model

Review of Multiple Models

The following is a brief overview of the findings in the various models that have undergone review for the creation of a comprehensive security assessment system for Innova Corporation. Listings from the research have been placed under the title of each document. These findings will be utilized to identify and create the necessary categories for the assessment model systemization.

NIST Special Publications 800-30 rev. 1, 800-37, & 800-115

The National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce, creates multiple publications every year for multiple industries. The focus in this paper is placed upon three reports chosen from the information technology sub-section of the agency's publications.

In the 800-30 rev. 1 publication (National Institute of Standards and Technology, 2012), the documentation describes three risk tiers for the business to manage. The tiers listed are Organizational, Business Process, and Information Systems. Within each tier, the business will need to implement four steps of risk management. These include:

Step 1: Frame Risk / Establish Context
Step 2: Assess Risk
Step 3: Respond to Risk
Step 4: Monitor Risk

The establishment of the three tier system focuses on covering all areas of the business and utilizes the steps listed above to ensure that each step in the tier is properly documented. The 800-30 rev. 1 publication does not use the tier system to create silos inside the business; instead, all three tiers work together to create a holistic approach. The NIST 800-30 rev. 1 emphasizes living documentation by updating the assessment framework as needed for each tier of the risk management processes.

When conducting assessments for each tier, there are five steps in the process (National Institute of Standards and Technology, 2012). These include:

• Identifying the threat source and events that occur
• Identifying the vulnerable areas and current operational conditions
• Determine the likelihood of the exploitation occurrence
• Determine the magnitude of exploitation impact
• Determine the risk level for the organization

The previous list creates a model that emphasizes identifying each threat and determining information about the threat quickly so that the business can recover and mitigate any damage.

In the 800-37 publication (National Institute of Standards and Technology, 2010), the documentation focuses on five areas of security for a business to utilize. These areas include:

• Emphasize Real Time Management
• Clear cost-effective decisions in line with mission
• Security culture
• Use tools
• Emphasize responsibility / accountability

The five areas, identified above, create a model of security that works alongside the needs of the business.
The 800-37 documentation discusses the use of vendor tools for automation and creates a dependence on making decisions in a cost-effective manner to mitigate risk. This methodology produces the understanding that it is not necessary to reduce risks to nonexistence; instead, the business must choose to accept certain risks based upon a cost-benefit analysis of risk level.

In the 800-115 publication (Scarfone, Souppaya, Cody, & Orebaugh, 2008) there is a detailed set of instructions for creating a security testing and assessment model. This documentation lists seven major sections that provide technical guidance for completing the assessment process and remediation activities. An overview includes:

• Overview of assessments
• Technical examination techniques
• Identification of targets and analysis for potential vulnerabilities
• Techniques used to validate vulnerabilities
• Planning security assessment
• Key factors in execution of assessment
• Reporting findings and remediation

The 800-115 documentation is extremely detailed, with various techniques that can be utilized in each of the seven sections. The documentation can be summarized as possibly twelve key areas, identified by Yang Xiao (Xiao, 2014):

1. Identify scope
2. Roles and responsibilities
3. Limitation and assumptions
4. Systems configuration
5. Network traffic
6. Network rulesets
7. Vulnerability scanning
8. Network discovery
9. Protocol identification
10. Password cracking
11. Social engineering
12. Penetration testing
13. Cause identification
14. Mitigation review
15. Reporting

This list creates a well-defined shorthand of what the 800-115 publication contains. The NIST report contains too much information for what is to be applied to the scope of the model for Innova but does have valid sections that will be utilized.

OSSTMM v3

The Open Source Security Testing Methodology Manual (OSSTMM) version 3 offers multipurpose usage in its documentation, suggesting that the information can be used for ethical hacking, penetration testing, or security assessments. The OSSTMM v3 is very detailed and emphasizes providing only fact-based evidence when using its testing methodology (ISECOM, 2010). Due to this emphasis, the documentation also highly suggests that individuals become certified to encourage proper implementation of its model. This leads to decision making that does not lend itself towards a risk-based approach, due to the subjective nature of the business defining its own risk tolerance levels.

However, the OSSTMM v3 does suggest that its model can be adapted for the utilization of operational security. Innova will be able to implement sections of the OSSTMM v3 into the mitigation strategies during the creation of the assessment system.

DISA ACAS

The Defense Information Systems Agency (DISA) has released a document called the Assured Compliance Assessment Solution (ACAS). This documentation can be readily understood by reading the case study about proper security hygiene documentation released by Tenable Network Security as a result of the partnership between the Department of Defense (DoD) and Tenable. This case study emphasizes five key areas for creating better cyber hygiene in an organization by utilizing a security hygiene model of network management. These five steps need to be repeated on a regular basis to ensure compliance with the ACAS.
These five items include (Tenable Network Security, 2014):

• Inventory all devices on the network
• Inventory all software on the network
• Develop and manage information security configurations
• Automate vulnerability assessments and remediation
• Actively manage and control the use of admin privileges

The SANS Institute² has worked directly with Tenable to create a living document that contains twenty items for securing the information network of an organization (SANS Institute, 2015). This documentation suggests that fifteen out of the twenty items needed for securing the network can be automated. Creating a framework of automation, which encourages the usage of vendor tools, cuts down on the workload to maintain security and assess the current status of an information environment.

² A private United States company specializing in information security and cyber security training. More information can be found at http://www.SANS.org

ISSAF

The Open Information System Security Group (OISSG) has worked to create the Information System Security Assessment Framework (ISSAF). Section 6 of this documentation demonstrates an evaluation checklist for assessing the methodology of a risk assessment (OISSG, 2004). The documentation addresses eight questions to identify and ensure the proper areas have been created for a risk assessment. The creation of the model for Innova Corporation will address these questions³ to ensure the proper development of the desired model.

³ See Appendix A.

OWASP Proactive Controls

The Open Web Application Security Project (OWASP) Proactive Controls discusses a living documentation model of the top ten strategies for securing a network. At the time of this writing, OWASP lists the following as their top ten (OWASP, 2015):

1. Parameterize Queries
2. Encode Data
3. Validate All Inputs
4. Implement Appropriate Access Controls
5. Establish Identity and Authentication Controls
6. Protect Data and Privacy
7. Implement Logging, Error Handling and Intrusion Detection
8. Leverage Security Features of Frameworks and Security Libraries
9. Include Security-Specific Requirements
10. Design and Architect Security Into Infrastructure

This list is used to establish a scope of areas that are associated with higher risk levels. These items are listed in a hierarchical order and should be followed as listed. Updates to this list do occur, and the list should be monitored on a regular basis to establish a proper perspective of risk level.

ISO 27001 & 27002

ISO publications 27001 & 27002 are closely linked together in terms of policy management and scope. These two documents will be addressed together instead of individually. The implementation of these publications emphasizes the usage of a four stage model to create a model of comprehensive management. These stages are (Calder & Watkins, 2012):

• Plan on how to best implement solutions
• Do the work of implementing the solutions discussed
• Check to see if the implementations had the desired effect
• Act to mitigate any further problems and report on the findings, thus starting the process again

There are 6 steps in the Plan stage and 5 steps in the Do stage of this model, and they are defined as (Calder & Watkins, 2012):

• 6 Step Model Plan Stage:
  o Define Scope
  o Define InfoSec Policy
  o Define Systematic Approach to assessment and Criteria
  o Implement Approach to discover risks
  o Review results and define Mitigation
  o Prepare statement of applicability
• 5 Step Do Stage:
  o Create Risk treatment plan
  o Implement plan and controls
  o Arrange staff training
  o Manage resources
  o Monitoring procedures

These findings will be used to help create the comprehensive security assessment model for the Innova Corporation. The planning and doing stages of the ISO 27001 & 27002 documentation will be used in the policy and requirements sections of the model for Innova.

COBIT 5

The Information Systems Audit and Control Association (ISACA) released version 5 of the Control Objectives for Information and Related Technology (COBIT) in April of 2012 (ISACA, 2012) and has continued to develop this implementation. In the documentation, there is a listing of five key principles that are needed to comply with the COBIT 5 model. These are:

• Meet Stakeholder Needs
• Cover All Enterprise
• Single Integrated Framework
• Holistic Approach
• Separate Governance from Management

The COBIT model emphasizes ensuring that the needs of the organization are met on a business level first and that implementation of the model covers the entire organization in a single comprehensive framework.

IBM Security Services

IBM has released multiple white papers, one of which discusses four key components that will help secure large organizations. These are (IBM Corporation, 2013):

1. Prioritize business objectives and set risk tolerance
2. Protect the organization with a proactive security plan
3. Prepare a response for a sophisticated attack
4. Promote and support a culture of security awareness

These four security practices identify the need to create a plan that emphasizes the needs of the business first and base the security practices on those needs.
The previous four components can further be broken down into IBM’s ten security essentials, which the documentation identifies as (IBM Corporation, 2013):

1. Build risk aware culture
2. Manage incidents & respond
3. Defend the workplace
4. Security by design
5. Update systems
6. Control access
7. Isolate services
8. Create a culture of security
9. Inventory assets
10. Identify people and monitor them in the operation

PCI v3.1

The Payment Card Industry (PCI) has a Security Standards Council that releases data security standards for “consistent data security measures globally” (PCI Security Standards Council, LLC, April, 2015). In their current standard, released April 2015, PCI includes 6 sections of identification. These include:

• Build and Maintain a Secure Network and Systems
• Protect Critical Business Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Test Networks
• Maintain an Information Security Policy

The previous sections are then broken down into action steps that organizations can take to comply with the PCI standard v3.1. The listing below gives the steps that a business can utilize to become PCI compliant.

Configure the following to control network: Proactive Policy (PCI Security Standards Council, LLC, April, 2015)

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored business data
4. Encrypt transmission of cardholder data across open, public networks
5. Protect all systems against malware and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Identify and authenticate access to system components
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

Identification of Necessary Categories

After a study of the previous documentation, it has been found that similar categories from the documentation can be identified for the creation of a comprehensive security assessment system. Many of the papers identify the same categories and emphasize their need in the creation of the Innova security assessment system. The categories were chosen based upon the need to cover all information security areas at Innova Corporation and the ability to reuse the information during any modification or exportation of the documentation. These categories have been identified as follows:

• Identify the needs of the business
• Assessment Automation
• Create a schedule for testing and comparison of results
• Utilize policy for the entire business
• Continue to Update the Documentation
• Educate Staff
• Create Culture of Security

Sectional Discussion of the Assessment Model and Implementation

Comprehensive Policy

The creation of a comprehensive policy to address the security assessment system includes the four key areas associated with the IBM Security Services. All policies created focus on an organization-wide approach to risk management, and all sections of the business need to work together to promote a culture of security.

1. Prioritize business objectives and set risk tolerance
2. Protect the organization with a proactive security plan
3. Prepare a response for a sophisticated attack
4. Promote and support a culture of security awareness

Documentation Creation

The creation of documentation for a comprehensive policy needs to be based upon an assessment template framework. This documentation will act as a checklist for the implementation of policies created for security assessments. The framework includes:

• Stakeholder requirements for proper business governance
• Managed asset categories based upon the identified requirements
  o Subcategories listing tools that are used for assessing security
• Reports returned from security assessments listing risk matrix levels
  o Mitigation strategies for identified vulnerabilities
• Actions taken towards securing the network by the organization
• Timestamps and professionals responsible for the documentation

Utilizing this framework creates a standard for the comprehensive security assessment system that can be easily scanned and understood by the professionals working on the information systems. Also, with the inclusion of timestamps and names of the responsible parties, this documentation includes the element of nonrepudiation.

Defining Business Requirements

To define the business requirements of Innova Corporation, the assessment team needs to take a few initial steps before any further documentation can be created. First, the team must identify the assets. Second, risk tolerance levels need to be created. These two steps are associated with the ISSAF, wherein the initial steps are defined for the creation of risk association.

Identify Assets

The initial step in creating the assessment model for Innova Corporation is to create an overview of the business. This is done by identifying all of the assets attached to the information network.
Viewing the definition in the DISA ACAS section of the models, it can be seen that these assets include:

• Hardware
• Software
• Documentation or Multimedia
• User accounts
• Permissions

Once established, this information needs to be discussed with company stakeholders to acquire a definitive governance model for the business. This model establishes the requirements for the continued success of the business. Only the top stakeholders of the business understand what is required for the continual success of the business model.

Create Risk Tolerance Levels

The creation of risk tolerance levels allows the organization to manage the risk levels associated with the assets of the business. This is needed because the business cannot focus on all risks at once. Therefore, a hierarchy of risks needs to be defined for the organization. This assessment model creates three layers of risk: High, Medium, and Low. These three layers are based upon the probability of asset exploitation and the impact it may have on the business. To understand which assets may be at a higher risk level than others, the OWASP Proactive Controls model has been reviewed.

Innova must now take the assets that are identified as critical to the business, associate them with the current probable levels of exploitation, and assign each a risk level. Doing this creates the risk matrix for the organization and prioritizes the risks based upon these ratings. To be clear, this matrix will not become populated until a risk assessment is implemented at the organization.

Mitigation Strategies

Once assets have been discovered with unacceptable risk levels, mitigation strategies need to be implemented. These strategies are based upon the tools used to assess the information systems. Automated tools return varying mitigation strategies.
Therefore, it is required that the organization use multiple sources for scanning the network to identify vulnerabilities. When the tools return mitigation strategies, the employees must simply follow the instructions to close the security holes in the network.

It is suggested, but not required, that when selecting tools for scanning the network the company use vendors that supply proof of the identified vulnerabilities. This means that the tools will actively exploit vulnerabilities; one such tool is Netsparker⁴. In this way, Innova security personnel can have proof that the vulnerability can actually damage the system, because these types of tools do not return vulnerabilities that they cannot exploit, ensuring a very low or nonexistent false positive rate.

⁴ Information can be found at https://www.netsparker.com/

If Innova employees come across vulnerabilities that they do not understand, the company should call the vendors of the security tools that the implementation team has chosen and discuss possible ways to fix the unknown problem. Or, if a vulnerability cannot be fixed, then a meeting needs to be held with the stakeholders to discuss possible mitigation strategies at a business level.

Scheduling

Two types of scheduling have been identified for creating the assessment system based upon the NIST 800-37 documentation: automated and manual scheduling. The main purpose of scheduling the implementations and mitigation strategies of the assessment model is to verify the implementation procedures and validate mitigation events.

Automated

The automated scheduling is based upon the tools used for implementing part of the security assessment model. Automation occurs when enabling processes that can be run without oversight. These processes are the tools selected by the organization for scanning the network and searching for vulnerabilities.
The automated processes are maintained by third parties, and the tools develop reports for Innova based upon the settings that are enabled in the tools. A list of automated settings that the scanning tools can use will be created based upon the policies created during the creation of the business requirements and management policies.

Selecting and purchasing tools for the organization will be a joint process between the stakeholders of the organization and the management team that is implementing their requirements. Tools change and are updated all the time. However, at the time of this writing, the tools that Tenable Network Security has created, in conjunction with the identified requirements from the DoD, are top of class for automatically scanning information networks.

Manual

Manual scheduling for the security assessment system is used to implement the defined policies by employees of Innova Corporation. This strategy is used when there are changes to the network and systems at the business, when a review needs to be undertaken to ensure the automated tools are running properly, or when a security assessment needs to occur.

When implementing a security assessment, it is necessary to schedule the required working hours to complete the tasks documented in the management section of the comprehensive policy. Without the proper human resources dedicated to completing the assessment, there is an unknown chance of successfully securing the information network. If a secure network cannot be guaranteed, then there is no point in undergoing a partial security assessment implementation.

The business undergoes a shift in the risk matrix when changes to the network and systems at the business occur. This is due to implementing a different set of variables into the network.
Depending on what is implemented, huge shifts may occur and leave the critical resources of the business vulnerable to assault. The only way to ensure the security of the network is to undergo a security assessment and use the successive implementation model discussed in this document.

A schedule for reviewing the automated reports from the scanning tools is a requirement for the completion of security assessment implementation. The staff that is accountable for implementing and overseeing the tools utilized in the security assessment must be able to complete their tasks. In this way, the vendors can be held accountable for their tools that are implemented on the Innova network. If the employees are not allowed the necessary resources for the completion of their tasks, then the chain of accountability falls apart and, with it, the security model.

Security Assessment Automation

As described in the DISA ACAS section of the high level review, multiple sections of the security assessment model can be automated. This automation is continuous and reports to the team assigned to review this documentation. The main benefits of utilizing automated tools are:

• Reduction in labor and reporting error
• Minimize vulnerability exposure
• Shift responsibility
• Constant monitoring
• Consistent report forms

A multitude of automated monitoring tools exist to assess the security posture of an organization, and reviewing them is beyond the scope of this paper. However, the need for such tools is obvious due to the benefits described above. When automated tools are used, the reporting error of humans is reduced to the levels automated in the software. This creates a minimal amount of error that is shifted to the vendors that supply the tools implemented, because those companies are responsible for the training of the Innova employees that are managing their product.
The reduction in labor is justified by the reduction in work hours necessary to implement the security assessment. Different tools need differing amounts of oversight and will cut the workload at a rate based upon that oversight. Also, it is required that Innova choose tools that utilize constant monitoring of the network for quick identification of vulnerabilities and risk mitigation. This method reduces the risk of long term vulnerability exposure time to a minimal level by delivering consistent reporting forms on a scheduled basis to the security assessment implementation team.

The implementation team will need to review the automated reports and add them to the living documentation of the security assessment framework. The team will also need to use these reports when the mitigation procedures take place and add their own documentation about the results of their work to the assessment documentation.

Creating Security Culture

Developing a security culture at Innova Corporation requires the establishment of trust in the business and the employees that work there. The consequences of creating a culture of security at a business involve the prevention of fraud and misuse of information resources (Ross, 2011). In order to create this culture, strategic drivers must be implemented at the organization. These drivers include:

• Establishing leaders of security
• Ensuring a budgetary establishment for security
• Utilizing policy to ensure responsibility
• Creating security awareness and education programs

The leaders of information security at the organization are established through the creation of the three tier staff education guidance section of this paper. These leaders work directly with stakeholders to establish security requirements for the organization.
The stakeholders ensure the budgetary requirements for the policies are met, because the security assessment policies are based upon the business requirements during the creation of policy. The policies created hold the individuals who implement them responsible. This is one of the requirements of the comprehensive security assessment system.

Security Awareness

Creating a security awareness and education program for employees at Innova involves:

• Input from the stakeholders about the needs of the business
• Concise actionable steps employees can take to enact security requirements
• Development of a security reporting model for the organization
• A hold harmless doctrine for reporting to enable the development of trust in the organization

All staff members need to attend a minimum of one training session to understand the requirements being placed upon them by the organization. This will ensure the accountability of all employees at Innova and allow additional documentation into the living model of the security assessment.

Updating Documentation

The documentation of the comprehensive security assessment system will need to be updated when new information is discovered about the assessment process. This discovery will come from the implementation of the model, third party documentation, acquiring new software or hardware services, or other unforeseen sources. Due to the design of the living document assessment model, version control can be implemented.

To control the various versions of the documentation, a numbering strategy is used for maintaining the versioning process. Three decimal versions are used (0.0.0), thus creating columns A, B, and C. These columns are used as follows:

• Column A: Major revisions to the assessment model, thus creating the need to deprecate the previous model.
• Column B: Yearly review and update of the assessment model with reports appended to the documentation.
• Column C: Each successive implementation, with reports appended to the documentation.

The initial documentation is known as the prototype model and has a versioning number of 0.0.0. Each revision, whether major or minor, needs to be kept for a minimum of five years, starting at the time of release of the documentation.

Third Party Input

During the lifetime of the security assessment model for Innova Corporation, there will be reports released from vendors and researchers that will need to be addressed and added to the assessment model for Innova. When this occurs, Innova may choose to address the issue immediately or wait until the appropriate time. However, this information cannot be ignored and needs to be compared to the threat matrix of the business. Once it is assessed against the matrix, Innova can more easily find the appropriate time scale for addressing the newly released information.

Staff Education Guidance

A Layered Approach

The staff of Innova Corporation will need education and guidance during the stages of the security assessment life cycle. Understanding the needs of a fully developed education model comes from understanding the three tiers of an appropriate education program (Roper, Grau, & Fischer, 2006). These three tiers are each driven by the needs of the assessment program, and each has clearly defined responsibilities for the individuals that are implementing them.

Each tier is designed to target a specified sector of the security assessment system with defined performance objectives. Innova needs to develop content specific to each tier and define communication channels for information to flow throughout the organization without hindrance.
After the education program has been developed and implemented, this information will be added to the security assessment as a vector for evaluation to ensure effectiveness. When evaluations are undertaken, the results of the observations need to be added to the comprehensive security assessment system documentation as part of the security baseline. Ensuring that the staff executing the management process are properly educated is directly correlative with the success of business security.

Requirements Driven

The requirements driven approach to staff education utilizes the business requirements. This tier of the education model is used to implement policies of protection for the identified assets. The team implementing this tier has the responsibility to:

• Create policy for the assessment system that covers business assets
• Maintain the policies created by utilizing the living documentation model
• Act as leaders towards the other two tiers
• Communicate with all teams involved to ensure all needs are met and understood

Using this list to hold the Requirements Driven tier accountable will ensure that the business needs are being achieved. Developing an education platform from the list of questions enables the business to guarantee the understanding of the employees who will be dedicated to executing the list.

Means Driven

The means driven approach to staff education focuses on the scheduled operations of the comprehensive security assessment system.
These scheduled operations are:

• Implementation of the security assessment policies
• Review of the reports generated by the tools utilized during assessment
• Mitigation of the vulnerabilities discovered during assessment
• Reporting the results to the Requirements Driven tier
• Works with a dedicated scheduling process for assessment implementations

Developing an education platform that utilizes the above list will require discussions with the Requirements team and the vendors of the tools utilized during implementation. The Means Driven tier has the heaviest burden of technical education and will need to be given the appropriate amount of time to develop the skills needed for implementation. Only once the Means Driven team has achieved the skills necessary to properly implement the desired actions of the above list can that team be held responsible for the completion of their tasks.

Needs Driven

The needs driven approach to staff education creates a team that will respond to high risk critical situations that need to be handled immediately. This team is a subdivision of the Means Driven tier and consists of individuals that have the ability to respond under pressure. The requirements of the Needs Driven tier are:

• On call for an immediate response of critical risk mitigation
• Works out of band from the Means Driven scheduling
• Communicates directly with company stakeholders and Requirements Driven tier
• Consists of the leaders of both the Requirements and Means tiers
• Reports are given to the Requirements tier to be placed in the living documentation

This list creates a safety net for the organization in times of critical risk. The training for the Needs Driven tier utilizes the training from both previous tiers and also includes its own dedicated training material.
The education program for the Needs Driven tier requires a crisis management training course, which ensures the employees will be able to focus on the immediate problem, understand the longer term consequences of the decisions that are made during a time of crisis, and clearly communicate with all necessary parties at the time of crisis.

Creation of Initial Security Baseline

Initial Implementation

The initial implementation of the comprehensive security assessment system can be easily understood by three key practices:

1. following the guidance of practices from the discussions in previous sections of the documentation,
2. comparing the implementation testing to identified goal achievement metrics, and
3. comparing the implementation testing to the desired application of practice from the initial documentation.

Areas 2 & 3 described above have been researched in the COBIT 5 (2012) model from ISACA. This implementation will create a security baseline for Innova that will be used for successive implementations.

The security baseline is the state of the information network after the first complete cycle of the security system, including mitigation, as defined by this security system. The initial mitigation process is critical for ensuring that the company has closed major security holes and the onboarding process of the security culture has begun to take hold at Innova Corporation.

Goal Achievement Metrics

The goal achievement metrics for the creation of the initial security baseline are defined before the baseline is created. These metrics are the definitions of what a successful implementation involves and are therefore designated by the policies that were created at the beginning of the security assessment.
Goal achievement metrics for the Innova Corporation are listed as questions and include:

• Did the business fix security issues based upon the guidance of the automated controls?
• Did the company properly log the policies and results of the security assessment?
• Did the organization create policies that enveloped the entire organization?
• Did Innova place priority on completing the assessment process?

All of these questions can be answered after the initial implementation of the security assessment model is complete, and the questions may be reused, if appropriate, during any subsequent implementations.

Application of Practice Metrics

The application of practice metrics involved with the creation of the initial security baseline is also a set of questions that need to be checked against the work completed. In this case, the metrics are associated with the implementation of the methods used to discover and mitigate the vulnerabilities on the network. The questions are:

• Did the implementation team use the governance model created by the stakeholders to create a management model for mitigating those risks?
• Did the employees follow the policies created for implementing the management strategies?
• Were the reports from the tools reviewed and utilized for mitigating the risks discovered during the automated scanning practice?
• Were the documents filed in the living documentation of the comprehensive security assessment system for storage and future review or comparison?
• If any problems were discovered during the security assessment that could not be properly mitigated, was there a meeting held to discuss other mitigation strategies with stakeholders or tool vendors?
Once all of the above questions are answered, Innova has assessed and responded to the risks associated with its information system and is in a position to continue to monitor the network for abnormal activities until the next security event takes place. This is a minimal set of questions and should be added to during the lifetime of the security assessment system.

Successive Implementations

The following categories have been identified to be used with each successive implementation of the comprehensive security assessment system. The four categories are based upon the ISO 27001 & 27002 model and NIST 800-30 rev. 1. These create a cyclical approach to security management.

Planning

After the initial implementation of the comprehensive security assessment system, Innova will need to plan successive implementations. In order to plan those implementations, Innova will review the previous implementations of the security system and discover the areas that need to be addressed inside the network. These areas are based upon the creation of the security baseline and the living documentation of the security model.

The security assessment team will need to set a schedule of work and base the schedule upon a yearly cycle, unless major changes to the information system occur in the interim.

Tracking

The tracking of successive implementations will be placed in the living documentation, noted with the proper implementation label. The tracking utilizes the framework for documentation created in the comprehensive policy section.

Correcting

In the correction section of successive implementations, the business identifies areas of mitigation and completes the processes necessary to protect the network. By protecting the network, it is understood that these goals are based upon the needs of the business in the planning stage of the successive implementation.

Reporting

The reports from the automated tools and the manual mitigation reports should be added to the living document of the assessment system. These documents should be reviewed and compared to the current security baseline to monitor any unwarranted changes. If anything unusual is noticed during the review of the reporting phase, further investigation into the system will be needed, and if the anomaly is not comprehensible, then another security implementation is warranted.

References

Calder, A., & Watkins, S. (2012). IT Governance—An International Guide to Data Security and ISO27001/ISO27002 (5th ed.). Philadelphia, PA: Kogan Page.

IBM Corporation. (2013). Responding to and recovering from sophisticated security attacks: The four things you can do now to help keep your organization safe. Somers, NY: IBM Global Services.

ISACA. (2012). COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. Rolling Meadows, IL: ISACA.

ISECOM. (2010). Open Source Security Testing Methodology Manual. Cardedeu, Spain: ISECOM.

National Institute of Standards and Technology. (2010). Guide for Applying the Risk Management Framework to Federal Information Systems. Gaithersburg, MD: National Institute of Standards and Technology.

National Institute of Standards and Technology. (2012). Guide for Conducting. Gaithersburg, MD: National Institute of Standards and Technology.

OISSG. (2004, August 10). Information Systems Security Assessment Framework Draft 1.0. Retrieved from Sourceforge: http://sourceforge.net/projects/isstf/

OWASP. (2015, August 7). OWASP Proactive Controls. Retrieved from OWASP: https://www.owasp.org/index.php/OWASP_Proactive_Controls

PCI Security Standards Council, LLC. (2015, April). Payment Card Industry (PCI) Data Security Standard Version 3.1.
Wakefield, MA: PCI Security Standards Council, LLC.

Roper, C., Grau, J., & Fischer, L. (2006). Security Education, Awareness and Training: From Theory to Practice. Burlington, MA: Elsevier Inc.

Ross, S. (2011). Creating a Culture of Security. Rolling Meadows, IL: ISACA.

SANS Institute. (2015, August 15). Critical Security Controls: Guidelines. Retrieved from SANS: https://www.sans.org/critical-security-controls/guidelines

Scarfone, K., Souppaya, M., Cody, A., & Orebaugh, A. (2008). Technical Guide to Information Security Testing and Assessment. Gaithersburg, MD: National Institute of Standards and Technology.

Tenable Network Security. (2014). Tenable Solutions for the Cyber Hygiene Campaign. Columbia, MD: Tenable Network Security, Inc.

Xiao, Y. (2014). Vulnerability Assessment for Substation Automation Systems. In Y. Xiao, Security and Privacy in Smart Grids (p. Chapter 8). Boca Raton, FL: Taylor & Francis Group, LLC.

Appendix A: RISK ASSESSMENT METHODOLOGY EVALUATION (footnote 5)

Footnote 5: See Reference OISSG.

The process for periodic risk assessment for information security in the Organization environment identifies the follow up actions, after the risk assessment has been completed, to manage the newer risks that have been realized in the environment.

1. Does the risk assessment exercise at minimum include the following?
   1.1. Identification of all business critical information assets (e.g., data, paper documents, software, hardware, etc.)?
   1.2. Vulnerabilities assessment for the identified assets?
   1.3. Identifying the risk scenarios for compromise of the assets via the vulnerabilities identified?
   1.4. Assessing a probability of the risk scenario to come to pass on a rate scale?
   1.5. Assessing the impact on the business if the risk scenario were to come to pass?
   1.6. Calculating the risk rating by multiplying the probability by the impact?
   1.7. Prioritizing the risks based on the risk ratings?
2. Does the Organization conduct a comprehensive organization wide risk assessment exercise to reassess the threats, vulnerabilities and business impact for information security, and is the Chief Information Security Officer (CISO) duly assisted by the respective Information Security Officers (ISOs) during this periodical risk assessment exercise?
3. Is there a Risk Assessment Template which is used as a general framework for the conduct of the risk assessment?
4. Is there a risk management plan developed to minimize the exposure of the company to the high risks that are identified?
5. Are the controls implementation instructions issued on the basis of the risk management plan, which will clearly identify responsibilities and timelines for implementation?
6. Does the CISO with assistance from the ISOs verify and validate the desired implementation actions within the stipulated time?
7. Are the details of the risk assessment, risk management plan and implementation preserved for a stipulated period (3-5 years)?
8. Apart from the yearly risk assessment, is a risk assessment carried out whenever there is a major change to the P&O network and systems, such as addition of a new business application, relocation or redeployment of an existing application system, or major changes to network architecture?
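The checklist's scoring steps (items 1.1 to 1.7 and 4), combined with the comparison against the security baseline described in the Reporting section, can be worked through as a small risk register. This is an added example, not part of the original paper or of the OISSG framework; the 1-5 rate scale, the threshold of 15 for a "high" risk, and all sample entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass

SCALE = range(1, 6)    # assumed 1-5 rate scale; the paper does not fix one
HIGH_THRESHOLD = 15    # assumed cut-off for a "high" risk (item 4)


@dataclass(frozen=True)
class Risk:
    asset: str          # item 1.1: business critical asset
    vulnerability: str  # item 1.2: weakness found on that asset
    scenario: str       # item 1.3: how the asset could be compromised
    probability: int    # item 1.4: likelihood on the rate scale
    impact: int         # item 1.5: business impact on the rate scale

    def __post_init__(self):
        # Reject scores outside the agreed scale instead of ranking them.
        for name in ("probability", "impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{name} must be within {SCALE.start}-{SCALE.stop - 1}")

    @property
    def key(self):
        return (self.asset, self.vulnerability)

    @property
    def rating(self):
        # item 1.6: rating = probability multiplied by impact
        return self.probability * self.impact


def prioritize(register):
    """Item 1.7: highest rating first; ties broken by impact, then asset name."""
    return sorted(register, key=lambda r: (-r.rating, -r.impact, r.asset))


def high_risks(register, threshold=HIGH_THRESHOLD):
    """Item 4: the risks the risk management plan has to address."""
    return [r for r in prioritize(register) if r.rating >= threshold]


def compare_to_baseline(baseline, current):
    """Reporting phase: what changed since the security baseline was recorded."""
    old = {r.key: r for r in baseline}
    new = {r.key: r for r in current}
    shared = old.keys() & new.keys()
    return {
        "new": sorted(new.keys() - old.keys()),
        "closed": sorted(old.keys() - new.keys()),
        "increased": sorted(k for k in shared if new[k].rating > old[k].rating),
        "decreased": sorted(k for k in shared if new[k].rating < old[k].rating),
    }


# Constructed sample registers: the initial baseline and one successive implementation.
BASELINE = [
    Risk("customer database", "unpatched DBMS", "remote compromise of records", 4, 5),
    Risk("file server", "weak share permissions", "internal data leak", 3, 3),
    Risk("public web site", "outdated CMS plugin", "site defacement", 3, 4),
]
CURRENT = [
    Risk("customer database", "unpatched DBMS", "remote compromise of records", 1, 5),
    Risk("file server", "weak share permissions", "internal data leak", 4, 4),
    Risk("new business application", "default admin credentials", "account takeover", 4, 4),
]

if __name__ == "__main__":
    for risk in prioritize(CURRENT):
        print(f"{risk.rating:>2}  {risk.asset}: {risk.vulnerability}")
    print(compare_to_baseline(BASELINE, CURRENT))
```

Entries reported as "new" or "increased" are the changes that call for review against the baseline before the next scheduled implementation.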