Safeguards Frameworks and Controls
Richard Baskerville
Theory of Secure Information Systems
Features: Safeguards and Controls
[Figure: diagram relating threats (T1 ... Tn) and features (F1 ... Fl) to a third set of elements (O1 ... Om); the three axes are labelled T, F and O]
Security Functions
• Loss avoidance
• Deterrence
• Loss prevention
• Loss detection
• Recovery
• Vulnerability correction
Parker, D. B. (1984). The Many Faces of Data Vulnerability. IEEE Spectrum, 21(5), 46-49.
Basic Attributes of Security
Baskerville, R., & Sainsbury, R. (2005, 11-12 July). Securing Against the Possibility of an Improbable Event: Concepts for Managing Predictable Threats and Normal Compromises. Paper presented at the European Conference on Information Warfare and Security, Glamorgan University, UK.
PREVENTATIVE: eliminate serious threats, prevent attacks, limit intrusion scope, e.g. anti-virus, encryption, firewalls, passwords and biometric ID systems.
RESPONSIVE: respond quickly or actively to unprotected security problems; restore the system after an attack, e.g. data backups, drive images, mirrored servers, extra staff.
Information Security Standards
• ISO/IEC 27001
• ISO/IEC 27002 (formerly ISO/IEC 17799)
• COBIT
• ITIL
• PCI
• NIST
• Common Criteria
[Figure: the ISO/IEC 27000 library of standards]
Guidance and Standards: Examples
• Quality Standards
–ISO/IEC 27001
• Technical Standards
–ISO/IEC 27002
• Professional Standards
–COBIT (Control Objectives for Information and Related Technology), a generally applicable and accepted standard for good information technology security and control practices in organizations.
• Industry Practices and Standards
–ITIL (IT Infrastructure Library)
–Payment Card Industry (PCI) Standard
–NIST 800-12 Computer Security Handbook
• Qualification Criteria
–ITSEC, TCSEC, Common Criteria
Quality Standards
ISO/IEC 27001
This standard has evolved toward the development of management systems for information security and provides a stronger basis for third-party audit and certification. It offers a managerially oriented complement to the technologically oriented ISO/IEC 27002.
Structure of the Information Security
Management System (ISMS)
ISO 27001
• Leadership - top management must demonstrate leadership and commitment to the ISMS, mandate the policy, and assign information security roles, responsibilities and authorities.
• Planning - outlines the process to identify, analyze and plan the treatment of information security risks, and to set the information security objectives.
• Support - adequate, competent resources must be assigned, awareness raised, and documented information prepared and controlled.
• Operation - carrying out the information security risk assessment and risk treatment, managing changes, and documenting the results (partly so that they can be audited by the certification auditors).
• Performance evaluation - monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate.
• Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective actions) and make continual refinements to the ISMS.
Technical Standards
ISO/IEC 27002:2013
Control domains (the 14 clauses of the 2013 edition; the 2005 edition grouped its controls into 11 clauses)
• Information Security Policies
• Organization of Information Security
• Human Resources Security
• Asset Management
• Access Control
• Cryptography
• Physical And Environmental Security
• Operations security
• Communications Security
• Information Systems Acquisition, Development, Maintenance
• Supplier Relationships
• Information Security Incident management
• Information Security Aspects of Business Continuity
• Compliance
Specimen control objective from ISO/IEC 27002:2013
Information Security Policies: provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
ISO 27002
Organization of Information Security
• Establish a management framework to initiate and control the implementation and operation of information security within the organization.
• Ensure the security of teleworking and the use of mobile devices.
ISO 27002
Human Resource Security
• Ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
• Ensure that employees and contractors are aware of and fulfil their information security responsibilities.
• Protect the organization's interests as part of the process of changing or terminating employment.
Asset Management
• Identify organizational assets and define appropriate protection responsibilities.
• Ensure that information receives an appropriate level of protection in accordance with its importance to the organization.
• Prevent unauthorized disclosure, modification, removal or destruction of information stored on media.
ISO 27002
Access Control
• Limit access to information and information processing facilities.
• Ensure authorized user access and prevent unauthorized access to systems and services.
• Make users accountable for safeguarding their authentication information.
• Prevent unauthorized access to systems and applications.
ISO 27002
Cryptography
• Ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
ISO 27002
Physical and Environmental Security
• Prevent unauthorized physical access, damage and interference to the organization’s information and information processing facilities.
• Prevent loss, damage, theft or compromise of assets and interruption to the organization’s operations.
Operations Security
• Ensure correct and secure operations of information processing facilities.
• Ensure that information and information processing facilities are protected against malware.
• Protect against loss of data.
• Record events and generate evidence.
• Ensure the integrity of operational systems.
• Prevent exploitation of technical vulnerabilities.
• Minimise the impact of audit activities on operational systems.
ISO 27002
Communications Security
• Ensure the protection of information in networks and its supporting information processing facilities.
