Chapter 2
Planning for Security
You got to be careful if you don’t know where you’re going, because you might not get there.
YOGI BERRA
Iris was a little uneasy. While this wasn’t her first meeting with Mike Edwards, the chief information officer (CIO), it was her first planning meeting. Around the table, the other information technology (IT) department heads were chatting, drinking their coffee. Iris stared at her notepad, where she had carefully written “Strategic Planning Meeting” and nothing else.
Mike entered the room, followed by his assistants. Stan, his lead executive assistant, was loaded down with stacks of copied documents, which he and the other assistants began handing out. Iris took her copy and scanned the title: Random Widget Works, Inc. (RWW), Strategic Planning Document, Information Technology Division, FY 2014–2018.
“As you know, it’s annual planning time again,” Mike began. “You just got your copies of the multiyear IT strategic plan. Last month, you each received your numbered copy of the company strategic plan.” Iris remembered the half-inch-thick document she had carefully read and then locked in her filing cabinet.
Mike continued: “I’m going to go through the IT vision and mission statements, and then review the details of how the IT plan will allow us to meet the objectives articulated in the strategic plan. In 30 days, you’ll submit your draft plans to me for review. Don’t hesitate to come by to discuss any issues or questions.”
9781305147263, Management of Information Security, Fourth Edition, Whitman/Mattord - © Cengage Learning. All rights reserved. No distribution allowed without express authorization.
Later that day, Iris dropped by Mike’s office to discuss her planning responsibilities. This
duty was not something he had briefed her about yet.
“I’m sorry, Iris,” Mike said. “I meant to spend some time outlining your role as security
manager. I’m afraid I can’t do it this week; maybe we can start next week by reviewing
some key points I want you to make sure are in your plan. In the meantime, I suggest you
ask the other business section chiefs for copies of their strategic plans and look for areas
that don’t overlap with IT’s.”
The next day, Iris had lunch with her mentor, Charley Moody.
After they ordered, Iris said, “We just started on our strategic planning project and I’m developing a security strategic plan. You know, I’ve never worked up one of these from scratch before. Got any good advice on what to look for?”
“Sure,” Charley responded. “Actually, I have something for you in my car that might help.”
After they finished lunch, the pair went out to the parking lot. Inside Charley’s trunk were two cardboard boxes marked “BOOKS.” He opened one and rummaged around for a few seconds. “Here,” he said, handing Iris a textbook.
She read the title out loud: “Strategic Planning.”
“This one is from a planning seminar I did a while back,” Charley explained. “I have a later edition, but there really isn’t much difference between the two. I was cleaning out some of my redundant books. I was going to donate these to the library book sale. It’s yours if you want it. It might help with your planning project.”
Charley closed the trunk and said, “Read over the first few chapters—that’ll give you the basics. Then sit down with your planning documents from corporate management and from IT. For each goal stated by the CEO and CIO, think about what your department needs to do to meet it. Write up how you think the company as a whole, and your team in particular, can satisfy that objective. Then go back and describe the resources you’ll need to make it happen.”
“That’s it?” Iris asked.
Charley shook his head. “There’s more to it than that, but this will get you started. Once you’ve got that done, I can share some of what I know about how to frame your plans and format them for use in the planning process.”
LEARNING OBJECTIVES
Upon completion of this material, you should be able to:
• Identify the roles in organizations that are active in the planning process
• Explain the principal components of information security (InfoSec) system implementation planning in the organizational planning scheme
• Differentiate between strategic organization InfoSec planning and specialized contingency planning (CP)
• List and explain the unique considerations and relationships that exist among the types of specialized CP—incident response, disaster recovery, and business continuity planning (BCP)
Introduction
Chapter 1 discussed InfoSec management within the context of general management, covering
many of the elements of general and project management as they apply to InfoSec. The
broader subject of planning encompasses general organizational planning as well as the specific processes involved with planning for InfoSec. This subject is divided into two chapters
(see Figure 2-1). This chapter covers organizational planning—specifically, the process of
planning for InfoSec. And Chapter 3 covers a very important topic in InfoSec planning—
contingency planning—in greater detail.
It is difficult to overstate how essential planning is to business and organizational management. In a setting where there are continual constraints on resources, both human and financial, good planning enables an organization to make the most out of the materials at hand. While a chief information security officer (CISO)—also called a “chief security officer” (CSO), “director of InfoSec,” or “vice president for InfoSec”—and other InfoSec managers can generate an urgent response to an immediate threat, they are well advised to utilize a portion of their routinely allocated resources toward the long-term viability of the InfoSec program. However, some organizations spend too much time, money, and human effort on planning with too little return to justify their investment. Each organization must balance the benefits of the chosen degree of planning effort against the costs of the effort.
R
The Role of Planning
Planning usually involves many interrelated groups and organizational processes. The groups involved in planning represent the three communities of interest discussed in Chapter 1; they may be internal or external to the organization and can include employees, management, stockholders, and other outside stakeholders. Among the other factors that affect planning are the physical environment, the political and legal environment, the competitive environment, and the technological environment. For the purposes of this text, the term stakeholder is used to describe those entities, whether people or organizations, that have a “stake” or vested interest in a particular aspect of the planning or operation of the organization. In this case, the area of concern is the information assets in use in a particular organization. This is distinctly different from the term “stockholder,” which describes someone who is an owner of the organization via ownership of the organization’s common or preferred stock shares. Stakeholders are typically asked for input whenever strategic decisions affecting their “stake” are planned.
Figure 2-1 Information security and planning
[Figure: Chapter 2, Information Security Planning: Organizational Planning (Strategic Planning, Tactical Planning, Operational Planning) and Planning for Information Security Programs. Chapter 3, Contingency Planning: Incident Response Planning, Disaster Recovery Planning, Business Continuity Planning, Assembling and Testing Contingency Plans.]
Copyright © 2014 Cengage Learning®.
When planning, members of the InfoSec community of interest use the same processes and methodologies that the general management and IT management communities of interest use. Because the InfoSec community of interest seeks to influence the entire organization, an effective InfoSec planner should know how the organizational planning process works so that participation in this process can yield measurable results. Before you can explore the positioning of InfoSec within an organization’s planning processes, however, you must first understand the concept of organizational planning.
K
Planning is the dominant means of managing resources in modern organizations. It entails the enumeration of a sequence of actions intended to achieve specific goals during a defined period of time, and then controlling the implementation of these steps. Planning provides direction for the organization’s future. Without specific and detailed planning, organizational units would attempt to meet objectives independently, with each unit being guided by its own initiatives and ideas. Such an uncoordinated effort would not only fail to meet objectives but would also result in an inefficient use of resources. Organizational planning, when conducted by the various segments of the organization, provides a uniform script that increases efficiency and reduces waste and duplication of effort by each organizational unit within the individual communities of interest.
Organizational planning should make use of a top-down process in which the organization’s leadership chooses the direction and initiatives that the entire organization should pursue. Initially, the organizational plan contains few specific detailed objectives; instead, it outlines general objectives.
The primary goal of the organizational planning process is the creation of detailed plans—that is, systematic directions for how to meet the organization’s objectives. This task is accomplished with a process that begins with the general and ends with the specific.
A
Precursors to Planning
To implement effective planning, an organization’s leaders usually begin from previously developed positions that explicitly state the organization’s ethical, entrepreneurial, and philosophical perspectives. In recent years, the critical nature of the first of these perspectives—the ethical perspective—has come sharply into focus. Widely publicized ethical lapses at such organizations as Enron, WorldCom, Fannie Mae, IBM, and HP illustrate the importance of solid and well-articulated ethical underpinnings. While ethical failures of this magnitude are, one hopes, exceptional, industry groups and regulators have implemented standards and regulations that assess an organization’s ability to achieve compliance with legal requirements and industry-recommended practices. When an organization’s stated positions do not match the demonstrated ethical, entrepreneurial, and philosophical approaches of its management teams, the developmental plan—which is guided by the organization’s values, vision, mission, and strategy—becomes unmanageable.
Values Statement
One of the first positions that management must articulate is the values statement. The trust
and confidence of stakeholders and the public are important factors for any organization. By
establishing a formal set of organizational principles and qualities in a values statement, as
well as benchmarks for measuring behavior against these published values, an organization
makes its conduct and performance standards clear to its employees and the public. The
quality management movement of the 1980s and 1990s amply illustrated that organizations
with strong values can earn greater loyalty from customers and employees.
Microsoft has a formal employee mission and values statement published on its Web site, as shown in Figure 2-2.
Integrity, honesty, passion, and respectfulness are significant parts of Microsoft’s corporate philosophy. RWW’s values statement might take the following form:
Random Widget Works values commitment, honesty, integrity, and social responsibility among its employees and is committed to providing its services in harmony with its corporate, social, legal, and natural environments.
Figure 2-2 Microsoft’s mission and values statement
Source: Microsoft.
Vision Statement
The second underpinning of organizational planning is the vision statement. The vision statement expresses what the organization wants to become. Vision statements should therefore be ambitious; after all, they are meant to express the aspirations of the organization and to serve as a means for visualizing its future. In other words, the vision statement is the best-case scenario for the organization’s future. Many organizations mix or combine the vision statement and the mission statement. RWW’s vision statement might take the following form:
Random Widget Works will be the preferred manufacturer of choice for every business’s widget equipment needs, with an RWW widget in every gizmo in use.
This is a very bold, ambitious vision statement. It may not seem very realistic, but vision statements are not meant to express the probable, only the possible. The vision statement is a concise statement of where the organization wants to go.
Mission Statement
The mission statement explicitly declares the business of the organization and its intended areas of operations. It is, in a sense, the organization’s identity card. RWW’s mission statement might take the following form:
Random Widget Works designs and manufactures quality widgets and associated equipment and supplies for use in modern business environments.
Not the 12-page sleeping pill you expected? A mission statement should be concise, should reflect both internal and external operations, and should be robust enough to remain valid for a period of four to six years. Simply put, the mission statement must explain what the organization does and for whom.
A
Many organizations encourage or require each division or major department—including the InfoSec department—to generate its own mission statement. These mission statements can be as concise as the example provided, expressing a strong commitment to the confidentiality, integrity, and availability of information, or they can provide a more detailed description of the InfoSec department’s function, as shown in the following example. This mission statement appears in Information Security Roles and Responsibilities Made Easy, by Charles Cresson Wood.
The Information Security Department is charged with identifying, assessing, and appropriately managing risks to Company X’s information and information systems. It evaluates the options for dealing with these risks, and works with departments throughout Company X to decide upon and then implement controls that appropriately and proactively respond to these same risks. The Department is also responsible for developing requirements that apply to the entire organization as well as external information systems in which Company X participates (for example, extranets) [these requirements include policies, standards, and procedures]. The focal point for all matters related to information security, this Department is ultimately responsible for all endeavors within Company X that seek to avoid, prevent, detect, correct, or recover from threats to information or information systems.1
According to Wood, these threats include:
● Unauthorized access to information
● Unauthorized use of information
● Unauthorized disclosure of information
● Unauthorized diversion of information
● Unauthorized modification of information
● Unauthorized destruction of information
● Unauthorized duplication of information
● Unavailability of information2
The mission statement is the follow-up to the vision statement. If the vision statement states where the organization wants to go, the mission statement describes how it wants to get there. Taken together, the mission, vision, and values statements provide the philosophical foundation for planning and guide the creation of the strategic plan.
Strategic Planning
Strategic planning lays out the long-term direction to be taken by the organization. It guides organizational efforts and focuses resources toward specific, clearly defined goals in the midst of an ever-changing environment.
As you learned in Chapter 1, a clearly directed strategy flows from top to bottom, and a systematic approach is required to translate it into a program that can inform and lead all members of the organization. As shown in the sample hierarchical chart in Figure 2-3, strategic plans formed at the highest levels of the organization are translated into more specific strategic plans for intermediate layers of management. These plans are then converted into tactical planning for supervisory managers and eventually provide direction for the operational plans undertaken by the nonmanagement members of the organization. This multilayered approach encompasses two key objectives: general strategy and overall strategic planning. First, general strategy is translated into specific strategy; second, overall strategic planning is translated into lower-level tactical and operational planning. Each of these steps is discussed next.
Figure 2-3 Top-down strategic planning
[Figure: the roles CEO, CIO, CISO, Security Mgr, Security Admin, and Security Tech, mapped top-down to Organizational Strategy, Information Technology Strategy, Information Security Strategy, Information Security Tactical Planning, and Information Security Operational Planning.]
Copyright © 2014 Cengage Learning®.
Creating a Strategic Plan
After an organization develops a general strategy, it must create an overall strategic plan by
extending that general strategy into specific strategic plans for major divisions. Each level of
each division translates those objectives into more specific objectives for the level below. For
example, a CEO might develop the following general statement of strategy:
Providing the highest quality health care service in the industry.
To execute this broad strategy and turn the general statement into action, the executive team (sometimes called the C-level of the organization, as in CEO, COO, CFO, CIO, and so on) must first define individual responsibilities. For example, the CIO might respond to the CEO’s statement with this more specific statement:
Providing high-level health care information service in support of the highest quality health care service in the industry.
The chief operations officer (COO) might derive a different strategic goal that focuses more on his or her specific responsibilities:
Providing the highest quality medical services.
The CISO might interpret the CIO’s and COO’s goals as follows:
Ensuring that quality health care information services are provided securely and in compliance with all local, state, and federal information processing, information security, and privacy statutes, including HIPAA.
The conversion of goals from the strategic level to the next lower level is perhaps more art than science. It relies on the executive’s ability to know and understand the strategic goals of the entire organization, to know and appreciate the strategic and tactical abilities of each unit within the organization, and to negotiate with peers, superiors, and subordinates. This mix of skills helps to achieve the proper balance in articulating goals that fall within performance capabilities.
Once the organization’s overall strategic plan is translated into strategic goals for each major division or operation, the next step is to translate these strategies into tasks with specific, measurable, achievable, and time-bound objectives. Strategic planning then begins a transformation from general, sweeping statements toward more specific and applied objectives. Strategic plans are used to create tactical plans, which are in turn used to develop operational plans. Figure 2-4 illustrates the various planning levels discussed in this section.
Planning Levels
Tactical planning has a more short-term focus than strategic planning—usually one to three years. It breaks down each applicable strategic goal into a series of incremental objectives. Each objective should be specific and ideally will have a delivery date within a year.
Figure 2-4 Strategic planning levels
[Figure: an Overall Strategic Plan feeding Division A and Division B, each of which has its own Strategic Plan, Tactical Plan, and Operational Plan.]
Copyright © 2014 Cengage Learning®.
Budgeting, resource allocation, and personnel are critical components of the tactical plan. Although these components may be discussed in general terms at the strategic planning level, they are crucial at the tactical level because they must be in place before the tactical plan can be translated into the operational plan. Tactical plans often include project plans and resource acquisition planning documents (such as product specifications), project budgets, project reviews, and monthly and annual reports.
Because tactical plans are often created for specific projects, some organizations call this process project planning or intermediate planning. The CISO and the security managers use the tactical plan to organize, prioritize, and acquire resources necessary for the major projects and to provide support for the overall strategic plan.
Managers and employees use operational plans, which are derived from the tactical plans, to organize the ongoing, day-to-day performance of tasks. An operational plan includes clearly identified coordination activities that span department boundaries, communications requirements, weekly meetings, summaries, progress reports, and associated tasks. These plans are carefully designed to reflect the organizational structure, with each subunit, department, or project team conducting its own operational planning and reporting components. Frequent communication and feedback from the teams to the project managers and/or team leaders and then up to the various management levels will make the planning process as a whole more manageable and successful.
For example, operational planning within InfoSec may encompass such objectives as the selection, configuration, and deployment of a firewall, or the design and implementation of a security education, training, and awareness (SETA) program. Each of these tasks needs effective tactical planning that covers its entire development life cycle.
Planning and the CISO
The first priority of the CISO and the InfoSec management team should be the structure of a strategic plan. While each organization may have its own format for the design and distribution of a strategic plan, the fundamental elements of planning are the same for all types of enterprises. There are a number of excellent text, trade, and reference books on strategic planning, and the serious InfoSec manager is encouraged to explore this topic.
Here are the basic components of a typical strategic plan:
I. Executive Summary
II. Mission Statement and Vision Statement
III. Organizational Profile and History
IV. Strategic Issues and Core Values
V. Program Goals and Objectives
VI. Management/Operations Goals and Objectives
VII. Appendices (optional) [strengths, weaknesses, opportunities, and threats (SWOT) analyses, surveys, budgets, etc.]3
You have already learned about some of these components. Those areas not previously discussed are very straightforward, such as the organizational profile/history, and the appendices. They originate in studies conducted by the organization or highlight information about the environment in which the organization operates. The appendices may help the organization identify new directions or eliminate directions that are less profitable than anticipated. InfoSec planners can consult studies such as the CSI surveys, the “Threats to Information Security” studies described in detail later in this chapter, and internal risk assessments to help identify trends of interest or relevance to the organization. These documents are key resources that can identify areas that should be addressed by the InfoSec strategic plan.
Brian Ward, a principal with Affinity Consulting, offers the following tips for planning:
1. Articulate a comprehensive and meaningful vision statement that communicates what the organization strives to accomplish. It should attract those persons of a like mind to join in the effort to achieve that goal.
2. Endeavor to bring a sense of logical analysis of the objectives and what has been accomplished. Many organizations use a model known as the “balanced scorecard” to track outcomes against intentions to measure effects against prior actions.
3. Work from an overarching plan that has been developed with the input from key stakeholders.
4. Strive for transparency in the planning process so that inevitable changes to plans are explained to stakeholders.
5. Work to make planning a process that engages all involved to work toward the common objectives.
6. Stick with the process over time since results may not always be achieved as quickly as intended.
7. Develop consistent and repeatable methods of planning that are adopted as part of the organization’s culture.
8. Explain what is being done so that stakeholders perceive the intentions of the process.
9. Use processes that fit the organization’s culture.
10. Make the process as engaging as possible so that participants are not overwhelmed and feel put upon by the required actions.4
Information Security Governance
Strategic planning and corporate responsibility are best accomplished using an approach many call governance, risk management, and compliance (GRC). GRC seeks to integrate these three, previously separate responsibilities into one holistic approach that can provide sound executive-level strategic planning and management of the InfoSec function. Governance is covered in the following section; risk management is covered in Chapters 8 and 9; compliance with regulations is covered in Chapter 12. The subjects themselves are neither new nor unique to InfoSec; however, the recognition of the need to integrate the three at the executive level is becoming increasingly important to practitioners in the field.
The governance of InfoSec is a strategic planning responsibility whose importance has grown in recent years. Many consider good InfoSec practices and sound InfoSec governance a component of U.S. homeland security. Unfortunately, InfoSec is all too often regarded as a technical issue when it is, in fact, a management issue. In order to secure information assets, an organization’s management must integrate InfoSec practices into the fabric of the organization, expanding corporate governance policies and controls to encompass the objectives of the InfoSec process.
InfoSec objectives must be addressed at the highest levels of an organization’s management team in order to be effective and offer a sustainable approach. When security programs are designed and managed as a technical specialty in the IT department, they are less likely to be effective. A broader view of InfoSec encompasses all of an organization’s information assets, including the knowledge being managed by those IT assets. These valuable commodities must be protected regardless of how the information is processed, stored, or transmitted, and with a thorough understanding of the risks to, and the benefits of, the information assets.
According to the Information Technology Governance Institute (ITGI), InfoSec governance includes all the accountabilities and methods undertaken by the board of directors and executive management to provide strategic direction, establishment of objectives, measurement of progress toward those objectives, verification that risk management practices are appropriate, and validation that the organization’s assets are used properly.5
According to the ITGI, boards of directors should supervise strategic InfoSec objectives by:
● Inculcating a culture that recognizes the criticality of information and InfoSec to the organization
● Verifying that management’s investment in InfoSec is properly aligned with organizational strategies and the organization’s risk environment
● Assuring that a comprehensive InfoSec program is developed and implemented
● Demanding reports from the various layers of management on the InfoSec program’s effectiveness and adequacy6
Desired Outcomes
InfoSec governance consists of the leadership, organizational structures, and processes that safeguard information. Critical to the success of these structures and processes is effective communication among all parties, which requires constructive relationships, a common language, and shared commitment to addressing the issues.
Done properly, this should result in five basic outcomes of InfoSec governance:
● Strategic alignment of InfoSec with business strategy to support organizational objectives
● Risk management by executing appropriate measures to manage and mitigate threats to information resources
● Resource management by utilizing InfoSec knowledge and infrastructure efficiently and effectively
● Performance measurement by measuring, monitoring, and reporting InfoSec governance metrics to ensure that organizational objectives are achieved
● Value delivery by optimizing InfoSec investments in support of organizational objectives
The National Association of Corporate Directors (NACD), the leading membership organization for boards and directors in the United States, recognizes the importance of InfoSec. It recommends four essential practices for boards of directors:
1. Place InfoSec on the board’s agenda.
2. Identify InfoSec leaders, hold them accountable, and ensure support for them.
3. Ensure the effectiveness of the corporation’s InfoSec policy through review and approval.
4. Assign InfoSec to a key committee and ensure adequate support for that committee.7
Benefits of Information Security Governance
InfoSec governance, if properly implemented, can yield significant benefits, including:
● An increase in share value for organizations
● Increased predictability and reduced uncertainty of business operations by lowering information-security-related risks to definable and acceptable levels
● Protection from the increasing potential for civil or legal liability as a result of information inaccuracy or the absence of due care
● Optimization of the allocation of limited security resources
● Assurance of effective InfoSec policy and policy compliance
● A firm foundation for efficient and effective risk management, process improvement, and rapid incident response
● A level of assurance that critical decisions are not based on faulty information
● Accountability for safeguarding information during critical business activities, such as mergers and acquisitions, business process recovery, and regulatory response.8
When developing an InfoSec governance program, the designers should ensure that the program includes:
● An InfoSec risk management methodology
● A comprehensive security strategy explicitly linked with business and IT objectives
● An effective security organizational structure
● A security strategy that talks about the value of information being protected and delivered
● Security policies that address each aspect of strategy, control, and regulation
● A complete set of security standards for each policy to ensure that procedures and guidelines comply with policy
● Institutionalized monitoring processes to ensure compliance and provide feedback on effectiveness and mitigation of risk
● A process to ensure continued evaluation and updating of security policies, standards, procedures, and risks
Implementing Information Security Governance
How can an organization implement effective security governance? According to the Corporate Governance Task Force (CGTF), the organization should engage in a core set of activities suited to its needs:
● Conduct an annual InfoSec evaluation, the results of which the CEO should review with staff and then report to the board of directors
● Conduct periodic risk assessments of information assets as part of a risk management program
● Implement policies and procedures based on risk assessments to secure information assets
● Establish a security management structure to assign explicit individual roles, responsibilities, authority, and accountability
● Develop plans and initiate actions to provide adequate InfoSec for networks, facilities, systems, and information
● Treat InfoSec as an integral part of the system life cycle
● Provide InfoSec awareness, training, and education to personnel
● Conduct periodic testing and evaluation of the effectiveness of InfoSec policies and procedures
● Create and execute a plan for remedial action to address any InfoSec deficiencies
● Develop and implement incident response procedures
● Establish plans, procedures, and tests to provide continuity of operations
● Use security best practices guidance, such as the ISO 27000 series, to measure InfoSec performance9
The CGTF recommends following a governance framework such as the initiating, diagnosing, establishing, acting, and learning (IDEAL) model, which is named for its stages, as shown in Figure 2-5. The IDEAL model is shown in more detail in Figure 2-6.
This framework, discussed in detail in the document “Information Security Governance: A Call to Action,” defines the responsibilities of the board of directors/trustees, the senior organizational executive (i.e., CEO), executive team members, senior managers, and all employees and users. The source document can be found at www.cyber.st.dhs.gov/docs/Information%20Security%20Governance-%20A%20Call%20to%20Action%20(2004).pdf. Figure 2-7 shows the various responsibilities of these functional roles. The document also outlines the requirements for an InfoSec program, discussed in additional detail in Chapter 6 of this text, and provides recommendations for organizational unit reporting and program evaluation.
Security Convergence
The convergence of security-related governance in organizations has been observed since the broad deployment of information systems began in the 1970s and 1980s. The trade press has discussed the issues surrounding this merging of management accountability in the areas of corporate (physical) security, corporate risk management, computer security, network security, and InfoSec as such trends waxed and waned over the years. More formal discussion has also occurred, such as a 2005 report titled “Convergence of Enterprise Security Organizations,” which the consulting firm Booz Allen Hamilton issued in conjunction with the professional organizations ASIS, ISACA, and ISSA.10 The report looked at industry practices in the areas of security convergence at U.S.-based global organizations with annual revenues from $1 to $100 billion. And it identified key drivers toward more convergence, including how organizations seek to reduce costs and gain improved results as they reduce their reliance on physical assets and make increased use of logical assets. This is occurring as organizations face increasing compliance and regulatory requirements as well as ongoing pressures to reduce costs. The report concluded that while convergence is a driving force, the real value remains in aligning security functions (whether converged or diverged) with the business mission.
Figure 2-5 General governance framework
Initiating (I): Lay the groundwork for a successful improvement effort.
Diagnosing (D): Determine where you are relative to where you want to be.
Establishing (E): Plan the specifics of how you will reach your destination.
Acting (A): Do the work according to the plan.
Learning (L): Learn from the experience and improve your ability to adopt new improvements in the future.
Source: Software Engineering Institute. This publication incorporates portions of “IDEALSM: A User’s Guide for Software Process Improvement” by Bob McFeeley, Copyright 1996 Carnegie Mellon University, with special permission from its Software Engineering Institute. Any material of Carnegie Mellon University and/or its Software Engineering Institute contained herein is furnished on an “as-is” basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied, as to any matter, including, but not limited to, warranty of fitness for purpose or merchantability, exclusivity, or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. This publication has not been reviewed nor is it endorsed by Carnegie Mellon University or its Software Engineering Institute. IDEALSM is a service mark of Carnegie Mellon University.
Figure 2-6 The IDEAL model governance framework
The IDEALSM Model, shown as a cycle of five phases, each with its activities:
Initiating: Stimulus for Change; Set Context; Build Sponsorship; Charter Infrastructure
Diagnosing: Characterize Current & Desired States; Develop Recommendations
Establishing: Set Priorities; Develop Approach; Plan Actions
Acting: Create Solution; Pilot/Test Solution; Refine Solution; Implement Solution
Learning: Analyse and Validate; Propose Future Actions
Source: Software Engineering Institute; see the full credit under Figure 2-5.
Figure 2-7 Information security governance responsibilities
Functional Role | Responsibilities Examples
Chief Executive Officer | Oversee overall “Corporate Security Posture” (Accountable to Board); Brief board, customers, public
Chief Security Officer / Chief Information Officer / Chief Risk Officer / Department/Agency Head | Set security policy, procedures, program, training for Company; Respond to security breaches (investigate, mitigate, litigate); Responsible for independent annual audit coordination
Mid-Level Manager | Communicate policies, program (training); Implement/audit/enforce/assess compliance
Enterprise Staff/Employees | Implement policy; report security vulnerabilities and breaches
Source: Software Engineering Institute; see the full credit under Figure 2-5.
A 2007 report prepared by the consulting firm Deloitte, which was commissioned by the Alliance for Enterprise Security Risk Management, further explored the topic of convergence and identified enterprise risk management (ERM) as a value-adding approach that can gain superior alignment of security functions with the business mission while offering opportunities to lower costs.11 While that report limits its perspective to the two traditional facets of ERM control elements (i.e., IT security and physical security), it does identify the key approaches organizations are using to achieve unified ERM, including:
● Combining physical security and InfoSec under one leader as one business function
● Using separate business functions (each with a separate budget and autonomy) that report to a common senior executive
● Using a risk council approach to provide a collaborative approach to risk management where representatives from across the organization work collectively to set policy about assuming risk to the organization
The Deloitte report proposes the risk council approach as the preferred mechanism and goes on to explore what makes effective ERM and how risk councils can be used to best effect.
In 2007, the Open Compliance and Ethics Group commissioned a report to explore some of the complexities of GRC and how these key functions might best be executed.12 The key finding of this report is that GRC functions (including those defined as part of ERM) are often fragmented and not integrated to the degree needed for streamlined operations. The report also identified the benefits of increased levels of ERM along with integration and convergence of governance and compliance business functions.
The current accepted industry practices are toward achieving a synthesis of these approaches to reap the benefits of ERM. In practice, this means the degree to which an organization integrates managerial command and control over the multiple risk control facilities within that organization in order to address the business mission requirements, manage risk, and conform to compliance objectives.
Today, most organizations of appreciable size have moved toward the maximum degree of convergence suitable for their form of governance while working within the limits of geographic and organizational dispersion. We can therefore assume that there is a natural inclination toward more security convergence.
Planning for Information Security Implementation
The CIO and CISO play important roles in translating overall strategic planning into tactical and operational InfoSec plans. Depending on the InfoSec function’s placement within the organizational chart (discussed in detail in Chapter 5), the objectives of the CIO and the CISO may differ. Most commonly, the CISO reports directly to the CIO. In that case, the CIO charges the CISO and other IT department heads with creating and adopting plans that are consistent with and supportive of the entire organizational strategy. The CIO must also ensure that the various IT functional areas in the organization provide broad support for the plan and that no areas are omitted or ignored.
The CISO plays a more active role in the development of the planning details than the CIO does. Consider the following job description for the InfoSec department manager from Charles Cresson Wood’s Information Security Roles and Responsibilities Made Easy:
● Creates a strategic InfoSec plan with a vision for the future of InfoSec at Company X (utilizing evolving InfoSec technology, this vision meets a variety of objectives such as management’s fiduciary and legal responsibilities, customer expectations for secure modern business practices, and the competitive requirements of the marketplace)
● Understands the fundamental business activities performed by Company X and, based on this understanding, suggests appropriate InfoSec solutions that uniquely protect these activities
● Develops action plans, schedules, budgets, status reports, and other top management communications intended to improve the status of InfoSec at Company X13
View Point
The Role of the Chief Security Officer
By Robert Lang, Assistant Vice President for Strategic Security and Safety at Kennesaw State University
The evolution of the role of the CSO should instead be called a “revolution” of the role of the CSO since that role has seen great change in recent years, to the betterment of all concerned. In prior years, the CSO position was usually dedicated to InfoSec, focusing mainly on the ever-present disaster recovery issue, which every company using IT faces. In that role, the CSO’s primary concern was to maintain a continuity of operations for the IT department. However, some CSOs also focused on physical security (personnel as well as the physical plant and critical infrastructure), leading them to an interest in the IT needed to maintain those operations.
The main weakness in putting one person in charge of both the IT infrastructure and the physical security of people and buildings is the inherent tendency to point fingers when incidents occur. If controls to mitigate loss fail or the plans to optimize incident response come up short, the situation usually devolves into name-calling and accusations of professional malfeasance toward the other half of the security program.
Many people use the term “convergence” to describe the effort to merge the IT protection role and the physical asset protection and personnel safety role. This trend has progressed rapidly in recent years. This is particularly noticeable in the convergence of the technical means of control used by each side merging into common systems. For example, video surveillance using security cameras and central monitoring stations is often implemented over the common networking infrastructure from the IT department. As physical security programs using security guards and even sworn officers seek to optimize costs, they rely on advanced and integrated IT systems. This convergence is resisted by some, with claims of specialized expertise or incompatible objectives. However, the trend toward security convergence continues.
By accepting the emerging reality that a CSO is no longer limited to being the chief physical security officer, the door is now open to enable more organizations to navigate their way to a security convergence that is the right way for them to organize their efforts. Done properly, this will result in a seamless program that embraces the concept that all organization members—employee or contractor, security guard or secretary, salesman or manager—are responsible for what happens within the facility.
Best practices in business, government, and nonprofit organizations alike require a collective responsibility for InfoSec, incident response, disaster recovery, and business continuity. Most organizations resisting the convergence of these practices focus on one at the expense of the others. Eventually, the imperative to converge will become obvious. In the meantime, organizations that seek to “put on a show” of physical security, with security officers stationed at the front door, but that don’t try to integrate their physical and InfoSec are essentially waiting for the next crisis or incident to force them to account for their lack of preparation.
In each organization, the CSO’s new role awaits the emergence of a manager who has the power to invoke change, who looks at the broad view of the organization, and who is motivated to institutionalize control programs to limit the risk from the broad spectrum of security concerns. This new vision for converged security goes well beyond guards, badges, and sign-in procedures. It seeks to integrate the best of physical security and asset protection with InfoSec processes. Thus, it spans disaster recovery, password protection, identity management, and all of the solutions that are deployed to manage operational risk from the myriad threats all organizations face. The best organizations achieve an integrated ERM program in which business continuity is not just a program or a check box on an audit report, but an organizational culture making all processes in the organization seamlessly resilient and recoverable.
The CSO’s new role is that of an agent of change. Without easing up on the roles they’ve been playing in physical security and safety, CSOs must integrate those aspects that come from information protection. Finding the change agent needed to make this a reality is challenging. That person must have skills and understanding that embrace physical security and InfoSec while also having a deep understanding of the threat environment. Creating an ERM and business continuity culture will require definition or redefinition of the many processes and procedures already in place, but with an understanding that no real change can occur until all the people in the organization know what to do, how to do it, and are comfortable with reacting swiftly and diligently during any untoward event.
Does this new CSO have to be equipped with all the detailed expertise and all the experience to perform each and every aspect of the job? In a perfect world, probably. In this world, the knowledge and experience may not need to be as deep or as detailed. The more important ability is a vision that transcends the arbitrary division of security responsibilities that are keeping an organization from being able to plan, react, and recover from any untoward event. This person must do all that while maintaining a security posture that, though unobtrusive, maintains an effective degree of security and safety presence at all times.
The CSO’s role is undergoing significant change. Every new threat that emerges, each new risk that is identified, and every new technology that emerges will continue to change the role. A better title for this role might therefore be “chief resilience officer,” since the quest for resilience is a key element of every successful organization and the key characteristic of the new CSO.
Once the organization’s overall strategic plan has been translated into IT and InfoSec departmental objectives by the CIO, and then further translated into tactical and operational plans by the CISO, the implementation of InfoSec can begin.
Implementation of InfoSec can be accomplished in two ways: bottom-up or top-down. These two basic approaches are illustrated in Figure 2-8.
Figure 2-8 Approaches to security implementation
Top-down approach—initiated by top management: CEO; then CFO, CIO, COO; then CISO, VP Systems, VP Networks; then Security Mgr, Systems Mgr, Network Mgr; then Security Admin, Systems Admin, Network Admin; then Security Tech, Systems Tech, Network Tech. Bottom-up approach—initiated by administrators and technicians.
Copyright © 2014 Cengage Learning®.
The bottom-up approach might begin as a grass-roots effort in which systems administrators attempt to improve the security of their systems. The key advantage of this approach is that it utilizes the technical expertise of the individual administrators who work with the information systems on a daily basis. System and network administrators possess in-depth knowledge that can greatly enhance the state of InfoSec in the organization. These professionals know and understand many of the threats to their systems and the mechanisms needed to protect them successfully. Unfortunately, this approach seldom works, as it lacks a number of critical features, such as coordinated planning from upper management, coordination between departments, and the provision of sufficient resources.
The top-down approach, in contrast, features strong upper-management support, a dedicated champion, usually assured funding, a clear planning and implementation process, and the ability to influence organizational culture. High-level managers provide resources; give direction; issue policies, procedures, and processes; dictate the goals and expected outcomes of the project; and determine who is accountable for each of the required actions. The most successful top-down approach also incorporates a formal development strategy referred to as the systems development life cycle (SDLC).
For any top-down approach to succeed, high-level management must buy into the effort and provide its full support to all departments. Such an initiative must have a champion—ideally, an executive with sufficient influence to move the project forward, ensure that it is properly managed, and push for its acceptance throughout the organization. Typically, the champion of a far-reaching InfoSec program is the CIO or another senior executive such as the vice president of information technology (VP-IT). Without this high-level support, many mid-level administrators fail to dedicate enough resources to the project or dismiss it as a low priority.
Involvement and support of end users is also critical to the success of this type of effort. Because the process and outcome of the initiative most directly affect these individuals, they must be included in the InfoSec planning process. Key end users should be assigned to design teams, known as joint application design (JAD) teams. A successful JAD must be able to survive employee turnover; it should not be vulnerable to changes in personnel. For this reason, the processes and procedures must be documented and integrated into organizational culture. They must be adopted and promoted by the organization’s management. These attributes are seldom found in projects that begin as bottom-up initiatives. In order for the JAD approach to be successful, the following key steps are recommended:
1. Identify project objectives and limitations.
2. Identify critical success factors.
3. Define project deliverables.
4. Define the schedule of workshop activities.
5. Select the participants.
6. Prepare the workshop material.
7. Organize workshop activities and exercises.
8. Prepare, inform, and educate the workshop participants.
9. Coordinate workshop logistics.14
The success of InfoSec plans can be enhanced by using the processes of system analysis and design, a discipline that is an integral part of most academic curricula in the field of IT. The following sections offer a brief overview of this topic but do not replace a more detailed study of the discipline.
Introduction to the Security Systems Development Life Cycle
In general, an SDLC is a methodology for the design and implementation of an information system in an organization. A methodology is a formal approach to solving a problem based on a structured sequence of procedures. Using a methodology ensures a rigorous process and increases the likelihood of achieving the desired final objective. Organizations often reuse a successful methodology as they gain experience with it. This tried-and-true approach is combined with sound project management practices to develop key project milestones, allocate resources, select personnel, and perform the tasks needed to accomplish a project’s objectives.
Sometimes, the SDLC is used to develop custom applications or deploy a purchased solution.
A variation of this methodology, used to create a comprehensive security posture, is called
the security systems development life cycle (SecSDLC).
System projects may be initiated in response to specific conditions or combinations of conditions. The impetus to begin an SDLC-based project may be event-driven—that is, a response to some event in the business community, inside the organization, or within the ranks of employees, customers, or other stakeholders. Alternatively, it could be plan-driven—that is, the result of a carefully developed planning strategy. Either way, once an organization recognizes the need for a project, the use of a methodology can ensure that development proceeds in an orderly, comprehensive fashion. At the end of each phase, a structured review or reality check takes place, during which the team and its management-level reviewers decide whether the project should be continued, discontinued, outsourced, or postponed until additional expertise or organizational knowledge is acquired.
The following sections illustrate an approach to the SecSDLC that uses a traditional waterfall model SDLC. The term “waterfall model” indicates that the work products of each phase fall into the next phase to serve as its starting point. While the SecSDLC may differ from the traditional SDLC in several specific activities, the overall methodology is the same. The SecSDLC process involves the identification of specific threats and the risks that they represent as well as the subsequent design and implementation of specific controls to counter those threats and manage the risk. The process turns InfoSec into a coherent program rather than a series of responses to individual threats and attacks. Figure 2-9 shows the phases in the SecSDLC.
While there are a number of other models besides the waterfall model, the intent is to use the waterfall as an illustrative method of understanding the base requirements. The current recommended practice is to use a methodology that has a specific set of stages, which also requires periodic review of previous efforts, and can, as needed, revert or redirect to a previous stage if progress is currently unsatisfactory. The waterfall model is not intended as the definitive approach, nor is it represented as the only approach. Organizations may prefer other models, like the Spiral, agile development, or rapid application development. Here, however, the waterfall approach will serve as a basis for discussion.
Figure 2-9 SDLC Waterfall methodology
Phases, in order: Investigation; Analysis; Logical Design; Physical Design; Implementation; Maintenance and Change (repeat when system no longer viable).
Copyright © 2014 Cengage Learning®.
Investigation in the SecSDLC The investigation phase of the SecSDLC begins with a
directive from upper management specifying the process, outcomes, and goals of the project as
well as its budget and other constraints. Frequently, this phase begins with the affirmation or
creation of security policies on which the security program of the organization is or will be
founded. Teams of managers, employees, and consultants are assembled to investigate problems,
define their scope, specify goals and objectives, and identify any additional constraints not covered in the enterprise security policy. (A more detailed treatment of InfoSec policy is presented in
Chapter 4.) Finally, an organizational feasibility analysis determines whether the organization
has the resources and commitment to conduct a successful security analysis and design.
Unfortunately, many InfoSec projects are initiated in response to a significant security
breach within an organization. While these circumstances may not be the ideal conditions
under which to begin work on an V
organization’s InfoSec posture, the SecSDLC team should
emphasize that improvement is now under way.
I
Analysis in the SecSDLC In C
the analysis phase, the team studies the documents from the
investigation phase. The development team that was assembled during the investigation phase
K
conducts a preliminary analysis of existing security policies or programs along with documented
current threats and associated controls.
E This phase also includes an analysis of relevant legal
issues that could affect the design of the security solution. Increasingly, privacy laws are a
R
major consideration when making decisions about information systems that manage personal
S
information. Recently, many state legislatures
have made certain computer-related activities that
were once unregulated illegal, so a detailed
understanding
of these issues is vital.
,
The risk management task also begins in this stage. Risk management is the process of identifying,
assessing, and evaluating the levels of risk an organization faces—specifically, the threats to
the organization's security and to the information stored and processed by the organization. In
this context, it is helpful to ponder the words of the famous Chinese general Sun Tzu:

    If you know the enemy and know yourself, you need not fear the result of a hundred
    battles. If you know yourself but not the enemy, for every victory gained you will
    also suffer a defeat. If you know neither the enemy nor yourself, you will succumb
    in every battle.15

The analysis process begins by getting to know your adversary. In InfoSec, the adversary is
the entire set of threats and attacks that your systems face as they provide services to your
organization and its customers.
To better understand the analysis phase of the SecSDLC, you should know something about
the kinds of threats facing organizations in the modern, connected world of IT. In this
context, a threat is an object, person, or other entity that represents a constant danger to an
asset. While each enterprise's categorization of threats will vary, threats are relatively well
researched and consequently fairly well understood. To better understand the numerous
threats facing an organization, a scheme has been developed to group threats by their
respective activities. This model consists of 12 general categories that represent real and
present dangers to an organization's information and systems. Table 2-1 lists and briefly
describes these 12 categories, which are discussed in the following sections.
9781305147263, Management of Information Security, Fourth Edition, Whitman/Mattord - © Cengage Learning. All rights reserved. No distribution allowed without express authorization.

Table 2-1 Threats to information security16

Threat                                                     Description/Example
Compromises to intellectual property                       Software piracy or other copyright infringement
Deviations in quality of service from service providers    Fluctuations in power, data, and other services
Espionage or trespass                                      Unauthorized access and/or data collection
Forces of nature                                           Fire, flood, earthquake, lightning, etc.
Human error or failure                                     Accidents, employee mistakes, failure to follow policy
Information extortion                                      Blackmail threat of information disclosure
Sabotage or vandalism                                      Damage to or destruction of systems or information
Software attacks                                           Malware: viruses, worms, macros, denial-of-service, or script injections
Technical hardware failures or errors                      Hardware equipment failure
Technical software failures or errors                      Bugs, code problems, loopholes, back doors
Technological obsolescence                                 Antiquated or outdated technologies
Theft                                                      Illegal confiscation of equipment or information

Copyright © 2014 Cengage Learning®.

Compromises to Intellectual Property The owner of intellectual property has the right
to control proprietary ideas as well as their tangible or virtual representations. Information
about an organization's intellectual property can be of great interest to its competitors and
can be accidentally or deliberately disseminated to those outside the organization.
Deviations in Quality of Service by Service Providers Sometimes, a product or service is
not delivered as expected. The organization's information system depends on the successful
operation of many interdependent support systems, including power grids, telecommunications
networks, parts suppliers, service vendors, and even the janitorial staff and garbage haulers.
The threat of irregularities from power utilities is common. When they occur they can lead to
several types of power fluctuations:

● A voltage-level spike (a momentary increase)
● A surge (a prolonged increase)
● A momentary low voltage or sag
● A more prolonged drop in voltage, called a brownout
● A complete loss of power for a moment, called a fault
● A more lengthy loss, known as a blackout
Espionage or Trespass This category encompasses a broad array of electronic and
human activities that can breach the confidentiality of information. When an unauthorized
individual gains access to information that an organization is trying to protect, that access is
categorized as a deliberate act of espionage or trespass.
Forces of Nature Forces of nature (known as “force majeure”) or acts of God pose some of
the most dangerous threats imaginable because they can occur with very little warning. These
include fire, flood, earthquake, and lightning, as well as volcanic eruption and insect infestation.
Human Error or Failure When people use information systems, mistakes sometimes
happen. Inexperience, improper training, the making of incorrect assumptions, and other
circumstances can cause these problems. People also fail to follow policy, whether through
ignorance or intentionally. Such failures can also threaten an organization’s information
assets.
Information Extortion Information extortion occurs when an attacker or formerly trusted
insider steals information from a computer system and then demands compensation for its
return or for an agreement to not disclose the information. This practice is common in credit
card number theft.
Sabotage or Vandalism Individuals or groups may attempt to sabotage the operations
of a computer system or business, or they may perform acts of vandalism, either to destroy
an asset or damage the organization's image. These threats range from petty vandalism by
employees to Web page defacement by outside persons or groups.

Software Attacks Deliberate software attacks occur when an individual or group designs
software—often called malicious code or software, or malware—to attack a vulnerable system.
Some of the more common types of malicious code are viruses, worms, Trojan horses,
logic bombs, and back doors.

Technical Hardware Failures or Errors Technical hardware failures or errors occur
when a manufacturer distributes equipment containing a known or unknown flaw. These
defects can cause the system to perform outside of expected parameters, resulting in
unreliable service or lack of availability.

Technical Software Failures or Errors Technical software failures or errors occur
when a developer distributes software with known or unknown hidden faults. These faults
may range from bugs to untested failure conditions.
Technological Obsolescence When the infrastructure becomes antiquated or outdated,
it leads to unreliable and untrustworthy systems that may be difficult to maintain without
extensive investment of resources.
Theft Theft is the illegal taking of another’s property, whether physical, electronic, or
intellectual.
The preceding list of threats may be manifested as attacks against the assets of the organization. An attack is an act or event that exploits a vulnerability. A vulnerability is an
identified weakness of a controlled information asset and is the result of absent or inadequate controls. An attack is accomplished by a threat agent—the specific instance of a
threat—that damages or steals an organization’s information or physical assets. An
exploit is a technique or mechanism used to compromise an information asset. A technical attack may use an exploit to compromise a controlled system, whereas a nontechnical
attack may result from natural events or less sophisticated approaches. Here are some
types of technical attacks:
● Back door—A feature left behind by system designers or maintenance staff or
  installed by malicious code to allow quick access at a later time, bypassing access
  controls
● Brute force—The application of computing and network resources to try every possible
  combination of values in order to compromise a control, read encrypted data, or
  crack a password
● Buffer overflow—An application error that occurs when more data is sent to a
  buffer than it can handle, often performed intentionally to force a system
  to interpret data as system commands or to overwhelm a system's ability to
  process input
● Denial-of-service (DoS) and distributed denial-of-service (DDoS)—The transmission of
  a large number of connection or information requests to a target, thereby blocking
  other, legitimate traffic; called a DDoS when multiple systems are organized into a
  simultaneous attack
● Dictionary—An attempt to narrow the field of possible password values by
  selecting specific accounts as targets and/or using a list of common values
  (the dictionary) with which to guess, rather than exhaustively trying every
  combination
● DNS cache poisoning—The replacement of legitimate information in a DNS server
  with a Web site or other Internet location the attacker wants the user to view; also
  known as a "redirect attack"
● Hoax—False report of a threat or attack, resulting in a waste of time and resources
● Mail bombing—The routing of large quantities of e-mail to the target in an effort to
  overwhelm the system
● Malicious code—The execution of viruses, worms, Trojan horses, and active Web
  scripts with the intent to destroy, steal, or deny access to information assets
● Man-in-the-middle—The commandeering of a network connection session so that an
  attacker can read and perhaps modify the data transferred in that connection; one
  approach to this end is also known as a "TCP hijacking attack"
● Password crack—An attempt to reverse-calculate or guess a password; includes
  dictionary attacks and brute force attacks, and credentials may also be captured in
  transit by a man-in-the-middle attack
● Phishing—A specialized social engineering attack in which the attacker uses an e-mail
  or forged Web site to attempt to extract personal information from a user
● Sniffer—A program or device that can monitor and intercept data traveling over a
  network; a legal tool when used by the network owners to regulate traffic, an illegal
  tool when used as part of an attack
● Social engineering—The use of social skills to convince people to reveal access
  credentials or other valuable information
● Spam—Unsolicited commercial e-mail, the electronic equivalent of junk mail; often
  used as a denial of service effort, an element of a compromise that introduces a
  malware attack, or an effort to waste organizational resources
● Spear phishing—A targeted social engineering attack in which the attacker crafts an
  individualized letter or e-mail to attempt to extract personal information from an
  unsuspecting user
● Spoofing—A technique used to gain unauthorized access to computers, whereby the
  intruder sends network-level messages to a computer with an IP address indicating that
  the message is coming from a trusted host
● Timing—An attack that enables an attacker to extract secrets maintained in a security
  system by observing the time it takes the system to respond to various queries
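The password-related entries in the list above (brute force, dictionary, password crack) differ mainly in how they enumerate candidates. The following Python script is an added example, not code from the textbook: it hashes constructed sample passwords with a fast salted SHA-256 (the salt, word list and passwords are made up here) and runs a dictionary attack and an exhaustive brute-force search against the hashes, returning the number of guesses each needed so the two approaches can be compared directly.

```python
# Added example: dictionary attack versus brute force against stored
# password hashes. The salt, word list and sample passwords are constructed
# for this demonstration and are not from the textbook.
import hashlib
import itertools

SALT = b"rww-demo-salt"

# Assumed word list: a handful of common values stands in for the
# hundreds of millions of entries a real cracking dictionary holds.
COMMON_WORDS = ["password", "123456", "qwerty", "letmein", "summer2014", "welcome1"]

HEX_DIGITS = "0123456789abcdef"


def hash_password(password: str, salt: bytes = SALT) -> str:
    """Salted SHA-256. Deliberately fast, which is what makes guessing cheap;
    production systems should use a slow KDF such as bcrypt, scrypt or Argon2."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def dictionary_attack(target_hash: str, wordlist, salt: bytes = SALT):
    """Try each candidate from a list of common values, in order.
    Returns (recovered_password or None, number_of_guesses)."""
    guesses = 0
    for word in wordlist:
        guesses += 1
        if hash_password(word, salt) == target_hash:
            return word, guesses
    return None, guesses


def brute_force(target_hash: str, alphabet: str, max_len: int, salt: bytes = SALT):
    """Exhaustively try every string over `alphabet` of length 1..max_len.
    Returns (recovered_password or None, number_of_guesses)."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if hash_password(candidate, salt) == target_hash:
                return candidate, guesses
    return None, guesses


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidates brute force must be prepared to try."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


if __name__ == "__main__":
    # A weak password falls to the dictionary in a handful of guesses.
    print(dictionary_attack(hash_password("summer2014"), COMMON_WORDS))
    # A short hex PIN falls to brute force, but only after thousands of guesses.
    print(brute_force(hash_password("7b1"), HEX_DIGITS, 3))
    # A 10-character password over 95 printable characters is beyond exhaustive
    # search with a fast hash, and far more so with a slow KDF.
    print(keyspace(95, 10))
```

The contrast is the point of the two attack definitions: the dictionary finds a common password in five guesses, while brute force needs more than two thousand for a three-character hex string and the keyspace grows exponentially with length and alphabet size, which is why slowing the hash function down defends against both.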
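The timing entry is the least intuitive item in the list, so here is an added example (not from the textbook) of how the leak arises and how it is closed. Rather than measure wall-clock time, which is noisy, the script counts the byte comparisons a checker performs; that count stands in for the response time an attacker would measure over the network, and the secret token and candidate alphabet are constructed for the demonstration. The attacker routine recovers the token one byte at a time from a checker that stops at the first mismatch, and fails against one that always examines every byte.

```python
# Added example: modelling a timing attack on a secret comparison.
# Assumptions (not from the textbook): the secret, the alphabet, and the
# use of a comparison-step counter as a stand-in for measured response time.
from functools import partial


class StepCounter:
    """Records how many bytes a comparison examined. Over a network an
    attacker observes this as elapsed time; counting steps keeps the demo
    deterministic."""

    def __init__(self) -> None:
        self.steps = 0


def naive_compare(secret: bytes, guess: bytes, counter: StepCounter) -> bool:
    """Vulnerable check: returns at the first mismatching byte, so the work
    done (and the time taken) grows with the length of the correct prefix."""
    if len(secret) != len(guess):
        return False
    for a, b in zip(secret, guess):
        counter.steps += 1
        if a != b:
            return False
    return True


def constant_time_compare(secret: bytes, guess: bytes, counter: StepCounter) -> bool:
    """Hardened check: examines every byte whatever the outcome, so the step
    count (time) carries no information about where the first mismatch is.
    In production use hmac.compare_digest, which behaves this way."""
    if len(secret) != len(guess):
        return False
    diff = 0
    for a, b in zip(secret, guess):
        counter.steps += 1
        diff |= a ^ b
    return diff == 0


def recover_secret(oracle, length: int, alphabet: bytes = b"0123456789abcdef") -> bytes:
    """Attacker: at each position submit every candidate byte (padding the
    rest with a filler outside the alphabet) and keep the one that made the
    oracle work longest. A guess the oracle accepts ends the search."""
    known = b""
    for pos in range(length):
        best_byte, best_steps = None, -1
        for c in alphabet:
            counter = StepCounter()
            guess = known + bytes([c]) + b"\x00" * (length - pos - 1)
            if oracle(guess, counter):
                return known + bytes([c])
            if counter.steps > best_steps:
                best_byte, best_steps = c, counter.steps
        known += bytes([best_byte])
    return known


# Constructed secret for the demonstration.
SECRET = b"3a9f"


def demo() -> dict:
    """Run the attack against both checkers and report what each leaked."""
    leaky = partial(naive_compare, SECRET)
    safe = partial(constant_time_compare, SECRET)
    return {
        "naive_recovered": recover_secret(leaky, len(SECRET)),
        "constant_time_recovered": recover_secret(safe, len(SECRET)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r} (secret is {SECRET!r})")
```

Against the naive checker the attacker needs at most 16 queries per byte instead of 16 to the power of the length, because each query's cost reveals whether the prefix is right; against the constant-time checker every query costs the same, so the search degenerates to guessing and recovers nothing.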
The last step in "knowing the enemy" is to find some method of prioritizing the risk posed
by each category of threat and its related methods of attack. This can be done by adopting
threat levels from an existing study of threats or by creating your own categorization of
threats for your environment, based on scenario analyses.

The next task in the analysis phase is to assess the relative risk for each of the information
assets via a process called risk assessment or risk analysis, both of which are components of
risk management. Risk management is the part of the SecSDLC analysis phase that identifies
vulnerabilities in an organization's information system and takes carefully reasoned steps to
assure the confidentiality, integrity, and availability of all components in the organization's
information system. Risk management is covered in detail in Chapter 9.

Risk assessment assigns a comparative risk rating or score to each specific information asset.
While this number does not mean anything in absolute terms, it is useful in gauging the relative
risk introduced by each vulnerable information asset and allows you to make comparative
ratings later in the risk control process. Risk assessment is covered in detail in Chapter 8.
Design in the SecSDLC The SecSDLC design phase consists of two distinct phases: the
logical design and the physical design. In the logical design phase, team members create and
develop the blueprint for security, and they examine and implement key policies that influence
later decisions. At this stage, critical contingency plans for incident response are developed.
Next, a feasibility analysis determines whether the project should continue in-house or
should be outsourced.

In the physical design phase, team members evaluate the technology needed to support the
security blueprint, generate alternative solutions, and agree on a final design. The security
blueprint may be revisited to keep it synchronized with the changes needed when the physical
design is completed. Criteria for determining the definition of successful solutions are
also prepared during this phase, as are designs for physically securing the technological
solutions. At the end of this phase, a feasibility study should determine the readiness of the
organization for the proposed project, and then the champion and users should be presented
with the design. At that point, the interested parties have a chance to approve (or not
approve) the project before implementation begins.
During the logical and physical design phases, a security manager may seek to use established security models to guide the design process. Security models provide frameworks for
ensuring that all areas of security are addressed; organizations can adapt or adopt a framework to meet their own InfoSec needs. A number of InfoSec frameworks have been published; several are discussed in detail in Chapters 5 and 6 and in the appendix.
One of the design elements (or, in some projects, redesign elements) of the InfoSec program
is the organization's InfoSec policy. The meaning of the term "security policy" differs
depending on the context in which it is used. Governmental agencies, for example, discuss
security policy in terms of national security and interaction with foreign states. In another
context, a security policy can be part of a credit card agency's method of processing credit
card numbers. In general, a security policy consists of a set of rules that protects an
organization's assets. An information security policy provides rules for the protection of the
information assets of an organization. As stated in Chapter 1, the task of the InfoSec program is
to protect the confidentiality, integrity, and availability of information and information
systems, whether in transit, storage, or processing. This task is accomplished by the application
of policy, education and training programs, and technology. Management must define three
types of security policies, as specified in the National Institute of Standards and Technology's
(NIST's) "Special Publication 800-100": general or enterprise InfoSec policy (EISP), issue-
specific security policies (ISSPs), and systems-specific security policies (SysSPs). Each of
these is covered in detail in Chapter 4.
Another integral part of the InfoSec program is the security education, training, and
awareness (SETA) program, discussed in detail in Chapter 5. Part of the CISO's
responsibilities, the SETA program is a control measure designed to reduce accidental security
breaches by employees. As mentioned earlier, employee errors represent one of the top threats
to information assets; for this reason, it is well worth expending resources to develop programs
to combat this problem. SETA programs are designed to supplement the general InfoSec
education and training programs that are already in place. Good practice dictates that the SDLC
include user training during the implementation phase. Employee training should be managed to
ensure that all employees are trained properly.

The design phase continues with the formulation of the controls and safeguards used to protect
information from attacks by threats. The terms control and safeguard are often used
interchangeably. There are three categories of controls: managerial controls, operational
controls, and technical controls.
Managerial controls cover security processes that are designed by the strategic planners and
executed by the security administration of the organization. They set the direction and scope
of the security process and provide detailed instructions for its conduct. Managerial controls
address the design and implementation of the security planning process and security program
management. They also address risk management and security controls reviews (discussed in
detail in Chapters 8 and 9). Management controls further describe the necessity and scope of
legal compliance and the maintenance of the entire security life cycle.
Operational controls deal with the operational functionality of security in the organization.
They cover detailed/tactical management functions and lower-level planning, such as disaster
recovery and incident response planning (IRP). In addition, these controls address personnel
security, physical security, and the protection of production inputs and outputs. Operational
controls also provide structure to the development of education, training, and awareness
programs for users, administrators, and management. Finally, they address hardware and
software systems maintenance and the integrity of data.
Technical controls address technical approaches used to implement security in the organization.
Operational controls address specific operational issues, such as control development and integration into business functions, while technical controls must be selected, acquired (made or bought),
and integrated into the organization’s IT structure. Technical controls include logical access controls, such as those used for identification, authentication, authorization, and accountability.
Another element of the design phase is the creation of essential preparedness documents.
Managers in the IT and InfoSec communities engage in strategic planning to assure the
continuous availability of the organization's information systems. In addition, managers of the
organization must be ready to respond when an attack occurs. The various plans for handling
attacks, disasters, or other types of incidents include business continuity plans (BCPs), disaster
recovery plans (DRPs), and incident response plans (IR plans). These are often known
collectively as contingency plans. In large, complex organizations, each of these named
plans may represent separate but related planning functions, differing in scope, applicability,
and design. In a small organization, the security administrator (or systems administrator)
may have one simple plan, which consists of a straightforward set of media backup and
recovery strategies and a few service agreements from the company's service providers. The
sad reality is that many organizations have a level of response planning that is woefully
deficient.
Incident response, disaster recovery, and BCP are all components of contingency planning (CP).
CP is the overall planning conducted by the organization to prepare for, react to, and recover
from events that threaten the security of information assets in the organization, and to provide
for the subsequent restoration to normal business operations. Organizations need to develop
DRPs, IR plans, and business continuity plans as subsets of the overall CP. IRP is the planning
process associated with the identification, classification, response, and recovery from an
incident. DRP is the planning process associated with the preparation for and recovery from a
disaster, whether natural or human-made. BCP is the planning process associated with
ensuring that critical business functions continue if a catastrophic incident or disaster occurs.
These critical building blocks of response planning are presented in Chapter 3.
The design phase next addresses physical security, which requires the design, implementation,
and maintenance of countermeasures to protect the physical resources of an organization.
Physical resources include people, hardware, and the supporting system elements and
resources associated with the management of information in all its states—transmission,
storage, and processing. Many technology-based controls can be circumvented if an attacker
gains physical access to the devices being controlled. For example, when employees fail to
secure a server console, the operating system running on that computer becomes vulnerable
to attack. Some computer systems are constructed in such a way that it is easy to steal the
hard drive and the information it contains. As a result, physical security should receive as
much attention as logical security in the security development life cycle. For further
discussions on the dimension of physical security, consult one of the many fine text, trade, or
reference books on the subject.
Implementation in the SecSDLC The SecSDLC implementation phase is similar to
the corresponding phase of the traditional SDLC. Security solutions are acquired (made or
bought), tested, implemented, and retested. Personnel issues are evaluated and specific training and education programs are conducted. Finally, the entire tested package is presented to
upper management for final approval.
The InfoSec systems software or application systems selection process is not appreciably different from that for general IT needs. Vendors should be provided with detailed specifications, and they should in turn provide detailed information about products and costs. As in
IT system implementation, it is essential to establish clear specifications and rigorous test
plans to assure a high-quality implementation.
Perhaps the most important element of the implementation phase is the management of the
project plan. Project management is a process that underlies all phases of the SecSDLC. The
execution of the project plan proceeds in three steps:

1. Planning the project
2. Supervising the tasks and action steps within the project plan
3. Wrapping up the project plan

The project plan can be developed in any number of ways. Each organization must determine
its own project management methodology for IT and InfoSec projects. Whenever possible,
InfoSec projects should follow the organizational practices of project management. For
organizations that have not established clearly defined project management practices, the
following pages supply general guidelines on recommended practices. Project management
and its relationship to InfoSec were described in detail in Chapter 1.
InfoSec is a field with a vast array of technical and nontechnical requirements. For this reason,
the project team should include individuals who are experienced in one or more requirements of
both the technical and nontechnical areas. Many of the same skills needed to manage and
implement security are needed to design it. Members of the development team fill the following
roles:

● Champion—A senior executive who promotes the project and ensures its support, both
  financially and administratively, at the highest levels of the organization
● Team leader—A project manager (perhaps a departmental line manager or staff unit
  manager) who understands project management, personnel management, and InfoSec
  technical requirements
● Security policy developers—Individuals who understand the organizational culture,
  existing policies, and requirements for developing and implementing successful policies
● Risk assessment specialists—Individuals who understand financial risk assessment
  techniques, the value of organizational assets, and the security methods to be used
● Security professionals—Dedicated, trained, and well-educated specialists in all aspects
  of InfoSec from both technical and nontechnical standpoints
● Systems administrators—Individuals with the primary responsibility for administering
  the systems that house the information used by the organization
● End users—The individuals whom the new system will most directly affect; ideally, a
  disparate group of users from various departments and levels, and with varying
  degrees of technical knowledge, to assist the team in applying realistic controls in ways
  that do not disrupt the essential business activities they seek to safeguard
Just as each potential employee and each potential employer looks for the best fit during the hiring process, so each organization should thoroughly examine its options when staffing the InfoSec function. When implementing InfoSec in an organization, many human resource issues must
be addressed. First, the entire organization must decide how to position and name the security
function within the organization. Second, the InfoSec community of interest must plan for the
proper staffing (or adjustments to the staffing plan) for the InfoSec function. Third, the IT community of interest must understand how InfoSec affects every role in the IT function and adjust
job descriptions and documented practices accordingly. Finally, the general management community of interest must work with the InfoSec professionals to integrate solid InfoSec concepts
into the personnel management practices of the organization as a whole.

It takes a wide range of professionals to support a diverse InfoSec program. Because a good
security plan is initiated from the top down, senior management is the key component and
vital force driving the successful implementation of an InfoSec program. To develop and execute
specific security policies and procedures, additional administrative support is required. Finally,
technical expertise is necessary to implement the details of the security operation.

Here are more precise descriptions of the various roles involved in InfoSec:

● Chief information officer (CIO)—Senior technology officer responsible for aligning the
  strategic efforts of the organization and integrating them into action plans for the
  information systems or data-processing division of the organization
● Chief information security officer (CISO)—The individual responsible for the assessment,
  management, and implementation of information-protection activities in the
  organization
● Chief security officer (CSO)—This job title may be used in lieu of "CISO"; however,
  when it is used to refer to a role that is superior to the CISO, this is the individual
  responsible for the protection of all physical and information resources within the
  organization
● Security managers—The individuals accountable for ensuring the day-to-day operation
  of the InfoSec program, accomplishing the objectives identified by the CISO and
  resolving issues identified by technicians
● Security technicians—Technically qualified individuals who are tasked with configuring
  firewalls and intrusion detection systems (commonly referred to as IDSs), implementing
  security software, diagnosing and troubleshooting problems, and coordinating with systems
  and network administrators to ensure that security technology is properly implemented
● Data owners—Individuals who control (and are therefore responsible for) the security
  and use of a particular set of information. Data owners may rely on custodians for the
  practical aspects of protecting their information, specifying which users are authorized
  to access it, but they are ultimately responsible for it
● Data custodians—Individuals who work directly with data owners and are responsible
  for the storage, maintenance, and protection of the information
● Data users—Systems users who work with the information to perform their daily jobs
  supporting the mission of the organization, everyone in the organization being
  responsible for the security of data (and thus playing an InfoSec role)
All these roles are presented in greater depth in Chapter 11.
Many organizations seek employees or contractors who have professional certifications so
that they can more easily identify these individuals’ proficiency. A thorough discussion of
InfoSec industry certification approaches and programs is also provided in Chapter 11.
Maintenance in the SecSDLC The maintenance and change phase, though last, is
perhaps the most important, given the flexibility and persistence of many of the threats facing
the modern organization. Today's InfoSec systems need constant monitoring, testing,
modifying, updating, and repairing. Traditional applications systems that are developed
within the framework of the SDLC are not designed to anticipate a vicious attack that
requires some degree of application reconstruction as a normal course of operation. In
security, the battle for stable, reliable systems is a defensive one. As new threats emerge and old
threats evolve, the InfoSec profile of an organization requires constant adaptation to prevent
threats from successfully penetrating sensitive data.

Once the InfoSec program is implemented, it must be operated, properly managed, and kept
up-to-date by means of established procedures. If the program is not adjusting adequately to
the changes in the internal or external environment, it may be necessary to begin the cycle
again. The CISO determines whether the InfoSec group can adapt adequately and maintain
the InfoSec profile of the organization, or whether the macroscopic process of the SecSDLC
must start anew to redevelop a fundamentally different InfoSec profile. It is less expensive
and more effective when an InfoSec program is able to deal with change. Even when an
InfoSec program is adapting and growing, those processes of maintenance and change mirror
the overall process of the SecSDLC, differing only in scope. As deficiencies are found
and vulnerabilities pinpointed, projects to maintain, extend, or enhance the program follow
the SecSDLC steps. Therefore, for maintenance, the steps include investigation, analysis,
design, and implementation.

[Figure 2-10 Maintenance model (diagram; only its labels survive extraction). Five domains
surround Information Security Program Planning:
  External monitoring: external environment monitoring; public Internet sources, vendors,
    CERT organizations; IDS
  Internal monitoring: internal environment monitoring; architectural review boards;
    IT change control; fingerprinting; footprinting
  Planning and risk assessment: information security projects; IT projects; operational
    risk assessments; risk, threat, and attack DB; policy review
  Vulnerability assessment and remediation: Internet, intranet, wireless, and modem
    vulnerability assessments; platform security validation; vulnerability DB; remediation
  Readiness and review: IRP-DRP-BCP readiness and review; rehearsals and war games]
Copyright © 2014 Cengage Learning®.
Whereas a systems management model is designed to manage and operate systems, a maintenance model is intended to complement a systems management model and focus those ongoing
maintenance efforts that are needed to keep systems useable and secure. Figure 2-10 presents
one recommended approach for dealing with InfoSec. The model consists of five subject areas
or domains, as described in the following sections.
External Monitoring The objective of external monitoring within the maintenance model
shown in Figure 2-10 is to provide early awareness of new and emerging threats, threat agents,
vulnerabilities, and attacks, thereby enabling the creation of an effective and timely defense.
Internal Monitoring The primary objective of internal monitoring is to maintain an
informed awareness of the state of all the organization's networks, information systems, and
InfoSec defenses. This status must be communicated and documented, especially the status of
the parts of information systems that are connected to the external network.
Planning and Risk Assessment The primary objective of planning and risk assessment is
to keep a wary eye on the entire InfoSec program. This is achieved in part by identifying and
planning ongoing InfoSec activities that further reduce risk. Also, the risk assessment group
identifies and documents risks introduced by both IT projects and InfoSec projects. Furthermore,
it identifies and documents risks that may be latent in the present environment.
Vulnerability Assessment and Remediation The primary objective of vulnerability
assessment and remediation is the identification of specific, documented vulnerabilities and
their timely remediation. This is accomplished by:
● Using documented vulnerability assessment procedures to safely collect intelligence
about networks (internal and public-facing), platforms (servers, desktops, and process
control), dial-in modems, and wireless network systems
● Documenting background information and providing tested remediation procedures
for the reported vulnerabilities
● Tracking, communicating, and reporting to management the itemized facts about the
discovered vulne...