Lesson Eight: Security Management
Copyright © Center for Systems Security and Information Assurance

Lesson Objectives
• Define security management
• Explain in basic terms the function of an organization's security policy
• List the reasons an organization would implement a security policy
• Define security standards and explain the different types of standards
• Explain the role of standards organizations
• Match each standards organization with its role in the information security field

Introduction
Security management entails the identification of an organization's information assets and the development, documentation, and implementation of policies, standards, procedures and guidelines that ensure confidentiality, integrity, and availability.

Organization Policies
A policy may be defined as "an agreed approach in theoretical form, which has been agreed to and/or ratified by a governing body, and which defines direction and degrees of freedom for action."

What is a Security Policy?
• Informs users and staff members of the need and the responsibility to protect the organization's technology and critical information.
• Defines "acceptable use" (based upon the acceptable risk) of all electronic media within an organization.

Security Policies
• Rules and practices an organization uses for its information resources:
  - management
  - protection
  - allocation
• Policies and procedures provide a baseline for:
  - security plans
  - contingency plans
  - procurement plans

Why a Security Policy?
1. Describes in detail acceptable network activity and penalties for misuse
2. Provides a forum for identifying and clarifying security goals, priorities and objectives to the organization and its members
3. Illustrates to each employee how they are responsible for helping to maintain a secure environment
4. Defines responsibilities and the scope of information security in an organization
5. Provides a legal instrument in the case of litigation
6. Provides a good foundation for conducting security audits
7. Establishes critical assets and identifies their potential vulnerabilities
8. Provides a reference for incident response handling
9. Communicates organization culture, core values, and ethics
10. Establishes acceptance and conformity

Management Support
• Without management supporting security policies, they might as well be non-existent
• Security policies, and security in general, start off at the bottom of the typical executive's priority list
• A serious security incident, or an exceptional sales pitch by the information security professionals, helps to gain the support of management

Types of Security Policies
• Acceptable Encryption Policy
• Acceptable Use Policy
• Analog/ISDN Line Policy
• Anti-Virus Policy
• Application Service Provider Policy
• Application Service Provider Standards
• Acquisition Assessment Policy
• Audit Vulnerability Scanning Policy
• Automatically Forwarded Email Policy
• Database Credentials Coding Policy
• Dial-in Access Policy
• DMZ Lab Security Policy
• E-mail Policy

Helpful Security Policy Links
Read the following documents:
• http://www.sans.org/resources/policies/Policy_Primer.pdf
• http://www.sans.org/resources/policies/#template
• http://www.dir.state.tx.us/security/policies/templates.htm

Security Standards
• Specify uniform use of specific technologies, parameters, or procedures.
• Specify a uniform use of specific technologies, parameters or processes to be used to secure systems.
• Contain mandatory statements which can be measured.

Security Standards Example
The HIPAA Privacy Standards require that "a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information" (CMS, "HIPAA Administrative Simplification - Privacy", Section 164.530(c)(1)).

Types of Security Standards
• Open versus proprietary
• De jure (by law) versus de facto

Security Standards Evolve

Security Standards Organizations
• Government statutes (federal, state and local)
• Standards organizations (NIST, ISO, IEEE)
• Industry requirements (HIPAA, GLB, TIA/EIA)
• Manufacturer requirements (Cisco, Microsoft)
• Internal requirements

ISO 17799 Description
• Most widely recognized security standard; the first version was published in December 2000
• Comprehensive in its coverage of security issues
• Contains a substantial number of control requirements
• Compliance and certification can be daunting, even for the most security-conscious organizations

Government Cryptography Standards

Example: Government Standards for Incident Reporting
• Computer Security Incident Handling Guide, NIST Special Publication 800-61, from the National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce.
• A 148-page report describing guidelines for responding to denial-of-service attacks; malicious code, including viruses, worms and Trojan horses; unauthorized access; inappropriate use by authorized users; and incidents incorporating various types of security breaches.
• http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf

Security Guidelines
• Address intentions and allow for interpretation
• Recommendations or best practices
• Similar to standards, but not mandated actions
• Assist users, administrators and others in effectively interpreting and implementing the security policy
• Data Security and Classification Guidelines: http://www.umassp.edu/policy/data/itcdatasec.html

Security Procedures
• The operational processes required to implement institutional security policy
• Operating practices can be formal or informal, specific to a department or applicable across the entire institution
• Detailed steps or instructions to be followed by users, system administrators, and others to accomplish a particular security-related task
• Assist in complying with security policy, standards and guidelines
• http://wwwoirm.nih.gov/security/sec_policy.html

More Examples
• Policy – All State of Illinois employee email mailboxes must be protected by a username/password
• Standard – The username must follow existing standards, and the password must be 8 characters long and have an alpha/numeric combination
• Procedure – Setting the administrative properties of the mailbox to require that a username and password be set; auditing the passwords for appropriate password complexity

Plan, Do, Check, Act

Hyperlinks to Federal Laws
• Federal Computer Intrusion Laws
• National Information Infrastructure Protection Act of 1995
• Fraud and Related Activity in Connection with Computers
• The Digital Millennium Copyright Act
• Software Piracy and the Law
• The Computer Fraud and Abuse Act of 1986
• Electronic Communications Privacy Act
• Privacy Act of 1974
• Communications Act of 1934
• Family Educational Rights and Privacy Act of 1974
• CAN-SPAM Act of 2003
• United States Copyright Office
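The policy / standard / procedure triple from the "More Examples" slide, turned into a runnable audit as an added example (not part of the original lesson): the policy becomes a check that the mailbox requires authentication, the standard becomes a password and username validator, and the procedure is the audit loop. It assumes "8 characters long" means a minimum of 8, assumes a hypothetical first.last username convention since the slide does not state one, and uses constructed mailbox records.

```python
import re
from dataclasses import dataclass

# Standard from the slide: at least 8 characters (assumed minimum, not exact),
# with both letters and digits. The username convention is an assumption.
MIN_PASSWORD_LEN = 8
USERNAME_RE = re.compile(r"^[a-z]+\.[a-z]+$")  # hypothetical first.last rule


@dataclass
class MailboxRecord:
    """Constructed record; a real system would expose these as admin properties."""
    user: str
    requires_auth: bool  # the administrative property the procedure sets
    password: str        # only visible at set/change time in practice


def password_meets_standard(password: str) -> list[str]:
    """Return the list of standard violations; empty means compliant."""
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digits")
    return problems


def username_meets_standard(user: str) -> bool:
    return USERNAME_RE.fullmatch(user) is not None


def audit_mailboxes(records: list[MailboxRecord]) -> dict[str, list[str]]:
    """Procedure: check every mailbox against the policy and the standard.
    Returns findings keyed by user, for non-compliant mailboxes only."""
    findings = {}
    for r in records:
        issues = []
        if not r.requires_auth:
            issues.append("policy: mailbox does not require username/password")
        if not username_meets_standard(r.user):
            issues.append("standard: username does not follow naming convention")
        issues += [f"standard: password {p}" for p in password_meets_standard(r.password)]
        if issues:
            findings[r.user] = issues
    return findings


# Constructed sample data for the audit run.
SAMPLE = [
    MailboxRecord("jane.doe", True, "Spring2024x"),   # compliant
    MailboxRecord("john.smith", True, "password"),    # no digits
    MailboxRecord("bob", False, "ab12"),              # policy, username, length
]

if __name__ == "__main__":
    for user, issues in audit_mailboxes(SAMPLE).items():
        print(user, "->", "; ".join(issues))
```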