• Maintain the security of information transferred within an organization and with any external entity.
ISO 27002
System Acquisition, Development and Maintenance
• Ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
• Ensure that information security is designed and implemented within the development lifecycle of information systems.
• Ensure the protection of data used for testing.
ISO 27002
Supplier Relationships
• Ensure protection of the organization's assets that are accessible by suppliers.
• Maintain an agreed level of information security and service delivery in line with supplier agreements.
Information Security Incident Management
• Ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
ISO 27002
Information Security Aspects of Business Continuity Management
• Information security continuity should be embedded in the organization’s business continuity management systems.
• Ensure availability of information processing facilities.
ISO 27002
Compliance
• Avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements.
• Ensure that information security is implemented and operated in accordance with the organizational policies and procedures.
ISO 27002
Essential Safeguards
Industry Practices & Standards
Examples:
ITIL
PCI
NIST 800
ITIL
• Best practices and guidelines for managing information technology services
• Integrated, process-based approach
• Originated in a 1980s UK government initiative
• Focus on quality, efficient, cost-effective delivery of IT services
Major ITIL Volumes
• Software asset management
• Service support
• Service delivery
• Planning to implement service management
• ICT infrastructure management
• Application management
• Security management
• The business perspective
ITIL Structure
ITIL Security
[Figure: ITIL security management process, adapted from Weil, Steven (2004), "How ITIL Can Improve Information Security", SecurityFocus, http://www.securityfocus.com/infocus/1815. Initial security effort: risk analysis, security requirements, minimum security baseline requirements, feasibility analysis. The customer and the IT service organization negotiate and define the SLA, then negotiate and define the OLA; the cycle then runs implement, monitor, report, modify.]
▪Security Management Products
▸Policies
▸Processes
▸Procedures
▸Work instructions
Payment Card Industry
Data Security Standard
• Build and Maintain a Secure Network
– Install and maintain a firewall configuration to protect data
– Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
– Protect stored data
– Encrypt transmission of cardholder data and sensitive information across public networks
• Maintain a Vulnerability Management Program
– Use and regularly update anti-virus software
– Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
– Restrict access to data by business need-to-know
– Assign a unique ID to each person with computer access
– Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
– Track and monitor all access to network resources and cardholder data
– Regularly test security systems and processes.
• Maintain an Information Security Policy
NIST Computer Security Handbook
Special Publication 800-12
NIST Computer Security Division
• SP 800-12 An Introduction to Computer Security: The NIST Handbook, October 1995
• SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996
• SP 800-18 Guide for Developing Security Plans for Information Technology Systems, December 1998
• SP 800-26 Security Self-Assessment Guide for Information Technology Systems, November 2001
• SP 800-30 Risk Management Guide for Information Technology Systems, July 2002
• SP 800-33 Underlying Technical Models for Information Technology Security, December 2001
• SP 800-34 Contingency Planning Guide for Information Technology Systems, June 2002
• SP 800-55 Security Metrics Guide for Information Technology Systems, July 2003
• SP 800-65 Integrating Security into the Capital Planning and Investment Control Process, January 2005
http://csrc.nist.gov/publications/nistpubs/
NIST SP 800-14 Reference Model
• Accountability - The responsibilities and accountability of owners, providers and users of information systems and other parties...should be explicit.
• Awareness - Owners, providers, users and other parties should readily be able, consistent with maintaining security, to gain appropriate knowledge of and be informed about the existence and general extent of measures...for the security of information systems.
• Ethics - The Information systems and the security of information systems should be provided and used in such a manner that the rights and legitimate interest of others are respected.
• Multidisciplinary - Measures, practices and procedures for the security of information systems should take account of and address all relevant considerations and viewpoints....
• Proportionality - Security levels, costs, measures, practices and procedures should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability and extent of potential harm....
• Integration - Measures, practices and procedures for the security of information systems should be coordinated and integrated with each other and other measures, practices and procedures of the organization so as to create a coherent system of security.
• Timeliness - Public and private parties, at both national and international levels, should act in a timely coordinated manner to prevent and to respond to breaches of security of information systems.
• Reassessment - The security of information systems should be reassessed periodically, as information systems and the requirements for their security vary over time.
• Democracy - The security of information systems should be compatible with the legitimate use and flow of data and information in a democratic society.
Source: these principles are taken from the OECD's Guidelines for the Security of Information Systems (1992), which SP 800-14 adopts as its generally accepted system security principles.
Qualification Criteria
Common Criteria
The CC philosophy is to provide assurance based upon an evaluation (active investigation) of the IT product or system that is to be trusted. Evaluation has been the traditional means of providing assurance and is the basis for prior evaluation criteria documents. In aligning the existing approaches, the CC adopts the same philosophy. The CC proposes measuring the validity of the documentation and of the resulting IT product or system by expert evaluators with increasing emphasis on scope, depth, and rigor.
(Common Criteria v 2.1, Part 3, p. 2)
ISO/IEC 15408