chapter7Notes

jdArcos 12:22 AM

Key Terms

Acceptable Behavior – The level of behavior that an organization will tolerate

Access Privileges – They are controls granted to users of the system

Accountabilities – Information assurance and security performance for all responsible parties

Authorization – When a person is given access to acquire specific items of information

Awareness – To make sure that the users are knowledgeable about the policies and procedures of an organization

Behavior – Human factor involvement

Boundaries – It is the perimeter of a secure space

Clearance Level – The specification of trust level that must be given to the position

Contractor and Outsourced Work – Work performed by a third party

Disciplined Practice – Every organization must monitor to make sure that policies are implemented

Documentation Process – It is a process that an organization can establish and execute a repeatable set of actions

Friendly Termination – When an employee leaves the organization on mutually agreeable terms

Individual Accountability – Everyone should be held responsible for his or her actions

Least Privilege - Restricting a user’s access to the minimum level of access needed to perform his or her job

Misuse – User takes advantage of the access controls granted by an organization

Motivation – Encouraging users to be aware of the information security rules

Noncompliance – Users not following acceptable usage policy

Personal Screening – It is employed where the information is considered sensitive enough that controls cannot assure security

Personal Security – Security process for an individual user

Procedure Manual – A manual that documents the actions required for ensuring personnel security

Reviews of User Accounts – They are necessary to monitor and manage user accounts

Secure Space – It is an area of known control

Security Strategy – Plan of action to protect the information

Sensitivity – It is the level of trust and access required for every position

Separation of Duties – The single task is distributed among number of individuals

Software-Enabled Monitoring –It is a countermeasure that monitors activities through software

Unauthorized or Illegal Activity – Activity performed by a person who does not have proper authorization

Unfriendly Terminations – When an employee leaves an organization under unfavorable terms

User Account Management – It establishes the policies and procedures to identify, authenticate, and authorize individual access to the system and information assets

 

