Final Exam
The Issues and options of human resource staffing
Management must get feedback from employees early in the process to find out whether, and how strongly, they are resistant to the changes brought by the implementation of the information security plan. Resolving employees' concerns and reassuring them about the information security role and its benefits can go a long way toward helping the process
Qualifications and requirements for staffing information security function
The following factors need to be addressed for the security discipline to move forward:
Management needs to learn more about what skills and qualifications are needed when it comes to information security jobs
Upper management needs to learn and understand the budgetary needs of the information security functions and the positions within it
Management and the IT community need to understand the amount of influence and prestige that needs to be given to the information security function so that it can be effective
When hiring information security professionals, the organization typically looks for individuals who understand the following:
How an organization operates at all levels
That information security is usually a management problem and is seldom an exclusively technical problem
How to work with people and collaborate with end-users, and who have strong communication and writing skills
The role of policy in guiding security efforts, and the role of education and training in making employees and other authorized users part of the solution, rather than part of the problem
Most mainstream IT technologies (not necessarily as experts, but as generalists)
The terminology of IT and information security; this is the basis for subsequent knowledge and skills needed for the specific positions
The threats facing an organization and how these threats can become attacks
How to protect the organization’s assets from information security attacks
How business solutions (including technology-based solutions) can be applied to solve specific information security problems
Information security positions
Information security positions are classified into 3 areas:
Those that define information security programs
Those that build the systems and create the programs that implement the information security controls within the defined systems
Those that administer the information security control systems and programs that have been created
Security manager
Accountable for the day-to-day operations of the information security program
Accomplish objectives set forth by the CISO above
Resolve issues identified by the technicians below
10 domains
Access control systems and methodology
Application and systems development
Business continuity planning
Cryptography
Law, investigation, and ethics
Operations security
Physical security
Security architecture and models
Security management practices
Telecommunications, network, and Internet security
Background checks
Identity checks (social security number)
Educational and credential checks (degrees)
Previous employment verification (how long, why you left)
Reference integrity
Worker's compensation claims
Motor vehicle records (suspensions, DUI)
Drug history (drug use, past and present)
Credit history (credit problems, bankruptcy)
Civil court history (civil suits)
Criminal court history (arrests, convictions)
Remember: they have to inform you in writing if they are requesting these
Separation of Duties and Collusion
Separation of duties
It is a control measure used to reduce the chance of an individual violating information security and breaching the confidentiality, integrity, or availability of information
Any work that touches sensitive information should require at least 2 people to complete the task
Physical Security
It addresses the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization. It includes the protection of the people, the hardware, and the supporting system elements and resources associated with the control of information in all its states: transmission, storage, and processing
The 7 major sources of physical loss
1. Extreme Temperature: heat, cold
2. Gases: war gases, commercial vapors, humid or dry air, particles
3. Liquids: water, chemicals
4. Living organisms: viruses, bacteria, people, animals, objects
5. Projectiles: tangible objects in motion, powered objects
6. Movement: collapse, shearing, shaking, vibration, liquefaction, flow waves, separation, slide
7. Energy anomalies: electrical surge or failure, magnetism, static electricity, aging circuitry; radiation: sound, light, radio, microwave, electromagnetic, atomic
Based on trigger type there are 4 types of locks:
Manual
Commonplace and well understood
Key or combination cannot be changed
Programmable
Combination and keys can be changed by owner
Electronic
Can be integrated into alarm systems
Biometric
Finger, palm, hand readers, iris, retina, voice, signature
Fail-safe: when the lock fails, the door remains open
Fail-secure: when the lock fails, the door remains locked
Fire Security and Safety
The most important concern of physical security is the safety of people. The most serious threat is fire.
