Security objectives
Confidentiality
Integrity
– value
• valuable data have to be classified and protected
– age
• with the passage of time, the value of data might decrease
– useful life
• outdated data does not usually need protection at all
– personal association
• data that contains the personal information of individuals needs to be
classified for situations arising because of court orders, government contracts,
and senior-level approvals
Protection of data - methods
• encryption
– by public or private key algorithms so that the data can be accessed only by
authorized users
• review and approve
– any change in data is reviewed and approved by an authorized person, and
this person should be different from the person who has performed this
change
• backup and recovery
– all data including critical data should be backed up
• separation of duties
– ensures that no individual has complete control over a process, which avoids
fraudulent activities
• access control
– defines different access levels for different processes such as reading,
updating, altering, and deleting data
– administration defines access rights for protected resources
Information classification roles
• Three major roles that are applicable to any type of
organization:
– Owner
– Custodian
– User
• Depending on the type of organization, an individual
may be required to perform the responsibilities of
multiple roles
• In a small organization, an individual may be required
to perform the tasks of an owner as well as a custodian
• For larger organizations, it is advisable to assign a role
with each level of security
Information classification roles (cont.)
• Owner
– usually part of an organization's management and is responsible
for the protection and use of a particular set of data
– responsible for:
• deciding the classification levels of data and for altering them
according to changing business needs
• defining security controls as per the data classification to ensure data
protection
• defining the access rights applicable to data as per the data
classification and the value of the data
– delegates these tasks:
• approval of access requests
• backup and recovery tasks
• approval for data disclosure
• security violation notification dealings
Information classification roles (cont.)
• Custodian
– an IT person responsible for maintaining the integrity
and availability of data for the data owner
– responsible for:
• backing up data regularly according to the backup
specifications provided by the data owner
• restoring lost or corrupted data to provide normal
functioning in case of system failure
• ensuring that data is available for performing business
activities
• maintaining records of activity for the analysis of data to
meet security policies and standards for data protection
Information classification roles (cont.)
• User
– an employee or vendor of a company who uses
data to perform work-related tasks
– responsible for:
• maintaining the confidentiality of passwords and
ensuring the security of the data used by him
• following all security procedures and guidelines and
promptly reporting any security violation to the
company
• using the data only to perform official duties and not
for any personal gain
Policies, Standards, and Guidelines
Role of a security group
• The objectives of a security management program implemented by
an organization are defined by the CIA triad
• Various threats affect the objectives of the security management
program of an organization
• A security management program consists of policies, standards,
baselines, and guidelines that help the organization lay down
stringent security measures and secure the organization as a whole
• It is necessary for each employee to understand the corporate
security strategies laid down by the organization
• The responsibility of drafting the security management program of
an organization lies with the security group, led by the information
security officer
Duties of security officer
• Duty of loyalty
– ensures that the senior management (including security officer) of an
organization does not reveal or use the organization's protected information
for personal gain
• Duty of care
– ensures that the organization is responsible for taking care of its employees
and resources by developing and implementing security policies, procedures,
and standards
• Some legal concepts associated with the duty of loyalty and the duty of
care
– conflict of interest
– confidentiality
– duty of fairness
– corporate opportunity (requires an individual not to divulge any company
information related to mergers, acquisitions, or patents for personal gain)
Security management program
• The security officer and the top management need to identify and
evaluate the possible threats and risks within the organization and take
proper remedial action. This process of risk assessment forms a part of
due diligence
• To avoid threats and risks, the security officer and the top management
need to specify functions to address these issues
• Basic functions in most security programs
[Diagram: Safeguard → directly affects → Risk → can damage → Asset → and causes an → Exposure → can be countermeasured by a → Safeguard]
[Risk rating matrix: rows are likelihood, columns are consequence from lowest to highest; the column headings were not recoverable, the rating letters are as on the slide]
Likelihood            Consequence (lowest → highest)
5. Almost Certain     H   H   E   E   E
4. Likely             M   H   H   E   E
3. Possible           L   M   H   E   E
2. Unlikely           L   L   M   H   E
1. Rare               L   L   M   H   H
Performing risk assessment
• Terms
– Exposure Factor (EF)
• expressed as a percent
• represents the magnitude of asset loss caused by the identified
threat
– Single Loss Expectancy (SLE)
• represents the amount of loss incurred because of a single type of
identified threat
– Annualized Rate of Occurrence (ARO)
• represents the annual frequency of the occurrence of a threat
– Annualized Loss Expectancy (ALE)
• gives the value of loss that will be incurred annually in case of a
threat
• this value helps an organization decide the amount it needs to
spend on protection against the threat
Performing risk assessment - Calculations
• Exposure Factor (EF) (%)
– exposure factor = percentage of asset loss caused by the identified
threat
• Single Loss Expectancy (SLE) ($)
– single loss expectancy = asset value * exposure factor
• Annualized Rate of Occurrence (ARO)
– annualized rate of occurrence = annual frequency of occurrence of a
threat
– The range can be from 0.0 (never) to 1.0 (at least once a year) to
greater than one (several times a year) and anywhere in between
• Annualized Loss Expectancy (ALE)
– annualized loss expectancy = single loss expectancy * annualized rate
of occurrence
Example 1
• Data warehouse has the asset value of $150,000;
it was estimated that if a fire were to occur, 25
percent of the warehouse would be damaged
(and not more, because of a sprinkler system and
other fire controls, proximity of a firehouse, and
so on).
What is the value of single loss expectancy (SLE)?
• If the frequency of a fire taking place has an
annualized rate of occurrence (ARO) value of 0.1
(indicating once in ten years), then what is the
value of annualized loss expectancy (ALE)?
Answer
• SLE = asset value * EF
• SLE = $150,000 * 0.25 = $37,500
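The calculations above (EF, SLE, ARO, ALE) and the cost/benefit use of the ALE carried through in code, as an added example that is not part of the original slides. The fire scenario uses the numbers from Example 1; the other threat scenarios, the safeguard figures and the function names are constructed for illustration. The safeguard-value formula (ALE before minus ALE after minus annual cost of the safeguard) is the standard quantitative cost/benefit formula and is an assumption here, since the slides only say the ALE feeds the cost/benefit analysis.

```python
"""Quantitative risk assessment: EF, SLE, ARO and ALE, plus the cost/benefit
value of a safeguard. Added example; the fire scenario uses the numbers from
Example 1, the other scenarios and the safeguard costs are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    asset_value: float      # asset value in dollars
    exposure_factor: float  # fraction of the asset lost per occurrence (the slide's EF %, as 0.0-1.0)
    aro: float              # annualized rate of occurrence: 0.0 never, 1.0 once a year, > 1 several times a year

    def __post_init__(self) -> None:
        # Guard the inputs: EF is a percentage, asset value and ARO cannot be negative
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: exposure factor must be between 0.0 and 1.0")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: asset value and ARO must be non-negative")


def single_loss_expectancy(s: ThreatScenario) -> float:
    """SLE = asset value * exposure factor (loss from one occurrence of the threat)."""
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: ThreatScenario) -> float:
    """ALE = SLE * ARO (expected loss from this threat per year)."""
    return single_loss_expectancy(s) * s.aro


def safeguard_value(s: ThreatScenario, residual_ef: float, residual_aro: float,
                    annual_cost: float) -> float:
    """Cost/benefit value of a safeguard:
    (ALE before safeguard) - (ALE after safeguard) - (annual cost of safeguard).
    Assumption: standard CISSP formula, not stated on the slides. A positive
    result means the safeguard saves more than it costs each year."""
    after = replace(s, exposure_factor=residual_ef, aro=residual_aro)
    return annualized_loss_expectancy(s) - annualized_loss_expectancy(after) - annual_cost


def rank_by_ale(scenarios):
    """Order threats by ALE, highest first, so protection spend goes where expected loss is largest."""
    return sorted(scenarios, key=annualized_loss_expectancy, reverse=True)


# Example 1 from the slides: $150,000 warehouse, 25% damaged by a fire, a fire once in ten years.
FIRE = ThreatScenario("fire", asset_value=150_000, exposure_factor=0.25, aro=0.1)

# Constructed scenarios for the ranking (not from the slides).
LAPTOP_THEFT = ThreatScenario("laptop theft", asset_value=5_000, exposure_factor=1.0, aro=2.0)
FLOOD = ThreatScenario("flood", asset_value=150_000, exposure_factor=0.60, aro=0.02)

if __name__ == "__main__":
    print(f"SLE(fire) = ${single_loss_expectancy(FIRE):,.2f}")   # $37,500.00
    print(f"ALE(fire) = ${annualized_loss_expectancy(FIRE):,.2f}")  # $3,750.00
    # Constructed safeguard: better suppression cuts EF to 10%, same ARO, costs $1,000 a year.
    print(f"Value of suppression upgrade = ${safeguard_value(FIRE, 0.10, 0.1, 1_000):,.2f}")
    for s in rank_by_ale([FIRE, LAPTOP_THEFT, FLOOD]):
        print(f"{s.name:>13}: ALE ${annualized_loss_expectancy(s):,.2f}")
```

Running the module prints the fire SLE and ALE from Example 1, then the yearly value of the constructed suppression upgrade, then the three constructed threats ordered by ALE; the ranking is what answers question 11's point that the ALE is the loss potential of one threat over a year, and the safeguard value is the extra step question 10 refers to, where the ALE is only one input to the cost/benefit decision.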
Management
RISK MITIGATION
• Control selection
• Implementation
• Monitoring
RISK AVOIDANCE
• Discontinue activity
• Individuals
• Stewards (Application owners)
• Custodians
Individuals
– Each individual in an organization is responsible for
protecting the organization's assets
– An individual can perform different roles within the
organization
– data owner
• usually part of the senior management who is responsible
for
– classifying data
– reviewing data to meet changing business needs
– ensuring the implementation of security controls
– determining access rights, security, and backup requirements for
data
– acting on security violation notifications
Individuals (cont.)
• security administrator
– responsible for
• configuring security access controls according to data environments
• creating or deleting system user accounts and issuing passwords
• assigning access control privileges
• implementing and testing security software and patches
• security professional
– holds the functional responsibility of security and performs the sensitive operations stated by
his immediate manager
• security analyst
– is not part of the implementation team for security but determines the strategies and guidelines
for the overall security design of the organization
• senior manager
– holds the responsibility of multiple departments for protecting the company's assets by
performing a cost/benefit analysis of the security practices followed by the company.
Stewards
• The user is any person who uses data for performing job-related
activities
• The user is responsible for protecting the data by adhering to the
security policies and maintaining the confidentiality, integrity, and
availability of data
• Steward
– senior business managers responsible for the creation, maintenance,
and performance of information systems related to specific business
units
– responsibilities
• categorizing data based on the data-classification scheme
• classifying critical data effectively to meet contingencies
• defining validation rules for correct data input
• ensuring the training of data users
• understanding the uses and risks associated with data in order to provide
appropriate data access permissions
Custodians
• Custodian
– IT personnel responsible for the security and maintenance
of the information provided to them by stewards
• Responsibilities
– protecting information from unauthorized access and
modifications
– performing backups or restoring data according to the
requirements specified by the organization
– monitoring information systems to ensure compliance with
company policies and standards
– providing stewards with reports about information system
usage
Other roles in an organization
• change control analyst
– takes care of all the changes that take place in the organization's information
system
– responsibilities
• approving or rejecting change requests
• analyzing the impact of changes
• ensuring that changes do not lead to vulnerabilities
• testing all changes before they are rolled out
• data analyst
– ensures that an organization's data is properly structured and comprehensible
– responsibilities
• designing data structures and data models in compliance with business objectives
• designing the physical database structure
• helping the data owner develop data architectures
• recording metadata to manage databases
Other roles in an organization (cont.)
• process owner
– ensures that all processes in an organization are well defined to meet business
needs
– responsibilities
• defining data requirements and improving data quality for business processes
• defining, improving, and monitoring processes to make the processes effective
• resolving the data issues related to complex processes and the processes associated with
different application types
C. A company can have one specific data owner or different data owners who
have been delegated the responsibility of protecting specific sets of data. One
of the responsibilities that goes into protecting this information is properly
classifying it.
• 2. Which group causes the most risk of fraud
and computer compromises?
– A. Employees
– B. Hackers
– C. Attackers
– D. Contractors
D. The key to this question is the use of the word “ultimately.” Though
management can delegate tasks to others, it is ultimately responsible for
everything that takes place within a company. Therefore, it must continually
ensure that data and resources are being properly protected.
• 6. What is a procedure?
– A. Rules on how software and hardware must be
used within the environment
– B. Step-by-step directions on how to accomplish a
task
– C. Guidelines on how to approach security
situations not covered by standards
– D. Compulsory actions
B. Standards are rules that must be followed; thus, they are compulsory.
Guidelines are recommendations, while procedures are step-by-step
instructions.
• 7. Which factor is the most important item
when it comes to ensuring security is
successful in an organization?
– A. Senior management support
– B. Effective controls and implementation methods
– C. Updated and relevant security policies and
procedures
– D. Security awareness by all employees
D. Companies may decide to live with specific risks they are faced with if the
cost of trying to protect themselves would be greater than the potential loss
if the threat were to become real. Countermeasures are usually complex to a
degree, and there are almost always political issues surrounding different
risks, but these are not reasons to not implement a countermeasure.
• 9. What are security policies?
– A. Step-by-step directions on how to accomplish
security tasks
– B. General guidelines used to accomplish a specific
security level
– C. Broad, high-level statements from the
management
– D. Detailed documents explaining how security
incidents should be handled
C. A security policy captures senior management’s perspectives and directives
on what role security should play within the company. Security policies are
usually general and use broad terms so they can cover a wide range of items.
• 10. Which is the most valuable technique
when determining if a specific security control
should be implemented?
– A. Risk analysis
– B. Cost/benefit analysis
– C. ALE results
– D. Identifying the vulnerabilities and threats
causing the risk
B. Although the other answers may seem correct, B is the best answer here.
This is because a risk analysis is performed to identify risks and come up with
suggested countermeasures. The ALE tells the company how much it could
lose if a specific threat became real. The ALE value will go into the
cost/benefit analysis, but the ALE does not address the cost of the
countermeasure and the benefit of a countermeasure. All the data captured
in answers A, C, and D are inserted into a cost/benefit analysis.
• 11. Which best describes the purpose of the
ALE calculation?
– A. Quantifies the security level of the environment
– B. Estimates the loss possible for a
countermeasure
– C. Quantifies the cost/benefit result
– D. Estimates the loss potential of a threat in a span
of a year
D. The ALE calculation estimates the potential loss that can affect one asset
from a specific threat within a one-year time span. This value is used to figure
out the amount of money that should be earmarked to protect this asset
from this threat.
• 12. Tactical planning is:
– A. Midterm
– B. Long term
– C. Day-to-day
– D. Six months
C. The functionality describes how a mechanism will work and behave. This
may have nothing to do with the actual protection it provides. Assurance
is the level of confidence in the protection level a mechanism will provide.
When systems and mechanisms are evaluated, their functionality and
assurance should be examined and tested individually.
• 16. Which statement is true when looking at security
objectives in the private business sector versus the
military sector?
– A. Only the military has true security.
– B. Businesses usually care more about data integrity and
availability, whereas the military is more concerned with
confidentiality.
– C. The military requires higher levels of security because
the risks are so much higher.
– D. The business sector usually cares most about data
availability and confidentiality, whereas the military is
most concerned with integrity.
A. The other three answers are the main reasons to carry out a risk analysis.
An analysis is not carried out to delegate responsibilities. Management will
take on this responsibility once the results of the analysis are reported to it
and it understands what actually needs to be carried out.
• 19. Which of the following is not a
management role in the process of
implementing and maintaining security?
– A. Support
– B. Performing risk analysis
– C. Defining purpose and scope
– D. Delegating responsibility
C. An analysis is only as good as the data that goes into it. Data pertaining to
risks the company faces should be extracted from the people who understand
best the business functions and environment of the company. Each
department understands its own threats and resources, and may have
possible solutions to specific threats that affect its part of the company.