Info - Security U2 Ch.4 Planning For Security
18CSE532
Unit2 chapter 4
Planning for Security
Motivating example
• One office was destroyed by a major fire. Charlie, the senior manager of the server administration team, will next have to make changes to the company's contingency plans.
• The offices were gone; all the computer systems, servers, and desktops were melted slag, and Charlie would have to try to rebuild without the resources he needed. At least he had good backups, or so he hoped. The backups, network design diagrams, and contact details had almost been lost along with everything else.
Introduction
• An organization’s information security effort succeeds only when it
operates in conjunction with the organization’s information security
policy.
• An information security program begins with policy, standards, and
practices, which are the foundations for the information security
architecture and blueprint.
• The creation and maintenance of these elements require
coordinated planning.
• The role of planning in modern organizations is hard to
overemphasize.
• All organizations have some planning: strategic planning to manage
the allocation of resources and contingency planning to prepare for
the uncertainties of the business environment.
Information Security Planning and
Governance: main terms
• Goals: Sometimes used synonymously with objectives; the
desired end of a planning cycle.
• Objectives: Sometimes used synonymously with goals; the
intermediate states obtained to achieve progress toward a
goal or goals.
• strategic plan: The documented product of strategic planning;
a plan for the organization’s intended strategic efforts over the
next several years.
• strategic planning: The process of defining and specifying the
long-term direction (strategy) to be taken by an organization,
and the allocation and acquisition of resources needed to
pursue this effort.
Strategic planning
• Strategic planning sets the long-term direction to be taken by the
organization and each of its component parts. Strategic planning
should guide organizational efforts and focus resources towards
specific, clearly defined goals.
• After an organization develops a general strategy, it generates an
overall strategic plan by extending that general strategy into plans
for major divisions.
• Each level of each division then translates those plan objectives
into more specific objectives for the level below.
• To execute this broad strategy, the executive team must first define
individual responsibilities. (The executive team is sometimes called
the organization’s C-level, as in CEO, COO, CFO, CIO, and so on.)
Planning Levels: basics
Once the organization’s overall strategic plan is translated into strategic plans for
each major division or operation, the next step is to translate these plans into tactical
objectives that move toward reaching specific, measurable, achievable, and time-
bound accomplishments.
The process of strategic planning seeks to transform broad, general, sweeping
statements into more specific and applied objectives. Strategic plans are used to
create tactical plans, which in turn are used to develop operational plans.
Tactical planning
• This focuses on short-term undertakings that will be completed within
one or two years.
• The process breaks each strategic goal into a series of incremental
objectives. Each objective in a tactical plan should be specific and should
have a delivery date within a year of the plan’s start.
• Budgeting, resource allocation, and personnel are critical components of
the tactical plan.
• Tactical plans often include project plans and resource acquisition
planning documents (such as product specifications), project budgets,
project reviews, and monthly and annual reports.
• The chief information security officer (CISO) and security managers use
the tactical plan to organize, prioritize, and acquire resources necessary
for major projects and to provide support for the overall strategic plan.
• Note: strategic plan -> tactical plan -> operational plan
Operational planning
• Operational planning is derived from tactical planning.
• An operational plan includes the necessary tasks for all relevant
departments as well as communication and reporting requirements,
which might include weekly meetings, progress reports, and other
associated tasks.
• Managers and employees use operational planning to organize the
ongoing, day-to-day performance of tasks.
• These plans must reflect the organizational structure, with each
subunit, department, or project team conducting its own operational
planning and reporting.
• Frequent communication and feedback from the teams to the project
managers and/or team leaders, and then up to the various
management levels, will make the planning process more
manageable and successful.
Planning and the CISO
• The first priority of the CISO (chief information security officer) and
the information security management team is the creation of a
strategic plan to accomplish the organization’s information security
objectives.
• The fundamental elements of planning share characteristics across
all types of enterprises.
• The plan is an evolving statement of how the CISO and various
elements of the organization will implement the objectives of the
information security charter, which is expressed in the enterprise
information security policy (EISP).
• Directed strategy flows from top to bottom, & a systematic
approach is required to translate it into a program that can inform
and lead all members of the organization.
• Strategic plans formed at the highest levels of the organization are
used to create an overall corporate strategy.
Planning & the CISO..
• Moving down the organizational hierarchy, the plans from higher levels are evolved into more detailed, more concrete planning.
• Higher-level plans are translated into more specific plans for intermediate layers of management. That layer of strategic planning by function (such as financial, IT, and operations strategies) is then converted into tactical planning for supervisory managers and eventually provides direction for the operational plans undertaken by non-management members of the organization.
• This multi-layered approach accomplishes two things: first, general strategy is translated into specific strategy; second, overall strategic planning is translated into lower-level tactical and operational planning.
• The information security group must understand and support the strategic plans of all business units.
Information Security Governance
• Corporate governance: Executive management’s responsibility
to provide strategic direction, ensure the accomplishment of
objectives, oversee that risks are appropriately managed, and
validate responsible resource use.
• Governance: “The set of responsibilities and practices exercised
by the board and executive management with the goal of
providing strategic direction, ensuring that objectives are
achieved, ascertaining that risks are managed appropriately and
verifying that the enterprise’s resources are used responsibly.”
• Information security governance: The application of the
principles of corporate governance to the information security
function.
Governance
Governance..
• The governance of information security is a strategic planning responsibility
whose importance has grown in recent years.
• To secure information assets, management must integrate information
security practices into the fabric of the organization, expanding corporate
governance policies and controls to encompass the objectives of the
information security process.
• Information security objectives must be addressed at the highest levels of an
organization’s management team in order to be effective and sustainable.
• A broader view of information security encompasses all of an organization’s
information assets, including the knowledge managed by those IT assets.
• According to the Information Technology Governance Institute (ITGI),
information security governance includes all of the accountabilities and
methods undertaken by the board of directors and executive management.
Information security governance provides..
• Strategic direction
• Establishment of objectives
• Measurement of progress toward those
objectives
• Verification that risk management practices
are appropriate
• Validation that the organization’s assets are
used properly
Responsibilities of various people within an
organization for information security governance
The five goals of information security
governance
Effective communication among stakeholders is critical to the structures
and processes used in governance at every level, especially in information
security governance. This requires the development of constructive relationships, a
common language, and a commitment to the objectives of the organization. Five goals are as
below.
Information Security Policy, Standards, and
Practices
Policy as the Foundation for Planning: main
terms
Policies
• Policies function like laws in an organization because they dictate
acceptable and unacceptable behavior there, as well as the penalties for
failure to comply.
• Like laws, policies define what is right and wrong, the penalties for
violating policy, and the appeal process.
• Standards, on the other hand, are more detailed statements of what
must be done to comply with policy. They have the same requirements
for compliance as policies.
• Standards may be informal or part of an organizational culture, as in de
facto standards. Or, standards may be published, scrutinized, and
ratified by a group, as formal or de jure standards.
• Practices, procedures, and guidelines effectively explain how to comply
with policy.
• Figure next shows the relationships among policies, standards,
guidelines, procedures, and practices.
Relation between Policies, standards, guidelines, and procedures
Policy & Practice Relation ..
Guidelines
• Guidelines provide examples and recommendations to assist users in
complying with the new policy. For example, to create strong yet
easy-to-remember passwords, consider the following recommendations from
NIST SP 800-118: Guide to Enterprise Password Management (Draft), April 2009:
– Mnemonic Method. A user selects a phrase and extracts a letter
of each word in the phrase (such as the first letter or second
letter of each word), adding numbers or special characters or
both.
– Example: “May the force be with you always, young Jedi”
becomes Mtfbwya-yJ
• Caveat: SP 800-118 remained a draft and has since been withdrawn, and
current NIST guidance (SP 800-63B) no longer recommends composition rules
of this kind; it favors length, screening candidate passwords against
lists of known-compromised passwords, and the use of password managers.
The methods are kept here as an illustration of what a guideline looks like.
Policy, practice ..
• Altered Passphrases. A user selects a phrase and alters it to form a
derivation of that phrase. This method supports the creation of long,
complex passwords.
• Passphrases can be easy to remember due to the structure of the
password: it is usually easier for the human mind to comprehend and
remember phrases within a coherent structure than a string of random
letters, numbers, and special characters.
• Example: Never Give Up! Never Surrender! becomes Nv.G.Up!-Nv.Surr!
• Combining and Altering Words. A user can combine two or three
unrelated words and change some of the letters to numbers or special
characters.
• Example: Jedi Tribble becomes J3d13bbl
• Finally, procedures are step-by-step instructions for accomplishing the
task specified in the policy.
Relation.. procedures
Procedures: To change your log-in password on our system, perform the following steps:
1) Log in using your current (old) password.
2) On your organizational portal home page, click the [Tools] Menu option.
3) Select [Change Password].
4) Enter your old password in the first field and your new password in the second. The
system will ask you to confirm your new password to prevent you from mistyping it.
5) The system will then report that your password has been updated, and ask you to log
out and log back in with your new password.
Do not write your new password down. If you own a smartphone, you may request that
your department purchase an approved password management application like eWallet
for storing passwords.
As stated earlier, many organizations combine their policy and standards in the same
document, and then provide directions or a Web link to a page with guidelines and
procedures.
Meaning of Security policy
• The meaning of the term security policy depends on
the context in which it is used.
• Governmental agencies view security policy in terms
of national security and national policies to deal with
foreign states.
• A security policy can also communicate a credit card
agency’s method for processing credit card numbers.
• In general, a security policy is a set of rules that
protects an organization’s assets.
• An information security policy provides rules for
protection of the organization’s information assets.
Three types of Security policy
Management must define three types of
security policy, according to Special Publication
(SP) 800-14 of the National Institute of
Standards and Technology (NIST):
1. Enterprise information security policies (EISP)
2. Issue-specific security policies
3. Systems-specific security policies
Criteria for a policy to be effective and
legally enforceable
• Dissemination (distribution): The organization must be able to demonstrate that the policy
has been made readily available for review by the employee. Common dissemination
techniques include hard copy and electronic distribution.
• Review (reading): The organization must be able to demonstrate that it disseminated the
document in an intelligible form, including versions for employees who are illiterate, reading-
impaired, and unable to read English. Common techniques include
recording the policy in English and other languages.
• Comprehension (understanding): The organization must be able to demonstrate that
the employee understands the requirements and content of the policy. Common techniques
include quizzes and other assessments.
• Compliance (agreement): The organization must be able to demonstrate that the employee
agrees to comply with the policy through act or affirmation. Common techniques include logon
banners, which require a specific action (mouse click or keystroke) to acknowledge agreement,
or a signed document clearly indicating the employee has read, understood, and agreed to
comply with the policy.
• Uniform enforcement (fairness in application): The organization must be able to demonstrate
that the policy has been uniformly enforced, regardless of employee status or assignment.
Enterprise Information Security Policy (EISP)
• This is the high-level information security policy that sets
the strategic direction, scope, and tone for an
organization’s security efforts. An EISP is also known as a
security program policy, general security policy, IT security
policy, high-level InfoSec policy, or simply an InfoSec
policy.
• The EISP is an executive-level document, usually drafted
by or in cooperation with the organization’s CIO. This
policy is usually 2 to 10 pages long and shapes the
philosophy of security in the IT environment.
• The EISP usually needs to be modified only when there is
a change in the strategic direction of the organization.
About EISP
• The EISP guides the development, implementation, and
management of the security program.
• It sets out the requirements for the information security blueprint.
• It defines the purpose, scope, constraints, and applicability of the
security program. It also assigns responsibilities for the various
areas of security, including systems administration, maintenance of
the information security policies, and the practices &
responsibilities of users.
• Finally, it addresses legal compliance.
• According to NIST, the EISP addresses compliance in two areas:
1. General compliance to ensure that an organization meets the requirements for
establishing a program and assigning responsibilities therein to various
organizational components
2. The use of specified penalties and disciplinary action
• The EISP guides the CISO in structuring the security team and in making
changes to the information security program.
EISP Elements (basic)
Most EISP documents should include the following elements:
• An overview of the corporate philosophy on security
• Information on the structure of the information security
organization and people who fulfill the information security
role
• Fully articulated responsibilities for security that are shared
by all members of the organization (employees,
contractors, consultants, partners, and visitors)
• Fully articulated responsibilities for security that are unique
to each role within the organization
Components of Good EISP
Issue-Specific Security Policy (ISSP)
• An ISSP is an organizational policy that provides detailed, targeted
guidance on the proper use of a resource, such as one of the organization's
processes or technologies, to all members of the organization.
• An ISSP:
(1) addresses specific areas of technology (listed next),
(2) requires frequent updates, and
(3) contains a statement about the organization’s position on a
specific issue.
Technology areas of ISSP (Issue specific security policy)
Approaches to create and manage ISSP
1. Independent ISSP documents, each tailored
to a specific issue
2. A single comprehensive ISSP document that
covers all issues
3. A modular ISSP document that unifies policy
creation and administration while maintaining
each specific issue’s requirements
1. The independent ISSP document typically has a scattershot effect.
Each department responsible for a particular application of technology
creates a policy governing its use, management, and control. This approach
may fail to cover all of the necessary issues and can lead to poor policy
distribution, management, and enforcement.
ISSP..
2. The single comprehensive ISSP is centrally managed and controlled. With formal
procedures for the management of ISSPs in place, the comprehensive policy
approach establishes guidelines for overall coverage of necessary issues and clearly
identifies processes for the dissemination, enforcement, and review of these
guidelines.
• Usually, these policies are developed by the people responsible for managing
the information technology resources. These policies tend to overgeneralize the
issues and skip vulnerabilities.
3. Modular method: It provides the optimal balance between the independent and
comprehensive ISSP.
• It is also centrally managed and controlled, but it is tailored to individual
technology issues.
• The modular approach provides a balance between issue orientation and policy
management. The policies created with this approach comprise individual
modules, each created and updated by people responsible for the issues
addressed. These people report to a central policy administration group that
incorporates specific issues into an overall comprehensive policy.
ISSP Components discussed..
1. Statement of Policy: The policy should begin with a clear statement of purpose (what it is
meant to accomplish). Consider a policy that covers the issue of fair and responsible Internet use.
The introductory section of this policy should address these questions:
What is the scope of this policy? Who is responsible and accountable for policy implementation? What
technologies and issues does it address?
2. Authorized Access and Usage of Equipment: This section of the policy statement
addresses who can use the technology governed by the policy, and what it can be used
for. An organization’s information systems are its exclusive property; users have no
particular rights of use. Each technology and process is provided for business operations.
Use for any other purpose constitutes misuse of equipment. This section defines “fair
and responsible use” of equipment and other organizational assets and should address
key legal issues, such as protection of personal information and privacy.
3. Prohibited Use of Equipment: Unless a particular use is clearly prohibited, the
organization cannot penalize its employees for misuse. Examples of uses that can be
prohibited are personal use, disruptive use or misuse, criminal use, offensive or harassing
materials, and infringement of copyrighted, licensed, or other intellectual property. As an
alternative approach, categories 2 and 3 above can be collapsed into a single category
called “Appropriate Use.” Many organizations use such an ISSP section to cover both
categories.
ISSP components…
• Systems Management: The systems management
section of the ISSP policy statement focuses on the users’
relationship to systems management. Specific rules from
management include regulating the use of e-mail, the
storage of materials, the authorized monitoring of
employees, and the physical and electronic scrutiny of e-
mail and other electronic documents.
• It is important that all such responsibilities are assigned
either to the systems administrator or the users;
otherwise, both parties may infer that the responsibility
belongs to the other.
ISSP Components..
• Violations of Policy : The people to whom the policy applies must
understand the penalties and repercussions of violating it.
Violations of policy should carry penalties that are appropriate—
neither draconian nor overly lenient.
• This section of the policy statement should contain specific
penalties for each category of violation; and instructions for how
people in the organization can report observed or suspected
violations.
• Many people think that powerful employees in an organization
can retaliate against someone who reports violations. Allowing
anonymous submissions is often the only way to convince users to
report the unauthorized activities of more influential employees.
ISSP components..
• Policy Review and Modification: Because any document is only useful if it is up
to date, each policy should contain procedures and a timetable for periodic
review. As the organization’s needs and technologies change, so must the
policies that govern their use.
• This section should specify a methodology for reviewing and modifying the
policy to ensure that users do not begin circumventing it as it grows obsolete.
• Limitations of Liability : If an employee is caught conducting illegal activities
with the organization’s equipment or assets, management does not want the
organization held liable.
• The policy should state that if employees violate a company policy or any law
using company technologies, the company will not protect them, and the
company is not liable for their actions. In fact, many organizations assist in the
prosecution of employees who violate laws when their actions violate policies.
It is assumed that such violations occur without knowledge or authorization by
the organization.
• ISSPs are formalized as written documents readily identifiable as policy.
Systems-Specific Security Policy (SysSP):
main terms
SysSPs
• SysSPs function as standards or procedures to be
used when configuring or maintaining systems.
• For example, a SysSP might describe the
configuration and operation of a network firewall.
• This document could include a statement of
managerial intent; guidance to network engineers
on the selection, configuration, operation of
firewalls; and an access control list that defines
levels of access for each authorized user.
SysSPs
• SysSPs can be separated into two groups:
The level of detail in ACL, access control list
Microsoft Windows use of ACLs
ACL access
• The who of ACL access may be determined by a person’s identity or
membership in a group. Restricting what authorized users are
permitted to access—whether by type (printers, files, communication
devices, or applications), name, or location—is achieved by adjusting
the resource privileges for a person or group to Read, Write, Create,
Modify, Delete, Compare, or Copy. To control when access is allowed,
some organizations implement time-of-day and day-of-week
restrictions for certain network or system resources.
• To control where resources can be accessed, many network-connected assets
block remote usage and have some levels of access that are restricted to
locally connected users, such as restrictions by computer MAC address or
network IP address. Because MAC and IP addresses are easily spoofed, such
restrictions are a defense-in-depth measure that complements, but does not
replace, authentication of the user.
• When these various ACL options are applied concurrently, the
organization can govern how its resources can be used.
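The following is an added example, not part of the lecture, showing how the four ACL dimensions just described (who, what, when, where) combine into a single access decision. It is a small evaluator written for this page; the users, groups, resource names and network addresses in it are constructed for illustration. It also shows the two rules practitioners usually want from an ACL engine: default deny when nothing matches, and an explicit deny entry overriding a broader allow.

```python
"""Added example (not from the lecture): a minimal access-control-list
evaluator that combines the four dimensions described above: who
(user or group), what (resource and privilege), when (time of day and
day of week) and where (source IP network). All users, groups, resources
and addresses below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

PRIVILEGES = {"read", "write", "create", "modify", "delete", "compare", "copy"}


@dataclass(frozen=True)
class AclEntry:
    principal: str                  # "user:<name>" or "group:<name>"
    resource: str                   # e.g. "file:/finance/ledger.xlsx"
    privileges: frozenset           # subset of PRIVILEGES
    allow: bool = True              # False = explicit deny (takes precedence)
    start: time = time(0, 0)        # when: earliest permitted time of day
    end: time = time(23, 59, 59)    # when: latest permitted time of day
    weekdays: frozenset = frozenset(range(7))   # 0 = Monday ... 6 = Sunday
    networks: tuple = ("0.0.0.0/0",)            # where: permitted source networks


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    resource: str
    privilege: str
    when: datetime
    source_ip: str


def _who_matches(entry, req):
    kind, _, name = entry.principal.partition(":")
    return (kind == "user" and name == req.user) or \
           (kind == "group" and name in req.groups)


def _when_matches(entry, req):
    return (entry.start <= req.when.time() <= entry.end
            and req.when.weekday() in entry.weekdays)


def _where_matches(entry, req):
    ip = ip_address(req.source_ip)
    return any(ip in ip_network(net) for net in entry.networks)


def evaluate(acl, req):
    """Default deny. An explicit deny entry that matches wins over any allow,
    so a narrow deny can carve an exception out of a broad group allow."""
    if req.privilege not in PRIVILEGES:
        raise ValueError(f"unknown privilege: {req.privilege!r}")
    allowed = False
    for entry in acl:
        if entry.resource != req.resource or req.privilege not in entry.privileges:
            continue   # 'what' does not match
        if not (_who_matches(entry, req) and _when_matches(entry, req)
                and _where_matches(entry, req)):
            continue
        if not entry.allow:
            return False
        allowed = True
    return allowed


LEDGER = "file:/finance/ledger.xlsx"
BUSINESS_HOURS = dict(start=time(8, 0), end=time(18, 0), weekdays=frozenset(range(5)))

# Constructed sample ACL: finance may read/write/delete the ledger from the
# corporate network during business hours; bob (a finance member) is explicitly
# denied delete; contractors may only read, and only from the VPN pool.
SAMPLE_ACL = (
    AclEntry("group:finance", LEDGER, frozenset({"read", "write", "delete"}),
             networks=("10.0.0.0/8",), **BUSINESS_HOURS),
    AclEntry("user:bob", LEDGER, frozenset({"delete"}), allow=False),
    AclEntry("group:contractors", LEDGER, frozenset({"read"}),
             networks=("192.0.2.0/24",), **BUSINESS_HOURS),
)


def run_demo(acl=SAMPLE_ACL):
    """Evaluate a few constructed requests and return the decisions."""
    finance = frozenset({"finance"})
    contractors = frozenset({"contractors"})
    tue_10 = datetime(2024, 1, 9, 10, 0)    # Tuesday, inside business hours
    sat_10 = datetime(2024, 1, 13, 10, 0)   # Saturday
    return {
        "alice_read_office": evaluate(acl, Request("alice", finance, LEDGER, "read", tue_10, "10.1.2.3")),
        "alice_read_weekend": evaluate(acl, Request("alice", finance, LEDGER, "read", sat_10, "10.1.2.3")),
        "alice_read_internet": evaluate(acl, Request("alice", finance, LEDGER, "read", tue_10, "203.0.113.5")),
        "bob_delete": evaluate(acl, Request("bob", finance, LEDGER, "delete", tue_10, "10.1.2.3")),
        "carol_contractor_write": evaluate(acl, Request("carol", contractors, LEDGER, "write", tue_10, "192.0.2.7")),
        "carol_contractor_read": evaluate(acl, Request("carol", contractors, LEDGER, "read", tue_10, "192.0.2.7")),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:24s} -> {'ALLOW' if decision else 'DENY'}")
```

Note the order of checks: the "what" test is cheapest and runs first, the "where" test parses addresses last, and a matching deny returns immediately so no later allow can override it. A real system additionally logs every denied request; that is left out here to keep the decision logic visible.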
Configuration Rule Policies
• Configuration rules (or policies) govern how a security system
reacts to the data it receives.
• Rule-based policies are more specific to the operation of a system
than ACLs, and they may or may not deal with users directly.
• Many security systems—for example, firewalls, intrusion
detection and prevention systems (IDPSs), and proxy servers—use
specific configuration scripts that represent the configuration rule
policy to determine how the system handles each data element
they process.
• The examples in Figures next show how network security policy
has been implemented by a Check Point firewall’s rule set and by
Ionx Verisys (File Integrity Monitoring) in a host-based IDPS rule
set.
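As an added example (not from the lecture, and not Check Point's own rule format), the block below models the kind of firewall rule set just described: rules are evaluated top to bottom, the first match decides, and anything that matches nothing falls through to an implicit "cleanup" drop. It also shows the most common configuration-rule mistake, a specific rule placed after a more general one that already covers it (a shadowed rule), and a check that detects it. Addresses, services and rule numbers are constructed for illustration.

```python
"""Added example (not from the lecture or from Check Point): a toy
first-match firewall rule base with an implicit cleanup drop and a
shadowed-rule check. Addresses, services and rule numbers are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    no: int
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    service: str    # "<proto>/<port>" or "any"
    action: str     # "accept" or "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


def _net(spec):
    return ip_network("0.0.0.0/0" if spec == "any" else spec)


def _service_matches(service, pkt):
    if service == "any":
        return True
    proto, _, port = service.partition("/")
    return proto == pkt.proto and int(port) == pkt.dport


def matches(rule, pkt):
    return (ip_address(pkt.src) in _net(rule.src)
            and ip_address(pkt.dst) in _net(rule.dst)
            and _service_matches(rule.service, pkt))


def decide(rules, pkt):
    """First matching rule wins. If nothing matches, the implicit cleanup
    rule drops the packet (reported with rule number None)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.no
    return "drop", None


def shadowed_rules(rules):
    """Return (rule, shadowing_rule) pairs: a rule is shadowed when an earlier
    rule matches everything it matches, so it can never fire."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if (_net(rule.src).subnet_of(_net(earlier.src))
                    and _net(rule.dst).subnet_of(_net(earlier.dst))
                    and earlier.service in ("any", rule.service)):
                found.append((rule.no, earlier.no))
                break
    return found


WEB = "10.0.0.10"
# Constructed rule base with an ordering mistake: rule 3 is meant to block the
# guest subnet from the web server, but rule 1 already accepts all HTTPS to it.
MISORDERED = (
    Rule(1, "any", f"{WEB}/32", "tcp/443", "accept"),
    Rule(2, "10.0.0.0/8", "any", "tcp/22", "accept"),
    Rule(3, "10.200.0.0/16", f"{WEB}/32", "tcp/443", "drop"),
)
# Corrected rule base: the specific drop is placed before the general accept.
CORRECTED = (MISORDERED[2], MISORDERED[0], MISORDERED[1])


def run_demo():
    guest_https = Packet("10.200.4.4", WEB, "tcp", 443)
    internet_https = Packet("203.0.113.9", WEB, "tcp", 443)
    internet_ssh = Packet("203.0.113.9", WEB, "tcp", 22)
    return {
        "misordered_guest": decide(MISORDERED, guest_https),
        "misordered_shadowed": shadowed_rules(MISORDERED),
        "corrected_guest": decide(CORRECTED, guest_https),
        "corrected_shadowed": shadowed_rules(CORRECTED),
        "internet_https": decide(CORRECTED, internet_https),
        "internet_ssh": decide(CORRECTED, internet_ssh),   # falls to cleanup rule
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:22s} -> {result}")
```

The shadow check is deliberately conservative: it only reports a rule when an earlier rule's source, destination and service all contain it, which is exactly the case where the later rule can never be reached. Running such a check whenever the rule base changes is a cheap way to catch the policy drift that the review section later in this chapter warns about.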
Check Point VPN-1/Firewall-1 Policy Editor
Ionx Verisys (File Integrity Monitoring) use of rules
https://www.ionx.co.uk/static/verisys/user-guide/
Combination SysSPs
• Many organizations create a single document that combines the
managerial guidance SysSP and the technical specifications SysSP.
• While this document can be somewhat confusing to casual users, it
is practical to have the guidance from managerial and technical
perspectives in a single place.
• If this approach is used, care should be taken to clearly articulate
the required actions. Some might consider this type of policy
document a procedure, but it is actually a hybrid that combines
policy with procedural guidance to assist implementers of the
system being managed.
• This approach is best used by organizations that have multiple
technical control systems of different types, and by smaller
organizations that want to document policy and procedure in a
compact format.
Policy management
• policy administrator: An employee responsible for the creation,
revision, distribution, and storage of a policy in an organization.
• sunset clause: A component of policy or law that defines an
expected end date for its applicability.
• Policies are living documents that must be managed. It is
unacceptable to create such an important set of documents and
then shelve them.
• These documents must be properly distributed, read,
understood, agreed to, uniformly applied, and managed.
• How they are managed should be specified in the policy
management section of the issue-specific policy described
earlier.
Good management practices
• Good management practices for policy development and maintenance make
for a more resilient organization.
• For example, all policies, including security policies, undergo tremendous
stress when corporate mergers and divestitures occur.
• In such situations, employees are faced with uncertainty and many
distractions. System vulnerabilities can arise, for instance, if incongruent
security policies are implemented in different parts of a newly merged
organization.
• When two companies merge but retain separate policies, the difficulty of
implementing security controls increases. Likewise, when one company with
unified policies splits in two, each new company may require different
policies.
• To remain viable, security policies must have a responsible manager, a
schedule of reviews, a method for making recommendations for reviews, and
a policy issuance and revision date.
Schedule of reviews
• Policies can only retain their effectiveness in a changing
environment if they are periodically reviewed for currency and
accuracy and then modified accordingly.
• Policies that are not kept current can become liabilities as outdated
rules are enforced (or not) and new requirements are ignored. To
demonstrate due diligence, an organization must actively seek to
meet the requirements of the market in which it operates.
• This applies to government, academic, and nonprofit organizations
as well as private, for-profit organizations. A properly organized
schedule of reviews should be defined and published as part of the
document.
• Typically, a policy should be reviewed at least annually to ensure
that it is still an effective control.
Automated Policy management
• Automated policy management is a category of software for the
management of information security policies.
• This type of software was developed in response to the needs
of information security practitioners.
• Software now can automate some of the busywork of policy
management. Automation can streamline the repetitive steps
of writing policy, tracking the workflow of policy approvals,
publishing policy once it is written and approved, and tracking
when employees have read the policy.
• Using techniques from computer-based training and testing,
an organization can train staff members and improve its
awareness program.
Quotes from VigilEnt Policy Center’s user’s guide
from NetIQ Corporation
• Effective security policies are the cornerstone of any security effort. This effort includes writing
policies, as well as communicating them to everyone who has access to and uses company
information.
• Once you communicate the policies, you should measure how well the policies are
communicated and understood by each employee. VigilEnt Policy Center (VPC) helps automate
this entire process of security policy management.
• Keeping policies up to date and making sure employees are aware of these changes is a complex
but necessary procedure.
• As businesses grow and expand to include new companies, products, and regions, each with
their own set of policies and standards, information security officers often ask themselves
serious questions.
• VigilEnt Policy Center helps educate employees about current policies and
tests their knowledge through customized policy quizzes.
• You can easily update any existing policy document or create new policies as
technology and regulations change throughout your company’s life.
• Using a company’s intranet, you can instantly send news items and alert users
of sudden events.
• VPC lets you easily distribute policies around the world and verify that your users have received, read, and
understood the current documents.
• VigilEnt Policy Center is the first product to address these issues with a comprehensive security
management solution.
The Information Security Blueprint
Main terms:
• information security blueprint: In information security, a
framework or security model customized to an organization,
including implementation details.
• information security framework: In information security, a
specification of a model to be followed during the design,
selection, and initial and ongoing implementation of all
subsequent security controls, including information security
policies, security education and training programs, and
technological controls; also known as a security model.
• information security model: See information security
framework.
IS Blueprint
• Armed with a general idea of vulnerabilities in the organization’s information
technology systems, the security team develops a design blueprint that is used
to implement the security program.
• This information security blueprint is the basis for the design, selection, and
implementation of all security program elements, including policy
implementation, ongoing policy management, risk management programs,
education and training programs, technological controls, and program
maintenance.
• The security blueprint builds on top of the organization’s information security
policies. It is a detailed implementation of an information security framework.
• The blueprint specifies tasks and the order in which they are to be
accomplished.
• The framework (also known as an information security model) is the
philosophical foundation from which the blueprint is designed, like the style or
methodology in which an architect was trained.
Blueprint..
• To develop an information security blueprint, you should
adapt or adopt a recognized or widely accepted
information security model supported by an established
security organization or agency.
• This exemplar framework can outline steps for designing
and implementing information security in the organization.
• Because each information security environment is unique,
the security team may need to modify or adapt pieces
from several frameworks.
• Experience teaches that what works well for one
organization may not precisely fit another.
The ISO 27000 Series
ISO/IEC 27000 series (2013 editions)
• The ISO/IEC 27000 series is becoming increasingly important in the field,
especially among global organizations. Many certification bodies and
corporate organizations are complying with it or will someday be expected
to comply with it.
• ISO/IEC 27002:2013 gives a broad overview of the various areas of
security. It is organized into 14 security control clauses that cover 35 control
objectives and more than 110 individual controls. Its companion document,
ISO/IEC 27001:2013, specifies the requirements for establishing, implementing,
maintaining, and continually improving an information security management
system (ISMS), using the ISO/IEC 27002 controls as its reference set. ISO/IEC
27001 is written as a requirements standard, so organizations can adopt it to
build an information security program and obtain certification against it.
• ISO/IEC 27001 serves better as an assessment tool than as an implementation
framework. ISO/IEC 27002 is for organizations that want information about
implementing security controls; it is a code of practice, not a standard used for
certification.
(Ref.: ISO 27000 Series Current and Planned Standards, table on page 200.)
ISO/IEC 27001:2013 major process steps
ISO 27000 Series Current and Planned Standards
ISO roadmap..
Identified future standards
NIST security models
(SP: Special Publication)
Some of the significant points of NIST SP 800-14
NIST SP 800-14..
2.7 Security should be periodically reassessed: Information security that is
implemented and then ignored is considered negligent because the organization
has not demonstrated due diligence.
Security is an ongoing process. To be effective against a constantly shifting set of
threats and a changing user base, the security process must be periodically
repeated. Continuous analyses of threats, assets, and controls must be
conducted and new blueprints developed.
Only thorough preparation, design, implementation, vigilance, and ongoing
maintenance can secure the organization’s information assets.
NIST SP 800-18 Rev. 1
Principles for Securing Information Technology Systems
The NIST Cybersecurity Framework (CSF) consists of three fundamental
components:
1) the Framework Core; 2) the Framework Implementation Tiers; 3) the Framework Profile
The Framework core
This is the set of cybersecurity activities an organization is expected to
perform, together with their desired outcomes. These core activities (the
five Functions) are:
• “Identify: Develop the organizational understanding to manage
cybersecurity risk to systems, assets, data, and capabilities.
• Protect: Develop and implement the appropriate safeguards to
ensure delivery of critical infrastructure services.
• Detect: Develop and implement the appropriate activities to identify
the occurrence of a cybersecurity event.
• Respond: Develop and implement the appropriate activities to take
action regarding a detected cybersecurity event.
• Recover: Develop and implement the appropriate activities to
maintain plans for resilience and to restore any capabilities or services
that were impaired due to a cybersecurity event.”
The Framework tiers
The Framework Profile
• Organizations are expected to identify which tier
their security programs most closely match and then
use the corresponding recommendations within the
Framework to improve their programs and prepare a
profile.
• The Framework profile is then used to perform a gap
analysis: comparing the current state of information
security and risk management with a desired (target)
state, identifying the difference, and developing a plan to
move the organization toward the desired state.
The risk management and information security programs by NIST
Design of Security Architecture
Components of Security architecture
1. Spheres of Security
2. Levels of Controls
3. Defense in Depth
4. Security Perimeter
Overview of Security architecture components
Spheres of Security: The spheres of security, shown in the next figure, are
the foundation of the security framework.
• Generally speaking, the spheres of security illustrate how
information is under attack from a variety of sources.
• The sphere of use, on the left side of the figure, illustrates the ways in
which people access information. For example, people read hard
copies of documents and access information through systems.
• Information is at the center of the sphere. Information is always
at risk from attack whenever it is accessible by people or
computer systems. Networks and the Internet are indirect
threats, as exemplified by the fact that a person attempting to
access information from the Internet must first traverse local
networks.
Spheres of Security
The sphere of protection, shown by the shaded bands on the right side, illustrates that a
layer of protection must exist between each layer of the sphere of use.
IR, DR and BC plan: incident response, disaster recovery and business continuity plans
IDPS: intrusion detection and prevention system
Contd..
Example of a layer of protection: "Policy and law" and "Education and training" are
protections placed between people and the information. Controls are also
implemented between systems and the information, between networks and
the computer systems, and between the Internet and internal networks.
This reinforces the concept of defense in depth. A variety of controls can be
used to protect the information. The items of control shown in the figure are
not intended to be comprehensive, but they illustrate some of the
safeguards that can protect the systems closer to the center of the sphere.
Because people can directly access each ring as well as the information at
the core of the model, the side of the sphere of protection that attempts to
control access by relying on people (right side) requires a different approach
to security than the side that uses technology (left side).
The members of the organization must themselves become a safeguard that is
effectively trained, implemented, and maintained, or they too will present a threat to
the information.
Three layers of information security
• Information security is designed and implemented in
three layers: policies, people (education, training,
and awareness programs), and technology.
• These layers are commonly referred to as PPT. Each
layer contains controls and safeguards to protect the
information and information system assets that the
organization values. But before any technical controls
or other safeguards can be implemented, the policies
that define the management philosophies behind the
security process must be in place.
Levels of controls
Defense in depth
Security perimeter
• A security perimeter is the border of security that protects all internal
systems from outside threats, as pictured in the next figure.
• The perimeter does not protect against internal attacks from employee
threats or onsite physical threats.
• In addition, the emergence of mobile computing devices, telecommuting,
and cloud-based functionality has made the definition and defense of the
perimeter increasingly difficult.
• Some security experts therefore declare the security perimeter extinct and
call for an increased focus on improved system-level security and active
policing of networked assets.
• An organization can have both an electronic security perimeter, usually at
the exterior network or Internet connection, and a physical security
perimeter, usually at the entrance to the organization's offices. Both
require perimeter security.
Security perimeter..
• Security perimeters can effectively be implemented as multiple technologies
that segregate the protected information from potential attackers.
• Within security perimeters the organization can establish security domains,
each with differing levels of security, between which traffic must be screened.
• The assumption is that if people have access to one system within a security
domain, they have authorized access to all systems within that domain.
• The security perimeter is an essential element of the overall security
framework, and its implementation details are the core of the completed
security blueprint.
• The key components of the security perimeter are firewalls, DMZs
(demilitarized zones), proxy servers, and IDPSs (intrusion detection and
prevention systems).
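The screening of traffic between security domains described above, as an added example that is not part of the original slides: it models an electronic perimeter with three domains (INTERNET outside the perimeter, a DMZ, and an INTERNAL network), allows traffic that stays inside one domain (the slide's assumption that access to one system in a domain implies access to the rest), and denies any boundary crossing that is not on an explicit allow-list. The address plan, the rules, the flow-log format and the sample records are all constructed for the example.

```python
"""Screening flows between security domains inside a perimeter (added example).

Assumptions (not from the slides): the address plan in ZONES, the allow-list
in ALLOW, and the one-line flow-log format '<src> <dst> <proto> <dport>'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Assumed address plan: anything not in a listed domain is treated as INTERNET.
ZONES = {
    "DMZ": [ipaddress.ip_network("192.0.2.0/24")],
    "INTERNAL": [ipaddress.ip_network("10.0.0.0/8")],
}

# Permitted boundary crossings: (src_zone, dst_zone, proto, dport).
# Deliberately no rule lets INTERNET or DMZ initiate traffic into INTERNAL,
# so a compromised public-facing host cannot pivot inward.
ALLOW = {
    ("INTERNET", "DMZ", "tcp", 443),       # public HTTPS front end
    ("INTERNAL", "DMZ", "tcp", 22),        # admins reach DMZ hosts over SSH
    ("INTERNAL", "INTERNET", "tcp", 443),  # outbound browsing through the proxy
    ("DMZ", "INTERNET", "udp", 53),        # DMZ resolver forwarding
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an IP address to its security domain."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "INTERNET"


def screen(flow: Flow) -> Tuple[str, str]:
    """Return ('allow' or 'deny', reason) for one flow."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "allow", f"intra-domain traffic within {src_zone}"
    if (src_zone, dst_zone, flow.proto, flow.dport) in ALLOW:
        return "allow", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} permitted"
    # Default deny: every boundary crossing must be explicitly listed.
    return "deny", f"{src_zone}->{dst_zone} {flow.proto}/{flow.dport} not in allow-list"


def parse_flow(line: str) -> Flow:
    """Parse the constructed log format '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def audit(lines) -> List[Tuple[Flow, str]]:
    """Screen every record; return the flows that should have been blocked."""
    denied = []
    for line in lines:
        flow = parse_flow(line)
        decision, reason = screen(flow)
        if decision == "deny":
            denied.append((flow, reason))
    return denied


# Constructed flow records (documentation address ranges, not real traffic).
SAMPLE_FLOWS = [
    "203.0.113.7 192.0.2.10 tcp 443",    # client -> DMZ web server: allowed
    "203.0.113.7 10.1.2.3 tcp 445",      # Internet -> internal SMB: denied
    "192.0.2.10 10.1.2.3 tcp 3306",      # DMZ web host -> internal DB: denied (pivot)
    "10.1.2.3 192.0.2.10 tcp 22",        # admin SSH into the DMZ: allowed
    "10.1.2.3 10.5.5.5 tcp 445",         # file sharing inside INTERNAL: allowed
    "192.0.2.10 198.51.100.1 udp 53",    # DMZ resolver -> upstream DNS: allowed
    "10.1.2.3 198.51.100.9 tcp 443",     # outbound HTTPS: allowed
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

The two records the audit flags are the ones a perimeter exists to stop: an outside host reaching straight into the internal network, and a DMZ host trying to open a database connection inward. The second case is the reason the DMZ is its own domain rather than part of the internal network: a firewall rule between the two domains, not trust in the web server, is what keeps a compromised public-facing host from pivoting.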
Security perimeters & domains
Security perimeter in the emerging era
• With the dramatic growth in popularity of cloud-based
computing and data storage, and the continued use of mobile
computing devices, there is a viewpoint that there is no
“inside” or “outside” to organizations’ networks anymore.
• With the extensive use of cloud-based services to deliver key
systems capability, including security-related functions, there is
a growing movement toward realizing that a security perimeter
is the entirety of an organization’s network presence, anywhere
and everywhere the company’s data is.
• The use of defense in depth is still a valid approach to
protecting it.
• The responsibility for protecting the organization's data using
every available resource is still valid and still needed.
Security Education, Training, and
Awareness Program
• Security Education, Training, and Awareness (SETA) : It is a managerial program designed
to improve the security of information assets by providing targeted knowledge, skills, and
guidance for an organization’s employees.
• Once an organization has defined the policies that will guide its security program and
selected an overall security model by creating or adapting a security framework and a
corresponding detailed implementation blueprint, it is time to implement a SETA program.
• The SETA program is the responsibility of the CISO and is a control measure designed to
reduce incidents of accidental security breaches by employees. Employee errors are among
the top threats to information assets, so it is well worth developing programs to combat
this threat.
• SETA programs are designed to supplement the general education and training programs
that many organizations use to educate staff about information security.
• For example, if an organization detects that many employees are opening questionable e-
mail attachments, those employees must be retrained. As a matter of good practice,
systems development life cycles must include user training during the implementation
phase. Practices used to take control of the security and privacy of online data are
sometimes called cyber hygiene.
Elements of SETA & the purpose
• The SETA program consists of three elements:
security education, security training, and security
awareness.
• An organization may not be able or willing to undertake all
three of these elements, and it may outsource elements to
local educational institutions.
• The purpose of SETA is to enhance security with these:
• Improving awareness of the need to protect system resources
• Developing skills and knowledge so computer users can perform
their jobs more securely
• Building in-depth knowledge as needed to design, implement, or
operate security programs for organizations and systems
Comparative Framework of SETA
Comparison of the features of security education, training,
and awareness within an organization is as below.
Security Education
• Everyone in an organization needs to be trained and made aware of
information security, but not everyone needs a formal degree or certificate in
information security.
• When management agrees that formal education is appropriate, an employee
can investigate courses in continuing education from local institutions of higher
learning. Several universities have formal coursework in information security.
• For formal information security programs, resources are available, such as the
DHS/NSA-identified National Centers of Academic Excellence program (ref.
www.iad.gov/NIETP/index.cfm).
• This program identifies universities that offer coursework in information
security and take an integrated view of information security within the institution itself.
• Other local resources can also provide information on security education, such
as Kennesaw State's Center for Information Security Education
(http://infosec.kennesaw.edu).
Security training
• Security training provides employees with detailed information and
hands-on instruction to prepare them to perform their duties securely.
• Management of information security can develop customized in-house
training or outsource the training program.
• Alternatives to formal training programs are industry training
conferences and programs offered through professional organizations such
as SANS (www.sans.org), (ISC)² (www.isc2.org), and ISSA (www.issa.org).
• Many of these programs are too technical for the average employee,
but they may be ideal for the continuing education requirements of
information security professionals.
• Several resources for conducting SETA programs offer assistance in the
form of sample topics and structures for security classes. For
organizations, the Computer Security Resource Center at NIST provides
several useful documents free of charge in its special publications area
(http://csrc.nist.gov).
Security awareness
• A security awareness program is one of the least frequently implemented but most
beneficial programs in an organization.
• A security awareness program is designed to keep information security at the
forefront of users’ minds.
• These programs don’t have to be complicated or expensive. Good programs can
include newsletters, security posters (ref. fig. ), videos, bulletin boards, flyers, and
trinkets. Trinkets can include security slogans printed on mouse pads, coffee cups, T-
shirts, pens, or any object frequently used during the workday that reminds
employees of security.
• In addition, a good security awareness program requires a dedicated person who is
willing to invest time and effort to promoting the program, and a champion willing to
provide the needed financial support.
• The security newsletter is the most cost-effective method of disseminating security
information and news to employees. Newsletters can be distributed via hard copy, e-mail,
or intranet. Topics can include new threats to the organization's information
assets, the schedule for upcoming security classes, and the addition of new security
personnel.
• The goal of the newsletter is to keep the idea of information security in users' minds and
to stimulate users to care about security.
Information security awareness at Kennesaw State University
If a security awareness program is not actively implemented, employees may
neglect security matters, and the risk of employee accidents and failures is
likely to increase.
Summary of the topics covered
• Information Security planning and governance
• Information Security policy, standards and
practices
• The Information Security blueprint
• Security education, training and awareness
program