Safeguards Frameworks and Controls. Security Functions Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5),

Transcription

1 Safeguards Frameworks and Controls Theory of Secure Information Systems Features: Safeguards and Controls Richard Baskerville T 1 F 1 O 1 T 2 F 2 O 2 T 3 F 3 O 3 T 4... T n F l O m T F O Security Functions Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5), Loss avoidance Deterrence Loss prevention Loss detection Recovery Vulnerability correction Basic Attributes of Security Baskerville, R., & Sainsbury, R. (2005, July). Securing Against the Possibility of an Improbable Event: Concepts for Managing Predictable Threats and Normal Compromises. Paper presented at the European Conference on Information Warfare and Security, Glamorgan University, UK. Eliminate serious threats, prevent attacks, limit intrusion scope, e.g. antivirus, encryption, firewalls, passwords and biometric ID systems. PREVENTATIVE Respond quickly or actively to unprotected security problems, restoration of system after attack, e.g., data backups, drive images, mirrored servers, extra staff RESTORATIVE

2 Information Security Standards ISO/IEC ISO/IEC (17799) CobIT ITIL PCI NIST Common Criteria ISO/IEC Library of Standards Guidance and Standards: Examples Quality Standards ISO/IEC Technical Standards ISO/IEC Professional Standards COBIT (Control Objectives for IT), a generally applicable and accepted standard for good information technology security and control practices in organizations. Industry Practices and Standards ITIL (IT Infrastructure Library) Payment Card Industry (PCI) Standard NIST Computer Security Handbook Qualification Criteria ITSEC, TCSEC, Common Criteria Quality Standards Example: ISO/IEC 27001

3 ISO/IEC This standard has evolved toward the development of management systems for information security and provides a stronger basis for third party audit and certification. It offers a managerially-oriented complement to operatd the technologically-oriented. Structure of the Information Security Management System (ISMS) ISO Leadership -top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities. Planning-outlines the process to identify, analyze and plan to treat information security risks, and clarify the objectives of information security. Support-adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled. Operation-a bit more detail about assessing and treating information security risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors). Performance evaluation -monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate. Improvement -address the findings of audits and reviews (e.g. nonconformities and corrective actions), make continual refinements to the ISMS Technical Standards ISO/IEC 27002:2005 ISO/IEC Overview of Controls Security Policy Organization of Information Security Human Resources Security Asset Management Access Control Cryptography Physical And Environmental Security Operations security Communications Security Information Systems Acquisition, Development, Maintenance Supplier Relationships Information Security Incident management Information Security Aspects of Business Continuity Compliance

4 Specimen control from ISO/IEC 27002:2013 Information Security Policies Provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. Organization of Information Security Establishes a management framework to initiate and control the implementation and operation of information security within the organization Ensure the security of teleworking and use of mobile devices. Human Resource Security Ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. Ensure that employees and contractors are aware of and fulfil their information security responsibilities. Protect the organization s interests as part of the process of changing or terminating employment.

5 Asset Management Identify organizational assets and define appropriate protection responsibilities. Ensure that information receives an appropriate level of protection in accordance with its importance to the organization. Prevent unauthorized disclosure, modification, removal or destruction of information stored on media. Access Control Limit access to information and information processing facilities. Ensure authorized user access and to prevent unauthorized access to systems and services. Make users accountable for safeguarding their authentication information. Prevent unauthorized access to systems and applications. Cryptography Ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. Physical and Environmental Security Prevent unauthorized physical access, damage and interference to the organization s information and information processing facilities. Prevent loss, damage, theft or compromise of assets and interruption to the organization s operations.

6 Operations Security Ensure correct and secure operations of information processing facilities. Ensure that information and information processing facilities are protected against malware. Protect against loss of data. Record events and generate evidence. Ensure the integrity of operational systems. Prevent exploitation of technical vulnerabilities. Minimisethe impact of audit activities on operational systems. Communications Security Ensure the protection of information in networks and its supporting information processing facilities. Maintain the security of information transferred within an organization and with any external entity. System Acquisition, Development and Maintenance Ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks. Ensure that information security is designed and implemented within the development lifecycle of information systems. Ensure the protection of data used for testing. Supplier Relations To ensure protection of the organization s assets that is accessible by suppliers. Maintain an agreed level of information security and service delivery in line with supplier agreements.

