Chat with us, powered by LiveChat MIS450 1 | Abc Paper
+1(978)310-4246 credencewriters@gmail.com
  

Use APA style.
Check the uploaded chapter.

Information Security
and Networking –
MIS450

Corporate Computer Security, 4th Edition
Randall J. Boyle & Raymond R. Panko

Chapter 2
Planning and Policy

PAGES (80-90) AND (97-136)

• Justify the need for formal management processes.

• Explain the plan–protect–respond security
management cycle.

• Describe compliance laws and regulations.

• Describe organizational security issues.

• Describe risk analysis.

• Describe technical security infrastructure.

• Explain policy-driven implementation.

• Know governance frameworks.

Learning Objectives

3

4

• The first chapter focused on threats

• The rest of the book focuses on defense

• In this chapter, we will see that defensive thinking is
build around the plan-protect-respond cycle

• In this chapter, we will focus on planning

• Chapters 3 to 9 focus on protection

• Chapter 10 focuses on response

Orientation

5

What’s Next?

2.1 Introduction & Terminology

2.2 Compliance Laws and Regulations

2.3 Organization

2.4 Risk Analysis

2.5 Technical Security Architecture

2.6 Policy-Driven Implementation

2.7 Governance Frameworks

6

6

• Technology Is Concrete
• Can visualize devices and transmission lines

• Can understand device and software operation

• Management Is Abstract

• Management Is More Important
• Security is a process, not a product (Bruce Schneier)

7

2.1: Management is the Hard Part. P. 82

7

8

2.1: The Need for Comprehensive
Security. P. 83

8

9

2.1: Weakest Link Failure

A failure in any component will lead to failure for the entire system

9

• Complex
• Cannot be managed informally

• Need Formal Processes
• Planned series of actions in security management

• Annual planning

• Processes for planning and developing individual
countermeasures

10

2.1: Security Management Is a
Disciplined Process.

10

• A Continuous Process
• Fail if let up

• Compliance Regulations
• Add to the need to adopt disciplined security management

processes

11

2.1: Security Management Is a Disciplined
Process

11

12

2.1: The Plan-Protect-Respond Cycle
for Security Management. P. 85

Dominates security management thinking

12

• Vision
• Your understanding about your role with respect to your company, its

employees, and the outside world drives everything else

13

2.1: Vision. P. 87

13

• Security as an Enabler
• Security is often thought of as a preventer

• But security is also an enabler

• A company with good security can do things otherwise impossible
• Engage in interorganizational systems with other firms

• Can use SNMP SET commands to manage systems remotely

• Must get in early on projects to reduce inconvenience

14

2.1: Vision

14

• Should Not View Security as Police or Military Force
• Creates a negative view of users

• Police merely punish, they do not prevent crime; security must prevent
attacks

• Military can use fatal force; security cannot even punish (HR does that)

15

2.1: Vision

15

 Identify Current IT Security Gaps

 Identify Driving Forces
◦ The threat environment

◦ Compliance laws and regulations

◦ Corporate structure changes, such as mergers

 Identify Corporate Resources Needing Protection
◦ Enumerate all resources

◦ Rate each by sensitivity

16

2.1: Strategic IT Security Planning. P. 89

16

• Develop Remediation Plans
• Develop a remediation plan for all security gaps

• Develop a remediation plan for every resource unless it is well protected

• Develop an Investment Portfolio
• You cannot close all gaps immediately

• Choose projects that will provide the largest returns

• Implement these

17

2.1: Strategic IT Security Planning

17

What’s Next?

2.1 Introduction & Terminology

2.2 Compliance Laws and Regulations

2.3 Organization

2.4 Risk Analysis

2.5 Technical Security Architecture

2.6 Policy-Driven Implementation

2.7 Governance Frameworks

18

18

• Compliance Laws and Regulations
• Compliance laws and regulations create requirements for corporate security

• Documentation requirements are strong

• Identity management requirements tend to be strong

• Compliance can be expensive

• There are many compliance laws and regulations, and the number is
increasing rapidly

19

2.2: Legal Driving Forces. P. 90

19

What’s Next?

