Wednesday, September 23, 2009

Security Management Practices

Security Management includes risk management, information security policies, procedures, standards, guidelines, baselines, information classification, security organization, and security education.

Security Management Responsibilities: Who is in charge and why?
Analogy: Building a house
The Top-Down Approach to security is ideal. It means that the initiation, support, and direction come from top management and work their way down through middle management and then to staff members.

Bottom-Up Approach to security is the exact opposite. It refers to a situation in which the IT department tries to develop a security program without getting proper management support and direction.



Security Administration and Supporting Controls

  • Administrative controls - developing and publishing of policies, standards, procedures, and guidelines; the screening of personnel; training and implementing change control procedures.
  • Technical controls (logical controls) - implementing and maintaining access control mechanisms, password and resource management, identification and authentication methods, security devices and configuration of infrastructure.
  • Physical controls - controlling individual access into facility, locking systems and removing unnecessary drives from computers, etc...
Fundamental Principles of Security

The main three principles in all programs are:

  1. Availability - "ensures reliability and timely access to data and resources to authorized individuals"
  2. Integrity - "upheld when the assurance of accuracy and reliability of information and systems is provided, and unauthorized modification is prevented."
  3. Confidentiality - "ensures that the necessary level of secrecy is enforced at each junction of data processing and prevents unauthorized disclosure."
Terms
Shoulder surfing - when a person looks over another person's shoulder and watches their keystrokes or views data as it appears on the screen.
Social engineering - when one person tricks another person into sharing confidential information by posing as someone authorized to have access to that information.

Security Definitions
A big part of this chapter is the set of words vulnerability, threat, risk, and exposure. They are often used as if they meant the same thing; however, each is distinct, and they are related to one another.
A vulnerability is a software, hardware, or procedural weakness that may provide an attacker an open door into a computer or network.
A threat is any potential danger to information or systems.
A risk is the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.
An exposure is an instance of being exposed to losses from a threat agent.

ISO 17799 Domains
  • Information security policy for the organization
  • Creation of information security infrastructure
  • Asset classification and control
  • Personnel security
  • Physical and environmental security
  • Communications and operations management
  • Access control
  • System development and maintenance
  • Business continuity management
  • Compliance
The text goes into further detail about Information Risk Management: protecting against physical damage, human interaction, equipment malfunction, inside and outside attacks, misuse of data, loss of data, and application error. Risk analysis has four main goals:
  1. Identify assets and their values
  2. Identify vulnerabilities and threats
  3. Quantify the probability and business impact of these potential threats
  4. Provide an economic balance between the impact of the threat and the cost of the countermeasure
Risk analysis provides a cost/benefit comparison, which compares the annualized cost of safeguards to the potential cost of loss.
Quantitative vs. Qualitative Risk Analysis
Delphi Methods
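As an added worked example (not from the original post or its source text), the cost/benefit comparison mentioned above carried out with the standard quantitative risk analysis formulas: single loss expectancy SLE = asset value × exposure factor, annualized loss expectancy ALE = SLE × annualized rate of occurrence, and the value of a safeguard = ALE before − ALE after − annual cost of the safeguard. The asset, dollar figures, rates and safeguard names are constructed for illustration.

```python
"""Quantitative risk analysis: compare the annualized cost of safeguards
to the annualized expected loss they prevent.

Formulas used (standard quantitative risk analysis, assumed here):
    SLE = AV * EF              single loss expectancy
    ALE = SLE * ARO            annualized loss expectancy
    value = ALE_before - ALE_after - annual_safeguard_cost
A safeguard is economically justified when its value is positive.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One threat against one asset, expressed in quantitative terms."""
    name: str
    asset_value: float       # AV: value of the asset in dollars
    exposure_factor: float   # EF: fraction of AV lost in one incident (0..1)
    annual_rate: float       # ARO: expected incidents per year

    def __post_init__(self) -> None:
        # Reject inputs that would make the arithmetic meaningless.
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError("asset value and ARO must be non-negative")

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    """A countermeasure and the residual risk that remains after it is applied."""
    name: str
    annual_cost: float          # amortized purchase + yearly operating cost
    residual_exposure_factor: float
    residual_annual_rate: float


def safeguard_value(scenario: RiskScenario, safeguard: Safeguard) -> float:
    """Annual benefit of the safeguard: prevented loss minus its own cost."""
    residual = RiskScenario(
        name=scenario.name,
        asset_value=scenario.asset_value,
        exposure_factor=safeguard.residual_exposure_factor,
        annual_rate=safeguard.residual_annual_rate,
    )
    return scenario.ale() - residual.ale() - safeguard.annual_cost


def rank_safeguards(scenario: RiskScenario, safeguards: list[Safeguard]) -> list[tuple[str, float]]:
    """Order candidate safeguards by their annual value, best first."""
    scored = [(s.name, safeguard_value(scenario, s)) for s in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample scenario: a file server worth $150,000 facing ransomware
# that is expected to destroy 40% of its value once every two years.
FILE_SERVER_RANSOMWARE = RiskScenario(
    name="file server / ransomware",
    asset_value=150_000.0,
    exposure_factor=0.40,
    annual_rate=0.5,
)

# Constructed candidate countermeasures with their residual risk figures.
CANDIDATES = [
    Safeguard("offline backups + endpoint detection", annual_cost=12_000.0,
              residual_exposure_factor=0.10, residual_annual_rate=0.5),
    Safeguard("full network segmentation rebuild", annual_cost=40_000.0,
              residual_exposure_factor=0.05, residual_annual_rate=0.25),
]

if __name__ == "__main__":
    print(f"SLE = ${FILE_SERVER_RANSOMWARE.sle():,.0f}, "
          f"ALE = ${FILE_SERVER_RANSOMWARE.ale():,.0f}")
    for name, value in rank_safeguards(FILE_SERVER_RANSOMWARE, CANDIDATES):
        verdict = "justified" if value > 0 else "not justified"
        print(f"{name}: ${value:,.0f} per year ({verdict})")
```

The ranking shows why the cheaper safeguard wins here: the expensive rebuild removes more risk in absolute terms, but its annual cost exceeds the additional loss it prevents, so its value is negative. This is the economic balance between the impact of the threat and the cost of the countermeasure that the fourth goal of risk analysis asks for.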

Defining Policies, Standards, Baselines, Guidelines, and Procedures
A security policy is an overall general statement produced by senior management that dictates what role security plays within the organization. Standards refer to mandatory activities, actions, rules, or regulations. A baseline can refer to a point in time that is used as a comparison for future changes or it can be defined as the minimum level of protection that is required. Guidelines are recommended actions and operational guides to users, IT staff, operations staff, and others when a specific standard does not apply. Procedures are detailed step-by-step tasks that should be performed to achieve a certain goal.

Private Business vs. Military Classifications
Commercial Business
  • Confidential
  • Private
  • Sensitive
  • Public
Military
  • Top Secret
  • Secret
  • Confidential
  • Sensitive but unclassified
  • Unclassified
Layers of Responsibility
  • Data Owner
  • Data Custodian
  • System Owner
  • Security Administrator
  • Security Analyst
  • Application Owner
  • Supervisor
  • Change Control Analyst
  • Data Analyst
  • Process Owner
  • Solution Provider
  • User
  • Product Line Manager

