SECURITY THROUGH PROCESS MANAGEMENT



Similar documents
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

University of Central Florida Class Specification Administrative and Professional. Information Security Officer

State of Vermont. Intrusion Detection and Prevention Policy. Date: Approved by: Tom Pelham Policy Number:

UTech Services Compliance, Auditing, Risk, and Security (CARS) Team Charter

Supplier Security Assessment Questionnaire

R345, Information Technology Resource Security 1

LogRhythm and HIPAA Compliance

SRA International Managed Information Systems Internal Audit Report

Systems Programmer/Analyst (12203) ( )

WHITEPAPER Complying with HIPAA LogRhythm and HIPAA Compliance

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

Information Technology Engineers Examination. Information Security Specialist Examination. (Level 4) Syllabus

PREPARED BY: AUDIT PROGRAM Author: Lance M. Turcato. APPROVED BY: Logical Security Operating Systems - Generic. Audit Date:

Why you need an Automated Asset Management Solution

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution

General HIPAA Implementation FAQ

Information Security Awareness Training and Phishing

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution

CISM (Certified Information Security Manager) Document version:

SUPPLIER SECURITY STANDARD

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

FISH AND WILDLIFE SERVICE INFORMATION RESOURCES MANAGEMENT. Chapter 7 Information Technology (IT) Security Program 270 FW 7 TABLE OF CONTENTS

AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM

This policy shall be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment.

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Wright State University Information Security

AUDIT REPORT WEB PORTAL SECURITY REVIEW FEBRUARY R. D. MacLEAN CITY AUDITOR

LogRhythm and NERC CIP Compliance

Standard: Information Security Incident Management

Business Case. for an. Information Security Awareness Program

Managing IT Security with Penetration Testing

KEY STEPS FOLLOWING A DATA BREACH

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

Data Center Assistance Group, Inc. DCAG Contact: Tom Bronack Phone: (718) Fax: (718)

Prepared by: OIC OF SOUTH FLORIDA. May 2013

Title: DISASTER RECOVERY/ MAJOR OUTAGE COMMUNICATION PLAN

HIPAA COMPLIANCE PLAN. For. CHARLES RETINA INSTITUTE (Practice Name)

Knowledge Base Data Warehouse Methodology

IT Risk & Security Specialist Position Description

Question: 1 Which of the following should be the FIRST step in developing an information security plan?

CA Process Automation for System z 3.1

II. Supports the department in implementing the strategy established by management.

TOP 10 WAYS TO ADDRESS PCI DSS COMPLIANCE. ebook Series

How does IBM deliver cloud security? An IBM paper covering SmartCloud Services 1

SECURITY AND PRIVACY ISSUES IN A KNOWLEDGE MANAGEMENT SYSTEM

FEDERAL FAMILY EDUCATION LOAN PROGRAM (FFELP) SYSTEM

How To Audit The Mint'S Information Technology

BlackBerry Mobile Voice System

ACCESS RIGHTS MANAGEMENT Securing Assets for the Financial Services Sector

A Performance Audit of the State s Purchasing Card Program

How To Manage Information Security At A University

CHIEF POSTAL INSPECTOR. Management Alert Watch Desk Notifications (Report Number HR-MA )

INFORMATION SYSTEMS ANALYST III

Information Technology Operational Audit DEPARTMENT OF STATE. Florida Voter Registration System (FVRS) Report No July 2015

CITY UNIVERSITY OF HONG KONG. Information System Acquisition, PUBLIC Development and Maintenance Standard

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Provide access control with innovative solutions from IBM.