2.1 Introduction & Terminology

2.2 Compliance Laws and Regulations

2.3 Organization

2.4 Risk Analysis

2.5 Technical Security Architecture

2.6 Policy-Driven Implementation

2.7 Governance Frameworks

26

26

• Chief Security Officer (CSO)
• Also called chief information security officer (CISO)

• Where to Locate IT Security?
• Within IT

• Compatible technical skills

• CIO will be responsible for security

• Outside of IT
• Gives independence

• Hard to blow the whistle on IT and the CIO

• This is the most commonly advised choice

27

2.3: Organizational Issues. P. 98

27

• Where to Locate IT Security?
• Hybrid

• Place planning, policy making, and auditing outside of IT

• Place operational aspects such as firewall operation within IT

28

2.3: Organizational Issues

28

• Top Management Support
• Budget

• Support in conflicts

• Setting personal examples

29

2.3: Organizational Issues

29

• Relationships with Other Departments
• Special relationships

• Ethics, compliance, and privacy officers

• Human resources (training, hiring, terminations, sanction violators)

• Legal department

30

2.3: Organizational Issues

30

• Relationships with Other Departments
• Special relationships

• Auditing departments

• IT auditing, internal auditing, financial auditing

• Might place security auditing under one of these

• This would give independence from the security function

• Facilities (buildings) management

• Uniformed security

31

2.3: Organizational Issues

31

• Relationships with Other Departments
• All corporate departments

• Cannot merely toss policies over the wall

• Business partners
• Must link IT corporate systems together

• Before doing so, must exercise due diligence in assessing their security

32

2.3: Organizational Issues

32

• Outsourcing IT Security
• Only e-mail or webservice

• Managed Security Service Providers (MSSPs)
• Outsource most IT security functions to the MSSP

• But usually not policy

33

2.3: Organizational Issues

33

34

2.3: E-Mail Outsourcing. P. 102

34

35

2.3: Managed Security Service
Provider (MSSP)

35

What’s Next?

2.1 Introduction & Terminology

2.2 Compliance Laws and Regulations

2.3 Organization

2.4 Risk Analysis

2.5 Technical Security Architecture

2.6 Policy-Driven Implementation

2.7 Governance Frameworks

36

36

• Realities
• Can never eliminate risk

• “Information assurance” is impossible

• Risk Analysis
• Goal is reasonable risk

• Risk analysis weighs the probable cost of compromises against the costs of
countermeasures

• Also, security has negative side effects that must be weighed

37

2.4: Risk Analysis. P. 107

37

2.4: Risk Analysis
Single Loss Expectancy (SLE) Annualized Loss Expectancy

(ALE)

• Asset Value (AV)

• X Exposure Factor (EF)
• Percentage loss in asset

value if a compromise
occurs

• = Single Loss Expectancy
(SLE)
• Expected loss in case of

a compromise

• SLE
• X Annualized Rate of

Occurrence (ARO)
• Annual probability of a

compromise

• = Annualized Loss
Expectancy (ALE)
• Expected loss per year

from this type of
compromise

38

39

2.4: Classic Risk Analysis Calculation

Base

Case

Countermeasure

A

Asset Value (AV) $100,000 $100,000

Exposure Factor (EF) 80% 20%

Single Loss Expectancy (SLE): = AV*EF $80,000 $20,000

Annualized Rate of Occurrence (ARO) 50% 50%

Annualized Loss Expectancy (ALE): =

SLE*ARO $40,000 $10,000

ALE Reduction for Countermeasure NA $30,000

Annualized Countermeasure Cost NA $17,000

Annualized Net Countermeasure Value NA $13,000

Countermeasure A should reduce the exposure factor by 75%
39

40

2.4: Classic Risk Analysis Calculation

Base

Case

Countermeasure

B

Asset Value (AV) $100,000 $100,000

Exposure Factor (EF) 80% 80%

Single Loss Expectancy (SLE): = AV*EF $80,000 $80,000

Annualized Rate of Occurrence (ARO) 50% 25%

Annualized Loss Expectancy (ALE): =

SLE*ARO $40,000 $20,000

ALE Reduction for Countermeasure NA $20,000

Annualized Countermeasure Cost NA $4,000

Annualized Net Countermeasure Value NA $16,000

Countermeasure B should cut the frequency of
compromises in half 40

41

2.4: Classic Risk Analysis Calculation
Base

Case

Countermeasure

A B

Asset Value (AV) $100,000 $100,000 $100,000

Exposure Factor (EF) 80% 20% 80%

Single Loss Expectancy (SLE): = AV*EF $80,000 $20,000 $80,000

Annualized Rate of Occurrence (ARO) 50% 50% 25%

Annualized Loss Expectancy (ALE): =

SLE*ARO $40,000 $10,000 $20,000

ALE Reduction for Countermeasure NA $30,000 $20,000

Annualized Countermeasure Cost NA $17,000 $4,000

Annualized Net Countermeasure Value NA $13,000 $16,000

Although Countermeasure A reduces the ALE more,
Countermeasure B is much less expensive.

The annualized net countermeasure value for B is larger.

The company should select Countermeasure B.