Fire Detection and Response
Fire suppression systems
Smoke detection
Most common means of detecting fires
Photoelectric: projects a beam; if the beam is broken, the alarm goes off
Ionization: a small amount of radioactive material in a chamber
Air-aspirating
These systems take in air, filter it, and move it through a chamber with a laser beam; if the beam is refracted by smoke particles, the alarm is set off
Fire Suppression
Consists of portable, manual, or automatic apparatus
Portable Fire Extinguishers are rated as follows:
Class A: wood, paper, textiles, rubber, cloth, trash
Extinguished with water and dry chemicals
Class B: solvents, gas, paint, lacquer, oil
Extinguished with carbon dioxide, halon, and dry chemicals
Class C: energized electrical equipment or appliances
Extinguished with non-conducting agents (carbon dioxide, halon, dry chemicals); NO WATER
Class D: magnesium, lithium, sodium
Extinguished with special agents and techniques
Uninterruptible Power Supply (UPS)
A device that assures the delivery of electrical power without interruption; most of the time it is run on car batteries
Physical Interception of Data
Direct Observation
When an individual is close enough to see the information, e.g., employees taking work to lunch or home
Project Plan: it includes changes to 5 major areas
1. Procedures through Policy
2. People through Training
3. Hardware through Firewalls
4. Software through Encryption
5. Data through Classification
Project Management for Information Security
The project plan must address the following issues:
Project leadership
Projectitis
This is the phenomenon in which a project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than in accomplishing meaningful project work
The project plan is broken down into several major tasks, then each task into subtasks, and finally into action steps
Milestone
It is a specific point in the project plan at which a task (and its action steps) that has a noticeable impact on the progress of the project plan as a whole is completed
1. Technical Topics of Implementation
Conversion Strategies
Direct changeover
This approach is also known as “cold turkey”: the old method is stopped one day and the new one is started right away. It could be done over a weekend
Bull’s-eye model for information security project planning
In this model issues are addressed from general to specific
Focus is on systematic solutions instead of individual solutions
4-layer evaluation progression approach
Policies
This is the outer ring
Policy is the foundation and establishes the ground rules
Policy enables all other security to function
Networks
DMZ is the primary defense
Authentication and authorization are secondary
Systems
Includes computers, servers, and desktops
Adding security increases the complexity of systems
Applications
Includes packaged applications, office automation, and email
Change control
This is a process in which every change to new and existing systems is looked over in detail before the change is approved and made
Nontechnical aspects of implementation
The culture of change management: Lewin's change model
Unfreezing: thawing out old habits and procedures
Moving: transition between the old and the new
Refreezing: integration of the new into the organization
Security triple
threats, assets, vulnerabilities
The 4 steps associated with configuration management
Configuration identification
The identification and documentation of the various components, implementation, and states of configuration items
Configuration control
The administration of changes to the configuration items and issuance of versions
Configuration status accounting
The tracking and recording of the implementation of changes to configuration items
Configuration auditing
Auditing and controlling the overall configuration management program
Security program management (Security management)
These steps are part of a management systems approach to developing, implementing, and improving the effectiveness of an organization’s information security management with regard to the management of risk
Plan
Perform a risk analysis of the vulnerabilities faced by the organization
Do
Apply internal controls to manage risk
Check
Undertake periodic and frequent review to verify effectiveness
Act
Develop incident response plans as necessary
The Maintenance Model: Monitoring the external environment
Its purpose is to provide the early awareness of new and emerging threats, threat agents, vulnerabilities, and attacks that the organization needs in order to mount an effective and timely defense
Monitoring, escalation, and incident response
The basic function of external monitoring is to monitor activity, report results, and escalate warnings
External monitoring has 3 primary deliverables:
Specific warning bulletins issued when developing threats and specific attacks pose a measurable risk to the organization
Periodic summaries of external information
Detailed intelligence on the highest risk warnings
Monitoring the internal environment
The basic function of internal monitoring is to maintain an informed awareness of the state of all the organization's networks, information systems, and information security defenses
Internal monitoring is accomplished by:
Building and maintaining an inventory of network devices and channels, IT infrastructure and applications, and information security infrastructure elements
Leading the IT governance process within the organization to integrate the inevitable changes found in all network, IT, and information security programs
Monitoring IT activity in real-time using intrusion detection systems to detect and initiate responses to specific actions or trends of events that introduce risk to the organization’s information assets
Monitoring the internal state of the organization’s networks and systems
Vulnerability RA (Risk Assessment)
Used for communication of the background, details, and proposed remediation for the vulnerability
Vulnerability assessment and remediation
The primary goal is to identify specific, documented vulnerabilities and remediate them in a timely fashion