Date post: 01-Apr-2018
Certified Information Systems Security Professional (CISSP) Course 1 - Information Security and Risk Management
Transcript

Certified Information Systems Security Professional (CISSP)

Course 1 - Information Security and Risk Management

Slide 1

© Logical Security

Logical Security

9316 Yorktown St.

McKinney, TX 75071

www.LogicalSecurity.com

Slide 2

Logical Security Offers…

Slide 3

Holistic Security

Slide 4

Slide 5

Slide 6

Slide 7

Slide 8

Think of Us…

Risk Management

Enterprise Security Architect

Security Governance

Regulatory Compliance

Vulnerability Management

Data Leakage Protection

Slide 9

Holistic Security

Slide 10

Shon Harris CISSP®

Logical Security’s CISSP Course

Logical Security

www.LogicalSecurity.com

Copyright © 2007. All rights reserved.

Slide 11

Common Body of Knowledge

Access Control

Application Security

Business Continuity and Disaster Recovery Planning

Cryptography

Information Security and Risk Management

Legal, Regulations, Compliance, and Investigation

Operations Security

Physical (Environmental) Security

Security Architecture and Design

Telecommunications and Network Security

Slide 12

Exam Specifics

CISSP Exam

250 questions

225 questions graded

25 questions are for research purposes

6 hours given to complete test

Average is 4 ½ hours

Passing grade is 700 points

Questions are weighted

Multiple choice – one answer is correct

Slide 13

Your Instructor

Recognized as one of the top 25 women in the security field by Information Security Magazine

Author of best-selling book CISSP All-In-One Study Guide and CISSP Passport

Gray Hat Hacking book 2nd edition

Former engineer in the Information Warfare unit for the Air Force

Security Consultant

President Logical Security

Security writer for Information Security Magazine and Windows 2000

Shon Harris

Slide 14

What Have You Heard?

Do you know others who have taken this exam?

Why is it seen as such a difficult test?

Slide 15

Some Reasons Why the Exam Is Difficult

Covers a wide range of information

Many people may have experience in one or two domains of the CBK, but not in all

The types of questions

Very cognitive questions

You must understand the concepts deeply to answer the questions properly

Slide 16

We Will Cover It All!

Access Control

Physical Security

Cryptography

Operations Security

Telecommunications and Network Security

Business Continuity and Disaster Recovery Planning

Security Architecture and Design

Legal, Regulations, Compliance, and Investigation

Information Security and Risk Management

Application Security

Slide 17

CISSP Exam Tips

Requirements

Minimum of 4 years of relevant experience or 3 years plus a degree

Registration letter from (ISC)2

Candidate ID is required for day of the exam

You can write in booklets; pencils will be supplied

If English is NOT your native language…

You can bring a non-technical dictionary

Sponsor must sign off vouching for your experience

Slide 18

CISSP Associate

Do not have the experience to take the exam?

No problem – you can be an “associate” and take the exam.

Once you have enough experience, submit it to (ISC)2 and join the ranks of CISSPs.

Slide 19

No Other World Exists Now

Slide 20

This Will Be Trickier than You Think

Slide 21

Question 1 Example

Which of the following is a reason to place security elements in a lower layer of the system architecture?

a. Increases performance and provides a wider range of protection

b. Increases performance and provides a more granular approach to access

c. Allows for multitasking to not interfere or be affected by the restrictions of the security elements

d. Provides more control and flexibility in configuration for the user

Slide 22

Architecture Components

Granularity

Process

Intensive

Motherboard Components

BIOS and Firmware

Processor

OS Kernel

OS

Slide 23

Question 2 Example

Clipping levels come in many different forms. Which of the following best describes a benefit of the use of clipping levels?

a. Detection of IP spoofing and resetting of configurations

b. Alerting IT staff of attacks

c. Reducing the amount of unauthorized users from logging onto a system

d. Reduction in investigation by IT members

Slide 24

Information Security and Risk Management

Security Definitions and Goals

Control Types

Risk Management and Analysis

Components of a Security Program

Roles and Responsibilities in Security

Information Classification

Employee Management

Awareness Training

Slide 25

Where did We Come From?

In 1945, huge computers could not even do what our small calculators do today – but it was a start!

Slide 26

Mainframe Days

And we evolved…

Slide 27

In the Good Old Days – Who Knew?

Network Configuration

TCP/IP

Ethernet

Sniffers

Layer 3

ICMP

Hacking

Ports

APIs

Phishing

Protocols

Buffer Overflows

OSI

Slide 28

Today’s Environment

Slide 29

Agenda

Security Definitions and Components

Slide 30

Security Definitions

Vulnerability

Weakness in a mechanism that can threaten the confidentiality, integrity, or availability of an asset

Lack of a countermeasure

Threat

Someone uncovering a vulnerability and exploiting it

Risk

Probability of a threat becoming real, and the corresponding potential damages

Exposure

When a vulnerability exists in an environment

Countermeasure

A control put into place to mitigate potential losses

Slide 31

Vulnerabilities

Not just open ports …

No policies or not following them

Poorly configured remote access server

No control over PDAs and smart phones

Lack of security awareness training

Etc., etc., etc.

Slide 32

Examples of Some Vulnerabilities that Are Not Always Obvious

Lack of security understanding

Real security requires real knowledge

Technical to the C-level in companies

Misuse of access by authorized users

Authorization creep

Can now be a criminal offense according to specific laws

Concentration of responsibilities

Separation of duties

Not being able to react quickly

No response team or procedures

Lack of communication structure

Lack of ways to detect fraud

Rotation of duties

Technologies and processes

Slide 33

Risk – What Does It Really Mean?

Risk Definition

Probability of a vulnerability being exploited by a threat and the resulting business impact

Vulnerability or risk management?

Goal of risk management

Optimal security at minimal cost

Slide 34

Relationships

Slide 35

Who Deals with Risk?

Slide 36

Overall Business Risk

Slide 37

Who?

“Who deals with risk in our company?”

Response: “We don’t really understand it, so we ignore it.”

Slide 38

AIC Triad

Availability

Usability, timeliness

Prevents disruption of services

Protects production and productivity

Integrity

Accuracy, completeness

Prevents unauthorized modification

Protects data and production environment

Confidentiality

Secrecy, sensitivity, privacy

Prevents unauthorized disclosure of data

Protects sensitive data and processes

Slide 39

Availability

Manmade, technical, or natural disaster

Failure of components or a device

Denial-of-service attacks

Redundant technologies

Failover devices

Backup technologies

Slide 40

Integrity

Modifying data or configurations

Changing security log information

Software configurations

Hash algorithms and message authentication code

Authentication, logging, auditing

Change control, configuration management
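The slide lists hash algorithms and message authentication codes as integrity controls and names changing security log information as a threat. The following added example (not part of the Logical Security course material) shows how an HMAC chain over log records detects a modified or deleted entry; the key and log lines are constructed sample values.

```python
"""Integrity control for security log entries using an HMAC chain.

Added example (not from the course material): each log record carries an
HMAC-SHA256 tag over its own content plus the previous record's tag, so
editing, reordering or deleting a line without the key breaks the chain
and is detected at verification time.
"""
import hashlib
import hmac
from typing import List, Tuple

# Constructed sample key. In practice the key lives on a separate log
# collector or HSM, not on the host whose logs it protects.
LOG_KEY = b"constructed-demo-key-do-not-reuse"

GENESIS = b"\x00" * 32  # starting tag for an empty chain


def tag_record(key: bytes, prev_tag: bytes, line: str) -> bytes:
    """HMAC-SHA256 over (previous tag || line); chaining binds order."""
    mac = hmac.new(key, prev_tag, hashlib.sha256)
    mac.update(line.encode("utf-8"))
    return mac.digest()


def protect_log(key: bytes, lines: List[str]) -> List[Tuple[str, str]]:
    """Return [(line, hex_tag), ...] with each tag chained to the last."""
    prev = GENESIS
    records = []
    for line in lines:
        prev = tag_record(key, prev, line)
        records.append((line, prev.hex()))
    return records


def verify_log(key: bytes, records: List[Tuple[str, str]]) -> Tuple[bool, int]:
    """Recompute the chain; return (ok, index of first bad record or -1)."""
    prev = GENESIS
    for i, (line, hex_tag) in enumerate(records):
        expected = tag_record(key, prev, line)
        # Constant-time comparison avoids leaking tag bytes via timing
        if not hmac.compare_digest(expected.hex(), hex_tag):
            return False, i
        prev = expected
    return True, -1


# Constructed sample log lines
SAMPLE_LOG = [
    "2024-01-10T09:00:01 sshd: accepted password for alice from 10.0.0.5",
    "2024-01-10T09:00:07 sudo: alice : COMMAND=/usr/bin/systemctl restart nginx",
    "2024-01-10T09:01:12 sshd: failed password for root from 10.0.0.9",
]


def demo_tamper_detection() -> Tuple[bool, bool, int, bool]:
    """Intact log verifies; an altered entry and a deleted entry are caught."""
    records = protect_log(LOG_KEY, SAMPLE_LOG)
    intact_ok, _ = verify_log(LOG_KEY, records)

    # The failed root login is rewritten to look benign, tag left as-is
    tampered = list(records)
    line, tag = tampered[2]
    tampered[2] = (line.replace("failed", "accepted"), tag)
    tampered_ok, bad_index = verify_log(LOG_KEY, tampered)

    # Removing the middle record also breaks the chain at the next record
    deleted = [records[0], records[2]]
    deleted_ok, _ = verify_log(LOG_KEY, deleted)
    return intact_ok, tampered_ok, bad_index, deleted_ok


if __name__ == "__main__":
    print(demo_tamper_detection())  # (True, False, 2, False)
```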

Slide 41

Confidentiality

Unauthorized access

Protection of sensitive data or equipment

Access control

Encryption

Slide 42

Who Is Watching?

Shoulder surfing - different types

Think about ALL of the people who have access!

Slide 43

Social Engineering

In every security system, people are the weakest link.

Some of the most effective reconnaissance techniques target people.

People want to be helpful.

Nobody wants to get into trouble.

If you sound legitimate, most people will think you are.

Confidence and a clipboard will get you into a lot of places.

Slide 44

Social Engineering

To effectively collect information from human subjects, you may need to gather background information first.

Organization’s website

Company directory

Other employees

Address and phone numbers

Background on the organization

News articles/press releases

Footprinting!

Slide 45

What Security People Are Really Thinking

Slide 46

Security Concepts

Security through Obscurity

Control Types

Slide 47

Security through Obscurity

The idea that the opponent will always be less intelligent than the defender:

Designers think that if the flaws are not known then they will not be exploited

Some feel as though compiled code is more secure than open source code, because it is more difficult to identify flaws

Some algorithms are not publicly released, which is an example of security through obscurity

Usually used in place of a robust security framework

Slide 48

Another Approach

Slide 49

Security?

Designers think that if the flaws are not known then they will not be exploited.

Vendors do not release information on flaws.

Once found out – then patches have to be released.

A needle in a haystack is hard to find, but someone will find it!

Slide 50

Security?

Some feel as though compiled code is more secure than open source code, because it is more difficult to identify flaws.

Two camps continue to debate.

Slide 51

The Bad Guys Are Motivated

Do not rely on others’ ignorance or lack of interest.

Slide 52

If Not Obscurity – Then What?

Industry best practices

Standardization of protocols and communication

Interoperability in a safe manner

Everyone practicing security responsibly

Slide 53

Open Standards

Publicly available specifications to allow for interoperability.

Some of the organizations that develop open standards:

International Organization for Standardization (ISO)

International Telecommunication Union (ITU)

The Institute of Electrical and Electronics Engineers Standards Association (IEEE - SA)

Structured security programs and enterprise architectures!

Slide 54

Common Open Standards

Examples of Some Open Standards:

TCP/IP

OSI Model

HTML, XML, SOAP

IEEE standards

802.3, 802.5, 802.11, etc.

ISO 1799

NIST

Risk Management

Formal frameworks

SABSA

Slide 55

Without Standards

If technology and security were not standardized…

Proprietary solutions and solution wars

Everyone can now try to make the best widget; it just has to be able to talk to all the other widgets out there

Slide 56

“Soft” Controls

Administrative Controls

Policies, procedures, standards, guidelines

Employee management

Testing and drills

Risk management and analysis

Information classification

Awareness training

Slide 57

Logical Controls

Technical Controls

Firewalls

IDS

Encryption

Protocols

Authentication mechanisms

Auditing

Access control technologies

Slide 58

Physical Controls

Doors, windows, walls

Security guards and dogs

Fencing and lighting

Locks

Environmental controls

Intrusion detection systems

Slide 59

Are There Gaps?

Do the departments responsible for these different types of security communicate and work well together in your company?

Slide 60

Understanding Drivers

Legal requirements

Regulation requirements

Business objectives

Slide 61

Holistic Security

Slide 62

Not Always So Easy

Slide 63

What Is First?

Specific issues must be understood before the required security program can be built.

Legal requirements

Regulation requirements

Business drivers

Threat profile

Acceptable risk levels

These are the “whys” and then we will get to the controls, which are the “hows”.

Slide 64

Different Types of Law

Legal Issues

Federal laws

State laws

Administrative laws (mainly regulations)

Slide 65

How Is Liability Determined?

Due Diligence

Researching and identifying threats and risks

Due Care

Acting upon findings to mitigate risks

What are some examples of management carrying out due diligence and due care?

Slide 66

Examples of Due Diligence

Due Diligence

Uncovering potential dangers

Carrying out assessments

Performing analysis on assessment data

Implementing risk management

Researching and understanding the environment’s vulnerabilities, threats, and risks

Slide 67

Examples of Due Care

Due Care

Doing the right thing

Implementing solutions based on analysis data

Properly protecting the company and its assets

Acting responsibly

Slide 68

Prudent Person Rule

Way of Determining Liability

Understanding activities and reactions of a reasonable and responsible person

Comparing your activities and reactions to this responsible person

Judging the rationale of your actions

Determining if you were negligent or not

Slide 69

Prudent Person

We have to ask ourselves whether we were responsible and reasonable in our actions – this can be subjective.

Slide 70

Taking the Right Steps

You might need to start off slow and deliberate to ensure each risk is properly identified and dealt with.

Slide 71

Regulations

Regulations – security professional’s best friend!

Slide 72

Why Do We Need Regulations?

Corporate and security governance is now all the rage!

Slide 73

Risk Management

Slide 74

Why Is Risk Management Difficult?

Risk Management

Trying to predict the future

Incredible number of variables to identify

Surmising all possible threats and providing solutions to them

Gathering data from many sources

Dealing with many unknowns

Quantifying qualitative items

Slide 75

Necessary Level of Protection Is Different for Each Organization

Need to strike a balance between potential loss, acceptable risk level, and cost to protect assets

To help determine “how much is enough security” the following items must be understood:

Adversaries and their motivation and means to cause damage

Asset values

Vulnerabilities and threats

Acceptable risk and resulting residual risk

Countermeasure costs and benefits

Slide 76

Security Team/Committee

Team Members

Security

Internal audit

Administrators

Business process and data owners

Operations

HR, Legal

Custodian

Slide 77

Review

3 control categories

Type of control – auditing

Due diligence versus due care

Definition of risk

What is security through obscurity?

Slide 78

Risk Management Process

Slide 79

Planning Stage – Team

Risk Assessment Team

Should represent different departments of a company

IT department

Auditors

Management

Security department

Physical security

Business unit leaders

Advisors

Legal, human resources, management, safety officers

Management will help decide upon team members

Slide 80

Analysis Paralysis

Slide 81

Planning Stage – Scope

Scope of Project

Is just one facility being assessed?

Is it an enterprise-wide assessment?

What type of assets will be assessed?

Tangible and intangible assets

What type of threats will be considered?

Manmade, natural disasters, technical

Scope creep will be expensive and time-consuming.

Slide 82

Planning Stage – Analysis Method

Quantitative

Assigning numeric and monetary values to risk components

Asset value, business impact, frequency, countermeasure costs and values, uncertainty

Difficult to fully achieve; a complete quantitative analysis requires a lot of resources and time

Qualitative

Opinion-based with the use of a rating system

Scenario-based

Purely qualitative analysis is possible and not as time consuming

Slide 83

Risk Management Tools

Tools of the Trade

Automated tools require less repetitive data input

Can run same data through several scenarios

Analysis is still a time-consuming task

Slide 84

Defining Acceptable Levels

The risk acceptance level is the maximum overall exposure to risk that should be accepted, based on the benefits and costs involved.

If the responses to risk cannot bring the risk exposure to below this level, the activity will probably need to be stopped.

Hence the level must be agreed with the appropriate level of management.
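As an added worked example (not part of the course slides) of the quantitative analysis components listed on Slide 82 and the acceptance-level rule on Slide 84, the following Python applies the standard single loss expectancy (SLE = AV × EF) and annualized loss expectancy (ALE = SLE × ARO) formulas to a constructed customer-database scenario and decides whether to accept, mitigate, or stop the activity. The figures, the control names, and the choice to treat risk sitting exactly at the acceptance level as acceptable are all assumptions of the example.

```python
# Added worked example (not from the Logical Security course material):
# quantitative risk analysis with the standard SLE/ALE formulas, compared
# against a management-set risk acceptance level. All figures are constructed.
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Scenario:
    """One threat against one asset, expressed with the quantitative risk components."""
    asset_value: float        # AV: monetary value of the asset
    exposure_factor: float    # EF: fraction of AV lost per occurrence (0.0 to 1.0)
    annual_rate: float        # ARO: expected number of occurrences per year


@dataclass(frozen=True)
class Countermeasure:
    """A candidate response and the residual EF/ARO it is expected to leave behind."""
    name: str
    annual_cost: float        # yearly cost of owning and operating the control
    residual_exposure: float  # EF after the control is in place
    residual_rate: float      # ARO after the control is in place


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = AV * EF: loss from one occurrence of the threat."""
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE * ARO: expected yearly loss if nothing is done."""
    return single_loss_expectancy(s) * s.annual_rate


def residual_scenario(s: Scenario, cm: Countermeasure) -> Scenario:
    """The same asset with the countermeasure applied (the residual risk)."""
    return Scenario(s.asset_value, cm.residual_exposure, cm.residual_rate)


def countermeasure_value(s: Scenario, cm: Countermeasure) -> float:
    """Net yearly benefit: ALE reduction minus the control's annual cost.
    Negative means the control costs more than the loss it prevents."""
    reduction = annualized_loss_expectancy(s) - annualized_loss_expectancy(residual_scenario(s, cm))
    return reduction - cm.annual_cost


def select_response(s: Scenario, options: Sequence[Countermeasure],
                    acceptance_level: float) -> Tuple[str, Optional[Countermeasure]]:
    """Apply the acceptance-level rule from the course slides:
    - risk already at or below the level: accept it as is;
    - otherwise pick the qualifying control with the best net value;
    - no control brings residual ALE within the level: the activity should stop.
    Treating 'exactly at the level' as acceptable is an assumption of this example."""
    if annualized_loss_expectancy(s) <= acceptance_level:
        return ("accept", None)
    qualifying = [cm for cm in options
                  if annualized_loss_expectancy(residual_scenario(s, cm)) <= acceptance_level]
    if not qualifying:
        return ("stop", None)
    best = max(qualifying, key=lambda cm: countermeasure_value(s, cm))
    return ("mitigate", best)


# Constructed sample data: a customer database exposed to a data-breach threat.
CUSTOMER_DB = Scenario(asset_value=500_000, exposure_factor=0.4, annual_rate=0.5)
ENCRYPTION = Countermeasure("Encryption at rest", annual_cost=20_000,
                            residual_exposure=0.1, residual_rate=0.5)
TRAINING = Countermeasure("Staff awareness training", annual_cost=8_000,
                          residual_exposure=0.4, residual_rate=0.25)
OPTIONS = (ENCRYPTION, TRAINING)

if __name__ == "__main__":
    print(f"SLE = {single_loss_expectancy(CUSTOMER_DB):,.0f}")      # 200,000
    print(f"ALE = {annualized_loss_expectancy(CUSTOMER_DB):,.0f}")  # 100,000
    for cm in OPTIONS:
        print(f"{cm.name}: net value {countermeasure_value(CUSTOMER_DB, cm):,.0f}")
    # Same data run through several acceptance levels, as Slide 83 suggests tools allow.
    for level in (150_000, 30_000, 10_000):
        print(level, select_response(CUSTOMER_DB, OPTIONS, level))
```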

Slide 85

Acceptable Risk Level

Each organization will have its own acceptable risk level, which is derived from its legal and regulatory compliance responsibilities and its threat profile.

Management must set this acceptable risk level and then it is the responsibility of the designated risk management roles to ensure that this level is not exceeded.

The objective of this stage is to determine the overall level of risk which the organization can tolerate for the given situation.

Slide 86

Collecting and Analyzing Data Methods

Data Collection

Surveys

Interviews

Vulnerability tests

Penetration tests

You must understand the business to understand risk in the correct context!

Slide 87

What Is a Company Asset?

What are you trying to protect?

Slide 88

Data Collection – Identify Assets

Tangible

Equipment

Facilities

Intangible

Data

Trade secrets

Reputation

Customer database

Slide 89

Data Collection – Assigning Values

An asset’s value is calculated by reviewing:

Cost of acquisition

Replacement cost

Cost of developing the asset

Role of the asset in the company

Amount adversaries are willing to pay for the asset

Cost of maintaining and protecting the asset

Production and productivity losses resulting from compromise of asset

Liability if asset is not properly protected

Slide 90

Asset Value

The value of an asset consists of its intrinsic value and the near-term impacts and long-term consequences of its compromise.

Slide 91

Data Collection – Identify Threats

Common Threats

Errors and omissions

Fraud and theft

Employee sabotage

Loss of physical or infrastructure support

Malicious hackers

Industrial espionage

Malicious code

Threats to privacy

Slide 92

Review

Two types of approaches to risk

Acceptable risk level

Prudent man rule

Security through obscurity

Slide 93

Data Collection – Calculate Risks

From here the team will carry out qualitative analysis steps or quantitative analysis steps.

Quantitative

Assigning numeric and monetary values

Qualitative

Opinion and scenario-based

Use of a rating system

Slide 94

Scenario Based – Qualitative

Create scenarios and identify threats

Identify the range of threats possible

Write a scenario for each large threat identified

Functional managers review to make sure the scenarios are credible

Evaluate security controls to address threats

Slide 95

Risk Approach

Figure: risk matrix with axes Probability of Occurrence and Consequence of Occurrence

Slide 96

Qualitative Analysis Steps

Steps to Qualitative Analysis

1. Gather company “experts”

2. Present risk scenarios

3. Rank seriousness of threats

4. Rank countermeasures

Slide 97

Want Real Answers?

Delphi Method

Anonymous input

More honest data collected

Helps ensure no intimidation

Slide 98

Qualitative Risk Analysis Ratings

Organizations can develop internal qualitative risk ratings:

A-F

1-10

Low, medium, high

Highly likely, likely, unlikely, highly unlikely

Slide 99

Qualitative Risks

The following is an example of the Australia/New Zealand Standard approach to qualitative ratings.

Slide 100

Quantitative Analysis Steps

1. Calculate estimated potential losses

2. Carry out a threat analysis

3. Calculate annual loss expectancy

Slide 101

Quantitative Analysis

Step 1 = Estimate potential loss

Single Loss Expectancy

Asset Value x Exposure Factor (EF) = SLE

Exposure factor = the percentage of loss that could be experienced

Slide 102

How Often Will This Happen?

Step 2 = Threat analysis

ARO (annual rate of occurrence) = number of expected incidents annually

Slide 103

ARO Values and Their Meaning

One time in a 12-month period

ARO = 1.0

Once in 10 years

ARO = 0.1

Once in 100 years

ARO = 0.01

Slide 104

Calculate ALE

Step 3 = Calculate annual loss expectancy

Annualized Loss Expectancy

SLE x Annualized Rate of Occurrence (ARO) = ALE

Annualized rate of occurrence (ARO) = frequency of threat taking place

What is the ALE value used for?

Slide 105

ALE Value Uses

Categorize risks

Build a security budget

Amount to spend on risk mitigation

Use to understand business risk overall

Slide 106

Relationships

Slide 107

Calculate Risks – ALE Example

1. If an e-commerce site is attacked (value = $300,000), it is estimated to cause 40% in damages to a company based on:

Liability costs

Confidential data being corrupted

Loss in revenue

Asset Value x EF = SLE

300,000 x .4 = 120,000

2. Based on current safeguards, this threat is estimated to happen once in 12 months.

SLE x ARO = ALE

120,000 x 1.0 = 120,000

3. Management should not spend over this amount to protect this asset.

Slide 108

Your Turn!

A facility has a value of $650,000. It is estimated that a tornado would hit once in ten years. If 35% of the facility would be damaged, what would the ALE be?

Slide 109

ALE Calculation

SLE = $227,500

$650,000 x 0.35 = $227,500

ALE = $22,750

$227,500 x 0.1 = $22,750

What does the company do with this value?

Slide 110

Can a Purely Quantitative Analysis Be Accomplished?

NO!

A quantitative analysis requires quantifying many qualitative items.

How do you assign a value to a reputation?

How can you know the potential customers that will be lost?

How can you properly predict market share loss?

All of these questions are difficult, but are required in a quantitative analysis.

Slide 111

Risk Types

Risks

Potential loss

Ramifications of exposure

Delayed loss

Secondary ramifications of exposure

Much harder to identify and calculate

List Examples of…

Potential losses

Delayed losses

Slide 112

Examples of Types of Losses

Potential Losses

Loss in production and productivity

Cost of repairing damages

Cost of consultants’ or experts’ services

Loss in revenue

Loss of customers

Slide 113

Delayed Loss

Delayed Losses

Loss in reputation

Loss of potential customers

Late fees or penalty fees

Loss in market share

Slide 114

Review – Steps of Analysis

Identify a company’s assets

Assign values to assets

Identify the assets’ vulnerabilities and threats

Calculate their associated risks

Estimate potential loss and damages

Slide 115

Review

ALE formula

SLE formula

What is ARO?

If an event will potentially occur once in 100 years, what is the ARO?

Steps of a qualitative analysis

Slide 116

Cost/Benefit Analysis

Cost/Benefit Analysis

The annualized cost of countermeasures should not be more than potential losses

If a server is worth $3,000, a countermeasure that costs $4,000 should not be used

Not as cut and dried as it may seem

How do you determine the cost of a countermeasure?

Slide 117

Cost of a Countermeasure

Some of the items that can go into the calculation:

Purchase amount

Maintenance amount

Negative effects on production environment

Man-hours to maintain

IDS is an expensive countermeasure in this respect

Slide 118

Cost/Benefit Analysis Countermeasure Criteria

A Countermeasure Should …

Mitigate the identified risk

Be cost-effective

(ALE before implementing countermeasure) – (ALE after implementing countermeasure) – (annual cost of countermeasure) = value of the countermeasure to the company

If ALE for a specific asset is $78,000, and after implementation of the control the new ALE is $20,000 and the annual cost of the control is $60,000, what is the value of the control to the company?

Slide 119

Calculating Cost/Benefit

If ALE for a specific asset is $78,000, and after implementation of the control the new ALE is $20,000 and the annual cost of the control is $60,000, what is the value of the control to the company?

$78,000 – $20,000 = $58,000

$58,000 – $60,000 = -$2,000

Company should not implement this control.

Not cost-beneficial.

Slide 120

Controls

“How do we decide what controls we buy within the company?”

Response: “We follow industry buzz words and buy the next silver bullet. They must be right – they are the industry.”

Slide 121

Control Selection Requirements

Modular in nature

Provides uniform protection

Provides override functionality

Defaults to least privilege

Independence of safeguard and the asset it is protecting

Flexibility and security

Clear distinction between user and administrator

Minimum human intervention

Easily upgraded

Does not panic personnel

Identifies suspect

Slide 122

Control Selection Requirements

Auditing functionality

Minimizes dependence on other components

Easily useable, acceptable, and tolerated by personnel

Must produce output in usable and understandable format

Must be able to reset safeguard

Testable

Does not introduce other compromises

System and user performance

Proper alerting

Does not negatively affect asset

Slide 123

Quantitative Analysis

Quantitative Advantages:

Results are based on independently objective processes and metrics

Cost/benefit assessment is possible

Risk management can be tracked and evaluated

Results can be expressed in monetary value, percentages, probabilities

Very useful for management to understand risks and create new security budgets

Slide 124

Quantitative Analysis Disadvantages

Quantitative Disadvantages

Requires a large amount of preliminary work

Hard to carry out manually

Formulas are usually complex and inflexible

No real standard on how to carry this out

Slide 125

Qualitative Analysis Approach

Qualitative Advantages

Assigning rating values is simple

Allows for flexibility in processes and reporting results

Requires less preliminary work

Slide 126

Qualitative Analysis Disadvantages

Qualitative Disadvantages

Very subjective

No use of independent objective metrics or processes

Difficult to map to security budget needs

Cost/benefit analysis not possible

Cannot track risk management performance objectively

Slide 127

Can You Get Rid of All Risk?

Total Risk versus Residual Risk

Amount of risk that exists before a safeguard is put into place is total risk.

After a safeguard is implemented, the remaining risk is called residual risk.

Slide 128

Calculating Residual Risk

Threats x Vulnerability x Asset Value = Total Risk

(Threats x Vulnerability x Asset Value) x Control Gap = Residual Risk

(Control Gap = What the control cannot protect against)

Total Risk – Controls = Residual Risk

The analysis team needs to determine whether the residual risk is within the acceptable risk level of the company. Management will have to sign off on accepting this risk.
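The formulas from the "Cost of a Countermeasure", "Cost/Benefit Analysis" and "Calculating Residual Risk" slides carried through in code, as an added worked example that is not part of the Logical Security deck. It reproduces the deck's $78,000 / $20,000 / $60,000 case; the asset value, threat frequency, vulnerability, cost breakdown, acceptable risk level and the second candidate control are constructed assumptions.

```python
# Added worked example (not from the Logical Security slides): the deck's
# quantitative formulas applied to its own $78,000 / $20,000 / $60,000 case.
# Every other input value below is constructed for illustration.
from dataclasses import dataclass


def total_risk(threat_frequency: float, vulnerability: float, asset_value: float) -> float:
    """Threats x Vulnerability x Asset Value = Total Risk.

    threat_frequency: expected occurrences per year (the ARO).
    vulnerability:    fraction of the asset value lost when the threat succeeds.
    The product is the annualized loss expectancy (ALE) before any control.
    """
    return threat_frequency * vulnerability * asset_value


def residual_risk(total: float, control_gap: float) -> float:
    """(Total Risk) x Control Gap = Residual Risk.

    control_gap is the share of the risk the control cannot protect against
    (0.0 = removes the risk entirely, 1.0 = no protection at all).
    """
    if not 0.0 <= control_gap <= 1.0:
        raise ValueError("control gap must be a fraction between 0 and 1")
    return total * control_gap


def countermeasure_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """(ALE before) - (ALE after) - (annual cost of countermeasure)."""
    return ale_before - ale_after - annual_cost


@dataclass(frozen=True)
class Control:
    """Candidate safeguard with the cost items the deck lists for a countermeasure."""
    name: str
    control_gap: float               # share of the risk it leaves uncovered
    purchase_price: float            # one-time purchase amount
    useful_life_years: float         # years the purchase is spread over
    annual_maintenance: float        # support contracts, licences, signatures
    annual_staff_hours: float        # man-hours to operate and tune it
    hourly_rate: float               # loaded cost of one staff hour
    annual_production_impact: float  # cost of slowdowns or outages it causes

    def annual_cost(self) -> float:
        return (self.purchase_price / self.useful_life_years
                + self.annual_maintenance
                + self.annual_staff_hours * self.hourly_rate
                + self.annual_production_impact)


def evaluate_control(ale_before: float, control: Control, acceptable_ale: float) -> dict:
    """Is the control cost-effective, and is the risk it leaves behind within
    the acceptable risk level? If not, management must sign off on accepting it."""
    ale_after = residual_risk(ale_before, control.control_gap)
    cost = control.annual_cost()
    value = countermeasure_value(ale_before, ale_after, cost)
    return {
        "control": control.name,
        "ale_after": round(ale_after, 2),
        "annual_cost": round(cost, 2),
        "value": round(value, 2),
        "cost_effective": value > 0,
        "needs_signoff": ale_after > acceptable_ale,
    }


def rank_controls(ale_before: float, candidates: list, acceptable_ale: float) -> list:
    """Evaluate every candidate and order them by value to the company, best first."""
    results = [evaluate_control(ale_before, c, acceptable_ale) for c in candidates]
    return sorted(results, key=lambda r: r["value"], reverse=True)


# Constructed inputs, chosen so the uncontrolled ALE equals the deck's $78,000.
ASSET_VALUE = 390_000.0      # constructed
THREAT_FREQUENCY = 0.5       # constructed: one successful incident every two years
VULNERABILITY = 0.4          # constructed: 40% of asset value lost per incident
ACCEPTABLE_ALE = 25_000.0    # constructed risk appetite set by management

CANDIDATES = [
    # Reproduces the deck's case: ALE after = $20,000, annual cost = $60,000.
    Control("deck example control", control_gap=20_000 / 78_000, purchase_price=150_000,
            useful_life_years=5, annual_maintenance=12_000, annual_staff_hours=300,
            hourly_rate=60, annual_production_impact=0),
    # Constructed cheaper alternative that only covers half of the risk.
    Control("cheaper alternative", control_gap=0.5, purchase_price=20_000,
            useful_life_years=4, annual_maintenance=2_000, annual_staff_hours=50,
            hourly_rate=60, annual_production_impact=0),
]

if __name__ == "__main__":
    ale = total_risk(THREAT_FREQUENCY, VULNERABILITY, ASSET_VALUE)
    print(f"ALE before any control: ${ale:,.0f}")
    for r in rank_controls(ale, CANDIDATES, ACCEPTABLE_ALE):
        verdict = "cost-effective" if r["cost_effective"] else "not cost-beneficial"
        signoff = ", residual risk above acceptable level" if r["needs_signoff"] else ""
        print(f"{r['control']}: value ${r['value']:,.0f} ({verdict}{signoff})")
```

The deck's control comes out at -$2,000 and is rejected, while the cheaper alternative is cost-effective but leaves $39,000 of residual risk, above the constructed $25,000 appetite, so it can only be adopted with explicit management acceptance of that risk.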

Slide 129

Uncertainty Analysis

The primary sources of uncertainty in the risk management process are:

A lack of sufficient information to determine the exact value of the elements of the risk model, such as threat frequency, safeguard effectiveness, or consequences

Relative magnitude of uncertainties and their implications on the assessment results

Slide 130

Dealing with Risk

Team presents the analysis results to management.

Management makes the decisions about the next steps.

Management has several choices when dealing with risk.

Management knows how to deal with business risk, which is different from security risk.

Slide 131

Deal with Risk

“How do we deal with risk in the organization?”

Response: “We create a lot of paperwork and then we just ignore it.”

Slide 132

Management’s Response to Identified Risks

Risk mitigation

Implement countermeasures

Risk transference

Third-party involvement, such as purchasing insurance

Risk acceptance

Informed decision – no action taken

Risk avoidance

Decide to stop activity

Slide 133

Risk Acceptance

Cost decision

Potential loss is lower than control cost

Pain decision

Ability to deal with related security incidents

Visibility decision

Reputation can take it

Not a surprise decision

Risk should not be accepted without knowing it

Slide 134

Risk Analysis Process Summary

Slide 135

Review

3 types of control categories

Due diligence

Separation of duties is what type of control?

4 ways of dealing with risk

Formula for residual risk

Formula to calculate the value of a countermeasure

Slide 136

Now What?

We understand the legal requirements of the company.

We understand the regulation requirements of the company.

We understand the acceptable risk level.

We have identified critical assets.

We have carried out risk assessments to understand the current security posture.

Now we need to build a security program with all of these ingredients.

Slide 137

Components of Security Program

Layered Approach

Security Program Steps

Organizational Security

Slide 138

A Layered Approach

Defense in Depth

Providing layers of defense that an attacker must compromise before accessing an asset

Not relying upon just one control

Understanding that a compromise of one layer may take place and having backup layers to compensate for it

Slide 139

In Security, You Never Want Any Surprises

Slide 140

Building Foundation

Security Program

Blueprint for a security program

A framework for administrative, technical, and physical controls to work within

Slide 141

Security Roadmap

Slide 142

Functional and Assurance Requirements

The security controls, systems, and overall program need to have both requirements covered.

“What is it that we want it to do?”

Defining before buying

“How are we making sure it is doing what it is supposed to be doing?”

Testing, logging, auditing

Slide 143

Building Foundation

Slide 144

Most Organizations

Slide 145

Slide 146

Silo Security Structure

Slide 147

Islands of Security Needs and Tools

Slide 148

Get Out of a Silo Approach

Slide 149

Security Is a Process

Security is a process, not a product.

Slide 150

Approach to Security Management

Top-Down Approach

Security is directed, driven, and supported by senior management

Bottom-Up Approach

A staff member or group drives the initiative

Slide 151

Result of Battling Management

Slide 152

Industry Best Practices Standards

BS/ISO 17799

Comprehensive guidelines on a range of controls for implementing security

Companies can be certified against this standard

Divided into 10 sections

Security policy

Security organization

Assets classification and control

Personnel security

Physical and environmental security

Computer and network management

System access control

System development and maintenance

Business continuity planning

Compliance

Slide 153

ISO/IEC 17799

The ISO/IEC 17799 is a set of best practices for organizations to follow to implement and maintain a security program.

It started out as British Standard 7799 (BS7799). BS7799 was published in the United Kingdom and became a de facto standard in the industry, used to provide guidance to organizations in the practice of information security.

Slide 154

Pieces and Parts

BS7799 Part 1 outlines control objectives and a range of controls that can be used to meet those objectives.

BS7799 Part II outlines how a security program can be set up and maintained.

BS7799 Part II serves as a baseline against which organizations can be certified.

An organization would choose to be certified against the BS7799 standard to provide confidence to its customer base and partners.

The organization could be certified against all of BS7799 Part II or just a portion of the standard.

Slide 155

Numbering

ISO/IEC 17799:2005 is the newest version of BS7799 Part 1

Provides a list of controls that can be used within the framework

Will be ISO/IEC 27002:yr

ISO/IEC 27001:2005 is the newest version of BS7799 Part II

Steps for setting up and maintaining a security program

Slide 156

New ISO Standards

ISO/IEC 27000 - a vocabulary or glossary of terms

ISO/IEC 27002 - the proposed re-naming of existing standard ISO 17799

ISO/IEC 27003 - a new ISMS implementation guide

ISO/IEC 27004 - a new standard for information security measurement and metrics

ISO/IEC 27005 - a proposed standard for risk management, potentially related to the current British Standard BS 7799 part 3

ISO/IEC 27006 - a guide to the certification/registration process

Slide 157

COBIT

What is COBIT?

Control Objectives for Information and related Technology (COBIT) was created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI).

It is a set of best practices (a framework) for information technology (IT) management.

Slide 158

Inside of COBIT

The 4 domains are groupings of processes that map to the following organizational responsibilities:

Planning and Organization

Acquisition and Implementation

Delivery and Support

Monitoring

Slide 159

COBIT – Control Objectives

5.1 Management of IT Security

Manage IT Security at the highest appropriate organizational level …

5.2 IT Security Plan

Translate business information requirements, IT configuration, information risk action plans, and information security culture …

5.3 Identity Management

All users (internal, external, and temporary) and their activity on IT systems (business application, system operation…)

5.4 User Account Management

Ensure that requesting, establishing, issuing, suspending, modifying, and closing user accounts and related user privileges …

5.5 Security Testing, Surveillance, and Monitoring

Ensure that IT security implementation is tested and monitored proactively. IT security should be reaccredited periodically …

Slide 160

Slide 161

Measurements

Slide 162

Information Technology Infrastructure Library (ITIL)

It is considered the de facto standard for IT service management and concentrates on how to provide consistent, documented, and repeatable processes to ensure quality.

Slide 163

3rd Party Governance

Today’s business environment is increasingly dependent on third party relationships as organizations concentrate on their core competencies and outsource many non-core services.

In turn, the heightened security expected by customers and a growing global emphasis on legal and regulatory compliance require evidence of adequate governance measures.

Thus, the twin issues of due diligence and due care over third parties have become critical to business success.

Slide 164

3rd Party Governance (Cont.)

There are 6 elements to consider:

Slide 165

Security Governance

“Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.”

- IT Governance Institute

Slide 166

Company A vs. Company B

Company A: All security activity takes place within the security department, thus security works within a silo and is not integrated throughout the organization.
Company B: Executive management holds business unit managers responsible for carrying out risk management activities for their specific business units.

Company A: The CISO took some boilerplate security policies, inserted his company’s name, then had the CEO sign them.
Company B: Executive management sets an acceptable risk level that is the basis for the company’s security policies and all security activities.

Company A: The CEO, CFO and business unit managers feel as though information security is the responsibility of the CIO, CISO and IT department and do not get involved.
Company B: The CEO, CFO, CIO and business unit managers participate in a risk management committee that meets each month, and information security is always one topic on the agenda to review.

Company A: Board members do not understand that information security is in their realm of responsibility and focus solely on corporate governance and profits.
Company B: Board members understand that information security is critical to the company and demand to be updated quarterly on security performance and breaches.

Slide 167

Company A vs. Company B (Cont.)

Company A: The organization does not analyze its performance for improvement, but continually marches forward and makes the same mistakes over and over again.
Company B: The organization continually reviews its business processes, including security, with the goal of continued improvement.

Company A: Security products, managed services, and consultants are purchased and deployed without any real research or performance metrics to be able to determine the return on investment or effectiveness. The company has a false sense of security because it is using products, consultants, and/or managed services.
Company B: Security products, managed services, and consultants are purchased and deployed in an informed manner. They are also constantly reviewed to ensure they are cost effective.

Company A: Policies and standards are developed, but no enforcement or accountability practices have been envisioned or deployed.
Company B: Employees are held accountable for any security breaches they participate in, either maliciously or accidentally.

Company A: Business processes are not documented and are not analyzed for potential risks that can affect operations, productivity, and profitability.
Company B: Critical business processes are documented along with the risks that are inherent at the different steps within the business processes.

Slide 168

Security Program Components

Policies

Standards

Baselines

Guidelines

Roles

Slide 169

Policy Framework

Slide 170

Policy Types

Organizational Policy

Management’s directives on the role of security within company

Organizational policy is created to address:

Business needs

Laws

Regulations

Standards of due care

Slide 171

Organizational Policy

Policy should have the following goals:

Define security program

Set strategic directions

Assign responsibilities

Address all compliance issues

Identify assets

Provide personal responsibility

Give authority

Serve as a tool to resolve conflicts

Define security team

Address exceptions and discipline

Slide 172

Policy Approved – Now What?

Once policies are approved by the governing body, control objectives should be defined.

The objectives of management are used as the framework for developing and implementing controls.

What do we need our controls to do before we buy and/or implement them?

Slide 173

Issue-Specific Policies

Also called functional policies.

Issue-Specific Policies can be created for:

Protection of confidential/proprietary information

Unauthorized software

Employees working from home

Rights of privacy

Responsibility for correctness of data

Suspected malicious code

Physical emergencies

Risk management and contingency planning

Slide 174

ASP Policy Example

Source: www.sans.org

Slide 175

System-Specific Policies

Policy should have the following characteristics:

Express management’s decisions pertaining to systems

Content is based on technical analysis of stated systems

Map to specific system objectives and requirements

Strictly enforced

Slide 176

System-Specific Policy

Concentrates directly on the use and maintenance of computers and devices

Slide 177

Standards

Organizational Standards

Compulsory rules

Employee behavior

Computer and device use

Organizational standards (not to be confused with American National Standards, FIPS, Federal Standards, or other national or international standards) specify uniform use of specific technologies, parameters, or procedures when such uniform use will benefit an organization. Standardization of organization wide identification badges is a typical example, providing ease of employee mobility and automation of entry/exit systems.

- NIST

Slide 178

Standard Example

Slide 179

Baseline

Baselines

A minimum level of security required

Abstraction of the standards

Ensure acceptable risk level is met

Required configuration of systems

Metrics representation

Unauthorized access incidents

Unpatched systems

Users with too much access

Slide 180

Data Collection for Metrics

Different data collected is compared to set baselines to validate compliance.

Slide 181

Guidelines

Guidelines

Recommendations on actions in different situations

Operational guides where standards do not apply

Industry or internal guidelines

Slide 182

Procedures

Procedures

Detailed activities to be taken to achieve a specific task

Step-by-step instructions

Implementation of standards

Standardization

Slide 183

Tying Them Together

Policy = Unauthorized users should not have access to sensitive data

Standard = Users must be authorized with a smart card and PIN before accessing the database

Baseline = Number of unauthorized accesses allowed

Guideline = Explanation of identification and authorization and smart card use

Procedures = How to configure the database
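An added example (not from the course material) that turns the Baseline, Data Collection for Metrics, and Tying Them Together slides into a working compliance check: collected metrics (unauthorized access incidents, unpatched systems, users with too much access) are compared against baseline limits. The baseline thresholds, the audit-log format and every sample record are constructed assumptions.

```python
"""Validate compliance by comparing collected metrics against baselines.

Added example, not from the course material. The baseline thresholds, the
audit-log format and every sample record below are constructed.
"""
from dataclasses import dataclass
import re

# Baselines: the minimum acceptable security level, expressed as the largest
# value each metric may reach. A baseline of 0 means none are tolerated.
BASELINES = {
    "unauthorized_access_incidents": 0,
    "unpatched_systems": 3,
    "users_with_excess_access": 0,
}

# Constructed audit log: "<timestamp> <user> <resource> <action> <ALLOW|DENY>"
SAMPLE_AUTH_LOG = """\
2024-03-01T08:02:11Z alice db.customers READ ALLOW
2024-03-01T08:05:43Z bob db.customers READ DENY
2024-03-01T09:17:02Z mallory db.payroll WRITE DENY
2024-03-01T09:17:09Z mallory db.payroll WRITE DENY
2024-03-01T10:40:55Z carol db.customers READ ALLOW
"""

# Constructed patch inventory: host -> missing patch identifiers (placeholders).
SAMPLE_PATCH_INVENTORY = {
    "web-01": [],
    "web-02": ["PATCH-PLACEHOLDER-1"],
    "db-01": ["PATCH-PLACEHOLDER-2", "PATCH-PLACEHOLDER-3"],
    "jump-01": ["PATCH-PLACEHOLDER-4"],
}

# Constructed access-rights data: roles actually granted versus roles the data
# owner approved. Anything granted but not approved is excess access.
SAMPLE_GRANTED = {"alice": {"reader"}, "bob": {"reader", "dba"}, "carol": {"reader"}}
SAMPLE_APPROVED = {"alice": {"reader"}, "bob": {"reader"}, "carol": {"reader"}}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (ALLOW|DENY)$")


@dataclass
class MetricResult:
    metric: str
    observed: int
    baseline: int

    @property
    def compliant(self) -> bool:
        return self.observed <= self.baseline


def count_unauthorized_access(log_text: str) -> int:
    """Count DENY events; each one is treated here as an unauthorized access incident."""
    incidents = 0
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match is None:
            continue  # malformed line: skip it rather than abort the collection run
        if match.group(5) == "DENY":
            incidents += 1
    return incidents


def count_unpatched_systems(inventory: dict) -> int:
    """A system is unpatched if at least one required patch is missing."""
    return sum(1 for missing in inventory.values() if missing)


def users_with_excess_access(granted: dict, approved: dict) -> dict:
    """Map each user to the roles they hold beyond what the data owner approved."""
    excess = {}
    for user, roles in granted.items():
        extra = roles - approved.get(user, set())
        if extra:
            excess[user] = extra
    return excess


def validate_compliance(log_text, inventory, granted, approved, baselines=BASELINES):
    """Collect each metric and compare it with its baseline, in baseline order."""
    observed = {
        "unauthorized_access_incidents": count_unauthorized_access(log_text),
        "unpatched_systems": count_unpatched_systems(inventory),
        "users_with_excess_access": len(users_with_excess_access(granted, approved)),
    }
    return [MetricResult(name, observed[name], limit) for name, limit in baselines.items()]


def compliance_report(results) -> str:
    """Render one PASS/FAIL line per metric for the auditor or data owner."""
    return "\n".join(
        f"{'PASS' if r.compliant else 'FAIL'} {r.metric}: observed={r.observed} baseline={r.baseline}"
        for r in results
    )


if __name__ == "__main__":
    print(compliance_report(validate_compliance(
        SAMPLE_AUTH_LOG, SAMPLE_PATCH_INVENTORY, SAMPLE_GRANTED, SAMPLE_APPROVED)))
```

With the constructed data, the incident and excess-access metrics fail their baselines of zero while the unpatched-systems count sits exactly at its limit and passes.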

Slide 184

Program Support

Slide 185

Entity Relationships

Slide 186

Senior Management’s Role

Senior Management

Defines the scope, objectives, priorities, and strategies of the company’s security program

Provides vision, funds, visibility, and enforcement

Ultimately liable

Without management’s support, efforts can be doomed from start

Slide 187

Security Roles

Data Owner

Responsible for subset(s) of data and data classification

Sets security requirements for data protection

Usually process owners, business VPs, or department heads

Business accountability

Not IT's job

Slide 188

Custodian

Custodian

Is delegated data maintenance tasks

Required to implement and maintain controls to provide the protection level dictated by data owner

Usually technical security staff or IT

Slide 189

Auditor

Ensures independent assurance to management and shareholders on the appropriateness of security objectives

Determines if controls (administrative, technical, physical) comply with security objectives

Internal and external auditing

Third-party reviews

Slide 190

Access

“Who determines the level of access employees have, who configures the technology, and who validates it all?”

Response: “Fred, the IT guy.”

Slide 191

Information Classification

Slide 192

Information Classification Program

Classification goals

Availability, integrity, and confidentiality are provided at the necessary levels for all identified assets

Return on investment by implementing controls where they are needed the most

Map data protection levels with organizational needs

Mitigate threats of unauthorized access and disclosure

Comply with legal and regulatory requirements

Maintain competitive status

Slide 193

Data Leakage

Data is the gold of our times that must be protected.

Slide 194

Do You Want to End Up in the News?

Slide 195

Types of Classification Levels

Commercial

Confidential

Private

Sensitive

For internal use only

Military

Top secret

Secret

Confidential

Sensitive but unclassified

Unclassified

Public

Companies need to decide what levels they will use and what those levels mean.

Slide 196

Data Protection Levels

Slide 197

Classification Program Steps

1. Compile an inventory of all information assets

2. Define levels of protection for information assets

3. Define classification criteria

4. Develop information classification policy

5. Define information handling and labeling procedures

6. Assign responsibility for classification to the owner of information

7. Assign a security classification to all information assets

8. Classify information according to sensitivity and how much protection is required

9. Integrate into security awareness and training programs

Slide 198

Information Classification Components

A policy should outline:

Information as an asset of individual business units

Declare business unit managers as information owners

Declare IT as data custodians

Classification scheme

Definitions for each classification

Criteria for each classification

Roles and responsibilities of classification

Slide 199

Procedures and Guidelines

Procedures and guidelines should outline:

How to classify information

How to change classification level if needed

How to communicate classification change to IT

How to declassify and destroy material

Periodic review of:

Current classification levels and mapping to business needs

Current access rights and privileges

Protection levels that current controls are using

Slide 200

Classification Levels

Once the organization understands the different levels of protection that must be provided, it can develop the necessary classification levels.

Too many classification levels are impractical and add confusion.

Too few classification levels give the perception of little value and use.

There should be no overlap between classification levels.

Classification levels should be developed for data and software.

Slide 201

Information Classification Criteria

Criteria Items

Usefulness and value of information

How long information will hold this protection requirement

The level of damage possible if the data was disclosed, modified, or corrupted

Laws, regulations, or liability responsibilities pertaining to the data

Lost opportunity costs
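An added example (not from the course material) that encodes the criteria items above and the Classification Levels rule that levels must not overlap: each asset is scored on value, damage, legal exposure and lost opportunity, mapped to the single level whose range contains the score, and flagged for the owner's declassification review once its protection period has elapsed. The level names follow the commercial scheme on the slides; the 0-3 scoring, score ranges, retention periods and sample assets are constructed assumptions.

```python
"""Assign a classification level from the criteria items and check the scheme.

Added example, not from the course material. Level names follow the commercial
scheme on the slides; the 0-3 scoring, score ranges, retention periods and
sample assets are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_SCORE = 12
# Each level owns an inclusive score range; ranges must not overlap and must
# cover 0..MAX_SCORE with no gaps (constructed ranges).
SCHEME = {
    "Public": (0, 2),
    "Sensitive": (3, 5),
    "Private": (6, 8),
    "Confidential": (9, 12),
}


def validate_scheme(scheme: dict, max_score: int = MAX_SCORE) -> list:
    """Return the problems found: overlapping, empty, gapped or uncovered ranges."""
    problems = []
    next_low = 0  # the lowest score the next level must start at
    for name, (low, high) in sorted(scheme.items(), key=lambda kv: kv[1][0]):
        if low > high:
            problems.append(f"{name}: empty range {low}-{high}")
        if low < next_low:
            problems.append(f"{name}: overlaps previous level at {low}")
        elif low > next_low:
            problems.append(f"{name}: gap before {low}")
        next_low = max(next_low, high + 1)
    if next_low <= max_score:
        problems.append(f"scores {next_low}-{max_score} are not covered")
    return problems


@dataclass
class Criteria:
    value: int             # usefulness and value of the information, 0-3
    damage: int            # damage if disclosed, modified or corrupted, 0-3
    legal: int             # laws, regulations or liability attached, 0-3
    lost_opportunity: int  # lost opportunity cost, 0-3
    retention_days: int    # how long the protection requirement holds


def score(c: Criteria) -> int:
    """Sum the four criteria items into one score in 0..MAX_SCORE."""
    items = (c.value, c.damage, c.legal, c.lost_opportunity)
    if any(not 0 <= item <= 3 for item in items):
        raise ValueError("each criteria item must be scored 0-3")
    return sum(items)


def classify(c: Criteria, scheme: dict = SCHEME) -> str:
    """Pick the single level whose range contains the score."""
    s = score(c)
    for name, (low, high) in scheme.items():
        if low <= s <= high:
            return name
    raise ValueError(f"score {s} is not covered by the scheme")


def declassification_due(classified_on: date, c: Criteria, today: date) -> bool:
    """True once the protection period has elapsed and the owner must review."""
    return today >= classified_on + timedelta(days=c.retention_days)


# Constructed assets: name -> (criteria, date the owner classified it).
SAMPLE_ASSETS = {
    "press release": (Criteria(1, 0, 0, 0, 30), date(2024, 1, 10)),
    "payroll records": (Criteria(2, 3, 3, 1, 2555), date(2024, 1, 10)),
    "product roadmap": (Criteria(3, 2, 0, 2, 180), date(2024, 1, 10)),
}


def review(assets: dict, today: date, scheme: dict = SCHEME) -> dict:
    """Validate the scheme, then classify every asset and flag ones due for review."""
    problems = validate_scheme(scheme)
    if problems:
        raise ValueError("invalid scheme: " + "; ".join(problems))
    return {name: (classify(c, scheme), declassification_due(d, c, today))
            for name, (c, d) in assets.items()}


if __name__ == "__main__":
    for name, (level, due) in review(SAMPLE_ASSETS, date(2024, 9, 1)).items():
        print(f"{name}: {level}{' (review for declassification)' if due else ''}")
```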

Slide 202

Criteria Example

Slide 203

Or Not

Slide 204

Information Owner Requirements

To properly classify information, the information owner must:

Understand the organization’s classification scheme and criteria

Be familiar with legal and regulatory requirements

Carry out classification processes in a consistent manner

Have classification processes reviewed and monitored

Carry out declassifying procedures when necessary

Slide 205

Clearly Labeled

All classified items need to be clearly labeled

Handling of data in different formats (paper, digital, video, audio, facsimile)

Marking should be on cover and inside of documents

Magnetic or optical media must be labeled

Slide 206

Testing Classification Program

Are documents in open view?

Is sensitive information viewable on computer screen?

Is data physically protected and not just logically protected?

How is sensitive data destroyed?

Review users’ access levels

Review an information flow matrix
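Reviewing users' access levels and an information flow matrix, as this slide suggests, can be partly automated. The script below is an added example, not part of the Logical Security course material: it takes a constructed classification scheme, constructed asset labels, user clearances and an access matrix, and reports unlabeled assets (the failure the "Clearly Labeled" slide warns about), users granted access above their clearance, and flows that move data from a higher to a lower classification without declassification.

```python
"""Audit user access and information flows against a classification scheme.

Added example for testing a classification program. All levels, assets,
users, access grants and flows below are constructed sample data.
"""

# Ordered classification scheme; list index is the sensitivity rank.
LEVELS = ["Public", "Internal", "Confidential", "Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed sample assets and the label each one carries ("" = no label).
ASSETS = {
    "newsletter.pdf": "Public",
    "org-chart.xlsx": "Internal",
    "customer-db": "Confidential",
    "merger-plan.docx": "Secret",
    "old-backup.tar": "",  # unlabeled: a marking failure to report
}

# Constructed sample clearances granted to users.
CLEARANCES = {
    "alice": "Secret",
    "bob": "Internal",
    "carol": "Confidential",
}

# Constructed access matrix: user -> assets the user can currently read.
ACCESS = {
    "alice": ["newsletter.pdf", "merger-plan.docx"],
    "bob": ["newsletter.pdf", "org-chart.xlsx", "customer-db"],  # over-access
    "carol": ["customer-db", "old-backup.tar"],
}


def dominates(clearance, label):
    """True if a clearance is at or above the data's classification."""
    return RANK[clearance] >= RANK[label]


def audit_access(assets, clearances, access):
    """Review an access matrix and return findings as (kind, user, asset).

    kinds: "unlabeled"    - asset carries no recognised classification label
           "unknown-user" - access granted to a user with no recorded clearance
           "over-access"  - user's clearance is below the asset's label
    """
    findings = []
    for asset, label in assets.items():
        if label not in RANK:
            findings.append(("unlabeled", None, asset))
    for user, granted in access.items():
        if user not in clearances:
            findings.extend(("unknown-user", user, a) for a in granted)
            continue
        for asset in granted:
            label = assets.get(asset, "")
            if label not in RANK:
                continue  # already reported as unlabeled above
            if not dominates(clearances[user], label):
                findings.append(("over-access", user, asset))
    return findings


def flow_violations(assets, flows):
    """Review an information flow matrix given as (source, destination) pairs.

    A flow from a higher-classified source into a lower-classified destination
    is a downgrade that needs an explicit declassification decision; report it.
    """
    bad = []
    for src, dst in flows:
        s, d = assets.get(src, ""), assets.get(dst, "")
        if s in RANK and d in RANK and RANK[s] > RANK[d]:
            bad.append((src, dst))
    return bad


if __name__ == "__main__":
    for finding in audit_access(ASSETS, CLEARANCES, ACCESS):
        print(finding)
    sample_flows = [("customer-db", "newsletter.pdf"),
                    ("org-chart.xlsx", "customer-db")]
    print(flow_violations(ASSETS, sample_flows))
```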

Slide 207

Who Is Always Causing Problems?

Not birds

– PEOPLE are always a security headache.

Slide 208

Employee Management

Hiring and Firing

Termination

Training

Slide 209

Employee Management

Weakest link in security is people

80/20 rule

Proper management of employees is very important

Communication structure needs to be in place

Constructing and enforcing policies

Culture

Slide 210

Employee Position and Management

Employee Management

Position definition

Determining position sensitivity

Filling the position - screening and selecting

Employee training and awareness

User account management

Audit and management reviews

Detecting unauthorized/illegal activities

Temporary assignments and in-house transfers

Slide 211

Hiring and Firing Issues

Pre-employment

Background check

Drug screening

Security clearance

Credit check

Termination Procedures

Complete an exit interview

Review the non-disclosure agreement

Individual must be immediately escorted out of the facility

Individual must surrender ID badges, keys, and company assets

User’s accounts must be disabled

User’s passwords must be changed

Slide 212

A Few More Items

When hiring, be alert to future checks that may be necessary if the individual moves to a higher classification level in the company.

Hiring and firing practices should follow pre-determined checklists developed by HR.

Slide 213

Unfriendly Termination

Security and Safety Steps

1. System access should be terminated as quickly as possible.

2. System access should be removed at the same time (or just before) the employees are notified of their dismissal.

3. System access should be immediately terminated.

Slide 214

Security Awareness and Training

Slide 215

Training Characteristics

| Characteristic | Awareness | Training | Education |
| --- | --- | --- | --- |
| Attribute | “What” | “How” | “Why” |
| Level | Information | Knowledge | Insight |
| Learning Objective | Recognition and Retention | Skill | Understanding |
| Example Teaching Method | Media: videos, newsletters, posters | Practical Instruction: lecture and/or demo, case study, hands-on practice | Theoretical Instruction: seminar and discussion, reading and study, research |
| Test Measure | True/False, Multiple Choice (Identify learning) | Problem Solving, i.e., Recognition and Resolution (Apply learning) | Essay (Interpret learning) |
| Impact Timeframe | Short-term | Intermediate | Long-term |

Slide 216

Awareness

Security Awareness Program

Employees must know what’s expected of them, as well as the ramifications of non-compliance

This is part of due care and can be used in liability cases if not performed

Banners, employee handbooks, posters

Should be performed annually

Policies, standards, baselines, guidelines

Incident reporting, malware, social engineering, hazards

Different training for different employee groups

Technical = IT

Liability, laws, regulations = management levels

Basic security and usability issues = users

Slide 217

Security Enforcement Issues

Importance

Not just lip service

Support directly from upper management

Ensures required baseline of security is met

Realized ramifications for actions

Slide 218

Answer This Question

A company needs to be concerned about an asset’s reliability, confidentiality, and integrity. What is used to enforce the protection of integrity?

a. Controlling physical security

b. Using access controls

c. Enforcing the rules of confidentiality

d. Using logical security

Slide 219

Answer This Question

The risk management team process for identifying, controlling, eliminating, and/or minimizing uncertain events can be assisted by what aid?

a. Qualitative risk assessment processes

b. Automated information system security tools

c. Internal security controls

d. Risk mitigation

Review Questions:

1. Which of the following is an example of an ultimate data owner?

A. Front-line employee

B. Customer accessing information via the extranet

C. IT administrator

D. CIO

2. What is the term that defines when senior management initiates and sponsors a company’s security program?

A. Bottom-up approach

B. Top-down approach

C. Steering committee

D. Middle-driven approach

3. Which of the following would not be part of an organizational security policy?

A. Security program goals

B. E-mail security policy

C. Responsibilities assignments

D. Enforcement information

4. A technique used in qualitative risk analysis that uses the anonymous opinions of all individuals is called what?

A. Consensus approach

B. Delphi technique

C. Group mentality

D. Group discussion phase

5. Which of the following terms is a recommendation to an employee on how to act?

A. Baseline

B. Rule

C. Guideline

D. Standard

6. Which is not an example or characteristic of qualitative risk analysis?

A. Delphi technique

B. Storyboarding

C. SLE calculations

D. Opinion-based

7. A policy that is more technically focused and outlines the directives dictated by management is which of the following?

A. System-specific

B. Technical-specific

C. Organizational

D. Issue-specific

8. Which is not an example of security awareness?

A. Security training

B. Security bulletin board notes

C. Security ACLs

D. Security objectives in an employee’s performance review

9. A common omission in security programs by many companies is which of the following?

A. Responsibility assignments

B. Penalties for non-compliance

C. Risk analysis

D. Awareness

10. What step should happen first when an employee is terminated if it is an unfriendly separation?

A. Escorted off premises

B. Network and system access privileges removed

C. Facility ID badges handed out

D. Employee’s personal items should be boxed

11. Third party governance is used to accomplish what aspect of security?

A. Taking control of a third party’s IT department

B. Ensuring that a third party partner has met a certain level of compliance and security

C. Allowing a third party entity to take over security of your organization’s IT department

D. Hiring a contractor to do an internal audit

Answer Key:

1. D

The key here is the word ultimate. Employees and the administrator can be data owners in some situations, but senior management is ultimately the owner of business-oriented data. Data owners are legally bound to the protection of data within a company. Because of this required responsibility, data owners should be members of senior management. These individuals practice due care with data classifications and associated security policies.

2. B

A top-down approach to security management is the ideal method because it is typically more successful than the bottom-up approach. A top-down approach means that management is driving a project, and bottom-up means that a lower level employee is driving a project. The most important factor in security management is obtaining the support of upper management.

3. B

An organizational security policy covers the entire program at a high level. Typically this will cover how the program is set up, goals and objectives, who is responsible for what, and how to enforce the policy. E-mail security would be an issue-specific policy.

4. B

In the qualitative risk analysis approach, the Delphi Technique is used to achieve honest results by allowing the individuals to submit their opinions anonymously. This technique is designed to allow people to submit their opinions without being influenced by others.

5. C

Guidelines are used to provide employees with recommendations on how to perform specific tasks. This is different from a standard, which is a rule that must be followed, or a baseline, which is a minimal level of security.

6. C

Qualitative risk analysis does not focus on real-number calculations, but instead assigns rankings to threats and countermeasures and focuses on judgment, intuition, and experience. Single loss expectancy (SLE) is a method used in quantitative risk analysis.

7. A

System-specific policies are technical directives derived by management to protect individual systems. They can outline how a system should be accessed or how users should be trained on the use of a specific system.

8. C

Security awareness is a vital part of a successful security program. As its name states, the goal is to make employees aware of the components of the security program. Employees can be made aware in a variety of ways, such as e-mail, regular meetings, training classes, or by having security-related tasks as part of their performance plans. Access control lists (ACLs) are security controls, but do not contribute to security awareness.

9. B

A common mistake that many companies make is failing to include penalties in the security program to be enforced if/when individuals do not comply with outlined directives. As with any rule or law, without known consequences, it is unlikely that the instruction will be followed. Security awareness is included in most security policies; however, following through with the awareness objective is not as common.

10. B

The first step taken when an employee is terminated is to remove all network and system privileges. The ex-employee could still remotely connect to a network and do harm. Protecting the company’s assets should be the first step.

11. B

We need to make certain that working with a third party doesn’t introduce new security concerns, so third-party governance is used to verify the third party’s compliance with the organization’s security needs.

