CSE 4482 Computer Security Management: Assessment and Forensics
Instructor: N. Vlajic, Fall 2013
Management of Information Security



Required reading: Management of Information Security (MIS), by Whitman & Mattord Chapter 1, pages 8 – 15

Chapter 4, all pages

Chapter 5, pages 163 - 188

Learning Objectives Upon completion of this material, you should be able to:

• List the key managerial roles and the main types of managerial positions in an organization.

• Describe the POLC project management model.

• List and describe organizational/structural approaches to information security.

• Explain the difference between security policy, standard and procedure.

• List the different types of security policy that can be found in an organization.

Management: Definitions

• Management – process of achieving objectives using a given set of resources

• Manager – person assigned to handle the following roles necessary to achieve the desired objective(s)

informational role: collect, process, use and provide information that can affect the completion of the objective

interpersonal role: coordinate and interact with superiors, subordinates, outside stakeholders and other parties that influence or are influenced by the completion of the task

decisional role: select among alternative approaches and resolve conflicts, dilemmas or challenges

Examples: teacher, student, president, software developer

Management: Definitions (cont.)

http://education-portal.com/academy/lesson/decisional-roles-in-management-types-examples-definition.html

Example: 3 managerial role categories

Management: Definitions (cont.)

Example: Mintzberg’s 10 Managerial Roles

http://www.flatworldknowledge.com/node/28989#web-28989

interpersonal roles:

figurehead – represent the organization externally; formal head

leader – provide leadership to his/her group

liaison – interact with peers and people outside

informational roles:

monitor – receive and collect information

disseminator – disseminate special information into the organization/group

spokesperson – disseminate the organization’s information outside

decisional roles:

entrepreneur – initiate and plan change; take action to improve existing operation

disturbance handler – deal with problems & threats

resource allocator – decide where and how the organization’s resources will be allocated

negotiator – manage the organization’s/group’s main operation

Different managerial positions require a different balance of the 3/10 managerial roles:

at top-level managerial positions, interpersonal roles (e.g., figurehead & leader) are performed more often

at lower-level managerial positions, decisional roles (e.g. disturbance handler & negotiator) are performed more often

Management: Definitions (cont.)

Elementary Information Security, R. E. Smith, p. 580

Basic Management Functions

• Four key managerial functions / responsibilities, when dealing with a task, include (POLC model):

[Figure: POLC model, spanning strategy formulation and strategy implementation]

1) Planning: deciding what needs to happen in the future and generating adequate plans for action

strategic planning – occurs at the highest levels of organization and for a long period of time (5 or more years)

tactical planning – focuses on production planning and integrates organizational resources for an intermediate duration (1 – 5 years)

operational planning – focuses on day-to-day operations of local resources, and occurs in the present or the short term

Planning process begins with creation of strategic plan for entire organization/group. The resulting plan is then divided up into planning elements for each sub-unit.

In planning, goals and objectives must be adequately set.

goal – ultimate (end) result of a planning process

objective – intermediate point that allows us to measure progress towards the goal


Basic Management Functions (cont.)

Example: Strategic vs. tactical vs. operational plan.

Strategic plan: The company should be 100% immune to DDoS attacks.

Tactical plan: Four firewalls should be purchased and set up in the next year.

Operational plan: Identify the most problematic traffic and configure the firewalls accordingly.

Basic Management Functions (cont.)

2) Organizing: optimum structuring of resources to enable successful carrying out of the plan; may include

structuring of existing departments and their staff

(new) staffing

purchase and storage of raw materials

collection of additional/specialized information

3) Leading / Directing: determining what specific steps need to be done and getting people to do it; may include

developing direction and motivation for employees

supervising employee behavior, attendance, performance, attitude

Basic Management Functions (cont.)

4) Monitoring / Controlling: monitor progress towards achieving the goal and make necessary adjustments

ensure sufficient progress is made

ensure plan is adequately implemented

resolve any impediments to task/plan completion

acquire additional resources, when necessary

Should the plan be found invalid in light of the operational reality of the organization, the manager should take corrective actions.

Basic Management Functions (cont.)

Example: Control process

[Figure: plan – develop 100% secure cryptographic code; checkpoint – ‘beta version’ produced]

Information Security Management

• Three common groups of managers:

Non-technical General Business Managers – articulate and communicate organizational objectives and policy

IT Managers – support organization’s business objectives by supplying and supporting appropriate IT

Information Security Managers – protect organization’s information assets from many threats they face

Information Security Management

[Figure: overlapping groups of General Managers, IT Managers and Info Sec Managers]

Information Security management operates like all other management units, employing common management (POLC) methodology.

However, specific goals and objectives of Info. Sec. management differ from those of IT and general management.

Certain characteristics of Info. Sec. management are unique to this community!

Information Security Management (cont.)

• Goals of Info. Sec. vs. Goals of IT – not always in complete alignment; sometimes in conflict

IT professionals focus on:

cost of system creation & operation [ freeware vs. paid software ]

timeliness of system creation [ web server with no DMZ ]

ease of system use for the end user [ single-factor authentication ]

quality of system performance (speed, delay, …) [ no firewall ]

Info. Sec. professionals focus on:

protection of the organization’s information systems at whatever cost is necessary

Information Security Management (cont.)

Example: placing Information Security within an organization – Option 1


Information Security Management (cont.)

Most common organizational structure (in 50% of companies): Info. Sec. under (reports to & shares budget with) the IT department.

pros:

whoever the Info. Sec. manager reports to understands technological issues

security staff and IT staff collaborate on a day-to-day basis

there is only ‘one person’ between the Info. Sec. manager and the CEO

cons:

the CEO is likely to discriminate against the Info. Sec. function, as other IT objectives (e.g. computer performance ⇒ time to market) often take precedence

Information Security Management (cont.)

Example: placing Information Security within an organization – Option 2


Information Security Management (cont.)

Info. Sec. reports to Administrative Services Dep. – performs services for workers throughout the organization, much like HR.

pros:

acknowledges that info. and info. systems are found everywhere throughout the organization – all employees are expected to ‘work with’ Info. Sec. department

supports efforts to secure information no matter its form (paper, verbal, etc.) rather than viewing info. sec. function as strictly computer- & network- related issues

cons:

Administrative Services VP often does not know much about IT and Info. Sec. – may not be effective in communicating with CEO

often subject to cost-cutting measures

Information Security Management (cont.)

Example: placing Information Security within an organization – Option 3

Information Security Management (cont.)

Example: placing Information Security within an organization – Option 3 (cont.)

Info. Sec. reports to the Insurance & Risk Management Department. This approach typically involves assessing the extent/likelihood of potential losses in case of a weakened Info. Sec. function.

pros:

brings greater resources and management attention to Info. Sec.

Chief Risk Manager (CRM) is likely to be prevention oriented and adopt a longer-term viewpoint

cons:

CRMs are often not familiar with information system technology

may over-emphasize strategic issues, and overlook operational and administrative aspects of info. sec. (e.g. change of access privileges when people change jobs)

Information Security Management (cont.)

Example: Info. Sec. in different companies

Which of the three discussed organizational models would you deploy in which of the three companies?

Companies: Amazon, Hospital, IBM

Models:

Info. Sec. within IT

Info. Sec. within Risk Management

Info. Sec. within Admin. Services

When each model should be employed (match to the models above):

should be employed when the company’s revenues critically depend on the CIA of information – if information CIA gets jeopardized, the company loses money

should be employed in companies that may not worry about using the latest technology, but rather about properly securing existing data and whatever technology (info. infrastructure) is currently in place

should be employed in companies where it is critical to obtain/use the latest technology, and the bulk of work done by the Info. Sec. department is related to that (new) technology

Information Security Structure / Organization

IS Organization / Structure / Program

• Factors Impacting Info. Sec. Organization:

Organization Culture:

if upper management & staff believe that info. sec. is a waste of time and resources, the info. sec. program will remain small, poorly supported and have difficulty operating

Organization Size (and Budget):

large organizations tend to have larger information security programs; smaller organizations may have a single security administrator

Although the size of an organization determines the makeup of its information security program, certain basic functions should be found in every organization.

IS Organization / Structure / Program (cont.)

• Functions Related to Info. Sec. Program:

[Figure: diagram of Info. Sec. program functions; only the labels ‘software testing’ and ‘Op. Sys. Administr.’ survive in the transcript]

IS Organization / Structure / Program (cont.)

http://dcvizcayno.wordpress.com/2012/02/16/what-is-information-security-governance/

• Correlation between different Info. Sec. functions

[Figure: functions that deal with information and IT infrastructure ‘conceptually’ vs. ‘hands on’]

IS Organization / Structure / Program (cont.)

http://www.jirasekonsecurity.com/2011/10/security-model-business-oriented.html

IS Organization / Structure / Program (cont.)

• Security in Large Organizations – with more than 1000 devices requiring security management

functions performed by non-technology business units:

legal

training

functions performed by IT groups outside the Info. Sec. department:

systems/OS security administration

network security administration

centralized authentication

functions performed by the Info. Sec. department – technical:

risk management

systems testing

incident response planning

measurement

vulnerability assessment

IS Organization / Structure / Program (cont.)

functions performed by the Info. Sec. department – compliance enforcement obligation:

policy compliance / audit

risk assessment

performed by different people to avoid ‘conflict of interest’!!!

IS Organization / Structure / Program (cont.)

• Security in Mid- to Small-size Organizations – under 1000 devices

some of the identified functions are ignored, and multiple functions are assigned to the same group/person

More on different specific security roles later …

http://academy.delmar.edu/Courses/ITSY2430/Labs/SecurityPolicyQuiz.html

Example: Test your knowledge of security functions

IS Organization / Structure / Program (cont.)

Security Policy

Policy, Standard, Procedure

Example: Policy

http://www.yorku.ca/secretariat/policies/document.php?document=127

• Security Policy – foundation of an effective info. security system/program

What is it?

concise and easy-to-understand statement

defines a set of conditions that are critical for protecting the organization’s assets, and its ability to conduct business

defines security practices that management expects employees and other stakeholders to follow

Why do we need it?

helps organizations demonstrate their commitment to protecting their vital information assets

heightens security awareness of company personnel or third-party users/customers

Policy, Standard, Procedure (cont.)

Policy, Standard, Procedure (cont.)

To ensure effectiveness, failure to comply with a policy should imply disciplinary action.

Policies specify WHY something should be done, not WHAT exactly and HOW.

Although the least expensive security protection, policies are often the most difficult to implement/enforce.

Policy, Standard, Procedure (cont.)

Example: Organization without policy

Consider the scenario:

An employee (A) behaves inappropriately at the workplace by reading another employee’s email.

Another employee (B) is aggrieved by this behavior and sues the company. The company does not have a policy that prohibits such behavior, hence no action against offender (A) can be taken …

Nevertheless, the company may be legally obliged to protect the privacy of employee B.

The company loses the lawsuit, and lots of money …

Example: Policy that is hard to implement

“Employees are not allowed to take any IP-related documentation out of the company’s premises.”

Policy, Standard, Procedure (cont.)

http://mindfulsecurity.com/2009/02/03/policies-standards-and-guidelines/

Why?

What?

How?

Policy, Standard, Procedure (cont.)

http://christodonte.com/2009/05/relationship-between-a-policy-standard-guideline-and-procedure/

Policy, Standard, Procedure (cont.)

• Security Standard – more specific directives that are mandatory

describe how to comply with the policy

also an extension of the policy into the real world – specifies technology settings, platforms or behaviors

it is important to audit adherence to standards to ensure their implementation

• Security Procedure – specifies the actual steps of what needs to be done to comply with a standard

example:

specific instructions on how to download and install centrally managed antivirus software

Policy, Standard, Procedure (cont.)

Example: Policy vs. Standard vs. Procedure Many Info. Sec. departments have specific protocols for performing backups of server hard drives.

Policy: Describes the need for backups, for storage off-site, and for safeguarding the backup media.

Standard: Defines the software to be used to perform backups and how to configure this software (e.g. Acronis, SmartSync, etc.)

Procedure: Describes how to use the backup software, the timing for making backups, and other ways that humans interact with the backup system.

Policy, Standard, Procedure (cont.)

Example: Backup and Recovery Policy Why?

http://technology.iusm.iu.edu/security-policies-procedures-and-standards/backup-and-recovery-policy/

Policy, Standard, Procedure (cont.)

• Security Guideline – discretionary set of directions designed to achieve policy/security objectives

needed in complex & uncertain situations for which rigid standards cannot be specified

examples:

company might have a guideline that each new employee should have a background check

however, in an emergency, department head might be allowed to hire a person before a background check is completed

• Security Recommended Practices – set of policies / standards / procedures /guidelines recommended by trade associations and government agencies

• Security Best Practices – descriptions of what best firms in the industry are doing about security

Policy, Standard, Procedure (cont.)

Example: Microsoft – Best Security Practices

http://technet.microsoft.com/en-us/library/dd277328.aspx

Security Policies

• For policies to be effective, they must be:

A. Developed using industry-accepted practices.

B. Distributed or disseminated using all appropriate methods.

C. Read by all employees.

D. Comprehended by all employees.

E. Formally agreed to (by act or affirmation) and complied with.

F. Enforced and applied uniformly.

• Important rule to follow when shaping a policy:

Policy should never conflict with law.

Policy must be able to stand up in court if challenged.

Policy must be properly supported and administered.

Security Policies (cont.)

A. Development of Security Policy: 5 stage process

A.1 Investigation Phase.

Form the right policy design team consisting of representatives from groups that will be affected by new policy (e.g. legal dept., HR, end users of various IT systems covered by policy)

Make an outline of the scope and goals of the policy, as well as the cost and scheduling of its implementation.

Obtain general support from senior management. Without senior-management attention, any policy has a reduced chance of success – mid-management and users are not likely to implement it.

A.2 Analysis Phase.

Obtain all recent & relevant information - risk assessment, IT audits, … - as well as other references (e.g. past law suits) concerning positive / negative outcome of similar policies.

Security Policies (cont.)

Why is the Analysis Phase performed after the Investigation Phase?

Wouldn’t it be beneficial to approach management with already gathered legal/audit (reference) information?

Sometimes policy documents that affect information security are housed in the HR department, as well as in the accounting, finance, legal, or corporate security departments.

Security Policies (cont.)

A. Development of Security Policy: 5 stage process (cont.)

A.3 Design (Distribution Planning) Phase.

Create a plan for how to distribute and verify the distribution of the policy.

A.4 Implementation Phase.

Design team actually writes the policy.

Can rely on existing policies found on the Web, government sites, professional literature.

A.5 Maintenance Phase.

Monitor, maintain, and modify the policy to ensure that it remains effective as a tool against ever-changing threats.

Security Policies (cont.)

Example: Policy templates http://www.sans.org/security-resources/policies/

Security Policies (cont.)

B. Policy Distribution

Getting the policy document into the hands of all employees may require a substantial effort / investment.

Techniques of distribution:

hard-copy distribution

bulletin-board distribution

distribution via email

distribution via intranet (in html or PDF form)

The organization must be able to prove distribution of the policy document, e.g. via an audit log in the case of electronic distribution.


Security Policies (cont.)

C. & D. Policy Reading and Comprehension

Policy must be written/presented in a way that all employees can read and comprehend.

illiterate or low-literate workers

ESL workers

visually impaired, etc.

Example: Importance of policy reading & comprehension

Assume an employee is fired for failure to comply with a policy.

If the organization cannot verify that the employee was in fact properly educated on the policy, the employee could sue the organization for wrongful termination.

Security Policies (cont.)

E. Policy Compliance

Failure to agree to or follow a policy may jeopardize the organization’s interests and, thus, be sufficient grounds for termination.

However, the legal system may not support such a decision.

The organization can incorporate a ‘policy confirmation’ statement into the employment contract or annual evaluation.
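The following is an added example, not part of the lecture slides or the textbook, of how the evidence required by sections B through E above can be kept in a form that survives a legal challenge: a register of dated policy versions, a digest that binds each acknowledgement to the exact text that was distributed, and an audit that lists employees who never acknowledged the policy, who acknowledged a superseded version, or whose records point at no published version. Policy names, versions, employee IDs, dates and policy text are all constructed for illustration.

```python
# Added example (not from the lecture slides or the textbook): a policy
# acknowledgement register. Policy names, employee IDs, dates and policy text
# below are constructed for illustration.
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PolicyVersion:
    name: str
    version: str
    effective: date      # policies and their revisions are always dated
    text: str

    @property
    def digest(self) -> str:
        # Binds an acknowledgement to the exact wording that was distributed;
        # any revision changes the digest and therefore needs fresh acknowledgements.
        return hashlib.sha256(self.text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Acknowledgement:
    employee: str
    policy_name: str
    digest: str          # digest of the version the employee affirmed
    acknowledged: date   # e.g. taken from the intranet audit log


def current_version(versions, name, today):
    """Latest version of policy `name` whose effective date is on or before `today`."""
    live = [v for v in versions if v.name == name and v.effective <= today]
    if not live:
        raise ValueError(f"no version of {name} is in effect on {today}")
    return max(live, key=lambda v: v.effective)


def audit(versions, acks, employees, name, today):
    """Return (missing, stale, unknown) for policy `name` as of `today`:
    missing - employees with no acknowledgement of this policy
    stale   - employees whose most recent acknowledgement is for a superseded version
    unknown - acknowledgement records whose digest matches no published version
              (a tampered register or an unofficial copy of the policy)"""
    current = current_version(versions, name, today)
    published = {v.digest for v in versions if v.name == name}
    unknown = [a for a in acks if a.policy_name == name and a.digest not in published]
    latest = {}
    for a in acks:
        if a.policy_name != name or a.digest not in published or a.acknowledged > today:
            continue
        if a.employee not in latest or a.acknowledged > latest[a.employee].acknowledged:
            latest[a.employee] = a
    missing = sorted(e for e in employees if e not in latest)
    stale = sorted(e for e in employees if e in latest and latest[e].digest != current.digest)
    return missing, stale, unknown


# Constructed sample data: two dated versions of an acceptable-use policy (AUP)
VERSIONS = [
    PolicyVersion("AUP", "1.0", date(2013, 1, 15),
                  "Company email may be used for business purposes only."),
    PolicyVersion("AUP", "1.1", date(2013, 9, 1),
                  "Company email may be used for business purposes only. "
                  "Reading another employee's email is prohibited."),
]
V10, V11 = VERSIONS
ACKS = [
    Acknowledgement("alice", "AUP", V10.digest, date(2013, 2, 1)),
    Acknowledgement("alice", "AUP", V11.digest, date(2013, 9, 5)),
    Acknowledgement("bob", "AUP", V10.digest, date(2013, 2, 3)),
    Acknowledgement("dave", "AUP", "deadbeef", date(2013, 9, 6)),   # bogus digest
]
EMPLOYEES = ["alice", "bob", "carol"]   # current staff; dave has left


def run_audit(today=date(2013, 10, 1)):
    return audit(VERSIONS, ACKS, EMPLOYEES, "AUP", today)


if __name__ == "__main__":
    missing, stale, unknown = run_audit()
    print("never acknowledged AUP:", missing)                              # ['carol']
    print("acknowledged a superseded version:", stale)                     # ['bob']
    print("records with no published version:", [a.employee for a in unknown])  # ['dave']
```

Hashing the policy text rather than storing only a version label is the point: when revision 1.1 goes into effect, bob’s earlier acknowledgement stops counting automatically, and a record whose digest matches nothing that was ever published stands out instead of silently passing.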

Security Policies (cont.)

F. Policy Enforcement

Because of potential scrutiny during legal proceedings, organizations must establish high standards of policy implementation.

example: if policy mandates that all employees wear ID badges in a clearly visible location, and some management members decide not to follow this policy, any action taken against other employees will not withstand legal challenges

• Three types of security policies found in most organizations:

1) Enterprise Information Security Policy (EISP)

2) Issue-specific Security Policy (ISSP)

3) System-specific Security Policy (SysSP)

Security Policies (cont.)

Security Policies: EISP

1) Enterprise Information Security Policy (EISP)

Also known as the general security policy – sets strategic direction, scope, and tone for all security matters and efforts.

Short (2 – 10 page) executive-level document, usually drafted by the chief IT officer of the organization.

Common components of a good EISP:

Statement of purpose – explains the intent of the document.

States info. sec. philosophy for the given enterprise.

Explains the importance of info. sec. for the enterprise.

Defines the info. sec. organization/structure of the enterprise.

Lists other standards that influence and are influenced by this document.

2) Issue-Specific Security Policy (ISSP)

Provides detailed, targeted guidance concerning the use of a particular process, technology or system. An ISSP may cover one or more of the following:

use of electronic mail

use of the Internet and WWW

use of company-owned computer equipment

use of personal equipment on company networks

specific minimum configuration of computers to defend against worms and viruses

prohibitions against hacking or testing organization security control

Security Policies: ISSP

2) Issue-Specific Security Policy (ISSP) (cont.)

Components of a typical ISSP :

1) Statement of Purpose

what is the scope of the policy

what technology and issue it addresses

who is responsible and accountable for policy implementation

2) Authorized Access and Usage

who can use the technology governed by the policy

what the technology can be used for

what constitutes ‘fair and responsible’ use of the technology and how it may impact ‘personal information and privacy’

3) Prohibited Use of Equipment – unless a particular use is clearly prohibited, the company cannot penalize its employees for misuse

what constitutes disruptive use, misuse, criminal use

what other possible restrictions may apply


Security Policies: ISSP (cont.)

2) Issue-Specific Security Policy (ISSP) (cont.)

Components of a typical ISSP :

4) Systems Management

what kind of authorized employer monitoring is involved (e.g. electronic scrutiny of email and other electronic documents)

5) Violation of Policy

what specific penalties, for each category of violation, will apply

how to report observed or suspected violations – openly or anonymously

6) Policy Review and Modifications

how the review and modification of the policy is performed, so as to keep it as ‘current’ as possible

7) Limitation of Liability – the company does not want to be liable if an employee is caught conducting illegal activity with company assets

who is liable if an employee violates a company policy or any law

Security Policies: ISSP (cont.)

Example: ISSPs at York University:

www.eecs.yorku.ca/teaching/prism/policy/prismPolicy.html

www.yorku.ca/secretariat/policies/document.php?document=127

Security Policies: SysSP

3) System-Specific Security Policy (SysSP)

Both EISP and ISSP are formalized as written documents readily identifiable as policy. A SysSP has the look of a standard or a procedure to be used when configuring / maintaining a system.

Managerial Guidance SysSP – created by management to guide the implementation / configuration of technology, as well as to address people’s behavior, in ways that support the EISP and ISSP.

Technical Specifications SysSP – in some cases system administrators need to create / implement their own policy in order to enforce the EISP, ISSP or managerial policy.

Security Policies: SysSP (cont.)

Example: EISP vs. ISSP vs. Managerial SysSP

EISP: Company’s IT system should only be used to access corporate information.

ISSP 1: Email server should discard/quarantine all emails with non-corporate sender/receivr email addresses.

Managerial SysSP: All outgoing IP packets carrying HTTP content and port numbers x, y, z should be dropped.

ISSP 2: Firewall should be set in a way to prevent access to outside web-sites.

Security Policies: SysSP (cont.)

Example: EISP vs. ISSP vs. Technical SysSP

EISP: Only authorized users should obtain access to the company’s IT system.

ISSP: The central server that manages user accounts will implement reliable password-based authentication.

Managerial SysSP: Passwords should be strong (hard to break) and should be periodically renewed.

Technical SysSP: The Windows 2003 server will be set to require password renewal every 4 months.
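As an added example that is not part of the slides, the Technical SysSP above (password renewal every 4 months) written as a check an administrator can run over an exported list of accounts. The reading of “4 months” as 120 days, the account names and the dates are assumptions constructed for illustration; the never_expires flag stands in for the per-account “password never expires” setting, which exempts an account from the server’s maximum password age and is the usual way such a SysSP ends up silently unenforced.

```python
# Added example (not from the lecture slides): the Technical SysSP
# "password renewal every 4 months" expressed as a check over account records.
# MAX_PASSWORD_AGE (120 days), the account names and the dates are assumptions
# constructed for illustration.
from dataclasses import dataclass
from datetime import date, timedelta

MAX_PASSWORD_AGE = timedelta(days=120)   # assumption: "4 months" read as 120 days


@dataclass(frozen=True)
class Account:
    name: str
    last_set: date               # date the password was last changed
    never_expires: bool = False  # per-account flag that exempts it from the maximum age
    enabled: bool = True


def password_age(acct, today):
    return today - acct.last_set


def check_accounts(accounts, today, max_age=MAX_PASSWORD_AGE):
    """Classify accounts against the SysSP as of `today`.
    expired  - enabled accounts whose password is older than max_age
    exempt   - enabled accounts flagged never_expires: the server will never force
               renewal on them, so the SysSP is not enforced there at all
    disabled - disabled accounts, listed so they are not mistaken for compliant ones"""
    result = {"expired": [], "exempt": [], "disabled": []}
    for a in accounts:
        if not a.enabled:
            result["disabled"].append(a.name)
        elif a.never_expires:
            result["exempt"].append(a.name)
        elif password_age(a, today) > max_age:
            result["expired"].append(a.name)
    return {k: sorted(v) for k, v in result.items()}


# Constructed sample export
ACCOUNTS = [
    Account("alice", date(2013, 7, 1)),
    Account("bob", date(2013, 3, 1)),
    Account("svc_backup", date(2011, 1, 1), never_expires=True),
    Account("old_contractor", date(2012, 5, 1), enabled=False),
]


def run_check(today=date(2013, 10, 1)):
    return check_accounts(ACCOUNTS, today)


if __name__ == "__main__":
    for category, names in run_check().items():
        print(f"{category}: {names}")
```

The exempt list is the one to read first: a server configured exactly as the SysSP says will still never rotate svc_backup’s password, so the audit has to report the exemption rather than treat a ‘correctly configured’ server as proof of compliance.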

Security Policies: SysSP (cont.)

Example: Password SysSP on a Server

Final Note on Policy

• Policy Administrator – must ensure that policy documents and their subsequent revisions are appropriately distributed

a three-ring binder sitting on a manager’s bookcase is not likely to achieve the goal

• Policy Review – to remain relevant and effective security policies should be reviewed annually

input from all affected parties should be sought

policy, and its revisions, should always be dated!