Ais 7 - Reviewer - Midterm
MULTICS
• Early focus of computer security research
• System called Multiplexed Information and Computing Service (MULTICS)
• First operating system created with security as its primary goal
• Several MULTICS key players went on to create UNIX

Late 1970s
• Microprocessor expanded computing capabilities
• Mainframe presence reduced
• Expanded security threats

The 1990s
• Networks of computers became more common
• Need to interconnect networks grew
• Internet became first manifestation of a global network of networks
• In early Internet deployments, security was treated as a low priority

2000 to Present
• Millions of computer networks communicate
• Many of these communications are unsecured and have become more exposed to security threats.

Key Information Security Concepts
• Access - a subject's or object's ability to use, manipulate, modify, or affect another subject or object.
• Asset - the organizational resource that is being protected.
• Exposure - a single instance of being open to damage.
• Loss - when an organization's information is stolen, it has suffered a loss.
• Exploit - to take advantage of weaknesses or vulnerabilities in a system.
• Attack - an act that is an intentional or unintentional attempt to cause damage or compromise to the information and/or the systems that support it.
• Control, Safeguard, or Countermeasure - security mechanisms, policies, or procedures that can successfully counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the security within an organization.
• Hack - Good: to use computers or systems for enjoyment; Bad: to illegally gain access to a computer or system.
• Risk - the probability that something can happen.
• Security Blueprint - the plan for the implementation of new security measures in the organization.
• Security Model - a collection of specific security rules that represents the implementation of a security policy.
• Subject - an active entity (a user or a process) that interacts with an information system and causes information to move through the system for a specific end purpose. Object - the passive entity (a file, record, or device) that a subject acts on; a subject can itself be the object of another subject's action.
• Threat - a category of objects, persons, or other entities that represents a potential danger to an asset.
• Threat Agent - a specific instance or component of a more general threat.
• Vulnerability - weaknesses or faults in a system or protection mechanism that expose information to attack or damage.

Critical Characteristics of Information
• The value of information comes from the characteristics it possesses:
• Availability - enables users who need to access information to do so without interference or obstruction and in the required format.
• Accuracy - free from mistake or error and having the value that the end user expects.
• Authenticity - the quality or state of being genuine or original, rather than a reproduction or fabrication.
• Confidentiality - the quality or state of preventing disclosure or exposure to unauthorized individuals or systems.
• Integrity - the quality or state of being whole, complete, and uncorrupted.
• Possession - the quality or state of having ownership or control of some object or item.

Top-down approach to implementing security (initiated by upper management)
• Issue policy, procedures, and processes
• Dictate goals and expected outcomes of project
• Determine accountability for each required action
• Most successful approach
• Involves formal development strategy
• Systems development life cycle

Security Professionals and the Organization
• Wide range of professionals required to support a diverse information security program
• Senior management is key component
• Additional administrative support and technical expertise are required to implement details of IS program

Senior Management
• Chief Information Officer (CIO)
 – Senior technology officer
 – Primarily responsible for advising senior executives on strategic planning
• Chief Information Security Officer (CISO)
 – Primarily responsible for assessment, management, and implementation of IS in the organization
 – Usually reports directly to the CIO

Information Security Project Team
• A number of individuals who are experienced in one or more facets of required technical and nontechnical areas:
 – Team leader
 – Security policy developers
 – Risk assessment specialists
 – Security professionals
 – Systems administrators
 – End users
Missing, Inadequate, or Incomplete Organizational Policy or Planning and Controls
• Can make organizations vulnerable to loss, damage, or disclosure of information assets
• Can make an organization more likely to suffer losses when other threats lead to attacks

Sabotage or Vandalism
• Threats can range from petty vandalism to organized sabotage
• Web site defacing can erode consumer confidence, dropping sales and the organization's net worth
• Threat of hacktivist or cyber-activist operations rising
• Cyberterrorism: much more sinister form of hacking

Theft
• Illegal taking of another's physical, electronic, or intellectual property
• Physical theft is controlled relatively easily
• Electronic theft is a more complex problem; evidence of the crime is not readily apparent

Technical Hardware Failures or Errors
• Occur when manufacturer distributes equipment containing flaws to users
• Can cause system to perform outside of expected parameters, resulting in unreliable or poor service
• Some errors are terminal; some are intermittent

Technical Software Failures or Errors
• Purchased software that contains unrevealed faults
• Combinations of certain software and hardware can reveal new software bugs
• Entire Web sites are dedicated to documenting bugs

Technological Obsolescence
• Antiquated/outdated infrastructure can lead to unreliable, untrustworthy systems
• Proper managerial planning should prevent technology obsolescence
• IT plays a large role

– Uniform enforcement (the fifth criterion for policy enforcement, DRCCU) – The organization must be able to demonstrate that the policy has been uniformly enforced, regardless of employee status or assignment.

Attacks
– Acts or actions that exploit a vulnerability (i.e., an identified weakness) in a controlled system
– Timing attack: a side-channel attack that measures how long an operation takes; the textbook's example explores the contents of a Web browser's cache (a cached resource loads measurably faster than an uncached one) to learn what the user has visited and to build a malicious cookie
– Brute force: trying every possible combination of options of a password
– Dictionary: selects specific accounts to attack and uses commonly used passwords to guide guesses
– Denial-of-service (DoS): attacker sends a large number of connection or information requests to a target
 • Target system cannot handle them successfully along with other, legitimate service requests
 • May result in system crash or inability to perform ordinary functions
– Distributed denial-of-service (DDoS): coordinated stream of requests is launched against target from many locations simultaneously
– Spoofing: technique used to gain unauthorized access; intruder assumes a trusted IP address
– Man-in-the-middle: attacker monitors network packets, modifies them, and inserts them back into the network
– Mail bombing: also a DoS; attacker routes large quantities of e-mail to target
– Sniffers: program or device that monitors data traveling over a network; can be used both for legitimate purposes and for stealing information from a network
– Phishing: an attempt to gain personal/financial information from an individual, usually by posing as a legitimate entity
– Pharming: redirection of legitimate Web traffic (e.g., browser requests) to an illegitimate site for the purpose of obtaining private information
– Social engineering: using social skills to convince people to reveal access credentials or other valuable information to the attacker
– "People are the weakest link. You can have the best technology; firewalls, intrusion-detection systems, biometric devices ... and somebody can call an unsuspecting employee. That's all she wrote, baby. They got everything." — Kevin Mitnick
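The brute-force and dictionary entries above are definitions only. The following is an added example (mine, not from the original reviewer or the textbook it summarizes) showing how the two guessing patterns look in an authentication log and how a simple detector tells them apart: brute force is many failures against one account from one source, while the dictionary pattern described above (specific accounts, commonly used passwords) shows up as a few failures spread across several accounts from the same source. The log format, the sample lines and the thresholds are constructed assumptions, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the original page).
# Assumed format: ISO timestamp, FAIL|OK, user=<account>, src=<client IP>.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.5
2024-03-01T09:00:02 FAIL user=alice src=203.0.113.5
2024-03-01T09:00:03 FAIL user=alice src=203.0.113.5
2024-03-01T09:00:04 FAIL user=alice src=203.0.113.5
2024-03-01T09:00:05 FAIL user=alice src=203.0.113.5
2024-03-01T09:00:06 FAIL user=alice src=203.0.113.5
2024-03-01T09:00:07 OK user=alice src=203.0.113.5
2024-03-01T09:10:00 FAIL user=bob src=198.51.100.7
2024-03-01T09:10:01 FAIL user=carol src=198.51.100.7
2024-03-01T09:10:02 FAIL user=dave src=198.51.100.7
2024-03-01T09:20:00 FAIL user=erin src=192.0.2.9
2024-03-01T09:20:30 OK user=erin src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(lines):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "OK",
            "user": m["user"],
            "src": m["src"],
        })
    return sorted(events, key=lambda e: e["ts"])


def classify(events, window=timedelta(minutes=5),
             single_account_failures=5, distinct_accounts=3,
             failures_before_success=3):
    """Label each source IP with the guessing patterns seen in any window.

    brute-force            : >= single_account_failures failures against one
                             account from one source inside `window`
    dictionary             : failures against >= distinct_accounts different
                             accounts from one source inside `window`
    success-after-failures : a successful login for an account that just
                             accumulated >= failures_before_success failures
    The thresholds are assumptions chosen for the demo.
    """
    findings = defaultdict(set)
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            # Failures from this source inside the window ending at event e
            # (events are time-sorted, so a slice is enough for a demo).
            recent_failures = [x for x in evs[:i + 1]
                               if not x["ok"] and e["ts"] - x["ts"] <= window]
            per_account = defaultdict(int)
            for x in recent_failures:
                per_account[x["user"]] += 1

            if any(n >= single_account_failures for n in per_account.values()):
                findings[src].add("brute-force")
            if len(per_account) >= distinct_accounts:
                findings[src].add("dictionary")
            if e["ok"] and per_account.get(e["user"], 0) >= failures_before_success:
                findings[src].add("success-after-failures")
    return dict(findings)


def report(log_text=SAMPLE_LOG):
    """Run the detector over a log text and return {src: set(labels)}."""
    return classify(parse(log_text.splitlines()))


if __name__ == "__main__":
    for src, labels in report().items():
        print(src, sorted(labels))
```

A real attacker spreads guesses across many source addresses (the same idea as the DDoS entry above), which defeats per-source counting; the same aggregation run per account, and across sources, catches that variant. Any lockout a detector like this triggers is itself a denial-of-service lever against the targeted account, so alert and rate-limit rather than hard-lock.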
Laws: rules that mandate or prohibit certain societal behavior
Ethics: define socially acceptable behavior
Cultural mores: fixed moral attitudes or customs of a particular group; ethics are based on these
Laws carry sanctions of a governing authority; ethics do not

Types of Law (CCPP)
• Civil: governs nation or state; manages relationships/conflicts between organizational entities and people.
• Criminal: addresses violations harmful to society; actively enforced by the state
• Private: regulates relationships between individuals and organizations.
• Public: regulates structure/administration of government agencies and relationships with citizens, employees, and other governments

Organizational Liability and the Need for Counsel (LRDDJL)
Liability: legal obligation of an entity extending beyond criminal or contract law; includes legal obligation to make restitution
Restitution: to compensate for wrongs committed by an organization or its employees
Due care: ensuring that employees know what constitutes acceptable behavior and know the consequences of illegal or unethical actions
Due diligence: making a valid effort to protect others; continually maintaining that level of effort
Jurisdiction: a court's right to hear a case if the wrong was committed in its territory or involved its citizenry
Long arm jurisdiction: right of any court to impose its authority over an individual or organization if it can establish jurisdiction

Civil Cases
• According to the Michigan Association of Townships, "If you decide to sue another person, an organization or a business, your case is a civil case. Private individuals, businesses or the government can sue other people and organizations. The person who is suing is called the plaintiff and the person who is being sued is called the defendant. Some examples of civil cases are:
 • A person who is hurt in a car accident sues the driver of the other car;
 • A worker sues his employer after the worker hurts his back at work and can never work again;
 • A homeowner who has hired a builder to build a new kitchen sues the builder when the kitchen is badly built and has to be fixed;
 • A family sues their doctor when the doctor does not discover that the mother has cancer in time for the cancer to be treated."

Criminal Cases (MRTRK)
• Murder.
• Robbery.
• Treason.
• Rape.
• Kidnapping.

Private cases
• Divorce and Infidelity Investigations. The end of a marriage often involves the loss of trust between spouses. ...
• Child Custody Disputes. ...
• Finding Missing Loved Ones. ...
• Serving Legal Papers. ...
• Trial Preparation. ...
• Social Media Investigations. ...
• Background Investigations.

Policy versus Law
• Policies: body of expectations that describe acceptable and unacceptable employee behaviors in the workplace
• Policies function as laws within an organization; must be crafted carefully to ensure they are complete, appropriate, and fairly applied to everyone
• Difference between policy and law: ignorance of the law is no defense, but ignorance of a policy is an acceptable defense, which is why the organization must be able to prove the criteria below

Criteria for policy enforcement (DRCCU)
– Dissemination (distribution) – The organization must be able to demonstrate that the relevant policy has been made readily available for review by the employee. Common dissemination techniques include hard copy and electronic distribution.
– Review (reading) – The organization must be able to demonstrate that it disseminated the document in an intelligible form, including versions for illiterate, non-English reading, and reading-impaired employees. Common techniques include recordings of the policy in English and alternate languages.
– Comprehension (understanding) – The organization must be able to demonstrate that the employee understood the requirements and content of the policy. Common techniques include quizzes and other assessments.
– Compliance (agreement) – The organization must be able to demonstrate that the employee agrees to comply with the policy, through act or affirmation. Common techniques include logon banners which require a specific action (mouse click or keystroke) to acknowledge agreement, or a signed document clearly indicating the employee has read, understood, and agreed to comply with the policy.

Relevant U.S. Laws
• United States has been a leader in the development and implementation of information security legislation
• Implementation of information security legislation contributes to a more reliable business environment and a stable economy
• U.S. has demonstrated understanding of problems facing the information security field; has specified penalties for individuals and organizations failing to follow requirements set forth in U.S. civil statutes

General Computer Crime Laws
• Computer Fraud and Abuse Act of 1986 (CFA Act): cornerstone of many computer-related federal laws and enforcement efforts
 – The CFAA prohibits intentionally accessing a computer without authorization or in excess of authorization, but fails to define what "without authorization" means.
• National Information Infrastructure Protection Act of 1996: revises Federal criminal code provisions regarding fraud and related activity in connection with computers. Sets penalties with respect to anyone who, having knowingly accessed a computer without authorization or exceeding authorized access, obtains specified restricted information or data, and, with reason to believe that such information could be used to the injury of the United States or to the advantage of any foreign nation, willfully communicates, delivers, or transmits it to any person not entitled to receive it (or causes or attempts such communication)
 – Modified several sections of the previous act and increased the penalties for selected crimes
 – Severity of penalties judged on the purpose:
  • For purposes of commercial advantage
  • For private financial gain
  • In furtherance of a criminal act
• USA PATRIOT Act of 2001: provides law enforcement agencies with broader latitude in order to combat terrorism-related activities
• USA PATRIOT Improvement and Reauthorization Act: made permanent fourteen of the sixteen expanded powers of the Department of Homeland Security and the FBI in investigating terrorist activity
• Computer Security Act of 1987: one of the first attempts to protect federal computer systems by establishing minimum acceptable security practices

Privacy
• One of the hottest topics in information security
• Is a "state of being free from unsanctioned intrusion"; unsanctioned means lacking effective or authoritative approval or consent
• Ability to aggregate data from multiple sources allows creation of information databases previously impossible
• The number of statutes addressing an individual's right to privacy has grown
• Also defined as the state or condition of being free from being observed or disturbed by other people

US Regulations
– Privacy of Customer Information Section of the common carrier regulation
– Federal Privacy Act of 1974
– Electronic Communications Privacy Act of 1986
– Health Insurance Portability and Accountability Act of 1996 (HIPAA), aka Kennedy-Kassebaum Act
– Financial Services Modernization Act, or Gramm-Leach-Bliley Act of 1999

Identity Theft
– Federal Trade Commission: "occurring when someone uses your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes"
– Fraud And Related Activity In Connection With Identification Documents, Authentication Features, And Information (Title 18, U.S.C. § 1028)
If someone suspects identity theft:
– Report to the three dominant consumer reporting companies that your identity is threatened
– Accounts
 • Close compromised accounts
 • Dispute accounts opened without permission
– Register your concern with the FTC
– Report the incident to either your local police or the police in the location where the identity theft occurred

Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• Protects the confidentiality and security of health care data by establishing and enforcing standards and by standardizing electronic data interchange
• Consumer control of medical information
• Boundaries on the use of medical information
• Accountability for the privacy of private information
• Balance of public responsibility for the use of medical information for the greater good measured against impact to the individual
• Security of health information

Export and Espionage Laws
• Economic Espionage Act of 1996 (EEA)
• Security And Freedom Through Encryption Act of 1999 (SAFE)
• The acts include provisions about encryption that:
 – Reinforce the right to use or sell encryption algorithms, without concern of key registration
 – Prohibit the federal government from requiring it
 – Make its use not probable cause of criminal activity
 – Relax export restrictions
 – Add penalties for using it in a crime

Economic Espionage Act of 1996 (EEA)
• Economic espionage is the unlawful or clandestine targeting or acquisition of sensitive financial, trade or economic policy information; proprietary economic information; or technological information.
• "An Act to punish acts of interference with the foreign relations, and the foreign commerce of the United States, to punish espionage, and better to enforce the criminal laws of the United States, and for other purposes." (This is the long title of the Espionage Act of 1917, not of the EEA of 1996; the two are often confused.)

Security and Freedom Through Encryption (SAFE) Act
• Establishes in the Department of Justice (DOJ) a National Electronic Technologies (NET) Center to:
 (1) serve as a center for Federal, State, and local law enforcement authorities for information and assistance regarding decryption and other access requirements and for industry and Government entities to exchange information and methodology regarding information security techniques and technologies;
 (2) examine encryption techniques and methods to facilitate the ability of law enforcement to gain efficient access to plaintext of communications and electronic information;
 (3) develop efficient methods and improve the efficiency of existing methods of accessing such plaintext;
 (4) investigate techniques and technologies to facilitate access to communications and electronic information; and
 (5) obtain information regarding the most current hardware, software, telecommunications, and other capabilities to understand how to access information transmitted across networks.

U.S. Copyright Law
• Intellectual property recognized as protected asset in the U.S.; copyright law extends to electronic formats
• With proper acknowledgment, permissible to include portions of others' work as reference
• U.S. Copyright Office Web site: www.copyright.gov

Financial Reporting
• Sarbanes-Oxley Act of 2002
• Affects executive management of publicly traded corporations and public accounting firms
• Seeks to improve reliability and accuracy of financial reporting and increase the accountability of corporate governance
• Penalties for noncompliance range from fines to jail terms
• Reliability assurance will require additional emphasis on confidentiality and integrity

Freedom of Information Act of 1966 (FOIA)
• Allows access to federal agency records or information not determined to be a matter of national security
• U.S. government agencies required to disclose any requested information upon receipt of a written request
• Some information protected from disclosure

State and Local Regulations
• Restrictions on organizational computer technology use exist at international, national, state, and local levels
• Information security professional responsible for understanding state regulations and ensuring the organization is compliant with them

International Laws and Legal Bodies
• When organizations do business on the Internet, they do business globally
• Professionals must be sensitive to laws and ethical values of many different cultures, societies, and countries
• Because of political complexities of relationships among nations and differences in culture, there are few international laws relating to privacy and information security
• These international laws are important but are limited in their enforceability

European Council Cyber-Crime Convention
• Establishes international task force overseeing Internet security functions for standardized international technology laws
• Attempts to improve effectiveness of international investigations into breaches of technology law
• Well received by intellectual property rights advocates due to emphasis on copyright infringement prosecution
• Lacks realistic provisions for enforcement

Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS)
• Created by World Trade Organization (WTO)
• First significant international effort to protect intellectual property rights
• Outlines requirements for governmental oversight and legislation providing minimum levels of protection for intellectual property
• Agreement covers five issues:
 – Application of basic principles of trading system and international intellectual property agreements
 – Giving adequate protection to intellectual property rights
 – Enforcement of those rights by countries in their own territories
 – Settling intellectual property disputes
 – Transitional arrangements while new system is being introduced

Ethics and Information Security
• Many professional groups have explicit rules governing ethical behavior in the workplace
• IT and IT security do not have binding codes of ethics
• Professional associations and certification agencies work to establish codes of ethics
 – Can prescribe ethical conduct
 – Do not always have the ability to ban violators from practice in the field

Ethical Differences Across Cultures
• Cultural differences create difficulty in determining what is and is not ethical
• Difficulties arise when one nationality's ethical behavior conflicts with the ethics of another national group
• Scenarios are grouped into:
 – Software License Infringement
 – Illicit Use
 – Misuse of Corporate Resources
• Cultures have different views on the scenarios

Ethics and Education
• Overriding factor in levelling ethical perceptions within a small population is education
• Employees must be trained in the expected behaviors of an ethical employee, especially in areas of information security
• Proper ethical training is vital to creating an informed, well-prepared, and low-risk system user

Deterring Unethical and Illegal Behavior
• Three general causes of unethical and illegal behavior: ignorance, accident, intent
• Deterrence: best method for preventing an illegal or unethical activity; e.g., laws, policies, technical controls
• Laws and policies only deter if three conditions are present:
 – Fear of penalty
 – Probability of being caught
 – Probability of penalty being administered

Codes of Ethics and Professional Organizations
• Several professional organizations have established codes of conduct/ethics
• Codes of ethics can have a positive effect; unfortunately, many employers do not encourage joining these professional organizations
• Responsibility of security professionals to act ethically and according to the policies of employer, professional organization, and laws of society

Major IT Professional Organizations (AISI)
• Association for Computing Machinery (ACM)
 – Established in 1947 as "the world's first educational and scientific computing society"
 – Code of ethics contains references to protecting information confidentiality, causing no harm, protecting others' privacy, and respecting others' intellectual property
• International Information Systems Security Certification Consortium, Inc. (ISC)2
 – Nonprofit organization focusing on development and implementation of information security certifications and credentials
 – Code primarily designed for information security professionals who have certification from (ISC)2
 – Code of ethics focuses on four mandatory canons
• System Administration, Networking, and Security Institute (SANS)
 – Professional organization with a large membership dedicated to protection of information and systems
 – SANS offers a set of certifications called Global Information Assurance Certification (GIAC)
• Information Systems Audit and Control Association (ISACA)
 – Professional association with focus on auditing, control, and security
 – Concentrates on providing IT control practices and standards
 – ISACA has a code of ethics for its professionals
• Information Systems Security Association (ISSA)
 – Nonprofit society of information security (IS) professionals
 – Primary mission to bring together qualified IS practitioners for information exchange and educational development
 – Promotes a code of ethics similar to those of (ISC)2, ISACA, and ACM

Key U.S. Federal Agencies (DFNU)
• Department of Homeland Security (DHS)
 – Made up of five directorates, or divisions
 – Mission is to protect the people as well as the physical and informational assets of the US
• Federal Bureau of Investigation's National InfraGard Program
 – Maintains an intrusion alert network
 – Maintains a secure Web site for communication about suspicious activity or intrusions
 – Sponsors local chapter activities
 – Operates a help desk for questions
• National Security Agency (NSA)
 – Is the Nation's cryptologic organization
 – Protects US information systems
 – Produces foreign intelligence information
 – Responsible for signals intelligence and information system security
• U.S. Secret Service
 – In addition to protective services, charged with the detection and arrest of persons committing a federal offense relating to computer fraud or false identification

Introduction
• Organizations must design and create safe environments in which business processes and procedures can function
• Risk management: process of identifying and controlling risks facing an organization
• Risk identification: process of examining an organization's current information technology security situation
• Risk control: applying controls to reduce risks to an organization's data and information systems

Security Risk Management
• The ongoing process of identifying these security risks and implementing plans to address them.
• Risk is determined by considering the likelihood that known threats will exploit vulnerabilities and the impact they have on valuable assets.

An Overview of Risk Management
• Know yourself: identify, examine, and understand the information and systems currently in place
• Know the enemy: identify, examine, and understand threats facing the organization
• Responsibility of each community of interest within an organization to manage the risks that are encountered

The Roles of the Communities of Interest
• Information security, management and users, and information technology all must work together
• Communities of interest are responsible for:
 – Evaluating the risk controls
 – Determining which control options are cost effective for the organization
 – Acquiring or installing the needed controls
 – Ensuring that the controls remain effective

Risk Identification
• Risk management involves identifying, classifying, and prioritizing an organization's assets
• A threat assessment process identifies and quantifies the risks facing each asset
• Components of risk identification
 – People
 – Procedures
 – Data
 – Software
 – Hardware

Plan and Organize the Process
• First step in the Risk Identification process is to follow your project management principles
• Begin by organizing a team with representation across all affected groups
• The process must then be planned out
 – Periodic deliverables
 – Reviews
 – Presentations to management
• Tasks laid out, assignments made, and timetables discussed
• Automated tools can identify system elements for hardware, software, and network components

Figure 4-2 Components of Risk Identification (figure not reproduced here)

Asset Identification and Inventory
• Iterative process; begins with identification of assets, including all elements of an organization's system (people, procedures, data and information, software, hardware, networking)
• Assets are then classified and categorized

Data Classification and Management
• Variety of classification schemes used by corporate and military organizations
• Information owners responsible for classifying their information assets
• Information classifications must be reviewed periodically
• Most organizations do not need the detailed level of classification used by military or federal agencies; however, organizations may need to classify data to provide protection
• Security clearance structure
 – Each data user assigned a single level of authorization indicating classification level
 – Before accessing a specific set of data, employee must meet the need-to-know requirement
• Management of Classified Data
 – Storage, distribution, portability, and destruction of classified data
 – Clean desk policy
 – Dumpster diving
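The clearance rule above (one authorization level per user, plus a need-to-know check before each data set is accessed) is easy to get wrong by checking only the level. This added example, written for these notes and not taken from the original reviewer or its textbook, encodes both checks as a fail-closed access decision and adds the periodic-review flag the classification bullet calls for. The level names, the compartment names and the one-year review interval are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed classification ladder, lowest to highest. A real scheme may differ.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    """Classification attached to a data set by its information owner."""
    level: str
    compartments: frozenset = frozenset()   # need-to-know groups, e.g. {"payroll"}
    classified_on: date = date(2024, 1, 1)  # date of the owner's last review


@dataclass(frozen=True)
class Subject:
    """A data user: a single authorization level plus the groups they may see."""
    name: str
    clearance: str
    need_to_know: frozenset = frozenset()


def can_read(subject, label):
    """Allow only if the clearance dominates the level AND every compartment on
    the data is among the subject's need-to-know groups. Unknown levels fail closed."""
    if subject.clearance not in LEVELS or label.level not in LEVELS:
        return False
    level_ok = LEVELS[subject.clearance] >= LEVELS[label.level]
    ntk_ok = label.compartments <= subject.need_to_know
    return level_ok and ntk_ok


def access_decision(subject, label):
    """Same rule as can_read, but returns (allowed, reason) so denials are auditable."""
    if label.level not in LEVELS:
        return False, "unknown classification level"
    if subject.clearance not in LEVELS:
        return False, "unknown clearance"
    if LEVELS[subject.clearance] < LEVELS[label.level]:
        return False, "clearance below classification"
    missing = label.compartments - subject.need_to_know
    if missing:
        return False, "no need-to-know for " + ",".join(sorted(missing))
    return True, "ok"


def review_overdue(label, today, max_age=timedelta(days=365)):
    """Classifications must be reviewed periodically; flag labels older than max_age."""
    return today - label.classified_on > max_age


if __name__ == "__main__":
    # Constructed sample: a secret-cleared HR manager still cannot read payroll data
    # at a lower level, because need-to-know is a separate check.
    alice = Subject("alice", "secret", frozenset({"hr"}))
    for label in (Label("confidential", frozenset({"hr"})),
                  Label("confidential", frozenset({"payroll"})),
                  Label("public")):
        print(alice.name, label.level, sorted(label.compartments), access_decision(alice, label))
    print("review overdue:", review_overdue(Label("secret", classified_on=date(2022, 1, 1)),
                                            date(2024, 1, 1)))
```

The decision is deliberately split in two: `can_read` is the yes/no gate, and `access_decision` gives the reason, which is what an access log needs for the periodic review and for the "uniform enforcement" evidence discussed under policy enforcement.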
Vulnerability Identification
• Specific avenues threat agents can exploit to attack
an information asset are called vulnerabilities
• Examine how each threat could be perpetrated and
list organization’s assets and vulnerabilities Risk Control Strategies
• Process works best when people with diverse • Once ranked vulnerability risk worksheet complete,
backgrounds within organization work iteratively in a must choose one of five strategies to control each
series of brainstorming sessions risk:
• At end of risk identification process, list of assets and – Defend
their vulnerabilities is achieved – Transfer
– Mitigate - Lessening the likelihood and/or
Risk Assessment impact of the risk, but not fixing it entirely.
• Risk assessment evaluates the relative risk for each – Accept
vulnerability – Terminate
• Assigns a risk rating or score to each information Defend
asset • Attempts to prevent exploitation of the vulnerability
• The goal at this point: create a method for evaluating • Preferred approach
the relative risk of each listed vulnerability • Accomplished through countering threats, removing
asset vulnerabilities, limiting asset access, and adding
Likelihood protective safeguards
• The probability that a specific vulnerability will be • Three common methods of risk avoidance:
the object of a successful attack – Application of policy
• Assign numeric value: number between 0.1 (low) and – Training and education
1.0 (high), or a number between 1 and 100 – Applying technology
• Zero not used since vulnerabilities with zero Transfer
likelihood are removed from asset/vulnerability list
• Use selected rating model consistently
• Use external references for values that have been reviewed/adjusted for your circumstances

Risk Determination
• For the purpose of relative risk assessment:
  – Risk EQUALS
  – Likelihood of vulnerability occurrence
  – TIMES value (or impact)
  – MINUS percentage risk already controlled
  – PLUS an element of uncertainty

Identify Possible Controls
• For each threat and associated vulnerabilities that have residual risk, create preliminary list of control ideas
• Residual risk is risk that remains to information asset even after existing control has been applied
• There are three general categories of controls:
  – Policies
  – Programs
  – Technologies

• Control approach that attempts to shift risk to other assets, processes, or organizations
• If lacking, organization should hire individuals/firms that provide security management and administration expertise
• Organization may then transfer risk associated with management of complex systems to another organization experienced in dealing with those risks

Mitigate
• Attempts to reduce impact of vulnerability exploitation through planning and preparation
• Approach includes three types of plans
  – Incident response plan (IRP): defines the actions to take while incident is in progress
  – Disaster recovery plan (DRP): most common mitigation procedure
  – Business continuity plan (BCP): encompasses continuation of business activities if catastrophic event occurs

Accept
• Doing nothing to protect a vulnerability and accepting the outcome of its exploitation
• Valid only when the particular function, service, information, or asset does not justify cost of protection

Terminate
• Directs the organization to avoid those business activities that introduce uncontrollable risks
• May seek an alternate mechanism to meet customer needs

Selecting a Risk Control Strategy
• Level of threat and value of asset play major role in selection of strategy
• Rules of thumb on strategy selection can be applied:
  – When a vulnerability exists
  – When a vulnerability can be exploited
  – When attacker’s cost is less than potential gain
  – When potential loss is substantial
  – CBA most easily calculated using ALE from earlier assessments, before implementation of proposed control:
    • CBA = ALE(prior) - ALE(post) - ACS
  – ALE(prior) is annualized loss expectancy of risk before implementation of control
  – ALE(post) is estimated ALE based on control being in place for a period of time
  – ACS is the annualized cost of the safeguard

Evaluation, Assessment, and Maintenance of Risk Controls
• Selection and implementation of control strategy is not end of process
• Strategy and accompanying controls must be monitored/reevaluated on ongoing basis to determine effectiveness and to calculate more accurately the estimated residual risk
• Process continues as long as organization continues to function
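A worked calculation of the two formulas in these notes (the relative risk rating and CBA = ALE(prior) - ALE(post) - ACS), added here as an example and not part of the reviewer notes; the asset names, values, likelihoods, ALE figures and control names are constructed sample data, and the "percentage controlled" and "uncertainty" terms are applied to the likelihood x value product.

```python
# Added example (not from the reviewer notes): relative risk rating and
# cost-benefit analysis (CBA) using the formulas stated above.
# Percentages are applied to the likelihood x value product, and all
# asset values, likelihoods and costs below are constructed sample data.
from dataclasses import dataclass


@dataclass
class VulnRating:
    asset: str
    vulnerability: str
    value: float        # relative asset value (e.g. 0-100)
    likelihood: float   # probability of occurrence, 0.0-1.0
    controlled: float   # fraction of risk already controlled, 0.0-1.0
    uncertainty: float  # fraction added for uncertainty of the estimate


def relative_risk(r: VulnRating) -> float:
    """Risk = likelihood x value - % already controlled + uncertainty."""
    base = r.likelihood * r.value
    return base - base * r.controlled + base * r.uncertainty


def rank_by_risk(ratings):
    """Return ratings ordered from highest to lowest relative risk."""
    return sorted(ratings, key=relative_risk, reverse=True)


def cba(ale_prior: float, ale_post: float, acs: float) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS; positive means the control pays."""
    return ale_prior - ale_post - acs


def worthwhile_controls(candidates):
    """Keep only controls whose CBA is positive, best first.
    candidates: list of (name, ale_prior, ale_post, acs)."""
    scored = [(n, cba(p, q, c)) for n, p, q, c in candidates]
    return sorted([s for s in scored if s[1] > 0], key=lambda s: s[1], reverse=True)


# Constructed sample data: asset worth 50, vulnerability certain to occur,
# no current controls, 10% uncertainty -> 50 - 0 + 5 = 55
SAMPLE_RATINGS = [
    VulnRating("Customer DB", "unpatched DBMS", 50, 1.0, 0.0, 0.10),       # 55.0
    VulnRating("Customer DB", "weak admin password", 50, 0.5, 0.5, 0.10),  # 15.0
    VulnRating("Web server", "DoS exposure", 30, 0.8, 0.25, 0.20),         # 22.8
]
SAMPLE_CONTROLS = [
    ("patch management", 20000.0, 4000.0, 5000.0),   # CBA = 11000 (keep)
    ("new WAF appliance", 8000.0, 6000.0, 9000.0),   # CBA = -7000 (reject)
]
```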
Introduction
• Creation of information security program begins with
creation and/or review of an organization’s
information security policies, standards, and practices
• Then, selection or creation of information security
architecture and the development and use of a
detailed information security blueprint creates a plan
for future success
• Without policy, blueprints, and planning, an
organization is unable to meet information security
needs of various communities of interest
Documenting Results
Information Security Planning and Governance
• Planning levels
• Planning and the CISO
• Information Security Governance
  – Governance:
    • Set of responsibilities and practices exercised by the board and executive management
    • Goal to provide strategic direction, ensuring that objectives are achieved
    • Ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly
• Information Security Governance outcomes
  – Five goals
    • Strategic alignment
    • Risk management
    • Resource management
    • Performance measures
    • Value delivery
• Governance framework

Information Security Policy, Standards, and Practices
• Communities of interest must consider policies as the basis for all information security efforts
• Policies direct how issues should be addressed and technologies used
• Policies should never contradict law
• Security policies are the least expensive controls to execute but most difficult to implement properly
• Shaping policy is difficult

Definitions
• Policy: course of action used by organization to convey instructions from management to those who perform duties
• Policies are organizational laws
• Standards: more detailed statements of what must be done to comply with policy
• Practices, procedures, and guidelines effectively explain how to comply with policy
• For a policy to be effective, it must be properly disseminated, read, understood, and agreed to by all members of organization and uniformly enforced

Standard in IS
• ISO/IEC 27001 is used worldwide as a yardstick to indicate effective information security management. It is the only generally recognized certification standard for information and cyber security.

Enterprise Information Security Policy (EISP)
• Sets strategic direction, scope, and tone for all security efforts within the organization
• Executive-level document, usually drafted by or with CIO of the organization
• Typically addresses compliance in two areas
  – Ensure meeting requirements to establish program and responsibilities assigned therein to various organizational components
  – Use of specified penalties and disciplinary action
• EISP elements

EISP Elements
• An overview of the corporate philosophy on security
• Information on the structure of the information security organization and individuals who fulfill the information security role
• Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)
• Fully articulated responsibilities for security that are unique to each role within the organization

Organizational Specific Policy
• Every organization should have an organizational (or master) security policy. This policy is a strategic plan that presents the value of security to the organization and discusses the importance of security in all of the various activities within the organization. Features of an organizational security policy include defining roles, audit requirements, enforcement procedures, compliance requirements, and acceptable risk levels.

Issue Specific Security Policy
• An issue-specific security policy focuses on a function or service within the organization that has distinct security requirements. Examples of issue-specific policies include an email policy, a media disposal policy, or a physical security policy.

System Specific Security Policy
• A system-specific security policy is concerned with specific systems or types of system. It describes hardware and software approved for that system and how that system is to be protected.

Issue-Specific Security Policy (ISSP)
• The ISSP:
  – Addresses specific areas of technology
  – Requires frequent updates
  – Contains statement on organization’s position on specific issue
• Three approaches when creating and managing ISSPs:
  – Create a number of independent ISSP documents
  – Create a single comprehensive ISSP document
  – Create a modular ISSP document
• Components of the policy
  – Statement of Policy
  – Authorized Access and Usage of Equipment
  – Prohibited Use of Equipment
  – Systems Management
  – Violations of Policy
  – Policy Review and Modification
  – Limitations of Liability

Systems-Specific Policy (SysSP)
• SysSPs frequently function as standards and procedures used when configuring or maintaining systems
• Systems-specific policies fall into two groups
  – Managerial guidance
  – Technical specifications
• ACLs can restrict access for a particular user, computer, time, duration—even a particular file
• Configuration rule policies
• Combination SysSPs

  – SP 800-14, Generally Accepted Principles and Practices for Securing IT Systems
  – SP 800-18, The Guide for Developing Security Plans for IT Systems
  – SP 800-26, Security Self-Assessment Guide for Information Technology Systems
  – SP 800-30, Risk Management Guide for Information Technology Systems

NIST Special Publication 800-14
• Security supports mission of organization; is an integral element of sound management
• Security should be cost effective; owners have security responsibilities outside their own organizations
• Security responsibilities and accountability should be made explicit; security requires a comprehensive and integrated approach
• Security should be periodically reassessed; security is constrained by societal factors
• 33 principles for securing systems