Date post: 06-Jan-2018
Category: Documents
Upload: darcy-gilbert
SE571 Security in Computing
Chap 8: Administering Security
SE571 Security in Computing Dr. Ogara 2
Security involves..
• Security is a combination of:
    • Technical – covered in chap 1
    • Administrative
    • Physical controls

Administering Security
• Security Planning
• Risk analysis
• Policy
• Physical control/security

Security Planning
• Effective security planning is essential for computer organization
• A security plan is a document that describes how an organization will address its security needs:
    • It is an official record of current security practices
    • Blueprint for review to improve those practices

Three Aspects of Security Planning
• To define and implement a security plan we concentrate on three aspects as follows:
    1. Contents of security plan/what should be there?
    2. Who is involved in security planning?
    3. How to obtain support for a plan

Contents of a Security Plan
• Security plan should address seven issues
    1) Policy – describes the goals and whether the people involved are willing to attain these goals
    2) Current state – the status of security at the time of the plan
    3) Requirements – recommends ways to meet the security goals
    4) Recommended controls – mapping controls to the vulnerabilities identified in the policy and requirements
    5) Accountability – who is responsible for each security activity
    6) Timetable – when do different security functions take place?
    7) Continuing attention – specify a structure to periodically update the security plan

OCTAVE Methodology
• The Software Engineering Institute at Carnegie Mellon University has created a framework for building a security plan
    1) Identify enterprise knowledge
    2) Identify operational area knowledge
    3) Identify staff knowledge
    4) Establish security requirements
    5) Map high priority information assets to information infrastructure
    6) Perform an infrastructure vulnerability evaluation
    7) Develop a protection strategy

Security Plan Requirements
• Explain what should be accomplished
• Are functional or performance demands placed on a system to ensure a desired level of security
• The inputs to a security plan are shown in the diagram

Responsibility for Implementation
• Plan should identify who is responsible for implementing security requirements
• Different groups can be responsible for different security roles, for example,
    • PC Users: security of own machines
    • Project leaders: security of data and computations
    • Managers: seeing that the people they supervise implement security measures

Responsibility for Implementation
    • Database administrators: access to and integrity of data in databases
    • Information officers: creation and use of data, retention and proper disposal of data
    • Personnel staff members: security involving employees

Security Planning Team Members
• Membership should relate to different aspects of security
• Planning team should represent each of the following groups:
    • Computer hardware group
    • System administrators
    • System programmers
    • Application programmers
    • Data entry personnel
    • Physical security personnel
    • Representative users

Commitment to Security Plan
• Ensure the security functions will be implemented and security activities carried out
• Three groups of people must contribute to making the plan a success
    • The planning team
    • Those affected by the security recommendations
    • Management: using and enforcing security
• Organizations can use a “business continuity plan” to deal with situations having two characteristics:
    • Catastrophic situations: a computing capability is suddenly unavailable through fire or flood
    • Long duration

Risk Analysis
• Effective security planning includes careful risk planning
• Risks can be distinguished from other events in terms of:
    • Risk impact associated with an event
    • The probability (Prisk) of an incidence associated with each risk. 0 <= Prisk <= 1; when Prisk = 1 we say that there is a problem
• Risk control – the degree to which an outcome can be changed

Risk Analysis
• The effects of a risk can be quantified by multiplying the risk impact by the risk probability, yielding the risk exposure:
    Risk Exposure = risk impact * Prisk
• Example: Prisk = 0.40; risk impact $10,000 (cost of cleaning the affected files)
    Risk Exposure = 0.4 * 10000 = $4,000
• So, based on the calculation, we can decide that antivirus software worth $400 is worth the investment

Risk Analysis
• Three Strategies for Risk Reduction:
• Avoiding the risk
    • Change security requirements
• Transferring the risk
    • Allocate the risk to other systems, people, assets
    • Buy insurance to cover any financial loss
• Assuming the risk
    • Accept and control it with available resources
    • Prepare to deal with the loss if it happens

Risk Leverage
• In addition to the impact cost there are also costs associated with reducing it
• Risk leverage is the difference in risk exposure divided by the cost of reducing the risk
• Risk leverage = (risk exposure before reduction – risk exposure after reduction) / cost of risk reduction

Risk Leverage
• So if the leverage value of a proposed action is not high enough then we need to find a less costly strategy
• The parameters in the risk leverage equation require the risk analysis process to identify and list all exposures in the computing system
• For each exposure we need to identify possible controls and their costs
• Finally we need to carry out a cost–benefit analysis

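The cost–benefit pass described on the two Risk Leverage slides, as an added example that is not part of the original slides: it computes risk exposure and risk leverage for every exposure/control pair in a small register and ranks the controls. Only Prisk = 0.40, the $10,000 impact and the $400 antivirus cost come from the slides; the other register values and the minimum-leverage cut-off of 1.0 are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Control:
    name: str
    cost: float          # cost of risk reduction
    p_after: float       # Prisk once the control is in place
    impact_after: float  # risk impact once the control is in place

@dataclass
class Exposure:
    name: str
    p_risk: float        # 0 <= Prisk <= 1
    impact: float        # risk impact in dollars
    controls: list       # candidate Control objects for this exposure

def risk_exposure(p_risk, impact):
    if not 0.0 <= p_risk <= 1.0:
        raise ValueError("Prisk must lie in [0, 1]")
    return p_risk * impact  # risk exposure = risk impact * Prisk

def risk_leverage(exposure, control):
    """(exposure before reduction - exposure after reduction) / cost of reduction."""
    if control.cost <= 0:
        raise ValueError("cost of risk reduction must be positive")
    before = risk_exposure(exposure.p_risk, exposure.impact)
    after = risk_exposure(control.p_after, control.impact_after)
    return (before - after) / control.cost

def rank_controls(register, min_leverage=1.0):
    """Cost-benefit pass: (leverage, exposure, control) rows, best first.
    min_leverage is an assumed cut-off; below it, look for a cheaper strategy."""
    rows = [(risk_leverage(e, c), e.name, c.name) for e in register for c in e.controls]
    return sorted((r for r in rows if r[0] >= min_leverage), reverse=True)

# Constructed register. Only Prisk = 0.40, the $10,000 impact and the $400
# antivirus cost come from the slides; every other figure is illustrative.
REGISTER = [
    Exposure("virus infects files", 0.40, 10_000, [
        Control("antivirus software", 400, 0.05, 10_000),
        Control("managed scanning service", 5_000, 0.02, 10_000)]),
    Exposure("server room flood", 0.02, 200_000, [
        Control("offsite backups", 1_500, 0.02, 50_000),
        Control("relocate server room", 60_000, 0.001, 200_000)]),
]

if __name__ == "__main__":
    for leverage, exposure, control in rank_controls(REGISTER):
        print(f"{leverage:6.2f}  {exposure}: {control}")
```

With these figures the $400 antivirus has the highest leverage, while the two expensive controls fall below the cut-off even though they reduce exposure the most.
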
Risk Analysis
• The basic steps of risk analysis are:
    1. Identify the assets
    2. Determine vulnerabilities
    3. Estimate likelihood of exploitation
    4. Compute expected annual loss
    5. Survey applicable controls and their costs
    6. Project annual savings of control

Alternative Steps in Risk Analysis
• US Army – OPSEC used during Vietnam War
    1) Identify critical information to be protected
    2) Analyze the threats
    3) Analyze the vulnerabilities
    4) Assess the risks
    5) Apply countermeasures

Alternative Steps in Risk Analysis
• US Air Force – Operational Risk Management Procedure (AIROO)
    1) Identify hazards
    2) Assess hazards
    3) Make risk decisions
    4) Implement controls
    5) Supervise

Policy
• Indicating the goals of a computer security effort and the willingness of the people involved to work to achieve those goals.

Organizational Security Policies
• Document to inform users of the objectives and constraints on using a system
• Purpose of policy document
    • Recognize sensitive information assets
    • Clarify security responsibilities
    • Promote awareness for existing staff
    • Provide guidelines to new employees

Organizational Security Policies
• A security policy must address the following:
    • The audience – who can get access?
    • Contents – which resources
    • Characteristics of good security policy – how?

Organizational Security Policies - Audience
• Three groups of audience
    • Users
    • Owners
    • Beneficiaries (e.g. customers, clients)
• Audience uses the security policy in important but different ways
• For each policy define the degree of confidentiality, integrity, and the continuous availability in the computing resources provided to them

Security Policies: Contents
• The risk analysis identified the assets that are to be protected
• These assets (computers, networks, data) should be listed in the policy document
• The policy should also indicate:
    • Who should have access to protected resources
    • How unauthorized people will be denied access
    • How that access will be ensured

Characteristics of a good security policy
• Coverage – should be comprehensive and general
• Durability – survive system’s growth and expansion…applicable to new situations
• Realism – realistic/feasible to implement
• Usefulness – should be concise, clear and direct

Characteristics of a good security policy
• Examples:
    • Data sensitivity policy
    • U.S. Government Agency IT Security Policy
    • Internet Security Policy
    • The U.S. government Email Policy

Physical Security
• Describes protection needed outside the computer system
• Physical security can be in one of these forms:
    • Natural disasters
    • Power loss
    • Human vandals
• Contingency planning is key to successful recovery:
    • Backups, offsite backups, network storage, etc.

Current State
• Describing the status of security at the time of the plan
• Risk analysis – a careful investigation of the system, its environment, and the things that might go wrong

Requirements
• Recommending ways to meet the security goals
• Heart of the security plan
• Organizational needs

Recommended Controls
• Mapping controls to the vulnerabilities identified in the policy and requirements

Accountability
• Describing who is responsible for each security activity
    • Personal computer
    • Project leaders
    • Managers
    • Database administrators
    • Information officers
    • Personnel staff

Time Table
• Identifying when different security functions are to be done
• Show how and when the elements of the plan will be performed

Continuing Attention
• Specifying a structure for periodically updating the security plan