tag:blogger.com,1999:blog-8349968578197490482024-03-13T10:37:45.834-07:00Nhat NguyenTechnology Solution and Services. Innovation solutions & advanced technologies for today's complex communication challengesUnknownnoreply@blogger.comBlogger495125tag:blogger.com,1999:blog-834996857819749048.post-55572893484574263932022-12-22T05:42:00.003-08:002022-12-22T05:43:44.614-08:00SkillUp<p><span style="font-size: medium;">Skill Up is a non-profit organization that provide free and paid training for career ranging from information technology to becoming a teacher.</span></p><p><span style="font-size: medium;"><br /></span></p><p><b><span style="font-size: medium;">About:</span></b></p><p><b><span style="font-size: medium;"><br /></span></b></p><p><span style="font-size: medium;">Our non-profit connects workers with the right tools, resources, and support to make confident career shifts. We’ll help you find training and high-growth, good-wage jobs that don’t require a degree.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Skill Up connects workers with the right tools, resources and support, so they can make confident career shifts, find quality living-wage jobs, and position themselves for promising career growth.</span></p><p><b><span style="font-size: medium;"><br /></span></b></p><p><b><span style="font-size: medium;">Our History:</span></b></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The COVID-19 pandemic has taken an economic toll on America’s workers. 
To address this critical need, we launched the SkillUp Coalition in July 2020, an upskilling non-profit coalition built to help America’s laid-off and furloughed workers access the training and employment opportunities they need to secure a place in the economy of the future.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Rather than push workers back into jobs just like the ones they left, SkillUp allows workers to leverage current skills while building new skills that are suited to in-demand jobs with promising career paths.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Now two years later, SkillUp comprises over 90 organizations including training and education providers, tech firms, employers, and philanthropies. We have connected over 1 Million workers to career and training supports throughout the country and are eager to reach even more in the coming years.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">We proudly support all workers, at any stage of their journey, and create an affordable, equitable, upskilling ecosystem that allows anyone the opportunity to claim their career.</span></p><p><br /></p><p><a href="https://www.skillup.org/" target="_blank"><span style="font-size: medium;">Click here to sign up</span></a></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-834996857819749048.post-50309511764093170382022-10-13T06:23:00.001-07:002022-10-13T06:23:09.891-07:00Linux Firewall Attack Detection and Response With IPTABLES, PSAD, and FWSNORT<p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR2PEQONgM5J0thvJieObylvXaDYLHaqzShFQibN0f7FDN_HFS2qeRIim7G5OpswLx1LZm-wlAVZ7WAlpUGGM0Lmnr2qSiJX7iQBJmxmtq7M5UheTaj5sbYzs-hbVC1HwTuYVLF2Fdcv3p4MGzbOeb4izdnvZ8nzlhKgcEYm02lHGtWQLWJi8-dmTGfw/s755/2022-10-13%2009%2021%2025.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="755" data-original-width="572" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR2PEQONgM5J0thvJieObylvXaDYLHaqzShFQibN0f7FDN_HFS2qeRIim7G5OpswLx1LZm-wlAVZ7WAlpUGGM0Lmnr2qSiJX7iQBJmxmtq7M5UheTaj5sbYzs-hbVC1HwTuYVLF2Fdcv3p4MGzbOeb4izdnvZ8nzlhKgcEYm02lHGtWQLWJi8-dmTGfw/w303-h400/2022-10-13%2009%2021%2025.png" width="303" /></a></div><p></p><p><span style="font-size: medium;">The offense seems to be getting the upper hand. Rarely a day goes by without news of a new exploit for a software vulnerability, a more effective method of distributing spam (my inbox can attest to this), or a high-profile theft of sensitive personal data from a corporation or government agency. Achieving secure computing is a perpetual challenge. There is no shortage of technologies designed to foil crafty black hats, and yet they continue to successfully compromise systems and networks.</span></p><p><span style="font-size: medium;">For every class of security problem, there is almost certainly either an open source or proprietary solution designed to combat it. This is particularly true in the areas of network intrusion detection systems and network access control devices—firewalls, filtering routers, and the like. A trend in firewall technology is to combine application layer inspection techniques from the intrusion detection world with the ability to filter network traffic, something firewalls have been doing for a long time. 
It is the goal of this book to show that the iptables firewall on Linux systems is well positioned to take advantage of this trend, especially when it is combined with some additional software designed to leverage iptables from an intrusion detection standpoint.</span></p><p><span style="font-size: medium;">It is my hope that this book is unique in the existing landscape of published works. There are several excellent books out there that discuss various aspects of Linux firewalls, but none to my knowledge that concentrate specifically on attacks that can be detected (and in some cases thwarted) by iptables and the data it provides. There are also many books on the topic of intrusion detection, but none focuses on using firewalling technology to truly supplement the intrusion detection process. This book is about the convergence of these two technologies.</span></p><p><a href="https://app.box.com/s/3wq91rmjgkbu8fjgu1iw2awyaf9izza1" target="_blank"><span style="font-size: medium;">Click here to view the full book</span></a></p>Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-834996857819749048.post-72935386638949622552022-08-17T11:56:00.016-07:002022-08-19T11:47:03.365-07:00Principle of Information Security Module 4 Risk Management part 4<p style="text-align: center;"><span style="font-size: medium;"><b><iframe frameborder="0" height="102px" scrolling="no" src="https://anchor.fm/nhat-nguyen9/embed/episodes/Principle-of-Information-Security-Module-4-Risk-Management-part-4-e1mne9s" width="400px"></iframe></b></span></p><p style="text-align: center;"><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;"><b>Risk Assessment: Risk Identification</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The first operational phase of the RM process is the identification of risk. As a reminder, risk assessment includes risk identification as well as risk analysis and risk determination. 
Risk identification begins with the process of self-examination. As Sun Tzu stated, the organization must know itself to understand the risk to its information assets and where that risk resides. At this stage, managers must</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ol style="text-align: left;"><li><span style="font-size: medium;">identify the organization’s information assets,<br /><br /></span></li><li><span style="font-size: medium;">classify them,<br /><br /></span></li><li><span style="font-size: medium;">categorize them into useful groups, and<br /><br /></span></li><li><span style="font-size: medium;">prioritize them by overall importance.</span></li></ol><p></p><p><span style="font-size: medium;">This can be a daunting task, but it must be done to identify weaknesses and the threats they present.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The RM process team must initially confirm or define the categories and classifications to be used for the information assets, once identified. Some organizations prefer to collect the inventory first and then see what natural categories and classifications emerge; those areas are discussed later in this module. Once the risk management team has its organization formalized, it begins with the first major task of risk identification.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Identification of Information Assets</b></span></p><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;">The risk identification process begins with the identification and cataloging of information assets, including people, procedures, data, software, hardware, and networking elements. 
This step should be done without prejudging the value of each asset; values will be assigned later in the process.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">One of the toughest challenges in the RM process is identifying information assets with precision for the purposes of risk management. In the most general sense, an information asset is any asset that collects, stores, processes, or transmits information, or any collection, set, or database of information that is of value to the organization. For these purposes, the terms data and information are commonly used interchangeably. In some RM efforts, the information and its supporting technology—hardware, software, data, and personnel—are defined separately, and the decision whether to include a specific category or component is made by the RM process team.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Some commercial RM applications simplify the decision by separating information assets from media. Media in this context include hardware, integral operating systems, and utilities that collect, store, process, and transmit information, leaving only the data and applications designed to directly interface with the data as information assets for the purposes of RM. When the application interfaces with an external database or data file (data set), each is treated as a separate, independent information asset. When an application has data that is integral to its operations, it is treated as a single information asset.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">By separating components that are much easier to replace (hardware and operating systems) from the information assets that are in some cases almost irreplaceable, the RM effort becomes much more straightforward. After all, what is the organization most concerned with? 
Is it the physical server used to host a critical application? Or is it the application and its data? Servers, switches, routers, and most host technologies are relatively interchangeable. If a server dies, the organization simply replaces it and then reloads the applications and data that give that server purpose in the organization. If an application dies, the replacement effort may be much more substantial than simply reinstalling an off-the-shelf application. Most core applications are heavily customized or even custom-developed for a particular purpose. This is not to suggest that the replaceable components have no value to the organization, only that they are not necessarily integral to an RM program.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Some organizations choose to focus narrowly on their initial RM process and then add information assets in later iterations. They may begin with data and core applications, add communications software, operating systems, and supporting utilities, and finally add physical assets. The bottom line is that the RM process team should decide and define exactly what constitutes an information asset for the purposes of the RM effort, so it can effectively and efficiently manage the scope and focus of the effort.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Table 4-1 shows a model outline of some information assets the organization may choose to incorporate into its RM effort. These assets are categorized as follows:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">The people asset can be divided into internal personnel (employees) and external personnel (nonemployees). 
Insiders can be further divided into employees who hold trusted roles and therefore have correspondingly greater authority and accountability, and regular staff members who do not have any special privileges. Outsiders consist of other users who have access to the organization’s information assets; some of these users are trusted, and some are untrusted.</span></li></ul><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Procedures can be information assets because they are used to create value for the organization. They can be divided into</span></li></ul><p></p><ol style="text-align: left;"><li><span style="font-size: medium;">IT and business standard procedures and<br /><br /></span></li><li><span style="font-size: medium;">IT and business-sensitive procedures.</span></li></ol><p></p><p><span style="font-size: medium;">Sensitive procedures have the potential to enable an attack or to otherwise introduce risk to the organization. For example, the procedures used by a telecommunications company to activate new circuits pose special risks because they reveal aspects of the inner workings of a critical process, which can be subverted by outsiders for the purpose of obtaining unbilled, illicit services.</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">The data asset includes information in all states: transmission, processing, and storage. This is an expanded use of the term data, which is usually associated with data sets and databases, as well as the full range of information used by modern organizations.<br /><br /></span></li><li><span style="font-size: medium;">Software can be divided into applications, operating systems, utilities, and security components. 
Software that provides security controls may fall into the operating systems or applications category but is differentiated by the fact that it is part of the InfoSec control environment and must therefore be protected more thoroughly than other systems components.<br /><br /></span></li><li><span style="font-size: medium;">Hardware can be divided into</span></li></ul><p><span style="font-size: medium;"></span></p><ol style="text-align: left;"><li><span style="font-size: medium;">the usual systems devices and their peripherals and</span><br /><br /></li><li><span style="font-size: medium;">the devices that are part of InfoSec control systems.</span></li></ol><div><p><span style="font-size: medium;">The latter must be protected more thoroughly than the former.</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Networking components can include networking devices (such as firewalls, routers, and switches) and the systems software within them, which is often the focal point of attacks, with successful attacks continuing against systems connected to the networks. Of course, most of today’s computer systems include networking elements. You will have to determine whether a device is primarily a computer or primarily a networking device. A server computer that is used exclusively as a proxy server or bastion host may be classified as a networking component, while an identical server configured as a database server may be classified as hardware. 
For this reason, networking devices should be considered separately rather than combined with general hardware and software components.</span></li></ul><p style="clear: both; text-align: center;"><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLFRJTXFiBDfX8g1QDDmRqf3u3QmI4eJytD5Fv2UlhTAyNFEVV5wrJ8FZII3qM147BHjtHd5Yo8s_SoxZDFZpV3YX4ulWqA4SlHo3RvePUoep0XyXlaLRBABPYN2kd8sBPVS9FQ41U6gauaumb3Bc8-et8qnmKF0s1FxJla0nh9ezceenhuDBuvDhr6A/s1351/table%204-1.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="683" data-original-width="1351" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLFRJTXFiBDfX8g1QDDmRqf3u3QmI4eJytD5Fv2UlhTAyNFEVV5wrJ8FZII3qM147BHjtHd5Yo8s_SoxZDFZpV3YX4ulWqA4SlHo3RvePUoep0XyXlaLRBABPYN2kd8sBPVS9FQ41U6gauaumb3Bc8-et8qnmKF0s1FxJla0nh9ezceenhuDBuvDhr6A/w640-h324/table%204-1.jpg" width="640" /></a></div><p style="text-align: left;"><span style="font-size: medium;"><br /></span></p><p></p><p><span style="font-size: medium;">In some corporate models, this list may be simplified into three groups: people, processes, and technology. Regardless of which model is used in the development of risk assessment methods, an organization should ensure that all its information resources are properly identified, assessed, and managed for risk.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">As mentioned previously, the entire set of assets in some risk management programs is divided into RM information assets, such as applications, application-based data, other independent data sets or collections, and media—essentially anything that can collect, store, process, or transmit data. The media are used for grouping access to the asset but are not valued and evaluated as a critical function of the risk identification step. 
This simplistic approach may be best for organizations just starting out in RM.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Identifying Hardware, Software, and Network Assets</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Many organizations use asset inventory systems to keep track of their hardware, network, and software components. Numerous applications are available, and it is up to the chief information security officer (CISO) or chief information officer (CIO) to determine which application best serves the needs of the organization. Organizations that do not use an off-the-shelf inventory system must create an equivalent manual or automated process. Automated systems are valuable because hardware is already identified by model, make, and location. Note that the number of items and large quantity of data for each item will quickly overwhelm any manual system and might stress poorly designed automated inventory systems.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Whether automated or manual, the inventory process requires a certain amount of planning. Most importantly, you must determine which attributes of each of these information assets should be tracked. That determination will depend on the needs of the organization and its risk management efforts as well as the preferences and needs of the InfoSec and IT communities. When deciding which attributes to track for each information asset, consider the following list of potential attributes:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;"><b>Name</b>—Some organizations may have several names for the same product, and each of them should be cross-referenced in the inventory. 
By having redundant names for its assets, the organization gains flexibility and allows different units to have their own designations. However, the different names should be cross-listed as synonyms in inventory, and one of the asset names should be designated as the authoritative name. No matter how many names you track or how you select a name, always provide a definition of the asset in question. A recommended practice is to adopt naming standards that do not convey critical information to potential system attackers. For instance, a server named CASH_1 or HQ_FINANCE tells an attacker who has done nothing more than enumerate DNS or browse a directory listing exactly which host is worth the effort.</span></li></ul><p></p><ul style="text-align: left;"><li><span style="font-size: medium;"><b>Asset tag</b>—This is used to facilitate the tracking of physical assets. Asset tags are unique numbers assigned to assets and permanently affixed to tangible assets during the acquisition process.</span></li></ul><p></p><ul style="text-align: left;"><li><span style="font-size: medium;"><b>Internet Protocol (IP) address</b>—This attribute may be useful for network devices and servers at some organizations, but it rarely applies to software. This practice is limited when the organization uses the Dynamic Host Configuration Protocol (DHCP) within TCP/IP, which reassigns IP numbers to devices as needed. In such cases, an IP address identifies a lease rather than a device, so it has no value as part of the asset-identification process; record it only for hosts with static addresses or fixed DHCP reservations, and even then treat it as an attribute of the asset, not its identity.</span></li></ul><p></p><ul style="text-align: left;"><li><span style="font-size: medium;"><b>Media Access Control (MAC) address</b>—As defined by the IEEE 802 link-layer standards (not by TCP/IP itself), every network-interface hardware device carries a number intended to be globally unique called the MAC address (also called an “electronic serial number” or a “hardware address”). The network operating system uses this number to identify specific network devices. The client’s network software uses the address to recognize traffic that it needs to process. 
In most settings, MAC addresses can be a useful way to track connectivity, but they are not proof of identity: on most operating systems the address is a one-line configuration change, so an attacker can clone the MAC of an authorized device to slip past MAC-based port filtering or to masquerade as a tracked asset. Use the MAC as a correlation key in the inventory, never as an authentication factor.</span></li></ul><p></p><ul style="text-align: left;"><li><span style="font-size: medium;"><b>Asset type</b>—This attribute describes the function of each asset. For hardware assets, a list of possible asset types that includes servers, desktops, networking devices, and test equipment should be developed. For software assets, the organization should develop a list that includes operating systems, custom applications by type (accounting, human resources, or payroll, to name a few), and packaged applications and/or specialty applications (such as firewall programs). The degree of specificity is determined by the needs of the organization. Asset types can be recorded at two or more levels of specificity by first recording one attribute that classifies the asset at a high level and then adding attributes for more detail. For example, one server might be listed as follows:</span></li></ul><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;"><p><span style="font-size: medium;">DeviceClass = S (server)</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">DeviceOS = Win16 (Windows Server 2016)</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">DeviceCapacity = AS (Advanced Server)</span></p></blockquote><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;"><b>Serial number</b>—This is a number that uniquely identifies a specific device. 
Some software vendors also assign a software serial number to each instance of the program licensed by the organization.</span></li></ul><p></p><ul style="text-align: left;"><li><span style="font-size: medium;"><b>Manufacturer name</b>—This attribute can be useful for analyzing threat outbreaks when specific manufacturers announce specific vulnerabilities.</span></li></ul><p></p><ul style="text-align: left;"><li><span style="font-size: medium;"><b>Manufacturer’s model or part number</b>—This number identifies exactly what the asset is, and can be very useful in the later analysis of vulnerabilities because some threats apply only to specific models of certain devices and/or software components.</span></li></ul><p></p><ul style="text-align: left;"><li><span style="font-size: medium;"><b>Software version, update revision, or FCO number</b>—This attribute includes information about software and firmware versions and, for hardware devices, the current field change order (FCO) number. An FCO occurs when a manufacturer performs an upgrade to a hardware component at the customer’s premises. Tracking this information is particularly important when inventorying networking devices that function mainly through the software running on them.</span></li></ul><p></p><ul style="text-align: left;"><li><span style="font-size: medium;"><b>Software licensing data</b>—The nature and number of an organization’s software licenses, as well as where they are deployed, can be a critically important asset. Because licenses for software products are often tied to specific version numbers, geographic locations, or even specific users, this data may require specialized efforts to track.</span></li></ul><p></p><ul style="text-align: left;"><li><span style="font-size: medium;"><b>Physical location</b>—This attribute does not apply to software elements. Nevertheless, some organizations may have license terms that indicate where software can be used. 
This may include systems leased at remote locations, often described as being “in the cloud.”</span></li></ul><p></p><ul style="text-align: left;"><li><span style="font-size: medium;"><b>Logical location</b>—This attribute specifies where an asset can be found on the organization’s network. The logical location is most applicable to networking devices and indicates the logical network segment that houses the device.</span></li></ul><p></p><ul style="text-align: left;"><li><span style="font-size: medium;"><b>Controlling entity</b>—This refers to the organizational unit that controls the asset. In some organizations, a remote location’s on-site staff could be placed in control of network devices; in other organizations, a central corporate group might control all the network devices.</span></li></ul><p><span style="font-size: medium;">Consider carefully what should be tracked for specific assets. Often, larger organizations find that they can effectively track only a few valuable facts about the most critical information assets. For instance, a company may track only an IP address, server name, and device type for its mission-critical servers. The organization might forgo additional attribute tracking on all devices and completely omit the tracking of desktop or laptop systems.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Identifying People, Procedures, and Data Assets</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Human resources, documentation, and data information assets are not as readily identified and documented as hardware and software. Responsibility for identifying, describing, and evaluating these information assets should be assigned to managers who possess the necessary knowledge, experience, and judgment. 
As these assets are identified, they should be recorded via a reliable data-handling process like the one used for hardware and software.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The record-keeping system should be flexible, allowing you to link assets to attributes based on the nature of the information asset being tracked. Basic attributes for various classes of assets include the following:</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>People</b></span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Position name/number/ID—Avoid names; use position titles, roles, or functions<br /><br /></span></li><li><span style="font-size: medium;">Supervisor name/number/ID—Avoid names; use position titles, roles, or functions<br /><br /></span></li><li><span style="font-size: medium;">Security clearance level<br /><br /></span></li><li><span style="font-size: medium;">Special skills</span></li></ul><p></p><p><span style="font-size: medium;"><b>Procedures</b></span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Description<br /><br /></span></li><li><span style="font-size: medium;">Intended purpose<br /><br /></span></li><li><span style="font-size: medium;">Software/hardware/networking elements to which the procedure is tied<br /><br /></span></li><li><span style="font-size: medium;">Location where procedure documents are stored for reference<br /><br /></span></li><li><span style="font-size: medium;">Location where documents are stored for update purposes</span></li></ul><p></p><p><span style="font-size: medium;"><b>Data</b></span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Classification<br /><br 
/></span></li><li><span style="font-size: medium;">Owner/creator/manager<br /><br /></span></li><li><span style="font-size: medium;">Size of data structure<br /><br /></span></li><li><span style="font-size: medium;">Data organization used (for example, hierarchical, sequential, or relational)<br /><br /></span></li><li><span style="font-size: medium;">Online or offline; if online, whether accessible from outside the organization or not<br /><br /></span></li><li><span style="font-size: medium;">Physical location<br /><br /></span></li><li><span style="font-size: medium;">Media access method (for example, through user client desktops, laptops, or mobile media)<br /><br /></span></li><li><span style="font-size: medium;">Backup procedures, timeline, and backup storage locations</span></li></ul><p></p><p><span style="font-size: medium;">As you will learn later in the text, a number of applications can assist with the collection, organization, and management of these inventories. As shown in Figure 4-2, Clearwater Compliance’s Information Risk Management (CC|IRM) application has detailed fields in its asset inventory list to assist in the inventory and description of information assets.</span></p><p><span style="font-size: medium;"><br /></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSSEhBWGHf0zeVur3GNQn7DboWl-LVIbwTj5vJPwlsyhVcwZafGHW7uPYgq9VheI1Hilau0lV5WUvi93Jzl1hnfzP5o_iiJg14rRsjO2cnsytr1jzN490W38vnpr8JZMmO_YYWTK6-RWjv4_Bg1Abk0Sh5gcqoJ44nfZTyiV06etmbVLFysGWwpMM0Hw/s595/figure%204-2.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="475" data-original-width="595" height="510" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSSEhBWGHf0zeVur3GNQn7DboWl-LVIbwTj5vJPwlsyhVcwZafGHW7uPYgq9VheI1Hilau0lV5WUvi93Jzl1hnfzP5o_iiJg14rRsjO2cnsytr1jzN490W38vnpr8JZMmO_YYWTK6-RWjv4_Bg1Abk0Sh5gcqoJ44nfZTyiV06etmbVLFysGWwpMM0Hw/w640-h510/figure%204-2.jpg" width="640" /></a></div><p style="text-align: left;"><span style="font-size: medium;"><br /></span></p><p></p><p><span style="font-size: medium;"><b>Classifying and Categorizing Information Assets</b></span></p><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;">Once the initial inventory is assembled, you must determine whether its asset categories are meaningful to the organization’s risk management program. Such a review may cause managers to further subdivide the categories presented in Table 4-1 or create new categories that better meet the needs of the risk management program. For example, if the category “Internet components” is deemed too general, it could be further divided into subcategories of servers, networking devices (routers, hubs, switches), protection devices (firewalls, proxies), and cabling.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The inventory should also reflect the sensitivity and security priority assigned to each information asset. A data classification scheme should be developed (or reviewed, if already in place) that categorizes these information assets based on their sensitivity and security needs. Consider the following classification scheme for an information asset: confidential, internal, and public. Confidential describes assets that must be protected as critical to the operations and reputation of the organization, such as strategic and marketing plans. Internal would describe assets that are for official use and should not be released to the public, like an internal phone directory or memorandum. 
Public would describe anything that can be shared with the general public, like Web content. Each of these classification categories designates the level of protection needed for an information asset. Some asset types, such as personnel, may require an alternative classification scheme that identifies the InfoSec processes used by the asset type. For example, based on need-to-know and right-to-update policies, an employee might be given a certain level of security clearance, which identifies the level of information that individual is authorized to use.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">For organizations that need higher levels of security for very sensitive data, such as research and development (R&D) data, additional levels can be added above “confidential.” Classification categories must be comprehensive and mutually exclusive. “Comprehensive” means that all assets fit into a category; “mutually exclusive” means that each asset fits in only one category. A comprehensive scheme ensures that no asset is left unclassified, and therefore unprotected; a mutually exclusive scheme ensures that no asset can land in two categories and be handled at two different levels of protection depending on who reads the inventory.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Assessing the Value of Information Assets</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">As each information asset is identified, categorized, and classified, a relative value must be assigned to it. Relative values are comparative judgments intended to ensure that the most valuable information assets are given the highest priority when managing risk. 
It may be impossible to know in advance—in absolute economic terms—what losses will be incurred if an asset is compromised; however, a relative assessment helps to ensure that the higher-value assets are protected first.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">As each information asset is assigned to its proper category, posing the following basic questions can help you develop the weighting criteria to be used for information asset valuation or impact evaluation.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">How critical is the asset to the success of the organization? When determining the relative importance of each information asset, refer to the organization’s mission statement or statement of objectives. From this source, determine which assets are essential for meeting the organization’s objectives, which assets support the objectives, and which are merely adjuncts.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">How much does the information asset contribute to revenue generation? The relative value of an information asset depends on how much revenue it generates—or, in the case of a nonprofit organization, how critical it is to service delivery. Some organizations have different systems in place for each line of business or service they offer. Which of these assets plays the biggest role in generating revenue or delivering services?</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">How much does the information asset contribute to profit generation? Managers should evaluate how much profit depends on a particular asset. For instance, at Amazon.com, some servers support the book sales operations, others support the auction process, and still others support the customer book review database. 
Which of these servers contributes the most to profitability? Although important, the review database server does not directly generate profits. Note the distinction between revenues and profits: Some systems on which revenues depend operate on thin or nonexistent margins and do not generate profits after expenses are paid. In nonprofit organizations, you can determine what percentage of the agency’s clientele receives services from the information asset being evaluated.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">How expensive is the information asset to replace? Sometimes an information asset acquires special value because it is unique. Organizations must control the risk of loss or damage to such unique assets—for example, by buying and storing a backup device. These storage devices must be periodically updated and tested, of course.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">How expensive is the information asset to protect? Some assets are by their nature difficult to protect, and formulating a complete answer to this question may not be possible until the risk identification phase is complete, because the costs of controls cannot be computed until the controls are identified. However, you can still make a preliminary assessment of the relative difficulty of establishing controls for each asset.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">How much embarrassment or liability would the asset’s loss or compromise cause? Almost every organization is aware of its image in the local, national, and international spheres. Loss or exposure of some assets would prove especially embarrassing. 
Microsoft’s image, for example, was tarnished when an employee’s computer system became a victim of the QAZ Trojan horse and a version of Microsoft Office was stolen as a result.</span></p><p style="text-align: center;"><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">You can use a worksheet such as the one shown in Table 4-2 to collect the answers to the preceding list of questions for later analysis. You may also need to identify and add other institution-specific questions to the evaluation process.</span></p><p><span style="font-size: medium;"><br /></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWJK8IMjnSjMIjJeNbp94yrIM1lG-nURQbdeXpmULv8h8Ra28p3mOfFRXJVRlWAq32sq55vhg4Brfe5cINUajGgbxePF6n1t9Gp01fo7ktvsjTOBJuQQ7qI_e25DhtNlpprxruggtdXoSKKxF7UKCXQvT46PvvQUoffrxe7oaZPRutS1F59RWE1rrjrA/s835/table%204-2.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="458" data-original-width="835" height="352" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWJK8IMjnSjMIjJeNbp94yrIM1lG-nURQbdeXpmULv8h8Ra28p3mOfFRXJVRlWAq32sq55vhg4Brfe5cINUajGgbxePF6n1t9Gp01fo7ktvsjTOBJuQQ7qI_e25DhtNlpprxruggtdXoSKKxF7UKCXQvT46PvvQUoffrxe7oaZPRutS1F59RWE1rrjrA/w640-h352/table%204-2.jpg" width="640" /></a></div><span style="font-size: medium;"><br /></span><p></p><p><span style="font-size: medium;">Throughout this module, numbers are assigned to example assets to illustrate the concepts being discussed. This highlights one of the challenging issues in risk management. While other industries use actuarially derived sources to make estimates, InfoSec risk management lacks such data. Many organizations use a variety of estimating methods to assess values. 
Some in the industry question the use of “guesstimated” values in calculations with other estimated values, claiming this degree of uncertainty undermines the entire risk management endeavor. Research in this field is ongoing, and you are encouraged to study the sections later in this module that discuss alternative techniques for qualitative risk management. Figure 4-3 illustrates a simplistic method that can be used to value an information asset by determining its “importance,” as shown in the Clearwater Compliance IRM application.</span></p><p><span style="font-size: medium;"><br /></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4jnhCuMBWsbKtJsXpU1QhshKtXjVSUfYJ2scsweYXvp2-AoJb0m4egtUhPDIjYDcOEzT-_pU_lZByXyg_v3kax9-zZYIFQjX0V4ZFsIQdE1jvjkW31VceT2JHrubWSIAl11JjDI8GYtVJtmlNGuEIQGGebsln0KguU1noRezVvJc9dfwmjDAk3NyVEA/s550/figure%204-3.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="550" data-original-width="522" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4jnhCuMBWsbKtJsXpU1QhshKtXjVSUfYJ2scsweYXvp2-AoJb0m4egtUhPDIjYDcOEzT-_pU_lZByXyg_v3kax9-zZYIFQjX0V4ZFsIQdE1jvjkW31VceT2JHrubWSIAl11JjDI8GYtVJtmlNGuEIQGGebsln0KguU1noRezVvJc9dfwmjDAk3NyVEA/w608-h640/figure%204-3.jpg" width="608" /></a></div><span style="font-size: medium;"><br /></span><p></p><p><span style="font-size: medium;"><b>Prioritizing (Rank-Ordering) Information Assets</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The final step in the risk identification process is to prioritize, or rank-order, the assets. This goal can be achieved by using a weighted table analysis similar to the one shown in Table 4-3 and discussed elsewhere in this text. In this process, each information asset is listed in the first column. 
Next, the criteria the organization wants to use to value the assets are listed across the top row. Each criterion is then assigned a weight; the weights are chosen so that together they sum to 1.0, 10, 100, or some other total that is easy to work with. The use of these weights is what gives this analysis its name. Next, the organization scores each asset against each criterion, again using a scale of 0 to 1, 0 to 5, 0 to 10, or 0 to 100. Table 4-3 uses values from 0 to 5, corresponding to a simple scale of 1 = not important to 5 = critically important (zero is used to indicate “not applicable”). Finally, each information asset’s cell values are multiplied by the corresponding criteria weights and the products are summed to create the weighted score for that information asset. Sorting the table by weighted score, highest first, yields the prioritized list of information assets. Such tables value information assets by ranking them on criteria the organization itself specifies. 
This method may prove to be much more straightforward than a raw estimation based on some other more ambiguous assessment.</span></p><p><span style="font-size: medium;"><br /></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiM3PzCkcODJpTVTJSZXeDq87RYkdW3vEaAh0wIbmUxupHAJEWYBMnhkGrb_CuwFT52LQWdiqYAUdddxJH60Vpvna761unJ8bozVcfgTfBXRbVUfA5y1rDiL-P69hl7Kh5c0be617bXMi7lJAylIXSjKdG-t7iaw_H-H7MMFMdE9YvEMDCF6Ls_JVNriQ/s1489/table%204-3.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="545" data-original-width="1489" height="234" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiM3PzCkcODJpTVTJSZXeDq87RYkdW3vEaAh0wIbmUxupHAJEWYBMnhkGrb_CuwFT52LQWdiqYAUdddxJH60Vpvna761unJ8bozVcfgTfBXRbVUfA5y1rDiL-P69hl7Kh5c0be617bXMi7lJAylIXSjKdG-t7iaw_H-H7MMFMdE9YvEMDCF6Ls_JVNriQ/w640-h234/table%204-3.jpg" width="640" /></a></div><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;"><b>Threat Assessment</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">As mentioned at the beginning of this module, the goal of risk identification is to assess the circumstances and setting of each information asset to reveal any vulnerabilities. Armed with a properly classified inventory, you can assess potential weaknesses in each information asset—a process known as threat assessment. If you assume that every threat can and will attack every information asset, then the project scope becomes too complex. To make the process less unwieldy, each step in threat identification and vulnerability identification is managed separately and then coordinated at the end. 
At every step, the manager is called on to exercise good judgment and draw on experience to make the process function smoothly.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Some organizations have implemented processes to maintain ongoing vigilance in the threat environment in which they operate. This process of threat intelligence identifies and collects information about potential threats that may present risk to the organization.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Identifying Threats</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Module 2 identified 12 categories of threats to InfoSec, which are listed alphabetically in Table 4-4. Each of these threats presents a unique challenge to InfoSec and must be handled with specific controls that directly address the particular threat and the threat agent’s attack strategy. Before threats can be assessed in the risk identification process, however, each threat must be further examined to determine its potential to affect the targeted information asset. 
In general, this process is referred to as threat assessment.</span></p><p><span style="font-size: medium;"><br /></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpZK76ZTletMZuRMI4T227txzX50UkJMorZxqEAWmwapqv_qdQXRnTzHxZEq2XtWFuzFgzEF7l9XaEVdZdAg5xCyugF0oTfcVVZr0McAgsj9jroxKEZah5Px4cIn1isw0GUOGutVXt3IC4tBuap4BVMPVvtJdKn3r-xXKram7jpHr86P8N0uG4yLfx7A/s955/table%204-4.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="431" data-original-width="955" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpZK76ZTletMZuRMI4T227txzX50UkJMorZxqEAWmwapqv_qdQXRnTzHxZEq2XtWFuzFgzEF7l9XaEVdZdAg5xCyugF0oTfcVVZr0McAgsj9jroxKEZah5Px4cIn1isw0GUOGutVXt3IC4tBuap4BVMPVvtJdKn3r-xXKram7jpHr86P8N0uG4yLfx7A/w640-h288/table%204-4.jpg" width="640" /></a></div><span style="font-size: medium;"><br /></span><p></p><p><span style="font-size: medium;"><b>Assessing Threats</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Not all threats endanger every organization, of course. Examine each of the categories in Table 4-4 and eliminate any that do not apply to your organization. It is unlikely that an organization can eliminate an entire category of threats, but when it can, doing so speeds up the threat assessment process.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The amount of danger posed by a threat is sometimes difficult to assess. It may be tied to the probability that the threat will attack the organization, or it may reflect the amount of damage that the threat could create or the frequency with which the attack may occur. The big question every organization wants to answer is: Which threats represent the greatest danger to this organization’s information assets in its current environment? 
Posing the following questions can help you find an answer by understanding the various threats the organization faces and their potential effects on an information asset:</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">How much actual danger does this threat represent to our information assets? If there is no actual danger, a perceived threat can be safely ignored. For example, the odds of certain natural disasters vary greatly based on an organization’s geographic locations. An organization located on the plains of Oklahoma shouldn’t worry about tidal waves, mudslides, or other events that are extremely uncommon in that region. Similarly, an organization that doesn’t use a particular software or hardware package doesn’t need to worry about threats to vulnerabilities in those items.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Is this threat internal or external? Some threat environments require different approaches, while some defenses address threats from multiple environments. Understanding the potential source of a threat helps to prioritize it.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">How probable is an attack by this threat? Determining the probability that an attack will occur from a threat includes understanding how widely known the attack is (pervasiveness) and how many threat agents can execute the attack.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">How probable is a successful attack by this threat? A threat with a low probability of success is less concerning than one with a high probability of success. Some of the attacks conducted by threats require extremely complicated attack exploits or highly sophisticated attack skills. 
The more complicated the exploit or the more expert the attacker must be for the attack to occur, the less the organization should worry about it, at least until that exploit is packaged into widely available tools, at which point its pervasiveness, and so the answer to the previous question, changes. In summary, the previous question asks, “Could I be attacked by this threat?” while this question asks, “In an attack, would this threat be able to access my information assets?”</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">How severe would the loss be if this threat succeeds? Of equal concern is understanding what damage could result from a successful attack by a threat. A threat with a high probability of success that would cause only minor damage is of less concern than a threat with a lower chance of success that would create a much greater loss to the organization.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">How prepared is the organization to handle this threat? If the organization is ill prepared to handle an attack from a specific threat, it should give priority to that threat in its preparations and planning. This issue becomes increasingly important when rolling out new technologies, starting new business ventures, or making any other change in the organization in which the InfoSec function finds itself in new competitive and threat environments.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">How expensive is it to protect against this threat? Another factor that affects the danger posed by a particular threat is the amount it would cost to protect against that threat. Some threats carry a nominal cost to protect against (for example, malicious code), while others are very expensive, as in protection from forces of nature. 
Especially in small to medium-sized businesses (SMBs), the budget may be insufficient to cover all the defensive strategies the organization would like to implement; as a result, some threat prioritization simply may boil down to available funds. Here again, the manager ranks, rates, or attempts to quantify the level of danger associated with protecting against a particular threat by using the same techniques used for calculating recovery costs.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">How expensive is it to recover from a successful attack by this threat? One of the calculations that guides corporate spending on controls is the cost of recovery operations if an attack occurs and is successful. At this preliminary phase, it is not necessary to conduct a detailed assessment of the costs associated with recovering from a particular attack. Instead, organizations often create a subjective ranking or listing of the threats based on recovery costs. Alternatively, an organization can assign a rating for each threat on a scale of 1 to 5, where a 1 represents inexpensive recovery costs and a 5 represents extremely expensive costs. If the information is available, a raw value such as $5,000, $10,000, or $2 million can be assigned. In other words, the goal at this phase is to provide a rough assessment of the cost to recover normal business operations if the attack interrupts them.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">You can use both quantitative and qualitative measures to rank values. The preceding questions can be used as categories in a weighted table analysis of threats, like the asset analysis described previously. 
Because information in this case is preliminary, the organization may simply want to identify threats that top the list for each question.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The preceding list of questions may not cover everything that affects risk assessment. An organization’s specific guidelines or policies should influence the process and will inevitably require that some additional questions be answered.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Prioritizing Threats</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Just as it did with information assets, the organization should conduct a weighted table analysis with threats. The organization should list the categories of threats it faces and then select categories that correspond to the questions of interest described earlier. Next, it assigns a weighted value to each question category and then assigns a value to each threat with respect to each question category. The result is a prioritized list of threats the organization can use to determine the relative severity of each threat facing its assets. 
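</span></p><p><span style="font-size: medium;">The weighted table analysis described for assets in Table 4-3 and just now for threats, worked through in code. This is an added example and not code from the text or from the Clearwater Compliance application; the criteria, weights, asset and threat names, and 0 to 5 scores are constructed for illustration and are not the values in Table 4-3. One function ranks both worksheets, and it refuses a worksheet whose weights do not sum to the agreed total, whose cells fall outside the scale, or whose rows are missing a criterion, which is the check a reviewer would otherwise have to make by hand.</span></p>

```python
"""Weighted table analysis for rank-ordering information assets and threats.

Added example, not code from the text or from the Clearwater Compliance
application. Criteria, weights, item names and 0-5 scores are constructed
for illustration and are not the values in Table 4-3.
"""
from typing import Dict, List, Tuple

Weights = Dict[str, float]          # criterion -> weight
Scores = Dict[str, Dict[str, int]]  # item -> criterion -> score on 0..SCALE

SCALE = 5           # 1 = not important ... 5 = critically important
NOT_APPLICABLE = 0  # 0 = this criterion does not apply to the item


def row(weights: Weights, *values: int) -> Dict[str, int]:
    """Score one item against the criteria, in the order the weights list them."""
    if len(values) != len(weights):
        raise ValueError(f"expected {len(weights)} scores, got {len(values)}")
    return dict(zip(weights, values))


def validate_table(weights: Weights, scores: Scores, total: float = 1.0) -> None:
    """Reject a malformed worksheet before any arithmetic is done: weights must
    sum to the agreed total, every item must be scored on every criterion and
    nothing else, and each score must be an integer in 0..SCALE."""
    weight_sum = sum(weights.values())
    if abs(weight_sum - total) > 1e-9:
        raise ValueError(f"weights sum to {weight_sum}, expected {total}")
    for item, cells in scores.items():
        missing, unknown = set(weights) - set(cells), set(cells) - set(weights)
        if missing or unknown:
            raise ValueError(f"{item!r}: missing {sorted(missing)}, unknown {sorted(unknown)}")
        for criterion, value in cells.items():
            if not isinstance(value, int) or not 0 <= value <= SCALE:
                raise ValueError(f"{item!r}/{criterion!r}: {value!r} is not an int in 0..{SCALE}")


def weighted_scores(weights: Weights, scores: Scores, total: float = 1.0) -> List[Tuple[str, float]]:
    """Return (item, weighted score) pairs, highest score first.

    Each cell is multiplied by its criterion's weight and the products summed;
    a NOT_APPLICABLE cell contributes 0, as it does in Table 4-3. Ties are
    broken by name so the ordering is deterministic."""
    validate_table(weights, scores, total)
    ranked = [(item, round(sum(weights[c] * cells[c] for c in weights), 2))
              for item, cells in scores.items()]
    ranked.sort(key=lambda pair: (-pair[1], pair[0]))
    return ranked


# Asset worksheet (constructed): criteria taken from the valuation questions.
ASSET_WEIGHTS: Weights = {"criticality to mission": 0.30, "revenue contribution": 0.25,
                          "profit contribution": 0.25, "embarrassment or liability if lost": 0.20}
ASSET_SCORES: Scores = {
    "Customer order database": row(ASSET_WEIGHTS, 5, 5, 4, 5),
    "DMZ router": row(ASSET_WEIGHTS, 4, 3, 2, 3),
    "Public Web content": row(ASSET_WEIGHTS, 3, 2, 1, 4),
    "Internal phone directory": row(ASSET_WEIGHTS, 2, NOT_APPLICABLE, NOT_APPLICABLE, 3),
}

# Threat worksheet (constructed): criteria taken from the threat questions, all
# scored so that a higher value means more concern.
THREAT_WEIGHTS: Weights = {"danger to our assets": 0.25, "probability of attack": 0.20,
                           "probability of success": 0.20, "severity of loss": 0.25,
                           "cost to recover": 0.10}
THREAT_SCORES: Scores = {
    "Software attacks": row(THREAT_WEIGHTS, 5, 5, 3, 4, 3),
    "Human error or failure": row(THREAT_WEIGHTS, 4, 5, 4, 3, 2),
    "Forces of nature": row(THREAT_WEIGHTS, 2, 1, 5, 5, 5),
    "Theft": row(THREAT_WEIGHTS, 3, 2, 2, 3, 2),
}


def rank_assets() -> List[Tuple[str, float]]:
    return weighted_scores(ASSET_WEIGHTS, ASSET_SCORES)


def rank_threats() -> List[Tuple[str, float]]:
    return weighted_scores(THREAT_WEIGHTS, THREAT_SCORES)


if __name__ == "__main__":
    for title, ranked in (("Assets", rank_assets()), ("Threats", rank_threats())):
        print(title)
        for position, (item, score) in enumerate(ranked, start=1):
            print(f"  {position}. {item:<26} {score:.2f}")
```

<p><span style="font-size: medium;">Running the script prints both ranked lists. A zero contributes nothing to the weighted sum, exactly as a “not applicable” cell does in Table 4-3; an organization that would rather not penalize an asset for a criterion that does not apply to it has to renormalize the weights for that row, and that choice should be recorded on the worksheet so that two reviewers do not score the same asset differently.</span></p><p><span style="font-size: medium;">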
In extreme cases, the organization may want to perform such an assessment of each threat by asset, if the severity of each threat is different depending on the nature of the information asset under evaluation.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Vulnerability Assessment</b></span></p><p><span style="font-size: medium;"><b><br /></b></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYXGyD75VL5WltumwhGBybTByJQ3sB6wXYrPxL01q46vowO10h-3fG76rIl9DvpD-wQtJpCCEFWQPd7ARyqtCsTBGS_unxrp9Cu_5FG3ngYsk6dk7oGNKnj5mB0TLogaB5Hrevxmd_c9oCg75xD9KatLrlQyQywuR544f9PbiklbK9idejsvsYjJ-gCg/s1280/table%204-5.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="494" data-original-width="1280" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYXGyD75VL5WltumwhGBybTByJQ3sB6wXYrPxL01q46vowO10h-3fG76rIl9DvpD-wQtJpCCEFWQPd7ARyqtCsTBGS_unxrp9Cu_5FG3ngYsk6dk7oGNKnj5mB0TLogaB5Hrevxmd_c9oCg75xD9KatLrlQyQywuR544f9PbiklbK9idejsvsYjJ-gCg/w640-h248/table%204-5.jpg" width="640" /></a></div><span style="font-size: medium;"><br /></span><p></p><p><span style="font-size: medium;">Once the organization has identified and prioritized both its information assets and the threats facing those assets, it can begin to compare information assets to threats. This review leads to the creation of a list of vulnerabilities that remain potential risks to the organization. What are vulnerabilities? They are specific avenues that threat agents can exploit to attack an information asset. In other words, they are chinks in the asset’s armor—a flaw or weakness in an information asset, security procedure, design, or control that can be exploited accidentally or on purpose to breach security. 
For example, Table 4-5 analyzes the threats to a DMZ router and its possible vulnerabilities.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">A list like the one in Table 4-5 should be created for each information asset to document its vulnerability to each possible or likely attack. This list is usually long and shows all the vulnerabilities of the information asset. Some threats manifest themselves in multiple ways, yielding multiple vulnerabilities for that asset-threat pair. Of necessity, the process of listing vulnerabilities is somewhat subjective and is based on the experience and knowledge of the people who create the list. Therefore, the process works best when groups of people with diverse backgrounds work together in a series of brainstorming sessions. For instance, the team that reviews the vulnerabilities for networking equipment should include networking specialists, the systems management team that operates the network, InfoSec risk specialists, and even technically proficient users of the system.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>The TVA Worksheet</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">At the end of the risk identification process, an organization should have</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ol style="text-align: left;"><li><span style="font-size: medium;">a prioritized list of assets and<br /><br /></span></li><li><span style="font-size: medium;">a prioritized list of threats facing those assets.</span></li></ol><p><span style="font-size: medium;">Prioritized lists should be developed using a technique like the weighted table analysis discussed earlier.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The organization should also have a working knowledge of the vulnerabilities that 
exist between each threat and each asset. These lists serve as the starting point for the next step in the risk management process: risk assessment. The prioritized lists of assets and threats can be combined into a threats-vulnerabilities-assets (TVA) worksheet, in preparation for the addition of vulnerability and control information during risk assessment. Along one axis lies the prioritized set of assets. Table 4-6 shows the placement of assets along the horizontal axis, with the most important asset at the left. The prioritized list of threats is placed along the vertical axis, with the most important or most dangerous threat listed at the top. The resulting grid provides a convenient method of examining the “exposure” of assets, allowing a simple vulnerability assessment. We now have a starting point for our risk assessment, along with the other documents and forms.</span></p><p><span style="font-size: medium;"><br /></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhwDd17h5jNvUNzEjFHc5QxvHBNjWyk3_JEJraDmRl3C8LcGlyEZgGE2XdZIajVhZOAKlfV4Q1PKxlw_wZKYfIsrQpTKCMolS8HULDHAiIALwgzE_By2gNFIsI92Gdy5a2q93byPXSkE2w5XG2SRdnAPOF1tQi_UX08iu8cLLqRi_A8AbUm_XhTr0qHw/s595/table%204-6.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="400" data-original-width="595" height="430" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhwDd17h5jNvUNzEjFHc5QxvHBNjWyk3_JEJraDmRl3C8LcGlyEZgGE2XdZIajVhZOAKlfV4Q1PKxlw_wZKYfIsrQpTKCMolS8HULDHAiIALwgzE_By2gNFIsI92Gdy5a2q93byPXSkE2w5XG2SRdnAPOF1tQi_UX08iu8cLLqRi_A8AbUm_XhTr0qHw/w640-h430/table%204-6.png" width="640" /></a></div><span style="font-size: medium;"><br /></span><p></p><p><span style="font-size: medium;">Before you begin the risk analysis process, it may be helpful to create a list of the TVA “triples” to facilitate your examination of the severity of the 
vulnerabilities. For example, between Threat 1 and Asset 1, there may or may not be a vulnerability. After all, not all threats pose risks to all assets. If a pharmaceutical company’s most important asset is its research and development database and that database resides on a stand-alone network (one that is not connected to the Internet), then there may be no vulnerability to external hackers. If the intersection of T1 and A1 has no vulnerability, then the risk assessment team simply crosses out that box. It is much more likely, however, that one or more vulnerabilities exist between the two, and as these vulnerabilities are identified, they are categorized as follows:</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">T1V1A1—Vulnerability 1 that exists between Threat 1 and Asset 1</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">T1V2A1—Vulnerability 2 that exists between Threat 1 and Asset 1</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">T2V1A1—Vulnerability 1 that exists between Threat 2 and Asset 1 … and so on.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">In the risk analysis phase discussed in the next section, not only are the vulnerabilities examined, the assessment team analyzes any existing controls that protect the asset from the threat or mitigate the losses that may occur. Cataloging and categorizing these controls is the next step in the risk identification process.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">There is a key delineator here between risk identification and risk analysis: In developing the TVA spreadsheet, the organization is performing risk identification simply by determining whether an asset is at risk from a threat and identifying any vulnerabilities that exist. 
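</span></p><p><span style="font-size: medium;">The TVA worksheet and its labelled triples, built in code as an added example that is not part of the text. The prioritized asset and threat lists stand in for the output of the weighted table analysis, and the vulnerabilities recorded against each threat-asset pair are constructed for illustration; the research database is placed on a stand-alone network, as in the pharmaceutical example above, so its software-attack cell is crossed out rather than labelled. The builder rejects a vulnerability recorded against a threat or asset name that is not on the prioritized lists, because a misspelt name would otherwise drop the entry from the worksheet without anyone noticing.</span></p>

```python
"""Threats-vulnerabilities-assets (TVA) worksheet builder.

Added example, not code from the text. The prioritized asset and threat lists
and the vulnerabilities recorded against them are constructed for illustration.
"""
from typing import Dict, List, Tuple

Cell = Tuple[str, str]          # (threat, asset)
Vulns = Dict[Cell, List[str]]   # vulnerabilities identified for each cell
CROSSED_OUT = "X"               # marker for a cell with no vulnerability

# Prioritized inputs, as produced by the weighted table analysis:
# most important asset first, most dangerous threat first.
ASSETS: List[str] = ["R&D database", "Customer order database", "DMZ router"]
THREATS: List[str] = ["Software attacks", "Human error or failure", "Forces of nature"]

# Output of the brainstorming sessions (constructed). The R&D database is on a
# stand-alone network, so no software-attack vulnerability was recorded for it;
# that cell is crossed out rather than labelled.
VULNERABILITIES: Vulns = {
    ("Software attacks", "Customer order database"): [
        "database service is several patch levels behind",
        "order form input is not validated before it reaches the query layer",
    ],
    ("Software attacks", "DMZ router"): ["management interface still uses the vendor default credentials"],
    ("Human error or failure", "R&D database"): ["researchers share a single login"],
    ("Human error or failure", "DMZ router"): ["ACL changes are applied without peer review"],
    ("Forces of nature", "R&D database"): ["single site; backups are stored in the same building"],
}


def tva_triples(assets: List[str], threats: List[str], vulns: Vulns) -> Dict[str, Tuple[str, str, str]]:
    """Label every identified vulnerability TiVjAk.

    i is the threat's rank, k the asset's rank and j the vulnerability's index
    within that (threat, asset) cell. Labels come out in worksheet order, top
    row first and left column first, so iterating the result walks the grid
    from the most dangerous threat and most important asset downwards."""
    known = {(t, a) for t in threats for a in assets}
    stray = set(vulns) - known
    if stray:  # a misspelt threat or asset name would otherwise vanish silently
        raise ValueError(f"vulnerabilities recorded for unknown cells: {sorted(stray)}")
    labels: Dict[str, Tuple[str, str, str]] = {}
    for i, threat in enumerate(threats, start=1):
        for k, asset in enumerate(assets, start=1):
            for j, description in enumerate(vulns.get((threat, asset), []), start=1):
                labels[f"T{i}V{j}A{k}"] = (threat, description, asset)
    return labels


def crossed_out(assets: List[str], threats: List[str], vulns: Vulns) -> List[Cell]:
    """Cells the team decided carry no vulnerability; worth a second look, not silence."""
    return [(t, a) for t in threats for a in assets if not vulns.get((t, a))]


def render_grid(assets: List[str], threats: List[str], vulns: Vulns) -> str:
    """Plain-text grid in the layout of Table 4-6: assets across, threats down."""
    cells: Dict[Cell, List[str]] = {}
    for label, (threat, _, asset) in tva_triples(assets, threats, vulns).items():
        cells.setdefault((threat, asset), []).append(label)
    header = ["Threat \\ Asset"] + [f"A{k} {a}" for k, a in enumerate(assets, start=1)]
    rows = [header]
    for i, threat in enumerate(threats, start=1):
        rows.append([f"T{i} {threat}"] +
                    [", ".join(cells.get((threat, a), [])) or CROSSED_OUT for a in assets])
    widths = [max(len(r[c]) for r in rows) for c in range(len(header))]
    return "\n".join(" | ".join(cell.ljust(w) for cell, w in zip(r, widths)) for r in rows)


if __name__ == "__main__":
    print(render_grid(ASSETS, THREATS, VULNERABILITIES))
    for label, (threat, vuln, asset) in tva_triples(ASSETS, THREATS, VULNERABILITIES).items():
        print(f"{label}: {vuln}  [{threat} -> {asset}]")
```

<p><span style="font-size: medium;">Running the script prints the grid and then each TiVjAk triple with its description. Note what the worksheet records and what it does not: it says only whether a vulnerability exists between a threat and an asset. How serious that vulnerability is, and which existing controls already address it, is not captured here.</span></p><p><span style="font-size: medium;">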
The extent to which the asset is at risk falls under risk analysis. The fine line between the two is part of the reason that many organizations follow the methodology outlined in Figure 4-1 described earlier in this module, but they merge risk identification, risk analysis, and risk evaluation into one logical process and just call it risk assessment.</span></p></div>Unknownnoreply@blogger.com1tag:blogger.com,1999:blog-834996857819749048.post-26966939113707495482022-08-17T10:36:00.011-07:002022-08-17T10:52:56.727-07:00Principle of Information Security Module 4 Risk Management part 3<p style="text-align: center;"><span style="font-size: medium;"><iframe frameborder="0" height="102px" scrolling="no" src="https://anchor.fm/nhat-nguyen9/embed/episodes/Principle-of-Information-Security-Module-4-Risk-Management-part-3-e1mjf9o" width="400px"></iframe></span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbo2y3GGfaLP-FSyauYXrKevoJbhP8-hfnI0ZWAK6qk-OPFXqxsPbLDN1Ao3Iv0C3vfFnfa60X9YF-7AeLp3tXoRLoqBDkQzc8naj1_OHNdQK5P3AGC8dHEV24IOTGgDaTU4O63nSojrhEle7HIpdqZNTLk1UDICkjQ0v-6xvmEzicm-QZbY1IZHzE6Q/s768/framework%20implementation.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="296" data-original-width="768" height="246" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbo2y3GGfaLP-FSyauYXrKevoJbhP8-hfnI0ZWAK6qk-OPFXqxsPbLDN1Ao3Iv0C3vfFnfa60X9YF-7AeLp3tXoRLoqBDkQzc8naj1_OHNdQK5P3AGC8dHEV24IOTGgDaTU4O63nSojrhEle7HIpdqZNTLk1UDICkjQ0v-6xvmEzicm-QZbY1IZHzE6Q/w640-h246/framework%20implementation.jpg" width="640" /></span></a></div><p style="text-align: center;"><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Once the framework team has finished designing the RM program (framework and process), it begins implementing the 
program. As with any major project, this involves specifying the project manager for the process and laying out the detailed implementation methodology. The RM process, which is specified in the right half of Figure 4-1, provides general steps to follow in the conduct of risk evaluation and remediation and is designed to be intentionally vague so it can be adapted to any one of the methodologies available.</span></p><p><span style="font-size: medium;"><br /></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3UNPCD_RQQ9WX6kGmXtlpF8wBqEL0r_4nOI8m_2UwZO1GmRC9FfproVpz7su4n_f7B1aR-omuCvRmWxvPVbzDbhEjvS5HAtFv7DDTFMyMBUmSCile8JRglsp_JakVAyzTHRfqDJmtyOIt5CE8MMgkV3B_rbwmkSP25HR-hJ7qhlFtSgclt7M2HDvzLw/s1352/4-1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="683" data-original-width="1352" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3UNPCD_RQQ9WX6kGmXtlpF8wBqEL0r_4nOI8m_2UwZO1GmRC9FfproVpz7su4n_f7B1aR-omuCvRmWxvPVbzDbhEjvS5HAtFv7DDTFMyMBUmSCile8JRglsp_JakVAyzTHRfqDJmtyOIt5CE8MMgkV3B_rbwmkSP25HR-hJ7qhlFtSgclt7M2HDvzLw/w640-h324/4-1.jpg" width="640" /></a></div><span style="font-size: medium;"><br /></span><p></p><p><span style="font-size: medium;">The implementation of the RM plan, specifically including the RM process, could be based on several traditional IT implementation methods and is likely to be influenced by the organization’s risk appetite:</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The organization may distribute the plan to all mid- to upper-level managers for a desk check prior to deployment.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The organization could pilot-test the plan in a small area to gauge initial issues and success prior to 
deployment across the entire organization.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The organization may use a phased approach in which only a portion of the RM program is initially implemented, such as initial meetings with key managers or initial inventory of information assets.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The bold organization with a larger risk appetite may simply choose a direct cutover (also known as a cold-turkey conversion) in which the new RM project is launched in totality across the entire organization.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Whatever rollout method is selected, it is important for the RM framework team to carefully monitor, communicate, and review the implementation so it can detect and address issues before they become threatening to the viability of the program, as discussed in the next section.</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkMWXcKFWzIpTU7lVPp6-JdnjZrGEVR_oXUZqK-BvOg_lrfWn3nEtkxXisxsJPC6EG_qGB56r0qH0kXAAcuqHCDxlLNpjfyI6uEHRtM4JxrKhOmBQI81BJ_Q59BYsL8resIa6hMwAmnPFJ1sCya_RSJWsAfUokSZ9_Axg0MwQrDSxZzsmYjfa7I6pWxw/s779/framework%20monitoring.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="249" data-original-width="779" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkMWXcKFWzIpTU7lVPp6-JdnjZrGEVR_oXUZqK-BvOg_lrfWn3nEtkxXisxsJPC6EG_qGB56r0qH0kXAAcuqHCDxlLNpjfyI6uEHRtM4JxrKhOmBQI81BJ_Q59BYsL8resIa6hMwAmnPFJ1sCya_RSJWsAfUokSZ9_Axg0MwQrDSxZzsmYjfa7I6pWxw/w640-h204/framework%20monitoring.jpg" width="640" /></span></a></div><p><span style="font-size: medium;"><br /></span></p><p><span 
style="font-size: medium;">After the initial implementation and as the RM effort proceeds, the framework team continues to monitor the conduct of the RM process while simultaneously reviewing the utility and relative success of the framework planning function itself. In the first few iterations, the framework team will examine how successful it was in designing and implementing the RM framework, plan, and RM process, and what issues required adjustments of the plan. The framework itself only exists as a methodology to design and implement the process, so once the framework is documented in the RM plan, the success of the process becomes the greatest concern. Success or failure in the framework’s planning process may be relatively simple to resolve if addressed early, but issues downstream in the actual RM process may require redesign all the way back up to the framework and then modification of the RM plan. Performance measures, which are described in detail in Module 12, are often used to collect data about the RM process and determine its relative success or failure. The results of these assessments are used in the continuous improvement stage, which is described next.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Once the RM process is implemented and operating, the framework team is primarily concerned with the monitoring and review of the RM process cycle. However, until the framework and plan are implemented and operational, the framework team is also concerned with oversight of the RM framework and plan. 
The governance group also expects regular feedback on the entire RM program, including information about the relative success and progress of both the framework and process activities.</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHOwm2TAFnNSGjfnbGmgfLcZediJ6MxxXFSEFAbs7hG-TsCTK5PVLcNWqWzWfZuTYS5EkV3u7-ymE8sxTSG6wRIwnGJk2RrtOmd8RBaVxNOXlSziwhhqTAae0TPXgx0TtZvH5i1PLLflunvok95yd8r41_iaIWeyK0v70NShhpVRwqn9DrYlU2O9O7LA/s784/risk%20management%20process.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="359" data-original-width="784" height="294" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHOwm2TAFnNSGjfnbGmgfLcZediJ6MxxXFSEFAbs7hG-TsCTK5PVLcNWqWzWfZuTYS5EkV3u7-ymE8sxTSG6wRIwnGJk2RrtOmd8RBaVxNOXlSziwhhqTAae0TPXgx0TtZvH5i1PLLflunvok95yd8r41_iaIWeyK0v70NShhpVRwqn9DrYlU2O9O7LA/w640-h294/risk%20management%20process.jpg" width="640" /></span></a></div><p style="text-align: center;"><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">During the implementation phase of the RM framework, the RM plan guides the implementation of the RM process, in which risk evaluation and remediation of key assets are conducted. The three communities of interest must work together to address every level of risk, ranging from full-scale disasters (whether natural or human-made) to the smallest mistake made by an employee. To do so, representatives from each community collaborate to be actively involved in RM process activities. 
This process uses the specific knowledge and perspective of the team to complete the following tasks:</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Establishing the context</b>, which includes understanding both the organization’s internal and external operating environments and other factors that could impact the RM process.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Identifying risk, which includes the following:</b></span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Creating an inventory of information assets<br /><br /></span></li><li><span style="font-size: medium;">Classifying and organizing those assets meaningfully<br /><br /></span></li><li><span style="font-size: medium;">Assigning a value to each information asset<br /><br /></span></li><li><span style="font-size: medium;">Identifying threats to the cataloged assets<br /><br /></span></li><li><span style="font-size: medium;">Pinpointing vulnerable assets by tying specific threats to specific assets</span></li></ul><p></p><p><span style="font-size: medium;"><b>Analyzing risk, which includes the following:</b></span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Determining the likelihood that vulnerable systems will be attacked by specific threats<br /><br /></span></li><li><span style="font-size: medium;">Assessing the relative risk facing the organization’s information assets so that risk management and control activities can focus on assets that require the most urgent and immediate attention<br /><br /></span></li><li><span style="font-size: medium;">Calculating the risks to which assets are exposed in their current setting<br /><br /></span></li><li><span style="font-size: medium;">Looking in a general way at controls that 
might come into play for identified vulnerabilities and ways to control the risks that the assets face.<br /><br /></span></li><li><span style="font-size: medium;">Documenting and reporting the findings of risk identification and assessment</span></li></ul><p></p><p><span style="font-size: medium;"><b>Evaluating the risk to the organization’s key assets and comparing identified uncontrolled risks against its risk appetite:</b></span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Identifying individual risk tolerances for each information asset.<br /><br /></span></li><li><span style="font-size: medium;">Combining or synthesizing these individual risk tolerances into a coherent risk appetite statement.</span></li></ul><p></p><p><span style="font-size: medium;"><b>Treating the unacceptable risk:</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Determining which treatment/control strategy is best considering the value of the information asset and which control options are cost-effective.</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Acquiring or installing the appropriate controls<br /><br /></span></li><li><span style="font-size: medium;">Overseeing processes to ensure that the controls remain effective</span></li></ul><p></p><p><span style="font-size: medium;"><b>Summarizing the findings</b>, which involves stating the conclusions of the identification, analysis, and evaluation stages of risk assessment in preparation for moving into the stage of controlling risk by exploring methods to further mitigate risk where applicable or desired.</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXCemPtNMBg-hL60OAP2igvmsT4IKGwEh4CZUIyS_v1DPiZ7F3gkgLEhICotNvANjwf_B0U3GW_F_7rvkjFVFMAX6B9mxASIzbwsDoZUc_A7W-PNkx4t3unb9YDop7iuP9eZs1IwZwBJewK5wVlSrYR0rzALPejpKLlWCEOvhYs8uZ1TPu1QenJ7-cGQ/s785/rm%20process%20preparation.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="334" data-original-width="785" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXCemPtNMBg-hL60OAP2igvmsT4IKGwEh4CZUIyS_v1DPiZ7F3gkgLEhICotNvANjwf_B0U3GW_F_7rvkjFVFMAX6B9mxASIzbwsDoZUc_A7W-PNkx4t3unb9YDop7iuP9eZs1IwZwBJewK5wVlSrYR0rzALPejpKLlWCEOvhYs8uZ1TPu1QenJ7-cGQ/w640-h272/rm%20process%20preparation.jpg" width="640" /></span></a></div><p style="text-align: center;"><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">As the RM process team convenes, it is initially briefed by representatives of the framework team and possibly by the governance group. These groups seek to provide executive guidance for the work to be performed by the RM process team, and to ensure that the team’s efforts are in alignment with managerial intent, as documented in the RM policy and plan. The group is briefed on its responsibilities and set to its work. The plan is reviewed and individual assignments given.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The context in this phase is the understanding of the external and internal environments the RM team will be interacting with as it conducts the RM process. It also means understanding the RM process as defined by the framework team and having the internal knowledge and expertise to implement it. 
Finally, it means ensuring that all members of the RM process team understand the organization’s risk appetite statement and can translate it into the appropriate risk treatment when the time comes.</span></p><p><span style="font-size: medium;"><br /></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5t-Yx_I3Wo2bfSIBVA_KsdHha12b9ndooLyJYhJ0mXIBg5wJSrEk3UEujpJ1aYt-HF4wiyP3_aYRcSmB1daxcOUAmWSkRN3-r2VZ2i73SYBB_cmXtbg5M2IobiBvkTuEoIuAoG3AKBTdgNJiDIKcGGChPh0UydaU7iWOhbdhOwqyZg6FTu80toKDwGA/s787/rm%20process%20preparation%202.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="385" data-original-width="787" height="314" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh5t-Yx_I3Wo2bfSIBVA_KsdHha12b9ndooLyJYhJ0mXIBg5wJSrEk3UEujpJ1aYt-HF4wiyP3_aYRcSmB1daxcOUAmWSkRN3-r2VZ2i73SYBB_cmXtbg5M2IobiBvkTuEoIuAoG3AKBTdgNJiDIKcGGChPh0UydaU7iWOhbdhOwqyZg6FTu80toKDwGA/w640-h314/rm%20process%20preparation%202.jpg" width="640" /></span></a></div><span style="font-size: medium;"><span><br /></span></span><p></p><p><span style="font-size: medium;">NIST’s Special Publication (SP) 800-30, Rev. 
1, “Guide for Conducting Risk Assessments,” recommends preparing for the risk assessment by performing the following tasks:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Identify the purpose of the assessment;<br /><br /></span></li><li><span style="font-size: medium;">Identify the scope of the assessment;<br /><br /></span></li><li><span style="font-size: medium;">Identify the assumptions and constraints associated with the assessment;<br /><br /></span></li><li><span style="font-size: medium;">Identify the sources of information to be used as inputs to the assessment; and<br /><br /></span></li><li><span style="font-size: medium;">Identify the risk model and analytic approaches (i.e., assessment and analysis approaches) to be employed during the assessment<br /></span></li></ul><b><span style="font-size: medium;">External Context</span></b><div><span style="font-size: medium;"><b><br /></b></span><p><span style="font-size: medium;">Understanding the external context means understanding the impact the following external factors could have on the RM process, its goals, and its objectives:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;"><b>The business environment</b>—Customers, suppliers, competitors<br /><br /></span></li><li><span style="font-size: medium;"><b>The legal/regulatory/compliance environment</b>—Laws, regulations, industry standards<br /><br /></span></li><li><span style="font-size: medium;"><b>The threat environment</b>—Threats, known vulnerabilities, attack vectors<br /><br /></span></li><li><span style="font-size: medium;"><b>The support environment</b>—Government agencies like NIST and DHS, professional associations like ISSA, and service agencies such as SecurityFocus</span></li></ul><p></p><p><span style="font-size: medium;">The team should also consider any other factors known to the 
subject-matter experts that make up the team.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">These factors should influence the organization’s conduct of the RM process, its assessment methods, its findings, and most importantly, its decisions when treating risk.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Internal Context</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The internal context is the understanding of internal factors that could impact or influence the RM process:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">The organization’s governance structure (or lack thereof).<br /><br /></span></li><li><span style="font-size: medium;">The organization’s internal stakeholders.<br /><br /></span></li><li><span style="font-size: medium;">The organization’s culture.<br /><br /></span></li><li><span style="font-size: medium;">The maturity of the organization’s information security program.<br /><br /></span></li><li><span style="font-size: medium;">The organization’s experience in policy, planning, and risk management in general.</span></li></ul><p></p></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-834996857819749048.post-15592160523820973122022-08-16T09:46:00.005-07:002022-08-16T09:49:34.865-07:00Principle of Information Security Module 4 Risk Management part 2<p style="text-align: center;"><span style="font-size: medium;"><iframe frameborder="0" height="102px" scrolling="no" src="https://anchor.fm/nhat-nguyen9/embed/episodes/Principle-of-Information-Security-Module-4-Risk-Management-part-2-e1mj1n2" width="400px"></iframe></span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYQZUlOLDVjM129sT4w5dP-rKL7NoJJf28cWU6P2iO-mD7iryBZXvIqQI0ZhCwm7fNumR8rcWRAWS1QNNptqn90hUuGaEsQVfFWU4vX3JSwD8ecyMoJw42LAvZ_ka__bzFfpBPru7Jdvv4ulqklfslr-I1BULjb6Usq36tVa4pjHf964u2ZdWkS7q0NA/s1276/slide%2012%20the%20roles%20of%20the%20communities%20of%20interest.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="475" data-original-width="1276" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYQZUlOLDVjM129sT4w5dP-rKL7NoJJf28cWU6P2iO-mD7iryBZXvIqQI0ZhCwm7fNumR8rcWRAWS1QNNptqn90hUuGaEsQVfFWU4vX3JSwD8ecyMoJw42LAvZ_ka__bzFfpBPru7Jdvv4ulqklfslr-I1BULjb6Usq36tVa4pjHf964u2ZdWkS7q0NA/w640-h238/slide%2012%20the%20roles%20of%20the%20communities%20of%20interest.png" width="640" /></a></div><p style="text-align: center;"><br /></p><p><span style="font-size: medium;">Each community of interest has a role to play in managing the risks that an organization encounters. Because members of the information security community best understand the threats and attacks that introduce risk into the organization, they often take a leadership role in addressing risk to information assets. Management and users, when properly trained and kept aware of the threats the organization faces, play a part in early detection and response.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Management must also ensure that sufficient time, money, personnel, and other resources are allocated to the information security and information technology groups to meet the organization’s security needs. Users work with systems and data and are therefore well positioned to understand the value these information assets offer the organization. Users also understand which assets are the most valuable. The information technology community of interest must build secure systems and operate them safely. 
For example, IT operations ensure good backups to control the risk of data loss due to hard drive failure. The IT community can provide both valuation and threat perspectives to management during the risk management process. The information security community of interest must pull it all together in the risk management process.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">All communities of interest must work together to address all levels of risk, which range from disasters that can devastate the whole organization to the smallest employee mistakes. The three communities of interest—InfoSec, IT, and general management—are also responsible for the following:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Evaluating current and proposed risk controls<br /><br /></span></li><li><span style="font-size: medium;">Determining which control options are cost-effective for the organization<br /><br /></span></li><li><span style="font-size: medium;">Acquiring or installing the needed controls<br /><br /></span></li><li><span style="font-size: medium;">Ensuring that the controls remain effective</span></li></ul><p></p><p><span style="font-size: medium;">Because threats to assets are constantly changing, all three communities of interest must conduct periodic managerial reviews or audits, with general management usually providing oversight and access to information retained outside the IT department. The first managerial review is of the asset inventory. On a regular basis, management must ensure that the completeness and accuracy of the asset inventory is verified, usually through an IT audit. In addition, IT and information security must review and verify threats and vulnerabilities in the asset inventory, as well as current controls and mitigation strategies. 
They must also review the cost-effectiveness of each control and revisit decisions for deploying controls. Furthermore, managers at all levels must regularly verify the ongoing effectiveness of every deployed control. For example, a business manager might assess control procedures by periodically walking through the office after the workday ends, ensuring that all classified information is locked up, that all workstations are shut down, that all users are logged off, and that offices are secured. Managers may further ensure that no sensitive information is discarded in trash or recycling bins. Such controls are effective ways for managers and employees alike to ensure that no information assets are placed at risk. Other controls include following policy, promoting training and awareness, and employing appropriate technologies.</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhdH_yTPKmBYYZe47QjXb4u6arSbM9hIUZ0LMjzs6BiZ_lL8gup3WH9BZjcaIzW2stbtg3C-wYNJwTg_yx1HGTr-UjkFrpNvZLmeTLGTtKdmUrg10UEbZ_NuHgV7L7HC0GKiHRwNBG6NcmDumBlv2zgZpilQ2HsyBmZY7g3DFWgjo92vJC8THkVPh3_g/s1279/slide%2013%20The%20Risk%20Management%20Policy%201%20of%202.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="372" data-original-width="1279" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhdH_yTPKmBYYZe47QjXb4u6arSbM9hIUZ0LMjzs6BiZ_lL8gup3WH9BZjcaIzW2stbtg3C-wYNJwTg_yx1HGTr-UjkFrpNvZLmeTLGTtKdmUrg10UEbZ_NuHgV7L7HC0GKiHRwNBG6NcmDumBlv2zgZpilQ2HsyBmZY7g3DFWgjo92vJC8THkVPh3_g/w640-h186/slide%2013%20The%20Risk%20Management%20Policy%201%20of%202.png" width="640" /></a></div><p style="text-align: center;"><br /></p><p><span style="font-size: medium;">As mentioned in Module 3, policy communicates management’s intent for the outcome of an organization’s effort. 
For RM program development and implementation, the project leader, in cooperation with the governance group, drafts a risk management policy. This policy converts the instructions and perspectives provided to the RM framework team by the governance group into cohesive guidance that structures and directs all subsequent risk management efforts within the organization.</span></p><p><span style="font-size: medium;"><br /></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2jEpjGznQOclGzzmGzzyeYpgkH74cLSCjl3or43mkJWYMOuDQiPszQO-jL09DY-3Uqt5PYqQZFv-FvxbXlRxCv_BGnyT7RyNAL0holS3sqRy-wheEeeFk-KLbe9LUpdBDKazscmULTpl4Azy9K5LMLz-FxF8GE755TdBr1lJB1KvUHCXS4KCZpKZBqg/s1277/slide%2014%20The%20Risk%20Management%20Policy%202%20of%202.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="527" data-original-width="1277" height="264" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2jEpjGznQOclGzzmGzzyeYpgkH74cLSCjl3or43mkJWYMOuDQiPszQO-jL09DY-3Uqt5PYqQZFv-FvxbXlRxCv_BGnyT7RyNAL0holS3sqRy-wheEeeFk-KLbe9LUpdBDKazscmULTpl4Azy9K5LMLz-FxF8GE755TdBr1lJB1KvUHCXS4KCZpKZBqg/w640-h264/slide%2014%20The%20Risk%20Management%20Policy%202%20of%202.png" width="640" /></a></div><span style="font-size: medium;"><br /></span><p></p><p><span style="font-size: medium;">The RM policy, much like the enterprise information security policy (EISP), is a strategic document that formalizes much of the intent of the governance group. 
While no two policies are identical, most include the following sections:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;"><b>Purpose and scope</b>—What is this policy for and to whom does it apply?<br /><br /></span></li><li><span style="font-size: medium;"><b>RM intent and objectives</b>—What is the general view of RM by the governance group, and how will that be translated into goals and objectives for RM for the entire organization?<br /><br /></span></li><li><span style="font-size: medium;"><b>Roles and responsibilities</b>—A list of the assignments and expectations for each constituent responsible for the RM program. These lists should specify who will be involved (usually by position) and what their involvement is by group:</span></li></ul><p style="text-align: left;"></p><ul style="text-align: left;"><ul><li><span style="font-size: medium;">Oversight and governance group<br /></span></li><li><span style="font-size: medium;">RM framework development team<br /></span></li><li><span style="font-size: medium;">RM process implementation team (if different from framework)<br /></span></li><li><span style="font-size: medium;">Business units<br /></span></li><li><span style="font-size: medium;">IT department<br /></span></li><li><span style="font-size: medium;">Information security group</span></li></ul></ul><p></p><p style="text-align: left;"><span style="font-size: medium;">For example: The chief information security officer will serve as project team leader for the RM framework development team and is responsible for ensuring completion of the framework and implementation of the process within the timelines, budgets, and other constraints specified...</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;"><b>Resource requirements</b>—A list of the resources allocated to the support of RM as a 
program and to the framework and process teams. The resource list should be compatible with the roles and responsibilities specified earlier.<br /><br /></span></li><li><span style="font-size: medium;"><b>Risk appetite and tolerances</b>—A summary of the expectations and preferences of executive management regarding the level of risk the organization is willing to tolerate.<br /><br /></span></li><li><span style="font-size: medium;"><b>RM program development guidelines</b>—Organization-specific instructions to guide the development and implementation of the RM effort. These could include a need to comply with specific regulations, to follow a particular methodology (which could be either incorporated into this RM project or used in place of it), and any other special considerations the governance team wants to make known.<br /><br /></span></li><li><span style="font-size: medium;"><b>Special instructions and revision information</b>—Guidelines for the planned review and revision of the policy document, including information on “who,” “how,” and “when.”<br /><br /></span></li><li><span style="font-size: medium;"><b>References to other key policies, plans, standards, and guidelines</b>—A list of key documents (internal or external) that the organization should remain cognizant of during the development and implementation of the RM program.<br /><br /></span></li></ul><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7GzE-pWwgTXyiK2vA3HQUX-XLj2MYs27xjT4Zf6Ckw7Uoz9_UmnushNhoK4lLobADrQjAGGjd2Xjb762ltGtkl1RAeaUupaV_J4RJEukRlUTEC1DyJ4gsc6yU4s2fc4sa8tF_Eq6LSIF8UKcKMfPKC8lHlqr3UyKwNF88eYcaqI4-APhWeKm7zKxFhw/s1261/Slide%2015%20Framework%20Design.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="448" data-original-width="1261" height="228" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7GzE-pWwgTXyiK2vA3HQUX-XLj2MYs27xjT4Zf6Ckw7Uoz9_UmnushNhoK4lLobADrQjAGGjd2Xjb762ltGtkl1RAeaUupaV_J4RJEukRlUTEC1DyJ4gsc6yU4s2fc4sa8tF_Eq6LSIF8UKcKMfPKC8lHlqr3UyKwNF88eYcaqI4-APhWeKm7zKxFhw/w640-h228/Slide%2015%20Framework%20Design.png" width="640" /></a></div><p style="text-align: center;"><br /></p><p><span style="font-size: medium;">In this stage, the framework team begins designing the RM process by which the organization will understand its current levels of risk and determine what, if anything, it needs to do to bring those levels down to an acceptable level in alignment with the risk appetite specified earlier in the process. Designing the RM program means defining and specifying the detailed tasks to be performed by the framework team and the process team. Once the framework itself has been designed and has completed at least one iteration, most of the work of the framework team involves oversight of the process rather than developing the framework.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">As you will learn later in this module, a wide variety of methodologies are available for conducting risk management. At this stage, the organization may simply select an “off-the-shelf” implementation of such a methodology, which it can use as is or adapt to its needs. The organization may even decide to develop its own methodology. 
Whatever it does, this is the phase of the RM framework in which the entire RM program is decided and the corresponding details are specified.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">In addition to coordinating with the governance group on the tasks outlined in the previous section, the framework team must also formally document and define the organization’s risk appetite and draft the risk management (RM) plan.</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmMRonGprSCtNCnDAJwqGHeItDciQPZbYsdIlBBUA_zLdL8pi4Pd1U9Kxzqkz-m8OVaZCCY64WWiDFBik7BIyHr7fZnKH5jv1J2imN5SvrqXI_Q4Bnqi2xx7pcOz1Cl8kibfjG4vvjNo2FRCLv4qojFC4gzRFyrIcHxZV71Vi3VdnY5nlVU6bSACoZQQ/s1277/Slide%2016%20Defining%20the%20Organization%E2%80%99s%20Risk%20Tolerance%20and%20Risk%20Appetite.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="616" data-original-width="1277" height="308" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhmMRonGprSCtNCnDAJwqGHeItDciQPZbYsdIlBBUA_zLdL8pi4Pd1U9Kxzqkz-m8OVaZCCY64WWiDFBik7BIyHr7fZnKH5jv1J2imN5SvrqXI_Q4Bnqi2xx7pcOz1Cl8kibfjG4vvjNo2FRCLv4qojFC4gzRFyrIcHxZV71Vi3VdnY5nlVU6bSACoZQQ/w640-h308/Slide%2016%20Defining%20the%20Organization%E2%80%99s%20Risk%20Tolerance%20and%20Risk%20Appetite.png" width="640" /></a></div><p style="text-align: center;"><br /></p><p><span style="font-size: medium;">As the governance group communicates its intent to the RM framework development team, it also needs to communicate its general perspective on what level of risk is acceptable and what risk must be reduced or resolved in some fashion. 
In other words, the RM framework team needs to understand and be able to determine whether the level of controls identified at the end of the risk process results in a level of risk that management can accept. The amount of risk that remains after all current controls are implemented is residual risk. The organization may very well reach this point in the risk management process, examine the documented residual risk and simply state, “Yes, the organization can live with that,” and then document everything for the next risk management review cycle.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The difficulty lies in the process of formalizing exactly what the organization “can live with.” This process is the heart of risk appetite. Documenting risk appetite as part of the RM framework development effort is often a vague and poorly understood proposition.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">According to KPMG, a global network of professional firms providing audit, tax, and advisory services:</span></p><p><span style="font-size: medium;"><br /></span></p><p><b><span style="font-size: medium;">A well-defined risk appetite should have the following characteristics:</span></b></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Reflective of strategy, including organizational objectives, business plans, and stakeholder expectations<br /><br /></span></li><li><span style="font-size: medium;">Reflective of all key aspects of the business<br /><br /></span></li><li><span style="font-size: medium;">Acknowledges a willingness and capacity to take on risk<br /><br /></span></li><li><span style="font-size: medium;">Is documented as a formal risk appetite statement<br /><br /></span></li><li><span style="font-size: medium;">Considers the skills, resources, and technology required to 
manage and monitor risk exposures in the context of risk appetite<br /><br /></span></li><li><span style="font-size: medium;">Is inclusive of a tolerance for loss or negative events that can be reasonably quantified<br /><br /></span></li><li><span style="font-size: medium;">Is periodically reviewed and reconsidered with reference to evolving industry and market conditions<br /><br /></span></li><li><span style="font-size: medium;">Has been approved by the board</span></li></ul><p></p><p><span style="font-size: medium;">The KPMG approach to defining risk appetite involves understanding the organization’s strategic objectives, defining risk profiles for each major current organizational activity and future strategic plan, and defining a risk tolerance (or risk threshold) for each profile.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Risk tolerance works hand in glove with risk appetite, as it more clearly defines the range of acceptable risk for each initiative, plan, or activity. If an administrator is asked what level of attack success and loss he or she is willing to accept for a particular system, the answer should provide insight into the risk threshold for that system, as well as that for the data it stores and processes. If the answer to the question is “absolutely none,” the administrator has a zero-tolerance risk exposure for the system and requires the highest level of protection. A realistic tolerance usually falls somewhere between “sporadic hardware/software issues” and “total destruction.”</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The synthesis of risk thresholds becomes the risk appetite for the organization. Risk thresholds are more tactical or operational in nature, and the risk appetite is more strategic. 
The final result of risk assessment is the formalization of risk appetite in the risk appetite statement, which is part of the RM framework policy.</span></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-834996857819749048.post-11884609447315559502022-08-12T07:57:00.008-07:002022-08-15T05:15:55.214-07:00Principle of Information Security Module 4 Risk Management part 1<p style="text-align: center;"><span style="font-size: medium;"><iframe frameborder="0" height="102px" scrolling="no" src="https://anchor.fm/nhat-nguyen9/embed/episodes/Principle-of-Information-Security-Module-4-Risk-Management-part-1-e1mhd29" width="400px"></iframe></span></p><p style="text-align: center;"><span style="font-size: medium;"><br /></span></p><p><b><span style="font-size: medium;">By the end of this module, you should be able to:</span></b></p><p><span style="font-size: medium;"> </span></p><p></p><ol style="text-align: left;"><li><span style="font-size: medium;">Define risk management and describe its importance<br /><br /></span></li><li><span style="font-size: medium;">Explain the risk management framework and process model, including major components<br /><br /></span></li><li><span style="font-size: medium;">Define risk appetite and explain how it relates to residual risk<br /><br /></span></li><li><span style="font-size: medium;">Describe how risk is identified and documented<br /><br /></span></li><li><span style="font-size: medium;">Discuss how risk is assessed based on likelihood and impact<br /><br /></span></li><li><span style="font-size: medium;">Describe various options for a risk treatment and risk control strategy<br /><br /></span></li><li><span style="font-size: medium;">Discuss conceptual frameworks for evaluating risk controls and formulate a cost-benefit analysis<br /><br /></span></li><li><span style="font-size: medium;">Compare and contrast the dominant risk management methodologies</span></li></ol><div class="separator" style="clear: both; text-align: 
center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfOVptiNG1QWzFBRU-uZkiMQtCMwUJN7X3sU3yVBNSbMFuiOz-MSHob8vhoxwJ4_VV64AmFsMo0AAzJ-XNhBbYaUwPf63zZWLzOVcyOO91S_rK04WLAANxxBH9BPcTzECqI81fgc152sIFk9MkZceRNUFhDuOLOkxImVKlmAwyhixWQs1rSPV1b2DsoQ/s1282/introduction%20to%20risk%20management.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="656" data-original-width="1282" height="328" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfOVptiNG1QWzFBRU-uZkiMQtCMwUJN7X3sU3yVBNSbMFuiOz-MSHob8vhoxwJ4_VV64AmFsMo0AAzJ-XNhBbYaUwPf63zZWLzOVcyOO91S_rK04WLAANxxBH9BPcTzECqI81fgc152sIFk9MkZceRNUFhDuOLOkxImVKlmAwyhixWQs1rSPV1b2DsoQ/w640-h328/introduction%20to%20risk%20management.png" width="640" /></span></a></div><p style="text-align: center;"><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The upper management of an organization is responsible for overseeing, enabling, and supporting the structuring of IT and information security functions to defend its information assets. Part of upper management’s information security governance requirement is the establishment and support of an effective risk management (RM) program. The IT community must serve the information technology needs of the entire organization and at the same time leverage the special skills and insights of the InfoSec community in supporting the RM program. The InfoSec team must lead the way with skill, professionalism, and flexibility as it works with other communities of interest to balance the usefulness and security of information systems, as well as evaluating and controlling the risks facing the organization’s information assets.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">In the early days of IT, corporations used computer systems mainly to gain a definitive advantage over the competition. 
Establishing a superior business model, method, or technique enabled an organization to provide a product or service that created a competitive advantage. In the modern business environment, however, all competitors have reached a certain level of technological competence and resilience. IT is now readily available to all organizations that make the investment, allowing them to react quickly to changes in the market. In this highly competitive environment, organizations cannot expect the implementation of new technologies to provide a competitive lead over others in the industry. Instead, the concept of avoidance of competitive disadvantage—working to prevent falling behind the competition—has emerged. Effective IT-enabled organizations quickly absorb relevant emerging technologies not just to gain or maintain competitive advantage, but to avoid loss of market share from an inability to maintain the highly responsive services required by their stakeholders.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">To keep up with the competition, organizations must design and create safe environments in which their business processes and procedures can function. These environments must maintain confidentiality and privacy and assure the integrity of an organization’s data—objectives that are met by applying the principles of risk management. As an aspiring information security professional, you will play a key role in risk management.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">This module explores a variety of risk management approaches and provides a discussion of how risk is identified and assessed. 
The module includes a section on selecting and implementing effective control strategies for the protection of information assets in the modern organization.</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNVHNoUF3QsFJutZDqWgazweSP5x4eo33frxLsb-vM4qvoQr8cjOFr15piVXq_vNlsKlnziG2qU2OHrjL_mDCqRG43VV6H5UFKzJaS1ULNfehnojQI3Wx0IYAMxshbH-3OM7z30Qp2lLwo0g09-22JjsCEoWhfuWKoIQLgx37_66NTdLyYeuRGoYVvUA/s1289/Sun%20Tzu%20and%20the%20Art%20of%20Risk%20Management.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="546" data-original-width="1289" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNVHNoUF3QsFJutZDqWgazweSP5x4eo33frxLsb-vM4qvoQr8cjOFr15piVXq_vNlsKlnziG2qU2OHrjL_mDCqRG43VV6H5UFKzJaS1ULNfehnojQI3Wx0IYAMxshbH-3OM7z30Qp2lLwo0g09-22JjsCEoWhfuWKoIQLgx37_66NTdLyYeuRGoYVvUA/w640-h272/Sun%20Tzu%20and%20the%20Art%20of%20Risk%20Management.png" width="640" /></span></a></div><p style="text-align: center;"><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">In Module 1, you learned about the C.I.A. triad. Each of the three elements in the triad is an essential part of every organization’s ability to sustain long-term competitiveness. When an organization depends on IT-based systems to remain viable, InfoSec and the discipline of risk management must become an integral part of the economic basis for making business decisions. 
These decisions are based on trade-offs between the costs of applying information system controls and the benefits of using secured, available systems.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Chinese general Sun Tzu Wu’s quote, referenced earlier in this book, also has direct relevance to risk management:</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Consider the similarities between information security and warfare. Information security managers and technicians are the defenders of information. The many threats discussed in Module 2 constantly attack the defenses surrounding information assets. Defenses are built in layers by placing safeguards behind safeguards. The defenders attempt to prevent, protect, detect, and recover from a seemingly endless series of attacks. Moreover, those defenders are legally prohibited from deploying offensive tactics, so the attackers have no need to expend resources on defense. While the defenders need to win every battle, the attackers only need to win once. To be victorious, defenders must know themselves and their enemy.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Know Yourself</b></span></p><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;">You must identify, examine, and understand the current information and systems in your organization. 
To protect information assets, which were defined earlier in this book as information and the systems that use, store, and transmit information, you must know what those assets are, where they are, how they add value to the organization, and the vulnerabilities to which they are susceptible. Once you know what you have, you can identify what you are already doing to protect it. Just because a control is in place does not necessarily mean that the asset is protected. Frequently, organizations implement control mechanisms but then neglect the necessary periodic review, revision, and maintenance. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they remain effective.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Know the Enemy</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Having identified your organization’s assets and weaknesses, you move on to Sun Tzu’s second step: Know the enemy. This means identifying, examining, and understanding the threats facing the organization. 
You must determine which threat aspects most directly affect the security of the organization and its information assets, and then use this information to create a list of threats, each one ranked according to the importance of the information assets that it threatens.</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGzV4AniGVH0AtJObYcqGx7bNJEGJvHxhoYQ_WGwMeewkuCmYp6jzZjNShjwkW2ZZty7aLyfyeiWE9CJ-L_VaHc5jBcHMI2kHNu-PctGxZoJMiJRk_yw4NGmgza1zswuRkwwuwnvwaKkSsxInp6wc5j0X4jaIQVc5y7Zhw21kTEMtAGX5-GPdzTEQ-DA/s1290/The%20Risk%20Management%20Framework%201.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="528" data-original-width="1290" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGzV4AniGVH0AtJObYcqGx7bNJEGJvHxhoYQ_WGwMeewkuCmYp6jzZjNShjwkW2ZZty7aLyfyeiWE9CJ-L_VaHc5jBcHMI2kHNu-PctGxZoJMiJRk_yw4NGmgza1zswuRkwwuwnvwaKkSsxInp6wc5j0X4jaIQVc5y7Zhw21kTEMtAGX5-GPdzTEQ-DA/w640-h262/The%20Risk%20Management%20Framework%201.png" width="640" /></span></a></div><p style="text-align: center;"><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Risk management involves discovering and understanding answers to some key questions about the risk associated with an organization’s information assets:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Where and what is the risk (risk identification)?<br /><br /></span></li><li><span style="font-size: medium;">How severe is the current level of risk (risk analysis)?<br /><br /></span></li><li><span style="font-size: medium;">Is the current level of risk acceptable (risk evaluation)?<br /><br /></span></li><li><span style="font-size: medium;">What do I need to do to bring the risk 
to an acceptable level (risk treatment)?</span></li></ul><p></p><p><span style="font-size: medium;">The term risk assessment is commonly used to describe the entire set of activities associated with the first three questions, while risk treatment (or risk control) describes the fourth. Here, we will examine these activities individually to ensure that the distinctions between these stages are clear. InfoSec in an organization exists primarily to manage the risk to information assets stemming from the use of information. Managing risk is a key responsibility for every manager within an organization. Well-developed risk management programs rely on formal and repeatable processes. The coverage of risk management in this text was developed based on an extensive assessment of best practices in industry and government and of international standards. The international standard most closely aligned with the findings of this assessment—ISO 31000—was selected and adapted to facilitate ease of presentation and discussion.</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFLno3yVk1kr8R5agH2Q5L8V3SKI0adDW4ot6ECi-E1_fYl6kjBcOUMK-4FLF6jjK5ZOuLFGfEGUQ5mOf-HxsLW7YsPdNQD2NRkGx-QgFIrr5_ZslvJ00wKsrEyeguSnDX9RDd3y7rKrUhNIYyGkBNcVKfQL9DnZKp7_h9UL3ea2tcm1QquANarGfLVQ/s1284/The%20Risk%20Management%20Framework%202.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="575" data-original-width="1284" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFLno3yVk1kr8R5agH2Q5L8V3SKI0adDW4ot6ECi-E1_fYl6kjBcOUMK-4FLF6jjK5ZOuLFGfEGUQ5mOf-HxsLW7YsPdNQD2NRkGx-QgFIrr5_ZslvJ00wKsrEyeguSnDX9RDd3y7rKrUhNIYyGkBNcVKfQL9DnZKp7_h9UL3ea2tcm1QquANarGfLVQ/w640-h286/The%20Risk%20Management%20Framework%202.png" width="640" /></span></a></div><p style="clear: both; text-align: 
center;"><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfgz5LKLpXGmzGLG00r74WssKUq_xdKdFFea-xZ5wVuyU6A_zRm1lKLkN3648-MGbVJBdnR1r7DAlB8xBOSMAkhbOlqf7M5CGE0w52gzJPiGFu4pl3ReSHKlRqF6KlnPCKdEYpbxGwvZwgfe2-gBMlTL6v0O698ASrtqqtRuIbl_3XbefBNTspXiO3ZA/s1277/The%20Risk%20Management%20Framework%203.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="643" data-original-width="1277" height="322" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfgz5LKLpXGmzGLG00r74WssKUq_xdKdFFea-xZ5wVuyU6A_zRm1lKLkN3648-MGbVJBdnR1r7DAlB8xBOSMAkhbOlqf7M5CGE0w52gzJPiGFu4pl3ReSHKlRqF6KlnPCKdEYpbxGwvZwgfe2-gBMlTL6v0O698ASrtqqtRuIbl_3XbefBNTspXiO3ZA/w640-h322/The%20Risk%20Management%20Framework%203.png" width="640" /></span></a></div><p style="text-align: center;"><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Risk management is a complex operation that requires a formal methodology, much like the systems development life cycle (SDLC) discussed in Module 11. Figure 4-1 explores the entire approach to RM, which involves two key areas: the RM framework and the RM process. The RM framework is the overall structure of the strategic planning and design for the entirety of the organization’s RM efforts. The RM process is the implementation of risk management, as specified in the framework. In other words, the RM framework (planning) guides the RM process (doing), which conducts the processes of risk evaluation and remediation. 
The RM framework assesses the RM process, which in turn assesses risk in the organization’s information assets.</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXawzew2BdtebAuhXF1PY5z-aKGv-tgF441nwqc3PypXq6PMaLzEirYJw-dQKjEX8kl41Kt6rsMIOEJ0XhFLN3TCF4bfghP713Ka8NoAwhX15J-u8d3G_lw3JLIY_0UssO5BkS1YwndhQuI6OX3-MSOPt5Vb5V9xfQ19l01c0xZw75SEXR1A06C4OMUQ/s754/4-1.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="457" data-original-width="754" height="388" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXawzew2BdtebAuhXF1PY5z-aKGv-tgF441nwqc3PypXq6PMaLzEirYJw-dQKjEX8kl41Kt6rsMIOEJ0XhFLN3TCF4bfghP713Ka8NoAwhX15J-u8d3G_lw3JLIY_0UssO5BkS1YwndhQuI6OX3-MSOPt5Vb5V9xfQ19l01c0xZw75SEXR1A06C4OMUQ/w640-h388/4-1.png" width="640" /></span></a></div><p style="text-align: center;"><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The RM framework and the RM process are continuous improvement activities. That means they are ongoing, repetitive, and designed to continually assess current performance to improve future RM results. The RM framework repeatedly assesses and improves how the RM process is evaluating and reacting to risk. The framework also continuously assesses and improves how well the planning and review activities are being performed—the framework itself. 
As an example, in a manufacturing plant, executives oversee the measurement of product quality and manufacturing productivity (the results and the equivalent of the RM process) while also assessing the effectiveness of the management processes used to structure manufacturing (the equivalent of the RM framework).</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUN1TVJ-m8RecFynhM79pHGKfpaQbPDcARtmK_LzAql72xOjoZYdYwfK6-eWnfKE0GT8_swjpc4iHzSDSSjBIlmQkOJ5h9qN7mSjKI4Vuipkqizx6vrKSdRrxtUcu-crgy-hsq9AH9ED2LMVhsg4wKNI1j2afmGDT79W-5ErztuoT_FNPk7gU6NcR5fw/s1274/The%20Risk%20Management%20Framework%204.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="645" data-original-width="1274" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUN1TVJ-m8RecFynhM79pHGKfpaQbPDcARtmK_LzAql72xOjoZYdYwfK6-eWnfKE0GT8_swjpc4iHzSDSSjBIlmQkOJ5h9qN7mSjKI4Vuipkqizx6vrKSdRrxtUcu-crgy-hsq9AH9ED2LMVhsg4wKNI1j2afmGDT79W-5ErztuoT_FNPk7gU6NcR5fw/w640-h324/The%20Risk%20Management%20Framework%204.png" width="640" /></span></a></div><p style="text-align: center;"><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The left side of Figure 4-1 illustrates the major activities associated with the RM framework. As you have seen with other major InfoSec initiatives, this framework is developed and reviewed by an executive team led by a champion and organized using effective project management methods. Organizations that have existing RM programs may be able to adapt their operations to the methodology shown here, with minimum impact on their current efforts. Organizations that do not have formal RM programs—or have programs that are unsuccessful, inefficient, or ineffective—need to begin the process from scratch. 
The RM framework consists of five key stages:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Executive governance and support<br /><br /></span></li><li><span style="font-size: medium;">Framework design<br /><br /></span></li><li><span style="font-size: medium;">Framework implementation<br /><br /></span></li><li><span style="font-size: medium;">Framework monitoring and review<br /><br /></span></li><li><span style="font-size: medium;">Continuous improvement</span></li></ul><p></p><p><span style="font-size: medium;">While this framework is provided as an example of how to perform risk management in the organization, it is not by any means the only way to do RM. Each organization must decide for itself what works best from the multiple options available. The model shown here is adapted to be in alignment with an ISO standard, while others are based on industry standards or proprietary models.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">It would not be difficult for an organization to take the general recommendations of this RM framework and process and adapt it to fit the details of another methodology. 
Only those involved in the process know what’s best for their organizations.</span></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-834996857819749048.post-17690190337315534812022-08-11T13:05:00.005-07:002022-08-11T13:07:36.365-07:00Principle of Information Security Chapter 3<p style="text-align: left;"><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/07/principle-of-information-security_21.html" target="_blank">Module 3 Information Security Management part one</a></span></p><p style="text-align: left;"><br /></p><p style="text-align: left;"><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/07/principle-of-information-security_95.html" target="_blank">Module 3 Information Security Management part two</a></span></p><p style="text-align: left;"><br /></p><p style="text-align: left;"><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/07/principle-of-information-security_22.html" target="_blank">Module 3 Information Security Management part three</a></span></p><p style="text-align: left;"><br /></p><p style="text-align: left;"><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/07/principle-of-information-security_25.html" target="_blank">Module 3 Information Security Management part four</a></span></p><p style="text-align: left;"><br /></p><p style="text-align: left;"><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/07/principle-of-information-security_27.html" target="_blank">Module 3 Information Security Management part five</a></span></p><p style="text-align: left;"><br /></p><p style="text-align: left;"><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/08/principle-of-information-security.html" target="_blank">Module 3 Information Security Management part six</a></span></p><p style="text-align: left;"><br /></p><p style="text-align: left;"><span style="font-size: medium;"><a 
href="https://www.nnguyen14.com/2022/08/principle-of-information-security_5.html" target="_blank">Module 3 Information Security Management part seven</a></span></p><p style="text-align: left;"><br /></p><p style="text-align: left;"><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/08/principle-of-information-security_8.html" target="_blank">Module 3 Information Security Management part eight</a></span></p><p style="text-align: left;"><br /></p><p style="text-align: left;"><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/08/principle-of-information-security_10.html" target="_blank">Module 3 Information Security Management part nine</a></span></p><p style="text-align: left;"><br /></p><p style="text-align: left;"><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/08/principle-of-information-security_11.html" target="_blank">Module 3 Information Security Management part ten</a></span></p><p style="text-align: left;"><br /></p><p style="text-align: left;"><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/08/principle-of-information-security_47.html" target="_blank">Module 3 Information Security Management part eleven</a></span></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-834996857819749048.post-68418380306632180332022-08-11T11:36:00.006-07:002022-08-11T11:38:13.614-07:00Principle of Information Security Module 3 Information Security Management part 11<p style="text-align: center;"><span style="font-size: medium;"><iframe frameborder="0" height="102px" scrolling="no" src="https://anchor.fm/nhat-nguyen9/embed/episodes/Principle-of-Information-Security-Module-3-Information-Security-Management-part-11-e1md4p2" width="400px"></iframe><br /></span></p><p style="text-align: center;"><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlI_jjfR7Ulspi_uVZIbyWQ3DFlnw8cTo_rYT4MjkVqOkDcHJ-WyDTEIKRx-EGpySurpob5SX4WKlokiaqOYhToJ3pMJiZRWpPhNkZZx2nEPF_ZsrrWLwpPWmgn8JCnODhixtQ28SQJ3TG6ZWJAn5E-wk3YLqOrRls_ZzrM8V7VOo50hrwfTNjrLKpog/s1291/other%20sources%20of%20security.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="332" data-original-width="1291" height="164" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlI_jjfR7Ulspi_uVZIbyWQ3DFlnw8cTo_rYT4MjkVqOkDcHJ-WyDTEIKRx-EGpySurpob5SX4WKlokiaqOYhToJ3pMJiZRWpPhNkZZx2nEPF_ZsrrWLwpPWmgn8JCnODhixtQ28SQJ3TG6ZWJAn5E-wk3YLqOrRls_ZzrM8V7VOo50hrwfTNjrLKpog/w640-h164/other%20sources%20of%20security.jpg" width="640" /></span></a></div><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Many public and private organizations promote solid best security practices. Professional societies often provide information on best practices for their members. The Technology Manager’s Forum (www.techforum.com) has an annual best practice award in several areas, including information security. The Information Security Forum (www.securityforum.org) has a free publication titled “Standard of Good Practice for Information Security,” which outlines information security best practices.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Many organizations hold seminars and classes on best practices for implementing security; in particular, the Information Systems Audit and Control Association (www.isaca.org) hosts regular seminars. The International Association of Professional Security Consultants (www.iapsc.org) has a listing of best practices. At a minimum, information security professionals can peruse Web portals for posted security best practices. 
Several free portals dedicated to security have collections of best practices, such as SearchSecurity.com and NIST’s Computer Resources Center.</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB3GcIkKf4rknHHpGSchZ9R3k0x3qx0uMWFMynF0jSgVXvukVpuewp_NAATZY3jFw8UedLV1RBZnH9xgfynqOi57ScrLLvf1Yu24ZeCEAn-Qruk7Jx_JeQA2__ei91H75CaC-rK8tQQppsamrj-IB8IiWR56Jg-d6TOIUmnlWOAjCDKR2muyrX5nKjDw/s1268/design%20of%20the%20security%20architecture.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="576" data-original-width="1268" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjB3GcIkKf4rknHHpGSchZ9R3k0x3qx0uMWFMynF0jSgVXvukVpuewp_NAATZY3jFw8UedLV1RBZnH9xgfynqOi57ScrLLvf1Yu24ZeCEAn-Qruk7Jx_JeQA2__ei91H75CaC-rK8tQQppsamrj-IB8IiWR56Jg-d6TOIUmnlWOAjCDKR2muyrX5nKjDw/w640-h290/design%20of%20the%20security%20architecture.jpg" width="640" /></span></a></div><div class="separator" style="clear: both; text-align: center;"><span style="font-size: medium;"><br /></span></div><p><span style="font-size: medium;">To inform the discussion of information security program architecture and to illustrate industry best practices, the following sections outline a few key components of security architecture. 
Many of these components are examined in detail in later modules of the book, but this overview can help you assess whether a framework and blueprint are on target to meet an organization’s needs.</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW00810BM-KX3denIZlbA62qJZAAH6pRPVCinxl21e0UOtB28pT2kBCsPcIeyJvu8W9YgvwmihFXV89XUwyuVRztBgutxtHjhV1plxiykkKI31icPlnkKgRqNvzQgjAThiL0aVWDK3Rdg70bNAann2fSa2XazxACQd_FUPC2KL965bbDDf01YSIfEolA/s676/sphere%20of%20security%20figure%203-10.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="485" data-original-width="676" height="460" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW00810BM-KX3denIZlbA62qJZAAH6pRPVCinxl21e0UOtB28pT2kBCsPcIeyJvu8W9YgvwmihFXV89XUwyuVRztBgutxtHjhV1plxiykkKI31icPlnkKgRqNvzQgjAThiL0aVWDK3Rdg70bNAann2fSa2XazxACQd_FUPC2KL965bbDDf01YSIfEolA/w640-h460/sphere%20of%20security%20figure%203-10.png" width="640" /></span></a></div><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The spheres of security, shown in Figure 3-10, are the foundation of the security framework. Generally speaking, the spheres of security illustrate how information is under attack from a variety of sources. The right side of Figure 3-10 illustrates the ways in which internal users access information. For example, users can access hard copies of documents and information directly. Information, as the most important asset in this model, is at the center of the sphere. Information is always at risk from attacks whenever it is accessible by people or computer systems. 
Networks and the Internet are indirect threats, as exemplified by the fact that a person attempting to access information from the Internet must traverse local networks.</span></p><p><span style="font-size: medium;"><br /></span></p><p><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqP50-gmXEaTLAjl-l3h8-UCPPlOg89dazaOWiqLbahsPfV2noITFRzbQpcVwqwDu5-e1-Yn1fkk0duSWgxa_5jhK_Glx8XTGLzk6w9iC0yw-eHOBjOFhb3pCM3VbRCOdQTwl6Qkm75R8SpwB3yDgBt5Q04M8u8vnzk6LLSbvIJyGqv3_dSzt3uVmN2w/s1275/design%20of%20the%20architecture%202.jpg" style="margin-left: 1em; margin-right: 1em; text-align: center;"><span style="font-size: medium;"><img border="0" data-original-height="599" data-original-width="1275" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqP50-gmXEaTLAjl-l3h8-UCPPlOg89dazaOWiqLbahsPfV2noITFRzbQpcVwqwDu5-e1-Yn1fkk0duSWgxa_5jhK_Glx8XTGLzk6w9iC0yw-eHOBjOFhb3pCM3VbRCOdQTwl6Qkm75R8SpwB3yDgBt5Q04M8u8vnzk6LLSbvIJyGqv3_dSzt3uVmN2w/w640-h300/design%20of%20the%20architecture%202.jpg" width="640" /></span></a></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The left side of Figure 3-10 illustrates that a layer of protection must exist between each layer of the sphere of use. For example, “Policy and law” and “Education and training” are protections placed between people and the information. Controls are also implemented between systems and the information, between networks and the computer systems, and between the Internet and internal networks. This reinforces the concept of defense in depth. A variety of controls can be used to protect the information. The items of control shown in the figure are not intended to be comprehensive, but they illustrate some of the safeguards that can protect the systems closer to the center of the sphere. 
Because people can directly access each ring as well as the information at the core of the model, the side of the sphere of protection that attempts to control access by relying on people requires a different approach to security than the side that uses technology. The members of the organization must become a safeguard that is effectively trained, implemented, and maintained, or they too will present a threat to the information.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Information security is designed and implemented in three layers: policies, people (education, training, and awareness programs), and technology. These layers are commonly referred to as PPT. Each layer contains controls and safeguards to protect the information and information system assets that the organization values. But, before any technical controls or other safeguards can be implemented, the policies that define the management philosophies behind the security process must be in place.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Levels of Controls</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Information security safeguards provide three levels of control: managerial, operational, and technical. Managerial controls set the direction and scope of the security process and provide detailed instructions for its conduct. In addition, these controls address the design and implementation of the security planning process and security program management. 
They also address risk management and security control reviews (as described in Module 4), describe the necessity and scope of legal compliance, and set guidelines for the maintenance of the entire security life cycle.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Operational controls address personnel security, physical security, and the protection of production inputs and outputs. In addition, operational controls guide the development of education, training, and awareness programs for users, administrators, and management. Finally, they address hardware and software systems maintenance and the integrity of data.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Technical controls are the tactical and technical implementations of security in the organization. While operational controls address specific operating issues, such as developing and integrating controls into the business functions, technical controls include logical access controls, such as identification, authentication, authorization, accountability (including audit trails), cryptography, and the classification of assets and users.</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ9ZF4G2LyQEaMW2l9MkSHpKqJW8XSCIF-bvnkPeDOLUjqPKMWJcKxQnhomvdwnEUPqBjad1-vS9XiQRpOZSUlVnSxqHftn20fiG6lK2-Ave_ZA_GuukRJhrFETLJHy2H5i5g1OoXwaDB2myzyLAZLCs3AF0KBlpo3Zuklr7QjVGV2iqG7EgDJgoQ4yA/s670/3-11.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="489" data-original-width="670" height="468" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQ9ZF4G2LyQEaMW2l9MkSHpKqJW8XSCIF-bvnkPeDOLUjqPKMWJcKxQnhomvdwnEUPqBjad1-vS9XiQRpOZSUlVnSxqHftn20fiG6lK2-Ave_ZA_GuukRJhrFETLJHy2H5i5g1OoXwaDB2myzyLAZLCs3AF0KBlpo3Zuklr7QjVGV2iqG7EgDJgoQ4yA/w640-h468/3-11.png" width="640" /></span></a></div><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">A basic tenet of security architectures is the layered implementation of security. To achieve defense in depth, an organization must establish multiple layers of security controls and safeguards, which can be organized into policy, training and education, and technologies, as shown in the CNSS model presented in Module 1. While policy itself may not prevent attacks, it certainly prepares the organization to handle them; when coupled with other layers, policy can deter attacks. For example, the layer of training and education can help defend against attacks enabled by employee ignorance and social engineering. Technology is also implemented in layers, with detection equipment working in tandem with reaction technology behind access control mechanisms. Redundancy can be implemented at several points throughout the security architecture, such as in firewalls, proxy servers, and access controls. Figure 3-11 illustrates the concept of building controls in multiple and sometimes redundant layers. The figure shows firewalls and prevention IDPSs that use both packet-level rules (shown as the packet header in the diagram) and content analysis (shown as a database icon with the caption 0100101011). 
More information on firewalls and intrusion detection systems is presented in Modules 8 and 9, respectively.</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3iu0-5HhdLCIt-94rmoXGdCrmZWhOOauZiF0gBsMSj2vhCl1mRPlomG-6VGxyi468uFbeC_j1pCj98_0NhrkpRGIVa0zCsFpl_amU84bwrdeVvsBaVCvbxU-9FJ50TRZht17nVsY8Ei7sdJ_PfVyoj8cr7u_5GXO9D6l-3E6R9OEmMeyAMpuZsEN9UA/s734/3-12.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="483" data-original-width="734" height="422" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3iu0-5HhdLCIt-94rmoXGdCrmZWhOOauZiF0gBsMSj2vhCl1mRPlomG-6VGxyi468uFbeC_j1pCj98_0NhrkpRGIVa0zCsFpl_amU84bwrdeVvsBaVCvbxU-9FJ50TRZht17nVsY8Ei7sdJ_PfVyoj8cr7u_5GXO9D6l-3E6R9OEmMeyAMpuZsEN9UA/w640-h422/3-12.png" width="640" /></span></a></div><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">A perimeter is a boundary of an area. A security perimeter is the border of security that protects all internal systems from outside threats, as pictured in Figure 3-12. Unfortunately, the perimeter does not protect against internal attacks from employee threats or on-site physical threats. In addition, the emergence of mobile computing devices, telecommuting, and cloud-based functionality has made the definition and defense of the perimeter increasingly more difficult. This has led some security experts to declare the security perimeter extinct and call for an increased focus on improved system-level security and active policing of networked assets. An organization can have both an electronic security perimeter, usually at the exterior network or Internet connection, and a physical security perimeter, usually at the entrance to the organization’s offices. Both require perimeter security. 
Security perimeters can effectively be implemented as multiple technologies that segregate the protected information from potential attackers. Within security perimeters, the organization can establish security domains, each with differing levels of security, between which traffic must be screened. The assumption is that if people have access to one system within a security domain, they have authorized access to all systems within that domain. The security perimeter is an essential element of the overall security framework, and its implementation details are the core of the completed security blueprint. The key components of the security perimeter are firewalls, DMZs (demilitarized zones), proxy servers, and IDPSs. You will learn more about information security technologies in Modules 8, 9, and 10.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Many security experts argue that the security perimeter is dead. With the dramatic growth in popularity of cloud-based computing and data storage, and the continued use of mobile computing devices, they argue that there is no “inside” or “outside” to organizations’ networks anymore. Whether this is true is the subject of much debate. With the extensive use of cloud-based services to deliver key systems capability, including security-related functions, there is a growing movement toward realizing that a security perimeter is the entirety of an organization’s network presence, anywhere and everywhere the company’s data is, and that the use of defense in depth is still a valid approach to protecting it. 
Whether you subscribe to the “perimeter is dead” philosophy or not, the responsibility for protecting the organization’s data using every available resource is still alive and well.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Janet stood up from the conference table and left the room.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The meeting had not lasted long, considering how significant its impact would be on Janet’s life. Two officers from the corporate security team waited in the hallway to walk her to her office and collect her personal possessions, which were already in a box at her administrative assistant’s desk. Her access card, phone, tablet, and laptop were already turned in, and every password she had ever used at SLS had been deactivated.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">She was not looking forward to explaining this to her family.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The meeting in the room continued.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Fred asked, “Are we sure this was our only course? This seems harsh to me.”</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Janet’s superior, the senior vice president of marketing, nodded and said, “I have to say that I agree. Janet was a solid performer and will be difficult, and expensive, to replace.”</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Charlie added, “I know what you mean. Jamie Hyack, the network engineer, is the same, except he chose to enable Janet’s network access for her rotisserie league server without approval, without change control, and putting the company’s entire network at risk. 
He had to go.”</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Gladys took a breath and said, “Sadly, this was needed. We cannot have two tiers of enforcement in our application of policy. If we do not enforce this policy requirement on executives, how can we be expected to have compliance from other employees?”</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">She continued, “As Charlie pointed out when we decided on this course of action, we have to enforce the policy we have in place. We can make changes to it that we feel better about and enforce those changes in the future.”</span></p><p><span style="font-size: medium;"><br /></span></p><p><b><span style="font-size: medium;">Discussion Questions</span></b></p><p><span style="font-size: medium;"><br /></span></p><p></p><ol style="text-align: left;"><li><span style="font-size: medium;">Does this application of policy seem harsh to you? What alternatives might be implemented in policy to make it enforceable and perhaps less stringent than in this example?<br /><br /></span></li><li><span style="font-size: medium;">Are there other punishments that might be enacted for situations like this? How might you propose structuring the policy to clarify what levels of punishment are appropriate?</span></li></ol><p></p><p><b><span style="font-size: medium;">Ethical Decision Making</span></b></p><p><b><span style="font-size: medium;"><br /></span></b></p><p><span style="font-size: medium;">The policies that organizations put in place are similar to laws, in that they are directives for how to act properly. 
Like laws, policies should be impartial and fair, and are often founded on ethical and moral belief systems of the people who create them.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">In some cases, especially when organizations expand into foreign countries, they experience a form of culture shock when the laws of their new host country conflict with their internal policies. For example, suppose that SLS has expanded its operations into France. Setting aside any legal requirements that SLS make its policies conform to French law, does SLS have an ethical imperative to modify its policies across the company in all of its locations to better meet the needs of its stakeholders in the new country?</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Suppose SLS has altered its policies for all operations in France and that the changes are much more favorable to employees—such as a requirement to provide childcare and eldercare services at no cost to employees. Is SLS under any ethical burden to offer the same benefit to employees in its home country? 
</span></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-834996857819749048.post-30237653638515581922022-08-11T10:08:00.002-07:002022-08-11T10:09:01.564-07:00Principle of Information Security Module 3 Information Security Management part 10<p style="text-align: center;"><span style="font-size: medium;"><iframe frameborder="0" height="102px" scrolling="no" src="https://anchor.fm/nhat-nguyen9/embed/episodes/Principle-of-Information-Security-Module-3-Information-Security-Management-part-10-e1mcoou" width="400px"></iframe></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>NIST Security Models</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Other approaches to security are described in the many documents available from the NIST Computer Security Resource Center (http://csrc.nist.gov). Because the NIST documents are publicly available at no charge and have been for some time, they have been broadly reviewed by government and industry professionals, and were among the references cited by the U.S. government when it decided not to select the ISO/IEC 17799 (now 27000 series) standards. The following NIST documents can assist in the design of a security framework:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">SP 800-12, Rev. 1: “An Introduction to Information Security”<br /><br /></span></li><li><span style="font-size: medium;">SP 800-18, Rev. 1: “Guide for Developing Security Plans for Federal Information Systems”<br /><br /></span></li><li><span style="font-size: medium;">SP 800-30, Rev. 1: “Guide for Conducting Risk Assessments”<br /><br /></span></li><li><span style="font-size: medium;">SP 800-37, Rev. 
2: “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy”<br /><br /></span></li><li><span style="font-size: medium;">SP 800-39: “Managing Information Security Risk: Organization, Mission, and Information System View”<br /><br /></span></li><li><span style="font-size: medium;">SP 800-50: “Building an Information Technology Security Awareness and Training Program”<br /><br /></span></li><li><span style="font-size: medium;">SP 800-55, Rev. 1: “Performance Measurement Guide for Information Security”<br /><br /></span></li><li><span style="font-size: medium;">SP 800-100: “Information Security Handbook: A Guide for Managers”</span></li></ul><p></p><p><span style="font-size: medium;">Many of these documents have been referenced elsewhere in this book as sources of information for the management of security. The following sections examine select documents in this series as they apply to the blueprint for information security.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>NIST SP 800-12</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">SP 800-12, Rev. 1, “An Introduction to Information Security,” is an excellent reference and guide for the security manager or administrator in the routine management of information security. 
It provides little guidance, however, for the design and implementation of new security systems, and therefore should be used only as a precursor to understanding an information security blueprint.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>NIST SP 800-14</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">SP 800-14, “Generally Accepted Principles and Practices for Securing Information Technology Systems,” provides best practices and security principles that can direct the security team in the development of a security blueprint. Even though this legacy publication has been “retired,” there is not yet a replacement document in the NIST SP series that provides a better basic grounding in information security. In addition to detailing security best practices across the spectrum of security areas, it provides philosophical principles that the security team should integrate into the entire information security process:</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b><i>Security supports the mission of the organization</i></b>—Failure to develop an information security system based on the organization’s mission, vision, and culture guarantees the failure of the information security program.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b><i>Security is an integral element of sound management</i></b>—Effective management includes planning, organizing, leading, and controlling. Security enhances management functions by providing input during the planning process for organizational initiatives. 
Information security controls support sound management via the enforcement of managerial and security policies.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b><i>Security should be cost-effective</i></b>—The costs of information security should be considered part of the cost of doing business, much like the costs of computers, networks, and voice communications systems. Security is not a profit-generating area of the organization and may not lead to competitive advantages. Information security should justify its own costs. The use of security measures that do not justify their cost must have a strong business justification, such as a legal requirement.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b><i>Systems owners have security responsibilities outside their own organizations</i></b>—Whenever systems store and use information from customers, patients, clients, partners, or others, the security of this information becomes the responsibility of the systems’ owners. These owners are expected to diligently work with each other to assure the confidentiality, integrity, and availability of the entire value chain of their interconnected systems.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b><i>Security responsibilities and accountability should be made explicit</i></b>—Policy documents should clearly identify the security responsibilities of users, administrators, and managers. To be legally binding, the policies must be documented, disseminated, read, understood, and agreed to by all involved members of the organization. As noted in Module 6, ignorance of the law is no excuse, but ignorance of policy is. 
Organizations should also provide information about relevant laws in issue-specific security policies.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b><i>Security requires a comprehensive and integrated approach</i></b>—Security personnel alone cannot effectively implement security. As emphasized throughout this textbook, security is everyone’s responsibility. The three communities of interest—information technology management and professionals; information security management and professionals; and users, managers, administrators, and other stakeholders—should participate in the process of developing a comprehensive information security program.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b><i>Security should be periodically reassessed</i></b>—Information security that is implemented and then ignored is considered negligent because the organization has not demonstrated due diligence. Security is an ongoing process. To be effective against a constantly shifting set of threats and a changing user base, the security process must be periodically repeated. Continuous analyses of threats, assets, and controls must be conducted and new blueprints developed. Only thorough preparation, design, implementation, vigilance, and ongoing maintenance can secure the organization’s information assets.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b><i>Security is constrained by societal factors</i></b>—Several factors influence the implementation and maintenance of security controls and safeguards, including legal demands, shareholder requirements, and even business practices. 
For example, security professionals generally prefer to isolate information assets from the Internet, which is the leading avenue of threats to the assets, but the business requirements of the organization may preclude this control measure.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>NIST SP 800-18, Rev. 1</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">SP 800-18, Rev. 1, “Guide for Developing Security Plans for Federal Information Systems,” can be used as the foundation for a comprehensive security blueprint and framework. This publication provides detailed methods for assessing, designing, and implementing controls and plans for applications of varying size. SP 800-18, Rev. 1, can serve as a useful guide to the activities described in this module and as an aid in the planning process. It also includes templates for major application security plans. As with any publication of this scope and magnitude, SP 800-18, Rev. 
1, must be customized to fit the particular needs of an organization.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>NIST and the Risk Management Framework</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">NIST’s approach to managing risk in the organization, titled the Risk Management Framework (RMF), emphasizes the following:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Building information security capabilities into federal information systems through the application of state-of-the-practice management, operational, and technical security controls.<br /><br /></span></li><li><span style="font-size: medium;">Maintaining awareness of the security state of information systems on an ongoing basis through enhanced monitoring processes.<br /><br /></span></li><li><span style="font-size: medium;">Providing essential information to help senior leaders make decisions about accepting risk to an organization’s operations and assets, individuals, and other organizations arising from the use of information systems.<br /></span></li></ul><b><span style="font-size: medium;">The RMF has the following characteristics:</span></b><p></p><p><span style="font-size: medium;"><br /></span></p><ul style="text-align: left;"><li><span style="font-size: medium;">Promotes the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring.<br /><br /></span></li><li><span style="font-size: medium;">Encourages the use of automation to provide senior leaders with necessary information to make cost-effective, risk-based decisions about information systems that support an organization’s core missions and business functions.<br /><br /></span></li><li><span style="font-size: medium;">Integrates information security 
into the enterprise architecture and system development life cycle.<br /><br /></span></li><li><span style="font-size: medium;">Emphasizes the selection, implementation, assessment, and monitoring of security controls and the authorization of information systems.<br /><br /></span></li><li><span style="font-size: medium;">Links risk management processes at the information system level to risk management processes at the organization level through a risk executive function.<br /><br /></span></li><li><span style="font-size: medium;">Establishes responsibility and accountability for security controls deployed within an organization’s information systems and inherited by those systems (i.e., common controls).</span></li></ul><p></p><p><span style="font-size: medium;">The NIST Risk Management Framework is discussed in detail in Module 4, “Risk Management.”</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>The NIST Cybersecurity Framework</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">In early 2014, NIST published a new Cybersecurity Framework in response to Executive Order 13636 from President Obama. NIST’s mandate was to create a voluntary framework that provides an effective approach to “manage cybersecurity risk for those processes, information, and systems directly involved in the delivery of critical infrastructure services.”* The resulting framework, which is designed specifically to be vendor-neutral, closely resembles the other approaches described in this textbook, but it provides additional structure to the process, if not detail. The NIST framework builds on and works closely with the RMF described in the previous section. 
The framework document represents the integration of previously discussed special publications from NIST, in a form that makes the framework easier to understand and enables organizations to implement an information security improvement program.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The intent of the framework is to allow organizations to: “1) Describe their current cybersecurity posture; 2) Describe their target state for cybersecurity; 3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process; 4) Assess progress toward the target state; and 5) Communicate among internal and external stakeholders about cybersecurity risk.”</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>The NIST framework consists of three fundamental components:</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b><i>The framework core</i></b>—This is a set of information security activities an organization is expected to perform, as well as their desired results. 
These core activities are as follows:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">“<b><i>Identify</i></b>—Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.<br /><br /></span></li><li><span style="font-size: medium;"><b><i>Protect</i></b>—Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.<br /><br /></span></li><li><span style="font-size: medium;"><b><i>Detect</i></b>—Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.<br /><br /></span></li><li><span style="font-size: medium;"><b><i>Respond</i></b>—Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.<br /><br /></span></li><li><span style="font-size: medium;"><b><i>Recover</i></b>—Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.”</span></li></ul><p></p><p><span style="font-size: medium;"><b><i>The framework tiers</i></b>—The framework then provides a self-defined set of tiers so organizations can relate the maturity of their security programs and implement corresponding measures and functions. 
The four tiers include the following:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;"><b><i>Tier 1: Partial</i></b>—In this category, an organization does not have formal risk management practices, and security activities are relatively informal and ad hoc.<br /><br /></span></li><li><span style="font-size: medium;"><b><i>Tier 2: Risk Informed</i></b>—Organizations in this category have developed but not fully implemented risk management practices, and have just begun their formal security programs, so security is not fully established across the organization.<br /><br /></span></li><li><span style="font-size: medium;"><b><i>Tier 3: Repeatable</i></b>—Organizations in this category not only have risk management practices formally established, they have documented policy implemented. The organization has begun a repeatable security program to improve its approach to information protection and proactively manage risk to information assets.<br /><br /></span></li><li><span style="font-size: medium;"><b><i>Tier 4: Adaptive</i></b>—The most mature organization falls into this tier. The organization not only has well-established risk management and security programs, it can quickly adapt to new environments and threats. The organization is experienced at managing risk and responding to threats and has integrated security completely into its culture.</span></li></ul><p></p><p><span style="font-size: medium;"><b><i>The framework profile</i></b>—Organizations are expected to identify which tier their security programs most closely match and then use corresponding recommendations within the framework to improve their programs. This framework profile is then used to perform a gap analysis—comparing the current state of information security and risk management to a desired state, identifying the difference, and developing a plan to move the organization toward the desired state. 
This approach is identical to the approaches outlined elsewhere in this text.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Using the materials provided in the NIST framework, organizations are encouraged to follow a seven-step approach to implementing or improving their risk management and information security programs:</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Step 1</b>. <b><i>Prioritize and scope</i></b>—The organization identifies its business/mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Step 2</b>. <b><i>Orient</i></b>—Once the scope of the cybersecurity program has been determined for the business line or process, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. The organization then identifies threats to, and vulnerabilities of, those systems and assets.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Step 3</b>. <b><i>Create a current profile</i></b>—The organization develops a current profile by indicating which category and subcategory outcomes from the framework core are currently being achieved.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Step 4</b>. <b><i>Conduct a risk assessment</i></b>—This assessment could be guided by the organization’s overall risk management process or previous risk assessment activities. 
The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Step 5</b>. <b><i>Create a target profile</i></b>—The organization creates a target profile that focuses on the assessment of the framework categories and subcategories describing the organization’s desired cybersecurity outcomes.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Step 6</b>. <b><i>Determine, analyze, and prioritize gaps</i></b>—The organization compares the current profile and the target profile to determine gaps. Next it creates a prioritized action plan to address those gaps that draws upon mission drivers, a cost-benefit analysis, and understanding of risk to achieve the outcomes in the target profile. The organization then determines resources necessary to address the gaps.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Step 7</b>. <b><i>Implement action plan</i></b>—The organization determines which actions to take in regards to the gaps, if any, identified in the previous step. 
It then monitors its current cybersecurity practices against the target profile.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">As you will learn in Module 11 while studying the SDLC waterfall methodology, the preceding steps are designed to be an iterative process that gradually moves the organization closer to a Tier 4 security level and results in a better approach to risk management and information protection.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">NIST also publishes a “Roadmap for Improving Critical Infrastructure Cybersecurity,” which supplements the framework with additional guidance and offers insight into its future development and refinement as an evolving, living document.</span></p>

Principle of Information Security Module 3 Information Security Management part 9 (published 2022-08-10)<p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOanTOqRvQmUh126stwXd67c00Q4RijesXZJJlNassfHJ2DKpVFANGw9PiXdGtiwobbd2rXo4Oo69EZ8qW--XLdwyW8WULEnWwpnFBQE9J9GPRz8vmPmnH3-FzbNxEGRosD3sfy-PrgVYp182d5hTrNI5HZnINwqVYFwriicvt-sX5JWQ91k3EU7UEfg/s763/security%20education.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="330" data-original-width="763" height="276" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOanTOqRvQmUh126stwXd67c00Q4RijesXZJJlNassfHJ2DKpVFANGw9PiXdGtiwobbd2rXo4Oo69EZ8qW--XLdwyW8WULEnWwpnFBQE9J9GPRz8vmPmnH3-FzbNxEGRosD3sfy-PrgVYp182d5hTrNI5HZnINwqVYFwriicvt-sX5JWQ91k3EU7UEfg/w640-h276/security%20education.jpg" width="640" /></span></a></div><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Everyone in an organization needs to be trained and made aware of information security, but not everyone needs a formal degree or certificate in information security. When management agrees that formal education is appropriate, an employee can investigate courses in continuing education from local institutions of higher learning. Several universities have formal coursework in information security. For people who are interested in researching formal information security programs, resources are available, such as the DHS/NSA-designated National Centers of Academic Excellence program. This program identifies universities that have had their coursework and practices in information security reviewed and found to meet national standards. 
Other local resources can also provide information on security education, such as Kennesaw State University’s Institute for Cybersecurity Workforce Development (cyberinstitute.kennesaw.edu).</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL5tLQCNvlkl3QBVCe5iQsBM59mR8GLQLhsrWyPBE8j-gpOkJXiYsSr2b3U7YQVQ5W90_5CwoGS2Ps8CDBX48R2y1xawIBQyS-JmO64-h3ryTJIrhzXvySKLHP0kYTu6MejlLkPbMuST1eiap3YD1NOB5h85i4f-xuCu3XpZ__VVZafavsC71iyv3LZQ/s771/security%20training.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="374" data-original-width="771" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL5tLQCNvlkl3QBVCe5iQsBM59mR8GLQLhsrWyPBE8j-gpOkJXiYsSr2b3U7YQVQ5W90_5CwoGS2Ps8CDBX48R2y1xawIBQyS-JmO64-h3ryTJIrhzXvySKLHP0kYTu6MejlLkPbMuST1eiap3YD1NOB5h85i4f-xuCu3XpZ__VVZafavsC71iyv3LZQ/w640-h310/security%20training.jpg" width="640" /></span></a></div><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Security training provides employees with detailed information and hands-on instruction to prepare them to perform their duties securely. Management of information security can develop customized in-house training or outsource the training program.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Alternatives to formal training programs are industry training conferences and programs offered through professional organizations such as SANS, ISC2, and ISSA. All of these organizations are described in other modules. 
Many of these programs are too technical for the average employee, but they may be ideal for the continuing education requirements of information security professionals.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">A new venue for security training for both security professionals and the average end user is Massive Open Online Courses, which are available from a number of vendors, including Coursera. Many of these courses are free to enroll in, and a certificate of completion is provided upon payment of a nominal fee. The list of available topics ranges from the traditional academic introduction to security to technical topics and general information.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Several resources for conducting SETA programs offer assistance in the form of sample topics and structures for security classes. For organizations, the Computer Security Resource Center at NIST provides several useful documents free of charge in its special publications area.</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixo4mbdwz_inN_8l6gEUrLMLxzKvfNYoD0W9N1JywshpajCC8abD5y-M30hSe1Zb5b4D2DJmMnAmCeANq7MHWz7u_S_X6zgtWD2SP_-MHdvD49MttfTqyWuvG8CXXPVYqw9ztpkEf2j1CdGcy2rONiBiA4LDNbLAbS_r1Xyv9kJ8QXkA8hZZVKngEy5g/s780/security%20awareness.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="323" data-original-width="780" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixo4mbdwz_inN_8l6gEUrLMLxzKvfNYoD0W9N1JywshpajCC8abD5y-M30hSe1Zb5b4D2DJmMnAmCeANq7MHWz7u_S_X6zgtWD2SP_-MHdvD49MttfTqyWuvG8CXXPVYqw9ztpkEf2j1CdGcy2rONiBiA4LDNbLAbS_r1Xyv9kJ8QXkA8hZZVKngEy5g/w640-h266/security%20awareness.jpg" width="640" /></span></a></div><p><span 
style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">A security awareness program is one of the least frequently implemented but most beneficial programs in an organization. It is designed to keep information security at the forefront of users’ minds. These programs don’t have to be complicated or expensive. Good programs can include newsletters, security posters (see Figure 3-8 for an example), videos, bulletin boards, flyers, and trinkets. Trinkets can include security slogans printed on mouse pads, coffee cups, T-shirts, pens, or any object frequently used during the workday that reminds employees of security. In addition, a good security awareness program requires a dedicated person who is willing to invest time and effort in promoting the program, and a champion willing to provide the needed financial support.</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2latePugpcjYdibozaRN6JXb5XqR3YmH1zjvC4RlOu3ZGZFF2Sfa7ILIOE8d8QS49od9Zswv_gtgsGgdyGb4BC5MGYZxMUX3_aeZR1MPXsV8l786AXj5mu6ewGPfnWtDBrdWQIAVp3jn2lpHnQP7AzVdLaia-99tKGCnHybG7vzy8ACcNDBDt-W7UNg/s589/3-8.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="219" data-original-width="589" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2latePugpcjYdibozaRN6JXb5XqR3YmH1zjvC4RlOu3ZGZFF2Sfa7ILIOE8d8QS49od9Zswv_gtgsGgdyGb4BC5MGYZxMUX3_aeZR1MPXsV8l786AXj5mu6ewGPfnWtDBrdWQIAVp3jn2lpHnQP7AzVdLaia-99tKGCnHybG7vzy8ACcNDBDt-W7UNg/w640-h238/3-8.jpg" width="640" /></span></a></div><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The security newsletter is among the most cost-effective methods of disseminating security information and news to employees. 
Newsletters can be distributed via hard copy, e-mail, or intranet. Topics can include new threats to the organization’s information assets, the schedule for upcoming security classes, and the addition of new security personnel. The goal is to keep the idea of information security in users’ minds and to stimulate users to care about security. If a security awareness program is not actively implemented, employees may begin to neglect security matters, and the risk of employee accidents and failures is likely to increase.</span></p><p><span style="font-size: medium;"><br /></span></p><p><b><span style="font-size: medium;">Information Security Blueprint, Models, and Frameworks</span></b></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Once an organization has developed its information security policies and standards, the information security community can begin developing the blueprint for the information security program. The organization’s policy will guide the selection and development of the blueprint, and the organization will use the blueprint to guide the implementation of the rest of the security program. This information security blueprint is the plan and basis for the design, selection, and implementation of all security program elements, including policies, risk management programs, education and training programs, technological controls, and program maintenance.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The blueprint is the organization’s detailed implementation of an information security framework. The blueprint specifies tasks and the order in which they are to be accomplished, just as an architect’s blueprint serves as the design template for the construction of a building. 
The framework is the philosophical foundation from which the blueprint is designed, like the style or methodology in which an architect was trained.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">In choosing the framework to use for an information security blueprint, the organization should consider adapting or adopting a recognized or widely accepted information security model backed or promoted by an established security organization or agency. This exemplar framework can outline steps for designing and implementing information security in the organization. Several published information security frameworks from government agencies and other sources are presented later in this module. Because each information security environment is unique, the security team may need to modify or adapt pieces from several frameworks. Experience teaches that what works well for one organization may not precisely fit another.</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji9faLABmvOUlnadU-2elJemAl_pRY_6WFuL89XFxq8U5ybMd_MC5I9wwTo3VWXxqDwWpyBE0MJjetfQ0PUxWssUtMsCvijs0rjQMHiSuhi8GP3i0NgPnS7fIHibebzY7mxboK9Ak6rUXEo9qQVQKr-avhYD25SWOpAlk5KnAktGKJID40GxPyr9dI1g/s1258/The%20ISO%2027000%20Series.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="489" data-original-width="1258" height="248" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji9faLABmvOUlnadU-2elJemAl_pRY_6WFuL89XFxq8U5ybMd_MC5I9wwTo3VWXxqDwWpyBE0MJjetfQ0PUxWssUtMsCvijs0rjQMHiSuhi8GP3i0NgPnS7fIHibebzY7mxboK9Ak6rUXEo9qQVQKr-avhYD25SWOpAlk5KnAktGKJID40GxPyr9dI1g/w640-h248/The%20ISO%2027000%20Series.png" width="640" /></span></a></div><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">One of the most widely 
referenced security models is Information Technology—Code of Practice for Information Security Management, which was originally published as British Standard BS 7799 (Part 1). In 2000, this code of practice was adopted as ISO/IEC 17799, an international standard framework for information security, by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard has been regularly revised and updated, and today it is part of an entire portfolio of standards related to the design, implementation, and management of an “information security management system.” The version released in 2000 was revised in 2005 to become ISO/IEC 17799:2005, and it was then renumbered as ISO/IEC 27002 in 2007 to align it with ISO/IEC 27001.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">While the details of most of the ISO/IEC 27000 series are available only to those who purchase the standards (ISO/IEC 27000 itself, the overview and vocabulary document, is the exception and is freely available from ISO), the structure and general organization of the series are well known and are becoming increasingly significant for all who work in information security. 
For a summary description of the structure of ISO/IEC 27002:2013, the edition this module describes, see Table 3-5. Note that ISO/IEC 27002:2022 has since replaced it: the 2022 edition regroups the controls into four themes (organizational, people, physical, and technological) and consolidates them into 93 controls, so the 14-clause structure in Table 3-5 applies to the 2013 edition only.</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRr8ChU8MU4FiQGT20Rq1gYZhMbg5nrNajpNDC-RdpJk1SKqcFtCIxHJgojCepYZFqoICyNJ0hPJP2Ta51CbYmPr7WYOxTbcu3Pb5vbdiNBVnZDhhALcPD-1AK5SiaWICksf7P6DGq-qh3oQjfm54L3164tFdY7aNhChb9wYBctvHfiAk3gib1o-3lmQ/s723/3-5.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="723" data-original-width="497" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRr8ChU8MU4FiQGT20Rq1gYZhMbg5nrNajpNDC-RdpJk1SKqcFtCIxHJgojCepYZFqoICyNJ0hPJP2Ta51CbYmPr7WYOxTbcu3Pb5vbdiNBVnZDhhALcPD-1AK5SiaWICksf7P6DGq-qh3oQjfm54L3164tFdY7aNhChb9wYBctvHfiAk3gib1o-3lmQ/s16000/3-5.png" /></span></a></div><p><span style="font-size: medium;"><br /></span></p><p><b><span style="font-size: medium;">Here is the stated purpose of ISO/IEC 27002, as derived from its ISO/IEC 17799 origins:</span></b></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices, including the selection, implementation, and management of controls, taking into consideration the organization’s information security risk environment(s).</span></p><p><span style="font-size: medium;"><br /></span></p><p><b><span style="font-size: medium;">It is designed to be used by organizations that intend to:</span></b></p><p><b><span style="font-size: medium;"><br /></span></b></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Select controls within the process of implementing an information security management system based on ISO/IEC 27001;<br /><br /></span></li><li><span style="font-size: 
medium;">Implement commonly accepted information security controls;<br /><br /></span></li><li><span style="font-size: medium;">Develop their own information security management guidelines.</span></li></ul><p></p><p><span style="font-size: medium;">ISO/IEC 27002:2013 is focused on a broad overview of the various areas of security. It provides information on 14 security control clauses and addresses 35 control objectives and 114 individual controls. Its companion document, ISO/IEC 27001:2013 (revised again in 2022), specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS); its Annex A lists the ISO/IEC 27002 controls, and ISO/IEC 27002 supplies the guidance for implementing them. ISO/IEC 27001’s primary purpose is to be used as a standard so organizations can adopt it to obtain certification and build an information security program; ISO 27001 serves better as an assessment tool than as an implementation framework. ISO 27002 is for organizations that want information about implementing security controls; it is not a standard used for certification. Figure 3-9 illustrates the ISO 27001 process.</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ-flFeqjN3FDmc1Z9yAaw2qOKx4Js25UpoUWvnS0QmVwLW0C97O5ruSxWDRDd9UXehO5cFEeho4b1tcKjzzg9RSfY1f2wHK-rhJxmsK9OsXfpZ5mzd55Jd_h_jrDZZFXdyCTZZu8zGpzM0fbyl9zeZTUDG3W8hhauSqJSV_nen92vDhn0rT4xMshqLw/s550/3-9.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="550" data-original-width="511" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZ-flFeqjN3FDmc1Z9yAaw2qOKx4Js25UpoUWvnS0QmVwLW0C97O5ruSxWDRDd9UXehO5cFEeho4b1tcKjzzg9RSfY1f2wHK-rhJxmsK9OsXfpZ5mzd55Jd_h_jrDZZFXdyCTZZu8zGpzM0fbyl9zeZTUDG3W8hhauSqJSV_nen92vDhn0rT4xMshqLw/s16000/3-9.png" /></span></a></div><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">In the United Kingdom, correct 
implementation of both volumes of these standards had to be determined by a BS7799-certified evaluator before organizations could obtain ISMS certification and accreditation. When the standard first came out, several countries, including the United States, Germany, and Japan, refused to adopt it, claiming that it had fundamental problems:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">The global information security community had not defined any justification for a code of practice identified in ISO/IEC 17799.<br /><br /></span></li><li><span style="font-size: medium;">The standard lacked the measurement precision associated with a technical standard.<br /><br /></span></li><li><span style="font-size: medium;">There was no reason to believe that ISO/IEC 17799 was more useful than any other approach.<br /><br /></span></li><li><span style="font-size: medium;">It was not as complete as other frameworks.<br /><br /></span></li><li><span style="font-size: medium;">The standard was hurriedly prepared given the tremendous impact its adoption could have on industry information security controls.</span></li></ul><p></p><p><span style="font-size: medium;">The ISO/IEC 27000 series is becoming increasingly important in the field, especially among global organizations. 
Many certification bodies and corporate organizations are complying with it or will someday be expected to comply with it.</span></p>

Principle of Information Security Module 3 Information Security Management part 8 (published 2022-08-08)<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0hZN96hovHpCJmQ2nI4E13mTGbN8u43E1jtzcYmZKn7VogfnhmN2EoDLmRvv54U-nHtbUIPly6sXgWwmLsSkZx6R7qhXhtBd-VDw1aKaclWjXF-YaU9IOLO30ETsQtTT0BEC0TyNDCNwa3D2KBXU0foMJ7d0zxpB_287LoOaLluuQwWvC3uO8fxPx1w/s776/policy%20management.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="350" data-original-width="776" height="288" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0hZN96hovHpCJmQ2nI4E13mTGbN8u43E1jtzcYmZKn7VogfnhmN2EoDLmRvv54U-nHtbUIPly6sXgWwmLsSkZx6R7qhXhtBd-VDw1aKaclWjXF-YaU9IOLO30ETsQtTT0BEC0TyNDCNwa3D2KBXU0foMJ7d0zxpB_287LoOaLluuQwWvC3uO8fxPx1w/w640-h288/policy%20management.jpg" width="640" /></a></div><p></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Policies are living documents that must be managed. It is unacceptable to create such an important set of documents and then shelve them. These documents must be properly distributed, read, understood, agreed to, uniformly applied, and managed. How they are managed should be specified in the policy management section of the issue-specific policy described earlier. 
Good management practices for policy development and maintenance make for a more resilient organization. For example, all policies, including security policies, undergo tremendous stress when corporate mergers and divestitures occur. In such situations, employees are faced with uncertainty and many distractions. System vulnerabilities can arise, for instance, if incongruent security policies are implemented in different parts of a newly merged organization. When two companies merge but retain separate policies, the difficulty of implementing security controls increases. Likewise, when one company with unified policies splits in two, each new company may require different policies.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">To remain viable, security policies must have a responsible manager, a schedule of reviews, a method for making recommendations for reviews, and a policy issuance and revision date.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Responsible Manager</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Just as information systems and information security projects must have champions and managers, so must policies. The policy manager is often called the policy administrator. Note that the policy administrator does not necessarily have to be proficient in the relevant technology. While practicing information security professionals require extensive technical knowledge, policy management and policy administration require only a moderate technical background. It is good practice, however, for policy administrators to solicit input both from technically adept information security experts and from business-focused managers in each community of interest when revising security policies. 
The administrator should also notify all affected members of the organization when the policy is modified.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">It is disheartening when a policy that required hundreds of staff hours to develop and document is ignored. Thus, someone must be responsible for placing the policy and all subsequent revisions into the hands of people who are accountable for its implementation. The policy administrator must be clearly identified in the policy document as the primary point of contact for additional information or suggested revisions to the policy.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Schedule of Reviews</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Policies can only retain their effectiveness in a changing environment if they are periodically reviewed for currency and accuracy and then modified accordingly. Policies that are not kept current can become liabilities as outdated rules are enforced (or not) and new requirements are ignored. To demonstrate due diligence, an organization must actively seek to meet the requirements of the market in which it operates. This applies to government, academic, and nonprofit organizations as well as private, for-profit organizations. A properly organized schedule of reviews should be defined and published as part of the document. 
Typically, a policy should be reviewed at least annually to ensure that it is still an effective control.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Review Procedures and Practices</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">To facilitate policy reviews, the policy manager should implement a mechanism by which people can comfortably make recommendations for revisions, whether via e-mail, office mail, or an anonymous drop box. If the policy is controversial, anonymous submission of recommendations may be the best way to encourage staff opinions. Many employees are intimidated by management and hesitate to voice honest opinions about a policy unless they can do so anonymously. Once the policy has come up for review, all comments should be examined, and management-approved improvements should be implemented. In reality, most policies are drafted by a single responsible employee and then reviewed by a higher-level manager, but even this method does not preclude the collection and review of employee input.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Policy, Review, and Revision Dates</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The simple action of dating the policy is often omitted. When policies are drafted and published without dates, confusion can arise. If policies are not reviewed and kept current, or if members of the organization are following undated versions, disastrous results and legal headaches can ensue. Such problems are particularly common in a high-turnover environment. Therefore, the policy must contain the date of origin and the date(s) of any reviews and/or revisions. If the policy is reviewed and considered up to date, a review date is applied to the document. 
If it is reviewed and determined to need updating, a revision date is applied once the update is complete. Some policies may also need a sunset clause that indicates their expiration date, particularly if the policies govern information use in short-term business associations. Establishing a policy end date prevents a temporary policy from mistakenly becoming permanent, and it also enables an organization to gain experience with a given policy before adopting it permanently.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Automated Policy Management</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">In recent years, a new category of software has emerged for the management of information security policies. This type of software was developed in response to the needs of information security practitioners. While many software products can meet the need for a specific technical control, software now can automate some of the busywork of policy management. Automation can streamline the repetitive steps of writing policy, tracking the workflow of policy approvals, publishing policy once it is written and approved, and tracking when employees have read the policy. 
Using techniques from computer-based training and testing, an organization can train staff members and improve its awareness program.</span></p><p><span style="font-size: medium;"><br /></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGQLqF0c5MPONtPJp2qQ1fSGET7C0PymufT7YrFgHwCYecxNdBphIMdGg62hdXX5m_ffHveQdQ0zIwIxncDROu7XIbdjhnMBwUIf2hgSi47UYgmXWAKHiYEcZCFqQ1sGk2waxRLh09EX3PAVar1lsnyhxXDaetyTBXoR85tBrZTRYgn-fMMEvigxdXHw/s781/security%20education.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="328" data-original-width="781" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGQLqF0c5MPONtPJp2qQ1fSGET7C0PymufT7YrFgHwCYecxNdBphIMdGg62hdXX5m_ffHveQdQ0zIwIxncDROu7XIbdjhnMBwUIf2hgSi47UYgmXWAKHiYEcZCFqQ1sGk2waxRLh09EX3PAVar1lsnyhxXDaetyTBXoR85tBrZTRYgn-fMMEvigxdXHw/w640-h268/security%20education.jpg" width="640" /></a></div><p style="clear: both; text-align: center;"><br /></p><p></p><p><span style="font-size: medium;"><b>Security Education, Training, and Awareness Program</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Once your organization has defined the policies that will guide its security program, it is time to implement a security education, training, and awareness (SETA) program. The SETA program is the responsibility of the CISO and is a control measure designed to reduce incidents of accidental security breaches by employees. Employee errors are among the top threats to information assets, so it is well worth developing programs to combat this threat. SETA programs are designed to supplement the general education and training programs that many organizations use to educate staff about information security. 
For example, if an organization detects that many employees are opening questionable e-mail attachments, those employees must be retrained. As a matter of good practice, systems development life cycles must include user training during the implementation phase. Practices used to take control of the security and privacy of online data are sometimes called cyber hygiene.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The SETA program consists of three distinct elements: security education, security training, and security awareness. An organization may not be able or willing to undertake all three of these elements, and it may outsource elements to local educational institutions. The purpose of SETA is to enhance security by doing the following:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Improving awareness of the need to protect system resources<br /><br /></span></li><li><span style="font-size: medium;">Developing skills and knowledge so computer users can perform their jobs more securely<br /><br /></span></li><li><span style="font-size: medium;">Building in-depth knowledge as needed to design, implement, or operate security programs for organizations and systems</span></li></ul><p></p><p><span style="font-size: medium;">Table 3-4 compares the features of security education, training, and awareness within the organization.</span></p><p><span style="font-size: medium;"><br /></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8NNg0-WyCUKmMmNsY1yTtCo0qf2EqhvWI4qeQhW_DK5RNwWyx1IUra8QKzxcG6hno61bKBuxtCmSVeTtWfhI5LWzB50VprU8KYijTQQka0o39qVEFL8hxHkmrJhH2UqY4rmJ4ErGhwdk73jFMBjPiDchBvaYCoJbztpb7iDh7yE-z7Y5KRGCOdp3mlg/s935/3-4.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; 
margin-right: 1em;"><img border="0" data-original-height="578" data-original-width="935" height="396" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8NNg0-WyCUKmMmNsY1yTtCo0qf2EqhvWI4qeQhW_DK5RNwWyx1IUra8QKzxcG6hno61bKBuxtCmSVeTtWfhI5LWzB50VprU8KYijTQQka0o39qVEFL8hxHkmrJhH2UqY4rmJ4ErGhwdk73jFMBjPiDchBvaYCoJbztpb7iDh7yE-z7Y5KRGCOdp3mlg/w640-h396/3-4.jpg" width="640" /></a></div><p></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-834996857819749048.post-58976678032634358362022-08-05T13:32:00.003-07:002022-08-05T13:35:13.887-07:00Principle of Information Security Module 3 Information Security Management part 7<div class="separator" style="clear: both; text-align: center;"><iframe frameborder="0" height="102px" scrolling="no" src="https://anchor.fm/nhat-nguyen9/embed/episodes/Principle-of-Information-Security-Module-3-Information-Security-Management-part-7-e1m5cqb" width="400px"></iframe></div><p style="clear: both; text-align: center;"><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjawSzS4rNBULqEmny0cS3P5lEXn1mEzStxwefwKUmu5_6kzsMFlSRaDF8t1H5ZZxeu_ADMoL2ckaiY57h0ZjB2HddwVeC-VpKr7AxgL4n9xx5NH9BgzzwWdIzcQXjlD8iK9UwwqPiZWCPEx30NtTSTFKj9gRES0V-1Nitg_XHGRdeNaGxXjE_YxClo9w/s1287/daveloping%20and%20implementing%20effective%20security%20policy.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="652" data-original-width="1287" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjawSzS4rNBULqEmny0cS3P5lEXn1mEzStxwefwKUmu5_6kzsMFlSRaDF8t1H5ZZxeu_ADMoL2ckaiY57h0ZjB2HddwVeC-VpKr7AxgL4n9xx5NH9BgzzwWdIzcQXjlD8iK9UwwqPiZWCPEx30NtTSTFKj9gRES0V-1Nitg_XHGRdeNaGxXjE_YxClo9w/w640-h324/daveloping%20and%20implementing%20effective%20security%20policy.png" width="640" /></span></a></div><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">How 
policy is developed and implemented can help or hinder its usefulness to the organization. If an organization takes punitive action on an effective policy, the individual affected may sue the organization, depending on its action in implementing the penalties or other actions defined in the policy. Employees terminated for violating poorly designed and implemented policies could sue their organization for wrongful termination. In general, policy is only enforceable and legally defensible if it is properly designed, developed, and implemented using a process that assures repeatable results.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">For policies to be effective and legally defensible, the following must be done properly:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Development—Policies must be written using industry-accepted practices and formally approved by management.<br /><br /></span></li><li><span style="font-size: medium;">Dissemination—Policies must be distributed using all appropriate methods.<br /><br /></span></li><li><span style="font-size: medium;">Review—Policies must be readable and read by all employees.<br /><br /></span></li><li><span style="font-size: medium;">Comprehension—Policies must be understood by all employees.<br /><br /></span></li><li><span style="font-size: medium;">Compliance—Policies must be formally agreed to by act or affirmation.<br /><br /></span></li><li><span style="font-size: medium;">Enforcement—Policies must be uniformly applied to all employees.</span></li></ul><p><span style="font-size: medium;">We will examine each of these stages in the sections that follow. Before we do, however, you should realize that almost every organization has a set of existing policies, standards, procedures, and/or practices. 
This installed base of guidance may not always have been prepared using an approach that delivers consistent or even usable results. Most of the situations you find yourself in will involve more policy maintenance than policy development. Prior to implementation, policy should be reviewed by the organization’s legal counsel to ensure it is acceptable within the limits of the law and that implementation of the policy and its corresponding penalties would, in fact, be defensible in the event of a legal dispute.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Developing Information Security Policy</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">It is often useful to view policy development as a three-part project. In the first part of the project, policy is designed and written (or, in the case of an outdated policy, redesigned and rewritten). In the second part, a senior manager or executive at the appropriate level and the organization’s legal counsel review and formally approve the document. In the third part of the development project, management processes are established to distribute and enforce the policy within the organization. The first part is an exercise in project management, whereas the latter two parts require adherence to good business practices and legal regulation.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Writing a policy is not always as easy as it seems. However, the prudent security manager always scours available resources (including the Web) for examples that may be adapted to the organization. Seldom will the manager find the perfect policy, ready to be implemented. Some online vendors sell blank policies that you can customize to your organization. In any event, it is important that the organization respect the intellectual property of others when developing policy. 
If parts of another organization’s policy are adapted, appropriate attribution must be made. Most policies contain a reference section where the author may list any policies used in the development of the current document. Even policies that are purchased from policy vendors or developed from a book on writing policies may require some level of attribution. It is recommended that any policies adapted from outside sources are thoroughly summarized to prevent the need for direct quotations, which can detract from the message the policy is attempting to convey—that “our organization” wants employees to be effective and efficient without undue distractions.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Policy Distribution</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">While it might seem straightforward, getting the policy document into the hands of employees can require a substantial investment by the organization to be effective. The most common alternatives are hard copy and electronic distribution. Hard copy distribution involves either directly handing or mailing a copy to each employee or posting the policy in a publicly accessible location. Posting a policy on a bulletin board or other public area may be insufficient unless another policy requires the employees to read the bulletin board on a specified schedule.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Distribution by internal or external mail may still not guarantee that the individual receives the document. Unless the organization can prove that the policy reached its target audience, it cannot be enforced. Unlike in law, ignorance of policy, where policy is inadequately distributed, is considered an acceptable excuse. 
Distribution of classified policies—those containing confidential information—requires additional levels of controls, in the labeling of the document, in the dissemination and storage of new policy, and in the collection and destruction of older versions to ensure the confidentiality of the information contained within the policy documents themselves.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Another common method of dissemination is by electronic means: e-mail, newsletter, intranet, or document management systems. Perhaps the easiest way is to post policies on a secure intranet in HTML or PDF (Adobe Acrobat) form. The organization must still enable a mechanism to prove distribution, such as an auditing log for tracking when users access the documents. As an alternative delivery mechanism, e-mail has advantages and disadvantages. While it is easy to send a document to an employee and even track when the employee opens the e-mail, e-mail tracking may not be sufficient as proof that the employee downloaded and actually read any attached policies, and the document can get lost in an avalanche of spam, phishing attacks, or other unwanted e-mail. The best method is through electronic policy management software, as described in the section on automated tools. Electronic policy management software not only assists in the distribution of policy documents, it supports the assessment of comprehension and evaluation of compliance.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Policy Review</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Barriers to employees reading policies can arise from literacy or language issues. A surprisingly large percentage of the workforce is considered functionally illiterate. 
According to Macrotrends, a full 1 percent of people 15 and older living in the United States cannot read and write with understanding. Based on statistics from 2020, that means more than 3.28 million adults in the United States are considered illiterate.* Many jobs do not require literacy skills—for example, custodial staff, groundskeepers, or production line workers. Because such workers can still pose risks to InfoSec, they must be made familiar with policy even if it must be read to them. Visually impaired employees also require additional assistance, either through audio or large-type versions of the document.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">A contributing factor to the literacy issue is that the number of non-English-speaking residents in the United States continues to climb. According to 2018 U.S. Census data, more than 67 million residents speak a language other than English at home.* However, language challenges are not restricted to organizations with locations in the United States. Multinational organizations also must deal with the challenges of gauging reading levels of foreign citizens. Simple translations of policy documents, while a minimum requirement, necessitate careful monitoring. Translation issues have long created challenges for organizations.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Policy Comprehension</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Simply making certain that a copy of the policy gets to employees in a form they can review may not ensure that they truly understand what the policy requires of them. 
Comprehension involves two aspects of policy administration:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ol style="text-align: left;"><li><span style="font-size: medium;">the target audience can understand the policy, and<br /><br /></span></li><li><span style="font-size: medium;">the organization has assessed how well they understand it.</span></li></ol><p><span style="font-size: medium;">To be certain that employees can understand the policy, the document must be written at an appropriate reading level, with minimal technical jargon or management terminology. The readability statistics supplied by most productivity suite applications—such as Microsoft Word—can help determine the current reading level of a policy. The Flesch Reading Ease test evaluates writing on a scale of 1–100. The higher the score, the easier it is to understand the writing. For most corporate documents, a score of 60 to 70 is preferred. The Flesch–Kincaid Grade Level test evaluates writing on a U.S. grade-school level. While a 13th-grade level (freshman in college) may be appropriate for a textbook, it is too high for organizational policy intended for a broad audience. For most corporate documents, a score of 7.0 to 8.0 is preferred.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The next step is to use some form of assessment to gauge how well employees understand the policy’s underlying issues. Quizzes and other forms of examination can be employed to assess quantitatively which employees understand the policy by earning a minimum score (e.g., 70 percent) and which employees require additional training and awareness efforts before the policy can be enforced. Quizzes can be conducted in either hard copy or electronic formats. 
The electronic policy management systems mentioned earlier can assist in the assessment of employee performance on policy comprehension.</span></p><p><span style="font-size: medium;"><br /></span></p><p><b><span style="font-size: medium;">Policy Compliance</span></b></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Policy compliance means the employee must agree to the policy. According to Whitman in “Security Policy: From Design to Maintenance”: Policies must be agreed to by act or affirmation. Agreement by act occurs when the employee performs an action, which requires them to acknowledge understanding of the policy prior to use of a technology or organizational resource. Network banners, end-user license agreements (EULAs), and posted warnings can serve to meet this burden of proof. However, these approaches in and of themselves may not be sufficient. Only through direct collection of a signature or the equivalent digital alternative can the organization prove that it has obtained an agreement to comply with policy, which also demonstrates that the previous conditions have been met.*</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">What if an employee refuses explicitly to agree to comply with policy? Can the organization deny access to information that the individual needs to do his or her job? While this situation has not yet been adjudicated in the legal system, it seems clear that failure to agree to a policy is tantamount to refusing to work and thus may be grounds for termination. 
Organizations can avoid this dilemma by incorporating policy confirmation statements into employment contracts, annual evaluations, or other documents necessary for the individual’s continued employment.</span></p><p><span style="font-size: medium;"><br /></span></p><p><b><span style="font-size: medium;">Policy Enforcement</span></b></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The final component of the design and implementation of effective policies is uniform and impartial enforcement. As in law enforcement, policy enforcement must be able to withstand external scrutiny. Because this scrutiny may occur during legal proceedings—for example, in a civil suit contending wrongful termination—organizations must establish high standards of due care with regard to policy management. For instance, if policy mandates that all employees wear identification badges in a clearly visible location and select members of management decide they are not required to follow this policy, any actions taken against other employees will not withstand legal challenges. If an employee is punished, censured, or dismissed as a result of a refusal to follow policy and is subsequently able to demonstrate that the policies are not uniformly applied or enforced, the organization may find itself facing punitive as well as compensatory damages.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">One forward-thinking organization found a way to enlist employees in the enforcement of policy. After the organization had just published a new ID badge policy, the manager responsible for the policy was seen without his ID. One of his employees chided him in jest, saying, “You must be a visitor here, since you don’t have an ID. Can I help you?” The manager smiled and promptly produced his ID, along with a $20 bill, which he presented to the employee as a reward for vigilant policy enforcement. 
Soon, the entire staff was routinely challenging anyone without a badge.*</span></p><p><span style="font-size: medium;"><br /></span></p><p><b><span style="font-size: medium;">Policy Development and Implementation Using the SDLC</span></b></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Like any major project, a policy development or redevelopment project should be well planned, properly funded, and aggressively managed to ensure that it is completed on time and within budget. One way to accomplish this goal is to use a systems development life cycle (SDLC). The following discussion expands the use of a typical SDLC model by discussing the tasks that could be included in each phase of the SDLC during a policy development project.</span></p><p><span style="font-size: medium;"><br /></span></p><p><b><span style="font-size: medium;">Investigation Phase</span></b></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">During the investigation phase, the policy development team or committee should attain the following:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Support from senior management because any project without it has a reduced chance of success. Only with the support of top management will a specific policy receive the attention it deserves from the intermediate-level managers who must implement it and from the users who must comply with it.<br /><br /></span></li><li><span style="font-size: medium;">Support and active involvement of IT management, specifically the CIO. Only with the CIO’s active support will technology-area managers be motivated to participate in policy development and support the implementation efforts to deploy it once created.<br /><br /></span></li><li><span style="font-size: medium;">Clear articulation of goals. 
Without a detailed and succinct expression of the goals and objectives of the policy, broken into distinct expectations, the policy will lack the structure it needs to obtain full implementation.<br /><br /></span></li><li><span style="font-size: medium;">Participation of the correct individuals from the communities of interest affected by the recommended policies. Assembling the right team, by ensuring the participation of the proper representatives from the groups that will be affected by the new policies, is very important. The team must include representatives from the legal department, the human resources department, and end users of the various IT systems covered by the policies, as well as a project champion with sufficient stature and prestige to accomplish the goals of the project and a capable project manager to see the project through to completion.<br /><br /></span></li><li><span style="font-size: medium;">A detailed outline of the scope of the policy development project and sound estimates for the cost and scheduling of the project.</span></li></ul><p><b><span style="font-size: medium;">Analysis Phase</span></b></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The analysis phase should produce the following:</span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">A new or recent risk assessment or IT audit documenting the current InfoSec needs of the organization. This risk assessment should include any loss history, as well as past lawsuits, grievances, or other records of negative outcomes from InfoSec areas.<br /><br /></span></li><li><span style="font-size: medium;">The gathering of key reference materials, including any existing policies. 
Sometimes policy documents that affect InfoSec will be housed in the human resources department as well as the accounting, finance, legal, or corporate security departments.<br /><br /></span></li><li><span style="font-size: medium;">The policy development committee must determine the fundamental philosophy of the organization when it comes to policy. This will dictate the general development of all policies, but in particular, the format to be used in the crafting of all ISSPs. This philosophy typically falls into one of two groups:</span></li></ul><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;"><p style="text-align: left;"></p><ul style="text-align: left;"><li><span style="font-size: medium;">“That which is not permitted is prohibited.” Also known as the “whitelist” approach, this is the more restrictive of the two, and focuses on creating an approach where specific authorization is provided for various actions and behaviors; all other actions and behaviors (and uses) are prohibited or at least require specific permissions. This approach can impede normal business operations if appropriate options emerge but cannot be incorporated into policy until subsequent revisions are made.</span></li></ul></blockquote><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;"><p style="text-align: left;"></p><ul style="text-align: left;"><li><span style="font-size: medium;">“That which is not prohibited is permitted.” Also known as the “blacklist” approach, this alternate approach specifies what actions, behaviors, and uses are prohibited and then allows all others by default. 
While easier to implement, this approach can result in issues as more and more areas that should be prohibited are discovered by users.</span></li></ul></blockquote><p><b><span style="font-size: medium;">Design Phase</span></b></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The first task in the design phase is the drafting of the actual policy document. While this task can be done by a committee, it is most commonly done by a single author. This document should incorporate all the specifications and restrictions from the investigation and analysis phases. This can be a challenging process, but you do not have to come up with a good policy document from scratch. A number of resources are at your disposal, including the following:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">The Web—You can search for other similar policies. The point here is not to advocate wholesale copying of these policies but to encourage you to look for ideas for your own policy. For example, dozens of policies available on the Web describe fair and responsible use of various technologies. What you may not find, however, are policies that relate to sensitive internal documents or processes.<br /><br /></span></li><li><span style="font-size: medium;">Government sites—Sites such as http://csrc.nist.gov contain numerous sample policies and policy support documents, including SP 800-100, “Information Security Handbook: A Guide for Managers.” While these policies are typically applicable to federal government Web sites, you may be able to adapt some sections to meet your organization’s needs.<br /><br /></span></li><li><span style="font-size: medium;">Professional literature—Several authors have published books on the subject. 
Of particular note is Charles Cresson Wood’s Information Security Policies Made Easy series, which not only provides more than 1,000 pages of policies but also makes those policies available in electronic format, complete with permission to use them in internal documents. Exercise caution when using such resources, however; it is extremely easy to take large sections of policy and end up with a massive, unwieldy document that is neither publishable nor enforceable.<br /><br /></span></li><li><span style="font-size: medium;">Peer networks—Other InfoSec professionals must write similar policies and implement similar plans. Attend meetings like those offered by the Information Systems Security Association (www.issa.org) or the Information Systems Audit and Control Association (www.isaca.org), and ask your peers.<br /><br /></span></li><li><span style="font-size: medium;">Professional consultants—Policy is one area of InfoSec that can certainly be developed in-house. However, if your organization does not have the requisite expertise, or if your team simply cannot find the time to develop your own policy, then hiring an outside consultant may be your best option. Keep in mind that no consultant can know your organization as well as you do; you may decide to have the consultant design generic policies that you can then adapt to your specific needs.</span></li></ul><p><span style="font-size: medium;">Next, the development team or committee reviews the work of the primary author and makes recommendations about its revision. Once the committee approves the document, it goes to the approving manager or executive for sign-off.</span></p><p><b><span style="font-size: medium;">Implementation Phase</span></b></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">In the implementation phase, the team must create a plan to distribute and verify the distribution of the policies. 
Members of the organization must explicitly acknowledge that they have received and read the policy (compliance). Otherwise, an employee can claim never to have seen a policy, and unless the manager can produce strong evidence to the contrary, any enforcement action, such as dismissal for inappropriate use of the Web, can be overturned and punitive damages might be awarded to the former employee. The simplest way to document acknowledgment of a written policy is to attach a cover sheet that states “I have received, read, understood, and agreed to this policy.” The employee’s signature and date provide a paper trail of his or her receipt of the policy.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Some situations preclude a formal documentation process. Take, for instance, student use of campus computer labs. Most universities have stringent policies on what students can and cannot do in a computer lab. These policies are usually posted on the Web, in the student handbook, in course catalogs, and in several other locations, including bulletin boards in the labs. For the policies to be enforceable, however, some mechanism must be established that records the student’s acknowledgment of the policy. This is frequently accomplished with a banner screen that displays a brief statement warning the user that the policy is in place and that use of the system constitutes acceptance of the policy. The user must then click an OK button or press a key to get past the screen. However, this method can be ineffective if the acknowledgment screen does not require any unusual action to move past it. Most acknowledgment screens require that the user click a specific button, press a function key, or type text to agree to the terms of the EULA. Some even require the user to scroll down to the bottom of the EULA screen before the “I accept” button is activated. 
Similar methods are used on network and computer logins to reinforce acknowledgment of the system use policy.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">A stronger mechanism to document and ensure comprehension is a compliance assessment, such as a short quiz, to make sure that users both read the policy and understand it. A minimum score is commonly established before the employee is certified to be “in compliance.” Coupled with a short training video, the compliance quiz is the current industry best practice for policy implementation and compliance.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The design phase should also include specifications for any automated tool used for the creation and management of policy documents, as well as revisions to feasibility analysis reports based on improved costs and benefits as the design is clarified. During the implementation phase, the policy development team ensures that the policy is properly distributed, read, understood, and agreed to by those to whom it applies, and that their understanding and acceptance of the policy are documented.</span></p><p><span style="font-size: medium;"><br /></span></p><p><b><span style="font-size: medium;">Maintenance Phase</span></b></p><p><b><span style="font-size: medium;"><br /></span></b></p><p><span style="font-size: medium;">During the maintenance phase, the policy development team monitors, maintains, and modifies the policy as needed to ensure that it remains effective as a tool to meet changing threats. The policy should have a built-in mechanism through which users can report problems—preferably on an anonymous basis through a Web form monitored either by the organization’s legal team or a committee assigned to collect and review such content. It is in this phase that the last component of effective policy development—uniform enforcement—comes into play. 
The organization should make sure that everyone is required to follow the policy equally and that policies are not implemented differently in different areas or hierarchies of the organization.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">When the policy comes up for scheduled review, the development committee reassembles, reviews any submitted recommendations, and begins the process anew, as described in the next section.</span></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-834996857819749048.post-1338008086554607102022-08-04T11:36:00.005-07:002022-08-05T07:03:08.144-07:00Principle of Information Security Module 3 Information Security Management part 6<div class="separator" style="clear: both; text-align: center;"><iframe frameborder="0" height="102px" scrolling="no" src="https://anchor.fm/nhat-nguyen9/embed/episodes/Principle-of-Information-Security-Module-3-Information-Security-Management-part-6-e1m3tig" width="400px"></iframe></div><p style="clear: both; text-align: center;"><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCp0Xn8rGhq6PJ4kJX0I5y14U7SG8f0pjwsv_S-9e4TTmas8uk8s_krx2TrVNTeBewGSNpToMPkGsds7iJ_3zRwwNiLTbK88rLnbQiTv1LtP42F1v2TuSjz8r8SBXu8rK9EXB5QXNQT5WkBj8wSKcZXYNkTDVVd4lHqL17souTntz1fBqtnuRTUB0wLw/s638/systems%20specific%20policy.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-size: medium;"><img border="0" data-original-height="300" data-original-width="638" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCp0Xn8rGhq6PJ4kJX0I5y14U7SG8f0pjwsv_S-9e4TTmas8uk8s_krx2TrVNTeBewGSNpToMPkGsds7iJ_3zRwwNiLTbK88rLnbQiTv1LtP42F1v2TuSjz8r8SBXu8rK9EXB5QXNQT5WkBj8wSKcZXYNkTDVVd4lHqL17souTntz1fBqtnuRTUB0wLw/w640-h300/systems%20specific%20policy.png" width="640" /></span></a></div><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: 
medium;">While issue-specific policies are formalized as written documents readily identifiable as policy, systems-specific security policies (SysSPs) sometimes have a different look. SysSPs often function as standards or procedures to be used when configuring or maintaining systems. For example, a SysSP might describe the configuration and operation of a network firewall. This document could include a statement of managerial intent; guidance to network engineers on the selection, configuration, and operation of firewalls; and an access control list that defines levels of access for each authorized user. SysSPs can be separated into two general groups, managerial guidance SysSPs and technical specifications SysSPs, or they can be combined into a single policy document that contains elements of both.</span></p><p><span style="font-size: medium;"><br /></span></p><p><b><span style="font-size: medium;">Managerial Guidance SysSPs</span></b></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">A managerial guidance SysSP document is created by management to guide the implementation and configuration of technology and to address the behavior of employees in ways that support information security. For example, while the method for configuring a firewall belongs in the technical specifications SysSP, the firewall’s configuration must follow guidelines established by management. An organization might not want its employees to access the Internet via the organization’s network, for instance; in that case, the firewall should be configured accordingly.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Firewalls are not the only technology that may require systems-specific policies. 
Any system that affects the confidentiality, integrity, or availability of information must be assessed to evaluate the trade-off between improved security and restrictions.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Systems-specific policies can be developed at the same time as ISSPs, or they can be prepared in advance of their related ISSPs. Before management can craft a policy informing users what they can do with certain technology and how to do it, system administrators might have to configure and operate the system. Some organizations may prefer to develop ISSPs and SysSPs in tandem so that operational procedures and user guidelines are created simultaneously.</span></p><p><span style="font-size: medium;"><br /></span></p><p><b><span style="font-size: medium;">Technical Specifications SysSPs</span></b></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">While a manager can work with a systems administrator to create managerial policy, as described in the preceding section, the systems administrator in turn might need to create a policy to implement the managerial policy. Each type of equipment requires its own set of policies, which are used to translate management’s intent for the technical control into an enforceable technical approach. For example, an ISSP may require that user passwords be changed quarterly; a systems administrator can implement a technical control within a specific application to enforce this policy. 
There are two general methods of implementing such technical controls: access control lists and configuration rules.</span></p><p><span style="font-size: medium;"><br /></span></p><p><b><span style="font-size: medium;">Access Control Lists</span></b></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">An access control list (ACL) consists of details about user access and use permissions and privileges for an organizational asset or resource, such as a file storage system, software component, or network communications device. ACLs focus on assets and the users who can access and use them. A capabilities table is similar to an ACL, but it focuses on users, the assets they can access, and what they can do with those assets. In some systems, capability tables are called user profiles or user policies.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">These specifications frequently take the form of complex matrices rather than simple lists or tables, resulting in an access control matrix that combines the information in ACLs and capability tables.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">As illustrated in Figures 3-4 and 3-5, both Microsoft Windows and Linux systems translate ACLs into sets of configurations that administrators use to control access to their systems.</span></p><p style="text-align: center;"><span style="font-size: medium;"><b>Figure 3-4</b></span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzGGD8xGg_Uitz4_tY1AZJjZHVJfOsAXsgZGawppJAnF5ABuzNET81eJ4vjkyp8i4e6VUMXXcKQBzwGigoEUhH2wIvSYCYnIhGTclN75wRGImmgMObetQa34OA-pJsT2nzl7-akfO3g1iQan2c_TxmyxQCUZ5qNNSbiaoRHlOxDQKdHpU3yzfB0t5gBA/s692/3-4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="692" data-original-width="595" 
height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzGGD8xGg_Uitz4_tY1AZJjZHVJfOsAXsgZGawppJAnF5ABuzNET81eJ4vjkyp8i4e6VUMXXcKQBzwGigoEUhH2wIvSYCYnIhGTclN75wRGImmgMObetQa34OA-pJsT2nzl7-akfO3g1iQan2c_TxmyxQCUZ5qNNSbiaoRHlOxDQKdHpU3yzfB0t5gBA/w550-h640/3-4.png" width="550" /></a></div><p style="clear: both; text-align: center;"><b><span style="font-size: medium;"><br /></span></b></p><p style="clear: both; text-align: center;"><b><span style="font-size: medium;">Figure 3-5</span></b></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizsdt0dARBGWBNfjV44I09mE62HPTiNHVIJz2FgH0mFdWcQv2UEX1F4MRqhondNgi2Ax8yAgfxaeScaGDTZbqsSuhXD54lzOhKcXZUAe3ps7TZe8nkguM48RqlOAQnq3NOhjxFZcHV_I8vVJUyHAtOK8VFPHDe3HEy5PC3vpZ_nFjQa5I43fvTj9EHbg/s595/3-5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="275" data-original-width="595" height="296" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizsdt0dARBGWBNfjV44I09mE62HPTiNHVIJz2FgH0mFdWcQv2UEX1F4MRqhondNgi2Ax8yAgfxaeScaGDTZbqsSuhXD54lzOhKcXZUAe3ps7TZe8nkguM48RqlOAQnq3NOhjxFZcHV_I8vVJUyHAtOK8VFPHDe3HEy5PC3vpZ_nFjQa5I43fvTj9EHbg/w640-h296/3-5.png" width="640" /></a></div><br /><span style="font-size: medium;"><br /></span><p></p><p><span style="font-size: medium;">The level of detail may differ from system to system, but in general, ACLs can restrict access for a specific user, computer, time, or duration—even a specific file. This specificity provides powerful control to the administrator. 
In general, ACLs regulate the following:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Who can use the system<br /><br /></span></li><li><span style="font-size: medium;">What authorized users can access<br /><br /></span></li><li><span style="font-size: medium;">When authorized users can access the system<br /><br /></span></li><li><span style="font-size: medium;">Where authorized users can access the system</span></li></ul><p></p><p><span style="font-size: medium;">The who of ACL access may be determined by a person’s identity or membership in a group. Restricting what authorized users are permitted to access—whether by type (printers, files, communication devices, or applications), name, or location—is achieved by adjusting the resource privileges for a person or group to Read, Write, Create, Modify, Delete, Compare, or Copy. To control when access is allowed, some organizations implement time-of-day and day-of-week restrictions for certain network or system resources. To control where resources can be accessed, many network-connected assets block remote usage and have some levels of access that are restricted to locally connected users, such as restrictions by computer MAC address or network IP address. When these various ACL options are applied concurrently, the organization can govern how its resources can be used.</span></p><p><span style="font-size: medium;"><br /></span></p><p><b><span style="font-size: medium;">Configuration Rule Policies</span></b></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Configuration rules (or policies) govern how a security system reacts to the data it receives. Rule-based policies are more specific to the operation of a system than ACLs, and they may or may not deal with users directly. 
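</span></p><p><span style="font-size: medium;">The who, what, when and where rules above are easiest to see in working form. The following Python program is an added illustration and is not code from the textbook or from this blog: it models a small access control matrix as asset-centric ACL entries, evaluates a request against all four constraints at once, and inverts the same entries into the user-centric capability table the text describes. Every user, group, asset, network and timestamp in it is constructed sample data.</span></p>

```python
"""Evaluate an access control matrix: asset-centric ACLs, user-centric capabilities.

Added illustration, not code from the textbook or this blog. Every user,
group, asset, address and timestamp below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# The resource privileges named in the text.
PERMISSIONS = {"Read", "Write", "Create", "Modify", "Delete", "Compare", "Copy"}

# Constructed group memberships: the "who" may be an identity or a group.
GROUPS: Dict[str, Set[str]] = {
    "finance": {"alice", "bob"},
    "admins": {"carol"},
}


@dataclass(frozen=True)
class AclEntry:
    """One row of an asset's ACL: who may do what, and under which when/where limits."""
    subject: str                                  # user name or "group:<name>"
    permissions: FrozenSet[str]                   # subset of PERMISSIONS
    start: Optional[time] = None                  # time-of-day window start (inclusive)
    end: Optional[time] = None                    # window end (exclusive)
    weekdays: Optional[FrozenSet[int]] = None     # 0=Mon .. 6=Sun; None means any day
    networks: Optional[Tuple[str, ...]] = None    # allowed source networks; None means anywhere

    def matches_subject(self, user: str) -> bool:
        if self.subject.startswith("group:"):
            return user in GROUPS.get(self.subject[len("group:"):], set())
        return self.subject == user

    def allows_time(self, when: datetime) -> bool:
        if self.weekdays is not None and when.weekday() not in self.weekdays:
            return False
        if self.start is not None and self.end is not None:
            return self.start <= when.time() < self.end
        return True

    def allows_source(self, src_ip: str) -> bool:
        if self.networks is None:
            return True
        addr = ip_address(src_ip)
        return any(addr in ip_network(net) for net in self.networks)


# The ACL view of the matrix: asset -> entries (constructed sample policy).
ACLS: Dict[str, List[AclEntry]] = {
    "payroll.xlsx": [
        AclEntry("group:finance", frozenset({"Read", "Compare"}),
                 start=time(8, 0), end=time(18, 0),
                 weekdays=frozenset(range(5)),        # Mon-Fri only
                 networks=("10.0.0.0/8",)),           # locally connected hosts only
        AclEntry("carol", frozenset({"Read", "Write", "Modify", "Delete"})),
    ],
    "printer-3f": [
        AclEntry("group:finance", frozenset({"Write"}), networks=("10.0.0.0/8",)),
        AclEntry("group:admins", frozenset({"Write", "Modify"})),
    ],
}


def check_access(user: str, asset: str, permission: str,
                 when: datetime, src_ip: str) -> bool:
    """Apply who, what, when and where concurrently; deny unless one entry allows all four."""
    if permission not in PERMISSIONS:
        raise ValueError(f"unknown permission {permission!r}")
    for entry in ACLS.get(asset, []):
        if (entry.matches_subject(user)
                and permission in entry.permissions
                and entry.allows_time(when)
                and entry.allows_source(src_ip)):
            return True
    return False


def capability_table(user: str) -> Dict[str, Set[str]]:
    """Invert the ACLs into the user-centric view: asset -> privileges the user may hold.

    Time and location limits still apply per request; this is the static
    column of the access control matrix for one user.
    """
    caps: Dict[str, Set[str]] = {}
    for asset, entries in ACLS.items():
        for entry in entries:
            if entry.matches_subject(user):
                caps.setdefault(asset, set()).update(entry.permissions)
    return caps


# Constructed request times: a Wednesday in and out of hours, and a Saturday.
OFFICE_HOURS = datetime(2022, 8, 3, 10, 30)
AFTER_HOURS = datetime(2022, 8, 3, 19, 0)
WEEKEND = datetime(2022, 8, 6, 10, 30)

if __name__ == "__main__":
    print(check_access("alice", "payroll.xlsx", "Read", OFFICE_HOURS, "10.1.2.3"))  # True
    print(check_access("alice", "payroll.xlsx", "Read", AFTER_HOURS, "10.1.2.3"))   # False
    print(capability_table("alice"))
```

<p><span style="font-size: medium;">Two design points are worth noting. The evaluator denies by default and grants only when a single entry satisfies every constraint at once, which is what the text means by applying the ACL options concurrently; a request that passes the who and what checks but arrives outside the time window or from an off-site address is still refused. And the capability table is derived from the ACL rather than maintained as a second document, so the two views of the matrix cannot drift apart.</span></p><p><span style="font-size: medium;">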
Many security systems—for example, firewalls, intrusion detection and prevention systems (IDPSs), and proxy servers, all of which you will learn about in Modules 8 and 9—use specific configuration scripts that represent the configuration rule policy to determine how the system handles each data element they process. The examples in Figures 3-6 and 3-7 show how network security policy has been implemented by a Palo Alto firewall’s rule set and by Ionx Verisys (File Integrity Monitoring) in a host-based IDPS rule set.</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJskH2kSQSX5AkSGg4OjowUlAPP5bnO9CLb1iY7rkc2H7ZtP7PkYLY9YIYe6tCE9EsX3SLF9iwSB00rg27FTDuFoUY5_EtFyhgnjlz-0bJR-eoHbGGTbhp9wALkbwvlGM27fSXTLT3J0vwdKkfMrc6hIaUZ4eaVSlcUXffjbTzjom33HJvoWDCcB4sMg/s595/3-6.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="302" data-original-width="595" height="324" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJskH2kSQSX5AkSGg4OjowUlAPP5bnO9CLb1iY7rkc2H7ZtP7PkYLY9YIYe6tCE9EsX3SLF9iwSB00rg27FTDuFoUY5_EtFyhgnjlz-0bJR-eoHbGGTbhp9wALkbwvlGM27fSXTLT3J0vwdKkfMrc6hIaUZ4eaVSlcUXffjbTzjom33HJvoWDCcB4sMg/w640-h324/3-6.png" width="640" /></a></div><p><br /></p><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSTqlSGlTdh3p0c4u2-rs9vrV1jb_RjMTNYefaAl-DwiwLC6gJVrjHIfY18TVzDcCzxtRrsIhFhuCocesiJjWVXmCBlq-LPD55g0Q4LcfESYrcAouV5LgNFxJoK0qhi4LlKc1vCy-d-VYYyK_xM0979DuSvr2ps-f-orFBp0JSOcAQstRQF_22kCQesg/s630/3-7.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="630" data-original-width="522" height="640" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSTqlSGlTdh3p0c4u2-rs9vrV1jb_RjMTNYefaAl-DwiwLC6gJVrjHIfY18TVzDcCzxtRrsIhFhuCocesiJjWVXmCBlq-LPD55g0Q4LcfESYrcAouV5LgNFxJoK0qhi4LlKc1vCy-d-VYYyK_xM0979DuSvr2ps-f-orFBp0JSOcAQstRQF_22kCQesg/w530-h640/3-7.png" width="530" /></a></div><br /><span style="font-size: medium;"><br /></span><p></p><p><b><span style="font-size: medium;">Combination SysSPs</span></b></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Many organizations create a single document that combines the managerial guidance SysSP and the technical specifications SysSP. While this document can be somewhat confusing to casual users, it is practical to have the guidance from managerial and technical perspectives in a single place. If this approach is used, care should be taken to clearly articulate the required actions. Some might consider this type of policy document a procedure, but it is actually a hybrid that combines policy with procedural guidance to assist implementers of the system being managed. This approach is best used by organizations that have multiple technical control systems of different types and by smaller organizations that want to document policy and procedure in a compact format.</span></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-834996857819749048.post-37623295068169022272022-07-28T09:37:00.000-07:002022-07-28T09:37:11.613-07:00Principle of Information Security Exercise Chapter 1<p><span style="font-size: medium;">1. Look up “the paper that started the study of computer security.” Prepare a summary of the key points. What in this paper specifically addresses security in previously unexamined areas?</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">2. Assume that a security model is needed for the protection of information in your class. 
Using the CNSS model, examine each of the cells and write a brief statement on how you would address the three components of each cell.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">3. Using the Web, identify the chief executive officer (CEO), chief information officer (CIO), chief information security officer (CISO), and systems administrator for your school. Which of these people represents the data owner? Which represents the data custodian?</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">4. Using the Web, find a large company or government agency that is familiar to you or located in your area. Try to find the name of the CEO, the CIO, and the CISO. Which was easiest to find? Which was hardest?</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">5. Using the Web, find out more about Kevin Mitnick. What did he do? Who caught him? Write a short summary of his activities and explain why he is infamous.</span></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-834996857819749048.post-78735941002373441372022-07-27T10:27:00.009-07:002022-08-04T10:42:44.806-07:00Principle of Information Security Module 3 Information Security Management part 5<p style="text-align: center;"><iframe frameborder="0" height="102px" scrolling="no" src="https://anchor.fm/nhat-nguyen9/embed/episodes/Principle-of-Information-Security-Module-3-Information-Security-Management-part-5-e1lnmon" width="400px"></iframe></p><p><br /></p><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTVwpXOOIGe6WHslCRi1H6OQjizhWp0JQkxzsvLk6c57FvZ5jvSOFN5Sn7fL1njWZtNFxnTemc7gQjKcYL1sN3rbsCsvCsMSNKAiyG9vSJ3xHfQoRXDwQgoVdpdu5ird_ZegW7j5zy-gllSDniFTI6Jpl84cJQawnlptBifa-AZmgloL44Vzynt5gcaw/s1280/enterprise%20security%20policy%201.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="586" data-original-width="1280" height="294" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTVwpXOOIGe6WHslCRi1H6OQjizhWp0JQkxzsvLk6c57FvZ5jvSOFN5Sn7fL1njWZtNFxnTemc7gQjKcYL1sN3rbsCsvCsMSNKAiyG9vSJ3xHfQoRXDwQgoVdpdu5ird_ZegW7j5zy-gllSDniFTI6Jpl84cJQawnlptBifa-AZmgloL44Vzynt5gcaw/w640-h294/enterprise%20security%20policy%201.png" width="640" /></a></div></div><p><span style="font-size: medium;">An enterprise information security policy (EISP) is also known as a general security policy, organizational security policy, IT security policy, or information security policy. The EISP is an executive-level document, usually drafted by or in cooperation with the organization’s chief information officer. This policy is usually two to 10 pages long and shapes the philosophy of security in the IT environment. The EISP usually needs to be modified only when there is a change in the strategic direction of the organization.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The EISP guides the development, implementation, and management of the security program. It sets out the requirements that must be met by the information security blueprint. It defines the purpose, scope, constraints, and applicability of the security program. It also assigns responsibilities for the various areas of security, including systems administration, maintenance of the information security policies, and the practices and responsibilities of users. Finally, it addresses legal compliance. 
According to NIST, the EISP typically addresses compliance in two areas:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">General compliance to ensure that an organization meets the requirements for establishing a program and assigning responsibilities therein to various organizational components<br /><br /></span></li><li><span style="font-size: medium;">The use of specified penalties and disciplinary action</span></li></ul><p></p><p><span style="font-size: medium;">When the EISP has been developed, the CISO begins forming the security team and initiating necessary changes to the information security program.</span></p><p><span style="font-size: medium;"><br /></span></p><p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_B2whevGqNdpCvTG8228NRlK2Gmbr3DxuhwpaHVA8gtAMhNjxWYQN-8UtI-fglLPZ96rXVj0AB3DKClP24BKgIKRCuTQ36ahi2cFnWGDg8I7-hEw9w4RIxMiAroq8HBgn8DDGtSeHA-VVWu-VfsvhmSTpIOgVZiSjldU5f4C14u_yVRUv7asOhGqeFg/s1274/enterprise%20security%20policy%202.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="568" data-original-width="1274" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_B2whevGqNdpCvTG8228NRlK2Gmbr3DxuhwpaHVA8gtAMhNjxWYQN-8UtI-fglLPZ96rXVj0AB3DKClP24BKgIKRCuTQ36ahi2cFnWGDg8I7-hEw9w4RIxMiAroq8HBgn8DDGtSeHA-VVWu-VfsvhmSTpIOgVZiSjldU5f4C14u_yVRUv7asOhGqeFg/w640-h286/enterprise%20security%20policy%202.png" width="640" /></a></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><br 
/></span></p><p><span style="font-size: medium;"><br /></span></p><p><br /></p><p><span style="font-size: medium;">Although the specifics of EISP vary among organizations, most EISP documents should include the following elements.</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">An overview of the corporate philosophy on security<br /><br /></span></li><li><span style="font-size: medium;">Information on the structure of the information security organization and people who fulfill the information security role<br /><br /></span></li><li><span style="font-size: medium;">Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors)<br /><br /></span></li><li><span style="font-size: medium;">Fully articulated responsibilities for security that are unique to each role within the organization</span></li></ul><p></p><p><span style="font-size: medium;">The components of a good EISP are shown in Table 3-2. For examples of EISP documents and recommendations for how to prepare them, we recommend using Information Security Policies Made Easy by Charles Cresson Wood, published by Information Shield. 
While the current version is relatively expensive, prior editions are widely available as used books and in libraries around the world.</span></p><p><span style="font-size: medium;"><br /></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgte_cMTJQoh00u28alMNlB2ohvpSRX8ddMKtHNPBspxHlRNADZRK5NPuEjvfdyZbPnxDbLYL4rIlBHTSAaDMXTgZ0k6-thGWnMskWdXLBMxqFmtjpIDisVcl_pFYaTnHxv1I4ZP7KqWwxsM7M7G-q4valSK9VYNqZU1r0zaG7nnkbrOMKJAJKrRcvdRg/s933/3-2.png" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="620" data-original-width="933" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgte_cMTJQoh00u28alMNlB2ohvpSRX8ddMKtHNPBspxHlRNADZRK5NPuEjvfdyZbPnxDbLYL4rIlBHTSAaDMXTgZ0k6-thGWnMskWdXLBMxqFmtjpIDisVcl_pFYaTnHxv1I4ZP7KqWwxsM7M7G-q4valSK9VYNqZU1r0zaG7nnkbrOMKJAJKrRcvdRg/w640-h426/3-2.png" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><b>Table 3-2</b></div><p style="clear: both; text-align: center;"><b><br /></b></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: justify;"><span style="font-size: large; text-align: left;">As an organization supports routine operations by executing various technologies and processes, it must instruct employees on their proper use. 
In general, the issue-specific security policy, or ISSP, addresses specific areas of technology as listed here, requires frequent updates, and contains a statement about the organization’s position on a specific issue.</span></div><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>An ISSP may cover the following topics, among others:</b></span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">E-mail<br /><br /></span></li><li><span style="font-size: medium;">Use of the Internet and World Wide Web<br /><br /></span></li><li><span style="font-size: medium;">Specific minimum configurations of computers to defend against worms and viruses<br /><br /></span></li><li><span style="font-size: medium;">Prohibitions against hacking or testing organization security controls<br /><br /></span></li><li><span style="font-size: medium;">Home use of company-owned computer equipment<br /><br /></span></li><li><span style="font-size: medium;">Use of personal equipment on company networks (BYOD, 
bring your own device)<br /><br /></span></li><li><span style="font-size: medium;">Use of telecommunications technologies, such as fax and phone<br /><br /></span></li><li><span style="font-size: medium;">Use of photocopy equipment<br /><br /></span></li><li><span style="font-size: medium;">Use of portable storage devices such as USB memory sticks, backpack drives, game players, music players, and any other device capable of storing digital files<br /><br /></span></li><li><span style="font-size: medium;">Use of cloud-based storage services that are not self-hosted by the organization or engaged under contract; such services include Google Drive, Dropbox, and Microsoft OneDrive<br /><br /></span></li><li><span style="font-size: medium;">Use of networked infrastructure devices, “intelligent assistants” such as Google Assistant and Amazon Echo, and accompanying devices usually classified as the Internet of Things (IoT)<br /><br /></span></li><li><span style="font-size: medium;">Use of programmable logic controller (PLC) devices and associated control protocols with corporate data networks and production-focused industrial networks<br /></span></li></ul><p></p><p><span style="font-size: medium;">For examples of ISSP policies and recommendations for how to prepare them, we recommend using Information Security Policies Made Easy by Charles Cresson Wood, published by Information Shield. The book includes a wide variety of working policy documents and can assist in defining which are needed and how to create them.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Several approaches are used to create and manage ISSPs within an organization. 
Three of the most common are as follows:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Independent ISSP documents, each tailored to a specific issue.<br /><br /></span></li><li><span style="font-size: medium;">A single comprehensive ISSP document that covers all issues.<br /><br /></span></li><li><span style="font-size: medium;">A modular ISSP document that unifies policy creation and administration while maintaining each specific issue’s requirements.</span></li></ul><p><span style="font-size: medium;">The independent ISSP document typically has a scattershot effect. Each department responsible for an application of technology creates a policy governing its use, management, and control. This approach may fail to cover all necessary issues and can lead to poor policy distribution, management, and enforcement.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The single comprehensive ISSP is centrally managed and controlled. With formal procedures for the management of ISSP in place, the comprehensive policy approach establishes guidelines for overall coverage of necessary issues and clearly identifies processes for the dissemination, enforcement, and review of these guidelines. Usually, these policies are developed by the people responsible for managing the information technology resources. Unfortunately, these policies tend to overgeneralize the issues and skip over vulnerabilities.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The optimal balance between the independent and comprehensive ISSP is the modular ISSP. It is also centrally managed and controlled, but it is tailored to individual technology issues. The modular approach provides a balance between issue orientation and policy management. 
The policies created with this approach comprise individual modules, each created and updated by people responsible for the issues addressed. These people report to a central policy administration group that incorporates specific issues into an overall comprehensive policy.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Table 3-3 is an outline of a sample ISSP, which can be used as a model. An organization should start with this structure and add specific details that dictate security procedures not covered by these general guidelines.</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><div style="text-align: center;"><span style="font-size: medium;"><b>Table 3-3</b></span></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVdMynnTbeRz9Pe28jUj6CotlKUOPvsV9mgxMEClCgGIZO84nmx85lhDppXlP63yg_2FcSBmI-Y5T5QXcj_DTPO---n8YKaqscIZ2yIXpDOodWK_k3s2W9lgVLyQtTjzd1u0m_r9EiVpcmIYVa6mo9gtgXY_NiikFLeEYs5aDS_yG5B4MYkFOVyw_wEQ/s1282/3-3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1282" data-original-width="421" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVdMynnTbeRz9Pe28jUj6CotlKUOPvsV9mgxMEClCgGIZO84nmx85lhDppXlP63yg_2FcSBmI-Y5T5QXcj_DTPO---n8YKaqscIZ2yIXpDOodWK_k3s2W9lgVLyQtTjzd1u0m_r9EiVpcmIYVa6mo9gtgXY_NiikFLeEYs5aDS_yG5B4MYkFOVyw_wEQ/s16000/3-3.png" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><p></p><p><span style="font-size: medium;">The components of each major category of a typical ISSP are discussed in the following sections. 
Even though the details may vary from policy to policy and some sections of a modular policy may be combined, it is essential for management to address and complete each section.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Statement of Policy</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The policy should begin with a clear statement of purpose—in other words, what exactly is this policy supposed to accomplish? Consider a policy that covers the issue of fair and responsible Internet use. The introductory section of this policy should address the following questions: What is the scope of this policy? Who does this policy apply to? Who is responsible and accountable for policy implementation? What technologies and issues does it address?</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Authorized Access and Usage of Equipment</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">This section of the policy statement addresses who can use the technology governed by the policy and what it can be used for. Remember that an organization’s information systems are its exclusive property, and users have no rights of use. Each technology and process is provided for business operations. Use for any other purpose constitutes misuse of equipment. This section defines “fair and responsible use” of equipment and other organizational assets and should address key legal issues, such as protection of personal information and privacy.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Prohibited Use of Equipment</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Unless a particular use is clearly prohibited, the organization cannot penalize its employees for misuse. 
For example, the following can be prohibited: personal use, disruptive use or misuse, criminal use, offensive or harassing materials, and infringement of copyrighted, licensed, or other intellectual property. As an alternative approach, sections 2 and 3 of Table 3-3 can be collapsed into a single category called “Appropriate Use.” Many organizations use such an ISSP section to cover both categories.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Systems Management</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The systems management section of the ISSP policy statement focuses on the users’ relationship to systems management. Specific rules from management include regulating the use of e-mail, the storage of materials, the authorized monitoring of employees, and the physical and electronic scrutiny of e-mail and other electronic documents. It is important that all such responsibilities are assigned either to the systems administrator or the users; otherwise, both parties may infer that the responsibility belongs to the other.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Violations of Policy</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The people to whom the policy applies must understand the penalties and repercussions of violating it. Violations of policy should carry penalties that are appropriate—neither draconian nor overly lenient. This section of the policy statement should contain not only specific penalties for each category of violation, but instructions for how people in the organization can report observed or suspected violations. Many people think that powerful employees in an organization can retaliate against someone who reports violations. 
Allowing anonymous submissions is often the only way to convince users to report the unauthorized activities of more influential employees.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Policy Review and Modification</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Because any document is only useful if it is up to date, each policy should contain procedures and a timetable for periodic review. As the organization’s needs and technologies change, so must the policies that govern their use. This section should specify a methodology for reviewing and modifying the policy to ensure that users do not begin circumventing it as it grows obsolete.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Limitations of Liability</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">If an employee is caught conducting illegal activities with the organization’s equipment or assets, management does not want the organization held liable. The policy should state that if employees violate a company policy or any law using company technologies, the company will not protect them, and the company is not liable for their actions. In fact, many organizations assist in the prosecution of employees who violate laws when their actions violate policies. 
It is assumed that such violations occur without knowledge or authorization by the organization.</span></p><div><br /></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-834996857819749048.post-34619808336488446892022-07-25T08:15:00.013-07:002022-07-25T10:31:18.715-07:00Principle of Information Security Module 3 Information Security Management part 4<p style="text-align: center;"><iframe frameborder="0" height="102px" scrolling="no" src="https://anchor.fm/nhat-nguyen9/embed/episodes/Principle-of-Information-Security-Module-3-Information-Security-Management-part-4-e1lm03h" width="400px"></iframe></p><p><br /></p><p><span style="font-size: medium;"><b>Planning Levels</b></span></p><div><p style="text-align: left;"></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Once the organization’s overall strategic plan is translated into strategic plans for each major division or operation, the next step is to translate these plans into tactical objectives that move toward reaching specific, measurable, achievable, and time-bound accomplishments. The process of strategic planning seeks to transform broad, general, sweeping statements into more specific and applied objectives. Strategic plans are used to create tactical plans, which in turn are used to develop operational plans.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Tactical planning focuses on undertakings that will be completed within one or two years. The process of tactical planning breaks each strategic goal into a series of incremental objectives. Each objective in a tactical plan should be specific and should have a delivery date within a year of the plan’s start. Budgeting, resource allocation, and personnel are critical components of the tactical plan. 
Tactical plans often include project plans and resource acquisition planning documents (such as product specifications), project budgets, project reviews, and monthly and annual reports. The CISO and security managers use the tactical plan to organize, prioritize, and acquire resources necessary for major projects and to provide support for the overall strategic plan.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Managers and employees use operational planning derived from tactical planning to organize the ongoing, day-to-day performance of tasks. An operational plan includes the necessary tasks for all relevant departments as well as communication and reporting requirements, which might include weekly meetings, progress reports, and other associated tasks. These plans must reflect the organizational structure, with each subunit, department, or project team conducting its own operational planning and reporting. Frequent communication and feedback from the teams to the project managers and/or team leaders, and then up to the various management levels, will make the planning process more manageable and successful.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Planning and the CISO</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The first priority of the CISO and the information security management team is the creation of a strategic plan to accomplish the organization’s information security objectives. While each organization may have its own format for the design and distribution of a strategic plan, the fundamental elements of planning share characteristics across all types of enterprises. 
The plan is an evolving statement of how the CISO and various elements of the organization will implement the objectives of the enterprise information security policy (EISP), as you will learn later in this module.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">As a clearly directed strategy flows from top to bottom, a systematic approach is required to translate it into a program that can inform and lead all members of the organization. Strategic plans formed at the highest levels of the organization are used to create an overall corporate strategy. As lower levels of the organizational hierarchy are involved (moving down the hierarchy), the plans from higher levels are evolved into more detailed, concrete planning. So, higher-level plans are translated into more specific plans for intermediate layers of management. That layer of strategic planning by function (such as financial, IT, and operations strategies) is then converted into tactical planning for supervisory managers and eventually provides direction for the operational plans undertaken by non-management members of the organization. This multilayered approach encompasses two key objectives: general strategy and overall strategic planning. First, general strategy is translated into specific strategy; second, overall strategic planning is translated into lower-level tactical and operational planning.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Information security, like information technology, must support more than its own functions. All organizational units will use information, not just IT-based information, so the information security group must understand and support the strategic plans of all business units. 
This role may sometimes conflict with that of the IT department, as IT’s role is the efficient and effective delivery of information and information resources, while the role of information security is the protection of all information assets.</span></p><p><span style="font-size: medium;"><br /></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEih3GE8PsOlb8WcE_AnIEUWKQQtxbsZKW6yoWG5oyWtYOXwxud1qW8e5dciHy_-63QkVAq5BS6g_ck2FBKNmHjmfzwemwPKhtFlvdGTL_BLAAD1iDDAMrAirCYm2k6eeq48DqfO2Jp_EReGJ_JI9uQnMdAg8ISYqpia4EzuYWV49gESI5ZRsIZlXzPnvQ/s717/information%20security%20policy.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="324" data-original-width="717" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEih3GE8PsOlb8WcE_AnIEUWKQQtxbsZKW6yoWG5oyWtYOXwxud1qW8e5dciHy_-63QkVAq5BS6g_ck2FBKNmHjmfzwemwPKhtFlvdGTL_BLAAD1iDDAMrAirCYm2k6eeq48DqfO2Jp_EReGJ_JI9uQnMdAg8ISYqpia4EzuYWV49gESI5ZRsIZlXzPnvQ/w640-h290/information%20security%20policy.png" width="640" /></a></div><p></p><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;"><b>Information Security Policy, Standards, and Practices</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Management from all communities of interest, including general staff, 
information technology, and information security, must make policy the basis for all information security planning, design, and deployment. Policies direct how issues should be addressed and how technologies should be used. Policies do not specify the proper operation of equipment or software—this information should be placed in the standards, procedures, and practices of users’ manuals and systems documentation. In addition, policy should never contradict law; policy must be able to stand up in court, if challenged; and policy must be properly administered through dissemination and documented acceptance. Otherwise, an organization leaves itself exposed to significant liability.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Good security programs begin and end with policy. Information security is primarily a management problem, not a technical one, and policy is a management tool that obliges personnel to function in a manner that preserves the security of information assets. Security policies are the least expensive control to execute but the most difficult to implement properly. They have the lowest cost in that their creation and dissemination require only the time and effort of the management team. 
Even if the management team hires an outside consultant to help develop policy, the costs are minimal compared to those of technical controls.</span></p><p><span style="font-size: medium;"><br /></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjebmafC9bM_HWExqMaGUej0qbbTrFwTAnMT7pwq0_1eWtiiepG51jeZ3mvO34U4xfZcmHaA3fGaQ9y_kKiyAY24LV7XMDzzS30XSeIXDFptIZ920JdIs9ANgZFkdTjf28H7JP4fuzhBegus_NUkjjUTrcvcA26pjXlzITCnT3qNVKL3QY6bzxMGlVZ1w/s720/policy%20as%20the%20foundation.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="322" data-original-width="720" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjebmafC9bM_HWExqMaGUej0qbbTrFwTAnMT7pwq0_1eWtiiepG51jeZ3mvO34U4xfZcmHaA3fGaQ9y_kKiyAY24LV7XMDzzS30XSeIXDFptIZ920JdIs9ANgZFkdTjf28H7JP4fuzhBegus_NUkjjUTrcvcA26pjXlzITCnT3qNVKL3QY6bzxMGlVZ1w/w640-h286/policy%20as%20the%20foundation.png" width="640" /></a></div><span style="font-size: medium;"><br /></span><p></p><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;"><b>Policy as the Foundation for Planning</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Policies function like laws in an organization because they dictate acceptable and unacceptable behavior there, as well as the penalties for failure to comply. 
Like laws, policies define what is right and wrong, the penalties for violating policy, and the appeal process. Standards, on the other hand, are more detailed statements of what must be done to comply with policy. They have the same requirements for compliance as policies. Standards may be informal or part of an organizational culture, as in de facto standards. Or, standards may be published, scrutinized, and ratified by a group, as in formal or de jure standards. Practices, procedures, and guidelines effectively explain how to comply with policy.</span></p><p><span style="font-size: medium;"><br /></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj21Wc4KtnEyZMJNdjDbs5LsZMuS2xzqJbwy_KXw-q8-2FP2fLUeFArh3x9JOXmm4aziIv4wAeeLveFb9DkagK9wVJ5Su7gL3FkNYexZF5k169QNcVbNAo10I4vnqU-1a0QjQhofgFQli3sEcRUGYIKrfaNPrbObuOhUhn4_Vye21o-RDyzXJRVLR76KQ/s935/3-1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="220" data-original-width="935" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj21Wc4KtnEyZMJNdjDbs5LsZMuS2xzqJbwy_KXw-q8-2FP2fLUeFArh3x9JOXmm4aziIv4wAeeLveFb9DkagK9wVJ5Su7gL3FkNYexZF5k169QNcVbNAo10I4vnqU-1a0QjQhofgFQli3sEcRUGYIKrfaNPrbObuOhUhn4_Vye21o-RDyzXJRVLR76KQ/w640-h150/3-1.png" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFMiC1ratU1P0NelK3eFBfgQfQFxX3Ala4XN4ubqU1oLGCiuyHwFc-vBIEJApq27zxnfCZyB6ikTEp0RlfZ6U2QdTB72RB71SARYlHXXgknt74fUkab6hPt5Q6NPRE4rV_haRxSB1GEkk1EBKJyugYKB6XNZFMnktPuQhyEZxYRBzYwVcxj80qMo1rdQ/s600/3-3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="317" data-original-width="600" height="338" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFMiC1ratU1P0NelK3eFBfgQfQFxX3Ala4XN4ubqU1oLGCiuyHwFc-vBIEJApq27zxnfCZyB6ikTEp0RlfZ6U2QdTB72RB71SARYlHXXgknt74fUkab6hPt5Q6NPRE4rV_haRxSB1GEkk1EBKJyugYKB6XNZFMnktPuQhyEZxYRBzYwVcxj80qMo1rdQ/w640-h338/3-3.png" width="640" /></a></div><span style="font-size: medium;"><br /></span><p></p><p><span style="font-size: medium;">Table 3-1 and Figure 3-3 show the relationships among policies, standards, guidelines, procedures, and practices. These relationships are further examined in the nearby feature.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Policies, Practices, Standards, Guidelines, and Procedures</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The relationships among these terms, even when carefully defined, sometimes confuse the reader. The following examples are provided for assistance. Note that many organizations may use the terms differently and publish documents they identify as policy, which may be a combination of what this text defines as policy, standards, or procedures.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>The initial statement of intent is the policy</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Policy: Employees must use strong passwords on their accounts. 
Passwords must be changed regularly and protected against disclosure.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>The standard provides specifics to help employees comply with the policy</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Standard: Passwords must be at least 10 characters long and incorporate at least one lowercase letter, one uppercase letter, one numerical digit (0–9), and one special character permitted by our system (&%$#@!). Passwords must be changed every 90 days and must not be written down or stored on insecure media.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The practice identifies other reputable organizations and agencies that offer recommendations the organization may have adopted or adapted.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Practice: US-CERT recommends the following:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Use a minimum password length of 15 characters for administrator accounts.<br /><br /></span></li><li><span style="font-size: medium;">Require the use of alphanumeric passwords and symbols.<br /><br /></span></li><li><span style="font-size: medium;">Enable password history limits to prevent the reuse of previous passwords.<br /><br /></span></li><li><span style="font-size: medium;">Prevent the use of personal information as passwords, such as phone numbers and dates of birth.<br /><br /></span></li><li><span style="font-size: medium;">Use a minimum password length of 8 characters for standard users.<br /><br /></span></li><li><span style="font-size: medium;">Disable local machine credential caching if not required through the use of a Group Policy Object (GPO).<br /><br /></span></li><li><span style="font-size: 
medium;">Deploy a secure password storage policy that provides password encryption.</span></li></ul><p></p><p><span style="font-size: medium;">Guidelines provide examples and recommendations to assist users in complying with the new policy.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Guidelines: In order to create strong yet easy-to-remember passwords, consider the following recommendations from NIST SP 800-118: “Guide to Enterprise Password Management” (draft), April 2009:</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Mnemonic method—A user selects a phrase and extracts a letter of each word in the phrase (such as the first letter or second letter of each word), adding numbers or special characters or both.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Example: “May the force be with you always, young Jedi” becomes Mtfbwya-yJ</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Altered passphrases—A user selects a phrase and alters it to form a derivation of that phrase. This method supports the creation of long, complex passwords. 
Passphrases can be easy to remember due to the structure of the password: It is usually easier for the human mind to comprehend and remember phrases within a coherent structure than a string of random letters, numbers, and special characters.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Combining and altering words—A user can combine two or three unrelated words and change some of the letters to numbers or special characters.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Finally, procedures are step-by-step instructions for accomplishing the task specified in the policy.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Procedures: To change your login password on our system, perform the following steps:</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">1. Log in using your current (old) password.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">2. On your organizational portal home page, click the [Tools] Menu option.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">3. Select Change Password.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">4. Enter your old password in the first field and your new password in the second. The system will ask you to confirm your new password to prevent you from mistyping it.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">5. The system will then report that your password has been updated and ask you to log out and log back in with your new password.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Do not write your new password down. 
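The standard, the mnemonic guideline and the change procedure above, expressed as checks in an added example (this is not code from the textbook or from the blog). The constants are read from the standard's wording (10 characters, the permitted specials &%$#@!, 90-day rotation); the comma-to-hyphen rule in the mnemonic helper is my reading of the page's "Mtfbwya-yJ" example, and the account records are constructed sample data.

```python
"""Added example: the password standard and guidelines above expressed as
checks. Not code from the textbook or the blog; constants are read from the
standard's wording and the sample account records are constructed."""
from datetime import date

PERMITTED_SPECIALS = "&%$#@!"   # special characters the standard permits
MIN_LENGTH = 10                 # "at least 10 characters long"
MAX_AGE_DAYS = 90               # "changed every 90 days"


def check_password_standard(password: str) -> list[str]:
    """Return the clauses of the standard that the password fails.

    An empty list means the password is compliant. This is the check run
    at change time (step 4 of the procedure), so no password is stored.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no numerical digit")
    if not any(c in PERMITTED_SPECIALS for c in password):
        failures.append(f"no special character from {PERMITTED_SPECIALS}")
    return failures


def mnemonic_password(phrase: str, suffix: str = "") -> str:
    """Guideline's mnemonic method: first letter of each word plus an
    optional numbers/specials suffix. Assumption: a comma after a word is
    rendered as '-', which is how the page's 'Mtfbwya-yJ' example reads."""
    letters = []
    for word in phrase.split():
        letters.append(word[0])
        if word.endswith(","):
            letters.append("-")
    return "".join(letters) + suffix


def days_until_rotation(last_changed_iso: str, today_iso: str) -> int:
    """Days left before the 90-day change is due; negative means overdue."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return MAX_AGE_DAYS - (today - last_changed).days


def rotation_audit(accounts: list[dict], today_iso: str) -> dict[str, int]:
    """Apply the rotation clause to records that hold only a change date.
    Returns {user: days overdue} for every account past the 90-day limit."""
    overdue = {}
    for acct in accounts:
        left = days_until_rotation(acct["last_changed"], today_iso)
        if left < 0:
            overdue[acct["user"]] = -left
    return overdue


# Constructed sample records (not from the page): change dates only.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "last_changed": "2022-04-01"},
    {"user": "bob", "last_changed": "2022-07-10"},
]

if __name__ == "__main__":
    phrase = "May the force be with you always, young Jedi"
    print(check_password_standard(mnemonic_password(phrase)))        # guideline example alone
    print(check_password_standard(mnemonic_password(phrase, "7!")))  # with a digit and a permitted special
    print(rotation_audit(SAMPLE_ACCOUNTS, "2022-07-25"))
```

Running the first check shows something a policy review should catch: the guideline's own example, Mtfbwya-yJ, fails the standard's digit and special-character clauses (the hyphen is not one of the permitted specials), while adding a suffix such as 7! makes it compliant. Composition is verified only at change time and the rotation audit works from the change date, so neither check needs plaintext passwords to be kept anywhere.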
If you own a smartphone, you may request that your department purchase an approved password management application like eWallet for storing passwords.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">As stated earlier, many organizations combine their policy and standards in the same document and then provide directions or a Web link to a page with guidelines and procedures.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The meaning of the term security policy depends on the context in which it is used. Governmental agencies view security policy in terms of national security and national policies to deal with foreign states. A security policy can also communicate a credit card agency’s method for processing credit card numbers. In general, a security policy is a set of rules that protects an organization’s assets. An information security policy provides rules for protection of the organization’s information assets.</span></p><p><span style="font-size: medium;"><br /></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD2L9H0fVoNYrAuMG-c7hw1jptRvKiVZTYHTwBeKKX3KV2W0bjD5pwbFl0dPELlImomOhQvnMA0OHQaWjxMQBBUk7pO7b_d235KFivmXvK45H4c_LcU-bm3pijpet-1t7Ax1lhFBhbHUNf7mVzMcNmKT_hHx-jc_qHljftqno7FbtDT6jm-VVT3QWWAA/s719/policy%20as%20the%20foundation%201.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="276" data-original-width="719" height="246" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD2L9H0fVoNYrAuMG-c7hw1jptRvKiVZTYHTwBeKKX3KV2W0bjD5pwbFl0dPELlImomOhQvnMA0OHQaWjxMQBBUk7pO7b_d235KFivmXvK45H4c_LcU-bm3pijpet-1t7Ax1lhFBhbHUNf7mVzMcNmKT_hHx-jc_qHljftqno7FbtDT6jm-VVT3QWWAA/w640-h246/policy%20as%20the%20foundation%201.png" width="640" /></a></div><span 
style="font-size: medium;"><br /></span><p></p><p><span style="font-size: medium;">Management must define three types of security policy, according to SP 800-14 of the National Institute of Standards and Technology (NIST):</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ol style="text-align: left;"><li><span style="font-size: medium;">Enterprise information security policies<br /><br /></span></li><li><span style="font-size: medium;">Issue-specific security policies<br /><br /></span></li><li><span style="font-size: medium;">Systems-specific security policies</span></li></ol><p></p></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-834996857819749048.post-47830933262514656412022-07-22T10:28:00.019-07:002022-07-22T10:41:11.256-07:00Principle of Information Security Module 3 Information Security Management part 3<p style="text-align: center;"><span style="font-size: medium;"><iframe frameborder="0" height="102px" scrolling="no" src="https://anchor.fm/nhat-nguyen9/embed/episodes/Principle-of-Information-Security-Module-3-Information-Security-Management-part-3-e1lijbc" width="400px"></iframe></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Programs</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">InfoSec operations that are specifically managed as separate entities are called “programs.” An example would be a security education, training, and awareness (SETA) program or a risk management program. SETA programs provide critical information to employees to maintain or improve their current levels of security knowledge. Risk management programs include the identification, assessment, and control of risks to information assets. Other programs that may emerge include a physical security program, complete with fire protection, physical access, gates, and guards. 
Some organizations with specific regulations may have additional programs dedicated to client/customer privacy, awareness, and the like. Each organization will typically have several security programs that must be managed.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Protection</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The protection function is executed via a set of risk management activities, as well as protection mechanisms, technologies, and tools. Each of these mechanisms or safeguards represents some aspect of the management of specific controls in the overall InfoSec plan.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>People</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">People are the most critical link in the InfoSec program. This area encompasses security personnel (the professional information security employees), the security of personnel (the protection of employees and their information), and aspects of the SETA program mentioned earlier.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Projects</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Whether an InfoSec manager is asked to roll out a new security training program or select and implement a new firewall, it is important that the process be managed as a project. The final element for thoroughgoing InfoSec management is the application of a project management discipline to all elements of the InfoSec program. 
Project management involves identifying and controlling the resources applied to the project, as well as measuring progress and adjusting the process as progress is made toward the goal.</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiO_JqqRtcBZy43iah9QgsF2AP8Hqom--FS6YEZ5oJ7rfuDogaBmfdkl4h9113LuDVpBtIbNJfyEAD7EDhZVpBXwe2EX96i-88mEV3ZoUMJcfLfjzwVx-EKMsIzby4Upk7qosSD6Kd7TwU2zfALj2m-acFybeQVG_B6ZfGq7HsYlqueXZGFAIz8WrsNAA/s794/information%20security%20governance%201.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="311" data-original-width="794" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiO_JqqRtcBZy43iah9QgsF2AP8Hqom--FS6YEZ5oJ7rfuDogaBmfdkl4h9113LuDVpBtIbNJfyEAD7EDhZVpBXwe2EX96i-88mEV3ZoUMJcfLfjzwVx-EKMsIzby4Upk7qosSD6Kd7TwU2zfALj2m-acFybeQVG_B6ZfGq7HsYlqueXZGFAIz8WrsNAA/w640-h250/information%20security%20governance%201.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><p><span style="font-size: medium;">Strategic planning sets the long-term direction to be taken by the organization and each of its component parts. Strategic planning should guide organizational efforts and focus resources toward specific, clearly defined goals. After an organization develops a general strategy, it generates an overall strategic plan by extending that general strategy into plans for major divisions. Each level of each division then translates those plan objectives into more specific objectives for the level below. To execute this broad strategy, the executive team must first define individual responsibilities. 
(The executive team is sometimes called the organization’s C-level, as in CEO, COO, CFO, CIO, and so on.)</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Information Security Leadership</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The leadership of the information security function that delivers strategic planning and corporate responsibility is best accomplished using an approach industry refers to as governance, risk management, and compliance (GRC). GRC seeks to integrate these three previously separate responsibilities into one holistic approach that can provide sound executive-level strategic planning and management of the InfoSec function. The subjects themselves are neither new nor unique to InfoSec; however, recognition of the need to integrate the three at the board or executive level is becoming increasingly important to practitioners in the field. Note that the management of risk is not limited to an organization’s information security. 
Although organizations increasingly seem to manage their risk challenges with an integrated InfoSec approach focused on GRC, many types of organizations face many types of risk and have developed specific strategies to manage them.</span></p><p><span style="font-size: medium;"><br /></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAE97Ak_ON0UASUtQErZgZ-FPfhNqeH8mIy40GNzHhv_3PNDDkWP_BV-RGNbnHCEZwxOBhtifvac5co3rhbGtGJrM9CTip9VnZp01jWrIUOcH0s6JHfO4Pc-LqKM1VtwKBOTRhjJBX5c3q3G0lmlvIYTJR1ZmD_ipr3GdsKnlKE5L0ZOBDM6bmJxPeqA/s781/information%20security%20governance%202.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="332" data-original-width="781" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAE97Ak_ON0UASUtQErZgZ-FPfhNqeH8mIy40GNzHhv_3PNDDkWP_BV-RGNbnHCEZwxOBhtifvac5co3rhbGtGJrM9CTip9VnZp01jWrIUOcH0s6JHfO4Pc-LqKM1VtwKBOTRhjJBX5c3q3G0lmlvIYTJR1ZmD_ipr3GdsKnlKE5L0ZOBDM6bmJxPeqA/w640-h272/information%20security%20governance%202.png" width="640" /></a></div><span style="font-size: medium;"><br /></span><p></p><p><span style="font-size: medium;">InfoSec objectives must be addressed at the highest levels of an organization’s management team in order to be effective and offer a sustainable approach. In organizations with formal boards of directors, the boards should be the basis for governance review and oversight. For organizations that have a parent organization, the executive management of the parent should be the basis. 
For organizations that don’t have either, this strategic oversight must stem from a formal governance board consisting of executive management from across the organization—usually the chief executive officer (CEO) or president and their immediate subordinate executives.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Just like governments, corporations and other organizations have guiding documents—corporate charters or partnership agreements—as well as appointed or elected leaders or officers, and planning and operating procedures. These elements in combination provide corporate governance.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">When security programs are designed and managed as a technical specialty in the IT department, they are less likely to be effective. A broader view of InfoSec encompasses all of an organization’s information assets, including IT assets. These valuable commodities must be protected regardless of how the information is processed, stored, or transmitted, and with a thorough understanding of the risks and benefits.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Each operating unit within an organization also has controlling customs, processes, committees, and practices. The information security group’s leadership monitors and manages all organizational structures and processes that safeguard information. 
Information security governance then applies these principles and management structures to the information security function.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">According to the Corporate Governance Task Force (CGTF), the organization should engage in a core set of activities suited to its needs to guide the development and implementation of the InfoSec governance program:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Conduct an annual InfoSec evaluation, the results of which the CEO should review with staff and then report to the board of directors.<br /><br /></span></li><li><span style="font-size: medium;">Conduct periodic risk assessments of information assets as part of a risk management program.<br /><br /></span></li><li><span style="font-size: medium;">Implement policies and procedures based on risk assessments to secure information assets.<br /><br /></span></li><li><span style="font-size: medium;">Establish a security management structure to assign explicit individual roles, responsibilities, authority, and accountability.<br /><br /></span></li><li><span style="font-size: medium;">Develop plans and initiate actions to provide adequate InfoSec for networks, facilities, systems, and information.<br /><br /></span></li><li><span style="font-size: medium;">Treat InfoSec as an integral part of the system life cycle.<br /><br /></span></li><li><span style="font-size: medium;">Provide InfoSec awareness, training, and education to personnel.<br /><br /></span></li><li><span style="font-size: medium;">Conduct periodic testing and evaluation of the effectiveness of InfoSec policies and procedures.<br /><br /></span></li><li><span style="font-size: medium;">Create and execute a plan for remedial action to address any InfoSec inefficiencies.<br /><br /></span></li><li><span style="font-size: medium;">Develop and 
implement incident response procedures.<br /><br /></span></li><li><span style="font-size: medium;">Establish plans, procedures, and tests to provide continuity of operations.<br /><br /></span></li><li><span style="font-size: medium;">Use security best practices guidance, such as the ISO 27000 series, to measure InfoSec performance.</span></li></ul><p><span style="font-size: medium;">The CGTF framework defines the responsibilities of the board of directors and trustees, the senior organizational executive (for example, the CEO), executive team members, senior managers, and all employees and users.</span></p><p><span style="font-size: medium;"><br /></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEeVKRSyYB6NxkIP9G907QY-cYZX0clgkiYqQNsW_3Z0eD70hZxT8_F_txrtjKnyIReC9JwjQRzGfpvzMhPxuNHEqJqtSkikrHb93GlGTdWCJohob70omWApvHTsIGKW2pu7Pe5k6SMfArV4X76oMMA2pqKgB7sZX1KnJE4Vqv_SX3NNCByRkETXFlWQ/s774/information%20security%20governance%203.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="396" data-original-width="774" height="328" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEeVKRSyYB6NxkIP9G907QY-cYZX0clgkiYqQNsW_3Z0eD70hZxT8_F_txrtjKnyIReC9JwjQRzGfpvzMhPxuNHEqJqtSkikrHb93GlGTdWCJohob70omWApvHTsIGKW2pu7Pe5k6SMfArV4X76oMMA2pqKgB7sZX1KnJE4Vqv_SX3NNCByRkETXFlWQ/w640-h328/information%20security%20governance%203.png" width="640" /></a></div><p></p><p style="text-align: center;"><br /></p><span style="font-size: medium;">ISO 27014:2013 is the ISO 27000 series standard for Governance of Information Security. This remarkably short document (11 pages) provides brief recommendations for the assessment of an information security governance program. 
The standard specifies six high-level “action-oriented” information security governance principles:</span><p></p><p><br /></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Establish organization-wide information security.<br /><br /></span></li><li><span style="font-size: medium;">Adopt a risk-based approach.<br /><br /></span></li><li><span style="font-size: medium;">Set the direction of investment decisions.<br /><br /></span></li><li><span style="font-size: medium;">Ensure conformance with internal and external requirements.<br /><br /></span></li><li><span style="font-size: medium;">Foster a security-positive environment.<br /><br /></span></li><li><span style="font-size: medium;">Review performance in relation to business outcomes.</span></li></ul><p></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNxrxILjTi2CjTuZc2z25AWveL5XFSd8D_SfiVokr9bTqc37CwznCFPIJOvLiB8bdTGO6N0UJo_8Y_9m6xCU6HWXi3bnQG4z-xQ7ybaAQKaNcUnahYN46slLLJ0uj54CjJXRhCvtH-4ZvvHjV00pneIJzPROL9DLh2hwL5B0WZ_v1rlu-YaNu57RobeQ/s737/iso%20iec%2027014.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="401" data-original-width="737" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNxrxILjTi2CjTuZc2z25AWveL5XFSd8D_SfiVokr9bTqc37CwznCFPIJOvLiB8bdTGO6N0UJo_8Y_9m6xCU6HWXi3bnQG4z-xQ7ybaAQKaNcUnahYN46slLLJ0uj54CjJXRhCvtH-4ZvvHjV00pneIJzPROL9DLh2hwL5B0WZ_v1rlu-YaNu57RobeQ/w640-h348/iso%20iec%2027014.png" width="640" /></a></div><div class="separator" style="clear: both; text-align: center;"><b>Figure 3-1</b></div><p></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The standard also promotes five governance processes, which should be adopted by the organization’s executive management and its governing board. 
These processes are illustrated in Figure 3-1 and described in the following list.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Evaluate</b>—Review the status of current and projected progress toward organizational information security objectives and make a determination whether modifications of the program or its strategy are needed to keep on track with strategic goals.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Direct</b>—The board of directors provides instruction for developing or implementing changes to the security program. This could include modification of available resources, structure of priorities of effort, adoption of policy, recommendations for the risk management program, or alteration to the organization’s risk tolerance.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Monitor</b>—The review and assessment of organizational information security performance toward goals and objectives by the governing body. 
Monitoring is enabled by ongoing performance measurement.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Communicate</b>—The interaction between the governing body and external stakeholders, where information on organizational efforts and recommendations for change are exchanged.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Assure</b>—The assessment of organizational efforts by external entities like certification or accreditation groups, regulatory agencies, auditors, and other oversight entities, in an effort to validate organizational security governance, security programs, and strategies.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">According to the Information Technology Governance Institute (ITGI), information security governance includes all of the accountabilities and methods undertaken by the board of directors and executive management to provide the following:</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ul style="text-align: left;"><li><span style="font-size: medium;">Strategic direction.<br /><br /></span></li><li><span style="font-size: medium;">Establishment of objectives.<br /><br /></span></li><li><span style="font-size: medium;">Measurement of progress toward those objectives.<br /><br /></span></li><li><span style="font-size: medium;">Verification that risk management practices are appropriate.<br /><br /></span></li><li><span style="font-size: medium;">Validation that the organization’s assets are used properly.<br /><br /></span></li></ul><p></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihPjckn5fQfiG3NO1neEYj2CCuzD-Mb1B-ARXAeuZsWrf0CB05zfUtHM4Blle_2yGRfciaG3RyHPuDotMbQMuzbLq4JgSCHcbBMm7SC-0bMkAZkPgDgeC2VI3_ONMWFAsEVdozWY2FsTcN4rn8QQMXkSo6rcf7b54lYB2PnesECToRYzkz0c09bxlNDw/s513/3-2.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="427" data-original-width="513" height="532" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihPjckn5fQfiG3NO1neEYj2CCuzD-Mb1B-ARXAeuZsWrf0CB05zfUtHM4Blle_2yGRfciaG3RyHPuDotMbQMuzbLq4JgSCHcbBMm7SC-0bMkAZkPgDgeC2VI3_ONMWFAsEVdozWY2FsTcN4rn8QQMXkSo6rcf7b54lYB2PnesECToRYzkz0c09bxlNDw/w640-h532/3-2.png" width="640" /></a></div><b><div style="text-align: center;"><b>Figure 3-2</b></div></b><p></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Figure 3-2 illustrates the responsibilities of various people within an organization for information security governance.</span></p><p><span
style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Information Security Governance Outcomes</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Effective communication among stakeholders is critical to the structures and processes used in governance at every level, and especially in information security governance. It requires the development of constructive relationships, a common language, and a commitment to the objectives of the organization.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>The five goals of information security governance are as follows:</b></span></p><p><span style="font-size: medium;"><br /></span></p><p></p><ol style="text-align: left;"><li><span style="font-size: medium;">Strategic alignment of information security with business strategy to support organizational objectives.<br /><br /></span></li><li><span style="font-size: medium;">Risk management by executing appropriate measures to manage and mitigate threats to information resources.<br /><br /></span></li><li><span style="font-size: medium;">Resource management by using information security knowledge and infrastructure efficiently and effectively.<br /><br /></span></li><li><span style="font-size: medium;">Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved.<br /><br /></span></li><li><span style="font-size: medium;">Value delivery by optimizing information security investments in support of organizational objectives.</span></li></ol><p></p><div><br /></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-834996857819749048.post-64495356870438708732022-07-21T07:47:00.004-07:002022-07-21T07:48:47.649-07:00Principle of Information Security Module 3 Information Security Management part 2<p style="text-align: center;"><span style="font-size:
large;"><iframe frameborder="0" height="102px" scrolling="no" src="https://anchor.fm/nhat-nguyen9/embed/episodes/Principle-of-Information-Security-Module-3-Information-Security-Management-part-2-e1lh0it" width="400px"></iframe></span></p><p style="text-align: center;"><span style="font-size: large;"><br /></span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjo1d9wA64gVMz4X8HMj4umioe_1xZDr594UY8D4nh1SNFtaRA-PbWNzHg_ZiK7h2zZHWgPp9vsWBqUBwk-xFCjZyWGyGz3ErnAbngd92qln8cSvB9PsSq2aLzJLViD7Mgh5BCaBkTPyTCpRu3pOC3TxRATHjmXh0QkcuIQrge9xpOkRmd3CTTDoFY0cg/s783/introduction%20to%20management%20of%20information%20security%202.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="400" data-original-width="783" height="326" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjo1d9wA64gVMz4X8HMj4umioe_1xZDr594UY8D4nh1SNFtaRA-PbWNzHg_ZiK7h2zZHWgPp9vsWBqUBwk-xFCjZyWGyGz3ErnAbngd92qln8cSvB9PsSq2aLzJLViD7Mgh5BCaBkTPyTCpRu3pOC3TxRATHjmXh0QkcuIQrge9xpOkRmd3CTTDoFY0cg/w640-h326/introduction%20to%20management%20of%20information%20security%202.png" width="640" /></a></div><p style="text-align: left;"><span style="font-size: medium;"><br /></span></p><p></p><p><span style="font-size: medium;">Because InfoSec management oversees a specialized program, certain aspects of its managerial responsibility are unique. 
These unique functions, which are known as “the six Ps” (planning, policy, programs, protection, people, and project management), are discussed throughout this book and briefly described in the following sections.</span></p><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;"><br /></span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><b><span style="font-size: medium;">Planning</span></b></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;"><br /></span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;">Planning in InfoSec management is an extension of the basic planning mentioned later in this module. Included in the InfoSec planning model are activities necessary to support the design, creation, and implementation of InfoSec strategies within the planning environments of all organizational units, including IT. Because the InfoSec strategic plans must support not only the IT department’s use and protection of information assets but those of the entire organization, it is imperative that the CISO work closely with all senior managers in developing InfoSec strategy. The business strategy is translated into the IT strategy. The strategies of other business units and the IT strategy are then used to develop the InfoSec strategy. 
Just as the CIO uses the IT objectives gleaned from the business unit plans to create the organization’s IT strategy, the CISO develops InfoSec objectives from the IT and other business units to create the organization’s InfoSec strategy.</span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;"><br /></span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;">The IT strategy and that of the other business units provide critical information used for InfoSec planning as the CISO works with the CIO and other executives to develop the strategy for the next level down. The CISO then works with the appropriate security managers to develop operational security plans. These security managers consult with security technicians to develop tactical security plans. Each of these plans is usually coordinated across the business and IT functions of the enterprise and placed into a master schedule for implementation. The overall goal is to create plans that support long-term achievement of the overall organizational strategy. If all goes as expected, the entire collection of tactical plans accomplishes the operational goals and the entire collection of operational goals accomplishes the subordinate strategic goals; this helps to meet the strategic goals and objectives of the organization as a whole.</span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;"><br /></span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;">Several types of InfoSec plans and planning functions exist to support routine operations as well as activities and responses that are not part of the normal operating environment.
Routine planning includes that for policy, personnel issues, technology rollouts, risk management, and security programs. Plans and functions that go beyond the routine include planning for incident response, business continuity, disaster recovery, and crisis management. Each of these plans has unique goals and objectives, yet each can benefit from the same methodical approach. These planning areas are discussed in detail in Module 4.</span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;"><br /></span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;">Another basic planning consideration unique to InfoSec is the location of the InfoSec department within the organizational structure. This topic is discussed in Module 7.</span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;"><br /></span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><b><span style="font-size: medium;">Policy</span></b></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;"><br /></span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;">In InfoSec, there are three general policy categories, which are discussed in greater detail later in this module:</span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;"><br /></span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;">Enterprise information security policy (EISP)—Developed within the context of the strategic IT plan, this sets the tone for the InfoSec department and the InfoSec climate across
the organization. The CISO typically drafts the program policy, which is usually supported and signed by the CIO or the CEO.</span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;"><br /></span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;">Issue-specific security policies (ISSP)—These are sets of rules that define acceptable behavior within a specific organizational resource, such as e-mail or Internet usage.</span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;"><br /></span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;">Systems-specific policies—A merger of technical and managerial intent, systems-specific policies include both the managerial guidance for the implementation of a technology and the technical specifications for its configuration.</span></center></center>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-834996857819749048.post-78245376482589753152022-07-21T07:35:00.004-07:002022-07-21T07:49:47.543-07:00Principle of Information Security Module 3 Information Security Management part 1<p></p><p></p><center><iframe frameborder="0" height="102px" scrolling="no" src="https://anchor.fm/nhat-nguyen9/embed/episodes/Principle-of-Information-Security-Module-3-Information-Security-Management-part-1-e1lh21g" width="400px"></iframe></center><p></p><p></p><center style="text-align: left;"><br /></center><p></p><center style="text-align: left;"><span style="font-size: medium;"><b>Upon completion of this material, you should be able to:</b></span></center><p></p><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;"><br /></span></center></center><p></p><p></p><center style="text-align:
left;"><center style="text-align: left;"><ul style="text-align: left;"><li><span style="font-size: medium;">Describe the different management functions with respect to information security.<br /><br /></span></li><li><span style="font-size: medium;">Define information security governance and list the expectations of the organization’s senior management with respect to it.<br /><br /></span></li><li><span style="font-size: medium;">Describe management’s role in the development, maintenance, and enforcement of information security policy, standards, practices, procedures, and guidelines.<br /><br /></span></li><li><span style="font-size: medium;">List the elements in an effective security education, training, and awareness program and describe a methodology for effectively implementing security policy in the organization.<br /><br /></span></li><li><span style="font-size: medium;">Explain what an information security blueprint is, identify its major components, and explain how it supports the information security program.<br /><br /></span></li></ul></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><b><span style="font-size: medium;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLqFiWRunZk89BmPkZSsSUEhEPOm-3G88BvPV0G-nMsbcWOumH0qR-EMT4MbZkFZgEKMgNncfX6cRRUA5RTe6BjV0mSIl6zXW7pxHukl6Cnxml9JImhehavArieuyQv6Hz4cYC74zXyxGUNjz8eB80J0-_Nm9VWPQyjkj7koin2aHfwVb4enEd9Fui4Q/s776/introduction%20to%20management%20of%20information%20security.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="220" data-original-width="776" height="182" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLqFiWRunZk89BmPkZSsSUEhEPOm-3G88BvPV0G-nMsbcWOumH0qR-EMT4MbZkFZgEKMgNncfX6cRRUA5RTe6BjV0mSIl6zXW7pxHukl6Cnxml9JImhehavArieuyQv6Hz4cYC74zXyxGUNjz8eB80J0-_Nm9VWPQyjkj7koin2aHfwVb4enEd9Fui4Q/w640-h182/introduction%20to%20management%20of%20information%20security.png" width="640" /></a></div><p style="clear: both; text-align: center;"><br /></p></span></b></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;">An organization’s information security effort succeeds only when it operates in conjunction with the organization’s information security policy. An information security program begins with policy, standards, and practices, which are the foundation for the information security program and its blueprint. The creation and maintenance of these elements require coordinated planning. The role of planning in modern organizations is hard to overemphasize. All but the smallest organizations engage in some planning, from strategic planning to manage the future direction of the organization to the operational day-to-day planning to control the use and allocation of resources.</span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;"><br /></span></center></center><p></p><p></p><p></p><p></p><center style="text-align: left;"><center style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0rlvnN7tjTR9zZfYjJpT9W8k4Pehr-QPM2FaK0ciE10HQhKSM4r8hGWt1NPcV4A4sylFEZBuQOcgv5fSVWAURkO11lSuFE-8qWzu8nTAw3P5htR0IiSN6KppwScrFfaEExqJbjLAOTKLUu6LNHUsQcTDVyzT7BuJsZwyEky1Am4TLk5yZLUNPqFFYQQ/s784/introduction%20to%20management%20of%20information%20security%201.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="374" data-original-width="784" 
height="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0rlvnN7tjTR9zZfYjJpT9W8k4Pehr-QPM2FaK0ciE10HQhKSM4r8hGWt1NPcV4A4sylFEZBuQOcgv5fSVWAURkO11lSuFE-8qWzu8nTAw3P5htR0IiSN6KppwScrFfaEExqJbjLAOTKLUu6LNHUsQcTDVyzT7BuJsZwyEky1Am4TLk5yZLUNPqFFYQQ/w640-h306/introduction%20to%20management%20of%20information%20security%201.png" width="640" /></a></div><span style="font-size: medium;"><br /></span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;">As part of the organization’s management team, the InfoSec management team operates like all other management units. However, the InfoSec management team’s goals and objectives differ from those of the IT and general management communities in that the InfoSec management team is focused on the secure operation of the organization. In fact, some of the InfoSec management team’s goals and objectives may be contrary to or require resolution with the goals of the IT management team, as the primary focus of the IT group is to ensure the effective and efficient processing of information, whereas the primary focus of the InfoSec group is to ensure the confidentiality, integrity, and availability of information.</span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;"><br /></span></center></center><p></p><center style="text-align: left;"><center style="text-align: left;"><span style="font-size: medium;">Security, by its very nature, will slow down the information flow into, through, and out of an organization as information is validated, verified, and assessed against security criteria. 
Because the chief information security officer (CISO) in charge of the security management team typically reports directly to the chief information officer (CIO), who is responsible for the IT function, issues and prioritization conflicts can arise unless upper management intervenes.</span></center></center><center><br /></center><p></p><p></p>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-834996857819749048.post-60899365161146752532022-07-20T10:47:00.002-07:002022-07-20T10:50:55.239-07:00Principle of Information Security Module 2 The Need for Information Security<p><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/06/principle-of-information-security_38.html" target="_blank">Module 2 The Need for Information Security part one</a></span></p><p><br /></p><p><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/06/principle-of-information-security_75.html" target="_blank">Module 2 The Need for Information Security part two</a></span></p><p><br /></p><p><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/07/principle-of-information-security.html" target="_blank">Module 2 The Need for Information Security part three</a></span></p><p><br /></p><p><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/07/principle-of-information-security_1.html" target="_blank">Module 2 The Need for Information Security part four</a></span></p><p><br /></p><p><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/07/principle-of-information-security_6.html" target="_blank">Module 2 The Need for Information Security part five</a></span></p><p><br /></p><p><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/07/principle-of-information-security_7.html" target="_blank">Module 2 The Need for Information Security part six</a></span></p><p><br /></p><p><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/07/principle-of-information-security_8.html" target="_blank">Module 2 The Need for Information Security part seven</a></span></p><p><br /></p><p><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/07/principle-of-information-security_20.html" target="_blank">Module 2 The Need for Information Security part eight</a></span></p><p><br /></p><p><span style="font-size: 
medium;"><a href="https://www.nnguyen14.com/2022/07/principle-of-information-security_16.html" target="_blank">Module 2 The Need for Information Security part nine</a></span></p><p><br /></p><p><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/07/principle-of-information-security_19.html" target="_blank">Module 2 The Need for Information Security part ten</a></span></p><p><br /></p><p><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/07/principle-of-information-security_12.html" target="_blank">Module 2 The Need for Information Security part eleven</a></span></p><p><br /></p><p><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/07/principle-of-information-security_0.html" target="_blank">Module 2 The Need for Information Security part twelve</a></span></p><p><br /></p><p><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/07/principle-of-information-security_13.html" target="_blank">Module 2 The Need for Information Security part thirteen</a></span></p><p><br /></p><p><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/07/principle-of-information-security_18.html" target="_blank">Module 2 The Need for Information Security part fourteen</a></span></p><p><br /></p><p><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/07/principle-of-information-security_72.html" target="_blank">Module 2 The Need for Information Security part fifteen</a></span></p><p><br /></p><p><span style="font-size: medium;"><a href="https://www.nnguyen14.com/2022/07/principle-of-information-security_79.html" target="_blank">Module 2 The Need for Information Security part sixteen</a></span></p><p><span style="font-size: large;"><br /></span></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-834996857819749048.post-91487335997846777302022-07-19T13:27:00.005-07:002022-07-19T13:37:55.574-07:00Principle of Information Security: Module 1 Introduction to Information 
Security<p style="text-align: left;"><a href="https://www.nnguyen14.com/2022/06/principle-of-information-security.html" target="_blank"><span style="font-size: medium;">Introduction to Information Security part one</span></a></p><p style="text-align: left;"><br /></p><div><p style="text-align: left;"><a href="https://www.nnguyen14.com/2022/06/principle-of-information-security_28.html" target="_blank"><span style="font-size: medium;">Introduction to Information Security part two</span></a></p><p style="text-align: left;"><br /></p><p style="text-align: left;"><a href="https://www.nnguyen14.com/2022/06/principle-of-information-security_8.html" target="_blank"><span style="font-size: medium;">Introduction to Information Security part three</span></a></p><p style="text-align: left;"><br /></p><p style="text-align: left;"><a href="https://www.nnguyen14.com/2022/06/2000-to-present-today-internet-brings.html" target="_blank"><span style="font-size: medium;">Introduction to Information Security part four</span></a></p><p style="text-align: left;"><br /></p><p style="text-align: left;"><a href="https://www.nnguyen14.com/2022/06/principle-of-information-security_46.html" target="_blank"><span style="font-size: medium;">Introduction to Information Security part five</span></a></p><p style="text-align: left;"><br /></p><p style="text-align: left;"><a href="https://www.nnguyen14.com/2022/06/principle-of-information-security_29.html" target="_blank"><span style="font-size: medium;">Introduction to Information Security part six</span></a></p><p style="text-align: left;"><br /></p><p style="text-align: left;"><a href="https://www.nnguyen14.com/2022/06/principle-of-information-security_9.html" target="_blank"><span style="font-size: medium;">Introduction to Information Security part seven</span></a></p><p style="text-align: left;"><br /></p><p style="text-align: left;"><a href="https://www.nnguyen14.com/2022/06/principle-of-information-security_30.html" target="_blank"><span 
style="font-size: medium;">Introduction to Information Security part eight</span></a></p><p style="text-align: left;"><br /></p><p style="text-align: left;"><a href="https://www.nnguyen14.com/2022/06/principle-of-information-security_53.html" target="_blank"><span style="font-size: medium;">Introduction to Information Security part nine</span></a></p><p style="text-align: left;"><br /></p><p style="text-align: left;"><a href="https://www.nnguyen14.com/2022/06/principle-of-information-security_56.html" target="_blank"><span style="font-size: medium;">Introduction to Information Security part ten</span></a></p><p style="text-align: left;"><br /></p></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-834996857819749048.post-56924915044870262352022-07-19T12:21:00.003-07:002022-07-19T13:19:50.242-07:00Principle of Information Security: Module 2 The Need for Information Security (Part 16)<p style="text-align: center;"><iframe frameborder="0" height="102px" scrolling="no" src="https://anchor.fm/nhat-nguyen9/embed/episodes/Principle-of-Information-Security-Module-2-The-Need-for-Information-Security-Part-16-e1lehpk" width="400px"></iframe></p><p style="text-align: center;"><br /></p><div class="separator" style="clear: both; text-align: center;"><p style="clear: both; text-align: left;"><span style="font-size: medium;">Knowledge check Activity 3</span></p><p style="clear: both; text-align: left;"><span style="font-size: medium;"><br /></span></p><p style="clear: both; text-align: left;"><span style="font-size: medium;">Communications interception attacks include all of the following EXCEPT:</span></p><p style="clear: both; text-align: left;"><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: left;"><span style="font-size: medium;">A.
Sniffers</span></div><div class="separator" style="clear: both; text-align: left;"><span style="font-size: medium;">B. Spoofing</span></div><div class="separator" style="clear: both; text-align: left;"><span style="font-size: medium;">C. Pharming</span></div><div class="separator" style="clear: both; text-align: left;"><span style="font-size: medium;">D. Ransomware</span></div><div style="clear: both; text-align: left;"><span style="font-size: medium;">E. Man-in-the-middle</span></div><div style="clear: both; text-align: left;"><span style="font-size: medium;"><br /></span></div><p style="clear: both; text-align: left;"><span style="font-size: medium;">The answer is <b>C</b> Ransomware.</span></p><p style="clear: both; text-align: left;"><span style="font-size: medium;"><br /></span></p><p style="clear: both; text-align: left;"><span style="font-size: medium;">Each of the others involves using the communication network or procedures as a means of attack. Ransomware uses encryption of the victim’s data as a means to extort payment.</span></p><p style="clear: both; text-align: left;"><span style="font-size: medium;"><br /></span></p></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVDBhBEafp4cznjCl4xpfIS6iJc03uOxo0U8eZXeS3CjlIo_FCcZQb6aRA_qxacbZnXs_JkF7hSslEbosG0ck2nxSa_1fxLPLQzcTkK7TKJLgJ85Lt2z4AHCImAyrywH7QLRX8dnSnLIsQFoUoYTGgiQduAf7SKxAfbbah7jDcEfdf4aGiE8vUPHgL4Q/s1291/technical%20hardware%20failures%201.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="556" data-original-width="1291" height="276" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVDBhBEafp4cznjCl4xpfIS6iJc03uOxo0U8eZXeS3CjlIo_FCcZQb6aRA_qxacbZnXs_JkF7hSslEbosG0ck2nxSa_1fxLPLQzcTkK7TKJLgJ85Lt2z4AHCImAyrywH7QLRX8dnSnLIsQFoUoYTGgiQduAf7SKxAfbbah7jDcEfdf4aGiE8vUPHgL4Q/w640-h276/technical%20hardware%20failures%201.png" width="640" /></a></div><div 
class="separator" style="clear: both; text-align: center;"><br /></div><p style="clear: both;"><span style="font-size: medium;">Technical hardware failures or errors occur when a manufacturer distributes equipment containing a known or unknown flaw. These defects can cause the system to perform outside of expected parameters, resulting in unreliable service or lack of availability. Some errors are terminal—that is, they result in the unrecoverable loss of the equipment. Some errors are intermittent in that they only manifest themselves periodically, resulting in faults that are not easily repeated. Thus, equipment can sometimes stop working or work in unexpected ways. Murphy’s law (yes, there really was a Murphy) holds that if something can possibly go wrong, it will. In other words, it’s not a question if something will fail, but when.</span></p><p style="clear: both;"><span style="font-size: medium;"><br /></span></p><p style="clear: both; text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2KH0E_tMbsK62Kn0e0JGUPHQD4HyS-SwZnP95v4A7rx-1nNv_Q3qvcvuJGqd0EKcYvFUxvPyfXyKTXOVWxrS-aBfj1beyJeC9srmTuKtleu7EU8ISWZeRi24Mo3Jxylp6NTqFJai_mShqC-HalpRPC9R0kqh1Pl0k6WEin80p3m-TbQSFMh0EgRchSA/s358/processor%202-19.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="339" data-original-width="358" height="303" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj2KH0E_tMbsK62Kn0e0JGUPHQD4HyS-SwZnP95v4A7rx-1nNv_Q3qvcvuJGqd0EKcYvFUxvPyfXyKTXOVWxrS-aBfj1beyJeC9srmTuKtleu7EU8ISWZeRi24Mo3Jxylp6NTqFJai_mShqC-HalpRPC9R0kqh1Pl0k6WEin80p3m-TbQSFMh0EgRchSA/s320/processor%202-19.jpg" width="320" /></a></div><b><div style="text-align: center;"><b>Figure 2-19</b></div></b><span style="font-size: medium;"><br /></span><p></p><p style="clear: both;"><span style="font-size: medium;"><b>The Intel Pentium CPU Failure</b></span></p><p 
style="clear: both;"><span style="font-size: medium;"><b><br /></b></span></p><p style="clear: both;"><span style="font-size: medium;">One of the best-known hardware failures is that of Intel’s original Pentium chip (similar to the one shown in Figure 2-19), which had a defect that caused certain floating-point divisions to return slightly wrong results. Intel initially expressed little concern for the defect and stated that it would take an inordinate amount of time to identify a calculation that would interfere with the reliability of results. Yet, within days after the chip’s defect was announced, popular computing journals were publishing a simple calculation (dividing 4,195,835 by 3,145,727 in a spreadsheet; a defective chip returns 1.33382 instead of the correct 1.33374) that determined whether a machine contained the defective chip and thus the floating-point division bug. The Pentium FDIV bug led to a public-relations disaster for Intel that resulted in its first-ever chip recall and a charge of more than $475 million. In 1997, disclosure of another bug, the Dan-0411 flag erratum in the Pentium Pro and Pentium II, further eroded the chip manufacturer’s public image. In 1998, Intel released its Xeon chip and discovered it also had hardware errors. Intel said, “All new chips have bugs, and the process of debugging and improving performance inevitably continues even after a product is in the market.”</span></p><p style="clear: both;"><span style="font-size: medium;"><br /></span></p><p style="clear: both;"><span style="font-size: medium;"><b>Mean Time Between Failure</b></span></p><p style="clear: both;"><span style="font-size: medium;"><b><br /></b></span></p><p style="clear: both;"><span style="font-size: medium;">In hardware terms, failures are measured in mean time between failure (MTBF) and mean time to failure (MTTF). While MTBF and MTTF are sometimes used interchangeably, MTBF presumes that the item can be repaired or returned to service, whereas MTTF presumes the item must be replaced. 
From a repair standpoint, MTBF = MTTF + MTTD + MTTR, where MTTD is the mean time to diagnose a failure and MTTR the mean time to repair it. The most commonly failing piece of computer hardware is the hard drive, for which vendors have quoted MTBF figures of roughly 500,000 hours and more. Hard drive vendors have largely moved from MTBF to annualized failure rate (AFR), the fraction of drives expected to fail in a year of service, which is derived from the manufacturer’s field and warranty data. MTBF converts to AFR by dividing the 8,760 hours in a year by the MTBF, so a 500,000-hour MTBF corresponds to an AFR of about 1.75 percent, and a vendor-quoted AFR of 0.5 percent corresponds to an MTBF of roughly 1.75 million hours. For capacity planning, AFR is the more useful figure: a fleet of 10,000 drives with an AFR of 0.5 percent should expect about 50 failures a year.</span></p><p style="clear: both;"><span style="font-size: medium;"><br /></span></p><p style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVMsG961hewLgX8tc_UMsELHJtXrXh_Atc3gPAkU2OhKs2czZyrCkDI61JQhGnIUEHaZ0RfqYwt8lLoksZRVmcLafkcfd-dnY44qSps-tpWnc5pXDlVFYlKohuhMz0sJzwiZKUQwljOJs3kqdxYyMA-ZXCCt9NDcH_CJkOldGmPKlKHfBZgHtus-0gJQ/s1281/technical%20hardware%20failures%202.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="498" data-original-width="1281" height="249" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVMsG961hewLgX8tc_UMsELHJtXrXh_Atc3gPAkU2OhKs2czZyrCkDI61JQhGnIUEHaZ0RfqYwt8lLoksZRVmcLafkcfd-dnY44qSps-tpWnc5pXDlVFYlKohuhMz0sJzwiZKUQwljOJs3kqdxYyMA-ZXCCt9NDcH_CJkOldGmPKlKHfBZgHtus-0gJQ/w640-h249/technical%20hardware%20failures%202.png" width="640" /></a></p><p style="clear: both; text-align: center;"><br /></p><div><span style="font-size: medium;">Large quantities of computer code are written, debugged, published, and sold before all their bugs are detected and resolved. Sometimes, combinations of certain software and hardware reveal new failures that range from bugs to untested failure conditions. Sometimes these bugs are not errors but purposeful shortcuts left by programmers for benign or malign reasons. 
Collectively, shortcut access routes into programs that bypass security checks are called trap doors, and they can cause serious security breaches.</span></div><p style="text-align: left;"><br /></p><div><span style="font-size: medium;">Software bugs are so commonplace that entire Web sites are dedicated to documenting them. Among the best known was the Bugtraq mailing list, long hosted at www.securityfocus.com, which provided up-to-the-minute information on the latest security vulnerabilities as well as a thorough archive of past bugs; today the CVE list (www.cve.org) and NIST’s National Vulnerability Database (nvd.nist.gov) fill that role.</span></div><p style="text-align: left;"><br /></p><div><span style="font-size: medium;">Common failures in software development include:</span></div><p style="text-align: left;"><span style="font-size: medium;"><br /></span></p><div><ul style="text-align: left;"><li><span style="font-size: medium;">SQL injection</span></li><li><span style="font-size: medium;">Web server-related vulnerabilities (Cross Site Scripting, Cross Site Request Forgery, and response splitting)</span></li><li><span style="font-size: medium;">Web client-related vulnerabilities (Cross Site Scripting)</span></li><li><span style="font-size: medium;">Use of magic URLs and hidden forms</span></li><li><span style="font-size: medium;">Buffer overruns</span></li><li><span style="font-size: medium;">Format string problems</span></li><li><span style="font-size: medium;">Integer bugs (overflows and underflows)</span></li><li><span style="font-size: medium;">C++ catastrophes</span></li><li><span style="font-size: medium;">Catching exceptions</span></li><li><span style="font-size: medium;">Command injection</span></li><li><span style="font-size: medium;">Failure to handle errors</span></li><li><span style="font-size: medium;">Information leakage</span></li><li><span style="font-size: medium;">Race conditions</span></li><li><span style="font-size: medium;">Poor usability</span></li><li><span style="font-size: medium;">Not updating easily</span></li><li><span style="font-size: medium;">Executing code with too much privilege</span></li><li><span style="font-size: medium;">Failure to protect stored data</span></li><li><span style="font-size: medium;">Sins of mobile code</span></li><li><span style="font-size: medium;">Use of weak password-based systems</span></li><li><span style="font-size: medium;">Weak random numbers</span></li><li><span style="font-size: medium;">Using cryptography incorrectly</span></li><li><span style="font-size: medium;">Failure to protect network traffic</span></li><li><span style="font-size: medium;">Improper use of Public Key Infrastructure (PKI), especially SSL (Secure Sockets Layer)</span></li><li><span style="font-size: medium;">Trusting network name resolution</span></li><li><span style="font-size: medium;">Neglecting change control</span></li></ul></div><p style="text-align: center;"></p><p style="clear: both; text-align: center;"><br /></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu36L16GT62ZsGWbJ0efQRXxQcfuPj2tel6b6L-xUSYdJ8mo27FAFBR0ylB7X53taEH9AL6uz4PV16GRe7W0DM_jVhDmp-9mxvYwd5Gdyzbx4qi3lLugbTN6TqsCC3cgYMUyVCkSakeSMN4swSkZJ7rmUWoeodZoy7DoUoyje3_jnr1Avs0tCoj1bo4Q/s1259/technological%20obsolescene.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="340" data-original-width="1259" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgu36L16GT62ZsGWbJ0efQRXxQcfuPj2tel6b6L-xUSYdJ8mo27FAFBR0ylB7X53taEH9AL6uz4PV16GRe7W0DM_jVhDmp-9mxvYwd5Gdyzbx4qi3lLugbTN6TqsCC3cgYMUyVCkSakeSMN4swSkZJ7rmUWoeodZoy7DoUoyje3_jnr1Avs0tCoj1bo4Q/w640-h172/technological%20obsolescene.png" width="640" /></a></div><p style="clear: both; text-align: center;"><br /></p><p></p><p><span style="font-size: medium;">Antiquated or outdated infrastructure can lead to unreliable and untrustworthy systems. 
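</span></p>
<p><span style="font-size: medium;">Two entries from the list of common software-development failures above, SQL injection and weak random numbers, as an added worked example. This is not code from the textbook or from this blog: the users table, its rows and the attacker inputs are constructed for the demonstration, and each vulnerable function is shown beside its fix.</span></p>

```python
"""Two items from the list of common software failures, each shown as the
vulnerable code beside its fix: SQL injection and weak random numbers.

Added example, not code from the textbook or this blog. The users table,
its rows and the attacker inputs are constructed for the demonstration.
"""
import random
import secrets
import sqlite3
import string


def make_db() -> sqlite3.Connection:
    """In-memory users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


# --- SQL injection ----------------------------------------------------------
def login_vulnerable(conn, name, password):
    """Builds the statement by string formatting, so input is parsed as SQL.
    name = "alice' --" comments out the password check;
    name = "' OR 1=1 --" matches every row."""
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_fixed(conn, name, password):
    """Parameterised query: the driver binds input as data, never as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchall()


# --- Weak random numbers ---------------------------------------------------
ALPHABET = string.ascii_letters + string.digits


def token_weak(seed: int, length: int = 16) -> str:
    """random.Random is a deterministic PRNG: the same seed (say, a timestamp)
    always yields the same 'session token'."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def token_strong(length: int = 16) -> str:
    """secrets draws from the OS CSPRNG; there is no seed to recover."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def recover_seed(observed: str, candidates: range, length: int = 16):
    """Attacker's view: try every seed in a small candidate range (e.g. the
    timestamps around when the token was issued) until one reproduces it."""
    for seed in candidates:
        if token_weak(seed, length) == observed:
            return seed
    return None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "alice' --", "wrong"))
    print("fixed:     ", login_fixed(db, "alice' --", "wrong"))
    # assume the application seeded its PRNG with int(time.time())
    issued = token_weak(1_700_000_042)
    print("seed recovered:", recover_seed(issued, range(1_700_000_000, 1_700_000_100)))
```

<p><span style="font-size: medium;">With the input <code>alice' --</code> the vulnerable login returns Alice’s admin row without any password, because the comment marker swallows the rest of the statement; the parameterised version returns nothing, since the same text bound as a parameter is just an unusual user name. The token functions make the second point: a token drawn from a seeded PRNG can be recovered by trying the handful of plausible seeds, which is what “weak random numbers” means in practice.</span></p>
<p><span style="font-size: medium;">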
Management must recognize that when technology becomes outdated, there is a risk of losing data integrity and availability to attacks, because a product past its end of support no longer receives security patches. Management’s strategic planning should always include an analysis of the technology currently in use. Ideally, proper planning by management should prevent technology from becoming obsolete, but when obsolescence is clear, management must take immediate action. IT professionals play a large role in the identification of probable obsolescence.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Recently, the software vendor Symantec retired support for a legacy version of its popular antivirus software, and organizations that wanted continued product support were obliged to upgrade immediately to a different version of antivirus software. In organizations where IT personnel had kept management informed of the coming retirement, these replacements were made more promptly and at lower cost than in organizations where the software had become obsolete.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Perhaps the most significant case of technology obsolescence in recent years is Microsoft’s Windows XP. This desktop operating system was dominant in the market for many years, beginning in 2001. The OS evolved over time to be used in multiple variations such as XP Pro and XP Home, it had feature and capability upgrades in three service packs, and it even made the transition to new processors with a 64-bit edition. It was superseded in the corporation’s lineup of desktop operating systems by Windows Vista in January 2007. However, it retained a large following of users and remained in widespread use for many years. Microsoft discontinued support for Windows XP in April 2014. 
Many industries and organizations built critical elements of their business systems and even their infrastructure control systems on top of Windows XP, or they used it as an embedded operating system inside other systems, such as automated teller machines and power generating and control systems. Similar issues follow other Windows versions, as users get comfortable with a particular OS and are then reluctant to upgrade to a newer one.</span></p><p><span style="font-size: medium;"><br /></span></p><p style="text-align: center;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCOSaQieTeyFOiFezJbskK1LKEaBDsyUeht5wNwqrsMP04yejeTTw9WIz2lGnW2rmvt2Pbmah0su5ko5LMbMmGCxdifQQYDEFigX5sflFybBw4AbtIY4C5jolElUAPwyWqps4WG_qOPLdRxKBOWav09N_lQlmgT8XPfUDm36_wzL8DqS1RYFjOxs8tyg/s595/2-20.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="195" data-original-width="595" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCOSaQieTeyFOiFezJbskK1LKEaBDsyUeht5wNwqrsMP04yejeTTw9WIz2lGnW2rmvt2Pbmah0su5ko5LMbMmGCxdifQQYDEFigX5sflFybBw4AbtIY4C5jolElUAPwyWqps4WG_qOPLdRxKBOWav09N_lQlmgT8XPfUDm36_wzL8DqS1RYFjOxs8tyg/w640-h210/2-20.jpg" width="640" /></a></div><b>Figure 2-20</b><br /><span style="font-size: medium;"><br /></span><p></p><p><span style="font-size: medium;">Figure 2-20 shows other examples of obsolete technology, including removable storage media in 8-inch, 5.25-inch, and 3.5-inch formats as well as open-reel magnetic tape.</span></p><p><span style="font-size: medium;"><br /></span></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-pN9eRESeyhRb6uUGVwmDgaFF7VWiprQhPksaHsXUORx9AopcDFuX6CW5fZro0S9Jwyz4Nvr2q0jQMf_InBcrtSfFcwS6BkCy6jz1WAEXtTsTn31khvlp4OTd2Y_so90xhNf4HJ-5-cczDE1L3dxDUNfWGkZ3HHoASLIwu3hxN1wvUvEPeQBKPmDmCw/s1268/theft.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="341" data-original-width="1268" height="172" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-pN9eRESeyhRb6uUGVwmDgaFF7VWiprQhPksaHsXUORx9AopcDFuX6CW5fZro0S9Jwyz4Nvr2q0jQMf_InBcrtSfFcwS6BkCy6jz1WAEXtTsTn31khvlp4OTd2Y_so90xhNf4HJ-5-cczDE1L3dxDUNfWGkZ3HHoASLIwu3hxN1wvUvEPeQBKPmDmCw/w640-h172/theft.png" width="640" /></a></div><p style="clear: both; text-align: center;"><br /></p><p><span style="font-size: medium;">The threat of theft is a constant. The value of information is diminished when it is copied without the owner’s knowledge. Physical theft can be controlled easily using a wide variety of measures, from locked doors to trained security personnel and the installation of alarm systems. Electronic theft, however, is a more complex problem to manage and control. When someone steals a physical object, the loss is easily detected; if it has any importance at all, its absence is noted. When electronic information is stolen, the crime is not always readily apparent. If thieves are clever and cover their tracks carefully, the crime may remain undiscovered until it is too late.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Theft is often an overlapping category with software attacks, espionage or trespass, information extortion, and compromises to intellectual property. 
A hacker or other individual threat agent could access a system and commit most of these offenses by downloading a company’s information and then threatening to publish it if not paid.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">The increasing use of mobile technology, including smartphones, tablet PCs, and laptops, increases the risk of data theft. More disconcerting than the loss of data is the chance that the user has allowed the mobile device to retain account credentials, allowing the thief to use legitimate access to get into business or personal accounts that belong to the victim.</span></p><p><span style="font-size: medium;"><br /></span></p><p><b><span style="font-size: medium;">Summary</span></b></p><p><b><span style="font-size: medium;"><br /></span></b></p><p><span style="font-size: medium;">Information security performs four important functions to ensure that information assets remain safe and useful: protecting the organization’s ability to function, enabling the safe operation of applications implemented on the organization’s IT systems, protecting the data an organization collects and uses, and safeguarding the organization’s technology assets.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">To make sound decisions about information security, management must be informed about threats to its people, applications, data, and information systems, and the attacks they face.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Threats are any events or circumstances that have the potential to adversely affect operations and assets. An attack is an intentional or unintentional act that can damage or otherwise compromise information and the systems that support it. 
A vulnerability is a potential weakness in an asset or its defensive controls.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Threats or dangers facing an organization’s people, information, and systems fall into the following categories:</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Compromises to intellectual property</b>—Intellectual property, such as trade secrets, copyrights, trademarks, or patents, is an intangible asset that may be attacked via software piracy or the exploitation of asset protection controls.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Deviations in quality of service</b>—Organizations rely on services provided by others. Losses can come from interruptions to those services.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Espionage or trespass</b>—Asset losses may result when electronic and human activities breach the confidentiality of information.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Forces of nature</b>—A wide range of natural events can overwhelm control systems and preparations to cause losses to data and availability.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Human error or failure</b>—Losses to assets may come from intentional or accidental actions by people inside and outside the organization.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Information extortion</b>—Stolen or inactivated assets may be held hostage to extract payment of 
ransom.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Sabotage or vandalism</b>—Losses may result from the deliberate sabotage of a computer system or business, or from acts of vandalism. These acts can either destroy an asset or damage the image of an organization.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Software attacks</b>—Losses may result when attackers use software to gain unauthorized access to systems or cause disruptions in systems availability.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Technical hardware failures or errors</b>—Technical defects in hardware systems can cause unexpected results, including unreliable service or lack of availability.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Technical software failures or errors</b>—Software used by systems may have purposeful or unintentional errors that result in failures, which can lead to loss of availability or unauthorized access to information.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Technological obsolescence</b>—Antiquated or outdated infrastructure can lead to unreliable and untrustworthy systems that may result in loss of availability or unauthorized access to information.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Theft</b>—Theft of information can result from a wide variety of 
attacks.</span></p>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-834996857819749048.post-89733072907908865662022-07-18T12:30:00.008-07:002022-07-18T13:08:32.637-07:00Principle of Information Security: Module 2 The Need for Information Security (Part 15)<div style="text-align: center;"><iframe frameborder="0" height="102px" scrolling="no" src="https://anchor.fm/nhat-nguyen9/embed/episodes/Principle-of-Information-Security-Module-2-The-Need-for-Information-Security-Part-15-e1lct92" width="400px"></iframe></div><p><span style="font-size: medium;"><b><br /></b></span></p><p><span style="font-size: medium;"><b>Back Doors</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Using a known or newly discovered access mechanism, an attacker can gain access to a system or network resource through a back door. Viruses and worms can have a payload that installs a back door or trap door component in a system, allowing the attacker to access the system at will with special privileges. Examples of such payloads include SubSeven and Back Orifice.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Sometimes these doors are left behind by system designers or maintenance staff; such a door is referred to as a maintenance hook. More often, attackers place a back door into a system or network they have compromised, making their return to the system that much easier the next time. 
A trap door is hard to detect because the person or program that places it often makes the access exempt from the system’s usual audit logging features and makes every attempt to keep the back door hidden from the system’s legitimate owners.</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgi88N64hk7BM0TPz1f8e-lVeBneLs4oYxhSloKMimh5V5we1-Lm9Vuk9250BBNx8DmhJv5o3R9GgTACwsn4sHNChmcR3_SJ3JNpyEpKOHHOS_kSkxmzn388kCFz7PZOshcGRdue4_2643ngxGq1DLz4DQaXzSlqn8k3wSaUKsKdnkU5e5VldA0vb5mIA/s790/software%20attacks%203.png" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="309" data-original-width="790" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgi88N64hk7BM0TPz1f8e-lVeBneLs4oYxhSloKMimh5V5we1-Lm9Vuk9250BBNx8DmhJv5o3R9GgTACwsn4sHNChmcR3_SJ3JNpyEpKOHHOS_kSkxmzn388kCFz7PZOshcGRdue4_2643ngxGq1DLz4DQaXzSlqn8k3wSaUKsKdnkU5e5VldA0vb5mIA/w640-h250/software%20attacks%203.png" width="640" /></a></div><span style="font-size: medium;"><div><span style="font-size: medium;"><br /></span></div><div><span style="font-size: medium;"><br /></span></div><div><span style="font-size: medium;"><br /></span></div><div><span style="font-size: medium;"><br /></span></div><div><span style="font-size: medium;"><br /></span></div><div><span style="font-size: medium;"><br /></span></div><div><span style="font-size: medium;"><br /></span></div><div><span style="font-size: medium;"><br /></span></div><div><span style="font-size: medium;"><br /></span></div><div><span style="font-size: medium;"><br /></span></div><div><span style="font-size: medium;"><br /></span></div><div><span style="font-size: medium;"><br /></span></div><br /></span><p></p><p><span style="font-size: medium;"><b>Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) 
Attacks</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">In a denial-of-service (DoS) attack, the attacker sends a large number of connection or information requests to a target (see Figure 2-16). So many requests are made that the target system becomes overloaded and cannot respond to legitimate requests for service. The system may crash or simply become unable to perform ordinary functions. In a distributed denial-of-service (DDoS) attack, a coordinated stream of requests is launched against a target from many locations at the same time. Most DDoS attacks are preceded by a preparation phase in which many systems, perhaps thousands, are compromised. The compromised machines are turned into bots or zombies, machines that are directed remotely by the attacker (usually via a transmitted command) to participate in the attack. DDoS attacks are more difficult to defend against: because the traffic arrives from thousands of sources, each sending only a little, blocking individual addresses does not help, and there are few controls a single organization can apply on its own; defending usually requires upstream providers or a scrubbing service that can absorb or filter the volume. There are also cooperative efforts to enable DDoS defenses among groups of service providers; an example is the “Consensus Roadmap for Defeating Distributed Denial of Service Attacks.” To use a popular metaphor, DDoS is considered a weapon of mass destruction on the Internet. The MyDoom worm attack in February 2004 was intended to be a DDoS attack against www.sco.com, the Web site of a vendor for a UNIX operating system. Allegedly, the attack was payback for the SCO Group’s perceived hostility toward the open-source Linux community.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Any system connected to the Internet and providing TCP-based network services (such as a Web server, FTP server, or mail server) is vulnerable to DoS attacks. 
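</span></p>
<p><span style="font-size: medium;">The difference between a single-source flood and a distributed one, as an added example of detection logic run over web-server access-log lines. This is not code from the textbook or from this blog; the log lines, the 10-second window and the thresholds (50 requests per source, 200 in aggregate) are constructed for the demonstration and would be tuned to a site’s real traffic.</span></p>

```python
"""Flood detection over web-server access logs, telling a single-source DoS
from a distributed one where every bot stays under the per-source limit.

Added example, not code from the textbook or this blog. The log lines are
constructed below; the window and thresholds are illustrative and would be
tuned to the site's normal traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common-log-format line, e.g.
# 203.0.113.7 - - [15/Jan/2024:12:02:00 +0000] "GET /index.html HTTP/1.1" 200 512
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp) or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def peak_window(times, window):
    """Densest `window`-long interval: (request count, interval start)."""
    times = sorted(times)
    best, best_start, start = 0, None, 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1
        if end - start + 1 > best:
            best, best_start = end - start + 1, times[start]
    return best, best_start


def classify(lines, window=timedelta(seconds=10), per_source=50, aggregate=200):
    """("dos", [ips]) if any single source exceeds per_source in a window;
    ("ddos", [ips]) if the aggregate exceeds `aggregate` while every source
    stays below per_source, i.e. blocking individual addresses will not help;
    ("normal", []) otherwise."""
    records = [r for r in map(parse_line, lines) if r]
    by_ip = defaultdict(list)
    for ip, ts in records:
        by_ip[ip].append(ts)
    loud = [ip for ip, ts in by_ip.items() if peak_window(ts, window)[0] >= per_source]
    if loud:
        return "dos", sorted(loud)
    count, start = peak_window([ts for _, ts in records], window)
    if count >= aggregate:
        active = {ip for ip, ts in records if start <= ts < start + window}
        return "ddos", sorted(active)
    return "normal", []


# --- constructed sample logs -----------------------------------------------
BASE = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def log_line(ip, t, path="/index.html"):
    return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def normal_log():
    """20 clients, 3 requests each, spread over about 100 seconds."""
    return [log_line(f"198.51.100.{i}", BASE + timedelta(seconds=3 * i + 20 * k))
            for i in range(20) for k in range(3)]


def dos_log():
    """Normal traffic plus one source sending 300 requests in 9 seconds."""
    flood = [log_line("203.0.113.7", BASE + timedelta(seconds=120, milliseconds=30 * n))
             for n in range(300)]
    return normal_log() + flood


def ddos_log():
    """Normal traffic plus 150 bots, each sending only 4 requests in 9 seconds."""
    bots = [log_line(f"192.0.2.{b}", BASE + timedelta(seconds=120, milliseconds=15 * (4 * b + k)))
            for b in range(1, 151) for k in range(4)]
    return normal_log() + bots


if __name__ == "__main__":
    for name, log in ("normal", normal_log()), ("dos", dos_log()), ("ddos", ddos_log()):
        kind, ips = classify(log)
        print(f"{name:6} -> {kind:6} {len(ips)} source(s) implicated")
```

<p><span style="font-size: medium;">Running the block prints one line per scenario. The DDoS case is the one the paragraph warns about: every bot stays under the per-source limit, so an address-based block list never triggers, and only the aggregate rate across all sources reveals the attack.</span></p>
<p><span style="font-size: medium;">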
DoS attacks can also be launched against routers or other network server systems if these hosts enable other TCP services, such as echo.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Prominent in the history of notable DoS attacks are those conducted by Michael Calce (a.k.a. Mafiaboy) on Amazon.com, CNN.com, ETrade.com, ebay.com, Yahoo.com, Excite.com, and Dell.com in February 2000. These software-based attacks lasted approximately four hours and reportedly resulted in millions of dollars in lost revenue. The British ISP CloudNine is believed to be the first business “hacked out of existence” by a DoS attack in January 2002. This attack was similar to the DoS attacks launched by Mafiaboy. In January 2016, a group calling itself New World Hacking attacked the BBC’s Web site, claiming an attack rate of 602 Gbps (gigabits per second), which, if verified, would have been the largest DDoS attack known at the time. The group also hit Donald Trump’s campaign Web site on the same day.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">In October 2016, a massive DDoS attack took down several Web sites, including Airbnb, Etsy, GitHub, Netflix, Reddit, Spotify, Twitter, and Vox, by attacking their common DNS service provider, Dyn, with traffic from the Mirai botnet of compromised IoT devices such as cameras and home routers. The sites themselves were untouched, but clients could no longer resolve their names. While the initial attack only lasted hours, the sites experienced issues for the rest of the day.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>E-Mail Attacks</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">While many consider spam a trivial nuisance rather than an attack, it has been used as a means of enhancing malicious code attacks. In March 2002, there were reports of malicious code embedded in MP3 files that were included as attachments to spam. 
The most significant consequence of spam, however, is the waste of computer and human resources. Many organizations attempt to cope with the flood of spam by using e-mail filtering technologies. Other organizations simply tell users of the mail system to delete unwanted messages.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">A form of e-mail attack that is also a DoS attack is called a mail bomb. It can be accomplished using traditional e-mailing techniques or by exploiting various technical flaws in the Simple Mail Transfer Protocol (SMTP). The target of the attack receives an unmanageably large volume of unsolicited e-mail. By sending e-mails with forged header information to poorly configured e-mail systems on the Internet (open relays, or servers that return bounces and auto-replies to the forged sender address), attackers can trick them into delivering many e-mails to an address of the attackers’ choice. If many such systems are tricked into participating, the target e-mail address is buried under thousands or even millions of unwanted e-mails.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Although phishing attacks occur via e-mail, they are much more commonly associated with a method of social engineering designed to trick users to perform an action, rather than simply making the user a target of a DoS e-mail attack.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Communications Interception Attacks</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Common software-based communications attacks include several subcategories designed to intercept and collect information in transit. These types of attacks include sniffers, spoofing, pharming, and man-in-the-middle attacks. 
The emergence of the Internet of Things (IoT)—the addition of communications and interactivity to everyday objects—increases the possibility of these types of attacks. Our automobiles, appliances, and entertainment devices have joined our smartphones in being interconnected and remotely controlled. The security of these devices has not always been a primary concern. IoT devices are now integrated intimately into our everyday lives and are proving to be difficult to secure, because they are often difficult or impossible to update and may not allow embedded passwords to be changed. The use of IoT devices poses significant privacy risks when they cannot be properly secured.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">A packet sniffer (or simply sniffer) can monitor data traveling over a network. Sniffers can be used both for legitimate network management functions and for stealing information. Unauthorized sniffers can be extremely dangerous to a network’s security because a passive sniffer transmits nothing of its own, so it is nearly impossible to detect from the network, and it can be inserted almost anywhere, from a compromised host to a tap on a cable or a mirrored switch port. This feature makes them a favorite weapon in the hacker’s arsenal. Sniffers typically run on TCP/IP networks. Sniffers add risk to network communications because many systems and users send information on local networks in clear text. 
A sniffer program shows all the data going by, including passwords, the data inside files (such as word-processing documents), and sensitive data from applications.</span></p>
<div class="separator" style="clear: both; text-align: center;"><img border="0" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfKhCWgCmyi_4YJmRC8OKg4LISaKKFB5FFXVNK49H9xhe0QGoAcq3F1q8Z3ZyWSsdU0zX1R5KyLIH6INRJe-nM0iH-eh4Xn_ZcD3znskZ9QbKf7dkZzkEgGl-XbGa8Hi4UNhgBBA6kIwJb-5gkbnqIaDaZIJQczUq98YkWbBBS1oajmXnA7VHlCB9Qkw/w640-h366/Picture1.png" width="640" /></div>
<p><span style="font-size: medium;">Attackers want to mask their sources, so they frequently use some sort of spoofing to hide themselves. In IP spoofing, hackers use a variety of techniques to obtain trusted IP addresses and then modify packet headers (see Figure 2-17) to insert these forged addresses. Newer routers and firewall arrangements can offer protection against IP spoofing.</span></p>
<div class="separator" style="clear: both; text-align: center;"><img border="0" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5SgwCR1_TTOgoKGrW5IpIOdNHkyKy0nsNJmPUq5sE0zMnk3qnwCJzXR2Yp57-Oz_DNjSO4fIIZ5KAGsi5oACXTWsCwzrUfviE6i8GVEYF1uMfypNVNSjhft-gF0dqTAHoHoAsTX08zClM5anqv2xxJ4-DWkt5kSkOnNEYWKlYFDvAm6RiTezF37jJlw/w640-h190/software%20attack%205.png" width="640" /></div>
<p><span style="font-size: medium;">Pharming attacks often use Trojans, worms, or other virus technologies to attack an Internet browser’s address bar so that the valid URL the user types is modified to be that of an illegitimate Web site.
A form of pharming called Domain Name System (DNS) cache poisoning targets the Internet DNS system, corrupting legitimate data tables.</span></p>
<p><span style="font-size: medium;">The key difference between pharming and phishing is that the latter requires the user to actively click a link or button to redirect to the illegitimate site, whereas pharming attacks modify the user’s traffic without the user’s knowledge or active participation.</span></p>
<div class="separator" style="clear: both; text-align: center;"><img border="0" height="446" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNlv7seSaF3cel7qxZ3X1U_GYhq0vs8aLL82qovVUIVKVjJSv9FCZlwAvGV6WzbFJdKOYEbzMIabRn9_iIcCVqRljNdJXPz66BC-fmssAh5CYZWAH9GV_Mt4t95fHKu_x6UOm13DYPg6NcQENXwlNJuRMjfyaBEzI4c_v7q7aZQrQ8q2nUWdxYNY7E_w/w640-h446/Picture2.png" width="640" /></div>
<p><span style="font-size: medium;">In the well-known man-in-the-middle attack, an attacker monitors (or sniffs) packets from the network, modifies them, and inserts them back into the network. In a TCP hijacking attack, also known as session hijacking, the attacker uses address spoofing to impersonate other legitimate entities on the network. It allows the attacker to eavesdrop as well as to change, delete, reroute, add, forge, or divert data. A variant of TCP hijacking involves the interception of an encryption key exchange, which enables the hacker to act as an invisible man in the middle—that is, an eavesdropper—on encrypted communications. Figure 2-18 illustrates these attacks by showing how a hacker uses public and private encryption keys to intercept messages. You will learn more about encryption keys in Module 10.</span></p>
<p><b>Principle of Information Security: Module 2 The Need for Information Security (Part 14)</b> (published 2022-07-18)</p>
<p><a href="https://anchor.fm/nhat-nguyen9/embed/episodes/Principle-of-Information-Security-Module-2-The-Need-for-Information-Security-Part-14-e1lcfl5">Podcast episode for Part 14</a></p>
<div class="separator" style="clear: both; text-align: center;"><img border="0" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7TAMZrln8fEaQq3d3gEs_7nSvGAcbnBVQwSFEZXVLCHvH3WznJyCOcQKX-UZWP3Jrj7Mg97njizUVMz4Hqs3JB-HqL7TfBbZsCFyQebmqgcTWAMtURHS-EK6HUHlNPiHYDWMyL9PUJ-H2rjbJqsA1hkyG6Hqo2pzZn9NgMNjljTTIhYhEJZDgtdwzDQ/w640-h230/software%20attacks.png" width="640" /></div>
<center style="text-align: left;"><span style="font-size: medium;">Deliberate software attacks occur when an individual or group designs and deploys software to attack a system. This attack can consist of specially crafted software that attackers trick users into installing on their systems. This software can be used to overwhelm the processing capabilities of online systems or to gain access to protected systems by hidden means.</span></center>
<center><center style="text-align: left;"><span style="font-size: medium;">Malware, also referred to as malicious code or malicious software, includes the viruses, worms, and other scripts and applications designed to harm a target computer system. Other attacks that use software, like redirect attacks and denial-of-service attacks, also fall under this threat. These software components or programs are designed to damage, destroy, or deny service to targeted systems.
Note that the terminology used to describe malware is often not mutually exclusive; for instance, Trojan horse malware may be delivered as a virus, a worm, or both.</span></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">Malicious code attacks include the execution of viruses, worms, Trojan horses, and active Web scripts with the intent to destroy or steal information. The most state-of-the-art malicious code attack is the polymorphic worm, or multivector worm. These attack programs use up to six known attack vectors to exploit a variety of vulnerabilities in common information system devices. Many successful malware attacks are completed using techniques that are widely known; some have been in use for years. When an attack makes use of malware that is not yet known by the antimalware software companies, it is said to be a zero-day attack.</span></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">Other forms of malware include covert software applications—bots, spyware, and adware—that are designed to work out of users’ sight or be triggered by an apparently innocuous user action. Bots are often the technology used to implement Trojan horses, logic bombs, back doors, and spyware. Spyware is placed on a computer to secretly gather information about the user and report it. One type of spyware is a Web bug, a tiny graphic that is referenced within the Hypertext Markup Language (HTML) content of a Web page or e-mail to collect information about the user viewing the content. Another form of spyware is a tracking cookie, which is placed on users’ computers to track their activity on different Web sites and create a detailed profile of their behavior. Each of these hidden code components can be used to collect user information that could then be used in a social engineering or identity theft attack.</span></center></center>
<center><center style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><img border="0" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1UiwbasTlepnei4yZR6B7rvGORnru5mf5klibPN6szhw-qTvMhsrx-c85qi-RyBksB614MoG_nxMK7mse1ClpYRjY9nOHgwVuTTi23EAS71ptQxaI3KIcA8V0DhatYbAlJIMdDESicikSKM0e-Jgwkvkcv62hQlBRh-MLQHeNV3jtfr1f1PJuT1SvFA/w640-h268/2-7.png" width="640" /></div><b>Table 2-7</b></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">Table 2-7 draws on three surveys to list some of the malware that has had the biggest impact on computer users to date. While this table may seem out of date, the values still hold up as of mid-2020. It seems that newer malware cannot break into the all-time top 10, possibly because of the proliferation of malware variants and do-it-yourself malware kits. It’s hard for any one new piece of malware to “break out” when so many variations are in play.
It seems we are entering the days of precisely targeted malware.</span></center></center>
<center><center style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><img border="0" height="308" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUkjjnk4x1bFwDpKyouTYZ-WNbYNXMCPwJFxxDTAsa1-rXCG6f_QG9Mchvbn2DgurBJjAfzdhv2NZZPMOr3yzAit5aTZY3fluzX66mPrZ3BuK1f6L_E_JAl-wIJERJKymXd_i01BbbKrc6k-pNtASOLjFIBtURNN5McwnOUQN4MZE9GabreA5E3XWY8Q/w640-h308/software%20attacks%202.png" width="640" /></div></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">A computer virus consists of code segments (programming instructions) that perform malicious actions. This code behaves much like a virus pathogen that attacks animals and plants, using the cell’s own replication machinery to propagate the attack beyond the initial target. The code attaches itself to an existing program and takes control of the program’s access to the targeted computer. The virus-controlled target program then carries out the virus plan by replicating itself into additional targeted systems. Often, users unwittingly help viruses get into a system. Opening infected e-mail or some other seemingly trivial action can cause anything from random messages appearing on a user’s screen to the destruction of entire hard drives. Just as their namesakes are passed among living bodies, computer viruses are passed from machine to machine via physical media, e-mail, or other forms of computer data transmission. When these viruses infect a machine, they may immediately scan it for e-mail applications or even send themselves to every user in the e-mail address book.</span></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">One of the most common methods of virus transmission is via e-mail attachment files. Most organizations block e-mail attachments of certain types and filter all e-mail for known viruses. Years ago, viruses were slow-moving creatures that transferred viral payloads through the cumbersome movement of diskettes from system to system. Now computers are networked, and e-mail programs prove to be fertile ground for computer viruses unless suitable controls are in place. The current software marketplace has several established vendors, such as Symantec Norton AntiVirus, Kaspersky Anti-Virus, AVG AntiVirus, and McAfee VirusScan, which provide applications to help control computer viruses. Microsoft’s Malicious Software Removal Tool is freely available to help users of Windows operating systems remove viruses and other types of malware. Many vendors are moving to software suites that include antivirus applications and provide other malware and nonmalware protection, such as firewall protection programs.</span></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">Viruses can be classified by how they spread themselves.
Among the most common types of information system viruses are the macro virus, which is embedded in automatically executing macro code used by word processors, spreadsheets, and database applications, and the boot virus, which infects the key operating system files in a computer’s boot sector. Viruses can also be described by how their programming is stored and moved. Some are found as binary executables, including .exe or .com files; as interpretable data files, such as command scripts or a specific application’s document files; or both.</span></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">Alternatively, viruses may be classified as memory-resident viruses or non-memory-resident viruses, depending on whether they persist in a computer system’s memory after they have been executed. Resident viruses are capable of reactivating when the computer is booted and continuing their actions until the system is shut down, only to restart the next time the system is booted.</span></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">In 2002, the author of the Melissa virus, David L. Smith of New Jersey, was convicted in U.S. federal court and sentenced to 20 months in prison, a $5,000 fine, and 100 hours of community service upon release.</span></center></center>
<center><center style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><img border="0" height="196" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6DVEv-3UWo15al0jr-ORvWEq2Eg5HXykYeJ0zlHSrvjQbZMEHkq7GfPaia4wVziyucrmSLT3v6MpqBwkLV0SoWSCpEQWbFEX2G6MrdxKQ-l-vXEd89_WWqZjBfqMx9qZRrTOTa4V2qcezf4nI3Z4M5sM8FrxwKBPK6mn4vmewM3AYKC_gDGfiMkD5cw/w640-h196/2-8.png" width="640" /></div><b>Table 2-8</b></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">Viruses and worms can use several attack vectors to spread copies of themselves to networked peer computers, as illustrated in Table 2-8.</span></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;"><b>Worms</b></span></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">Named for the tapeworm in John Brunner’s novel The Shockwave Rider, a computer worm can continue replicating itself until it completely fills available resources, such as
memory, hard drive space, and network bandwidth. Read the nearby feature about Robert Morris to learn how much damage a worm can cause. Code Red, Sircam, Nimda (“admin” spelled backwards), and Klez are classic examples of a class of worms that combine multiple modes of attack into a single package. Newer malware that includes features of worms and viruses will usually contain multiple exploits that can use any predefined distribution vector to programmatically distribute the worm. (See the description of polymorphic threats later in this section for more details.)</span></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">In November 1988, Robert Morris, Jr. made history. He was a postgraduate student at Cornell who invented a self-propagating program called a worm. He released it onto the Internet, choosing to send it from the Massachusetts Institute of Technology (MIT) to conceal the fact that the worm was designed and created at Cornell. Morris soon discovered that the program was reproducing itself and then infecting other machines at a much greater speed than he had envisaged. The worm had a bug.</span></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">Many machines across the United States and the world stopped working or became unresponsive. When Morris realized what was occurring, he reached out for help. He contacted a friend at Harvard, and they sent a message to system administrators at Harvard that described the problem and requested guidance for how to disable the worm. However, because the networks involved were jammed from the worm infection, the message was delayed and had no effect. It was too little too late. Morris’ worm had infected many computers, including those at academic institutions, military sites, and commercial concerns. The cost of the infection and the aftermath was estimated at roughly $200 per site.</span></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">The worm that Morris created took advantage of flaws in the sendmail program. These widely known faults allowed debug features to be exploited, but few organizations had taken the trouble to update or patch the flaws. Staff at the University of California, Berkeley and MIT had copies of the program and reverse-engineered them to determine how it functioned. After working nonstop for about 12 hours, the teams of programmers devised a method to slow down the infection. Another method was discovered at Purdue University and widely published. Ironically, the response was hampered by the clogged state of the e-mail infrastructure caused by the worm. After a few days, things slowly started to regain normalcy, and everyone wondered where the worm had originated. Morris was identified as its author in an article in the New York Times, even though his identity was not confirmed at that time.</span></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">Morris was convicted under the Computer Fraud and Abuse Act and sentenced to a fine, probation, community service, and court costs.
His appeal was rejected in March 1991.</span></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">Even though it happened long ago, the outbreak of Nimda in September 2001 still serves as an example of how quickly and widely malware can spread. It used five of the six vectors shown in Table 2-8 to spread itself with startling speed. TruSecure Corporation, an industry source for information security statistics and solutions, reported that Nimda spread across the Internet address space of 14 countries in less than 25 minutes.</span></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">The Klez worm delivered a double-barreled payload: It had an attachment that contained the worm, and if the e-mail was viewed on an HTML-enabled browser, it attempted to deliver a macro virus. News-making attacks, such as MyDoom and Netsky, are variants of the multifaceted attack worms and viruses that exploit weaknesses in leading operating systems and applications.</span></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">The complex behavior of worms can be initiated with or without the user downloading or executing the file. Once the worm has infected a computer, it can redistribute itself to all e-mail addresses found on the infected system. Furthermore, a worm can deposit copies of itself onto all Web servers that the infected system can reach; users who subsequently visit those sites become infected. Worms also take advantage of open shares found on the network in which an infected system is located. The worms place working copies of their code onto the server so that users of the open shares are likely to become infected.</span></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">In 2003, Jeffrey Lee Parson, an 18-year-old high school student from Minnesota, was arrested for creating and distributing a variant of the Blaster worm called W32.Blaster-B. He was sentenced to 18 months in prison, three years of supervised release, and 100 hours of community service. The original Blaster worm was reportedly created by a Chinese hacker group.</span></center></center>
<center><center style="text-align: center;"><div class="separator" style="clear: both; text-align: center;"><img border="0" height="388" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmUxtrWaAzzEkk-MwwZawz-_wR1q_ZMrkmV3NS2jNCgTDtT8U6Lu-JwjxZ4OnO1NcuH2BoIeM0OPQhQoJM3_bnxZoZOBtfRRzgfR-0WoHfdrcTdXCxA_k7S9yxdbomVm4GdESatsRpQmJu8BvZi8UtoTLI61WJMyyzCqOGyIOMSSTy8V2IEV10KkchVQ/w640-h388/2-15.png" width="640" /></div><b>Figure 2-15</b></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">Trojan horses are frequently disguised as helpful, interesting, or necessary
pieces of software, such as the readme.exe files often included with shareware or freeware packages. Like their namesake in Greek legend, once Trojan horses are brought into a system, they become activated and can wreak havoc on the unsuspecting user. Figure 2-15 outlines a typical Trojan horse attack. Around January 20, 1999, Internet e-mail users began receiving messages with an attachment of a Trojan horse program named Happy99.exe. When the e-mail attachment was opened, a brief multimedia program displayed fireworks and the message “Happy 1999.” While the fireworks display was running, the Trojan horse program was installing itself into the user’s system. The program continued to propagate itself by following up every e-mail the user sent with a second e-mail to the same recipient and with the same attack program attached. A newer variant of the Trojan horse is an attack known as SMiShing, in which the victim is tricked into downloading malware onto a mobile phone via a text message. SMiShing is an abbreviation for SMS phishing.</span></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">One of the biggest challenges to fighting viruses and worms has been the emergence of polymorphic threats. A polymorphic threat actually evolves, changing its size and other external file characteristics to elude detection by antivirus software programs.</span></center></center>
<center><center style="text-align: left;"><span style="font-size: medium;">As frustrating as viruses and worms are, perhaps more time and money are spent resolving malware hoaxes. Well-meaning people can disrupt the harmony and flow of an organization when they send group e-mails warning of supposedly dangerous viruses that don’t exist. When people fail to follow virus-reporting procedures in response to a hoax, the network becomes overloaded and users waste time and energy forwarding the warning message to everyone they know, posting the message on bulletin boards, and trying to update their antivirus protection software. Some hoaxes are the chain letters or chain e-mails of the day, which are designed to annoy or bemuse the reader. They are known as “weapons of mass distraction.” One of the most prominent virus hoaxes was the 1994 “Goodtimes virus,” which reportedly was transmitted in an e-mail with the header “Good Times” or “goodtimes.” The virus never existed, and thousands of hours of employee time were wasted retransmitting the e-mail, effectively creating a denial of service.</span></center></center>
<center style="text-align: left;"><span style="font-size: medium;">At one time, hoaxes amounted to little more than pranks, although occasionally a sting was attached. For example, the Teddy Bear hoax tricked users into deleting necessary operating system files, which made their systems stop working. Recently, criminals have been able to monetize the hoax virus by claiming that systems are infected with malware and then selling a cure for a problem that does not exist.
The perpetrator of the hoax may then offer to sell a fake antivirus program to correct the fake malware.</span></center>
<center style="text-align: left;"><span style="font-size: medium;">Several Internet resources enable people to research viruses and determine if they are fact or fiction.</span></center>
<p><b>Principle of Information Security: Module 2 The Need for Information Security (Part 13)</b> (published 2022-07-13)</p>
<div class="separator" style="clear: both; text-align: center;"><img border="0" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtNYuiP6eNx2hzOey3qEdQwa8lzS370OjSS58b6m-8y82VHIba1tXiGUEjs1vLBRc1CHLC2oiRfqEE5VmXF8Lte_ecb7trX_jU0Rx5PJ-SWGUVWzKy3b_LmcvHSthGjyi-2DVJg664RJflJWy-iZzvGQmkQAyieFHFNVmu3BjLzRqJlYnign13pjEJNw/w640-h208/sabotage%20or%20vandalism.png" width="640" /></div>
<p><span style="font-size: medium;">This category of threat involves the deliberate sabotage of a computer system or business or acts of vandalism to destroy an asset or damage the image of an organization. These acts can range from petty vandalism by employees to organized sabotage against an organization.</span></p>
<p><span style="font-size: medium;">Although they might not be financially devastating, attacks on the image of an organization are serious. Vandalism to a Web site can erode consumer confidence, diminishing an organization’s sales, net worth, and reputation. For example, in the early hours of July 13, 2001, a group known as Fluffi Bunni left its mark on the home page of the SysAdmin, Audit, Network, and Security (SANS) Institute, a cooperative research and education organization. This event was particularly embarrassing to SANS Institute management because the organization provides security instruction and certification. The defacement read, “Would you really trust these guys to teach you security?” At least one member of the group was subsequently arrested by British authorities.</span></p>
<p><span style="font-size: medium;"><b>Online Activism</b></span></p>
<p><span style="font-size: medium;">There are innumerable reports of hackers accessing systems and damaging or destroying critical data. Hacked Web sites once made front-page news, as the perpetrators intended. The impact of these acts has lessened as the volume has increased. The Web site that acts as the clearinghouse for many hacking reports, attrition.org, has stopped cataloging all Web site defacements because the frequency of such acts has outstripped the ability of the volunteers to keep the site up to date.</span></p>
<p><span style="font-size: medium;">Compared to Web site defacement, vandalism within a network is more malicious in intent and less public. Today, security experts are noticing a rise in another form of online vandalism: hacktivist or cyberactivist operations. For example, in November 2009, a group calling itself “antifascist hackers” defaced the Web site of Holocaust denier and Nazi sympathizer David Irving.
They also released his private e-mail correspondence, secret locations of events on his speaking tour, and detailed information about people attending those events, among them members of various white supremacist organizations. This information was posted on the Web site WikiLeaks, an organization that publishes sensitive and classified information provided by anonymous sources.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Leveraging online social media resources can sometimes cross over into unethical or even illegal territory. For example, activists engage in a behavior known as doxing to locate or steal confidential and personal records and then release them publicly to embarrass political opponents.</span></p><p><span style="font-size: medium;"><br /></span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCyuLdGCFdaO1joknZLGbAPCEcazm0lNuK7gIceLFoJ3wPTtYnzLVHyWW98vnS6AEJCmQT61Ee2K3ye4eKCrFBFX7-AE0lK17XBRBs71giQiblomBLhHggbltY2Q4urU-dGdP0X01dPPP1X9p0dZ3KKE9vSBZrcosmwoFA0aCu_5RVMIitJlpLQlgaTg/s590/06431_ch02_14-t2.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="550" data-original-width="590" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCyuLdGCFdaO1joknZLGbAPCEcazm0lNuK7gIceLFoJ3wPTtYnzLVHyWW98vnS6AEJCmQT61Ee2K3ye4eKCrFBFX7-AE0lK17XBRBs71giQiblomBLhHggbltY2Q4urU-dGdP0X01dPPP1X9p0dZ3KKE9vSBZrcosmwoFA0aCu_5RVMIitJlpLQlgaTg/s16000/06431_ch02_14-t2.jpg" /></a></div><div style="text-align: center;"><b><span style="font-size: medium;">Figure 2-14</span></b></div><span style="font-size: medium;"><br /></span><p></p><p><span style="font-size: medium;">Figure 2-14 illustrates how Greenpeace, a well-known environmental activist organization, once used its Web presence to recruit cyberactivists.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span 
style="font-size: medium;"><b>Cyberterrorism and Cyberwarfare</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">A much more sinister form of activism—related to hacking—is cyberterrorism, practiced by cyberterrorists. The United States and other governments are developing security measures intended to protect critical computing and communications networks as well as physical and power utility infrastructures.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">In the 1980s, Barry Collin, a senior research fellow at the Institute for Security and Intelligence in California, coined the term “cyberterrorism” to refer to the convergence of cyberspace and terrorism. Mark Pollitt, special agent for the FBI, offers a working definition: “Cyberterrorism is the premeditated, politically motivated attack against information, computer systems, computer programs, and data which result in violence against noncombatant targets by subnational groups or clandestine agents.”</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Cyberterrorism has thus far been largely limited to acts such as the defacement of NATO Web pages during the war in Kosovo. Some industry observers have taken the position that cyberterrorism is not a real threat, but instead is merely hype that distracts from more concrete and pressing information security issues that do need attention.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">However, further instances of cyberterrorism have begun to surface. According to Dr. Mudawi Mukhtar Elmusharaf at the Computer Crime Research Center, “on October 21, 2002, a distributed denial-of-service (DDoS) attack struck the 13 root servers that provide the primary road map for all Internet communications. Nine servers out of these 13 were jammed. 
The problem was taken care of in a short period of time.”* While this attack was significant, the results were not noticeable to most users of the Internet. A news report shortly after the event noted that “the attack, at its peak, only caused 6 percent of domain name service requests to go unanswered [… and the global] DNS system normally responds almost 100 percent of the time.”</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Internet servers were again attacked on February 6, 2007, with four Domain Name System (DNS) servers targeted. However, the servers managed to contain the attack. It was reported that the U.S. Department of Defense was on standby to conduct a military counterattack if the cyberattack had succeeded. In 2011, China confirmed the existence of a nation-sponsored cyberterrorism organization known as the Cyber Blue Team, which is used to infiltrate the systems of foreign governments.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Government officials are concerned that certain foreign countries are “pursuing cyberweapons the same way they are pursuing nuclear weapons.” Some of these cyberterrorist attacks are aimed at disrupting government agencies, while others seem designed to create mass havoc with civilian and commercial industry targets. However, the U.S. government conducts its own cyberwarfare actions, having reportedly targeted overseas efforts to develop nuclear enrichment plants by hacking into and destroying critical equipment, using the infamous Stuxnet worm to do so.</span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;"><b>Positive Online Activism</b></span></p><p><span style="font-size: medium;"><br /></span></p><p><span style="font-size: medium;">Not all online activism is negative. 
Social media outlets, such as Facebook, Twitter, and YouTube, are commonly used to perform fund-raising, raise awareness of social issues, gather support for legitimate causes, and promote involvement. Modern business organizations try to leverage social media and online activism to improve their public image and increase awareness of socially responsible actions.</span></p>