41

• Uneven Multiyear Cash Flows
• For both attack costs and defense costs

• Must compute the return on investment (ROI) using
discounted cash flows

• Net present value (NPV) or internal rate of return (ROI)

42

2.4: Problems with Classic Risk Analysis
Calculations

42

 Total Cost of Incident (TCI)
◦ Exposure factor in classic risk analysis assumes that a

percentage of the asset is lost

◦ In most cases, damage does not come from asset loss

◦ For instance, if personally identifiable information is stolen,
the cost is enormous but the asset remains

◦ Must compute the total cost of incident (TCI)

◦ Include the cost of repairs, lawsuits, and many other
factors

43

2.4: Problems with Classic Risk
Analysis Calculations

43

• Many-to-Many Relationships between
Countermeasures and Resources
• Classic risk analysis assumes that one countermeasure

protects one resource

• Single countermeasures, such as a firewall, often protect
many resources

• Single resources, such as data on a server, are often
protected by multiple countermeasures

• Extending classic risk analysis is difficult

44

2.4: Problems with Classic Risk Analysis
Calculations

44

• Impossibility of Knowing the Annualized Rate of
Occurrence
• There simply is no way to estimate this

• This is the worst problem with classic risk analysis

• As a consequence, firms too often merely rate their
resources by risk level

45

2.4: Problems with Classic Risk Analysis
Calculations

45

• Problems with “Hard-Headed Thinking”
• Security benefits are difficult to quantify

• If only support “hard numbers,” may underinvest in
security

46

2.4: Problems with Classic Risk Analysis
Calculations

46

• Perspective
• Impossible to do perfectly

• Must be done as well as possible

• Identifies key considerations

• Works if countermeasure value is very large or very
negative

• But never take classic risk analysis seriously

47

2.4: Problems with Classic Risk Analysis
Calculations

47

• Risk Reduction
• The approach most people consider

• Install countermeasures to reduce harm

• Makes sense only if risk analysis justifies the
countermeasure

• Risk Acceptance
• If protecting against a loss would be too expensive, accept

losses when they occur

• Good for small unlikely losses

• Good for large but rare losses

48

2.4: Responding to Risk

48

• Risk Transference
• Buy insurance against security-related losses

• Especially good for rare but extremely damaging attacks

• Does not mean a company can avoid working on IT security

• If bad security, will not be insurable

• With better security, will pay lower premiums

49

2.4: Responding to Risk

49

• Risk Avoidance
• Not to take a risky action

• Lose the benefits of the action

• May cause anger against IT security

• Recap: Four Choices When You Face Risk
• Risk reduction

• Risk acceptance

• Risk transference

• Risk avoidance

50

2.4: Responding to Risk

50

What’s Next?

2.1 Introduction & Terminology

2.2 Compliance Laws and Regulations

2.3 Organization

2.4 Risk Analysis

2.5 Technical Security Architecture

2.6 Policy-Driven Implementation

2.7 Governance Frameworks

51

51

• Technical Security Architectures
• Definition

• All of a company’s technical countermeasures

• How these countermeasures are organized

• Into a complete system of protection

• Architectural decisions
• Based on the big picture

• Must be well planned to provide strong security with few
weaknesses

52

2.5: Corporate Technical Security
Architecture. P. 115

52

• Technical Security Architectures
• Dealing with legacy technologies

• Legacy technologies are technologies put in place previously

• Too expensive to upgrade all legacy technologies immediately

• Must upgrade if seriously impairs security

• Upgrades must justify their costs

53

2.5: Corporate Technical Security Architecture

53

• Principles
• Defense in depth

• Resource is guarded by several countermeasures in series

• Attacker must breach them all, in series, to succeed

• If one countermeasure fails, the resource remains safe

54

2.5: Corporate Technical Security Architecture

54

• Principles
• Defense in depth versus weakest links

• Defense in depth: multiple independent countermeasures that
must be defeated in series

• Weakest link: a single countermeasure with multiple
interdependent components that must all succeed for the
countermeasure to succeed

55

2.5: Corporate Technical Security Architecture

55

• Principles
• Avoiding single points of vulnerability

• Failure at a single point can have drastic consequences

• DNS servers, central security management servers, etc.

56

2.5: Corporate Technical Security Architecture

56

• Principles
• Minimizing security burdens

• Realistic goals
• Cannot change a company’s protection level overnight

• Mature as quickly as possible

57

2.5: Corporate Technical Security Architecture

57

• Elements of a Technical Security Architecture
• Border management

• Internal site management

• Management of remote connections

• Interorganizational systems with other firms

• Centralized security management
• Increases the speed of actions

• Reduces the cost of actions

58

2.5: Corporate Technical Security Architecture

58

What’s Next?