Best Practices for Building a Security Operations Center

Payment Card Industry Data Security Standard

Contents QUALIFICATIONS PACK - OCCUPATIONAL STANDARDS FOR TELECOM INDUSTRY. Introduction. Qualifications Pack- Telecom Network Security Technician

OCCUPATIONAL GROUP: Information Technology. CLASS FAMILY: Security CLASS FAMILY DESCRIPTION:

Data Security Incident Response Plan. [Insert Organization Name]

INFORMATION TECHNOLOGY POLICY

Organizational Issues of Implementing Intrusion Detection Systems (IDS) Shayne Pitcock, CISSP First Data Corporation

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL

MONITORING AND VULNERABILITY MANAGEMENT PCI COMPLIANCE JUNE 2014

i-pcgrid Workshop 2015 Cyber Security for Substation Automation The Jagged Line between Utility and Vendors

Infrastructure Information Security Assurance (ISA) Process

933 COMPUTER NETWORK/SERVER SECURITY POLICY

System Security Plan University of Texas Health Science Center School of Public Health

Exhibit to Data Center Services Service Component Provider Master Services Agreement

OVERVIEW. In all, this report makes recommendations in 14 areas, such as. Page iii

CENG Information Technology Services University of North Texas

REQUEST FOR PROPOSAL-INFORMATION TECHNOLOGY SUPPORT SERVICES

How To Manage Security On A Networked Computer System

Managing a 24x7x365 Support Center and Network Engineering for a Government Agency QUICK FACTS

Software Development Processes

PCI Solution for Retail: Addressing Compliance and Security Best Practices

Attachment A. Identification of Risks/Cybersecurity Governance

Unit Specific Questions Administrative

Feature. Log Management: A Pragmatic Approach to PCI DSS

HIPAA: Compliance Essentials

Security. Tiffany Trent-Abram VP, Global Product Management. November 6 th, One Connection - A World of Opportunities

Copyright 2014 Carnegie Mellon University The Cyber Resilience Review is based on the Cyber Resilience Evaluation Method and the CERT Resilience

II. Compliance Examinations - Compliance Management System. Compliance Management System. Introduction. Board of Directors and Management Oversight

APHIS INTERNET USE AND SECURITY POLICY

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Musina Local Municipality. Information and Communication Technology User Account Management Policy -Draft-

Functional Area 3. Skill Level 301: Applications Systems Analysis and Programming Supervisor (Mercer 1998 Job 011)

Transcription:

SECURITY THROUGH PROCESS MANAGEMENT Jennifer L. Bayuk Price Waterhouse, LLP Headquarters Plaza North Morristown, NJ 07962 jennifer_bayuk@notes.pw.com Overview This paper describes the security management process which must be in place to implement security controls. An effective security management process comprises six subprocesses: policy, awareness, access, monitoring, compliance, and strategy. management relies on policy to dictate organizational standards with respect to security. Without policy, no person in the organization is responsible for securing information or is accountable for not having done so. A fundamental component of security management is a process for the production of security policy. However, the resulting policy has value only if it is followed. A person who is not aware of an information security policy is not necessarily accountable for violating it. In the case of a system administrator configuring system security, ignorance of policy certainly provides an excuse to use personal judgment. Effective security management relies on an awareness process to provide accountability. The policy process dictates what must be done to provide an acceptable level of assurance that systems are secure. The awareness process ensures that people know what must be done. To achieve assurance that policy is being followed uniformly throughout the organization, security management must also address how policy is to be realized. How-to solutions are effected via access and monitoring processes. Access and monitoring processes constitute the daily operational activities of security management. They provide guidelines on how to securely configure information systems and how to recognize a security incident. Once a security incident has been recognized, a security management process requires methods to ensure that known security vulnerabilities are closed and open security issues are resolved. These methods are part of a compliance process. In addition, foresighted security management will include a strategy process to ensure that security management stays abreast of changes in the information technology environment which it seeks to secure. Hence, an effective security management process comprises six subprocesses: Policy Awareness Access Monitoring Compliance Strategy

