Introduction to Information Security Concepts

The document provides an overview of information security, defining it as the management of risks to an acceptable level rather than complete elimination. It outlines the history of information security, key concepts, and the importance of balancing security with access, emphasizing the need for a structured approach to security implementation. Additionally, it discusses various threats to information security, the roles of security professionals, and the significance of understanding both technical and human factors in maintaining security.

Uploaded by i221732

Lecture 1

II. Introduction to Information Security


• Definition: Information security is a “well-informed sense of assurance that the
information risks and controls are in balance.” (Jim Anderson, 2002)
• Core Idea: It is not about eliminating all risk, but about managing risk to an acceptable
level through the implementation of appropriate controls.

III. The History of Information Security


The field evolved directly from the needs of early computing systems.
• Origins (1940s-1950s): Began with the first mainframes, which were used for code-breaking
in World War II (e.g., against the cipher of the German Enigma machine).
o Focus was on physical security—controlling access to sensitive military
locations and computers to prevent theft, espionage, and sabotage.
• The 1960s: The Advanced Research Projects Agency (ARPA) began researching
redundant networked communications, leading to the development of ARPANET, the
precursor to the internet.
• The 1970s-1980s:
o ARPANET's Popularity & Problems: As ARPANET grew, fundamental
security flaws were identified: no safety procedures for dial-up connections and
nonexistent user identification.
o The Rand Report R-609: A seminal paper that marked the formal beginning
of computer security as a field of study. It expanded the scope beyond physical
security to include:
▪ Safety of data.
▪ Limiting unauthorized access to data.
▪ Involvement of personnel from multiple organizational levels.
o MULTICS (Multiplexed Information and Computing Service): The first
operating system designed with security as a primary goal. Key players from this
project later created UNIX.
• The 1990s: The rise of interconnected networks and the internet. Security was often a
low priority in early deployments.
• 2000 to Present: The internet connects millions of unsecured networks. The security of
any one computer is influenced by the security of all computers it connects to, leading to
a growing need for improved security measures against cyber attacks.

IV. What is Security?
• Fundamental Definition: “The quality or state of being secure—to be free from danger.”
It is fundamentally about protection from adversaries.
• Layered Security: A successful organization employs multiple layers of security:
o Physical security
o Personal security
o Operations security
o Communications security
o Network security
o Information security (the focus of this chapter)
• Information Security Specifics: The protection of information and its critical elements,
including the systems and hardware that use, store, and transmit that information.
o Tools for Security: Policy, awareness, training, education, and technology.
o The C.I.A. Triangle: The traditional standard based on:
▪ Confidentiality: Protection from unauthorized disclosure.
▪ Integrity: Protection from unauthorized modification.
▪ Availability: Assurance that systems and data are accessible when needed.
o This has now been expanded into a broader list of critical characteristics.

V. Key Information Security Concepts


Understanding these terms is crucial for discussing security effectively.
• Asset: A resource of value that needs protection (e.g., data, hardware).
• Threat: A potential danger to an asset.
• Threat Agent: The entity that identifies and exploits a vulnerability (e.g., a hacker, a
natural disaster).
• Vulnerability: A weakness in the system that could be exploited by a threat.
• Attack/Threat Event: The action of a threat agent exploiting a vulnerability.
• Exploit: A technique used to compromise a system.
• Exposure: The condition of being vulnerable.
• Risk: The probability that a threat will exploit a vulnerability and the resulting impact.
• Control, Safeguard, or Countermeasure: A measure taken to reduce risk.
• Protection Profile/Security Posture: The entire set of controls and the organization's
overall security state.
• Subjects and Objects:
o Subject: An active entity that accesses an object (e.g., a user, a process).
o Object: A passive entity that contains information (e.g., a file, a database).
• Computer as Subject/Object: A computer can be the tool used to conduct an
attack (subject) or the target of an attack (object).

VI. Critical Characteristics of Information


The value of information is derived from these characteristics, which extend beyond the C.I.A.
triad:
1. Availability: Accessible when needed by authorized users.
2. Accuracy: Free from errors.
3. Authenticity: Genuine and verifiable.
4. Confidentiality: Disclosed only to authorized individuals.
5. Integrity: Complete and uncorrupted.
6. Utility: Has value for a particular purpose.
7. Possession: Ownership is controlled.
8. PII (Personally Identifiable Information): A specific category of data requiring high
protection.
The McCumber Cube (CNSS Security Model): A graphical model (like a Rubik's cube) that
evaluates information security across three dimensions: the critical characteristics of information
(e.g., confidentiality), the states in which information exists (storage, transmission, processing),
and the security measures (policy, education, technology) needed to protect it.

VII. Components of an Information System (IS)


An information system is composed of:
• Software
• Hardware
• Data
• People (often the weakest link)
• Procedures
• Networks
Securing an IS requires protecting all of these components.

VIII. Balancing Information Security and Access


• Perfect Security is Impossible: Security is a process, not an absolute state.
• The Balance: The goal is to find a balance where security controls provide adequate
protection without making the system so cumbersome that it hinders legitimate access
and productivity.
• Risk Management: The process of identifying, assessing, and prioritizing risks,
followed by applying resources to minimize or control the impact of unfortunate events.

IX. Approaches to Information Security Implementation


1. Bottom-Up Approach:
o Initiated by systems administrators trying to improve their own systems.
o Advantage: Leverages technical expertise.
o Disadvantage: Often fails due to lack of organizational support, funding, and
staying power. It is reactive and uncoordinated.
2. Top-Down Approach:
o Initiated by upper management.
o Advantage: Most successful approach. It provides strong support, clear policies,
defined accountability, and aligns security with business goals.
o Methodology: Typically uses a formal Systems Development Life Cycle
(SDLC).

X. The Systems Development Life Cycle (SDLC)


A structured methodology for designing and implementing systems. The traditional "waterfall"
model has six phases:
1. Investigation: Define the problem, objectives, and scope. Perform a preliminary cost-
benefit and feasibility analysis.
2. Analysis: Study the organization's current systems and needs. Document requirements
and update the feasibility analysis.
3. Logical Design: Create a blueprint based on business needs. Select applications and data
structures.
4. Physical Design: Select specific technologies. Evaluate make-or-buy options. Present the
solution for approval.
5. Implementation: Build, purchase, test, and deploy the system. Train users.
6. Maintenance and Change: The longest phase. Involves ongoing support, modifications,
and updates until the system is replaced.
Software Assurance (SA): An approach that seeks to build security into the SDLC from the
beginning, creating software that is inherently more secure.

XI. The Security Systems Development Life Cycle (SecSDLC)


A specialized version of the SDLC focused on implementing security controls. The phases are
similar but security-centric:
1. Investigation: Starts with the Enterprise Information Security Policy (EISP). Defines
security project goals and constraints.
2. Analysis: Analyze existing security policies, current threats, and controls. Begin risk
management.
3. Logical Design: Plan for incidents (response, disaster recovery, continuity). Develop
security blueprints.
4. Physical Design: Select and evaluate security technologies.
5. Implementation: Acquire, test, and deploy security solutions. Train personnel.
6. Maintenance and Change: Constantly adapt to the evolving threat landscape. Monitor,
respond to incidents, and update controls.

XII. Security Professionals and the Organization


Implementing information security requires a team with diverse skills.
• Senior Management:
o Chief Information Officer (CIO): Senior technology officer focused on strategic
planning.
o Chief Information Security Officer (CISO): Responsible for the organization's
information security program. Reports to the CIO.
• Information Security Project Team:
o Champion: Senior manager who supports the project.
o Team Leader: Manages the project.
o Security Policy Developers, Risk Assessment Specialists, Security
Professionals, Systems Administrators, End Users.
• Data Responsibilities:
o Data Owner: Senior manager responsible for the data's security and use.
o Data Custodian: Responsible for the safe handling, storage, and backup of data
(e.g., a database administrator).
o Data Users: End users who work with the data daily.
• Communities of Interest: Groups within the organization that must collaborate:
o Information Security Management and Professionals
o Information Technology Management and Professionals
o Organizational Management and Professionals

XIII. Is Information Security an Art or a Science?


It is a combination of three disciplines:
• Art: There are no absolute manuals. Solutions often require creativity and experience
("security artisans").
• Science: Technology operates on predictable principles. Faults and vulnerabilities are the
result of specific, identifiable interactions between hardware and software.
• Social Science: The most critical element is people. Understanding human behavior is
essential, as security begins and ends with the individuals who interact with systems.
Effective training and policy can mitigate human error.

Lecture 2

II. Introduction: The Core Mission of Information Security
• The primary mission of an Information Security (IS) program is to ensure systems and
their contents remain unchanged, available, and confidential—in other words, to
maintain the integrity, availability, and confidentiality of information assets.
• In an ideal world without threats, resources could be focused solely on improving system
usability and functionality. However, attacks on information systems are a daily
occurrence, making security a necessary priority.

III. Key Terminology


Understanding these terms is crucial for discussing security needs effectively:
• Data: Raw numbers, facts, and words collected by an organization (e.g., individual quiz
scores).
• Information: Data that has been organized, structured, and given context to provide
insight and value (e.g., a student's class average presented as a letter grade).
• Information Asset: The information that has value to the organization, plus the systems
that store, process, and transmit it. This is the primary focus of information security.
• Media: A subset of information assets; the physical and logical systems and networks
that handle information.
• Data Security: The practice of protecting data in all its states: at rest (in storage), in
processing, and in transit (over networks).

IV. The Business Need for Information Security


Information security is not just a technical issue; it is a critical business function that performs
four key roles:
1. Protects the Organization's Ability to Function:
o Security is fundamentally a management and people issue, not just a technology
problem.
o All levels of management (general, IT, IS) are responsible for its implementation.
o Solutions must be evaluated in terms of business impact and cost, not just
technical merit.
2. Protects the Data an Organization Collects and Uses:
o Data is the lifeblood of a modern organization. Without it, an organization loses
its transaction records and ability to deliver value.
o Effective information security ensures the Confidentiality, Integrity, and
Availability (CIA) of this critical data.
3. Enables the Safe Operation of Applications:
o Organizations need a secure environment to run the applications built on their IT
systems.
o Management must maintain oversight of this infrastructure; it cannot be delegated
entirely to the IT department.
4. Safeguards Technology Assets:
o Organizations must implement a secure infrastructure appropriate to their size and
scope.
o As an organization grows, its security needs evolve, requiring more robust
solutions to replace outgrown programs.

V. Threats to Information Security
A Threat is any object, person, or other entity that represents a constant danger to an asset.
Management must understand the various threats they face. The text outlines 12 major
categories of threats:
1. Compromises to Intellectual Property (IP):
o IP Definition: "The creation, ownership, and control of original ideas" (e.g., trade
secrets, copyrights, patents).
o Primary Concern: Software piracy—the unauthorized duplication or
distribution of copyrighted software. Watchdog organizations like the Software &
Information Industry Association (SIIA) and Business Software Alliance
(BSA) investigate such abuse.
o Protection Mechanisms: End-User License Agreements (EULAs), online
registration, and technical controls.
2. Deliberate Software Attacks (Malware):
o Malicious software (malware) designed to damage, destroy, or deny service.
o Includes viruses, worms, Trojan horses, logic bombs, back doors,
polymorphic threats, and ransomware.
3. Deviations in Quality of Service:
o Failure of critical support systems to perform as expected.
o Internet Service: ISP failures can undermine availability.
o Power Irregularities: Fluctuations (spikes, sags), excesses (surges), shortages
(brownouts), and losses (blackouts) can disrupt operations. Controls like UPS
(Uninterruptible Power Supplies) are essential.
o Service Level Agreements (SLAs): Define expected performance. For example,
99.9% availability ("three nines") allows for approximately 9 hours of downtime
per year.
4. Espionage or Trespass:
o Unauthorized access to protected information.
o Competitive Intelligence (gathering information legally) vs. Industrial
Espionage (illegal acquisition).
o Shoulder Surfing: Observing someone entering confidential information.
o Hacker Profiles:
▪ Expert Hacker: Highly skilled; develops attack tools.
▪ Unskilled Hacker (Script Kiddie): Uses pre-written software to exploit
systems without deep understanding.
o Other terms: Cracker (removes software protection), Phreaker (hacks telephone
networks).
5. Forces of Nature:
o Natural disasters (floods, earthquakes, fires) pose significant dangers.
Organizations must have contingency plans for business continuity.
6. Human Error or Failure:
o The Greatest Threat? Acts performed without malicious intent due to
inexperience, improper training, or incorrect assumptions.
o Consequences: Can lead to exposure of sensitive data, incorrect data entry,
accidental deletion, or failure to protect information. These are often preventable
with better training and controls.
7. Information Extortion:
o An attacker steals information and demands compensation for its return or non-
disclosure (e.g., ransomware attacks, theft of credit card numbers).
8. Missing, Inadequate, or Incomplete Controls:
o Weaknesses in organizational policy, planning, or implementation of controls
make an organization vulnerable to other threats.
9. Sabotage or Vandalism:
o Ranges from petty vandalism to organized sabotage.
o Website Defacing: Can erode consumer confidence and impact an organization's
net worth.
o Hacktivism/Cyberactivism: Politically or socially motivated attacks.
o Cyberterrorism: A more severe form with the potential for large-scale
disruption.
10. Theft:
o Illegal taking of physical, electronic, or intellectual property. Electronic theft is
complex because the evidence is not always apparent.
11. Technical Hardware Failures or Errors:
o Equipment flaws distributed by manufacturers can cause unreliable service or
system failure.
12. Technical Software Failures or Errors:
o Bugs or faults in purchased software. Certain combinations of software and
hardware can reveal new vulnerabilities.
13. Technological Obsolescence:
o Antiquated or outdated infrastructure leads to unreliable systems. Proper IT
planning is required to avoid this threat.

VI. Attacks on Information Security


An Attack is the act or action that exploits a vulnerability (a weakness) in a system. It is carried
out by a threat agent. It's important to differentiate the threat (the potential danger) from
the attack (the action itself).
Common Types of Attacks:
• Malicious Code: Execution of viruses, worms, etc.
• Hoaxes: Often a fake warning about a virus that itself contains a real virus.
• Back Door: Using a known or unknown mechanism to bypass normal authentication.
• Password Crack:
o Brute Force: Trying every possible password combination.
o Dictionary Attack: Using a list of common passwords.
• Denial-of-Service (DoS) / Distributed Denial-of-Service (DDoS): Overwhelming a
target with requests to crash it or make it unusable for legitimate users.
• Spoofing: Assuming a trusted IP address or identity to gain unauthorized access.
• Man-in-the-Middle (MitM): Intercepting and potentially altering communication
between two parties without their knowledge.
• Spam / Mail Bombing: Unsolicited email; mail bombing is a DoS attack using email.
• Sniffers: Monitoring network traffic to steal information.
• Phishing: Deceptive attempts (e.g., via email) to steal personal/financial information by
posing as a legitimate entity.
• Pharming: Redirecting legitimate web traffic to an illegitimate site to steal information.
• Social Engineering: Manipulating people into breaking security procedures (e.g.,
pretending to be an IT support technician to get a password). "People are the weakest
link." — Kevin Mitnick
• Timing Attack: Exploiting the time it takes a system to perform operations to deduce
sensitive information.
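The timing attack listed last is the one attack type above that is easiest to see in a few lines of code. The following Python is an added illustration written for these notes (it is not code from the lecture); the token value is constructed. It shows why a secret comparison that stops at the first mismatching character does an amount of work that depends on how much of the guess is correct, and how a constant-time comparison removes that dependence.

```python
import hmac
from typing import Tuple

# Constructed secret for the demonstration; not a value from the lecture notes.
EXPECTED_TOKEN = "a3f9c2e1b7d04f6e"


def leaky_compare(provided: str, expected: str) -> Tuple[bool, int]:
    """Early-exit comparison, the pattern a timing attack exploits.

    Returns (matched, chars_examined). The work done, and therefore the
    running time, grows with the length of the correct prefix in `provided`,
    so an observer who can measure response times learns about the secret
    one character at a time.
    """
    if len(provided) != len(expected):
        return False, 0
    examined = 0
    for a, b in zip(provided, expected):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def manual_constant_time_compare(provided: str, expected: str) -> bool:
    """Same decision, but the loop always runs over every character and folds
    all differences into one accumulator, so the time no longer depends on
    where the first mismatch is. (Only the length check remains visible.)"""
    a = provided.encode()
    b = expected.encode()
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def verify_token(provided: str) -> bool:
    """Preferred form: hmac.compare_digest is the standard-library
    constant-time comparison and should be used instead of a hand-rolled loop."""
    return hmac.compare_digest(provided.encode(), EXPECTED_TOKEN.encode())


if __name__ == "__main__":
    for guess in ["z" * 16, "a3f9" + "0" * 12, EXPECTED_TOKEN]:
        matched, work = leaky_compare(guess, EXPECTED_TOKEN)
        print(f"{guess}: leaky -> {matched} after {work} chars; "
              f"constant-time -> {verify_token(guess)}")
```

The hand-written loop is there only to make the idea visible; in real code the comparison of tokens, MACs or password hashes should go through `hmac.compare_digest`, and secrets of fixed length (or a fixed-length hash of them) should be compared so that the remaining length check reveals nothing.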

VII. Secure Software Development


Many security issues stem from vulnerabilities in software. Developing secure software requires
integrating security into the development process.
• Software Assurance (SA): An approach that seeks to build security into the Systems
Development Life Cycle (SDLC) from the beginning, rather than adding it as an
afterthought.
• SwA Common Body of Knowledge (CBK): A guide supported by US DoD and DHS
for developing secure applications. (Note: The slide asks about an equivalent in Pakistan,
"PSS?").
Software Design Principles for Security:
• Keep the design simple and small.
• Base access decisions on permission, not exclusion (default-deny).
• Check every access to every object for authority.
• Design systems whose security rests on secret keys/passwords rather than on keeping
the design itself secret (open design).
• Implement least privilege: programs/users should have only the permissions they
absolutely need.
• Make the human interface easy to use so that security becomes routine.
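Three of these principles (permission rather than exclusion, checking every access to every object, and least privilege) can be shown together in one small access-control model. The Python that follows is an added example, not code from the lecture; the roles, objects and subject names are constructed for it, and the greedy role-selection routine is one illustrative way to derive a least-privilege role set, not a standard algorithm from the notes.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# All role, object and subject names in this example are constructed.


@dataclass(frozen=True)
class Subject:
    """Active entity (a user or process) with the roles it has been granted."""
    name: str
    roles: FrozenSet[str]


@dataclass
class AccessPolicy:
    """Explicit grants keyed by (role, object). Anything not listed is denied:
    decisions are based on permission, not exclusion (default-deny)."""
    grants: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def grant(self, role: str, obj: str, action: str) -> None:
        self.grants.setdefault((role, obj), set()).add(action)

    def is_permitted(self, subject: Subject, obj: str, action: str) -> bool:
        """Complete mediation: every access to every object comes through here
        and is recorded. There is no deny list to go stale; a missing grant is a deny."""
        allowed = any(action in self.grants.get((role, obj), set())
                      for role in subject.roles)
        self.audit_log.append(
            f"{subject.name} {action} {obj}: {'ALLOW' if allowed else 'DENY'}")
        return allowed


def build_sample_policy() -> AccessPolicy:
    policy = AccessPolicy()
    policy.grant("report_reader", "sales_report", "read")
    policy.grant("dba", "customer_db", "read")
    policy.grant("dba", "customer_db", "write")
    policy.grant("dba", "customer_db", "backup")
    return policy


def least_privilege_roles(policy: AccessPolicy,
                          required: Set[Tuple[str, str]]) -> FrozenSet[str]:
    """Choose a small set of roles that covers exactly the (object, action)
    pairs a job needs, so the job is not handed roles it never uses.
    Greedy set cover; adequate for role sets small enough to audit by hand."""
    remaining = set(required)
    chosen: Set[str] = set()
    roles = {role for role, _ in policy.grants}
    while remaining:
        best_role, covered = None, set()
        for role in sorted(roles):  # sorted for deterministic tie-breaking
            hits = {(obj, action)
                    for (r, obj), actions in policy.grants.items() if r == role
                    for action in actions if (obj, action) in remaining}
            if len(hits) > len(covered):
                best_role, covered = role, hits
        if best_role is None:
            raise ValueError(f"no role grants {sorted(remaining)}")
        chosen.add(best_role)
        remaining -= covered
    return frozenset(chosen)


if __name__ == "__main__":
    policy = build_sample_policy()
    analyst = Subject("analyst", frozenset({"report_reader"}))
    print(policy.is_permitted(analyst, "sales_report", "read"))   # True
    print(policy.is_permitted(analyst, "customer_db", "read"))    # False
    print(least_privilege_roles(policy, {("sales_report", "read")}))
    print("\n".join(policy.audit_log))
```

The audit log is part of the point: because every decision passes through one function, the log is complete, which is what makes later detection and incident review possible.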
Common Software Development Security Problems:
• Buffer Overruns: When a program writes data beyond the allocated memory buffer.
• Injection Attacks: Command Injection, SQL Injection, where untrusted data is
interpreted as commands.
• Cross-Site Scripting (XSS): Injecting malicious scripts into webpages viewed by others.
• Failure to Handle Errors: Can reveal sensitive system information.
• Failure to Protect Data: In transit (e.g., not using SSL/TLS) or at rest (e.g., weak
encryption).
• Information Leakage: Accidentally exposing system details.
• Race Conditions: Unpredictable behavior when the system's output depends on the
sequence of events.
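The injection and cross-site scripting problems in the list come down to the same mistake: untrusted input is concatenated into text that something else will interpret as a command or as markup. The following Python is an added example, not code from the lecture; it uses an in-memory SQLite table with constructed rows and puts each vulnerable function beside its hardened form.

```python
import html
import sqlite3
from typing import List, Tuple


def make_sample_db() -> sqlite3.Connection:
    """In-memory table with constructed rows so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection,
                         username: str) -> List[Tuple[str, str]]:
    """SQL injection: the input is pasted into the SQL text, so the database
    cannot tell data from command. A quote in `username` changes the query's
    meaning, here widening a one-user lookup to every row."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection,
                   username: str) -> List[Tuple[str, str]]:
    """Parameterized query: the SQL text is fixed, the value travels separately,
    and the driver never interprets it as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def greeting_vulnerable(display_name: str) -> str:
    """Cross-site scripting: the name is reflected into HTML unescaped, so
    markup supplied by one user runs in the browsers of others who view it."""
    return f"<p>Welcome back, {display_name}!</p>"


def greeting_safe(display_name: str) -> str:
    """Output encoding: markup characters become harmless entities."""
    return f"<p>Welcome back, {html.escape(display_name)}!</p>"


if __name__ == "__main__":
    conn = make_sample_db()
    crafted = "x' OR '1'='1"
    print(find_user_vulnerable(conn, crafted))   # all three rows leak
    print(find_user_safe(conn, crafted))         # [] - no such username
    print(greeting_safe("<b>bob</b>"))
```

The fix is structural, not a filter: parameter binding and output encoding keep data and instructions in separate channels, which is why they hold up where input blocklists do not.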

Lecture 3

II. Introduction: The Legal and Ethical Landscape
• Information security professionals must understand the scope of their organization's legal
and ethical responsibilities to minimize liability and reduce risk.
• This requires:
o Understanding the current legal environment.
o Staying current with laws and regulations.
o Watching for new and emerging issues.

III. Fundamental Concepts: Law vs. Ethics
• Laws: Rules that mandate or prohibit certain behavior in society. They are enforced by a
governing authority and carry explicit sanctions (e.g., fines, imprisonment).
• Ethics: Define socially acceptable behavior. They are based on cultural mores (the fixed
moral attitudes or customs of a particular group). Ethics do not carry legal sanctions but
are guided by moral principles.

IV. Organizational Liability and Key Legal Terms


• Liability: An organization's legal obligation or responsibility for its actions or failures to
act.
• Restitution: The legal requirement to compensate for a loss or injury.
• Due Care: The measures an organization takes to ensure that every employee knows
what is acceptable and unacceptable behavior. It's about acting responsibly.
• Due Diligence: The reasonable steps an organization takes to meet its legal obligations.
It's a continuous process of ensuring that due care is being exercised.
• Jurisdiction: The power of a court or agency to make legal decisions within a specific
geographic or topical area.
o Long Arm Jurisdiction: The right of a court to impose its authority over an out-
of-state individual or organization if it can establish a sufficient connection (e.g.,
doing business online with residents of that state).

V. Policy vs. Law


• Policies: Guidelines that dictate behavior within an organization. They function as "laws"
within the company.
• Key Difference from Law: Ignorance of an organizational policy can be an acceptable
defense, whereas "ignorance of the law is no excuse."
• For a Policy to be Enforceable, it must meet certain criteria:
o Dissemination (distributed to all).
o Review (employees must read it).
o Comprehension (employees must understand it).
o Compliance (employees must agree to abide by it).
o Uniform Enforcement (applied consistently to everyone).

VI. Types of Law
• Civil Law: Governs relationships and conflicts between organizational entities and
people.
• Criminal Law: Addresses violations harmful to society; actively enforced by the state.
• Private Law: Regulates relationships between individuals and organizations.
• Public Law: Regulates the structure and administration of government agencies.

VII. Relevant Laws by Country


A. United States Laws
1. General Computer Crime Laws:
• Computer Fraud and Abuse Act (CFA Act) of 1986: The cornerstone of U.S. federal
computer crime law.
• National Information Infrastructure Protection Act of 1996: Amended the CFA Act,
increasing penalties for crimes committed for commercial advantage, financial gain, or in
furtherance of a criminal act.
• USA PATRIOT Act (2001) & Reauthorization Act: Expanded the powers of law
enforcement agencies (like the FBI) to investigate terrorism-related activities.
• Computer Security Act of 1987: One of the first laws to establish minimum security
practices for federal computer systems.
2. Privacy Laws:
• Federal Privacy Act of 1974
• Electronic Communications Privacy Act of 1986
• Health Insurance Portability and Accountability Act (HIPAA) of 1996: Protects the
confidentiality and security of healthcare data.
• Gramm-Leach-Bliley Act (GLBA) of 1999: Governs the handling of financial
information.
• Identity Theft: Criminalized under Title 18, U.S.C. § 1028. The FTC defines it as the
unauthorized use of personally identifying information to commit fraud.
3. Export and Espionage Laws:
• Economic Espionage Act (EEA) of 1996
• Security And Freedom Through Encryption (SAFE) Act of 1999: Affirms the right to
use and sell encryption without mandatory key registration to the government.
4. Copyright Law:
• U.S. Copyright Law protects intellectual property, including electronic formats. The U.S.
Copyright Office ([Link]) is the governing body.
5. Financial Reporting:
• Sarbanes-Oxley Act (SOX) of 2002: Mandates strict reforms to improve financial
disclosures from corporations and prevent accounting fraud. Non-compliance carries
severe penalties.
6. Freedom of Information:
• Freedom of Information Act (FOIA) of 1966: Allows for the full or partial disclosure
of previously unreleased information and documents controlled by the U.S. government.

B. Pakistani Laws
1. General Computer Crime and Cybersecurity Laws:
• Prevention of Electronic Crimes Act (PECA) 2016: The primary law combating
cybercrime. It addresses:
o Cyber terrorism, hacking, electronic fraud and forgery.
o Cyber stalking, hate speech, child pornography.
o Unauthorized access to data and critical infrastructure.
o Enforced by: The National Counter Terrorism Authority (NCTA) and other
agencies.
• National Cybersecurity Policy (NCSP) 2021: A framework to secure Pakistan's
cyberspace, focusing on governance, infrastructure protection, capacity building, and
public-private partnerships.
• Example Institutional Policies: The slides reference NUCES/FAST policies on code of
conduct, sexual harassment, and drug abuse.
2. Privacy Laws:
• Pakistan does not yet have a comprehensive, enacted data protection law equivalent to
the GDPR.
• Proposed Law: The Personal Data Protection Bill/Act, 2023 is under consideration.
• Current Relevant Laws:
o PECA 2016 contains some privacy-related provisions.
o Payment Systems and Electronic Fund Transfers Act, 2007 (Regulated by the
State Bank of Pakistan).
o Telecom Consumer Protection Regulations, 2009 (Issued by the Pakistan
Telecommunication Authority - PTA).
• Advisories: PK-CERT (Pakistan Computer Emergency Response Team) issues
advisories on emerging threats.
3. Export and Espionage Laws:
• The Official Secrets Act, 1923: The primary anti-espionage law, protecting official state
information.
• Export Control Act, 2004: Regulates the export of goods, technologies, and materials
related to nuclear and biological weapons.
4. Copyright Law:
• Pakistan Copyright Ordinance, 1962: Protects original works, including electronic data
and recognizing computer programs as literary works. Pakistan is also a signatory to
international agreements like the Berne Convention.
5. Freedom of Information:
• Right of Access to Information Act, 2017: The Pakistani equivalent to the U.S. FOIA. It
gives effect to the constitutional right to information (Article 19-A) and outlines
procedures for obtaining information from federal public bodies.

VIII. International Laws and Legal Bodies


• European Council Cyber-Crime Convention: Aims to create standardized international
technology laws and improve investigative cooperation. It is well-regarded but lacks
strong enforcement mechanisms.
• Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS): A
World Trade Organization (WTO) agreement that sets minimum standards for intellectual
property protection and enforcement.
• Digital Millennium Copyright Act (DMCA) - U.S.: A U.S. law that prohibits
circumventing anti-piracy measures and trafficking in devices that do so. While a U.S.
law, it has global impact. Pakistan's compliance with similar standards is driven by
international treaties like TRIPS.

IX. Ethics in Information Security


• The Challenge: Unlike some professions, IT and information security often lack
universally binding codes of ethics. Professional associations fill this gap, but they
typically cannot ban individuals from practicing.
• Culture and Ethics: What is considered ethical can vary significantly across cultures,
especially concerning:
o Software license infringement.
o Illicit use of systems.
o Misuse of corporate resources.
• Ethics and Education: Education is the key to leveling ethical perceptions. Employees
must be trained on expected ethical behaviors to become informed, low-risk users.
• Deterring Unethical Behavior: Deterrence is the best prevention. For laws and policies
to be effective deterrents, three conditions must be present:
1. Fear of the penalty.
2. Probability of being caught.
3. Probability of the penalty being administered.

X. Professional Organizations
A. Major International Organizations:
• Association of Computing Machinery (ACM): One of the first computing societies
with a strong code of ethics.
• (ISC)²: Offers certifications like CISSP and has a strict code of ethics (e.g., "Protect
society, the common good, necessary public trust and confidence...").
• ISACA: Focuses on IT governance, risk, and compliance (e.g., COBIT framework).
Offers CISA and CISM certifications.
• SANS Institute: A large cooperative for security professionals, offering research and
certifications (GIAC).
• Information Systems Security Association (ISSA): A society for information security
professionals to share knowledge.
B. Key Pakistani Professional and Government Bodies:
• Government & Policy: Ministry of IT and Telecommunication (MoITT), Pakistan
Software Export Board (PSEB), Ignite (National Technology Fund).
• Industry Associations: Pakistan Software Houses Association (P@SHA).
• Scientific Bodies: Pakistan Science Foundation (PSF), National Engineering & Scientific
Commission (NESCOM), Pakistan Atomic Energy Commission (PAEC).

XI. Key Government Agencies


A. United States:
• Department of Homeland Security (DHS): Protects people and physical/informational
assets.
• FBI's National InfraGard Program: A public-private partnership for sharing
information on threats and vulnerabilities.
• National Security Agency (NSA): Responsible for signals intelligence (SIGINT) and
protecting U.S. government information systems.
• U.S. Secret Service: Investigates computer fraud and false identification crimes.
B. Pakistan:
• Intelligence & Security: Inter-Services Intelligence (ISI), Intelligence Bureau (IB),
Federal Investigation Agency (FIA), National Counter Terrorism Authority (NCTA),
National Accountability Bureau (NAB).
• Financial: State Bank of Pakistan (SBP), Pakistan Customs.
• Key Ministries: Ministry of Interior, Ministry of Defence, Ministry of Finance, Ministry
of Science and Technology.

Lecture 4

I. Introduction to Security Documentation Hierarchy
An effective information security program is built on a foundation of clear, layered
documentation. This hierarchy ensures that security intentions are translated from broad
principles into specific, actionable steps. The key components, from most general to most
specific, are: Policy, Standard, Practice, Guideline, and Procedure.

II. The Components of the Security Documentation Hierarchy


1. Policy
• Definition: A high-level, formal statement of management's intent, philosophy, and
overall direction regarding security. It outlines what needs to be achieved and why.
• Purpose: To establish a framework for security within the organization and assign
overall responsibilities.
• Characteristic: Broad, strategic, and mandatory. It is the "law" within the organization.
• Example:
o Policy Statement: "Employees must use strong passwords on their accounts.
Passwords must be changed regularly and protected against disclosure."
2. Standard
• Definition: A mandatory, specific requirement that provides detailed, quantifiable rules
to support and enforce a policy. It defines exactly how the policy will be implemented in
a uniform way.
• Purpose: To ensure consistency and measurability across the organization. There is
typically little room for deviation from a standard.
• Characteristic: Specific, detailed, and compulsory.
• Example (Supporting the Password Policy):
o Standard: "Passwords must be at least 10 characters long and incorporate at least
one lowercase letter, one uppercase letter, one numerical digit (0–9), and one
special character permitted by our system (&%$#@!). Passwords must be
changed every 90 days, and must not be written down or stored on insecure
media."
3. Practice (or Best Practice)
• Definition: Recommendations and guidance from authoritative external sources (e.g.,
US-CERT, NIST, ISO). Practices are often adopted or adapted by an organization to
inform the creation of its own standards and guidelines.
• Purpose: To leverage industry knowledge and proven methods to enhance the
organization's security posture.
• Characteristic: Not mandatory internally but represents a consensus on effective
security measures.
• Example (From US-CERT):
o Use a minimum password length of 15 characters for administrator accounts.
o Require the use of alphanumeric passwords and symbols.
o Enable password history limits to prevent the reuse of previous passwords.
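The password standard above (10 characters, each character class, one of &%$#@!, 90-day change) and the US-CERT practice points (15 characters for administrators, password history) can be expressed as an executable check. The following is an added example, not code from the lecture; the history depth of 5 and the "admin" profile are assumptions.

```python
from typing import List, Sequence
from datetime import date

# Values below encode the password standard stated in the lecture:
# at least 10 characters, one lowercase, one uppercase, one digit and one
# special character from the permitted set (&%$#@!), changed every 90 days.
STANDARD_MIN_LENGTH = 10
PERMITTED_SPECIALS = frozenset("&%$#@!")
MAX_PASSWORD_AGE_DAYS = 90
# The US-CERT practice quoted in the lecture raises the minimum length to
# 15 for administrator accounts; modelled here as a stricter profile.
ADMIN_MIN_LENGTH = 15
# How many previous passwords the history check remembers. The lecture
# only says "enable password history limits"; 5 is an assumed value.
HISTORY_DEPTH = 5


def check_password(candidate: str, history: Sequence[str] = (),
                   admin: bool = False) -> List[str]:
    """Return the rules the candidate violates; an empty list is compliant.
    `history` holds the user's previous passwords, most recent last. A real
    system would store salted hashes and compare hashes, never plaintext."""
    violations: List[str] = []
    min_len = ADMIN_MIN_LENGTH if admin else STANDARD_MIN_LENGTH
    if len(candidate) < min_len:
        violations.append(f"shorter than {min_len} characters")
    if not any(c.islower() for c in candidate):
        violations.append("no lowercase letter")
    if not any(c.isupper() for c in candidate):
        violations.append("no uppercase letter")
    if not any(c.isdigit() for c in candidate):
        violations.append("no digit (0-9)")
    if not any(c in PERMITTED_SPECIALS for c in candidate):
        violations.append("no permitted special character (&%$#@!)")
    if candidate in history[-HISTORY_DEPTH:]:
        violations.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return violations


def password_expired(last_changed_iso: str, today_iso: str) -> bool:
    """True once the standard's 90-day change interval has elapsed.
    Dates are ISO strings (YYYY-MM-DD) as a directory export would hold."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days >= MAX_PASSWORD_AGE_DAYS


if __name__ == "__main__":
    # Constructed samples plus the lecture's own guideline example J3d13bbl.
    for pw in ("Tr1pwire#Jedi", "J3d13bbl"):
        print(pw, "->", check_password(pw) or "compliant")
```

Running the lecture's guideline samples through the check shows that a memorable password can still fail the standard (J3d13bbl is too short and uses no permitted special character).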
4. Guideline
• Definition: Non-mandatory, flexible recommendations intended to help users comply
with policies and standards. They suggest methods but allow for discretion based on
specific situations.
• Purpose: To assist users in making secure choices, especially when a strict rule isn't
practical. They often provide helpful tips or examples.
• Characteristic: Advisory and flexible.
• Example (Guidelines for Creating Memorable, Strong Passwords from NIST):
o Mnemonic Method: Use the first letters of a phrase. E.g., "May the force be with
you always, young Jedi" becomes Mtfbwya-yJ.
o Altered Passphrases: Modify a known phrase. E.g., "Never Give Up! Never
Surrender!" becomes [Link]!-[Link]!.
o Combining and Altering Words: Merge and modify unrelated words. E.g., "Jedi
Tribble" becomes J3d13bbl.
5. Procedure
• Definition: Step-by-step, detailed instructions that outline the exact sequence of actions
required to accomplish a specific task in compliance with a policy.
• Purpose: To ensure tasks are performed consistently, correctly, and securely by all
personnel.
• Characteristic: Highly detailed, specific, and instructional.
• Example (Procedure for Changing a Password):
1. Log in using your current (old) password.
2. On your organizational portal home page, click the [Tools] Menu option.
3. Select [Change Password].
4. Enter your old password in the first field and your new password in the second.
Re-enter the new password to confirm.
5. Log out and log back in with your new password.

III. Types of Security Policies


The hierarchy of documents (Policy, Standard, Guideline, Procedure) is used to create different
types of security policies that target various levels of the organization.
1. Enterprise Information Security Policy (EISP):
o Also known as a Security Program Policy or Master Policy.
o Purpose: A very high-level policy that sets the strategic direction, scope, and tone
for all security efforts within the entire organization. It defines the security
program's purpose, objectives, and assigns overall responsibilities.
2. Issue-Specific Security Policy (ISSP):
o Purpose: Addresses specific areas of technology or use. It provides detailed
guidance on the acceptable use of systems and information for a particular issue.
o Examples: An Acceptable Use Policy (AUP) for internet and email, a Password
Policy, a Remote Access Policy.
3. Systems-Specific Security Policy (SysSP):
o Purpose: The most granular type of policy. It provides mandatory guidance
specifically for the configuration and management of individual systems or types
of systems (e.g., firewalls, servers, network devices). SysSPs often combine
statements of policy with specific standards and procedures.
o Examples: A Web Server Security Standard, a Firewall Access Control List
(ACL) Configuration Procedure.