7 Information Security Incident Management Ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weakness Information Security Aspects of Business Continuity Management Information security continuity should be embedded in the organization s business continuity management systems. Ensure availability of information processing facilities. Compliance Essential Safeguards Avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements Ensure that information security is implemented and operated in accordance with the organizational policies and procedures.

8 Essential Safeguards Essential Safeguards ITIL Industry Practices & Standards Examples: ITIL PCI NIST 800 IT Infrastructure Library Best practices and guidelines for managing information technology services Integrated, process-based approach Originated as a 1980's UK government drive Focus on quality, efficient, cost-effective delivery of IT services

9 Major ITIL Volumes ITIL Structure Software asset management Service support Service delivery Planning to implement service management ICT infrastructure management Application management Security management The business perspective Security Management Products Policies Processes Procedures Work instructions Initial Security Effort: Risk Analysis Minimum Security Baseline Security Requirements Modify Report ITIL Securiity Requirements Feasibility Analysis adapted from Weil, Steven, (2004) "How ITIL Can Improve Information Security" Security Focus ( Negotiate & Define SLA SLA Negotiate & Define OLA Customer IT Service Org. Payment Card Industry Data Security Standard Build and Maintain a Secure Network Install and maintain a firewall configuration to protect data Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Protect stored data Encrypt transmission of cardholder data and sensitive information across public networks Maintain a Vulnerability Management Program Use and regularly update anti-virus software Develop and maintain secure systems and applications Implement Strong Access Control Measures Restrict access to data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Regularly Monitor and Test Networks Track and monitor all access to network resources and cardholder data Regularly test security systems and processes. Maintain an Information Security Policy Maintain a policy that addresses information security Monitor Implement OLA

10 NIST Computer Security Handbook Special Publication NIST Computer Security Division SP An Introduction to Computer Security: The NIST Handbook, October 1995 SP Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996 SP Guide for Developing Security Plans for Information Technology Systems, December 1998 SP Security Self-Assessment Guide for Information Technology Systems, November 2001 SP Risk Management Guide for Information Technology Systems, July 2002 SP Underlying Technical Models for Information Technology Security, December 2001 SP Contingency Planning Guide for Information Technology Systems, June 2002 SP Security Metrics Guide for Information Technology Systems, July 2003 SP Integrating Security into the Capital Planning and Investment Control Process, January 2005 NIST SP Reference Model OECD's Guidelines for the Security of Information Systems Accountability -The responsibilities and accountability of owners, providers and users of information systems and other parties...should be explicit. Awareness -Owners, providers, users and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures...for the security of information systems. Ethics -The Information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interest of others are respected. Multidisciplinary -Measures, practices and procedures for the security of information systems should take account of and address all relevant considerations and viewpoints... Proportionality -Security levels, costs, measures, practices and procedures should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability and extent of potential harm... Integration -Measures, practices and procedures for the security of information systems should be coordinated and integrated with each other and other measures, practices and procedures of the organization so as to create a coherent system of security. Timeliness -Public and private parties, at both national and international levels, should act in a timely coordinated manner to prevent and to respond to breaches of security of information systems. Reassessment -The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time. Democracy -The security of information systems should be compatible with the legitimate use and flow of data and information in a democratic society. Qualification Criteria Example: Common Criteria

11 Common Criteria The CC philosophy is to provide assurance based upon an evaluation (active investigation) of the IT product or system that is to be trusted. Evaluation has been the traditional means of providing assurance and is the basis for prior evaluation criteria documents. In aligning the existing approaches, the CC adopts the same philosophy. The CC proposes measuring the validity of the documentation and of the resulting IT product or system by expert evaluators with increasing emphasis on scope, depth, and rigor. (Common Criteria v 2.1, Part 3 p. 2) ISO/IEC Participants Common Criteria Canada: Communications Security Establishment France: Service Central de la Sécurité des Systèmes d'information Germany: Bundesamt für Sicherheit in der Informationstechnik Netherlands: Netherlands National Communications Security Agency United Kingdom: Communications-Electronics Security Group United States: National Institute of Standards and Technology United States: National Security Agency Context Model Common Criteria Goal Model Common Criteria

12 Common Criteria Structure Safeguards Frameworks and Controls Richard Baskerville