Lecture Outline

  1. First Steps First
    1. Origination of Threats
      1. Outsider – threats posed by attacks from outside the organization
      2. Insider – threats posed by attacks by employees within the organization
    2. Access and Security Control: Establishing Secure Space
      1. Secure space are perimeter boundaries
      2. Secure space implies that approved control has been established to ensure the confidentiality, integrity and availability of the information assets
      3. In a secure space, privileges should be assigned specifically to ensure appropriate behavior
      4. Access to secure physical space is controlled by restriction mechanisms that force all individuals seek­ing access to be cleared at a checkpoint
      5. Access to humans also includes cyberspace, thus set of rules must be defined and enforced on people to gain access to secure space
    3. Ensuring Continuous Practice
      1. The assurance process must ensure continuous and disciplined execution of all security tasks
      2. The requirement for disciplined practiceimplies that attention must be paid to motivation
  2. Ensuring Personnel Security Behavior
    1. Routine Activities
      1. They are actions that an individual takes to secure the space that they control from any threats arising during everyday work
    2. Operational Functions
      1. They are the activities that are performed to ensure the security of the entire system during day-to-day operation
    3. Management Responsibilities
      1. The security operation must be managed properly to be effective
    4. Documenting Security Procedures
      1. Documentation ensures that security activities are recorded and properly understood by employees within the organization
      2. Personnel security manual specifies the actions required for ensuring personnel security
      3. The organization must ensure that all information assurance activities, or security management procedures, are performed satisfactorily in the employees’ daily routine
      4. A procedure manual also documents the corrective actions to be taken if a problem occurs
      5. Every documented procedure should specify the
        1. Required steps to be taken and by whom
        2. Expected outcomes and some way to determine that they have been achieved
        3. Interfaces with other security procedures
    5. Assignment of Individual Responsibility
      1. Specific accountability for security duties must be delegated in writing to each individual involved with the cre­ation, handling, or use of information assets
      2. It hinges on the development of a set of rules. These are called rules of behavior
    6. Rules of Behavior
      1. Rules of behavior include all the information assurance and security requirements for individuals who use the system as well as the people it serves
      2. The rules have to be rigorous enough to ensure security, while giving each user the flexibility to perform their jobs properly
      3. Rules of behavior should define the organizationally sanctioned response to such concerns as:
        1. Individual accountability
        2. Assignment and limitation of system privileges
        3. Networking and use of the Internet
      4. Rules should be enforced
    7. The Role of Awareness and Training
      1. Training is an effective countermeasure, which ensures that users are well versed in the system’s technical and procedural controls
      2. The importance of information assurance has to be reinforced
      3. Some awareness or training activity for users should be focused on making all employees part of the information assurance solution
      4. The goal of an awareness or train­ing program is to ensure an acceptable level of knowledge about information assurance practice for all people who work in the secured space
  3. Planning: Ensuring Reliable Control over Personnel
    1. Strategies must ensure that all aspects of personnel behavior that threaten security are anticipated and controlled
    2. Control Principles
      1. Individual Accountability
        1. Everyone should be held responsible for his or her actions
        2. The process of identifying and authenticating users of the system and subsequently monitoring their activities is the mechanism by which individual accountability is assigned and ensured
      2. Least Privilege
        1. It describes the principle of restricting a user’s access to the minimum level of access needed to perform his or her job
        2. Privileges for each user category are established by the access control policy and controlled by the system
        3. The assignment of privileges is contingent on knowing the access requirements for each job type and individual
      3. Separation of Duties
        1. It entails the distribution of the actions to perform a single function among a number of individuals
        2. The separations prevent a single individual from controlling a critical process
      4. Personnel Screening
        1. They are employed where the information is considered sensitive enough that controls cannot assure security
        2. Screening is labor intensive
      5. Planning for Personnel Assurance
        1. Personnel security planning should be part of the overall strategic planning function
        2. The cost of establishing and maintaining control has to be balanced against the risk
  4. Security and the Human Resources Function
    1. Job Definition
      1. It allows the organization to embed a set of information assurance and security requirements into the standard task requirements for the position
      2. The degree of authority and responsibility for each position is determined
      3. The authority for a position determines the access rights and the level of trust required for every individual holding that position
      4. Type of sensitivity and associated level of access required for the work are documented
    2. Assignment of Required Trust
      1. The specification of trust requirements for each position is determined
      2. Specify the sensitivityrequirements for every position
      3. The specification of sensitivity levels for each position is based on factors such as the type and criticality of information handled by that position, as well as traditional criteria such as managerial level and fiduciary responsibilities within the organization
      4. Information assurance and security controls should be assigned to regulate each position
    3. Background Screening and Hiring
      1. It helps the organization confirm that prospective employees fit the information assurance criteria for a given position
      2. Besides criminal history, background checks can include:
        1. Work history
        2. Credit history
        3. Educational history
        4. Interview or psychographic data
        5. Any public evidence of addictive behavior, such as hospitalizations
      3. The position supervisor should not be involved in the screening process
    4. Employee Awareness Training and Education
      1. It is important to provide information assurance and security awareness and training to newly hired employee