The Policy Process A security policy is needed to establish a framework for the development of security procedures and practices. It also provides a vehicle with which to communicate roles and responsibilities with respect to securing information. A policy framework should specify the minimum security standards to be applied to all information systems, and more stringent standards for systems which contain highly sensitive or proprietary data. A security policy should address the following: Scope of the policy, including the facilities, systems, and personnel to which it applies Objectives of the security management process and descriptions of subprocesses Accountability and responsibility for subprocesses at all levels of the organization Minimum requirements for the secure configuration of all systems within the scope Definition of violations and consequences of noncompliance A user statement of responsibility with respect to the information to which he or she is granted access A security policy is a dynamic document. Its design should be flexible to allow frequent updates as technology and/or management changes require. policy development is not a project with a beginning and an end. A security policy coordinator should have responsibility for maintaining a policy team which is knowledgeable in both security techniques and the target information systems operating environment. The team leader must maintain open communications channels between the policy team, the management team who approves the policy, and those to which the policy applies. An example security policy process is depicted in Figure 1. The Awareness Process Though security personnel are arguably the best source of information concerning an individual s responsibilities with respect to information security, there are usually not enough of them to explain those responsibilities to everyone who falls within the scope of information security policy. It is enough that each department within scope designate an individual as a security liaison. personnel should create a security awareness program that may be implemented by department liaisons. This program needs to be flexible, comprehensive, clearly communicated, and understandable by department liaisons. Minimum security requirements for system configuration may contain standards which apply to only a subset of the facilities or organizations within the scope of the policy. For example, a security policy dedicated to a PC LAN environment will not make sense to implement on an IBM Mainframe. Designating specific sections or appendices to apply only to specific platforms enables the security policy as a whole to apply equally to all facilities, systems, and personnel within its scope.

1 Identify assets to be secured 2 Identify organizations which perform security functions for those assets Form team Draft a one-page policy statement and high level outline of security requirements Policy Team Review and approve high level policy statement Executive & Senior N Approved? Y 8 5 Assign subteams for review of each section of policy document Policy Team 6 Draft policy document, revise as per changes in technology or organization Policy Team 7 Review and approve detailed policy document Executive & Senior N Approved? Y 9 Suggest policy changes Publish approved documents Anyone Figure 1: Example Policy Process

1 Develop a security Awareness program 2 Approve Awareness Program Develop or sponsor secrity training courses Provide mailing lists of employees and contractors by department Executive & Senior Human Resources 5 6 Identify department security liaison Identify candidates for security training 9 Execute Awareness Program 7 Publish periodic security status reports 8 Initiate Corrective action to improve security policy compliance Executive & Senior Figure 2: Example Awareness Process

The awareness program must clearly specify the actions required of employees and contractors and the seriousness of the actions that will be taken for non-compliance or violation of security policy. The awareness program should address the following key issues: Display high-level support Teach people how to obtain and comply with policy Point out the business risks in security policy violations Address the widest possible audience Allocate responsibility An effective security awareness process will have executive and senior management play a formal role in improving security awareness by endorsing the security awareness program and by setting high priorities for security compliance. It will be integrated with personnel hiring and contracting practices to ensure completeness of coverage. The expected level of participation is evident in the example of a security awareness process depicted in Figure 2. The Access Process A security access process helps ensure that access decisions are made in a controlled manner, and that information concerning access is securely communicated between those that have a need to know. An access process should address: Identification of those who require access Authorization procedures for system access Automatic authentication of those identified and authorized for access Separation of duties between authorization and authentication Separation of access environments for distinct job responsibilities Though security policy may dictate the details of how access should be administered, decisions concerning who should have access to production systems must rest solely with department managers responsible for the systems smooth operation. In many organizations, the department facilitates the actual creation and maintenance of access, but it may be performed by anyone as long as it is done in accordance with policy and a separation of duties between authorization and authentication is maintained. An example access process is depicted in Figure. The Monitoring Process monitoring is required to detect both unauthorized system access and attempts at unauthorized system access. Left unmonitored, unauthorized access attempts may become unauthorized access. A security monitoring process includes three basic activities: configuring system security profiles and frequently reviewing system security logs identifying the root cause of security alerts using the information derived from the first two activities to devise ever more meaningful system security profiles

