Introduction to Cyber/Information Security
Module 2: Security Management

Chapter 1: Security Management Practices
1. Overview of Security Management
2. Information Classification Process
3. Security Policy
4. Risk Management
5. Security Procedures and Guidelines
6. Business Continuity and Disaster Recovery
7. Ethics and Best Practices
Chapter 2: Security Laws and Standards
1. Security Assurance
2. Security Laws
3. IPR
4. International Standards
5. Security Audit
6. SSE-CMM / COBIT etc.

Security Principles
Identification: to have proper identification of a user.
Authentication: to authenticate the identity of the user.
Authorization: to authorize the authenticated user.
Privacy: the user will use the data only for the authorized purpose.
Non-Repudiation: the user cannot deny having done a particular thing.

Information Security
Information is an integral part of any business, and managing it correctly rests on three basic pillars (the CIA triangle):
Confidentiality: the information must only be accessible to its predefined recipients.
Integrity: the information must be correct and complete.
Availability: the information must be accessible when it is needed.

Information Security
Security Management must ensure that the information is correct and complete, that it is always available for business purposes and that it is only used by the people who are authorized to do so.

Information Security
Information Security (InfoSec) includes three components:
Management of Information Security
Network Security
Computer and Data Security

Security Management
The main benefits of proper Security Management are:
Interruptions to service caused by viruses, computers being hacked into, etc. are avoided.
The number of incidents is minimized.
Information is accessible when it is needed and data integrity is preserved.
Data confidentiality, and the privacy of customers and users, is preserved.
Regulations on data protection are complied with.
The quality of service experienced by customers and users, and their confidence in it, is improved.

Security Management
The main difficulties when implementing Security Management may be summarised as:
There is insufficient commitment to the process from all the members of the IT organisation.
Excessively restrictive security policies are established, with a negative effect on the business.
The tools needed to monitor and guarantee the security of the service (firewalls, antivirus software, etc.) are not available.
Staff are not given adequate training to be able to apply security protocols.
There is a lack of coordination between the different processes, making it impossible to evaluate the risks properly.

Information Security Management
Principles of Information Security Management:
Planning
Policy
Programs
Protection
People
Project Management

Principles of Information Security Management
Planning
The InfoSec planning model includes the activities essential to support the design, creation and implementation of InfoSec strategies within the IT environment.
Various plans: incident response plan, business continuity plan, disaster recovery plan, policy plan, personnel plan, risk management plan, education, training and awareness plan.

Principles of Information Security Management
Policy
It is a set of organizational guidelines that lists out certain rules of organizational behavior.
Three general categories:
General Program Policy (Enterprise security policy)
Issue-specific security policy
System-specific policies

Principles of Information Security Management
Programs
It includes specific entities managed in the InfoSec domain such as SETA (Security Education, Training and Awareness), the physical security program and the guards program.

Principles of Information Security Management
Protection
It includes risk management activities such as risk assessment and control, protection mechanisms, technologies and tools.

Principles of Information Security Management
People
People play a key role in the organisation and it is important that managers recognise the key role that people play.
Includes the information security personnel, the security of personnel, as well as aspects of the SETA program.

Principles of Information Security Management
Project Management
This is present throughout all the phases of the InfoSec program.
It involves identifying and controlling project resources, measuring success and making required changes.

Need of ISMS
InfoSec achieved through technical means alone is limited.
InfoSec also depends on people, policies, processes and procedures.
Resources are limited.
It is an ongoing activity.

Benefits of ISMS
Manages risk to suit the business activity.
Manages incident handling activities.
Builds a security culture, which increases trust, customer confidence and business opportunity.
Conforms to the requirements of the standard.

Applications of ISMS
Banks
Insurance companies
Manufacturing companies
Hospitals
BPOs
Software development companies

Information Classification
Organizations like to classify their information for suitable treatment.
All organizations (government, public, private, defense) need to classify their information.
Reason for classification: not all data/information has the same level of importance or the same level of relevance/criticality to an organization.
E.g. the loss of trade secrets, formulae or new product information can cause significant loss to the organization.

Information Classification
Benefits of information classification:
Information classification is a demonstration of an organization's commitment to security protections.
It helps identify which information is most sensitive or vital to an organization.
It supports the tenets of CIA as they pertain to data.
It helps identify which protections apply to which information.
It fulfils statutory requirements towards regulatory, compliance or legal mandates.

Information Classification
The information produced or processed by an organization must be classified according to the organization's sensitivity to its loss or disclosure.
The data owners are responsible for defining the sensitivity level of data.
This enables security controls to be properly implemented as per the classification.

Terms for Information Classification
The following definitions describe several schemes used for levels of data/information classification:
Unclassified
Sensitive but unclassified (SBU)
Confidential
Secret
Top Secret

Information Classification
Unclassified: information that is neither sensitive nor classified. The public release of this information does not violate confidentiality.
Sensitive but unclassified (SBU): information designated as a minor secret, which may not create serious damage if disclosed. E.g. health care, answers to tests.
Confidential: information designated to be of a confidential nature. The unauthorised disclosure of this information could cause some damage to security. E.g. teacher feedback.

Information Classification
Secret: information designated to be of a secret nature. The unauthorized disclosure of information of this nature could cause serious damage to security. E.g. a contract.
Top Secret: this is the highest level of information classification (e.g. normally found in defense organisations). Any unauthorised disclosure of top secret information will cause exceptionally grave damage to security.

Information Classification
It is not a good practice to deal with too much data or to provide employees/other business entities with all the data.
Organizations make data available to concerned people on a need-to-know basis.
The following classification is also prevalent in most private organizations:
Public
Sensitive
Private

Information Classification
Public: information similar to unclassified information. All of an organization's information that does not fit into any of the other categories is considered to be public. This information probably should not be discussed, but even if it is disclosed it is not expected to seriously or adversely impact the organization.
Sensitive: information that requires a higher level of classification than normal data. This information is protected from a loss of confidentiality as well as a loss of integrity owing to unauthorized alteration.

Information Classification
Private: this information is considered to be of a personal nature and is intended for company use only. Its disclosure can adversely affect the company or its employees. E.g. salary levels, medical information.
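The slides describe two label schemes (Unclassified through Top Secret, and Public/Sensitive/Private) and say that data is released on a need-to-know basis. The following is an added example, not code from the course, showing how a program can enforce both rules at once: a user's clearance must dominate the record's level, and above the lowest level the user must also belong to one of the record's need-to-know groups. The scheme lists, group names, records and users are constructed assumptions for the example.

```python
"""Added example (not from the slides): enforcing classification labels and
need-to-know when a user asks to read a record.

Assumptions (mine, not the course's): a classification scheme is an ordered
list of level names, lowest first; each record carries one level and a set of
need-to-know groups; each user carries a clearance level and group memberships.
"""
from dataclasses import dataclass

# The two schemes named on the slides, ordered from least to most sensitive.
GOVERNMENT_SCHEME = ["Unclassified", "SBU", "Confidential", "Secret", "Top Secret"]
PRIVATE_SCHEME = ["Public", "Sensitive", "Private"]


@dataclass(frozen=True)
class Record:
    name: str
    level: str
    need_to_know: frozenset = frozenset()   # groups allowed to see this record


@dataclass(frozen=True)
class User:
    name: str
    clearance: str
    groups: frozenset = frozenset()


def rank(scheme, level):
    """Position of a level within the scheme. Unknown labels are rejected
    rather than silently treated as the lowest (most permissive) level."""
    if level not in scheme:
        raise ValueError(f"unknown classification level: {level!r}")
    return scheme.index(level)


def may_read(scheme, user, record):
    """Return (allowed, reason). Both checks must pass independently."""
    if rank(scheme, user.clearance) < rank(scheme, record.level):
        return False, f"clearance {user.clearance} is below {record.level}"
    # The lowest level is releasable to everyone; above it, need-to-know applies.
    if rank(scheme, record.level) > 0 and not (user.groups & record.need_to_know):
        return False, "no need-to-know group in common"
    return True, "ok"


def readable_records(scheme, user, records):
    """Names of the records this user may read, in the order given (audit view)."""
    return [r.name for r in records if may_read(scheme, user, r)[0]]


# Constructed sample data for the private-sector scheme.
RECORDS = [
    Record("press-release", "Public"),
    Record("salary-levels", "Private", frozenset({"hr"})),
    Record("product-roadmap", "Sensitive", frozenset({"product", "exec"})),
]
USERS = {
    "hr-clerk": User("hr-clerk", "Private", frozenset({"hr"})),
    "engineer": User("engineer", "Sensitive", frozenset({"product"})),
    "visitor": User("visitor", "Public"),
}

if __name__ == "__main__":
    for u in USERS.values():
        print(u.name, "->", readable_records(PRIVATE_SCHEME, u, RECORDS))
```

Note that the hr-clerk, although cleared to the highest private-sector level, still cannot read the product roadmap: clearance alone is never sufficient, which is exactly the need-to-know principle from the slide.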

Criteria for Classification of Data and Information
Classification of an information object:
Value: the most common criterion for classifying data in the private sector. If information is valuable to its organization or its competitors then it needs to be classified.
Age: the classification of information may be lowered if the information's value decreases over time.
Useful Life: if the information has become obsolete owing to new information or substantial changes in the company, the information can be declassified.
Personal Association: if information is personally associated with specific individuals or addressed by privacy law, it may be classified.

How Do Organizations Classify Data and Information
Primary procedural steps:
Identify the owner/administrator/custodian for data/information which is considered to be important.
Specify the criteria for information to be classified and labeled.
Classify data by owner.
Specify and document any exceptions to the classification policy.
Depending on its classification, specify who is authorized to access the data/information.
Specify the termination procedures for declassifying the information.
Create an enterprise awareness program about the data/information classification controls.

Information Classification: Roles
The roles and responsibilities of all the participants in the information classification program must be clearly defined:
Owner
Custodian
User

Information Classification: Roles
Owner: responsible for the information asset that must be protected.
Making the original decision about the level of classification of information based on the business need.
Reviewing the classification assignment periodically and making alterations if required.
Delegating the responsibility of protection.

Information Classification: Roles
Custodian:
Running regular backups and routinely testing them for validity.
Performing data restoration from backups.
Maintaining the retained records in accordance with legal requirements.

Information Classification: Roles
User:
It is mandatory for users to follow the operating procedures that are defined in an organization's security policy.
Prevent open view.
Take the necessary care to maintain the company's security policy.

Data Obfuscation
It is one solution for data theft.
Data obfuscation is data which has been rendered unusable by some means, but it is not considered a serious form of encryption.
It is not very difficult to decipher an obfuscation scheme given enough data.
An effective method involves chopping text into segments and re-arranging them as well as obfuscating them.

Business Classification Systems
Critical: functions supported by the systems cannot be performed unless replaced by identical capabilities. Tolerance to interruption is low. Cost of interruption is high.
E.g. entry to a high-security vault using a fingerprint reader. If the reader gets damaged, functionality halts.

Business Classification Systems
Vital: functions can be performed manually but only for a brief period of time. Higher tolerance to interruption than critical systems. Cost of interruption is low (if restoration is within the time limit).
E.g. in case of failure of the lift in a 30-floor building, one can use the staircase for the time being.

Business Classification Systems
Sensitive: functions can be performed manually at a tolerable cost for an extended period of time.
E.g. due to non-functioning of the in-house printing machine, paper printing is outsourced.
Non-critical: functions may be interrupted for an extended period of time, at little or no cost to the company.
E.g. non-functioning of the coffee machine.

Event Classification
Events that can result in damage to information systems are typically classified as:
Disaster: an event that causes permanent and substantial damage or destruction to the property, equipment, information, staff or services of the business. E.g. natural disasters.
Crisis: an abnormal situation that presents some extraordinary risks to a business and that will develop into a disaster. E.g. a server getting hacked.
Catastrophe: major disruptions resulting from the destruction of critical equipment in processing. E.g. a hard disk crash.

Security Policy

Policy (in general)
A policy is a principle or protocol to guide decisions and achieve rational outcomes.
It is a statement of intent, and is implemented as a procedure or protocol.
Policies are generally adopted by senior management.
Policies can assist in both subjective and objective decision making.

Policy (in general)
During subjective decision making, policy assists management to consider the relative merits of a number of factors before making a decision. E.g. a work-life balance policy.
Objective decisions are usually operational in nature and can be objectively tested. E.g. a password policy.

Types of Policies (in general)
In general, a policy can be of the following types:
Regulatory Policy
Advisory Policy
Informative Policy

Regulatory Policy
These kinds of policies are a must for an organization owing to compliance, regulation or other legal requirements prevalent in the organization's operating environment.
E.g. staff teaching a PG course must have certain qualifications.
These are very detailed and specific to the industry in which the business organization operates.

Regulatory Policy
Purposes of the regulatory policy are:
Ensuring that an organization follows the standard procedure or base practices of an operation in its specific industry.
Giving an organization the confidence that it is following the standard and accepted industry policy.

Advisory Policy (good to follow)
These are not mandatory but are strongly recommended.
Normally the consequences of not following them are defined.
E.g. a Business Conduct guidelines policy which, if not followed, may result in job termination.
Organizations expect employees to treat these as mandatory policies.
Many policies fall under this broad category.

Informative Policy
These are simply to inform the reader.
There are no implied or specified requirements.
The audience can be an internal entity or an external party.

Information Security Policy

Need of the Policy
A quality information security program is all about having good policies in place, i.e. from start to end.
Policies contribute to the success of the organization.
Policies form important reference documents for:
Conducting internal audits
Resolving legal disputes about the management

Information Security Policy
A security policy is a preventative mechanism for protecting important company data and processes.
It communicates a coherent (logical) security standard to users, management and technical staff.
A policy can be used to measure the relative security of current systems.
A policy is important for defining interfaces to external partners.
There are mandatory legal requirements as regards protection of customer and employee data.
A policy is a prerequisite to quality control (ISO 900x).

Information Security Policy
The ISP sets the strategic direction and scope for all the organization's security efforts.
It assigns responsibilities for information security such as:
maintenance of information security policies
practices and responsibilities of other users
The ISP states the importance of InfoSec to achieving the organization's mission and objectives.

Information Security Policy
A good ISP must include:
Statement of purpose: outlines scope and applicability, i.e. what is the purpose of this policy and who is responsible for implementation.
Security elements
Need for information security
Roles and responsibilities
Reference to other standards and guidelines

Information Security Policy
The success of an information security program lies in policy development, i.e. it depends on how policies are defined and how they are implemented.

What is Policy?
Policies are statements of management's intentions and their goals.
Policy is a plan or course of action intended to influence and determine decisions, actions and other matters.

Information Security Policy
This can be an organization's email policy:
1. Email policy coverage:
Confidentiality of information disclosed through email communication.
The sender's responsibility for the contents of the e-mails.
Disclosure of sensitive information such as passwords, PINs and credit card data.
2. Appropriate use of e-mails:
Employees working for the organization should use the email facility for business purposes only.
No obscene or profane message should be sent through emails.
The size of attachments should be restricted within the approved limit.

Information Security Policy
This can be an organization's email policy:
3. Management's authority on email:
The management reserves the right to monitor the use of email.
The management could store email for retrieval at a later date for legal purposes.

Password Policy
The policy on passwords can define multiple attributes like:
1. Whether the user ID and password can match
2. Maximum occurrences of consecutive characters
3. Maximum lifetime of the password
4. Minimum length of the password
5. Whether a user's previous password can be reused
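A password policy like the one above is an objectively testable policy, so it can be written as code. The following is an added example, not code from the course, that checks a candidate password against all five attributes and separately checks lifetime expiry. The numeric thresholds are constructed sample values, and previous passwords are kept only as salted PBKDF2 hashes so that the reuse check does not require storing old passwords in clear.

```python
"""Added example (not from the slides): checking a candidate password against
the five policy attributes listed above, plus password-lifetime expiry.

Assumptions (mine, not the course's): the policy thresholds are constructed
sample values; previous passwords are kept only as (salt, PBKDF2 digest) pairs.
"""
import hashlib
import os
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    allow_match_user_id: bool = False   # may the password equal the user ID?
    max_consecutive: int = 2            # longest permitted run of one repeated character
    max_lifetime_days: int = 90         # password must be changed after this many days
    min_length: int = 12
    history_size: int = 5               # how many previous passwords are barred


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage in the history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def longest_run(s):
    """Length of the longest run of identical consecutive characters in s."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and ch == s[i - 1] else 1
        best = max(best, run)
    return best


def check_new_password(policy, user_id, candidate, history):
    """Return the list of violated attributes (an empty list means compliant).
    `history` is a list of (salt, digest) pairs, most recent first."""
    violations = []
    if len(candidate) < policy.min_length:
        violations.append("min_length")
    if not policy.allow_match_user_id and candidate.lower() == user_id.lower():
        violations.append("matches_user_id")
    if longest_run(candidate) > policy.max_consecutive:
        violations.append("max_consecutive")
    # Re-hash the candidate with each stored salt; a match means reuse.
    for salt, digest in history[: policy.history_size]:
        if hash_password(candidate, salt)[1] == digest:
            violations.append("reused_previous_password")
            break
    return violations


def is_expired(policy, set_on_iso, today_iso):
    """True once the password (set on set_on_iso, YYYY-MM-DD) is older than the
    policy's maximum lifetime as of today_iso."""
    set_on = date.fromisoformat(set_on_iso)
    today = date.fromisoformat(today_iso)
    return today - set_on > timedelta(days=policy.max_lifetime_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = [hash_password("correct horse battery")]   # constructed old password
    print(check_new_password(policy, "alice", "correct horse battery", history))
    print(check_new_password(policy, "alice", "aaab-staple-river", history))
    print(is_expired(policy, "2024-01-01", "2024-04-15"))
```

Returning the full list of violations, rather than stopping at the first, lets the user fix everything in one attempt and gives the help desk a precise reason for each rejection.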

Policy Mapping
Policies include procedures, standards, guidelines and baselines.
[Figure: policy hierarchy, from Laws, Regulations, Requirements, Organizational Goals and Objectives down through General Organizational Policies, Functional Policies, Procedures, Standards, Guidelines and Baselines]

Policy Mapping
Procedures are the detailed steps required to perform a specific task.
Standards describe the uniform use of specific technologies throughout the organization. E.g. use of OS, router configuration, applications.
Guidelines are recommended methods (not compulsory) to perform a specific task. E.g. using anti-malware/antivirus software on all machines.
Baselines are similar to standards but give an in-depth description of different OSs and versions. E.g. Windows 2007, Windows 2008, Red Hat Enterprise Linux 5.

Security Policy Life Cycle
Investigate
Analyze
Design (blueprint for security; planning for continuity)
Implement
Maintain

Security Policy Life Cycle
Investigation Phase
It has the support of senior management.
Has the support and active involvement of IT management.
Defines a clear articulation of goals.
Includes the participation of the affected communities of interest.
Defines a detailed outline of the scope of the policy development project.

Security Policy Life Cycle
Analysis Phase produces the following:
A new risk assessment or IT audit document specifying the information security needs.
Key reference materials that include existing policies.

Design Phase
It contains the initial design framework; after refinement it turns into the blueprint.
Users or organization members acknowledge what they have received by signing and dating a form.

Security Policy Life Cycle
Implementation Phase
The policy development team writes policies by using various resources:
The Web
Government sites such as NIST
Professional literature
Peer networks
Professional consultants

Maintenance Phase
The policy development team is responsible for monitoring, maintaining and modifying the policy.

Types of Information Security Policies
Management defines three types of policies:
1. General or Security Program policies
2. Issue-specific security policies
3. System-specific security policies

Types of Information Security Policies
General or Security Program Policy (SPP)
SPP is also called the general security policy, IT security policy or information security policy.
SPP is used to set the strategic direction, scope and tone for all security tasks within the organization.
The Chief Inspection Officer (CIO) has the responsibility of drafting the executive-level document.
Normally 2 to 10 pages long.

Types of Information Security Policies
Issue-specific security policies (ISSP)
This contains the issue statement on the organization's position on an issue.
It addresses specific areas of technology and requires frequent updates.
ISSP ensures a common understanding about the purposes for which an employee can and cannot use a technology.

Types of Information Security Policies
Issue-specific security policies (ISSP)
Protects both the employee and the organization from facing inefficiency and ambiguity.
It motivates the use of technology-based systems.
It protects the organization against liability for an employee's illegal use of the system.
E.g. Non-Disclosure Agreement

Types of Information Security Policies
Three approaches for creating/managing ISSP are:
Create a number of independent issue-specific documents tailored for specific issues.
Create a single comprehensive document covering all issues.
Create a modular document unifying overall policy creation/management while addressing specific details with respect to individual issues.

Components of ISSP
Policy Statement
This outlines the scope and applicability, i.e. what is the purpose and who is responsible for implementation.
It also defines the technologies used.
Authorized access and usage of Equipment
It states that the user has no particular rights of use apart from those specified in the policy.
Specifies who can use the technology mentioned in the policy and for what purpose it can be used. E.g. cameras provided by the college cannot be used for personal usage.
Users have no general rights to use other than for the organization's purpose.

Components of ISSP
Prohibited usage of Equipment
Specifies common prohibitions such as criminal use, personal use, disruptive use of the computer, and use of copyrighted licensed data.
Systems Management
Defines the responsibilities of users and administrators.
This includes management of stored material, managing employees, virus protection, encryption of data and physical security.

Components of ISSP
Policy violations
Specifies penalties for each kind of policy violation.
Also mentions procedures for reporting policy violations.
Policy Review and Modification
Specifies procedures and a timetable for policy review, i.e. how frequently it should be modified.

Components of ISSP
Limitations of Liability
It includes a statement of liability or disclaimers.
E.g. if an employee is caught doing illegal activities with the organization's data or any other assets, he will not be protected by the organization for violating the company policy.

System-specific security policies
While ISPs are known for written documents and for making users aware of them, SysSPs specify the standards and procedures used for configuring and maintaining systems.
SysSPs are mostly technical.
They provide guidance and state procedures for configuring specific systems, technologies and applications.

System-specific security policies
System configuration includes:
Intrusion detection system configuration
Firewall configuration
Workstation configuration

System-specific security policies
SysSPs can be categorized into two groups:
1. Access Control Lists (ACLs)
This consists of access control lists, matrices and capability tables controlling the rights and privileges of a particular user to a particular system.

[Figure: Access Control List]
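The slide names three related structures: the access control matrix, the ACL and the capability table. The following is an added example, not code from the course, showing that the last two are just the column and row views of one matrix, with a default-deny lookup and a revocation helper that makes the practical difference between the two views visible. The subjects, objects and grants are constructed sample data.

```python
"""Added example (not from the slides): one access control matrix and the two
views SysSPs are commonly written in, an access control list (per object) and
a capability table (per subject).

Assumptions (mine, not the course's): rights are the strings "read", "write"
and "execute"; subjects, objects and grants are constructed sample data.
"""
from collections import defaultdict

RIGHTS = {"read", "write", "execute"}

# Access control matrix: (subject, object) -> set of rights.
# An absent cell means no rights at all.
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("bob", "payroll.db"): {"read"},
    ("bob", "backup.sh"): {"read", "execute"},
    ("backup-svc", "payroll.db"): {"read"},
    ("backup-svc", "backup.sh"): {"execute"},
}


def validate(matrix):
    """Reject rights the policy does not define, so a typo cannot grant access."""
    for (subject, obj), rights in matrix.items():
        unknown = rights - RIGHTS
        if unknown:
            raise ValueError(f"unknown rights {sorted(unknown)} for {subject} on {obj}")


def acl_view(matrix):
    """Object -> {subject: rights}: a column of the matrix, i.e. that object's ACL."""
    acl = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        acl[obj][subject] = frozenset(rights)
    return dict(acl)


def capability_view(matrix):
    """Subject -> {object: rights}: a row of the matrix, i.e. that subject's capability table."""
    caps = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        caps[subject][obj] = frozenset(rights)
    return dict(caps)


def is_allowed(matrix, subject, obj, right):
    """Default deny: anything not explicitly granted is refused."""
    return right in matrix.get((subject, obj), set())


def revoke_subject(matrix, subject):
    """Remove every grant held by a subject (e.g. when they leave). Returns a new
    matrix. This is a row operation: trivial in a capability table (drop the row),
    but with per-object ACLs every object's list has to be scanned."""
    return {cell: rights for cell, rights in matrix.items() if cell[0] != subject}


if __name__ == "__main__":
    validate(MATRIX)
    print("ACL for payroll.db:", acl_view(MATRIX)["payroll.db"])
    print("Capabilities of bob:", capability_view(MATRIX)["bob"])
    print("bob may write payroll.db?", is_allowed(MATRIX, "bob", "payroll.db", "write"))
```

Whichever view a SysSP is written in, the check performed at access time is the same matrix lookup; the choice of view mainly decides which administrative questions (who can reach this object, what can this user reach) are cheap to answer.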

System-specific security policies
2. Configuration Rules:
This consists of specific configuration codes entered into security systems, which govern the system's execution.
Configuration rules are more specific to the system operation than ACLs.
These rules define specific configuration scripts, which guide the operating system on what actions to perform on each set of information it processes.
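Firewall configuration is the slide's own example of a configuration rule set. The following is an added example, not code from the course, of a small first-match-wins rule list with an explicit default-deny rule at the end, evaluated over constructed connection attempts. It also includes a check for a rule that an earlier rule completely shadows, which is the most common way an ordered rule set silently stops meaning what its author intended. The rule syntax, addresses and ports are invented for the example and follow no real firewall product's format.

```python
"""Added example (not from the slides): a firewall-style configuration rule set
evaluated first-match-wins with a final default-deny rule, plus a shadowed-rule check.

Assumptions (mine, not the course's): the Rule fields, the sample addresses and
the ports are constructed for the example; no real product's syntax is used.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(cidr):
    return ipaddress.ip_network(cidr)


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network  # source network the rule applies to
    dst_port: Optional[int]     # None means any destination port
    comment: str = ""

    def matches(self, proto, src_ip, dst_port):
        return (
            self.proto in ("any", proto)
            and ipaddress.ip_address(src_ip) in self.src
            and self.dst_port in (None, dst_port)
        )


def evaluate(rules, proto, src_ip, dst_port):
    """Return (action, index of the rule that decided). If no rule matches the
    connection is denied, so the policy is default-deny even without the last rule."""
    for i, rule in enumerate(rules):
        if rule.matches(proto, src_ip, dst_port):
            return rule.action, i
    return "deny", None


def covers(earlier, later):
    """True when every packet the later rule could match is already matched by
    the earlier rule, so the later rule can never fire."""
    return (
        earlier.proto in ("any", later.proto)
        and later.src.subnet_of(earlier.src)
        and (earlier.dst_port is None or earlier.dst_port == later.dst_port)
    )


def find_shadowed(rules):
    """Indices of rules that some single earlier rule fully covers."""
    return [j for j in range(len(rules))
            if any(covers(rules[i], rules[j]) for i in range(j))]


# Constructed rule set: order matters, first match wins.
RULES = [
    Rule("allow", "tcp", net("10.1.0.0/16"), 22, "admin VLAN may SSH"),
    Rule("deny", "any", net("10.0.0.0/8"), 22, "no SSH from other internal ranges"),
    Rule("allow", "tcp", ANY, 443, "public HTTPS"),
    Rule("deny", "any", ANY, None, "default deny"),
]

# Constructed connection attempts: (proto, source address, destination port).
SAMPLE_CONNECTIONS = [
    ("tcp", "10.1.5.5", 22),
    ("tcp", "10.2.5.5", 22),
    ("tcp", "203.0.113.7", 443),
    ("udp", "203.0.113.7", 53),
]

if __name__ == "__main__":
    for conn in SAMPLE_CONNECTIONS:
        action, idx = evaluate(RULES, *conn)
        print(conn, "->", action, "by rule", idx, RULES[idx].comment if idx is not None else "")
    print("shadowed rules:", find_shadowed(RULES))
```

Swapping the first two rules of RULES would leave the admin VLAN's allow rule shadowed by the broader deny, and find_shadowed reports that before the change is deployed.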

Policy Infrastructure
The foundations for information security are the Information Security Policy and Standards.
The major information security functions are:
1. Information protection
2. Control the access to information
3. Administer (monitor) the users

[Figure: Policy Infrastructure, with Information Protection, Control Access and Administer Users grouped under Manage Security, resting on Information Security Policies and Standards]

Policy Design Life Cycle
First, identify the information security goals and the cabinet goals. Then form the policy.
The policy should include standards, procedures and guidelines.
Make users aware of all these so that they can do their job securely.
Only once the users' actions are secured can complete information security be achieved.

[Figure: Policy Design Life Cycle, flowing from Cabinet Goal and IS Goal to Policy, then Standards, Procedures and Guidelines, then Awareness, then Action, resulting in InfoSec]

Policy Design Processes
The policy life cycle can be designed by using a 10-step approach; each step contributes to the design of the policy.
1. Collect Background Information
2. Perform Risk Assessment
3. Create a Policy Review Board
4. Develop the Information Security Plan
5. Develop IS Policies, Standards and Guidelines
6. Implement Policies and Standards
7. Awareness and Training
8. Monitor for Compliance
9. Evaluate Policy Effectiveness
10. Modify the Policy

Policy Design - 10 step approach
1. Collect Background Information
Based on existing policy, identify what procedures and guidelines are to be included in the new policy.
Determine the different levels of control which will need access to the confidential information.
Decide who should design the policy, e.g. top management or anyone related to law.

Policy Design - 10 step approach
2. Perform Risk Assessment
Validate the policy against any possible risks.
Identify the risky and complex functions.
Identify the difficult processes.
Identify the confidential data and the possible risks associated with it.
Analyze the possible vulnerabilities.

Policy Design - 10 step approach
3. Create a Policy Review Board
Determine the policy development process.
Write the initial draft.
Send the draft to the Review Board for their comments and suggestions.
Modify the draft to incorporate the suggestions.
Resolve the issues (if any) face to face.
Submit the updated draft policy to the cabinet for approval.

Policy Design - 10 step approach
4. Develop the Information Security Plan
Determine the organizational goals.
Define the various roles and responsibilities.
Notify users of information about the directions specified in the policy.
Establish a foundation for compliance, risk assessment and audit of information security.

Policy Design - 10 step approach
5. Develop IS Policies, Standards and Guidelines
Policies: these are high-level statements written by the Board of Directors that notify workers about who is responsible for making any type of decision.
Standards: these are requirement statements that depict specific technical specifications.
Guidelines: these are recommendations which can be included in the policy.

Policy Design - 10 step approach
6. Implement Policies and Standards
Notify and distribute the policy amongst users.
Make users agree to the policy before accessing the confidential system.
Enforce the controls to meet the policy.
7. Awareness and Training
Make the system users aware of their expected behavior.
Train users about how and when.
Training will help to minimize information loss and theft.
It also reduces the need for strict controls.

Policy Design - 10 step approach
8. Monitor for Compliance
Security management is required for establishing controls on information.
Security management must review the status of controls regularly.
Implement the user contracts (i.e. code of conduct).
Establish effective authorization approval.
Conduct an internal review process.
Conduct internal audit reviews.

Policy Design - 10 step approach
9. Evaluate Policy Effectiveness
Evaluate the policy for any problems.
Document the policy regularly.
Report it to management.
10. Modify the Policy
Modifications are necessary to incorporate changes like:
Upcoming technology
New threats
New goals or modified existing goals
Changes in the standard
Changes in law
Lack of success of the existing policy

Sample Policy