Overview of Information Security Management: Chapters 1-5

Chapter 1: Introduction to the Management of Information Security

  • Information Security (InfoSec): InfoSec focuses on protecting information and its valuable characteristics, including confidentiality, integrity, and availability. It encompasses InfoSec management, computer security, data security, and network security.

  • Security: Security is the state of being free from danger. To be secure means being protected from loss, damage, unwanted modification, or other hazards.

  • C.I.A. Triad: The C.I.A. triad includes confidentiality, integrity, and availability.

    • Confidentiality means limiting information access to only those who need it and preventing access by unauthorized individuals or systems.

    • Integrity means information is whole, complete, and uncorrupted: it has not been altered or destroyed in an unauthorized or accidental way, so it can be trusted to be accurate.

    • Availability ensures that authorized users have reliable and timely access to information and resources.

  • CNSS Security Model: The CNSS (Committee on National Security Systems) security model, also known as the McCumber Cube, has three dimensions: the security goals (confidentiality, integrity, availability), the states information can be in (storage, processing, transmission), and the security measures that protect it (policy and practices; education, training, and awareness; technology). Crossing the three dimensions gives a 3x3x3 cube of 27 cells, and each cell (for example, confidentiality of information in transmission, protected by technology) should be covered by at least one control; cells with nothing in them are the gaps in an InfoSec program that the model is meant to expose.

  • Privacy: Privacy in InfoSec means ensuring that personal information is collected, used, and disclosed appropriately.

  • InfoSec Processes:

    • Identification is the system recognizing a subject that presents an identifier such as a username, account number, or device ID. Nothing is proven at this stage; the claim is only matched against the identities the system knows.

    • Authentication verifies the claimed identity with something the subject knows (a password), has (a token or smart card), or is (a biometric).

    • Authorization determines what an authenticated subject is permitted to do with specific resources.

    • Accountability (auditability) ensures that every action can be attributed to a specific subject, typically through audit logs that record who did what, to which resource, and when.
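The four processes above as one running request pipeline. This is an added example written for this summary, not code from the page or from any textbook; the user store, roles, permission table, and passwords are constructed for illustration. Note the two practitioner details the prose leaves implicit: authentication hashes a dummy salt for unknown usernames and compares in constant time so that response timing does not reveal which identifiers exist, and every decision (not only the successful action) is written to the audit log, which is what makes accountability possible.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Hypothetical user store and permission table, constructed for this example.
# Passwords are kept as salted PBKDF2-HMAC-SHA256 hashes, never in the clear.
PBKDF2_ROUNDS = 100_000  # kept low for a quick demo; production uses far more


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, roles: set) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash(password, salt), "roles": set(roles)}


USERS = {
    "alice": make_user("correct horse battery staple", {"analyst"}),
    "bob": make_user("hunter2", {"analyst", "admin"}),
}
# action -> roles allowed to perform it
PERMISSIONS = {"read_logs": {"analyst", "admin"}, "delete_logs": {"admin"}}
AUDIT_LOG = []  # accountability: every decision is recorded here


def audit(event: str, user: str, outcome: str, detail: str = "") -> None:
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": event, "user": user, "outcome": outcome, "detail": detail,
    })


def identify(username: str) -> bool:
    """Identification: is the presented identifier one the system knows? No proof yet."""
    known = username in USERS
    audit("identify", username, "recognized" if known else "unknown")
    return known


def authenticate(username: str, password: str) -> bool:
    """Authentication: verify the claim with a secret.

    The hash is computed even for unknown names and compared in constant time,
    so response timing does not reveal which usernames exist.
    """
    record = USERS.get(username)
    salt = record["salt"] if record else bytes(16)
    candidate = _hash(password, salt)
    ok = record is not None and hmac.compare_digest(candidate, record["hash"])
    audit("authenticate", username, "success" if ok else "failure")
    return ok


def authorize(username: str, action: str) -> bool:
    """Authorization: may this (already authenticated) subject perform the action?"""
    roles = USERS.get(username, {}).get("roles", set())
    allowed = bool(roles & PERMISSIONS.get(action, set()))
    audit("authorize", username, "allowed" if allowed else "denied", action)
    return allowed


def perform(username: str, password: str, action: str) -> bool:
    """Run the four processes in order; any failure stops the request."""
    if not identify(username):
        return False
    if not authenticate(username, password):
        return False
    if not authorize(username, action):
        return False
    audit("action", username, "performed", action)
    return True


def failed_logins(username: str) -> int:
    """Accountability in use: count authentication failures attributed to a user."""
    return sum(1 for e in AUDIT_LOG
               if e["event"] == "authenticate" and e["user"] == username
               and e["outcome"] == "failure")


if __name__ == "__main__":
    print(perform("alice", "correct horse battery staple", "read_logs"))    # True
    print(perform("alice", "correct horse battery staple", "delete_logs"))  # False
    print(perform("bob", "hunter2", "delete_logs"))                         # True
    print(perform("alice", "wrong", "read_logs"))                           # False
    print(failed_logins("alice"))                                           # 1
```

The order matters: authorization is only meaningful after authentication has succeeded, and the audit record of a denied authorization is as important as the record of a successful action, because it is the trail an incident responder follows.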

  • Threats to Information Security: Threats include a wide range of potential dangers, such as natural disasters, technical hardware failures, software errors, and human actions.

  • Technical Hardware Failures or Errors: Mean time between failures (MTBF) is the average time between hardware failures, calculated by dividing the total operating time by the total number of failures.

  • Planning:

    • Strategic planning occurs at the highest organizational levels and covers a long period, typically five or more years.

    • Tactical planning focuses on production planning and integrates resources for an intermediate duration, such as one to five years.

    • Operational planning addresses day-to-day operations and local resources in the short term.

  • InfoSec Plans and Planning Functions: Types of InfoSec plans include incident response, business continuity, disaster recovery, policy, personnel, technology rollout, risk management, and security program planning.

Chapter 2: Compliance: Law and Ethics

  • Law vs. Ethics: Laws are rules adopted and enforced by a government; legal guilt attaches to acts that violate the rights of others. Ethics are based on cultural mores and judge intent as well as action, so a person can be ethically culpable for intending a wrong even if it is never carried out.

  • Ethics: Ethics is the branch of philosophy concerned with moral judgments. It involves studying how humans ought to act and the rules they should live by.

  • Ethical Frameworks:

    • Meta-ethics studies the meaning of ethical judgments and properties.

    • Descriptive ethics studies choices made by individuals in the past.

    • Applied ethics applies moral codes to realistic situations.

    • Deontological ethics studies the rightness or wrongness of intentions and motives.

  • Categories of Law: Laws can be categorized as either public or private.

    • Private law governs relationships between individuals and organizations.

    • Public law regulates government agencies and their relationships with citizens.

  • Digital Forensics: Digital forensics is the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and/or root-cause analysis.

    • Key steps in digital forensics include detecting a policy violation or crime, obtaining authorization to investigate (a search warrant for law enforcement, or management approval under policy inside an organization), collecting the evidence without altering it and preserving its integrity (forensic copies, cryptographic hashes, chain-of-custody records), analyzing the evidence, and producing a report.

  • Affidavit: An affidavit is sworn testimony that certain facts are in the investigator's possession and warrant the examination of specific items at a specific place; it supports the request for a search warrant.

  • Evidentiary Material (EM): Identifying potential EM and its probable location is crucial. Investigators must know what they are looking for to find relevant evidence in locations such as hard drives, flash drives, mobile devices, and online services such as email and cloud storage.

  • Analyzing Data: Analysis is performed on a verified forensic copy, never on the original media. It typically begins by indexing all text found on the image so that investigators can quickly search for specific files, keywords, or fragments.

  • Reporting Findings: Investigators tag items of potential EM and add them to the case file, together with the hashes that prove they are unchanged since acquisition. The amount of detail needed depends on the case and on whether the findings may be used in court.
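The acquire, verify, analyze (index and search), and report steps above, reduced to their core, as an added example written for this summary rather than code from the page or from any forensic toolkit. The "image" is a constructed dictionary of file contents, the case id is an illustrative placeholder, and the index is a simple inverted index over text tokens; a real tool would read a write-blocked image and also index slack space and unallocated clusters.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed stand-in for a forensic image: path -> file contents. In a real
# case these bytes come from a write-blocked copy of the seized media.
EVIDENCE_FILES = {
    "Documents/memo.txt": b"Quarterly payroll export attached. Do not forward outside finance.",
    "Downloads/invoice.txt": b"Wire the payroll funds to the new account, reference 4471.",
    "temp/notes.txt": b"Lunch at noon, bring the projector.",
}
# Hypothetical case file; the case id is an illustrative placeholder.
CASE_FILE = {"case_id": "CASE-0001", "acquired": {}, "tagged": []}


def acquire(files: dict) -> dict:
    """Preserve: hash every item at acquisition so later analysis can be shown to be non-destructive."""
    stamp = datetime.now(timezone.utc).isoformat()
    for path, data in files.items():
        CASE_FILE["acquired"][path] = {
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data),
            "acquired_at": stamp,
        }
    return CASE_FILE["acquired"]


def verify(files: dict) -> bool:
    """Re-hash the working copy; any mismatch or missing item means the evidence was altered."""
    acquired = CASE_FILE["acquired"]
    return set(files) == set(acquired) and all(
        hashlib.sha256(data).hexdigest() == acquired[path]["sha256"]
        for path, data in files.items()
    )


def build_index(files: dict) -> dict:
    """Analyze: map every text token to the files containing it (inverted index)."""
    index = defaultdict(set)
    for path, data in files.items():
        text = data.decode("utf-8", errors="replace").lower()
        for token in re.findall(r"[a-z0-9]+", text):
            index[token].add(path)
    return index


def search(index: dict, *keywords: str) -> list:
    """Files containing all of the given keywords, sorted for a stable report."""
    hits = None
    for word in keywords:
        matches = index.get(word.lower(), set())
        hits = matches if hits is None else hits & matches
    return sorted(hits or set())


def tag(paths, reason: str) -> list:
    """Report: record each hit with the acquisition hash that ties it to the image."""
    for path in paths:
        CASE_FILE["tagged"].append({
            "path": path,
            "sha256": CASE_FILE["acquired"][path]["sha256"],
            "reason": reason,
        })
    return CASE_FILE["tagged"]


if __name__ == "__main__":
    acquire(EVIDENCE_FILES)
    index = build_index(EVIDENCE_FILES)
    hits = search(index, "payroll")
    tag(hits, "keyword: payroll")
    print(hits, verify(EVIDENCE_FILES))
```

The hash recorded at acquisition is what lets the examiner answer the defence's first question, "how do we know you did not change it?", so it is taken before any indexing or searching, and re-checked at the end.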

  • U.S. Secret Service: The U.S. Secret Service is responsible for detecting and arresting individuals committing U.S. federal offenses related to computer fraud and false identification crimes.

  • New York State Regulation (2017): Requires financial institutions, law firms, and tax-exempt organizations to conduct periodic risk assessments of their information assets and systems.

  • PCI DSS (Payment Card Industry Data Security Standard): PCI DSS is a contractual standard, not a law, maintained by the PCI Security Standards Council and imposed through the card brands on any organization that stores, processes, or transmits payment card data. It includes the requirements and security assessment procedures, self-assessment questionnaires (SAQs) for smaller merchants, and supporting documents.

Chapter 3: Governance and Strategic Planning for Security

  • Planning: Planning involves preparing, applying, and controlling a sequence of actions to achieve specific goals.

  • Organizations determine if planning is necessary based on their need to manage resources, respond to threats, and achieve objectives.

  • Levels of Planning: There are three common levels of planning:

    • Strategic

    • Tactical

    • Operational

  • Stakeholders: Stakeholders are individuals or groups with a vested interest in the organization's operations and information assets. Their views are important because planning affects them, and their support is often crucial for successful implementation.

  • Statements:

    • A values statement articulates an organization's principles and qualities.

    • A vision statement expresses what the organization aspires to become.

    • A mission statement declares the organization's business and intended operations.

    • These statements are important because they provide a philosophical foundation for planning and guide the creation of the strategic plan.

  • Strategy: Strategy defines the long-term direction an organization should take.

  • InfoSec Governance: InfoSec governance is the set of responsibilities and practices exercised by the board and executive management to provide strategic direction, ensure that security objectives are achieved, ascertain that risks are managed appropriately, and verify that resources are used responsibly. In practice it involves creating and maintaining the organizational structures that manage the InfoSec function.

  • Board of Directors' Recommendations: A board of directors should recommend that an organization's InfoSec objectives include:

    • Creating a culture that recognizes the criticality of information and InfoSec.

    • Verifying that management's investment in InfoSec aligns with organizational strategies and the risk environment.

    • Mandating a comprehensive InfoSec program.

    • Requiring reports on the InfoSec program's effectiveness.

  • Outcomes of InfoSec Governance: Five basic outcomes should be achieved through InfoSec governance:

    • Strategic alignment of InfoSec with business strategy.

    • Risk management.

    • Resource management.

    • Performance measurement.

    • Value delivery.

  • Strategic Planning:

    • Top-down strategic planning involves leadership choosing the direction and initiatives for the entire organization and translating them into goals for each division and department.

    • A champion, ideally an executive, is needed to move the project forward.

    • Bottom-up planning, by contrast, begins with system administrators and technical staff improving security on the systems they control, without coordinated direction, dedicated funding, or organization-wide goals.

    • Top-down planning is usually more effective in a large, diverse organization because it brings executive support, funding, and coordination across units; bottom-up efforts tend to produce inconsistent, piecemeal protection.

  • Security Convergence: Security convergence is the merging of management accountability in areas like physical security, risk management, computer security, network security, and InfoSec. It's significant because it can reduce costs and improve results.

  • Joint Application Design (JAD): Key end users are assigned to planning and design teams similar to the joint application design (JAD) teams used in systems development.

  • Systems Development Life Cycle (SDLC) Methodology: The systems development life cycle (SDLC) is a methodology for the design and implementation of an information system in an organization.

  • Security Systems Development Life Cycle (SecSDLC): The process of phased system development described by the traditional SDLC can be adapted to support the specialized implementation of a security project by using the security systems development life cycle (SecSDLC).

  • Primary Objective of SecSDLC: The primary objective of the SecSDLC is to turn InfoSec into a coherent program rather than a series of responses to individual threats and attacks.

    • Major steps include investigation, analysis, design (logical and physical), implementation, and maintenance/change.

  • Controls:

    • Managerial controls set the direction, scope, and accountability of the security program (policy, governance, risk management, compliance); they are designed by strategic planners and executed by security administration.

    • Operational controls address the day-to-day security functions that carry out those decisions: personnel and physical security, incident response, disaster recovery, and training and awareness.

    • Technical controls are the mechanisms that enforce policy inside systems: identification and authentication, access control, cryptography, logging and auditing, and system hardening.

  • Project Champion: A project champion is a senior executive who promotes the project and ensures its support.

  • CSO vs. CISO:

    • A Chief Information Security Officer (CISO) is responsible for the assessment, management, and implementation of information-protection activities in the organization.

    • A Chief Security Officer (CSO) is responsible for the protection of all physical and information resources within the organization.

  • Maintenance: Maintenance is needed for information security management systems, given the flexibility and persistence of many of the threats facing the modern organization.

Chapter 4: Information Security Policy

  • Information Security Policy: Information security policy is critical to the success of the InfoSec program.

  • Challenges in Shaping Policy: Policy is hard to shape because it must never conflict with law, must be able to stand up in court if challenged, and must be properly administered through dissemination and documented acceptance.

  • Guidelines for Sound Policy: Bergeron and Bérubé stated three guidelines for sound policy: all policies must contribute to the success of the organization; management must ensure the adequate sharing of responsibility for the proper use of information systems; and end users of information systems should be involved in the development of policy.

  • Post-Approval Actions: After policy approval, it must be disseminated, read, understood, and agreed to by those it covers, with acceptance documented, and then uniformly enforced; a policy that fails any of these steps is unlikely to be enforceable.

  • Policy Status: Policy can be either static or dynamic depending on how quickly the organization, its technology, and its threat environment change. A policy management process with a named owner, a review schedule, and a revision date keeps it current.

  • NIST SP 800-14 Types of InfoSec Policy: NIST SP 800-14 describes three types of InfoSec policy:

    • Enterprise Information Security Policy (EISP), also called a program or general security policy

    • Issue-Specific Security Policy (ISSP)

    • System-Specific Security Policy (SysSP)

  • EISP Purpose: The EISP is an executive-level document that sets the strategic direction, scope, and tone of the organization's security efforts, assigns responsibility for InfoSec, and provides a high-level overview of the organization's security philosophy.

  • ISSP Purpose: An ISSP addresses a specific technology or issue (for example, email, Internet use, personal devices, or remote access) and tells users what they may and may not do with it.

  • SysSP Purpose: A SysSP governs a specific system or technology and functions more like a standard or procedure: it contains managerial guidance (who may use the system and how) and technical specifications such as access control lists and configuration rules.

  • Integration of Values, Mission, and Objectives: The organization's values, mission, and objectives should be integrated into the policy documents.

  • EISP Elements: Four elements should be present in the EISP: an overview of the corporate philosophy on security; information on the structure of the InfoSec organization and the individuals who fulfill the InfoSec role; fully articulated security responsibilities shared by all members of the organization; and fully articulated security responsibilities unique to each role within the organization.

  • ISSP Functions: The ISSP serves three functions in the organization: it articulates the organization's expectations about how its technology-based systems should be used; it documents how those systems are controlled and identifies the processes and authorities that provide that control; and it indemnifies the organization against liability for an employee's inappropriate or illegal use of the systems.

  • ISSP Component: The first component of an ISSP should be a clear statement of purpose that identifies the technology covered and why the policy exists; the remaining components typically cover authorized uses, prohibited uses, systems management, violations of policy, policy review and modification, and limitations of liability.

  • Bull's-Eye Model: The bull's-eye model is a four-ring target used to prioritize InfoSec work, moving from the general to the specific. Policy is the outermost ring, followed by networks, then systems, with applications at the center; issues are addressed from the outside in, so policy must be in place before network, system, and application controls are tackled.

  • Policy vs. Standards: A policy is a broad statement of what must (or must not) be done; a standard is a more detailed statement of what must be done to comply with the policy (a policy requires strong passwords, a standard specifies minimum length and complexity). Guidelines are optional recommendations for meeting a standard.

  • Policies vs. Procedures: Procedures are step-by-step instructions describing how to accomplish a task in compliance with policy and standards (for example, the exact steps for resetting a password); they change far more often than the policy they implement.

Chapter 5: Developing the Security Program

  • InfoSec Program: An InfoSec program is the entire set of activities, resources, personnel, and technologies used to manage risks to information assets.

  • Functions of a Complete InfoSec Program: Functions that constitute a complete InfoSec program.

  • Organizational Variables: Organizational variables that can influence the size and composition of an InfoSec program's staff.

  • Security Staff Size: Typical security staff size in small, medium, large, and very large organizations.

  • Placement of InfoSec Unit: Where an InfoSec unit should and shouldn't be placed within an organization.

  • Division of InfoSec Functions: InfoSec functions should be divided into four areas: functions performed by non-technology business units outside IT (for example, legal and training); functions performed by IT groups outside the InfoSec area of management control (for example, systems and network administration); functions performed within the InfoSec department as a customer service to the organization; and functions performed within the InfoSec department as a compliance enforcement obligation.

  • Roles of an InfoSec Professional: Roles that an InfoSec professional can assume.

  • Dominant InfoSec-Related Credentials: Dominant InfoSec-related credentials used to document knowledge and/or experience include (ISC)² CISSP and SSCP, ISACA CISM and CISA, SANS GIAC certifications, and CompTIA Security+.

  • Means of Entering the InfoSec Profession: Predominant means by which individuals enter the InfoSec profession.

  • Implementation of Awareness Program: Various ways to implement an awareness program.

  • Benefits of Education, Training, and Awareness: Overriding benefits of education, training, and awareness.

  • Difference Between Training and Education: Training gives employees the detailed, hands-on skills to perform specific tasks (the how); education builds a broader understanding of principles and concepts that lets people exercise judgment in new situations (the why); awareness simply keeps security in people's minds (the what).

  • Steps for Implementing Training: The seven-step methodology for implementing training is: (1) identify the program's scope, goals, and objectives; (2) identify the training staff; (3) identify the target audiences; (4) motivate management and employees; (5) administer the program; (6) maintain the program; and (7) evaluate the program.

  • Priorities When Developing an Awareness Program: Priorities to keep in mind when developing an awareness program.

  • Project Management: Project management is the application of knowledge, skills, tools, and techniques to project activities to meet project requirements. It is of particular interest in InfoSec because each element of an InfoSec program must be managed as a project.

  • Security as a Project and a Process: Security is a continuous process, but each improvement to it, such as the rollout of a new control, is run as a project with a defined start, end, and set of deliverables.

  • Areas of Project Management: The 10 knowledge areas that make up the component processes of project management (as defined in the PMBOK) are integration, scope, time (schedule), cost, quality, human resources, communications, risk, procurement, and stakeholder management.

  • Planning Parameters: When a project is not being executed according to plan, three parameters can be adjusted: the effort and money allocated (resources), the elapsed time or schedule, and the quality or quantity of the deliverables (scope). Changing one usually affects the other two.

  • Work Breakdown Structure (WBS): A work breakdown structure (WBS) breaks a project into the tasks to be accomplished and, for each task, records the work to be done, the skill sets needed, start and end dates, estimated resources, and dependencies on other tasks.

  • Approaches to Task Sequencing: Tasks are sequenced from their dependencies. Common tools are network scheduling diagrams such as PERT and the Critical Path Method (CPM), which identify the longest chain of dependent tasks and therefore the minimum project duration, and Gantt charts, which display the schedule as bars on a timeline.
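A WBS with dependencies, sequenced and scheduled by the critical path method, as an added example written for this summary; it is not code from the page or from any project-management tool. The task ids, names, durations, and dependencies are constructed for illustration. It shows the two things a task-sequencing approach must do: order tasks so that none starts before its dependencies (and refuse a WBS whose dependencies form a cycle), and compute earliest and latest start times so the zero-slack tasks, the critical path, are identified.

```python
from collections import deque

# Constructed WBS for a hypothetical control-deployment project. Task ids,
# names, durations and dependencies are illustrative, not from the page.
WBS = {
    "T1": {"name": "Inventory information assets", "days": 5, "deps": []},
    "T2": {"name": "Assess risks", "days": 10, "deps": ["T1"]},
    "T3": {"name": "Select controls", "days": 4, "deps": ["T2"]},
    "T4": {"name": "Procure and stage hardware", "days": 15, "deps": ["T3"]},
    "T5": {"name": "Write operating procedures", "days": 6, "deps": ["T3"]},
    "T6": {"name": "Deploy, test, and hand over", "days": 7, "deps": ["T4", "T5"]},
}


def _dependents(wbs: dict) -> dict:
    """Reverse the dependency lists: task -> tasks that must wait for it."""
    dependents = {t: [] for t in wbs}
    for task, info in wbs.items():
        for dep in info["deps"]:
            if dep not in wbs:
                raise ValueError(f"{task} depends on unknown task {dep}")
            dependents[dep].append(task)
    return dependents


def sequence(wbs: dict) -> list:
    """Topological order (Kahn's algorithm): every task after all of its dependencies.

    Raises ValueError if the dependencies contain a cycle, which is the
    sequencing error a WBS review should catch before scheduling.
    """
    dependents = _dependents(wbs)
    indegree = {t: len(info["deps"]) for t, info in wbs.items()}
    ready = deque(sorted(t for t, n in indegree.items() if n == 0))
    order = []
    while ready:
        task = ready.popleft()
        order.append(task)
        for nxt in sorted(dependents[task]):
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(wbs):
        stuck = sorted(t for t, n in indegree.items() if n > 0)
        raise ValueError(f"cycle in dependencies among {stuck}")
    return order


def has_cycle(wbs: dict) -> bool:
    """True if the WBS cannot be sequenced (circular or unknown dependencies)."""
    try:
        sequence(wbs)
        return False
    except ValueError:
        return True


def schedule(wbs: dict) -> dict:
    """Critical path method: earliest/latest start and finish, project duration, critical tasks."""
    order = sequence(wbs)
    dependents = _dependents(wbs)
    es, ef = {}, {}
    for t in order:  # forward pass: a task starts when its last dependency finishes
        es[t] = max((ef[d] for d in wbs[t]["deps"]), default=0)
        ef[t] = es[t] + wbs[t]["days"]
    duration = max(ef.values())
    ls, lf = {}, {}
    for t in reversed(order):  # backward pass: latest finish without delaying dependents
        lf[t] = min((ls[n] for n in dependents[t]), default=duration)
        ls[t] = lf[t] - wbs[t]["days"]
    # zero slack (es == ls) means any delay pushes the whole project
    critical = [t for t in order if es[t] == ls[t]]
    return {"order": order, "es": es, "ef": ef, "ls": ls, "lf": lf,
            "duration": duration, "critical_path": critical}


if __name__ == "__main__":
    result = schedule(WBS)
    for t in result["order"]:
        print(t, WBS[t]["name"], "start", result["es"][t], "finish", result["ef"][t])
    print("duration", result["duration"], "critical", result["critical_path"])
```

In the constructed WBS the procedures task (T5) has nine days of slack while the hardware task (T4) has none, which is exactly the information a project manager needs when deciding which of the three planning parameters to adjust: adding resources to T5 would not shorten the project at all.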
