Blueprints, Frameworks, and Security Models

Management of Information Security, 4th Edition, Chapter 6: Security Management Models (Cengage Learning, 2014)

Objectives
- Describe the dominant InfoSec blueprints, frameworks, and InfoSec management models, including U.S. government-sanctioned models
- Explain why access control is an essential element of InfoSec management
- Recommend an InfoSec management model and explain how it can be customized to meet the needs of a particular organization
- Describe the fundamental elements of key InfoSec management practices

Objectives (continued)
- Discuss emerging trends in the certification and accreditation of U.S. federal information technology (IT) systems

Blueprints, Frameworks, and Security Models
- Blueprint - describes existing controls and identifies other necessary security controls
- Framework - the outline of the more thorough blueprint
  - Sets out the model to be followed in the creation of the design, selection, and initial implementation of all subsequent security controls
- Security model - a generic blueprint offered by a service organization
  - Free models are available from the National Institute of Standards and Technology (NIST)

Blueprints, Frameworks, and Security Models (continued)
- Another way to create a blueprint is to look at the paths taken by other organizations
  - This is a kind of benchmarking, where recommended practices or industry standards are followed

- Benchmarking: the comparison of two related measurements
  - Benchmarking can provide details on how controls are working, or which new controls should be considered
  - It does not provide details on how controls should be put into action

Access Control Models Part 1
- Access controls - regulate the admission of users into trusted areas of the organization
- Access control is maintained by means of:
  - A collection of policies
  - Programs to carry out those policies
  - Technologies to enforce policies

Access Control Models Part 2
- General application of access control comprises four processes:
  - Identification - obtaining the identity of the entity requesting access to a logical or physical area
  - Authentication - confirming the identity
  - Authorization - determining which actions an authenticated entity can perform in that physical or logical area
  - Accountability - documenting the activities of the authorized individual and systems

Access Control Models Part 3
- Access control is built on several key principles:
  - Least privilege - a member of the organization can access the minimum amount of information for the minimum amount of time necessary
  - Need-to-know - limits a user's access to the specific information required to perform the currently assigned task
  - Separation of duties - requires that significant tasks be split up in such a way that more than one individual is responsible for their completion

Categories of Access Control
- A number of approaches are used to categorize access control methodologies
- One approach depicts controls by characteristics:
  - Deterrent
  - Preventive
  - Detective
  - Corrective
  - Recovery

Categories of Access Control (continued)
- A second approach categorizes controls based on their operational impact on the organization:
  - Management
  - Operational (administrative)
  - Technical
- A third approach describes the degree of authority under which the controls are applied
  - Can be mandatory, nondiscretionary, or discretionary

Table 6-1 Categories of access control

|             | Deterrent       | Preventative              | Detective                         | Corrective                      | Recovery                     | Compensating                         |
| Management  | Policies        | Registration procedures   | Periodic violation report reviews | Employee or account termination | Disaster recovery plan       | Separation of duties, job rotation   |
| Operational | Warning signs   | Gates, fences, and guards | Sentries, CCTVs                   | Fire suppression systems        | Disaster recovery procedures | Defense in depth                     |
| Technical   | Warning banners | Login systems, Kerberos   | Log monitors and IDPSs            | Forensics procedures            | Data backups                 | Key logging and keystroke monitoring |

Mandatory Access Controls
- A mandatory access control (MAC) is required and is structured and coordinated within a data classification scheme that rates each collection of information, as well as each user
- Ratings are often referred to as sensitivity or classification levels

- When MACs are implemented, users and data owners have limited control over access to information resources

Data Classification Model
- The U.S. military uses a five-level classification scheme:
  - Unclassified data
  - Sensitive but unclassified (SBU) data
  - Confidential data
  - Secret data
  - Top secret data
- Compartmentalization - the restriction of information to the very fewest people possible (need-to-know)

Data Classification Model (continued)
- An organization can protect its sensitive information with a simple scheme like the following:
  - Public - for general public dissemination
  - For official use only - not for public release, but not sensitive
  - Sensitive - important information that, if compromised, could embarrass the organization
  - Classified - essential and confidential information, disclosure of which could severely damage the well-being of the organization

Security Clearances
- Security clearance structure - each user of an information asset is assigned an authorization level that identifies the level of information classification he or she can access
- Usually accomplished by assigning each employee to a named role
  - Data entry clerk, InfoSec analyst, etc.
- Most organizations have developed a set of roles and a corresponding security clearance

Managing Classified Information Assets
- Managing an information asset includes all aspects of its life cycle
  - From specification to design, acquisition, implementation, use, storage, distribution, backup, recovery, retirement, and destruction
- Classified documents must be accessible only to authorized individuals
  - Usually requires locking file cabinets, safes, etc.
- Clean desk policy - requires each employee to secure all information in its appropriate storage container at the end of every business day

Managing Classified Information Assets (continued)
- Documents should be destroyed by means of shredding, burning, or transfer to a third-party document destruction service
- Dumpster diving - the retrieval of information from refuse or recycling bins
- Lattice-based access control - assigns users a matrix of authorizations for particular areas of access
  - Level of authorization may vary depending on classification authorizations

Nondiscretionary Controls
- Nondiscretionary controls - determined by a central authority in the organization and can be based on:
  - Role-based controls - tied to the role that a user performs
  - Task-based controls - tied to a particular assignment or responsibility
- Both controls make it easier to maintain controls and restrictions
  - Rights are assigned to the role, not the person

Discretionary Access Controls
- Discretionary access controls (DACs) are implemented at the discretion or option of the data user
- The ability to share resources in a peer-to-peer configuration allows users to control, and possibly provide, access to information or resources at their disposal
- Role-based models can be implemented under DAC if an individual system owner wants to create the rules
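To tie together the classification scheme, role-based clearances, compartmentalization (need-to-know), and the limited control users have under MAC, here is an added example that is not from the textbook: a small lattice-based access check in Python. The role names, compartment names, document names, and the "security officer" central authority are constructed for illustration.

```python
# Added example (not from the textbook): lattice-based MAC check using the
# chapter's four-level organizational scheme plus need-to-know compartments.
# Role names, compartment names and document names are constructed.
from dataclasses import dataclass, field

# Ordered classification levels from the Data Classification Model slide.
LEVELS = ["Public", "For official use only", "Sensitive", "Classified"]
RANK = {name: i for i, name in enumerate(LEVELS)}

@dataclass(frozen=True)
class Label:
    """Security label = classification level + set of compartments."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level at least as high AND compartments a superset.
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)

# Clearances belong to named roles, not people (nondiscretionary, role-based).
ROLE_CLEARANCE = {
    "data entry clerk": Label("For official use only"),
    "hr specialist": Label("Sensitive", frozenset({"HR"})),
    "infosec analyst": Label("Classified", frozenset({"HR", "FIN"})),
}

# Sample protected objects and their labels (constructed).
DOCUMENTS = {
    "press-release.txt": Label("Public"),
    "salary-bands.xlsx": Label("Sensitive", frozenset({"HR"})),
    "audit-findings.pdf": Label("Sensitive", frozenset({"FIN"})),
    "breach-report.docx": Label("Classified", frozenset({"HR", "FIN"})),
}

AUDIT_LOG = []  # accountability: every decision is recorded

def can_read(user: str, role: str, document: str) -> bool:
    """Mandatory read check: the role's clearance must dominate the label."""
    allowed = ROLE_CLEARANCE[role].dominates(DOCUMENTS[document])
    AUDIT_LOG.append((user, role, document, "read", "ALLOW" if allowed else "DENY"))
    return allowed

def relabel(role: str, document: str, new_label: Label) -> bool:
    """Under MAC, data users cannot change labels; only the central authority
    (a constructed 'security officer' role here) can reclassify."""
    allowed = role == "security officer"
    if allowed:
        DOCUMENTS[document] = new_label
    AUDIT_LOG.append(("-", role, document, "relabel", "ALLOW" if allowed else "DENY"))
    return allowed

if __name__ == "__main__":
    # The HR specialist is cleared Sensitive but lacks the FIN compartment,
    # so need-to-know denies the audit findings despite a sufficient level.
    print(can_read("alice", "hr specialist", "salary-bands.xlsx"))        # True
    print(can_read("alice", "hr specialist", "audit-findings.pdf"))       # False
    print(can_read("bob", "data entry clerk", "press-release.txt"))       # True
    print(relabel("hr specialist", "salary-bands.xlsx", Label("Public")))  # False
```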

Other Forms of Access Control
- Other models of access control include:
  - Content-dependent access controls - access may be dependent on the content of the information
  - Constrained user interfaces - designed specifically to restrict what information an individual user can access
  - Temporal (time-based) isolation - access to information is limited by a time-of-day constraint

Security Architecture Models
- Security architecture models illustrate InfoSec implementations and can help organizations quickly make improvements through adaptation
- Some models are:
  - Implemented in computer hardware and software
  - Implemented as policies and practices
  - Focused on the confidentiality of information
  - Focused on the integrity of the information as it is being processed

Trusted Computing Base Part 1
- Trusted Computer System Evaluation Criteria (TCSEC) - an older DoD standard that defines the criteria for assessing the access controls in a computer system
- TCSEC defines a trusted computing base (TCB) as the combination of all hardware, firmware, and software responsible for enforcing security policy
- Within the TCB is a conceptual object known as the reference monitor
  - It is the piece of the system that manages access controls

Trusted Computing Base Part 2
- Covert channels - unauthorized or unintended methods of communication hidden inside a computer system
- TCSEC defines two kinds of covert channels:
  - Storage channels - communicate by modifying a stored object
  - Timing channels - transmit information by managing the relative timing of events

Bell-LaPadula Confidentiality Model
- Bell-LaPadula (BLP) confidentiality model - a model of an automated system that is able to manipulate its state or status over time
- BLP ensures confidentiality by using MACs, data classification, and security clearances
- Access modes can be one of two types:
  - Simple security property - prohibits a subject of lower clearance from reading an object of higher clearance
  - * (star) property - prohibits a high-level subject from sending messages to a lower-level object

Biba Integrity Model
- Biba integrity model - based on the premise that higher levels of integrity are more worthy of trust than lower ones
- The Biba model assigns integrity levels to subjects and objects using two properties:
  - Simple integrity property (read) - permits a subject to have read access to an object only if its security level is lower than or equal to that of the object
  - Integrity * property (write) - permits a subject to have write access to an object only if its security level is equal to or higher than that of the object

The ISO 27000 Series
- Information Technology - Code of Practice for Information Security Management - one of the most widely referenced InfoSec management models
- The Code of Practice was adopted as an international standard framework for InfoSec by the ISO and the IEC as ISO/IEC 17799
- It was revised in 2005 and in 2007 was renamed ISO 27002
- It was intended to provide a common basis for developing organizational security standards

Table 6-2 Sections of the ISO/IEC 27002
- Structure
- Risk Assessment and Treatment
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resource Security
- Physical and Environmental Security
- Communications and Operations
- Access Control
- Information Systems Acquisition, Development, and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance
Source: 27000.org
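Returning to the Bell-LaPadula and Biba properties listed above, here is an added example (not the textbook's own) that writes both models' read and write rules as executable checks over the five military classification levels from the Data Classification Model slide, then combines them into a single reference-monitor decision. Using the same five levels for both the confidentiality and integrity scales, and the subject and object names, are assumptions made for illustration.

```python
# Added example (not from the textbook): the Bell-LaPadula confidentiality
# rules and the Biba integrity rules as executable checks, using the five
# military classification levels from the Data Classification Model slide
# as the ordering for both scales. Subject/object names are constructed.
LEVELS = ["Unclassified", "SBU", "Confidential", "Secret", "Top secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

def blp_allows(subject_level: str, object_level: str, mode: str) -> bool:
    """Bell-LaPadula: confidential information may only flow upward.

    read  -> simple security property: no read up   (subject >= object)
    write -> * (star) property:        no write down (subject <= object)
    """
    s, o = RANK[subject_level], RANK[object_level]
    if mode == "read":
        return s >= o
    if mode == "write":
        return s <= o
    raise ValueError(f"unknown access mode: {mode}")

def biba_allows(subject_level: str, object_level: str, mode: str) -> bool:
    """Biba: integrity may only flow downward (the dual of BLP).

    read  -> simple integrity property: no read down (subject <= object)
    write -> integrity * property:      no write up  (subject >= object)
    """
    s, o = RANK[subject_level], RANK[object_level]
    if mode == "read":
        return s <= o
    if mode == "write":
        return s >= o
    raise ValueError(f"unknown access mode: {mode}")

def combined_allows(subject: dict, obj: dict, mode: str) -> bool:
    """A reference monitor enforcing both models: each subject and object
    carries a separate confidentiality label and integrity label, and an
    access is granted only if both BLP and Biba permit it."""
    return (blp_allows(subject["conf"], obj["conf"], mode)
            and biba_allows(subject["integ"], obj["integ"], mode))

if __name__ == "__main__":
    # Constructed subjects/objects: an analyst cleared Secret whose own
    # inputs carry Confidential integrity, and a Secret, high-integrity
    # threat feed. Reading is fine; writing would taint high-integrity data,
    # so the integrity * property blocks it even though BLP allows it.
    analyst = {"conf": "Secret", "integ": "Confidential"}
    feed = {"conf": "Secret", "integ": "Top secret"}
    print(combined_allows(analyst, feed, "read"))   # True
    print(combined_allows(analyst, feed, "write"))  # False
```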

Figure 6-2 ISO/IEC 27001 major process steps

NIST Security Models
- Advantages of NIST (National Institute of Standards and Technology) security models over many other sources of security information:
  - They are publicly available at no charge
  - They have been available for some time and have been broadly reviewed by government and industry professionals

NIST Special Publication 800-12
- SP 800-12: Computer Security Handbook - an excellent reference and guide for routine management of InfoSec
- SP 800-12 provides for:
  - Accountability
  - Awareness
  - Ethics
  - Multidisciplinary
  - Proportionality
  - Integration

NIST Special Publication 800-12 (continued)
- SP 800-12 organizes controls into three categories:
  - Management controls
  - Operational controls
  - Technical controls

NIST Special Publication 800-14 Part 1
- SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems - describes recommended practices and provides information on commonly accepted InfoSec principles
- Can direct the security team in the development of a security blueprint
- Also describes the philosophical principles that the security team should integrate into the entire InfoSec process

NIST Special Publication 800-14 Part 2
- Significant points made in NIST SP 800-14:
  - Security supports the mission of the organization
  - Security is an integral element of sound management
  - Security should be cost-effective
  - Systems owners have security responsibilities outside their own organizations
  - Security responsibilities and accountability should be made explicit
  - Security requires a comprehensive and integrated approach

NIST Special Publication 800-18 Rev. 1
- NIST SP 800-18 Rev. 1: Guide for Developing Security Plans for Federal Information Systems - provides detailed methods for assessing, designing, and implementing controls and plans for applications of various sizes
- Serves as a guide for security planning activities and for the overall InfoSec planning process
- Includes templates for major application security plans

NIST Special Publication 800-30 Rev. 1
- NIST SP 800-30 Rev. 1: Guide for Conducting Risk Assessments
- Provides a foundation for the development of an effective risk management program
- Contains both the definitions and the practical guidance necessary for assessing and mitigating risks identified within IT systems
- Organized into three chapters that explain the overall risk management process, as well as preparing for, conducting, and communicating a risk assessment

NIST Special Publications 800-53 Rev. 3 and 800-53A Rev. 1
- Both publications cover recommended security controls for federal information systems
- SP 800-53 Revision 3 provides a systems development life cycle (SDLC) approach to security assessment of information systems
- NIST has a comprehensive security control assessment program that guides organizations through the preparation for, assessment of, and remediation of critical security controls

Control Objectives for Information and Related Technology
- Control Objectives for Information and Related Technology (COBIT) provides advice about the implementation of sound controls and control objectives for InfoSec
- COBIT was created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1992
- There have been many updates; the latest version is COBIT 5, released in 2012

Control Objectives for Information and Related Technology (continued)
- COBIT 5 provides five principles focused on the governance and management of IT:
  - Meeting Stakeholder Needs
  - Covering the Enterprise End-to-End
  - Applying a Single, Integrated Framework
  - Enabling a Holistic Approach
  - Separating Governance (very senior level, like the board of directors) from Management

Committee of Sponsoring Organizations
- Committee of Sponsoring Organizations (COSO) of the Treadway Commission - another control-based model
- The major objective of COSO is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence
- COSO helps organizations comply with critical regulations like the Sarbanes-Oxley Act of 2002

COSO Definitions and Key Concepts
- According to COSO, internal control is a process designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
  - Effectiveness and efficiency of operations
  - Reliability of financial reporting
  - Compliance with applicable laws and regulations

Committee of Sponsoring Organizations (continued)
- The COSO framework is built on five interrelated components:
  - Control environment
  - Risk assessment
  - Control activities
  - Information and communication
  - Monitoring

Information Security Governance Framework
- The Information Security Governance Framework is a managerial model provided by an industry working group, the National Cyber Security Partnership
- The framework provides guidance in the development and implementation of an organizational InfoSec governance structure
- The framework also specifies that each independent organizational unit should develop, document, and implement an InfoSec program consistent with accepted security practices

Summary Part 1
- A framework is the outline of a more thorough blueprint, used in the creation of the InfoSec environment
- Access controls regulate the admission of users into trusted areas of the organization
- Access control is built on the principles of least privilege, need-to-know, and separation of duties
- Approaches to access control include preventive, deterrent, detective, corrective, recovery, and compensating
- Mandatory access controls (MACs) are required by the system and operate within a data classification and personnel clearance scheme

Summary Part 2
- Nondiscretionary controls are determined by a central authority in the organization and can be based on roles or on a specified set of tasks
- Security architecture models illustrate InfoSec implementations and can help organizations make quick improvements through adaptation
- One of the most widely referenced security models is ISO/IEC 27001:2005 Information Technology - Code of Practice for InfoSec Management
  - Designed to give recommendations for InfoSec management

Summary Part 3
- Control Objectives for Information and Related Technology (COBIT) provides advice about the implementation of sound controls and control objectives for InfoSec
- The Information Security Governance Framework is a managerial model provided by an industry working group that provides guidance in the development and implementation of an organizational InfoSec governance structure
