Chapter 3

Slide 1: Title Slide
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2nd ed.
Chapter 3: Security Policies, Standards, and Planning
By Whitman, Mattord, & Austin
2008 Course Technology
Firewalls & Network Security, 2nd ed. - Chapter 3

Slide 2: Learning Objectives
Upon completion of this material, you should be able to:
- Define management's role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines
- Describe an information security blueprint, identify its major components, and explain how it is used to support a network security program
- Discuss how an organization institutionalizes policies, standards, and practices using education, training, and awareness programs
- Explain contingency planning and describe the relationships among incident response planning, disaster recovery planning, business continuity planning, and contingency planning

Slide 3: Introduction
- To secure its network environment, an organization must establish a functional and well-designed information security program
- The information security program begins with creation or review of the organization's information security policies, standards, and practices
- Selection or creation of an information security architecture, together with development and use of a detailed information security blueprint, creates the plan for future success
- Without policy, blueprints, and planning, the organization's security needs will not be met

Slide 4: Information Security Policy, Standards, and Practices
- Management must consider policies as the basis for all information security efforts
- Policies direct how issues should be addressed and how technologies are used
- Security policies are the least expensive control to execute but the most difficult to implement properly
- Shaping policy is difficult because policy must:
  - Never conflict with laws
  - Stand up in court, if challenged
  - Be properly administered through dissemination and documented acceptance

Slide 5: Information Security Policy, Standards, and Practices (continued)
For a policy to be considered effective and legally enforceable:
- Dissemination (distribution): the organization must be able to demonstrate that the relevant policy has been made readily available for review by the employee
- Review (reading): the organization must be able to demonstrate that it disseminated the document in an intelligible form, including versions for illiterate, non-English-reading, and reading-impaired employees

Slide 6: Information Security Policy, Standards, and Practices (continued)
For a policy to be considered effective and legally enforceable (continued):
- Comprehension (understanding): the organization must be able to demonstrate that employees understand the requirements and content of the policy
- Compliance (agreement): the organization must be able to demonstrate that employees agree to comply with the policy through act or affirmation
- Uniform enforcement: the organization must be able to demonstrate that the policy has been uniformly enforced

Slide 7: Definitions
- Policy is a set of guidelines or instructions that an organization's senior management implements to regulate the activities of the members of the organization who make decisions, take actions, and perform other duties
- Policies are organizational laws
- Standards, on the other hand, are more detailed statements of what must be done to comply with policy
- Practices, procedures, and guidelines effectively explain how to comply with policy

Slide 8: Figure 3-1 Policies, Standards, & Practices

Slide 9: Enterprise Information Security Policy (EISP)
- EISP is also known as the general security policy, IT security policy, or information security policy
- Sets the strategic direction, scope, and tone for all security efforts within the organization
- Executive-level document, usually drafted by or with the CIO of the organization, and usually 2 to 10 pages long

Slide 10: Enterprise Information Security Policy (EISP) (continued)
Typically addresses compliance in two areas:
- General compliance, to ensure the organization meets the requirements to establish the program and the responsibilities assigned therein to various organizational components
- Use of specified penalties and disciplinary action

Slide 11: Enterprise Information Security Policy (EISP) Elements
- Overview of the corporate philosophy on security
- Information on the structure of the information security organization and the individuals who fulfill the information security role
- Fully articulated security responsibilities that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)
- Fully articulated security responsibilities that are unique to each role within the organization

Slide 12: Issue-Specific Security Policy (ISSP)
- Provides the guidelines needed to use various technologies and processes properly
- The ISSP:
  - Addresses specific areas of technology
  - Requires frequent updates
  - Contains an issue statement on the organization's position on an issue
- Three approaches:
  - Create several independent ISSP documents
  - Create a single comprehensive ISSP document
  - Create a modular ISSP document

Slide 13: Components of an Effective ISSP
1. Statement of policy
   a. Scope and applicability
   b. Definition of technology addressed
   c. Responsibilities
2. Authorized access and usage
   a. User access
   b. Fair and responsible use
   c. Protection of privacy
3. Prohibited usage
   a. Disruptive use or misuse
   b. Criminal use
   c. Offensive or harassing materials
   d. Copyrighted, licensed, or other intellectual property
   e. Other restrictions
4. Systems management
   a. Management of stored materials
   b. Employer monitoring
   c. Virus protection
   d. Physical security
   e. Encryption
5. Violations of policy
   a. Procedures for reporting violations
   b. Penalties for violations
6. Policy review and modification
   a. Scheduled review of policy and procedures for modification
7. Limitations of liability
   a. Statements of liability or disclaimers

Slide 14: Systems-Specific Policy (SysSP)
- SysSPs are frequently codified as the standards and procedures used when configuring or maintaining systems
- SysSPs fall into two groups:
  - Managerial guidance SysSPs: created by management to guide the implementation and configuration of technology as well as to regulate the behavior of people in the organization
  - Technical specifications SysSPs: technical policy or a set of configurations that implement the managerial policy

Slide 15: Systems-Specific Policy (SysSP) (continued)
Technical SysSPs are further divided into:
- Access control lists (ACLs): the user access lists, access control matrices, and capability tables that govern the rights and privileges of a particular user on a particular system
- Configuration rule policies: the specific configuration codes (rule sets) entered into security systems such as firewalls to govern how the system executes when it processes information

Slide 16: Policy Management
- Policies are living documents that must be managed and are constantly changing
- Special considerations should be made for organizations undergoing mergers, takeovers, and partnerships
- To remain viable, security policies must have:
  - An individual responsible for reviews
  - A schedule of reviews
  - A specific policy issuance and revision date

Slide 17: Frameworks and Industry Standards
- With a general idea of the vulnerabilities in its IT systems, the security team develops a security blueprint, which is used to implement the security program
- The security blueprint is the basis for the design, selection, and implementation of all security program elements, including policy implementation, ongoing policy management, risk management programs, education and training programs, technological controls, and maintenance of the security program

Slide 18: Frameworks and Industry Standards (continued)
- A security framework is an outline of the overall information security strategy and a roadmap for planned changes to the organization's information security environment
- A number of information security frameworks have been published, including ones from government sources
- Because each information security environment is unique, the security team may need to modify or adapt pieces from several frameworks

Slide 19: ISO 27000 Series
- One of the most widely referenced security models is the Information Technology Code of Practice for Information Security Management, originally published as British Standard 7799
- This Code of Practice was adopted as international standard ISO/IEC 17799 in 2000 and renumbered ISO/IEC 27002 in 2007
- The stated purpose of ISO/IEC 27002 is to give recommendations for information security management for use by those who are responsible for initiating, implementing, or maintaining security in their organization

Slide 20: ISO 27000 Series Current and Planned Standards
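Returning to the technical SysSPs of Slide 15 (access control lists, matrices and capability tables on one side, configuration rule policies on the other): the block below is an added illustration written for this page, not code from the textbook. It represents a constructed access control matrix and derives the two views from it, the ACL stored with each object and the capability table held by each subject, with a default-deny authorization check and a revocation that updates both views consistently. It then models a constructed firewall-style configuration rule set evaluated first-match with an explicit cleanup rule, and adds the check a practitioner wants on such a rule set: which rules are shadowed by an earlier, broader rule and can never fire. All subjects, objects, rights, rules and addresses are invented; nothing here is taken from a real system. It needs Python 3.7 or later for ipaddress.ip_network.subnet_of.

```python
"""Technical SysSPs as data (added example for Slide 15, not textbook code).

Part 1: an access control matrix with its ACL (per-object) and capability
table (per-subject) views, a default-deny check, and revocation.
Part 2: a firewall-style configuration rule set evaluated first-match,
with an explicit cleanup rule and a check for shadowed rules.
All subjects, objects, rights, rules and addresses are constructed.
Needs Python 3.7+ (ipaddress.ip_network.subnet_of)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

Rights = FrozenSet[str]
Matrix = Dict[str, Dict[str, Rights]]   # subject -> object -> rights

SAMPLE_MATRIX: Matrix = {              # constructed sample data
    "alice": {"payroll.db": frozenset({"read", "write"}),
              "web.log": frozenset({"read"})},
    "bob": {"web.log": frozenset({"read", "append"})},
    "svc-backup": {"payroll.db": frozenset({"read"}),
                   "web.log": frozenset({"read"})},
}


def acl_for(matrix: Matrix, obj: str) -> Dict[str, Rights]:
    """Column view: the ACL stored with one object (subject -> rights)."""
    return {s: row[obj] for s, row in matrix.items() if row.get(obj)}


def capabilities_for(matrix: Matrix, subject: str) -> Dict[str, Rights]:
    """Row view: the capability table held by one subject (object -> rights)."""
    return {o: r for o, r in matrix.get(subject, {}).items() if r}


def is_allowed(matrix: Matrix, subject: str, obj: str, right: str) -> bool:
    """Default deny: an unknown subject, object or right is refused."""
    return right in matrix.get(subject, {}).get(obj, frozenset())


def revoke(matrix: Matrix, subject: str, obj: str, right: str) -> Matrix:
    """Return a copy with one right removed; both views see the change."""
    new = {s: dict(row) for s, row in matrix.items()}
    if obj in new.get(subject, {}):
        new[subject][obj] = new[subject][obj] - {right}
    return new


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any port
    src: str                 # source network in CIDR form; 0.0.0.0/0 = any

    def matches(self, proto: str, dst_port: int, src_ip: str) -> bool:
        return ((self.proto == "any" or self.proto == proto)
                and (self.dst_port is None or self.dst_port == dst_port)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        return ((self.proto == "any" or self.proto == other.proto)
                and (self.dst_port is None or self.dst_port == other.dst_port)
                and ipaddress.ip_network(other.src).subnet_of(
                    ipaddress.ip_network(self.src)))


SAMPLE_RULES: List[Rule] = [                   # constructed sample rule set
    Rule("deny", "tcp", 23, "0.0.0.0/0"),      # specific deny (telnet) first
    Rule("allow", "tcp", 443, "0.0.0.0/0"),    # public HTTPS
    Rule("allow", "tcp", 22, "10.0.0.0/24"),   # SSH only from the admin subnet
    Rule("deny", "any", None, "0.0.0.0/0"),    # explicit cleanup rule
]


def evaluate(rules: List[Rule], proto: str, dst_port: int,
             src_ip: str) -> Tuple[str, int]:
    """First match wins; return (action, rule index). No match at all is
    treated as deny (index -1) so an incomplete rule set never allows."""
    for i, rule in enumerate(rules):
        if rule.matches(proto, dst_port, src_ip):
            return rule.action, i
    return "deny", -1


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them."""
    return [i for i, r in enumerate(rules)
            if any(e.covers(r) for e in rules[:i])]


if __name__ == "__main__":
    print(acl_for(SAMPLE_MATRIX, "web.log"))
    print(capabilities_for(SAMPLE_MATRIX, "bob"))
    print(is_allowed(SAMPLE_MATRIX, "bob", "payroll.db", "read"))
    print(evaluate(SAMPLE_RULES, "tcp", 22, "192.0.2.9"))
    print(shadowed([Rule("allow", "tcp", None, "0.0.0.0/0"),
                    Rule("deny", "tcp", 23, "0.0.0.0/0")]))
```

The two halves make the same point from different directions: an ACL and a capability table are two projections of one matrix, so a right should be granted or revoked in the matrix, not patched into one view; and a configuration rule policy is only as good as its ordering, so a broad allow placed above a narrow deny silently disables the deny, which is exactly what shadowed() reports for the second rule set in the usage lines.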

Slide 21: Figure 3-2 BS7799:2

Slide 22: NIST Security Models
Another approach is described in documents available from csrc.nist.gov:
- SP 800-12: An Introduction to Computer Security: The NIST Handbook
- SP 800-14: Generally Accepted Principles and Practices for Securing Information Technology Systems
- SP 800-18 Rev 1: Guide for Developing Security Plans for Federal Information Systems
- SP 800-26: Security Self-Assessment Guide for Information Technology Systems
- SP 800-30: Risk Management Guide for Information Technology Systems

Slide 23: IETF Security Architecture
- While no specific architecture is promoted through the Internet Engineering Task Force, the Security Area Working Group acts as an advisory board for the protocols and areas developed and promoted through the Internet Society
- RFC 2196: Site Security Handbook provides an overview of five basic areas of security, with detailed discussions on development and implementation
- Includes chapters on such important topics as security policies, security technical architecture, security services, and security incident handling

Slide 24: Benchmarking and Best Practices
- Benchmarking and best practices are reliable methods used by some organizations to assess security practices
- It is possible to gain information by benchmarking and using best practices, and thus work backwards to an effective design
- The Federal Agency Security Practices site (fasp.nist.gov) is designed to provide best practices for public agencies and is easily adapted to private organizations

Slide 25: Figure 3-4 Spheres of Security

Slide 26: Design of Security Architecture
- Defense in depth
  - One of the foundations of security architectures is the requirement to implement security in layers
  - Requires that the organization establish sufficient security controls and safeguards so that an intruder faces multiple layers of controls
- Security perimeter
  - The point at which an organization's security protection ends and the outside world begins
  - Unfortunately, the perimeter does not apply to internal attacks from employee threats or to on-site physical threats

Slide 27: Security Education, Training, and Awareness
- As soon as policies exist, policies to implement security education, training, and awareness (SETA) should follow
- SETA is a control measure designed to reduce accidental security breaches
- SETA supplements the general education and training programs that educate staff on information security
- Security education and training build on the general knowledge that employees must possess to do their jobs, familiarizing them with the way to do their jobs securely

Slide 28: SETA Elements
- The SETA program consists of three elements: security education, security training, and security awareness
- An organization may not be capable of, or willing to, undertake all elements, but may outsource them
- The purpose of SETA is to enhance security by:
  - Improving awareness of the need to protect system resources
  - Developing skills and knowledge so that computer users can perform their jobs more securely
  - Building in-depth knowledge, as needed, to design, implement, and operate security programs

Slide 29: Table 3-6 Comparative SETA Framework

Slide 30: Security Education
- Everyone in an organization needs to be trained in and aware of information security, but not every member of the organization needs a formal degree or certificate in information security
- When formal security education is needed for appropriate individuals, an employee can identify curriculum available from local institutions of higher learning or continuing education
- A number of universities have formal coursework in information security (see, for example, http://infosec.kennesaw.edu)

Slide 31: Security Training
- Involves providing members of the organization with detailed information and hands-on instruction designed to prepare them to perform their duties securely
- Management of information security can develop customized in-house training or outsource the training program

Slide 32: Security Awareness
- One of the least frequently implemented but most beneficial programs is the security awareness program
- Designed to keep information security at the forefront of users' minds
- Need not be complicated or expensive
- If the program is not actively implemented, employees begin to tune out, and the risk of employee accidents and failures increases

Slide 33: Continuity Strategies
- Managers must provide strategic planning to assure continuous information systems availability when an attack occurs
- Plans for events of this type are referred to in a number of ways:
  - Business continuity plans (BCPs)
  - Disaster recovery plans (DRPs)
  - Incident response plans (IRPs)
  - Contingency plans
- Large organizations may have many types of plans and small organizations may have one simple plan, but most have inadequate planning

Slide 34: Contingency Planning
- Contingency planning (CP) comprises:
  - Incident response planning (IRP)
  - Disaster recovery planning (DRP)
  - Business continuity planning (BCP)
- Primary functions of these three types:
  - IRP focuses on immediate response, but if the attack escalates or is disastrous, the process changes to disaster recovery and BCP
  - DRP typically focuses on restoring operations at the primary site after disasters occur and, as such, is closely associated with BCP
  - BCP occurs concurrently with DRP when damage is major or long term, requiring the establishment of operations at an alternate site

Slide 35: Figure 3-9 Contingency Planning Timeline

Slide 36: Contingency Planning Team
- Before any planning begins, a team has to plan the effort and prepare the resulting documents
- Champion: a high-level manager to support, promote, and endorse the findings of the project
- Project manager: leads the project and makes sure that a sound project planning process is used, a complete and useful project plan is developed, and project resources are prudently managed
- Team members: should be managers or their representatives from the various communities of interest (business, IT, and information security)

Slide 37: Figure 3-10 Major Steps in Contingency Planning

Slide 38: Business Impact Analysis
- Begin with the business impact analysis (BIA): if the attack succeeds, what do we do then?
- The CP team conducts the BIA in the following stages:
  1. Threat attack identification
  2. Business unit analysis
  3. Attack success scenarios
  4. Potential damage assessment
  5. Subordinate plan classification

Slide 39: Threat Attack Identification and Prioritization
- Update the threat list with the latest developments and add the attack profile
- An attack profile is the detailed description of the activities during an attack
- Must be developed for every serious threat the organization faces
- Used to determine the extent of damage that could result to a business unit if the attack were successful

Slide 40: Table 3-7 Attack Profile

Slide 41: Business Unit Analysis
- The second major task within the BIA is the analysis and prioritization of business functions within the organization
- Identify the functional areas of the organization and prioritize them as to which are most vital
- Focus on a prioritized list of the various functions that the organization performs

Slide 42: Attack Success Scenario Development
- Next, create a series of scenarios depicting the impact a successful attack from each threat could have on each prioritized functional area, with:
  - Details on the method of attack
  - Indicators of attack
  - Broad consequences
- Attack success scenario details are added to the attack profile, including best, worst, and most likely outcomes

Slide 43: Potential Damage Assessment
- From the previously developed attack success scenarios, the BIA planning team must estimate the cost of the best, worst, and most likely cases
- Costs include the actions of the response team
- This final result is referred to as an attack scenario end case

Slide 44: Subordinate Plan Classification
- Once potential damage has been assessed, a subordinate plan must be developed or identified
- Subordinate plans take into account identification of, reaction to, and recovery from each attack scenario
- Each attack scenario end case is categorized as disastrous or not
- The qualifying difference is whether or not the organization is able to take effective action during the event to combat the effect of the attack

Slide 45: Incident Response Planning
- Incident response planning covers identification of, classification of, and response to an incident
- An incident is an attack against an information asset that poses a clear threat to the confidentiality, integrity, or availability of information resources
- Attacks are only classified as incidents if they have the following characteristics:
  - Are directed against information assets
  - Have a realistic chance of success
  - Could threaten the confidentiality, integrity, or availability of information resources
- IR is more reactive than proactive, with the exception of the planning and preparation of IR teams

Slide 46: Incident Planning
- Predefined responses enable the organization to react quickly and effectively to a detected incident
- This assumes the organization has an IR team and can detect the incident
- The IR team consists of those individuals needed to handle systems as the incident takes place
- IR consists of the following four phases:
  1. Planning
  2. Detection
  3. Reaction
  4. Recovery

Slide 47: Incident or Disaster
- When does an incident become a disaster?
  - The organization is unable to mitigate the impact of an incident during the incident
  - The level of damage or destruction is so severe that the organization is unable to recover quickly
- The difference may be subtle
- It is up to the organization to decide which incidents are to be classified as disasters and thus receive the appropriate level of response

Slide 48: Disaster Recovery Planning
- Disaster recovery planning (DRP) is planning the preparation for and recovery from a disaster
- The contingency planning team must decide which actions constitute disasters and which constitute incidents
- When situations are classified as disasters, plans change as to how to respond: take action to secure the systems' most valuable assets to preserve value for the longer term, even at the risk of more disruption in the immediate term
- DRP strives to reestablish operations at the primary site

Slide 49: DRP Steps
- There must be a clear establishment of priorities
- There must be a clear delegation of roles and responsibilities
- Someone must initiate the alert roster and notify key personnel
- Someone must be tasked with the documentation of the disaster
- If and only if it is possible, some attempts must be made to mitigate the impact of the disaster on the operations of the organization

Slide 50: Crisis Management
- Crisis management occurs during and after a disaster and focuses on the people involved and on addressing the viability of the business
- The crisis management team is responsible for managing the event from an enterprise perspective by:
  - Supporting personnel and their families during the crisis
  - Determining the impact on business operations and, if necessary, making the disaster declaration
  - Keeping the public informed
  - Communicating with major customers, suppliers, partners, regulatory agencies, industry organizations, the media, and other interested parties

Slide 51: Business Continuity Planning
- Business continuity planning outlines the reestablishment of critical business operations during a disaster that impacts operations
- If a disaster has rendered the business site unusable for continued operations, there must be a plan to allow the business to continue to function
- BCP is somewhat simpler than an IRP or DRP
- Consists primarily of selecting a continuity strategy and integrating off-site data storage and recovery functions into this strategy

Slide 52: Summary
- To effectively secure networks, an organization must establish a functional, well-designed information security program
- Creating the information security program requires information security policies, standards, and practices; an information security architecture; and a detailed information security blueprint
- Management must make policy the basis for all information security planning, design, and deployment in order to direct how issues are addressed and how technologies are used

Slide 53: Summary (continued)
- Policy must never conflict with laws, and it should stand up in court if challenged
- To be effective and legally enforceable, policy must be disseminated, reviewed, understood, complied with, and uniformly enforced
- The information security team identifies vulnerabilities and then develops the security blueprint that is used to implement the security program

Slide 54: Summary (continued)
- A security framework is an outline of the steps to take to design and implement information security
- The purpose of security education, training, and awareness (SETA) is to enhance security by improving awareness of the need to protect system resources, teaching users to perform their jobs more securely, and building the knowledge needed to design, implement, or operate security programs

Slide 55: Summary (continued)
- IT and InfoSec managers must assure continuous availability of information systems
- This is achieved with various contingency plans: incident response (IR), disaster recovery (DR), and business continuity (BC)
- The IR plan addresses identification, classification, response, and recovery from an incident
- The DR plan addresses preparation for and recovery from a disaster
- The BC plan ensures that critical business functions continue if a catastrophic event occurs
