Professional Documents
Culture Documents
and Methodologies
Michael Poon
NETdefence Co. Limited
08 Nov 2002
(mpoon@netdefence.com)
Agenda
- Security Basics
- Best Practice in InfoSec Management
- InfoSec Risk Assessment
- Policies, Standards and Procedures
Value of Information
- Impact and value of service
- Strategic value (e.g. exam papers)
- Recovery value
- Department image and reputation

SECURITY = QUALITY
Property        | Quality criterion                 | Threat
Availability    | Continuity                        | Interruption
Availability    | Punctuality                       | Delay
Confidentiality | Exclusivity                       | Divulgation
Authorization   | Verify Credentials, Grants Rights | Unauthorized Access
Accounting      | Auditability                      | Repudiation

Further threats listed on the slide: Manipulation, Destruction, Falsification, Repudiation, ID Spoofing, ID Masquerade, Content Modification
Threats
Primary Threats
- Unauthorized access
- User masquerading
- Denial of service
- Physical attack
Secondary Threats
- Introduction of malware
- Bad security administration
- Uncontrolled changes
- Bad architecture, implementation or exploitation
- Misconfiguration
- Manual error
Best Practice in InfoSec Management
- ISO 17799 (BS 7799)
- ISO/IEC 13335, Guidelines for the Management of IT Security (GMITS)
- ITIL Security Management
- Information Security Forum's Standard of Good Practice
- NIST's Principles and Practices for Securing IT Systems
- ISACA's Control Objectives for Information and related Technology (COBIT)
Goals
- Strategy: Prevent, Protect, Control, React
- Management
- Operations: Operability, Efficiency, Monitoring & Maintenance, Incident Handling & Forensics
ISO17799/BS7799: History
- UK Government initiative to promote confidence in inter-company trading
- Contributed by Shell, BOC, BT, Marks & Spencer, Midland Bank, Nationwide and Unilever
- First published as DTI Code of Practice as PD 0003 in 1993
- Rebadged and published by British Standards Institution (BSI) as BS7799 Version 1, in Feb 1995
- Top selling BSI publication in Spring 1996
- Major revision of BS7799 Version 2 published in May 1999
- Formal certification and accreditation schemes launched by BSI in the same year
- Fast track ISO initiatives accelerated
- Published as ISO standard in Dec 2000
- Increasing international acceptance as the primary de facto industry security standard
- Security organization
- Assets classification & control
- Personnel security
- Physical & environmental security
- Communications & operations management
- System access control
- System development & maintenance
- Business continuity planning
- Compliance
International Take Up
- BS7799 adopted by UK, Netherlands, Australia, New
Component Relationship
- Threats exploit Vulnerabilities and increase Security Risks
- Vulnerabilities expose Assets and increase Security Risks
- Assets have Asset Values and Potential Impacts, which increase Security Risks
- Security Risks indicate Security Requirements
- Security Requirements are met by Security Controls
- Security Controls protect against Threats and reduce Security Risks
ISO/IEC 13335 Guidelines for the Management of IT Security (GMITS)
- ISO/IEC TR 13335-1: 1996 Part 1: Concepts and models for IT Security
- ISO/IEC TR 13335-2: 1997 Part 2: Managing and planning IT Security
- ISO/IEC TR 13335-3: 1998 Part 3: Techniques for the management of IT Security
- ISO/IEC TR 13335-4: 2000 Part 4: Selection of safeguards
- ISO/IEC WD 13335-5: 1999 Part 5: Management guidance on network security
INFOSEC Assessment Methodology (IAM) developed by the National Security Agency (NSA) of the US Government
- Roles and Responsibilities
- Contingency Planning
- Maintenance
- Identification & Authentication
- Account Management
- Session Controls
- External Connectivity
- Telecommunications
- Auditing
- Virus Protection
- Configuration Management
- Back-ups
- Labelling
- Media Sanitization/Disposal
- Physical Environment
- Personnel Security
- Training and Awareness
Risk management process (Assessment and Post-Assessment phases)

Assessment
- Planning: Aim; Scope; Boundary; Gathering information; System description; Target risk & required certainty
- Assessment Preparation
- Risk Analysis: Identify assets; Asset valuation; Identify threats; Assess likelihood of a compromise; Assess consequence of a compromise; Identify vulnerabilities; Identify safeguards; Assess risk
- Recommendations -> Policy Framework & Requirement Definition

Post-Assessment
- Decision on each risk: Avoid, Transfer, Reduce or Accept
  - Avoid or Transfer Risk: process ends for that risk
  - Accept Risk: proceed to Operations and Maintenance
  - Reduce Risk: Safeguard Selection (Administrative, Personnel, Physical, Technical) -> Construction and Implementation -> Certification
- Decision after Certification: Significant change required -> back to Assessment; Insignificant -> Operations and Maintenance
- Operations and Maintenance -> Decision -> Accreditation
Assessment Steps
Pre-Assessment
- Planning
- Information Gathering
- Output: established assessment boundary and prepared Assessment Plan
Onsite-Assessment
- Risk Analysis: Analyse Policy and Standards; Asset Identification and Valuation; Threat Analysis; Vulnerability Assessment; Impact and Likelihood Analysis; Risk Level Analysis
- Output: Assessment of Risks
Post-Assessment
- Recommendations
- Identification/Review of Constraints
- Risk Acceptance
- Selection of Safeguards
- Output: Final Assessment Report
Risk Analysis
Qualitative Methodology
A qualitative methodology is adopted throughout the
Risk Analysis
Asset Identification and Valuation
- Assets of IT infrastructure and systems within the assessment boundary are identified
- Information assets are valued according to their sensitivity or criticality
- Agree upon the scale to be used and the guideline for assigning a value to an asset, e.g. on a scale of 0-4 based on CIA properties as shown in the table below
- Other valuation methods can be used, e.g. Safety; Loss of goodwill; Financial loss/disruption of activities, etc.

Asset                  | Confidentiality | Integrity | Availability
Email Message          |                 |           |
DNS Record             |                 |           |
Firewall Configuration |                 |           |
Risk Analysis
Threat and Likelihood Analysis
- To identify the threats and to determine the likelihood of their occurrence
Vulnerability and Ease of Exploitation Analysis
- To identify and analyze the vulnerabilities of the IT infrastructure and systems

Risk matrix: Asset Value against Levels of Threats (Low, Medium, High) and Levels of Vulnerability (Low, Medium, High)
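The asset valuation and the threat/vulnerability matrix above describe how a qualitative risk level is derived but the slides do not give the scoring rule. The following is an added example, not code from the presentation: it takes the asset value as the highest of the three CIA ratings on the 0-4 scale, weights threat likelihood and ease of exploitation as Low/Medium/High, and adds the three into a 0-8 score (the additive matrix of ISO/IEC TR 13335-3; the cut-offs back to Low/Medium/High are this example's assumption). The CIA ratings for the three assets named on the slide are constructed, not taken from the deck.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Qualitative scales. The slides give the 0-4 CIA scale and Low/Medium/High
# axes; the numeric weights for Low/Medium/High are this example's assumption.
CIA_SCALE = range(0, 5)
LEVEL_WEIGHT = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class Asset:
    """An information asset rated 0-4 for each CIA property."""
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def value(self) -> int:
        """Asset value = the highest CIA rating (assumed convention)."""
        ratings = (self.confidentiality, self.integrity, self.availability)
        for r in ratings:
            if r not in CIA_SCALE:
                raise ValueError(f"{self.name}: CIA rating {r} outside the 0-4 scale")
        return max(ratings)


@dataclass(frozen=True)
class Scenario:
    """One threat exploiting one vulnerability against one asset."""
    asset: Asset
    threat: str
    threat_level: str          # likelihood of occurrence: Low/Medium/High
    vulnerability: str
    vulnerability_level: str   # ease of exploitation: Low/Medium/High


def _weight(level: str, what: str) -> int:
    """Translate a Low/Medium/High label to its weight, rejecting anything else."""
    try:
        return LEVEL_WEIGHT[level]
    except KeyError:
        raise ValueError(
            f"{what} level must be one of {list(LEVEL_WEIGHT)}, got {level!r}"
        ) from None


def risk_score(s: Scenario) -> int:
    """Additive matrix: asset value (0-4) + threat (0-2) + vulnerability (0-2) -> 0-8."""
    return (s.asset.value()
            + _weight(s.threat_level, "threat")
            + _weight(s.vulnerability_level, "vulnerability"))


def risk_level(score: int) -> str:
    """Map the 0-8 score back to a qualitative level (cut-offs are an assumption)."""
    if score <= 2:
        return "Low"
    if score <= 5:
        return "Medium"
    return "High"


def rank(scenarios: List[Scenario]) -> List[Tuple[int, str, str, str]]:
    """Return (score, level, asset name, threat) rows, highest risk first.

    Python's sort is stable, so scenarios with equal scores keep their input order.
    """
    rows = [(risk_score(s), risk_level(risk_score(s)), s.asset.name, s.threat)
            for s in scenarios]
    return sorted(rows, key=lambda r: r[0], reverse=True)


# Constructed sample data: the assets named on the slide with made-up CIA ratings,
# paired with threats drawn from the deck's own vocabulary.
EMAIL = Asset("Email Message", confidentiality=2, integrity=2, availability=1)
DNS = Asset("DNS Record", confidentiality=0, integrity=4, availability=4)
FIREWALL = Asset("Firewall Configuration", confidentiality=4, integrity=4, availability=3)

SAMPLE_SCENARIOS = [
    Scenario(EMAIL, "Divulgation", "Medium", "cleartext relay", "Low"),
    Scenario(DNS, "Falsification", "Medium", "unauthenticated zone update", "High"),
    Scenario(FIREWALL, "Uncontrolled changes", "High", "shared admin account, no audit trail", "Medium"),
]

if __name__ == "__main__":
    for score, level, asset, threat in rank(SAMPLE_SCENARIOS):
        print(f"{level:6} {score}  {asset:22} {threat}")
```

Running the block prints the three constructed scenarios ranked: the DNS record and the firewall configuration both score 7 (High) and the email message scores 3 (Medium). The ranking, not the absolute numbers, is what a qualitative method is for: it tells the post-assessment phase which risks to treat first, and an out-of-range rating or an unknown level label is rejected rather than silently scored.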
Document Review
1. STRATEGY
1.1 Continuity of Business
1.2 Quality Criteria
1.3 Sponsorship
2. MANAGEMENT

Findings -> Risk Analysis -> Recommendations
Tests -> Gap Analysis against Best Practice, e.g. ISO 17799 -> InfoSec Enhancement Plan
- Policies
- Standards
- Procedures, Practices
- Guidelines
1. Assess Risk and Determine Needs
2. Establish a Central Management Focal Point
3. Implement Appropriate Policies and Related Controls
4. Promote Awareness
5. Monitor and Evaluate Policy and Control Effectiveness
Thank you!