2.1 Introduction & Terminology

2.2 Compliance Laws and Regulations

2.3 Organization

2.4 Risk Analysis

2.5 Technical Security Architecture

2.6 Policy-Driven Implementation

2.7 Governance Frameworks

59

59

• Policies
• Statements of what is to be done

• Provide clarity and direction

• Does not specify in detail how the policy is to be implemented in specific
circumstances

• Allows the best possible implementation at any time

• Vary widely in length

60

2.6: Policies. P. 119

60

• Tiers of Security Policies
• Brief corporate security policy to drive everything

• Major policies
• E-mail

• Hiring and firing

• Personally identifiable information

• …

61

2.6: Policies

61

• Tiers of Security Policies
• Acceptable use policy

• Summarizes key points of special importance for users

• Typically, must be signed by users

• Policies for specific countermeasures
• Again, separates security goals from implementation

62

2.6: Policies

62

• Writing Policies
• For important policies, IT security cannot act alone

• There should be policy-writing teams for each policy

• For broad policies, teams must include IT security, management in affected
departments, the legal department, and so forth

• The team approach gives authority to policies

• It also prevents mistakes because of IT security’s limited viewpoint

63

2.6: Policies

63

 Implementation Guidance
◦ Limits the discretion of implementers in order to simplify

implementation decisions and avoid bad choices in
interpreting policies

 None
◦ Implementer is only guided by the policy itself

 Standards versus Guidelines
◦ Standards are mandatory directives

◦ Guidelines are not mandatory but must be considered

64

2.6: Implementation Guidance

64

• Ethics
• A person’s system of values

• Needed in complex situations

• Different people may make different decisions in the same situation

• Companies create codes of ethics to give guidance in ethical decisions

65

2.6: Ethics. P. 128

65

• Code of Ethics: Typical Contents (Partial List)
• Important for having a good workplace and to avoid damaging a firm’s

reputation

• Applies to everybody
• Senior managers usually have additional requirements

• Improper ethics can result in sanctions, up to and including termination

• An employee must report observed unethical behavior

66

2.6: Ethics

66

• Code of Ethics: Typical Contents (Partial List)
• An employee must involve conflicts of interest

• Never exploit one’s position for personal gain

• No preferential treatment of relatives

• No investing in competitors

• No competing with the company while still employed by the firm

67

2.6: Ethics

67

• Code of Ethics: Typical Contents (Partial List)
• No bribes or kickbacks

• Bribes are given by outside parties to get preferential treatment

• Kickbacks are given by sellers when they place an order to secure this or future orders

• Employees must use business assets for business uses only, not personal use

68

2.6: Ethics

68

• Code of Ethics: Typical Contents (Partial List)
• An employee may never divulge

• Confidential information

• Private information

• Trade secrets

69

2.6: Ethics

69

• Exceptions Are Always Required
• But they must be managed

• Limiting Exceptions
• Only some people should be allowed to request exceptions

• Fewer people should be allowed to authorize exceptions

• The person who requests an exception must never be authorizer

70

2.6: Exception Handling

70

• Exception Must be Carefully Documented
• Specifically what was done and who did each action

• Special Attention Should be Given to Exceptions in Periodic Auditing

• Exceptions Above a Particular Danger Level
• Should be brought to the attention of the IT security department and the

authorizer’s direct manager

71

2.6: Exception Handling

71

• Oversight
• Oversight is a group of tools for policy enforcement

• Policy drives oversight, just as it drives implementation

• Promulgation
• Communicate vision

• Training

• Stinging employees?

72

2.6: Oversight

72

• Electronic Monitoring
• Electronically-collected information on behavior

• Widely done in firms and used to terminate employees

• Warn subjects and explain the reasons for monitoring

73

2.6: Oversight

73

• Security Metrics
• Indicators of compliance that are measured periodically

• Percentage of passwords on a server that are crackable, etc.

• Periodic measurement indicates progress in implementing a policy

74

2.6: Oversight

74

• Auditing
• Samples information to develop an opinion about the adequacy of controls

• Database information in log files and prose documentation

• Extensive recording is required in most performance regimes

• Avoidance of compliance is a particularly important finding

75

2.6: Oversight

75

• Vulnerability Tests
• Attack your own systems to find vulnerabilities

• Free and commercial software

• Never test without a contract specifying the exact tests, signed by your
superior

• The contract should hold you blameless in case of damage

76

2.6: Oversight

76

• Sanctions
• If people are not punished when they are caught, nothing else matters

77

2.6: Oversight

77

The End

78

error: Content is protected !!