Security Management
Module 2: Security Management
Chapter I: Security Management Practices
1. Overview of Security Management
2. Information Classification Process
3. Security Policy
4. Security Procedures and Guidelines
5. Business Continuity and Disaster Recovery Planning
6. Risk Management
7. Ethics and Best Practices
Terms you’ll need to understand:
✓ Confidentiality
✓ Integrity
✓ Availability
✓ Threat
✓ Vulnerability
✓ Public/private data classification
✓ Risk
• Security management addresses the identification of the
organization’s information assets.
• The security-management domain also introduces some critical
documents, such as policies, procedures, and guidelines.
• Senior management helps point out the general direction, and risk-
assessment and risk-analysis activities are used to determine where
protective mechanisms should be placed.
• Finally, it’s important to not forget the employees. Employees need
to be trained on what good security is and what they can do to
ensure that good security is always practiced in the workplace.
Five Broad Categories of Security Management Practices
Risk assessment
Policy
Implementation
Training and education
Auditing the security infrastructure
The Risk of Poor Security Management
• Without policies and security management controls in
place, the organization is exposed to a host of internal and
external risks.
• Examples of internal threats include leakage of
sensitive data, theft, legal liability, and corruption of
data.
• External threats include natural disasters, spyware,
viruses, worms, and Trojan programs.
• Failure to deal with these threats can lead to loss of
information assets, reduced profits, civil or criminal
suits, or even the demise of the company.
The Role of CIA
• The three fundamental properties on which security is built,
confidentiality, integrity, and availability, are together known as the CIA triad.
Fig: CIA Security triad
Confidentiality
• Confidentiality: The concept of keeping private information
away from individuals who should not have access.
• Any time information is disclosed to someone not authorized to
see it, whether through an attack or by accident, confidentiality is lost.
• As an example, if Black Hat Bob can intercept an email
between the CEO and the CIO and learn their latest plans,
confidentiality has been broken and there is a lapse of security.
• Other attacks on confidentiality include sniffing, keystroke
monitoring, and shoulder surfing.
Integrity
• The concept of integrity means that data is consistent and that
it hasn’t been modified without authorization.
• Unwanted modification can come from an authorized or an
unauthorized individual or process, deliberately or by mistake.
• Integrity controls must therefore guard data both while it is in
storage and while it is in transit.
• For example, if I could access my bank account and change
the bank balance by adding a few zeroes . . . well, that’s not
such a big deal to me, but the bank might not be happy
because they would suffer a serious lapse of integrity.
Availability
• The concept of availability is pretty straightforward. You
should have reliable and timely access to the data and
resources you are authorized to use.
• A good example of a loss of availability is a DoS attack. No, it
doesn’t give the perpetrator access, but it does prevent
legitimate users from using the resource.
• A Denial-of-Service (DoS) attack is an attack meant to shut
down a machine or network, making it inaccessible to its
intended users. DoS attacks accomplish this by flooding the
target with traffic, or sending it information that triggers a
crash.
Risk Assessment
• A risk assessment is the process of identifying and prioritizing
risks to the business.
• Without an assessment, it is impossible to design good
security policies and procedures that will defend your
company’s critical assets.
• Risk assessment requires individuals to take charge of the risk
management process. These can be either senior management
or lower-level employees.
Risk Management
• Risk management is the act of determining what threats your
organization faces, analyzing your vulnerabilities to assess the
threat level, and determining how you will deal with the risk.
• The following definitions are important to know for risk
management:
• Threat—A natural or man-made event that could have some
type of negative impact on the organization.
• Vulnerability—A flaw, loophole, oversight, or error that can
be exploited to violate system security policy.
• Controls—Mechanisms used to restrain, regulate, or reduce
vulnerabilities. Controls can be corrective, detective,
preventive, or deterrent.
The following figure displays the relationship
among threats, vulnerabilities, and controls.
Identifying the threats and vulnerabilities
Placing values on Assets
• You need to put a value on the organization’s assets. There are two
ways to assess value: quantitative assessment and qualitative
assessment.
• Quantitative Assessment: Quantitative assessment deals with
numbers and dollar amounts. It attempts to assign a cost
(monetary value) to the elements of risk assessment and to the
assets and threats of a risk analysis.
• Qualitative Assessment: Qualitative assessment is scenario
driven and does not attempt to assign dollar values to
components of the risk analysis.
Handling Risk
Risk can be dealt with in four general ways, either
individually or in combination.
➤ Risk reduction—Implement a countermeasure to alter or
reduce the risk.
➤ Risk transference—Purchase insurance to transfer a portion
or all of the potential cost of a loss to a third party.
➤ Risk acceptance—Deal with risk by accepting the potential
cost and loss if the risk occurs.
➤ Risk rejection—Pretend that the risk doesn’t exist and ignore
it.
Although this is not a prudent course of action, it is one that
some organizations choose to take.
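The quantitative and qualitative assessments above, carried through to a handling decision, as an added example that is not part of the original notes. It uses the standard quantitative formulas SLE = AV × EF (single loss expectancy) and ALE = SLE × ARO (annualized loss expectancy), which the notes do not spell out, and a likelihood × impact matrix for the qualitative case. All asset values, exposure factors, rates, premiums and scenarios are constructed sample figures.

```python
"""Quantitative and qualitative risk assessment, and choosing a handling option.

Added example (not from the original notes). Quantitative part uses the
standard formulas SLE = AV * EF and ALE = SLE * ARO; the qualitative part
uses a likelihood x impact matrix. Every dollar figure, exposure factor,
rate and scenario below is a constructed sample value.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    name: str
    asset_value: float      # AV: what the asset is worth, in dollars
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        return self.sle() * self.aro


@dataclass
class Countermeasure:
    name: str
    annual_cost: float   # purchase plus maintenance, spread per year
    ef_after: float      # exposure factor once the control is in place
    aro_after: float     # incidents per year once the control is in place


def control_value(risk: Risk, cm: Countermeasure) -> float:
    """(ALE before) - (ALE after) - (annual cost). Positive means the control
    prevents more loss than it costs, so risk reduction is justified."""
    residual = Risk(risk.name, risk.asset_value, cm.ef_after, cm.aro_after)
    return risk.ale() - residual.ale() - cm.annual_cost


def recommend(risk: Risk, cm: Countermeasure,
              insurance_premium: Optional[float] = None,
              tolerance: float = 0.0) -> str:
    """Map the numbers onto the handling options from the notes.
    Rejection (ignoring the risk) is never returned: it is not a decision."""
    if risk.ale() <= tolerance:
        return "accept"              # expected loss is within appetite
    if control_value(risk, cm) > 0:
        return "reduce"              # countermeasure pays for itself
    if insurance_premium is not None and insurance_premium < risk.ale():
        return "transfer"            # cheaper to insure than to absorb
    return "accept"                  # nothing cheaper than taking the loss


# --- qualitative: rank scenarios without dollar values -------------------
SCALE = {"low": 1, "medium": 2, "high": 3}


def qualitative_score(likelihood: str, impact: str) -> int:
    return SCALE[likelihood] * SCALE[impact]


def prioritize(scenarios: List[Tuple[str, str, str]]) -> List[Tuple[str, int]]:
    """Order (name, likelihood, impact) scenarios from highest to lowest score."""
    ranked = [(name, qualitative_score(lk, im)) for name, lk, im in scenarios]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


# --- constructed sample data (not real figures) ---------------------------
WEB_SERVER = Risk("web server compromise", asset_value=100_000.0,
                  exposure_factor=0.25, aro=0.5)
WAF = Countermeasure("web application firewall", annual_cost=5_000.0,
                     ef_after=0.25, aro_after=0.125)
SCENARIOS = [("ransomware", "high", "high"),
             ("datacenter flood", "low", "high"),
             ("print server outage", "high", "low")]

if __name__ == "__main__":
    print(f"SLE ${WEB_SERVER.sle():,.0f}  ALE ${WEB_SERVER.ale():,.0f}")
    print(f"value of {WAF.name}: ${control_value(WEB_SERVER, WAF):,.0f}")
    print("recommendation:", recommend(WEB_SERVER, WAF, insurance_premium=10_000.0))
    print("qualitative ranking:", prioritize(SCENARIOS))
```

With the sample figures the server has an SLE of $25,000 and an ALE of $12,500; the firewall cuts residual ALE to $3,125, so after its $5,000 annual cost it still returns $4,375 a year and "reduce" wins over insuring or accepting. Raise the tolerance above the ALE and the same function returns "accept", which is the point: the handling choice should follow from the numbers, not from habit.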
Policies, Procedures, Standards, Baselines, and Guidelines
The assessment should help drive policy creation on items
such as these:
➤ Passwords
➤ Patch management
➤ Employee hiring and termination practices
➤ Backup practices and storage requirements
➤ Security awareness training
➤ Antivirus
➤ System setup and configuration
Security Policy
• Policies are the top tier of formalized security documents. These
high level documents offer a general statement about the
organization’s assets and what level of protection they should have.
• Well-written policies should spell out who’s responsible for security,
what needs to be protected, and what is an acceptable level of risk.
They are much like a strategic plan because they outline what
should be done but don’t specifically dictate how to accomplish the
stated goals.
• Those decisions are left for standards, baselines, and procedures.
• Security policies can be written to meet advisory, informative, and
regulatory needs.
Advisory Policy
• The job of an advisory policy is to ensure that all employees know
the consequences of certain behavior and actions. Here’s an example
advisory policy:
• Illegal copying: Employees should never download or install any
commercial software, shareware, or freeware onto any network
drives or disks unless they have written permission from the
network administrator.
• Be prepared to be held accountable for your actions, including the
loss of network privileges, written reprimand, probation, or
employment termination if the Rules of Appropriate Use are
violated.
Informative Policy
• This type of policy isn’t designed with enforcement in mind; it is
developed for education. Its goal is to inform and enlighten
employees. The following is an example informative policy:
• In partnership with Human Resources, the employee ombudsman’s job is to
serve as an advocate for all employees, providing mediation
between employees and management. This job is to help investigate
complaints and mediate fair settlements when a third party is
requested.
Regulatory Policy
• These policies are used to make certain that the organization
complies with local, state, and federal laws. An example regulatory
policy might state:
• Because of recent changes to Texas State law, The Company will
now retain records of employee inventions and patents for 10 years;
all email messages and any backup of such email associated with
patents and inventions will be stored for one year.
• Standards: Standards are tactical documents
because they lay out specific steps or processes
required to meet a certain requirement.
• Baselines: A baseline is a minimum level of
security that a system, network, or device must
adhere to. Baselines are usually mapped to
industry standards.
• Guidelines: A guideline points to a statement in a
policy or procedure by which to determine a
course of action. It’s a recommendation or
suggestion of how things should be done. It is
meant to be flexible so it can be customized for
individual situations.
• Procedures: Procedures are the lowest level in the policy
chain. They are detailed, step-by-step instructions for
carrying out a task so that it meets the policy, standard, or
baseline it supports, such as how to build a server to the
baseline or how to revoke a departing employee’s access.
Unlike guidelines, procedures are mandatory.
Data Classification
• Data classification is a useful way to rank an organization’s information
assets.
• The two most common data-classification schemes are military and
public/private.
• Companies store and process so much electronic information about their
customers and employees that it’s critical for them to take appropriate
precautions to protect this information.
• When an organization decides which model to use, it can evaluate data
placement by using criteria such as the following:
➤ The value of the data
➤ Its age
➤ Laws
➤ Regulations pertaining to its disclosure
➤ Replacement cost
Military Data Classification
• The military data-classification system is widely used within the
Department of Defense. This system has five levels of classification:
➤ Unclassified
➤ Sensitive but unclassified (SBU)
➤ Confidential
➤ Secret
➤ Top secret
Public/Private Data Classification
The public or commercial data classification is built on a four-
level model, listed here from least to most sensitive:
➤Public—This information might not need to be disclosed, but if it
is, it shouldn’t cause any damage.
➤Sensitive—This information requires a greater level of protection
to prevent loss of confidentiality.
➤Private—This information is for company use only, and its
disclosure would damage the company.
➤Confidential—This is the highest level of sensitivity, and
disclosure could cause extreme damage to the company.
Roles and Responsibilities
The following list highlights some general areas of responsibility
different organizational roles should be held to regarding
organizational security.
➤Data owner—Usually a member of senior management. The data
owner can delegate some day-to-day duties but cannot delegate total
responsibility.
➤Data custodian—This is usually someone in the IT department. The
data custodian does not decide what controls are needed, but he/ she
does implement controls on behalf of the data owner. Other
responsibilities include the day-to-day management of the asset.
Controlling access, adding and removing privileges for individual
users, and ensuring that the proper controls have been implemented
are all part of the data custodian’s daily tasks.
➤ User—This is the end user in an organization. They must comply
with the requirements laid out in policies and procedures. They must
also practice due care.
➤ Security auditor—This is the person who examines an
organization’s security procedures and mechanisms. How often this
process is performed depends on the industry and its related
regulations. As an example, the health care industry is governed by
the Health Insurance Portability and Accountability Act (HIPAA),
whose Security Rule requires covered entities to periodically evaluate
their security safeguards. Regardless of the industry, senior management
should document and approve the audit process.
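The public/private classification scheme and the role split above (owner labels, custodian grants, user reads, auditor reviews), put into working code as an added example that is not part of the original notes. It assumes two enforcement rules the notes do not state explicitly: a reader’s clearance must be at or above the document’s label (no read-up), and anything above Public also needs an explicit need-to-know entry maintained only by the custodian. Unlabelled documents are refused (fail closed). All users, documents and labels are constructed sample data.

```python
"""Applying the four-level commercial classification with the roles above.

Added example (not from the original notes). Assumed enforcement model:
clearance must dominate the label, plus explicit need-to-know for anything
above Public. Only the owner may set a label; only the custodian may grant
or revoke; every decision is logged for the auditor. All users, documents
and labels below are constructed sample data.
"""
from enum import IntEnum
from typing import Dict, List, Set, Tuple


class Level(IntEnum):
    """Ordered so that '>=' reads 'at least as sensitive as'."""
    PUBLIC = 0
    SENSITIVE = 1
    PRIVATE = 2
    CONFIDENTIAL = 3


class Repository:
    def __init__(self) -> None:
        self.roles: Dict[str, str] = {}           # user -> owner|custodian|user|auditor
        self.clearance: Dict[str, Level] = {}     # user -> highest label they may see
        self.labels: Dict[str, Level] = {}        # doc -> label set by the owner
        self.acl: Dict[str, Set[str]] = {}        # doc -> users with need-to-know
        self.audit_log: List[Tuple[str, str, str, bool]] = []

    def _log(self, actor: str, action: str, target: str, ok: bool) -> bool:
        self.audit_log.append((actor, action, target, ok))
        return ok

    def classify(self, actor: str, doc: str, level: Level) -> bool:
        """Only the data owner decides how sensitive a document is."""
        if self.roles.get(actor) != "owner":
            return self._log(actor, "classify", doc, False)
        self.labels[doc] = level
        self.acl.setdefault(doc, set())
        return self._log(actor, "classify", doc, True)

    def grant(self, actor: str, user: str, doc: str) -> bool:
        """Custodian adds need-to-know on the owner's behalf. It cannot change
        a label and cannot act on a document that was never labelled."""
        if self.roles.get(actor) != "custodian" or doc not in self.labels:
            return self._log(actor, "grant", f"{user}->{doc}", False)
        self.acl[doc].add(user)
        return self._log(actor, "grant", f"{user}->{doc}", True)

    def revoke(self, actor: str, user: str, doc: str) -> bool:
        if self.roles.get(actor) != "custodian" or doc not in self.labels:
            return self._log(actor, "revoke", f"{user}->{doc}", False)
        self.acl[doc].discard(user)
        return self._log(actor, "revoke", f"{user}->{doc}", True)

    def can_read(self, user: str, doc: str) -> bool:
        """Fail closed: an unlabelled document is never released."""
        label = self.labels.get(doc)
        if label is None:
            return self._log(user, "read", doc, False)
        cleared = self.clearance.get(user, Level.PUBLIC) >= label
        need_to_know = label == Level.PUBLIC or user in self.acl[doc]
        return self._log(user, "read", doc, cleared and need_to_know)

    def audit(self, actor: str) -> List[Tuple[str, str, str, bool]]:
        """Auditor (or owner) pulls the denied decisions; nobody else sees the log."""
        if self.roles.get(actor) not in ("auditor", "owner"):
            return []
        return [e for e in self.audit_log if not e[3]]


def build_sample() -> Repository:
    """Constructed sample organisation."""
    r = Repository()
    r.roles = {"alice": "owner", "bob": "custodian", "carol": "user",
               "dave": "user", "erin": "auditor"}
    r.clearance = {"alice": Level.CONFIDENTIAL, "bob": Level.PRIVATE,
                   "carol": Level.PRIVATE, "dave": Level.PRIVATE,
                   "erin": Level.SENSITIVE}
    return r


def sample_decisions() -> Dict[str, bool]:
    """Run the roles through the repository and return each decision."""
    r = build_sample()
    out = {
        "user_classifies": r.classify("carol", "merger-plan", Level.CONFIDENTIAL),
        "owner_classifies": all([
            r.classify("alice", "press-release", Level.PUBLIC),
            r.classify("alice", "salary-table", Level.PRIVATE),
            r.classify("alice", "merger-plan", Level.CONFIDENTIAL)]),
        "custodian_grants": r.grant("bob", "carol", "salary-table")
                            and r.grant("bob", "alice", "merger-plan"),
        "user_grants": r.grant("carol", "dave", "salary-table"),
        "carol_reads_public": r.can_read("carol", "press-release"),
        "carol_reads_private": r.can_read("carol", "salary-table"),
        "carol_reads_confidential": r.can_read("carol", "merger-plan"),  # read-up
        "dave_reads_private": r.can_read("dave", "salary-table"),  # no need-to-know
        "alice_reads_confidential": r.can_read("alice", "merger-plan"),
        "owner_reads_unlabelled": r.can_read("alice", "draft-notes"),
    }
    out["denials_visible_to_auditor"] = len(r.audit("erin")) > 0
    out["denials_visible_to_user"] = len(r.audit("dave")) > 0
    return out
```

Two denials are worth noticing: carol has need-to-know for the merger plan’s custodian entry but her clearance is only Private, so she is refused; dave has the clearance for the salary table but no need-to-know, so he is refused too. Both checks have to pass, and the auditor can see every refusal while an ordinary user cannot see the log at all.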
Security Controls
• The objective of security controls is to enforce the security
mechanisms the organization has developed.
• Security controls can be administrative, technical, or physical.
• With effective controls in place, risks and vulnerabilities can
be reduced to a tolerable level.
• Security controls are put in place to protect confidentiality, integrity,
and availability.
Security Controls : Administrative
Administrative controls are composed of the policies, procedures, guidelines, and
baselines an organization develops.
Administrative controls also include the mechanisms put in place to enforce and
control employee activity and access, such as the following:
➤Applicant screening—A valuable control that should be used during the hiring
process. Background checks, reference checks, and verification of educational
records should all be part of the screening process.
➤Employee controls—Common employee controls include detailed job
descriptions with defined roles and responsibilities, together with procedures
that mandate the rotation of duties, dual control over sensitive tasks, and
mandatory vacations.
➤ Termination procedures—A form of administrative control that should be in place
to address the termination of employees. Termination procedures should include
exit interviews, reviews, suspension of network access, and checklists verifying that
employees have returned all equipment they had in their care, such as remote-access
tokens, keys, ID cards, cellphones, pagers, credit cards, laptops, and software.
Security Controls : Technical
• Technical controls are the logical mechanisms used to control
access, authenticate users, identify unusual activity, and restrict
unauthorized access.
• Some of the devices used as technical controls include firewalls,
IDS systems, and authentication devices such as biometrics.
Technical controls can be hardware or software.
Security Controls : Physical
•Physical controls are the most visible type of control.
•Examples of physical controls include gates, guards, fences, locks,
CCTV systems, turnstiles, and mantraps.
•Because these controls can be seen, it’s important to understand that
people might attempt to find ways to bypass them.
Training and Education
•Right or wrong, employees believe that it is up to employers to
provide training.
•Without proper training, employees are generally unaware of how
their actions or activities can affect the security of the organization.
One of the weakest links in security is the people who work for the
company.
•Social engineering attacks prey on the fact that users are uneducated in
good security practices; therefore, the greatest defense against these
types of attacks is training, education, and security awareness (see
Figure 3.5).
Regardless of which program your company decides it needs, you can
use seven steps to help determine what type of security training to
sponsor:
1. Establish organizational technology objectives.
2. Conduct a needs assessment.
3. Find a training program that meets these needs.
4. Select the training methods and mode.
5. Choose a means of evaluating.
6. Administer training.
7. Evaluate the training.
Types of Training include the following:
➤ In-house training
➤ Web-based training
➤ Classroom training
➤ Vendor training
➤ On-the-job training
➤ Apprenticeship programs
➤ Degreed programs
➤ Continuing education programs
Security Awareness
Awareness programs can be effective in increasing employee
understanding of security. Security awareness training must be
developed differently for the various groups of employees that make up
the organization. Not only will the training vary, but the topics and
types of questions you’ll receive from the participants will also vary.
Successful employee awareness programs tailor the message to fit the
audience. These are three of the primary groups that security awareness
training should be targeted to
➤ Senior management—Don’t try presenting an in-depth technical
analysis to this group. They want to know the costs, benefits, and
ramifications if good security practices are not followed.
➤ Data custodians—This group requires a more structured
presentation on how good security practices should be implemented,
who is responsible, and what the individual and departmental cost is
for noncompliance.
➤ Users—This must align with an employee’s daily tasks and map
to the user’s specific job functions.
Auditing Your Security Infrastructure
• After all the previous items discussed in this chapter have been
performed, the organization’s security-management practices will
need to be evaluated periodically. This comes in the form of an audit
process. This is the only way you can verify that the controls put in
place are working, that the policies that were written are being
followed, and that the training provided to the employees actually
works. The audit process can also be used to verify that each
individual’s responsibility is clearly defined. Employees should
know their level of accountability and what is considered their
assigned duties.
Business Continuity and Disaster Recovery Planning
• Plans must be made to preserve business in case of disaster or
disruption of service.
There are two types of planning to recover from such cases:
Business Continuity Plan (BCP)
Disaster Recovery Plan (DRP)
• What is a disaster?
• An event for which no contingency plan exists is called a
disaster.
Ethics
• Laws: Set of rules that mandate or prohibit certain societal
behavior
• Ethics: define socially acceptable behavior
Importance of Ethics to Security
Information Security professionals are entrusted with the
crown jewels of an organization.
Ethical behavior, both on and off-the-job, is the
assurance that we are worthy of that trust.
Information security sets and upholds a standard
Promote uniform adherence to policy through example
Ethics and Information Security
Ethical Challenges in InfoSec
• Misrepresentation of certifications, skills
• Abuse of privileges
• Inappropriate monitoring
• Withholding information
• Divulging information inappropriately
• Overstating issues
• Conflicts of interest
• Management / employee / client issues