Chapter 2 Planning for Security

Presented by:
Ryan Horvath, Jennifer Kaufman, Sergey Morozov &
Kalagee Shah
Outline
• The Role of Planning
• Precursors to Planning
– Values Statement
– Vision Statement
– Mission Statement
• Strategic Planning
– Creating a Strategic Plan
– Planning Levels
– Planning and the CISO (Chief Information Security Officer)
• Planning for Information Security Implementation
Chapter Objectives
• Identify the roles in organizations that are
active in the planning process
• Grasp the principal components of
information security system implementation
planning in the organizational planning
scheme.
Chapter Organization
Planning Influences
• Employees
• Management
• Stockholders
• Outside stakeholders
• Physical environment
• Political and legal environment
• Competitive environment
• Technological environment
Information Security
Professionals
• Professionals that support the information
security program
– Chief Information Officer (CIO)
– Chief Information Security Officer (CISO)
– Security managers
– Security technicians
– Data owners
– Data custodians
– Data users
Planning Definition
• Planning is creating action steps toward goals
and then controlling them
– Provides direction for the organization’s future
– Allows managing resources
– Optimizes the use of resources
– Coordinates the effort of independent organizational units
Precursors to Planning
• Values Statement
• Vision Statement
• Mission Statement
Values Statement
• Principles
• Qualities
• Benchmarks
• What your company is
• Microsoft: Integrity, honesty, passion, and respectfulness are significant parts of Microsoft’s corporate philosophy
Vision Statement
• Ambitious
• Best-case scenario
• Future goals
• Where your company wants to be
• Microsoft: A personal computer in every home running Microsoft software
Mission Statement
• Organization’s business
• Areas of operation
– Internal
– External
• How your company is going to get there
• Google: Organize the world's information and make it universally accessible and useful.
Strategic Planning
• Strategy lays out the long-term direction to be
taken by organization
• It guides organizational efforts, and focuses
resources toward specific, clearly defined
goals.
• Strategic planning includes
– Mission statement
– Vision statement
– Values statement
– Coordinated plans for sub-units
Creating a Strategic Plan
• Organization
– Develops a general strategy
– Creates specific strategic plans for major divisions
• Each level translates those objectives into more specific objectives for the level below
Top-Down Strategic Planning
Creating a Strategic Plan
• Strategic goals are translated into tasks
– Specific
– Measurable
– Achievable
– Realistic
– Timely
Planning Levels
• Strategic Planning
– Five-year or longer focus
– Strategic plan separated into strategic goals for
each department
• Tactical Planning
– One to three year focus
– Breaks strategic goals into a series of incremental
objectives
Planning Levels
• Operational Planning
– Organize the ongoing, day-to-day performance of
tasks
– Includes clearly identified coordination activities
across department boundaries
• Communications requirements
• Weekly meetings
• Summaries
• Progress reports
Planning Levels
Strategic Plan Elements
• Introduction by senior executive
• Executive Summary
• Mission Statement and Vision Statement
• Organizational Profile and History
• Strategic Issues and Core Values
• Program Goals and Objectives
• Management/Operations Goals and Objectives
• Appendices (optional)
– Strengths, weaknesses, opportunities and threats (SWOT) analyses, surveys, budgets, etc.
10 Tips For Strategic Planning
1. Create a compelling vision statement
2. Embrace the balanced scorecard approach
3. Deploy a draft high-level plan early, and get input from stakeholders
4. Make the evolving plan visible
10 Tips For Planning (cont.)
5. Make the process invigorating for
everyone
6. Be persistent
7. Make the process continuous
8. Provide meaning
9. Be yourself
10. Have fun
Planning For InfoSec
Implementation
• Commonly the CISO directly reports to the
CIO.
• The CIO and CISO play important roles in
translating overall strategic planning into
tactical and operational information security
plans
• The CISO plays the more active role in planning the details
CISO Job Description
• Creates strategic information security plan with a
vision for the future of information security
• Understands fundamental business activities
performed by the company
– Suggests appropriate information security solutions that
uniquely protect these activities
• Improves status of information security by developing
– Action plans
– Schedules
– Budgets
– Status reports
– Top management communications
Planning for Information Security
• CIO: translates strategic plan into departmental and
InfoSec objectives
• CISO: translates InfoSec objectives into tactical and
operational objectives
• Implementation can now begin
• Implementation of information security can be
accomplished in two ways
– Bottom-up
– Top-down
Bottom-Up Approach
• Grass-roots effort
• Individual administrators try to improve
security
• No coordinated planning from upper
management
• No coordination between departments
• Unpredictable funding
Top-Down Approach
• Strong upper management support
• A dedicated champion
• Assured funding
• Clear planning and implementation process
• Ability to influence organizational culture
Approaches to Security
Implementation
Joint Application Development
• Outcome of the objective directly affects
the end users
• Key end users assigned to development
teams
• Processes documented and integrated
into organizational culture
• Ensures continuation of the application
• Seldom found in bottom-up initiatives
The Systems Development Life
Cycle (SDLC)
• Methodology for the design and
implementation of an information
system
• SDLC-based projects may be initiated
by events or planned
• Each phase concludes with a review or
a feasibility analysis
Phases of the SecSDLC
Investigation Phase for
SecSDLC
• Identifies problem to be solved
• Begins with the objectives, constraints, and
scope of the project
• A preliminary cost/benefit analysis is then
developed
• Ends with a feasibility analysis
Feasibility
SDLC vs. SecSDLC:
Investigation
Common steps:
• Outline project scope/goals
• Estimate costs
• Evaluate existing resources
• Analyze feasibility
Steps unique to SecSDLC:
• Define project process and goals and document them in the program security policy
Analysis in SecSDLC
• A preliminary analysis of
– Existing security policies
– Current threats and attacks
– Legal issues
• Risk management
– The process of identifying, assessing and evaluating the levels of risk facing the organization
Threats
Know your enemy: it's the first step in mounting an effective defense
Enemy = Threats
• A threat is an object, person or other entity that represents a constant danger to an information asset
• Threats are well understood and well researched
• Grouped by activity
Threats
Attacks
• An attack is an act that exploits a vulnerability
• An attack is carried out by a threat agent
• A vulnerability is an identified weakness of a controlled information asset
• An exploit is a technique used to compromise an information asset
Types of attacks
• Back doors
• Brute force
• Dictionary
• Man-in-the-middle
• Password crack
• Social engineering
• Spear phishing
• Phishing
Types of attacks (cont.)
• Buffer overflow
• DoS & DDoS
• Hoaxes
• Mail bombing
• Spam
• Malicious code
• DNS cache poisoning
• Sniffers
• Spoofing
• Timing
Risk Analysis
• Asset valuation
– Identify the categories to assign to each asset
• Most critical to the success of the organization
• Generates the most revenue
• Highest profitability
• Most expensive to replace
• Most expensive to protect
• Greatest liability to the organization if revealed
Risk Analysis (cont.)
• Categories must be comprehensive and mutually exclusive
• Rank the components based on the asset categorization criteria
• Review each information asset for each threat it faces
• Create a list of vulnerabilities
• Assign a comparative risk rank to each information asset
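The ranking procedure on these two slides (weight the valuation criteria, score each asset, pair assets with the threats they face, rank by comparative risk) is shown below as an added worked example. It is not code from the slides or the textbook; the asset inventory, the criterion weights and the threat likelihoods are constructed, and the scoring formulas (weighted factor analysis for asset value, risk = asset value × likelihood) are one common convention assumed here, not the only one.

```python
"""Weighted-factor asset valuation and comparative risk ranking.

Added example. The asset data, criteria weights, threat likelihoods and the
scoring formulas are constructed/assumed for illustration.
"""
from dataclasses import dataclass, field

# The valuation criteria from the slide, each given an assumed weight.
# Weights must sum to 1.0 so that asset values stay on the 0..100 scale
# of the individual scores; the check in weighted_value() enforces it.
CRITERIA_WEIGHTS = {
    "critical_to_success": 0.30,
    "revenue": 0.15,
    "profitability": 0.10,
    "replacement_cost": 0.15,
    "protection_cost": 0.10,
    "liability_if_revealed": 0.20,
}


@dataclass
class Asset:
    name: str
    scores: dict                                  # criterion -> rating 0..100
    threats: dict = field(default_factory=dict)   # threat -> likelihood 0..1


def weighted_value(asset, weights=CRITERIA_WEIGHTS):
    """Weighted factor analysis: sum(score * weight) over every criterion.

    Fails loudly on a mis-built valuation table (weights that do not sum to
    1.0, or an asset missing a score), which is the 'comprehensive and
    mutually exclusive' requirement turned into a check.
    """
    if abs(sum(weights.values()) - 1.0) > 1e-9:
        raise ValueError("criteria weights must sum to 1.0")
    missing = set(weights) - set(asset.scores)
    if missing:
        raise ValueError(f"{asset.name}: missing scores for {sorted(missing)}")
    return round(sum(asset.scores[c] * w for c, w in weights.items()), 2)


def rank_assets(assets):
    """Rank assets by weighted value, most valuable first."""
    return sorted(assets, key=weighted_value, reverse=True)


def comparative_risk(asset):
    """Risk of each (asset, threat) pair = asset value x threat likelihood.

    Returns a list of (threat, risk) tuples for the asset.
    """
    value = weighted_value(asset)
    return [(threat, round(value * p, 2)) for threat, p in asset.threats.items()]


def risk_register(assets):
    """Flatten all (asset, threat, risk) rows and rank them, highest risk first."""
    rows = [(a.name, t, r) for a in assets for t, r in comparative_risk(a)]
    rows.sort(key=lambda row: row[2], reverse=True)
    return rows


# Constructed sample inventory (scores and likelihoods are made up).
SAMPLE_ASSETS = [
    Asset("Customer database",
          {"critical_to_success": 100, "revenue": 80, "profitability": 70,
           "replacement_cost": 60, "protection_cost": 50, "liability_if_revealed": 100},
          {"SQL injection": 0.5, "Insider disclosure": 0.2}),
    Asset("Public web server",
          {"critical_to_success": 70, "revenue": 90, "profitability": 60,
           "replacement_cost": 40, "protection_cost": 40, "liability_if_revealed": 30},
          {"DDoS": 0.7, "Defacement": 0.3}),
    Asset("Internal wiki",
          {"critical_to_success": 30, "revenue": 10, "profitability": 10,
           "replacement_cost": 20, "protection_cost": 20, "liability_if_revealed": 40},
          {"Phishing": 0.4}),
]

if __name__ == "__main__":
    print("Asset ranking:")
    for a in rank_assets(SAMPLE_ASSETS):
        print(f"  {a.name:20s} value={weighted_value(a):6.2f}")
    print("Risk register (highest first):")
    for name, threat, risk in risk_register(SAMPLE_ASSETS):
        print(f"  {name:20s} {threat:20s} risk={risk:6.2f}")
```

The register is what the later ranking slide asks for: the customer database comes out on top by value, but the DDoS line for the web server lands second in the register because likelihood, not value alone, drives the comparative rank. Changing a weight or a likelihood and re-running shows how sensitive the ordering is to those judgement calls, which is why the slides insist the categories be agreed before scoring begins.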
SDLC vs. SecSDLC : Analysis
Common steps:
• Assess current system against plan developed in phase 1
• Develop system requirements
• Study integration of new system
• Update feasibility analysis
Steps unique to SecSDLC:
• Analyze existing security policies and programs
• Analyze current threats and attacks
• Examine legal issues
• Risk analysis
Design in SecSDLC
• Logical design phase
– Create and develop a security blueprint
– Implement key policies
– Feasibility analysis – develop or outsource
• Physical design phase
– Evaluate technology to support security blueprint
– Generate alternative solutions
– Agree on final design
Security models
• Security teams often adopt or adapt an established security model
• Security models provide a framework
• A good model addresses all areas of security
• Computer Security Resource Center of NIST
• ISO/IEC 17799, Information technology – Code of practice for information security management (international standard; since renumbered as ISO/IEC 27002)
Design elements
• Information security policy
• Management must define
– General security policy
– Issue-specific security policy
– Systems-specific security policy
Design elements (cont.)
• SETA – Security education, training and
awareness program contains
– Security education
– Security training
– Security awareness
• Purpose
– Improving awareness
– Developing skills & knowledge
– Building in-depth knowledge
Design elements (cont.)
• Controls and Safeguards
– Managerial controls
– Operational controls
– Technical controls
Managerial Control
• Address the design, scope and implementation of the security planning process and security program
• Address risk management and provide an overview of security controls
• Address the scope of legal compliance
Operational Controls
• Manage functions and lower-level planning
– Disaster recovery
– Incident response planning
– Personnel security
– Physical security
– Protection of production inputs and outputs
Technical controls
• Address tactical and technical issues related to designing and implementing security
• Review the technologies necessary to protect information assets
Contingency planning
• Contingency planning is planning to prepare for, react to, and recover from a security breach and to restore normal business operations.
– Incident Response Planning (IRP)
– Disaster Recovery Planning (DRP)
– Business Continuity Planning (BCP)
Physical security
• Design, implementation and maintenance of
countermeasures that protect the physical
resources of an organization
• Physical resources include
– People
– Hardware
– Supporting information system elements
SDLC vs. SecSDLC : Logical
Design
Common steps:
• Assess current business needs against developed plan
• Select application, data support and structures
• Generate multiple solutions
• Update feasibility analysis
Steps unique to SecSDLC:
• Develop security blueprint
• Plan incident response action
• Plan business response to disaster
• Feasibility of continuing or outsourcing the project
SDLC vs. SecSDLC : Physical
Design
Common steps:
• Select technologies to support solutions
• Select the best solutions
• Decide whether to make or buy components
• Update feasibility analysis
Steps unique to SecSDLC:
• Select technologies needed to support security blueprint
• Develop definition of successful solution
• Design physical security measures to support technological solutions
• Approve the project
Implementation in SecSDLC
• Acquire, test, implement, and retest security
solutions
• Evaluate personnel issues and conduct
specific training and education programs
• Present tested package to management for
approval
Management of Information Security, 2nd ed. - Chapter 2
Slide 57
Management of the Project
Plan
• Planning the project
• Supervising tasks and action steps within the
project plan
• Wrapping up the plan
Project Team
• Should consist of individuals experienced in one
or multiple technical and non-technical areas
including
– Champion
– Team leader
– Security policy developers
– Risk assessment specialists
– Security professionals
– System administrators
– End users
Staffing the Information Security
Function
• Organizations should examine the options for
staffing the information security function
– Decide how to position and name the function
– Plan for proper staffing of the function
– Understand impact of information security across
every role in IT
– Integrate information security concepts into
personnel management
Professional Security
Certifications
• Professional security certifications that can
help organizations more easily identify the
proficiency of applicants
– CISSP & SSCP
– GIAC, GSE, GISO
– MCSE
– CNE
– SCNP and SCNA
– Security+
– CISM & CISA
SDLC vs. SecSDLC :
Implementation
Common steps:
• Develop or buy software
• Order components
• Document system
• Train users
• Update feasibility analysis
• Present to users
• Test system and review performance
Steps unique to SecSDLC:
• Buy or develop security solutions
• Present tested package to management for approval
Maintenance in the SecSDLC
• Maintenance models focus organization effort
on system maintenance
– External monitoring
– Internal monitoring
– Planning and risk assessment
– Vulnerability assessment and remediation
– Readiness and review
ISO Management Model
• SecSDLC includes selecting a systems
management model
• ISO management model focus areas
– Fault management
– Configuration and change management
– Accounting and auditing management
– Performance management
– Security program management
Security Management Model
• Fault Management: Identify and address faults
• Configuration and Change Management:
Administration and change of the security
program
• Accounting and Auditing Management:
Chargeback accounting and systems monitoring
• Performance Management: Monitor system
performance for intended use
• Security Program Management: Operation and
management of the security program
SDLC vs. SecSDLC :
Maintenance
Common steps:
• Support and modify system for its useful life
• Test periodically for compliance with business needs
• Upgrade and patch
Steps unique to SecSDLC:
• Constantly monitor, test, modify, update and repair to respond to changing threats
Conclusions
• Roles and responsibilities of the security
planning process
• Security System Development Life Cycle
phases
Questions?