      2. The lack of knowledge of policy and procedure is one of the primary causes of breakdowns in personnel security
        1. United States Government Training Standards
        2. The PL 100-235 Act required computer security awareness training for all Federal employees
        3. PL 107-347 Act established Federal Information Security Management Act (FISMA)
        4. National Centers of Academic Excellence in Information Assurance Education (CAE/IAE) fosters the development of academically based education and research based programs for the field of informa­tion assurance
      3. FISMA
        1. It requires certain government personnel categories to obtain professional qualifications appro­priate to their role or function, including both training and experience
      4. NIST Standards
        1. The National Institute of Standards and Technology (NIST) has developed several standards to guide personnel training programs, as follows:
          1. SP 500-172 Computer Security Training Guidelines, November 1989 — Super­seded by SP 800-16 — These specify a basic set of security principles and topics for federal government applications.
          2. SP 800-16 Information Technology Security Training Requirements: A Role and Performance-Based Model (supersedes NIST Spec. Pub. 500-172). This updated SP 500-172 and shares components and a common body of knowledge with CNSS standards.
          3. Special Publication 800-53, Recommended Security Controls for Federal Infor­mation Systems. This is still a draft publication but its aim is to specify a mini­mum set of concrete controls for information security applications. Knowledge of the purpose and application of these controls could serve as the basis for additional professional certification.
      5. CNSS Training Standards
        1. The Committee for National Security System (CNSS) – was established to provide a forum for the discussion of policy issues, set national policy, and promulgate direction, operational procedures, and guidance for the security of national security systems
      6. DHS and NSA Academic Certification
        1. The Department of Homeland Security (DHS) and National Security Agency (NSA) sponsor a program to certify that the curricula of academic institutions meet required standards
        2. The program is called the National Information Assurance Education and Training Program (NIETP)
      7. Private Sector Security Certification Standards
        1. Certifications such as the Informa­tion Systems Audit and Control Association (ISACA) and the International Informa­tion Systems Security Certification Consortium [(ISC)2] are becoming popular for training professionals
      8. Assigning Value to Certification
        1. The following are some of the decision criteria that would help provide an accurate picture of the value of a certification:
          1. How long has the certification been in existence?
          2. Does the certifying organization’s process conform to established standards?
          3. Is the organization ISO/IEC 17024 certified?
          4. How many people hold the certification?
          5. How widely respected is the certification?
          6. Does the certificate span industry boundaries?
          7. What is the probability that 5 or 10 years from now, the certificate will still be useful?
          8. Does the certification span geographic boundaries?
  5. Controlling Access of Employees and Contractors to Restricted Information
    1. Personnel security process must ensure that user access is properly defined and controlled
    2. The following six factors determine the shape and outcome of that process:
      1. User account management
      2. Audit and management review procedures
      3. Detection of and response to unauthorized activities
      4. Friendly termination
      5. Unfriendly termination
      6. Knowing your contractors
    3. User Account Management
      1. It encompasses the following:
        1. Establish, issue, and close the accounts of individual employees
        2. Track employee access behavior
        3. Track individual employee access authorizations
        4. Manage the employee access control operation
    4. User Account Audit and Management Review
      1. Use of the accounts has to be monitored through review of user accounts
      2. These reviews should verify five user characteristics:
        1. Level(s) of access for each individual employee are appropriate to assigned level of privilege for each application
        2. Level(s) of access assigned conform with the concept of least privilege
        3. Accounts assigned to an employee are active and appropriate to the employee’s job function
        4. Management authorizations are up to date
        5. Required training has been completed
    5. Detecting Unauthorized/Illegal Activities
      1. Policies must establish a clear understanding of what constitutes an unauthorized or illegal use
      2. Countermeasures employed to detect illegal activities are frequently based on software-enabled monitoringfunctions
      3. Direct auditing of system logs and procedural analysis using audit trails are utilized to detect fraudulent actions
    6. Friendly Termination
      1. The only purpose of a friendly termination procedure is to ensure that user account privileges are removed from the system in a timely manner. This includes:
        1. Removal of access privileges, computer accounts, authentication tokens
        2. Assurance of the continued integrity and availability of data in accounts that each access privilege was granted for
        3. Briefing on the continuing responsibility for confidentiality and privacy
        4. Securing cryptographic keys
        5. Return of organization IS property
    7. Unfriendly Termination
      1. Due to the number of adverse consequences associated with an unfriendly termination, the organization should at least consider the following steps:
        1. When an employee notifies an organization of a resignation and it can be rea­sonably expected that it has occurred on unfriendly terms, system access should be terminated immediately
        2. If the organization decides that an employee is to be fired, then system access should be removed immediately after that decision is made
        3. In no case should the employee be allowed to have access to the system after they have been notified that they have been dismissed
        4. If the employee continues to work for a period after they have been notified they will be terminated, then good practice dictates that they should be assigned duties that do not require system access
        5. Where terminations are extremely unfriendly or where the employee has immediate access to critical functions or information, it is advisable to expedite their physical removal from the area
    8. Contractor Considerations
      1. A commitment to impose the degree of interorganization rigor to ensure security has to be included in the contract from the beginning of the process
      2. A thorough job-task analysis of all the outsourced work must be performed
      3. Establish incident reporting function

 

 

 

Post a Comment

0 Comments