Project No: 06745
ISSeG - Integrated Site Security for Grids
Specific Support Action, Information Society and Media

METHODOLOGY FOR SECURITY AUDITING OF NEW SITES

EU DELIVERABLE: D3.

Document identifier:
Due date of deliverable: End of Month (3/0/007)
Actual Submission Date: 06//007
Lead Partner for this deliverable: STFC
Document status: FINAL

Abstract: Risk assessment is an essential part of the site security process and should be performed on a regular basis. The methodology described in this document is based on (ISO and NIST) security standards and is tailored to Grid sites. Through the completion of a risk assessment questionnaire downloadable from www.isseg.eu, site personnel can identify their assets and the strength of their existing security controls. The questionnaire's answers are used to produce risk assessment results in the form of weak/missing security controls and a prioritised list of threats. Both the weak/missing security controls and the threats can be mapped to recommended countermeasures for improving site security.

Project co-funded by the European Commission as a Specific Support Action within the 6th Framework Programme. ISSeG began in February 2006 and will run for 26 months.
Copyright Members of the ISSeG Collaboration, 2006.

Project no: 06745 PUBLIC / 33
Copyright Members of the ISSeG Collaboration, 2006. See http://www.isseg.eu for details on the copyright holders.

ISSeG (Integrated Site Security for Grids) is a project co-funded by the European Commission as a Specific Support Action within the 6th Framework Programme. ISSeG began in February 2006 and will run for 26 months. For more information on ISSeG, its partners and contributors please see http://www.isseg.eu

You are permitted to copy and distribute, for non-profit purposes, verbatim copies of this document containing this copyright notice. This includes the right to copy this document in whole or in part, but without modification, into other documents if you attach the following reference to the copied elements: "Copyright Members of the ISSeG Collaboration 2006. See http://www.isseg.eu for details."

Using this document in a way and/or for purposes not foreseen in the paragraph above requires the prior written permission of the copyright holders.

The information contained in this document represents the views of the copyright holders as of the date such views are published.

THE INFORMATION CONTAINED IN THIS DOCUMENT IS PROVIDED BY THE COPYRIGHT HOLDERS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE MEMBERS OF THE ISSEG COLLABORATION, INCLUDING THE COPYRIGHT HOLDERS, OR THE EUROPEAN COMMISSION BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THE INFORMATION CONTAINED IN THIS DOCUMENT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
All trademarks (registered or unregistered) mentioned in this document are the property of their respective owners. Their use in this document is not intended in any way to infringe on the rights of the trademark holders. Their use herewith is to merely describe the goods or services to which the mark relates.

Delivery Slip
- Authored by: Christophe Duisit (Capgemini), 8/06/007
- Edited by: Kate Bradshaw (CERN), 4/0/007
- Reviewed by: Judy Richards, Kate Bradshaw, David Myers, Lionel Cons, Denise Heagerty (CERN); Ursula Epting, Tobias Koenig (FZK); David Jackson (STFC), dates up to 06//007
- Approved by: Project Board, 06//007
TABLE OF CONTENTS

1 Executive summary
2 Introduction
3 Risk assessment methodology
  3.1 Likelihood
  3.2 Impact
  3.3 Top threats and recommendations
4 Questionnaire based on the ISO standard
  4.1 Questionnaire overview
  4.2 Security policy (ISO Clause 5)
  4.3 Organization of information security (ISO Clause 6)
  4.4 Asset management (ISO Clause 7)
  4.5 Human resources security (ISO Clause 8)
  4.6 Physical and environmental security (ISO Clause 9)
  4.7 Communications and operations (ISO Clause 10)
  4.8 Access control (ISO Clause 11)
  4.9 IS acquisition, development and maintenance (ISO Clause 12)
  4.10 Information security incident management (ISO Clause 13)
  4.11 Business continuity management (ISO Clause 14)
  4.12 Compliance (ISO Clause 15)
5 The methodology for security auditing of new sites within the ISSeG project
6 References
A1 Acronyms and Abbreviations
A2 Security questionnaire example
  A2.1 Top threat identification (resulting from above answers)
A3 Summary of the ISO standard's security clauses and categories
1 Executive summary

This document describes a methodology that allows new and existing Grid sites to perform a security risk assessment of their site. The methodology is supported by a questionnaire, downloadable from www.isseg.eu, which is used to identify assets to be protected and the strength of existing security controls at a site. Risk assessment results are produced based on the questionnaire answers. They identify weak/missing security controls and a prioritised list of threats for a site. These results can then be mapped to recommendations on the ISSeG web site for improving site security.

For a successful site assessment, it is recommended that the site security officer completes the questionnaire with the involvement of relevant personnel within network security, office automation, desktop systems, IT operations and software development. Unanswered questions will result in a partial assessment, which may impact the reliability of the results.

The methodology used for this questionnaire is based on a simplified version of the NIST [R] risk analysis methodology, which is divided into four steps:

Assets => Threats => Impacts and likelihoods (risks) => Countermeasures

The questionnaire, currently implemented as an Excel spreadsheet, is divided into two parts:
- The first part identifies site security requirements based on site assets and services.
- The second part assesses security measures that are in place to mitigate risks.

In the first part of the questionnaire, Security requirements identification, the user declares a criticality level from 0 (not applicable, or null criticality) to 3 (highly critical) for each asset type or service in the list. For each asset type, the relevance of each threat in the threat list is indicated using a built-in asset/threat matrix.
The second part of the questionnaire (Security measure implementation and effectiveness assessment) is based on a subset of the ISO/IEC 17799:2005 standard [R3] [1], covering areas considered relevant to the scope of the ISSeG project. For each security measure, the user attributes a mark from 0 (measure not implemented, or totally ineffective) to 3 (measure is very effective). The user may also choose to exclude the measure from the scope (mark N/A). For each measure, the relevance of each threat in the threat list is indicated using a built-in measure/threat matrix.

After completing the questionnaire, a user can launch the top threat calculation, or review questionnaire answers or threat descriptions. The threats are sorted by decreasing risk level (highest risk first) and are colour-coded according to the level of risk. The risk level calculation is performed by determining the likelihood and impact for each threat, based on the answers provided by the user:
- The likelihood is determined using the marks given for each measure with the weights given in the measure/threat matrix.
- The impact is obtained using the marks given for each asset type or service.

The questionnaire results (top threats, weakest measures) may subsequently be used to link to recommendations on www.isseg.eu allowing threat mitigation.

[1] Now renumbered ISO/IEC 27002:2005, see http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=5097
2 Introduction

This document describes a methodology that allows new and existing Grid sites to perform a security risk assessment [2] of their site. The methodology is supported by a risk assessment questionnaire, downloadable from www.isseg.eu, which is used to identify assets [3] to be protected and the strength of existing security controls at a site.

In order to complete the questionnaire, it is necessary to have a clear understanding of:
- Assets present on site (see section 4.1.1 Security requirements)
- Security management, including policies, procedures, system and network security, incident management

For a successful site assessment, it is recommended that people with the following profiles be involved in completing the questionnaire: site security officer, network security, office automation, desktop systems, IT operations and software development. Unanswered questions will result in a partial assessment, which may impact the reliability of the results.

[2] A risk is the potential that some threat may use or exploit a vulnerability to compromise your site and cause you harm. Risk is often ranked based on a combination of the likelihood of a given threat exercising a particular potential vulnerability and the resulting impact of that adverse event on the organisation.
[3] An asset is anything that has a value to an organisation. Typical examples are: computer hardware, buildings, data, communication systems, software and reputation.
3 Risk assessment methodology

The proposed methodology is based on a simplified version of the NIST risk analysis methodology [R]. As shown in the following diagram, this methodology is divided into four steps, and uses inputs from ISO/IEC 17799:2005 [R3].

[Figure 1: risk analysis methodology and ISO 17799 inputs]

The information provided in the questionnaire is used to determine the likelihood and impact for each threat [4], in order to identify the top threats for the site. These threats may subsequently be linked to recommendations available from www.isseg.eu for threat mitigation [5].

3.1 Likelihood

The likelihood is determined by how effectively the relevant security measures [6] are implemented. For example, the likelihood will be lowest for a given threat if all of the relevant measures for that threat have been implemented effectively.

3.2 Impact

The impact is determined by how a threat can affect the security requirements of the various assets. For example, if several high-impact asset types are affected by the threat, the global impact will be higher than if only one low-impact resource is affected.

[4] A threat is a potential cause of an unwanted incident, which may result in harm to a system or an organisation. The threat could come from a person (or an event) with the motivation and capability to cause harm to an asset (or group of assets) at your site.
[5] Mitigation is a means of managing risk. It can include policies, procedures, guidelines, practices or organizational structures, which may be of an administrative, technical, managerial or legal nature. The term mitigation is also used as a synonym for a safeguard, countermeasure or control.
[6] Security measure is a synonym for mitigation (see footnote above).
3.3 Top threats and recommendations

The likelihood and impact determined for each threat are then combined to determine the top threats, which may subsequently be linked to recommendations for threat mitigation. These top threats are presented on the Top Threats tab of the questionnaire [Annex A2.1], where the risk level may be reviewed threat by threat with the help of colour codes, and sorted by decreasing risk level. The weakest measures are also identified and may be used to link to recommendations allowing threat mitigation.

The following subsections 4.2 to 4.12 explain in more detail the areas covered by the questionnaire. Please note that each ISO clause begins with a summary of the security categories defined in the ISO standard [R3]. Security categories that have not been retained in the questionnaire have been greyed out. The reasons that they have not been retained are provided in the corresponding subsections. A complete list of ISO 17799:2005 clauses and categories is provided in Annex A3.
4 Questionnaire based on the ISO standard

4.1 Questionnaire overview

The site security assessment questionnaire [Annex A2] contains two types of questions:
- Identification of security requirements relevant to the site (Part 1)
- Assessment of security measure implementation (Part 2).

4.1.1 Security requirements

The questions in the first part of the questionnaire are used to identify the site's security requirements [R], including requirements relative to baseline assets (assumed to be present on all sites) and requirements relative to specific assets, as defined below.

Baseline security requirements include:
- Desktop computers (Windows/Linux PCs, Mac)
- Network (LAN, WAN, Internet access)
- Backups (e.g. tape drive on server)
- Office servers (file and print)
- Application servers
- Centralized authentication (directory, or server-based authentication)
- Grid resources [7]

Specific security requirements include:
- Expensive and/or dangerous equipment
- Services provided across the Internet
- Local email service (managed on site)
- Confidential information stored on site
- Confidential data exchanged with off-site partners
- Services with high availability requirements
- Visitor access services (i.e. allowing visitors to access local resources such as file & print, applications, etc.)
- External user access services (i.e. access to site resources from a remote network)
- Centralized backup service.

The questionnaire seeks to determine if specific asset types or services are present, and the criticality level of each asset type/service (both baseline and specific). A mark is attributed on a scale of 0 to 3, as follows:
0 - No, our site does not have such assets or needs
1 - We can achieve our mission without these assets or services (low criticality)
2 - We cannot achieve our mission efficiently without these assets or services (medium criticality)
3 - We cannot achieve our mission at all without these assets or services (high criticality).

Part 1 is also used to map assets to threats.
For each asset type, a numeric value indicates the relevance of each threat to that asset type. These coefficients are static and not normally accessible when completing the questionnaire. They are subsequently used to perform the risk analysis (see section 3: Risk assessment methodology). The potential impact for each threat is obtained using the marks given by the user for each asset type, and an asset/threat weight matrix that determines how relevant each threat is to an asset type.

[7] A Grid resource is any equipment, software or data required to run a service on the Grid.

4.1.2 Security measures

The second part of the questionnaire (Security measure implementation and effectiveness assessment) is based on a subset of the ISO/IEC 17799:2005 standard [R3], covering areas considered relevant to the scope of the ISSeG project. Information on areas that are out of scope and have not been retained in the questionnaire is provided in the detailed description (subsections 4.2 to 4.12) of this document.

Note: In the remainder of this document, ISO/IEC 17799:2005 [R3] will be referred to as the ISO standard.

The ISO standard is composed of eleven security clauses, which are respectively described in subsections 4.2 to 4.12 [8]. Each clause is organized according to security categories, each containing:
- A security measure objective stating what is to be achieved
- One or more security measures [9] that can be applied to achieve the objective.

The questionnaire seeks to determine for the security measures (subsections 4.2 to 4.12) whether they are implemented or not and, if so, their efficiency. A mark is attributed on a scale of 0 to 3, as follows:
0 - Measure not implemented, or totally ineffective
1 - Measure is sometimes effective (considered a weakness)
2 - Measure is reasonably effective
3 - Measure is very effective (considered a strength)
N/A - Measure not part of the assessment (declared out of scope)

A Comments field is provided for additional explanations, as required (the comments are not evaluated during risk calculation). The questionnaire is assessed using a measure/threat matrix, which defines the effectiveness of the measure against each threat in the threat list (many of the measures address specific threats).
For threats that require several measures to be present for maximum protection, each measure is given a weight reflecting its effectiveness against that threat (e.g. a weight of 0.2 for 20 % effectiveness). These weights are static and not normally accessible when completing the questionnaire. The likelihood of each threat is determined by combining the marks given by the user for each measure with the weights given in the measure/threat matrix. It is subsequently used to perform the risk analysis (see section 3: Risk assessment methodology).

[8] The ISO clause numbering starts with 5, so section 4.2 of this document maps to ISO Clause 5, etc.
[9] A security measure is a means of managing risk, including policies, procedures, guidelines, practices or organizational structures, which can be of administrative, technical, management, or legal nature. NOTE: Security measure is also used as a synonym for safeguard or countermeasure (as defined in ISO/IEC 17799:2005 [R3]).
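The likelihood, impact and risk calculation described in sections 3.1 to 3.3, together with the asset/threat and measure/threat matrices of sections 4.1.1 and 4.1.2, can be followed end to end on a small constructed data set. The Python script below is an added worked example, not the ISSeG spreadsheet or any code from the project: the threat and measure names, both matrices, the weights, the treatment of N/A marks, the colour thresholds and the exact formulas (impact as a relevance-weighted sum of criticality marks, likelihood as one minus the weighted effectiveness of the relevant measures, risk as their product) are all assumptions chosen to reproduce the behaviour the text describes.

```python
"""Risk calculation in the style of the ISSeG questionnaire (sections 3.1,
3.2, 3.3, 4.1.1 and 4.1.2).  Added worked example, not the project's own
spreadsheet: every threat, measure, matrix entry, weight and colour threshold
below is constructed for illustration.
"""
from typing import Dict, List, Optional, Tuple

MAX_MARK = 3  # both questionnaire scales run from 0 to 3

# Part 1 answers (constructed): criticality per asset type, 0 = absent, 3 = highly critical.
ASSET_MARKS: Dict[str, int] = {
    "desktops": 2,
    "grid_resources": 3,
    "local_email": 1,
    "public_web": 2,
}

# Part 2 answers (constructed): effectiveness per measure, 0 = not implemented,
# 3 = very effective, None = N/A (declared out of scope).
MEASURE_MARKS: Dict[str, Optional[int]] = {
    "malware_protection": 1,
    "patch_management": 2,
    "audit_logging": 0,
    "physical_entry_controls": None,
    "backup_procedures": 3,
}

# Constructed asset/threat matrix: relevance of each threat to each asset type.
ASSET_THREAT: Dict[str, Dict[str, float]] = {
    "malware_infection": {"desktops": 1.0, "grid_resources": 0.5, "local_email": 1.0},
    "web_defacement": {"public_web": 1.0},
    "theft_of_equipment": {"desktops": 0.5, "grid_resources": 1.0},
}

# Constructed measure/threat matrix: each measure's share of the protection
# against a threat; weights for one threat sum to 1.0 (0.6 = 60 % of it).
MEASURE_THREAT: Dict[str, Dict[str, float]] = {
    "malware_infection": {"malware_protection": 0.6, "patch_management": 0.4},
    "web_defacement": {"patch_management": 0.5, "audit_logging": 0.5},
    "theft_of_equipment": {"physical_entry_controls": 0.7, "backup_procedures": 0.3},
}


def impact(threat: str, asset_marks: Dict[str, int] = ASSET_MARKS) -> float:
    """Relevance-weighted sum of criticality marks, scaled so one fully relevant,
    highly critical asset gives 1.0.  Contributions add up, so a threat touching
    several critical assets scores higher than one touching a single
    low-criticality asset (section 3.2)."""
    return sum(coef * asset_marks.get(asset, 0)
               for asset, coef in ASSET_THREAT[threat].items()) / MAX_MARK


def likelihood(threat: str, measure_marks: Dict[str, Optional[int]] = MEASURE_MARKS) -> float:
    """One minus the weighted effectiveness of the relevant measures, so the
    likelihood is 0.0 when every relevant measure is marked 3 (section 3.1).
    N/A measures are dropped and the remaining weights renormalised; if every
    relevant measure is N/A, nothing attests to any protection and the
    likelihood stays at 1.0."""
    scored = {m: w for m, w in MEASURE_THREAT[threat].items()
              if measure_marks.get(m) is not None}
    total_weight = sum(scored.values())
    if total_weight == 0:
        return 1.0
    protection = sum(w / total_weight * measure_marks[m] / MAX_MARK
                     for m, w in scored.items())
    return 1.0 - protection


def colour(risk: float) -> str:
    """Constructed colour bands for the Top Threats view."""
    if risk >= 0.75:
        return "red"
    if risk >= 0.3:
        return "amber"
    return "green"


def top_threats(asset_marks: Dict[str, int] = ASSET_MARKS,
                measure_marks: Dict[str, Optional[int]] = MEASURE_MARKS) -> List[Tuple[str, float, str]]:
    """Risk = likelihood x impact for every threat, highest risk first (section 3.3)."""
    rows = []
    for threat in ASSET_THREAT:
        risk = likelihood(threat, measure_marks) * impact(threat, asset_marks)
        rows.append((threat, round(risk, 3), colour(risk)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def weakest_measures(measure_marks: Dict[str, Optional[int]] = MEASURE_MARKS) -> List[Tuple[str, int]]:
    """Measures marked 0 (not implemented) or 1 (sometimes effective, i.e. a
    weakness), weakest first.  N/A measures are not reported."""
    weak = [(m, mark) for m, mark in measure_marks.items()
            if mark is not None and mark <= 1]
    return sorted(weak, key=lambda row: row[1])


if __name__ == "__main__":
    for threat, risk, band in top_threats():
        print(f"{threat:20s} risk={risk:.3f} {band}")
    print("weakest measures:", weakest_measures())
```

Running the script lists the threats in decreasing order of risk with their colour band, followed by the weakest measures (marks 0 or 1). Note how the measure declared N/A is dropped from the likelihood calculation and its weight redistributed to the remaining measures: in this data set the theft threat scores zero on the strength of a single remaining measure, which is why out-of-scope declarations deserve a second look when reviewing questionnaire results.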
The questionnaire Part 2 may subsequently be linked to recommendations available from www.isseg.eu for threat mitigation.

4.2 Security policy (ISO Clause 5)

In the ISO standard this clause consists of one security category:
- 4.2.1 Information security policy.

4.2.1 Information security policy

The objective of an information security policy is to provide management direction and support for information security in accordance with the organization's requirements and relevant laws and regulations.

4.2.2 Information security policy document

This measure seeks to determine:
- The existence of an information security policy document, or set of documents, approved by management
- Whether this policy is published and communicated to all employees and relevant external parties
- The scope of the information security policy.

4.2.3 Review of the information security policy

This measure seeks to determine whether the information security policy is reviewed at planned intervals, or when significant changes occur, to ensure its continuing suitability, adequacy, and effectiveness.

4.3 Organization of information security (ISO Clause 6)

In the ISO standard this clause consists of two security categories:
- 4.3.1 Internal organization
- 4.3.2 External parties.

4.3.1 Internal organization

Allocation of information security responsibilities
All information security responsibilities should be clearly defined, for specific roles:
- Security officers
- Managers
- IT operations and development teams
- Users
- Contractors and partners

Confidentiality agreements
Requirements for confidentiality or non-disclosure agreements reflecting the organisation's needs for the protection of information should be identified and regularly reviewed.

Contact with special interest groups
Appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained.
4.3.2 External parties

This security category has not been retained, as the relationship with external parties is sufficiently well covered in other clauses to suit the needs of the research communities (e.g. third party users in Clauses 8 and 13; exchange policies, procedures and agreements in Clause 10).

4.4 Asset management (ISO Clause 7)

In the ISO standard this clause consists of two security categories:
- 4.4.1 Responsibility for assets
- 4.4.2 Information classification.

4.4.1 Responsibility for assets

The objective of this security category is to achieve and maintain appropriate protection of organizational assets.

Inventory of assets
All assets should be clearly identified and an inventory of all important assets drawn up and maintained. The focus here is mainly on IT-related assets, such as information, processing and communication facilities.

Ownership of assets
All information and assets associated with information processing facilities should be owned by a designated part of the organization, and the owner should be accountable for the security of these assets.

Acceptable use of assets
Rules for the acceptable use of information and assets associated with information processing facilities should be identified, documented and implemented.

4.4.2 Information classification

The objective of this security category is to ensure that information receives an appropriate level of protection.

Classification guidelines
Information should be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization.

Information labelling and handling
An appropriate set of procedures for information labelling and handling should be developed and implemented in accordance with the classification scheme adopted by the organization.
4.5 Human resources security (ISO Clause 8)

Human resources security aims to ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities. In the ISO standard this clause consists of the following security categories:
- 4.5.1 Prior to employment
- 4.5.2 During employment
- 4.5.3 Termination or change of employment.

4.5.1 Prior to employment

The objective of this security category is to ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

Terms and conditions of employment
As part of their contractual obligation, employees, contractors and third party users should agree and sign the terms and conditions of their employment contract, which should state their and the organisation's responsibilities for information security.

4.5.2 During employment

The objective of this security category is to ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support organizational security policy in the course of their normal work, and to reduce the risk of human error.

Information security awareness, education, and training
All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.

4.5.3 Termination or change of employment

The objective of this security category is to ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner.

4.6 Physical and environmental security (ISO Clause 9)

Even though physical and environmental security is not the primary focus of the ISSeG project, this clause has been retained for aspects that can directly impact the security of IT-related assets. In the ISO standard this clause consists of two security categories:
- 4.6.1 Secure areas
- 4.6.2 Equipment security.

4.6.1 Secure areas

The objective of this security category is to prevent unauthorized physical access, damage, and interference to the organization's premises and information.

Physical security perimeter
Security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) should be used to protect areas that contain information and information processing facilities.

Physical entry controls
Secure areas should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access.
Working in secure areas
Physical protection and guidelines for working in secure areas should be designed and applied.

4.6.2 Equipment security

The objective of this security category is to prevent loss, damage, theft or compromise of assets and interruption to the organization's activities.

Supporting utilities
Equipment should be protected from power failures and other disruptions caused by failures in supporting facilities.

Secure disposal or re-use of equipment
All items of equipment containing storage media should be checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal.

4.7 Communications and operations (ISO Clause 10)

In the ISO standard the Communications and operations clause includes the following security categories:
- 4.7.1 Operational procedures and responsibilities
- 4.7.2 Third party service delivery management
- 4.7.3 System planning and acceptance
- 4.7.4 Protection against malicious and mobile code
- 4.7.5 Backup
- 4.7.6 Network security management
- 4.7.7 Media handling
- 4.7.8 Exchange of information
- 4.7.9 Publicly available information (originally Electronic commerce services)
- 4.7.10 Monitoring.

4.7.1 Operational procedures and responsibilities

The objective of this security category is to ensure the correct and secure operation of information processing facilities.

Documented operating procedures
Operating procedures should be documented, maintained, and made available to all users who need them.

Change management
Changes to information processing facilities and systems should be controlled.

Separation of development, test, and operational facilities
Development, test, and operational facilities should be separated to reduce the risks of unauthorized access or changes to the operational system.
4.7.2 Third party service delivery management

This security category has not been retained, as the focus is mostly on third party-provided service levels. Security-related aspects are addressed in other security categories, such as 4.7.6 (Network security management) and 4.7.10 (Monitoring).

4.7.3 System planning and acceptance

The objective of this security category is to minimize the risk of system failures.

Capacity management
The use of resources should be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.

4.7.4 Protection against malicious code and mobile code

The objective of this security category is to protect the integrity of software and information.

Measures against malicious code
Detection, prevention, and recovery measures to protect against malicious code and appropriate user awareness procedures should be implemented.

Measures against mobile code
Where the use of mobile code is authorized, the configuration should ensure that the authorized mobile code operates according to a clearly defined security policy, and unauthorized mobile code should be prevented from executing. Examples of mobile code include:
- Scripts (JavaScript, VBScript)
- Java applets
- ActiveX controls
- Flash animations
- Shockwave movies (and Xtras)
- Macros embedded within Office documents.

4.7.5 Backup

This security category has not been retained, as service continuity is not a main priority. However, the questionnaire addresses certain related aspects in other security categories, such as 4.7.1 (Operational procedures and responsibilities).

4.7.6 Network security management

The objective of this security category is to ensure the protection of information in networks, and the protection of the supporting infrastructure.
Network security measures
Networks should be adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.

Security of network services
Security features, service levels, and management requirements of all network services should be identified and included in any network services agreement, whether these services are provided in-house or outsourced.

4.7.7 Media handling

This security category has not been retained, as service continuity is not a main priority. However, the questionnaire addresses certain related aspects in other security categories, such as 4.7.1 (Operational procedures and responsibilities).

4.7.8 Exchange of information

The objective of this security category is to maintain the security of information and software exchanged within an organization and with any external entity.

Information exchange policies and procedures
Formal exchange policies, procedures, and security measures should be in place to protect the exchange of information through the use of all types of communications facilities.

Exchange agreements
Agreements should be established for the exchange of information and software between the organization and external parties.

Electronic messaging
Information involved in electronic messaging should be appropriately protected.

4.7.9 Publicly available information

The objective of this security category, named Electronic commerce services in the ISO standard, is to ensure the security of electronic commerce services and their secure use, but it also covers the integrity and availability of information electronically published through publicly available systems. For this questionnaire, only this last part has been retained as an objective, as electronic commerce services are out of scope.

Publicly available information
The integrity of information being made available on a publicly available system should be protected to prevent unauthorized modification. This is important to research organizations, whose public image may suffer if the integrity of public information is compromised.
4.7.10 Monitoring

The objective of this security category is to detect unauthorized information processing activities.

Audit logging
Audit logs recording user activities, exceptions, and information security events should be produced and kept for an agreed period to assist in future investigations and access control monitoring.

Monitoring system use
Procedures for monitoring use of information processing facilities should be established and the results of the monitoring activities reviewed regularly.

Protection of log information
Logging facilities and log information should be protected against tampering and unauthorized access.

Administrator and operator logs
System administrator and system operator activities should be logged.

4.8 Access control (ISO Clause 11)

The purpose of the Access control clause is to control access to information, information processing facilities, and business processes on the basis of business and security requirements. Access control rules should take into account any policies for information dissemination and authorization. In the ISO standard the Access control clause includes the following security categories:
- 4.8.1 Business requirements for access control
- 4.8.2 User access management
- 4.8.3 User responsibilities
- 4.8.4 Network access controls
- 4.8.5 Operating system access control
- 4.8.6 Application and information access control
- 4.8.7 Mobile computing and teleworking.

4.8.1 Business requirements for access control

The objective of this security category is to control access to information.

Access control policy
An access control policy should be established, documented, and reviewed based on business and security requirements for access.

4.8.2 User access management

The objective of this security category is to ensure authorized user access and to prevent unauthorized access to information systems.

User registration
There should be a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services.

Privilege management
The allocation and use of privileges should be restricted and controlled.

User password management
The allocation of passwords should be controlled through a formal management process.
4.8.3 User responsibilities
The objective of this security category is to prevent unauthorized user access, and compromise or theft of information and information processing facilities.
Password use
Users should be required to follow good security practices in the selection and use of passwords.
Unattended user equipment
Users should ensure that unattended equipment has appropriate protection.
4.8.4 Network access controls
The objective of this security category is to prevent unauthorized access to network services.
Policy on the use of network services
Users should only be provided with access to the services that they have been specifically authorized to use.
User authentication for external connections
Appropriate authentication methods should be used to control access by remote users.
4.8.5 Operating system access control
This security category has not been retained, as the needs were considered to be sufficiently covered by other security categories, such as 4.4.2 (Information classification), 4.7.10 (Monitoring), 4.8.1 (Business requirements for access control), and 4.8.2 (User access management).
4.8.6 Application and information access control
This security category has not been retained, as a detailed analysis of application and information access control would be beyond the scope of this questionnaire, considering the number and diversity of applications and information systems.
4.8.7 Mobile computing and teleworking
The objective of this security category is to ensure information security when using mobile computing and teleworking facilities.
Mobile computing and communications
A formal policy should be in place, and appropriate security measures should be adopted to protect against the risks of using mobile computing and communication facilities.
Teleworking
A policy, operational plans and procedures should be developed and implemented for teleworking activities.
4.9 IS acquisition, development and maintenance (ISO Clause 12)
In the ISO standard this clause consists of the following security categories:
4.9.1 Security requirements of information systems
4.9.2 Correct processing in applications
4.9.3 Cryptographic security measures
4.9.4 Security of system files
4.9.5 Security in development and support processes
4.9.6 Technical vulnerability management.
4.9.1 Security requirements of information systems
This security category has not been retained, as it involves security specifications for specific projects and goes into too much detail.
Security requirements analysis and specification
Statements of business requirements for new information systems, or enhancements to existing information systems, should specify the requirements for security measures.
4.9.2 Correct processing in applications
The objective of this security category is to prevent errors, loss, unauthorized modifications or misuse of information in applications.
Input data validation
Data input to applications should be validated to ensure that this data is correct and appropriate.
Control of internal processing
Validation checks should be incorporated into applications to detect any corruption of information through processing errors or deliberate acts.
Message integrity
Requirements for ensuring authenticity and protecting message integrity in applications should be identified, and appropriate security measures identified and implemented.
Output data validation
Data output from an application should be validated to ensure that the processing of stored information is correct and appropriate to the circumstances.
4.9.3 Cryptographic security measures
This security category has not been retained, as cryptographic issues are sufficiently covered by security category 4.7.8 (Exchange of information).
4.9.4 Security of system files
This security category has not been retained, as configuration and change management issues are sufficiently covered by security category 4.7.1 (Operational procedures and responsibilities).
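The "Correct processing in applications" category (4.9.2) lists input data validation and message integrity as separate controls, and the questionnaire's Q087 gives SSL peer authentication or an application-level checksum as examples of the latter. The example below, added here and not taken from the ISSeG project, shows why the two controls are distinct: a receiver first checks an HMAC over the message (authenticity and integrity), then validates every field against explicit rules (validity). A message that is genuinely from the partner can still carry a path-traversal job name or an out-of-range value, and a valid-looking message can be a replay. The message format, field rules, shared key and sample messages are assumptions made for this illustration.

```python
"""Message integrity check followed by strict input validation.

Added example for category 4.9.2; not ISSeG project code. The message
layout (canonical JSON body, newline, hex HMAC-SHA256), the field rules,
SHARED_KEY and the sample messages are constructed for this illustration.
"""
import hashlib
import hmac
import json
import re
import time

SHARED_KEY = b"example-shared-key-not-for-production"  # constructed
MAX_AGE_SECONDS = 300                                   # replay window (assumed)
_USER_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")       # POSIX-style account name
_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")        # no "/" so no path traversal
EXPECTED_FIELDS = {"user", "job", "cpu_hours", "ts"}


class RejectedMessage(ValueError):
    """Raised with a reason whenever the receiver refuses a message."""


def sign(body: bytes) -> str:
    return hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()


def build_message(fields: dict) -> bytes:
    """Sender side: canonical JSON so both sides MAC the same bytes."""
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return body + b"\n" + sign(body).encode()


def parse_message(raw: bytes, now: float = None) -> dict:
    """Receiver side: authenticate the bytes first, then validate the content."""
    now = time.time() if now is None else now
    body, sep, mac = raw.rpartition(b"\n")
    # 1. Message integrity / authenticity (constant-time comparison).
    if not sep or not hmac.compare_digest(sign(body).encode(), mac):
        raise RejectedMessage("bad or missing MAC")
    # 2. Input data validation: structure, then each field's type and range.
    try:
        fields = json.loads(body)
    except ValueError:
        raise RejectedMessage("body is not valid JSON") from None
    if not isinstance(fields, dict) or set(fields) != EXPECTED_FIELDS:
        raise RejectedMessage("unexpected field set")
    user, job = fields["user"], fields["job"]
    cpu, ts = fields["cpu_hours"], fields["ts"]
    if not (isinstance(user, str) and _USER_RE.match(user)):
        raise RejectedMessage("invalid user")
    if not (isinstance(job, str) and _NAME_RE.match(job)):
        raise RejectedMessage("invalid job name")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if not (isinstance(cpu, int) and not isinstance(cpu, bool) and 1 <= cpu <= 10_000):
        raise RejectedMessage("cpu_hours out of range")
    if not (isinstance(ts, (int, float)) and abs(now - ts) <= MAX_AGE_SECONDS):
        raise RejectedMessage("timestamp outside acceptance window")
    # Only validated values leave this function; the timestamp is consumed here.
    return {"user": user, "job": job, "cpu_hours": cpu}


def classify(raw: bytes, now: float) -> str:
    """Convenience wrapper returning 'accepted' or the rejection reason."""
    try:
        parse_message(raw, now)
        return "accepted"
    except RejectedMessage as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    now = time.time()
    good = build_message({"user": "alice", "job": "sim-42", "cpu_hours": 12, "ts": now})
    print(classify(good, now))
    # Signed by the partner, but the job name would escape a spool directory.
    bad = build_message({"user": "alice", "job": "../etc/passwd", "cpu_hours": 1, "ts": now})
    print(classify(bad, now))
    # Field altered in transit: the MAC no longer matches.
    print(classify(good.replace(b'"cpu_hours":12', b'"cpu_hours":9999'), now))
```

Order matters: verifying the MAC before parsing keeps an unauthenticated party from exercising the JSON parser and the validators at all, and validating after the MAC keeps an authenticated but careless (or compromised) partner from feeding the application values it was never designed to process.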
4.9.5 Security in development and support processes
This security category has not been retained, as it is for the most part already covered elsewhere, in particular by security category 4.7.1 (Operational procedures and responsibilities) regarding change management and the separation of environments, and by security category 4.9.2 (Correct processing in applications) regarding secure programming practices.
4.9.6 Technical vulnerability management
The objective of this security category is to reduce risks resulting from exploitation of published technical vulnerabilities.
Control of technical vulnerabilities
Timely information about technical vulnerabilities of the information systems being used should be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.
4.10 Information security incident management (ISO Clause 13)
In the ISO standard this clause includes the following security categories:
4.10.1 Reporting information security events and weaknesses
4.10.2 Management of information security incidents and improvements
4.10.1 Reporting information security events and weaknesses
The objective of this security category is to ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken.
Reporting security weaknesses
All employees, contractors and third party users of information systems and services should be required to note and report any observed or suspected security weaknesses in systems or services.
4.10.2 Management of information security incidents and improvements
The objective of this security category is to ensure a consistent and effective approach is applied to the management of information security incidents.
Learning from information security incidents
There should be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored.
4.11 Business continuity management (ISO Clause 14)
In the ISO standard, this clause consists of the following security category:
4.11.1 Information security aspects of business continuity management
4.11.1 Information security aspects of business continuity management
This security category has not been retained, as continuity is not considered a high priority for this questionnaire.
4.12 Compliance (ISO Clause 15)
In the ISO standard, this clause consists of the following security categories:
4.12.1 Compliance with legal requirements
4.12.2 Compliance with security policies and standards, and technical compliance
4.12.3 Information systems audit considerations
4.12.1 Compliance with legal requirements
The objective of this security category is to avoid breaches of any law, statutory, regulatory or contractual obligations, and of any security requirements.
Intellectual property rights (IPR)
Appropriate procedures should be implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights, and on the use of proprietary software products.
Protection of organizational records
Important records should be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements.
Data protection and privacy of personal information
Data protection and privacy should be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses.
Prevention of misuse of information processing facilities
Users should be deterred from using information processing facilities for unauthorized purposes.
4.12.2 Compliance with security policies and standards, and technical compliance
This security category has not been retained, as it involves policy reviews and audits, which are sufficiently covered by other parts of the questionnaire, in particular by category 4.2.3 (Review of the information security policy).
4.12.3 Information systems audit considerations
This security category has not been retained, as audit considerations are sufficiently well covered elsewhere, in particular by security categories 4.7.10 (Monitoring) and 4.10.2 (Management of information security incidents and improvements).
5 The methodology for security auditing of new sites within the ISSeG project
The methodology, as well as the questionnaire that supports it, builds upon the top threats, categorizations and security requirements provided by D. [R1]. The questionnaire itself was developed during the site assessments of the three partners of the ISSeG project, within D.3r [R4]. It was also reviewed by a wider multi-disciplinary group for feedback, using the project's connections with EGEE's Operational Security Coordination Team (OSCT) and Joint Security Policy Group (JSPG). The security assessment questionnaire identifies the top threats for a given site as well as the weakest security controls. These can subsequently be linked to recommendations on the ISSeG website www.isseg.eu for threat mitigation.
6 References
[R1] Deliverable D. Comparative analysis of user community's requirements, ISSeG EU Project no: 06745
[R2] NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
[R3] ISO/IEC 27002:2005 (formerly ISO/IEC 17799:2005), Information technology. Security techniques. Code of practice for information security management, http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=5097
[R4] Deliverable D.3r Comparative Auditing report (restricted), ISSeG EU Project no: 06745
A1 Acronyms and Abbreviations
CERN: European Organization for Nuclear Research
EGEE: Enabling Grids for E-sciencE
FZK: Forschungszentrum Karlsruhe (Research Centre Karlsruhe)
ISO: International Organization for Standardization
ISSeG: Integrated Site Security for Grids
JSPG: Joint Security Policy Group
NIST: National Institute of Standards and Technology
OSCT: Operational Security Coordination Team
STFC: Science and Technology Facilities Council
A glossary of information security terms related to the ISSeG project is available from the Security Terms section of www.isseg.eu.
A2 Security questionnaire example
The questionnaire has been filled in with example answers below. The example answers have been used to calculate the top threats listed after the questionnaire. The online version of this questionnaire can be downloaded from www.isseg.eu.
Each entry gives the question id, the question, the example answer where one is recorded, and any comment.
PART 1: Security requirement identification
Q001 What is the criticality of your desktop computers (Windows/Linux, Mac)? Comment: Default answer proposed by ISSeG.
Q002 What is the criticality of your network (LAN, WAN)? Answer: 3. Comment: Default answer proposed by ISSeG.
Q003 What is the criticality of your backup facilities? Comment: Default answer proposed by ISSeG.
Q004 What is the criticality of your office servers (file and print)? Answer: 3. Comment: Default answer proposed by ISSeG.
Q005 What is the criticality of your application servers? Answer: 3. Comment: Default answer proposed by ISSeG.
Q006 What is the criticality of your centralized authentication/authorization service? Answer: 3. Comment: Default answer proposed by ISSeG.
Q007 What is the criticality of your Grid resources? Answer: 3. Comment: Default answer proposed by ISSeG.
Q008 Do you have expensive and/or dangerous equipment on site (such as a particle accelerator)? Answer: 3.
Q009 Does your site provide services across the Internet (e.g. Web servers hosted in an on-site DMZ)? Answer: 3.
Q010 Do you have a local e-mail service (i.e. one or more mail servers on site, or managed by site personnel)? Answer: 3.
Q011 Do you store critical data (i.e. with specific confidentiality and/or integrity requirements) on site?
Q012 Do you exchange critical data with external parties? Answer: 3.
Q013 Do you provide services with high availability requirements? Answer: 3.
Q014 Do you allow visitors to access internal resources?
Q015 Do you support accessing internal resources from external networks?
Q016 Do you have a centralized backup service on site? Answer: 3.
PART 2: Security measure implementation and effectiveness assessment
Q017 Does your organization have an information security policy document?
Q018 Is the information security policy reviewed and approved by management? (Management shall be understood here as the organization's primary mission management, not only as IT management.)
Q019 Is the information security policy published and communicated to all employees and relevant external parties?
Q020 Does the information security policy cover the following topics?
- Security organization/roles and responsibilities
- Human resources
- Asset management
- Physical & environmental security
- Access control
- Communications and operation
- Application development & maintenance
- Organization activity continuity
- Compliance with legal requirements
- Incident management
Q021 Is the information security policy reviewed at planned intervals?
Q022 Is the information security policy reviewed if significant changes occur?
Q023 Is there any indicator to reflect the information security policy's adequacy and effectiveness, including risk analysis and incident statistics?
Q024 Are all information security responsibilities clearly defined for each specific role?
- Security officers
- Managers
- IT operation and development teams
- Users
- Contractors and partners
Q025 Does your organization identify and regularly review requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information?
Q026 Do users sign an appropriate confidentiality or non-disclosure agreement?
Q027 Are internal security committees involving security officers and IT teams periodically organized in order to manage security issues?
Q028 Are the security officer(s) and IT teams regularly in contact with external security communities (public security forums, security teams from other academic sites, professional associations, ...)?
Q029 Are all assets clearly identified, and is an inventory of all important assets, including information and processing/communication facilities, drawn up and maintained?
Q030 Are the security requirements of important assets clearly identified and quantified? (e.g. financial impact of equipment unavailability, legal impact of breach of confidentiality, or of lack of accountability)
Q031 Are all information and assets associated with information processing facilities owned by a designated part of the organization?
Q032 Is the owner accountable for the security of assets?
Q033 Are rules for the acceptable use of information and assets associated with information processing facilities identified, documented and implemented?
Q034 Is information classified in terms of its value, legal requirements, sensitivity, and criticality to the organization?
Q035 Has an appropriate set of procedures for information labelling and handling been developed and implemented in accordance with the classification scheme adopted by the organization?
Q036 As part of their contractual obligation, do employees, contractors and third party users agree and sign the terms and conditions of their employment contract, which should state their and the organization's responsibilities for information security?
Q037 Do all employees of the organization and, where relevant, contractors and third party users receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function?
Q038 Are the access rights of all employees, contractors and third party users to information and information processing facilities removed upon termination of their employment, contract or agreement, or adjusted upon change?
Q039 Are security perimeters (barriers such as walls, card-controlled entry gates or manned reception desks) used to protect areas that contain information and information processing facilities?
Q040 Are secure areas protected by appropriate entry controls to ensure that only authorized personnel are allowed access?
Q041 Have physical protection and guidelines for working in secure areas been designed and applied? Answer: 0.
Q042 Is important IT equipment (servers, network devices, ...) protected from power failures and other disruptions caused by failures in supporting facilities?
Q043 Are all items of equipment containing storage media checked to ensure that any sensitive data and licensed software has been removed or securely overwritten prior to disposal?
Q044 Are operating procedures (system shutdown, startup/recovery, job execution, backup, ...) documented, maintained, and made available to all users who need them?
Q045 Are changes to operational systems and software applications controlled?
- Identification and recording of changes
- Impact assessment
- Planning and testing of changes
- Formal approval procedure for proposed changes
- Communication of change details to relevant persons
- Fallback procedures
Q046 Are development, test, and operational facilities separated to reduce the risks of unauthorized access or changes to the operational system?
Q047 Is the use of resources monitored and tuned, and are projections made of future capacity requirements to ensure the required system performance?
Q048 Are all Windows PCs connected to the organization's network protected by an antivirus system, including an auto-update feature?
Q049 Is there a configuration management tool tracking antivirus versions of PCs connected to the network?
Q050 Do mobile users have a way to update their antivirus when connected to external networks?
Q051 Do users receive appropriate awareness training regarding the dangers and propagation means of malicious code?
Q052 Is there a process in place to prevent or control the installation of private software copies?
Other answers on this page: 0 0
Q053 Where the use of mobile code is authorized, does the configuration ensure that the authorized mobile code operates according to a clearly defined security policy? Answer: 0.
Q054 Is unauthorized mobile code prevented from executing?
Q055 Are incoming SMTP gateways equipped with antivirus systems? Answer: 3.
Q056 Are all connections with external networks protected by a firewall? Answer: 3.
Q057 Are the authorized inbound connections clearly identified and inventoried (protocols, source/destination IP)?
Q058 Are all authorized inbound connections from the Internet or any insecure network relayed by a proxy hosted in a network DMZ, especially for HTTP, FTP and SMTP traffic?
Q059 Are there procedures, tools, and resources to analyze network data passing the firewall on a regular basis?
Q060 Are the firewall configurations regularly reviewed and updated?
Q061 Is there a network management tool to monitor network devices?
Q062 Is network traffic monitored, including statistics about bandwidth, top protocol bandwidth consumers, and top IP bandwidth consumers?
Q063 Do local networks include RTC/ADSL modems or WiFi access points not protected by a firewall and a strong encryption and/or authentication mechanism? Answer: 3.
Q064 Are the network devices well protected in terms of physical access (equipment room with restricted access) and network access (strong passwords, ...)?
Q065 Does the network implementation deter users from intercepting data in transit, for example by using dedicated switch ports for network connections, VLANs, etc.?
Q066 Have formal exchange policies, procedures, and controls been established to protect the exchange of information through the use of various communication facilities? (written correspondence, fax machines, information in transit, printing of confidential documents)
Q067 Are agreements established for the exchange of information and software between the organization and external parties (e.g. non-disclosure, protection of confidential information)?
Q068 Does the e-mail system have digital signature capability (including attachments), and are users informed of this? Answer: 3.
Q069 Does the e-mail system have digital encryption capability (including attachments), and are users informed of this?
Q070 Is the integrity of information being made available on publicly available systems protected to prevent unauthorized modification (e.g. using digital signatures)? Answer: 0.
Q071 Are publicly accessible systems hardened and tested against weaknesses and failures prior to information being made available?
Q072 Are audit logs recording user activities, exceptions, and information security events produced and kept for an agreed period to assist in future investigations and access control monitoring?
Q073 Have procedures for monitoring use of information processing facilities been established and the results of the monitoring activities reviewed regularly?
- Privileged operations (system shutdown, I/O devices, ...)
- Unauthorized access attempts (rejected actions, policy violations, IDS alerts, ...)
Q074 Are the sensitive network areas (DMZ, data centres) monitored by Network Intrusion Detection Systems?
Q075 Are logging facilities and log information protected against tampering and unauthorized access?
- Editing log files
- Altering message types
- Failure to log events due to saturation of log file media
Q076 Are system administrator and system operator activities logged?
Q077 Has an access control policy been established, documented, and reviewed based on functional and security requirements for access?
Q078 Is there a formal user registration and de-registration procedure in place for granting and revoking access to all information systems and services? Answer: 3.
Q079 Are the allocation and use of privileges restricted and controlled?
Q080 Is the allocation of passwords controlled through a formal management process?
Q081 Are users required to follow good security practices in the selection and use of passwords?
Q082 Do users ensure that unattended equipment has appropriate protection?
Q083 Are users only provided with access to the services that they have been specifically authorized to use? Answer: 0.
Q084 Are appropriate authentication methods used to control access by remote users? Answer: 3.
Q085 Is there a formal policy in place, and have appropriate security measures been adopted, to protect against the risks of using mobile computing and communication facilities (wireless network connections)?
Q086 Have a policy, operational plans and procedures been developed and implemented for teleworking activities requiring remote network access?
Q087 Do applications using external data as input have suitable data integrity and authenticity check mechanisms implemented? (examples: SSL for peer authentication, protocol- or application-level checksum, ...)
Q088 For custom applications (home-made or developed by a contractor), do technical specifications commonly include basic security features like logging, exception management, access control and input data validation?
Q089 Is there a formal integration/qualification process followed before moving any application to production?
Q090 Are requirements for ensuring authenticity and protecting message integrity in applications identified, and appropriate security measures identified and implemented?
Q091 Is data output from an application validated to ensure that the processing of stored information is correct and appropriate to the circumstances?
Q092 Are there procedures and resources to keep the organization informed about new technical vulnerabilities, and to evaluate the exposure to such vulnerabilities?
Q093 Is there a procedure for tracking and implementing new security patches?
Q094 Are there procedures in place for reporting information security events through appropriate management channels? Answer: 3.
Q095 Are all employees, contractors and third party users of information systems and services required to note and report any observed or suspected security weaknesses in systems or services? Answer: 0.
Q096 Have management responsibilities and procedures been established to handle information security events and weaknesses effectively once they have been reported?
Q097 In addition to the reporting of security events, is the monitoring of systems, alerts, and vulnerabilities used to detect information security incidents?
Other answers on this page: 0 0 0
Q098 Is there a process in place to quantify and monitor the types, volumes, and costs of information security incidents that have been detected or reported?
Q099 Is there a continual improvement process in place in response to recurring and/or high-impact incidents?
Q100 Have appropriate procedures been implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights, and on the use of proprietary software products?
Q101 Are important records categorized into record types (e.g. accounting records, database records, transaction logs, audit logs, operational procedures), each with details of retention periods and type of storage media (e.g. paper, microfiche, magnetic, optical)?
Q102 Have appropriate guidelines and procedures been issued regarding the retention, storage, handling, and disposal of records and information, to protect them from loss, destruction, and falsification?
Q103 Has an organizational data protection and privacy policy been developed and implemented regarding personal information, as required in relevant legislation, regulations, and, if applicable, contractual clauses?
Q104 Is the data protection and privacy policy communicated to all persons involved in the processing of personal information?
Q105 Do all persons involved in the handling of personal information receive appropriate guidance and awareness training regarding data protection principles?
Q106 Is there a policy approved by management regarding the acceptable use of information processing facilities?
Q107 Are users deterred from using information processing facilities for unauthorized purposes?
Other answers on this page: 0 3 0 3
A2.1 Top threat identification (resulting from the above answers)
Risk level and required action:
HIGH: immediate actions required
MEDIUM: actions have to be planned
LOW: no immediate action required
107 questions / 107 answered / 0 unanswered ("unknown" marks a missing answer)
Impact and likelihood are scored on a 0-3 scale, the risk level on a 0-9 scale. Threats are listed in decreasing order of risk level.
Id | Threat description | Impact | Likelihood | Risk level
T07 | Exploiting software vulnerabilities | ,7 | ,8 | 5,0
T3 | Software alteration (time bomb, worm, trojan, virus, ...) | ,8 | ,8 | 4,9
T4 | Absent/insufficient staff | ,7 | ,4 | 3,8
T5 | Users lacking guidance | ,8 | ,4 | 3,8
T0 | Password compromising | ,7 | ,4 | 3,6
T06 | Fraudulent connection | ,7 | ,3 | 3,6
T | Saturation of resources (intentional - denial of service) | , | ,7 | 3,5
T8 | Intentional abuse of access rights | ,7 | ,3 | 3,5
T0 | Faulty access rights management | ,7 | ,3 | 3,5
T | Environmental, power or network supply failure | ,6 | ,9 | ,9
T04 | Intrusion (unauthorized network access) | ,7 | ,0 | ,7
T6 | Use of insecure/unauthorized software | ,6 | ,6 | ,5
T7 | Lack of security awareness or job training | ,8 | ,4 | ,5
T8 | Hardware malfunction | ,4 | ,8 | ,5
T03 | Intrusion (by scanning techniques) | ,7 | 0,9 | ,5
T0 | Network failure (cabling, network device, ...) | ,3 | ,9 | ,5
T7 | Hardware failure (computer, storage device, network equipment, ...) | ,4 | ,8 | ,4
T08 | Fraudulent use of systems (misappropriation, ...) | ,0 | , | ,4
T | Saturation of resources (accidental) | ,8 | ,3 | ,3
T6 | Data entry or utilization error | ,3 | ,7 | ,
T9 | Software malfunction | ,3 | ,5 | ,9
T09 | Repudiation (system usage) | ,5 | , | ,8
T05 | Data interception techniques (sniffing/man in the middle attacks, ...) | ,3 | , | ,5
T35 | Insufficient building access control | 0,7 | ,7 | ,
T5 | Propagation of false or misleading information | 0,8 | ,4 | ,
T9 | Dissemination of information (fraudulent) | 0,7 | ,5 | ,0
T33 | Usurpation of rights through masquerading | 0,6 | ,5 | 0,9
T0 | Repudiation (sending/receiving of data) | 0,6 | ,4 | 0,9
T30 | Dissemination of information (accidental) | 0,5 | ,4 | 0,7
T34 | Extreme conditions (cold, heat, humidity, ...) | 0,4 | ,7 | 0,6
T3 | Theft of fixed equipment | 0, | ,9 | 0,4
T3 | Software or data pirating | 0, | ,4 | 0,3
T4 | Theft of mobile equipment or media | 0, | ,9 | 0,
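The table above is the output side of the method: each threat gets an impact and a likelihood on a 0-3 scale, a risk level on a 0-9 scale, and a HIGH/MEDIUM/LOW band, and the abstract says the same answers also yield the list of weak or missing controls. The following is an added worked example of that scoring, not the ISSeG calculation engine. The document does not publish its question-to-threat mapping, its aggregation rule or its band thresholds, so the ones used here are assumptions: impact is the mean criticality (PART 1) of the assets a threat affects, likelihood is 3 minus the mean effectiveness (PART 2) of the controls that mitigate it, risk is impact times likelihood, and the bands are 6 and above HIGH, 3 and above MEDIUM. Unanswered ("unknown") questions are scored worst-case. The threat names come from the table; the question ids are the questionnaire's, but their assignment to threats and the answer set are constructed for this illustration.

```python
"""Questionnaire answers -> weak controls + prioritised threat list.

Added example for appendix A2.1; not the ISSeG scoring code. THREATS (the
question-to-threat mapping), ANSWERS, the aggregation rule and the band
thresholds are assumptions made for this illustration.
"""
from statistics import fmean

HIGH_THRESHOLD = 6.0    # assumed band limits, not the ISSeG values
MEDIUM_THRESHOLD = 3.0

# impact_q: PART 1 criticality questions (0-3) for the assets the threat hits
# control_q: PART 2 control questions (0-3) that lower the threat's likelihood
THREATS = {
    "T07 Exploiting software vulnerabilities": {
        "impact_q": ["Q005", "Q007", "Q009"],
        "control_q": ["Q092", "Q093", "Q071"],
    },
    "Password compromising": {
        "impact_q": ["Q006"],
        "control_q": ["Q080", "Q081", "Q084"],
    },
    "T04 Intrusion (unauthorized network access)": {
        "impact_q": ["Q002", "Q009"],
        "control_q": ["Q056", "Q057", "Q060", "Q084"],
    },
    "Theft of mobile equipment or media": {
        "impact_q": ["Q001"],
        "control_q": ["Q085", "Q043"],
    },
}

# Constructed answer set; None stands for an "unknown" (missing) answer.
ANSWERS = {
    "Q001": 1, "Q002": 3, "Q005": 3, "Q006": 3, "Q007": 3, "Q009": 3,
    "Q043": 2, "Q056": 3, "Q057": 1, "Q060": 1, "Q071": 1,
    "Q080": 2, "Q081": 2, "Q084": 3, "Q085": 2, "Q092": 1, "Q093": 1,
}


def band(risk: float) -> str:
    if risk >= HIGH_THRESHOLD:
        return "HIGH"
    if risk >= MEDIUM_THRESHOLD:
        return "MEDIUM"
    return "LOW"


def _mean_answer(qids, answers, default):
    """Mean of the known answers; `default` if every answer is unknown."""
    known = [answers[q] for q in qids if answers.get(q) is not None]
    return fmean(known) if known else default


def score_threats(threats: dict, answers: dict) -> list:
    """Return one row per threat, sorted by decreasing risk level."""
    rows = []
    for name, m in threats.items():
        impact = _mean_answer(m["impact_q"], answers, default=3.0)   # unknown: critical
        control = _mean_answer(m["control_q"], answers, default=0.0)  # unknown: absent
        likelihood = 3.0 - control
        risk = impact * likelihood                                    # computed unrounded
        rows.append({
            "threat": name,
            "impact": round(impact, 1),
            "likelihood": round(likelihood, 1),
            "risk": round(risk, 1),
            "level": band(risk),
        })
    rows.sort(key=lambda r: r["risk"], reverse=True)
    return rows


def weak_controls(threats: dict, answers: dict, max_answer: int = 1) -> list:
    """The method's other output: control questions answered at or below max_answer."""
    qids = sorted({q for m in threats.values() for q in m["control_q"]})
    return [q for q in qids if answers.get(q) is not None and answers[q] <= max_answer]


if __name__ == "__main__":
    for row in score_threats(THREATS, ANSWERS):
        print(f'{row["level"]:6} {row["risk"]:4} {row["threat"]}')
    print("weak/missing controls:", weak_controls(THREATS, ANSWERS))
```

Two points the real table also shows: the risk column is computed from unrounded impact and likelihood, so the displayed product can differ from the product of the displayed values by a tenth; and an unanswered control question pushes a threat towards HIGH rather than dropping out, which is the safe default for a questionnaire that feeds a remediation plan.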
A3 Summary of the ISO standard's security clauses and categories
The following list is a summary of the security clauses and categories provided in the ISO/IEC 17799:2005 standard. Security clauses not retained for the questionnaire are greyed out.
Clause 5 Security policy: 5.1 Information security policy
Clause 6 Organization of information security: 6.1 Internal organization; 6.2 External parties
Clause 7 Asset management: 7.1 Responsibility for assets; 7.2 Information classification
Clause 8 Human resources security: 8.1 Prior to employment; 8.2 During employment; 8.3 Termination or change of employment
Clause 9 Physical and environmental security: 9.1 Secure areas; 9.2 Equipment security
Clause 10 Communications and operations: 10.1 Operational procedures and responsibilities; 10.2 Third party service delivery management; 10.3 System planning and acceptance; 10.4 Protection against malicious and mobile code; 10.5 Backup; 10.6 Network security management; 10.7 Media handling (not retained); 10.8 Exchange of information; 10.9 Publicly available information (originally Electronic commerce services); 10.10 Monitoring
Clause 11 Access control: 11.1 Business requirements for access control; 11.2 User access management; 11.3 User responsibilities; 11.4 Network access controls; 11.5 Operating system access control; 11.6 Application and information access control; 11.7 Mobile computing and teleworking
Clause 12 IS acquisition, development and maintenance: 12.1 Security requirements of information systems; 12.2 Correct processing in applications; 12.3 Cryptographic security measures; 12.4 Security of system files; 12.5 Security in development and support processes; 12.6 Technical vulnerability management
Clause 13 Information security incident management: 13.1 Reporting information security events and weaknesses; 13.2 Management of information security incidents and improvements
Clause 14 Business continuity management: 14.1 Information security aspects of business continuity management
Clause 15 Compliance: 15.1 Compliance with legal requirements; 15.2 Compliance with security policies and standards, and technical compliance; 15.3 Information systems audit considerations