1 Sign statement requesting access and affirming security policy 2 Create a repositiory for signed access request and policy awareness statements Create user groups & access strategy, approve requests according to strategy Create and maintain user access according to Policy User Human Resources 5 6 7 8 Create and enforce emergency access procedures for vendor access Notify when employee or contract terminates Human Resources Instruct to terminate user access due to change in status or other security reason Terminate access at request of Figure : Example Access Process

1 Create and maintain systems inventory 2 Select & approve security monitoring mechanisms for new systems & Monitor Alerts Forward critical & unresolved security alarms to 5 Monitor Alerts 6 Assist in resolving security alerts & Figure : Example Monitoring Process

1 2 Identify security vulnerability or security policy violation Anyone Enter issue in Tracking Database Assign and recieve department management acceptance of item accountability May vulnerability be closed with no service impact? Y N Fix vulnerability 5 Perform risk asssessment and develop plan to close vulnerability 6 Periodically review all risk acceptance statements Support efforts to close vulnerabilities Executive & Senior N Fixed? 7 Target sets of outstanding vulnerabilities for technology improvement Y 8 Record issue resolution in Tracking Database Figure 5: Example Compliance Process

monitoring is most cost-effective when merged with other monitoring processes such as performance or activity monitoring. However, where the root cause of a security alert cannot be determined or is determined to be a computer intrusion, system monitoring responsibilities should be shared with. should help ensure that all necessary operational and legal requirements for intrusion containment are met. should also track security alerts over time to determine if there are patterns. An example security monitoring process is depicted in Figure. The Compliance Process The extent to which there exists a formal compliance process is the extent to which security management efforts are effective in establishing a uniform level of security controls. Because compliance activities must be distributed among those who are responsible for the secure operation of information systems, departmental management must manage with reference to policies established by. However, there will be instances of non-compliance for many reasons, including: the technical architecture of a system does not support a required security function resources required to maintain compliance are unavailable a security incident reveals a security vulnerability which is not yet addressed by policy routine security audits or security reviews reveal previously unnoticed risks In any case, the instance of noncompliance must be: reported to the assigned to appropriate management supported by a risk acceptance until resolved The security compliance process must track all such security issues to ensure that steady progress is made toward their resolution. An example of a compliance process is depicted in Figure 5. The Strategy Process The security of information services is a reflection of the quality of information services. Developers of new products must recognize the strategic importance of integrating security mechanisms into the product itself. The security strategy process should aim to bring security expertise into long-range systems planning. The security strategy process may facilitate the integration of security into system design by: Developing risk assessment methods that quantify levels of operational risks in new products Contributing to business cases for including security mechanisms in architecture budgets Reviewing and testing new security features and products

1 Periodically review outstanding risk assessments 2 Maintain current knowledge of security tools, techniques, & best practices Periodically discuss possible new security strategies for new & existing services & Test security mechanisms for prototype services Figure 6: Example Strategy Process Policy Strategy Awareness Compliance Access Monitoring Figure 7: The Process

To facilitate the secure deployment of new and prototype services, the technical sophistication of the security department must equal that of the new service or prototype developer. must be an equal partner at every stage in the planning of services which require the use new technology. An example security strategy process is depicted in Figure 6. Summary This document describes the security management process which must be in place to implement security controls. The security management process includes six functions, each of which may be viewed as a distinct sub-process: Policy: to establish a framework for the development of organizational standards with respect to security Awareness: to educate those affected by security policy on their roles and responsibilities Access: to limit dissemination and modification of customer data and other sensitive information Monitoring: to detect policy violations and other security vulnerabilities Compliance: to track security issues and help ensure that resources facilitate the resolution of security issues Strategy: to meet the security challenges presented by new information technologies Taken together, these six processes form one high-level security management process, displayed in Figure 7.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information