Mission, Objective, Goals

They are set by the organisation's management. Security specialists should act in line with the mission, objectives and goals, and be involved in key activities.
Security specialists should provide input on risk management.

Risk Management

Three parts:

  • determining the maximum acceptable level of overall risk
  • using risk assessment techniques to determine the initial level of risk
  • if this is excessive, developing risk treatment strategies to reduce the risk

Risk Assessment

Qualitative Risk Assessment

For a given scope of assets, identify:

  • Vulnerabilities: a characteristic of the object/process/asset, for example, a poor lock
  • Threats: for example, a burglar
  • Threat probability
  • Attack: when a person exploits the vulnerability, i.e. when the threat comes true
  • Impact: the loss if the attack happens
  • Countermeasures: how to prevent such an attack

Quantitative Risk Assessment

An extension of qualitative risk assessment.

  • Asset value
  • Exposure factor (EF)
  • Single loss expectancy: SLE = EF * asset value
  • Annualized rate of occurrence (ARO)
  • Annual loss expectancy: ALE = SLE * ARO

Quantifying Countermeasures

Goal: reduction of ALE.
Impact of countermeasures:

  • Cost of countermeasure
  • Changes in Exposure Factor (EF)
  • Changes in Single Loss Expectancy (SLE)
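The SLE/ALE formulas above and the countermeasure comparison, worked through in code. This is an added example, not part of the original notes; the asset value, exposure factors, occurrence rates and countermeasure costs are constructed figures for a burglary scenario.

```python
# Added example: quantitative risk assessment and countermeasure evaluation.
# Formulas from the notes: SLE = EF * asset value, ALE = SLE * ARO.
# Every monetary value, EF, ARO and cost below is a constructed sample figure.

def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = EF * asset value. EF is the fraction of the asset lost per incident (0..1)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor

def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE * ARO. ARO is the expected number of incidents per year (may be fractional)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro

def countermeasure_value(asset_value, ef_before, aro_before, ef_after, aro_after, annual_cost):
    """Net annual benefit of a countermeasure = ALE reduction minus its annual cost.
    A countermeasure may change the EF (less is lost per incident), the ARO
    (incidents happen less often), or both. Negative = costs more than it saves."""
    ale_before = annual_loss_expectancy(single_loss_expectancy(asset_value, ef_before), aro_before)
    ale_after = annual_loss_expectancy(single_loss_expectancy(asset_value, ef_after), aro_after)
    return ale_before - ale_after - annual_cost

def rank_countermeasures(asset_value, ef, aro, candidates):
    """candidates: list of (name, ef_after, aro_after, annual_cost). Best net benefit first."""
    scored = [(name, countermeasure_value(asset_value, ef, aro, ef2, aro2, cost))
              for name, ef2, aro2, cost in candidates]
    return sorted(scored, key=lambda s: s[1], reverse=True)

# Constructed scenario: a warehouse worth 500,000 facing burglary through a poor lock
# (the notes' example vulnerability): 20% of stock lost per burglary, 2 burglaries a year.
WAREHOUSE_VALUE = 500_000.0
ALE_POOR_LOCK = annual_loss_expectancy(single_loss_expectancy(WAREHOUSE_VALUE, 0.20), 2.0)

# Candidate countermeasures (constructed figures):
#  - better lock (preventive): ARO 2 -> 0.5, same EF when a burglary still succeeds
#  - splitting stock across two sites (geographic consideration): EF 0.20 -> 0.10, ARO unchanged
CANDIDATES = [("better lock", 0.20, 0.5, 5_000.0),
              ("split stock across two sites", 0.10, 2.0, 120_000.0)]
RANKED = rank_countermeasures(WAREHOUSE_VALUE, 0.20, 2.0, CANDIDATES)

if __name__ == "__main__":
    print(f"ALE with poor lock: {ALE_POOR_LOCK:,.0f}")
    for name, net in RANKED:
        print(f"{name}: net annual benefit {net:,.0f}")
```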

Geographic Considerations

  • Replacement and repair costs of assets may vary by location
  • Exposure Factor may vary by location
  • Impact may vary by location

Risk Assessment Methodologies

These will not be tested by listing their content.

  • NIST 800-30
    - Risk Management Guide for Information Technology Systems
  • OCTAVE
    - Operationally Critical Threat, Asset, and Vulnerability Evaluation
  • FRAP
    - Facilitated Risk Analysis Process: qualitative prescreening
  • Spanning Tree Analysis
    - visual, similar to a mind map

The assessment methodologies above are expensive and labour-intensive.

Risk Treatment

  • Risk acceptance: live with the risk
  • Risk avoidance: discontinue the risk-related activity
  • Risk reduction: mitigate the risk
  • Risk transfer: buy insurance

Security Management Concepts

Security Controls

  • Detective: provide information about an attack, for example, a security alarm
  • Preventive: lower the probability of the threat occurring, for example, a better lock
  • Deterrent: act on the psychology of the attacker, for example, a CCTV sign
  • Administrative: define the procedure by which someone is allowed to enter a premises
  • Compensating: transfer the risk, for example, buy insurance

CIA Triad

Three pillars of security:

  • Confidentiality: information and functions can be accessed only by properly authorized parties
  • Integrity: information and functions can be added, altered or removed only by authorized persons and means. This does not mean the information matches the truth; it only defines who can operate on it.
  • Availability: systems, functions and data must be available on demand according to any agreed-upon parameters regarding levels of service.

Remember: each of the terms is related to the specific need of the scenario.

Defence in Depth

A layered defence in which two or more layers or controls are used to protect an asset:

  • Heterogeneity: the controls should be of different types, so as to better resist attack
  • Entire protection: each control completely protects the asset from most or all threats

Defence in depth reduces or eliminates the risks associated with single points of failure, fail open, malfunctions, and successful attacks on individual components.

Figure: defence in depth layers

Single Points of Failure

A single point of failure (SPOF): a weakness in a system where the failure of a single component results in the failure of the entire system.

Fail open, fail closed

When a security mechanism fails, there are usually two possible outcomes:

  • Fail open: the mechanism permits all activity
  • Fail closed: the mechanism blocks all activity.

Principles:

  • Different types of failures will have different results
  • Both fail open and fail closed are undesirable, but sometimes one or the other is catastrophic!

Related terms: fail open, fail closed, fail safe, and failover (failover implies recovery of functionality, achieved through redundancy).

Privacy

Definition: the protection and proper handling of sensitive personal information.

  • Requires proper technology for protection
  • Requires appropriate business processes and controls for appropriate handling

Issues:

  • Inappropriate uses
  • Unintended disclosure to others

Security Management

Security Executive oversight

  • Support and enforcement of policies
  • Allocation of resources
  • Prioritisation of activities
  • Risk treatment

Governance

“Security governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.”

  • Steering Committee oversight
  • Resource allocation and prioritization
  • Status reporting
  • Strategic decisions

Policy, requirements, guidelines, standards, and procedures

  • Policies: constraints on the behavior of systems and people. They define what, but not how.
  • Requirements: required characteristics of a system or process
  • Guidelines: define how to support a policy
  • Standards: what products, technical standards, and methods will be used to support policy
  • Procedures: step-by-step instructions

Roles and responsibilities

Formally defined in the security policy and in job descriptions.
These need to be defined:
  • Ownership of assets
  • Access to assets
  • Use of assets
  • Managers responsible for employee behavior

Service level agreements

Roles and responsibilities are the main parts of an SLA.
SLAs define a formal level of service.
SLAs for security activities:

  • Security incident response: what should we do when there is an incident? Many organisations don't have this sort of agreement/policy on what to do. Often there are substantial losses because there is no proper security incident response.
    Flying a plane is very easy with well-programmed regular procedures, but pilots are well paid because they are mainly there to handle unforeseen situations. We cannot programme everything that happens to a flight. A pilot needs to know what to do.
  • Security alert / advisory delivery: how to discover an emergent situation
  • Security investigation
  • Policy and procedure review

Secure Outsourcing

Outsourcing risks:

  • Control of confidential information
  • Loss of control of business activities
  • Accountability: the organisation that outsources activities is still accountable for those activities and their outcomes, so it remains responsible for the errors of its contractors.

Data classification and protection

Components of a classification and protection program

  • Sensitivity levels: “confidential”, “restricted”, “secret”, etc.
  • Marking procedures: how to indicate sensitivity on various forms of information
  • Access procedures
  • Handling procedures: e-mailing, faxing, mailing, printing, transmitting, destruction

Security Labels

Three essential labels:

  • Security level
  • Label's owner
  • Date of expiration

Only with these three labels can we set up a productive and functional system.
Together they tell the current status of a given document.

Security Clearance

Security clearance is the security label for users of data.
Security clearance must be higher than or equal to the security label: this is the fundamental component of information security.
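The clearance-versus-label rule above, implemented with the three essential labels (level, owner, expiration date) and written to fail closed as discussed in the fail open / fail closed section: an unlabelled document, an unknown level or an expired label is denied rather than permitted. A fail-open variant is included only for contrast. This is an added example, not part of the notes; the level names, the meaning given to an expired label, and the sample documents are assumptions.

```python
# Added example: enforcing "clearance >= label" over the three labels from the notes,
# with every error path denying access (fail closed). Level names are constructed.
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Ordered sensitivity levels; a higher index means more sensitive.
LEVELS = ["public", "confidential", "restricted", "secret"]

@dataclass(frozen=True)
class SecurityLabel:
    level: str        # security level
    owner: str        # the label's owner, who may re-classify the document
    expires: date     # date of expiration of this classification

def can_read(clearance: str, label: Optional[SecurityLabel], today: date) -> Tuple[bool, str]:
    """Return (allowed, reason). Every unexpected condition returns False: fail closed."""
    if label is None:
        return False, "unlabelled data is denied (fail closed)"
    if label.level not in LEVELS or clearance not in LEVELS:
        return False, "unknown level (fail closed)"
    if today > label.expires:
        # Assumption for this example: an expired label is not trusted until the
        # owner re-classifies the document, so access is denied rather than granted.
        return False, f"label expired; owner {label.owner} must re-classify"
    if LEVELS.index(clearance) < LEVELS.index(label.level):
        return False, "clearance below label"
    return True, "clearance dominates label"

def can_read_fail_open(clearance: str, label: Optional[SecurityLabel], today: date) -> bool:
    """The same check written fail open: any exception in the lookup permits access.
    Shown only to contrast with can_read; this is the undesirable design."""
    try:
        return LEVELS.index(clearance) >= LEVELS.index(label.level) and today <= label.expires
    except (AttributeError, ValueError):
        return True   # a missing or malformed label silently grants access

if __name__ == "__main__":
    # Constructed sample documents.
    doc = SecurityLabel("restricted", "alice", date(2030, 1, 1))
    stale = SecurityLabel("restricted", "alice", date(2020, 1, 1))
    today = date(2025, 6, 1)
    for clearance, label in [("secret", doc), ("confidential", doc), ("secret", stale), ("secret", None)]:
        print(clearance, "->", can_read(clearance, label, today), "| fail open:",
              can_read_fail_open(clearance, label, today))
```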

Certification and accreditation

A two-step process for the formal evaluation and approval of the use of a system.

  • Certification: the process of evaluating a system against a set of formal standards, policies, or specifications.
  • Accreditation: the formal approval for the use of a certified system, for the defined period of time (and possibly other conditions).

Internal audit